
Help required - Virus removal

By iturkington
Feb 2, 2009
  1. Hi,

    I'm wondering if someone can give me some help or advice on virus removal.

    The machine was infected by a virus. The symptom was new processes requesting access to the internet. These were blocked by the fire wall, and as a result there was no internet access.

    I've read and followed the "8-step Viruses/Spyware/Malware Preliminary Removal Instructions" post on this forum.

    The virus appears to have been removed successfully. But there is one stubborn bit of malware which will not go away!

    I have virus scanned with AVG Anti Virus Free (latest version). This is now showing no infections, and no warnings.

    I'm basically wondering if the machine is now clean, or how I can get rid of the last bit of Adware.

    I've attached the following log files...
    (1) mbam-log-2009-02-02 (09-50-27).txt
    (2) SUPERAntiSpyware Scan Log - 02-02-2009 - 12-23-15.log
    (3) hijackthis 2009-02-02.log (hijackthis.exe was renamed before running.)

    Any help appreciated.

    Thanks,
    Ian
     

  2. mflynn


    Hi iturkington

    Run HJT, select and remove the below:
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)

    Were there other runs with MBAM and SAS, or are these the only logs?

    Do the below:

    Download SDFix to Desktop.

    http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

    On the Desktop run SDFix. It will run (install) then close.

    Then reboot into Safe Mode

    As the computer starts up, tap the F8 key several times.

    On the Boot menu Choose Safe Mode.

    Click through all the prompts to get to the desktop.

    At Desktop
    My Computer > C: drive. Double-click to open.

    Look for a folder called SD Fix. Double-click to enter SD Fix.

    Double-click RunThis.bat. Type Y to begin.

    SD Fix does its job.

    When prompted hit the enter key to restart the computer

    Your computer will reboot.

    On normal restart the Fixtool will run again and complete the removal process, then say Finished.
    Hit the Enter key to end the script and load your desktop icons.

    Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
    Attach the Report.txt file to your next post.
    =========================================
    Download ComboFix

    NOTE: If the ComboFix you have is more than a few days old, delete it and re-download.

    Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Or here: http://subs.geekstogo.com/ComboFix.exe

    Double click combofix.exe follow the prompts.

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click ComboFix's window while it's running. That may cause it to stall.

    Mike
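The two HijackThis lines Mike asks to be removed above are both "orphaned" registrations: the registry still says "load this DLL", but HijackThis could not find the file, which it marks as "(no file)" for an O2 BHO and "(file missing)" for an O20 Winlogon Notify package. The following is an added example, not code from the thread or from HijackThis: a small parser for HijackThis-style log lines that pulls out the orphaned O2/O20 entries (the fix list a helper would paste back) and, for each one, the registry keys where that registration lives so it can be checked by hand. The sample log is constructed for this example; it reuses the two entries quoted in the thread, while the {1111...} CLSID, "ExampleVendor" paths and "ExampleNotify" name are placeholders, not real software.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample log for this example (not the poster's actual attachment).
# The two orphaned lines are the ones quoted in the thread; the other entries and
# their CLSID/paths are placeholders for contrast.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\ExampleVendor\helper.dll
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\ExampleVendor\tray.exe
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: ExampleNotify - C:\WINDOWS\system32\exnotify.dll
"""

# "O2 - BHO: <name> - {CLSID} - <path>" / "O20 - Winlogon Notify: <name> - <dll>"
ENTRY_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
# Markers HijackThis prints when the registration exists but the file does not.
ORPHAN_MARKERS = ("(no file)", "(file missing)")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class HjtEntry:
    section: str   # "O2", "O20", ...
    kind: str      # "BHO", "Winlogon Notify", ...
    name: str      # display name HijackThis shows
    target: str    # what gets loaded: "{CLSID} - path" for O2, the DLL for O20
    raw: str       # the original log line, as a helper would quote it

    @property
    def orphaned(self) -> bool:
        return any(marker in self.target for marker in ORPHAN_MARKERS)


def parse_hjt(text: str) -> List[HjtEntry]:
    """Turn the O-numbered lines of a HijackThis log into entries; skip everything else."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, kind, rest = m.groups()
        # The first " - " separates the display name from the load target.
        name, _sep, target = rest.partition(" - ")
        entries.append(HjtEntry(section, kind, name, target, line))
    return entries


def orphaned_entries(text: str) -> List[HjtEntry]:
    return [e for e in parse_hjt(text) if e.orphaned]


def fix_list(text: str) -> List[str]:
    """The raw lines to tick in HijackThis, in log order."""
    return [e.raw for e in orphaned_entries(text)]


def registry_locations(entry: HjtEntry) -> List[str]:
    """Registry keys behind an O2 or O20 entry, for inspection with regedit or reg.exe."""
    if entry.section == "O2":
        m = CLSID_RE.search(entry.target)
        clsid = m.group(0) if m else entry.target
        return [
            r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" + "\\" + clsid,
            r"HKCR\CLSID" + "\\" + clsid + r"\InprocServer32",   # holds the DLL path
        ]
    if entry.section == "O20":
        # The DLLName value under this key is what winlogon.exe tries to load at logon.
        return [r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" + "\\" + entry.name]
    return []


if __name__ == "__main__":
    for e in orphaned_entries(SAMPLE_LOG):
        print(e.raw)
        for key in registry_locations(e):
            print("    ", key)
```

Two caveats worth keeping in mind when reading such a list. "(no file)" only means HijackThis could not find the file at the registered path, so removing the registration is harmless, but the reverse case deserves more attention: an O20 Winlogon Notify entry whose DLL is present and unrecognised is loaded into winlogon.exe with SYSTEM privileges at every logon, which is exactly why malware likes that key, and a BHO whose DLL is present runs inside every Internet Explorer process. Missing-file entries are clean-up; present-but-unknown entries are the ones to investigate before ticking.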
     
  3. Bobbye


    Regarding the O20 entry in the HijackThis log:
    O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)

    acnotify.dll is a part of Access Connections software.
    The following was found by some to be a problem with their IBM Lenovo machines:

    New Intel 2200bg and 2915abg update:
    New Intel PRO 2200bg and 2915abg Mini PCI adapter wireless software (wireless driver from IBM/Lenovo) for Windows 2000, XP - ThinkPad R5*, T4*, X31, X32, X4*, Z60m, Version: 9.0.4.8

    I am quoting one of the users here:
    This might be of help to you.

    Mike I came across this in a search and thought it worth sharing.
     
  4. mflynn


    10-4

    Good to know! I always uninstall that Lenovo, Acer and Dell stuff anyway, but did not know there was a specific issue with it.

    Thanks Bobbye
     
  5. Bobbye


    You're welcome Mike. It's been my experience that the average user does not check for the pre-loaded software and continues to have it all start on boot and run in the background. Toshiba is another bad one, then Sony VAIO. I used to think Dell was the worst, but it's a poor fourth compared to these others!
     
  6. iturkington


    Mike,

    Thanks for the reply, I'm following the steps now.

    You mentioned other logs. I'd run them several times to get the PC as clean as possible, and only attached the final logs.

    So I've attached here if you are interested.

    Thanks again,
    Ian
     
  7. mflynn


    Good job Ian!

    Yes it is good to know what you had in case we need to take extra steps.

    Get me the rest of my last post. SDFix and ComboFix. And we will finish this up.

    Mike
     
  8. iturkington


    Mike,

    I've run SDFix. All worked fine. Log file attached.

    ...BUT...

    When I run COMBOFIX.EXE I get the following...

    (1) prep.com has encountered a problem and needs to close.

    (2) AVG Resident Shield alert
    threat detected!
    Filename: C:\Doc and Settings\Grace\Local Settings\Temp\9.tmp\b2b.dll
    Threat name: Trojan horse BackDoor.SmallX.VX
    Detected on open.

    Any suggestions? I didn't want to turn off the resident shield without getting advice first!

    Thanks,
    Ian
     
  9. mflynn


    Unplug the network cable, turn off AVG and run.

    If still issues run combofix from safe mode.

    Mike
     
  10. iturkington


    Without AVG Combofix completed.
    (although left the laptop locked)

    Now restarted and combofix log file attached.

    Thanks,
    Ian
     
  11. mflynn


    Great you are good to go!

    Look carefully at Bobbye's post #3!

    Other than that, let's close this one and clean up some of these special tools, after you give me a status report on your computer.

    Mike
     
  12. iturkington


    And a new HJT log.
     
  13. iturkington


    Mike,

    Thanks for your help.

    PC appears to be working fine now. In fact there were no symptoms after running all the stuff in the "8-step Viruses/Spyware/Malware Preliminary Removal Instructions", but I thought I'd get some advice on the logs.

    I'll run a few more scans overnight tonight and hopefully it will get a clean scan report.

    With regards to Bobbye's post: the laptop is an IBM ThinkPad T41, and I always connect to the LAN using wireless. But I've not been doing anything to the drivers, and it appears to be working fine, so I'm inclined not to interfere with it.

    Thanks,
    Ian
     
  14. mflynn


    He just had IE open when he ran HJT!

    No problem!

    Mike
     
  15. iturkington


    Should I run HJT one last time,
    without IE running and check?
     
  16. mflynn


    Won't hurt but that was what it was!

    Look in Task Manager for iexplore first; if it is there and you do not have it open, then that will be a problem.

    tragicallyhip is confusing the Windows Explorer (Explorer.exe) (the windows GUI, My Computer) with iexplorer.exe which is the Microsoft Internet explorer.

    Mike
     
  17. iturkington


    Mike,

    Checked task manager and ran HJT without IE running and all looks fine to me.

    Thanks again,
    Ian
     
  18. mflynn


    Told ye so! :D

    Mike
     