TechSpot

Viruses/Spyware/Malware, preliminary removal instructions by howard_hopkinso

By M0ntG0M3rY
Dec 1, 2007
  1. The following two posts are exact citation of Viruses/Spyware/Malware, preliminary removal instructions by howard_hopkinso, which have been retrieved from Google cache and formatted to reproduce their original presentation.
     
  2. M0ntG0M3rY

    M0ntG0M3rY TS Rookie Topic Starter Posts: 48

    Very Important: Malware infections can possibly lead to identity theft, stolen bank funds, misuse of credit card information etc. Therefore I strongly encourage you to please read this thread HERE before deciding what course of action to take regarding your infection.

    If after reading the above, you wish to clean your system, do the following.

    -----------------------------------------------------------------------------------------------------------------------------------
    Please make sure you complete all steps in this thread, BEFORE you post the requested log files.

    Make sure you read and follow all the STEPS below, otherwise it just makes it that much harder for us to help you effectively.

    DO NOT SKIP ANY OF THE INSTRUCTIONS

    If you have any problems following any of the instructions, please ask for assistance.

    -----------------------------------------------------------------------------------------------------------------------------------
    STEP1:


    Malware Removal: Temporarily Disable Real Time Monitoring Programs.

    This is because some real time protection programmes can interfere with any fixes we are trying to run.

    Once your system is clean, you are advised to turn the protection back on.

    See these instructions on how to disable some of the more common real time monitoring programmes. Thanks to CastleCops for the info.

    ------------------------------------------------------------------------------------------------------------------------------------
    STEP2:

    If you`re NOT running any antivirus or firewall software, you should install some ASAP.


    Download and install the free AVG or Avast antivirus programmes and either the free Zonealarm, Kerio or Comodo firewall programmes.

    Install whichever firewall you chose, followed by whichever antivirus programme you chose. Reboot your system the required number of times. Run the antivirus updates.

    ONLY INSTALL THE ABOVE ANTIVIRUS/FIREWALL SOFTWARE, IF YOU DON`T ALREADY HAVE ANY ANTIVIRUS OR FIREWALL SOFTWARE.

    -----------------------------------------------------------------------------------------------------------------------------------
    STEP3:

    Run this online virus scanner. You will need to use Internet Explorer for this scanner. It`s one of the very few online scanners that will actually disinfect viruses etc. NOTE: If you have any problems with the online scanner, skip it and continue with the rest of the instructions below.

    -----------------------------------------------------------------------------------------------------------------------------------
    STEP4:

    Make sure you have the LATEST version of HJT (currently v2.0.2) from HERE.

    The above link will download the HijackThis installer. Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. It will also automatically OPEN HJT, close it.

    -----------------------------------------------------------------------------------------------------------------------------------
    STEP5:

    THIS IS VERY IMPORTANT.

    Open the C:\Program Files\TrendMicro\HijackThis folder in program files. Rename the Hijackthis.exe file to Crusty.exe. This is because some malware can hide from HijackThis.exe. Right click the HijackThis.exe file and choose rename. Click in the title box and press the delete key to clear what`s there, type Crusty.exe and press the enter key. Right click the Crusty.exe file and choose send to desktop(create shortcut).

    Under no circumstances should you add any items to the HJT ignore list.

    Do not run a HJT scan, until step15 of this thread.

    ------------------------------------------------------------------------------------------------------------------------------------
    STEP6:

    Download and install AVG Antispyware(formerly Ewido).
    Double-click the icon on your desktop to run it.
    On the top of the main screen click Shield. Click the word active to change it to inactive.
    On the top of the main screen click 'Update'. Then click on 'Start
    update'. The update will start and a progress bar will show the updates
    being installed.
    If you are having problems with the updater, you can get the manual update at http://downloads.ewido.net/avgas-sig...ll-current.exe
    When you have finished updating, exit AVG Antispyware.

    For a complete pictorial guide to the use of AVG Antispyware look HERE. Thanks to rik for the guide.

    -----------------------------------------------------------------------------------------------------------------------------------
    STEP7:

    Download and install the latest version of SS&D from HERE. Make sure you have the latest definition files(updates). Click the immunize button in the lefthand pane, then click the green immunize cross in the righthand pane. Close SS&D. Make sure that during installation the Teatimer protection is disabled.

    -----------------------------------------------------------------------------------------------------------------------------------
    STEP8:

    Download and install the latest version of Ad-Aware SE Personal from HERE. Make sure you have the latest definition files. Close Ad-aware se.

    -----------------------------------------------------------------------------------------------------------------------------------
    STEP9:

    Download the Ccleaner programme from HERE.

    Close all browsers. Run the programme and make sure all the boxes are ticked under the Windows(except for the Old prefetch Data option, this should be unticked) and Applications tabs and click the run cleaner button. Do this several times.


    -----------------------------------------------------------------------------------------------------------------------------------
    STEP10:

    Download and run these three tools. Follow the instructions for using each tool on the download site for each tool.

    Tool1 Tool2 Tool3

    -----------------------------------------------------------------------------------------------------------------------------------
    STEP11:

    Download the Panda Antirootkit programme.

    Unzip it and run the PAVARK.exe file.

    Tick the box that says In depth scan and follow the on screen instructions.

    DO NOT remove any UNKNOWN ROOTKITS at this stage. Instead, let me know the results.

    Let me know the results in your reply.

    PLease Note: Panda Antirootkit is not compatible with Windows Vista.

    If you are running Vista, please download the AVG Antirootkit programme.

    Disconnect from the net and install the programme.

    Run the programme and tick Indepth scan. Do not have AVG Antirootkit fix anything, instead let me know the results.

    Once the scan is finished, reconnect to the net.

    -----------------------------------------------------------------------------------------------------------------------------------
    Please continue with instructions in the post below.
     
  3. M0ntG0M3rY

    M0ntG0M3rY TS Rookie Topic Starter Posts: 48

    STEP12:

    Delete all versions of Combofix you may already have.

    Download Combofix.exe.
    Double click combofix.exe & follow the prompts. A window will open with a warning. Type "1" (and Enter) to start the fix. When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log. Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

    Combofix will automatically save the log file to C:\combofix.txt Do not post the Combofix log, until you have completed the rest of the instructions below.


    -----------------------------------------------------------------------------------------------------------------------------------

    STEP13:

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

    Run a full system scan with your antivirus programme and delete whatever it finds, including anything in the virus vault.

    -----------------------------------------------------------------------------------------------------------------------------------

    STEP14:

    Run SS&D and fix whatever it finds.

    Run Ad-Aware personal se. Click start, uncheck scan for negligible risk entries.
    Select perform full system scan and click next, fix whatever it finds.

    See this pictorial guide on how to use AVG Antispyware.

    Make sure all windows are closed.

    Run AVG Antispyware.

    VERY IMPORTANT

    Make sure AVG is set to quarantine it`s results.

    Make sure you read this step properly.


    That`s because too many members are posting an AVG log that says "No Action Taken" or "Ignored"

    Please note:
    If your AVG Antispyware log says all items have "No Action Taken" or "Ignored" That`s because you haven`t followed the instructions properly for using AVG Antispyware and will have to read them again and do a fresh AVG Antispyware scan.

    There is absolutely no point in attaching an AVG Antispyware log that says items have "NO ACTION TAKEN" or "IGNORED"

    Once finished, click the save scan report button, followed by the Save report as button and save it to your desktop.

    Reboot into normal mode and rehide your protected OS files.

    -----------------------------------------------------------------------------------------------------------------------------------

    STEP15:

    Run HijackThis.

    Click on Scan. After the program is done with the scan, click on the "Save log". It should be the same button as the previous "Scan" button you clicked on. Save the log to wherever you want. You can now attach your HJT log without having to rename it as a .txt file.

    Attach the HJT logfile as an attachment into a new thread in our security and the web forum(unless you`ve already got a thread here).

    See this thread for instructions on how to post a HJT log and your other logs as ATTACHMENTS.

    Please note: HJT and any other logs must not be posted as .doc files. This is due to the risk of viruses etc.


    Once you`ve finished these instructions, you should have 3 log files. HJT, Combofix and AVG Antispyware logs. They are the only logs we need, unless otherwise requested.

    I don`t want to see any other log files, unless I specifically request them.

    That means no Smitfraud log, no Vundufix log, No VirtumundoBeGone log, or any other kind of damn logs.

    Don`t forget to: Let us know the results of the Panda Antirootkit scan


    Let us know what symptoms you`re having if any.

    Regards Howard [​IMG]
     
  4. frogentott

    frogentott TS Rookie

    Here are the Logs after i finished with everything you directed ^^

    Oh and the Antirootkit found nothing btw. What do i do next? I still get the "Can not find script file "C:\FS6519.dll.vbs". alert when i try to double click open my C: drive.
     
  5. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    M0ntG0M3rY better to just provide a link, like this:

    Viruses/Spyware/Malware, preliminary removal instructions

    frogentott have you posted before about this ?
    Sounds as though you have some history to your issue.

    You may want to check THIS link on startup issues.
    Scroll down to STARTUP MANAGERS to download and hopefully remove your startup issue.
     
  6. frogentott

    frogentott TS Rookie

    Thank You!!!

    Ooh after i ran Cracky.exe the problem was fixed!!! Thank You very much for the great help and tips!!! God Bless!!!
     
  7. M0ntG0M3rY

    M0ntG0M3rY TS Rookie Topic Starter Posts: 48

    :evil: Check the time my message was posted... the link didn't exist at all, I just reconstructed the text, which have since been copied and put in its original place...


    frogentott, I recommend you start a new thread instead.
     
  8. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    I see by 2 Hrs yours is the original (format)

    Apologies M0ntG0M3rY, when I saw the long post. I thought it was strange.
     
  9. M0ntG0M3rY

    M0ntG0M3rY TS Rookie Topic Starter Posts: 48

    no problem :)
     
  10. tomrca

    tomrca TS Rookie Posts: 1,000

    have you run NOOB KILLER yet AS this shows in your log R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = TAGA LIPA ARE!you can get it from HERE
    in th meantime have hijackthis fix :
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)b

    O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

    check to see if you know this: O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/download/imikimi_plugin.cab if not remove
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...