Disinfecting Friend's Computer

Discussion in 'Malware Help (A Specialist Will Reply)' started by Miss M, Dec 27, 2010.

  1. Miss M

    Miss M Private E-2

    I am helping a friend disinfect her business laptop. She runs a monogramming and sewing business at a local flea market, and she was at the market when some sort of unfamiliar (not from her security) virus warning popped up. She knew not to believe it, but, instead of going to Task Manager to kill it, she clicked on the "X". When she did, her screen went blue. This was in early November.

    Once she recovered from the blue screen, she noticed that the computer started running slowly. It would be slow about going to a website, and then it would navigate some of the time but not all.

    Then, about a week before Christmas, the computer started saying, "Congratulations, you won!" at random intervals.

    I have walked her through the Read & Run. She has 64-bit Windows 7. Her security is Windows Firewall and Trend Micro Titanium. This computer is two or three months old.

    We did not download RootRepeal, since it is a 64-bit OS, and Combofix would not complete. It got to stage 52 and then caused the computer to reboot and it would put up the "Windows has recovered from an unexpected shut down..." bit. MGTools appeared to be having some issues as well, something about something not being a valid win32 application, and it kept repeating that a 64-bit operating system had been found.

    I have attached the three logs we were able to get. Her computer is running much better now, since we have done the Read & Run.

    Thank you so much for any help you can give us! We will be improving the security when it is clean. :)
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

The below folder seems very suspicious. Do you know what it is for? The date of creation seems to be from when the problems began. What is in this folder?
    C:\ProgramData\dAlCm02099

    The below file is also questionable.
    C:\ProgramData\nPvBXm.dat


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (file missing)
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

    After clicking Fix, exit HJT.

    Other than the above, the logs are pretty good. How are things currently working?
     
  3. Miss M

    Miss M Private E-2

    This file is in it: C:\ProgramData\dAlCm02099\dAlCm02099
    We cannot tell what the extension is for this file. The file type is "file". Previous versions for the folder: 12-26-10, 12-24-10, two on 12-22-10, 12-21-10, 12-18-10 has four, 12-17-10, and 12-16-10. No previous versions for the file inside. Attributes: AL, all permissions except "special permissions" allowed under Security. We have no idea what the folder and file are for, and the details of it provide no clues, except that the date of creation is, as you saw, 11-11-10. She thinks she got the warning popup the Saturday prior to this date.

    Date created 12-16-10, modified 12-17-10. Opens with Windows Shell COMMOR. 112 bytes. Attributes: AL, all permissions except "special permissions" allowed under Security. We have no idea what this file is for.

    Also in the ProgramData folder are two Norton folders. One is named "Norton", and the other "Norton Installer". Norton was supposedly (according to the Geek Squad guy at her store) partially installed on the machine, and he "finished uninstalling it". Can we just delete these Norton folders?

    We completed this. The computer is running really well now! :)
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There is no extension. Put a copy of the file into a ZIP file and attach it here. This is likely something you don't need and since your computer is running good right now then this file is probably not causing any current problems. However it sure looks like it could be due to malware so it would be worth trying to look at.

    Also put a copy of the C:\ProgramData\nPvBXm.dat file into the same ZIP.


    Yes if no Symantec/Norton programs are still installed then you can delete these.
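Gathering the facts chaslang is asking for (creation and modification times, size, attributes, a hash, whether anything autostarts the file) and packaging copies for an analyst is a common triage step. The script below is an added example written for this page, not a MajorGeeks tool or anything chaslang posted. It uses the two paths named in the thread, writes to a hypothetical `Desktop\triage` folder, and assumes PowerShell 5.1 or later (the PowerShell 2.0 that shipped with Windows 7 lacks `Get-FileHash` and `Compress-Archive`). It only copies the files; nothing is deleted or renamed.

```powershell
# Added example (not from the thread or MajorGeeks' tools): collect metadata on the
# two ProgramData items chaslang questioned, check the common Run keys for references
# to them, then ZIP copies for analyst review. Assumes PowerShell 5.1+ and an
# elevated prompt so ProgramData items are readable.

$Suspects = @(
    'C:\ProgramData\dAlCm02099\dAlCm02099',   # extensionless file, path from the thread
    'C:\ProgramData\nPvBXm.dat'               # questioned .dat file, path from the thread
)

# Output location for the CSV and ZIP (hypothetical path, change as needed)
$OutDir = Join-Path $env:USERPROFILE 'Desktop\triage'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$Report = foreach ($Path in $Suspects) {
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Not found: $Path"
        continue
    }
    $Item = Get-Item -LiteralPath $Path -Force   # -Force also returns hidden/system files
    [pscustomobject]@{
        Path       = $Item.FullName
        SizeBytes  = $Item.Length
        Created    = $Item.CreationTime
        Modified   = $Item.LastWriteTime
        Attributes = $Item.Attributes.ToString()
        SHA256     = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        # 'NotSigned' is typical of dropped payloads but also of ordinary data files,
        # so treat it as a hint for the analyst, not a verdict.
        Signature  = (Get-AuthenticodeSignature -LiteralPath $Path).Status.ToString()
    }
}

$Report | Format-List
$Report | Export-Csv -LiteralPath (Join-Path $OutDir 'suspects.csv') -NoTypeInformation

# Does anything in the usual autostart Run keys point at these files?
$RunKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($Key in $RunKeys) {
    if (-not (Test-Path -Path $Key)) { continue }
    $Props = Get-ItemProperty -Path $Key
    foreach ($Prop in ($Props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        foreach ($Path in $Suspects) {
            if ([string]$Prop.Value -like "*$(Split-Path -Path $Path -Leaf)*") {
                Write-Warning "Autostart entry '$($Prop.Name)' in $Key references $Path"
            }
        }
    }
}

# Copy (never move or delete) the files, then ZIP them with the CSV for attachment.
$Copies = foreach ($Row in $Report) {
    $Dest = Join-Path $OutDir (Split-Path -Path $Row.Path -Leaf)
    Copy-Item -LiteralPath $Row.Path -Destination $Dest -Force
    $Dest
}
Compress-Archive -LiteralPath ($Copies + (Join-Path $OutDir 'suspects.csv')) `
                 -DestinationPath (Join-Path $OutDir 'suspects.zip') -Force
```

The CSV travels inside the ZIP so the analyst sees the timestamps and hashes as they were on the machine, which matters if the files are later renamed or deleted as chaslang suggests further down the thread.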
     
  5. Miss M

    Miss M Private E-2

    I have attached the zip file for you. :)

    She noticed when booting her computer that a Bing toolbar comes up and it has a Norton thing on it, so I think that's why the Norton folders are there. She's uninstalled the Bing (MSN) toolbar now, but it came up again when she rebooted, but it is no longer in add/remove programs. *sigh* We'll worry about that later, I guess. It doesn't seem to be something that would interfere with installation of Online Armor and Avast on her computer, does it?

    She's noticed "Zalman Frisbee" in her start menu... what is that? I can find only one thing about it online, and that's someone else who had an infection. No one has answered him, so I don't know what it is. Do you?

    Trend Micro Titanium will not uninstall. Not no way, not no how. So we will begin a search and destroy campaign against it, and then run CCleaner to finish it up. I hate software that will not allow you to uninstall it. Grrrr. :banghead
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

I cannot tell anything positive or negative from that. I would leave them alone for now or try renaming them and see if anything negative happens after reboots and running the system for a couple days. If nothing complains, then they can likely just be deleted.

Bing has nothing to do with Norton. It is a Microsoft Search Tool (like Google). It is also not malware. If you have any issues related to it, you can post about them in the Software Forum.

    Nope! ;)

    I believe it is junk that comes along with some rogue search tools. It was not in any of the logs you had attached either. Is this new?

    Software Forum or TrendMicro Forums. Also see the below:

    http://esupport.trendmicro.com/1/How-do-I-remove-old-or-new-versions-of-Trend-Micro-products-in-my-comp.aspx
     
  7. Miss M

    Miss M Private E-2

    Thank you, Chaslang! Sorry for the software questions; I try to remember to leave them out, but sometimes I just dump my thoughts out without thinking to edit them. :-o

    We'll go ahead and rename those files and see what happens, like you suggested. If they were important system files, I would think it would be quite easy to find information about them, but there is nothing. So I have a feeling you are correct, and we'll be able to delete them in a few days.

    About "Zalman Frisbee"...

I do not know how long it has been there, or why it would not have shown up in the logs. She's used the computer only for a little monogramming (her business) since we started cleaning it up. I told her to use it only when necessary, and so she's had it on (besides cleaning and scanning it) only twice for about 30 minutes each, and not online. The only times she's been online is to download stuff for the scans and such, and to email me her logs. It's in her start menu, but not in Add/Remove Programs. We'll work on removing it, whatever it is, because I can't imagine she needs it. I was concerned it was malware-related, so I'm glad you think it's just junk.

    Thank you so much for your time and your help! Is it time to run the final steps now? :)
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

As I said in my last message it is likely from a rogue search tool. It may have been already removed with previous scans. It is probably not installed anymore and any files or folders for it can be deleted.



    If you are not having any other malware problems, it is time to do our final steps:
1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
• Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  9. Miss M

    Miss M Private E-2

    We'll go ahead and do that, Chaslang! Thank you again so much for your help! I can get only so far myself with removing malware, and I know my shortcomings, so I genuinely appreciate you and the others on this forum who help people bring their computers back from infection. Thank you. :)
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     