Thread: My Computer Needs Help; trojan and worm found

  1. #1
    Join Date
    Aug 2006
    Location
    Planet Earth
    Posts
    45

    My Computer Needs Help; trojan and worm found

    Hello and thank you in advance for your help.

    I have followed the instructions posted on your website and need your help in getting rid of spyware, etc. The four logs are attached.

    Kindest Regards, MelissaY

  2. #2
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Hi Melissa, you need to run that Eset Scanner again and this time allow it to fix everything it finds.

    Your HJT log shows that you DO NOT have an anti-virus program OR firewall installed and running on your computer.

    These two are absolute musts, as you now see: 240 Win32/VB.D worms (ALL from .zip files) in your Eset log and one Win32/Agent Trojan, which is a Trojan that downloads and installs other malware on the infected system. For your information...Win32/VB.D worms are usually transmitted via P2P file sharing in zip files. Very dangerous business really, something we do not recommend or condone here, but of course that is the user's choice to take a giant risk I suppose.

    I liken P2P file sharing to this...if somebody delivered a box to your house, you have no clue who the sender is because he doesn't use his own name, he makes one up and you don't have a clue as to where he is or how clean he is, BUT you open it anyway. Inside the box is a sandwich, with several bites taken out of it...would you eat it? I doubt it. But daily people share programs and files with unknown people from anywhere in the world because they can get costly programs for free. Well the old saying, "you get what you pay for" certainly holds true here.

    Now 238 of these infected zip files are located in C:\Documents and Settings\XPUser\Complete\
    So I don't know if you downloaded these files via the web or if they came onto the system via a flash drive or something similar. But they are all infected, each and every one of them. The other three are located in C:\Program Files\winupdates\a.tmp and C:\Program Files\winupdates\a.zip then the Trojan is located in C:\WINDOWS\browser.exe

    MBAM found and deleted 6 instances of MyWebSearch, which is malware, and also removed a Rogue Antivirus program.

    Now your uninstall list shows several programs, Radialpoint Security Services (I have no idea what this is though evidently it comes from Verizon), also showing is Authentium AntiVirus SDK - 2, so there are two security programs not being used. If there is a reason you have them but are not using them can you tell us why? If you don't want to use them then uninstall them and pick one from the link I will give below. There are three on that link which are excellent. Choose one and install it.
    Other entries from your uninstall list which also must be uninstalled are the three noted below.
    PPSDKRedistributables, Viewpoint Media Player, Viewpoint Toolbar

    Please run the Eset Scanner again and allow it to fix whatever it finds. Save the log and post back here with it.

    You need to get an onboard anti-virus program and firewall ASAP. XP has a built in Firewall...it's free, it is already on the computer. There are other Free ones to use and readily available if you don't want to use the built in one. Go here and pick one of the FREE anti-virus programs and download, install and update and USE it...do a full system scan and have it fix/remove/quarantine all it finds. There are also FREE firewalls linked there if you don't want to use the built in firewall.
    Run the Eset scanner again, run the new antivirus program you download and then run a new scan with HiJackThis. Post the new logs here.

  3. #3
    Join Date
    Aug 2006
    Location
    Planet Earth
    Posts
    45

    Quote Originally Posted by jholland1964:
    Hi Melissa, you need to run that Eset Scanner again and this time allow it to fix everything it finds. [...]
    jholland, hello and thank you very very much for the quick reply. My friend bought a PC from some guy and she did not know what was going on with her PC when it started operating very slow, freezing and needing to reboot a lot. She sent me a link to get smileys and I said to her that was the reason her PC was getting funky - then I enlisted myself into helping her and began the IANAG process.

    I was aware that there was no anti-virus program and that the only firewall running was from Windows XP.

    I saw the results - spyware, trojan and worm. I don't know if she unknowingly downloaded this stuff or the previous owner did. But the seller of the PC didn't even give her the operating system installation disks at the time of purchase. The drive had a lot, if not all, of his old files. My friend only downloaded the SweetIM, not knowing what it does. And I agree, I would not want to take a bite of a sandwich that came in an unmarked box from someone I didn't know. Eww.

    I saw the results - virus too; 238 infected files.
    I recognized the MyWebSearch, Fun Products, Smiley Central, and the rogue anti-virus crud as well.

    Regarding the two anti-virus programs - Radialpoint Security and Authentium Anti-Virus SDK 2; again, the seller may have installed them and left them there. I don't recognize the names and could not identify them by sight. The seller even left his Epson printer installed and one of them had 37 documents pending to print.

    I will uninstall the two anti-virus programs (Radialpoint and Authentium), I will check out the others you've been so kind to provide via the link, and I will uninstall PPSDKRedistributables, Viewpoint Media Player and Viewpoint Toolbar.

    Afterwards, I will re-run the Eset scanner and allow fixes, save and re-post the log for your review and advisement.

    I will ensure my friend gets onboard with a new anti-virus and firewall program, and then re-run HijackThis - posting the new logs for your review and advisement.

    I will be at her house first thing tomorrow morning and make my posts here for further advisement.

    Again, I can't thank you guys enough for your speedy and excellent expertise!
    Take care and kindest regards. MelissaY

  4. #4
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    MelissaY, happy to help. Now since she doesn't have the operating system disks she is going to have to be very careful on what and how things are removed; you don't want any key files damaged which cannot be replaced. You might try, before running that Eset Scan, going into Safe Mode and removing all those zip files manually by deleting them...all the way out. Then run the Eset scanner and let it fix what remains. Be sure NOT to remove the Folder in which they reside, C:\Documents and Settings\XPUser\ - leave that remaining, just try to get rid of that Complete folder and all its infected files.
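    As an added, defender-side example that is not part of this thread (my own script, not jholland1964's procedure or any forum tool): a small Python triage script for a download folder like the Complete folder above. It opens each zip, flags archives that carry executable members (the pattern of the zip-borne worms described in post #2), records a SHA-256 of each file for the log, and moves flagged archives into a quarantine folder instead of deleting them outright, leaving the parent folder itself untouched as post #4 advises; an archive it cannot move (for example, access denied) is reported rather than crashing the run. The folder names and the two sample archives are constructed here.

```python
import hashlib
import shutil
import tempfile
import zipfile
from pathlib import Path

# Members with these extensions are program code; a "song" or "movie" archive
# from a file-sharing network that carries one is the classic worm pattern.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}

def suspicious_members(zip_path):
    """Names inside zip_path that look executable. A damaged or non-zip file
    is reported as '<unreadable>' so it is never silently skipped."""
    try:
        with zipfile.ZipFile(zip_path) as zf:
            return [n for n in zf.namelist()
                    if Path(n).suffix.lower() in EXECUTABLE_EXTS]
    except (zipfile.BadZipFile, OSError):
        return ["<unreadable>"]

def triage(download_dir, quarantine_dir):
    """Inspect every .zip directly inside download_dir. Flagged archives are
    moved (not deleted) to quarantine_dir; the folder itself is left alone.
    Returns one record per archive (name, hash, members, outcome) for the log."""
    download_dir, quarantine_dir = Path(download_dir), Path(quarantine_dir)
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    report = []
    for zp in sorted(download_dir.glob("*.zip")):
        members = suspicious_members(zp)
        entry = {"file": zp.name, "members": members, "quarantined": False,
                 "sha256": hashlib.sha256(zp.read_bytes()).hexdigest(), "error": None}
        if members:
            try:
                shutil.move(str(zp), str(quarantine_dir / zp.name))
                entry["quarantined"] = True
            except OSError as e:  # e.g. access denied or file in use: report it
                entry["error"] = str(e)
        report.append(entry)
    return report

def demo():
    """Constructed sample: one harmless archive and one worm-style archive."""
    root = Path(tempfile.mkdtemp()) / "Complete"   # stand-in for the real folder
    root.mkdir()
    with zipfile.ZipFile(root / "notes.zip", "w") as zf:
        zf.writestr("readme.txt", "just text")
    with zipfile.ZipFile(root / "new_album.zip", "w") as zf:
        zf.writestr("new_album.mp3.exe", b"MZ placeholder, not a real program")
    return triage(root, root.parent / "Quarantine")
```

    Run on the real folder, point triage() at the download directory and a quarantine directory on the same drive, and keep the returned records with the scanner logs.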

  5. #5
    Join Date
    Aug 2006
    Location
    Planet Earth
    Posts
    45

    Quote Originally Posted by jholland1964:
    MelissaY, happy to help. Now since she doesn't have the operating system disks she is going to have to be very careful on what and how things are removed, you don't want any key files damaged which cannot be replaced. You might try, before running that Eset Scan, going into Safe Mode and removing all those zip files manually by deleting them...all the way out. Then run the Eset scanner and let it fix what remains. Be sure NOT to remove the Folder in which they reside C:\Documents and Settings\XPUser\ leave that remaining, just try to get rid of that Complete folder and all its infected files.
    Thanks jholland. I'm at my friend's house now. I'm going to begin implementing this procedure now as well as the others, as instructed. Also, I will be very careful with what and how things are removed. I'm trying to get her to secure the original operating system disk, et al., from the seller because of the risks you've mentioned.

    MelissaY

  6. #6
    Join Date
    Aug 2006
    Location
    Planet Earth
    Posts
    45

    Quote Originally Posted by jholland1964:
    MelissaY, happy to help. Now since she doesn't have the operating system disks she is going to have to be very careful on what and how things are removed, you don't want any key files damaged which cannot be replaced. You might try, before running that Eset Scan, going into Safe Mode and removing all those zip files manually by deleting them...all the way out. Then run the Eset scanner and let it fix what remains. Be sure NOT to remove the Folder in which they reside C:\Documents and Settings\XPUser\ leave that remaining, just try to get rid of that Complete folder and all its infected files.
    jholland, I booted into Safe Mode and attempted to delete the 'complete' folder. At safe boot startup, it showed 'administrator' and 'my computer'.
    I selected 'administrator' and proceeded to navigate to c:\documents and settings\xpuser

    With the mouse pointer over the 'complete' folder, a balloon pop-up indicated 'folder empty'.

    I tried to double-click the 'complete' folder to view the contents and an error message pop-up read 'folder can not be opened. xpuser c:\documents and settings\xpuser\complete is not accessible. access is denied'

    I tried to delete the 'complete' folder with the delete key and an error pop-up message read 'can not delete 'complete' access denied. make sure the disk is not full or write-protected and that the files are not currently in-use'

    I re-booted back into normal mode and I don't know if I should try re-booting into Safe Mode again, and select the 'my computer' option instead.

    Please also advise if I can try to delete the 'complete' folder and its contents in normal mode, since Safe Mode is not working to do this.

    Thanks, MelissaY

  7. #7
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    can you go in as XPuser?

  8. #8
    Join Date
    Aug 2006
    Location
    Planet Earth
    Posts
    45

    Quote Originally Posted by jholland1964:
    can you go in as XPuser?
    There is no 'xpuser' option in Safe Mode, just 'administrator' or 'my computer'.

    In normal mode, I can view and access all the files, but I have not tried to delete them in normal mode.

  9. #9
    Join Date
    Aug 2006
    Location
    Planet Earth
    Posts
    45
    Quote Originally Posted by jholland1964:
    can you go in as XPuser?
    The 'complete' folder has not been deleted yet. I'd like to delete the 'complete' folder in normal start-up mode. Right now I'm re-scanning with the Eset online scanner with the same options checked as indicated. What can I do?! :-)

  10. #10
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Hey, let the Eset scanner run and remove the baddies. Once that is done then try removing that folder in normal mode. You want to get all remainders of the former user off that you can...sounds like he had not paid careful attention to anything. Also be sure to get those old anti-virus programs off of there too.
