Help required - Virus removal


iturkington

Hi,

I'm wondering if someone can give me some help or advice on virus removal.

The machine was infected by a virus. The symptom was new processes requesting access to the internet. These were blocked by the firewall, and as a result there was no internet access.

I've read and followed the "8-step Viruses/Spyware/Malware Preliminary Removal Instructions" post on this forum.

The virus appears to have been removed successfully. But there is one stubborn bit of malware which will not go away!

I have virus scanned with AVG Anti Virus Free (latest version). This is now showing no infections, and no warnings.

I'm basically wondering if the machine is now clean, or how I can get rid of the last bit of adware.

I've attached the following log files...
(1) mbam-log-2009-02-02 (09-50-27).txt
(2) SUPERAntiSpyware Scan Log - 02-02-2009 - 12-23-15.log
(3) hijackthis 2009-02-02.log (hijackthis.exe was renamed before running.)

Any help appreciated.

Thanks,
Ian
 

Attachments

  • hijackthis 2009-02-02.log
Hi iturkington

Run HJT, select and remove the below:
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)

Were there other runs with MBAM and SAS, or are these the only logs?

Do the below..

Download SDFix to Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

On the Desktop run SDFix. It will run (install) then close.

Then reboot into Safe Mode

As the computer starts up, tap the F8 key several times.

On the Boot menu Choose Safe Mode.

Click through all the prompts to get to the desktop.

At Desktop
My Computer C: drive. Double-click to open.

Look for a folder called SD Fix. Double-click to enter SD Fix.

Double-click RunThis.bat. Type Y to begin.

SD Fix does its job.

When prompted, hit the Enter key to restart the computer.

Your computer will reboot.

On normal restart the Fixtool will run again and complete the removal process then say Finished,
Hit the Enter key to end the script and load your desktop icons.

Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
Attach the Report.txt file to your next post.
=========================================
Download ComboFix

NOTE: If your copy of ComboFix is more than a few days old, delete it and re-download.

Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe

Double-click combofix.exe and follow the prompts.

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: Do not click ComboFix's window while it's running. That may cause it to stall.

Mike
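The two HijackThis lines Mike flags above are "orphaned" entries: registry registrations (an O2 Browser Helper Object and an O20 Winlogon Notify package) whose DLL HijackThis could no longer find on disk, which is why they are safe to fix. As an added example, not part of this thread or of HijackThis itself, the following Python script parses HijackThis-style log lines and picks out exactly those orphaned O2/O20 entries; the sample log is constructed from the two lines quoted in the thread plus two made-up healthy entries (placeholder CLSID and hypothetical paths).

```python
import re

# Constructed sample log: the two entries quoted in the thread plus two
# made-up "healthy" entries (placeholder CLSID, hypothetical DLL paths).
SAMPLE_HJT_LOG = """\
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\Example\\helper.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

# HijackThis marks a BHO whose DLL is gone as "(no file)" and a Winlogon
# Notify package whose DLL is gone as "(file missing)".
ORPHAN_MARKERS = ("(no file)", "(file missing)")

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def parse_hjt(text):
    """Return one dict per HijackThis entry: section, body, CLSID, orphan flag."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip headers, blank lines, anything not an O-entry
        section, body = m.groups()
        clsid = CLSID_RE.search(body)
        entries.append({
            "section": section,
            "body": body,
            "clsid": clsid.group(0) if clsid else None,
            "orphan": body.endswith(ORPHAN_MARKERS),
        })
    return entries


def orphaned_entries(text, sections=("O2", "O20")):
    """Entries in the given sections whose backing DLL HijackThis could not find.

    Such an entry is a leftover registration (the DLL was deleted by a scanner
    or uninstaller, but the registry reference stayed behind); it loads
    nothing, so removing it with HijackThis's "Fix checked" only tidies up.
    """
    return [e for e in parse_hjt(text) if e["section"] in sections and e["orphan"]]


if __name__ == "__main__":
    for e in orphaned_entries(SAMPLE_HJT_LOG):
        print(e["section"], "-", e["body"])
```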
 
Regarding the O20 entry in the HijackThis log:
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)

acnotify.dll is a part of Access Connections software.
The following was found by some to be a problem with their IBM Lenovo machines:

New Intel 2200bg and 2915abg update:
New Intel PRO 2200bg and 2915abg Mini PCI adapter wireless software (wireless driver from IBM/Lenovo) for Windows 2000, XP - ThinkPad R5*, T4*, X31, X32, X4*, Z60m, Version: 9.0.4.8

I am quoting one of the users here:
I ended up uninstalling Access Connections (but kept the profiles), rebooting, then uninstalling the wireless driver in device manager. Next I went to Add or Remove Programs and chose to remove Intel(R) PROSet/Wireless Software, and when given the option to repair, I chose to repair. I then rebooted and Windows found the new wireless driver and installed it. Finally I reinstalled Access Connections.

Moral of the above: I would recommend uninstalling Access Connections before upgrading the wireless driver. Reboot, then reinstall Access Connections.

This might be of help to you.

Mike I came across this in a search and thought it worth sharing.
 
10-4

Good to know! I always uninstall that Lenovo, Acer and Dell stuff anyway but did not know there was a specific issue with it.

Thanks Bobbye
 
You're welcome Mike. It's been my experience that the average user does not check for the pre-loaded software and continues to have it all start on boot and run in the background. Toshiba is another bad one, then Sony VAIO. I used to think Dell was the worst, but it's a poor fourth compared to these others!
 
Mike,

Thanks for the reply, I'm following the steps now.

You mentioned other logs. I'd run them several times to get the PC as clean as possible, and only attached the final logs.

So I've attached them here if you are interested.

Thanks again,
Ian
 
Good job Ian!

Yes it is good to know what you had in case we need to take extra steps.

Get me the rest of my last post. SDFix and ComboFix. And we will finish this up.

Mike
 
Mike,

I've run SDFix. All worked fine. Log file attached.

...BUT...

When I run COMBOFIX.EXE I get the following...

(1) prep.com has encountered a problem and needs to close.

(2) AVG Resident Shield alert
threat detected!
Filename: C:\Doc and Settings\Grace\Local Settings\Temp\9.tmp\b2b.dll
Threat name: Trojan horse BackDoor.SmallX.VX
Detected on open.

Any suggestions? I didn't want to turn off the resident shield without getting advice first!

Thanks,
Ian
 
Unplug the network cable, turn off AVG and run it.

If there are still issues, run ComboFix from Safe Mode.

Mike
 
Without AVG, ComboFix completed
(although it left the laptop locked).

Now restarted, and the ComboFix log file is attached.

Thanks,
Ian
 
Great, you are good to go!

Look carefully at Bobbye's post #3!

Other than that, let's close this one and clean up some of these special tools, after you give me a status report on your computer.

Mike
 
Mike,

Thanks for your help.

The PC appears to be working fine now. In fact there were no symptoms after running all the stuff in the "8-step Viruses/Spyware/Malware Preliminary Removal Instructions", but I thought I'd get some advice on the logs.

I'll run a few more scans overnight tonight and hopefully it will get a clean scan report.

With regards to Bobbye's post: the laptop is an IBM ThinkPad T41, and I always connect to the LAN using wireless. But I've not been doing anything to the drivers, and it appears to be working fine. So I'm inclined not to interfere with it.

Thanks,
Ian
 
Won't hurt but that was what it was!

Look in taskmgr for iexplore first; if it is there and you do not have it open, then that will be a problem.

tragicallyhip is confusing Windows Explorer (Explorer.exe, the Windows GUI, My Computer) with iexplore.exe, which is Microsoft Internet Explorer.

Mike
 