Please help..on a virus and my computer...

Discussion in 'Malware Help (A Specialist Will Reply)' started by topshelf1227, Apr 14, 2008.

  1. topshelf1227

    topshelf1227 Private E-2

    I am writing to ask you some questions about my PC. About two years ago, my uncle, who works with computers for a living, helped me by installing a new hard drive and loading Windows XP Pro when my old hard drive had crashed.

    Here's what's going on ...

    When the computer starts I get this message immediately:

    ____________________________________

    Award Medallion BIOS v 6.0
    Copyright (c) 1984-2001, Award Software, Inc.

    ACPI BIOS Revision 1002

    Award Plug and Play BIOS Extension v 1.0 A
    Initialize Plug and Play Cards...
    PNP Init Completed

    Detecting Primary Master...WDC WD 1600JB-00GVCD
    Detecting Primary Slave...ST 380020A
    Detecting Secondary Master...HL-DT-STDVD-ROM GDR8160B
    Detecting Secondary Slave...SONY CD-RW CRX175E
    SMART Failure Predicted on Primary Slave: ST380020A

    WARNING: Immediately back up your data and replace your hard disk drive. A failure may be imminent.


    Press F1 to continue, F2 to enter setup


    12/18/2001 - I845 - P4B266LM

    ________________________________________________________

    So I click on F1 and it loads up just fine. But I have for the last week been receiving on my AVG antivirus a THREAT DETECTED! in my C:\Documents and Settings\Administrator\Local Settings\Temp\b.138.exe

    It says it's a Trojan Horse Generic10.KOE
    Backup copy
    Infected

    I have run scans on the computer and yesterday was getting this THREAT DETECTED! message every 3 minutes it seemed like. I downloaded and ran spysweeper, but it was a trial version and it wasn't able to remove any malware or adware or viruses, only locate them. It did locate about 158 threats.

    I did remove all temporary Internet Files from both IE and Firefox. I downloaded a program called CCleaner, which brought me through removing words.exe as well as cleaning up the registry and removing unnecessary files from temp folders.

    I did have a firewall on my computer that was put on by my uncle, but I did shut it down because it was giving me problems updating and I had major issues with Firefox one day because of it. Firefox stopped working, couldn't connect to the internet, and when I checked Internet Explorer, it was working. So I knew it had something to do with Firefox. So I uninstalled it and reinstalled it, and it still was an issue. When I checked on Google for this problem, it said that this can be caused by the firewall, so I stopped the firewall. Now I don't even have one running.

    I haven't received any messages about a virus today as of yet. But I didn't do anything, no virus scan on my own or anything like that. I know my AVG scans at 8 am every morning. I leave my computer running all the time.

    Because I was given another version of XP by my uncle, I did have this star in the bottom right by the clock saying "Your system may be at risk". I try to download MS updates, but because I didn't have licensed software, it won't let me do a full update. Therefore, I may be vulnerable? I did download a bunch of files yesterday from this site, www.majorgeeks.com, and one of them is removewga.exe, which removes that Windows Genuine Notification alert, which I was getting. The other programs I have downloaded are all from this page, which tells a user how to clean Windows XP. http://forums.majorgeeks.com/showthread.php?t=139313

    I have not run anything yet, though I did also download a defragment program and defragmented my hard drives. I also removed a program called words.exe. I did turn off system restore on all drives yesterday, and rebooted in safe mode with networking. But after some efforts to try to remove the virus, I decided to turn it back on again and return to normal mode.

    Here's the latest info on my computer, as found when I click properties on "my computer":

    General
    System:
    Microsoft Windows XP
    Professional
    Version 2002

    Registered to:
    John T (this is not me)


    Computer:
    512 MB of RAM

    Computer Name:
    jj1
    WORKGROUP

    Automatic Updates:
    Every Monday at 3:00 AM

    System Restore:
    ON

    Through the website PCPitstop.com:

    Test Results Summary
    Computer Name: JJ1
    Date Tested: Mon Apr 14 21:49:02 EDT 2008

    This system performs well on our benchmarks, and should have plenty of power for most applications. You may be able to add a few system upgrades or tweak some Windows settings to improve performance. Regular system maintenance is also important to keep your system running in top condition.

    Customized Tune-up Tips
    • Upgrade your OS Service Pack
    • Update AntiSpyware
    • Reduce System Restore space (Drive C, G)
    • Update outdated device drivers
    • Install more memory
    • Auto-filling Forms with IE May Present a Security Risk
    • Saving Web Page Passwords with Firefox May Present a Security Risk
    • Auto-filling Forms with Firefox May Present a Security Risk
    • Install Backup Software
    • Unusually low performance (Drive F)

    Configuration Summary: Our analysis was based on the data collected from this computer. A summary of the data collected is shown below. Click on any of the subsystem names or flags in the table below to see more information, or use the test details to see all the data on one page. For a list of programs running on your computer, including spyware, see the Windows details page. The test history page has a summary of previous tests for this configuration. See how your system compares to others we've tested.

    Subsystem Status Description
    System Intel Pentium 4, 1600 MHz
    Memory 512MB RAM
    Disk Drives C, F, G
    Video NVIDIA RIVA TNT2 Model 64
    Internet MSIE 6.0; Embedded Web Browser from: http://bsalsa.com/; (R1 1.6); .NET CLR 2.0.50727
    Windows Windows XP Pro
    Security
    Compare



    I have installed and run JkDefrag to defragment my drives. I did download HijackThis but I haven't installed it yet.

    I also downloaded but didn't install superantispyware.exe, combofix.exe, spybotsd152.exe, ZoneAlarm.

    What should I do at this point?

    How does my computer's health look overall? What things can I do to optimize it? Do I look to upgrade in areas? Is my computer outdated and I would be wise to invest in a new one?

    And what about that virus?

    Please help. Thanks.

    Jeremy
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    The message you are posting is not malware. It is because your hard disk will soon be failing.

    For malware issues, which the above is not, the below are the required steps!

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

    READ & RUN ME FIRST. Malware Removal Guide
     
  3. topshelf1227

    topshelf1227 Private E-2

    Okay I followed the steps listed and here are the logs...


    Edit by chaslang: Inline logs attached.


    One last thing....Combo fix changed my clock to 24 hour setting, but never changed it back. How do I fix this?

    And...if my hard drive, which was the original backup hard drive, (used to be drive F but is now drive G) will soon fail...what should I do?

    Thanks....
     

    Last edited by a moderator: Apr 16, 2008
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow instructions properly from now on. You are supposed to attach all logs as requested in the instructions. You posted some of them inline. I will change them into attachments for you this time.

    You can fix your clock from Control Panel -> Regional and Language Options and then on the Regional Options tab click the Customize button, then on the next form click the Time tab. Then change the Time format to what you want. It explains there what the lower case and upper case letters will do. Upper case H is giving you 24 hour clock settings.

    Your Windows version is way out of date with updates and represents a major security risk! Why haven't you updated? After we finish cleanup of any malware issues (which we will begin in my next message) you MUST get your PC updated.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 11
    Java(TM) 6 Update 2

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Policies\Explorer\Run: [{D83D6023-064E-1033-1218-010703010001}] "C:\Program Files\Common Files\{D83D6023-064E-1033-1218-010703010001}\Update.exe" te-110-12-0000213
    O4 - HKUS\S-1-5-21-1417001333-706699826-1801674531-500\..\Policies\Explorer\Run: [{D83D6023-064E-1033-1218-010703010001}] "C:\Program Files\Common Files\{D83D6023-064E-1033-1218-010703010001}\Update.exe" te-110-12-0000213 (User '?')
    O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/1142cf49a8a27579c904/netzip/RdxIE601.cab

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
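The HijackThis lines chaslang picked out in the post above share a few visible traits: entries that point at a file that no longer exists ("(no file)", "(file missing)"), an autostart under Policies\Explorer\Run that launches from a GUID-named folder under Common Files, an O16 ActiveX download (DPF), and a URLSearchHook. As an added example, not part of the original thread and not code from HijackThis or MajorGeeks, the Python script below turns those traits into triage heuristics over HijackThis-style log lines. The sample log is the excerpt quoted above plus one benign ctfmon.exe entry constructed here for contrast; the heuristics themselves are assumptions for illustration and do not decide on their own what is malware. Note that the SunJavaUpdateSched entry, which post 7 describes as not malware but merely an unneeded startup, is deliberately left unflagged.

```python
import re

# Sample log: the entries quoted in the post above, plus one benign entry
# (ctfmon.exe, a standard Windows XP autostart) constructed here for contrast.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Policies\Explorer\Run: [{D83D6023-064E-1033-1218-010703010001}] "C:\Program Files\Common Files\{D83D6023-064E-1033-1218-010703010001}\Update.exe" te-110-12-0000213
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/1142cf49a8a27579c904/netzip/RdxIE601.cab
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# "O4 - HKLM\..\Run: ..." -> kind "O4", body "HKLM\..\Run: ..."
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
# A path component that is a bare GUID directly under Common Files.
GUID_DIR_RE = re.compile(r"Common Files\\\{[0-9A-Fa-f-]{36}\}\\", re.IGNORECASE)


def triage_entry(line):
    """Return the reasons a HijackThis entry deserves a second look ([] if none).

    These are heuristics (assumed for this example), not a malware verdict.
    """
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.group("kind"), m.group("body")
    reasons = []
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("orphaned: references a file that no longer exists")
    if kind == "O4" and "Policies\\Explorer\\Run" in body:
        reasons.append("autostart under Policies\\Explorer\\Run, a key ordinary installers do not use")
    if kind == "O4" and GUID_DIR_RE.search(body):
        reasons.append("launched from a GUID-named folder under Common Files")
    if kind == "O16":
        reasons.append("DPF: ActiveX control downloaded from a web site")
    if kind.startswith("R") and "URLSearchHook" in body:
        reasons.append("URLSearchHook: hooks address-bar searches")
    return reasons


def triage_log(text):
    """Map every non-blank line of an HJT log to its list of reasons."""
    return {line.strip(): triage_entry(line)
            for line in text.splitlines() if line.strip()}


def suspicious_entries(text):
    """Lines a human should review, in log order."""
    return [line for line, reasons in triage_log(text).items() if reasons]


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG).items():
        print(("REVIEW " if reasons else "ok     ") + line[:70])
        for r in reasons:
            print("         - " + r)
```

Running it marks four of the six sample lines for review (the R3, the Policies\Explorer\Run O4, the O9 and the O16) and leaves both the jusched.exe and the ctfmon.exe entries alone. That matches the thread's point that a listed startup is not automatically malware: the heuristics only narrow down what a human needs to look at.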
  6. topshelf1227

    topshelf1227 Private E-2

    Okay...I have done all that you had said...but first let me say that I want to thank you for doing this to help me and the countless others who have computer issues. I know you guys do this on your own time and for free, and I look up to you guys and salute you. I raise my glass to all of you! Cheers!

    Thanks again...

    Now..

    I removed Windows Messenger.

    I uninstalled Java and J2SE

    I ran HijackThis, and I couldn't find the following line to remove - it wasn't there, so I skipped it: O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" but I did click and remove all other lines.

    I did receive a success message about adding to the registry.

    I ran the Avenger - log is attached.

    When I rebooted and after I logged in, however, I got the following error message:

    cmd.exe
    X There is no disk in the drive. Please insert a disk into drive E.

    I didn't know what else to do, so I clicked Continue.

    Installing Java Runtime Environment, it did say that this was an unsupported Windows version, and that it is not recommended on my machine. However, I just installed it anyway, because I figured you know about that and how we can fix it.

    As far as updating Windows, I do want to update it, but remember what I said about having my uncle install Windows XP Pro? I originally had Windows XP Home Edition, which came with my computer, but he installed Windows XP Pro, which is a copy from work. This was not my idea, but he said that Windows XP Pro was better to have for my computer. Therefore, it will not allow me to install some updates from the Windows site. What can I do?


    My updates want to put Windows XP Service Pack 2. Should I do it? What about WGA Notifications, as the updates want to put that on there as well.


    The logs are attached. I appreciate your attention to all this!

    How am I looking so far?
     

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    A new one took its place after installing the new version of Java.

    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"

    It is not malware. It is just a startup that is not required as long as you periodically check for updates yourself. It avoids the waste of System Resources and avoids the additional boot up delays caused by allowing it to always run.


    As long as this is not happening at each boot up then it is not an issue.


    It should work okay, but it will be better once you get updated.

    Purchase a valid license or reinstall the version you have a license for.

    I thought you just said above it will not allow you to install updates. You need to have WGA installed. If that does not verify your Windows copy to be legal, then you need to get legal. Old/non-updated versions of Windows like you are running have many security issues and are susceptible to some serious infections.


    Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:
    1. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\cf" /u
        • Notes: The space between the cf" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\cf folder from combofix.
    2. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    3. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    4. If we had you run Avenger, you can delete all files related to Avenger now.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    8. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
