TechSpot

HijackThis/ComboFix/AVG Antispyware

By crystalline
Mar 14, 2008
  1. Hi... I have followed all the instructions for the preliminary cleaning of an infected computer with the following exceptions:

    1. AVG Anti-Spyware would not install. I kept getting a message that told me installation could not be completed due to my computer not restarting after I uninstalled the program (I was told it could be infected, and that I should remove and reinstall). After restarting the computer, I continued to get the same message, and don't know how to get the program to install.

    2. I did not run Ad-Aware 2007. The installation seemed to go successfully, but when I try to run the program, both in safe mode and in normal mode, I get an error message saying the program cannot be accessed.

    Panda Anti-Rootkit scan found the following rootkit:
    C:\ProgramFiles\KGB\MPK.exe

    I am not certain but I believe that is some sort of extension from the KGB keylogger I have installed to monitor my children's usage. However, I will remove it if need be.

    My current computer symptoms are as follows: I have no more fake security alerts, my desktop is back to normal (it was hijacked with an anti-spyware message before), but loading up Windows is EXTREMELY slow. Applications DO work, such as the internet, and once they are loaded, they seem to work normally, but getting them to load is torturous.

    I have attached the HJT log, and the Combo Fix log, and I do not have an AVG log to post, as previously mentioned. Any help would be much appreciated.

    Thank you so much.
     

    Attached Files:

  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Hi crystalline, and welcome to Techspot

    You have a rather nasty infection that is becoming common.
    -------------------------------------------------------------------------------------------------------------------------------------------------------------------
    First of all DO NOT use Internet Explorer unless the instructions specifically ask you to while we remove this.

    Download Firefox and use this for now. It is a more secure browser, but I will leave it up to you if you want to keep it afterwards.

    Firefox link = http://www.mozilla.com/en-US/firefox/
    -------------------------------------------------------------------------------------------------------------------------------------------------------------------

    It shows you have AVG installed. Go to Start -> Settings -> control Panel -> Administrative Tools -> Services

    Stop the AVG Anti-Spyware Guard and a-squared Free Service (a2free)
    services from running by right-click it and choose Stop. Right click it again and choose Properties. In the Properties dialog box that appears, choose Manual from the Startup Type drop-down list and choose Disabled.

    Now uninstall AVG Anti-Spyware through Start -> Settings -> Control Panel -> add/remove programs

    Highlight and select remove, then you can attempt to reinstall, or we can use a different program altogether just let me know.

    If it doesn't work we can remove it and I will give instructions on a substitute program.
    ------------------------------------------------------------------------------------------------------------------------------------

    Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.
    -------------------------------------------------------------------------------------------------------------------------------------
    Open Internet Explorer

    click tools -> internet options.

    Click the Security tab
    Click on the Trusted sites icon.
    Click the sites button and remove all sites from the trusted zone by selecting
    them and clicking the remove button.
    Once done, click ok.


    Warning! Do not click the links below in the qoute box.
    Click ok, then ok again and close IE. reboot your system.

    ----------------------------------------------------------------------------------------------------------------------------------------
    1)Update your Java Runtime Environment
    • First try going to Start -> Control Panel -> double click Java
    • Select the Update TAb at the top of the Java console
    • Click the Check for Updates button at the bottom
    • If it finds the newer version (Java 6 Update 5) Follow the on screen instructions
    • After it installs the newest version Go back to Control Panel -> Add/remove programs
    • Uninstall any older versions of Java

    If for some reason you couldn't update through the above instructions.
    • Click the following link
      Java Runtime Environment 6 Update 5
    • The 4th option down is the one you want (click Download)
    • Check the box to agree to terms of service
    • Check the box for your operating system and click 'Download selected'at the bottom
    • After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
    • Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_05 folder
    --------------------------------------------------------------------------------------------------

    2) I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player’s components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager -- the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect.

    Viewpoint Manager is considered as foistware instead of malware since it is installed without user's approval but doesn't spy or do anything "bad". This may change, read Viewpoint to Plunge Into Adware.
    I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the the Viewpoint components :
    1. Click Start, point to Settings, and then click Control Panel.
    2. In Control Panel, double-click Add or Remove Programs.
    3. In Add or Remove Programs, highlight >>Viewpoint component<< , click Remove.


      How to prevent it from being recreated every time you run the AOL software:
      • Open AOL
      • Go to Help on the toolbar
      • Select About AOL
      • Hit Ctrl D and a secret panel can be accessed which will allow you to disable all desktop and IM features associated with Viewpoint.
    ---------------------------------------------------------------------------------------------------------
    FindAWF

    Click here to download FindAWF.exe and save it to your desktop.
    • Double-click on the FindAWF.exe file to run it.
    • It will open a command prompt and ask you to Press any key to continue.
    • Press 1 and then Enter, and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
    • It may take a few minutes to complete so be patient.
    • When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or to the same location as FindAWF.exe.
    • Attach AWF.txt file in your next reply.
    ----------------------------------------------------------------------------------------------------------------------------------

    If you get AVGAS to run, attach the log in your next reply. Run a scan and save a log with Hijackthis again and also attach this log after completing the above. Also the FindAWF log

    So logs needed =
    1)AVG log if it works
    2)New Hijackthis after completing instructions
    3)FindAWF log


    The instructions in this thread are for the use of crystalline only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    That may look like a lot but just take it one step at a time.
     
  4. crystalline

    crystalline TS Rookie Topic Starter Posts: 19

    Wow.

    I'm not even sure where to begin here... my computer must be more screwed up than I gave it credit for, because half of those steps I wasn't able to complete. I will reply to everything in the order you instructed me to try it, with the accompanying error messages.

    1. Mozilla Firefox installation successful. I am using it currently.

    2. For AVG Anti-Spyware and A Squared, the control panel showed them as already not running, but I did do the disable and manual setting you requested. When I went to the Add/Remove Programs, AVG Anti-Spyware did not show up at all for me to remove it. I believe this is due to my prior uninstallation of the program.

    3. The trusted Sites Domain fix ran successfully.

    4. Successfully added the domains you listed to the blocked list.

    5. When I went to update JAVA, the problems started. I have a very old version of JAVA, and it does not have an Update tab. I looked everywhere and couldn't find it. I went to the link you supplied, and was not successful in completing the download. I'm not sure if there are technical difficulties with the Sun Download Manager, or what, because it just kept stopping and restarting. I gave it about 5 minutes of stopping and restarting before I gave up on it.

    6. Successfully deleted Viewpoint Manager.

    7. I need another way to disable the manager from reinstalling, because I do not have AOL software installed. The only AOL-related software on my computer is AIM. Does it have the same secret toolbar?

    8. The fun really began when I tried to run AWF. It installed perfectly, and started, but when it began the scan I was given the following error message: "C:\Windows\System32\AutoExec.NT The system file is not suitable for running MS-DOS and Microsoft Windows applications. Click Close to terminate the application.

    9. I got HijackThis to run, and I am posting the new log.

    I also think it bears mentioning that the computer gives me an error message whenever I try to do certain things, like change the desktop background, open up properties, Add or Remove programs, etc... but I believe this is due to Kaspersky internet security. When I first realized I had the infection, I was advised to put the application in training mode, and disallow any action I didn't know what it was. I believe I inadvertently blocked a needed Windows file. This is the message I usually get.

    03/15/2008 1:16:11 PM Process C:\WINDOWS\system32\rundll32.exe (PID: 672): attempt to load new or modified module was blocked.

    I am so frustrated right now... I appreciate your timely reply. Thanks so much for all of your help. I apologize for not being able to complete all the actions; I hope I haven't ruined my computer for good :/
     
  5. kritius

    kritius TS Guru Posts: 2,084

    Can you get into the Kaspersky settings and unblock it?

    In your add/remove programs do you have anything to do with FreeDAccelerator!?

    Do you use Mail.com?

    Open task manager(alt+ctrl+del), click the processes tab and end the following processes.

    QdrModule9.exe

    Open up HJT and select do a system scan only,
    put a check next to the following entires, (if there)
    O4 - HKCU\..\Run: [QdrModule9] "C:\Program Files\QdrModule\QdrModule9.exe"
    O8 - Extra context menu item: &Download with FreeDAccelerator! - C:\Program Files\Free Download Accelerator 2\FreeDAccelerator.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O23 - Service: a-squared Free Service (a2free) - Unknown owner - C:\Program Files\a-squared Free\a2service.exe (file missing)


    Reboot and run HJT again and post a new log back.
     
  6. crystalline

    crystalline TS Rookie Topic Starter Posts: 19

    1. I looked in the Kaspersky settings, but am leery to do anything, because everything on the block/unblocked list, etc, is all Greek to me. I'm scared I'll restore something virus-related, or disable something else I need. Do you have any suggestions on how to find out what exactly I should do, or do I need to get in contact with the support team from Kaspersky? I have a registered product, so if I need to do that, I can.

    2. I do not show a FreeD Accelerator anywhere in my Add/Remove.

    3. I do not use Mail.com. I haven't even heard of it.

    4. That process was not running when I opened the task manager, but I have fixed the requested items in HJT. Here is my new log.
     
  7. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    I was going to suggest to disable Kaspersky but lets try this first.

    1. Click Start, point to Settings, and then click Control Panel.
    2. Double-click System, click the Advanced tab, and then click Environment Variables.
    3. In the User variables for User_Name list, click TMP, and then click Edit.
    4. In the Variable value box, type c:\winnt\temp, and then click OK three times.
    5. Close Control Panel.

    Now try running FindAWF again
     
  8. crystalline

    crystalline TS Rookie Topic Starter Posts: 19

    I changed that setting, and then tried. It still didn't work so I disabled Kaspersky and then tried, still nothing.

    :(
     
  9. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    1. Click Start, click Run, type C:\windows\repair, and then click OK.
    2. Right-click the Autoexec.nt file, and then click Copy.
    3. Click Start, click Run, type C:\Windows\system32, and then click OK.
    4. In the System32 folder, press Ctrl + V to paste the Autoexec.nt file in this folder.
     
  10. crystalline

    crystalline TS Rookie Topic Starter Posts: 19

    Alright! :)

    Here is the log that AWF gave me upon completion.
     
  11. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Ok, your autoexec.nt file was corrupt we just replaced it from a backup that is installed for that reason.

    Fix AWF Infection
    Copy the file paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    • Double-click on the FindAWF.exe file to run it.
    • It will open a command prompt and ask you to "Press any key to continue".
    • Press 2 then Enter
    • Notepad will open a file named FindAWF.txt. It will appear with instructions to click below the line and paste the list of files to be restored.
    • Right click below this line and select Edit, Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
    • The program will proceed to move the legit files and will perform another scan for bak folders.
    • It may take a few minutes to complete, so please be patient.
    • When it is complete, it will open a text file in Notepad called AWF.txt.
    • Please attach AWF.txt file in your next reply along with a fresh HJT log


    These instructions are for the use of crystalline only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  12. crystalline

    crystalline TS Rookie Topic Starter Posts: 19

    Here are the logs.
     
  13. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Ok do the exact same instructions again but this time run it from safe mode. Also I need to know when you ran Smitfraudfix, did you select option 2. If you only ran option 1:Follow smitfraudfix first and use options 2. then do Findawf instructions. Also in Safe mode
    -----------------------------------------------------------------------------------------------------------------------------------------------------------
    Write any of this down that you need to, or print it out, or save it in a notepad file to your desktop so you have it while in safe mode.

    Run Smitfraudfix
    • Download Smitfraudfix by S!ri from HERE if you haven't already
    • Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
    • Double-click SmitfraudFix.exe
    • Select 2 and hit Enter to delete infected files.
    • You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
    • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
    • A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------

    Write any of this down that you need to, or print it out, or save it in a notepad file to your desktop so you have it while in safe mode.

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Fix AWF Infection
    Copy the file paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    • Double-click on the FindAWF.exe file to run it.
    • It will open a command prompt and ask you to "Press any key to continue".
    • Press 2 then Enter
    • Notepad will open a file named FindAWF.txt. It will appear with instructions to click below the line and paste the list of files to be restored.
    • Right click below this line and select Edit, Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
    • The program will proceed to move the legit files and will perform another scan for bak folders.
    • It may take a few minutes to complete, so please be patient.
    • When it is complete, it will open a text file in Notepad called AWF.txt.
    • Please attach AWF.txt file in your next reply

    Show me rapport.txt if you still need to do smitfraud and awf.txt
     
  14. crystalline

    crystalline TS Rookie Topic Starter Posts: 19

    Alrighty, here are those two logs after running in safe mode.
     
  15. kritius

    kritius TS Guru Posts: 2,084

    Fix AWF Folders
    Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    • Double-click on the FindAWF.exe file to run it.
    • It will open a command prompt and ask you to "Press any key to continue".
    • You will be presented with a Menu.
    • Press 3, then press Enter.
    • Press any key to continue.
    • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of folders to be removed.
    • Right click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
    • The program will proceed to remove the bad folders and will perform another scan for .bak folder
    • It may take a few minutes to complete so be patient.
    • When it is complete, it will open a text file in notepad called AWF.txt.
    • Please attach the AWF.txt file in your next reply.

    Run Fix AWF one more time and press 4, then press Enter.
     
  16. crystalline

    crystalline TS Rookie Topic Starter Posts: 19

    Here is the AWF log.
     
  17. kritius

    kritius TS Guru Posts: 2,084

    Thats all gone now. Could you do another HJT scan and post a log back here? How is the computer running now?
     
  18. crystalline

    crystalline TS Rookie Topic Starter Posts: 19

    It's running much better now; I have no complaints at the moment. :)

    Thank you SO much. Here's the HJT log.
     
  19. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Launch Hijackthis and click Misc tools , and then press the Delete an NT service.. button. When it opens you should then enter the service name and press OK. Copy and paste each of the following one at a time pressing OK after each:

    O23 - Service: a-squared Free Service (a2free) - Unknown owner - C:\Program Files\a-squared Free\a2service.exe (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
    O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)


    After that click Main Menu at the bottom middle and select Do a System Scan Only then put a check next to:

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)


    Close all browsers (including this one) and other windows then select Fix checked
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------

    Open Internet explorer and vistit www.update.microsoft.com to see if you are missing any updates

    Try again to update your java runtime
    • Click the following link
      Java Runtime Environment 6 Update 5
    • The 4th option down is the one you want (click Download)
    • Check the box to agree to terms of service
    • Check the box for your operating system and click 'Download selected'at the bottom
    • After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
    • Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_05 folder
     
  20. crystalline

    crystalline TS Rookie Topic Starter Posts: 19

    When I tried to remove those three NT services, HJT told me that it couldn't find them in the registry. But when I did the scan to fix the Google Toolbar line, I could see them, so I'm not sure what that's about... I copy/pasted exactly as you said. I was successful downloading the new Java, and I deleted the old one. Do you need a new HJT log?
     
  21. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Was there any missing updates from microsoft?

    Go to Start -> All Programs -> Accessories -> Command Prompt

    At the command prompt type exactly

    press enter

    press enter

    press enter

    Close the command prompt

    Run a scan and save a log with Hijackthis

    These aren't really a big deal as they are just referencing removed anti-malware programs.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...