Need help with malware/virus removal

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by snickerdoodle, Jan 26, 2008.

  1. snickerdoodle

    snickerdoodle Private E-2

    Hi: First of all, total newbie here, so please be patient: My daughter is currently running an IBM pc with XP Pro service pack 2, broadband connection with router, and apparently ran into a virus problem that disabled the McAfee av program on 1/4; never able to recover or reinstall McAfee (now uninstalled), so when I stumbled onto your forums I attempted to follow read and run me first, etc., to control or eradicate the virus.

    After downloading two different free (AVG and Avast) antivirus programs (one at a time) to scan for virus, only result was that I found a record of Trojan Horse Agent.MOP that had been archived, but something managed to get by McAfee and disable it. Spybot also found some adware and spyware that made it through McAfee (can supply the log, but it included virtumonde.generic and WinAntiVirusPro 2006), so ran the Virtumonde fix, which found nothing. Scans since that time have indicated nothing but tracking cookies, but the system still is not operating correctly (VERY slow loading of programs, internet and e-mail, frequent hang ups, etc.), although the error messages to end programs at shut down are now looking better, so I'm not sure we controlled all of it. Re-ran the appropriate scans (first time with MGtools) and am attaching the records as requested (I also have the earlier scan from ComboFix if necessary).

    As a note, several days before this computer was infected, practically the same thing happened on My PC (XP Home with Norton Internet protection) which was also disabled. Contradicting info regarding what infected that one (windows quickly sent a msg saying it was a worm, a Symantec scan indicated W32.Hitapop, but the AVG scan showed several instances of PSW.OnlineGames.UYA.) Since I had most of my info backed up and found evidence that it was recording every keystroke, I decided to wipe the hard drive and start over. Really don't have that option on this PC, so I am desperate for help, as my daughter did NOT back up her system and has much to lose - not to mention I apparently don't have system recovery CDs for this PC as I did for mine. Thanks so much for any help you can provide - can't believe the education I've gotten from reading the forums since the beginning of January - you guys are great! :)
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!



    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Administrator\Local Settings\Temp

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Make sure you tell me how things are working now!
     
  3. snickerdoodle

    snickerdoodle Private E-2

    Hi Chaslang:

    Completed all of the steps as requested with the exception of the following; I wasn't able to actually locate these two files when I searched for them (DID find C:\WINDOWS\TEMP - but it was dated today), so I just continued on with the CCleaner and MGTools... I hope that was okay.

    "Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Administrator\Local Settings\Temp"

    System is still much slower than it used to be - takes a long time to pull up IE (which will be changed after reading your forums) and/or any webpages or e-mail. I know I still have some tweaking to do with McAfee gone and following your recommendations (obviously now have AVG AV and anti-spy, still need a new firewall as I read Windows Defender wasn't great either), but was trying to get this thing cleaned up before I do too much more.

    Attached are the two reports you requested.

    Again, thanks so much for your help!
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure what you are referring to. I did not ask you to delete 2 files. I asked you to delete all files in your two temp folders, and those two folders do exist. But you don't need to worry about them now as everything we needed to remove from them is gone anyway.

    What is your reference point in time?

    I'm not sure exactly what you are saying here. Are you saying IE runs slow until you open up Major Geeks in your browser?

    Windows Defender is not a firewall and you don't have it installed anymore and you don't want it.


    Your logs are clean at this time.
     
  5. snickerdoodle

    snickerdoodle Private E-2

    Hi Chaslang:

    Sorry, the newbie showing again: I meant I wasn't able to find the two files/subfolders you had listed (tried to quote you below my entry to help clarify).

    The computer is running slower when compared to before we first appeared to have been infected (on January 4 - when I noticed McAfee attempting to block a virus attack and then become "disabled"). Even after the fixes I ran between yesterday and today, the computer is VERY slow to boot, when opening any programs or the browser and when trying to open MS Outlook. Since we dumped McAfee I thought if anything it would get a little faster. Any suggestions?

    Out of curiosity, can I ask what you were able to find in the logs? Has been driving me crazy trying to figure out where we managed to pick up our malware issues - try to be careful with e-mail attachments, no myspace or music/game downloads, and thought we were pretty protected with McAfee on her system and Norton on mine (amazing that it got past BOTH of them). I'm also assuming it's time to add a more effective firewall to her computer from your recommended list. Please let me know my next steps - I've seen the list you usually provide at the end of a clean-up but am awaiting your advice on when to proceed with that and the system restore toggle - if that is what I should do.

    Thanks again - you guys are really amazing!
    Lin
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes but you have a bunch of new software installed since January 4th. All security software is going to impact start times on a PC. It is a necessary evil in order to provide you with protection. Some of your slowness could be an effect of the installing/uninstalling of too many antivirus programs which have a tendency to leave lots of junk lying around. You had multiple folders for Grisoft lying around and only one is current. That means you probably installed it more than once. Also there were still signs of Symantec and Avast. So this would mean you have had Symantec, McAfee, Avast, and AVG all installed at one time or another.

    We can try doing a couple more scans just to make sure nothing else is hiding. I will give you what to do further down.

    Virtumonde aka Vundo.


    Please run this Using ESET's Online Scanner and attach the requested log.

    Also run this Using Sophos Anti-Rootkit and attach the requested log.
     
  7. snickerdoodle

    snickerdoodle Private E-2

    Yeah, unfortunately, when McAfee was disabled I first scanned with the Symantec tool I found when trying to reinstall my Norton on my computer (the first system "down"), then found out about Avast and tried that when AVG failed to install. Around that point I found Majorgeeks and got an education and tried to follow the Read Me First, etc., etc., which eventually brought me to this point.

    Now the bad news (supplying the details in case they're significant): AFTER disabling my AVG, and when trying to "initialize and update" the ESET Online Scanner the computer was behaving fairly erratically (first a "Virtual Memory Low" message popped up), and the process kept failing with the following message "Error: Update Failed (200)" after a fairly lengthy wait (being they said the process should take around a minute w/broadband and each time it took 10-15 mins or so), but when I retried, I noticed it kept getting a bit further in the process each time, so I tried several times until the install was successful. However, during that time I noticed when I tried to get to the different pages in IE, there were sometimes two complete toolbars (Explorer/StatusBar, etc.) at the top of a single IE page, as if I had entered two searches at the same time, but there were NOT two tabs or two pages.

    As I was doing the scan, and until I rebooted, the dark blue "bar" at the top of any message or IE page was "invisible" and the minimize/maximize or close buttons were missing unless I hovered there. Also heard sounds at several points during the downloads indicating there were "pop-ups" but the number of pop-ups blocked hasn't changed all afternoon, and the Active X bar wasn't showing up, although I knew I needed to approve that install for the download to complete. Thankfully the scan completed and the report from the scan (6 threats found) is attached as you requested.

    After rebooting (which seemed to eliminate some of the craziness that had been occurring) I re-enabled the AVG (hope that was correct, double checked the thread and didn't see where I should have it disabled) and tried to do the Sophos Anti Rootkit download and install. First time, rec'd an error message from helper.exe "Not enough quota is available to process this command", and the location it was trying to install to was C:\Program Files\Sophost\Sophos Anti-Rootkit. Although I suspected it didn't matter as long as I could locate the file, you had said the default would be C:\SOPHTEMP, so I tried again and indicated that location, and then the helper.exe popped up with the message "Application failed to initialize properly (0xc 000012d) Click OK to terminate." Because I had such difficulty getting this to download to the desktop in the first place, I (with much regret) deleted that download and tried again. When I finally had "success" in downloading and running the scan, I got the message when it got to scanning local hard drives: "Error: Could not start the helper process - unable to complete scan. Please restart and try again. Incorrect function". Tried restarting the scan, and then restarting the computer and rescanning - to no avail. A fresh download and this time the download went smoothly, so I tried two more times to run the sargui.exe and got the same Error message at the same point in the scan. Saved the report to attach anyway, and when viewing the report, realized the same dumb thing was happening over and over, even the first time when the scan had appeared not to run. Pshew! I think that is all to report... I hope this helps, and am sorry for the lengthy post - just want to be sure I'm not leaving out anything important, and not sure I'd know what that is at this point!

    Thanks for your patience,
    Lin
     


    Last edited by a moderator: Jan 30, 2008
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The only items found by the ESET scan are in the quarantine from running ComboFix and in System Restore. Neither of these are issues. They will be removed during final steps which I'm going to give to you now anyway since whatever problems you are having with performance do not appear to be due to malware.

    You could uninstall AVG Antispyware and you can run analyse.exe (like you did in msg # 2) to fix the below unnecessary startups but obviously these are not malware issues:
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe



    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN
      • Now type combofix /u in the runbox and click OK.
      • Note: The space between the X and the /U, it must be there.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.
    9. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    10. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    11. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    12. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    13. After doing the above, you should work thru the below link:
     
    Last edited: Jan 31, 2008
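The HijackThis lines chaslang quotes in messages #2 and #8 (O2 browser helper objects and O4 autostart entries) follow a fixed format, and a defender reviewing such logs usually wants them broken into location, name and program path, with orphaned entries like the "(no file)" BHO and unquoted paths containing spaces flagged for follow-up. The parser below is an added example written for this thread, not code from HijackThis or MajorGeeks; its sample log is constructed from the lines shown in the posts above, and the regexes assume exactly the line layout HijackThis prints there.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample assembled from the HijackThis lines quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
"""

@dataclass
class Entry:
    section: str               # "O2" (browser helper object) or "O4" (autostart)
    location: str              # HKLM / HKCU / Global Startup, or the CLSID for a BHO
    name: str
    command: str               # raw value exactly as HijackThis prints it
    executable: Optional[str]  # program path extracted from the command
    orphaned: bool             # registered but its file is "(no file)"

O4_RUN = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O4_GLOBAL = re.compile(r'^O4 - Global Startup: (?P<name>.*?) = (?P<cmd>.*)$')
O2_BHO = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<file>.*)$')

def executable_of(command: str) -> str:
    """Return the program path from a Run-key value, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # An unquoted value may itself contain spaces, so cut after the first
    # ".exe" instead of splitting on whitespace.
    m = re.search(r'\.exe\b', command, re.IGNORECASE)
    return command[:m.end()] if m else command

def parse_hjt(text: str) -> List[Entry]:
    """Parse O2 and O4 lines; any other line is ignored."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if m := O4_RUN.match(line):
            entries.append(Entry("O4", m["hive"], m["name"], m["cmd"], executable_of(m["cmd"]), False))
        elif m := O4_GLOBAL.match(line):
            entries.append(Entry("O4", "Global Startup", m["name"], m["cmd"], executable_of(m["cmd"]), False))
        elif m := O2_BHO.match(line):
            orphan = m["file"] == "(no file)"
            entries.append(Entry("O2", "{%s}" % m["clsid"], m["name"], m["file"], None if orphan else m["file"], orphan))
    return entries

def orphaned_entries(entries: List[Entry]) -> List[Entry]:
    """Registrations whose target file is gone: leftovers worth cleaning up."""
    return [e for e in entries if e.orphaned]

def unquoted_with_spaces(entries: List[Entry]) -> List[Entry]:
    """Autostarts whose unquoted path contains spaces; quoting them is a cheap hardening step."""
    return [e for e in entries if e.section == "O4" and not e.command.startswith('"')
            and e.executable is not None and " " in e.executable]
```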
  9. snickerdoodle

    snickerdoodle Private E-2

    Hi chaslang:

    Thanks so much for all of your time and patience... don't know if it's a favor or not, but I have been telling all of my family/friends/students about your site - in hopes they'll visit BEFORE they ever need the malware assistance! Am still learning every day, and can't tell you how much I appreciate finding MG's and feeling I can trust the information and help you provide.

    I followed the remaining steps you recommended, installed our new anti-spyware (Comodo) and while waiting to hear from you yesterday I went in and tried to find any and all remnants of files from the McAfee/symantec downloads, etc., to clean up the system as best I could. Removed all of the specified files/folders from our "clean-up" today, yet I'm still having problems with reeeallly slow bootup, and downloading of e-mail or internet.

    Yesterday I did a "print screen" of what is happening on the IE page so I can actually show you what I was referring to... if two search bars are trying to load on one page I'm sure it is slowing down the system, but cannot figure out why this started happening or how to fix it. If this is a question for another forum/thread, please refer me to the proper place and I will repost if necessary.

    Other than that (and the failure to successfully run the root-kit yesterday - took me several HOURS to get those two steps completed to that point!) things are working more smoothly - if a lot more slowly. If there are any other recommendations you (or another forum) can suggest for that (more memory??), please let me know.


    Attachment of IE "double bar" issue is below...

    Thanks so much!! Have a great day! :)
    Lin
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you deal with the items I mentioned in my last message? These items?

    You could also remove the below two items but again this is not malware:
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

    Uninstall Google Toolbar for Internet Explorer and then reboot. Do you still have problems, especially with the duplicate toolbars? This is really a topic for the Software Forum. This is not malware.


    It is quite possible that your PC is just a slow PC. What are your PC specs? Like processor type and speed? Also how much RAM? Or you could be having hardware problems.

    Does your PC boot up slow in safe mode?

    When you say it is slow, what are you comparing to? And how long does it take from the time you turn on the power until you see the Welcome Screen?

    For downloads being slow, you may need to check with your ISP. Are you on dialup, cable or DSL?
     
