Virus help needed!


sunbeam_alpine

Original Poster:

6,954 posts

189 months

Tuesday 19th October 2010
I'm trying to help a friend with a virus problem on his computer. Normally in his situation I would wipe the PC and reinstall, but unfortunately this doesn't seem to be an option - he has proprietary software from a company which doesn't exist any more, and he has lost the install media (yes - I've already told him he's an idiot).

We seem to have cleaned up the viruses using a combination of Malwarebytes, Spybot and drugged Mars Bars, and the pc is running quite normally, with one exception:-

Internet Explorer 8 won't work properly - sometimes it doesn't start properly (although there is one instance in Task Manager) - sometimes it does start (about 1 minute after double-clicking the icon, with 2 instances in Task Manager, which I understand to be normal). When you close Internet Explorer, the iexplore.exe instances keep running in Task Manager. Restart and 2 more appear - until there are multiple versions running which kill the speed. There are no "ghost" versions starting which could be caused by viruses, it's just that IE8 fails to close properly.

If we remove it, IE7 runs and works fine. Upgrade to IE8 brings all the problems back.

I've spent the whole morning on this, and my hand is creeping towards the big hammer. It seems that on this occasion, google is not my friend.

Can anyone suggest anything?

Thanks!

P.S. For the hard of reading - reinstall is on this occasion not an option

Percy Flage

1,770 posts

223 months

VEA

4,785 posts

202 months

Tuesday 19th October 2010
I personally would start with a Windows repair and then run all the latest updates.

Out of interest which Virus is it? I have found recently that a number of viruses that you think you have cleaned from a machine come back after some time.

ETA. all the options above are valid!

Edited by VEA on Tuesday 19th October 11:16

sunbeam_alpine

Original Poster:

6,954 posts

189 months

Tuesday 19th October 2010
Percy Flage: Would prefer to get IE up and running. Installing another browser seems to me a bit of a bodge (i.e. doesn't solve the problem). Would prefer not to get into a debate over the merits of different browsers.

VEA: Malwarebytes showed multiple entries of the following:

Worm Archive
Trojan.Fakealert
Malware.Trace
Rootkit TDSS
Rogue.SecurityEssentials
Rogue.SecurityEssentials2010

Windows Update seems also to be a bit borked, but I'm nervous about doing a Windows repair install because of the issue with the special software he has installed.

I have also just seen that the hosts file has been modified and is much larger than normal, but all the entries claim to be inserted by Spybot and point to localhost (127.0.0.1), so maybe this is just a way to block as many known malware sites as possible. There are certainly some known dodgy names in the list.
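As an added illustration (not code from the thread), the kind of check the post above is doing by eye: separating a Spybot-style immunisation block (known bad sites pinned to 127.0.0.1) from entries that would actually be a red flag, namely names redirected to a non-loopback address and update or security-vendor domains blackholed to localhost. The sample hosts file, its suspicious entries and the protected-domain list are all constructed.

```python
# Constructed sample hosts file for the check below. The Spybot block is
# benign; the last two entries are constructed examples of what malware
# typically adds (a search-engine redirect and a blackholed update domain).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.example-badsite.test
127.0.0.1 example-rogue-av.test
# End of entries inserted by Spybot - Search & Destroy
# Constructed suspicious entries:
203.0.113.7 www.google.com
127.0.0.1 update.microsoft.com
"""

# Constructed list of domain suffixes that should never be pinned to
# localhost: if they are, something is trying to stop updates or AV tools.
PROTECTED_SUFFIXES = ("microsoft.com", "windowsupdate.com",
                      "malwarebytes.org", "safer-networking.org")

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments and blank lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for host in parts[1:]:  # one IP may map several names
            yield parts[0], host.lower()


def audit_hosts(text):
    """Return (benign_block_count, findings); a finding is (reason, ip, host)."""
    benign = 0
    findings = []
    for ip, host in parse_hosts(text):
        if host == "localhost":
            continue  # the stock entry
        if ip not in LOOPBACK:
            findings.append(("redirect to non-loopback address", ip, host))
        elif host.endswith(PROTECTED_SUFFIXES):
            findings.append(("update/AV domain blackholed", ip, host))
        else:
            benign += 1  # plain blocklist entry, as Spybot writes them
    return benign, findings


if __name__ == "__main__":
    count, hits = audit_hosts(SAMPLE_HOSTS)
    print(f"{count} blocklist-style entries, {len(hits)} suspicious:")
    for reason, ip, host in hits:
        print(f"  {ip:<15} {host:<25} {reason}")
```

On the real machine, read C:\Windows\System32\drivers\etc\hosts instead of SAMPLE_HOSTS; a large file made up entirely of blocklist-style entries is what you would expect after a Spybot immunisation.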

BliarOut

72,857 posts

240 months

Tuesday 19th October 2010
Combofix is your friend

VEA

4,785 posts

202 months

Tuesday 19th October 2010
sunbeam_alpine said:
VEA: Malwarebytes showed multiple entries of the following:

Worm Archive
Trojan.Fakealert
Malware.Trace
Rootkit TDSS
Rogue.SecurityEssentials
Rogue.SecurityEssentials2010

Windows Update seems also to be a bit borked, but I'm nervous about doing a windows repair install because of the issue with the special software he has installed.

I have also just seen that the hosts file has been modified and is much larger than normal, but all the entries claim to be inserted by Spybot and point to localhost (127.0.0.1), so maybe this is just a way to block as many known malware sites as possible. There are certainly some known dodgy names in the list.

A Windows repair should not affect any software installed on the machine.

What did the virus do? What were the symptoms?

sunbeam_alpine

Original Poster:

6,954 posts

189 months

Tuesday 19th October 2010
VEA said:
What did the virus do? What were the symptoms?

PC was running very slow. IE took a couple of minutes to start after double-clicking the icon.

Machine is starting and running fine now, it's just IE8 that's giving problems. IE7 works fine.


VEA

4,785 posts

202 months

Tuesday 19th October 2010
That sounds odd; you would normally experience some other issues, not just IE 8 being a problem.

Have you tried uninstalling IE completely from windows components?

sunbeam_alpine

Original Poster:

6,954 posts

189 months

Tuesday 19th October 2010
BliarOut said:
Combofix is your friend

Thanks for your reply.

I've used Malwarebytes and Spybot. The PC is running much better now. I've looked at the Combofix web site and it seems to me to be a similar package. Do you think that it finds problems which Malwarebytes and Spybot have missed?

lestag

4,614 posts

277 months

Tuesday 19th October 2010
sunbeam_alpine said:
VEA said:
What did the virus do? what were the symptoms?
PC was running very slow. IE took a couple of minutes to start after double-clicking the icon.

Machine is starting and running fine now, it's just IE8 that's giving problems. IE7 works fine.

Sounds more like an add-on is not working in IE8 (like Google Toolbar). Disable them all in Add-on Manager, or run up IE with no add-ons (under Accessories somewhere), and see if that fixes it. If it does, then an add-on is the issue.

DeputyDawg

527 posts

180 months

Tuesday 19th October 2010
I'm aware that Java Plugin-2 SSV Helper (add-on) causes very slow responses/startup and best disabled in IE8.

Also try this from the command line: regsvr32 actxprxy.dll

I suspect though there are still remnants of the attack. I would try an online scanner such as ESET or F-Secure and run HijackThis (free utility). I'm happy to take a look at the HijackThis log and give my opinion.
malman

2,258 posts

260 months

Tuesday 19th October 2010
sunbeam_alpine said:
BliarOut said:
Combofix is your friend

Thanks for your reply.

I've used Malwarebytes and Spybot. The PC is running much better now. I've looked at the Combofix web site and it seems to me to be a similar package. Do you think that it finds problems which Malwarebytes and Spybot have missed?

Using the tools in the first post almost certainly didn't get rid of all of TDSS. Combofix will make a much better job of it. You may also need to use RootRepeal (shows rootkit fingerprints) and TDSSKiller.

http://sites.google.com/site/rootrepeal/
http://support.kaspersky.com/viruses/solutions?qid... (TDSSKiller) I have had success with this, but it depends on which version of TDSS it is.

sunbeam_alpine

Original Poster:

6,954 posts

189 months

Tuesday 19th October 2010
Hi everyone.

Thanks for all the replies.

I removed IE completely as VEA suggested, then reinstalled IE7, then upgraded to IE8. It seems to be OK now.

Malman - the PC is running normally and it's not making any unexpected outgoing connections (it's behind a firewall which logs outgoing and incoming connections, with only a selection of ports open). I'm not seeing any weird processes in Task Manager. Do I need to check any further?

Edited by sunbeam_alpine on Tuesday 19th October 13:28

malman

2,258 posts

260 months

Tuesday 19th October 2010
Rootkits don't show in Task Manager. I would check anyway, just to be safe. When TDSS is fully running and doing its stuff it's usually pretty obvious, as it redirects Google search results as one of its major signs of infection. When bits of it aren't running I have seen it do strange things to IE (basically what you described and more).

I would be very surprised if what you have run got rid of it all though.

sunbeam_alpine

Original Poster:

6,954 posts

189 months

Tuesday 19th October 2010
Last quick update - tried all the additional tools and they found nothing - so I'm hoping that he's OK. We're also going to be cloning his hard drive so that he's still got that program if his hard drive fails.

Thanks to all who made suggestions - I really appreciate the time you took.

VEA

4,785 posts

202 months

Tuesday 19th October 2010
No problem at all, glad it sounds like you are getting it sorted; nothing worse than losing everything you have on a machine.

randlemarcus

13,530 posts

232 months

Tuesday 19th October 2010
Definitely worth investigating virtualising the system, especially as you have a clone you can mess about with. Removes uncertainty about hardware failures, which is nice.