
View Full Version : HELP......virus/adware



Methanolandbrats
10-06-07, 08:32 PM
Worked on this problem for hours........time to call in the Mensa Brigade from OffCamber. A daughter's XP machine with IE contracted spyware/virus. I run Spysweeper with AV. The symptom is when she opens IE, it goes to MSN and all kinds of windows open advertising crap. Her usual homepage is Google. CPU usage is 100% no matter what. I did a full scan and found lots of stuff that I quarantined. The problem persists and I found Virtumonde and webbuying, both adware are still on it. Here's the strange part, there are three users on the machine and the malware has only infected her user profile. Can this be cleaned? I'm ready to wipe the hard drive and restore from my last Acronis backup which is about a week old.

devilmaster
10-06-07, 08:45 PM
my usual bit is to open processes and look at the programs running. sometimes one of them is the virus/adware program and googling that name (scvhost.exe as an example) will get you to info that will tell you how to delete it.

Take a look at your processes before you open your browser, and then open it and watch the processes list. usually you can see the virus/adware file open.

* - scvhost.exe is an actual adware file. the name is slightly altered from svchost.exe (which is a required process), so that most people wouldn't catch it. don't go deleting svchost.exe files....

beyond that, go to trend micro and run their free scanner, and run the usual spybot/adaware programs.

hth.

racermike
10-06-07, 08:51 PM
When problem is solved, switch to Mozilla Firefox browser

IE continually has more security holes than a truckload of swiss cheese.

My sister had some REAL nasty virii on her PC last week. Took me almost 6+ hours eradicating it from her system. (it kept replicating itself everywhere in the registry)

Insomniac
10-06-07, 09:11 PM
I'd go with the good backup if you can. You know it's clean. Beats trying to remove adware IMO.

WickerBill
10-07-07, 09:34 AM
If you can, just restore her profile from your backup.

If you can't, read up on HiJackThis (http://www.spywareinfo.com/~merijn/programs.php) and how to use it. Works especially well for removing stubborn, ground-in spyware.

Check add/remove programs for programs like "Smiley Central", "Hotbar", "Entertainment Wallpaper", "Fun Web Products", "Cool Web Products", etc. Basically, find *anything* that has to do with wallpaper, screen savers, cursors, toolbars, etc., that was not purchased commercially, and remove them. All of them. I don't care if she really likes the wallpaper, it is almost certainly infesting your system with spyware and bots.

Then run HiJackThis and look for those names that you found in Add/Remove programs. Eliminate them there as well (yes it's true, most of that software does not really remove itself with add/remove).

This will *help*. No guarantee to fix.


Obviously, restore is a faster, better option, if indeed she really was NOT infected a week ago.


I 100% agree with switching to Firefox. No question, no doubt about it.

Methanolandbrats
10-07-07, 10:08 AM
Thanks all, I'll have another go.

Wabbit
10-08-07, 10:53 AM
Once a machine has been infected with a virus, it can't be trusted again.

Nuke it and start clean.

TravelGal
10-08-07, 03:21 PM
While we are on the gunked up computer topic, can someone point me to the thread (or repeat here) how to determine which processes should be running?

My laptop is about 4 years old and has accumulated about 45 processes at startup, which I'm thinking is at least a couple dozen too many.

Methanolandbrats
10-08-07, 03:44 PM
Once a machine has been infected with a virus, it can't be trusted again.

Nuke it and start clean.

I'm in the process of wiping the drive and reinstalling an Acronis backup from two weeks ago before all this happened. Here's hoping. I saved her documents folder on an external which I will restore file by file so she doesn't lose anything from the last two weeks.

cameraman
10-08-07, 04:44 PM
My laptop is about 4 years old and has accumulated about 45 processes at startup, which I'm thinking is at least a couple dozen too many.

That depends, they add up quickly. Mine has 40 when sitting absolutely idle. Eight are due to Windows XP running on a Macintosh & McAfee virus scan adds six to the list for example. I just keep a list of what should be there. It makes it much easier to find new things.

devilmaster
10-08-07, 05:13 PM
While we are on the gunked up computer topic, can someone point me to the thread (or repeat here) how to determine which processes should be running?

My laptop is about 4 years old and has accumulated about 45 processes at startup, which I'm thinking is at least a couple dozen too many.

The best way gal, is to google each process you run yourself. if you type in the name svchost.exe; winampa.exe; explorer.exe into google, there are websites that will explain what each process does, and whether or not you need it.

usually the sites you want to read come up as google hits like: svchost.exe - process information.

Knowing your processes is an excellent way of knowing whether or not your computer has malware/viruses.

WickerBill
10-08-07, 05:54 PM
Windows XP should be in the mid 30s for processes after boot and sitting idle for a few moments. If you have 45, it isn't terrible, but I bet you have a couple baddies on there.

The worst machine I've ever seen had 208 processes running. It was, needless to say, unusable.

Wabbit
10-08-07, 07:10 PM
Windows XP should be in the mid 30s for processes after boot and sitting idle for a few moments. If you have 45, it isn't terrible, but I bet you have a couple baddies on there.

The worst machine I've ever seen had 208 processes running. It was, needless to say, unusable.

I had a friend that was sooooo infected, you could click on the start button, make a pot of coffee, and the menu would just start to appear. She had no backups of her files. That was a fun support call.

Cam
10-08-07, 07:32 PM
The best way gal, is to google each process you run yourself. if you type in the name svchost.exe; winampa.exe; explorer.exe into google, there are websites that will explain what each process does, and whether or not you need it.

usually the sites you want to read come up as google hits like: svchost.exe - process information.

Knowing your processes is an excellent way of knowing whether or not your computer has malware/viruses.

http://www.liutilities.com/products/wintaskspro/processlibrary/

TravelGal
10-08-07, 09:48 PM
Cam, you are THE MAN. I have to admit to a huge dose of lazy when it comes to researching stuff I do not have a great chance of understanding but I was going to Google it all and plow my way through it. This website makes it loads easier. At least it saves key strokes. :)

Now that I know I may not have waaaaaaay too many processes, I'll set the project aside for next weekend unless it starts to bug me again. No pun intended. I'll report back.

devilmaster
10-08-07, 10:03 PM
well, i'll just go over to the corner and die then.







;)

Sean Malone
10-08-07, 10:16 PM
http://www.liutilities.com/products/wintaskspro/processlibrary/

I clicked every one of those process links and got the virus for each one. Now what do I do? (I'm writing this from a seven year old palmpilot I wired into my cell phone.)

SteveH
10-08-07, 10:51 PM
Keep your cell phone bill paid in full. :D

I'm guessing a clean install is about the only sure way out.

Good luck.

TravelGal
10-08-07, 11:04 PM
well, i'll just go over to the corner and die then.


;)

Don't feel bad mr dm man. I'm SURE you gave him the idea. ;)

Methanolandbrats
10-09-07, 09:31 AM
Whoohoo. :D Copied daughter's docs and settings to external. Wiped the drive, restored with Acronis image from two weeks ago, scanned doc and settings on external to make sure it's clean and copied them back. Scanned her drive with Spysweeper plus Antivirus and it found and quarantined a few things. Trojan and adware were not among them. Swept it again, it's clean and she has all her data. Now running Avast, Spysweeper and Firefox. Thanks again. This experience demonstrates why it's critical to have a backup plan and follow it.

Sean Malone
10-09-07, 09:37 AM
Whoohoo. :D Copied daughter's docs and settings to external. Wiped the drive, restored with Acronis image from two weeks ago, scanned doc and settings on external to make sure it's clean and copied them back. Scanned her drive with Spysweeper plus Antivirus and it found and quarantined a few things. Trojan and adware were not among them. Swept it again, it's clean and she has all her data. Now running Avast, Spysweeper and Firefox. Thanks again. This experience demonstrates why it's critical to have a backup plan and follow it.

Or do like I do and keep your kid firewalled. ;)

My 17 year old can hose a computer within hours. I tell her it's a "gift".

Methanolandbrats
10-09-07, 09:58 AM
Or do like I do and keep your kid firewalled. ;)

My 17 year old can hose a computer within hours. I tell her it's a "gift".
I've got 15 year old twins and "firewalling" them is not an option :D They are actually pretty good with computing. I have cookies blocked except the ones they allow. I taught them to do backups and other stuff. No toolbars or crap and they ask before downloading anything. I think this attack happened because some friends were over and one of them clicked on a Facebook audio file just before all hell broke loose with the popups. I've now got Spysweeper set to block downloads too........hopefully.

Sean Malone
10-09-07, 10:43 AM
I've got 15 year old twins and "firewalling" them is not an option :D They are actually pretty good with computing. I have cookies blocked except the ones they allow. I taught them to do backups and other stuff. No toolbars or crap and they ask before downloading anything. I think this attack happened because some friends were over and one of them clicked on a Facebook audio file just before all hell broke loose with the popups. I've now got Spysweeper set to block downloads too........hopefully.

Sorry, I should have been more clear, I meant I actually keep a wall of fire between her and the computer. :D Works like a charm. Now if I can just talk her into a chastity belt. "Hey, it doesn't look that uncomfortable and you'll be the only kid in school with one!"

datachicane
10-09-07, 10:53 AM
A daughter's XP machine with IE

Welllll, there's yer problem right there!
:rofl:

Methanolandbrats
10-09-07, 11:04 AM
Welllll, there's yer problem right there!
:rofl:
Been fixed with Firefox :)

Ankf00
12-29-07, 09:56 PM
what a/v and other security software should I install on the new HD?

I remember hearing good things about AGVirus or something like that? I have adaware, spybot, and SBC/Yahoo's spyware tool. I had Zone Alarm Pro + a full Mcafee suite on the old HD

Cam
12-29-07, 10:02 PM
what a/v and other security software should I install on the new HD?

I remember hearing good things about AGVirus or something like that? I have adaware, spybot, and SBC/Yahoo's spyware tool. I had Zone Alarm Pro + a full Mcafee suite on the old HD

http://free.grisoft.com/
http://free.grisoft.com/doc/5390/us/frt/0?prd=asf

Ankf00
12-29-07, 10:21 PM
thanks dude :)

Methanolandbrats
12-29-07, 10:41 PM
Spysweeper + Antivirus. Nothing works better.

EDwardo
12-30-07, 12:16 AM
Trend Micro's FREE online virus scanner
Trend Micro™ HouseCall is an application for checking whether your computer has been infected by viruses, spyware, or other malware. HouseCall performs additional security checks to identify and fix vulnerabilities to prevent reinfection.

http://housecall.trendmicro.com/us/index.html

I've used Housecall for years. The latest version finds and lists all the latest exploits for Microsoft software that you haven't downloaded fixes for.
I think it works quite well and has found spyware several times that none of my other spyware programs found.

Cam
12-30-07, 07:35 AM
http://housecall.trendmicro.com/us/index.html

I've used Housecall for years. The latest version finds and lists all the latest exploits for Microsoft software that you haven't downloaded fixes for.
I think it works quite well and has found spyware several times that none of my other spyware programs found.

For an on-line scanner housecall is excellent. depending on the infection and the DNS corruption it can be rendered useless however.

TravelGal
12-30-07, 02:51 PM
For an on-line scanner housecall is excellent. depending on the infection and the DNS corruption it can be rendered useless however.

I decided to run it when I read EDwardo's post. It found nothing but the usual suspects: the cookies from the sites I had visited that day. I thought that was a good thing. Now I'm not sure. Thanks Cam. LOL!

OW
12-30-07, 05:59 PM
Grisoft Grisoft Grisoft
Been keeping me, tons of friends, and my 80 year old mom protected for 5 years. Been on auto pilot, and Windows accepts it as a bona fide agent.

One thing to know.....

Sorry if this is already stated...didn't read all the posts thoroughly...
But BEYOND adware, and viruses, there is a category called Malware...It is not a virus, nor watching you for where you go, just is a pain in the butt. Malicious. It will give you suggestions to pay them and they will "fix it". It is like a body shop sledge hammering your car and then offering the fix.

3 years ago I spent 6 hours cleaning up a malware attack on a friend...now GRISOFT has a malware cleaner.

Only thing about Grisoft is, that you have to be careful to find the free stuff. Usually way down at the bottom.

Good Luck,
OW

TravelGal
12-31-07, 02:45 AM
I use AVG (grisoft) and have been wondering if I should switch to their malware program when my Webroot Spy Sweeper subscription ends.

Any comments on that?

Cam
12-31-07, 08:51 AM
I use AVG (grisoft) and have been wondering if I should switch to their malware program when my Webroot Spy Sweeper subscription ends.

Any comments on that?

Have not used the spyware scanner personally M. Your mission if you so accept it. ;)