(New Avast User) Infected with Viruses Please Help

Hello,

I recently downloaded Avast Anti Virus Home Edition today. It scanned my system once when I had to restart my computer after installing Avast, plus I did a thorough scan earlier. According to Avast there are 19 objects on my computer infected. I got rid of AVG Anti Virus (free version) today as well due to it not being free anymore, so I’m assuming it missed some things whenever it scanned my computer. I am using Windows XP Home Edition. Any kind of information/help would be greatly appreciated. Below are the objects that are infected, and are categorized by each virus type.

Win32:Trojano-967 [Trj]
File Name: polall1b.exe.remover - Folder: C:\Documents and Settings\Owner\Local Settings\Temp

Win32:Trojan-gen {Other}
File Name: uemzlhm.ex$ - Folder: C:\WINDOWS\system32
File Name: systb.dll - Folder: C:\WINDOWS
File Name: mm_reco.exe - Folder: C:\Documents and Settings\Owner\Local Settings\Temp
File Name: farmmext.exe - Folder: C:\Documents and Settings\Owner\Local Settings\Temp\THI1CFE.tmp
File Name: farmmext.exe - Folder: C:\Documents and Settings\Owner\Local Settings\Temp\THI6418.tmp
File Name: farmmext.ex$ - Folder: C:\WINDOWS
File Name: BTGrab.dll - Folder: C:\Documents and Settings\Owner\Local Settings\Temp\THI6E9F.tmp

Win32:Ebamom [Adw]
File Name: EbatesMoeMoneyMaker1.exe - Folder: C:\Program Files\Ebates_MoeMoneyMaker
File Name: A0136564.exe - Folder: C:\System Volume Information_restore(a bunch of numbers and letters are found here, if needed let me know)

Win32:Adware-gen [Adw]
File Name: randreco.exe - Folder: C:\Documents and Settings\Owner\Local Settings\Temp
File Name: MMaker2.exe - Folder: C:\Documents and Settings\Owner\Local Settings\Temp\THI1CC7.tmp
File Name: MiniBug.exe - Folder: C:\Documents and Settings\Owner\Local Settings\Temp
File Name: disp350.exe - Folder: C:\Program Files\Ebates_MoeMoneyMaker
File Name: BTGrab.dll - Folder: C:\Documents and Settings\Owner\Local Settings\Temp
File Name: BTGrab.dll - Folder: C:\WINDOWS
File Name: A0136563.exe - Folder: C:\System Volume Information_restore(a bunch of numbers and letters are found here, if needed let me know)

Win32:Ad-Agent [Adw]
File Name: randreco.exe.remover - Folder: C:\WINDOWS\system32
File Name: btgupg.exe.remover - Folder: C:\Documents and Settings\Owner\Local Settings\Temp

As you can see it’s quite a bit of a mess, and I’m very unsure of how to fix any of these problems. Also, when I first installed Avast and my computer restarted, doing a virus scan before entering the Windows desktop, it attempted to repair these files but I received this error: ‘Repair: Error 42060’. Just wanted to mention that in case it would help. Any form of help is greatly appreciated. Thank you in advance to anyone who replies.

It’s surprising AVG let so much through. Was it terribly out of date?

Was any of the malware you listed able to be put in the chest, or is it all still active on your computer?

Please download and scan with the free versions of the following programs, putting anything found in quarantine whenever possible.

AVG Antispyware: http://free.grisoft.com/doc/20/lng/us/tpl/v5
A-Squared: http://www.emsisoft.com/en/software/free/
Super AntiSpyware: http://www.superantispyware.com/
AdAware SE: http://www.lavasoftusa.com/download_and_buy/product_comparison_chart.php

An on-line scan with Trend Micro Housecall would also be useful:

http://housecall.trendmicro.com/

After each scan let us know what was found.

Hi Galskygge,

AVG is still free: you just need to download the new version, 7.5.

These infections seem to be mostly adware, which the free version of AVG does not detect.

In addition to the programs recommended by mauserme, I recommend Spybot Search & Destroy:

http://www.safer-networking.org/

Some of these adware infections can be difficult to remove and require a specialist tool- please let us know if you still see pop-up ads after running all the scans.

Cleaning up your temporary internet files before scanning would be a good idea. Try CCleaner:

http://www.ccleaner.com/

Most of the adware you have is IE specific stuff: avoid it by using Firefox or Opera.

Hello,

AVG wasn’t out of date. I’m very conscious in regards to keeping my computer safe, but apparently that didn’t work out too well ???

Everything I listed was sent to the chest immediately upon finding it when I realized I could not repair it.

I had already scanned my computer with Ad-Aware SE before previously posting the viruses that were found. If I need to continue with using the other programs you listed please let me know. Thank you for your help!

By the way, I can’t copy and paste both of the logs, not even just one, into a post because I get a message about the post exceeding the maximum amount of characters allowed. Is there another way to show the logs on here?

Hello, FreewheelinFrank, I do not use Internet Explorer. I use Firefox, however Internet Explorer is on my computer. Does that mean I should delete it?

You can’t remove IE, but you can improve security by updating to IE7 and installing and using SpywareBlaster.

I installed IE7 not too long ago. Is SpywareBlaster something like Ad-Aware SE? If so, should I only use Spyware Blaster?

SpywareBlaster is different: it adds killbits to IE to prevent ActiveX spyware from running, and adds bad sites to the restricted zone of IE so that they cannot run malware scripts etc. to attack your computer should you visit the site. It doesn’t scan at all like AdAware or Spybot Search & Destroy, although Spybot has a similar function called ‘Immunize’.

SpywareBlaster doesn’t run in the background: just install, update and enable all protection. Check for updates every month or so and enable protection again.

All the programs mentioned in this thread you can keep on your computer and scan with from time to time without them taking up resources, with the exception of SuperAntiSpyware, which has a residual process which will take up resources. AVG Anti-Spyware has real-time protection during the month-long free trial, which again will take up some resources, but will revert to an on demand scanner at the end of the trial which doesn’t take up resources.
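An added example, not from the thread or from SpywareBlaster itself, showing how a defender can verify the two protections described above: the ActiveX killbit (bit 0x400 of the `Compatibility Flags` value under IE's `ActiveX Compatibility` key) and a Restricted sites mapping (zone 4) in the Internet Settings ZoneMap. The CLSID and domain used as input are constructed placeholders, not values from this thread.

```powershell
# Added example: audit ActiveX killbits and Restricted-sites zone entries
# (the two mechanisms SpywareBlaster uses). Run on the machine being checked.

$KillBit = 0x400   # "kill bit" flag: IE refuses to instantiate the control

# Constructed placeholders; replace with the CLSIDs / domains you want to audit.
$ClsidsToCheck  = @('{00000000-0000-0000-0000-000000000001}')
$DomainsToCheck = @('example.invalid')

function Test-KillBit {
    param([string]$Clsid)
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path -LiteralPath $key)) { return $false }
    $flags = (Get-Item -LiteralPath $key).GetValue('Compatibility Flags')
    if ($null -eq $flags) { return $false }
    # Only bit 0x400 matters; other flags in the DWORD are ignored here.
    return [bool]($flags -band $KillBit)
}

function Test-RestrictedZone {
    param([string]$Domain)
    # Zone 4 = Restricted sites. A '*' value covers every URL scheme for the domain.
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$Domain"
    if (-not (Test-Path -LiteralPath $key)) { return $false }
    $zone = (Get-Item -LiteralPath $key).GetValue('*')
    return ($zone -eq 4)
}

foreach ($c in $ClsidsToCheck)  { '{0}  killbit={1}'    -f $c, (Test-KillBit $c) }
foreach ($d in $DomainsToCheck) { '{0}  restricted={1}' -f $d, (Test-RestrictedZone $d) }
```

A `False` result for a control or domain you expected SpywareBlaster to cover usually means its protection was never enabled or its database has not been updated, which is the monthly re-enable step the post mentions.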

A random Google for one of the items detected suggests your problem may be adware which comes bundled with free software:

This is not a virus or trojan. There is more than one version of this Application.

This is a process or IE Browser Helper Object that monitors addresses entered into web forms. These addresses are sent to a remote location and are recorded into a database.

This program is generally installed by certain 3rd party applications, generally freeware. The third party installer installs all the files for this program. Once the application is run, it creates a registry entry to run the program at startup:

http://vil.mcafeesecurity.com/vil/content/v_100622.htm

As the write-up says, this is not a virus or Trojan. AVG Free does not detect “potentially unwanted programs” like this (you have to get the pay version for that) but avast! does.

The answer is to only download free programs from sites which have a no-spyware policy. My personal favourite is snapfiles.com.

EDIT: Typo and link.

These infections seem to be mostly adware, which the free version of AVG does not detect.

Frank, are you saying AVG Free doesn’t detect any adware, or just that those listed above are not among its detections? If it’s the former I thank you for that information. I wasn’t aware of it.

If I need to continue with using the other programs you listed please let me know.

Anytime that much finds its way onto a computer I feel it’s best to throw all the available tools at it. It’s time consuming but better to deal with the problem now rather than risking a larger problem later.

FreewheelinFrank’s suggestion about installing SpywareBlaster is a good one but make sure your computer is clean first. Installing it with active malware can cause problems. Even more reason to run additional scans.

You could save the logs as text files and attach them. Click the additional options located right below where you type in a post. Don’t preview before posting.

Or split them up into separate posts.

Frank - are you saying AVG Free doesn't detect any adware, or just that those listed above are not among its detections?

Like Antivir Free, AVG Free does not detect “potentially unwanted programs”. The AVG Free homepage says the free version does not detect “spyware”, but the program certainly does detect Trojan downloaders associated with spyware. In the recent Computer Shopper test here, AVG Free had the best detection of “web-based threats”, beating even Kaspersky. These “web-based threats” were described as “malicious” “spyware”.

My interpretation of “potentially unwanted programs” is adware, but I don’t know how exactly Grisoft define the phrase: some forms of ad-displaying programs which don’t ask for permission to install and which resist removal might well fall outside the definition.

Hey,

Sorry it’s been about 5 (I think) days since I last responded. I have been fairly sick. Anyway, I installed SpywareBlaster along with Spybot Search & Destroy. Everything that Spybot Search & Destroy found it was able to repair. I’m going to try attaching a copy of the 2 logs that I have from Ad-Aware SE. Hopefully it works.

Update: I installed SUPERAntiSpyware Free Edition on my computer and did a scan with that. It found a total of 16 objects, which were sent to quarantine. Here is the scan log:

SUPERAntiSpyware Scan Log
Generated 02/26/2007 at 08:35 PM

Application Version : 3.5.1016

Core Rules Database Version : 3190
Trace Rules Database Version: 1200

Scan type : Quick Scan
Total Scan Time : 00:42:22

Memory items scanned : 591
Memory threats detected : 0
Registry items scanned : 774
Registry threats detected : 0
File items scanned : 20862
File threats detected : 16

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@ad.reunion[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@adknowledge[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@adopt.specificclick[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@ath.belnk[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@atwola[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@azjmp[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@banner[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@belnk[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@dist.belnk[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@edge.ru4[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@icc.intellisrv[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@keywordmax[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@login.tracking101[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@media4.sitebrand[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@tracking[2].txt

Adware.APHelper
C:\WINDOWS\SYSTEM32\APHELPER.DL$

I would think that I could delete the first 15 objects (cookies) that are in quarantine, correct? But what about Adware.APHelper? I’m guessing that’s a virus, and if it is, since it’s in that particular folder I will need to find something to remove it/repair it, etc.

The cookies can be quarantined or deleted. They’re really not worth keeping since they will be recreated if you visit the same web sites again. I usually clear all of mine when I’m finished browsing.

C:\WINDOWS\SYSTEM32\APHELPER.DL$ looks like more adware. Is SuperAntispyware unable to quarantine it?

I’ll take care of the cookies right away then, and yes, SuperAntispyware was able to quarantine C:\WINDOWS\SYSTEM32\APHELPER.DL$

I’m just not sure what to do with it now that it’s been quarantined.

Thanks for your response, by the way.

There are two reasons to put files in quarantine. First, it could be a false positive, in which case removing the file can break a program that used to be OK. Second, some adware can be linked to software you want and will render that software inoperable if it’s removed. If you deleted the file your options are limited.

Putting the file in quarantine for a couple of weeks gives you a chance to work with your programs and see if anything is malfunctioning. If nothing is wrong you can delete it, but if something is going awry, you can scan the file again to see if it’s still detected as adware. If it is still detected you need to make a decision as to whether to live with the ads or live without the associated software. Most adware is, after all, more of a nuisance than anything particularly damaging.

Thank you, I’ll let it sit around in quarantine for a bit and then take it from there.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner. I feel VirusTotal is the better option as it uses the Windows version of avast (more packers supported) and there are currently 29 different scanners.

Or Jotti - Multi engine on-line virus scanner. If any other scanners here detect them it is less likely to be a false positive. Whichever scanner you use, you probably can’t do this with the file in quarantine; you will need to move it out to a temporary folder.

You can post the results.

If multiple AVs detect it, send a sample to avast. If you are not getting a virus warning for something that you believe is new, undetected malware, then if you can, zip and password protect (‘virus’ will do) the suspect file and send it to virus @ avast.com (no spaces), or send it from the chest (after adding it to the User Files section of the chest).

Give a brief outline of the problem (possibly a link to this thread), the fact that you believe it to be either a new, undetected virus or a false positive, and include the password in the body of the email. Some info on the avast version and VPS number (see about avast {right click avast icon}) will also help.

Thank you, DavidR. I really appreciate your response. I’ll do a scan with those two and then possibly run a scan once more with Avast. After that, depending on what goes on, I will send the stuff in to Avast. Again, thank you for your help.

You’re welcome.