Antivirus 360 - 8 steps failed

[Firepig]

Hello,

My son's laptop (XP Pro) has a bad case of Antivus 360 and associated nasties. I manually removed the Antivirus 360 application but Windows crashes except in Safe mode, and even in Safe mode software cannot be installed, browser diverts to adverts, antivirus software won't run. I've looked for TDSSserv.sys and its aliases but this is something different.

My attempts at the 8 steps were not the greatest success:

1 AVG did a full scan and found nothing.

2 CCleaner installed and worked OK

3 was easy: the virus had already disabled the AVG realtime scanner

4 MBAM wouldn't install - the installer just shows an hourglass for a few seconds then stops. An internet connection is available.

5 Similar for SAS, except that it gave an error message

6 Java downloaded OK, but then wouldn't install - message said insufficient privileges, but user has Administrator privileges

7 Didn't attempt HJY because the instructions say the other steps should be completed, but did try to install it - similar result to 4.

8 No logs to post!

Firepig

EDIT: managed to run HJT by running from its original location rather than downloading - posting the log. Thanks for any help - Firepig

EDIT2: also got MBAM to install by running from its original location, but it still won't run, either immediately from installation of otherwise. SAS won't install, evn by this method.

 

[touch]

Hello Firepig

There are some infections in the hijackthis log, there only can be removed with scan tools.

Have you tried a systemrestore ?
Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
On the Welcome screen, click Restore my computer to an earlier time, and then click Next.

If you can restore the computer till before the Antivus 360 infection, please run the 8 steps guide, and provide us with attached log´s

From:
Malwarebyte
Superantispyware
Hijackthis

 

[Firepig]

Tried System Restore

Thanks Touch,

Yes, I tried a System Restore, but nothing happened - it just died. Since then I have been trying to follow advice from other threads, including advice to turn off System Restore in order to avoid reinfection - which I understand means all Restore points will now have been wiped.

Yesterday after many attempts I managed to install and run (in Safe mode) the trial version of AVG Security 8.5, which is supposed to include cleansing of rootkit infections. It only found one item of malware, as shown on the attached log, and the system instability remains. In normal (not Safe) mode XP crashes within a few seconds of starting up on most occasions, and always when attempting to run the cleansing software.

EDIT: uploading a fresh HJT log. Differences seem mainly to relate to installing AVG8, but there is also reoval of ShoppingAdsHelper, the item found by AVG.

 

[touch]

Ok. I actually don´t expected system restore worked, but it was worth a try

We probably need to do things slightly differently, to get rid of the infection.


From safe mode with network download combofix ->

Please download Combofix:
(http://www.forospyware.com/sUBs/ComboFix.exe)
Geeks to Go (http://subs.geekstogo.com/ComboFix.exe)
<<< Rightclick - Save as.

And save to the desktop. << Save it as mike. exe

Close all other browser windows.

Double-click on the combofix icon found on your desktop.

Please note, that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

When finished, it will produce a logfile located at C:\combofix.txt.

Attach the contents of that log in your next reply

 

[Firepig]

Success!

Renaming Combofix was the key. I had previously downloaded it but could not get it to run. After renaming it ran. It objected to the presence of the AVG on-access scanner but I allowed it to run anyway, as I couldn't find a way of disabling the AVG scanner from within Safe mode. Anyway, it seemed to run correctly, restated the computer into Normal mode, deleted a load of stuff and Hey Presto! I seem to have a functioning computer again.

The ComboFix log is uploaded. I am now able to run MBAM and SAS, so their logs are also uploaded (SAS to follow as it is still running), along with a fresh HJT log. MBAM found four entries for Trojan.FakeAlert, and SAS detected seven entires for Adware Vundo Variant; I have not allowed them to clean these yet, until I have your further advice.

Thanks, you're a lifesaver!

EDIT: SAS lob now uploaded. SAS needed a reboot to finish, so I allowed it to clean the items it found.

 

[touch]

Great, it´s a good job you have done

It is safe to fix/delete what malware have found.

I´ll look to the combolog, and post asap.



Open notepad and copy/paste the text in quote below into it:


-------------------------------------------------------------------------------

Killall:

Snapshot::

File::
c:\windows\system32\winconfig.dll
c:\windows\system32\hblogon.dll
F:\RunMe.exe
D:\bot2.exe
E:\servet.exe
G:\Start.exe

Folder::
c:\program files\ShoppingAdsHelper


Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D263FA6D-84CC-48A8-9AF6-C664362B7A5B}]
[-HKEY_CLASSES_ROOT\clsid\{32099aac-c132-4136-9e9a-4e364a424e17}]
[-HKEY_CLASSES_ROOT\DTToolbar.ToolBandObj.1]
[-HKEY_CLASSES_ROOT\TypeLib\{3E288F79-03E4-4983-A48E-0D879B51FF19}]
[-HKEY_CLASSES_ROOT\DTToolbar.ToolBandObj]
[-HKEY_CLASSES_ROOT\clsid\{32099aac-c132-4136-9e9a-4e364a424e17}]
[-HKEY_CLASSES_ROOT\DTToolbar.ToolBandObj.1]
[-HKEY_CLASSES_ROOT\TypeLib\{3E288F79-03E4-4983-A48E-0D879B51FF19}]
[-HKEY_CLASSES_ROOT\DTToolbar.ToolBandObj]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hblogon]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28af3393-c07c-11dd-8a6d-001b9e1b0838}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{37f5617a-912d-11dc-8a02-001b9e1b0838}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b5aee9b4-04d7-11de-8a7d-001b9e1b0838}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b5aee9b8-04d7-11de-8a7d-001b9e1b0838}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b5aee9b8-04d7-11de-8a7d-001b9e1b0838}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dc853dff-9479-11dd-8a5d-001b9e1b0838}]

--------------------------------------------------------------------------------------
Save this as:
CFScript

Refering to the picture above, drag CFScript into ComboFix.exe

Then attach fresh combofix log, along with fresh hijackthis log.

Nb. Is it AVG8 Freeware version you have ?

 

[Bobbye]

Might want to have Firepig run the Norton Removal Tool:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039

Two entries still loading:

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe--

Also, make sure this is gone:
O20 - Winlogon Notify: hblogon - C:\WINDOWS\SYSTEM32\hblogon.dll
HBLOGON.DLL is Trojan/Backdoor.

 

[Firepig]

So far so good...

Thanks to both touch and Bobbye.

I have:

1 run the ComboFix script provided by touch and uploaded the log.
2 downloaded and run the Norton removal tool as suggested by Bobbye (how I hate Norton - 3MB for a removal tool! Bring back the 48K Spectrum, I say).
3 Run HJT and uploaded the log.

Note I have not done anything about Bobbye's other suggestions, pending advice from touch - don't want to do anything that might conflict.

Thanks again, Firepig

 

[Bobbye]

Hey, if you got rid of Symantec'/Norton, it was worth the trip! ComboFix removed the 020 entry, but I'll let Touch handle the rest.

You would be amazed at the number of people who have Symantec entries in their logs! And some never even used the program!

 

[touch]

We can only agree about Norton. Norton are hogging resources and slowing systems down, and almost impossible to get rid of, even you have run the uninstall tool, you still have two Symantec/Norton folders, you´ll have to remove manually:
c:\program files\Common Files\Symantec Shared
c:\program files\Norton Security Scan

It is possible you´ll have to do it from safe mode

It´s an old version of Sun java you have on the computer ->
"Vulnerabilities in old Sun Java versions may be partly responsible for Vundo/Winfixer/Virtuemonde infections.
It is very important not only to keep Sun Java up to date, but also to remove older versions which have security holes and can be exploited by malware."

In preparation first download the latest version:

http://www.java.com/en/download/index.jsp

Required: You must accept the license agreement to download the product.

Uninstall ALL old versions of Sun Java via Add/Remove Programs in controlpanel.
Click the Remove or Change/Remove button.

Restart your PC once all Java components have been removed.

Then install the downloaded java file.

If AVG8 Antivirus are the Free version, I´ll recommend you uninstall it, using this tool -

Here is the 32Bit version: [http://www.grisoft.cz/filedir/util/avg_arm_sup_____.dir/avgremover.exe

Then install Avira Free AntiVirus
: http://www.free-av.com/en/download/1/download_avira_antivir_personal__free_antivirus.html

Update it, and run a complete scan.

Download Flash_Disinfector.exe by sUBs from http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe
and save it to your desktop.
Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.

Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

Then, please tell how you´r computer are running ?

 

[Firepig]

More progress...

Thanks again Touch, and Bobbye.

Overnight I ran a full MBAM scan, and it found eight entries, though four apparently already quarantined; I allowed it to fix those. I am uploading the log.

I have deleted the two Symantec folders, apparently with no difficulty, from Normal mode but i will check that they don't reappear after reboot.

Sorry, I should have responded before about AVG; before the problem I had AVG AntiVirus 7.5 Free installed, but before we cured the main infection I managed to install and run AVG Internet Security 8.5 trial version; I understand that is the full version and is supposed to deal with rootkits, though it hasn't achieved a great deal so far. I will now uninstall it as you suggest and install Avira, and the same on our other PCs. We also use Zonealarm free version firewall, though it is currently disabled on the PC we are working on, as is the AVG on-access scanner..

I tried to update Java as part of the 8 Steps but the infection prevented it running at the time. I have now uninstalled the two versions previously installed and then installed the new version as you suggested, except that I failed to restart the computer in between as you asked; if that's an issue I can uninstall and reinstall.

The Flash_Disinfector link was broken; I can't locate it elsewhere from a source I trust.

Computer now appears to be running fine, with none of the previous symptoms.

 

[touch]

I was glad to help, and that´s good news your computer are running fine

No need to uninstall and reinstall java, just make sure they are gone from add/remove program.

See if you can download FlashDinfector from ->
HERE

Now your computer problems are solved, it is time for the clean-up procedure.

Uninstall ComboFix

Go to Start->Run, and type in ComboFix /u
Make sure there is a space between ComboFix and /u
Click Enter

This will ->
Uninstall ComboFix. Delete its related folders and files.
Reset your clock settings. Hide file extensions.
Hide the system/hidden files. And resets System Restore again.

I also suggest you read Tony Klein´s article.
So how did I get infected in the first place:
http://www.spywareinfoforum.com/index.php?showtopic=60955

 

[Firepig]

All done

Touch, many, many thanks for your help.

ComboFix successfully uninstalled. AVG removed. Avira installed, found nothing on initial scan.

The link to the Flash cleaner is still broken, though.

Just remains to reinstall the firewall and run the tools again to make sure nothing has been missed, but all appears normal, then switch to Avira on the other family PC's. Is ZoneAlarm still as good as any of the free firewalls?

The advice in the article is all well known, but stopping teenagers clicking on things is practically impossible.

 

[touch]

My pleasure

If You don´t have problems with ZoneAlarm, I´ll suggest you keep it, and (just My opinion) is it still as good as any of the other free firewalls.
If you want another, I can recommend Online Armor:
http://www.tallemu.com/free-firewall-protection-software.html

Yes, I know teenagers are clicking on any link they see.

Tony Klein recommend the user/ you install Spywareblaster. The program blocks installation of many known malicious ActiveX objects.

If you also install MVPS HOSTS:
http://www.mvps.org/winhelp2002/hosts.htm
Are you well protected, however, it won´t stop teenagers clicking on things, but the malicious sites won´t open.

That´s odd FlashDisinfector won´t open. Try to rigthclick on th link - save as.