Cleaning out an infection; am I done yet? (HJT log)

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by bjornhall, Dec 13, 2005.

  1. bjornhall

    bjornhall Private E-2

    Hi,

    I've been trying to help my wife clean out an infection from her computer. The symptoms were:
    1. Bogus 'windows security center' message popping up: "WARNING: Windows Firewall detected suspicious network activity..." yada yada
    2. SAV finds virus "Download.Trojan" at C:\System Volume Information\...\{random}.exe
    3. Microsoft AntiSpyware finds Trojan.Downloader.Small.popcorn64 and PWS-Pinch

We have gone through the steps in "READ & RUN ME FIRST Before Asking for Support", "Downloading, Installing, and Running HijackThis" and this thread: http://forum.majorgeeks.com/showthread.php?t=76078

The symptoms are gone for the moment, but there are a few lines in the HijackThis log that I can't determine are safe or not; they do look rather suspicious. Perhaps you might have a look at it and see if there is anything in there that still needs fixing?

    Thanks so much for your help! :)

    All the best,
    - Björn
     


  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Before you start this I see you have more than one antivirus, you need to pick one and uninstall the other because running 2 will cause conflicts on your computer.

    After you complete the above, please see the below thread on how to install and run Spy Sweeper.

    Running Spy Sweeper...
     
  3. bjornhall

    bjornhall Private E-2

    Thanks for your help!

    Getting rid of Panda Titanium 2006 Antivirus + Antispyware has turned out to be a problem. Have tried its uninstall feature, add/remove program, in safe mode, after disabling the Win XP firewall, but none of it works. We get the following error messages:
    Error message 1:
    >SetupDLL\SetupDLL.cpp (390)
    pAPP:panda Titanium Antivirus 2006 + Antispyware
    PVENDOR:panda Software
    PGUID:98032D6F-3EE6-4646-B68C-40BF012AC89B
    $11.0.0.28844
    @Windows XP Service Pack 2 (2600) IE 6.0.2900.2180

    Error message 2:
    Setup has experienced an error.

    Please do the following:
    - Close any running programs
    - Empty your temporary folder
    - Check your Internet connection (Internet-based Setups)

    Then try to run the Setup again.

    Error code: -5001

    I have found some manual uninstall instructions in Dutch (which I don't speak), but since it involves a lot of registry hacking for which I can't quite understand the Dutch instructions we're a little reluctant to try it. As for now, we have 'disabled' the Panda stuff by shutting down everything that can be shut down from its own menus, then having MS Antispyware block it from running at startup (had to boot to safe mode to be able to do that). I hope that's good enough to run the Spy Sweeper tests, but if anyone knows how best to get rid of the Panda I am all ears!

    Dutch removal instructions here: http://www.pandasoftware.nl/nl/ret/support/index.asp?ID=208&filter=

    Running Spy Sweeper tests now; will post logs when they're finished!

    Best,
    - Björn
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    For the uninstall problem, download Your Uninstaller! 2006 5.0.0.215 .

Install, run and check PRO MODE, then locate Panda and then uninstall. If you get an error, proceed; it will force the uninstall.
     
  5. bjornhall

    bjornhall Private E-2

    Thanks, will try that method!

    In the meantime, here is the SpySweeper log and the new HJT log.

    Btw, my wife got your note and is quite ok with that; it is really a good policy anyway. She asks me to say thanks too!

    Best,
    - Björn
     


  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

Let me know the results from the uninstall. Also, I see your definitions for SS are outdated. If you can, update these to the latest version, which should be (584), then run another sweep and attach the log.

    Afterwards, please download Blacklight to its own folder...

    F-Secure Blacklight

After download is complete, double click to run the program. Click "Accept" to proceed. Then click SCAN to begin scanning your system.

    Once the scan is complete it will attempt to clean the found infections. There should be a log in the folder that you ran the program from, attach this log to your next post along with a fresh HJT log.
     
  7. bjornhall

    bjornhall Private E-2

    Okies, did what you said; Blacklight didn't find a single item, but spysweeper did.

    (to be continued due to three attachments)
     


  8. bjornhall

    bjornhall Private E-2

    ... and here is the hijackthis log as well. Thank you so much for your time and effort, really appreciate it!

    About uninstalling Panda, is it very important we do that right away? We have tied it up so tightly not even HijackThis seems to see any trace of it... If not, we'd rather do it when we've cleaned out the infections and can enable and use System Restore (has been disabled this whole time) in case we screw up the uninstallation procedure. But if we must do it now, we'll just have to I suppose.

    All the best,
    - Björn
     


  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

If you use System Restore everything we have done will be wasted because you will go back in time. It's best to use the program I requested to remove it; there isn't any way it can go bad.

    After you complete the above...

    Please see the below thread on how to install and run Ewido Security Suite.

    Running Ewido Security Suite ...
     
  10. bjornhall

    bjornhall Private E-2

    Ok, did the uninstall thing without problems; the Your Uninstaller program kicks ass!!!

Will post back here as soon as we've run the new ewido scan (takes 9 hours each time in safe mode, but will get it done asap!).

    Edited to add: In the meantime, MS Antispyware decided to run an autoscheduled scan (ooops...?). It found some remnant of WinFixer (installed and removed that before coming here) and removed it, but nothing else.

    Thanks for your help.

    Best,
    - Björn
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, I love that program!

    I will be awaiting new HJT log with the Ewido log.
     
  12. bjornhall

    bjornhall Private E-2

    Ok, got that done finally. Here is the ewido log and, for good measure, a Spybot log (HJT log to follow).
     


  13. bjornhall

    bjornhall Private E-2

    ... and here is the fresh HJT log. Thanks again for all your help; imagine I thought we were at least almost done when I posted the first log here... :rolleyes:

    All the best,
    - Björn
     


  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Ewido

    Spy Sweeper


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O2 - BHO: (no name) - {348FE907-249E-4C65-A838-F34A193FE1D1} - (no file)

    O4 - HKLM\..\Run: [dmfbb.exe] C:\WINDOWS\system32\dmfbb.exe

    O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\system32\dmfbb.exe

    C:\WINDOWS\SYSTEM32\avldr.dll

    NEXT:
    Run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
    Note: Remember to get all updates before doing the scans.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    After you complete the above, reboot and let me know how things are running.
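The post above asks the user to fix three HijackThis entries and then delete two files "if they should remain". The following is an added example, not code from the thread or from HijackThis: a read-only PowerShell check that reports whether the registry entries behind those O2, O4 and O20 lines and the two files are still present after the fix and reboot. It assumes Windows is installed at C:\WINDOWS as in the posted log, and that it is run from an elevated prompt; the registry locations are the ones HijackThis reads for those entry types. It deletes nothing, so it is safe to run before and after the cleanup to confirm the result.

```powershell
# Added example, not part of the MajorGeeks thread or of HijackThis.
# Read-only check that the items listed in post 14 are gone. Assumes
# Windows lives at C:\WINDOWS (as in the posted log) and an elevated prompt.

# Registry keys and files HijackThis reports as O2 (BHO), O20 (Winlogon Notify)
# and the two file paths from the post. Test-Path works on registry keys and
# files alike; -LiteralPath keeps the braces in the CLSID from being treated
# as wildcards.
$checks = @(
    @{ Kind = 'O2 BHO key';         Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{348FE907-249E-4C65-A838-F34A193FE1D1}' },
    @{ Kind = 'O2 BHO CLSID';       Path = 'HKLM:\SOFTWARE\Classes\CLSID\{348FE907-249E-4C65-A838-F34A193FE1D1}' },
    @{ Kind = 'O20 Winlogon Notify';Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avldr' },
    @{ Kind = 'File';               Path = 'C:\WINDOWS\system32\dmfbb.exe' },
    @{ Kind = 'File';               Path = 'C:\WINDOWS\SYSTEM32\avldr.dll' }
)

$remaining = @()
foreach ($c in $checks) {
    if (Test-Path -LiteralPath $c.Path) {
        $remaining += "$($c.Kind): $($c.Path)"
    }
}

# The O4 line is a *value* named dmfbb.exe under the Run key, not a key of its
# own, so it has to be read with Get-ItemProperty rather than Test-Path.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runVal = Get-ItemProperty -Path $runKey -Name 'dmfbb.exe' -ErrorAction SilentlyContinue
if ($runVal) {
    $remaining += "O4 Run value: dmfbb.exe = $($runVal.'dmfbb.exe')"
}

if ($remaining.Count -eq 0) {
    Write-Output 'All listed items are gone.'
} else {
    Write-Output 'Still present (this script deletes nothing):'
    $remaining | ForEach-Object { Write-Output "  $_" }
}
```

If the script still reports the Run value or the Winlogon Notify key after a reboot, something re-created them, which is the same signal the helper would look for in a fresh HJT log before declaring the machine clean.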
     
  15. bjornhall

    bjornhall Private E-2

    Ok, am back; sorry this is taking so long...

    Completed all the steps in your last post. Ad-aware and Spybot found a couple things and removed them. The computer seems to be running fine at the moment.

    I attach a fresh HJT log.

    Best,
    - Björn
     


  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log is clean, are you having any further problems?
     
  17. bjornhall

    bjornhall Private E-2

    Great! And no, no problems here, everything seems to be running fine.

    Thank you so much for all your help; we would never have gotten all that stuff sorted out on our own! :)

    All the best,
    - Björn & Tia
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

