Infected or not infected, that is the question.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by JimGary, Jan 31, 2007.

  1. JimGary

    JimGary Private E-2

    I thought I was infected because I was having a problem with 100% CPU utilization, but after going through the entire procedure and only finding what I think are a couple of false positives and one or two minor ad/spyware problems, I really don't know. I tried two of the alternative scans, but neither TrojanScan nor Trend Micro worked even though I've downloaded the latest Java pack and removed the older versions. Here are the first three logs. I was unable to get logged on in safe mode with network support, so BitDefender and Panda were run in normal mode.
     


  2. JimGary

    JimGary Private E-2

    ... and the rest. Thanks for your time and effort!!!
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to run CounterSpy again and this time fix what it finds. You ignored everything and these are not false positives and the last two can be really nasty. Attach a new log after doing this.

    Also what Panda found is this: http://www.symantec.com/security_response/writeup.jsp?docid=2005-071312-5833-99

    Is this a continuation of your thread commenting on Ares using all of your CPU? If so, you should have stayed in that thread.
     
  4. JimGary

    JimGary Private E-2

    >> You need to run CounterSpy again and this time fix what it finds.

    Sorry, first time using these tools. I sent you the log from before the last two were fixed. I was pretty much positive that the first item (backweb-7288971.exe) came with the Kodak software for my camera but as I'm also pretty sure that software's not being updated anymore, I went ahead and blew that one away, too.

    It still shows a cookie but I'm not worried about that. If somebody wants to know the sad fact that I spend most of my time on English Grammar ESL sites, they have less of a life than I do. :)

    >>Also what Panda found is this: http://www.symantec.com/security_response/writeup.jsp?docid=2005-071312-5833-99

    I did some research on that one. The file length (I know that's not a foolproof indicator) isn't the same and (up-to-date) Norton AV hasn't tagged that one as a threat for the last couple of years so should I assume it's a legitimate vchelper.dll or go ahead and get rid of it just in case?

    >> Is this a continuation of your thread commenting on Ares using all of your CPU? If so, you should have stayed in that thread.

    Sorry, assumed that this was the first formal request for help. I didn't realize that the only people who could reply were the experts.

    Here's a clean CounterSpy log and thanks again.
     


  5. JimGary

    JimGary Private E-2

    Found this in my inbox but it's not a part of the thread?

    I deleted everything but what you commented on as best I could, so I may not have responded to one of your comments.

    Here is the message that has just been posted:
    ***************
    >> You should not allow Ares to load at startup! But why is this still here
    >> when the program does not appear to be installed?
    >> O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h

    I don't let most of this stuff load normally but the instructions said not to let MSConfig manage the startup, so EVERYTHING is loading. I don't know why Ares is still there. It's not installed. I did another HJT run and it still shows.


    >> "DisplayName"="QQ2005 Formal" <--- this is considered adware.
    >>See these:
    http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453083549
    http://www.siteadvisor.be/sites/qq.com/downloads/1332861/

    Oh QQ is HORRIBLE!! Annoying, resource hog, adds 5 minutes to my boot up time, constantly getting requests to chat from people I don't know... BUT all that being said, it is THE (nothing else comes close) IM in China and to encourage my students to practice with the language I must use it. I would be so happy if I could send it to silicon hell where it belongs.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Actually I did not mean for you to work on that message with QQ and other items yet. The procedure was incomplete. It just got too late to continue. So I saved it and did what we call a soft delete, which hides it from being viewed. The problem is that the system immediately sent you an email notification about the message.

    As long as you know that QQ is adware and understand the problems associated with it, then keeping it is your decision.

    As far as vchelper.dll is concerned, put a copy in a ZIP file and attach it here. Also you could try renaming it to vchelper.ddd and then, after reboots and running your system for a few days, you should know whether it is needed for anything or not. This way it can be restored if necessary.

    Are you still having high CPU usage problems? If so, what process or processes are using all of it?

    Attach new logs from ShowNew and HJT.
     
  7. JimGary

    JimGary Private E-2

    >> As far as vchelper.dll is concerned. Put a copy in a ZIP file
    >> try renaming it to vchelper.ddd

    Done and done

    >> Are you still having high CPU usage problems?

    No, after getting rid of Ares and the initial problem with Explorer.exe also taking over the CPU, I haven't had any more problems, but I wanted to make sure there's nothing hanging around waiting to cause the problem again or if, in fact, the problem had nothing to do with any infection. That seemed to be the most likely suspect, so eliminating that as a possibility seemed to be the first step. I am concerned that neither TrendMicro nor TrojanScan are able to load. If I were a trojan, I'd try to make sure that effective clean up tools wouldn't be able to clean me. It could easily be network issues but still...

    >> Attach new logs from ShowNew and HJT.

    Done
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The vchelper.dll file appears to be adware. It looks like it is this: http://research.sunbelt-software.com/threatdisplay.aspx?name=VCbar&threatid=44374

    Leave it renamed for now and if no problems occur, delete it in a couple days.


    Okay now uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders left behind by the uninstall:
    C:\Documents and Settings\Owner\Local Settings\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software

    Since you uninstalled Ares, you should just have HJT fix the below line to stop it from trying to load at startup:
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h


    Other than that, you are clean! If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
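The leftover Ares entry above (an O4 Run value pointing at a program that was already uninstalled) is a common kind of orphan. The following PowerShell check, added here as an example and not part of the thread or of HijackThis, lists the Run entries for the current user and the machine and flags any whose executable no longer exists on disk. It only reports; it does not change the registry.

```powershell
# Added example (not from the thread): report Run entries whose target file is missing,
# e.g. an orphaned [ares] "C:\Program Files\Ares\Ares.exe" -h value after an uninstall.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',   # per-user (the O4 HKCU line above)
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'    # machine-wide, checked as well
)

foreach ($keyPath in $runKeys) {
    $key = Get-Item -Path $keyPath -ErrorAction SilentlyContinue
    if (-not $key) { continue }   # key absent on this system; nothing to report

    foreach ($name in $key.GetValueNames()) {
        $cmd = [string]$key.GetValue($name)

        # Pull the executable out of the command line: either a quoted "C:\path\x.exe"
        # or the first whitespace-delimited token. Arguments such as -h are ignored.
        if ($cmd -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
        else                            { $exe = ($cmd.Trim() -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)

        # A Run value whose program is gone is an orphan: harmless by itself, but it
        # is exactly the kind of line an expert asks you to have HJT fix.
        $status = if (Test-Path -LiteralPath $exe) { 'present' } else { 'MISSING' }
        '{0,-8} {1,-6} [{2}] {3}' -f $status, $key.PSDrive.Name, $name, $cmd
    }
}
```

Run it from a normal PowerShell prompt; entries marked MISSING are candidates for removal with HijackThis or msconfig, after confirming the program really is uninstalled.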
