Google redirect - rootkit and gootkit virus issues

Solved
By gunawaj
May 16, 2010
Topic Status:
Not open for further replies.
  1. Hello!
    Seems like I'm also having serious problems with attempting to remove the rootkit and gootkit viruses from my computer. I've performed the 8 step preliminary removal instructions and attached the log files to this post. However, I was unable to update my Adobe Reader to the latest version due to an error accessing the following during the installation process:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents

    I don't know if this is related to the virus infection on my computer. Thanks in advance for your assistance!


  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    gunwale, please do the following to start:

    Click on Start> Run> type in services.msc> double click on Remote Procedure Call> Set the Startup type to Automatic> Start the Service> Exit Services.
    ===================================
    Please download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.
    =============================
    After the scan with Combofix, do the following:

    Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    Folder::
    
    DDS::
    Hosts: 89.149.249.198 www.google.com
    Hosts: 89.149.249.198 www.google.de
    Hosts: 89.149.249.198 www.google.fr
    Hosts: 89.149.249.198 www.google.co.uk
    Hosts: 89.149.249.198 www.google.com.br
    Hosts: 89.149.249.198 www.google.it
    Hosts: 89.149.249.198 www.google.es
    Hosts: 89.149.249.198 www.google.co.jp
    Hosts: 89.149.249.198 www.google.com.mx
    Hosts: 89.149.249.198 www.google.ca
    Hosts: 89.149.249.198 www.google.com.au
    Hosts: 89.149.249.198 www.google.nl
    Hosts: 89.149.249.198 www.google.co.za
    Hosts: 89.149.249.198 www.google.be
    Hosts: 89.149.249.198 www.google.gr
    Hosts: 89.149.249.198 www.google.at
    Hosts: 89.149.249.198 www.google.se
    Hosts: 89.149.249.198 www.google.ch
    Hosts: 89.149.249.198 www.google.pt
    Hosts: 89.149.249.198 www.google.dk
    Hosts: 89.149.249.198 www.google.fi
    Hosts: 89.149.249.198 www.google.ie
    Hosts: 89.149.249.198 www.google.no
    Hosts: 89.149.249.198 www.google.ru
    Hosts: 89.149.249.198 www.google.ua
    Hosts: 89.149.249.198 www.google.pl
    Hosts: 89.149.249.198 www.google.ro
    Hosts: 89.149.249.198 www.google.co.nz
    Hosts: 89.149.249.198 www.google.in
    Hosts: 89.149.249.198 www.google.th
    Hosts: 89.149.249.198 www.google.tr
    Hosts: 89.149.249.198 www.google.hu
    Hosts: 89.149.249.198 www.google.cr
    Hosts: 89.149.249.198 www.google.lv
    Hosts: 89.149.249.198 www.google.lt
    Hosts: 89.149.249.198 www.google.bg
    Hosts: 89.149.249.198 www.google.be
    Hosts: 89.149.249.198 www.google.vn
    Hosts: 89.149.249.198 www.google.ve
    Hosts: 89.149.249.198 www.google.sw
    Hosts: 89.149.249.198 search.yahoo.com
    Hosts: 89.149.249.198 us.search.yahoo.com
    Hosts: 89.149.249.198 uk.search.yahoo.com
    TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
    DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
    
    Registry::
    Driver::
    
    FCopy::
    C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\Windows\System32\drivers\atapi.sys
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
  3. gunawaj

    gunawaj Newcomer, in training Topic Starter

    Hi Bobbye,

    Thanks for responding to my post. Much appreciated. I've attached the Combofix log from the initial scan (ComboFix.log) and following the scan with the CFScript (ComboFix2.log) running with ComboFix.

    -jason


  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Please download sUBs' SvcQuery.exe and save to your desktop.
    • Double click the file to Open
    • A window will open. When prompted to provide a service name, type in the following:
      yapnnnxo
    • Press Enter
    • The tool will create a log. Please leave that in your next reply.
    ======================
    Custom CFScript


    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\sysprep\PEDrv.sys
    c:\windows\system32\config\systemprofile\Application Data\rbuwzv.dat
    c:\documents and settings\LocalService\Application Data\rbuwzv.dat
    c:\sysprep\Drivers\ioport.sys
    Folder::
    
    Registry::
    RegLock::
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
    
    Driver::
    SVRPEDRV
    IO_Memory
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
    Are you aware that Azureus (which is now named Vuze) is still on the system from 2006-11-25 01:12? This is a file sharing (P2P) program.
  5. gunawaj

    gunawaj Newcomer, in training Topic Starter

    I've attached the requested logs. I do realize that Azureus is installed on my computer; it hasn't been used in a while. Your help is much appreciated!

    -j


  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Did you type in the Service name I left> yapnnnxo?

    How is the system running now? Let me know if any of the original malware related problems haven't been resolved.

    I will have you reset the host files. Please download MVPS Hosts files. This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.

    If you would like, I can remove Azureus and all its files. (I tend to be pushy about removing P2P programs because I see how much malware comes from them!)

    Please download the HijackThis Installer HERE and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
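
An added example, not part of the original thread and not code from ComboFix or MVPS: a Python check for the hosts-file hijack that the earlier CFScript lists (search domains pointed at 89.149.249.198), which also separates it from the deliberate 127.0.0.1 sinkhole entries described in the reply above. The sample file contents and the `WATCHED_LABELS` set are constructed assumptions; only the IP address comes from the thread.

```python
from collections import defaultdict
import ipaddress

# Assumption: brand labels taken from the "Hosts:" lines in the thread's CFScript.
WATCHED_LABELS = {"google", "yahoo"}

# Constructed sample hosts file (on Windows XP the real file is
# C:\WINDOWS\system32\drivers\etc\hosts).
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1       localhost
0.0.0.0         ads.example.net
127.0.0.1       ads.yahoo.com        # sinkholed on purpose, not a hijack
89.149.249.198  www.google.com
89.149.249.198  WWW.Google.CA  search.yahoo.com   # two names on one line
192.168.1.20    nas.home.example
not-an-ip       www.google.de
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # malformed address: not a mapping
        for name in fields[1:]:                   # one line may carry several names
            yield line_no, ip, name.lower().rstrip(".")


def is_sinkhole(ip):
    """127.0.0.1 / 0.0.0.0 style entries block a site rather than redirect it."""
    return ip.is_loopback or ip.is_unspecified


def is_watched(hostname):
    """True when any DNS label of the name is one of the watched brands."""
    return any(label in WATCHED_LABELS for label in hostname.split("."))


def find_hijacks(text):
    """Return (line_no, ip, hostname) for watched names sent to a real address."""
    return [
        (line_no, str(ip), host)
        for line_no, ip, host in parse_hosts(text)
        if is_watched(host) and not is_sinkhole(ip)
    ]


def group_by_target(hijacks):
    """Group flagged hostnames by the address they were redirected to."""
    groups = defaultdict(list)
    for _, ip, host in hijacks:
        groups[ip].append(host)
    return {ip: sorted(hosts) for ip, hosts in groups.items()}


if __name__ == "__main__":
    for ip, hosts in group_by_target(find_hijacks(SAMPLE_HOSTS)).items():
        print(f"{ip}: {len(hosts)} search hostnames redirected -> {', '.join(hosts)}")
```

Many unrelated search hostnames resolving to one address is the pattern to look for; a single flagged line may be a legitimate local override.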
  7. gunawaj

    gunawaj Newcomer, in training Topic Starter

    Hi Bobbye,

    I did originally enter the service name "yapnnnxo" when I first ran SvcQuery, however, on a second attempt after I read your most recent post, the service name was not recognized by the program.

    My computer appears to be running normally. There's no redirect issue when doing a search with Google. However, I have not recently run a scan with any of my AV programs since going through this process with you to verify the existence of any malware.

    I do have an issue with trying to enable auto protect with my Symantec AV program. Even though I have it clicked, it still claims that it is disabled and I'm unsure how to restore the auto protect. I'm assuming this has to do with the recent viruses on my computer?

    I can uninstall Azureus on my own, thanks though.

    Many thanks for your continued help; you can find below the most recent HijackThis log:

    ---------------------------------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:32:02 AM, on 5/19/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\WINDOWS\system32\svchost.exe
    c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\Media Apps\MagicDisc\MagicDisc.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
    O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\Snagit 9\SnagitBHO.dll
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 9\SnagitIEAddin.dll
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - Startup: MagicDisc.lnk = C:\Program Files\Media Apps\MagicDisc\MagicDisc.exe
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

    --
    End of file - 9766 bytes
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Check and make sure this Service is set to Automatic Startup type and running:

    Click on Start> Run> type in services.msc> double click on Symantec AntiVirus Client> Set Startup Type to Automatic> Start the Service.
    (This is the real-time component of the Symantec antivirus protection program- it may show as Norton AntiVirus Server)

    I'm not sure what's going on though because the file that the Service causes to run is rtvscan.exe and that shows as running in the HJT log.

    The following Symantec Services are running in the HijackThis log:
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


    --
  9. gunawaj

    gunawaj Newcomer, in training Topic Starter

    All the Symantec Antivirus Services are running on Automatic start-up according to the Services list, except for the one called "Symantec Network Drivers Service" which was listed as "Disabled". I changed that one to "automatic" but it did not change anything. The "enable auto protect box" in the configuration is still listed as "disabled". Do you think it requires a re-installation of the program?
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    I think it would be easier to just reinstall it. According to the HijackThis log, the Real Time process is running:
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    It could have been damaged by the malware. Let me know how the reinstall goes. Then I'll have you remove the cleaning tools and old restore points.
  11. gunawaj

    gunawaj Newcomer, in training Topic Starter

    reinstall did the job, seems to be working normally
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Did you reset the Host files per my Reply #6?

    Run this online scan to make sure nothing's been missed. If it's clean, I'll have you remove the cleaning tools and old restore points:

    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
  13. gunawaj

    gunawaj Newcomer, in training Topic Starter

    Argh. There still appear to be several pieces of malware on my computer despite the fact that it isn't causing any noticeable disruptions to its operation. There's no redirect problem when using Google as well. I don't know if some of the malware is due to the quarantined section to which Norton places the viruses it can't remove upon my initial scans? I've attached the Eset log file.

  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    There is actually only one new malware entry in Eset: But the problem is that it isn't a new infection. It's a recurrence of a worm that was previously removed. I think there is a good chance that your network is infected and also a flash drive if you've been using one. I can move this entry, like I've done for others, but I'm going to describe what the infection is, then let you decide what you want to do:

    The entry is another one of those weird names: C:\WINDOWS\system32\xbcwykfjw
    The malware is Win32/Pinit virus> this same infection shows previously removed and in the Qoobox where ComboFix sends the quarantined files. They are not active in your system. And System Volume which is the System Restore points. These entries are no longer active on the system. The only harm they can do is if you do a system restore and happen to choose one of the infected restore points.
    ========================
    About Win32/Pinit and this was also found earlier:
    1. Aliases: Trojan-Dropper.Win32.Agent.aaki (Kaspersky), Generic Dropper (McAfee), W32.Spamuzle.D (Symantec)
    2. Win32/Pinit.B is a worm that spreads via shared folders> The worm tries to copy itself into shared folders of machines on a local network.
    3. It may be that another PC on your network is infected and it's trying to infect that PC, probably because of improper sharing permissions.
    4. The following usernames are used: * administrator
    5. Win32/Pinit.B is a worm that steals passwords and other sensitive information. The worm can send the information to a remote machine. The HTTP protocol is used.

    You can see more details on this Eset site: http://www.eset.eu/encyclopaedia/pinit_b_trojan_dropper_agent_aaki_generic_dropper_spamuzle_d

    I recommend that you try to disable all your shares, including the default shares.
    If you can do this from a computer that is not on the network, change all of your passwords and monitor any online financial transactions.
    Wipe the drive and reinstall the operating system.
    Once that is done, change all your passwords again.

    A note on saving files: The worm acts as the Administrator so anything done under that account is at risk.

    I'm sorry- I know this isn't what you want to hear. But the recurrence by the same Worm means its source wasn't found and removed-or-that it's getting reinfected through the network.
  15. gunawaj

    gunawaj Newcomer, in training Topic Starter

    Yikes, that does not sound too good. The infected laptop is not part of a network as I don't actually have any shared drives/folders, but I do in fact have a USB flash drive (a USB key) that's plugged into the computer that has been infected which I do copy my files into. Could that be the source?

    Can we try to move the malware as before? I'm assuming something will also have to be done with the USB flash drive. I'd like to treat the reformatting of my hard drive and re-install of the O/S as an ultimate last resort; however, does it seem likely that it's going to be absolutely necessary?

    Thanks again for your continued efforts with this!
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Then the source is most probably the flash drive. You can disinfect it:

    • [1]. Download Flash_Disinfector and save it to your Desktop.
      [2]. After downloading, double-click on Flash_Disinfector to run it.
      [3]. Just follow the prompts and continue until it begins scanning.
      [4]. If asked to insert your flash drive or any removable device including USB Pen Drive and Memory Stick, please do so.
      [5]. It will scan removable drives, wait for the scan to finish. Done.

    When that has been done:

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes	
      
      :Services
      :Reg
      
      :Files  
      C:\WINDOWS\system32\xbcwykfjw
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    When you have finished, reboot the computer and run the Eset scan again.

    And just so you know where I'm coming from, I never recommend a reformat and reinstall unless I do consider it the ultimate last resort. But we'll give it a try.
  17. gunawaj

    gunawaj Newcomer, in training Topic Starter

    I've attached the latest ESET scan log. It looks like the file was moved, and it did not detect any "new" viruses.


  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Okay- reboot and run another scan with Eset.

    If it hasn't recurred, I'll have you remove the cleaning tools. Be sure you disinfect the flash drive.
  19. gunawaj

    gunawaj Newcomer, in training Topic Starter

    So I disinfected the USB flash drive and ran the ESET as per your post from May 23rd, and re-ran the ESET scan again as per your latest post and it appears there are no new viruses anymore. Crossing my fingers!


  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Very good! Let's clean up:

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
      [*]Choose Disk Cleanup
      [*]Click "OK" to select the partition or drive you want.
      [*]Click the "More Options" Tab.
      [*]Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Let me know if you need more help.
  21. gunawaj

    gunawaj Newcomer, in training Topic Starter

    Alright, I've uninstalled Combofix, run OTCleanIt and created the new System Restore point. I think everything looks good now. Thanks again for all your help with this matter; it was a pleasure working with you!
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    You're very welcome- glad to help. Here are some tips to help keep the system clean.

    Please follow these simple steps to keep your computer clean and secure:
    1. Disable and Enable System Restore: See System Restore Guide. This will help you understand what this is, why you need to clean and set restore points and what information is in them.
    2. Stay current on updates:
    • Visit the Microsoft Download Site frequently. You should get All updates marked Critical and the current SP updates: Windows XP> SP2, SP3.
    • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
    • Check this site often: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
    3. Make Internet Explorer safer. Follow the suggestions HERE. This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.
    4. Remove Temporary Internet Files regularly: Use ATF Cleaner by Atribune or TFC
    5. Use an AntiVirus Software (only one)
    See Virus, Spyware, and Malware Protection and Removal Resources

    6. Use a good, bi-directional firewall (one software firewall). I recommend either of these software firewalls - both are free and good:
    Comodo or Zone Alarm
    7. Consider these programs for Extra Security
    • Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
    • IE/Spyad: This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts files: This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
    • Google Toolbar: Get the free Google toolbar to help stop pop up windows.

    If I can be of further assistance, please let me know.