TechSpot

"Safewebnavigate.com" virus - please help

By oteensdad
Sep 7, 2007
  1. Hello,

    My XP has been infected. Explorer windows are popping up, trying to connect to safewebnavigate.com. In addition, all the other symptoms described by "Fairly" in his thread (http://www.techspot.com/vb/all/windows/t-85466-Unknown-Icons-on-the-Desktop.html) are also present.

    Could some of the experts guide me through the process of cleaning this up?

    I guess I should start with HijackThis?

    Thanks in advance.
     
  2. Daveskater

    Daveskater Banned Posts: 1,687

    Hello and welcome to Techspot :wave:

    the best thing to do to start with would be to look at this thread here and follow the instructions then post on this thread again to let us know how you get on
     
  3. oteensdad

    oteensdad TS Rookie Topic Starter

    HijackThis log from the computer in question

    Thanks Dave. I hope it is OK to attach the HijackThis log before following your link.
     
  4. Daveskater

    Daveskater Banned Posts: 1,687

    that's fine, i'll take a look through that now and i expect howard will be along in a bit ;) i don't know how he manages to post so much :D

    edit ---

    before you post another hijack this log (i think that link i gave you asks for one) rename the hijack this executable file to Crusty.exe, if you right click on the file and press rename and change it to Crusty then press enter it'll be sorted. we get people to change the name of the file because some nasties are clever and hide from the standard file name ;)

    edit (again) ---

    have hijack this fix this:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
    that should fix the popup problem

    also what's BeInSync? did it come with some hardware you have like a pda etc?
     
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Your system is infected with a variety of malware.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    Also, let me know the results of the AVG Antirootkit scan.

    Regards Howard :wave: :wave:

    This thread is for the use of oteensdad only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  6. oteensdad

    oteensdad TS Rookie Topic Starter

    Thanks Dave and Howard.

    I am following the steps in the long preliminary procedure. I have printed out all the instructions. Doing it all is going to take a few days. Everything is working at 1/100 of normal speed.

    I will come back here as soon as I am done with the preliminary procedure.

    Thanks again!
     
  7. oteensdad

    oteensdad TS Rookie Topic Starter

    I think I am fine now!

    Hi,

    I'm back. This has been a long journey.

    All the symptoms that I know of are gone. They were gone as soon as I ran the SmitfraudFix. Also, most of the other tools reported on cleaning up dozens to hundreds of items each, including adware and backdoor trojans. I am not posting those logs (as per your instructions).

    The AVG Antirootkit, however, returned "Nothing found" and "Congratulations".

    I seem unable to find the AVG Antispyware log. I did follow the instructions. I did set "How to act". It did quarantine all the items it found. There is no report available. What I am able to come up with is a screenshot collage showing the items it cleaned up. While I am aware I must have done something wrong, I hope it is still OK (it did clean up things and the final Hijack/CrustyThis seems clean). If you still want me to do something about this, I will follow your further instructions.

    Thank you for what you are doing!
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Delete any files that may be in AVG Antispyware quarantine.

    Please post a fresh HJT log from normal mode.

    Regards Howard :)

    This thread is for the use of oteensdad only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  9. oteensdad

    oteensdad TS Rookie Topic Starter

    Attached.

    Thanks!

    Hi,

    1. After the clean-up procedures, should I stop/checkpoint/whatever the System Restore? I don't think I have done that.

    2. There are many empty *.exe files in C:\WINDOWS, C:\WINDOWS\system32 and possibly other places as well. I am attaching a sample list. What's up with that?

    Thanks!
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Configuration Loader (bF)

    Close the services window

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    Stop any of the .exe processes that are in your empty-exe-files.txt list.

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O20 - AppInit_DLLs: vb5dmspo.dll

    O23 - Service: Configuration Loader (bF) - GRISOFT, s.r.o. - (no file)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\WINDOWS\SYSTEM32\vb5dmspo.dll
    C:\Qoobox

    Delete all the files in your empty-exe-files.txt list.

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log and let me know how your system is running.

    Regards Howard :)

    This thread is for the use of oteensdad only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  11. oteensdad

    oteensdad TS Rookie Topic Starter

    I'm back

    Hi again,

    Done.

    All the empty *.exe files that I have deleted were dated August 2005. I have deleted 265 of them. I still have the following three empty *.exe files, but they are not associated with that "bundle" (their names are not random), and I assume they are not related to malware:

    WINDOWS\system32:

    12/31/2003 11:46 AM 0 cpuidlexp.exe

    WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CXGDS38Z:

    02/04/2004 06:40 AM 0 WksPatch[1].exe
    02/04/2004 06:40 AM 0 WksPatch[2].exe

    I am attaching a fresh HJT log from normal mode.

    Should I create a new System Restore checkpoint, to prevent restoring any malware?

    Thanks again!
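    An added example, not from the thread or any tool it mentions: a Python script that does the triage oteensdad did by hand in posts 9 and 11, listing zero-byte *.exe files under a root directory and grouping them by modification date so a large same-dated batch stands out from isolated leftovers that deserve a separate look. The sample tree, file names and dates it builds are constructed for the demo.

```python
import os
import tempfile
from collections import defaultdict
from datetime import datetime, timezone


def find_empty_exes(root):
    """Yield (path, mtime_date) for every zero-byte *.exe below root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".exe"):
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the scan
            if st.st_size == 0:
                day = datetime.fromtimestamp(st.st_mtime, timezone.utc).date()
                yield path, day


def group_by_day(root, batch_min=5):
    """Return ({day: [paths]} for batches of >= batch_min files, [isolated paths])."""
    by_day = defaultdict(list)
    for path, day in find_empty_exes(root):
        by_day[day].append(path)
    batches = {d: sorted(p) for d, p in by_day.items() if len(p) >= batch_min}
    singles = sorted(p for ps in by_day.values() if len(ps) < batch_min for p in ps)
    return batches, singles


def build_demo_tree():
    """Constructed sample tree: 8 same-dated empty exes, two stragglers, one real exe."""
    root = tempfile.mkdtemp(prefix="empty_exe_demo_")
    sys32 = os.path.join(root, "WINDOWS", "system32")
    os.makedirs(sys32)
    batch_ts = datetime(2005, 8, 14, 12, 0, tzinfo=timezone.utc).timestamp()
    for i in range(8):  # constructed random-looking names, all stamped the same day
        p = os.path.join(sys32, f"x{i}qzv{i}k.exe")
        open(p, "wb").close()
        os.utime(p, (batch_ts, batch_ts))
    for name, ts in (("cpuidlexp.exe", datetime(2003, 12, 31, tzinfo=timezone.utc).timestamp()),
                     ("WksPatch[1].exe", datetime(2004, 2, 4, tzinfo=timezone.utc).timestamp())):
        p = os.path.join(sys32, name)
        open(p, "wb").close()
        os.utime(p, (ts, ts))
    with open(os.path.join(sys32, "notepad.exe"), "wb") as f:
        f.write(b"MZ")  # non-empty, must be ignored
    return root


if __name__ == "__main__":
    batches, singles = group_by_day(build_demo_tree())
    for day, paths in batches.items():
        print(f"{day}: {len(paths)} empty .exe files (likely one bundle)")
    print("review individually:", [os.path.basename(p) for p in singles])
```

Point it at a real root (for example the drive root when the disk is mounted offline) by calling group_by_day with that path instead of the demo tree.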
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it to your desktop

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon which will open a new window titled "open Script File"
    navigate to the file you have just downloaded, click on it and press open
    Now click on the Green Light to begin execution of the script
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please attach the content of c:\avenger.txt into your reply.

    Also, please run the Ccleaner programme as per the instructions in step 9 of this thread HERE.

    This thread is for the use of oteensdad only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  13. oteensdad

    oteensdad TS Rookie Topic Starter

    Done.

    I am attaching the avenger log.

    The reason it could not find c:\qoobox is that I had deleted it as per your previous post. I don't know about c:\VundoFix Backups. The only file I have with a similar name is C:\vundofix.txt.

    How am I (is my computer) doing right now?

    Should I run the CCleaner regularly?

    Thanks!
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    The Avenger log says the nasty files were deleted.

    Unless you're having any further problems, you should be good to go.

    Turn off system restore (XP/ME only). See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of oteensdad only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  15. oteensdad

    oteensdad TS Rookie Topic Starter

    Thanks. Done.

    1. The last batches of nasty files were not found by any tool. I "picked" them "by hand", as they looked odd. Is there anything I can do about any possible left-overs?

    2. Since I started this thread, you have helped me clean up a huge amount of malware. You have done an amazing job. Most of the malware that got accumulated was a result of my son's careless usage. The symptoms tend to appear shortly after he comes home. He uses ICQ, iTunes, eMule, Messenger, social networking Web sites (such as FaceBook), etc. I uninstalled his Kazaa a long time ago. Could you help me with some sensible guidelines for good precautions for my son? He is a young adult and I would like to teach him safer surfing without preaching abstinence.

    Thanks again!
     
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Which remnants are these? You'll need to be as specific as possible.

    Yes, go and read this thread HERE and also, get your son to read it.

    Unless your son stops doing what he is, your infection problems are just going to return time and time again.

    Regards Howard :)

    This thread is for the use of oteensdad only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  17. oteensdad

    oteensdad TS Rookie Topic Starter

    I don't know of any specific remnants. As of this morning, the computer is stable (but my son will get home for a few days later today).

    I have taken up more than enough of your time, and I have no further questions related to my original post. This is a good time to suggest moving this thread to the solved issues section if that is what you usually do (unless you want me to perform any further steps).

    I appreciate your kind help. Thanks!
     
  18. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Nope, I think we're done mate.

    Hopefully, your son will take notice of what you tell him and it'll all be plain sailing from then on.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of oteensdad only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  19. Daveskater

    Daveskater Banned Posts: 1,687

    oteensdad, if you like you can post in this thread and show your appreciation for howard ;)

    he's the only person on techspot to get a tribute thread as far as i know :D

    he'll probably hate me for giving you the link though :D and i quote: "Oh come on guys, this is starting to get a little embarrassing" ;)
     
  20. oteensdad

    oteensdad TS Rookie Topic Starter

    Thanks Dave

    Done. Thanks Dave for the tip.

    *** Now that my issue is solved and this post is not important anymore, I hope it is OK to ask something wildly off-topic. ***

    Dave: board? in-line? street? bowl? are you good? I love watching it on TV, it's not so popular where I live.
     
  21. Daveskater

    Daveskater Banned Posts: 1,687

    haha i wondered when somebody would ask ;) i've been here over a year and you're the first person :D

    board :grinthumb i'm ok, had to stop for a bit though cos i was in a really bad car crash and it messed my back and neck up, i think it did for everyone really (there were 5 of us in the car and one of my mates had to be brought back with the electric heart starty thingy - can't remember the name) i had quite bad whiplash and they wanted to take me on a spinal board but ran out of ambulances :evil: but i'm digressing now ;)

    me and all my friends go down the local skate park quite a bit and obviously when we walk round with our boards and hoodies the elderly villagers think we're going to rob them, which of course we will not, but again, i digress ;)
     
  22. oteensdad

    oteensdad TS Rookie Topic Starter

    Infected again?

    I'm glad you are in one piece Dave, must have been an awful experience. If I ever come to the vicinity of Oxford, UK, I'll watch you guys do your tricks.

    My son is not home yet (he has just called, is on his way). Nevertheless:

    I upgraded my WebRoot SpySweeper last night. The new version has removed 16 items belonging to two threats: trojan-ace-x and trojan-backdoor-finlizerevil.

    I have no idea whether this is an old infection, or a new one, or a false positive.

    Both AVG Antispyware (safe mode) and SS&D (safemode) come back clean.

    I am attaching a fresh HJT log from normal mode.

    Am I infected again?

    Thanks!
     
  23. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Nope, nothing nasty in your HJT log.

    Different spyware removers, tend to find different things.

    Regards Howard :)

    This thread is for the use of oteensdad only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  24. Daveskater

    Daveskater Banned Posts: 1,687

    it wasn't exactly the best experience ever i'll say that much ;)

    sounds good :D i'm from a village about 10 miles from Oxford but it's the nearest city so that's why i put it in the location thingy, i expect more people will have heard of Oxford than Freeland haha ;)
     