My friend has a virus he can't get rid of

Stg-Flame

Diamond Member
Mar 10, 2007
3,660
602
126
Screenshot

The screenshot shows what it is. He said he scanned and found some minor adware on his laptop. He got rid of them and then restarted the computer. When it booted back up, the Security Toolbar was installed. He said that he gets non-stop pop-ups and spam when he gets on the net.

He also said that he did three system restores and the Toolbar keeps installing itself. He doesn't know where it is nor how to get rid of it.

Any information is appreciated.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Hi Chaoticpenguin666, your screenshot doesn't work but I'm guessing it's the Security Toolbar that Zlob trojan horses always install? A couple green buttons and a red bar that claims the system security is "4.1"?

Removing Zlob trojans can be done several ways. Microsoft has some extremely solid heuristic detection for them, and Kaspersky Lab has fairly good signature-based detection, maybe because SOMEONE keeps sending them samples every day :evil: So you might start with these tactics:

1) download the Malicious Software Removal Tool from here, save it to the desktop, restart the computer in Safe Mode, run the tool and do a full scan with it.

2) reboot into Safe Mode With Networking and run the F-Secure online scanner, which uses the Kaspersky engine and can also detect rootkits.

3) while you're in Safe Mode With Networking, also run the Microsoft Live OneCare online scanner to get the latest & greatest of Microsoft's detection.



If problems persist, run HijackThis and post a log, and/or plunk the log into http://hijackthis.de/en for an analysis. Do this while the system is in Safe Mode With Networking. It also may be enlightening to hear what sort of pop-ups specifically, what sites and stuff.

If it is a Zlob, be aware that Zlob trojans are typically installed by someone getting fooled by tactics similar to this pic or this pic, so be aware of that.
 

Stg-Flame

http://img296.imageshack.us/my.php?image=fuckoffam5.jpg

Here is the link. I didn't want to post it like this before because of the title of it. If you require that I change it, I can save the image, rename it, and then upload it to my Imageshack.

Thanks for the links, I shall make sure these get to him.

UPDATE: He says:
terrex. Tool Nov 29th. says:
Lol when i try to dl the file
terrex. Tool Nov 29th. says:
it closes right away
terrex. Tool Nov 29th. says:
like i click on it to download, hit save and closes Lol
 

mechBgon

Originally posted by: Chaoticpenguin666
http://img296.imageshack.us/my.php?image=fuckoffam5.jpg

Here is the link. I didn't want to post it like this before because of the title of it. If you require that I change it, I can save the image, rename it, and then upload it to my Imageshack.

Thanks for the links, I shall make sure these get to him.

UPDATE: He says:
terrex. Tool Nov 29th. says:
Lol when i try to dl the file
terrex. Tool Nov 29th. says:
it closes right away
terrex. Tool Nov 29th. says:
like i click on it to download, hit save and closes Lol

That looks like a Zlob, all right. Have him try downloading the necessary stuffs while in Safe Mode With Networking and see if that works better.

 

SunnyD

Belgian Waffler
Jan 2, 2001
32,674
146
106
www.neftastic.com
Keep in mind the reason my system restore isn't removing it is because it has probably cached itself into the restore points by now.
 

mechBgon

Hmm :confused: it looks like his computer is pwned... how's that for an analysis :D Can he try these steps:

1) get the RapidRelease virus updates from Symantec, which he can find here, to get the very, very latest virus definitions

2) reboot into Safe Mode and run a full virus scan of the whole computer with Symantec, and see if it can get rid of it then

3) it couldn't hurt to also run the other online scanners I mentioned for extended assurance, since no single company can detect everything



If it were my computer, I'd be face-down in a full reformat & reinstall to be certain the malware is gone. You don't want the bad guys getting hold of, say, your WoW or Steam logins, your CC number, etc.
 

Stg-Flame

He is going to follow those instructions tomorrow. Since I have college tomorrow, I will reply either right before 5 PM or after 9 PM as I am at the college from 7:35 AM - 9:15 PM.

Thanks for the help.
 

Medea

Golden Member
Dec 5, 2000
1,606
0
0
Zlob is a tell-tale sign of the presence of a smitfraud infection. If he doesn't have the infection too bad, the above suggestions should work. The problem with smitfraud is that it can be pervasive and usually a specialized tool is needed to get it off your system.

If you haven't tried one of the above suggestions or, if you have and the infection is still present, drop me a PM and I'll give you the step-by-step instructions for running the tool.
 

mechBgon

Medea is a specialist, so definitely take him up on that offer if problems persist or you just want to be extra-sure :thumbsup:
 

Stg-Flame

Well, he just informed me that he followed those instructions you gave and his laptop is working fine now.

Greatly appreciated mech. And thanks for the extra information medea.
 

Medea

Good to hear it. :thumbsup:

Edit: As a final step, tell him to run CCleaner to clean out any leftover crap that may be in his Temp folders. ;)