Windows Vista Forums

Hi - need a little Malware advice please :)
  1. #1
    Sandman70

    Newbie
    Join Date : Apr 2010
    Posts : 5
    Windows 7, build 7600 glitchy 64bit
    Local Time: 12:12 AM
    uk

    Hi - need a little Malware advice please :)

    Hey folks - Sandi & kinda new around here - I have half of a Windows 7 (64bit) OS, so suspect I may become a fairly regular visitor to the Windows 7 area (since I spent the last 5 weeks chasing my tail removing Badware from this infernal machine - now I have a list of driver and app compatibility issues to contend with!) Never mind, sure I'll get there - but it's not actually my Laptop I'm here about today...

    ~~~~

    I mentioned 'badware' - What started out yesterday as an exercise in trying to speed up and reduce a friend's painfully long lap-top re-start time got me a little worried and my conscience has brought me here in search of a little assistance. Would like to ensure we're not re-infecting each other after seeing (what looks to me like) an awful lot of 'Groovey' thingys going on, would like a 2nd opinion. (my browser is being an Ass again today and I'm struggling to get to any of the trusted malware help sites I have used in the past) guess I'm not out the woods yet

    His system - Vista Home Prem 32bit on a Toshiba Satellite laptop, unsure of exact spec, pretty sure it's a 2GHz Pentium dual core with 2GB of installed RAM

    Although he's not currently having any major hassles with it, it's slow, gets a little overheated - a fair amount of petty glitchy things going on - and the re-boot time is painful! Managed to get several things disabled from running at start yesterday and removed some superfluous software installations - no problems, in fact there wasn't much left checked at all in msconfig list by time we finished - so was rather surprised by the volume of things Silent runners found afterwards.

    - my reasons for worrying -

    Norton had quarantined a file a long time ago, which was apparently 'allowed' to run at start - I wasn't aware at 1st, so got him to run the Norton removal tool after spying a little Norton/Symantec residue. I would assume the tool should have removed the vault and the file too? Or no, maybe it was unable? Well anyway it was 'VMware - Virus Trigger'? something like that - none of the listed known registry entries associated with that malware were present so went ahead and deleted the file - all good, although his laptop did abruptly re-boot - I read somewhere that usually comes bundled with other things - I'm unsure exactly what Norton found back then.

    Other concerns - unknowingly had Defender running alongside AVG for ... erm ... unknown amount of time. Not sure, but when I was running AVG free - was given the impression that isn't wise? and AVG auto switches that off? So he's potentially had compromised AV protection?

    He wasn't able to download HJT for a while; the system wouldn't allow it, even with re-naming - pointed him to a standalone downloader link and we got it in the end.

    Live Messenger (Grrr) - advised him a link to Bleeping Computer's site I sent was a reported attack site and a couple of times Windows Live crashed (both ends, mine & his, but not simultaneously) when I attempted sending links to MW resources and MW removal info - don't think that can be a good sign ... ? Windows Live sharing folder WAS responsible for some of my laptop issues...

    'Groove monitor' ? I am aware there's a valid reason for that with MSO installed - but sooo many instances of running thingys?? Erm yer, well spotted .. I'm hoping to get his office software removed and replaced, as soon as I'm sure it's safe to do so - Along with IE browser probably, I also think a fresh AVG and Windows Live install wouldn't go amiss? Please feel free to tell me if I'm being paranoid - my laptop has made me that way lately - yes I am aware

    I have nothing to lose on my laptop for now - yet another new install is no bother for me, but he has months of Uni work and stuff I'd prefer he didn't lose on account of something I may have given him

    Attached silent runners and HJT log if anyone 'in the know' could please take a look and see for me and maybe offer a little guidance?

    Thanks in advance
    Sandi




  2. #2
    mitchell

    Ngai Tahu/Tau Iwi

    Join Date : Nov 2008
    New Zealand
    Posts : 420
    Windows Seven Home Premium 32bit SP1
    Local Time: 11:12 AM
    newzealand


    Re: Hi - need a little Malware advice please :)

    Hallo Sandman, I was hoping someone else would pick up on this as I do not know how to interpret HJT logs

    Cross contamination is an issue via removable media & email also any system restore points created while infected can reinfect if you restore to them.

    All I can suggest is cleanse both machines independently. Rather than me doing a whole lot of key tapping, have a look through this old thread as a general guide;

    Malware files that will not be removed

    As far as performance you may like this tutorial;

    Speed Up the Performance of Vista

    I hope this gives you something to work with


  3. #3
    Banned

    Join Date : Dec 2009
    Posts : 3,375
    Vista Home Premium x86 SP2
    Local Time: 12:12 AM
    uk european union


    Re: Hi - need a little Malware advice please :)

    Hello,

    Your HiJackThis log shows nothing particularly nasty. There are however a few empty entries that should be removed. This is just housework and does not indicate the presence of a virus. Please download the latest version of HiJackThis (you are using 2.0.2 and the latest is 2.0.4) and run a scan without generating a log file. Carefully put a check next to the following entries and click "Fix Checked".

    Code:
    O9 - Extra button: eBay - {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?DK (file missing)
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: TOSHIBA Bluetooth Service - Unknown owner - c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe (file missing)

    Please then immediately restart your computer. If any of these entries reappear, just ignore them, this is normal. I will have a look at your Silent Runners log when I get round to it.

    Richard
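The three entries above are all flagged "(file missing)": the registration (a browser button, two services) still exists, but the executable it points at is gone, so there is nothing running. A small parser that picks such orphaned entries out of a HijackThis log makes the triage in the post repeatable. This is an added example, not code from the post or from HijackThis; the log sample embeds the three entries quoted above plus one made-up entry whose file is present, so the filter has something to keep.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample log: the three entries quoted in the post above plus one
# made-up entry (Example Updater) whose file is present.
SAMPLE_HJT_LOG = r"""
O9 - Extra button: eBay - {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?DK (file missing)
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: TOSHIBA Bluetooth Service - Unknown owner - c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe (file missing)
O23 - Service: Example Updater (ExampleUpd) - Example Corp - C:\Program Files\Example\updater.exe
"""

MISSING_MARK = "(file missing)"


@dataclass
class HjtEntry:
    section: str        # HijackThis section label, e.g. "O9" or "O23"
    description: str    # what the entry registers (button, service name, owner ...)
    target: str         # the file path or URL the entry points at
    file_missing: bool  # HijackThis could not find the target on disk


def parse_hjt(text: str) -> List[HjtEntry]:
    """Parse 'Oxx - ... - target [(file missing)]' lines; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^(O\d+) - (.+)$", line)
        if not m:
            continue
        section, rest = m.groups()
        missing = rest.endswith(MISSING_MARK)
        if missing:
            rest = rest[: -len(MISSING_MARK)].rstrip()
        # The target is always the last ' - ' separated field.
        description, _, target = rest.rpartition(" - ")
        entries.append(HjtEntry(section, description, target, missing))
    return entries


def orphaned_entries(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Entries whose file is gone: leftover registrations, not running code."""
    return [e for e in entries if e.file_missing]


if __name__ == "__main__":
    for e in orphaned_entries(parse_hjt(SAMPLE_HJT_LOG)):
        print(f"{e.section}: {e.target}  <- target missing, housekeeping only")
```

Fixing an orphaned entry only deletes the stale registration; because there is no file behind it, it tells you nothing about whether the machine is infected, which is the point the post makes.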


  4. #4
    Banned

    Join Date : Dec 2009
    Posts : 3,375
    Vista Home Premium x86 SP2
    Local Time: 12:12 AM
    uk european union


    Re: Hi - need a little Malware advice please :)

    Hello,

    There are three more things you should do on both computers. Please make sure that I know which logs came from the same computer, and that you know which logs come from which computer.

    Please press the Windows Key + R to open the Run dialogue. Type cmd and press Enter. At the prompt, type "ipconfig /flushdns" without the quotes, noting the space. Press Enter and make sure that the DNS flushes correctly. Immediately reboot your computer.

    NOTE: This was not originally written by me, but still applies.
    Download GMER Antirootkit from here.
    Mirror location: here. This version will download a zip. If you use this mirror, please unzip it to a folder that you create such as C:\Gmer\.

    Disconnect from the internet and disable all active protection so your security program drivers will not conflict with gmer's driver.
    Double-click on the randomly named GMER file (i.e. a1afk10a.exe) and allow the gmer.sys driver to load if asked.
    For mirror version, double-click Gmer.exe to run the program.
    When the program opens, click the ">>>" Tab
    Click the "Rootkit/Malware" Tab.
    Select all drives that are connected to your system to be scanned.
    Click the Scan button.
    When the scan is finished, click Copy to save the scan log to the Windows clipboard.
    Open Notepad or a similar text editor.
    Paste the clipboard contents into a text file by clicking Edit -> Paste or Ctrl + V
    Save the gmer scan log to your desktop.
    Close Gmer.

    Download RSIT by random/random from here and save it to your desktop.
    * Double click on RSIT.exe to run RSIT.
    * Click Continue at the disclaimer screen.
    * Once it has finished, two logs will open. If it does not automatically open, then these logs can be found at %systemdrive%\rsit folder (typically C:\rsit)
    Post back with GMER log + both RSIT logs. Post each log in separate post, or ideally upload them rather than posting them in-line.
    Thanks!

    Richard


  5. #5
    Banned

    Join Date : Dec 2009
    Posts : 3,375
    Vista Home Premium x86 SP2
    Local Time: 12:12 AM
    uk european union


    Re: Hi - need a little Malware advice please :)

    Hello,

    Have looked at your Silent Runners log. One interesting thing has popped up.

    Here is a reason why he might have a virus. You need to find out if it worked, because one of these things that I can't mention not executing an installer etc. means that a virus has just been installed (and usually a very nasty one at that)

    Code:
    {64A1D39C-8140-42E5-8234-14C0B92AD16E}" ->  launches: "C:\Windows\system32\pcalua.exe -a "C:\Users\Jens\Desktop\Programmer\HyperCam ver. 2.14.01 all laguages plus cracks(w___olf.inc)\english\HC2Setup.exe" -d "C:\Users\Jens\Desktop\Programmer\HyperCam ver. 2.14.01 all laguages plus cracks(w___olf.inc)\english"" [MS]

    Please scan that file (HC2Setup.exe NOT pcalua.exe) with VirusTotal - Free Online Virus and Malware Scan and tell me if anything shows up.

    Richard
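The entry above is easy to misread: the program that runs is pcalua.exe (the Windows Program Compatibility Assistant launcher), but the file worth scanning is the one passed in its -a argument. As an added example, not code from the post or from Silent Runners, the script below unwraps such an entry to find the real target and computes its SHA-256, which is what you would look up on VirusTotal instead of uploading the installer. The Silent Runners line is the one quoted above; the hashed file is a constructed temporary file, since the installer itself is not available here.

```python
import hashlib
import re
import tempfile
from pathlib import PureWindowsPath

# Constructed sample: the Silent Runners entry quoted in the post above.
SAMPLE_ENTRY = r'''{64A1D39C-8140-42E5-8234-14C0B92AD16E}" ->  launches: "C:\Windows\system32\pcalua.exe -a "C:\Users\Jens\Desktop\Programmer\HyperCam ver. 2.14.01 all laguages plus cracks(w___olf.inc)\english\HC2Setup.exe" -d "C:\Users\Jens\Desktop\Programmer\HyperCam ver. 2.14.01 all laguages plus cracks(w___olf.inc)\english"" [MS]'''

# The quoted command sits between 'launches: "' and the closing '" ['; the
# greedy .* lets the command itself contain quoted arguments.
LAUNCH_RE = re.compile(r'launches:\s*"(?P<cmd>.*)"\s*\[')
# pcalua.exe takes the real program in -a and its working directory in -d.
PCALUA_RE = re.compile(
    r'pcalua\.exe\s+-a\s+"(?P<target>[^"]+)"(?:\s+-d\s+"(?P<workdir>[^"]+)")?', re.I)


def resolve_launch_target(entry: str) -> dict:
    """Return {'launcher', 'target', 'workdir'} for one Silent Runners launch entry."""
    m = LAUNCH_RE.search(entry)
    if not m:
        raise ValueError("no 'launches:' command in entry")
    cmd = m.group("cmd")
    pm = PCALUA_RE.search(cmd)
    if pm:
        return {"launcher": "pcalua.exe", "target": pm.group("target"),
                "workdir": pm.group("workdir")}
    # Not wrapped: the command's own executable is the target. A quoted path
    # ends at the next quote; otherwise (heuristic) cut after the first '.exe'.
    if cmd.startswith('"'):
        target = cmd[1:cmd.index('"', 1)]
    else:
        idx = cmd.lower().find(".exe")
        target = cmd if idx < 0 else cmd[: idx + 4]
    return {"launcher": None, "target": target, "workdir": None}


def sha256_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large installers do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def demo_hash() -> str:
    """Hash a constructed stand-in file (contents b'abc') to show the lookup value."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"abc")
        name = f.name
    return sha256_file(name)


if __name__ == "__main__":
    info = resolve_launch_target(SAMPLE_ENTRY)
    print("launcher:", info["launcher"])
    print("file to look up:", PureWindowsPath(info["target"]).name,
          "in", info["workdir"])
    print("sha256 of stand-in file:", demo_hash())
```

Looking a hash up rather than uploading the file means a clean result only says the exact bytes have been seen before; an unknown hash on a file from a "cracks" folder is still a reason to treat the machine as suspect.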


  6. #6
    l)ark_Scorpion

    Real SN AT99Scorpion
    Join Date : Mar 2010
    The Great Lakes
    Posts : 211
    Windows 7 Home Premium 64 bit
    Local Time: 06:12 PM
    usa us michigan


    Re: Hi - need a little Malware advice please :)

    Malwarebytes, Microsoft Security Essentials, and PC Tools Firewall are all you need


  7. #7
    Sandman70

    Newbie
    Join Date : Apr 2010
    Posts : 5
    Windows 7, build 7600 glitchy 64bit
    Local Time: 12:12 AM
    uk

      Thread Starter

    Re: Hi - need a little Malware advice please :)

    Thank you all for replying. Apologies for the delay getting back here, not total ignorance, a few hours later everything went very wrong again with my laptop. Think I'm sorted now though *stable laptop since the 12th *touches wood* plucked up the courage to get it online yesterday and so far so good!!

    *stable - provided I don't need the soundcard & wlan card to work at the same time AND expect my battery to charge. I found out the hard way that my AC adapter was doing Jack....! Never mind, it's working right now, I'll sort it - another time - had enough fixing this thing for now - I have surfing, games and a rather fine new OS to catch up with!

    ......

    Snow(conFed) Thank you - Sound advice, much appreciated

    Have been using Security Essentials for a while. I think it's great and very unobtrusive. Seems to be working well with new 64bit OS too, so will continue to use - Malwarebytes is probably the only other malware software I've ever actually installed - Never really had any virus/malware problems until this recent issue, and from reading around the net, a lot of which possibly self inflicted, my bad

    Not tried the PC Tools firewall, I'll check it out. Am a bit naïve about these matters - Should I use that in preference to the MS wall? I am behind a router at home, configured to ignore pings, disabled UPnP etc and of course I TRY to practice 'safe-surf'.

    Was hoping that the wall bundled with Win7 would suffice - maybe not? Although I don't want overkill and potentially make problems with software the whole time. My recent Malware research seems to indicate Windows 7 is a bit 'holey' and hackable? YouTube is bursting at the seams with Windows 7 hacks in fact. Guess I should up the ante with net protection, not sure what's best for me really. Java plug-ins and such are a necessary evil for me, but I'm told they can be exploited easily? Will a firewall prevent those kind of things?

    Neimero
    Very much appreciate you taking a look at that for me

    Found a bit more out about the software there, knowing him as I do - was surprised to see myself, student-ness and Internet security ignorance to blame me finks.... the group he studies with use VMware to 'share' at Uni - the file Norton had quarantined was called 'VMware' total guess, but I would imagine that means the VMware is also ... and Norton found the crack as a virus?

    Time difference means I'll have to get him to run GMER later today or as soon as poss this week, will get a log posted soonest - and make sure those empty entries get tidied up too. Thanks once again for your time.


    And thanks too to mitchell for the links and info - will look at those further right now.

    Sandi


  8. #8



    Banned

    Join Date : Dec 2009
    Posts : 3,375
    Vista Home Premium x86 SP2
    Local Time: 12:12 AM
    uk european union


    Re: Hi - need a little Malware advice please :)

    Hello,

    Do not worry about your late reply, and thanks for giving us such a good update. The experts do agree that you should avoid the Windows Firewall, however, due to its convenience (exceptions are easy to add, installers often add them anyway, and the Unblock/Block window is really useful) I always use it. I have been very happy with it and have only had one massive virus (and no other viruses have even disturbed me). With a good router, antivirus, and a bit of sense, I am very happy to use this very convenient Firewall, but be aware that it is not quite as good (apparently). It is your choice. Its main fall down point is all the exceptions that have been created and its hackability; viruses can get through most Firewalls on http://.


    When it comes to cracks, be very careful. A lot of them contain very nasty viruses. Also note that they are illegal and this forum does not endorse them in any way. Anyone admitting the use of, asking for, or publishing cracks will be banned permanently. Some things you should be aware of:
    • If the crack comes out to be less than 1 megabyte, it is almost certainly a virus (and a very nasty one at that)
    • If a website is offering you a "Full Version", a "Fast Version", a "Full Speed" version etc. and they all come out to less than 1 megabyte, they are all a virus and should be deleted immediately. In particular if they are all exactly the same size.
    • Any crack without an icon is quite possibly a virus.
    • If you run a crack and nothing happens, a virus has just been installed
    As I have said earlier, they are illegal and should not be used (and even cracks that work sometimes have viruses in them)

    I would assume you are right that VMWare is a virus in this case and I will do my best to help you to remove it.

    Richard


  9. #9
    Sandman70

    Newbie
    Join Date : Apr 2010
    Posts : 5
    Windows 7, build 7600 glitchy 64bit
    Local Time: 12:12 AM
    uk

      Thread Starter

    Re: Hi - need a little Malware advice please :)

    Am no angel but rest assured it's been many years, and several computers, since I had any illegal software. Had routers for like 7 years now, never could get my head around the port forwarding etc - so I'm a very good girl these days - no worries - recent hours of trawling forums for advice about malware has opened my eyes A LOT - seems nobody's really 100% safe from online nasties nowadays

    The last 10 weeks - I have had trojans, many! Only Microsoft software has been able to tell me about - Onecare Scan was the 1st to detect anything, ran it overnight - half acknowledged the message in the morning saying I had a 'win32.agent' - ASSUMED it had cleaned it, turned laptop off, went to work and forgot about it ..... been removing - re-formatting and re-installing ever since...

    Guess my AV got broke somehow, it was finding bad stuff, it just never told me

    What can you do if you can't rely on your software to let you know? How do I keep getting re-infected in spite of trying some of the most sophisticated AV software recently to try and stop this damn thing - it's cost me a fortune!

    Suspected Windows Live is the culprit since I found (see attached). Hate the thing - meh, if 80% of my friends and family weren't overseas, I would NEVER install that software again. Although I suspect Jens never obtained any of the software himself - doubt he would even know how to - I have suspected a connection somehow almost since day 1. The only other way I can think of would be *shudders* the terminal server at work, eek? I used to regularly use RD to work at home evenings........

    I'll get those scans run on my laptop as soon as I get 5 mins - and try to get hold of Jens, I'll be very certain to keep things separate too and let you know what's what.

    Again, thanks for your time

    ps. attachment's a .jpg - took a screenshot of one particular file I found hidden a few formats back...was mostly encrypted, at least any useful info was - I removed all those bits to try and see between the lines. Onecare appeared to do nothing but freeze everything.

    Ok - never mind the attachment *sigh* that button stopped working for me now hmm I'll think on another way...[EDIT] Nevermind - re-start fixed my screen.

    Last edited by Sandman70; 17 May 2010 at 05:27 AM.

  10. #10
    Banned

    Join Date : Dec 2009
    Posts : 3,375
    Vista Home Premium x86 SP2
    Local Time: 12:12 AM
    uk european union


    Re: Hi - need a little Malware advice please :)

    Don't worry. It was more to protect me (I do not endorse cracks in any way) than to be constructive.

    Richard
