0

Hello,

I am having trouble removing that virus. I have scanned with malvarebytes - full scan, avg antivirus, ad-aware quick scan, now doing ad-aware fullscan. Those programas find virus, remove them, but the virus still exists, because AVG throws a window with infected files.

Do you know what tools should I use to remove them completely?

7
Contributors
27
Replies
29
Views
5 Years
Discussion Span
Last Post by McLaren
0

I downloaded hijack this and scaneed the system, and here is a log, this might help to find the problem:


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 21:57:30, on 2011.10.12
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.19088)
Boot mode: Normal

Running processes:
C:\Windows\SYSTEM32\taskeng.exe
C:\Program Files\ASUS\ATK Media\DMedia.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Real\RealPlayer\Update\realsched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Windows\ehome\ehmsas.exe
C:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\Program Files\Creative\Software Update 3\SoftAuto.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Windows\system32\wbem\unsecapp.exe
E:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
E:\Program Files\Codebox\BitMeter\BitMeter2.exe
C:\Users\Darius\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Users\Darius\AppData\Local\Google\Update\1.3.21.69\GoogleCrashHandler.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\conime.exe
C:\Program Files\PC Connectivity Solution\Transports\NclToBTSrv.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\taskmgr.exe
C:\Users\Darius\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Darius\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Darius\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Darius\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Darius\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Darius\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Darius\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Darius\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Darius\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\rundll32.exe
C:\Users\Darius\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Darius\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\explorer.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Winamp\winamp.exe
E:\Program Files\Last.fm\LastFM.exe
C:\Users\Darius\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Darius\AppData\Local\Google\Chrome\Application\chrome.exe
E:\Program Files\HiJackThis\Trend Micro\HiJackThis\HiJackThis.exe
C:\Users\Darius\AppData\Local\Google\Chrome\Application\chrome.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\prxtbuTo0.dll
O1 - Hosts: ::1 localhost
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - e:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Tildes Biuras - {1E6700F0-0F85-40fd-8022-7EB60AB46F10} - E:\Program Files\Tildes Biuras\IEjosla.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: DebugBar BHO - {69FC0024-10EB-480A-BBF2-3BF4E78E17B1} - e:\Program Files\Core Services\DebugBar\DebugInfoBar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: uTorrentBar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\prxtbuTo0.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O3 - Toolbar: Tildes Biuras - {1E6700F0-0F85-40fd-8022-7EB60AB46F10} - E:\Program Files\Tildes Biuras\IEjosla.dll
O3 - Toolbar: DebugBar - {3E1201F4-1707-409F-BB45-A5F192381DA0} - e:\Program Files\Core Services\DebugBar\DebugToolBar.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\prxtbuTo0.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - e:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ITC] C:\Windows\system32\itc.exe 0
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [DicBrowser] E:\Program Files\Tildes Biuras\DicBrowser.exe /startup
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Real\RealPlayer\update\realsched.exe" -osboot
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "E:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Google Update] "C:\Users\Darius\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SoftAuto.exe] "C:\Program Files\Creative\Software Update 3\SoftAuto.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PC Suite Tray] "E:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - Startup: CCC.lnk = ?
O4 - Startup: Dropbox.lnk = Darius\AppData\Roaming\Dropbox\bin\Dropbox.exe
O4 - Global Startup: Bitmeter2.lnk = E:\Program Files\Codebox\BitMeter\BitMeter2.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: &Download by Orbit - res://e:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://e:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://e:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://e:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with Tilde Dictionary - res://E:\Program Files\Tildes Biuras\DicBrowserBHO.dll/201
O8 - Extra context menu item: Visit in &3D using ExitReality - http://3d.exitreality.com/TransmogrifyPage.htm
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: CDPoker - {A68FC757-51CF-4f3c-B13A-BFB8CA69BB99} - C:\Poker\CDPoker\casino.exe
O9 - Extra 'Tools' menuitem: CDPoker - {A68FC757-51CF-4f3c-B13A-BFB8CA69BB99} - C:\Poker\CDPoker\casino.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - e:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - e:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Users\Darius\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Users\Darius\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
O9 - Extra button: UltimateBet - {3EB3B7E8-1466-405A-B5BC-44513AF85E34} - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UltimateBet\UltimateBet.lnk (HKCU)
O9 - Extra 'Tools' menuitem: UltimateBet - {3EB3B7E8-1466-405A-B5BC-44513AF85E34} - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UltimateBet\UltimateBet.lnk (HKCU)
O9 - Extra button: PDC Poker - {4f34c291-5837-4f45-ade1-da5502c69fef} - C:\Users\Darius\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PDC Poker\PDC Poker.lnk (HKCU)
O9 - Extra button: Unibet - {58D38D2E-86B5-48BC-8B48-E7E81556A6B5} - C:\Microgaming\Poker\unibetpokerMPP\MPPoker.exe (HKCU)
O9 - Extra button: TrioBet - {EEACF3E7-6AE0-4A97-95CC-DEA343118F5D} - C:\Microgaming\Poker\triobetMPP\MPPoker.exe (HKCU)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Acunetix WVS Scheduler v6 (AcuWVSSchedulerv6) - Acunetix Ltd. - C:\Program Files\Acunetix\Web Vulnerability Scanner 6\WVSScheduler.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: B-Service - Unknown owner - C:\Users\Darius\AppData\Roaming\Mikogo\B-Service.exe
O23 - Service: BitComet Disk Boost Service (BITCOMET_HELPER_SERVICE) - www.BitComet.com - E:\Program Files\BitComet\tools\BitCometService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
O23 - Service: Creative Centrale Media Server (CTUPnPSv) - Creative Technology Ltd - C:\Program Files\Creative\Creative Centrale\CTUPnPSv.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Freemake Service (FreemakeUtilsService) - Freemake - C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Tracking Security Service (ITCS) - - C:\Windows\system32\ITCS.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: M4-Service - Unknown owner - C:\Users\Darius\AppData\Roaming\Mikogo 4\M4-Service.exe
O23 - Service: NitroPDFReaderDriverCreatorReadSpool2 (NitroReaderDriverReadSpool2) - Nitro PDF Software - C:\Program Files\Nitro PDF\Reader 2\NitroPDFReaderDriverService2.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: PostgreSQL Server 8.3 (postgresql-8.3) - PostgreSQL Global Development Group - C:/Program Files/PostgreSQL/8.3/bin/pg_ctl.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
O23 - Service: Syntek AVStream USB2.0 WebCam Service (StkSSrv) - Syntek America Inc. - C:\Windows\System32\StkCSrv.exe
O23 - Service: TeamViewer 5 (TeamViewer5) - TeamViewer GmbH - e:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
O23 - Service: TeamViewer 6 (TeamViewer6) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--
End of file - 14523 bytes

-1

if you can find the exact location of the virus you can delete their manually hope it works for you....

Votes + Comments
Bad advice. Manually attempting to remove an infection without truly knowing what you are doing is a bad idea. Suggesting that, even more so.
0

In another forum, one person recomended combofix, so I tried it and until now at least there is no trojans on my computer, will see later. Now I am installing newest version of AVG

0

too bad combofix didn't remove those also :( can you suggest me something to do from this log I posted earlier?

0

if you can find the exact location of the virus you can delete their manually hope it works for you....

.Very bad advice. Attempting to remove a virus manually without knowing all files involved can really cause major problems.

You have been cautioned about this in the past and yet you continue to not follow the rules. If you are going to post advice please follow the rules given for First Responders
http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/368036
If you do not adhere to these rules then we do reserve the right to delete your posts.

Edited by jholland1964: n/a

0

Hello, I read the instructions and was executing those steps, but too bad I had to stop it. I was doing step 7 (Please run the GMER Rootkit Scanner.) I needed to turn of my computer so I did hibernate it. But in the morning I found that hibernation resuming does not work, so I had to boot it normaly. So I will need to scan it again. But now I cannot, because I go to work, and I am living in not my own house, and the owners don't let even leave monitor in sleeping mode so I am not even asking them to leave my computer turned on while I am at work. Sorry that I cannot do those things quickly. I will try them this evening or on weekend.

You are attempting some dangerous things really,especially running Combofix without direction

I was directed in another forum, this guy said he is computer technician, or something like that, I don't remember. And I ran combofix just to see the menus actualy, but it started scanning automatically, I didn't have to even choose from some menu.

BTW, maybe I should just reinstall my windows? Because its vista now, so win 7 is better anyway, so not to waste time, maybe then the viruses will be gone? I don't want to format my whole pc and viruses might be in another disc, but maybe they will not be active anymore or something like that? But if its worth I could format my C disc (where windows are installed)

Edited by McLaren: n/a

0

It's your choice as to what to do with your computer, however I have several pieces of advice.
#1. You absolutely cannot correctly clean an infected computer in a "piece meal" way, half a tool today and the other half tomorrow. All of the tools are meant to be run from beginning to end without pausing them or stopping them in the middle and then attempting to restart it. Doing this can cause more damage on top of the damage caused by the infections.You certainly cannot turn off of hibernate a computer while it is in the middle of running a tool, as you have see this causes major problems.

#2. You have said you have run multiple tools but we have only seen one log, HiJackThis. HiJackThis is essentially not a cleaning tool but a scanning tool to give a picture of what "may be" on the computer. There are some very simple clean ups that can be done with HJT but removing an infection is usually not one of them. I truly cannot say with certainty what was/is the infection on the computer without seeing other logs but I do see from the HJT log are 14 windows from google chrome browser. Right there is another mistake, all tools should be run with the browser totally closed unless it is an online scan. In that case there should only be ONE instance of the browser open and that would be the one where the scan is taking place. With this many browser windows open during the HJT scan, which doe not require the use of a browser to run at all, this tells me you were doing other things online while HJT was running. When running clean up tools on an infected computer the only thing being done at that time is running the tool, everything else should be stopped until the tool completes its run.

#3. I have no idea what the forum is where you originally posted your problem but requesting help and using suggestions from two or more forums at the same time to remove infections is a very bad idea. The steps given from different forums may conflict and cause major problems. That does not mean that the steps given you there were wrong each forum uses basically the same tools, however some forums use one tool and another may not use it and that is where the conflict would come into the picture Combofix, for instance, which we also often recommend here also, is a very powerful tool that should be run one time, the log should be posted and then the person who recommended the running of Combofix would read the log and then may give additional steps that would be run using Combofix. Those instructions should be given by that first helper, he is the one who requested it and therefore would be reading and interpreting the log. As you said, it has no options menu, it runs in a very specific way and no choices are given. It runs one way only. I would advise you to return to that original forum and work with them.

#4.As to whether a reformat of "C" drive would remove the infection, probably, from "C" drive only. However since your HJT log shows the use of P2P there is NO GUARANTEE that the infected file is not stored on another drive in one of the P2P shared files, it likely is stored on one of those other disks as you called them. Will it hurt those stored files? No probably not, but the minute you use that file that contains that infection by accessing it from drive "C" then the infection WILL return to drive "C" and begin it's work again. If it were my computer I would wipe them all or take the time to scan each and every one of those stored files for infection. This shows the very real danger of using P2P to share files with unknown persons, yes, you can get something you should pay for and get it illegally for free, but sooner or later you will get a lot of "unknown extras" each time you use P2P and it is very likely how you got this Trojan in the first place. You also mention putting Windows 7 on the reformatted drive instead of Vista, which would likely be all right, if the copy is a legal copy. If it is not a legal copy then it cannot be updated which also puts the computer at great security risk.

#5. This type of Trojan is designed to open a security hole on your computer or "backdoor" as it's name implies, on your computer. This security hole is then used by remote hackers to gain access to your computer. This means that a remote hacker might steal your online banking passwords, change your system settings, or download additional malware onto your computer. You need to really "rethink" what you are doing online. You also would be advised to change ALL of your passwords and notify your bank and credit card companies that you have this infection.

Edited by jholland1964: n/a

0

thanks for a long answer, but now I am going to sleep, so tomorrow I hope I will have time for a whole day, no work, no other stuff, so I will try to clean up my computer

And I have log on from GMER when I did that scan if it is usefull:


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-10-13 21:49:30
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 Hitachi_HTS541616J9SA00 rev.SB4OC70P
Running: 3br923ys.exe; Driver: C:\Users\Darius\AppData\Local\Temp\pwdirpod.sys


---- System - GMER 1.0.15 ----

Code 899517BC NlsAnsiCodePage

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 856201F8
Device \Driver\atapi \Device\Ide\IdePort0 856201F8
Device \Driver\atapi \Device\Ide\IdePort1 856201F8
Device \Driver\atapi \Device\Ide\IdePort2 856201F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 856201F8
Device \Driver\afxlieyy \Device\Scsi\afxlieyy1Port4Path0Target0Lun0 8673E1F8
Device \Driver\afxlieyy \Device\Scsi\afxlieyy1 8673E1F8
Device \FileSystem\Ntfs \Ntfs 856211F8

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\tdx \Device\Tcp nltdi.sys
AttachedDevice \Driver\tdx \Device\Udp nltdi.sys
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service E:\Program (*** hidden *** ) [MANUAL] BITCOMET_HELPER_SERVICE <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----


I see that there is something with bitcomet, but I was not running it during scan with GMER

Edited by McLaren: n/a

0

IF it's useful??? Did you see this in the log?

BITCOMET_HELPER_SERVICE <-- ROOTKIT

Notice the program noted...BitComet, one of your P2P programs.

Continue with the scans ONLY. Do NOTHING else online except the steps noted in the Read Me Sticky. I say again, nothing else online, no surfing, no email, no downloading, nothing. The more you do the more you will be adding more infections.
A rootkit is a type of malicious software that is activated each time your system boots up. Rootkits are difficult to detect because they are activated before your system's Operating System has completely booted up. A rootkit often allows the installation of hidden files, processes, hidden user accounts, and more in the systems OS. Rootkits are able to intercept data from terminals, network connections, and the keyboard.

Edited by jholland1964: n/a

0

I think you can try kasper sky anti virus,it is good enough to protect the pc.

The poster is in the middle of a clean up, purchasing another anti-virus isn't going to remove this Rootkit. No matter what anti-virus a person is running continuing to do dangerous things on the computer like P2P will catch up sooner or later.

0

Hello again,

today I installed windows 7. I formated the disc C and istalled them on it. After instalation, I downloaded windows updates, and then ran fullscan with windows defender. I didn't even open disk E and didn't browse the interned until the scan was complete. It found 3 viruses left in my disk E and removed them. Hope its clear now. But we will see. Now downloading avira antivirus, as windows says me that I should instal some AV. But one guy who worked at enigma software says that we don't need another AV if we use windows defender, because its waste of recourses. (If I remember correctly).

And for kaspersky - I tried its removal tool before reinstaling windows, and it didn't help.

Thanks for your time. If I will still have problems, I will say then, but now I hope I got rid of them :)

Attachments virusai.png 48.44 KB
0

Windows Defender is NOT an antivirus program, it is an anti-malware program. It really is a worthless tool because of conflicts with other tools and the most common recommendation from most respectable forums is turn it off and leave it off. It was formerly known as Microsoft AntiSpyware and comes automatically with Vista and Windows 7.
Even Microsofts own anti virus program turns off Windows Defender when it is installed. It rarely works well with any other and more highly rated anti virus programs or anti-malware programs and will often stop fixes done by other programs.

Edited by jholland1964: n/a

0

yeah, I probably confused with those two tool. Probably this guy recomended me microsof security essentials. I didn't know that microsoft had two different tools, so I just found one and I thought that the defender is the tool recomended by that person. So I am now installing microsoft security essentials.

0

yeah, I probably confused with those two tool. Probably this guy recomended me microsof security essentials. I didn't know that microsoft had two different tools, so I just found one and I thought that the defender is the tool recomended by that person. So I am now installing microsoft security essentials.

You previously said you were installing Avira, I certainly would choose that over Microsoft Security Essentials. It scores MUCH higher than MSE, in fact many programs score higher than MSE. If you want I have instructions on the install of Avira 2012 Free. It is an excellent program and very easy to use.

0

You previously said you were installing Avira, I certainly would choose that over Microsoft Security Essentials. It scores MUCH higher than MSE

my colegue, who worked at enigma software, said that soft from MS finds viruses pretty well. He said he used to work with virustotal.com a lot so he saw which software finds viruses well. So thats why he recomended me avira or microsoft tool.

0

I would still go with Avira. It beats MSE hands down. As does Avast.
Look at the results in my print screens from the most recent AV-Comparative testing. This is an independent lab by the way, nothing to do with any of those programs tested.

Attachments AV_Detection_rates.JPG 60.71 KB Awards.JPG 43.95 KB
0

interesting. Ok, maybe later I will reinstall AV, now I am tired of all those intalations allready :)

Just interesting - then how my colegue could see in virustotal.com that MSE is performing very good. He said he worked a lot, as I mensioned with virustotal. So it shouldn't be a coincidense :/

0

Look, do what you want. I didn't say MSE was bad, I said Avira and Avast scores higher on independent testing. Virustotal isn't a program that is even installed on the computer it is an online service that allows you to upload a suspicious file from your computer to be scanned by multiple, more than 30, anti virus engines. MSE, Avira, Avast are only three of them.

I gave the info I have and I know to be true. Do whatever you want. But if you are running only Windows Defender then you absolutely, do not have an anti-virus program on the computer and it WILL become infected again.

Edited by jholland1964: n/a

0

Ok, I will definitely at least consider instaling another antivirus, probaly avira. Thanks for the info.

0

Ok, I will definitely at least consider instaling another antivirus, probaly avira. Thanks for the info.

Consider????
Well it's your computer. But remember you have all ready put virtually every piece of personal information you have on the computer out there for anyone to take it and use it as their own, somebody may be doing that right this minute, but of course you won't know this until you suddenly discover you have purchase a $5000 home entertainment center and a $15,000 cruise around the world. Rather than clean a rootkit you decided to reformat and install another operating system. You are doing P2P file sharing, which is how you were infected in the first place and bear in mind there are some rootkits and bootkits that pretty much toast the computer.

Your choice, good luck.

Edited by jholland1964: n/a

0

they cannot steal that much from me because I probably have only like 3000$, not more :D

0

Not to mention the fact that there may be some reluctance for future assistance to people who will not help themselves :).

0

I have installed avira. I don't htink its worth to spend money if avira in test is better than kaspersky and its free

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.