Help? Trojan found in PC Health Center


Hey everybody, so I'm having some issues w/ a trojan virus that avast and
spybot S&D have detected during scans. The folder location is under program
files/ pc health center, as far as I understand, PC health center is spyware
that runs as legitimate antivirus software, making it difficult to detect.
I'm currently using avast, spybot search and destroy and adaware (all free
versions). Avast and spybot both pick up malicious files in the PC Health
center folder, but I'm unable to move the file to the avast chest or delete
it w/ any of the antivirus programs I have. I've also run several boot scans
but am unable to perform any action on these suspicious files, there's always
an error message and I can't do anything w/ the files. I've even tried to
erase the files w/ the eraser program using a pseudorandom 3X overwriting
data pass, but am unable to. 411 - spyware.com claims to have manual
instructions for complete removal of the pc health center folders / files /
registry etc., they also claim that for 30$ you can purchase their software
which will automatically remove all related components of the PC Health
Center infection. Mcafee says that the site seems safe, but other sites have
said that 411 - spyware.com will install spyhunter which contains junk I
don't want. I'm unclear of who to trust and what I should do, has anyone
dealt w/ this same problem? I've done some minimal research and it seems
that PC Health Center (under program files) is something I should remove
from my computer, any advice, any help is greatly appreciated, thanks.

Guest Kayman
Posted

On Sat, 28 Feb 2009 13:48:15 -0800, EI wrote:

> Hey everybody, so I'm having some issues w/ a trojan virus that avast and
> spybot S&D have detected during scans. The folder location is under program
> files/ pc health center, as far as I understand, PC health center is spyware
> that runs as legitimate antivirus software, making it difficult to detect.
> I'm currently using avast, spybot search and destroy and adaware (all free
> versions). Avast and spybot both pick up malicious files in the PC Health
> center folder, but I'm unable to move the file to the avast chest or delete
> it w/ any of the antivirus programs I have. I've also run several boot scans
> but am unable to perform any action on these suspicious files, there's always
> an error message and I can't do anything w/ the files. I've even tried to
> erase the files w/ the eraser program using a pseudorandom 3X overwriting
> data pass, but am unable to. 411 - spyware.com claims to have manual
> instructions for complete removal of the pc health center folders / files /
> registry etc., they also claim that for 30$ you can purchase their software
> which will automatically remove all related components of the PC Health
> Center infection. Mcafee says that the site seems safe, but other sites have
> said that 411 - spyware.com will install spyhunter which contains junk I
> don't want. I'm unclear of who to trust and what I should do, has anyone
> dealt w/ this same problem? I've done some minimal research and it seems
> that PC Health Center (under program files) is something I should remove
> from my computer, any advice, any help is greatly appreciated, thanks.

 

Preferred practice is to 'flatten' and rebuild a computer that has been
exposed to malware.
http://www.microsoft.com/technet/community...gmt/sm0504.mspx

http://support.microsoft.com/kb/918884
http://www.winsupersite.com/showcase/winvi...grade_clean.asp
http://www.5starsupport.com/tutorial/vista-clean-install.htm

It is definitely advantageous to create an 'image' of the operating system
and create a data/file backup of the affected PC.
The image can then be restored to the impacted PC and the user's data/file is
subsequently restored to the operating system.

An experienced and properly prepared user can do that in substantially less
time than scanning with complex and sophisticated AV applications.

Alas, since many users are less prepared and/or lacking the experience,
scanning with AV apps is the only option, unless the user consults a
computer technician.

 

1. Clear the (IE) temporary Internet files and the history cache.
Click 'Start' and then click 'Run'... then type (or copy/paste)
"inetcpl.cpl" (w/out quotation marks) into the box, then click the 'OK'
button.
In Internet Properties panel 'General' tab, under 'Browsing history', click
'Delete...' button, in 'Delete Browsing History' panel, click the 'Delete
all...' button then place a checkmark into the box beside 'Also delete
files and settings stored by add-ons', Click 'Yes' and exit the Internet
Properties panel by clicking the 'OK' button.

2. Clean HDD
Delete files using Disk Cleanup
http://windowshelp.microsoft.com/Windows/e...7139d91033.mspx

 

3. Download/execute:
Malwarebytes© Corporation - Anti-Malware
http://www.malwarebytes.org/mbam/program/mbam-setup.exe
--and--
SuperAntispyware - Free
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

--and/optional--
Kaspersky® Virus Removal Tool
http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/
http://www.kaspersky.com/support/viruses/avptool?level=2
--and/optional--
Dr.Web CureIt!® Utility - FREE
http://www.freedrweb.com/cureit/
--and/optional--
a-squared (a²) Free or a-squared (a²) Command Line Scanner
http://www.emsisoft.com/en/software/download/
--and/optional--
BitDefender10 Free Edition ( NOT FOR VISTA )
http://www.bitdefender.com/site/Downloads/...onVersion/1/42/
--and/optional--
Sophos Anti-Virus (SAV32CLI), is a 32 bit free command line scanner used in
an emergency as a disinfection utility for Windows NT, Windows 2000,
Windows XP and Windows 2003.
To use the Sophos command line software follow the steps below:
a) Download SAV32CLI
http://downloads.sophos.com/tools/sav32sfx.exe
--and--
extract the contents by double clicking the file.
b) Add the latest IDE (virus definition) files to the folder.
These can be downloaded here
http://www.sophos.com/downloads/ide/
c) Read Scanning Options with SAV32CLI.
http://www.sophos.com/support/knowledgebas...icle/13252.html
See removing malicious files with SAV32CLI for basic information on virus,
spyware, Trojan and worm removal with SAV32CLI.
http://www.sophos.com/support/knowledgebas...icle/13251.html

 

NOTE:
The above mentioned applications are not capable of real-time protection
of your computer; they are on-demand scanners.

Kaspersky® Virus Removal Tool, Dr.Web CureIt!® have no update feature (so
they don't turn into full blown scanners). As soon as your computer is
cleaned you are supposed to remove these tools from your operating system
and revert back to your (updated) resident (real-time) AV application.
Re: Kaspersky® Virus Removal Tool; To uninstall/move this program 'enable
self-defense' must be unchecked!

To scan your computer with the most up-to-date Kaspersky® AVPTool and
Dr.Web CureIT!® virus databases next time you should download new
Kaspersky® AVPTool and Dr.Web CureIt!® packages.

BitDefender10 Free Edition, a-squared Free or a-squared Command Line
Scanner, Sophos Anti-Virus (SAV32CLI) and the free version of Malwarebytes©
and SuperAntispyware have an update feature; you may wish to keep a couple
of them installed in addition to your resident AV/A-S applications and scan
frequently.

Both free versions of MBAM and SAS are on-demand scanners and offer no
'real-time' protection. Keep them installed and use them as
'second-opinion' scanners, which is purposely (by design) recommended by
their respective authors.

After the software is updated, it is suggested scanning the system in Safe
Mode (this does not apply to MBAM).

"Malwarebytes actually performs better in Normal Mode" says Dustin Cook,
Malwarebytes Researcher of MBAM.

 

Start your computer in safe mode (Vista)
http://windowshelp.microsoft.com/Windows/e...c904a11033.mspx
http://www.bleepingcomputer.com/tutorials/tutorial61.html

4. Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/to...ools/hijackthis

Please, do not post HJT logs to this newsgroup.
Fora where you can get expert advice for HiJack This! (HJT) logs.

http://www.thespykiller.co.uk/index.php?board=3.0
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.tomcoyote.org/index.php?showforum=27
http://www.bleepingcomputer.com/forums/forum22.html
http://www.malwarebytes.org/forums/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://www.theeldergeek.com/forum/index.php?showforum=29

NOTE:
Registration is required in any of the above mentioned fora before posting
a HJT log and read the 'stickies' (instructions/guidelines) for the
respective HJT forum.

5. Routinely practice Safe-Hex.
http://www.claymania.com/safe-hex.html

 

Additional references:
How to optimize or reset Internet Explorer 7
http://support.microsoft.com/kb/936213
Applies to: Windows Internet Explorer 7 in Windows Vista

How to use Reset Internet Explorer Settings (RIES)
http://support.microsoft.com/kb/923737
Read: "What you must know"
Applies to: Windows Internet Explorer 7 for Windows XP and
Windows Internet Explorer 7 in Windows Vista

GMER - is an application that detects and removes rootkits.
http://www.gmer.net/index.php

For additional assistance in relation to GMER scan results consult either
http://antirootkit.com/forums/index.php?si...781ffe4361c3a17
--or--
http://www.thespykiller.co.uk/index.php?board=3.0

CCleaner - Free
Cleans temporary internet files, cookies, history, recent urls, application
MRUs, etc. ...( Tune out the registry scanning/fixing option! )
http://www.ccleaner.com/download/builds/downloading-slim

If Windows Defender is utilized go to Applications, under Utilities
uncheck "Windows Defender" (so it won't delete the history of WD).
If you wish, click 'Options' button then 'Settings' [check] 'Run CCleaner
when the computer starts'.
--or--
Setup CCleaner to Automatically Run Each Night in Vista or XP
http://www.howtogeek.com/howto/windows-vis...in-vista-or-xp/

Good luck

Guest Sam Hobbs
Posted

You did not say what the problem is with the manual instructions; I assume
you mean:

http://www.411-spyware.com/remove-pc-health-center

I don't know if you can trust xp-vista.com but I think so; it looks
legitimate. Their instructions look easy; see:

http://www.xp-vista.com/spyware-removal/pc...al-instructions

Everything I know I learned using the following:

http://www.altavista.com/web/results?itag=...%22&kgs=0&kls=1

However it would probably be more effective to search without the spaces;
just search for PCHealthCenter.

 

 

"EI" <eirwin58@roadrunner.com> wrote in message

news:O1v2I5emJHA.1288@TK2MSFTNGP02.phx.gbl...

> Hey everybody, so I'm having some issues w/ a trojan virus that avast and
> spybot S&D have detected during scans. The folder location is under program
> files/ pc health center, as far as I understand, PC health center is spyware
> that runs as legitimate antivirus software, making it difficult to detect.
> I'm currently using avast, spybot search and destroy and adaware (all free
> versions). Avast and spybot both pick up malicious files in the PC Health
> center folder, but I'm unable to move the file to the avast chest or delete
> it w/ any of the antivirus programs I have. I've also run several boot scans
> but am unable to perform any action on these suspicious files, there's always
> an error message and I can't do anything w/ the files. I've even tried to
> erase the files w/ the eraser program using a pseudorandom 3X overwriting
> data pass, but am unable to. 411 - spyware.com claims to have manual
> instructions for complete removal of the pc health center folders / files /
> registry etc., they also claim that for 30$ you can purchase their software
> which will automatically remove all related components of the PC Health
> Center infection. Mcafee says that the site seems safe, but other sites have
> said that 411 - spyware.com will install spyhunter which contains junk I
> don't want. I'm unclear of who to trust and what I should do, has anyone
> dealt w/ this same problem? I've done some minimal research and it seems
> that PC Health Center (under program files) is something I should remove
> from my computer, any advice, any help is greatly appreciated, thanks.

Guest Mick Murphy
Posted

Try Malwarebytes.
And do your scanning in Safe Mode, since you can not remove it in Normal mode.

http://www.malwarebytes.org/mbam.php

Malwarebytes is as the name says, a Malware Remover!
For the Free version scroll down their page to either download from
Download.com, or Major Geeks.com

Download, install, and update.

Important re: Safe Mode
If you happen to find a problem that you can’t uninstall / delete, reboot
the computer, and go into Safe Mode.
To get into Safe mode, tap F8 right at Power On / Startup, and use UP arrow
key to get to Safe Mode from list of options, then hit ENTER.
RESCAN your computer with your Anti-Virus, Malwarebytes and Spybot S & D
while in Safe Mode.

If unable to install above Programs in Normal Mode:
Sometimes Trojans, Viruses, Malware, etc stop you installing and/or updating
Programs to remove them.
If that happens, reboot into Safe Mode with Networking (from F8 list of
Startup Options), and install, update and scan from there.

--
Mad Mike

 

 

"EI" wrote:

> Hey everybody, so I'm having some issues w/ a trojan virus that avast and
> spybot S&D have detected during scans. The folder location is under program
> files/ pc health center, as far as I understand, PC health center is spyware
> that runs as legitimate antivirus software, making it difficult to detect.
> I'm currently using avast, spybot search and destroy and adaware (all free
> versions). Avast and spybot both pick up malicious files in the PC Health
> center folder, but I'm unable to move the file to the avast chest or delete
> it w/ any of the antivirus programs I have. I've also run several boot scans
> but am unable to perform any action on these suspicious files, there's always
> an error message and I can't do anything w/ the files. I've even tried to
> erase the files w/ the eraser program using a pseudorandom 3X overwriting
> data pass, but am unable to. 411 - spyware.com claims to have manual
> instructions for complete removal of the pc health center folders / files /
> registry etc., they also claim that for 30$ you can purchase their software
> which will automatically remove all related components of the PC Health
> Center infection. Mcafee says that the site seems safe, but other sites have
> said that 411 - spyware.com will install spyhunter which contains junk I
> don't want. I'm unclear of who to trust and what I should do, has anyone
> dealt w/ this same problem? I've done some minimal research and it seems
> that PC Health Center (under program files) is something I should remove
> from my computer, any advice, any help is greatly appreciated, thanks.
