Computer Hope

Software => Computer viruses and spyware => Topic started by: mattd on September 30, 2008, 07:46:10 PM

Title: Virus Infection: Exploit.Java.Gimsh.b
Post by: mattd on September 30, 2008, 07:46:10 PM
Virus scan shows 3 instances of infection with the above-referenced virus.

Virus protection will not disinfect or quarantine viruses.

Have read post from evilfantasy.  I have begun to remove programs listed as malware on your website's link:  Viewpoint Mgr. (remove only), Viewpoint Media Player, View Point Toolbar.

I would like to submit additional unknown programs with your permission for your consideration for removal.
Title: Re: Virus Infection: Exploit.Java.Gimsh.b
Post by: CBMatt on October 01, 2008, 04:11:40 AM
http://www.computerhope.com/forum/index.php/topic,46313.0.html
If you post the three logs requested on that page, it will be much easier for us to assist you.
Title: Re: Virus Infection: Exploit.Java.Gimsh.b
Post by: mattd on October 01, 2008, 06:22:57 PM
Here are the logs. I appreciate the help.

[Saving space - attachment deleted by admin]
Title: Re: Virus Infection: Exploit.Java.Gimsh.b
Post by: CBMatt on October 02, 2008, 02:53:03 AM
It looks like those scans did a pretty good job of clearing out your infections.  Let's just do one more thing as a precaution...  Download ComboFix (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it to your desktop.  Run the program and read its disclaimer (it's fairly short) and make sure you really pay attention to what it says.  Follow the prompts and when finished, it will produce a log at C:\ComboFix.txt.  Go ahead and post that here.  Note: Don't click on the window while it's running; this may cause stalls.
Title: Re: Virus Infection: Exploit.Java.Gimsh.b
Post by: mattd on October 03, 2008, 03:26:44 PM
This has been an exciting experience.  Combo Fix produced a log which I am going to attach.

To this point, is it possible to understand how this computer became infected?  Virus definitions are current and I know that the viruses came individually.

[Saving space - attachment deleted by admin]
Title: Re: Virus Infection: Exploit.Java.Gimsh.b
Post by: CBMatt on October 04, 2008, 03:27:53 AM
My guess is that you were probably infected by a gaming site of some sort, as you had a couple of game-related ActiveX infections.  Your infections are quite common, though, so it's hard to pinpoint their origins.  You may want to take a look at this page here...
http://www.castlecops.com/postlite7736-.html

Sometimes, these infections get by, even if you do keep everything updated.  In any case, it looks good to me now.  Go ahead and uninstall ComboFix by going to Start > Run and typing in combofix /u (note the space) and pressing OK.

Before wrapping this up, I should make sure you're aware that you have the Ask Jeeves toolbar installed on your computer.  It's fairly harmless, but some consider it to be a form of spyware.  If you want to keep it, feel free.  But if you don't need it, I would advise uninstalling it.  Also...is Level 3 Communications (http://www.level3.com) your internet provider?
Title: Re: Virus Infection: Exploit.Java.Gimsh.b
Post by: mattd on October 04, 2008, 07:53:39 AM
I checked the start menu and found many games included with this Toshiba laptop; and one that wasn't, item:  additional games.  I opened it and found the name "Wild Tangent".  I'm familiar with past problems consistent with that name.  I deleted that item from the games options menu item.

I deleted all the programs you recommended including combo fix.

I was not aware of the Ask Jeeves Toolbar and I never heard of Level three communications.  My internet provider is Charter.  My intentions are to look for both and remove Ask Jeeves.

This is my opportunity to say thank you.   My children use this computer and I am their only resource.  You are mine.  Thank you.
Title: Re: Virus Infection: Exploit.Java.Gimsh.b
Post by: CBMatt on October 05, 2008, 02:06:30 AM
Okay, Level 3 is nothing to be concerned about.  There's a reference to them in your logs...they have merged with Charter for certain services; I think it's probably normal for them to be in your log, especially if you use any VoIP service.

Wild Tangent isn't necessarily malicious, but I agree that removing it is a good idea.  Just to make sure it's completely gone, you may want to check this link here...
http://www.pchell.com/support/wildtangent.shtml

As for the Ask Jeeves...it's actually the Ask.com Toolbar.  Their site was originally called Ask Jeeves, but they changed it to Ask.com a couple of years ago (I have a habit of still calling it by the original name).  Basically, it works a lot like the Google and Yahoo toolbars.  In your Add/Remove Programs list, look for any mention of AskBar and choose to remove it.  That should get rid of it for you.
Title: Re: Virus Infection: Exploit.Java.Gimsh.b
Post by: mattd on October 07, 2008, 05:34:58 PM
I scanned two folders:  AskSBar and Wild Tangent.  No malware found by Malaware.

I was able to delete Wild Tangent.  When I searched for it on this computer afterwards, the search came up empty.

Not so lucky with AskSBar.  A scan using Malaware showed that the AskSBar folder (also in the Programs folder) showed no malware.  However, I was not able to delete it from the computer.  I received a message indicating that I should make sure that the file was not in use or write protected.  Something called ALSRCHAS.dll could not be deleted.  Further, is AskSBar the Toolbar you referred to?

I believe that you were accurate about the exploit.java.gimsh.b virus entering via these downloaded games.  Each of these programs, Wild Tangent and AskSBar, seems to be associated with the "games" menu option.

This computer is running like brand-new thanks to you. 
Title: Re: Virus Infection: Exploit.Java.Gimsh.b
Post by: evilfantasy on October 07, 2008, 07:05:27 PM
Chris is away at the moment but we can take care of the AskBar with ComboFix.

Download ComboFix by sUBs from one of the below links. Be sure to save it to the Desktop. http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions, as they could damage the workings of your system.

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"=-

[-HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

(http://i154.photobucket.com/albums/s258/evilfantasy69/CFScript-1.gif)

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.
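As an added example that is not part of this thread, ComboFix, or the instructions above: the CFScript edits two Internet Explorer extension points, the URLSearchHooks list and the Browser Helper Objects list, both keyed by CLSID. This read-only PowerShell audit enumerates both, resolves each CLSID to its registered name and DLL, and flags the two CLSIDs named in the script above; it deletes nothing, so it is safe to run as a check before or after a cleanup. It assumes PowerShell on the affected Windows machine; the Wow6432Node path covers 32-bit IE on 64-bit Windows.

```powershell
# Added example (not from the thread): read-only audit of the IE extension
# points the CFScript above edits. Lists every registered CLSID with the DLL
# it resolves to and flags the CLSIDs named in this thread. Nothing is deleted.

$SuspectClsids = @(                       # taken from the CFScript above
    '{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}',   # URLSearchHook entry
    '{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}'    # Browser Helper Object entry
)

$HookKey = 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks'
$BhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Resolve-ClsidDll {
    # Map a CLSID to its friendly name and InprocServer32 DLL, or report it as unregistered.
    param([string]$Clsid)
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\Software\Classes\CLSID') {
        $key = Join-Path $root $Clsid
        if (Test-Path $key) {
            $name = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
            $dll  = (Get-ItemProperty -Path (Join-Path $key 'InprocServer32') -ErrorAction SilentlyContinue).'(default)'
            return [pscustomobject]@{ Clsid = $Clsid; Name = $name; Dll = $dll }
        }
    }
    [pscustomobject]@{ Clsid = $Clsid; Name = '<not registered>'; Dll = $null }
}

$Findings = @()
if (Test-Path $HookKey) {
    # Each value name under URLSearchHooks is the CLSID of a registered hook.
    foreach ($value in (Get-Item $HookKey).GetValueNames()) {
        $Findings += Resolve-ClsidDll $value | Add-Member -NotePropertyName Source -NotePropertyValue 'URLSearchHook' -PassThru
    }
}
foreach ($bhoKey in $BhoKeys) {
    if (-not (Test-Path $bhoKey)) { continue }
    # Each sub-key under Browser Helper Objects is the CLSID of a loaded BHO.
    foreach ($sub in Get-ChildItem $bhoKey) {
        $Findings += Resolve-ClsidDll $sub.PSChildName | Add-Member -NotePropertyName Source -NotePropertyValue 'BHO' -PassThru
    }
}

foreach ($f in $Findings) {
    $flag = if ($SuspectClsids -contains $f.Clsid) { '  <== CLSID named in this thread' } else { '' }
    '{0,-14} {1}  {2}  [{3}]{4}' -f $f.Source, $f.Clsid, $f.Name, $f.Dll, $flag
}
if ($Findings.Count -eq 0) { 'No URLSearchHooks or Browser Helper Objects registered.' }
```

Any entry whose DLL lives outside Program Files or the Windows directory, or whose CLSID is not registered at all, is worth a closer look even if it is not one of the two flagged here.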
Title: Re: Virus Infection: Exploit.Java.Gimsh.b
Post by: mattd on October 07, 2008, 09:32:06 PM
I followed your instructions and was able to delete the file and folder called AskSBar.

For your information, I am attaching logs from ComboFix.  I have two logs; one from the first ComboFix scan and the other from the second scan.  Please let me know if I am all right.

[Saving space - attachment deleted by admin]
Title: Re: Virus Infection: Exploit.Java.Gimsh.b
Post by: evilfantasy on October 07, 2008, 09:36:15 PM
Looks good.

Go ahead and uninstall ComboFix by going to Start > Run and typing in combofix /u (note the space) and pressing OK.

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your Desktop.

Alternate download link (http://majorgeeks.com/ATF_Cleaner_d4949.html)

Note: Vista users must use Run As Administrator (http://vistasupport.mvps.org/run_as_administrator.htm)
Note that your system will run slower for a reboot or two after having used this tool so don't panic.

----------

Download OTCleanIt.exe (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe) and save it to your Desktop.
----------

Disable the System Restore Utility to prevent re-infection from an old one

1) Right click the My Computer icon on the Desktop and click on Properties.
2) Click on the System Restore tab.
3) Put a check mark next to Turn off System Restore on All Drives
4) Click the OK button.
5) You will be prompted to restart the computer. Click the Yes button.

Now re-enable System Restore

To re-enable the System Restore Utility, follow steps one to five and on step three remove the check mark next to 'Turn off System Restore on All Drives'.

1) Right click the My Computer icon on the Desktop and click on Properties.
2) Click on the System Restore tab.
3) Remove the check mark next to Turn off System Restore on All Drives
4) Click the OK button.

----------

Use the Secunia Software Inspector (http://secunia.com/software_inspector) to check for out of date software.
----------

Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.

----------

Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

Concerned about Browser Security? Consider using Mozilla Firefox 3.0 (http://www.spreadfirefox.com/node&id=224248&t=324) with Adblock Plus (https://addons.mozilla.org/en-US/firefox/addon/1865) and NoScript (http://noscript.net/)

To prevent unknown applications from being installed on your computer install WinPatrol 2008 (http://www.winpatrol.com/winpatrol.html)
*  Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

I suggest using SiteAdvisor (http://www.siteadvisor.com/). SiteAdvisor rates sites on business practices and spam. Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites.

SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
*  Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/forums/tutorial49.html)
* If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)

Check out Keeping Yourself Safe On The Web (http://evilspages.blogspot.com/2008/05/keeping-yourself-safe-on-web.html) for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware (http://evilspages.blogspot.com/2008/05/slow-computer-it-may-not-be-malware.html) for free cleaning/maintenance tools to help keep your computer running smooth.
Title: Re: Virus Infection: Exploit.Java.Gimsh.b
Post by: mattd on October 07, 2008, 10:00:00 PM
I copied your instructions:

Disable the System Restore Utility to prevent re-infection from an old one

1) Right click the My Computer icon on the Desktop and click on Properties.
2) Click on the System Restore tab.
3) Put a check mark next to Turn off System Restore on All Drives
4) Click the OK button.
5) You will be prompted to restart the computer. Click the Yes button

Please note:  I'm using Windows XP Professional

on the properties item there is no tab for system restore.  Do you have any suggestions?
Title: Re: Virus Infection: Exploit.Java.Gimsh.b
Post by: evilfantasy on October 07, 2008, 10:17:31 PM
There is another way to do it.

Disable the System Restore Utility to prevent re-infection from an old one

1) Right click the My Computer icon on the Desktop and click on Properties.
2) Click on the System Restore tab.
3) Put a check mark next to Turn off System Restore on All Drives
4) Click the OK button.
5) You will be prompted to restart the computer. Click the Yes button.

Now re-enable System Restore

To re-enable the System Restore Utility, follow steps one to five and on step three remove the check mark next to 'Turn off System Restore on All Drives'.

1) Right click the My Computer icon on the Desktop and click on Properties.
2) Click on the System Restore tab.
3) Remove the check mark next to Turn off System Restore on All Drives
4) Click the OK button.
Title: Re: Virus Infection: Exploit.Java.Gimsh.b
Post by: mattd on October 08, 2008, 05:56:32 AM
Thanks for the abundance of good information.  To you and Chris, I extend my heartfelt thanks and appreciation for your work.
Title: Re: Virus Infection: Exploit.Java.Gimsh.b
Post by: CBMatt on October 09, 2008, 02:29:10 AM
Thanks for taking over, evilfantasy.  I didn't get a chance to provide ample warning of my leave.  Things have been hectic (again!), so he was probably in better hands with you anyway.

And mattd, thank you for being patient and following evilfantasy's advice.  I was hoping to have everything completed with you before I had to take off, but that unfortunately didn't happen.  But I assure you that you were left in good hands.


Just to get a better understanding of malware, I suggest reading the post linked below...
http://www.castlecops.com/postlite7736-.html
Title: Re: Virus Infection: Exploit.Java.Gimsh.b
Post by: mattd on October 09, 2008, 01:29:04 PM
You did such a great job, I can't believe that I could even be in the same "room" with you.

Thank you so much. Maybe I can return the favor some time.  Stay well!
Title: Re: Virus Infection: Exploit.Java.Gimsh.b
Post by: mattd on October 26, 2008, 08:02:22 AM
For CB Matt (Chris)

3 weeks since you helped me solve my virus problem and no new viruses. I remain grateful for your help.

Sincerely,

mattd

Title: Re: Virus Infection: Exploit.Java.Gimsh.b
Post by: CBMatt on October 26, 2008, 08:43:04 PM
Great, that's what we like to hear!  I'm very glad that evilfantasy and I were able to help you.