TechSpot

Virus/malware ridden laptop, followed removal instructions

By mesomers19
Apr 8, 2008
  1. First off, first time using this thread.

    So here are the problems:
    Internet history says that I have repeatedly visited some site called NDr___ (last couple of letters/numbers always changes)
    Constant Pop-ups
    An alert message that reads:
    Microsoft Visual C++ Runtime library
    Buffer overrun detected
    C:\WINDOWS\explorer.exe
    A buffer overrun has been detected which has corrupted the program’s internal state. The program cannot safely continue and must now be terminated.

    Also internet/laptop runs a lot slower than usual.

    So, I followed the instructions in the
    Viruses/Spyware/Malware, preliminary removal instructions
    thread,
    and here are my log results that the thread said I should post.

    Side note: I couldn't figure out how to get combo fix to work so I used the second option listed.

    Also, the results of the Panda Antirootkit scan were all zeros.
     
  2. damusca

    damusca TS Rookie Posts: 26

    NDr - this could mean non delivery receipt, generally used in emails when you send a message and it does not get received or vice versa, good chance your computer is logging into something that is not responding, might be a good thing depending on what that is, have you tried just typing in the letters of NDr___? and seeing where it takes you, even if it is a dodgy site, spyware etc, you will be fine as long as you do not click on anything, even more so if you are using panda and mcafee.

    Buffer over run could be due to a dll problem.

    I have fixed the problem on my P.C. (Win XP Pro SP2, IE7)
    My overun error was caused by a DLL file that is a bad virus or trojan. As a Jpeg file, It was opened by my son on MSN.
    It took me 4 days to work it out. It lives in the windows\system32 folder. I tried 3 spyware programs & Norton Antivirus 2006 but the file kept coming back. I fixed the problem by downloading a Program called PrevX1,at no cost with a trial period of 1 month.

    Go to http://www.prevx.com/
    Download and run it, It worked for me.
    I am sorry I have forgotten the file name but it changes itself a few times.
    My problem caused windows explorer to crash and IE to go crazy at times loading up new pages very fast.

    Another thing you could try to use is ccleaner, a freeware utility, this is available from www.piriform.com, will do a few things which are all straightforward but there is also a registry check, if you have a dll error in there it will find it and give you the option of fixing ( deleting it ).

    For your spyware - adware errors, have you checked your programme list in your control panel - add or remove programmes, if you look down here there is probably something which has installed itself at the back of one of your downloads and hidden away which is causing your pop ups.
    Should be easy enough to recognise, will usually have "ad" somewhere in the file name or be masquerading as a spam blocker or something, lavasoft adaware is usally quite good at finding these things, do not know what firewall you are using but the comodo one is excellent, comodo pro, will do full scan if you choose to get it and will find the virus problem as well as protecting the integrity of your registry, it is also a free download.
    Best of luck
    David
     
  3. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Download and Install SDFix
    • Download SDFix and save it to your Desktop.
    • Double click SDFix.exe and it will extract the files to %systemdrive%
      (Drive that contains the Windows Directory, typically C:\SDFix)

    Run SDFix
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    • Attach Report.txt back here




    Malwarebytes' Anti-Malware

    • Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. please copy and paste the log into your next reply
      • If you accidently close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


    Afterwards please scan again with Hijackthis and attach it together with the above 2 logs
     
  4. mesomers19

    mesomers19 TS Rookie Topic Starter

    Hey,
    so I did the SDFix, and the Malwarebytes' Anti-Malware

    here are the new logs
     
  5. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Ok, first of all some files are missing from Mcafee. You may want to consider reinstalling.

    You might want to copy and paste these instructions into a notepad file, and save it to your desktop. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Run Hijackthis and Select Do A System Scan Only
    Put a check mark next to the following entries:
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {E18C014E-A7BF-462B-9B96-01AF812E4508} - C:\WINDOWS\system32\awtqr.dll (file missing)
    O3 - Toolbar: (no name) - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)
    O4 - HKLM\..\Run: [1c0202fb] rundll32.exe "C:\WINDOWS\system32\xfweiick.dll",b
    O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.ezproxy.lib.ucalgary.ca/lib/ucalgary/support/plugins/ebraryRdr.cab


    Select Fix Checked

    Close Hijackthis

    Show hidden files through windows explorer
    • Access Windows Explorer by clicking Start, point to All Programs, Accesories, and then click Windows Explorer. Or hold the windows key and press E
    • On the Tools menu in Windows Explorer, click Folder Options.
    • Click the View tab.
    • Under Hidden files and folders, click Show hidden files and folders and Turn Hide protected operating system files off.

    Use Windows Explorer to navigate to and delete the following files:

    Files:
    C:\WINDOWS\system32\xfweiick.dll <-This file only

    Restart your computer into normal mode

    Run a new scan with Hijackthis and attach the log



    Run Kaspersky Online AV Scanner

    Order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply
     
  6. mesomers19

    mesomers19 TS Rookie Topic Starter

    new log

    hey
    sorry about the wait
    papers suck


    When I went to manually delete
    C:\WINDOWS\system32\xfweiick.dll
    I couldn't find it.

    here is the new log and the Kaspersky Online AV Scanner report
     
  7. mesomers19

    mesomers19 TS Rookie Topic Starter

    oops

    Sorry i forgot to add the Kaspersky Online AV Scanner report
     
  8. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Looking much better.

    Manually clear cache

    • Open an Explorer folder window (for example, double-click My Computer).
    • From the Explorer menu select Tools | Folder Options | View. Make sure that you have checked the box next to "Show hidden files and folders" and uncheck "Hide protected operating system files".
    • Start Internet Explorer and click Tools | Internet Options | General tab | Settings | View Files.
    • IE should have opened up a folder window, typically viewing a folder with the name of C:\Windows\Temporary Internet Files. Put your cursor in the Address area of the folder window and add the name \content.ie5 to the name, so in our example the Address bar would now read c:\Windows\Temporary Internet Files\content.ie5.
    • You should see a series of folders with random eight-character names like ADOZMZS1. Delete each of these randomly named folders. You may get an error that some files are in use, this is normal if you are currently at a web site since those files are in the cache. Hold down the Shift key when deleting the files so they do not go to the Recycle Bin.


    Download and Run ATF Cleaner
    Download ATF Cleaner by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it.

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    Firefox or Opera:
    Click Firefox or Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.


    Uninstall Combofix
    * Click START then RUN
    * Now type Combofix /u in the runbox
    * Make sure there's a space between Combofix and /u
    * Then hit Enter.

    * The above procedure will:
    * Delete the following:
    * ComboFix and its associated files and folders.
    * Reset the clock settings.
    * Hide file extensions, if required.
    * Hide System/Hidden files, if required.
    * Set a new, clean Restore Point.

    -----------------------------------------------------------------------
    Cleanup using OTMoveit2 by OldTimer
    Now we can clear out the rest of the programs we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if launched accidentally.

    Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop.

    1. Double click OTMoveIt2.exe to launch it.
    If using Vista Right-Click OTMoveIt and choose Run As Administrator
    2. Click on the CleanUp! button.
    3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
    4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)

    * When finished exit out of OTMoveIt2

    ---------------------------------------------------------------------------
    I recommend you keep
    1 anti virus program
    1 firewall
    Combo of Anti-Spyware (Spybot S&D and MBAM, or your choice)

    For Spybot you can download the latest version from HERE.

    keep them updated.

    You can also turn on tea timer in Spybot:
    • Click on Mode at the top and make sure that Advanced is checked
    • Expand the Tools tab in the left pane
    • Single click on the Resident Icon also in the left pane
    • check Resident "TeaTimer" (Protection of over-all system settings) Active
    • Close spybot

    Also under Tools you can double-click System Startup in the right pane and disable programs from running at startup. This will free up system resources. For example if you don't use MSN Messenger everytime you run your computer you can disable it, then when you want to use it you can launch it through Start -> all programs, or make a shortcut on the desktop for it. That way it doesn't use resources when you aren't using it. Don't disable any entries in green though.

    And just to be sure
    Set correct settings for files
    • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
    • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
    • If unchecked please check Hide protected operating system files (Recommended)
    • If necessary check "Display content of system folders"
    • If necessary Uncheck Hide file extensions for known file types.
    • Click OK

    clear system restore points

    • This is a good time to clear your existing system restore points and establish a new clean restore point:
      • Go to Start > All Programs > Accessories > System Tools > System Restore
      • Select Create a restore point, and Ok it.
      • Next, go to Start > Run and type in cleanmgr
      • Select the More options tab
      • Choose the option to clean up system restore and OK it.
      This will remove all restore points except the new one you just created.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...