Solved 8-step Preliminary removal instructions closed thread

Status
Not open for further replies.

francis793

Issues: Google Chrome is crashing before anything loads. FireFox and IE links are being redirected when clicking on a link through a search, however they function properly when the address is typed in directly; occasional pop-ups. FireFox and IE also occasionally crash. GMER log is not included because I was only able to run the scan in safe mode, and the screen would not allow me to scroll down to save. When running GMER in standard mode, it runs for a few minutes, then gets a blue screen. Also, not sure if this is related, but the computer will not stay in sleep mode.

Much thanks in advance

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4258

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

6/29/2010 5:20:34 PM
mbam-log-2010-06-29 (17-20-34).txt

Scan type: Quick scan
Objects scanned: 143873
Time elapsed: 18 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 

Attachments: Attach.txt (85.9 KB), DDS.txt (39.8 KB)
I see you did a Restore Operation on 6/28/2010: what kind of restore, and was this before or after the problem started? There are about 300 entries for this date and 6/29, one of them being Windows XP Home Edition, Deutsch.

There are almost no running processes. There is a proxy.mcghi.mcg.edu:8080 which looks to be a remote connect for the Medical College of Georgia and/or Medical College of Georgia Healthcare Inc.
There is a very small hard drive and almost none of it left: C: is FIXED (NTFS) - 56 GiB total, 4.343 GiB free.

There are multiple errors for a Xerox Scanner model fu621d and several errors that could indicate a network isn't set up correctly.

Can you give me some ideas of your setup so I'll know what to recommend?
 
I had "AV Security Suite" virus. I used the Malwarebytes' Anti-Malware and it appeared to get rid of it. Google Chrome was still not working, which is my primary browser, so I did a Windows restore to see if that would help it (not sure if that answers your question about what kind of restore but it is all I know to say). The current issues must have been present the whole time, but I was not aware of them when I did the restore. So to answer your question, I did the restore after the problems started.

My wife does software consulting for hospitals, so the proxy.mcghi.mcg.edu:8080 is from a previous client. She no longer uses this computer for work, so anything related that can be taken off.

As far as the hard drive, it is a bit small. The computer is three years old, Dell Latitude D820, Windows XP Professional. I am not sure what is taking up all the space. It has been quite awhile since I have done any maintenance on it. It has been running fine prior to this.

We have an HP printer at the house, so I am guessing the Xerox Scanner model fu621d is also from a previous client and does not need to be on here.

I am considering just reformatting and starting fresh. There are a few things that I would want to back-up prior to, but I am not sure if the virus would come with the back-up. Is this advisable?

The current role of this computer is to hang around the house, do spreadsheets, and browse the web. She has basically been retired to leisure activities.

I really hope this answers your questions. If not, let me know and I will give it another shot.

Thanks
 
Sorry- my router went out Thursday night and I just got a replacement this afternoon.

About the Restore: I'm squeezing you here: there isn't actually any 'Windows restore.'
Did you do a System restore to a few days before the problems started?
Did you do a "Last Known Good Configuration" restore?
Did you do a repair?

It has been quite awhile since I have done any maintenance on it. It has been running fine prior to this.

Sooner or later, not taking care of the system is going to catch up. It's like never doing the laundry, or taking a shower, mowing the grass or taking out the trash.

I think doing a reformat/reinstall is the best option. And if you do that, set up a good maintenance program: disc cleanup, error check, defrag, removing programs, files and folders that are no longer used. Let's run this first and see if anything gets picked up:


Run the Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Un-checked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

The Chrome crashes and sleep problems are most probably related to the condition of the system and not malware.
 
Sorry for the delayed response. Had a busy holiday weekend.

I did a restore to a few days before the problems started. Here is the log for the ESET:

ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
Can not open internetESETSmartInstaller@High as downloader log:
Can not open internetCan not open internetESETSmartInstaller@High as downloader log:
Can not open internetesets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=662232520fb1ec44be10f6904ed19fa4
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-07-07 03:25:22
# local_time=2010-07-06 11:25:22 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 614354 614354 0 0
# compatibility_mode=3584 16777175 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=104621
# found=2
# cleaned=0
# scan_time=16854
C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\setup.exe probably a variant of Win32/Agent trojan 00000000000000000000000000000000 I
C:\Program Files\blstoolbar\blstoolbar.dll probably a variant of Win32/Adware.BHO.MegaSearch application 00000000000000000000000000000000 I
 
If you aren't going to do the reformat/reinstall, please run this scan to remove what Eset found:

Please download OTMoveIt by OldTimer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveIt3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes	
    
    :Services
    :Reg
    
    :Files 
    C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\setup.exe
    C:\Program Files\blstoolbar\blstoolbar.dll
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
==============================
An FYI about the Triton Suite: from Wiki:
The successor to AIM version 5.9 was originally named AIM Triton. Compared with version 5.9, Triton's programming code was rewritten and featured a brand new UI engine called Boxely. The first beta version of Triton (0.1.12) supported only Windows XP[4] upon its release. For the first time in the development of a new version of AIM, these preliminary versions were made publicly available on the AIM home page for any user to test and provide feedback.

On September 29, 2006, Triton was renamed to AIM 6.0 and a new beta version was made available.
The file with the malware is the setup for the program- what you get on the desktop (or wherever the default download location is). It is very outdated and should not be executed because it is infected.

The 'blstoolbar' is put out by Bell South. It's important to understand that while a program itself might be clean and legitimate, if you download it from a site with malware, such as a torrent site, then you will get malware with it.
=====================================
If you want to continue, please download ComboFix from Here and save to your Desktop.

  1. Do NOT rename Combofix unless instructed.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Close any open browsers.
  4. Double click combofix.exe & follow the prompts to run.
     NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  5. If Combofix asks you to install Recovery Console, please allow it.
  6. If Combofix asks you to update the program, always allow.
     Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  7. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.
Re-enable your Antivirus software.
 
All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\setup.exe moved successfully.
C:\Program Files\blstoolbar\blstoolbar.dll moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 16384 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 16972158 bytes
->Flash cache emptied: 1750 bytes

User: Shannon J
->Temp folder emptied: 15306022 bytes
->Temporary Internet Files folder emptied: 224989 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 39894292 bytes
->Google Chrome cache emptied: 557424 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 564 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3741921 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 525824 bytes

Total Files Cleaned = 74.00 mb


OTM by OldTimer - Version 3.1.12.2 log created on 07072010_100550

Files moved on Reboot...

Registry entries deleted on Reboot...


ComboFix is attached.

Thanks
 

Attachments: ComboFix.txt (29.7 KB)
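The OTM log above is plain text, and on a drive with 4 GiB free it is worth knowing where the 74 MB actually came from. This is an added Python helper (not part of OTMoveIt and not from the thread) that parses the [emptytemp] section into per-profile totals and checks the summed bytes against the "Total Files Cleaned" line; the excerpt it parses is copied from the log above with some zero-byte lines omitted, and the 1048576-byte "mb" unit is an assumption that happens to match the logged figure.

```python
import re

# Constructed excerpt of the OTMoveIt [emptytemp] output posted above: the byte
# counts are copied from that log, and zero-byte lines are omitted for brevity.
SAMPLE_LOG = """\
[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 16384 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temporary Internet Files folder emptied: 16972158 bytes
->Flash cache emptied: 1750 bytes

User: Shannon J
->Temp folder emptied: 15306022 bytes
->Temporary Internet Files folder emptied: 224989 bytes
->FireFox cache emptied: 39894292 bytes
->Google Chrome cache emptied: 557424 bytes
->Flash cache emptied: 564 bytes

Windows Temp folder emptied: 3741921 bytes
RecycleBin emptied: 525824 bytes

Total Files Cleaned = 74.00 mb
"""

USER_RE = re.compile(r"^User: (.+)$")
USER_ITEM_RE = re.compile(r"^->(.+?) emptied: (\d+) bytes$")            # lines under a User: header
SYS_ITEM_RE = re.compile(r"^(.+?) (?:emptied|removed): (\d+) bytes$")  # system-wide locations
TOTAL_RE = re.compile(r"^Total Files Cleaned = ([\d.]+) mb$", re.IGNORECASE)
MIB = 1048576  # assumption: OTM's "mb" is 1048576 bytes, which matches the 74.00 figure


def parse_emptytemp(text):
    """Return {'per_user': {user: bytes}, 'system': bytes, 'reported_mb': float or None}."""
    parsed = {"per_user": {}, "system": 0, "reported_mb": None}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := USER_RE.match(line)):
            current = m.group(1)
            parsed["per_user"].setdefault(current, 0)
        elif (m := USER_ITEM_RE.match(line)):
            if current is None:
                raise ValueError("item line before any 'User:' header: " + line)
            parsed["per_user"][current] += int(m.group(2))
        elif (m := SYS_ITEM_RE.match(line)):
            parsed["system"] += int(m.group(2))
        elif (m := TOTAL_RE.match(line)):
            parsed["reported_mb"] = float(m.group(1))
    return parsed


def total_bytes(parsed):
    return sum(parsed["per_user"].values()) + parsed["system"]


def totals_consistent(parsed, tolerance_mb=1.0):
    """True when the summed byte counts agree with OTM's rounded MB total."""
    if parsed["reported_mb"] is None:
        return False
    return abs(total_bytes(parsed) / MIB - parsed["reported_mb"]) <= tolerance_mb


def largest_contributors(parsed):
    """Profiles and system locations ordered by bytes freed, biggest first."""
    rows = list(parsed["per_user"].items()) + [("(system locations)", parsed["system"])]
    return sorted(rows, key=lambda row: row[1], reverse=True)
```

Calling `largest_contributors(parse_emptytemp(SAMPLE_LOG))` puts the interactive profile first and the NetworkService account second, which is the kind of breakdown that tells you which caches to keep an eye on.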
Have you decided what you are going to do? I will need for you to open the Combofix log and look at the multiple entries for 8/17/2001 +/- a day or two. Since you haven't done any maintenance, you are going to need to decide what those drivers are for and if you're still using them.

74MB were recovered after files were moved in OTMoveIt.
 
And how would one determine if they are being used?

All browsers are now working properly, including Google Chrome, with no pop-ups or redirects.

I would like to reformat, but I would like to backup itunes, quicken, and a few documents. I just want to make sure that no viruses are going come along for the ride. It appears, at least to me, that the viruses have been extinguished. Do you agree with that assessment? Do the drivers need to be dealt with in order to reformat?

Many thanks
 
If you think about it, you want to have your cake and eat it too! You want me to make sure the system is clean so you can throw it out, reformat and reinstall! Doesn't make a whole lot of sense! (this is meant as a 'tongue-in-cheek' comment and no offense is intended)

There are way too many entries for 8/17/2001 for me to check. You should either do a search on the internet for the file names, or perhaps do a date search on your computer to see what might have been installed on that date.

I cannot guarantee you that all of the files are free of malware. While I did my best to guide you into cleaning the system, just knowing you haven't done any maintenance for years does leave the possibility that something could be hidden in an old file.

The time to backup is when you know the system is clean- before you have the malware that needs cleaning!

I suggest it would be better to put a good maintenance plan in practice, clean up the old files and folders, uninstall programs you're not using and stay with what you have. Here are some suggestions:

Maintenance for the Computer System

1. Error Checking (CHKDSK): This checks your hard drive for errors. With Windows XP, you will need to restart your computer after selecting this task for it to run.

2. Disk defrag: This takes all of the bits of data on your hard drive and puts them in order. If you use your computer a lot, you can have data scattered all over your hard drive. It makes your computer run slower when it is looking for this information.

3. Deleting temporary internet files: Each time you go to a site, a temporary file is placed on your computer's hard drive. These can add up to a lot of space if not deleted regularly.

4. Deleting cookies: These are small files web sites put on your hard drive to identify you and track your surfing habits. If you have a password saved for a certain web site, deleting your cookies will delete that as well. Over the years there have been some lively debates about how often to do this. I don't very often, others do it daily. It is really up to each person.

5. Delete History: This is similar to temporary internet files. But when you delete History, it deletes the URLs in the Address box drop-down menu. You can also change the time to keep History to fewer days.

6. Checking for security and critical updates: This requires you to go to Microsoft.com and do a Windows Update scan. Often there are security problems, or hackers have found a vulnerable spot in Windows that needs to be fixed. I do this once a week. The updates are not that frequent but, while online, I'll just check and see if there are any.
 
Understood. I will check into the entries and clean her up. I sincerely thank you for your time and keep fighting the good fight.
 
You're welcome. I appreciate your taking my comment as meant- I never know if someone is going to fry me! After you get it cleaned up:

Please follow these simple steps to keep your computer clean and secure:


Stay current on updates:
  • Visit the Microsoft Download Site frequently. You should get all updates marked Critical and the current SP updates: Windows XP: SP2, SP3.
  • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
  • Check this site often: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

Make Internet Explorer safer. Follow the suggestions HERE. This tutorial will help guide you through Configuring Security Settings, Managing ActiveX Controls and other safety features.

Do regular Maintenance
  • Remove Temporary Internet Files regularly:
    [o] ATF Cleaner by Atribune
    OR
    [o] TFC
  • Disable and Enable System Restore:
    [o] See System Restore Guide. This will help you understand what this is, why you need to clean and set restore points and what information is in them.

Have layered Security:
  • Antivirus Software (only one): Both of the following programs are free and known to be good:
    [o] Avira Free
    [o] Avast Home
  • Firewall (only one): Use a bi-directional firewall. Both of the following programs are free and known to be good:
    [o] Comodo
    [o] Zone Alarm
  • Antispyware: I recommend all of the following:
    [o] SpywareBlaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad ActiveX controls from being installed. Remember to update it regularly.
    [o] IE/Spyad: This places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc.) from the sites listed, although you will still be able to connect to the sites.
    [o] MVPS Hosts file: This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
    [o] Google Toolbar: Get the free Google toolbar to help stop pop-up windows.
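As an added illustration (not from the thread and not the MVPS project's own code), this Python snippet shows what the HOSTS-file mechanism described above actually does: a hostname pinned to 127.0.0.1 or 0.0.0.0 never reaches the ad server, matching is by exact name only (no wildcards), and an entry that points somewhere other than a sink address is the thing to look for when checking whether the file has been tampered with, since the same file can redirect lookups the other way. The file contents and hostnames are constructed placeholders under the reserved .test domain.

```python
# Constructed HOSTS excerpt in the style of a blocking list (not the real MVPS file).
HOSTS_SAMPLE = """\
# comment lines and blank lines are ignored
127.0.0.1       localhost
127.0.0.1       ads.example-tracker.test        # blocked: resolves to this machine
127.0.0.1       banner.example-ads.test stats.example-ads.test
0.0.0.0         popup.example-ads.test          # another common sink address
203.0.113.9     update.example-av.test          # suspicious: a public address, not a sink
"""

# Addresses that swallow a connection locally instead of reaching the named site.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return [(ip, [hostnames...])] in file order, with comments stripped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # everything after '#' is a comment
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed: an address with no hostname does nothing
        entries.append((fields[0], [name.lower() for name in fields[1:]]))
    return entries


def lookup(entries, hostname):
    """First exact, case-insensitive match wins. HOSTS has no wildcards, so a line for
    ads.example-tracker.test does NOT cover sub.ads.example-tracker.test."""
    wanted = hostname.lower().rstrip(".")
    for ip, names in entries:
        if wanted in names:
            return ip
    return None


def is_blocked(entries, hostname):
    """True when the name is pinned to a sink address, so the browser connects to
    the local machine (or nowhere) instead of the ad or tracking server."""
    return lookup(entries, hostname) in SINK_ADDRESSES


def non_sink_entries(entries):
    """Entries that send a name to a real address rather than a sink. A blocking
    list should contain none, so these are what to review in a HOSTS audit."""
    flagged = []
    for ip, names in entries:
        if ip not in SINK_ADDRESSES:
            flagged.extend((ip, name) for name in names)
    return flagged
```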
 