Elusive viruses

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Jim_antispy_novice, Aug 27, 2007.

  1. Jim_antispy_novice

    Jim_antispy_novice Private E-2

    Hello Chaslang,

My computer is a bit ill with some strange happenings but no trace of a virus using the conventional Kaspersky virus scanner or the tools in your "Run This First Guide".

    Symptoms:
(1) Slow, start up takes a while, giving a full minute to stare at the standard backdrop.
(2) IE wants to monitor user input like a keylogger according to Zone Alarm.
(3) Stuff wants to add itself to my startup menu.
(4) Random changes in the time displayed.

I didn't pick up anything with the malware scanners, although I attached the logs.

CCleaner was great and now I don't get told that my hotmail website is fake when I access it. I copied and pasted the CounterSpy log after I had run the scan from viewing scan history. The Defender scan ran fine but didn't bring any nasties up. Panda Active had a problem as I get a prompt to allow " (yes, a program named with a single quotation mark) to run on start up when I try to download the scanner. I refuse and the download stops. I just feel such a name is dodgy because I can't even search for it on my system!

    Thanks for your help

    jim
     

    Attached Files:

  2. Jim_antispy_novice

    Jim_antispy_novice Private E-2

Oh, I just got the warning about hotmail being a fake site again. Perhaps it's not fixed after all. Here are my newfiles and HijackThis (analyse.exe) logs. Hope that it's fixable!

    Thanks again
     

    Attached Files:

  3. abri

    abri MajorGeek

Is Kaspersky new for you, or have you been using it for a while?
    abri
     
  4. Jim_antispy_novice

    Jim_antispy_novice Private E-2

    Hello Abri,

Thanks for your very speedy response. You are right, Kaspersky is pretty new to me. My friend recommended it to me as a lightweight but effective antivirus with proactive defences, which are cool (cos I'm pretty paranoid about trojans and have found stuff injecting into other processes and stuff communicating through Windows Messenger; some of the things I have seen so far which no other program has told me about), but I haven't quite mastered it yet, as you spotted, and may have denied some standard Windows programs registry access upon occasion (are some of my settings a bit different from, errr, normal?).

One other symptom that I forgot to mention is that very occasionally I can't open any files and need to reboot for things to return to normal.

    Cheers

    jim
     
  5. abri

    abri MajorGeek

    Hi Jim,
    You have some things in your logs which require fixing and I'll post that to you as soon as I finish. That takes some time, so please have patience. As for Kaspersky 6.0 ... it's an excellent piece of protective software, but for my system it turned out to be too bulky. Since it receives the highest marks, I took the problems I had with it to be due to having an older system. Anyway, that's something to think about later after anything malware related has been resolved.
    Will get back to you asap.
    abri
     
  6. abri

    abri MajorGeek

    Hi Jim,
    Did you do something to your computer on August 12th?
    abri
     
  7. abri

    abri MajorGeek

    Hi Jim!

Your computer's not showing malware symptoms. However, to be on the safe side, I will ask you as part of the following procedures to run a rootkit scan. Before then, I have a few things for you to do that will make your computer less vulnerable and will clean up some things that may be causing problems. If, after you do the steps below, that doesn't clear it up, I would uninstall Kaspersky and put in a free antivirus (AVG-free, Avast-free) just to see if, by uninstalling Kaspersky, the problems like Hotmail getting a warning as a fake site go away. Also, check if it runs better with or without ZoneAlarm turned on. You need a firewall. More recent versions of ZoneAlarm tend to make everything sound dangerous, including perfectly legitimate programs. I think the free version is not quite as forceful in this way.


    You're missing a lot of Windows updates. If you want to install them manually, it's worth reading through them to see which ones are necessary and critical for your system and what possible issues are associated with them. SP2 incorporates a lot of them, but there are many new ones in the meantime. If you set a restore point before installing them, you can get back out more easily than having to uninstall them one at a time if there are any problems.


    1) We are finished with CounterSpy now. Please go to add/remove programs and uninstall:

    - Java 2 Runtime Environment, SE v1.4.2_15
    - Sunbelt CounterSpy


    Then delete the below folders which may be left behind by the uninstall:

    C:\Documents and Settings\Tim\Application Data\Sunbelt Software
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software


    2) Once you've done the above, REBOOT

    3) Then install Java Runtime Environment vs. 6.2.
    NOTE: Do not install the new Java until you've rebooted!


    4) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


5) Do you know what the following file is? If not, please delete it. It should be listed under one of these two names.
    6) Run HijackThis(select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    After clicking Fix, exit HJT.

    Attach a new HJT log after completing all the procedures.


    7) Please copy the bold text including the word REGEDIT4 below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it, double click it and allow it to merge with the registry.

    8) Please download F-Secure's BlacklightBeta (fsbl.exe)

    * Download fsbl.exe and save it to the Desktop.
    * Once saved... double click fsbl.exe to install the program.
    * Click accept agreement and Click scan
    * This application may trigger a warning from your antivirus. Let the driver load. Wait for it to finish.
    * If it displays any items...don't do anything with them yet. Just hit exit (close)
    * It will drop a log on Desktop that starts with fsbl....big number

    Please attach the BlackLight log.

    9) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    10) When you've completed all of the above, please post the following logs:


    * HijackThis
    * Blacklight (fsbl....big number on the desktop)
    * ShowNew (newfiles.txt)
    * GetRunKeys (runkeys.txt)



    Thanks!
    abri
     
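Step 6 above has HijackThis remove an O2 BHO entry reported as "(no file)": a Browser Helper Object whose CLSID is still registered for Internet Explorer but no longer resolves to a DLL on disk. As an added illustration, not part of abri's instructions or of HijackThis itself, the read-only PowerShell script below performs the same check from the registry so you can see why a line such as the {7E853D72-626A-48EC-A868-BA8D5E23E045} entry is flagged. It assumes the standard BHO and CLSID registry locations (including the 32-bit Wow6432Node views on 64-bit Windows) and changes nothing; the function name Get-BhoStatus is mine.

```powershell
# Added example (not from the thread): enumerate Internet Explorer Browser Helper
# Objects and report which ones resolve to a file on disk. Read-only; changes nothing.
# Assumed locations: the standard BHO list and CLSID roots, plus their Wow6432Node views.

$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKCU:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
)

function Get-BhoStatus {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem $key) {
            $clsid = $sub.PSChildName          # e.g. {7E853D72-626A-48EC-A868-BA8D5E23E045}
            $dll = $null
            $name = $null
            # Resolve the CLSID to its InprocServer32 DLL, trying each registry root in turn
            foreach ($root in $clsidRoots) {
                $server = Join-Path $root "$clsid\InprocServer32"
                if (Test-Path $server) {
                    $dll  = (Get-ItemProperty $server).'(default)'
                    $name = (Get-ItemProperty (Join-Path $root $clsid)).'(default)'
                    break
                }
            }
            # Expand %SystemRoot%-style variables and strip quotes before testing the path
            $path = $null
            if ($dll) { $path = [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
            if (-not $path) {
                $status = 'no file (CLSID not registered)'
            } elseif (-not (Test-Path -LiteralPath $path)) {
                $status = 'no file (DLL missing on disk)'
            } else {
                $status = 'present'
            }
            New-Object PSObject -Property @{
                CLSID  = $clsid
                Name   = $name
                Dll    = $path
                Status = $status
            } | Select-Object CLSID, Name, Dll, Status
        }
    }
}

Get-BhoStatus | Format-Table -AutoSize
```

Both "no file" states correspond to what HijackThis prints as "(no file)". An orphaned entry does nothing by itself, since IE cannot load a DLL that is not there, but it is residue worth clearing; a BHO whose status is "present" but whose name or DLL path you do not recognise is the one to investigate before removing.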
  8. Jim_antispy_novice

    Jim_antispy_novice Private E-2

Thank you Abri!!!!
    I will work through this and get back to you. All your help is very appreciated! Ah windows updates are missing, this makes sense. I have had this before and it definitely slows everything down, good to know!

    Friendly Regards

    jim
     
