infected by Win32Adware.gen

Yesterday, one of my father’s computers got infected by malware. As I understand, it was called Win32Adware.gen according to Avast.

These files have also been affected:
system32\wininstr.exe
system32\univrs.exe

An application called TRdww doesn’t shut down automatically when restarting the PC.

Also, a popup appears every time Windows starts (when not in safe mode), saying that the computer is infected and wants to start a scan. Not sure what it is, but surely fake I guess…

We are using Windows XP (SP1). Avast is up-to-date. We have a hardware firewall in our Netgear router. Ad-Aware (up-to-date) has been used for scanning for malware.

I read one other thread on this forum with a similar issue, and I followed the advice to turn off the System Restore feature. After many restarts, the most recent in safe mode, Avast isn’t finding as many infected files as before.

That’s about it. Any ideas of what I should try?

Now, I’ve also tried to install CBO. It immediately found malware in the following file:
C:\windows\system32\braviax.exe DLDR-ZLOB.PK

Avast found the same files again:
C:\windows\system32\wininstr.exe
C:\windows\system32\univrs.exe (sometimes also called univrs32.dat Win32:Tibs-ADO)

But, since then nothing is detected! I’ve restarted several times. Now Avast is making a complete scan of c:.

Problem hopefully solved?

Hi Andervaeld,

First of all I would get SP2 on this computer ASAP. A couple of years ago I set up a computer with only SP1 (unknowingly) and it was instantly infected. Three days later I had all the computers in my office network cleaned up (the first machine nailed them all). I am sure you will get lots of advice here. I would start with the latest version of Spybot. I have good luck with that as a first step to eliminate malware. There are lots of (reputable) online scanners. Some off the top of my head are Nod32, HouseCall, McAfee. Should you run the “scan” that is offered when the computer starts up? HELL NO! As malware is found, write down the details on a piece of paper so that you can make sure it is really gone later. Once the computer is cleaned up I would recommend Comodo’s firewall 3.0 (but only AFTER it is cleaned up; the Clean PC mode in CFP 3 assumes the stuff running on your computer is already safe, best to make sure it is).
Anyway, start with Spybot, and one of the (reputable) online scanners, and look for more advice on this thread, as I am sure there will be more arriving.

Good luck (:WAV)

Thanks for your tips grayhair!

The computer seems to be clean, CBO appear to have done a great job. My father will make a complete scan with Avast, Ad-aware and Spybot, and at least one of the online scanners you suggested. We will also install SP2 as soon as we have the time.

The Comodo firewall, is it much better than the firewall that comes with SP2? I’m sure it’s more secure, but when it comes to firewalls I’m always worried that it asks permission about every application.

Hey Andervaeld,
from my experience I can claim that CFP is not very noisy. You just have too many possibilities to configure it the way you want it: from chatty to mute - anything goes. And it’s always your best bet firewall - IMO. Just make sure to have a clean computer before you install it as it starts in “clean pc mode” by default, which means it assumes that all files that are on your computer upon installation are safe. Well, you can check the files with the built-in malware scanner but that’s certainly not your best bet. Whether it is possible to change from “clean pc mode” into another mode before it assumes any baddies that are already on your system safe - I don’t know.
So, two possibilities come to mind:

  1. Very safe and you can sleep well in the future but time-consuming:
    Wipe your HD. Reinstall Windows. Make sure to immediately update to SP2 and every other security patch. (Better download with a clean comp and install from disc.) Download CFP, avast! and other security software you like with a clean and secured computer, put on a disc or stick and install from there.

  2. Clean your comp from the baddies (if that can be achieved), do as grayhair suggested and maybe also try HijackThis, which is a great programme.
    You can download it here: http://www.merijn.org/programs.php#hijackthis
    You can automatically analyse your logfiles here: http://www.hijackthis.de/en
    You can learn how to analyse your own logfiles here: http://www.merijn.org/htlogtutorial.php
    You can post your logfile in their support forums: http://www.merijn.org/forums.php (I can recommend: http://forum.hijackthis.de/index.php?langid=4)
    OR
    You post your logfile here and wait for one of the gurus - not me :wink: - to help you identify potential baddies.

Hope you’ll succeed and do not hesitate to ask any questions about CFP (should you install it - and you should ;D ). People here are always happy to help.
Hope this helps.
Cheers
grampa

Hi Andervaeld :slight_smile:

IMPORTANT : You must NOT, I repeat NOT install SP2 on a pc that is infected with malware. ONLY install SP2 AFTER your pc is completely cleaned.

And follow Grampa’s advice ( hi old buddy :slight_smile: ) and post a HijackThis log :slight_smile:

Greetz, Red.

Sorry, off-topic:
Hey Red,
I’ve had so much work to do that I can hardly come here and write something. No time at all. Will hopefully change soon. Maybe next month there’ll be a big change - job wise. Maybe it’ll be another 6 months. But then I’ll be back here and spam the forums like only Ganda can do :wink: (sorry mate).
Red, I’m glad you still remember me - I sure remember you.
Hope to be able to post more soon and once again become part of the great “Comodo family” :-*
Cheerio
grampa

(Sorry, that there’s nothing on-topic in this post. I promise this won’t happen again. 88)

Hi again!

I will take your advice and make a log from HijackThis. I will try to check them myself, but also post a copy here for you experts to go through, if you have the time.

And, thanks for all help! Simply invaluable.

So, now I’ve made a log with HijackThis. According to the analyzer Grampa linked to, I think most looks good. I highlight the ones I’m unsure of.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:22:46, on 2008-04-14
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program\Avast 4\aswUpdSv.exe
C:\Program\Avast 4\ashServ.exe
C:\Program\AVAST4~1\ashDisp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program\TotalRecorder\TotRecSched.exe
C:\Program\Comodo\CBOClean\BOC425.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program\Delade filer\Ahead\Lib\NMBgMonitor.exe
C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program\Delade filer\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program\Comodo\CBOClean\BOCORE.exe
C:\Program\Avast 4\ashWebSv.exe
C:\Program\Avast 4\ashMaiSv.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\Program\BitTornado\btdownloadgui.exe
C:\Program\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program\BitTornado\btdownloadgui.exe
C:\Program\Mozilla Firefox\firefox.exe
D:\Nerladdat\Hijack This\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://arsenal.se/hem/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
F3 - REG:win.ini: load=
F3 - REG:win.ini: run=
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll
O4 - HKLM..\Run: [avast!] C:\Program\AVAST4~1\ashDisp.exe
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program\Delade filer\Ahead\Lib\NeroCheck.exe
O4 - HKLM..\Run: [TotalRecorderScheduler] “C:\Program\TotalRecorder\TotRecSched.exe”
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [BOC-425] C:\Program\Comodo\CBOClean\BOC425.exe
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU..\Run: [StartCCC] C:\Program\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] “C:\Program\Delade filer\Ahead\Lib\NMBgMonitor.exe”
O4 - HKCU..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [xrt_Shell] C:\Documents and Settings\ArT\xrt_atkh.exe
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘LOKAL TJÄNST’)
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘NETWORK SERVICE’)
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘Default user’)
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program\Avast 4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program\Avast 4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program\Avast 4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program\Avast 4\ashWebSv.exe
O23 - Service: BOCore - COMODO - C:\Program\Comodo\CBOClean\BOCORE.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe


End of file - 4474 bytes

Hey,
I don’t want to scare you - don’t be, I’m far from being an expert. I’ve just googled around a little bit - SO THIS INFORMATION MIGHT BE WRONG !!!
What I found:

O4 - HKCU..\Run: [xrt_Shell] C:\Documents and Settings\ArT\xrt_atkh.exe
(from: www.castlecops.com/s15845-xrt_exe.html)
!! THIS IS A STARTUP PROGRAM AND NOT A TASK MANAGER PROCESS ITEM !!
Field        Value
Name         xrt_Shell
Command      xrt_*.exe
Status       X
Description  Added by the Troj/Gozi-Gen TROJAN! Note: Located in %userprofile%\ Note: The * in the filename represents some random characters.
Viewed 391 times since 23 May 2005, 1825 Hours UTC-4.
STATUS KEY:
“Y” - Normally leave to run at start-up
“N” - Not required - typically infrequently used tasks that can be started manually if necessary
“U” - User’s choice - depends whether a user deems it necessary
“X” - Definitely not required - typically viruses, spyware, adware and “resource hogs”
“?” - Unknown

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://arsenal.se/hem/
What to do:
If you recognize the URL at the end as your homepage or search engine, it’s OK. If you don’t, check it and have HijackThis fix it.

F3 - REG:win.ini: load=
F3 - REG:win.ini: run=

Sorry, I cannot comment on them. Looks ok though.

The rest of your files also look o.k.

What you should do:
Upload “xrt_atkh.exe” at Jotti and VirusTotal:
http://virusscan.jotti.org

Hope this helps.
Cheers
grampa
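A small triage script for the O4 and R0 lines discussed in the post above, added here as an example (it is not HijackThis code and was not posted in this thread). The trusted-root list and the “executable sitting directly in a user profile” rule are assumptions drawn from how the log above is laid out, not rules from HijackThis or CastleCops:

```python
import re

# Added example: triage the O4 (autostart) and R0 (IE start page) lines of a
# HijackThis log the way the post above reasons about them. Heuristic only:
# an entry launching an executable straight out of a user profile is flagged,
# anything outside the trusted roots or given as a bare filename needs a look.
O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
R0_RE = re.compile(r'^R0 - .*Start Page = (?P<url>\S+)')
# Assumption: Swedish XP installs Program Files as C:\Program (as in the log above).
TRUSTED_ROOTS = ('c:\\windows\\', 'c:\\program\\')
# A file sitting directly in C:\Documents and Settings\<user>\ (%userprofile%).
PROFILE_RE = re.compile(r'^c:\\documents and settings\\[^\\]+\\[^\\]+$')

def executable_path(cmd):
    """Return the executable from a Run value, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd and cmd[0] in '"\u201c':            # straight or curly opening quote
        end = re.search('["\u201d]', cmd[1:])
        return cmd[1:1 + end.start()] if end else cmd[1:]
    m = re.match(r'(.+?\.exe)(\s|$)', cmd, re.IGNORECASE)  # unquoted paths may contain spaces
    return m.group(1) if m else cmd.split(' ', 1)[0]

def triage_line(line, expected_home):
    """Classify one log line as OK / CHECK / SUSPECT, or None if not an O4/R0 Run line."""
    m = O4_RE.match(line)
    if m:
        name, path = m.group('name'), executable_path(m.group('cmd')).lower()
        if '\\' not in path:
            return ('CHECK', f'{name}: bare filename {path}, locate it on disk first')
        if PROFILE_RE.match(path):
            return ('SUSPECT', f'{name}: runs an executable placed directly in a user profile ({path})')
        if not path.startswith(TRUSTED_ROOTS):
            return ('CHECK', f'{name}: runs from an unusual location ({path})')
        return ('OK', f'{name}: {path}')
    m = R0_RE.match(line)
    if m:
        url = m.group('url')
        return ('OK' if url in expected_home else 'CHECK', f'start page {url}')
    return None

def triage_log(lines, expected_home):
    """Run triage_line over a whole log, skipping lines the rules do not cover."""
    return [r for r in (triage_line(l, expected_home) for l in lines) if r is not None]

# Sample input: four lines quoted from the log posted above.
SAMPLE = [
    'R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://arsenal.se/hem/',
    'O4 - HKLM..\\Run: [avast!] C:\\Program\\AVAST4~1\\ashDisp.exe',
    'O4 - HKLM..\\Run: [RTHDCPL] RTHDCPL.EXE',
    'O4 - HKCU..\\Run: [xrt_Shell] C:\\Documents and Settings\\ArT\\xrt_atkh.exe',
]

if __name__ == '__main__':
    for status, detail in triage_log(SAMPLE, {'http://arsenal.se/hem/'}):
        print(f'{status:8} {detail}')
```

A SUSPECT result only says the entry deserves the upload-and-scan step the post recommends; it is not a verdict on the file.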

F3 - REG:win.ini: load=
F3 - REG:win.ini: run=

With regard to these two, open HijackThis and do a scan only. You can place a check mark next to these to fix, no probs.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://arsenal.se/hem/

As for this one, well, :o if you’re an Arsenal fan like Melih it’s OK.

Matty

Topic Locked.

Reason: Out-Dated post.

Josh