Trovi Virus - help to remove please


  1. Posts : 7,781
    Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
       #61

    @Tousdae - Always go to the manufacturer's site to get any kind of programs. Anytime you d/l it from another source, such as a site hosting the d/l, there is a good chance nowadays that it will have some unwanted extras. This is how the sites make their money. Some sites are up front about it with the option to opt out, others try to sneak it in because once it's in your system they get paid.

    Once you have done a clean reinstall, (provided there were no rootkits & you got the Windows ISO from MS), you should have a clean system. You have to narrow down the possible places that re-infection is occurring from. Is it the HDD, a flash drive, infected personal files being re-introduced into the system or is it d/l ing files from sources other than the manufacturer's site.
    Last edited by Borg 386; 17 Jul 2014 at 11:02.


  2. Posts : 6,458
    x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
       #62

    Tousdae said:
    GM,

    Here's the log. Thanks for telling me where it was. Um, 39 is a lot?

    I wish I'd have thought of a screen shot when the program was finished running

    Thank you. I've a busy day. This pc has been keeping me hostage at home. Be back later. Thank you so much.

    Thanks for the log - it looks as though ESET picked up a lot of things from the AdwCleaner quarantine and other things from Windows.old (there's actually two Windows.old folders). There were remnants of the virus in both places that would have the potential for reinfestation.

    It's interesting that there is a Windows.old folder - this is created when updating Windows, not when you do a clean install. So.... that sheds some light on the subject.

    There are two paths you can take
    1. Do a clean install.
      I know you've already invested time in this process, but something was missed or misunderstood when you reinstalled the last time(s)

      If the reinstall is done correctly, you won't have to run the scanners (ok, maybe AdwCleaner just to check).

    2. Continue with the path you're on
      • Once you clean up the Windows.old folder, the system looks fairly clean.
      • Two more scans will give you the best idea if there's any other remnants.
      • Some housekeeping - remove the scanners you downloaded,
        it's always better to get a fresh version if needed weeks or months down the road
      • Complete Windows Updates. This you will have to do in either case.


    When you get back, run Disk Cleanup to get rid of Windows.old (if Disk Cleanup doesn't remove Windows.old - you can safely delete it using Windows Explorer. You might have to change the view to see hidden files - not sure)
    See: Disk Cleanup - Open and Use
    Steps 1-3 & 5. Make sure you tick all check boxes, scroll down to see more boxes.

    Regarding c\Net -> the download manager contains additional offers that should always be unTicked. The mechanism c\Net uses to offer this 'extra' software is flagged as a PUP. That's why many members frown on c\Net - it has always been a reliable source for downloads, but when c\Net started bundling other 'crap' in with the software you really wanted, it earned its Scarlet letter. Here's a thread that discusses the issues:
    Okay I tested a Cnet download (results)

    To Greg's point: there are better websites that don't bundle additional software. FileHippo, BleepingComputer, MajorGeeks, Tucows, and of course the source is usually the wisest place.

    Also, keep away from 3rd party utilities - optimizers, driver finders, registry cleaners..... most do very little for your system and some can harm your system.

    I've learned a lot from Greg, I just have more time than he does.

    Now, back to the work at hand

    Let members know your plans, to continue disinfection or go all in with yet-another reinstall. Greg is actually the best person to help you do a Clean reinstall - he wrote a few of the tutorials. You'll have to respect his time though, it is spread among many threads.

    If you decide to do a clean install, don't take any action until you have the full plan in place... I don't want you to go through the exercise again only to have to restart again. A clean reinstall is the surest way to get rid of anything that ails your system, if done correctly. The scan and clean is 97-99% sure, but not guaranteed.

    Bill
    .
    Last edited by Slartybart; 17 Jul 2014 at 12:10.


  3. Posts : 351
    Windows 7 Professional 64 bit
    Thread Starter
       #63

    I have 3 windows logs, I think, that I was going to ask how to remove. That is done automatically with reinstall.

    Are you saying that Trovi is still on this machine? .............. I just put back over 3,000 mp3s .. >.<

    Greg has helped me yes. Please. It's just about me being able to wrap my head around Bill's words better.


  4. Posts : 6,458
    x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
       #64

    Three windows logs? Do you mean 3 Windows.old folders?

    The folders are only created by an update install. It's a small difference in one option - interestingly you can do an upgrade of Windows 7 with Windows 7 - SF refers to that as a Repair install. It places all Windows system files in the correct place with the correct version. I think that's what you did instead of a Clean reinstall.

    If you do a Clean re-install, the Windows.old folders are not created. They can't be created because there's nothing left of the previous install to create them from.

    Anyway, back to your questions.

    I don't think there are any viruses on your system, other than what's in AdwCleaner quarantine (safe place for them) and in the Windows.old folders.

    Go back to post# 62 and run Disk Cleanup following the tutorial I linked. After it's done, use Windows Explorer to look for any Windows.old folders on the C:\ drive. If there are any - manually delete them.

    Launch AdwCleaner one more time and scan, then clean, then hit the uninstall button.
    This will tell you if anything came back with files you moved. Let's hope not.
    It will also remove the quarantine (it might ask, if it does say yes remove the quarantine).

    Until the last two scanners tell you that the system is disinfected, please refrain from installing anything or moving files, thanks.
    You're almost done.

    Let me know when the Disk Cleanup has finished and there are no more Windows.old folders.
    I'll post the last two scanners after that step. Thanks for bearing with me on the process.

    Bill
    .


  5. Posts : 351
    Windows 7 Professional 64 bit
    Thread Starter
       #65

    I cannot delete those windows old files. It says I need permission from the administrator .... who'd be me. I did a disk cleanup about 30 mins ago, actually. I was trying to delete those windows old folders that way. Which didn't work. I went into the folders and I'm trying to delete the contents hoping the folder itself will delete. I just have Windows.old>Users>me. That folder is empty.


  6. Posts : 351
    Windows 7 Professional 64 bit
    Thread Starter
       #66

    Ok 2 of the 3 folders are gone. The one left doesn't have anything in it. I'll do the disk clean up again then scan with adwcleaner.


  7. Posts : 6,458
    x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
       #67

    Hmmm, Disk Cleanup didn't remove the Windows.old folders...

    I was fairly certain it would.

    The folder won't just delete itself. You might have to give your id privileges to the folder.

    Do me a favor first,
    Open an Elevated Command Prompt
    In the Command Prompt window type the following commands
    cd \
    dir /a windows.old > C:\listOldWin.txt
    dir /a windows.old.* >> C:\listOldWin.txt
    exit

    The 1st command changes the current directory to the root of your C: drive (C:\)

    The next command does a directory list of C:\ for anything named Windows.old and writes (>) the list into a text file named listOldWin.txt on your C:\ drive

    the next command does a directory list of C:\ for anything named Windows.old.* and appends (>>) the list to the same text file

    the last command exits command prompt.

    Attach C:\listOldWin.txt (use the paperclip icon on the post menu) to your next post.
    You can delete the listOldWin.txt file after you attach it.

    Thanks

    Bill
    .
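
The same check as the `dir` commands in the post above, as an added PowerShell example that is not part of the original post: it lists every Windows.old* folder at the drive root with its owner, file count and size, and changes nothing. It assumes an elevated PowerShell prompt and reuses the post's C:\listOldWin.txt file name for the report.

```powershell
# Added example: read-only inventory of Windows.old* folders at the drive root.
# Written for PowerShell 2.0 (the version shipped with Windows 7).
$root    = "$env:SystemDrive\"
$outFile = Join-Path $root 'listOldWin.txt'   # same file name the post uses

# -Force includes hidden and system items, like "dir /a" in the post.
$folders = @(Get-ChildItem -Path $root -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and $_.Name -like 'Windows.old*' })

$report = foreach ($folder in $folders) {
    # Items that could not be read (access denied) are collected in $denied.
    $denied = @()
    $files = @(Get-ChildItem -Path $folder.FullName -Recurse -Force `
                   -ErrorAction SilentlyContinue -ErrorVariable denied |
               Where-Object { -not $_.PSIsContainer })

    $bytes = 0
    foreach ($f in $files) { $bytes += $f.Length }

    # The owner shows whose permissions are needed before the folder can be deleted.
    $acl = Get-Acl -Path $folder.FullName -ErrorAction SilentlyContinue

    New-Object PSObject -Property @{
        Folder     = $folder.FullName
        Owner      = $acl.Owner
        Files      = $files.Count
        SizeMB     = [math]::Round($bytes / 1MB, 1)
        Unreadable = $denied.Count
    }
}

if ($folders.Count -eq 0) {
    "No Windows.old folders found under $root" | Out-File -FilePath $outFile
} else {
    $report | Format-Table Folder, Owner, Files, SizeMB, Unreadable -AutoSize |
        Out-File -FilePath $outFile -Width 200
}
Get-Content -Path $outFile
```

A non-zero Unreadable count means some items were skipped for lack of access, so the file count and size for that folder are lower bounds.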


  8. Posts : 6,458
    x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
       #68

    I guess you can forget the dir list - you've already managed to get rid of 2 of the 3.

    We'll come back to Windows.old after AdwCleaner, ok?

    You might try Disk Cleanup Run as admin - not sure if that will change anything or not.

    Bill
    .


  9. Posts : 6,458
    x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
       #69

    1. Click here to download herdProtect
       a. Click on the Portable version
       b. Click Save on the download action bar (your downloads folder is the default save location)
       c. Click Run when the download complete action bar is presented
          1. Answer Yes to the UAC dialog window
          2. Click Next on the "This will extract the portable version..."
          3. Specify the location for the extracted files (Thumb drive, or Hard drive)
          4. Click Next
          5. Click "I agree" on the license dialog window
          6. Leave the checkbox ticked [a] Launch herdProtect
          7. Click Finish
    2. Click Scan
       herdProtect is a cloud based service. Your computer must remain connected to the Internet while the scan runs.
       a. Depending on your system it will take between 5 to 30 minutes for the scan to complete. The two buttons on each object detected provide more detail, but aren't very useful to the average user.
          1. Click View to open the file location on your computer
          2. Click Details to open the herdProtect knowledgebase for that file

    3. Post a screen shot of the results window

    Stop at this point
    Leave the herdProtect window open

    A member will review the information in the screen shot and advise you further. You might be asked to press the Details button to aid in determining the severity of the file reported.

    There might be some false positives that can be ignored, but someone needs to determine if there is a real threat among the files reported.

    This can be a lengthy process for the member on this side of your monitor - each file has to be researched.

    This is a good final check to see if your other scans missed anything. The last scanner, ESET, looked fairly clean. It did uncover the hiding places though.

    There's one more scanner after this, please be patient. I know you're chomping at the bit to get your machine back and I'm chomping at the bit to let you have it back :)

    After the last scan, there is some house keeping, I'll post what that entails and you can do that at your leisure.


  10. Posts : 351
    Windows 7 Professional 64 bit
    Thread Starter
       #70

    Image attached.

    I forgot about Adw ... Right now that herd protect is running. I'll wait until that is done.
    Attached Thumbnails: Trovi Virus - help to remove please-untitled1.jpg


 
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.
