Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Help after infection by various trojans and viruses

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Help after infection by various trojans and viruses

Unread postby ziggley » September 20th, 2010, 11:11 pm

Not much backstory as it is my son's laptop, all he has said is he was looking through pictures on google before multiple messages popped up saying threats were detected. The free version of Avira AntiVir Personal is what is installed on the system.

There is about 45 quarantined objects after running multiple scans in safe mode with Avira.

The detections showing include:
- TR/Dropper.Gen trojan (1)
- W32/Pedalac.A windows virus (38)
- HTML/Rce.Gen HTML script virus (3)
- HTML/Crypted.Gen HTML script virus (3)

The number in brackets is the amount of files each appears to have infected.

Majority of the programs on the computer no longer work properly, I can only access internet browsers in safe mode with networking. I assume part of this is because a good chunk of the infected files are required .dll and .exe files.

A few of the files infected were on an external hard drive. That hard drive has since been unplugged, but will need fixing as well I assume.

The following, is my HijackThis log, run after a normal start up (I was unsure if I was supposed to run in safe mode):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:47:03 PM, on 20/09/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.realgm.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - (no file)
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [{D888B51C-3B37-82F6-48F0-F37894C1823B}] "C:\Documents and Settings\Brennan Hermann\Application Data\Touh\batae.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: HP WMI Interface (hpqwmi) - Unknown owner - C:\Program Files\HPQ\shared\hpqwmi.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)

--
End of file - 4226 bytes

Also, as requested, the Uninstall list:

Avira AntiVir Personal - Free Antivirus
Broadcom 802.11 Wireless LAN Adapter
ConvertXtoDVD 3.0.0.1
Duplicate Finder
HijackThis 2.0.2
HP Help and Support
HP Update
HP User Guides 0001
Intel(R) Graphics Media Accelerator Driver for Mobile
InterVideo WinDVD
J2SE Runtime Environment 5.0
Java(TM) 6 Update 17
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.6.3)
MSN
QuickTime
RealPlayer
RealUpgrade 1.0
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
TuneUp Utilities 2009
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
VLC media player 1.0.5
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11

I appreciate any help that is offered, and look forward to guidance in correcting these issues. If any additional information is required, please let me know and I'll get that as soon as possible. Thanks!
ziggley
Active Member
 
Posts: 6
Joined: September 20th, 2010, 9:41 pm
Advertisement
Register to Remove

Re: Help after infection by various trojans and viruses

Unread postby Airscape » September 23rd, 2010, 12:47 pm

Hello and welcome to the forum.
My name is Airscape and I'll be helping you with your malware issues.
The logs can take a while to research. Please be patient with me.

Take note of the follwing before we begin.
  • Post to this thread only and please stick to it until you are given an All Clean. Absence of symptoms does not mean that your computer is clean.
  • The instructions I give are for This computer only and should not be used on any other pc.
  • Do NOT run any tools/scans unless I instruct you to.
  • Try not to install/uninstall any programs while we work. This will add extra time researching your logs.
  • If you have found assistance elsewhere and no longer require our help, please say so, and this topic will be closed.
  • If you have any problems, please stop and ask before proceeding with any fixes.
  • ALL USERS OF THIS FORUM MUST READ THIS FIRST

Note: As I'm still in training here at MRU everything I post must be checked by a teacher first. So there may be a slight delay in between posts.

Important:
Please be aware that removing Malware is a hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

In light of this it would be wise for you to back up any important files and folders that you don't want to lose before we start.
User avatar
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm

Re: Help after infection by various trojans and viruses

Unread postby ziggley » September 23rd, 2010, 2:46 pm

Alright, thank you. I await your initial suggestions.

Also, if you could tell me if I should have the external hard drive plugged in or not throughout the process that would be helpful. I unplugged it for fear of it being infected more so than it was already, majority of the important data is saved on it.
ziggley
Active Member
 
Posts: 6
Joined: September 20th, 2010, 9:41 pm

Re: Help after infection by various trojans and viruses

Unread postby Airscape » September 24th, 2010, 12:29 pm

Hi ziggley,

I'm sorry to have to inform you that you have a very serious infection... a Polymorphic File Infector known as Virus:Win32/Ramnit.A Which infects .exe, .dll and .HTML/HTM files. Is similar to the Virut infection. All viruses belonging to the Virut family also contain an IRC-based backdoor, that provides unauthorized access to infected computers. In addition, when it infects, it will sometimes destroy the file it infected. For these reasons, you really can't truly fix Virut or other file infectors. The tools we use, to combat serious infections, can cripple a machine if used on a file infector.

You will need to reformat and reinstall, the operating system on this machine!
Please refer to these instructions, how to perform Windows XP: Clean Install

Because of it's backdoor functionality... You are strongly advised to do the following:
  1. Disconnect the computer from the Internet and from any networked computers immediately.
  2. Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts.
    If you don't mind the hassle, change all your account numbers.
  3. From a clean computer, change all your passwords
    (Internet login, your email address(es), financial accounts, PayPal, eBay, Amazon...any online activities you carry out which require a username and password).
    Do NOT change your passwords from this computer, the attacker can still get all the new passwords and transaction records.

I would strongly suggest you backup all of your valuable and personal data... (ie. documents, pictures, movies, songs, etc...)
Do NOT backup any applications or installers. Do NOT backup any .exe, .scr, .htm, .html, .xml, .zip, .rar files... as these files may be infected as well.
If you back them up...then replace or reinstall them, you will re-infect your system again.
How do I respond to a possible identity theft and how do I prevent it
When should I re-format? How should I reinstall?
Windows XP - Reformat And Re-Install Guide
How to Reformat and Reinstall your Operating System

Let me hear your thoughts on this?

Thanks.
User avatar
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm

Re: Help after infection by various trojans and viruses

Unread postby ziggley » September 24th, 2010, 1:33 pm

If it was not used for banking or anything with personal information, should I still be worried if it was still connected through a router to computers that were used for that sort of thing?

Reformatting the machine isn't really a big deal to me, however I'm unsure how to go about backing up the files. If they aren't any of the file types you listed, are they safe to transfer to another computer? If I have none of those file formats on the external hard drive, then plug it in to another computer, could it go on to infect those files formats on the other computer?

Thanks for the info
ziggley
Active Member
 
Posts: 6
Joined: September 20th, 2010, 9:41 pm

Re: Help after infection by various trojans and viruses

Unread postby Airscape » September 24th, 2010, 5:46 pm

If it was not used for banking or anything with personal information, should I still be worried if it was still connected through a router to computers that were used for that sort of thing?

In my personal opinon, I'd say yes, though it may depend on how the network is set up. We can't say for sure if other computers are infected. Are you aware if you changed the routers default password when it first got connected up?

Some more info for you:
http://www.microsoft.com/security/porta ... mnit.A!dll
http://www.microsoft.com/security/porta ... 2fRamnit.A
http://www.threatexpert.com/report.aspx ... 33fdee1ae9
http://www.threatexpert.com/report.aspx ... ce8a1ae531
"A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment"
Reformatting the machine isn't really a big deal to me, however I'm unsure how to go about backing up the files. If they aren't any of the file types you listed, are they safe to transfer to another computer?

In my opinion I would not backup "any" executable files. (the ones I listed above plus .com, .cmd, .ocx, .sct, .vbs, .sys, .wsf, etc...) after you reformat and reinstall the pc you can install programs/applications again. I would only backup all of your valuable and personal data... (ie. documents, pictures, movies, songs, etc...), and make sure you scan them with an updated antivirus program to be sure.
How to copy information to a CD in Windows XP
How to Backup Computer Files on a CD
If I have none of those file formats on the external hard drive, then plug it in to another computer, could it go on to infect those files formats on the other computer?

I can't say for sure but you should consider all external drives/usb etc (that are able to transfer files) and have been connected to this machine, compromised.

Let me know what you have decided to do, and if no other questions, the thread can be closed.

Thanks.
User avatar
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm

Re: Help after infection by various trojans and viruses

Unread postby ziggley » September 25th, 2010, 4:29 am

Well I've changed my passwords, the important ones anyways, and run scans on all my other machines that are on the network. The other machines are connected to the router directly, and the laptop had a wireless connection. I'm quite sure I've changed the password on the router.

I'll attempt to burn numerous .mp3 and .avi files to cds/dvds before reformatting, not much else of value on the machine. Firefox bookmarks are backed up in .json files or something like that... should I be concerned about those at all?

Is there a way to reformat external hard drives? It's a western digital my book essential 250 GB if that helps at all. I think it may have come with a disk? I'll probably need to dig that out.

Also, should I expect there to be any damage being done while in safe mode?
ziggley
Active Member
 
Posts: 6
Joined: September 20th, 2010, 9:41 pm

Re: Help after infection by various trojans and viruses

Unread postby Airscape » September 25th, 2010, 4:46 pm

Hi again,

Firefox bookmarks are backed up in .json files or something like that... should I be concerned about those at all?

This below was posted in the link earlier :)
"Copy all your data to a separate drive, CD, DVD, etc. twice for extra security, if possible.
This is not just a case of copying the My Documents folder but also items such as My Favorites, browser profiles (for example Firefox and Opera), and Email. Open applications/programs and check where each saves data."
It should be ok but I would try and keep the pc as fresh as possible.

Is there a way to reformat external hard drives? It's a western digital my book essential 250 GB if that helps at all. I think it may have come with a disk? I'll probably need to dig that out.

How to install, partition, and format a WD drive on Windows (7, Vista, XP, 2000) and Mac OSX.
If it were my computer, I would run flash disinfector with all of my USB devices (external hard drives, cameras, phones, etc.) and I would reformat the external drive as shown in the link.


Please download Flash_Disinfector and save it to your desktop.
http://download.bleepingcomputer.com/sU ... fector.exe
  • Double click the file to run it.
  • You will be prompted to plug in your flash drive. Plug it in.
  • Flash_Disinfector will start disinfecting your flash and hard drives. This takes a few seconds. Your desktop will disappear in the meantime.
  • When done, a message box will appear. Click OK. Your desktop should now appear. If it doesn't, press Ctrl + Shift + Esc to open Task Manager.
  • Click on File > New Task (Run...). Type in explorer.exe and press Enter. Your desktop should now appear.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

Also, should I expect there to be any damage being done while in safe mode?

If you mean does this infection do damage to safe mode, then yes. It will "likely" corrupt/destroy system files that load the pc into safe mode.


If nothing left the thread can be closed... Let me know?
User avatar
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm

Re: Help after infection by various trojans and viruses

Unread postby ziggley » September 27th, 2010, 12:12 am

My only other concern now is the computer I use for banking and what not. It started up pretty slow today and I'm curious if perhaps it has become infected as well. I could also just be paranoid and thinking it took longer than it did, but I'd rather be safe than sorry.

If I were to run Hijack This on it, would I be able to continue using this thread, or must I start a new thread?
ziggley
Active Member
 
Posts: 6
Joined: September 20th, 2010, 9:41 pm

Re: Help after infection by various trojans and viruses

Unread postby Airscape » September 27th, 2010, 6:38 pm

Sorry for the delay.

If I were to run Hijack This on it, would I be able to continue using this thread, or must I start a new thread?

You would need to start a new thread. This is not my view personally... the forum rules state one log per topic.

I would scan the other computers with Avira. If there's no detection it's unlikely there's a file infector. Still worth starting a new topic though if you notice problems.
User avatar
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm

Re: Help after infection by various trojans and viruses

Unread postby ziggley » September 27th, 2010, 10:19 pm

Alright, thanks for all the help and insight.

This topic can be closed now.
ziggley
Active Member
 
Posts: 6
Joined: September 20th, 2010, 9:41 pm

Re: Help after infection by various trojans and viruses

Unread postby Airscape » September 28th, 2010, 9:02 am

Ok, thanks for letting me know :)
User avatar
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm

Re: Help after infection by various trojans and viruses

Unread postby Carolyn » September 29th, 2010, 6:22 am

As this issue appears to be resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
User avatar
Carolyn
MRU Emeritus
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 308 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware