I ran a virus scan with AVG 6.0 and this is a LIST of all that was found. I have tried to remove them with AVG and it says they can't be removed. I don't have a clue on how to get rid of them. I have tried to search the help sites with no luck. I have not found these virus names on any site. If someone knows how I can remove them please let me know. Thanks!!
Results of Complete Test, date and time 9/28/2004 1:01:40 :
Testing C:\ volume LOCAL DISK serial 3938-1B06
C:\_RESTORE\TEMP\A0043201.0 Downloader.Alchemic.A
C:\_RESTORE\TEMP\A0043208.0 Downloader.Agent.2.AA
C:\_RESTORE\TEMP\A0044523.0 Downloader.Istbar.4.AD
C:\_RESTORE\TEMP\A0044526.0 Downloader.Alchemic.A
C:\_RESTORE\TEMP\A0044527.0 Downloader.Agent.AS
C:\_RESTORE\TEMP\A0044528.0 Downloader.Istbar.4.H
C:\_RESTORE\TEMP\A0044868.0 Downloader.Dyfica.2.AB
C:\_RESTORE\TEMP\A0044871.0 Downloader.Dyfica.2.AB
C:\_RESTORE\TEMP\A0044874.CPY Downloader.Istbar.4.AM
C:\_RESTORE\TEMP\A0049167.0 Downloader.Dyfica.2.AA
C:\_RESTORE\TEMP\A0049168.0 Downloader.Agent.2.AA
C:\_RESTORE\TEMP\A0049169.0 Downloader.Dyfica.2.AC
C:\_RESTORE\TEMP\A0051764.0 Downloader.Dyfica.2.AK
C:\_RESTORE\TEMP\A0051765.0 Downloader.Dyfica.2.AE
C:\_RESTORE\TEMP\A0051766.0 Downloader.Dyfica.2.AE
C:\WINDOWS\TEMP\HPOTDD000.log Cannot open; not checked!
Test finished, duration 00:10:20.7 s, 12197 objects tested, 15 found infected

tandkand3a....I do not believe the items you listed are viruses....but rather spyware, malware, adware and possibly page hijackers (pests).
ISTbar is an IE toolbar, homepage- and search-hijacker provided by Integrated Search Technologies/CDT Inc.
I would suggest you D/L Ad-Aware SE and Spybot and then watch them run......lol. Have you not looked for them in the path which your AV gave you.......because that's where they are. Have you noticed anything else odd about the way your PC is running? You failed to mention what operating system you have.
let us know dl65
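The reply above tells the poster to look in the paths the scanner reported. A quick way to see what those paths have in common is to parse the AVG report and group the hits by directory. The following is an added example written for this page, not code from AVG or from anyone in the thread; the report lines are copied from the opening post as sample input, and the C:\_RESTORE root (where Windows ME System Restore keeps its file snapshots) is the one assumption it makes about the layout.

```python
import re
from collections import Counter

# Constructed input: the result lines from the AVG 6.0 "Complete Test" report
# in the opening post, one object per line (the original was run together).
AVG_REPORT = r"""
C:\_RESTORE\TEMP\A0043201.0 Downloader.Alchemic.A
C:\_RESTORE\TEMP\A0043208.0 Downloader.Agent.2.AA
C:\_RESTORE\TEMP\A0044523.0 Downloader.Istbar.4.AD
C:\_RESTORE\TEMP\A0044526.0 Downloader.Alchemic.A
C:\_RESTORE\TEMP\A0044527.0 Downloader.Agent.AS
C:\_RESTORE\TEMP\A0044528.0 Downloader.Istbar.4.H
C:\_RESTORE\TEMP\A0044868.0 Downloader.Dyfica.2.AB
C:\_RESTORE\TEMP\A0044871.0 Downloader.Dyfica.2.AB
C:\_RESTORE\TEMP\A0044874.CPY Downloader.Istbar.4.AM
C:\_RESTORE\TEMP\A0049167.0 Downloader.Dyfica.2.AA
C:\_RESTORE\TEMP\A0049168.0 Downloader.Agent.2.AA
C:\_RESTORE\TEMP\A0049169.0 Downloader.Dyfica.2.AC
C:\_RESTORE\TEMP\A0051764.0 Downloader.Dyfica.2.AK
C:\_RESTORE\TEMP\A0051765.0 Downloader.Dyfica.2.AE
C:\_RESTORE\TEMP\A0051766.0 Downloader.Dyfica.2.AE
C:\WINDOWS\TEMP\HPOTDD000.log Cannot open; not checked!
"""

# Assumption: Windows ME System Restore keeps its file snapshots under
# C:\_RESTORE. A scanner can read those copies but cannot delete them while
# System Restore is enabled, which is why "cannot be removed" shows up here.
RESTORE_ROOT = r"C:\_RESTORE"

# "<drive>:\<path-without-spaces> <result text>"
LINE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\\S+)\s+(?P<result>.+?)\s*$")


def parse_report(text):
    """Turn the report into a list of findings; non-matching lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path, result = m.group("path"), m.group("result")
        findings.append({
            "path": path,
            "dir": path.rsplit("\\", 1)[0],
            "result": result,
            # AVG reports files it could not open separately from detections.
            "infected": not result.startswith("Cannot open"),
        })
    return findings


def in_restore_cache(path):
    """True when the file lives inside the System Restore snapshot tree."""
    return path.upper().startswith(RESTORE_ROOT.upper() + "\\")


def summarize(findings):
    """Counts by directory and by detection family, plus the Restore check."""
    infected = [f for f in findings if f["infected"]]
    by_dir = Counter(f["dir"] for f in infected)
    # Family is the second dotted component: Downloader.<Family>.<variant...>
    by_family = Counter(f["result"].split(".")[1] for f in infected)
    return {
        "infected": len(infected),
        "unchecked": len(findings) - len(infected),
        "by_dir": dict(by_dir),
        "by_family": dict(by_family),
        "all_infected_in_restore": all(in_restore_cache(f["path"]) for f in infected),
    }


if __name__ == "__main__":
    summary = summarize(parse_report(AVG_REPORT))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

If every detection sits under C:\_RESTORE, the files are not live on the system but are snapshot copies, and the fix is to disable System Restore (which purges the snapshots), rescan, then re-enable it, rather than hunting for the files by hand.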
My OS is Windows ME. I check and install updates on a regular basis. I also run Ad-Aware SE and Spybot. Both of those scans show the computer as clean. I have tried to search for the files and can't find them on the computer. They are gone or I am not looking in the right place. I have not experienced any problems with my computer, it seems to be operating normally. Should I run HijackThis?

tandkand3a......
TROJ_ALCHEMIC.A ......trojan. This memory-resident Trojan is capable of downloading and installing additional applications without first notifying the user. The downloaded file may be updates to other adware programs.
It may act as a Browser Helper Object (BHO), which is able to monitor all Web sites visited. It may also display popup advertisements.
It runs on Windows 95, 98, ME, NT, 2000, and XP.
Dyfica.2.AB ....... another trojan
Agent.2.AA ....... another trojan
Istbar.4.AD ........ yet another trojan
Try this. Remove Trojan horse Downloader.Istbar.4.H this way:
* Close all programs.
* Turn off System Restore.
* Run AVG Complete Scan.
* Turn on System Restore.
If you can't find Trojan horse Downloader.Istbar.4.H, AVG may have moved it to the Virus Vault. Check the Virus Vault.
Disabling System Restore on Windows ME. In Windows Millennium there is System Restore. Windows ME creates backup copies of the essential system files so they can be restored if they get corrupted. Sometimes this makes the disinfection difficult since the backup files can get infected. In those cases Windows will copy the infected file in the place of the clean one.
This feature can be disabled with the following steps:
1. Right-click on the My Computer icon and select Properties.
2. In the System Properties window select the Performance tab.
3. Click on the File System... button.
4. In the File System Properties window select the Troubleshooting tab.
5. Check the Disable System Restore checkbox.
6. Click the Apply button.
7. Close the windows using the Close button.
8. Click Yes when prompted for reboot.
The System Restore feature can be enabled again with the same steps. At step 5 you have to uncheck the Disable System Restore checkbox.
If this doesn't get rid of the trojans......then run HijackThis....but I don't think you should have to.
let us know how you make out
dl65, I checked the Virus Vault and it is empty. I ran AVG again and tried to remove the 15 files and they could not be removed. The System Restore function is turned off. I did run HijackThis but it will not let me post the log on here. It says that the message is too large. Both Ad-Aware and Spybot show the system clean. Any ideas on how to post the log or other solutions?

Run AVG in Safe mode.

tandkand3a........If you post your log in 2 PIECES rather than one you should be able to post it OK. And it looks like your trojans are residing in your restore files........have you looked there?
let us know dl65

I have run AVG in Safe Mode and the results are the same. Here is part of the HijackThis log.
Logfile of HijackThis v1.97.7
Scan saved at 11:07:48 PM, on 9/29/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\TPWRTRAY.EXE
C:\WINDOWS\SYSTEM\TFNCKY.EXE
C:\WINDOWS\SYSTEM\TOSHIBSU.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\NETGEAR\WG511\UTILITY\WG511WLU.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\RAM\RAMBOOSTER.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\DESKTOP\PC HEALTH\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://centralkansas.cox.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://members.cox.net/mycrosmith/
R3 - URLSearchHook: (no name) - _{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_3_12_0.DLL
O2 - BHO: (no name) - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\PROGRAM FILES\POPUP MANAGER\POPUPMGR_1.0.2.1P.DLL
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\PROGRAM FILES\NETZERO\TOOLBAR.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_3_12_0.DLL
Here is the second part of the log.
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFncky] TFncky.exe
O4 - HKLM\..\Run: [TOSHIBSU] TOSHIBSU.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com/start.html
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37893.3547569444
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: DigiChat Applet - http://albany.digi-net.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553542500} - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://ds1.downloadtech.net/cn1060/pcpowerscan.cab
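Reading a HijackThis log by hand means scanning for three things: entries whose target file no longer exists ("(no file)", which are orphan registry keys and safe to fix), the O14 IERESET.INF start page (the URL IE reverts to on "reset web settings"), and O16 entries (ActiveX controls downloaded from the listed hosts). The following is an added example, not part of the thread or of HijackThis itself; it parses a subset of the lines posted above and applies those three checks. The vendor allowlist is an assumption made for the example, so a host outside it means "review", not "malicious".

```python
import re
from urllib.parse import urlparse

# Constructed input: a subset of the HijackThis v1.97.7 lines posted in this
# thread, one entry per line. Sample data for this added example only.
HJT_LOG = r"""
R3 - URLSearchHook: (no name) - _{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_3_12_0.DLL
O2 - BHO: (no name) - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\PROGRAM FILES\POPUP MANAGER\POPUPMGR_1.0.2.1P.DLL
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com/start.html
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37893.3547569444
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: DigiChat Applet - http://albany.digi-net.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://ds1.downloadtech.net/cn1060/pcpowerscan.cab
"""

# Assumption (not from the page): domains whose ActiveX downloads and start
# pages we treat as expected. Anything else is flagged for manual review.
KNOWN_SUFFIXES = ("macromedia.com", "microsoft.com", "yahoo.com", "yimg.com", "apple.com")

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}")


def parse_hjt(text):
    """Return (code, body) pairs for entry lines; headers and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def known_host(host):
    """True if host equals or is a subdomain of an allowlisted suffix."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in KNOWN_SUFFIXES)


def triage(text):
    """Apply the three manual checks and return what a reviewer would look at."""
    result = {"orphans": [], "o16_hosts": [], "o16_review": [], "o14": None, "o14_review": False}
    hosts = set()
    for code, body in parse_hjt(text):
        if body.endswith("(no file)"):
            # Registry entry whose DLL is gone: harmless leftover, safe to fix.
            m = CLSID_RE.search(body)
            result["orphans"].append((code, m.group(1) if m else body))
        elif code == "O16":
            # Last " - " separated field is the download URL of the control.
            url = body.rsplit(" - ", 1)[-1]
            hosts.add(urlparse(url).hostname or "")
        elif code == "O14":
            # IERESET.INF decides where "Reset Web Settings" sends the user.
            _, _, url = body.partition("START_PAGE_URL=")
            result["o14"] = url.strip()
            result["o14_review"] = not known_host(urlparse(url).hostname or "")
    result["o16_hosts"] = sorted(hosts)
    result["o16_review"] = sorted(h for h in hosts if not known_host(h))
    return result


if __name__ == "__main__":
    for key, value in triage(HJT_LOG).items():
        print(f"{key}: {value}")
```

The orphan check is the only one that is mechanical; the O14 and O16 results are a shortlist for a person to look up, which is how the helpers in this thread would have read the log.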
Forget Ad-Aware and Spybot, try this one, it's beat both of them > http://www.webroot.com Spy Sweeper... and do you use Kazaa or AOL?..or if you really get fed up re-install WinME....locate the c:\windows\options\cab folder, next to the scanreg icon....is the famous icon called setup, click this, it will re-install WinME..without losing any files, and disable System Restore, it's not needed...and don't use IE6 either...

Thanks Merlin_2, your advice worked. I did re-install Windows and everything is working great now. Thanks to EVERYONE who helped me. This is a great forum!!