Malware - activescan manually remove?

pippa80

Hi there,

I have some malware on my computer at home and have followed the instructions in the malware removal guide. Adaware, ccleaner and spybot all cleaned trojans and other nasties out. However the problem (an error message when any application loads) keeps happening.

I did the activescan and it found some more nasties, but I couldn't see an option for cleaning them (other than buying some software). I did use the option to export the location of the nasties to a txt file.

Should i go into explorer and delete the files?

Thanks

aliEnRIK

Adaware is useless, spybots ok but no trojan killer, and ccleaner is only for cleaning up the machine, it has nothing to do with trojan removal (At least not directly)

Download MALWAREBYTES (Make sure you click 'DOWNLOAD LATEST VERSION')
http://www.filehippo.com/download_malwarebytes_anti_malware/
Open malwarebytes and goto UPDATE and click 'check for updates'. After its updated goto SCANNER and click PERFORM QUICK SCAN then click SCAN
Remove everything thats found (needs to be ticked)
Post the COMPLETE log here AFTER youve deleted everything it finds
If anything was found then do the exact same but run a FULL scan


reboot

Download HIJACK THIS (Make sure you click 'DOWNLOAD LATEST VERSION')
http://www.filehippo.com/download_hijackthis/
Click MAIN MENU then DO A SYSTEM SCAN AND SAVE A LOGFILE(Takes seconds) then post the log so we can see whats running
(do NOT do anything else with Hijack but scan and post the FULL log)
If you get a message that you cant write to the hosts file then Press the SHIFT key, and whilst holding it RIGHT CLICK and select RUN AS (admin)

pippa80

Thanks! Will do so when I get home this evening :beer:

pippa80

Nothing found there - will go on to next step...

Malwarebytes' Anti-Malware 1.50
https://www.malwarebytes.org

Database version: 5263

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

07/12/2010 18:19:27
mbam-log-2010-12-07 (18-19-27).txt

Scan type: Quick scan
Objects scanned: 139689
Time elapsed: 2 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

pippa80

Hi there - had to log in as administrator.

Here is the log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 18:32:02, on 07/12/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16671)
Boot mode: Normal

Running processes:
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Real\RealPlayer\Update\realsched.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\windows\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\windows\system32\conhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Hijackthis\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O3 - Toolbar: Sopcast Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Real\RealPlayer\Update\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://remote.consumerfocus.org.uk/dana-cached/sc/JuniperSetupClient.cab
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

--
End of file - 7726 bytes

closed

You haven't said what the error message is, or what the infection was.

All that overlapping security software will be slowing the machine down, and as you got infected, the security software installed at the time was clearly not very effective, while non are perfect, you might want to consider replacing them with avast or avira, with malwarebytes as a secondary scanner.

Do a malwarebytes full scan, uninstall ask toolbar, and tick and fix this in hijackthis

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

pippa80

The error message is:

[Application eg firefox].exe - Bad image
C:\windows\system32\avgrsstx.dll is either not designed to run on windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support.

I did just have AVG but downloaded the others as from the advice on the removing malware sticky here. Happy to replace AVG as it hasn't protected me!

Am running the full malwarebytes scan now.

Incidentally this was what the activescan found last night:

;***********************************************************************************************************************************************************************************
ANALYSIS: 2010-12-06 22:41:47
PROTECTIONS: 2
MALWARE: 4
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Lavasoft Ad-Watch Live! Anti-Virus Yes Yes
AVG Anti-Virus Free Edition 2011 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00079426 Java/OpenConnection Virus/Trojan No 0 Yes No c:\users\julian\appdata\locallow\sun\java\deployment\cache\6.0\7\3b307187-734f56c6[bpac/a.class]
00079426 Java/OpenConnection Virus/Trojan No 0 Yes No c:\users\julian\appdata\locallow\sun\java\deployment\cache\6.0\34\317c61e2-45cc14d3[bpac/a.class]
00079426 Java/OpenConnection Virus/Trojan No 0 Yes No c:\users\julian\appdata\locallow\sun\java\deployment\cache\6.0\43\5bc843eb-133e6e51[bpac/a.class]
00079426 Java/OpenConnection Virus/Trojan No 0 Yes No c:\users\julian\appdata\locallow\sun\java\deployment\cache\6.0\57\6021ab39-19e47694[bpac/a.class]
00079426 Java/OpenConnection Virus/Trojan No 0 Yes No c:\users\julian\appdata\locallow\sun\java\deployment\cache\6.0\59\47e2117b-480674ab[bpac/a.class]
00079880 Exploit/CVE-2009-3867 Virus/Trojan No 0 Yes No c:\users\julian\appdata\locallow\sun\java\deployment\cache\6.0\51\425fc2f3-38c30f69[vmain.class]
07322992 Trj/Downloader.XVT Virus/Trojan No 1 Yes No c:\users\julian\appdata\locallow\sun\java\deployment\cache\6.0\14\66f248e-12907855[quote/skypeqd.class]
07326279 Trj/Downloader.XVT Virus/Trojan No 1 Yes No c:\users\julian\appdata\locallow\sun\java\deployment\cache\6.0\14\66f248e-12907855[quote/twitters.class]
;===================================================================================================================================================================================

pippa80

Hmmm nothing came up on the full malwarebytes scan.

Do any of you have advice for me?

closed

download avast

http://download.cnet.com/Avast-Free-Antivirus/3000-2239_4-10019223.html?part=dl-85737&subj=dl&!!!!!button

uninstall avg using the removal tool

http://www.avg.com/us-en/download-tools

install avast

click on the orange icon and register it

pippa80

Thanks so much closed - am doing so.

Should I then remove adaware etc?

Also, do you think I need to do anything about the things that activescan found?

closed

I'd leave the protection job to avast, with malwarebytes and this for backup in case anything is missed. Adaware etc will just slow things down

http://www.surfright.nl/en/hitmanpro

clear your java cache

control panel, java, cache, clear

install ccleaner, tick sun java under applications, and run

http://www.piriform.com/ccleaner/download/slim