MSN virus/several trojans help?!?

I appreciate any help i can get with this one…
Was at my little brothers house today getting some files off his comp. He’s on xp sp2 with all current updates and using firefox browser. When i opened up ‘My Computer’ there were about a dozen bizarre files just sitting there, not even a second later his AVG anti-virus kicked in, finding all these trojans (silly me forgot to grab names) located in different places, some in system restore, i moved all to ‘vault’. Also a google window opens up , blank, and wont close unless you go through ‘alt+ctrl+del’. He said he got it through one of the msn viruses, a link appeared in a message from one of his contacts and silly boy clicked on it. I plan on working through all this for him to get his system back up properly. However, i would rather install AVAST instead of AVG, preferably before doing anything else, as it’s what i’m used to. So my 1st question throughout this no doubt ordeal is… Can i uninstall AVG anti-virus, while there are files in the vault, and just install AVAST? Should i just remove all files from vault 1st and just get rid of avg and let avast take care of it once i put that on?
Any help is greatly appreciated…

Well, you’ll lose the files in Vault.
Plug an USB drive, right click the files in Vault and choose ‘Restore File(s) as’, moving them to the USB drive.
Hey, take care, they’re infected. But just in case they were false positives or necessary files to boot.
Then, uninstall AVG, boot, install avast, boot.

Only if you don’t want to get rid from that files either…

Cheers. ;D I have tried asking on the AVG forum but they aren’t as prompt as u guys, (or as friendly :wink: ) and like i said, i’m familiar with avast and prefer it myself. But in this instance because they’re mainly tojans and such should i just work with AVG until they’re gone and then put avast on? Also am i right in thinking that mt first steps are:to run CCleaner, AdAware, Spybot, then Ewido, then anti-virus, reboot, run all again. Then once clean run in safe mode to be sure? I’ve heard this msn virus can be a doozy to remove though, will i need to do more?

Cheers. ;D I have tried asking on the AVG forum but they aren't as prompt as u guys, (or as friendly Wink ) and like i said, i'm familiar with avast and prefer it myself.
You have now found another decision in your choice of AV, support and as You have found AVG is lacking in that department.

You will be fine with avast and no single security program is going to cut it nowadays, so you need anti-adware/spyware defence also to provide a multi application defence, ones that don’t conflict is important and you seem to have that covered.

Running Ewido from safe mode is usually very effective at removal of malware that would otherwise be difficult to deal with. I’m not sure it is a good idea to stick with AVG until you deal with these trojans, 1) we don’t use AVG so couldn’t offer any productive help, 2) avast offers a boot-time function that isn’t available to AVG. So I would suggest you follow Tech advice of backup the files in the vault. Note the original location of the files in the Vault so you can restore them if they later prove to be OK. Take care.

For sure, AVG forum is far behind avast one. I can say by experience here and there.

Better. Do a full AVG scanning, send the infected files to vault.
Uninstall AVG and install avast, running a boot time scanning after that.

Ok.

Better an avast boot time scanning.

Thanks again Tech and DavidR. Hope to fix this thing in the next few days. Have been investigating other peoples problems with this one and it seems Hijack This comes in quite handy. I’ve been studying up alot on how to use it and what everything means and such but i do realise it’s still quite in depth and can cause some damage if used incorrectly, are you guys able to help with that if it has to go that far?

Possibly although I am running one at the moment, However you could mosey over to http://www.geekstogo.com/forum/You_Must_Read_This_Before_Posting_A_Hijackthis_Log-t2852.html to get started

Program & Tutorial - Also useful as a diagnostic tool - Download HiJackThis.zip - HJT Information HiJackThis Tutorial 1 or HiJackThis Tutorial 2 or HiJackThis Tutorial 3

There are a number of people that can help with hijackthis log analysis, there are also on-line analysis sites that give reasonable advice, but nothing is ever 100%. They give indications of Nasty, Possibly Nasty, Unknown, etc, these are the ones that need further investigation (google search on file name, etc.) before committing to a fix.

On-line analysis - HiJackThis Log file - On-line Analysis OR HiJackThis Log file - On-line Analysis 2 The first of these also has a means of uploading the suspect files for AV scanning.

But you can also seek advice here there are other places that specialise in this advice (as essexboy mentions).

Cheers! A most helpful site. Will check out the others too. Will keep u posted on progress!
Thanks heaps guys. Honestly can’t praise you enough for your help !

Hey guys! Hows it going? Got some updates on this for you…
Upon further inspection of his computer, i ran AVG anti-virus and it detected over 110 worms and trojans, in all manner of place scattered about his pc. Not having the time or the patience to sit and write details of each i just moved them all to chest. I then went to ‘restore files as’ to try and copy them in case something goes wrong, but i couldn’t send them to D: drive to burn, so left in the chest. That was a week ago, and he said everything is running ok, so should i clean all files or just delete? I don’t want to remove avg and install avast until system is clean.
Also there were several dodgy as processes running that i shut down prior to scanning.As i said, there were soo man6y trojans n stuff i didnt grab all names n stuff, but a few of the infected files look like such; c:\kybrdff_e54.exe ( as well as 50.exe, 47.exe, 41.exe, 40.exe ); c:\dfndrff_e54.exe ( and 51.exe, 50.exe, 47.exe, 44.exe, 43.exe) ; c:\mte3nd160d6xgnew.exe; plus some in sys restore. Whenever you open ‘My Computer’ a blank google window pops up and the only way to close it is to go through alt+ctrl+del.
I then ran ccleaner, adaware, spybot s&d, and am yet to run ewido/avg, (after turning off system restore). One of these (cant remember which) detected smitfraud-c , amitfraud-c.Toolbar888, and coolwwwsearch among others.
As you can see his system is severely infected. He’s had problems like this before and mum won’t pay to get it fixed anymore, so i’m his only hope. And as i’m just starting out in this sort of stuff, you guys are my only hope!
So my main question here is, what to do now? Clean or delete files in avg chest? Should i just run hijackthis now, or are there any other steps i should follow first?
Is this even going to be possible to fix?
Eagerly awaiting your reply AND thanking you in advance.
Cheers.
(oh btw- i 4get what kind of puter he has, i know it’s an acer, running winXP sp2, pretty sure he uses firefox/mozilla browser)

:slight_smile: Hi Pandammonia :

 Your brother's computer should have the guidance of "Malware Experts" that are usually
 found on antiSPYWARE Support forums. They are volunteers who are very experienced
 in dealing with an "infected" computer. I recommend the one at www.landzdown.com
 because they are little known, resulting in fast turnaround times.
 IF you have NOT already put the "HijackThis" program on your brother's computer,
  download HijackThis (© Merijn) from:  www.thespykiller.co.uk/files/HJTsetup.exe  . 

Note: This is a complete installer that installs HijackThis to your computer at C:\Program Files\HijackThis, making an entry in the start menu and also providing a desktop shortcut. If HijackThis is used from a temp folder, it is in danger of being accidentally deleted by clean up tools.

At the download prompt, choose “Save”. After the download is complete, navigate to the C:\Program Files\HijackThis folder and double-click it to complete the installation.

It doesn`t matter how much energy you put in with AVG , you are still going to get some left on the system when its finished that Avast! will detect.
As soon as Avast! is installed you will be prompted to run a boot scan and this is where you will find and deal with the leftovers. Try to move as much to chest as you can but some may be delete only.
try to stay off the net until the system is clean and has a firewall and AV installed so have those programs loaded onto disks or flashdrive for easy access.
good luck and by all means post HJT log if you need any help :slight_smile:

spiritsongz-
Yeah i know. Total of 133 items in his vault. Will check out landzdown, cheers. One question for u though… i have read on other forums that if HJT is installed in C:\ some trojans/viruses can hide from it, also if you label it HiJackThis this can happen?
Clossau- hey fellow aussie.! I know, AVG anti-virus blows big time. As i said earlier i want it off so i can work with avast!.
Got him to run ewido again- kept detecting same file,(c:\windows\system32\dxdlib303562752.dll) no matter how many times it was cleaned and sent to vault.Also “project1” has shown up under running programs, and whenever he logs on, a firefox window pops-up saying ‘powerzip self extractor is extracting files. Please wait…’.
I have searched google and numerous forums for answers but am now so oerwhelmed with conflicting information i’m getting addled, befuddled, bemused, confused, cranky,and irritable.His system is a mess!
Would i be right in this method;
Restore all files from AVG vault to disk/flash.
Uninstall AVG, install AVAST!
Boot time scan.
Turn off system restore.
Run CCleaner.
Run in safe mode- adaware, spybot s&d, AVG anti-spyware (ewido).
Run HJT (should this be done in safe mode?)
Post log!

Hi Pandammonia,

I’m a little surprised that AVG is suddenly finding all this stuff: did he disable the anti-virus, I wonder, or did some malware disable it for him?

If you want to use the tools at hand to clean the system, make sure you run scans in safe mode where possible:

http://www.pchell.com/support/safemode.shtml

Run a scan in safe mode with AVG and AVG anti-spyware and Spybot, and also Ad-Aware and a-Squared free if you don’t have these already.

AVG have a rootkit scanner, which I’d recommend you run before all these scans:

http://www.freewarefiles.com/downloads_counter.php?programid=22524

If your brother is relying on the Windows firewall, the malware has probably brought it down: I’d recommend downloading a good third-party firewall like Zone Alarm of Kerio and installing that.

If you update all your programs, go off line and chugg through all the scans, install the firewall, come back on line and post a HijackThis! log, we can clean up anything remaining and you can uninstall AVG and install avast! if you want to.

As your brother has had similar problems in the past, it may be a good idea to make yourself the computer administrator and give him a limited user account with locked-down security. At the very least, you need to educate him about how he is getting infected. New viruses appear on MSN/Yahoo messenger hourly, and nothing is guaranteed to catch all of them, so if he doesn’t learn some caution, he’s going to undo all your good work in about five minutes once you let him loose again.

http://blog.washingtonpost.com/securityfix/2006/05/the_importance_of_the_limited.html

http://www.castlecops.com/article-6112-nested-0-0.html

http://www.castlecops.com/postlite7736-.html

Frank- Thanks for prompt reply.( Thats why i use avast forums rather than others, so quick on the ball).
I’m not too sure as to why AVG didn’t catch it as it came in. It is possible he disabled it manually, he does stupid stuff like that. He just doesn’t read things properly before he clicks.
Is a-squared the old name for AVG anti-spyware/ewido?
Will do the rootkit scan tomorrow and run all in safe mode. Do i do HJT in safe mode too?
Your advice re the administrator thing is something i didnt know. Will do that one once were clean.

Well… it will be better using both the antivirus and the forum of avast :wink:

So… ;D ;D ;D

No. They’re different products. Ewido was bought by Grisoft (AVG), not a-squared.

It won’t hurt…

Thanks again tech!
I know i cant wait to put avast on it. As frank said too though, i’d rather do that once it’s all clean just so nothing interferes. Will be doing all this tomorrow, so will post back HJT log when done these steps. Cheers.

I think you need to do the HijackThis! scan in normal mode, otherwise it won’t show any malware processes that are running in normal mode but not in safe mode.

It can be more effective at removing malware entries in safe mode, but a log file needs to be done in normal mode.

In a user account, your brother won’t be able to disable security programs or open executable files.

He may not be too happy if he can’t install new programs, but this may be a better alternative to having the computer overwhelmed by malware again. You need to talk to him about this- maybe talk over the reasons why he’s getting infected and make him promise to change his ways.

Frank- Cheers again! I know im probably repeating myself but is this course of action correct:
Download and update necessary programs- adawre,spybot,avg,a-squared + firewall.
Turn off sytem restore
Run avg rootkit scanner.(btw what does this do?)
Run programs in safe mode.
install firewall
post hjt log
When i post hjt should i post other scan results too?
I read on someone else who had similar problems that msn messenger is now stuffed and must be re-installed. Should i uninstall it prior to the above process(if correct). Also should i try and stop processes and tasks of strange looking things before doing this scan, (checking them with processlibrary 1st of course)
Sorry if im repeating myself and bugging u.

No worries!

A rootkit scanner checks for malware (viruses, Trojans, spyware etc) that uses sophisticated techniques to hide from anti-virus and anti-spyware programs. If you find a process, dll, service etc that is detected as malware but cannot be removed, it may well be because a rootkit is hiding a Trojan or some spyware that is spawning that process, dll or service.

Another good rootkit detector I should recommend is BlackLight fron F-Secure:

http://www.f-secure.com/blacklight/

Run it just to check nothing else nasty is hiding on the computer.

I would recommend leaving System Restore on: any malware in there is inactive, and if you do delete something that causes system problems, at least you can use System Restore. Of course, if you do a system restore, you also restore any viruses that were backed up, so you have to start cleaning again…

The order to proceed is otherwise spot on.

Yes, please post any scan results. We are obviously going to look for infections reported but not cleaned, in which case we will maybe recommend some special tools.

I reckon if MSN Messenger is infected, one of the programs you use will either clean it or break it. I don’t really think it matters if you reinstall before or after cleaning, but it may well be a wise precaution as you have been informed.

I would suggest not trying to kill strange processes. You will probably find that some are protected anyway- when you try to kill them, something else starts them up again straight away. Other processes may be hidden inside legitimate processes, so you won’t even notice them.

Some anti-malware programs are good at killing malware processes- AVG Anti-Spyware for example will search all processes in memory and kill any bad ones. Other programs will prompt you to reboot and delete files during reboot before they are loaded into memory.

If anything survives all the scans you are doing, it should show up in the HijackThis! scan, in which case we might ask you to manually stop,delete or fix something, but for the moment, let the scanners do their work.

Don’t hesitate to ask if you have any more questions.

Good luck with the scans.