Need help with a virus

ericd · September 5, 2008, 2:29am

My computer has windows xp service pack 2 and I have the comodo firewall 3 and the comodo antivirus 2. A couple of days ago I got a lot of error messages saying I am infected and that I should download anti-spyware master to protect the computer. Well, when I tryed to download it the antivirus told me that it was a virus. By then though the program was already on the computer and it started to download x-rated stuff onto the desktop. I got that to finally stop but it is still trying to gain access to the internet again so it can start it all over again. When that happened a folder call pchealth popped up in the program files and windows folders. The program inside of it is not pchealth instead it is something else that I don’t know, because I am on a friend’s computer and can’t look it up now. When I scanned the computer it did find seven virus and about 8000 suspicious files and when I try to submit them the firewall says that rundll.exe is trying to get shutdown privileges. When I hit deny, it shuts down the internet connection. Now the firewall pop ups don’t have the writing on the tops on them anymore. Is there anything that I can do or is it a lost cause. Thinks for any help.

grayhair · September 5, 2008, 3:42am

Yikes!! I don’t know anything specifically about this “antispyware master.” My first words of advice would be not to connect it to the internet right now, as you may have unintentionally installed some sort of downloader, and being connected could make things worse. Besides Comodo Firewall v.3 and Comodo antivirus 2, what other security programs do you have installed? There are things you can do–the worst being a reformat of your operating disc. Do you have backups of your documents, important files, installation programs, etc.? If not, don’t try to back things up right now, as the malware could be scattered around your computer. Be patient, hopefully help will be on the way here.
Anyone know anything specific about this “Antispyware Master?”

grayhair · September 5, 2008, 3:55am

I Googled a little bit about the AntiSpyware Master thing. It does appear to be nasty. I did see in one forum that someone had good results in getting rid of it by installing and running SuperAntiSpy (which is very legitimate!). Here is the link to SuperAntiSpy:

Edit: I hit the wrong key and sent this on its way incomplete. Now the finish:

http://www.superantispyware.com/

If your friend will let you, I would download SuperAntiSpy on your friends computer, save the install file on a CD, then install it on your computer from the CD. After installation it will want you to update it–maybe just do a COMPLETE scan first, and see what it picks up. Then maybe connect the computer to the internet, update the program, and do another complete scan.
Probably SuperAntiSpy won’t be the only thing you will need to run, but it is a start.

Second edit: just download the free edition of SuperAntiSpy for now.

ganda · September 5, 2008, 4:09am

or… maybe you can try DrWebCureIt . it’s portable, no installation needed. don’t forget to scan your comp with it or superAntiSpyware on safe mode. :-TU goodluck (:WAV)

ericd · September 5, 2008, 4:45am

I have ad-aware 2008 and spy sweeper. I don’t if you count winpatrol as a security program but it did help close one part of the virus. Thinks for the suggestions I am going to try that and hope it gets rid of it, and I’ll let you know the results of it.

system · September 5, 2008, 2:23pm

Recommendation:

Remove Ad-aware & Webroot Spy-Sweeper (If you paid for it then keep it).

Download, Install, Update & Scan with:
Malwarebytes’ Anti-Malware
SUPERAntispyware

Josh

Info-Sec · September 5, 2008, 2:49pm

Use malwarebytes, it is the most effective ive found at removing rogue antispywares such as antispyware master.

Agent_007 · September 5, 2008, 3:06pm

He!!o ericd. . . (:WAV)

Take 3xist advice! and replace your CAVS2.0 with AVIRA Free. you can download it here: http://www.download.com/Avira-AntiVir-Personal-Free-Antivirus/3000-2239_4-10322935.html?part=dl-10322935&subj=dl&tag=button&cdlPid=10877501

:Beer :Beer :Beer
:Beer :Beer :Beer
:Beer :Beer :Beer

ericd · September 5, 2008, 10:04pm

I tried running dr web cureit and it found like 20 different virus and Now i am running super anti-spyware and it has already found like 20 more viruses. Now I am going to try the mal-ware bytes thing. I will let you all know the results of the scans. Thanks for all the help that you all have given me.

system · September 5, 2008, 10:05pm

You are most welcome,

Superantispyware works better while in safe mode

CG

grayhair · September 5, 2008, 10:40pm

Some good news! And just in time for the weekend LOL. :Beer

Don’t be afraid to run these various scans several times. I have found that in a very infected machine sometimes it takes the first scan (sometimes two) to “make the bunnies run.” Have you installed Avira Free yet? I would do that, and again make sure it has the latest updates, and run the thing several times. Avira would be a better AV than Comodo ver.2 right now. Comodo ver. 3 should be out soon, and promises to be much better. Let us know how this thing all turns out.

Good luck.

Info-Sec · September 6, 2008, 6:13am

While your running scans run a spybot search and destroy scan, it isnt as good as it used to be, but generally if it dosnt detect anything then your system should run fine.

system · September 6, 2008, 6:18am

Thanks.

Try that for now and let us know how things go.

Josh

ericd · September 7, 2008, 6:14am

Super Anti-Spyware finished running and it found like 400 different objects, and I downloaded and installed Avira Antivirus and it found about 10 Trojans and a couple of viruses. I ran the Malware bytes thing and it found like 10-15 infected registry keys. I have been running the scans and it has been finding nothing. However the pchealth folder that has the virus or whatever in it, sometimes come back after I delete the folder, so maybe there is something that the scans are missing. Is there something wrong or am I just paranoid? Thanks for any help.

system · September 7, 2008, 7:09am

Is your PC Running OK?

Are the scans removing threats found?

Josh

ericd · September 9, 2008, 2:42am

The scans are removing the threats and the computer is running like it used to. Is it fine or is there something else I should do? Thanks for all the help.

fazio93 · September 9, 2008, 3:40am

hijack this?

grayhair · September 9, 2008, 4:17am

What a journey you seem to have had. If I could ask, what firewall are you using? what anti-virus are you using? I used to have “stuff” get on my computer also (what led me to Comodo). I now use Comodo firewall, and no more “stuff.”

SELF EDIT: I read back and see what firewall and AV you have. I would drop the Comodo ver.2 simply because the Comodo team stopped doing much of anything to keep that going some time ago. Right now I am using a trial of Avast while waiting for CAVS3’s release.
Are your bugs all gone? Hopefully. You could run other scans like CCCleaner to clean up any left over registry items, or even Spybot–even though it gets a thumbs down from some here (although sometimes I see it find “stuff” the other scans miss). Maybe do as fazio93 suggested, and run HijackThis (you could post a log here for someone to analyze). But, ultimately you need to determine when you machine is cured. Sounds like you did a good job. Congrats!

system · September 9, 2008, 5:23am

It does sound like your cured.

Perhaps multiple people can Analyze your HijackThis Log which you can download
here.

Josh

ericd · September 9, 2008, 11:40pm

here is a HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:36:09 PM, on 9/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox 3 Beta 4\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM…\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM…\Run: [COMODO Firewall Pro] “C:\Program Files\COMODO\Firewall\cfp.exe” -h
O4 - HKLM…\Run: [avgnt] “C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe” /min
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe

–
End of file - 2138 bytes