My daughter's laptop seems to be infected with spyware, popups, etc. She thinks it originally got infected through an instant message. I've run Ad-Aware, Spybot Search and Destroy, and her Symantec antivirus, with no success. I am hoping that the HijackThis log below might shed some light on the situation. Thanks in advance for any assistance.
Logfile of HijackThis v1.99.1
Scan saved at 1:34:28 PM, on 6/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
OK, we have quite a bit going on here, let's deal with one specific thing first.
Please follow these instructions, exactly, for proper HJT installation. Please place HJT into ITS OWN PERMANENT FOLDER. It also needs to be removed from the desktop.
You can do this by going to My Computer (Windows key+E), then double-click on C:, then right-click and select New, then Folder, and name it HJT (C:\HJT\HijackThis.exe). Move HijackThis.exe into this folder. When you run HijackThis.exe from the C:\HJT folder and use "Fix checked", it will create a backup file of the modifications, easily accessible if a restore is necessary.
Right click the file on your Desktop, and choose Extract All.
Click Next.
In the box to choose where to extract the files to:
Click Browse.
Click on the + sign next to My Computer
Click on Local Disk (C: ) or whatever your primary drive is.
Click Make New Folder
Type in BFU
Click Next, and uncheck the Show Extracted Files box and then click Finish.
Download sidekickFix.bat (right-click on that link and choose Save As)
Place sidekickFix.bat in your C:\BFU - folder. (Important!)
Close all browsers and explorer folders.
Double-click on sidekickFix.bat
Click Yes and follow the prompts, when prompted to restart the PC please do so.
Then:
Please download, install, and update the NEW free version of Ewido Anti-Malware:
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
From the main ewido screen, click on update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
If ewido finds anything, it will pop up a notification. Select "Remove" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
Once the above have been done, please post a fresh HJT log file along with the Ewido report.
We will still have many things to get to depending on what Ewido removes.
Thanks for the welcome, although I have been here for a while. Anyway, things have gone from bad to worse, before I even have had a chance to try your suggestions. When I try to boot up the laptop, I get a message that says, Novell Security Message. The tree or server cannot be found. Choose a different tree or server. Select the Workstation only checkbox to login to the local workstation. Would you like to try to log in to Windows? Yes or No.
Either choice I make, the computer takes about an hour to boot up. When I eventually get to the desktop, anything I click on or try to do freezes up the computer.
This is a new one on me. With my own computers, even when they are messed up, I have always been able to at least run the various corrective programs suggested by this forum. At this point, my daughter is considering driving two hours back to her college (where she got the laptop) and having the tech support there wipe the drive. She would like to avoid this if possible, as she has a lot of stuff from her first year in college on the machine.
Well, my daughter is hoping I can get her laptop working right again through advice given by the experts here at the forum. She really doesn't want to have to have the drive wiped clean. So, if anyone here can provide any assistance, we would both appreciate it.
Very well, just do as instructed above in my first post, this will remove the one specific infection, after that we will need to continue on to get the rest.
OK, I'll give it another try, but as I mentioned earlier, when I try to do anything on the laptop, it freezes up. I can't get it to access the Internet, so I downloaded those programs onto my computer, burned them on a disk, and have tried unsuccessfully so far to get them onto her laptop. I'm wondering if the operating system has been damaged by this problem.
I'll give it another shot, but I'll have to wait until after work tomorrow.
OK, I managed to get the freezing up problem resolved by using System Restore. Next, I followed the instructions as best as I could.
I put Hijack This in its own folder, although I never saw where it was on the desktop.
The instructions concerning Brute Force Uninstaller and sidekickFix.bat were followed without any problem.
When I followed the Ewido link, it took me to a program called Ewido Anti-Spyware, not Anti-Malware. I hope this was the correct program. Some of the instructions weren't possible to follow exactly, as choices weren't presented to me in the same manner as indicated in TeMerc's post. Since it's been a week since the instructions were given, I wonder if perhaps an updated version of the program had been issued, or the link changed. That might explain the differences in the instructions. Anyway, below are the logs from the Ewido program and from Hijack This.
The Ewido log might be a bit misleading. I did it prior to taking action on what the program found. I actually deleted everything it found with the exception of C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : No action taken.
C:\WINDOWS\hyitwxjr.exe -> Adware.BookedSpace : No action taken.
C:\stub_sca3.exe -> Adware.BookedSpace : No action taken.
C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : No action taken.
C:\WINDOWS\system32\mptft.exe -> Adware.SearchAssistant : No action taken.
C:\WINDOWS\system32\tfthot.exe -> Adware.SearchAssistant : No action taken.
C:\WINDOWS\system32tfthot.exe -> Adware.SearchAssistant : No action taken.
C:\WINDOWS\system32\gbe90qs.exe -> Adware.Suggestor : No action taken.
C:\WINDOWS\system32\nr1rnqm8.exe -> Adware.Suggestor : No action taken.
C:\WINDOWS\system32\ssn6tuu.exe -> Adware.Suggestor : No action taken.
C:\WINDOWS\booterror.exe -> Downloader.Adload.bo : No action taken.
C:\svchost.exe/booterror.exe -> Downloader.Adload.bo : No action taken.
C:\wd7gi8n.exe -> Downloader.Agent.ala : No action taken.
C:\ac2_0003.exe -> Downloader.Small.cpu : No action taken.
C:\526_620.exe -> Dropper.Mudrop.bq : No action taken.
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : No action taken.
C:\Documents and Settings\LocalService\Cookies\system@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : No action taken.
C:\Documents and Settings\LocalService\Cookies\system@media.top-banners[1].txt -> TrackingCookie.Top-banners : No action taken.
::Report end
Logfile of HijackThis v1.99.1
Scan saved at 7:45:22 PM, on 6/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Yes, Ewido did indeed have a program version upgrade, and a change in name, after just recently changing it to Anti-Malware....
Let's do some fixing and see what transpires. I think you have a Qoologic infection still lurking, so we'll once again use BFU.
Please download Brute Force Uninstaller to your desktop. (Right-click on this link and choose Save As; if using IE, Save Target As.)
Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C: ) or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
Download qoofix.bat (right-click on this link and choose Save As; if using IE, Save Target As)
Place qoofix.bat in your C:\BFU - folder. (Important!)
Double-click qooFix.bat. Close all browsers and Explorer folders.
Choose option 1 (Qoolfix autofix) and follow the prompts.
Please be patient, it will take about five minutes.
After the PC has restarted please do the following.
Please go to Add/Remove, and if found, uninstall the following:
Viewpoint
Secret Smilies
Please go to 'Task Manager' by hitting Ctrl+Alt+Delete and 'End Task' on the following process(es): C:\WINDOWS\system32\RSX.exe
Run Hijackthis and look over the following entries I have listed, check the boxes next to them and press the "Fix Checked" button with HijackThis. When you are doing this, make sure you have No IE windows, or other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
Reboot, into safe mode, this way:
Turn on the computer
Immediately begin tapping the <F8> key.
Use the arrow keys to highlight Safe Mode and press the <Enter> key.
Also, enable the 'Show Hidden Folders' option, like this:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
And search for, then delete, if found, (some may not be present after previous steps) the following files/folders:
C:\Program Files\Viewpoint<<<<---folder
C:\Program Files\SecretSmilies<<<<---folder
C:\WINDOWS\system32\orgyi.exe<<<--file
C:\WINDOWS\system32\RSX.exe<<<--file
C:\WINDOWS\system32\xipuiq.exe <<<--file
To exit Safe Mode, click the Start button, click Turn Off Computer, click Restart.
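The manual steps above (End Task on RSX.exe, show hidden and protected files, then search for and delete the listed files and folders) can be scripted so nothing is missed and a record is kept. The script below is an added example, not part of the WindowsBBS thread or the helper's own fixes; it assumes PowerShell 4 or later (for Get-FileHash and Tee-Object -Append), an administrator account, and uses only the paths named in the post. Run it from Safe Mode with -DryRun first to see what it would touch.

```powershell
# Added example: scripted version of the cleanup steps in the post.
# Assumptions: PowerShell 4+, run as administrator, ideally in Safe Mode.
param([switch]$DryRun)

# Exact paths from the post; the helper said some may no longer exist.
$targets = @(
    'C:\Program Files\Viewpoint',
    'C:\Program Files\SecretSmilies',
    'C:\WINDOWS\system32\orgyi.exe',
    'C:\WINDOWS\system32\RSX.exe',
    'C:\WINDOWS\system32\xipuiq.exe'
)

# 1. "End Task" on RSX.exe. Match on the full image path rather than the
#    process name so an unrelated process that merely shares the name is
#    not killed.
Get-Process | Where-Object { $_.Path -eq 'C:\WINDOWS\system32\RSX.exe' } |
    ForEach-Object {
        Write-Host "Stopping PID $($_.Id) ($($_.Path))"
        if (-not $DryRun) { Stop-Process -Id $_.Id -Force }
    }

# 2. The two Folder Options settings from the post, set directly in the
#    registry: Hidden=1 shows hidden files, ShowSuperHidden=1 unhides
#    protected operating system files.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
if (-not $DryRun) {
    Set-ItemProperty -Path $adv -Name Hidden -Value 1
    Set-ItemProperty -Path $adv -Name ShowSuperHidden -Value 1
}

# 3. For each target: report whether it exists, hash any file before it
#    goes (so the sample can still be identified later), then delete.
#    -Force is needed because the files may carry the hidden attribute.
$log = Join-Path $env:USERPROFILE 'Desktop\cleanup-log.txt'
foreach ($t in $targets) {
    if (-not (Test-Path -LiteralPath $t)) {
        "$t : not found" | Tee-Object -FilePath $log -Append
        continue
    }
    $item = Get-Item -LiteralPath $t -Force
    if (-not $item.PSIsContainer) {
        $hash = (Get-FileHash -LiteralPath $t -Algorithm SHA256).Hash
        "$t : SHA256 $hash" | Tee-Object -FilePath $log -Append
    }
    if ($DryRun) {
        "$t : would delete" | Tee-Object -FilePath $log -Append
    } else {
        Remove-Item -LiteralPath $t -Recurse -Force
        "$t : deleted" | Tee-Object -FilePath $log -Append
    }
}
```

The log it writes on the Desktop is the equivalent of the "post a fresh log" step: it shows which of the named files were actually present, which is what the helper needs to decide the next round. Hashing before deletion matters because several of the Ewido detections earlier in the thread sit under names that look legitimate (a dll named like an ATI driver in system32, an svchost.exe in the root of C:), and the hash is the only way to check afterwards what was really removed.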
Of the files I was told to search for and delete, the only one I located was C:\WINDOWS\system32\RSX.exe<<<--file
Below is my latest HJT log.
Logfile of HijackThis v1.99.1
Scan saved at 10:19:54 AM, on 6/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
In Add/Remove Programs, there were three entries related to Viewpoint, which I deleted. There was nothing there for Secret Smilies.
Do I need to now unselect the Show hidden files and folders and check the Hide protected operating system files? If so, do I need to go back into Safe mode to do so, or do it from regular mode?
OK, be sure there are no odd or unknown entries in Add\Remove, it's possible SecretSmilies could be under a different name. It's no longer in the HJT log file, so I just want to be sure nothing else is lurking.
The files may be reverted back to hidden if you like, and this can be done in either normal or safe modes.
Your log file is now clear of any indicators of malware. How is the machine currently running? Let me know please.
To further prevent the installation of ad/mal/spyware, DL the apps below, which are just as good in the fight against ad/mal/spyware as AdAware & Spybot S&D:
SpywareBlaster
With SpywareBlaster v3.5.1, just DL, install and check for updates, enable Internet Explorer protection, and you're done! I don't recommend using IE restricted sites protection as it's not a very large database. Use IE-SPYADs below.
To avoid known malware infested sites from loading in IE install IESPY ADS.
And MVPS Hosts File will accomplish a similar tactic and provide another layer of protection.
And to prevent unknown applications from being inserted to start up on your machine install WinPatrol v9.8.1.0.
Links for tutorials for all the apps I mentioned can be found on my site as well.
And just because you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here: Calendar of Updates
Subscribe to update alerts for all the above security apps here.
You can also see my own ongoing security testing with all the above apps, proving how safe you can be with them installed. TeMerc Test Box Forum