Help removing Malware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by KenB2014, Jan 29, 2006.

  1. KenB2014

    KenB2014 Private First Class

    My son's computer was a real mess. I've made some good progress following your guides and now hope to finish the job with your advice.
    This computer runs WinXP SP2 with all updates

    I ran VundoFix.exe to remove vturq.dll and mljjj.dll, etc.
    I've followed all the steps in "Read & Run Me First" and read the other guides.
    I've attached vundofix.txt, bdscan1.txt, Activescan.txt, and hijackthis.log

    Thanks for the help.
    Ken
     
    Last edited: Mar 10, 2007
  2. KenB2014

    KenB2014 Private First Class

    Thanks for the reply.

    Dace & Purityscan are not in Add/Remove Programs.

    I deleted the "C:\program files\dace" folder and contents after ending the sndd.exe process.

    I ran Spy Sweeper and Ewido and removed all they found.

    Files are attached for these two and the new Hijackthis log.

    Thanks
    Ken
     
    Last edited: Mar 10, 2007
  3. KenB2014

    KenB2014 Private First Class

    OK,

    I followed the instructions in the tutorial:

    Hijackthis did not have any of the lines listed.
    Control panel...web did not contain any of the items listed.
    None of the listed files or folders existed.

    I've attached the requested files.
    Thanks
     
    Last edited: Mar 10, 2007
  4. KenB2014

    KenB2014 Private First Class

    Weatherbug was not in add/remove programs.

    Found and removed the lines indicated with HJT.

    Booted in safe mode:
    Couldn't delete paytime.exe or tool2.exe. Says "It is being used by another person or program."
    Deleted "Winconfig" folder.
    "dace" folder was previously deleted at some point.
    Deleted "AWS"

    I stopped at that point until I get further instructions on how to delete paytime and tool2.

    I noticed there are also files tool1.exe, tool3.exe, tool4.exe, tool5.exe and toolbar.exe in C:\Windows. Are these any problem?

    Thanks
     
  5. KenB2014

    KenB2014 Private First Class

    ISTBar was not in add/remove programs

    WinPfind file attached.
     
    Last edited: Mar 10, 2007
  6. KenB2014

    KenB2014 Private First Class

    I followed your steps exactly including shutting down all that I could in the system tray. The target files didn't appear in either the winlogin or explorer threads. I restarted and this time didn't shutdown anything in the system tray, but still nothing there.

    I've attached jpgs of the screenshots of the threads.

    On hold for now awaiting further instructions :)
     
    Last edited: Mar 10, 2007
  7. KenB2014

    KenB2014 Private First Class

    Killbox complete and all tool*.exe files are gone after reboot.

    HJT log attached
     
    Last edited: Mar 10, 2007
  8. KenB2014

    KenB2014 Private First Class

    My son no longer uses comcast since he's moved from that area. I'm not sure about the first entry for that reason.

    What is the impact of proxyoverride = cdn ?

    Should I remove any lines from HJT containing comcast?

    Thanks
     
  9. KenB2014

    KenB2014 Private First Class

    Ok. Sorry for the delay. I removed the four lines from yesterday's instructions and decided to rerun all of the steps from the beginning today just for the heck of it. We still had a few things that we hadn't removed yet.

    I deleted the paytime.exe file from yesterday with killbox.

    I followed Read and Run Me First:
    All scans in safe mode = clean.
    Bitdefender = clean

    Panda Activescan = detects cws.searchmeup(kl.exe) and virtumonde. I tried running cwshredder again and it doesn't see cws. I followed the procedure for Vundofix and it says clean. Also, I remove the Tribalfusion cookie repeatedly and it reappears. Is that just a common cookie found when surfing? The Panda Activescan report is attached.

    The Hijackthis log is attached. I noticed these lines for the scanners. Should I change any settings for these programs or uninstall them when finished?
    -Spy Sweeper is installed, but not selected to start with windows...why is WRSSSDK.exe running?
    -09 Extra Button for bdoscandel.exe
    -09 Extra Tools for Uninstall Bitdefender Online Scanner
    -016 DPF BDSCANONLINE Control
    -023 Service for Spy Sweeper\WRSSSDK

    Once I hear from you, I will complete any further steps if required, and then follow the guide on protecting the computer from malware.

    I appreciate the excellent help for this problem. I've learned a lot and enjoyed the process...most of the time :). I have four more computers that are behaving well, but I know they too need to be scanned and cleaned up. Now I have a handle on how to get started. I came to the right place!
     
    Last edited: Mar 10, 2007
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You could try looking for and deleting the below registry keys if they exist. You're correct about Panda. They are a real PITA reporting the registry stuff without saying what/where.

    HKEY_CURRENT_USER\Software\Microsoft\WindowsUpd
    HKEY_CURRENT_USER\Software\Microsoft\SysUpd
     
  11. KenB2014

    KenB2014 Private First Class

    Just curious about Spy Sweeper (WRSSSDK.exe). I have "Load at Windows Startup" unchecked and it is not running in the System Tray, yet it is running as a service called "Webroot Spy Service Engine." When this program installs, does it install the service and the user has no control over that from the options within the program? Is the program actually performing a function if it is not in the startup items, but runs the engine as a service?

    I booted to safe mode, but needed killbox to delete kl.exe

    The two registry keys are not present in the registry.
     
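The following is an added example from the editor, not a script posted in this thread or supplied by MajorGeeks. It does two things the last two posts touch on: it tests for the two HKEY_CURRENT_USER keys chaslang named (exporting a backup and running the deletion with -WhatIf first, so nothing is removed until the switch is dropped), and it contrasts the Run-key startup entries a user controls from a program's options with services, which the Service Control Manager starts on its own; that difference is why an engine such as WRSSSDK.exe can be running as a service while "Load at Windows Startup" is unchecked. The backup file path and the use of the string "WRSSSDK" to match the service are assumptions; the key names come from the thread.

```powershell
# Editor-added example (not from the thread). Run from an elevated PowerShell
# prompt on the affected machine. Uses Get-WmiObject so it works on the
# PowerShell versions available for Windows XP.

# The two keys named in the thread; delete only if they exist.
$keys = @(
    'HKCU:\Software\Microsoft\WindowsUpd',
    'HKCU:\Software\Microsoft\SysUpd'
)

foreach ($key in $keys) {
    if (Test-Path -LiteralPath $key) {
        Write-Host "Found: $key"
        # Export the key first so the change can be reversed (backup path is an assumption).
        $regName = $key -replace '^HKCU:', 'HKEY_CURRENT_USER'
        $backup  = Join-Path $env:USERPROFILE ('regbackup_' + ($key -replace '[\\:]', '_') + '.reg')
        reg export $regName $backup /y | Out-Null
        # -WhatIf only reports what would be removed; drop it to really delete.
        Remove-Item -LiteralPath $key -Recurse -WhatIf
    } else {
        Write-Host "Not present: $key"
    }
}

# Startup entries that a program's "load at startup" option normally adds or removes.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($rk in $runKeys) {
    if (Test-Path -LiteralPath $rk) {
        Write-Host "`nRun entries under $rk"
        Get-ItemProperty -LiteralPath $rk |
            Select-Object -Property * -ExcludeProperty PS* |
            Format-List
    }
}

# Services start independently of the Run keys. Matching on the executable
# name from the HJT log ("WRSSSDK") is an assumption about the service's path.
Write-Host "`nServices whose image path contains WRSSSDK"
Get-WmiObject -Class Win32_Service |
    Where-Object { $_.PathName -like '*WRSSSDK*' } |
    Select-Object Name, DisplayName, State, StartMode, PathName |
    Format-List
```

If the service block lists StartMode "Auto" with State "Running", the engine is being launched by the service control manager rather than by a startup entry, which is the situation described in the post above; changing it means adjusting the service's start type (or uninstalling the product), not the program's startup checkbox.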
  12. KenB2014

    KenB2014 Private First Class

    Any further thoughts on Virtumondo? Would it be worth paying the $8.95 for 6 months of Panda Activescan Pro to clean out what it finds? I do have other computers that I am going to clean up.
    ---------------------------------------
    I'm following the steps in "How to protect yourself from malware," and have a few questions:

    I run Norton Systemworks which I know is a systems hog. Do you recommend moving to other programs to accomplish the tasks that Systemworks covers? If so, what programs do you recommend? I don't have a problem with moving to other products that provide a better solution.

    I use Zone Alarm Pro with the anti-spyware and Email protection on. Any thoughts?

    If this were your computer, which anti-spyware programs would you have running for protection? Which would you use to scan periodically?
     
  13. KenB2014

    KenB2014 Private First Class

    Kevin,
    Thank you for all your help. This computer runs great and I've followed all the steps for protection including Foxfire. I appreciate all your time and quick responses as you walked me through this process. It was actually fun, in a masochistic sort of way. :)

    I saved all the programs used to a CD, so that I can easily install and check my other computers. One down and four to go. Although the others are not behaving badly, I know it's in there.

    Ken
     
