Thread: knee deep in viruses

Avast updates at least once a day and frequently at shorter intervals

Originally Posted by dirtydog

I just tried it again keda and the link works for me, I reckon you got a hijacker,

same here , and for what you are trying to do the portable is exactly what you want

keda , try this url

https://www.secure-tunnel.com/xpress...&b=0&f=norefer

you could try this procedure, its long but i believe it works. maybe some of the other posters could comment on this procedure. probably best to download (step 1) to a clean thumbdrive first, and then (step 2) use the thumbdrive on the infected computer.

its from the major geeks forum.



Windows XP Cleaning Procedure - MajorGeeks Support Forums




Windows XP Cleaning Procedure

Notes:

• <LI itxtvisited="1">Some programs (like MGtools mentioned later and maybe other tools too) may not run on restricted user accounts so you may need to temporarily change the user account to an admin type account and then complete the scans.
• If you are a Spybot Search and Destroy user, make sure that you do not have Teatimer enabled. If you already have Teatimer enabled, see this to disable it: How to disable Spybot's TeaTimer

Step 1: Downloading Tools

In this section we are going to download tools we will use. We will install and configure the programs and then run scans at a later point so please only download right now.

Make sure you download the tools to the exact locations specified below in the procedures to avoid problems later. It is not a good idea to download them to any folder within C:\Documents and Settings.) It is also a bad idea to download and save anything you need into any kind of Temp folder. Malware hides in Temp folders and standard cleaning practices will delete everything from Temp folders.


Now download the below tools ( PLEASE only download at this point ):

• <LI itxtvisited="1">SUPERAntiSpyware <LI itxtvisited="1">Malwarebytes Anti-Malware
  • Important: Rename the downloaded mbam-setup.exe file to mb.exe to help work around certain malware that will block it from being run.
  <LI itxtvisited="1">combofix.exe
  • <LI itxtvisited="1">Important Notes:
    • <LI itxtvisited="1">If you are using a 64 bit version of Windows skip this step with ComboFix because it is not compatible with x64 systems. See: How to check for 32 bit or 64 bit Windows <LI itxtvisited="1">you MUST save & later run this to from directly from your Desktop not from anywhere else (not even from a folder that is on your Desktop). Do not run it yet!!!!!! <LI itxtvisited="1">When trying to download, if you receive a message like "ComboFix is currently not available for download until an issue with the program is resolved"then just skip ComboFix for now and tell us later about this problem.
    • If you are running Kaspersky antivirus, it may popup warnings about combofix.exe and catchme.exe being infected as Heur.Invader. These are false indications. You must tell Kaspersky to Skip or Ignore these and let ComboFix run. McAfee may also intefere with ComboFix
    • If you are using Online Armor's Firewall, you will have to uninstall it in order to run ComboFix properly. Otherwise you will not be able to get ComboFix to run properly thru all phases.
  <LI itxtvisited="1">RootRepeal - do not run on 64 bit systems
• MGtools - Recent bugs in many antivirus programs are detecting this as malware. Disable your AV while you download and run MGtools if you have this problem. Rest assured that it is clean. Your AV is incorrect. We prefer that you download this file to the root folder of the drive where you have installed Windows (Typically this would be C:\ and thus you would have a C:\MGtools.exe file after downloading). If you use FireFox and still have it set to defaults, it will not let you choose where to download files to. To change FireFox, run FireFox and Click Tools, Options, and on the Main tab select Always ask me where to save files. If for some reason you still have a problem trying to save MGtools.exe properly which can happen with Vista and Win7, you can download and run it from your Desktop as long as your Desktop folder is located on the same drive that you boot Windows from.

Step 2: Installing Tools and Running Scans - please only run each scan one time and complete all scans before attaching any logs!

• <LI itxtvisited="1">Follow the instructions in the below link for installing and running SuperAntiSpyware
  • <LI itxtvisited="1">SUPERAntiSpyware - running & getting a log
  • NOTE: If you had any problem trying to download, install, and run SUPERAntiSpyware then try the portable version in the below link since it requires no installation
    • SUPERAntiSpyware_Portable
  <LI itxtvisited="1">Now we need to run Malwarebytes Anti-Malware. Please carefully follow the instructions in the below link to most effectively run it and obtain a log:
  • Using Malwarebytes Anti-Malware
  <LI itxtvisited="1">Now we need to run ComboFix. Please carefully follow the instructions in the below link to most effectively run ComboFix. PLEASE DO NOT stop and post the ComboFix log as suggested in the below procedure. We want you to finish ALL of our procedures and attach all logs at the end. If you have any problems running ComboFix, skip it and continue on but explain your problems when you come back to attach your logs.
  • http://www.bleepingcomputer.com/combofix/how-to-use-combofix
  <LI itxtvisited="1">Now run this procedure Running RootRepeal to get a RootRepeal log
• Now follow the directions in the below link for running MGtools It also explains possible reasons for not being able to run MGtools
  • Using MGtools

Step 3: Do You Still Have Problems

• <LI itxtvisited="1">Yes, I’m still having problems
  • <LI itxtvisited="1">DO NOT run the READ ME again!!!! Please attach your logs as given below. <LI itxtvisited="1">If you do not already have a thread started, start a new thread otherwise post the following in your original thread. Clearly describe in detail the problems you are having and how long ago they started. Think about what you were doing at the time. <LI itxtvisited="1">Now you need to attach (See: HOW TO: Attach Items To Your Post ) the below logs created while running the above scans
    • <LI itxtvisited="1">SASlog.txt log from SuperAntiSpyware. <LI itxtvisited="1">Malwarebytes Anti-Malware log <LI itxtvisited="1">ComboFix.txt (normally C:\ComboFix.txt)
    • RRlog.txt (from RootRepeal)
    • MGlogs.zip - normally it is C:\MGlogs.zip - only attach this log from MGtools.exe DO NOT attach any logs seen in the MGtools folder.
  • <LI itxtvisited="1">You should attach all of your logs in two messages after you have completed all scans. You need two messages since only 4 attachments are allowed in a single message.
  • Be patient after posting your logs and wait for one of the helpers to get to you. It can take a while to read thru all of the logs and to create individual fixes for you.
  • Also DO NOT BUMP your thread to try and get a faster answer. This will actually significantly delay getting an answer. See this: Don't Bump! It Only Hurts You!!!

• No, I’m not having any problems
  • If you are sure everythingis okay and that you do not need to request any help, then jump to the next step below.

Step 4: Toggle System Restore

• <LI itxtvisited="1">You only need to Toggle system restore if malware had been found during the cleaning procedures. If no malware was found, there are no infected restore points to worry about, thus you can skip to the next step. <LI itxtvisited="1">Once you are sure all malware problems have been removed follow the below steps:
  • <LI itxtvisited="1">Disable System Restore ( see Disable And Enable System Restore)
  • Now reboot your PC
  • Now Enable System Restore using the same link as above

Why we toggle System Restore!

If you have been infected with any trojans, spyware, etc, they could have been saved in System Restore and are waiting to re-infect you. Since System Restore is a protected directory, your tools can not access it to delete files that may contain viruses. Even though your tools may say they are deleting them, they are not! The reason for doing this after your system has been completely cleaned of problems, is so we can remove possible infected restore points. When you disable system restore, it removes restore points!

We only toggle System Restore after you are clean because keeping even infected restore points around while we are fixing things may prove useful if something goes wrong during the process. An infected restore point could be better than none at all!

Step 5: Keeping your computer safe and secure

• See the following thread and complete the steps: How to Protect yourself from malware!

Step 6: Alternative Scans - If still having problems, see: Alternative Scans

Now surf safely!

Originally Posted by dirtydog

Originally Posted by keda

Not found, thanks anyway.

I found it, the site that is, you got a browser hijacker?

Hole in one as usual and thanks. All seemed to be running normal, been lazy with housekeeping the past few months and this was the first indication that the fifth column has already entered. I've run the bits 'n bobs, most came back clean but Adaware, Malwarebytes and HijackThis returned loads of objects; most cleaned, and now mopping up.


Wallalai: Ok I can get there now.

HB: I had Kaspersky Virus Removal Tool but never used it; stopped trusting that firm (+Symantec) 10-15 years ago after major issues. But they're still in biz and probably advanced a bit by now so all is forgiven.

Michael: Never used Malwarebytes before but got it now. Easy to use, found stuff that others missed, has moved in.

SandMike: Excellent idea and it would probably work until they get fed up having to update. I didn't feel the need to stipulate in the OP that the most critical feature of any solution must be zero input from those on site.

Michael: ...and you should too, nothing beats staying alert.

Scandinavian: I'm ok with Avast but was weaned on AVG so will probably end up installing the latest AVG as god with the spyware stuff and extras as the wee angels.

TBR: No ploplem about money, all progs cost the same.

mc2: Can start afresh with the OS, but nobody has copies of the Thai progs or knows who installed them. I mentioned it might have been Buddha, and nobody could conclusively disagree.

Originally Posted by dirtydog

I just tried it again keda and the link works for me, I reckon you got a hijacker, download opera browser and try it with that, hijackers mainly work with ie and firefox, they don't let you go to anti virus sites or at least the download section.

Another coconut for the man!

Originally Posted by taxexile

[CENTER][B][COLOR=black][SIZE=5]you could try this procedure, its long but i believe it works. maybe some of the other posters could comment on this procedure. probably best to download (step 1) to a clean thumbdrive first, and then (step 2) use the thumbdrive on the infected computer...

Will run through it later, still mopping up and moping.

I recently used the Kaspersky cleaner after a McAfee foul up exposed a few computers to a virulent little bugger. It installs, does a splendid job of cleaning up, then uninstalls itself and reboots to finish the job.

I've since kicked McAfee out of the company in place of MS Forefront Client Security.