afflik1923 (United Kingdom of Great Britain and Northern Ireland) asked:
Windows pop-up balloon says 'Malicious software was removed' - is this a virus?

Hi,

I'm remotely fixing someone's PC as they have a virus and I thought it had gone. However, I'm still getting some strange behaviour.
Therefore I recently completed a Windows update of the system after Spybot complaining about a fix on reboot; however, after leaving the PC for a few hours after rebooting I see this Windows balloon has popped up with the message as shown in the screenshot.

I started running a spybot scan again and it still says one of the malware is still there.


While I acknowledge there are still some issues with the PC, I just want to know whether this balloon is a genuine Windows balloon or not.

I ask because one of the updates I did before this was the Windows Malicious Software Removal Tool for April 2010 and I wonder whether it has found something.
Made all the harder as I'm accessing the PC remotely, so any input appreciated.

Note I had previously run many other anti-spyware and antivirus tools including Malwarebytes, which have all removed things, but I think there may still be something lurking there.
Thanks
Virus-Probably.PNG
ASKER CERTIFIED SOLUTION by optoma (United States of America): This solution is only available to members of Experts Exchange.
SOLUTION by rpggamergirl (Australia): This solution is only available to members of Experts Exchange.
Zada
Run Malwarebytes and HijackThis and post the logs. It appears that you have only run Spybot.
Yes, I think that this balloon is maybe generated by a fake antivirus (the virus itself).

Run NOD32 (get a trial from http://www.eset.com/).
It will clean your PC from dangerous viruses.
Then you can run Spybot S&D.
In addition to the other great suggestions posted; if they all fail, try creating a bootable antivirus CD. If that doesn't fix it, then you've got some serious problems. It's always good to keep on hand at anytime:
https://www.experts-exchange.com/questions/25347695/anti-infection-CD-solution.html 
https://www.experts-exchange.com/articles/Storage/Misc/Creating-a-bootable-CD-USB.html
What I like is that there are just some pesky items that can't be removed while in Windows. I run from a bootable source first, then go into Windows and see what's left over and then deal with it after. The bootable CD sometimes will take care of 80-100% of the infected items; making it that much easier. Best of luck to you.
afflik1923 (ASKER)
OK, I'm a bit stumped at present.

I now have all the main virus checks reporting nothing, but I still get some browser redirection going on and can't get onto Windows Update (although Automatic Updates seems to chug along). There are remnants of something, but a deep scan with Malwarebytes yields no results, as do Spybot and SUPERAntiSpyware.
Using LogMeIn I have now rebooted into safe mode. There are some things in HijackThis that I cannot remove. I select to fix them but they come back; they are the O23 entries.
So currently I am logged in remotely in safe mode with networking.


See the HijackThis log below. Note I have since successfully removed the O16 entries. Not being with the PC is a bit of a bummer, but hoping I can fix it without a visit. Overall the PC seems OK, but I know there is something there as, for example, if I Google HijackThis and then click on the link to analyse the results, the browser takes me elsewhere. (I've not tested since deleting the O16 entries in HijackThis.)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:58:20, on 17/04/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\LMIE8C1.tmp\unattended_srv.exe
C:\WINDOWS\LMI1359.tmp\LMI_Rescue_srv.exe
C:\WINDOWS\LMI1359.tmp\LMI_Rescue_srv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\LMIE8C1.tmp\unattended.exe
C:\WINDOWS\LMI1359.tmp\LMI_Rescue.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.example.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.0.4.*;127.0.0.*
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [IndexTray] "C:\Program Files\Sharp\Sharpdesk\IndexTray.exe"
O4 - HKLM\..\Run: [Indexer] "C:\Program Files\Sharp\Sharpdesk\Indexer.exe"
O4 - HKLM\..\Run: [SharpTray] "C:\Program Files\Sharp\Sharpdesk\SharpTray.exe"
O4 - HKLM\..\Run: [TypeRegChecker] "C:\Program Files\Sharp\Sharpdesk\TypeRegChecker.exe"
O4 - HKLM\..\Run: [FtpServer.exe] "C:\Program Files\Sharp\Sharpdesk\FtpServer.exe" -usedefault
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [PspUsbCf] pspusbcf.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office 97\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Outlook.lnk = ?
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office 97\Office\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096897747974
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1217285727299
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://www.lillehammer.no/cam/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = example.local
O17 - HKLM\Software\..\Telephony: DomainName = example.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = example.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = example.local
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Application Management AppMgmtwinvnc (AppMgmtwinvnc) - Unknown owner - C:\WINDOWS\System32\a.exe (file missing)
O23 - Service: COM+ System Application COMSysApplanmanserver (COMSysApplanmanserver) - Unknown owner - C:\WINDOWS\system32\adsmsextg.exe (file missing)
O23 - Service: COM+ System Application COMSysApplanmanserver COMSysApplanmanserverWZCSVC (COMSysApplanmanserverWZCSVC) - Unknown owner - C:\WINDOWS\system32\acluiw.exe (file missing)
O23 - Service: COM+ System Application COMSysAppWinDefend (COMSysAppWinDefend) - Unknown owner - C:\WINDOWS\system32\1767DA3E-7E60-4cbf-8AB8-CFF4D42C6D04i.exe (file missing)
O23 - Service: DHCP Client DhcpPlugPlay (DhcpPlugPlay) - Unknown owner - C:\WINDOWS\system32\accessp.exe (file missing)
O23 - Service: DM1Service - OLYMPUS IMAGING CORP. - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: Health Key and Certificate Management Service hkmsvcNetDDE (hkmsvcNetDDE) - Unknown owner - C:\WINDOWS\system32\12520850w.exe (file missing)
O23 - Service: Health Key and Certificate Management Service hkmsvcNetDDE hkmsvcNetDDEseclogon (hkmsvcNetDDEseclogon) - Unknown owner - C:\WINDOWS\system32\advpackw.exe (file missing)
O23 - Service: LogMeIn Rescue (845350) (LMIRescueUA_845350) - LogMeIn, Inc. - C:\WINDOWS\LMIE8C1.tmp\unattended_srv.exe
O23 - Service: LogMeIn Rescue (cd54bf24-414e-4b2d-945e-2326c53c82ec) (LMIRescue_cd54bf24-414e-4b2d-945e-2326c53c82ec) - LogMeIn, Inc. - C:\WINDOWS\LMI1359.tmp\LMI_Rescue_srv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Removable Storage NtmsSvcRemoteRegistry (NtmsSvcRemoteRegistry) - Unknown owner - C:\WINDOWS\system32\3com_dmib.exe (file missing)
O23 - Service: Removable Storage NtmsSvcScheduleTlntSvr (NtmsSvcScheduleTlntSvr) - Unknown owner - C:\WINDOWS\system32\activedsg.exe (file missing)
O23 - Service: Routing and Remote Access RemoteAccessAudioSrv (RemoteAccessAudioSrv) - Unknown owner - C:\WINDOWS\system32\1042w.exe (file missing)
O23 - Service: Task Scheduler ScheduleTlntSvr (ScheduleTlntSvr) - Unknown owner - C:\WINDOWS\System32\a.exe (file missing)
O23 - Service: Shell Hardware Detection ShellHWDetectionlanmanserver (ShellHWDetectionlanmanserver) - Unknown owner - C:\WINDOWS\system32\'j.exe (file missing)
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

--
End of file - 9939 bytes


Just tried to go to http://www.hijackthis.de/ again in safe mode and it redirects to some other website, which I close immediately.

Tough one.
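A triage script for the O23 entries in the log above, added here as an example and not code from anyone in this thread. It assumes a baseline of stock Windows XP service names and flags entries whose short name is glued together from two or more of them, which is the pattern the "file missing" services in this log follow; it only scores entries for review and removes nothing.

```python
"""Triage HijackThis O23 entries whose short name is spliced from stock
Windows XP service names (added example, not code from this thread).
It scores entries for review and removes nothing."""
import re

# O23 - Service: <display>[ (<short name>)] - <owner> - <path>[ (file missing)]
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))? - "
                    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")

# Assumed baseline of stock service names; build yours from a clean machine.
KNOWN_SHORT = {"AppMgmt", "COMSysApp", "Dhcp", "hkmsvc", "NtmsSvc", "RemoteAccess",
               "Schedule", "ShellHWDetection", "PlugPlay", "NetDDE", "seclogon",
               "RemoteRegistry", "TlntSvr", "AudioSrv", "lanmanserver", "WZCSVC",
               "WinDefend", "winvnc"}
KNOWN_DISPLAY = {"Application Management", "COM+ System Application", "DHCP Client",
                 "Health Key and Certificate Management Service", "Removable Storage",
                 "Routing and Remote Access", "Task Scheduler", "Shell Hardware Detection"}

def spliced_parts(name, known=KNOWN_SHORT):
    """Known short names that concatenate exactly to `name` (e.g. AppMgmt+winvnc), or []."""
    for k in known:
        if name == k:
            return [k]
        if name.startswith(k):
            rest = spliced_parts(name[len(k):], known)
            if rest:
                return [k] + rest
    return []

def triage(line):
    """Score one O23 line; returns None for any other line type."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    name = e["name"] or e["display"]
    strong, weak = [], []  # strong: forged name; weak: also common for uninstalled software
    parts = spliced_parts(name)
    if len(parts) > 1:
        strong.append("short name spliced from " + "+".join(parts))
    if any(e["display"] != d and e["display"].startswith(d) for d in KNOWN_DISPLAY):
        strong.append("stock display name with text appended")
    if e["owner"] == "Unknown owner":
        weak.append("no owner")
    if e["missing"]:
        weak.append("file missing")
    verdict = "suspect" if strong else ("stale?" if weak else "ok")
    return {"name": name, "path": e["path"], "verdict": verdict, "reasons": strong + weak}

def triage_log(text):
    return [r for r in (triage(l) for l in text.splitlines()) if r]

# Lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O23 - Service: Application Management AppMgmtwinvnc (AppMgmtwinvnc) - Unknown owner - C:\WINDOWS\System32\a.exe (file missing)
O23 - Service: COM+ System Application COMSysApplanmanserver COMSysApplanmanserverWZCSVC (COMSysApplanmanserverWZCSVC) - Unknown owner - C:\WINDOWS\system32\acluiw.exe (file missing)
O23 - Service: DHCP Client DhcpPlugPlay (DhcpPlugPlay) - Unknown owner - C:\WINDOWS\system32\accessp.exe (file missing)
O23 - Service: DM1Service - OLYMPUS IMAGING CORP. - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: LogMeIn Rescue (845350) (LMIRescueUA_845350) - LogMeIn, Inc. - C:\WINDOWS\LMIE8C1.tmp\unattended_srv.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
"""

if __name__ == "__main__":
    for r in triage_log(SAMPLE_LOG):
        print(f'{r["verdict"]:8}{r["name"]:30}{"; ".join(r["reasons"])}')
```

An entry that is only "no owner" plus "file missing" gets "stale?" rather than "suspect", since that pair is also what a badly uninstalled program leaves behind.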
SOLUTION: This solution is only available to members of Experts Exchange.
Did you try HitmanPro?
Also try Tdsskiller http://support.kaspersky.com/viruses/solutions?qid=208280684

Run all of them in normal mode, do the same with ComboFix, and post their logfiles along with the Malwarebytes logfile which found things.

Although those entries say "file missing", they're OK.

Run the above scanners and then re-run HijackThis as well.
ComboFix stops connection while it's scanning but resumes connection once done.

Also try GMER in case it's the new TDSS variant; it shows up in GMER, just make sure the Sections box is checked.

Download GMER Rootkit Scanner
http://www.gmer.net/gmer.zip
Unzip it to your Desktop.
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
Double click GMER.exe.
If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan.
 
In the right panel, you will see several boxes that have been checked.
Ensure the following are UNCHECKED:
* IAT/EAT
* Drives/Partition other than Systemdrive (typically C:\)
* Show All (don't miss this one)

Then click the Scan button & wait for it to finish.
Once done, click on the Save... button, and in the File name area, type in "ark.txt".
Save the log where you can easily find it, such as your desktop.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
Post the log.
Right, I'm back on this now and have to get it completed by today (as well as many other things - boo hoo).

OK, currently I'm remotely in, using safe mode. I notice that when I run Malwarebytes (note that the latest definitions install fine) it crashes during the run, so there is something still weird going on. In non-safe mode it completes and does not find anything.
I've not tried HitmanPro yet. I always like to get familiar with a new bit of software before running it, but you say this is good, right?
Actually running a full scan again now in non-safe mode and so far it has found 8 infected objects! Scan not complete yet; hopefully it will not crash before it completes.
OK, Malwarebytes did complete the scan and below is the log.

Running it again on quick scan after reboot as requested. Could this have finally nailed it?

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4003

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

18/04/2010 15:37:18
mbam-log-2010-04-18 (15-37-18).txt

Scan type: Full scan (C:\|)
Objects scanned: 375638
Time elapsed: 3 hour(s), 18 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP759\A0049723.exe (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP759\A0049724.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP762\A0050698.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP762\A0051698.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP762\A0051703.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP763\A0051739.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP764\A0051789.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP764\A0051864.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\topdevice.exe (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\224308626.exe (Backdoor.IRCNite) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\3595818381.exe (Trojan.Dropper) -> Quarantined and deleted successfully.


Still run the others.
You can run HitmanPro and choose at the end if you want to remove detections.
If you don't want it after, uninstall it, but it's good.

Run in normal mode as it will be more efficient.

>It would be safer to also run Gmer and post its logfile :)
OK, thanks. One thing I'm noticing is the scanners crash a lot. E.g. I just went back to the PC to find that Spybot had crashed and I had to press "End Now". Very annoying.

I will try this Hitman software next.
Hey, what do you know, in about 5 mins HitmanPro found about 13 infections. It's rebooted and rescanned and found nothing. I've tried the browser site that previously redirected and it seemed to be fine!

OK lots more tests to run, but certainly looks good (and so fast!)
That's good :)

Can you open HitmanPro, hit Settings and the History tab
Post a screenshot of what was found.
OK, still get Malwarebytes crashing (and then it logs out the user when I press Cancel or End Program) when I tried to run it afterwards, but I've not tried a reinstall.

Anyway, pics attached. I've hidden the user's name for privacy reasons.
himman2.PNG
Hitmanprofind.PNG
Does Malwarebytes give you an error message?
More than likely there is something still hidden on the machine.
Run TDSSKiller and post the logfile that's produced; the link is above.

Also run GMER as rpggamergirl suggested.
Run GMER on that system and we'll see what the log shows.
Make sure the "Sections" box is checked.

And ensure the following are UNCHECKED:
* IAT/EAT
* Drives/Partition other than Systemdrive (typically C:\)
* Show All (don't miss this one)


Those bogus O23 entries that you're trying to remove but which come back could be because of a registry monitoring program running... the user has TeaTimer running and that can interfere with HijackThis fixing entries.

Temporarily disable TeaTimer by doing the following:
Run Spybot-S&D.
Go to the Mode menu, and make sure "Advanced Mode" is selected.
On the left hand side, choose "Tools" -> "Resident".
Uncheck "Resident TeaTimer" and "OK" any prompts.
Much good input here. But it was the HitmanPro application that was the real gem. I was lazy to try it on first suggestion, but it would have saved a lot of time if I did.

Thanks again for all input.
Not to worry :)
Machine OK now, no redirects?