TechSpot

Following the virus/malware removal steps would like to know something?

By Jacal
May 13, 2007
  1. Does the AVG Antirootkit Programme need AVG Anti-virus to work?
     
  2. momok

    momok TS Rookie Posts: 2,265

    Hi,

    No it doesn't. You can install it and run it on its own. It will be saved to the same parent directory (C:\Program Files\Grisoft\) as the other AVG software.
    If you have any virus/malware related issues, may I suggest that you visit this thread HERE before you decide whether to clean or reformat your system.

    Should you decide to clean your computer, please go ahead with the steps in the Viruses/Spyware/Malware preliminary removal instructions to clean your computer.

    Thereafter, please post fresh HijackThis, AVG Antispyware and Combofix logs as attachments into this thread. Do not copy and paste; otherwise they will be ignored and/or removed by the moderators.


    Regards,
    Your friendly Momok =)

    This thread is for the use of Jacal only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. Jacal

    Jacal TS Rookie Topic Starter Posts: 83

    Thanks for the information; it's because I already have Norton Internet Security installed on this machine, so I was just wondering. Thanks again for clearing that up for me. I will attach the logs as soon as I am finished.

    I have a problem :( ... I cannot get onto the site that Step 10 is carrying me to. Please help :( I have tried using both Mozilla Firefox and Internet Explorer. None of them will load the page.
     
  4. momok

    momok TS Rookie Posts: 2,265

    Hi,

    In that case please carry on with the rest of the steps, and post the requested log files (AVG Antispyware, HijackThis and ComboFix) when you are done.


    Regards,
    Your friendly Momok =)

    This thread is for the use of Jacal only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  5. Jacal

    Jacal TS Rookie Topic Starter Posts: 83

    Just the HijackThis and Combofix logs you're going to be getting, because Norton is installed on the machine. hehe :p
     
  6. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Please go ahead and install AVG AntiSpyware.
    It is different from AVG Antivirus, and its role in the cleaning process is often important as it detects several infections and trojans that other software (like Norton) does not. I will need to see the log at least once.


    Regards,
    Your friendly Momok =)

    This thread is for the use of Jacal only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  7. Jacal

    Jacal TS Rookie Topic Starter Posts: 83

    I have the Anti-spyware installed :p just not the anti-virus. I am doing the part where I am to be in safe mode now on the computer and talking through another.
     
  8. Jacal

    Jacal TS Rookie Topic Starter Posts: 83

    Here are the files from the process. Sorry it took so long.
     
  9. momok

    momok TS Rookie Posts: 2,265

    Hi,

    No worries =) I went to sleep anyway :p

    Your system is infected with a variety of malware

    (Please back up your registry before you do the next step)

    You may wish to copy and paste these instructions on notepad for easier reference later.

    Boot into safe mode under your normal user name. See how HERE

    Next turn on "Show all files and folders, including hidden and system". See how HERE

    Go to start > run and type services.msc. Press the enter key.
    Search for the following services (if there); double-click each and select Stop if it is running. Set the startup type to Disabled. Click Apply/OK for each service you disable.

    BSplayer_WhenUSave_Installer
    user32.dll
    rare
    Shell23


    Go to start > Control Panel > Add and Remove Programs.
    Remove anything related to the following:

    BSplayer_WhenUSave_Installer
    Video ActiveX Access
    VideoEggPublisher


    Open your task manager by holding ctrl and alt and pressing del. Alternatively, use ctrl + shift + esc. Go to the Processes tab and end the following processes, if found:

    iesmn.exe
    VideoEggPublisher.exe


    After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

    O3 - Toolbar: Protection Bar - {31615D5C-5126-448A-818A-A7CDFEE85A9B} - C:\Program Files\Video ActiveX Access\iesbpl.dll (file missing)

    O4 - HKLM\..\Run: [BSplayer_WhenUSave_Installer] C:\Program Files\BSplayer_WhenUSave_Installer\BSplayer_WhenUSave_Installer.exe

    O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video ActiveX Access\iesmn.exe

    Fix all O6 entries. Do this if this is your personal system or the administrator did not set any such restrictions.

    O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe

    O21 - SSODL: rdihost - {14906C60-AA68-44FC-92E8-01F391E310F2} - rdihost.dll (file missing)

    O22 - SharedTaskScheduler: heterandrous - {735e980d-45d2-4777-af82-9923d3c8d3ae} - C:\WINDOWS\system32\kgkdbsk.dll (file missing)

    Close HJT.

    Navigate in Windows Explorer and delete the following files and folders in bold.

    C:\WINDOWS\Cafezee Client Uninstaller.exe
    C:\WINDOWS\system32\kgkdbsk.dll
    C:\WINDOWS\system32\Explorer.exe
    C:\Program Files\Video ActiveX Access\

    Go to Start > Run and type regedit. Press Enter.
    Navigate manually to HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run and delete the following keys:
    "Shell23"="C:\\WINDOWS\\system32\\Explorer "
    "BSplayer_WhenUSave_Installer"="C:\\Program Files\\BSplayer_WhenUSave_Installer\\BSplayer_WhenUSave_Installer.exe"


    Next, navigate manually to HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run and delete the following:
    "rare"="C:\\Program Files\\Video ActiveX Access\\imsmain.exe"
    "user32.dll"="C:\\Program Files\\Video ActiveX Access\\iesmn.exe"


    Also, press ctrl + F and search for all instances of the following and delete them.
    kgkdbsk.dll
    rdihost.dll
    Driveinfo.exe
    sxs.exe

    Close the program.

    Reboot into normal mode and rehide your protected OS files.

    Thereafter, please post fresh HJT and ComboFix logs from normal mode as an attachment into this thread.


    Regards,
    Your friendly Momok =)

    This thread is for the use of Jacal only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  10. Jacal

    Jacal TS Rookie Topic Starter Posts: 83

    Umm, I noticed that you have Cafezee in the list, but that program is the software that I use for the internet cafe that this computer is in. Also, could you please advise as to which registry keys I am to back up? Thanks.

    Another thing I noticed :p I read too fast lol .. umm, the process to back up the registry is for Windows 2000, whereas this computer is running Windows XP Professional.

    Here are the new HJT and ComboFix logs.
     
  11. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Thank you for telling me about Cafezee. I just found it extremely suspicious since there were no hits in Google, and I did not notice any similar software on your system.

    Please reboot into safe mode and show all hidden files and folders again.

    Open taskmanager and end the following processes if found:
    sxs.exe
    toy.exe
    driveinfo.exe


    Run HijackThis and fix the following entries:

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present

    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present

    Close HJT.


    Please use the search function in windows explorer and delete all instances of the following:
    sxs.exe
    toy.exe
    driveinfo.exe


    Also, do the same for the above 3 files in windows registry. (start > run > regedit. press ctrl + f)

    Reboot into normal mode and rehide your OS files.

    Thereafter, please post fresh HJT and ComboFix logs as attachments. Thanks.



    Regards,
    Your friendly Momok =)

    This thread is for the use of Jacal only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  12. Jacal

    Jacal TS Rookie Topic Starter Posts: 83

    Here you go :)
     
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Go to Add/Remove Programs in your Control Panel and uninstall anything to do with the following (if there).

    Avi Player

    Close control panel.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the Processes tab and end process for the following (if there).

    AviPlayer.exe

    Close task manager.

    Run HJT with no other programs open (except Notepad). Click the Scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O4 - HKLM\..\Run: [Shell23] C:\WINDOWS\system32\Explorer

    O4 - HKCU\..\Run: [Avi Player] "C:\Program Files\Avi Player\AviPlayer.exe" hmw

    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following files and/or directories (if there).

    C:\Program Files\Avi Player  <-- Delete the entire folder.
    C:\WINDOWS\system32\Explorer.exe  <-- This is nasty; the legit explorer.exe runs from the Windows folder and not the system32 folder.

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log and let us know if you`re still having problems.

    Regards Howard :)

    This thread is for the use of Jacal only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
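    The HijackThis entries momok and Howard ask to be fixed above share a few tell-tale shapes: autostarts from the Policies\Explorer\Run key, "(file missing)" registrations, O16 ActiveX downloads, shell load hooks (O21/O22), and an explorer.exe that does not live in C:\WINDOWS. The following Python is an added example, not code from TechSpot or from HijackThis, that parses lines in HJT's log format and flags those shapes; the sample lines are constructed from the entries quoted in this thread plus one legitimate XP autostart (ctfmon.exe) as a control.

```python
import re

# Constructed sample HijackThis (HJT) lines, modelled on the entries quoted in this
# thread plus one legitimate Windows XP autostart (ctfmon.exe) as a control.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Shell23] C:\WINDOWS\system32\Explorer
O4 - HKLM\..\Run: [BSplayer_WhenUSave_Installer] C:\Program Files\BSplayer_WhenUSave_Installer\BSplayer_WhenUSave_Installer.exe
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video ActiveX Access\iesmn.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O21 - SSODL: rdihost - {14906C60-AA68-44FC-92E8-01F391E310F2} - rdihost.dll (file missing)
O22 - SharedTaskScheduler: heterandrous - {735e980d-45d2-4777-af82-9923d3c8d3ae} - C:\WINDOWS\system32\kgkdbsk.dll (file missing)
"""

HJT_RE = re.compile(r"^(O\d+) - (.*)$")
LEGIT_EXPLORER = r"c:\windows\explorer.exe"  # the real shell; see Howard's post above

def flags(line):
    """Return the list of reasons an HJT line deserves a look (empty = nothing noticed)."""
    m = HJT_RE.match(line.strip())
    if not m:
        return []
    code, body = m.groups()
    missing = body.endswith("(file missing)")
    body = body.replace(" (file missing)", "")
    if code == "O4":                      # O4 - <hive\..\Run>: [<name>] <command>
        loc, _, rest = body.partition(": [")
        _name, _, target = rest.partition("] ")
        if target.startswith('"'):        # quoted path followed by arguments
            target = target[1:].split('"', 1)[0]
    else:                                 # O3/O16/O21/O22: last " - " field is the file or URL
        loc, target = "", body.rsplit(" - ", 1)[-1]
    reasons = []
    if missing:
        reasons.append("file missing")    # dangling registration left behind by a removed component
    if "policies" in loc.lower():
        reasons.append("Policies\\Explorer\\Run autostart")  # a less commonly inspected autostart key
    if code == "O16" and target.lower().startswith("http"):
        reasons.append("ActiveX download (DPF)")
    if code in ("O21", "O22"):
        reasons.append("shell load hook " + code)  # SSODL / SharedTaskScheduler load DLLs into the shell
    base = re.split(r"[\\/]", target)[-1].lower()
    if base.split(".")[0] == "explorer" and target.lower() != LEGIT_EXPLORER:
        reasons.append("explorer.exe outside C:\\WINDOWS")
    return reasons

def triage(log_text):
    """Map each flagged HJT line to its reasons; silent lines are not proof of cleanliness."""
    return {ln: flags(ln) for ln in log_text.splitlines() if flags(ln)}
```

    Note that the BSplayer_WhenUSave_Installer entry passes these heuristics even though the thread identifies it as unwanted, so a quiet line is a starting point for research (as Howard does with the Jotti scan), not a verdict.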
     
  14. Jacal

    Jacal TS Rookie Topic Starter Posts: 83

    First thing though, does the Explorer.exe look anything like a blue square-ish symbol? If so, that is part of the Cafezee program, because it is through that that I can use the main computer and set all the other computers' main homepages.
     
  15. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Explorer.exe looks like a My Computer icon and runs from C:\windows\explorer.exe. Yours is running from C:\windows\system32. However, if you have doubts as to whether the file is legit or not, I suggest you do the following.

    Please visit this link http://virusscan.jotti.org/
    * Click the Browse... button
    * Navigate to the following file C:\WINDOWS\system32\Explorer.exe
    * Click Open
    * Please let me know the results.

    Regards Howard :)

    This thread is for the use of Jacal only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  16. Jacal

    Jacal TS Rookie Topic Starter Posts: 83

    Don't worry, I am sure that it is a part of the Cafezee program, because when I deleted it last time the program had a problem running because of that file missing. The program has a Server and a Client mode; the Server mode does not have it but the Client mode does, because from the Server you can set the Explorer home page for the Clients.
     
  17. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

  18. Jacal

    Jacal TS Rookie Topic Starter Posts: 83

    Alright I will. Jotti says the file is ok and kaspersky says the file is too big to scan.
     
  19. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Please post the requested log files when you are done with the instructions.
    Thanks.


    Regards,
    Your friendly Momok =)

    This thread is for the use of Jacal only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  20. Jacal

    Jacal TS Rookie Topic Starter Posts: 83

    Hey, sorry this took so long; I had some guy on the computer that just wouldn't get off it to let me continue working on it (customers -sigh- ). Well, here are the logs, and the system so far is moving a lot better; I have not seen any pop-ups since starting this process. Thanks much, guys.
     
  21. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Please post a fresh HJT log from normal mode.

    Regards Howard :)

    This thread is for the use of Jacal only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  22. Jacal

    Jacal TS Rookie Topic Starter Posts: 83

    Gah my week has been too busy >.< sorry.

    Well, here is the HJT log from normal mode. Somebody went on some bad sites, so I do not know if anything has gotten onto it to change it.
     
  23. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is clean.

    I suggest you stop people from going on dodgy websites, otherwise, your system will be infected again real soon.

    Turn off system restore.(XP/ME only) See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of Jacal only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  24. Jacal

    Jacal TS Rookie Topic Starter Posts: 83

    Thanks much for the help again :D :D :D, I will try my best to monitor people's activities, but that is the best I will be able to do.
     