Request Help - please help me!

Discussion in 'Malware Help (A Specialist Will Reply)' started by suffering, Nov 27, 2006.

  1. suffering

    suffering Private E-2

    Hi there,

I've been looking after my brother's PC while he's kindly let me stay with him for a couple of weeks. However, he has managed to pick up several pieces of malware. Initially this changed the desktop image, with a message indicating that the computer was at risk. This also brought up fake alert messages in the bottom right hand side of the screen saying the computer was at risk. After much searching I have managed to remove this, however I am still concerned the computer is infected for the following reasons:

- PC is now extremely slow
    - PC running between 300 and 500 MB RAM, although only 256 MB on the machine
    - ZoneAlarm kept finding Win32.Briss, but was not able to remove it

I have managed to improve performance whilst stepping through the READ & RUN ME FIRST page. However, Panda ActiveScan failed with out-of-memory errors (I have downloaded the latest version of the Sun JRE and run in Normal Mode). Before failing, the ActiveScan locates 3 malware items and 1 HijackerTool.

    I have attached logs from counterspy (having trouble finding this as it has taken me over a week to get all the scans done - will re-run now), BitDefender, GetRunKey, newkey and HJT logs.

    Many thanks in advance for any help that you could offer me, I'm getting very close to having to re-install Windows - something that I'm not really looking forward to!

    Thanks again,

    Mike
     


  2. suffering

    suffering Private E-2

    HijackThis log attached.

    I have also noticed in the HJT logs that LogitechDesktopMessenger and Python2 are listed as still being installed, although I explicitly removed these at the start of the process.

Thanks again for all assistance.
     


  3. suffering

    suffering Private E-2

    Hi,

My biggest concern is that Panda ActiveScan finds 1 HijackerTool and 3 malware items, but always fails with an out-of-memory error, therefore not informing me what these are.

    Is there an alternative scanner that I can use? BitDefender no longer finds anything on the system.

    Thanks,

    Mike
     
  4. suffering

    suffering Private E-2

Finally managed to perform an ActiveScan, log file attached.

This shows the following items that concern me; the additional items refer to SmitFraudFix, which I believe is OK?

    Potentially unwanted tool:
    - Application/HideWindow.A Not disinfected C:\hp\bin\FondleWindow.exe
    - Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe

Can you please advise how I can clean the system? The PC is currently running at 416 MB RAM, although the visible Mem Usage on Windows Task Manager only shows about 120 MB Mem Usage.

    Sorry for the number of posts, this is the first time I have had to do anything like this and really appreciate the work that you all do.

    Thanks,

    Mike
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall the below old version of software:
    Java 2 Runtime Environment, SE v1.4.2

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    After clicking Fix, exit HJT.
    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Now reboot in normal mode
    Now Copy the bold text below to notepad. Save it as fixWLK.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now attach the below new logs and tell me how the above steps went.
    1. GetRunKey
    2. HJT

    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.
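As an added example (not code from this thread, from HijackThis, or from MajorGeeks), a small Python parser for log lines in the HijackThis format quoted above. It extracts the O4 autorun entries and flags O20 Winlogon Notify hooks reported as "(file missing)", which is what the WRNotifier line is: the registry still references a DLL that no longer exists. The sample log below is constructed from the lines quoted in the post plus one made-up O23 service entry.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the HJT lines quoted in the post above, plus one benign O23 line.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Example Service (constructed) - C:\Program Files\Example\svc.exe
"""

# Every HJT line starts with a section code (R0, R1, O4, O20, ...) followed by " - ".
HJT_LINE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
# O4 bodies look like: HKLM\..\Run: [Name] "C:\path\prog.exe" args
O4_BODY = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class HjtEntry:
    code: str
    body: str
    run_name: Optional[str] = None   # set for O4 autorun entries
    run_cmd: Optional[str] = None
    file_missing: bool = False       # set for O20 hooks whose DLL HJT could not find


def parse_hjt_log(text: str) -> List[HjtEntry]:
    """Parse HJT-format lines; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        entry = HjtEntry(m["code"], m["body"])
        if entry.code == "O4":
            m4 = O4_BODY.match(entry.body)
            if m4:
                entry.run_name, entry.run_cmd = m4["name"], m4["cmd"]
        elif entry.code == "O20" and "(file missing)" in entry.body:
            entry.file_missing = True
        entries.append(entry)
    return entries


def orphaned_hooks(entries: List[HjtEntry]) -> List[str]:
    """Winlogon Notify entries still in the registry but pointing at a missing DLL."""
    return [e.body for e in entries if e.code == "O20" and e.file_missing]


def autoruns(entries: List[HjtEntry]) -> List[Tuple[str, str]]:
    """(name, command) pairs for the O4 Run entries, for deciding what need not start at boot."""
    return [(e.run_name, e.run_cmd) for e in entries if e.code == "O4" and e.run_name]
```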
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There was nothing in your Panda ActiveScan or Bitdefender logs of any concern. The HP items are all false positives. And cookies are not problems.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

I don't know what you mean. Where are you getting these numbers from? What do you mean the PC is currently running at 416 MB RAM? You are not saying whatever it is that you want to say in terms that mean something to me. Tell me where you are quoting these numbers from (exactly where) and what the titles next to the numbers you are reading say.
     
  8. suffering

    suffering Private E-2

    Hi there,

    Firstly many thanks for your mail and apologies for any vagueness in my previous posts.

    I have successfully run the steps that you provided and have attached the related log files. Hopefully this all looks ok, the PC is now running so much quicker - no longer have to wait 5-10 minutes for iTunes to open!

    With regards to the memory stats, this may well be a mis-interpretation of the stats on my part and slightly misleading. The stats were taken from the following on Task Manager:

- TaskManager->Performance->PF Usage was ranging between 300 MB and 500 MB; this is now running around 240 MB.
    - The memory usage I was referring to was TaskManager->Processes->Mem Usage. The sum of all applications' Mem Usage column values was totalling around 120 MB, which obviously didn't match the value in PF Usage.
    - TaskManager->Performance->CPU Usage was generally maxed out around 100%, but is now looking much healthier at 1-10%.

    Do you think the system is clean now?

    Thank you so much for your help. Christmas shopping will be much easier if I can do it from the comfort of home!

    Best Wishes,

    Mike
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean! Are you having any other malware problems?

    If you would like, you can even tweak things some more. The below are not malware but they are not necessary to load at startup. You can have HijackThis fix them if you want to see even more of an improvement.
    Memory usage is not the same thing as PF Usage. PF = Page File. Windows will use disk space to create page files.

    Page File Usage is a variable amount of hard drive space that is dedicated to your total system memory. When your free RAM is low, the computer will start using this space to store RAM instructions. Because hard drive access is much slower than that of RAM, this can reduce performance - but reduces the risk of your computer locking up due to low amounts of free RAM. The page file is also referred to as 'virtual memory' or the 'swap file'.
     
  10. suffering

    suffering Private E-2

    Excellent news! I'm not experiencing any other malware problems.

    I had been wondering how to remove the RealOne update, but having looked at the list I think I'd be happy removing all 4. So I'll do that over the weekend once I've recovered from the office Christmas party!

    Many thanks again for your help. I don't know how else I could have sorted this out.

    Thanks,

    Mike

    :)
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!

    That's an early Christmas Party!
     
