Mysterious infections...help?


17 replies to this topic

#1 CrutchyT
  • Banned
  • 39 posts
  • Gender:Male

Posted 30 December 2008 - 11:59 AM

Hi,

I've only owned a computer for a couple months and set up my nephew's HP dv5t 32 bit /Vista Premium for Christmas. Antivir Personal found 177 viruses on his yesterday and seemed to block them. I assumed this was from a couple games sites he visited, Tangent and freewebarcade (installing AntiVir was one of the first things I did upon setup. It found a virus in the Tangent Games package included in the installation; I deleted the whole thing). I've heard Tangent installs a driver which may or may not be classified as spyware and sends Spybot S&D into a tizzy. Subsequent scans turned up nothing.

Anyway, I thought it might be a false positive, but have since scanned with Dr. Web and found about 9 possible infections: a couple suspected Dloader trojans, a few "archive contains infected objects" including a couple .exe's, many on HP Help Assistant. Mind you, subsequent scans with Antivir, Threatfire, the free Avast & Kaspersky scanners/removers did not find any of them. Neither did his four spyware apps.

Just for a comparison, I ran a Dr.Web scan on mine (dv7 64 bit/Vista Premium) and found many of the same possible infections.

Both our computers are running fine, though. Are these false positives? Benign infections? Should I delete all on Dr.Web at the risk of deleting something essential? I've already moved a couple.

Any help would be greatly appreciated. I'm a quick study and have learned a lot the past couple months, but am still very much a beginner.

Edit: Moved topic from Vista to the more appropriate forum. ~ Animal


#2 boopme
    To Insanity and Beyond
  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 30 December 2008 - 12:31 PM

Hello and welcome. Please see quietman7's comments on WildTangent in post #4 here... http://www.bleepingcomputer.com/forums/ind...;hl=WildTangent

Then run the scan there and post back the log, thanks.

How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 CrutchyT
  • Topic Starter
  • Banned
  • 39 posts
  • Gender:Male

Posted 30 December 2008 - 03:04 PM

Hi boopme-or whomever else this may concern,

Just to touch base, I've restarted a complete Dr. Web scan on my nephew's comp. He already has SuperAntiSpyware, which started a scheduled scan before I even read your response. Dr.Web is about 3/4 through and found the same suspected infections as before. SAS is two hours into its scan with no threats detected. Is it OK to run both at the same time?

Edited by CrutchyT, 30 December 2008 - 03:06 PM.


#4 boopme
    To Insanity and Beyond
  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 30 December 2008 - 03:26 PM

This will both make them take longer and run the risk of them searching each other's database, not good.

#5 CrutchyT
  • Topic Starter
  • Banned
  • 39 posts
  • Gender:Male

Posted 30 December 2008 - 03:29 PM

SuperAntiSpyware is complete, no harmful detections found.

Dr. Web is complete with 9 items listed; 6 say "archive contains infected objects", three say "probably DLoader".

Summary claims 3 suspicious, and two removed. I'm just trying to figure out how to access a complete report to paste here. The site is somewhat ambiguous and has a bit of a learning curve. Well, to me, anyway.

#6 CrutchyT
  • Topic Starter
  • Banned
  • 39 posts
  • Gender:Male

Posted 30 December 2008 - 03:35 PM

Ugh.

Yeah, I thought SAS was taking a bit longer. I ran scans with all of his anti-malware yesterday, including SAS, with no detections on any of them, including:

Antivir Personal
ThreatFire
Ad-Aware Free
Defender
Avast! virus remover online scan
Kaspersky online remover scan
None of them found anything.

Although I JUST noticed this very moment that the paths for every item in the Dr. Web scan say C:\Documents and settings\Tommy\DoctorWeb\Quarantine....

Should I start Dr.Web and SAS again, one at a time? Or has Dr Web quarantined all items, and the machine is clean?

Edited by CrutchyT, 30 December 2008 - 03:46 PM.


#7 boopme
    To Insanity and Beyond
  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 30 December 2008 - 03:40 PM

Actually, let's first run a Quick scan with MBAM... then we can do SAS again.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

#8 CrutchyT
  • Topic Starter
  • Banned
  • 39 posts
  • Gender:Male

Posted 30 December 2008 - 03:48 PM

Please check my last post which I just edited. I'll run malwarebytes in the meantime.

#9 CrutchyT
  • Topic Starter
  • Banned
  • 39 posts
  • Gender:Male

Posted 30 December 2008 - 03:57 PM

Malwarebytes quick scan completed. No malicious items detected.

#10 boopme
    To Insanity and Beyond
  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 30 December 2008 - 04:10 PM

It appears that the items are all quarantined and the computer is safe from them and clean. Are there any more signs? Pop-ups, slowness, page redirects?

#11 CrutchyT
  • Topic Starter
  • Banned
  • 39 posts
  • Gender:Male

Posted 30 December 2008 - 04:29 PM

No signs at all. My nephew's computer has worked fine; the only problem was that initial warning about the 177 viruses, but even then, it never affected performance. Dr Web gives my computer the same quarantined report as his, so I'll assume it's OK, too.

However, just for the record, a few days ago my computer was unable to restart or emerge from sleep, and seemed sluggish. Later that same evening, I came home to find the Blue Screen of Death. I turned it off, went to bed, restarted the next morning and it's been working fine ever since. I had turned administrator mode on/off earlier that day though; I don't know if I did something to it. Again, it works fine now.

I'll check back in later just to confirm that everything is in working order. Thank you so much for your help! You've certainly earned a donation from me and my nephew :)

#12 CrutchyT
  • Topic Starter
  • Banned
  • 39 posts
  • Gender:Male

Posted 30 December 2008 - 04:35 PM

Here is the Dr Web report, BTW. Sorry if it's not well organized: Object, Path, and Action are all bunched together.

Object;Path;Result;Action;
stream005\gtdown.ocx;C:\Documents and Settings\Tommy\DoctorWeb\Quarantine\HP Active Support Library.msi\stream003\hpnetworkassistant.msi\stream005;Probably DLOADER.Trojan;;
pcconnect.exe\BrowserPlugins\GTDown.ocx;C:\Documents and Settings\Tommy\DoctorWeb\Quarantine\HP Active Support Library.msi\stream003\hpnetworkassistant.msi\stream005\p;Probably DLOADER.Trojan;;
pcconnect.exe;C:\Documents and Settings\Tommy\DoctorWeb\Quarantine\HP Active Support Library.msi\stream003\hpnetworkassistant.msi\stream005;Archive contains infected objects;;
stream005;C:\Documents and Settings\Tommy\DoctorWeb\Quarantine\HP Active Support Library.msi\stream003\hpnetworkassistant.msi;Archive contains infected objects;;
hpnetworkassistant.msi;C:\Documents and Settings\Tommy\DoctorWeb\Quarantine\HP Active Support Library.msi\stream003;Archive contains infected objects;;
stream003;C:\Documents and Settings\Tommy\DoctorWeb\Quarantine\HP Active Support Library.msi;Archive contains infected objects;;
HP Active Support Library.msi;C:\Documents and Settings\Tommy\DoctorWeb\Quarantine;Archive contains infected objects;Moved.;
PCConnect.exe\BrowserPlugins\GTDown.ocx;C:\Documents and Settings\Tommy\DoctorWeb\Quarantine\PCConnect.exe;Probably DLOADER.Trojan;;
PCConnect.exe;C:\Documents and Settings\Tommy\DoctorWeb\Quarantine;Archive contains infected objects;Moved.;

Edited by CrutchyT, 30 December 2008 - 04:41 PM.
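Reading that report the way a responder would, here is an added example (not from the thread and not Dr.Web's own tooling) that parses the semicolon-separated lines above into object, path, verdict and action, separates heuristic verdicts ("Probably ...") from the "Archive contains infected objects" roll-ups that only repeat a hit nested inside them, and checks whether every path already sits under the quarantine folder. The field order and the quarantine path are taken from the posted lines; the classification rules are my assumptions about what those verdict strings mean.

```python
"""Triage a Dr.Web-style report (object;path;verdict;action;) so that nine
lines collapse to what actually matters: how many leaf detections there
are, whether they are heuristic, and whether they are already quarantined.

Added example, not from the thread or from Dr.Web. Field order is inferred
from the posted lines; the verdict-string rules below are assumptions.
"""
import ntpath
from collections import Counter
from typing import Dict, List, NamedTuple

# The nine report lines posted above, unchanged.
SAMPLE_REPORT = r"""
stream005\gtdown.ocx;C:\Documents and Settings\Tommy\DoctorWeb\Quarantine\HP Active Support Library.msi\stream003\hpnetworkassistant.msi\stream005;Probably DLOADER.Trojan;;
pcconnect.exe\BrowserPlugins\GTDown.ocx;C:\Documents and Settings\Tommy\DoctorWeb\Quarantine\HP Active Support Library.msi\stream003\hpnetworkassistant.msi\stream005\p;Probably DLOADER.Trojan;;
pcconnect.exe;C:\Documents and Settings\Tommy\DoctorWeb\Quarantine\HP Active Support Library.msi\stream003\hpnetworkassistant.msi\stream005;Archive contains infected objects;;
stream005;C:\Documents and Settings\Tommy\DoctorWeb\Quarantine\HP Active Support Library.msi\stream003\hpnetworkassistant.msi;Archive contains infected objects;;
hpnetworkassistant.msi;C:\Documents and Settings\Tommy\DoctorWeb\Quarantine\HP Active Support Library.msi\stream003;Archive contains infected objects;;
stream003;C:\Documents and Settings\Tommy\DoctorWeb\Quarantine\HP Active Support Library.msi;Archive contains infected objects;;
HP Active Support Library.msi;C:\Documents and Settings\Tommy\DoctorWeb\Quarantine;Archive contains infected objects;Moved.;
PCConnect.exe\BrowserPlugins\GTDown.ocx;C:\Documents and Settings\Tommy\DoctorWeb\Quarantine\PCConnect.exe;Probably DLOADER.Trojan;;
PCConnect.exe;C:\Documents and Settings\Tommy\DoctorWeb\Quarantine;Archive contains infected objects;Moved.;
"""

# Quarantine folder as it appears in the posted paths.
QUARANTINE_DIR = r"C:\Documents and Settings\Tommy\DoctorWeb\Quarantine"


class Finding(NamedTuple):
    obj: str      # member inside the container (archive-relative path)
    path: str     # container or on-disk location the member lives in
    verdict: str  # scanner verdict string
    action: str   # action taken, '' when the scanner did nothing


def parse_report(text: str) -> List[Finding]:
    """One Finding per non-empty line; missing trailing fields become ''."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split(";")
        fields += [""] * (4 - len(fields))  # tolerate a short line
        obj, path, verdict, action = fields[:4]
        findings.append(Finding(obj, path, verdict, action))
    return findings


def kind(f: Finding) -> str:
    """Assumed meaning of the verdict strings seen in the report:
    'Probably ...' is a heuristic guess, 'Archive contains infected objects'
    only says something nested inside was flagged, anything else is treated
    as a signature hit."""
    if f.verdict.startswith("Probably"):
        return "heuristic"
    if f.verdict == "Archive contains infected objects":
        return "container"
    return "signature"


def under_quarantine(f: Finding, qdir: str = QUARANTINE_DIR) -> bool:
    """Windows paths compare case-insensitively; normcase lowercases and
    normalises slashes on any host OS."""
    p, q = ntpath.normcase(f.path), ntpath.normcase(qdir)
    return p == q or p.startswith(q + "\\")


def on_disk_roots(findings: List[Finding], qdir: str = QUARANTINE_DIR) -> List[str]:
    """Entries whose container is the quarantine folder itself are the real
    files; every other entry is a member nested inside one of them."""
    q = ntpath.normcase(qdir)
    return sorted({f.obj for f in findings if ntpath.normcase(f.path) == q})


def leaf_detections(findings: List[Finding]) -> List[str]:
    """Names of the objects that actually triggered, not the wrappers."""
    return sorted({ntpath.basename(f.obj).lower()
                   for f in findings if kind(f) != "container"})


def summarize(text: str, qdir: str = QUARANTINE_DIR) -> Dict[str, object]:
    findings = parse_report(text)
    kinds = Counter(kind(f) for f in findings)
    return {
        "entries": len(findings),
        "heuristic": kinds["heuristic"],
        "container": kinds["container"],
        "signature": kinds["signature"],
        "moved": sum(1 for f in findings if f.action.startswith("Moved")),
        "all_quarantined": all(under_quarantine(f, qdir) for f in findings),
        "roots": on_disk_roots(findings, qdir),
        "leaf_detections": leaf_detections(findings),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Run against the nine lines above, this reduces them to three heuristic verdicts and six container roll-ups, all pointing at one leaf object (GTDown.ocx) inside two files, HP Active Support Library.msi and PCConnect.exe, that already sit in the quarantine folder. That matches the "3 suspicious, two removed" summary quoted earlier and is consistent with the other scanners finding nothing on the live system: a scanner that re-scans its own quarantine folder will keep reporting the same items until they are deleted or restored.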


#13 boopme
    To Insanity and Beyond
  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 30 December 2008 - 04:39 PM

Looks like you're good to go :thumbsup:

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

#14 CrutchyT
  • Topic Starter
  • Banned
  • 39 posts
  • Gender:Male

Posted 30 December 2008 - 10:13 PM

I *think* I've performed the restore point correctly, at least on his computer, an HP dv5t; those directions seem to be for XP while my nephew and I both have Vista Premium, but I think I managed to do the Vista equivalent (I wasn't asked to name the restore point, but was given a date and time for it, which I hope is OK). However, I'm still not sure if I performed a broader restore operation and not just a mere restore point, so I have a few questions, just to be safe:

His software is all here, comp is running fine, although Malwarebytes Anti-Malware has been deleted. That's to be expected because it was just a one-time, temporary application, right?

I've followed the exact same procedure on my computer, an HP dv7, but it's taking a LONG time :thumbsup: . A good four hours so far and it still says "Please wait while your Windows files and settings are being restored. System Restore is initializing..."

Mine's a higher-end entertainment model, and I do have a ton more software on it than his does, but should it really take this long? My nephew's only took about 20-30 minutes.

Edited by CrutchyT, 30 December 2008 - 10:33 PM.


#15 boopme
    To Insanity and Beyond
  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 30 December 2008 - 10:35 PM

The last line is for Vista

Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

We don't want to do a System Restore. Only clear the old and create a NEW restore POINT.
If you're doing a System Restore, cancel it.



