Leftover Adware/Malware

Sophos Anti-Rootkit will scan your computer for files that have been hidden using rootkit technology.

Many of the newer malware infections use this technology to hide themselves and to make them more difficult to remove.

Installation

Download Sophos Anti-Rootkit 1.1 and save to a location you will be able to find such as your desktop

Run sarsfx.exe by double clicking on it.

Click Accept to agree to the EULA

Click Install (if you wish to change the default installation location do so here but remember where you install to, the default is C:\SOPHTEMP)

Once it finishes copying files, exit the installer​

Running the scan

Navigate to the location that you installed the software to (Default: C:\SOPHTEMP)

Run sargui.exe by double clicking on it.

Ensure that all three of the options are checked

Click Start Scan

Once the scan is complete, close Sophos Anti-Rootkit by closing the scan window and clicking Exit in the main window

DO NOT CLICK 'CLEAN UP CHECKED ITEMS' OR ATTEMPT TO HAVE SOPHOS ANTI-ROOTKIT FIX ANYTHING UNLESS SPECIFICALLY INSTRUCTED TO IN THE THREAD YOU ARE WORKING ON​

Finding the logsClick on Start --> Run

Type in %TEMP%\sarscan.log and press enter

The log file will open in the default editor (probably Notepad)

Click File --> Save As and save the file to your desktop or other location for easy retrieval.

Attach the log on your next post.

 

Let's try this:
Virtumonde aka Trojan Vundo Removal

Please download VundoFix.exe to your desktop.

• Double-click VundoFix.exe to run it.
• Click the Scan for Vundo button.
• Once it's done scanning, click the Remove Vundo button.
• You will receive a prompt asking if you want to remove the files, click YES
• Once you click yes, your desktop will go blank as it starts removing Vundo.
• When completed, it will prompt that it will reboot your computer, click OK.
• Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the
Scan for Vundo button." when VundoFix appears at reboot.

Attach new logs for:
GetRun
ShowNew
HJT

 

Please print these instructions or save to your desktop.

Continue by downloading a tool we will need - Pocket KillBox

Save it to its own folder somewhere that you will be able to locate it later.

Goto Add/Remove progams and uninstall the below.
Viewpoint Manager (Remove Only)
Viewpoint Media Player

If they are not found or will not uninstall, make sure to tell me!


Now Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\gngyo.exe
F2 - REG:system.ini:UserInit=C:\WINDOWS\system32\userinit.exe,qjndydg.exe,ddjfihw.exe
O4 - HKLM\..\Run: [w00a1ed2.dll] RUNDLL32.EXE w00a1ed2.dll,I2 0001a4ba000a1ed2
O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513 G
O4 - HKLM\..\Run: [Oecfdb] C:\Program Files\Rtai\Iwwpnc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [kqpyvioA] C:\WINDOWS\kqpyvioA.exe
O4 - HKLM\..\Run: [bppoxa] C:\WINDOWS\system32\bxlwxc.exe reg_run
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\wqpns.dll


Now run Pocket Killbox by doubleclicking on killbox.exe
Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
Then after it deletes the files click the Exit (Save Settings) button.
NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

Select:

* Delete on Reboot
* then Click on the All Files button.
* Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

* Return to Killbox, go to the File menu, and choose Paste from Clipboard.
* Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

If Killbox does not reboot just reboot your PC yourself.

Now attach the below new logs and tell me how the above steps went.

1. GetRunKey
2. ShowNew
3. HJT

 

Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Now do the next post.

 

Now

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Attach this log to your next reply

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


Now run this Virtumonde aka Trojan Vundo Removal

Now attach the below logs and tell me how the above steps went.

1. Combofix log
2. VundoFix log
3. new GetRunKey log
4. new ShowNew log
5. new HJT

 

If you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
* Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
5. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
8. If you are running Windows XP or Windows ME, do the below:
* go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
* Then reboot and Enable System Restore to create a new clean Restore Point.
9. After doing the above, you should work thru the below link:
* How to Protect yourself from malware!

 

A couple things remain to be fixed! You may have missed the editing change to the registry patch.

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Also uninstall the below old versions of software:
J2SE Runtime Environment 5.0 Update 2

Also uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders left behind by the uninstall:
C:\Documents and Settings\Morgan\Local Settings\Application Data\Sunbelt Software
C:\Program Files\Sunbelt Software

Also if the below is still in your HJT log, fix it! This is from the old Sun Java version!
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe


Attach a new log from GetRunKey so we can be sure that malware item is gone.

 

I'm not sure what you did or where you have been surfing, but I see you immediately started using MSconfig again to disable startups. This is bad practice since it is not what MSconfig was designed form. If you don't need software, then uninstall it. If you never need it to load at startup then change the configuration of the program not to load at startup. If it does not give you that option and you don't ever need it, then permanently remove it from the startup list with HJT. If you need it to load sometimes but not all the time, first check the programs options and then if the necessary, use a real startup manager program like Startup CPL
Why did you stop your antivirus program from loading at startup?????

But don't do any of the above yet. See below because you have Malware again.

But the bigger problem is that your log shows that you have infections again. Also you have changed your ability to see hidden files back to more like defaults. You need to do the below:

1. Disable MSconfig as requested in the READ ME (i.e., select Normal Startup)
2. redo step 2 of the READ ME. Make sure you do all steps exactly this time since last time TimW had to give you a registry patch to correct that fact that you did not do step 2.
3. Attach new logs from
   • GetRunKey
   • ShowNew
   • HijackThis

I have to wonder if this log is even from the same PC because things look so different????

 

Not true. You have the actual antivirus program disable. vptray is an unnnecessary startup just to make Symantec appear in the tray for easy access.

You have the below in MSconfig

ccapp.exe is a process belonging to Norton AntiVirus. It is responsible for the auto-protect and email checking facilities, both of which will not function correctly if this service is stopped.


And yes you were previously clean but not anymore. At least not completely. It should not be necessary to stop all those items from loading to begin with. First you should just uninstall unnecessary software. Then you should configure the programs that you don't need to load but still need the software on the PC, not to load at startup. Anything you don't need to load at all should be permanently removed. MSconfig should not be used like this. It is a temporary debugging tool only.