User talk:Xp54321/Archive 13

Ref desk help
Thanks for helping out. I've posted the scans to my talk page, including my most recent AVG scan. When I was first downloading the software, my browser was forced to close before it could be downloaded, but I was able to download after trying a second time for each. After rebooting as instructed by Malwarebytes following the scan, the red headings are gone from my browser; it does crash often, however, and the tab symbols are still absent. I've got to log off for the night, so I'll attempt the antivirus programs tomorrow. Thanks again for your assistance. -- Commdor    { Talk }  02:04, 28 April 2009 (UTC)

You're welcome. You can move forward with uninstalling AVG Free and installing avast! or Avira AntiVir (but not both!) after un-quarantining one object I've mentioned. A quick look-through of the MBAM log revealed there was malware set to auto-run on startup; there were also downloader Trojans, fake-alert Trojans, Zlob, Koobface, and numerous other threats. The SUPERAntiSpyware log revealed Smitfraud and Vundo. [I can give you a description of what the detected threats do but that is not necessary at the moment and may cause confusion.] I'd recommend a full scan when you can as both scans you ran were quick.

Uh-oh. The AVG log is of concern. (The tracking cookies are not a major threat but can be safely removed.) We have possible backdoor Trojans. (They have been detected by heuristics.) Backdoor Trojans are of major concern as they may allow malicious access to your computer. Google searches for "autochk.dll" (the suspected backdoor) show it is associated with rogues and rootkits. Your system may have rootkits. [This is a threat that will probably require more specialized tools for removal; please do not attempt rootkit removal right now.] Seems like AVG had a false positive with another detected threat though: C:\Program Files\Sony\VAIO Event Service\VESMgr.exe (1772);"Trojan horse BackDoor.Generic11.HUH". This was detected by heuristics and it is a safe process that allows use of the VAIO hotkeys. It should be restored from quarantine.

This concerns me the most: C:\WINDOWS\system32\userinit.exe;"Virus identified Win32/Cryptor";"Object is white-listed (critical/system file that should not be removed)

Without userinit.exe you will not be able to log in to your own computer! However, AVG whitelisted it as a critical file and did not mess with it. You appear to have one of the nastier strains of rogueware then--rogueware that actually messes with critical system files. [We will need the Windows install CD if userinit.exe really is infected; however, don't fret over it right now.] The other detected threats appear to have been real but please double-check to make sure they weren't part of something legitimate.

Please do not delete anything from the MBAM or SAS quarantine areas. [There may have been false positives though this seems unlikely at the moment.]

Your browser (Internet Explorer, I presume?) could be crashing for a number of reasons so that will have to be dealt with later. Try using an alternate browser for now.

Further looking over the logs shows you have Windows XP Service Pack 3. Please make sure all updates and patches are applied. This is one of the most important parts of preventing malware from even getting on your computer in the first place. [We can attempt to figure out how the rogueware got on after clean-up is concluded :-)]

Cheers and good luck! --Xp54321 (Hello! • Contribs ) 04:36, 28 April 2009 (UTC)


 * I've just completed the two full scans with the programs, now on my talk page. The most serious problems appear to be past; my browser no longer crashes (it does seem slower than usual, however, and the tab symbols are still gone, but negligible issues at the moment), and things are almost back to normal. I have checked and I do have the latest updates for Windows XP, but I don't think I have a Windows install CD if that is really needed. My computer is a Sony VAIO laptop from 2007, model VGN-FE790, and all I found in the packaging was the laptop, a carrying case, and a few ad-coupons (oddly, no instructional manual, but that may be normal. I guess human technology has surpassed the need, I'm barely on the tail end of high school and I already understand what it means to be "old-fashioned"). Anyway, I'll presently start downloading Avira. Hopefully my troubles are nearing an end, I just need this laptop to last until this summer, when I can (optimistically) get a newer one for college. If there's anything further to do, let me know. Once more, I'm extremely grateful for your timely help. -- Commdor    { Talk }  21:18, 28 April 2009 (UTC)

You're welcome! I must commend you for remaining so calm and not panicking. :) I apologize if I was rude in any way or not very clear about what to do at any time throughout this clean-up process. I'm redirecting the problem of the infected userinit.exe to the WOT forum for further opinions on what to do next. [Remember not to delete it; userinit.exe is a critical system file required for login.] Avira should clean up any remaining problems. (You can never be 100% sure you are clean except after a fresh install.) I recommend you regularly update and scan with MBAM, SAS, and Avira. :-) Never let your guard down. :) Please make sure you have an effective firewall installed; PC Tools Firewall Plus and Online Armor are some of the best free ones. I currently do not recommend Comodo. (You may use Comodo if you wish.) Using the Windows Firewall with a hardware firewall is also an option; however, Windows XP's firewall is not considered that effective (lacks outbound protection), so install an effective and free one instead. Vista's firewall is considered adequate but it's best if combined with a hardware firewall. Note: A firewall is not meant to block malware. Rather they are meant [from the Wikipedia article] "to block unauthorized access while permitting outward communication".

Now for your debrief. I cannot determine the exact source of all your (now removed) infections [Except for the userinit.exe] as usually all it takes is one infection to open up a hole for other ones to come through. However, in the future:
 * Always be wary when using e-mail; e-mail is commonly used to distribute malware; don't forward chain mail either; spammers can use them to add e-mail addresses to their to-be-spammed list
 * Be wary when using a social networking site such as MySpace and Facebook. Both have been used to distribute malicious code before.
 * Don't surf adult entertainment sites (Read "porn")
 * Always be wary of where you're downloading something from; only download from trusted sources
 * Install the Web of Trust - WOT add-on (For both Internet Explorer and Firefox); this add-on will help keep you safe online; you'll be surprised just how many sites are dangerous...(It is far superior to McAfee Site Advisor!)
 * Please install, update, and apply the protection of SpywareBlaster; this will help to "harden" your browsers against malicious ActiveX controls, malicious sites, and tracking cookies
 * Please download and apply the MVPS hosts file to help prevent future infections by blocking known malicious sites
 * Please download and install ThreatFire to help protect against new or unknown infections; if you plan on using Online Armor as your firewall; you may have two programs asking you to Allow/Block a potentially malicious action. PC Tools Firewall Plus works perfectly alongside ThreatFire however.

You appear to be a user of Internet Explorer (Based on where the tracking cookies were found by SUPERAntiSpyware). Mozilla Firefox is highly recommended as the better browser. However, if you insist on using Internet Explorer, it's probably best if you reinstall it at this point. Internet Explorer 7 download and Internet Explorer 8 download. (Download the one you are currently using and reinstall; you can upgrade to IE8 if you wish but while it is more secure than IE7, it is a bit more sluggish to respond.) Internet Explorer will require a reboot to install so finish what you need to do first before beginning the installation of Internet Explorer.

Cheers and good luck!--Xp54321 (Hello! • Contribs ) 22:25, 28 April 2009 (UTC)


 * The VirusTotal link is on my talk, at the bottom. And to respond to your statements, yes, I was panicking a little (I just don't see why I can't panic and retain a modicum of courteousness at the same time); and no, you weren't rude in any way. Are you sure you're not going too far out of your way to help me? I'm thankful I was lucky enough to have someone so knowledgeable help me out, I wouldn't want to inconvenience you at all. But I digress, Avira's up and running its first full scan, and I'll get to your other instructions momentarily. You're a life saver. -- Commdor    { Talk }  23:10, 28 April 2009 (UTC)
 * A little bit of panic is ok. ;) Thanks for such quick responses. :-) Based on the VirusTotal scan, the file is likely infected.--Xp54321 (Hello! • Contribs ) 23:54, 28 April 2009 (UTC)


 * The C:\WINDOWS\ServicePackFiles\i386 file you asked for was present, and the new VirusTotal link for it is on my talk. The scan came up clean so I'll proceed with switching out the corrupted file with the clean one. -- Commdor    { Talk }  21:24, 29 April 2009 (UTC)


 * Great! When you have a chance, scan with Avira and tell me the results. :-) You should also post the HijackThis log. There are additional clean-up options available but we don't want this clean-up to last too long. ;) The logs of Avira and HijackThis will help to decide whether or not additional tools are needed. Most likely all that is left is a sweep of the system for rootkits with GMER.--Xp54321 (Hello! • Contribs ) 22:16, 29 April 2009 (UTC)


 * The HijackThis log is now on my talk. The userinit.exe files should be switched out. I'll start the Avira scan now, should be done in an hour or so. -- Commdor    { Talk }  23:20, 29 April 2009 (UTC)


 * Great, thanks! I'll look through the log now. Don't forget the Avira scan will require "baby-sitting" as it will ask you what to do with detected threats. Just quarantine for now. Reboot if necessary. Feel free to ask questions if you have any. :-) Cheers and good luck!--Xp54321 (Hello! • Contribs ) 23:43, 29 April 2009 (UTC)

--MISC-- Miscellaneous analysis of log:
 * You have the download manager for IGN.com and FilePlanet.com
 * You have iTunes and QuickTime
 * You have Napster
 * You have a Hewlett-Packard PSC 2100, 2200, 4100, or 6100 series printer?
 * You have the AOL toolbar installed
 * You have an Intel CPU. Is this right? This guess is based on the presence of:
   * O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system\igfxtray.exe
   * O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
   * O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
 * Etc.
--END MISC--

It's great to see (From the HijackThis log) that you now have Avira, PC Tools Firewall Plus, ThreatFire, and WOT installed. [Plus the more secure Internet Explorer 8] However, Symantec's LiveUpdate appears to be installed and running on your computer. Do you have any of Symantec's products installed? (Norton AntiVirus, Norton Internet Security, Norton 360, etc) Be warned that having two anti-viruses can cause serious problems. (If my posts have seemed weird so far; it's because I type them out as I make observations on the logs; I apologize if this causes any confusion) Uh-oh. We still seem to have malware running on your computer. It appears to be rogue remnants. Please fix:


 * O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
 * O4 - HKCU\..\Run: [autochk] rundll32.exe C:\DOCUME~1\CONNOR~1\protect.dll,_IWMPEvents@16
 * O4 - HKUS\S-1-5-18\..\Run: [autochk] rundll32.exe C:\DOCUME~1\DEFAUL~1\protect.dll,_IWMPEvents@16 (User 'SYSTEM')
 * O4 - HKUS\.DEFAULT\..\Run: [autochk] rundll32.exe C:\DOCUME~1\DEFAUL~1\protect.dll,_IWMPEvents@16 (User 'Default user')

--ADDITIONAL--

Additional "fixes" would be:

O15 - Trusted Zone: http://*.trymedia.com (HKLM) [Trymedia is rated yellow by WOT; it should not be in Internet Explorer's trusted zone]

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=66016 The WOT scorecard has many negative comments for it; I personally do not trust Crawler that much. In fact, Kaspersky Internet Security's Banner Ad Blocker prevents the site from even loading. I'd suggest using Google or Yahoo! search instead. Instructions on how to do so (change your search bar provider): you use HijackThis for this fix but it'll revert it to Microsoft's Live Search, which I have found slower compared to, say, Google. To change to a provider different than Live Search, use the Windows Help article I linked to; the default search provider to revert a registry setting to can also be changed in HijackThis's configuration but I see no reason to do so at the moment.--Xp54321 (Hello! • Contribs ) 00:32, 30 April 2009 (UTC)

--END ADDITIONAL--

Well, that's it for the initial analysis of your first HijackThis log! :-) [See how much information it revealed?]--Xp54321 (Hello! • Contribs ) 00:23, 30 April 2009 (UTC)
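
The autochk entries and the two additional fixes above are the kind of thing that can be checked mechanically. The script below is an added example for this archive, not part of the original thread and not code from HijackThis or any of the tools mentioned; it runs a handful of heuristics over a constructed sample modelled on the O4/O15/R1 lines quoted above: a rundll32 autostart loading a DLL from a user profile directory, a DLL under system32 that borrows the name of a Windows system executable (autochk.dll beside the real autochk.exe), the same Run value planted in every user hive including SYSTEM and Default user, a wildcard Trusted Zone entry, and a search-bar URL pointing at a provider that is not on a short allow-list. The rule names, the profile-path markers, the list of system binary names and the allow-listed search hosts are this example's own assumptions, not something the thread or HijackThis defines.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample, modelled on the O4/O15/R1 lines quoted in the thread.
# It is not a real HijackThis export.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
O4 - HKCU\..\Run: [autochk] rundll32.exe C:\DOCUME~1\CONNOR~1\protect.dll,_IWMPEvents@16
O4 - HKUS\S-1-5-18\..\Run: [autochk] rundll32.exe C:\DOCUME~1\DEFAUL~1\protect.dll,_IWMPEvents@16 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [autochk] rundll32.exe C:\DOCUME~1\DEFAUL~1\protect.dll,_IWMPEvents@16 (User 'Default user')
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=66016
"""

O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+):\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone:\s*(?P<host>\S+)")
R1_RE = re.compile(r"^R1 - .*Search Bar\s*=\s*(?P<url>\S+)")

# Assumptions of this example: path fragments that mean "user-writable profile",
# names of real Windows executables that a DLL should not be borrowing, and the
# search providers the thread recommends.
USER_PROFILE_MARKERS = ("\\docume~1\\", "\\documents and settings\\", "\\users\\",
                        "%appdata%", "%userprofile%")
SYSTEM_BINARY_NAMES = {"autochk", "userinit", "winlogon", "csrss", "lsass",
                       "smss", "svchost", "services", "explorer"}
KNOWN_SEARCH_HOSTS = ("google.com", "yahoo.com", "live.com", "bing.com")


def rundll32_target(cmd):
    """Return the DLL path from 'rundll32.exe <dll>,<export> ...', or None."""
    parts = cmd.split(None, 1)
    if len(parts) != 2 or not parts[0].lower().startswith("rundll32"):
        return None
    return parts[1].split(",", 1)[0].strip()


def analyze(log_text):
    """Return a list of (rule, evidence) findings for a HijackThis-style log."""
    findings = []
    hives_by_name = defaultdict(set)   # Run value name -> hives it was seen in
    for line in log_text.strip().splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            name = m.group("name").lower()
            hives_by_name[name].add(m.group("hive"))
            dll = rundll32_target(m.group("cmd"))
            if dll is not None:
                low = dll.lower()
                # Persistence loaded out of a user-writable profile directory
                if any(marker in low for marker in USER_PROFILE_MARKERS):
                    findings.append(("rundll32-user-profile-dll", line))
                # A .dll that reuses the name of a Windows system executable
                stem, _, ext = low.rsplit("\\", 1)[-1].rpartition(".")
                if ext == "dll" and stem in SYSTEM_BINARY_NAMES:
                    findings.append(("dll-named-like-system-binary", line))
            continue
        m = O15_RE.match(line)
        if m:
            if "*" in m.group("host"):
                findings.append(("wildcard-trusted-zone", line))
            continue
        m = R1_RE.match(line)
        if m:
            host = (urlparse(m.group("url")).hostname or "").lower()
            if not any(host == d or host.endswith("." + d) for d in KNOWN_SEARCH_HOSTS):
                findings.append(("unknown-search-provider", line))
    # The same value name in several hives, including HKUS (SYSTEM / Default user),
    # is persistence planted for every account rather than one user's preference.
    for name, hives in hives_by_name.items():
        if len(hives) >= 2 and any(h.upper().startswith("HKUS") for h in hives):
            findings.append(("autostart-in-all-user-hives", name))
    return findings


if __name__ == "__main__":
    for rule, evidence in analyze(SAMPLE_LOG):
        print(f"{rule:30} {evidence}")
```

Run against the sample it reports seven findings: the three protect.dll loads from DOCUME~1 paths, the system32\autochk.dll name collision, the autochk value present in every hive, the wildcard Trusted Zone, and the Crawler search bar. The legitimate Intel IgfxTray and HotKeysCmds entries produce nothing, which is the point of keying the rules on where the DLL lives and what it is called rather than on the mere presence of a Run value.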


 * Hmm, it appears we're on the home stretch. Let's see... I did have Norton Antivirus as my protection program a while ago, I think the subscription ended early 2008, when I then switched to AVG. I know I uninstalled Norton, I'm guessing the Live Update thing somehow got left on. I'll see if I can remove it. As for the three malware files and the two additional fix items, that's what I would use Hijack This to remove, right? -- Commdor    { Talk }  00:59, 30 April 2009 (UTC)
 * Alright, I saw the files on Hijack this, figured it out, and all are now fixed; also, those Symantec files were removed, the uninstall program left them behind somehow when I removed Norton back in early 2008. I'm done for the day, so if you have anything further I'll get on that tomorrow. -- Commdor    { Talk }  01:55, 30 April 2009 (UTC)
 * Anti-virus uninstalls tend to be rather messy as they are deeply integrated into the operating system or the uninstallers just like to leave behind a mess. [Norton does leave behind LiveUpdate; even for things like Norton Security Scan] I remember once rebooting three times just to get rid of McAfee....(It literally had me uninstall component by component!) When removing an anti-virus; using the official removal tool from the company's website tends to work best. :-) I think that's it for today. I've decided one follow-up scan with A-Squared Free and GMER should be sufficient; but we'll take care of that tomorrow. :) In the future though, update all the security software you now have installed daily and scan regularly. (At least once every few days or once a week) You can schedule the scans to be overnight if it takes too long during the day. Cheers and good luck!--Xp54321 (Hello! • Contribs ) 04:13, 30 April 2009 (UTC)


 * I have the GMER log, but it's massive (over 600 kilobytes). Did I do something incorrectly, or if that's how it's supposed to be, do you really want the whole thing posted? The A-Squared scan is running, can't tell when it will be done (the progress bar hasn't moved for ten minutes). -- Commdor    { Talk }  20:53, 30 April 2009 (UTC)


 * 600 KB, you say? Don't post the whole thing then. ;) Did you use the right GMER? Only post any red highlighted items. Those are likely rootkits or rootkit components as identified by GMER. :-)--Xp54321 (Hello! • Contribs ) 22:13, 30 April 2009 (UTC)

The a-Squared scan is up, and yes, that was the GMER I used. I'll try it again, maybe I looked at the wrong part or something. -- Commdor    { Talk }  22:21, 30 April 2009 (UTC)
 * Right, only list items marked as red by GMER. :-) Did Avira pick up anything when it scanned?--Xp54321 (Hello! • Contribs ) 22:24, 30 April 2009 (UTC)
 * I put the Avira scan up, it says it found 8 viruses. And with the GMER, I was supposed to click the scan action, right? -- Commdor    { Talk }  22:31, 30 April 2009 (UTC)
 * Boy, that Trojan (autochk.dll) just won't leave... Avira is set to delete it upon next boot. :-) As for the hidden registry entries; they do appear rather suspicious. They're randomly named (Like a lot of Trojan components) and are hidden. (Like a lot of rootkit components) among other things. Boot sectors are clean; that's good. For GMER: download the ZIP archive, extract, and run it. Press scan to begin looking for activity indicative of rootkits. It will alert you at the end if it does find such activity. If it does, post the detected threats here. (They'll be in red)--Xp54321 (Hello! • Contribs ) 01:25, 1 May 2009 (UTC)
 * Note: in a future scan, leave this option on: "Integrity checking of system files..: off" [Should be on to check integrity of system files; you don't have to do this all the time and it will probably cause the scan to take longer but try using this option with a monthly scan perhaps]--Xp54321 (Hello! • Contribs ) 01:27, 1 May 2009 (UTC)
 * GMER came back clean twice, no red files. Apparently the huge logfile was just the list of everything scanned. -- Commdor    { Talk }  01:33, 1 May 2009 (UTC)
 * All right! You appear to be rootkit-free then. :) Have you rebooted yet to allow Avira to kill off those Trojans? Go ahead and do so if you haven't. :-) Otherwise your problems seem to be resolved. I can't guarantee that of course, ;), but it does seem like it. :D One last option, if you're still feeling a little unsure about your computer being clean (I would be, somewhat, as we had a couple of nasty Trojans that managed to stick around for a while), is to download and run Dr. Web's CureIt! Again there is the potential for false positives and your computer appears to be mostly clean at this point so I'd call this an "optional suggestion". It's up to you. Hope you can enjoy using your computer again but without annoying and malicious rogueware. If you have any questions about anything, don't hesitate to ask. This case is concluded. :-)--Xp54321 (Hello! • Contribs ) 02:20, 1 May 2009 (UTC)

Thanks for everything. I noticed above that you had already received one of these recently, but I can't let a good turn go unrewarded. -- Commdor    { Talk }  19:24, 1 May 2009 (UTC)
 * Thank you! If you ever have a question or need help; don't hesitate to ask. :-) Cheers! :D--Xp54321 (Hello! • Contribs ) 01:10, 2 May 2009 (UTC)