
Computer in terrible condition after virus

Discussion in 'Virus & Other Malware Removal' started by Dotte1839, Apr 9, 2007.

Thread Status:
Not open for further replies.
  1. Dotte1839

    Dotte1839 Thread Starter

    Joined:
    Apr 9, 2007
    Messages:
    14
    Hi, I'd like to see if the computer is completely free of viruses and if it's possible it can be salvaged? It had a trojan before, and though it appears to be cleaned now, even with a Panda Software Virus Scan, AVG, etc., it's still got some issues. For example, the Search function no longer works as it comes up with a missing file, the computer goes to 100 percent usage fairly easily, and it's been fairly slow at times, especially in terms of the internet.

    Here is a HJT log to start:

    Logfile of HijackThis v1.99.1
    Scan saved at 2:01:58 AM, on 4/9/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\PC Tools Firewall Plus\FWService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe

    A WPFing log is also attached.

    Thank you.
     

  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,220
    First Name:
    Derek
  3. Dotte1839

    Dotte1839 Thread Starter

    Joined:
    Apr 9, 2007
    Messages:
    14
    I have AVG and already said the scan comes up clean. Thanks.
     
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,220
    First Name:
    Derek
    NO

    you have AVG antispyware NOT any Antivirus

    an antispyware & an Antivirus are 2 very different things

    as you have no Antivirus try this one which is probably the best one around to detect anything

    try the trial version of Kaspersky 6

    select Free trial, Fill in the required email address & click submit

    follow download instructions then install it & run a full system scan and see what it finds
     
  5. Dotte1839

    Dotte1839 Thread Starter

    Joined:
    Apr 9, 2007
    Messages:
    14
    When I download that, upon installation it says I have incompatible programs on my computer, and AVG Anti-Virus is on the list. Do you suggest removing it to use Kaspersky instead?
     
  6. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,220
    First Name:
    Derek
    I can't see AVG antivirus only AVG antispyware

    have you fixed some entries in HJT by mistake so they don't show?

    Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
    • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
      • In the Processes group click Non-Microsoft
      • In the Win32 Services group click Non-Microsoft
      • In the Driver Services group click Non-Microsoft
      • In the Registry group click Non-Microsoft
      • In the Files Created Within group click 30 days. Make sure Non-Microsoft only is CHECKED
      • In the Files Modified Within group select 30 days. Make sure Non-Microsoft only is CHECKED
      • In the File String Search group select Non-Microsoft
    • Now click the Run Scan button on the toolbar.
    • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
    • When the scan is complete Notepad will open with the report file loaded in it.
    • Save that notepad file
    Use the Reply button and attach the notepad file here. I will review it when it comes in.
     
  7. Dotte1839

    Dotte1839 Thread Starter

    Joined:
    Apr 9, 2007
    Messages:
    14
    OK, I just went ahead and uninstalled the AVG to use the Kaspersky program instead. It found a trojan, here's the report:

    Scan
    ----
    Scanned: 145888
    Detected: 1
    Untreated: 0
    Start time: 4/14/2007 12:53:38 AM
    Duration: 01:28:40
    Finish time: 4/14/2007 2:22:18 AM


    Detected
    --------
    Status Object
    ------ ------
    deleted: Trojan program Trojan.Win32.Obfuscated.ev File: C:\WINDOWS\system32\fednplb.dll


    Events
    ------
    Time Name Status Reason
    ---- ---- ------ ------


    Statistics
    ----------
    Object Scanned Detected Untreated Deleted Moved to Quarantine Archives Packed files Password protected Corrupted
    ------ ------- -------- --------- ------- ------------------- -------- ------------ ------------------ ---------


    Settings
    --------
    Parameter Value
    --------- -----
    Security Level Recommended
    Action Prompt for action when the scan is complete
    Run mode Manually
    File types Scan all files
    Scan only new and changed files No
    Scan archives All
    Scan embedded OLE objects All
    Skip if object is larger than No
    Skip if scan takes longer than No
    Parse email formats No
    Scan password-protected archives No
    Enable iChecker technology Yes
    Enable iSwift technology Yes
    Show detected threats on "Detected" tab Yes

    Attached is the WinPFind3U scan

    Thanks
     


  8. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,220
    First Name:
    Derek
    how is it after KAV found & deleted that one?

    post new HJT log
     
  9. Dotte1839

    Dotte1839 Thread Starter

    Joined:
    Apr 9, 2007
    Messages:
    14
    Logfile of HijackThis v1.99.1
    Scan saved at 10:14:40 PM, on 4/14/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\PC Tools Firewall Plus\FWService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Documents and Settings\Dot.LAFFO1999\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe

    It seems to run ok I suppose, I'm just worried about security, being able to pay bills on here safely and such. Any way to be sure of that?
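    The two HijackThis logs in this thread differ only in a handful of entries, and those are what a reviewer reads first. As an added example (not from the thread, HijackThis, or any other tool named here), a small Python script that diffs two HJT logs and flags the added entries a reviewer would check; the flagging rules are my own heuristics, and the sample logs are trimmed lines from the two logs posted above, assembled as constructed input.

```python
import re

# HJT entries look like "O23 - Service: ..."; header and process lines do not match.
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d{1,2}) - (?P<body>.+)$")

def parse_hjt(text):
    """Return the set of (kind, body) entries found in a HijackThis log."""
    entries = set()
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group("kind"), m.group("body")))
    return entries

def diff_hjt(old_text, new_text):
    """Entries added to and removed from a later log of the same machine."""
    old, new = parse_hjt(old_text), parse_hjt(new_text)
    return sorted(new - old), sorted(old - new)

def flag_entries(entries):
    """Attach the reasons a reviewer would look twice at an entry (own heuristics)."""
    flagged = []
    for kind, body in entries:
        reasons = []
        if kind == "O20":
            # Winlogon Notify DLLs load into winlogon.exe, a classic malware hook.
            reasons.append("winlogon notify hook")
        if kind == "O23" and "Unknown owner" in body:
            reasons.append("service with no vendor")
        if "(file missing)" in body:
            # HJT 1.99.1 also says this for quoted service paths followed by
            # arguments, so confirm on disk before treating the entry as dead.
            reasons.append("binary reported missing")
        if reasons:
            flagged.append((kind, body, reasons))
    return sorted(flagged)

# Constructed sample input: trimmed lines from the two logs in this thread.
OLD_LOG = r"""
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""
NEW_LOG = r"""
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
"""

if __name__ == "__main__":
    added, removed = diff_hjt(OLD_LOG, NEW_LOG)
    for kind, body, reasons in flag_entries(added):
        print(kind, "|", ", ".join(reasons), "|", body)
```

A flag is a prompt to verify, not a verdict: the klogon.dll and AVP entries here belong to the Kaspersky install, which is exactly what checking the file on disk and its vendor would confirm.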
     
  10. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,220
    First Name:
    Derek
    let's check with this

    Download this tool to your desktop:
    http://www.uploads.ejvindh.net/rootchk.exe
    Run the program. After a short time a logfile will turn up. Copy the contents of the log into the thread.

    Notice: Some security programs prevent the creation of dummy drivers with certain names. This may cause false positives. If the log of rootchk contains a lot of hidden drivers, you may want to turn off your security programs while rootchk is scanning (you should then unhook your network connection as well).
     
  11. Dotte1839

    Dotte1839 Thread Starter

    Joined:
    Apr 9, 2007
    Messages:
    14
    ********************************* ROOTCHK-(13-04-07)-LOG, by ejvindh
    Sun 04/15/2007 17:25:06.90

    Rootkit driver huy32 (hidden) is present. A rootkit scan is required. Rustbfix or Gmer are recommended

    ********************************* ROOTCHK-LOG-end

    Rustbfix gave me this:

    ************************* Rustock.b-fix -- By ejvindh *************************
    Sun 04/15/2007 17:36:24.76

    Rustock.b-driver on the system: NONE!

    Rustock.b-ADS attached to the System32-folder:
    :huy32.sys 73148
    Total size: 73148 bytes.
    Attempting to remove ADS...
    system32: deleted 73148 bytes in 1 streams.

    Looking for Rustock.b-files in the System32-folder:
    No Rustock.b-files found in system32


    ******************* Post-run Status of system *******************

    Rustock.b-driver on the system: NONE!

    Rustock.b-ADS attached to the System32-folder:
    No System32-ADS found.

    Looking for Rustock.b-files in the System32-folder:
    No Rustock.b-files found in system32


    ******************************* End of Logfile ********************************

    After the restart I've got no taskbar or any items on my desktop, is that normal?
     
  12. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,220
    First Name:
    Derek
    Download
    http://www.uploads.ejvindh.net/rustbfix.exe
    ...and save it to your desktop.

    Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of these logfiles along with a new HijackThis log.
     
  13. Dotte1839

    Dotte1839 Thread Starter

    Joined:
    Apr 9, 2007
    Messages:
    14
    As in the previous post I already did that, I only got one logfile though, should I reboot again for the other one?
     
  14. Dotte1839

    Dotte1839 Thread Starter

    Joined:
    Apr 9, 2007
    Messages:
    14
    OK I'll just post what it said again:

    ************************* Rustock.b-fix -- By ejvindh *************************
    Sun 04/15/2007 17:36:24.76

    Rustock.b-driver on the system: NONE!

    Rustock.b-ADS attached to the System32-folder:
    :huy32.sys 73148
    Total size: 73148 bytes.
    Attempting to remove ADS...
    system32: deleted 73148 bytes in 1 streams.

    Looking for Rustock.b-files in the System32-folder:
    No Rustock.b-files found in system32


    ******************* Post-run Status of system *******************

    Rustock.b-driver on the system: NONE!

    Rustock.b-ADS attached to the System32-folder:
    No System32-ADS found.

    Looking for Rustock.b-files in the System32-folder:
    No Rustock.b-files found in system32


    ******************************* End of Logfile ********************************

    Rustock.b-ADS attached to the System32-folder:
    Attempting to remove ADS...

    Looking for Rustock.b-files in the System32-folder:
    ECHO is off.


    ******************* Post-run Status of system *******************

    Rustock.b-driver on the system:
    YOU NEED TO CONSULT MORE ADVANCED TOOLS!!
    The Gmer-rootkitscanner may be a good place to start.
    Gmer rootkit-scanner may be found here: http://www.gmer.net

    Rustock.b-ADS attached to the System32-folder:
    ECHO is off.
    You should either run the tool again or consult more advanced tools
    The Gmer-rootkitscanner may be a good place to start.
    Gmer rootkit-scanner may be found here: http://www.gmer.net

    Looking for Rustock.b-files in the System32-folder:
    ECHO is off.
    You should either run the tool again or consult more advanced tools
    Swandog46's Avenger or Gmer's-rootkitscanner may be a good place to start.
    Swandog46's Avenger may be found here: http://swandog46.geekstogo.com/avengernotes.htm
    Gmer rootkit-scanner may be found here: http://www.gmer.net


    ******************************* End of Logfile ********************************

    After doing this my desktop icons and taskbar no longer show up, and running explorer.exe from the task manager just brings up My Documents. Is that normal?

    Edit - Fixed the last problem (desktop/taskbar) through HJT

    I appreciate your patience with this issue
     
  15. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,220
    First Name:
    Derek
    ok this is starting to look very deeply infected

    download gmer rootkit detector from http://gmer.net

    unzip it & double click the gmer.exe file

    select rootkit tab & press scan

    when it has finished press copy & post back the log it makes
     
Short URL to this thread: https://techguy.org/559741

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice