Author Topic: Can you help me please?  (Read 5721 times)

Kain

    Topic Starter


    Starter

    Can you help me please?
    « on: July 09, 2008, 08:44:34 PM »
    I had a trojan virus (perhaps multiple I don't know much about these things) on my computer. A friend told me about this site so I am asking for help.

    I have already performed all the steps found here, and have attached all the logs I was asked to create to this post.

    The viruses that were on my computer as defined by AVG are as follows;

    Trojan Horse Generic10.ASBQ
    Trojan Horse Generic10.ASFN
    Trojan Horse Generic10.ASPK
    Trojan Horse Generic10.ATLN
    Trojan Horse Generic10.ATPA
    Trojan Horse Generic10.AVJA
    Trojan Horse Generic10.AVUU
    Trojan Horse Generic10.AVID
    Trojan Horse Generic10.AWVP
    Trojan Horse Generic10.AXQR
    Trojan Horse Generic10.BABF
    Trojan Horse Downloader.Zlob.XTN
    Trojan Horse Downloader.Zlob
    Trojan Horse Downloader.Generic7.XBU
    Trojan Horse Agent.XGB
    Trojan Horse SHeur.BSKV
    Trojan Horse SHeur.BROU
    Trojan Horse BHO.EPI
    Trojan Horse BHO.EQL
    Potential harmful program Fake_AntiSpyware.WI

    Thanks for your help.

    [recovering disk space -- attachment deleted by admin]

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Re: Can you help me please?
    « Reply #1 on: July 09, 2008, 09:50:49 PM »
    Looks like the scans got rid of the majority of malware but there is still some work to do.

    Open Hijackthis and select Do a system scan only then place a check mark next to:

    - O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    - O4 - Startup: PowerReg Scheduler.exe
    - O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://cid-be3dfe2fec863c6b.spaces.live.com/PhotoUpload/MsnPUpld.cab
    - O20 - Winlogon Notify: tuvWNFYr - tuvWNFYr.dll (file missing)

    Now close all windows except for Hijackthis and then click Fix checked.

    Exit Hijackthis and run CCleaner.

    ----------

    Download SDFix.exe and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Now then reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard).
    • Finally copy and paste the contents of the results file Report.txt with a NEW HijackThis log in your next reply.
    If SDFix won't run or you get errors, follow the link for instructions on running SDFix. How to use SDFix

    ----------

    Next post add SDFix log.

    Also let me know how everything is now.
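
The four entries selected in the reply above follow the HijackThis `code - description` line format, and two of them end in the `(no file)` / `(file missing)` suffix that marks a leftover reference to a file no longer on disk. The parser below is an added example, not part of the original thread or of HijackThis itself; the `Entry` class, the function names and the final `ExampleApp` line are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Meaning of the section codes that appear in the reply above.
SECTIONS = {"O2": "Browser Helper Object",
            "O4": "autostart (Run key or Startup folder)",
            "O16": "ActiveX control (Downloaded Program Files)",
            "O20": "AppInit_DLLs / Winlogon Notify"}
# Suffixes seen on the page's entries whose backing file is absent.
ORPHAN_MARKERS = ("(no file)", "(file missing)")
LINE_RE = re.compile(r"^\s*(?:-\s+)?([RFNO]\d{1,2})\s+-\s+(.+?)\s*$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

@dataclass
class Entry:
    code: str
    section: str
    body: str
    clsid: Optional[str]
    orphaned: bool

def parse_log(text):
    """Parse HijackThis result lines; headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        code, body = m.groups()
        clsid = CLSID_RE.search(body)
        entries.append(Entry(code, SECTIONS.get(code, "other"), body,
                             clsid.group(0) if clsid else None,
                             body.endswith(ORPHAN_MARKERS)))
    return entries

def orphaned(entries):
    """Entries whose reference survives although the file itself is gone."""
    return [e for e in entries if e.orphaned]

# The four entries from the reply, plus one constructed healthy line (last).
SAMPLE = r"""
- O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
- O4 - Startup: PowerReg Scheduler.exe
- O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://cid-be3dfe2fec863c6b.spaces.live.com/PhotoUpload/MsnPUpld.cab
- O20 - Winlogon Notify: tuvWNFYr - tuvWNFYr.dll (file missing)
O4 - HKLM\..\Run: [ExampleApp] "C:\Program Files\ExampleApp\example.exe"
"""
if __name__ == "__main__":
    print(*(f"{e.code:<3} {e.section}: {e.body}" for e in orphaned(parse_log(SAMPLE))), sep="\n")
```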

    Kain

      Re: Can you help me please?
      « Reply #2 on: July 09, 2008, 11:10:11 PM »
      I have done as you said and have attached the relevant logs to this post. Everything seems to be working much better now and Windows even updates again! Yay! lol.

      Thank you for your help so far and please let us know if I need to do anything more.

      PS: Also, can you let me know if I need to leave these programs (CCleaner, SuperAntiSpyware, MalwareBytes etc.) on my computer or can they be uninstalled after the problem is fixed?

      [recovering disk space -- attachment deleted by admin]

      evilfantasy

      Re: Can you help me please?
      « Reply #3 on: July 09, 2008, 11:45:29 PM »
      Keep CCleaner and run it every other day or so to keep the PC clean of clutter.

      SuperAntiSpyware and MalwareBytes are good to keep and run every other week or so to make sure nothing nasty has gotten into your PC. Be sure to update each program before running them.

      ----------

      Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop.

      1. Double click OTMoveIt2.exe to launch it.
      If using Vista Right-Click OTMoveIt and choose Run As Administrator
      2. Click on the CleanUp! button.
      3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alert you, allow it access.
      4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
      • When finished exit out of OTMoveIt2
      ----------

      Go to:
      • Start
      • Run
      • type: CLEANMGR.EXE
      • Press Enter.
      When prompted select the C: drive and click OK.
      Check the boxes for:
      • Temporary Internet Files
      • Downloaded Program Files
      • Recycle Bin
      • Temporary Files
      Click OK or Enter

      ----------

      Use the Kaspersky Online Scanner

      You must use Internet Explorer.
      • Click Accept.
      • Answer Yes, when prompted to install an ActiveX component.
      • The program will then begin downloading the latest definition files.
      • Once the files have been downloaded click on NEXT
      • Locate the Scan Settings button & configure to:
        • Scan using the following Anti-Virus database:
          • Extended
        • Scan Options:
          • Scan Archives
          • Scan Mail Bases
      • Click OK & have it scan My Computer

      When the scan is done, in the Scan is complete window (below), any infection is displayed.
      There is no option to clean/disinfect, however, we need to analyze the information on the report.

      To obtain the report:
      Click on: Save Report As...

      • Next, in the Save as prompt, Save in area, select: Desktop.
      • In the File name area, use KScan, or something similar.
      • In Save as type: click the drop arrow and select: Text file [*.txt]
      • Then, click: Save

      Copy and paste the Kaspersky Online Scanner Report in your next reply.

      ---------------

      Next post add
      Kaspersky log



          Kain

            Re: Can you help me please?
            « Reply #4 on: July 10, 2008, 08:39:54 PM »
            Here is the Kaspersky scan report.

            [recovering disk space -- attachment deleted by admin]

            evilfantasy

            Re: Can you help me please?
            « Reply #5 on: July 10, 2008, 09:16:59 PM »
            If you don't use iMesh, or would rather not use it as it is spyware, follow these instructions to remove it.

            Download OTMoveIt2 by OldTimer
            • Save it to your desktop.
            • Double-click OTMoveIt2.exe to run it.
            • Copy the lines in the codebox below.
            Code:
            [kill explorer]
            C:\Documents and Settings\Martin\Desktop\Martin\Install Files\Copy of iMeshV7.exe
            C:\Documents and Settings\Martin\Desktop\Martin\Install Files\iMeshV7.exe
            EmptyTemp
            [start explorer]
            • Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste
            • Click the red Moveit! button.
            • Copy everything in the Results window (under the green bar) and paste it in your next reply.
            • Close OTMoveIt2
            ----------

            How is everything now?

            Kain

              Re: Can you help me please?
              « Reply #6 on: July 10, 2008, 10:45:22 PM »
              My computer is running much better now thank you. Everything seems to be fine which is a big relief.

              Also, I have attached the log for OTmoveit2.

              Once again, thanks. :)

              [recovering disk space -- attachment deleted by admin]

              evilfantasy

              Re: Can you help me please?
              « Reply #7 on: July 10, 2008, 10:48:49 PM »
              1. Double click OTMoveIt2.exe to launch it.
              Vista users right click and choose Run As Administrator
              2. Click on the CleanUp! button.
              3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alert you, allow it access.
              4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
              5. Once complete exit out of OTMoveIt2

              Set a New Restore Point to prevent possible reinfection from an old one
              Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.
              • Go to Start > Programs > Accessories > System Tools and click System Restore
              • Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name, then click Create.
              • The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
              • Next go to Start > Run and type Cleanmgr
              • Click OK
              • Click the More Options Tab.
              • Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.
              You can find instructions on how to enable and re-enable system restore here:

              Windows XP System Restore Guide or Windows Vista System Restore Guide
              ----------

              Use the Secunia Software Inspector to check for out of date software.
              • Click Start Now
              • Check the box next to Enable thorough system inspection.
              • Click Start
              • Allow the scan to finish and scroll down to see if any updates are needed.
              • Update anything listed.
              ----------

              Important: You Need to Update Windows and Internet Explorer regularly to protect your computer from the malware and other security threats that are on the Internet. Go to Microsoft Windows Update and get all critical updates.

              If you are running any Microsoft Office version go to the Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.

              ----------

              Make sure all of your security programs are up to date and run scans with them regularly. Once or twice a week minimum.

              Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

              To prevent unknown applications from being installed on your computer install WinPatrol 2008
              Using Winpatrol to protect your computer from malicious software

              Another thing I would suggest is installing SiteAdvisor. SiteAdvisor rates sites on business practices and spam.

              SpywareBlaster - Secure your Internet Explorer to make it harder for these ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
              *Using SpywareBlaster to protect your computer from Spyware and Malware
              *If you don't know what ActiveX controls are, see here

              Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

              Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.