
Removing Viruses And Spyware


13 replies to this topic

#1 RobbieSnr


Posted 29 September 2007 - 03:51 AM

I am helping a friend sort out his computer. He has a W2K Dell with a dial up connection and was having problems with a slow computer and malicious spyware popups - he had no antivirus software or a firewall installed. Because his connection is so slow I took his computer home and connected it up to my router which has a broadband connection.

I purchased SpyHunter for him and this showed that he had over 10 malicious cookies and register entries etc and I got rid of these. I was concerned that I was using an open connection so wanted to install a firewall and some antivirus software. I downloaded the free versions of ZoneAlarm and BitDefender and disconnected the router connection. I tried to install ZoneAlarm but had trouble with this so went on to try installing BitDefender. This seemed to be going all right - it searched for viruses and found a very large number which apart from 2 it deleted and quarantined the others. The installation didn't finish however - it seemed to want an internet connection at this stage, which I was reluctant to give it. However I did reconnect my router but the installation still didn't finish and I had to wind it back. His computer is still very slow.

My question is then how should I proceed to install the firewall and remove any viruses remaining. I don't want to go back to my friend's house and use his dial up connection - it's much easier to deal with it at my house because of my faster connection and the fact that I can leave the PC running while I deal with other things on my own PC.

I'd be grateful for any help on this, thanks.


#2 quietman7


Posted 29 September 2007 - 07:49 AM

Have you tried doing your scans in "SAFE MODE"? Are you doing scans while logged into the Administrator's account or an account with administrator privileges?

If you don't have any anti-malware programs, see BC's list of Freeware Replacements For Common Commercial Apps. There are several free online anti-virus scans listed which you can perform. I would also recommend that you download and scan with SUPERAntiSpyware Free in "SAFE MODE".
Please update the definitions before performing a scan. If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.

If the computer still seems to be slow, read Slow Computer/Browser? Check here first; it may not be malware. There are reasons for slowness besides malware - i.e. disk fragmentation, disk errors, corrupt system files, too many startup programs, unnecessary services running, not enough RAM, dirty hardware components, etc. As your system gets older it becomes filled with more files/programs and has a natural tendency to slow down so cleaning and regular maintenance is essential.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 RobbieSnr


Posted 29 September 2007 - 10:00 AM

> Have you tried doing your scans in "SAFE MODE"? Are you doing scans while logged into the Administrator's account or an account with administrator privileges?

Many thanks for the reply.

No, I've not been doing my scans in Safe Mode - I'll do this in future. I'm signed on as my friend, who has the Administrator's account.

> If you don't have any anti-malware programs, see BC's list of Freeware Replacements For Common Commercial Apps. There are several free online anti-virus scans listed which you can perform. I would also recommend that you download and scan with SUPERAntiSpyware Free in "SAFE MODE".
> Please update the definitions before performing a scan. If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.

Thanks, I had seen this list and had selected ZoneAlarm and BitDefender - I use the latter already on my own PC. I'll try the SuperAntiSpyware, though, in Safe Mode for getting rid of the Spyware.

> If the computer still seems to be slow, read Slow Computer/Browser? Check here first; it may not be malware. There are reasons for slowness besides malware - i.e. disk fragmentation, disk errors, corrupt system files, too many startup programs, unnecessary services running, not enough RAM, dirty hardware components, etc. As your system gets older it becomes filled with more files/programs and has a natural tendency to slow down so cleaning and regular maintenance is essential.

My friend just uses his computer for emails and the occasional Internet search and as he has hardly any extra programs installed I don't think that most of the problems mentioned will apply but I'll do a test of his hard disk and system files.

#4 quietman7


Posted 30 September 2007 - 08:13 AM

Good luck. Post back if you continue to have problems.

#5 RobbieSnr


Posted 03 October 2007 - 05:10 PM

Well things are much better now but I still have a problem.

I installed ZoneAlarm and ran SUPERAntiSpyware in safe mode and found about 8 Trojans which it deleted. I had installed BitDefender and tried to run it in safe mode but it wouldn't so I came out of safe mode and ran it there. It showed many different viruses which it either deleted or quarantined. Even after all that I still found ZoneAlarm reporting that some tmp files were trying to access the Internet so I refused access. I saw that these tmp files were running as services but I couldn't stop the service so I went into safe mode again and deleted the tmp files. I saw a reference to ATF-Cleaner so I also ran it in safe mode and deleted all the tmp files. Having done all that I ran SUPERAntiSpyware again in safe mode and it again reported some spyware - 3 Conravirus Trojans and 1 Vundo Trojan which it deleted. Back in normal mode ZoneAlarm again reported yet another tmp file trying to access the Internet.

How can I finally get rid of all the spyware and viruses?

Incidentally the PC is running much better - I decided to install more RAM and improved things.

#6 quietman7


Posted 03 October 2007 - 08:12 PM

Since Vundo was found, I would suspect more than one file so follow the instructions for using Vundofix in BC's self-help tutorial "How To Remove Vundo/Winfixer Infection".

Download and scan with AVG Anti-Spyware 7.5 in "SAFE MODE".
(This is Ewido 4.0 renamed and updated with a special "clean driver" for removing persistent malware.)
Be sure to print out and follow the AVG Anti-Spyware Install-Scan Instructions.

Then perform this online Virus scan: ESET Nod32 Online Scanner
(Requires Internet Explorer to work. Watch the Address bar in IE. You may receive alerts that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then Click Install ActiveX component.)

#7 RobbieSnr


Posted 05 October 2007 - 06:33 AM

Thanks for the suggestions. I'm not sure if everything is now cleaned off - here's what I did.

1. I downloaded all the programs I needed, including the instructions, and then killed my broadband connection by removing the cable to my router.
2. Before I started on your instructions I ran SUPERAntiSpyware in Safe mode to remove the spyware it found. Then just to be sure I ran SpyHunter which I'd purchased earlier - it still showed a couple of Systemdoctor cookies which I removed!
3. I ran Vundofix which showed several suspect files which I removed. However it couldn't remove a couple so it closed down the PC to try again. Incidentally when I got the close down message it mentioned that system32/lsass.exe had been terminated unexpectedly - not sure if this is another problem. When the PC started up again I tried to remove the two suspect files but it failed. Following the instructions I ran VirtumundoBeGone in Safe mode and this did the trick - running Vundofix again didn't bring up any suspect files.
4. I ran AVG Anti-Spyware as you suggested - this reported 19 suspect files. However 13 of these were in the SpyHunter backup folder and 1 had been quarantined by BitDefender. Of the rest 2 were shown as Adware.Generic and 3 were Tracking cookies.
5. I now connected to my broadband connection and ran the ESET Nod32 online scanner. This showed 20(?) suspect files. I tried to copy the output but in trying this I moved away from the page showing this and lost it! However I had noticed an entry for Virtumonde so I ran Vundo again but this showed no suspect files. Perhaps again this is spotting the files quarantined by SpyHunter and BitDefender?

It could be that everything is now OK but I'm not sure. I had installed HijackThis so I did a scan and saved a logfile. Should I perhaps upload this to the HijackThis forum so someone can check that everything looks OK?

#8 quietman7


Posted 05 October 2007 - 06:52 AM

How is your system running? Are you getting any popups, browser redirects, etc? If not, I don't see a need to post a hijackthis log just yet. Sounds like you made significant progress. It also appears some scans are detecting items that have been quarantined.

When a program quarantines a file or moves it into a virus vault, that file is safely held there (and no longer a threat) until you take action to delete it. One reason for doing this is to prevent deletion of an essential file that may have been flagged as a "False Positive". If that is the case, then you can restore the file. Doing this also allows you to view and investigate the files while keeping them from harming your computer. Quarantine is just an added safety measure.

When the file in the vault is known to be bad, you can delete it at any time. I suggest you delete the quarantined files and then do the following:

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.

Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under "General and Startup", make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked to reboot, click "Yes".
  • If not, select Close to exit the program and reboot normally.
Then rescan with ESET Nod32 online scanner to see if it's still finding anything.
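The point made in this reply, and observed in the rescan results a few posts up, is that a second scanner will happily re-flag files that an earlier tool has already moved into its backup or quarantine folder. The following Python helper, added here as an illustration and not code from the thread or from any of the products named in it, sorts a scanner's findings into "already held in another tool's vault" versus "still live on disk". Every folder path, file name and finding below is constructed for the example; the quarantine locations are assumptions, not the products' real paths.

```python
# Added example (not from the thread): separate scanner hits that sit inside
# another tool's quarantine/backup folder from hits that are still live,
# the situation in the thread where AVG Anti-Spyware and the ESET online
# scanner re-flagged files held by SpyHunter and BitDefender.
from pathlib import PureWindowsPath

# Assumed quarantine/backup folders for the tools in the thread (constructed;
# real locations vary by product and version). Matching is case-insensitive.
QUARANTINE_DIRS = (
    r"C:\Program Files\Enigma Software Group\SpyHunter\Backups",
    r"C:\Program Files\Softwin\BitDefender9\Quarantine",
    r"C:\Program Files\SUPERAntiSpyware\Quarantine",
)


def _parts(path):
    """Path components, lower-cased so 'C:\\PROGRAM FILES' == 'C:\\Program Files'."""
    return tuple(p.lower() for p in PureWindowsPath(path).parts)


def is_under(path, folder):
    """True if path is strictly inside folder (same drive, component prefix)."""
    p, f = _parts(path), _parts(folder)
    return len(p) > len(f) and p[:len(f)] == f


def triage(findings, quarantine_dirs=QUARANTINE_DIRS):
    """Split (path, detection_name) pairs into quarantined vs live hits.

    'quarantined' entries also carry the folder holding them, so the reader
    knows which vault to empty before rescanning; 'live' hits need attention.
    """
    result = {"quarantined": [], "live": []}
    for path, name in findings:
        holder = next((d for d in quarantine_dirs if is_under(path, d)), None)
        if holder is not None:
            result["quarantined"].append((path, name, holder))
        else:
            result["live"].append((path, name))
    return result


# Constructed sample findings in the style of the thread's rescan results.
SAMPLE_FINDINGS = [
    (r"C:\Program Files\Enigma Software Group\SpyHunter\Backups\vtsqq.dll", "Trojan.Vundo"),
    (r"C:\PROGRAM FILES\Softwin\BitDefender9\Quarantine\00000001.quar", "Virtumonde"),
    (r"C:\WINNT\system32\awtrrqp.dll", "Trojan.Vundo"),
    (r"C:\Documents and Settings\user\Local Settings\Temp\~tm3a.tmp", "Adware.Generic"),
]

if __name__ == "__main__":
    report = triage(SAMPLE_FINDINGS)
    for path, name, holder in report["quarantined"]:
        print(f"already quarantined in {holder}: {name} at {path}")
    for path, name in report["live"]:
        print(f"LIVE, needs attention: {name} at {path}")
```

Once the vaults are emptied and the scanners rerun, anything still in the "live" list is a genuine remaining infection rather than an echo of an earlier cleanup.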

#9 RobbieSnr


Posted 05 October 2007 - 05:50 PM

For the time since I completed all these scans, about an hour, I didn't have any popups or browser redirects, and the computer didn't seem to be so sluggish.

The first time I started following your instructions I forgot to delete all the quarantined files first and found that SUPERAntiSpyware was throwing up problem cookies and a Vundo problem - I couldn't understand how it had found some cookie problems despite ATF-Cleaner having deleted all cookies. It then dawned on me that I needed to delete the quarantined files so these were being picked up from the quarantine!

Having realised my error I started again and followed your instructions correctly. This time SUPERAntiSpyware didn't throw up any problems and neither did the ESET Nod32 online scanner - GREAT!

Many thanks for all your help - I've made a donation to one of the free services.

#10 quietman7


Posted 05 October 2007 - 08:18 PM

You're quite welcome and thank you for the donation.

One last thing to do. Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recent Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.


#11 RobbieSnr


Posted 08 October 2007 - 07:45 AM

> One last thing to do. Now you should Set a New Restore Point to prevent possible reinfection from an old one.

Unfortunately this PC is running Windows 2000 and it seems that you can't set a restore point?

#12 quietman7


Posted 08 October 2007 - 08:07 AM

In that case see "How to back up the registry in Windows 2000".

To protect yourself against malware and reduce the potential for re-infection, read:
"Simple and easy ways to keep your computer safe".
"How did I get infected?, With steps so it does not happen again!".
"The Ten Most Dangerous Things Users Do Online".
"PC World's: The 10 Biggest Security Risks".
"Seven ways to keep your search history private".

#13 RobbieSnr


Posted 08 October 2007 - 10:16 AM

I've done that now - many thanks again.

#14 quietman7


Posted 08 October 2007 - 12:10 PM

You're welcome. :thumbsup: