
Need Help Removing Viruses/Malware/Spyware



Yaswanth
2007-02-15, 22:24
Hi,

Ok, my laptop is pretty bad off. I received a virus from an e-mail attachment that has messed up my computer pretty bad, mostly because I hadn't had time to fix it for a few months. So far this is what I have done:

1) Ran Kaspersky online virus scan. It found something like 50 viruses and 125,000+ infected files. Yes, the # is correct: 125,000. Like I said, it is pretty bad.

2) Downloaded Kaspersky 30-day free trial. Removed most of the viruses and about 97,000 of the infected files. Also it backs up the removed files, and every time I got to the option where I can clear the quarantined files it freezes the program because there are so many. But I think that the TrendMicro online scan might delete the quarantined files? No idea.

3) I updated SpyBot and ran it in regular and Safe Mode. It got rid of some more stuff, but even in Safe Mode it kept freezing or stopping at exactly 48066 when it was scanning for the Win32.Lager.au virus, I believe.

4) I did a TrendMicro online scan; it removed most of the remaining 28-29,000 infected files and a few more viruses/malware. But because it's Java or whatever, it wouldn't let me copy and paste the log here. It also found about 13 or so vulnerabilities in Windows or Microsoft products, I believe. Again, I wish I could post their results; is there a way to do that? I don't know how.

5) So I did an eTrust online scan, mostly because Panda's was really slow and the BitDefender scan is no longer there?

6) I've also updated a few Windows updates; the installation failed for half of them. I'm hoping once I get my computer cleaned they will properly install.

So Here is my HJT Log and the eTrust Online Scan

Logfile of HijackThis v1.99.1
Scan saved at 3:18:25 PM, on 2/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\msiexec.exe
C:\hijackthis\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.espn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {15ACE85C-0BB1-42d1-9E32-07EB0506675A} - (no file)
O2 - BHO: (no name) - {1c4da27d-4d52-4465-a089-98e01bb725ca} - (no file)
O2 - BHO: (no name) - {479fd0cf-5be9-4c63-8cda-b6d371c67bd5} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7070a8f9-08a4-ca47-0ab0-1eb9e4ee1f3b} - (no file)
O2 - BHO: (no name) - {7a7e6d97-b492-4884-9abb-c31281dcc4f2} - (no file)
O2 - BHO: (no name) - {860c2f6b-ca82-4282-9187-beccbb66f0af} - (no file)
O2 - BHO: (no name) - {8dc8f96d-34f7-1501-a2a4-631341aa3ac1} - (no file)
O2 - BHO: (no name) - {a2595f37-48d0-46a1-9b51-478591a97764} - (no file)
O2 - BHO: (no name) - {AB268D16-3B58-482F-91EB-8D305534302F} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {b212d577-05b7-4963-911e-4a8588160dfa} - (no file)
O2 - BHO: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O2 - BHO: (no name) - {e2b2b5a1-b48c-4886-a318-723916a01024} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e6d5237d-a6c7-4c83-a67f-f9f15586fa62} - (no file)
O2 - BHO: (no name) - {fe2d25c1-c1db-4b5e-9390-af1cb5302f32} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [adir] C:\WINDOWS\system32\adirss.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6FBF558D-6D24-44CA-8A1A-4B5738783841}: NameServer = 199.166.31.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FB2C11E-4377-46C7-90DC-48A431E770D1}: NameServer = 199.166.31.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{C52FBA76-C9E8-4E58-B8FB-F8C2C9591852}: NameServer = 199.166.31.3
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe



eTrust Online Scan

File Infection Status Path
actmovie.exe Win32/Luder!corrupt infected C:\WINDOWS\$NtServicePackUninstall$\
actmovie.exe.000 Win32/Luder!corrupt infected C:\WINDOWS\$NtServicePackUninstall$\
csrss.exe Win32/Luder!corrupt infected C:\WINDOWS\$NtServicePackUninstall$\
csrss.exe.000 Win32/Luder!corrupt infected C:\WINDOWS\$NtServicePackUninstall$\
hh.exe Win32/Luder!corrupt infected C:\WINDOWS\$NtServicePackUninstall$\
hh.exe.000 Win32/Luder!corrupt infected C:\WINDOWS\$NtServicePackUninstall$\
lsass.exe Win32/Luder!corrupt infected C:\WINDOWS\$NtServicePackUninstall$\
lsass.exe.000 Win32/Luder!corrupt infected C:\WINDOWS\$NtServicePackUninstall$\
mqsvc.exe Win32/Luder!corrupt infected C:\WINDOWS\$NtServicePackUninstall$\
msdtc.exe Win32/Luder!corrupt infected C:\WINDOWS\$NtServicePackUninstall$\
msdtc.exe.000 Win32/Luder!corrupt infected C:\WINDOWS\$NtServicePackUninstall$\
nddeapir.exe Win32/Luder!corrupt infected C:\WINDOWS\$NtServicePackUninstall$\
nddeapir.exe.000 Win32/Luder!corrupt infected C:\WINDOWS\$NtServicePackUninstall$\
ntbackup.exe Win32/Luder!corrupt infected C:\WINDOWS\$NtServicePackUninstall$\
ntkrnlmp.exe.000 Win32/Luder!corrupt infected C:\WINDOWS\$NtServicePackUninstall$\
ntkrpamp.exe.000 Win32/Luder!corrupt infected C:\WINDOWS\$NtServicePackUninstall$\
winver.exe Win32/Luder!corrupt infected C:\WINDOWS\$NtServicePackUninstall$\
winver.exe.000 Win32/Luder!corrupt infected C:\WINDOWS\$NtServicePackUninstall$\
hh.exe Win32/Luder!corrupt infected C:\WINDOWS\$NtUninstallKB896358$\
caspol.exe Win32/Luder!corrupt infected C:\WINDOWS\ServicePackFiles\i386\
cisvc.exe Win32/Luder!corrupt infected C:\WINDOWS\ServicePackFiles\i386\
csrss.exe Win32/Luder!corrupt infected C:\WINDOWS\ServicePackFiles\i386\
hh.exe Win32/Luder!corrupt infected C:\WINDOWS\ServicePackFiles\i386\
ieexec.exe Win32/Luder!corrupt infected C:\WINDOWS\ServicePackFiles\i386\
jsc.exe Win32/Luder!corrupt infected C:\WINDOWS\ServicePackFiles\i386\
moviemk.exe Win32/Luder!corrupt infected C:\WINDOWS\ServicePackFiles\i386\
ntbackup.exe Win32/Luder!corrupt infected C:\WINDOWS\ServicePackFiles\i386\
progman.exe Win32/Luder!corrupt infected C:\WINDOWS\ServicePackFiles\i386\
regasm.exe Win32/Luder!corrupt infected C:\WINDOWS\ServicePackFiles\i386\
winver.exe Win32/Luder!corrupt infected C:\WINDOWS\ServicePackFiles\i386\
actmovie.exe Win32/Luder!corrupt infected C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\2cf41f1db14bc8f414e16e1555b77108\backup\
csrss.exe Win32/Luder!corrupt infected C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\2cf41f1db14bc8f414e16e1555b77108\backup\
hh.exe Win32/Luder!corrupt infected C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\2cf41f1db14bc8f414e16e1555b77108\backup\
lsass.exe Win32/Luder!corrupt infected C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\2cf41f1db14bc8f414e16e1555b77108\backup\
mqsvc.exe Win32/Luder!corrupt infected C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\2cf41f1db14bc8f414e16e1555b77108\backup\
msdtc.exe Win32/Luder!corrupt infected C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\2cf41f1db14bc8f414e16e1555b77108\backup\
nddeapir.exe Win32/Luder!corrupt infected C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\2cf41f1db14bc8f414e16e1555b77108\backup\
ntbackup.exe Win32/Luder!corrupt infected C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\2cf41f1db14bc8f414e16e1555b77108\backup\
ntkrnlmp.exe Win32/Luder!corrupt infected C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\2cf41f1db14bc8f414e16e1555b77108\backup\
ntkrpamp.exe Win32/Luder!corrupt infected C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\2cf41f1db14bc8f414e16e1555b77108\backup\
winver.exe Win32/Luder!corrupt infected C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\2cf41f1db14bc8f414e16e1555b77108\backup\


That's everything. Hopefully you can help. Thank you so much!
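The HijackThis log above is read by hand on forums like this one, but the four things a helper pulls out first are mechanical: O2 BHO registrations whose DLL is gone ("(no file)"), O4 autostart entries, the DNS servers in O17 lines (to compare with what the ISP or router should be handing out), and O23 services whose binary is missing. The script below is an added example and is not code from the thread or from HijackThis; it parses the line layout visible in the posted log (section code, " - ", body) and runs on a constructed sample made of a dozen lines copied from that log. It extracts and lists; it does not decide what is malicious, which is the part that still needs a person looking each item up.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log posted above.
SAMPLE_HJT_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.espn.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {15ACE85C-0BB1-42d1-9E32-07EB0506675A} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AB268D16-3B58-482F-91EB-8D305534302F} - (no file)
O4 - HKLM\..\Run: [adir] C:\WINDOWS\system32\adirss.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6FBF558D-6D24-44CA-8A1A-4B5738783841}: NameServer = 199.166.31.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FB2C11E-4377-46C7-90DC-48A431E770D1}: NameServer = 199.166.31.3
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
"""

# Line shapes as they appear in the log above (assumed to hold for the whole log).
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
SERVICE_RE = re.compile(r"^Service: (.*?) \(([^)]+)\) - (.*?) - (.*)$")
NAMESERVER_RE = re.compile(r"NameServer = (.+)$")


def parse_hjt(text):
    """Return (section, body) for every HijackThis entry line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def orphan_bhos(entries):
    """CLSIDs of O2 entries whose DLL is gone: the registry registration outlived the file."""
    return [CLSID_RE.search(body).group(0)
            for section, body in entries
            if section == "O2" and body.endswith("(no file)") and CLSID_RE.search(body)]


def run_entries(entries):
    """O4 autostarts as (hive, value name, command line), for the reader to look up one by one."""
    out = []
    for section, body in entries:
        if section != "O4":
            continue
        m = RUN_RE.match(body)
        if m:
            out.append((m.group(1), m.group(3), m.group(4)))
    return out


def nameservers(entries):
    """Distinct DNS server addresses from O17 entries, to compare with the ISP's or router's."""
    found = set()
    for section, body in entries:
        if section != "O17":
            continue
        m = NAMESERVER_RE.search(body)
        if m:
            found.update(ip.strip() for ip in m.group(1).split(","))
    return sorted(found)


def missing_services(entries):
    """Short names of O23 services whose binary HijackThis could not find on disk."""
    out = []
    for section, body in entries:
        if section == "O23" and body.endswith("(file missing)"):
            m = SERVICE_RE.match(body)
            if m:
                out.append(m.group(2))
    return out


def triage(text):
    """Bundle the four checks for one log."""
    entries = parse_hjt(text)
    return {
        "orphan_bhos": orphan_bhos(entries),
        "run_entries": run_entries(entries),
        "nameservers": nameservers(entries),
        "missing_services": missing_services(entries),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HJT_LOG).items():
        print(key)
        for item in value:
            print("   ", item)
```

Run it as-is to see the four lists for the sample, or replace SAMPLE_HJT_LOG with a full saved log. Orphan BHO CLSIDs are leftover registry keys with nothing behind them; O4 and O23 lines only make sense once each path has been checked against what the owner knowingly installed.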

shelf life
2007-02-17, 01:06
hi Yaswanth,


for a few months
A few months? Trojans fetch more trojans.


125,000+ Infected Files
It's all over your computer. While it may be cleaned up, the virus can leave behind damaged Windows files and cause problems in the future. It's even copied itself to your service pack files.

you should seriously consider wiping the hd and reinstalling windows.


shelf life

Yaswanth
2007-02-17, 06:56
Well, if at all possible, I'd rather try and fix as much as possible and make it much harder for viruses and other bad stuff to infect my computer in the future with your help. I have a lot of stuff on there that I'd rather not lose, and it would just be too much of a hassle to wipe the HD and reinstall Windows; I want to keep that as a last resort option.

But in your opinion is that the best option? Or could I get away with fixing everything and installing programs and keeping up to date with security stuff from now on?

So if possible I'd like to try and fix things first. So in the next post can you tell me where you would like me to start, shelf life or anyone else. Thank you.

shelf life
2007-02-17, 15:30
hi Yaswanth,

If it was my computer, I would reformat. You can try and clean it up.

you can delete these two folders:
C:\WINDOWS\$NtServicePackUninstall$\

C:\WINDOWS\SoftwareDistribution\Download

do not delete this one:
C:\WINDOWS\ServicePackFiles\i386\

from here:
Tidying Up After Installing SP2
by Alex Nichol

Installing SP2 leaves a lot of space on your hard disk taken up by files you would only ever need if you were to uninstall SP2. Once you are sure you are happy with the upgrade, do the following:

* A very big System Restore point will have been made. Once a new regular size one has been made in the ordinary way, clean up by going to Start | All Programs | Accessories | System Tools | Disk Cleanup and, under ‘More Options,’ click the bottom button to remove all but the most recent restore point.

* Delete the hidden folder of files that would be restored by an uninstall: C:\Windows\$NTServicePackUninstall. Once this is done, if you try to use the ‘Remove’ for Service Pack 2 in Add/Remove Programs, that will fail and will offer to delete the entry.

* There may also be a large folder C:\Windows\SoftwareDistribution\Download, depending on how you did the installation. That can be deleted also.

* Check that the installation’s temporary folder got properly removed. It will be on the drive where you downloaded the setup files (probably C:) and will have a long name of random letters. If it is still around, delete it. And burn the downloaded file to a CD so as to have it if you ever need to reinstall.

* There will also be a large folder C:\Windows\ServicePackFiles. Do not delete this — it will be used in future by Windows File Protection — but on an NTFS disk you can compress it to save about 200MB of disk space. Right-click on it, select Properties, click the Advanced button, and select Compress.
-------------------------------------------
You may have to "show all files" to locate the above.

For XP: on the desktop double-click My Computer, go to Tools > Folder Options > View, then select "Show hidden files and folders", then UNcheck "Hide protected operating system files" and also UNcheck "Hide extensions for known file types". Click "Apply to All Folders", then Apply, then OK.
------------------------------------------
Boot to Safe Mode and attempt to run your antivirus once more along with Spybot.

shelf life
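The advice above sorts the eTrust hits by where they live: the SP2 uninstall backup and the Windows Update download cache can simply go, while ServicePackFiles must stay because Windows File Protection restores system files from it. That last point cuts both ways for a machine in this state: if the copies in that cache are themselves infected, WFP can put an infected file back over a cleaned one, which is one reason the reformat advice is sound. The script below is an added example, not code from the thread or from eTrust; it parses the whitespace-separated report layout visible above and applies the delete/keep rule from this post to each directory, counting files per verdict. The rules list is the only judgement it encodes; the hotfix uninstall folder $NtUninstallKB896358$ seen in the report is not covered by the advice, so the script leaves it as "review" rather than guessing. The sample is a constructed subset of the posted report.

```python
import re

# Constructed sample: a subset of the eTrust Online Scan lines posted above
# (one or two rows per directory), plus the header row the scan prints.
SAMPLE_ETRUST = r"""
File Infection Status Path
actmovie.exe Win32/Luder!corrupt infected C:\WINDOWS\$NtServicePackUninstall$\
csrss.exe Win32/Luder!corrupt infected C:\WINDOWS\$NtServicePackUninstall$\
hh.exe Win32/Luder!corrupt infected C:\WINDOWS\$NtUninstallKB896358$\
csrss.exe Win32/Luder!corrupt infected C:\WINDOWS\ServicePackFiles\i386\
winver.exe Win32/Luder!corrupt infected C:\WINDOWS\ServicePackFiles\i386\
lsass.exe Win32/Luder!corrupt infected C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\2cf41f1db14bc8f414e16e1555b77108\backup\
"""

# Verdicts follow the advice in the post above: the two uninstall/download
# caches may go, the WFP source cache must stay. Anything else is "review";
# the hotfix uninstall folder $NtUninstallKB...$ is not covered by that
# advice, so it lands there on purpose.
RULES = [
    (r"C:\WINDOWS\$NtServicePackUninstall$", "delete",
     "SP2 uninstall backup; deletable per the advice above (SP2 can then no longer be removed)"),
    (r"C:\WINDOWS\SoftwareDistribution\Download", "delete",
     "Windows Update download cache; deletable per the advice above"),
    (r"C:\WINDOWS\ServicePackFiles", "keep",
     "Windows File Protection source cache; do not delete, let the AV disinfect or quarantine in place"),
]

DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_etrust(text):
    """Return (file, detection, status, directory) tuples from the plain-text report.

    Fields are whitespace-separated and the directory is the remainder of the
    line, so directories containing spaces survive. A file name containing a
    space would not; that is a limit of the report format, not handled here.
    """
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(None, 3)
        if len(parts) != 4 or not DRIVE_PATH_RE.match(parts[3]):
            continue  # header row, blank line or unexpected layout
        rows.append(tuple(parts))
    return rows


def classify(directory):
    """Map a directory to (verdict, reason) by longest-prefix match on RULES."""
    d = directory.lower()
    best = ("review", "not covered by the advice above; look at it before touching it")
    best_len = -1
    for prefix, verdict, reason in RULES:
        p = prefix.lower() + "\\"
        if d.startswith(p) and len(p) > best_len:
            best, best_len = (verdict, reason), len(p)
    return best


def summarize(text):
    """Group detections by directory: {directory: (count, verdict, reason)}."""
    summary = {}
    for _name, _detection, _status, directory in parse_etrust(text):
        count = summary.get(directory, (0,))[0]
        verdict, reason = classify(directory)
        summary[directory] = (count + 1, verdict, reason)
    return summary


def verdict_counts(text):
    """Total infected files per verdict, e.g. {'delete': 3, 'keep': 2, 'review': 1}."""
    counts = {}
    for count, verdict, _reason in summarize(text).values():
        counts[verdict] = counts.get(verdict, 0) + count
    return counts


if __name__ == "__main__":
    for directory, (count, verdict, reason) in sorted(summarize(SAMPLE_ETRUST).items()):
        print(f"{verdict:6} {count:4}  {directory}")
        print(f"             {reason}")
```

Point it at a full saved report and the per-directory table shows at a glance how much of the 125,000-file count sits in caches that can be thrown away versus files Windows will keep reaching for; the "review" bucket is what still needs a human decision.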

tashi
2007-02-26, 02:13
This topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.

tashi
2007-03-07, 03:08
Re-opened upon request.

shelf life
2007-03-07, 05:17
hi Yaswanth,

Here I am. Have you made any progress?

tashi
2007-03-20, 22:28
Re-opened upon request.

This topic has been archived.