HijackThis/ComboFix/AVG Antispyware


crystalline

Hi... I have followed all the instructions for the preliminary cleaning of an infected computer with the following exceptions:

1. AVG Anti-Spyware would not install. I kept getting a message that told me installation could not be completed due to my computer not restarting after I uninstalled the program (I was told it could be infected, and that I should remove and reinstall). After restarting the computer, I continued to get the same message, and don't know how to get the program to install.

2. I did not run Ad-Aware 2007. The installation seemed to go successfully, but when I try to run the program, both in safe mode and in normal mode, I get an error message saying the program cannot be accessed.

Panda Anti-Rootkit scan found the following rootkit:
C:\ProgramFiles\KGB\MPK.exe

I am not certain but I believe that is some sort of extension from the KGB keylogger I have installed to monitor my children's usage. However, I will remove it if need be.

My current computer symptoms are as follows: I have no more fake security alerts, my desktop is back to normal (it was hijacked with an anti-spyware message before), but loading up Windows is EXTREMELY slow. Applications DO work, such as the internet, and once they are loaded, they seem to work normally, but getting them to load is torturous.

I have attached the HJT log, and the Combo Fix log, and I do not have an AVG log to post, as previously mentioned. Any help would be much appreciated.

Thank you so much.
 

Hi crystalline, and welcome to Techspot

You have a rather nasty infection that is becoming common.
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
First of all DO NOT use Internet Explorer unless the instructions specifically ask you to while we remove this.

Download Firefox and use this for now. It is a more secure browser, but I will leave it up to you if you want to keep it afterwards.

Firefox link = http://www.mozilla.com/en-US/firefox/
-------------------------------------------------------------------------------------------------------------------------------------------------------------------

It shows you have AVG installed. Go to Start -> Settings -> Control Panel -> Administrative Tools -> Services

Stop the AVG Anti-Spyware Guard and a-squared Free Service (a2free) services from running by right-clicking each one and choosing Stop. Right-click it again and choose Properties. In the Properties dialog box that appears, choose Manual (or Disabled) from the Startup Type drop-down list.

Now uninstall AVG Anti-Spyware through Start -> Settings -> Control Panel -> Add/Remove Programs

Highlight it and select Remove. Then you can attempt to reinstall, or we can use a different program altogether; just let me know.

If it doesn't work we can remove it and I will give instructions on a substitute program.
------------------------------------------------------------------------------------------------------------------------------------

Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.
-------------------------------------------------------------------------------------------------------------------------------------
Open Internet Explorer

Click Tools -> Internet Options.

Click the Security tab
Click on the Trusted sites icon.
Click the Sites button and remove all sites from the trusted zone by selecting them and clicking the Remove button.
Once done, click OK.


Warning! Do not click the links below in the quote box.
Then, click the Privacy tab and click the Sites button. In the address bar type

www.whataboutadog.com and click the Block button. Do this for

www.whataboutarabbit.com and www.doginhispen.com and www.b.skitodayplease.com as well.

Click OK, then OK again, and close IE. Reboot your system.

----------------------------------------------------------------------------------------------------------------------------------------
1)Update your Java Runtime Environment
  • First try going to Start -> Control Panel -> double click Java
  • Select the Update tab at the top of the Java console
  • Click the Check for Updates button at the bottom
  • If it finds the newer version (Java 6 Update 5) Follow the on screen instructions
  • After it installs the newest version Go back to Control Panel -> Add/remove programs
  • Uninstall any older versions of Java

If for some reason you couldn't update through the above instructions.
  • Click the following link
    Java Runtime Environment 6 Update 5
  • The 4th option down is the one you want (click Download)
  • Check the box to agree to terms of service
  • Check the box for your operating system and click 'Download selected' at the bottom
  • After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
  • Navigate to C:\Program Files\Java -> delete any subfolders except the jre1.6.0_05 folder
--------------------------------------------------------------------------------------------------

2) I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player’s components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager -- the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect.

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This may change; read Viewpoint to Plunge Into Adware.
I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the Viewpoint components:
  1. Click Start, point to Settings, and then click Control Panel.
  2. In Control Panel, double-click Add or Remove Programs.
  3. In Add or Remove Programs, highlight >>Viewpoint component<< , click Remove.


    How to prevent it from being recreated every time you run the AOL software:
    • Open AOL
    • Go to Help on the toolbar
    • Select About AOL
    • Hit Ctrl D and a secret panel can be accessed which will allow you to disable all desktop and IM features associated with Viewpoint.
---------------------------------------------------------------------------------------------------------
FindAWF

Click here to download FindAWF.exe and save it to your desktop.
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to Press any key to continue.
  • Press 1 and then Enter, and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or to the same location as FindAWF.exe.
  • Attach AWF.txt file in your next reply.
----------------------------------------------------------------------------------------------------------------------------------

If you get AVGAS to run, attach the log in your next reply. After completing the above, run a scan and save a log with HijackThis again and attach that log as well, along with the FindAWF log.

So logs needed =
1)AVG log if it works
2)New Hijackthis after completing instructions
3)FindAWF log


The instructions in this thread are for the use of crystalline only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
 
Wow.

I'm not even sure where to begin here... my computer must be more screwed up than I gave it credit for, because half of those steps I wasn't able to complete. I will reply to everything in the order you instructed me to try it, with the accompanying error messages.

1. Mozilla Firefox installation successful. I am using it currently.

2. For AVG Anti-Spyware and A Squared, the control panel showed them as already not running, but I did do the disable and manual setting you requested. When I went to the Add/Remove Programs, AVG Anti-Spyware did not show up at all for me to remove it. I believe this is due to my prior uninstallation of the program.

3. The trusted Sites Domain fix ran successfully.

4. Successfully added the domains you listed to the blocked list.

5. When I went to update JAVA, the problems started. I have a very old version of JAVA, and it does not have an Update tab. I looked everywhere and couldn't find it. I went to the link you supplied, and was not successful in completing the download. I'm not sure if there are technical difficulties with the Sun Download Manager, or what, because it just kept stopping and restarting. I gave it about 5 minutes of stopping and restarting before I gave up on it.

6. Successfully deleted Viewpoint Manager.

7. I need another way to disable the manager from reinstalling, because I do not have AOL software installed. The only AOL-related software on my computer is AIM. Does it have the same secret toolbar?

8. The fun really began when I tried to run AWF. It installed perfectly, and started, but when it began the scan I was given the following error message: "C:\Windows\System32\AutoExec.NT The system file is not suitable for running MS-DOS and Microsoft Windows applications. Click Close to terminate the application."

9. I got HijackThis to run, and I am posting the new log.

I also think it bears mentioning that the computer gives me an error message whenever I try to do certain things, like change the desktop background, open up properties, Add or Remove programs, etc... but I believe this is due to Kaspersky internet security. When I first realized I had the infection, I was advised to put the application in training mode, and disallow any action I didn't know what it was. I believe I inadvertently blocked a needed Windows file. This is the message I usually get.

03/15/2008 1:16:11 PM Process C:\WINDOWS\system32\rundll32.exe (PID: 672): attempt to load new or modified module was blocked.

I am so frustrated right now... I appreciate your timely reply. Thanks so much for all of your help. I apologize for not being able to complete all the actions; I hope I haven't ruined my computer for good :/
 
Can you get into the Kaspersky settings and unblock it?

In your add/remove programs do you have anything to do with FreeDAccelerator!?

Do you use Mail.com?

Open Task Manager (Ctrl+Alt+Del), click the Processes tab and end the following processes.

QdrModule9.exe

Open up HJT and select Do a system scan only, then put a check next to the following entries (if there):
O4 - HKCU\..\Run: [QdrModule9] "C:\Program Files\QdrModule\QdrModule9.exe"
O8 - Extra context menu item: &Download with FreeDAccelerator! - C:\Program Files\Free Download Accelerator 2\FreeDAccelerator.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: a-squared Free Service (a2free) - Unknown owner - C:\Program Files\a-squared Free\a2service.exe (file missing)


Reboot and run HJT again and post a new log back.
 
1. I looked in the Kaspersky settings, but am leery to do anything, because everything on the block/unblocked list, etc, is all Greek to me. I'm scared I'll restore something virus-related, or disable something else I need. Do you have any suggestions on how to find out what exactly I should do, or do I need to get in contact with the support team from Kaspersky? I have a registered product, so if I need to do that, I can.

2. I do not show a FreeD Accelerator anywhere in my Add/Remove.

3. I do not use Mail.com. I haven't even heard of it.

4. That process was not running when I opened the task manager, but I have fixed the requested items in HJT. Here is my new log.
 
I was going to suggest to disable Kaspersky but lets try this first.

1. Click Start, point to Settings, and then click Control Panel.
2. Double-click System, click the Advanced tab, and then click Environment Variables.
3. In the User variables for User_Name list, click TMP, and then click Edit.
4. In the Variable value box, type c:\winnt\temp, and then click OK three times.
5. Close Control Panel.

Now try running FindAWF again
 
I changed that setting, and then tried. It still didn't work so I disabled Kaspersky and then tried, still nothing.

:(
 
1. Click Start, click Run, type C:\windows\repair, and then click OK.
2. Right-click the Autoexec.nt file, and then click Copy.
3. Click Start, click Run, type C:\Windows\system32, and then click OK.
4. In the System32 folder, press Ctrl + V to paste the Autoexec.nt file in this folder.
 
OK, your autoexec.nt file was corrupt; we just replaced it from a backup that is installed for that reason.

Fix AWF Infection
Copy the file paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\Common Files\AOL\IPHSend\bak\IPHSend.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\Common Files\AOL\1143335202\ee\bak\AOLSoftware.exe"
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • Press 2 then Enter
  • Notepad will open a file named FindAWF.txt. It will appear with instructions to click below the line and paste the list of files to be restored.
  • Right click below this line and select Edit, Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
  • The program will proceed to move the legit files and will perform another scan for bak folders.
  • It may take a few minutes to complete, so please be patient.
  • When it is complete, it will open a text file in Notepad called AWF.txt.
  • Please attach AWF.txt file in your next reply along with a fresh HJT log


These instructions are for the use of crystalline only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
 
OK, follow the exact same instructions again, but this time run it from Safe Mode. Also, I need to know: when you ran SmitfraudFix, did you select option 2? If you only ran option 1, follow the SmitfraudFix instructions first and use option 2, then do the FindAWF instructions, also in Safe Mode.
-----------------------------------------------------------------------------------------------------------------------------------------------------------
Write any of this down that you need to, or print it out, or save it in a notepad file to your desktop so you have it while in safe mode.

Run Smitfraudfix
  • Download Smitfraudfix by S!ri from HERE if you haven't already
  • Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
  • Double-click SmitfraudFix.exe
  • Select 2 and hit Enter to delete infected files.
  • You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
  • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
  • A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt
---------------------------------------------------------------------------------------------------------------------------------------------------------------------

Write any of this down that you need to, or print it out, or save it in a notepad file to your desktop so you have it while in safe mode.

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Fix AWF Infection
Copy the file paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\Common Files\AOL\IPHSend\bak\IPHSend.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\Common Files\AOL\1143335202\ee\bak\AOLSoftware.exe"
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • Press 2 then Enter
  • Notepad will open a file named FindAWF.txt. It will appear with instructions to click below the line and paste the list of files to be restored.
  • Right click below this line and select Edit, Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
  • The program will proceed to move the legit files and will perform another scan for bak folders.
  • It may take a few minutes to complete, so please be patient.
  • When it is complete, it will open a text file in Notepad called AWF.txt.
  • Please attach AWF.txt file in your next reply

Show me rapport.txt (if you still needed to run SmitfraudFix) and AWF.txt.
 
Fix AWF Folders
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Program Files\QuickTime\bak
C:\Program Files\Common Files\AOL\IPHSend\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Common Files\AOL\1143335202\ee\bak

  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.
  • Press 3, then press Enter.
  • Press any key to continue.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of folders to be removed.
  • Right click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
  • The program will proceed to remove the bad folders and will perform another scan for bak folders
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please attach the AWF.txt file in your next reply.

Run FindAWF one more time and press 4, then press Enter.
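The FindAWF steps above (option 2 to put the legitimate files back, option 3 to remove the leftover bak folders) describe a restore that is simple enough to show in full. The script below is an added example, not the FindAWF tool and not code from this thread: it builds a constructed directory tree in a temporary folder laid out the way the posts describe (the suspect copy at the original path, the real program one level down in a folder named bak), swaps the backup back into place, quarantines the suspect file instead of deleting it, records both hashes, and then removes the emptied bak folders. All paths, file contents and the quarantine folder name are assumptions made for the demo.

```python
"""Restore the legitimate files that the AWF trojan parked in 'bak' folders.

Added example, not the FindAWF tool and not from the thread.  The layout
mirrors what the posts describe: the file now sitting at the original path
is the suspect copy, and the real program lives one level down in 'bak'.
Paths, file contents and the quarantine folder name are constructed for
this demo; the tree is built inside a temporary directory.
"""
import hashlib
import os
import shutil
import tempfile

BAK = "bak"

# Constructed layout: relative path -> contents.  The 'bak' copy is the
# legitimate binary; the file at the original path is the suspect one.
SAMPLE_TREE = {
    "Program Files/QuickTime/qttask.exe": b"MZ-suspect-qttask",
    "Program Files/QuickTime/bak/qttask.exe": b"MZ-legit-qttask",
    "Program Files/Common Files/Real/Update_OB/realsched.exe": b"MZ-suspect-realsched",
    "Program Files/Common Files/Real/Update_OB/bak/realsched.exe": b"MZ-legit-realsched",
    # A backup with no live file beside it is reported, not touched.
    "Program Files/Other/bak/orphan.exe": b"MZ-orphan",
}


def sample_path(root, rel):
    return os.path.join(root, *rel.split("/"))


def build_sample_tree(root):
    for rel, data in SAMPLE_TREE.items():
        path = sample_path(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def read_bytes(path):
    with open(path, "rb") as fh:
        return fh.read()


def sha256_file(path):
    return hashlib.sha256(read_bytes(path)).hexdigest()


def find_bak_pairs(root):
    """For every <dir>/bak/<name> return (backup, live) where live is
    <dir>/<name>, or None when nothing sits at the original path."""
    pairs = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) != BAK:
            continue
        parent = os.path.dirname(dirpath)
        for name in files:
            live = os.path.join(parent, name)
            pairs.append((os.path.join(dirpath, name),
                          live if os.path.isfile(live) else None))
    return sorted(pairs)


def restore_from_bak(pairs, quarantine):
    """Move each suspect live file into quarantine (kept for analysis), put
    the backup in its place, and record both hashes for the report."""
    os.makedirs(quarantine, exist_ok=True)
    report = []
    for backup, live in pairs:
        if live is None:
            report.append({"backup": backup, "action": "skipped-no-live-file"})
            continue
        entry = {"live": live, "suspect_sha256": sha256_file(live),
                 "restored_sha256": sha256_file(backup), "action": "restored"}
        # Flatten the path into the quarantine file name so nothing collides.
        qname = live.replace(os.sep, "_").replace(":", "")
        shutil.move(live, os.path.join(quarantine, qname))
        shutil.move(backup, live)
        report.append(entry)
    return report


def remove_empty_bak_dirs(root):
    """Delete 'bak' folders that are now empty (the FindAWF option 3 step)."""
    removed = []
    for dirpath, _dirs, _files in os.walk(root, topdown=False):
        if os.path.basename(dirpath) == BAK and not os.listdir(dirpath):
            os.rmdir(dirpath)
            removed.append(dirpath)
    return removed


def run_demo():
    """Build the sample tree, restore it, return (root, report, removed dirs)."""
    root = tempfile.mkdtemp(prefix="awf-demo-")
    build_sample_tree(root)
    report = restore_from_bak(find_bak_pairs(root), os.path.join(root, "quarantine"))
    return root, report, remove_empty_bak_dirs(root)


if __name__ == "__main__":
    _root, demo_report, demo_removed = run_demo()
    for entry in demo_report:
        print(entry)
    print("removed:", demo_removed)
```

The orphaned backup under Program Files\Other is deliberately left alone and only reported: a bak folder with nothing to restore over is exactly the case where an automated swap would do damage, and a person should look first. Keeping the suspect file in quarantine with its hash, rather than deleting it, is what lets you check it against a scanner or submit it later.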
 
That's all gone now. Could you do another HJT scan and post a log back here? How is the computer running now?
 
Launch HijackThis and click Misc Tools, then press the Delete an NT service... button. When it opens, enter the service name and press OK. Copy and paste each of the following one at a time, pressing OK after each:

O23 - Service: a-squared Free Service (a2free) - Unknown owner - C:\Program Files\a-squared Free\a2service.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)


After that click Main Menu at the bottom middle and select Do a System Scan Only then put a check next to:

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)


Close all browsers (including this one) and other windows then select Fix checked
----------------------------------------------------------------------------------------------------------------------------------------------------------------

Open Internet Explorer and visit www.update.microsoft.com to see if you are missing any updates

Try again to update your java runtime
  • Click the following link
    Java Runtime Environment 6 Update 5
  • The 4th option down is the one you want (click Download)
  • Check the box to agree to terms of service
  • Check the box for your operating system and click 'Download selected'at the bottom
  • After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
  • Navigate to C:\Program Files\Java -> delete any subfolders except the jre1.6.0_05 folder
 
When I tried to remove those three NT services, HJT told me that it couldn't find them in the registry. But when I did the scan to fix the Google Toolbar line, I could see them, so I'm not sure what that's about... I copy/pasted exactly as you said. I was successful downloading the new Java, and I deleted the old one. Do you need a new HJT log?
 
Were there any missing updates from Microsoft?

Go to Start -> All Programs -> Accessories -> Command Prompt

At the command prompt type exactly

sc delete gusvc
press enter

sc delete "AVG Anti-Spyware Guard"
press enter

sc delete a2free
press enter

Close the command prompt

Run a scan and save a log with Hijackthis

These aren't really a big deal as they are just referencing removed anti-malware programs.
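HijackThis writes a service as "display name (service name)" when the two differ and as just the display name when they are the same, and both the Delete an NT service button and sc delete want the service name on its own, not the whole O23 line. The parser below is an added example, not HijackThis code and not from this thread: it pulls the service name out of the O23 lines quoted in this thread, flags the ones whose binary is reported missing, and builds the matching sc delete command, quoting names that contain spaces. It only builds the commands and does not run them; the HJT_LINES list is copied from the thread's logs and everything else is constructed for the demo.

```python
"""Turn HijackThis O23 (service) entries into 'sc delete' commands.

Added example, not HijackThis code and not from the thread.  HijackThis
prints a service as '<display name> (<service name>)' when the two differ
and just the display name when they are equal; sc.exe wants the service
name, and a name containing spaces must be quoted.  The commands are only
built here, never executed.
"""
import re

# Lines copied from the thread's HJT logs; the O4 line is included to show
# that non-service entries are ignored.
HJT_LINES = [
    "O23 - Service: a-squared Free Service (a2free) - Unknown owner - "
    "C:\\Program Files\\a-squared Free\\a2service.exe (file missing)",
    "O23 - Service: AVG Anti-Spyware Guard - Unknown owner - "
    "C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\guard.exe (file missing)",
    "O23 - Service: Google Updater Service (gusvc) - Unknown owner - "
    "C:\\Program Files\\Google\\Common\\Google Updater\\GoogleUpdaterService.exe (file missing)",
    "O4 - HKCU\\..\\Run: [QdrModule9] \"C:\\Program Files\\QdrModule\\QdrModule9.exe\"",
]

O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)"      # display name
    r"(?: \((?P<short>[^()]+)\))?"           # optional (service name)
    r" - (?P<owner>.+?) - (?P<path>.+?)"     # owner and image path
    r"(?P<missing> \(file missing\))?$"      # HJT's missing-binary marker
)


def parse_o23(line):
    """Return a dict for an O23 line, or None for any other HJT entry."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return {
        "display_name": m["display"],
        # Fall back to the display name when HJT printed no short name.
        "service_name": m["short"] or m["display"],
        "owner": m["owner"],
        "image_path": m["path"],
        "file_missing": m["missing"] is not None,
    }


def sc_delete_command(service_name):
    # sc.exe takes the service key name as one argument; quote it if it has spaces.
    if " " in service_name:
        return 'sc delete "%s"' % service_name
    return "sc delete %s" % service_name


def orphaned_service_commands(lines):
    """sc delete commands for O23 entries whose binary HJT reports as missing."""
    cmds = []
    for line in lines:
        svc = parse_o23(line)
        if svc and svc["file_missing"]:
            cmds.append(sc_delete_command(svc["service_name"]))
    return cmds


if __name__ == "__main__":
    for cmd in orphaned_service_commands(HJT_LINES):
        print(cmd)
```

Only entries carrying HJT's "(file missing)" marker are turned into commands; a service whose binary is still present deserves a look at the file before its registration is removed, since an unregistered but present binary can simply be re-registered by whatever dropped it.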
 