
Malware that I simply cannot get rid of! Please help...


#1 kmarzi



Posted 27 April 2010 - 05:52 PM


I hope you're all well and I really hope you can help me.

So, I'm having a problem with some malware on my PC that I simply cannot defeat... It's driving me crazy. I think I got infected yesterday (maybe earlier, but the problems began yesterday) and spent most of the day (yesterday) and the whole of today trying to find this malware (more on this later!).

Basically, I know something is lurking on my C drive (or possibly my F drive - external hard drive). Symptoms include the following: yesterday, my browser was "out of date", apparently. I was prompted to install something or other. I ignored the prompt and closed down the prompt via Task Manager. A short while later, a new tab suddenly popped up in Firefox (note: 99% of the time I use Firefox) - this new Firefox tab directed me to a healthcare website. This keeps on happening (although the site may not necessarily be a healthcare website each time). I'm not sure whether this malware has been designed by my girlfriend, as I think it's trying to direct me to a website to buy Viagra. Maybe she's trying to tell me something? I'm joking, of course - in an attempt to find the lighter side of this problem (which is driving me crazy!). Indeed, mysterious new "tabs" keep on appearing in Firefox. Now, I keep on getting the following "pop-up/prompt":

Just-in-time debugger.

Within this pop-up/prompt, I am given an option which says something like "new instance of Microsoft script editor". Again, I ignore this prompt and try and close it down (it repeatedly appears when I close it down). I'm sorry - I didn't take a screen-grab. I will do this next time it appears.

Now, as I mentioned, I've been trying all day yesterday and all day today trying to find this virus. After 2 full days... I think I'm defeated! Here's what I've done so far:

I have all the latest definitions for Panda Cloud (Free - my anti-virus), Spybot, Super Anti-Spyware and Malwarebytes. I have scanned with all in normal mode and with Super Anti-Spyware and Spybot in Safemode. My Panda Cloud anti-virus has been deleting a few viruses over the past 2 days (2 viruses, to be precise). Here's what it detected and deleted:

Sinowal.gen (twice).

I have the report saved but I can't find how to post an image here...

I then searched with Super Anti-Spyware in normal mode. It found nothing. So, I scanned in Safe Mode and it found 2 trojans - which I duly deleted.

Here's what Super Anti-Spyware found and deleted:


I then scanned again with Super Anti-Spyware in Safe Mode - it found nothing. However, the mysterious new tabs and debug prompt, as mentioned above, continued...

So, I scanned with Malwarebytes (in Normal Mode). It found another Trojan. Hurray! Here's the log:

Files Infected:
C:\System Volume Information\_restore{BBC624B5-2188-49B8-89B5-ABCFFD649C7D}\RP917\A0339848.exe (Trojan.Agent) -> Quarantined and deleted successfully.

I just restarted my PC and........ Drum-roll........ The problems mentioned above persist... Almost immediately. Now, I was going to reinstall Firefox and all my anti-malware software, but, on the advice of my friend, decided to post here first. I haven't run HijackThis or anything either yet, as I don't really understand the report HijackThis produces.

I also had a quick look in msconfig for Start-up programs, etc. I unticked "tfswctrl" as this looks a bit dodgy (it's located in WINDOWS\system32\dla\tfswctrl.exe). I haven't restarted since I deselected it, as I've literally just come onto this forum to seek help. I have a screenshot but I don't quite know how to upload this image to my post.

I'm not sure how I got infected. I think it may be background pictures which I downloaded (I downloaded 3). I haven't yet deleted these files as I decided to await further instruction from this forum. But should I delete them anyway?

In all honesty, I'm absolutely at a loose end now. I've tried everything within my power and I really, really can't get to the bottom of it. If you can help, then I would be really, really grateful.

[Ah!! Panda Cloud has literally just deleted 2 more viruses as I type! Unfortunately, Panda Cloud does not recognise the names of these viruses. Nonetheless, it deleted them.]

Thank you in advance for your help and patience.

Take care and I hope to hear from you soon.


EDIT: here is a log from my Panda Cloud Anti-virus (this morning, it has found another virus, as well as one more last night. So the total now is 4. They seem to be mutating!).

Suspicious file detected Location: C:\WINDOWS\Temp\3766226641.exe 28/04/2010 08:58:23 Neutralized

Trojan detected Unknown name Location: C:\Documents and Settings\Administrator\Local Settings\Temp\pdfupd.exe 27/04/2010 23:15:06 Deleted

Trojan detected Unknown name Location: C:\System Volume Information\_restore{BBC624B5-2188-49B8-89B5-ABCFFD649C7D}\RP915\A0339567.exe 27/04/2010 23:14:51 Deleted

Virus detected Trj/Sinowal.gen Location: C:\WINDOWS\system32\sdra64.exe 26/04/2010 09:20:32 Neutralized

Virus detected Trj/Sinowal.gen Location: C:\WINDOWS\system32\sdra64.exe 25/04/2010 10:42:17 Neutralized

Edited by kmarzi, 28 April 2010 - 03:04 AM.
