Spyware/viral infection - possible

Status
Not open for further replies.
This is my first post here. My normal spyware kept getting hits for a Bifrost (labeled it as backdoor) and a KazaA (P2P) for a few days. I then went and originally ran through the Malwarebytes and SuperAntiSpyware and it found nothing upon relogging in. However, I'd see them from scan to scan.

My real-time virus scanner the same day (5 days ago), hit several Vmalum. viruses when I wasn't browsing. It killed them.

My question is this, what can I do to make sure my system is really clean. I've gone through the 8 step post guidelines, and am attaching the appropriate logs.

Thank-you very much, in advance.
 
The only malware entry in all three of the logs is: O20 - AppInit_DLLs: ztcqxj.dll

Please re-open HiJackThis and scan. *Check* the boxes next to all the entries listed below.
O20 - AppInit_DLLs: ztcqxj.dll

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:

Start> Search> Files & Folders> Tools> Folder options> View tab> CHECK 'show hidden files and folders'> type ztcqxj.dll into the search box and search> if found, do a right click> delete. (Please go back and 'rehide' the files when through)

Reboot into Normal Mode.

1. Download and Install SDFix
* Download SDFix from HERE
and save it to your Desktop.
* Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

2. Boot into Safe Mode
* Restart your computer and start pressing the F8 key on your keyboard.
* Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

3. Run SDFix
* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
* Attach Report.txt back here

Please rescan with HijackThis when through and attach both logs.
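Added example (not from the thread or from HijackThis/SDFix): a PowerShell check that reads the AppInit_DLLs registration behind the O20 line above and looks for the named DLL on disk, so you can confirm the fix took. It assumes an elevated PowerShell prompt; the LoadAppInit_DLLs value exists on Vista and later and is absent on XP.

```powershell
# Added example, not part of the thread: report the AppInit_DLLs registration
# that HijackThis shows as an O20 entry, and look for the named DLL on disk.
# Assumes an elevated prompt. LoadAppInit_DLLs exists on Vista and later only.
function Get-AppInitDllStatus {
    param(
        # DLL name from the O20 line in the thread
        [string]$DllName = 'ztcqxj.dll'
    )
    # Both the native key and the WOW6432Node key on 64-bit Windows
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    )
    $registry = foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        $list  = [string]$props.AppInit_DLLs
        [pscustomobject]@{
            Key              = $key
            AppInit_DLLs     = $list
            # 1 means every DLL in the list is loaded into every user-mode process
            LoadAppInit_DLLs = $props.LoadAppInit_DLLs
            ListsSuspect     = ($list -match [regex]::Escape($DllName))
        }
    }
    # Hidden files are included (-Force), which is why the thread has you
    # enable 'show hidden files and folders' before searching by hand.
    $onDisk = @(Get-ChildItem -Path $env:SystemRoot -Filter $DllName -Recurse -Force `
                  -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName)
    [pscustomobject]@{
        Registry = @($registry)
        OnDisk   = $onDisk
        Clean    = (-not (@($registry) | Where-Object { $_.ListsSuspect })) -and ($onDisk.Count -eq 0)
    }
}

$status = Get-AppInitDllStatus
$status.Registry | Format-List
if ($status.Clean) {
    'No AppInit_DLLs reference to the DLL and no copy of it under the Windows folder.'
} else {
    'Still present; registry entries or files listed above and below:'
    $status.OnDisk
}
```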
 
Looks good to me AppInit file is now gone!

CA describes Bifrost here:
http://www.ca.com/us/securityadvisor/pest/pest.aspx?id=453148203
and the spyware program in the suite should have removed it, or your previous runs with Malwarebytes should have found and quarantined it. You can remove it from there. KazaA is a file sharing, usually music download, site. It is very easy to get malware with any file sharing (P2P) program.

I didn't see any evidence of the server.exe file from Bifrost in these logs.

My question is this, what can I do to make sure my system is really clean. I've gone through the 8 step post guidelines, and am attaching the appropriate logs.
Some malware is 'user induced'. Be careful of these sites:
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - G:\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - G:\UltimateBet\UltimateBet.exe
And I thought I saw a poker site on a log. The game sites dispense a lot of adware; that's how they pay for running the sites.
You might want to read this content:
File Behavior: ULTIMATEBET.EXE has been seen to perform the following behavior:
http://www.prevx.com/filenames/1513460210692091515-0/ULTIMATEBET2EEXE.html

and seriously consider removing any processes from it.

You should also stay away from the file sharing sites like BitTorrent, uTorrent, KazaA, Limewire and others.

If you found TrackingCookie when you ran SuperAntispyware, do this:
Reset Cookies:
For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

For Firefox: Open Firefox> Tools> Options> Privacy> Cookies> UNCHECK 'allow third party Cookies'> CHECK 'accept Cookies from sites.'
Are you having any system problem similar to what you had before cleaning the system? DON'T use the System Restore. We will remove the old points as they can have malware and cleaning programs do not remove it from those files.
 
I just got back from being out all day (watched the BCS game on TiVO, it was good), but no. I had been careful since getting some hits (which I normally never have) and not going to any sites that might take personal information.

I don't use any P2P, so the KazaA hit had me curious. I actually don't think I've turned on System Restore at all (or ever created a Restore point).

Regarding ultimate bet. I haven't logged on or used that service for at least 6 months. I'll uninstall it from my system after posting this.

Thanks for the help so far.

edit: I already had third-party cookies disabled.
 
Regarding ultimate bet. I haven't logged on or used that service for at least 6 months. I'll uninstall it from my system after posting this.
Good. Anything you are no longer using- whether it's an installed program, Active object, Toolbar or extra button should be stopped and removed.

I didn't see either the KazaA or Bitfrost entries, so can't advise you on them.

Remove the cleaning programs:
Download OTCleanIt from HERE & save it to your desktop.
Double click on OTCleanIt.exe.
Click on CleanUp!.
It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).
You will receive a prompt that it needs to restart the computer to remove the files.
Click Yes.
It will restart your computer automatically. If it doesn't, please restart your computer manually.
I actually don't think I've turned on System Restore at all (or ever created a Restore point).
This needs to be started. The system will create a new restore point about once every 24 hours if the system is on. It's also a good idea for you to create your own restore point before installs, uninstalls, updates and any system work that could potentially cause a problem:

All Programs> Accessories> System Tools> System Restore> Click on System Restore settings on the left> make sure there is no check in 'turn off System Restore'> make sure the correct drive is being monitored
Clear your existing System Restore points and establish a new clean restore point:
Go to Start > All Programs > Accessories > System Tools > System Restore> Select Create a restore point> OK.
* Next, go to Start > Run and type in cleanmgr
"Ensure the selection is on C:\ and click on OK"-
* Select the *More options* tab
* Choose the option to clean up System Restore and OK it.
* This will remove all restore points except the new one you just created.
(If you have any problem getting SR to run, let me know and I'll give you a troubleshooting list. This is an excellent feature and is sometimes all you have to get you out of a jam. Use it. I created a shortcut to System Restore and keep it in my Quick Launch Toolbar; it's a good reminder to set a new restore point of my own.)

Let me know if you need more help.
 