Contracted a Virus Yesterday

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by LA_Cyn, Oct 29, 2009.

  1. LA_Cyn

    LA_Cyn Private E-2

    Hello,

    Maybe you can help me. You have in the past (even after I paid someone who couldn't fix my computer).

I think I contracted a virus yesterday from a well-known advertiser (I'd been getting their newsletters for over a year). Yesterday when I opened the newsletter & went to delete it, a warning came up saying it may be dangerous. But I'd already clicked the delete button when it popped up & think I hit that warning as well. After that, every link I clicked took/redirected me to some shopping type page like greatfeedmill.com, toseeka, iProwl, etc. & when I hit the "back" button it sends me to another one. I used Spybot Search & Destroy & it removed some. And when I restarted my computer last night, it seemed fine. I had AVG antivirus but it recently expired (my own fault).

    When I started my computer this morning, all my desktop icons showed up but only for a couple of minutes. Then a blue screen (default background) came up & a "SecurityTool" (brand name) page came up to try to get me to pay a yearly fee in order to protect my computer & remove 20 viruses it found (down from the 32 it showed the first time I logged on). I restarted my computer several times. This "SecurityTool" had installed itself on my computer (the shortcut is on my desktop) & it's not in the Add/Remove programs but was the last one under the "All Programs" in the "Start" menu. It says it's at C:\Documents and Settings\All Users\Application Data\30743825. I found it (2 versions - one that installed last night) & deleted them. It doesn't say who the manufacturer of SecurityTool is. I use Firefox & I Googled to find out who makes "Security Tool" & couldn't find the name. Windows Defender found Trojan:Win32/Winwebsec on my computer (which it said was severe) & quarantined it. (I run WinXP.)

    I noticed from the SUPERAntiSpyware scan that "SecurityTool" is termed a "Rogue Agent."

    Thanks in advance,
    Cynthia

    BTW, when I clicked on the "Support Forum" link at the bottom here, a very real looking "My Computer" screen came up looking like my computer doing a scan & said I needed to install the antivirus software from http://spyware-remover-free.org. I know it's not my screen because I have some other drives on it that this one isn't showing & I had another tab open on the browser. It wouldn't allow me to cancel/exit out. My only choice was to install the software. (I didn't.) I had to shut down the entire browser & come back to try again.
     


  2. LA_Cyn

    LA_Cyn Private E-2

    This is my 2nd posting with logs attached.

    When I boot up & log on after the SUPERAntiSpyware scan, 2 dialog boxes come up.

    One says:
    RUNDLL
    Error loading C:\WINDOWS\system32\calc.dll
    The specific module could not be found

    & the other says:
    RUNDLL
    Error loading C:\DOCUME~1\Owner\ntuser.dll
    The specific module could not be found

    I can still log on but those 2 dialog boxes come up.

    I am not running a 64 bit version of Windows but RootRepeal hangs up on initializing so I was never able to install or run it.

    When running MGtools, a dialog box with Error Message Type 2 came up:

    16 bit MS-DOS Subsystem
    C:\WINDOWS\system32\cmd.exe
    C:\PROGRA~1\Symantec\S32EVNTI.DLL. An installable Virtual Device Driver failed Dll initialization. Choose 'Close' to terminate the application. I clicked "Ignore" & the program ran.

    I'm not getting the redirects to the shopping site & things seem to be working fine...so far (fingers crossed).

    You guys are the greatest!

    Thanks Again,
    Cynthia
     

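The two RUNDLL dialogs described in this post (calc.dll and ntuser.dll could not be loaded) are the usual symptom of a startup entry that still points at a file the cleanup tools have already deleted or quarantined: Windows runs rundll32 against a DLL that is no longer there and reports the error at logon. The PowerShell below is an added example, not part of the thread or of the MGtools/ComboFix procedure, that enumerates the standard Run/RunOnce keys and flags rundll32 entries whose target file is missing. It assumes the stale entries live in those keys (services, scheduled tasks and Winlogon values are not covered), must be run from the affected account for the HKCU keys to be the right ones, and on the Windows XP machine in the thread needs the separately installed PowerShell 2.0.

```powershell
# Added example (not from the thread): find autorun values that launch rundll32
# against a DLL that no longer exists, which is what produces the
# "RUNDLL - Error loading <path> - The specified module could not be found"
# dialog at logon after the referenced file has been removed.
# Assumption: the leftover entries live in the standard Run/RunOnce keys; other
# launch points (services, scheduled tasks, Winlogon) are not covered here.
function Find-DanglingRundllEntries {
    param([switch]$Remove)   # pass -Remove to delete the values whose DLL is missing

    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )

    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSChildName, ...
            $cmd = [string]$prop.Value
            # Shape: rundll32[.exe] [path\]name.dll,EntryPoint
            # The path may be quoted and may contain %VARIABLES%.
            if ($cmd -notmatch '(?i)rundll32(\.exe)?"?\s+"?([^",]+)') { continue }
            $dll = [Environment]::ExpandEnvironmentVariables($Matches[2].Trim())
            # A bare file name is checked against the system directory only; this
            # approximates, rather than reproduces, the loader's full search order.
            if (-not [IO.Path]::IsPathRooted($dll)) {
                $dll = Join-Path ([Environment]::SystemDirectory) $dll
            }
            $exists = Test-Path -LiteralPath $dll
            New-Object PSObject -Property @{
                Key     = $key
                Name    = $prop.Name
                Command = $cmd
                Dll     = $dll
                Exists  = $exists
            }
            if ($Remove -and -not $exists) {
                Remove-ItemProperty -Path $key -Name $prop.Name
            }
        }
    }
}

# Report first; remove only after reviewing the output.
Find-DanglingRundllEntries | Format-Table Name, Exists, Dll -AutoSize
# Find-DanglingRundllEntries -Remove
```

Review the report before using -Remove: an entry whose DLL is merely on a drive that is not mounted at the moment would also show Exists = False, and deleting the value for a legitimate program breaks that program's startup rather than a leftover of the infection.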

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Use windows explorer to find and delete ( if they still exist ):
    c:\documents and settings\All Users\Application Data\WholeSecurity
    c:\documents and settings\Owner\Application Data\mjusbsp

    Now you must update your AV program!!

    And lastly,
    Please use add/remove programs to uninstall:
    Viewpoint Media Player <-- should have been uninstalled in step 1 of the READ ME
    J2SE Runtime Environment 5.0 Update 10

    Reboot and download and install:
    Java Runtime 6

    Tell me what problems you still have.

    If you are not having any other malware problems, it is time to do our final steps:
1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They are useful as backup scanners. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
  4. LA_Cyn

    LA_Cyn Private E-2

    I've uninstalled Viewpoint Media (I missed it the first time) & J2SE Runtime Environment 5.0 Update 10. I've also rebooted & installed Java Runtime 6.

    I did renew my AV...for 2 years (AVG 9.0 - which comes with its own firewall now).

    I never changed MSconfig back (I'm not sure how) so I think it's still running on Start up because I'm getting a different blue screen that scans my external hard drive first before it boots up (mentioning something about it being dirty).

    When I tried to uninstall ComboFix (& copied & pasted the line you posted), it asked me to run it. Then an 'Error - Win32 only' box showed up saying: Incompatible OS. ComboFix only works for workstations with Windows 2000 and XP (I have WinXP.)

    AVG detected malware, file name: C:\32788R22FWJFW\NIRCMD.CFXXE; Threat name: Tool-NirCmd. Category: PUA - Potentially Unwanted Application. (I'm guessing this is the ComboFix application). The only 2 options were "Quarantine" & "Allow." I hit "Allow." After a few clicks, ComboFix uninstalled.

    I did a Disable System Restore & rebooted to Enable.

    It seems to be running fine & I have no more problems.

    Thanks Again,

    Cynthia
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You can check your start up mode by just going to start / run / and type:
    msconfig. Once it is open, just check that the normal start up box is checked and exit. You will need to restart your computer for the change to take effect.

    And you are most welcome.
     
