8 step complete: Vundo, Darksma, Casclient infections

Status
Not open for further replies.
T

timbob5

Posts: 44   +0
I have been running CA Security (Virus and Spyware) along with Windows Firewall for years with good success (past week on a daily basis).

For about two weeks, been fighting Casclient, Darksma Spyware and Vundo virus. 2 to3 Spyware and up to 50 viruses detected at times. When on internet, Windows 2009 Security continues to attempt loading automatically, need to hit [esc] and exit every time to keep away (My spouse and kids are not very computer savvy and I worry this virus will get in). Also get random websites opening.

We use internet for college, loan payments, occasional online banking, and occasional purchases. I have not done any of this after getting spywares (virus showed up shortly after).

I cannot seem to rid myself of these and began researching online. Found your site and saw many successful correspondence on similar issues and was quite impressed.

I have run the 8 step removal instructions, attached logs and am asking if someone has time and knowledge to let me know if I was successful in my first attempt and if further steps are needed. Thank you in advance.

tim
 
Hi Tim

Your mbam and sas logs show found and removed items. We must see them either clean or with something it can not clean.

Rerun them both again.

Post all log as you run again, except HJT log after clean or when requested.

Mike
 
Mike,

Thank you for the quick response. It sure is nice to have people to help out on computer troubles. Years back I gave up on some virus issues and got a new computer to solve (the virus won). Your help is really appreciated.

I have run Malewarebytes Anti-Mailware (with no items detected) and ran SuperAntiSpyware (first run with 8 items, rebooted as told and ran second time with no items) and I am attaching the log files.

This is the first time on the web and I wonder if I should try running both again to see if all is clear.

I will wait for your recommendation(s) prior to continuing.

Tim
 
Mike,

I have downloaded the program requested and have attached the info and log files.

Thank you for taking the time to help,
Tim
 
Hi Tim

Some minor issues to be cleaned with HJT but not yet.

There are indications of other issues so do the below.

These don't take as long so do the first attach log as they are run.

Download SD Fix to Desktop among other things Catchme to look for RootKits.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

On Desktop run SDdFix It will run (install) then close.

Then reboot into Safe Mode

As the computer starts up, tap the F8 key several times.

On the Boot menu Choose Safe Mode.

Click thu all the prompts to get to desktop.

At Desktop
My Computer C: drive. Double-click to open.

Look for a folder called SD Fix. Double-click to enter SD Fix.

Double-click to RunThis.bat. Type Y to begin.

SD Fix does its job.

When prompted hit the enter key to restart the computer

Your computer will reboot.

On normal restart the Fixtool will run again and complete the removal process then say Finished.

Hit the Enter key to end the script and load your desktop icons.

Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
Attach the Report.txt now.

Then continue below.
=========================================
ComboFix

NOTE: If you have had ComboFix more than a few days old delete and re-download.

Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe

Double click combofix.exe follow the prompts.

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: Do not click combofix's window while its running. That may cause it to stall.

After all the above are done post new HJT log.

Mike
 
Mike,

Sorry for delay, son's car needed repair work, ughhh.

I had nine viruses on CA Anti Virus scan today which were deleted automatically, listed as 'Actns/SwifT'.

I followed your instructions and have attached the three (3) logs.

Looking forward to next step.

Thanks,
Tim
 
Hi Tim

There is evidence of a very bad new Malware. This one is hard to get rid of and CA is one of the only scanners catching it as far as I know. But it is not completely cleaning it.

It is imperative that you do all the below ASAP!

Run HJT Scan only Select and remove the below
O20 - AppInit_DLLs: jlruoa.dll

Run MBAM click More Tools- Run Tool. Then paste the line below in to the File name box and click OK to delete it.

c:\windows\system32\mawwurqo.dll

Next Run combofix again.

Then UPDATE MBAM and run it again, then UPDATE SAS and run it again.

Get me the logs as you run them not all at once.

Mike

Mike
 
Mike,

The 12/3 CA spyware scan detected 'KaZaA' and 'Bifrost' which were deleted and quarentined.

I ran HJT scan only and deleted file 'O20 - AppInit_DLLs: jlruoa.dll'

I ran MBAM and attaching log. After pasting 'c:\windows\system32\mawwurqo.dll' it could not find file, however created it and then deleted it.

Will perform other steps later this evening.

Tim
 
Mike,

Ran Combofix and have posted the log.

Ran Hijackthis and posted the log.

My son needs to write paper on word and after I plan on updating MBAM and SAS and running both again. I will send these logs when completed.

Thanks Mike,
Tim
 
OK you did it!

Won't hurt to rescan with UPDATED MBAM an SAS once more as you said, if done at convenient time as while you are working or sleeping.

I will wait a few days till you have sent the logs and then we will close the thread and cleanup the tools we used.

Mike
 
Mike,

Ran MBAB and SAS. MBAB was clean, however 13 adware cookies on SAS (normal?). Attaching both logs.

Tim
 
Yes the moment you open a website you get cookies. Most are OK so don't worry.

Thread closing-------------------------------------------------------------------
Please download OTCleanIt http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe

Save to desktop.

This will remove all the tools we used to clean your computer.
These tools update so often they require downloading again later if needed.

Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?"

Approve all if prompted by Firewall, Widows Defender or other guards or security programs about OTCleanIt attempting access to the Internet, allow all.

If prompted to Reboot click Yes.
OTCleanit will delete itself when finished, if not delete it by yourself.

-------------------------------------------------------------------------------------
Run CCleaner again twice or more on Cleanup temps, then on left click Registry then Scan for issues also repeat till clean.

D/L install and run ATF-Cleaner clear all except passwords in all browsers you have. Run repeatedly until no more found.

http://www.majorgeeks.com/ATF_Cleaner_d4949.html
-------------------------------------------------------------------------------------
The issues found is in System Restore so do the below

Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "After cleanup at TechSpot".

Then Start-Programs-Accessories-System Tools-Disk Cleanup
Click OK to accept C:
Select all Boxes
Then click More Options
Here click System Restore and OK to "Are you sure" and the OK to Run.

As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

It clears what is known as Shadow copies which are used by specialized back up programs.

This is if you have the Volume Shadow Copy running which is the default.
-------------------------------------------------------------------------------------

Every 2 weeks or so run mbam and sas until clean They take a while so leave scanning while you are sleeping working or watching TV. If not done under the gun they can be schedules not to interfere with computer time.

If they find something they can not clean then get back to us.

Additionally run CCleaner.

I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.

It was designed to co-exist with other Virus scanners.

Additionally it uses totally different process to protect. While conventional Virus scanners work from definitions ThreatFire works on recognizing Virus/Malware activity. It's like looking at it with 2 sets of eyes and from a different angle.

http://www.threatfire.com/Download/
-------------------------------------------------------------------------------------
Look at http://www.javacoolsoftware.com/spywareblaster.html

Run SpyBot ocassionally and use the Immunize function.
http://www.safer-networking.org/en/download/

Install Hostman and allow it to disable DNS Client and select all 4 Host files and the Update
Hostman http://www.abelhadigital.com/2008/07...-released.html

A Disk scan and Defrag are in order.

Mike
 
Mike, can you explain to me about the use of RSIT in place of HijackThis? What is the home site? What does it do? How is it different from HJ?

timbob, here's some help with the Tracking Cookies. Have SAS remove them. Click on the lower left screen shot here to enlarge image, showing you what to check:
http://superantispyware.en.softonic.com/images

After you have done that:
Reset Cookies:
For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.
Click to expand...
Please re-open HiJackThis and scan.*Check* the boxes next to all the entries listed below.
C:\Program Files\Viewpoint\Common\ViewpointService.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?T...=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?T...=Q405&bd=pavilion&pf=desktop&parm1=seconduser
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Click to expand...
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:

1. Start> Run> msconfig> Selective Startup> Startup menu> UNCHECK all Viewpoint entries> Apply> OK
2. Start> Run> services.msc> right click on viewpoint Manager> Properties> change Startup type to Disabled.
3. Control Panel> Add/Remove Programs> UNINSTALL any Viewpoint entries

Reboot into Normal Mode. NOTE: you will get a nag message that you can ignore and close after checking 'don't show this message again.' Stay in Selective Startup.
 
Well post #18 in this thread tells you where you get it.

I am surprised you have never heard of it I have used it for over a year.

It is a System information tool that runs HJT as part of its report just gives a lot of other details. Similar to OTScanit.

Mike
 
I have not heard of it to be used in place of HijackThis. Since HijackThis is recommended in the TechSpot malware cleaning, it seems you would encourage the use of that. The problem I think Mike is that you don't open and deal with the entries that need to be removed in the HijackThis log. Having the users run additional programs is not going to remove those entries.
 
But why burden the user with more to run? Plus I think the HijackThis entries themselves need to be dealt with. I think you run unnecessary programs.
 
Status
Not open for further replies.

Similar threads

Julio Franco
The complete list of alternatives to all Google products
2 3 4
Replies
98
Views
34K
wizardB
wizardB
David Matthews
Google unveils Tez, a mobile payment app that uses sound to transfer money
Replies
2
Views
1K
Skidmarksdeluxe
Skidmarksdeluxe
Nicki
Solved 3 infections
2
Replies
26
Views
6K
Broni
Broni

Latest posts

Back