How do I know for sure the virus is gone?


This topic is locked
9 replies to this topic

#1 boredatwork

boredatwork

  • Members
  • 14 posts

Posted 02 April 2009 - 06:44 PM

First time poster here... Before finding this site, I searched the internet to help me fix my virus problem, following advice for people with similar problems to the one I had... I ran things such as Malwarebytes and ComboFix (sorry, I see you don't recommend that without being told to).

I have/had a virus that I first noticed when McAfee gave me an error message saying I needed to reinstall Security Center. I uninstalled it and went to redownload it, and noticed I couldn't connect to the download site. Then I noticed I couldn't connect to any antivirus-type site. While searching for help I noticed that when clicking on Google links I would be redirected. Aside from not being able to get any antivirus and being redirected, my computer worked fine.

I used a different computer to research my problem, managed to run Malwarebytes by changing the name of the file, and that got rid of some infected files and cured the redirecting issue. I was then able to reinstall McAfee and run my scan. It found more infected files and deleted them. I was then left with two files, both named NTOSKRNL-HOOK, that would get deleted and then reappear on the next scan. I then ran ComboFix, which seems to have gotten rid of them. My McAfee scan now comes up clean, but my question is: how do I make sure there aren't any deeply hidden infections? I have my ComboFix log, but I read that I shouldn't post it here without being told to.

Any suggestions would be much appreciated.

Thanks!


#2 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 02 April 2009 - 06:59 PM

**Vista users - right-click on the IE icon and run as administrator.

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Click View scan report at the bottom.

Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
__________________
Chewy

No. Try not. Do... or do not. There is no try.

#3 boredatwork

boredatwork
  • Topic Starter

  • Members
  • 14 posts

Posted 02 April 2009 - 10:30 PM

The report is completely empty.

Edited by boredatwork, 02 April 2009 - 10:31 PM.


#4 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 02 April 2009 - 10:38 PM

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights".
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

#5 boredatwork

boredatwork
  • Topic Starter

  • Members
  • 14 posts

Posted 02 April 2009 - 10:42 PM

I'm sorry, I should have mentioned I have Vista.

#6 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 02 April 2009 - 10:49 PM

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.


#7 boredatwork

boredatwork
  • Topic Starter

  • Members
  • 14 posts

Posted 02 April 2009 - 11:13 PM

I followed all your directions. GMER did a short scan initially (it didn't prompt me, it just did it automatically), then I checked my drives and clicked Scan. It started the full scan, and a couple of minutes later I got a pop-up box that said GMER stopped working, and it shut down. I tried it again and I got a blue screen on my computer that said Windows was shutting down and a bunch of other stuff, something about copying memory to something... I didn't have time to read it all before it restarted my computer. It gave me the option of how to start it up and I chose safe mode. My computer seemed to be working fine until I ran that scan...

Should I try it in safe mode? Or what?

Edited by boredatwork, 02 April 2009 - 11:16 PM.


#8 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 03 April 2009 - 04:54 AM

I would suggest reloading the computer. It sounds like the infection may have caused some damage. Or you should post in our HJT forum, where they can use some special tools and expert analysis to find and remove the remaining infection.

McAfee may be your key issue here; that's why I would recommend a reload of Windows.

#9 boredatwork

boredatwork
  • Topic Starter

  • Members
  • 14 posts

Posted 03 April 2009 - 06:21 AM

Thanks, I'll try the HJT forum.

#10 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,949 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 03 April 2009 - 02:29 PM

Hello boredatwork,

Now that you have a log posted here: http://www.bleepingcomputer.com/forums/t/216390/redirect-trojan-maybe-more/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
