Virus/Worm/Trojan/Malware Cleanup

Status
Not open for further replies.
Hi,
I'm helping a friend remove a number of Virus/Worm/Trojan/Malware issues after she spent some time playing with LimeWire.

I've used howard_hopkinso's useful advice posted in the thread:
"techspot.com/vb/topic58138.html"

to create the log files required. Also, no rootkits were found.

I'm hoping someone with more knowledge than me can advise on what's left.

I'm worried about the m?iexec.exe entry in HijackThis.

MS Messenger also does not start . . . the error we get when it starts is the "parameter is incorrect".

Let me know if there is anything else you need.

Thanks

Kind regards
punjabDaPunk
 
Hello and welcome to Techspot.

Delete all files in AVG Antispyware quarantine.


Open notepad and copy/paste the text in the code box below into it:
NOTE* Make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code:


File::
C:\WINDOWS\system32\epoPGPsdk.dll
C:\WINDOWS\system32\kjkmp.bak2
C:\WINDOWS\system32\pmkjk.dll

Folder::
C:\WINDOWS\a?sembly
C:\WINDOWS\system32\FNTS~1
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6589FE66-1EB0-426F-8D17-2A71A7DAEA30}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77C19C75-4869-4BA4-BE3C-A9DEA67659B4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C75B9AE-B928-4FDB-6081-0F2024F378EC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B7C4E09A-2775-4EA0-8E1F-EE1D40DF9F8C}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Srro"=-
"Lsywibt"=-

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

Regards Howard :wave: :wave:

This thread is for the use of punjabdapunk only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
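Added example, not part of the original thread and not ComboFix's own code: a pre-flight check for the first-line rule in the post above, which also flags text copied from outside the code box. The function name, the entry patterns and the sample input are assumptions made for illustration.

```python
import re

# "Word::" opens a section. Assumption: only the three sections used in the
# post above (File, Folder, Registry) are checked; this is not ComboFix's grammar.
HEADER = re.compile(r"^([A-Za-z]+)::$")
PATH = re.compile(r"^[A-Za-z]:\\")
REG = re.compile(r'^(\[-?HKEY_[A-Z_]+\\.*\]|"[^"]+"=.*)$')
SHAPES = {"File": PATH, "Folder": PATH, "Registry": REG}

def check_cfscript(text):
    """Return (sections, problems) for the text of a CFScript.txt file."""
    problems = []
    lines = text.splitlines()
    first = lines[0] if lines else ""
    # Rule from the post: File:: on line 1, nothing above or in front of it.
    if first.rstrip() != "File::":
        why = ("blank line above File::" if not first.strip() else
               "space in front of File::" if first.strip() == "File::" else
               "expected File::, found %r" % first)
        problems.append("line 1: " + why)
    sections, name = {}, None
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            name = m.group(1)
            sections.setdefault(name, [])
        elif name is None:
            problems.append("line %d: text before any section: %r" % (n, line))
        elif name in SHAPES and not SHAPES[name].match(line):
            problems.append("line %d: not a %s entry: %r" % (n, name, line))
        else:
            sections[name].append(line)
    return sections, problems

# Constructed sample input (placeholder paths and keys, not from the thread).
GOOD = r"""File::
C:\example\sample.dll
Folder::
C:\example\dir
Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Example\Key]
[HKEY_CURRENT_USER\SOFTWARE\Example\Run]
"ExampleValue"=-
"""
if __name__ == "__main__":
    print(check_cfscript("Code:\n\n" + GOOD + "Save this as CFScript.txt\n")[1])
```

The returned sections also give a plain list of every file, folder and registry entry the script names, which can be read through before the file is dragged onto ComboFix.exe.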
 
Hi Howard,
Thank you for your prompt reply.

I've done as you instructed and attach the logs as requested.

Kind regards
punjabDaPunk
 
All clean.

Delete the following folder.

C:\qoobox

Turn off system restore (XP/ME only). See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

Go HERE, download and install the latest version of Java.

Once it's installed, go to Add/Remove Programs in your Control Panel and uninstall all previous versions of Java, except version 6 update 3. Close Control Panel.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 
It's All Clean

Hi Howard,
It's all clean. Thanks for your clear advice.

Hope you don't mind but I do have a question (the last I promise).

I just want to know how you go about improving your knowledge of viruses, worms, trojans and malware.

Any pointers welcome.



Kind regards
punjabDaPunk
 
That is quite a difficult question to answer.

Experience is the name of the game really.

However, if you're interested in learning how to fight malware, I suggest you consider joining the Malware Removal University.

Regards Howard :)

 
Malware University

Thank you for the good and sound advice (as expected).

Take care
Shazad

This thread is now closed: If you need this thread unlocking, please pm a moderator with a link to the thread.

Only the original thread starter can do this. Anyone else will be ignored.
 