
Thread: Visually impaired leading the blind in virus removal
Old 05-26-2009, 05:28 PM   #1
Jae Onasi
Antiquis temporibus, nati tibi similes in rupibus ventosissimis exponebantur ad necem
 
Status: Super Moderator
Join Date: Aug 2005
Posts: 10,912
Current Game: Guild Wars 2, VtMB, TOR
Alderaan News Holopics contributor Helpful! LucasCast staff Veteran Fan Fic Author 
Visually impaired leading the blind in virus removal

Well, my nephew was on a facebook page, got a popup that looked like the Norton security icon, and as you can guess, he not only clicked it, he followed the instructions to install it. They ended up with a virus. My sister, who is not computer savvy, ran a Norton AV scan (the real one, not the fake one). It picked up nothing. I had her run Avast instead, along with HijackThis (and told her not to touch any files that come up on Hijack). Avast reported that kernal32.dll, winsock.dll, and wsock.dll were infected. Unfortunately, she didn't send me the name of the virus itself. Hijack picked up some things I didn't recognize. I can post the copy of the report she sent me later when I get home to my computer.

Any suggestions short of wiping the hard drive?


From MST3K's spoof of "Hercules Unchained"--heard as Roman medic soldiers carry off an unconscious Greek Hercules on a 1950's Army green canvas stretcher: "Hi, we're IX-I-I. Did somebody dial IX-I-I?"

Read The Adventures of Jolee Bindo and see the amazing Peep Surgery
Story WIP: The Dragonfighters
My blog: Confessions of a Geeky Mom--Latest post: Security Alerts!
Love Star Trek AND gaming? Check out Lotus Fleet.

Old 05-26-2009, 05:56 PM   #2
jrrtoken
Senior Member
 
Join Date: Jun 2008
Posts: 1,995
Avast should usually pick up the virus, especially when you run it on "Thorough" mode, and tell it to scan archive files. Once it detects something, be sure to find out the names of the infected files, and if possible, quarantine it ("Move to Chest").

You shouldn't remove the actual trojan immediately, as there's always the possibility of it just exploiting the registry or another process to sustain itself postmortem. Research should be done to try to find any loopholes that virus removal programs have with the certain trojan. I've never had any problems removing those certain trojans with Avast, but with McAfee and Norton, it's definitely a possibility.

EDIT: You said that you had DLL corruption, particularly those DLLs. If that's the case, then this might help.
Old 05-26-2009, 07:28 PM   #3
Jae Onasi
@PastramiX--thanks--I'll send her the info right away.

Here's the HijackThis logfile:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:36 AM, on 5/26/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\PAV\pav.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Documents and Settings\Owner\Application Data\Smilebox\SmileboxTray.exe
C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\SMART Technologies Inc\SMART Board Software\SMARTBoardTools.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\SMART Technologies Inc\SMART Board Software\Aware.exe
C:\Program Files\SMART Technologies Inc\SMART Board Software\Marker.exe
C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\Program Files\SMART Technologies Inc\SMART Board Software\SMARTBoardService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com...r/fix_homepage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com...r/fix_homepage
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SMART Notebook Download Plugin - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Program Files\SMART Technologies Inc\Notebook Software\NotebookPlugin.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\IPSBHO.DLL
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PAV] C:\Program Files\PAV\pav.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [SmileboxTray] "C:\Documents and Settings\Owner\Application Data\Smilebox\SmileboxTray.exe"
O4 - Global Startup: Audible Download Manager.lnk = C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: SMART Board Tools.lnk = C:\Program Files\SMART Technologies Inc\SMART Board Software\SMARTBoardTools.exe
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1168901681671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1234232194781
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/down.../OTOYAX29b.cab


O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Technologies Inc\SMART Board Software\SMARTBoardService.exe
O23 - Service: SMART Web Server - Unknown owner - C:\Program Files\SMART Technologies Inc\SMART Board Software\WebServer.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


Old 05-26-2009, 07:52 PM   #4
jrrtoken
One thing that stood out from all of the other programs in the log file was this registry startup entry:
Quote:
O4 - HKLM\..\Run: [PAV] C:\Program Files\PAV\pav.exe
PAV is Personal Antivirus, another wonderful hoax antivirus software designed to make you buy phony antivirus progs and to open a backdoor to host a malware kegger in your computer. There's a good chance that this is what was downloaded in the first place. I came across this guide to purge it from your system.

Hope this works out alright.

Last edited by jrrtoken; 05-26-2009 at 07:58 PM.
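An added example for this thread (not HijackThis's own code, and not anything the posters ran): a small Python triage of the O4 autostart lines in a HijackThis log, of the kind that would surface the [PAV] entry singled out above. It parses registry Run-key and Startup-folder entries, strips quoting and arguments to recover the executable path, and flags entries that run from a bare filename, from a user-profile directory, or from a name/path tied to the rogue product identified in this thread; it also lists O2/O23 entries whose files are missing, which are stale or half-removed items rather than active code. The sample lines are copied from the log posted above; the KNOWN_ROGUE set is constructed from the thread's own finding and is the only "intelligence" the script carries.

```python
"""Triage HijackThis O4 autostart entries and list orphaned O2/O23 entries.

Example code written for this thread, not HijackThis code. Sample lines are
copied from the log posted in the thread; KNOWN_ROGUE is constructed from the
thread's own finding (PAV = Personal Antivirus).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Line shapes present in the thread's log: Run keys, Startup-folder shortcuts,
# and BHO/service entries whose file is gone.
RUN_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
STARTUP_RE = re.compile(
    r'^O4 - (?P<scope>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.+)$')
ORPHAN_RE = re.compile(r'^O(?:2|23) - .*\((?:no file|file missing)\)\s*$')
# Either a double-quoted path, or an unquoted path up to the first .exe/.lnk/.dll
# that is followed by whitespace or end of line (unquoted paths may contain spaces).
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|lnk|dll))(?:\s|$)', re.I)

# Constructed for this example from the thread: value/directory names tied to
# a rogue "antivirus" product. Extend from your own findings.
KNOWN_ROGUE = {"pav"}


@dataclass
class Autostart:
    source: str                          # "HKLM\Run", "HKCU\Run", "Global Startup", ...
    name: str                            # registry value name or shortcut name
    command: str                         # command line exactly as HijackThis logged it
    reasons: List[str] = field(default_factory=list)

    @property
    def exe(self) -> str:
        """Executable path with surrounding quotes and trailing arguments stripped."""
        m = EXE_RE.match(self.command.strip())
        if not m:
            return self.command.strip()
        return m.group(1) or m.group(2)


def parse_line(line: str) -> Optional[Autostart]:
    """Return an Autostart for an O4 line, or None for any other HijackThis line."""
    m = RUN_RE.match(line)
    if m:
        return Autostart(f"{m['hive']}\\{m['key']}", m['name'], m['cmd'])
    m = STARTUP_RE.match(line)
    if m:
        return Autostart(m['scope'], m['name'], m['cmd'])
    return None


def triage(entry: Autostart) -> Autostart:
    """Attach human-readable reasons why an entry deserves a second look."""
    parts = [p.lower() for p in entry.exe.split("\\")]
    if len(parts) == 1:
        entry.reasons.append("bare filename: resolved through PATH at logon")
    if "documents and settings" in parts or "application data" in parts:
        entry.reasons.append("runs from a user profile directory")
    if entry.name.lower() in KNOWN_ROGUE or any(p in KNOWN_ROGUE for p in parts):
        entry.reasons.append("name/path matches a known rogue antivirus")
    return entry


def scan(log_text: str) -> List[Autostart]:
    """All O4 entries in the log that picked up at least one reason."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line.strip())
        if entry and triage(entry).reasons:
            flagged.append(entry)
    return flagged


def orphans(log_text: str) -> List[str]:
    """O2/O23 entries whose target file no longer exists (stale or half-removed)."""
    return [l.strip() for l in log_text.splitlines() if ORPHAN_RE.match(l.strip())]


# Excerpt of the log posted in the thread, embedded here as sample input.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PAV] C:\Program Files\PAV\pav.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SmileboxTray] "C:\Documents and Settings\Owner\Application Data\Smilebox\SmileboxTray.exe"
O4 - Global Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
"""

if __name__ == "__main__":
    for e in scan(SAMPLE_LOG):
        print(f"[{e.source}] {e.name}: {e.exe}")
        for r in e.reasons:
            print("    -", r)
    for o in orphans(SAMPLE_LOG):
        print("orphan:", o)
```

Run against the excerpt, it flags VTTimer (bare filename), PAV (known rogue) and SmileboxTray (user-profile path) and lists the two orphaned entries; the flags are prompts for a human to check, not verdicts, since a bare filename or a profile-directory path is also how plenty of legitimate OEM and consumer software registers itself.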
Old 05-26-2009, 08:09 PM   #5
Jae Onasi
Yep, that's exactly the one. Thanks for that link and the help!!

I also found this info for anyone who ends up with this lovely little bit of malware:

http://malwarecrawler.com/?tag=pavexe

http://www.microsoft.com/communities...r=US&sloc=&p=1 (this one may not be useful for removal per se, but I thought some of the other info might be useful to know)

http://www.symantec.com/security_res...525-99&tabid=3

http://www.bleepingcomputer.com/viru...onal-antivirus


Old 05-27-2009, 04:01 AM   #6
Astrotoy7
A Face from The Past
 
Join Date: Apr 2002
Posts: 10,284
Notable contributor Helpful! Folder extraordinaire LFN Staff Member 
Great work PastramiX and Jae!

Those darn kids clicking popups! I'm glad my [fur] kids have no need for computer use, just catnip and tuna

mtfbwya


Asinus asinum fricat
Old 05-27-2009, 08:52 PM   #7
EnderWiggin
Sine Amore Nihil Est Vita
 
Join Date: Jul 2004
Location: Pennsylvania
Posts: 3,395
Forum Veteran LF Jester 
Quote:
Originally Posted by Jae Onasi
*brevity*
Sort of same thing happened to my mom last month. Virus from a facebook page - took me about 4 hours to fix it because I had to muddle through all of her work restrictions because it's a work laptop.

I also was on the phone with her IT director for 1 of those hours just trying to ascertain her networking settings and stuff. Luckily the IT director was my boss a few summers ago so we had a prior relationship. We spent part of that hour just making fun of my mom for picking the virus up

_EW_



Hello, Pot? This is Kettle. You're black. ~ Prime

Yes, I hate you.

J7 - thanks for accepting me as part of the 'family.'
Old 05-27-2009, 10:20 PM   #8
Jae Onasi
My sister followed the advice given in your link PastramiX, and was able to successfully remove the PAV stuff. I installed Ad block and flashblock add-ons on their Firefox while I was at their house, so hopefully that'll block some of the popups in the future. I suggested she also pick up one of the free anti-spyware programs along with one of the free registry cleaners at download.com.

@Astro--well, my kitty likes to walk on my keyboard when it's on my lap, which makes odd things happen sometimes. Or he'll lay on me while I lie in bed with the laptop on my lap. I love him to death, but he's so big that he blocks my entire view of my screen.

@EW--Heh--I can't laugh too hard at my nephew--he's 13. Not fun having to work so long on your mom's virus, though, but at least you had a good chuckle, even if it was at her expense.

Thanks again for the help!




Last edited by Jae Onasi; 05-27-2009 at 10:26 PM.
Old 05-28-2009, 08:20 AM   #9
jrrtoken
Good to hear that it worked.

She might as well uninstall Norton completely and just use avast! as her main scanner/active protection service. It's an entire waste of resources and money, IMO.