Help remove w32.MyZor.FK

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by timoteo01, Dec 31, 2007.

  1. timoteo01

    timoteo01 Private E-2

    I need help, but I am new to MajorGeek forums. I am using a Dell XPS M140 laptop, use Windows XP, am connected using cable modem through Charter. Today I somehow got a malware that I think is w32.MyZor.FK. It has installed an icon in the tray, takes over IE home page, continuously gives pop-ups telling me to download a spyware, and the PC has also slowed down.

    I followed the steps in the "New Shorter Version of the Read & Run Me First" and also the "Windows XP Cleaning Procedure" but the malware is still there.

    I have attached logs from ComboFix and MGtools. I could not find a log from AVG Antispyware.

    Hope you can help.
    Thanks timoteo01
     
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi and Welcome


    At times the initial cleaning steps will generally remove most if not all malware, but at times you will have some new stubborn malware, as in this one, that needs some manual instructions from our malware experts for you to remove it. From the logs they can do this for you; however, you sadly didn't attach any logs.

    Instructions for Running and Gaining the log from AVG Antispyware

    So when posting again remember to click just below the Quick Reply box Go Advanced > Manage Attachments > Browse and upload the logs, then Post Reply.
     
  3. timoteo01

    timoteo01 Private E-2

    Thanks. Sorry about not attaching the logs - I thought I had done it right, but I guess not. I will try again, and I also ran the AVG Spyware and found the log.
     
  4. abri

    abri MajorGeek

    Hi timoteo!
    Welcome to Major Geeks!


    Please go to Removing Zlob aka SmitFraud, SpySheriff, Infections and follow the instructions for SmitFraudFix. There will be two separate logs and you need to attach the first one to us before you continue to get the second one, otherwise the one will overwrite the other one.

    After you finish the above scan, please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates. The scan is in the MGtools folder under C. The zipped logs can be found directly under C:\



    Let me know how this goes!
    abri
     
  5. timoteo01

    timoteo01 Private E-2

    Hi - Thanks for the help!
    I am not clear on the instructions. I installed SmitfraudFix and completed step 1. The report is attached.

    In order to complete Step 2 the instructions say to close all applications before rebooting in safe mode. After doing this will I still be able to attach the second report to this reply?

    Just in case, I attached the first report.
     
  6. timoteo01

    timoteo01 Private E-2

    I rebooted in Safe mode and ran step 2 of SmitFraudfix. Attached is the log. The icon is no longer in the tray - hopefully everything is fixed!
     
  7. abri

    abri MajorGeek

    Hi timoteo!

    In case you missed my 2nd paragraph in post #4 (second paragraph), please complete those instructions as well so I can check and see if your logs are really free of malware. Sometimes fixing one thing allows something else to be seen, so we like to check them a last time.

    abri
     
  8. timoteo01

    timoteo01 Private E-2

    Abri,
    Sorry I forgot that paragraph. Here it is.
    Timoteo
     
  9. abri

    abri MajorGeek

    Hi timoteo!

    1) Do you know what the following is? I'm looking out for signs of multiple antivirus programs and I'm not sure what this particular ActiveX refers to. Did you install something from Trend Micro?

    O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB

    2) You can disable Teatimer now or come back to this step if the below doesn't work. Teatimer blocks some fixes. To disable Teatimer do the following:
    This can be done two ways.

    First:
    • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
    • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless.
    • If you have Version 1.4, Click on Exit Spybot S&D Resident
    or Second, For Either Version :
    • Open Spybot S&D
    • Click Mode, choose Advanced Mode
    • Go To the bottom of the Vertical Panel on the Left, Click Tools
    • then, also in the left panel, click Resident (shows a red/white shield).
    • If your firewall raises a question, say OK
    • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
    • OK any prompts.
    • Use File, Exit to terminate Spybot
    3) Go to add/remove programs and uninstall the below:

    - J2SE Runtime Environment 5.0 Update 11
    - J2SE Runtime Environment 5.0 Update 7
    - Java 2 Runtime Environment, SE v1.4.2_03
    - Java(TM) 6 Update 2
    - Java(TM) SE Runtime Environment 6 Update 1


    4) We need to stop a service which you don't need:
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Symantec Core LC
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT (it will now be called analyse.exe and you will find it inside the MGTools folder of your root drive), but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste Symantec Core LC into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    Now run HJT/analyse.exe (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    5) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [V0350Mon.exe] C:\WINDOWS\V0350Mon.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    After you click fix, just close hijackthis.


    6) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    7) After completing the above, please run CCleaner in the default setting on the Windows tab as you did when you first went through the READ & RUN ME.


    8) Please run C:\MGTools.exe again (located under C:\ ) and attach a fresh MGlogs.zip. After I check this I'll post our final cleaning instructions to remove all the logs and tools.

    Let me know how things went!

    abri
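    As an added example (not from the thread or from abri), a small Python parser for the HijackThis O4/O16/O23 line formats quoted in this post; the quoted lines are embedded as constructed sample input, and find_entry lets a helper check whether a flagged item (for example the O23 service entry) is still present in a fresh log.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the HijackThis lines quoted in post #9 above.
SAMPLE_HJT_LINES = r"""
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [V0350Mon.exe] C:\WINDOWS\V0350Mon.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
"""

@dataclass
class HjtEntry:
    section: str        # O4 (Run key), O16 (ActiveX/DPF), O23 (service)
    name: str           # Run value name, control name, or service display name
    path: str           # executable or CAB the entry points at
    args: str = ""      # command-line arguments (O4 only)
    hive: str = ""      # HKLM / HKCU (O4 only)
    clsid: str = ""     # control CLSID (O16 only)
    vendor: str = ""    # vendor string (O23 only)

O4_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$')
O16_RE = re.compile(r'^O16 - DPF: (\{[0-9A-F-]+\}) \(([^)]*)\) - (\S+)$')
O23_RE = re.compile(r'^O23 - Service: (.+?) - (.+?) - (.+)$')

def _split_command(cmd: str):
    """Split an O4 command into (path, args), honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")

def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    """Parse one HJT log line; returns None for sections not handled here."""
    line = line.strip()
    if m := O4_RE.match(line):
        path, args = _split_command(m.group(4))
        return HjtEntry("O4", m.group(3), path, args=args, hive=m.group(1))
    if m := O16_RE.match(line):
        return HjtEntry("O16", m.group(2), m.group(3), clsid=m.group(1))
    if m := O23_RE.match(line):
        return HjtEntry("O23", m.group(1), m.group(3), vendor=m.group(2))
    return None

def parse_hjt(text: str) -> List[HjtEntry]:
    return [e for e in (parse_hjt_line(l) for l in text.splitlines()) if e]

def find_entry(entries: List[HjtEntry], section: str, name: str) -> Optional[HjtEntry]:
    """Return the entry with this section and name, or None if it is gone (e.g. after a fix)."""
    return next((e for e in entries if e.section == section and e.name == name), None)
```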
     
  10. timoteo01

    timoteo01 Private E-2

    Hi abri,
    1) I do not know what it is. I think I installed and then uninstalled PC-cillin; could it be related?

    2) I used the second method to disable Teatimer.

    3) Completed.

    4) I completed as instructed, except I typed in Symantec Core LC instead of Copy/Paste.

    5) Completed step 5 except "O23 - Service: Symantec Core LC ............" was not listed.

    6) I ran Disable/Remove Windows Messenger, and selected "Uninstall Windows Messenger"

    7) I ran CCleaner, but I did not use the default settings. I had previously selected all the boxes and don't know how to go back to the defaults. I ran both Cleaner (with all boxes selected) and Registry (with all boxes selected).

    8) Completed and log is attached.

    Thanks
    timoteo
     
  11. abri

    abri MajorGeek

    Well that was brave. Is your computer still alive?

    You can re-enable Spybot's Teatimer by the reverse of the instructions I gave you. If you're not having any further malware symptoms, please do our final clean-up instructions. Before you reset your system restore, allow your computer to boot a few times and use your different programs for a few days to make sure nothing odd resulted from the registry changes made by CCleaner. It's a relatively safe tool, but I wasn't actually thinking of having you run either the registry tab or checking all the boxes in the Windows tab.


    abri
     
  12. timoteo01

    timoteo01 Private E-2

    abri
    I have done everything except setting a clean restore point (Yes the computer is still alive).
    Thanks very much for your help!
     
