Infected computer -> trojans+virus

Hello there,
I’m having problems with this on my brother’s computer: multiple trojans such as Downloader.generic7.admp, generic10.bcly, psw.small.ac or viruses such as killav or win32/polycript keep jumping onto this computer every time.
He’s currently using a program called Arcavir2008, but it seems not to be working as it should; perhaps we should go to Avast. As additional information, I have installed SpywareBlaster to try to stop this and also AVG, which detected all these problems - most of them went to “the vault” (can I erase them?). I made another scan using Panda Online, it detected more than 50 infections (report attached just in case), and Spybot doesn’t seem to reach this malware.
I really appreciate your help. I would like to clean and protect this computer as well as possible once and for all; I’m sending you my HJT log attached. Many thanks for your time!

DO NOT INSTALL AVAST NOW we’ll do that later
A complete AVG removal is needed and that would be a distraction at this time
If you have already done it- post back and good luck

do NOT erase anything in the AVG vault

evidently you have Spybot search and destroy?
did you try a scan in safe mode?

Can you follow instructions EXACTLY? If not, wait for someone to look at your HJT

let’s start with
Win32/NSAnti (Win32-Polycrit)

Please close/disable all anti-virus and anti-malware programs so they do not interfere with the running of SDFix and make sure you are disconnected from the Internet after downloading the program but before extracting the files.
Like T-Timer, AVG whatever- all of them

* Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. 

They can interfere with SDFix and remove some of its embedded files which may cause “unpredictable results”.
trust me you do NOT want “unpredictable results”

* Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

http://www.bleepingcomputer.com/forums/topic114351.html

* Remember to re-enable the protection again afterwards before re-connecting to the Internet.

Download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually
* Instead of Windows loading as normal, the Advanced Options Menu should appear
* Select the first option, to run Windows in Safe Mode, then press Enter
* Choose your usual account.

* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  (Report.txt will also be copied to the clipboard ready for posting back on the forum).


* Remember to re-enable the protection again afterwards before re-connecting to the Internet.
* Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

ramosy keep busy and ignore this

polonus -
http://messageboards.aol.com/aol/en_us/articles.php?boardId=471321&articleId=117565&func=6&filterHidden=true&filterUnhidden=false&filterRead=false

Trojan.PSW.Small.ac
Aliases:
PSW.Generic2.LWL GRISoft AVG 7.5.516/1280 15-Feb-2008
TR/PSW.Small.AF Avira AntiVir/Win32-Console Version 7.4.0.15 15-Feb-2008
Trojan-PSW.Win32.Small.af Kaspersky Lab KavCon 1.0.0.48 15-Feb-2008
Trojan.Pws.Small.AF SOFTWIN BitDefender BDSCAN 1.01 15-Feb-2008
W32/Agent.PQZ Norman NVCC 5.91.10 14-Feb-2008
W32/Pws.HG Frisk Software FPCMD 4.4.3 14-Feb-2008
Win32:Small-AUA [trj] ALWIL avast! ashCmd 4.7/080214-0 14-Feb-2008

OK, I’ve done it. I’m sending as attachments the 2 files required for you to analyze; I will wait for further instructions from your side.
Thanks once again.

Hi
I am hoping Polonus will come along and take a look at your HJT
we got a trojan with SD-Fix good work

what is ArcaVir? Installed, or the online scan?
I know nothing of this program
Does AVG still work? update? scan? etc?
if so if ARCAVIR is installed -uninstall it-- did someone buy it or is this a demo/ free trial?

I see spyware Doctor- which version? Is it a paid type version with realtime protection (or google toolbar version)?
is it up to date? if so why not run a scan and post up the results?

http://www.bleepingcomputer.com/startups/vsnpstd.exe-11086.html

do you use this
http://www.howtogeek.com/howto/windows-vista/what-is-ctfmonexe-and-why-is-it-running/

what is the autoconnect.exe winfixer? ADSL thingie? whose is it?

Hi ramosy28,

Fix this with HijackThis:
O4 - HKLM\..\Run: [msennger] C:\WINDOWS\system32\drive\calling.com
O4 - HKLM\..\Run: [Paner cPanle] cPanele.com
These are nasties (viruses)
If you do not know what it is also fix this one:
O17 - HKLM\System\CCS\Services\Tcpip\..\{A410CAF1-0613-4443-A9B9-602D805D8CA4}: NameServer = 213.241.79.37 83.238.255.76
If Arcavir is the only resident anti-virus program, it would not be harmful.
Never use two resident anti-virus programs because this will make things much worse; they are going to
interfere with each other and find each other’s malware signatures (out of the frying pan into the fire!)
You should also install a Firewall, apparently you have none. And you could install the latest service packs for your OS,
I think wyrmrider will come up with the same results,

regards,

polonus

Polonus beat me to it- do what he says- I just got in

IS AVG STILL WORKING? After you run the HJT fix, update and run a scan
nuke either AVG or the other one

RUN HJT again and fix the obvious nasties and the others as appropriate

Look at two of the O4 entries: the one with [msennger] calling.com &
the one with cPanele.com in it are nasty.

O4 - HKLM\..\Run: [msennger] C:\WINDOWS\system32\drive\calling.com
O4 - HKLM\..\Run: [Paner cPanle] cPanele.com

Then the O17 NameServer entry, if unknown, should be fixed.

O17 - HKLM\System\CCS\Services\Tcpip\..\{A410CAF1-0613-4443-A9B9-602D805D8CA4}: NameServer = 213.241.79.37 83.238.255.76

Do you know what this is? You can try and google the CLSID, but that goes nowhere
Does Tony Klein’s database show this?

if you removed the other AV these should be gone with the next HJT
O9 - Extra button: ArcaVir >> - {40525A66-DB98-480D-BCF9-7AF88C1AF438} - C:\Program Files\ArcaBit\WebExtensions\ie\ArcaIEExt.dll
O9 - Extra ‘Tools’ menuitem: ArcaVir >> - {40525A66-DB98-480D-BCF9-7AF88C1AF438} - C:\Program Files\ArcaBit\WebExtensions\ie\ArcaIEExt.dll

If they are not gone with the next HJT and you have removed the AntiVirus then let us know

you need to run Secunia Software Inspector. I see your Java is up to date, but there will be a new version soon
you have no firewall get one ASAP
Outpost, PC Tools whatever
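As an added example that is not part of the thread: a small Python triage helper for the HijackThis entries discussed in the two posts above. It parses the O4 (Run key) and O17 (NameServer) lines, flags Run targets that are bare or relative or use an unusual executable extension, and lists any NameServer address not in a caller-supplied list of known resolvers. The sample log is constructed from the entries quoted above plus one constructed benign entry; the `known_resolvers` parameter is an assumption.

```python
import os
import re

# Constructed sample log: the O4/O17/O9 lines quoted in the thread plus one
# constructed benign Run entry (not a real HijackThis log).
SAMPLE_HJT_LOG = """\
O4 - HKLM\\..\\Run: [msennger] C:\\WINDOWS\\system32\\drive\\calling.com
O4 - HKLM\\..\\Run: [Paner cPanle] cPanele.com
O4 - HKLM\\..\\Run: [avast!] C:\\Program Files\\Alwil Software\\Avast4\\ashDisp.exe
O9 - Extra button: ArcaVir >> - {40525A66-DB98-480D-BCF9-7AF88C1AF438} - C:\\Program Files\\ArcaBit\\WebExtensions\\ie\\ArcaIEExt.dll
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{A410CAF1-0613-4443-A9B9-602D805D8CA4}: NameServer = 213.241.79.37 83.238.255.76
"""

O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<target>.+)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
# Extensions rarely used by legitimate auto-start programs on XP.
ODD_EXT = {".com", ".pif", ".scr", ".bat", ".cmd"}


def o4_reasons(target):
    """Return the reasons an O4 Run target deserves a second look."""
    # A quoted command line: keep only the executable part.
    exe = target[1:].split('"', 1)[0] if target.startswith('"') else target
    reasons = []
    if not re.match(r"^[A-Za-z]:\\", exe):
        reasons.append("bare or relative target, resolved via PATH at logon")
    if os.path.splitext(exe)[1].lower() in ODD_EXT:
        reasons.append("unusual executable extension")
    return reasons


def triage(log_text, known_resolvers=()):
    """Collect O4 and O17 entries; O17 servers outside known_resolvers are flagged."""
    findings = {"o4": [], "o17": []}
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            findings["o4"].append((m["name"], m["target"], o4_reasons(m["target"])))
            continue
        m = O17_RE.match(line)
        if m:
            servers = m["servers"].split()
            unknown = [s for s in servers if s not in known_resolvers]
            findings["o17"].append((m["key"], servers, unknown))
    return findings


if __name__ == "__main__":
    result = triage(SAMPLE_HJT_LOG)
    for name, target, reasons in result["o4"]:
        print(f"O4 [{name}] {target}: {', '.join(reasons) or 'no flags'}")
    for key, servers, unknown in result["o17"]:
        print(f"O17 {key}: NameServer {servers}, unknown {unknown}")
```

A flagged entry is only a prompt to look it up, as the posts above do; the user's own ISP resolvers belong in `known_resolvers` so that a legitimate O17 line is not flagged.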

Well, too many things to do; I think I’ve done most of them with a good success rate :slight_smile:

Let’s see one by one:

1- I already uninstalled AVG and kept Arcavir2008, which is a Polish program that basically has the same functions as Avast or AVG. It also has a firewall option that is always enabled. I find it weird that it doesn’t show up when I show you my system details, so my question is whether it’s better to disable this firewall in order to avoid conflicts during installation of the PC Tools firewall, if that is the better thing to do.

2- As I have Arcavir, sometimes it catches viruses/malware that I send to the vault. As there is an option shown there to do it, can I clean the vault, or should I keep it like that?

3- I’ve fixed the two O4 items and also the O17 with HJT. Everything went well; I’m sending the new HJT log as an attachment.

4- I’ve cleaned the ctfmon.exe as instructed; all looks ok now.

5- I’ve performed a scan with RegistryBooster 2 - result: 520 problems - which are already fixed. Hope that improved this cleaning a lot!! :wink:

6- I updated the computer a few days ago; I have Service Pack 3 running. Most probably because of that I was not as secure as I should have been with SP2…

7- Autoconnect.exe is a tool installed that opens and keeps my internet connection.

8- I ran Secunia and some updates had to be done, such as Flash Player, Opera, Skype… I think I’m updated on most items. Thanks for the tip, it will be useful in the future.

9- The only problem now is that Arcavir keeps finding these two bugs, which I send every time to quarantine:

Riskware.ScKeylog.Titanium —> found in file A0038189.exe - the AV has caught this same riskware daily for a few days now, but under different file names such as A0040835.exe or A0038372.exe.

Trojan.Agent.Hp.mr —> found in file A0038258.dll - the AV has caught this same trojan daily for a few days now, under different file names such as A0038185.dll or A0038258.dll.

It looks like it changes its name very often; can you help me to destroy it?

Thanks!! :slight_smile:

Hi ramosy28,

Here is the removal tool for ScKeylog: http://www.exterminate-it.com/malpedia/remove-sc-keylog-pro
Trojan Agent removal instructions go here: http://www.xp-vista.com/spyware-removal/trojanagent-removal-instructions
Write up in Notepad and print, to meticulously perform step by step,

polonus

Well, I’m not sure if it’s good or bad, but as regards

1- Sc-keylog-pro

I followed it step by step and found nothing, either when searching files & folders or when looking in the Windows Registry. Is that normal?

2- Trojan agent

As regards unregistering .dll files, I read the instructions; however, I’m afraid of doing something wrong. Is it safe to do all those steps on those files?

I checked all the keys in the list and found a match with this one only, so I erased it:
FF5137B5-C506-4D9B-8682-E0BE4675B899

From the list of files I had a match with:

pmspl.dll in c:/windows/system32
msvideo.dll in c:/windows/system32
MSVIDEO.DLL in c:/windows/system

As regards these last two, should I erase them too?

Thanks

Hi ramosy28,

If they match with the manual malware removal instruction then remove,

polonus

Hi,

I have already done everything, but I’m not sure if I fixed the problem with either ScKeylog.Titanium or agent.Hp.mr.

How can I check it? If they are still here, there must be a way to nuke them once and for all!!

Can I erase all the files from the vault/quarantine in Arcavir2008?

Thank you for your time.

did you run the new avg removal tool?
uninstall your current AV temporarily
have a copy of whatever AV you are going to reinstall on hand

go here
http://www.pchell.com/virus/uninstallantivir.shtml
and start on this line

“What if Windows Security Center Shows AntiVir or other multiple Antivirus products installed”
and do what it says for the rest of the page

Run the Registry cleaner
Reinstall your favorite AV

(many AVs leave fragments which cause problems down the road - now that you are reasonably clean, it’s time to do some housecleaning)

Double check that your firewall is working

run ccleaner
defrag
new restore point

post back and let’s talk prevention

I uninstalled Arcavir2008 and following your steps I ran ccleaner and I installed AVAST. Everything went well, it showed me only one registry key to clean from an old program -bitdefender- that I had once.

Now I wanted to start the defrag; however, the computer doesn’t respond after I select the C: disk and click on defrag. Nothing happens. I went to Task Manager and in the processes it shows dfrgntfs.exe open but not running.
Is this normal, and should I wait more time until it starts? Can we do something about it?

Well after that I was supposed to do new restore point.
Right now as protection, I have the following programs:

AVAST 4.8 Home Edition
Spyware blaster
Register Booster2
Spybot -S&D
Firewall Windows is running ok.

Thanks.

Are you guys running as administrator?
if so stop and set up a couple of user accounts and use those

Get a real firewall (and turn xp off)

run secunia software inspector and update everything

spybot s&d are you running v 1.6? update and reimmunize every Wednesday

you have no real time anti malware/ anti spyware protection at least turn on spybot t-timer and SD-helper
If interested post back

bvvc with any reg tools

we gotta stay at this till you guys are protected

no idea about the defrag non start- anybody???

Posted on: Yesterday at 09:57:12 PM, posted by: wyrmrider
Are you guys running as administrator? No, I’m using a different account, different from the Administrator one.
if so stop and set up a couple of user accounts and use those

Get a real firewall (and turn xp off) I have installed PC Tools - it looks running ok.

run secunia software inspector and update everything - I ran again, everything is updated, I have done it before.

spybot s&d are you running v 1.6? update and reimmunize every Wednesday - I have version 1.6; no threats were found after running a test.

you have no real time anti malware/ anti spyware protection at least turn on spybot t-timer and SD-helper
If interested post back
I was checking and have SD Helper and TeaTimer marked as active, and also have SpywareBlaster, but I would really appreciate it if you could tell me whether something more must be done.

bvvc with any reg tools. This I don’t understand; my computer skills don’t go that far… :wink: Please advise in another way so I know what has to be done.

we gotta stay at this till you guys are protected

no idea about the defrag non start- anybody??? Well, I keep trying and nothing happens… weird… any help would be good. Thanks!

something more must be done?

answer
I’d install a hosts file MVPS or HP Hosts
WinPatrol is also light on resources and will protect your hosts file

the BVVC was caused by this in your post
Register Booster2

I’m away today but are you running IE or Firefox or?

If any of our members have any idea why defrag is not working please post up

BVVC = Be Very Very Careful

Well, I must confess that at this point I’m a little confused about all this. ???
Please forgive me, but as I said before my computer skills are average or even low, so I’m not following what you wrote in your last post.

I have RegistryBooster v.2 installed and so far it has caught and fixed a few problems as regards the Registry files. Is the problem coming from there?

I’m currently using IE7 as well as Opera.
Please advise. Thanks. :slight_smile:

not likely registry boost is the problem
but as with all of these tools removing a critical system file can ruin your day