Remove Malware using recommendations


howard8
Having read topic58138.html I have gone through the 15 steps.

Symptoms: My son's PC lost loads of desktop icons, the startup menu disappeared; the C:/ drive disappeared from My Computer; the clock showed the time plus "Virus Alerts!!!" and the shortcuts to Error Cleaner, Privacy Protector, Spyware & Malware Protection appeared on the desktop along with regular popups with various warnings and links to "helpful" software. The whole thing almost ground to a halt.
Eventually I found your suggestions, downloaded the various software and tools on another PC, installed them onto my son's via a memory stick and slowly worked through everything.

1. The Panda Antirootkit found no known or unknown rootkits.
2. I attach the three logs, HJT, Combofix and SAS as requested. The first SAS scan revealed 130+ infections! (The only software that wouldn't run was the smitfraud.exe tool.)
3. I use Windows Firewall because I have a conflict between the WiFi connection and ZoneAlarm.
4. The Safemode scans in step 14 went OK.
5. Since completing the 15 steps the PC is now looking and working as per usual. All shortcuts are back; all drives now visible; no popups; clock is clear; and sluggishness is as before.
6. Out of interest I have since run SpyBot and SAS again. SS&D revealed a Virtumundo infection and SAS an AdWare.Vundo Variant/Rel infection. Both were deleted. As ADAware2008 was running, AVG Resident Shield found a Downloader.Zlob.ZGC trojan horse in a .dll file in the C:/System Volume Information/_restore directory. Does this mean these may appear at random times, or that once you have seen the log files you can give further advice on how to clean them up?

I hope you can help and thank you for your help so far. At least my son can use the PC for basic games/internet use as long as he doesn't use it for financial transactions.

Regards
Ian
 
NOTE: I did not check your logs. But regarding this:
found a Downloader.Zlob.ZGC trojan horse in a .dll file in C:/System Volume Information/_restore directory.
It means that the infection is in the System Restore files. When you are clean, you can turn off System Restore. That will drop all current restore points. Then turn it back on. But while you are going through the cleaning process, do NOT do a System Restore or you will reinfect the system.
 
Thanks for the warning about System Restore. I had been thinking about doing that at some time. I will now wait until my logs have been reviewed and the advice given as to the next steps.
Thanks
 
Hey, OK. First make sure to delete everything SuperAntiSpyware found.

Download SDFix from the link below to your desktop, then run it. SDFix will create a folder in your C drive. Boot into safe mode, go to C:\SDFix and run RunThis.bat. Post the log it creates here. To boot into safe mode, reboot the computer and start tapping the F8 key until you get to a menu, then select Safe Mode.

SDFix:
http://www.bleepingcomputer.com/files/sdfix.php

Also download vundofix from the link below to your desktop

* Double-click VundoFix.exe to run it.
* When VundoFix opens, click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.


http://www.atribune.org/ccount/click.php?id=4

Please post a fresh hijackthis log after running the software
 
Response to xxdanielxx

Thanks for that.

All infections detected by SAS and others had been removed.
I ran SDFix and attach the report.txt log.
I reran VundoFix and nothing was detected.
Attached is the latest HJT log, hijackthis_0712

Out of interest I cannot enter SafeMode by pressing F8. I have to go to msconfig. When I press F8 all I get is the window asking me to select which boot drive to run, Floppy, CD-Rom or the Hard Drive. Is that just a setting on my PC or as a result of these infections?

Thank you again
 

Attachment: hijackthis_0712.txt (10.7 KB)
When I press F8 all I get is the window asking me to select which boot drive to run, Floppy, CD-Rom or the Hard Drive
Select Hard Drive, then immediately press F8 again (repeatedly) until you see the Safe Mode menu.
 
A comment, FYI. If any slowdown is an issue for you, I would like to bring your attention to the large number of cab files being loaded. A 'cab' file, or 'cabinet' file, contains several or many compressed files. The O16 designation in the HijackThis logs means it's an ActiveX Object from a downloaded program file. "The legitimate purpose of ActiveX objects is to allow website creators to embed small programs in their sites which will interact with your browser to provide an enhanced experience to the visitor. Because of its nature, ActiveX makes a very good platform for installing spyware, adware, dialers, and hijackers."

Most, but not all, of these are for games:
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/uploader/ssiPictureUploader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://uk.games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab

The following were also in that group and I advise removing 'at least' these two:
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
 
I will check your log as soon as I get a chance. As for the O16 entries, please wait till I check before removing them. You can remove them without damaging your computer; the only thing that would happen is that next time you go to the site they will ask you to install the ActiveX control.
 
Please note. I made the post about the Active X processes as an FYI and did not suggest anything be deleted at this point.
 
That's so strange, yes you both stated to remove stuff


Maybe make your replies more clear, if you do not want users to remove anything.

Please re-read my post. I did not say to remove anything; I said I would check his log and advise. As for the O16 entries, I said he can remove them all if he wants to, but it is better if I check first.
 
Sorry, that was my goof! I did suggest removing two and should not have done that while the malware removal is going on. My apology.

But I did mean well. I know there is much to the cleaning process and that you are looking for specific entries. Sometimes, like two antivirus programs, something gets overlooked, and I wanted the user to be aware of possible security problems with so many ActiveX cabs around.
 
Thanks for the various comments. I had already removed the two O16 entries mentioned by bobbye before the toing and froing between the three TechSpot advisors. No problems have come to the surface, so I look forward to receiving some comments and advice when the logs have been reviewed. He does play a lot of games on and offline. Your comments about cab files are interesting. Maybe a lot of stuff just hangs around the PC over the years. Curious to know what sibelius.com is. I'm hesitant to go there in case it's a nasty!

My son has started using the PC again with strict instructions to not do any financial transactions. He is commenting that it is a bit sluggish compared to pre-virus. Out of interest we think he picked them up when he was getting patches and updates for HalfLife2 which he had just bought through Amazon UK.

The Vundo Variant seems to reappear if I do a scan with SAS or SpyBot. Perhaps it's still in the System Restore area like someone said earlier and will continue to reappear until the cleaning process is complete. VundoFix found nothing when I ran that again.

Being a newbie I do appreciate your comments and please don't fall out on my account. Thanks again.
Did I spot that one of you is from St Pete? in Florida. I'm a Naples convert myself so I'm planning my retirement there - I wish!
 
The discussion about the removal was entirely my fault. I should not have interrupted the cleaning process, even for an FYI. There was nothing wrong with removing them- it was just not the time in what is a very orderly process.

When this process is finished, we can explore some of those files if you want.
 
Please read this post completely; it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [30f810d5] rundll32.exe "C:\WINDOWS\system32\yfpfxbav.dll",b

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

C:\WINDOWS\system32\yfpfxbav.dll

After that, Reboot, and post a new HijackThis log here in a reply
 
Thanks for your response. I ran HJT and deleted the O4 entry as suggested and then, from Safe Mode, checked if the .dll file was in the windows/system32 folder. It wasn't.

Attached is a new HJT log, hijackthis_180708.txt; HJT was run after a reboot in normal mode.

Are we getting there?

Thanks again.
 
Run HijackThis and remove the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTSvcCDA.EXE (file missing)


-----------------------------------------------------

Please run an on-line virus scan at http://www.kaspersky.com/virusscanner (Kaspersky OnLine Scan) or, if that doesn't work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply.)

+++++

If you are unable to run the ActiveX antivirus scanners, let's try this Java based solution from Trend Micro.
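The advisors above triage HijackThis log lines by hand: the O16 DPF list of ActiveX cabs in the FYI post, the O4 Run entry that loads a DLL from system32 via rundll32, and the R0/O2/O3/O23 lines that point at files which no longer exist. The script below is an added example of that triage done in code; it is not part of any post in this thread and not HijackThis or TechSpot code. The sample lines are copied from the logs quoted above, the trusted-host allow-list is an assumption you would maintain yourself, and the "bare hex Run value name" rule is a heuristic modelled on the entry the advisor removed, not a documented signature.

```python
"""Triage helper for HijackThis (HJT) log lines like the ones quoted in this thread.
Added example: not code from the thread, from HijackThis or from TechSpot.
The rules are heuristics modelled on what the advisors did by hand; the host
allow-list is an assumption you would maintain yourself."""
import re
from urllib.parse import urlparse

# Constructed sample: lines copied from the logs quoted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [30f810d5] rundll32.exe "C:\WINDOWS\system32\yfpfxbav.dll",b
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTSvcCDA.EXE (file missing)
"""

# Assumption: hosts the thread treated as legitimate ActiveX sources (MSN games,
# Flash). Anything outside this allow-list is flagged for a human decision.
TRUSTED_DPF_HOSTS = {
    "messenger.zone.msn.com", "messenger.msn.com",
    "gfx1.hotmail.com", "fpdownload2.macromedia.com",
}
DEAD_MARKERS = ("(no file)", "(file missing)")

# O16 - DPF: {CLSID} (optional friendly name) - download URL
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-F-]{36}\})(?: \((.*?)\))? - (\S+)$", re.I)
# O4 - <hive>\..\Run: [value name] command line
O4_RE = re.compile(r"^O4 - (\S+): \[([^\]]*)\] (.*)$")
GENERIC_RE = re.compile(r"^(R\d|O\d+) - (.*)$")


def parse_line(line):
    """Return a dict describing one HJT entry, or None if the line is not an entry."""
    line = line.rstrip()
    m = O16_RE.match(line)
    if m:
        clsid, name, url = m.groups()
        return {"section": "O16", "clsid": clsid.upper(), "name": name or "(no name)",
                "url": url, "host": urlparse(url).hostname}
    m = O4_RE.match(line)
    if m:
        hive, value_name, command = m.groups()
        return {"section": "O4", "hive": hive, "value_name": value_name, "command": command}
    m = GENERIC_RE.match(line)
    if m:
        return {"section": m.group(1), "body": m.group(2)}
    return None


def triage(entry):
    """Return the reasons an entry deserves a second look (empty list = nothing flagged)."""
    reasons = []
    section = entry["section"]
    if section == "O16":
        if entry["host"] not in TRUSTED_DPF_HOSTS:
            reasons.append("ActiveX control from host outside the allow-list: %s" % entry["host"])
    elif section == "O4":
        cmd = entry["command"].lower()
        if "rundll32" in cmd and "\\system32\\" in cmd:
            reasons.append("Run entry loads a DLL from system32 via rundll32")
        # Heuristic: the removed entry's value name was a bare hex string.
        if re.fullmatch(r"[0-9a-f]{6,}", entry["value_name"].lower()):
            reasons.append("Run value name is a bare hex string (%s)" % entry["value_name"])
    else:
        body = entry["body"]
        if body.endswith(DEAD_MARKERS):
            reasons.append("dead reference: the target file no longer exists")
        if section == "R0" and body.rstrip().endswith("="):
            reasons.append("empty Internet Explorer start/local page value")
    return reasons


def triage_log(text):
    """Parse every line of an HJT log and return [(line, reasons)] for flagged entries."""
    flagged = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            flagged.append((line.rstrip(), reasons))
    return flagged


def dpf_controls_by_host(text):
    """Group O16 entries by download host, the view the FYI post above was built from."""
    by_host = {}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and entry["section"] == "O16":
            by_host.setdefault(entry["host"], []).append((entry["clsid"], entry["name"]))
    return by_host


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Run against the sample, the O4 rundll32 entry, the empty R0 value, the two "(file missing)"/"(no file)" lines, the O23 service and the screensavers.com cab are flagged, while the MSN game and Flash controls are not. The host grouping is the cheap first pass; the flagged list is what you would still read line by line before ticking anything in HijackThis.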
 
Hi
I have run HJT and deleted the appropriate entries. I used the Kaspersky online virus checker, scanning Critical Areas and My Computer. No viruses or infections were detected. FYI as I was installing Kaspersky I was asked to install the latest Java Platform v6u7 as discussed by another TechSpot advisor, Bobbye, above.

Attached is the HJT log, hijackthis_190708.txt, taken after the virus scan last Saturday.

I was encouraged by the fact that Kaspersky found no infections.
Hear from you soon.
Thanks
 
Your logs look clean. It's time to clean up. Also, how is your computer running?

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

----------------------------------------

Uninstall ComboFix

  • Click Start then Run
  • Now Type Combofix /u in the runbox
  • Make sure there's a space between Combofix & /u
  • Then hit Enter

The above procedure will Delete the following:
  • ComboFix & its associated files & folders.
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide system/hidden files, if required.
  • Set a new, clean Restore Point.

------------------------------------------------------------------

OTCleanit! by Oldtimer

  • Download OTCleanIt
  • Click the CleanUp! button.
    (It will go through the list & remove all of the tools it finds and then delete itself.) This requires a reboot.

--------------------------------------

Now we need to create a new System Restore point.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up on the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.

-------------------------------------------

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  1. Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  2. AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  3. SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  4. SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  5. IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  6. ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  7. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  8. Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  9. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
xxdanielxx
 
Thank you for your recent post.
I have run ATF Cleaner, uninstalled Combofix, run OTCleanit, and created a fresh restore point. I have also installed IESpyAd (now linked to ZoneOut) and installed SpyWareGuard. I will encourage my son to use Trillian if you believe it is more secure when he is using MSN. Windows is up to date with SP3 and recent updates.

For the record I attach an hjt log, hijackthis_230708.log

Fingers crossed all is now relatively well. Having done all this to get his PC repaired we will soon be going out to get a new Vista based laptop as he is going to University in September! But it has been worth it and has been an immensely enjoyable learning experience for me. All of the Techspot advisors have been great and made invaluable contributions. But thanks mainly to xxdanielxx who has persevered. The instructions were clear and relatively easy to implement. And some of the broader security advice I can apply to our other PCs.

Thank you again.
 