Malware Removal from Windows XP Home PC

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Dave2U, Dec 27, 2011.

  1. Dave2U

    Dave2U Private E-2

    Dear MG,

    I am attempting to clean up malware on a Dell Dimension 9150 PC running Windows XP Home Edition SP3. The system had Avast antivirus installed but the Avast service had been stopped and would not restart. Although the Avast interface would launch, there was no response when any buttons were clicked.

I have carefully reviewed and followed the instructions provided in this forum. I removed the following unused applications in the control panel - including AOL Version 9, Avast Antivirus, Google Chrome, "Classic Phone Tools", "Digital Line Detect", Learn2 Player and "MyWay Search Assistant". Mozilla Firefox was also removed and is to be reinstalled later after the system has been disinfected.

    I downloaded, installed and ran Microsoft Security Essentials - which found one infected file. I noticed that during my ComboFix scan, despite having temporarily disabled Microsoft Security Essentials and Windows Firewall, it reported that McAfee Antivirus scanning was still enabled. McAfee was not among the applications in the Add/Remove Programs part of the Control Panel - and is therefore likely installed in some kind of stealth mode. I'm also unable to open the Windows Update "Check for Updates" page.

    The scans found 8 or 9 infected files and over 500 tracking cookies. However, RootRepeal found no evidence of Rootkits. Since I am unfamiliar with interpretation of the logs (see attached), I would like your assistance in confirming the logs show the system has been successfully cleaned and there is no further evidence of infection from malware on the system.

    Thanks in advance.
     

    Attached Files:

    Last edited: Dec 27, 2011
  2. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, Dave2U!

    Your logs are clean of malware. However, if you wanted to tidy up a bit and remove the remaining traces of McAfee from the Security Center cache, see the below:
    These fixes are optional as they are not malware related.

    From Add/Remove Programs (via Control Panel), please uninstall the below:
    • Viewpoint Media Player <-- Should have been uninstalled earlier
    • RealPlayer Basic <-- Is this functioning? The below service is associated with it and appears to have an invalid ImagePath
    Code:
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASCTRM]
    "ImagePath"="\??\c:\windows\system32"
    Please download Disable/Remove Windows Messenger by Doug Knox to your desktop.
    • Double-click MessengerDisable.exe to run it.
    • Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
    • Click Apply
    • Click Exit

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    DDS::
    uInternet Settings,ProxyOverride = 127.0.0.1
    Folder::
    C:\Documents and Settings\alan madge\Local Settings\Application Data\{7148F0A6-6813-11D6-A77B-00B0D0142030}
    C:\WINDOWS\system32\config\systemprofile\Application Data\McAfee.com Personal Firewall
    C:\WINDOWS\system32\config\systemprofile\Application Data\You've Got Pictures Screensaver
    SecCenter::
    AV: McAfee VirusScan *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW:  *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    Now install the current version of Sun Java from: jre-7u2-windows-i586.exe

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
  3. thisisu

    thisisu Malware Consultant

    Which browser are you attempting to do this from?
     
  4. Dave2U

    Dave2U Private E-2

    Dear ThisIsU,

    Thank you for your assistance.:)

    I successfully removed the ViewPoint Media Player and RealPlayer Basic in the Add/Remove Programs section of the Control Panel. I then successfully followed Doug Knox's instructions to Disable/Remove Windows Messenger.

    I then ran ComboFix for a second time after inserting the script provided. After that I updated Oracle/Sun Java to the latest version (7u2). Finally, I ran MGTools.exe.

    ComboFix and MGTools logs are attached for your review. After rebooting, I noticed that the Windows Update icon appeared in the notification tray on the Task Bar. I installed the 6 updates listed as ready for installation.

    After rebooting the system, I was able to manually go to Windows Update and download and install numerous updates without any difficulty. I did notice that Windows Genuine Validation needed to be (re-)installed, but other than that, it was smooth sailing with Microsoft updates for Windows XP SP3, Office 2003 SP3 and other Microsoft products.

    The primary user had been using Mozilla Firefox and I will be recommending the user stay with Internet Explorer 8 since it is now stable, secure and automatically updated.

    Once again, thank you for your invaluable assistance in disinfecting this system!
     

    Attached Files:

  5. thisisu

    thisisu Malware Consultant

    You are very welcome :)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:

    Take care and be safe! :)
     
  6. Dave2U

    Dave2U Private E-2

    Dear ThisIsU,

    Following your clean-up instructions, we were just preparing to return the PC to its owner when I noticed that the Microsoft Security Essentials icon was not present in the notification area.

    Checking the Add/Remove programs section of the Control Panel, I see that it indicates MS Security Essentials was last used on Dec 26. Since the system has been on since this software was installed, this would seem to indicate that MS Security Essentials has been disabled and is not receiving updates even though the updates tab on the GUI tells me that definitions were created on Dec 27 at 8:03PM and they were last checked on Dec 28 at 2:33AM.

    Virus definition version: 1.117.1842.0
    Spyware definition version: 1.117.1842.0
    are also shown as being installed on the Update Tab for the MS Security Essentials GUI.

    My laptop also runs MS Security Essentials and has definitions from version 1.117.1864.0 installed.

    This leads me to believe that there may be malware still present on this system. I have just run SUPERAntiSpyware and Malwarebytes scans and have uploaded the scan logs for your review. Please let me know what next steps you wish me to undertake to get to the bottom of this issue.

    Best regards,
    Dave2U
     

    Attached Files:

  7. thisisu

    thisisu Malware Consultant

    1. Uninstall MSE using Revo Uninstaller.
    2. Reboot
    3. Now download MSE from here
      • Choose Windows XP 32-Bit
     
  8. Dave2U

    Dave2U Private E-2

    Dear ThisIsU,

    I have followed your procedure to remove MS Security Essentials using REVO uninstaller and reinstall the application from your download location. After doing so, the MS Security Essentials icon was restored to the notification area last night.

    However, I noticed today that the MSE icon was once again missing from the notification area. I updated SUPERAntiSpyware and Malwarebytes and ran complete scans this evening. These logs are attached for your review.

    I still feel there is some residual malware on the system affecting MSE (at the least) and other applications and data at the worst.

    Best regards,
    Dave2U
     

    Attached Files:

  9. thisisu

    thisisu Malware Consultant

    These logs are clean. I do not think this is a malware problem.

    Question: What are the power settings on this computer?
    • Is the hard drive set to turn off automatically after XX minutes/hours?
    • Is the PC set to go into Hibernation mode after XX minutes/hours?
    • Is the PC set to go into Sleep mode after XX minutes/hours?

    You may try turning each of these off and see if the MSE still disappears.
    Also, can you double-click the MSE icon on the desktop to get it to show in the system tray again?
     
