Spyware/viral infection - possible

By Bizarro
Jan 9, 2009
Topic Status:
Not open for further replies.
  1. This is my first post here. My normal spyware scanner kept getting hits for a Bifrost (labeled it as backdoor) and a KazaA (P2P) for a few days. I then went and originally ran through the Malwarebytes and SuperAntiSpyware and it found nothing upon relogging in. However, I'd see them from scan to scan.

    My real-time virus scanner the same day (5 days ago), hit several Vmalum. viruses when I wasn't browsing. It killed them.

    My question is this, what can I do to make sure my system is really clean. I've gone through the 8 step post guidelines, and am attaching the appropriate logs.

    Thank-you very much, in advance.
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    The only malware entry in all three of the logs is: O20 - AppInit_DLLs: ztcqxj.dll

    Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
    O20 - AppInit_DLLs: ztcqxj.dll

    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:

    Start> Search> Files & Folders> Tools> Folder options> View tab> CHECK 'show hidden files and folders'> type ztcqxj.dll into the search box and search> if found, do a right click> delete. (Please go back and 'rehide' the files when through)

    Reboot into Normal Mode.

    1. Download and Install SDFix
    * Download SDFix from HERE
    and save it to your Desktop.
    * Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    2. Boot into Safe Mode
    * Restart your computer and start pressing the F8 key on your keyboard.
    * Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    3. Run SDFix
    * Open the extracted SDFix folder and double click RunThis.bat to start the script.
    * Type Y to begin the cleanup process.
    * It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    * Press any Key and it will restart the PC.
    * When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    * Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    * Attach Report.txt back here

    Please rescan with HijackThis when through and attach both logs.
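Checking that O20 AppInit_DLLs load point without HijackThis, as an added example that is not part of the thread. It is Windows PowerShell run as Administrator on a current Windows; the DLL name is the one from the log above, while the registry views, search directories and the LoadAppInit_DLLs value (which only exists from Vista on) are my assumptions.

```powershell
# Added example, not code from the thread: inspect the AppInit_DLLs load point that
# HijackThis reports as an "O20" entry, then locate and fingerprint the named DLL.
# Assumes Windows PowerShell run as Administrator. The DLL name comes from the post;
# the search roots and the 64-bit registry view are assumptions.
$dllName = 'ztcqxj.dll'
$appInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows'   # 32-bit view on x64
)

foreach ($key in $appInitKeys) {
    if (-not (Test-Path $key)) { continue }
    $p = Get-ItemProperty -Path $key
    # LoadAppInit_DLLs exists from Vista on; 1 means the listed DLLs really are injected
    # into every process that loads user32.dll, which is why a backdoor likes this key.
    "{0}`n  AppInit_DLLs     = '{1}'`n  LoadAppInit_DLLs = {2}" -f $key, $p.AppInit_DLLs, $p.LoadAppInit_DLLs
}

# Every copy of the DLL, hidden ones included (-Force), with hash and signature status.
# A bare name in AppInit_DLLs is resolved by the normal DLL search path, so look in
# the places that path covers rather than only in system32.
$roots = "$env:SystemRoot", "$env:ProgramFiles", "$env:ProgramData"
Get-ChildItem -Path $roots -Filter $dllName -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Path    = $_.FullName
            Size    = $_.Length
            Hidden  = $_.Attributes.HasFlag([IO.FileAttributes]::Hidden)
            SHA256  = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
            SigStat = (Get-AuthenticodeSignature -FilePath $_.FullName).Status   # NotSigned is the usual verdict for an implant
        }
    } | Format-List

# Equivalent of HijackThis "Fix Checked" for the O20 entry: clear the value so nothing
# is injected at the next logon. Delete the file itself after a reboot into Safe Mode,
# as the post says, since it is mapped into running processes until then.
# foreach ($key in $appInitKeys) { Set-ItemProperty -Path $key -Name AppInit_DLLs -Value '' }
```

The SHA256 is worth keeping before deleting the file: it lets you check the sample against a vendor database later and, if the same hash turns up again after the cleanup, you know the dropper is still present rather than the DLL having survived.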
  3. Bizarro

    Bizarro Newcomer, in training Topic Starter

    I have done this, and attached both reports.
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Looks good to me, the AppInit file is now gone!

    CA describes Bifrost here:
    http://www.ca.com/us/securityadvisor/pest/pest.aspx?id=453148203
    and the spyware program in the suite should have removed it, or your previous runs with Malwarebytes should have found and quarantined it. You can remove it from there. KazaA is a file sharing, usually music download, site. It is very easy to get malware with any file sharing (P2P) program.

    I didn't see any evidence of the server.exe file from Bifrost in these logs.

    Some malware is 'user induced'. Be careful of these sites:
    You might want to read this content:
    File Behavior: ULTIMATEBET.EXE has been seen to perform the following behavior:
    http://www.prevx.com/filenames/1513460210692091515-0/ULTIMATEBET2EEXE.html

    and seriously consider removing any processes from it.

    You should also stay away from the file sharing sites like BitTorrent, uTorrent, KazaA, Limewire and others.

    If you found TrackingCookie when you ran SuperAntispyware, do this:
    Reset Cookies:
    Are you having any system problem similar to what you had before cleaning the system? DON'T use the System Restore. We will remove the old points as they can have malware and cleaning programs do not remove it from those files.
  5. Bizarro

    Bizarro Newcomer, in training Topic Starter

    I just got back from being out all day (watched the BCS game on TiVo, it was good), but no. I had been careful since getting some hits (which I normally never have) and not going to any sites that might take personal information.

    I don't use any P2P, so the KazaA hit had me curious. I actually don't think I've turned on System Restore at all (or ever created a Restore point).

    Regarding ultimate bet. I haven't logged on or used that service for at least 6 months. I'll uninstall it from my system after posting this.

    Thanks for the help so far.

    edit: I already had third-party cookies disabled.
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Good. Anything you are no longer using- whether it's an installed program, Active object, Toolbar or extra button should be stopped and removed.

    I didn't see either the KazaA or Bifrost entries, so can't advise you on them.

    Remove the cleaning programs:
    Download OTCleanIt from HERE & save it to your desktop.
    This needs to be started. The system will create a new restore point about once every 24 hours if system is on. It's also a good idea for you to create your own restore point before install, uninstalls, updates and any system work that could potentially cause a problem:

    All Programs> Accessories> System Tools> System Restore> Click on System Restore settings on the left>make sure there is no check in 'turn off System Restore> make sure the correct drive is being monitored
    Clear your existing System Restore points and establish a new clean restore point:
    (If you have any problem getting SR to run, let me know and I'll give you a troubleshooting list. This is an excellent feature and is sometimes all you have to get you out of a jam. Use it. I created a shortcut to System Restore and keep it in my Quick Launch Toolbar; it's a good reminder to set a new restore point of my own.)

    Let me know if you need more help.
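The restore point housekeeping described in the post above, done from Windows PowerShell as an added example that is not part of the thread. It assumes Windows PowerShell 5.1 (the *-ComputerRestore cmdlets are not in PowerShell 7) run as Administrator; the description text and the registry value that lifts the once-per-24-hours limit on newer Windows are my additions.

```powershell
# Added example, not code from the thread: make sure System Restore is on for the
# system drive, list the existing points, drop the ones that predate the cleanup
# (they can still hold the infected files), then set a fresh clean point.
# Assumes Windows PowerShell 5.1 run as Administrator.
Enable-ComputerRestore -Drive "$env:SystemDrive\"

# Existing points, oldest first; CreationTime is a WMI timestamp string
Get-ComputerRestorePoint |
    Select-Object SequenceNumber, Description, RestorePointType,
        @{ n = 'Created'; e = { [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime) } } |
    Format-Table -AutoSize

# Restore points live in VSS shadow copies and there is no Remove-ComputerRestorePoint,
# so vssadmin is the tool that actually clears them.
vssadmin delete shadows /for=$env:SystemDrive /all /quiet

# Windows 8 and later silently skip a new point created within 24 h of the last one;
# setting this frequency to 0 disables that check (assumption: you want the point now).
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore' `
    -Name SystemRestorePointCreationFrequency -Value 0 -Type DWord

Checkpoint-Computer -Description 'Clean after malware removal' -RestorePointType MODIFY_SETTINGS

# Confirm that the only point left is the new one
Get-ComputerRestorePoint | Select-Object SequenceNumber, Description
```

Run the listing before the delete and keep the output: if a later scan flags something inside System Volume Information, the sequence numbers tell you whether it belongs to a point that should already have been gone.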