Do I Still Have Virusheat On My Pc?


11 replies to this topic

#1 VirusHeatEvil

  • Members
  • 27 posts

Posted 15 February 2008 - 11:11 PM

Hi

I picked up VirusHeat (silly me!) and I went into the Control Panel (I am running XP) and then into 'Performance and Maintenance' when I saw something called 'system restore'. I selected this and 'restored' the system to a date two days before I became infected.

I have now tried the manual fix from this site and I cannot find ANY of the .dll files, am I still infected?? I don't seem to have the virus heat program files either.

Please help.


#2 boopme


  • Global Moderator
  • 73,530 posts
  • Gender:Male
  • Location:NJ USA

Posted 15 February 2008 - 11:54 PM

You should be free of it. Did you by any chance save a copy of the notepad report from ...
Step 11. Once the computer has rebooted, you will be presented with a Notepad screen containing a log of all the files removed from your computer. Examine this log, and when you are done, close the Notepad screen.
If so post that back.

The SmitFraudFix report can be found at the root of the system drive, usually at C:\rapport.txt
You may even have a Panda ActiveScan log saved.
Look and post them.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 VirusHeatEvil

  • Topic Starter

  • Members
  • 27 posts

Posted 16 February 2008 - 08:32 PM

Thanks very much for your help.

Here is a copy of the Notepad report

SmitFraudFix v2.290

Scan done at 11:56:37.15, Sun 17/02/2008
Run from C:\Documents and Settings\Mark\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts


127.0.0.1 localhost

VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2DFAC9DD-4A2B-4C4A-B137-A79E9E270E4C}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2DFAC9DD-4A2B-4C4A-B137-A79E9E270E4C}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{2DFAC9DD-4A2B-4C4A-B137-A79E9E270E4C}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

Unfortunately I cannot run the Panda Scan and I do not know why. I have downloaded the ActiveX control but when I try to select the 'local disks' it says 'error on page' and nothing happens.
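One defender-side check for a report like the one posted above, as an added example that is neither SmitFraudFix's own code nor anything from the thread: it walks the hosts, DNS and Winlogon.System sections and flags hosts entries beyond localhost, DNS servers outside private ranges, and a non-empty Winlogon "System" value, all three of which are clean in the posted report. The sample text is a constructed excerpt in the report's layout.

```python
import ipaddress
import re

# Constructed excerpt laid out like the SmitFraudFix report in the thread
SAMPLE_REPORT = """\
hosts

127.0.0.1 localhost

DNS

HKLM\\SYSTEM\\CCS\\Services\\Tcpip\\Parameters: DhcpNameServer=192.168.1.1

Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]
"System"=""
"""

HOSTS_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)")   # "ip hostname"
DNS_RE = re.compile(r"NameServer=([\d., ]+)")                   # one or more IPs
SYSTEM_RE = re.compile(r'^"System"="(.*)"')                     # Winlogon value
SECTIONS = ("hosts", "DNS", "Winlogon.System")


def review_report(text):
    """Return a list of findings worth a second look in a SmitFraudFix-style report."""
    findings = []
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in SECTIONS:          # section header line
            section = stripped
            continue
        if section == "hosts":
            m = HOSTS_RE.match(stripped)
            if m and m.group(2).lower() != "localhost":
                findings.append(f"hosts redirect: {stripped}")
        elif section == "DNS":
            m = DNS_RE.search(stripped)
            if m:
                for ip in re.split(r"[ ,]+", m.group(1).strip()):
                    if ip and not ipaddress.ip_address(ip).is_private:
                        findings.append(f"public DNS server: {ip}")
        elif section == "Winlogon.System":
            m = SYSTEM_RE.match(stripped)
            if m and m.group(1):          # clean reports show "System"=""
                findings.append(f"Winlogon System value set: {m.group(1)}")
    return findings


if __name__ == "__main__":
    print(review_report(SAMPLE_REPORT) or "no findings")
```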

#4 VirusHeatEvil

  • Topic Starter

  • Members
  • 27 posts

Posted 16 February 2008 - 08:39 PM

Wow!

The smitfraudfix left a folder on my desktop and when I opened it my AVG went crazy detecting threats from downloader.zlob among others.

AVG says it has either 'healed' them or placed them in the virus vault. Spyware Doctor is finding nothing on a full system scan.

Any advice on how to proceed would be much appreciated.

#5 boopme


  • Global Moderator
  • 73,530 posts
  • Gender:Male
  • Location:NJ USA

Posted 16 February 2008 - 09:38 PM

Ok looks good. The files that are removed and/or quarantined cannot harm your PC any longer. Files are quarantined in case they are important files for the proper operation of the PC. They are there in case you need to get them back. If there are no issues with the PC's operation in a few days they can be deleted also.
To be on the safe side with this Zlob thing I want you to do this.

Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.


Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Please ask any needed questions, post the log and let us know how the PC is running now.

#6 VirusHeatEvil

  • Topic Starter

  • Members
  • 27 posts

Posted 16 February 2008 - 11:52 PM

Thanks very much. Here is a copy of the log - All clear

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/17/2008 at 03:40 PM

Application Version : 3.9.1008

Core Rules Database Version : 3404
Trace Rules Database Version: 1396

Scan type : Complete Scan
Total Scan Time : 00:52:02

Memory items scanned : 243
Memory threats detected : 0
Registry items scanned : 5868
Registry threats detected : 0
File items scanned : 43236
File threats detected : 0

I managed to get Panda Online running which 'detects' 15 'spyware applications' in the first few thousand files scanned and then the IE window disappears entirely from the desktop, preventing me from finishing the scan. It also wants $12.95 to clean the infected files, which was not mentioned in your original instructions for removing VirusHeat. Should I be concerned about this?

PC seems to be working fine. My primary concern is preventing the transfer of information to third parties.

Thanks again for your help!

#7 VirusHeatEvil

  • Topic Starter

  • Members
  • 27 posts

Posted 17 February 2008 - 12:38 AM

UPDATE

I installed, updated and ran Ad-aware free version which found nothing but tracking cookies (did not want to post the whole log without checking first as it is very long) and SpyBot Search and Destroy which found nothing.

Do you think I am in the clear?

Thanks Again!

#8 boopme


  • Global Moderator
  • 73,530 posts
  • Gender:Male
  • Location:NJ USA

Posted 17 February 2008 - 12:46 AM

You look clean. Good Work. Update and scan with AVG again in safe mode.
The Panda scan is recommended as it will remove the viruses free; the other stuff we can remove through ATF and SAS.

You can also run the online scans from Safe Mode with the networking option.
If you'd like to try another, try this.
ESET Online Scanner

Let me know if anything comes up as there is one last step after this.

#9 VirusHeatEvil

  • Topic Starter

  • Members
  • 27 posts

Posted 17 February 2008 - 02:44 AM

Thanks

Ran AVG in Safe Mode as suggested (and SpyBot) and the only notification from AVG was a change to 'Hosts' which was me I guess as I installed IE-Spyad?

Nothing else came up and nothing came up in the ESET online scanner.

Do you know where the Active-X for Panda Online is likely to be found so that I can remove it?

Please advise of the last step!

Thanks again, you really should be paid for this!

#10 VirusHeatEvil

  • Topic Starter

  • Members
  • 27 posts

Posted 17 February 2008 - 04:02 AM

UPDATE

As part of my investigations I noticed that I can set Spyware Blaster to '0 items have protection disabled' and then surf around a bit, including the homepages of some dubious sites (ie porn, but NO downloading) and when I come back to Spyware Blaster it says '12 items have protection disabled'??

Can Malware disable Spyware Blaster automatically?

#11 VirusHeatEvil

  • Topic Starter

  • Members
  • 27 posts

Posted 18 February 2008 - 04:48 AM

Hoping you can get back to me on this one!

#12 quietman7


  • Global Moderator
  • 51,895 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 18 February 2008 - 11:59 AM

Some types of malware are known to mess with Trusted Zones, Ranges and ProtocolDefaults in IE, but usually when SpywareBlaster encounters a problem where items have protection disabled, the issue can be traced to other security programs. If you use Spybot, SpywareBlaster and IE-SPYAD together, there is some overlap of protection. Each one offers a different list, but they are not completely identical. Thus, if you undo or disable the protection in one product, it may remove some of the protection installed by the other. If you're using Webroot SpySweeper, it may prevent SpywareBlaster from enabling Restricted Sites protection. This is a known issue. See the discussion here. There are also reports of Spyware Doctor and Norton Internet Security 2007 disabling some of SpywareBlaster's protection entries.