Some Malware found

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by KenB2014, Sep 5, 2007.

  1. KenB2014

    KenB2014 Private First Class

    I completed "Read and Run Me First" and the resulting files are attached. The computer was running very slowly, with some lockups.

    Thanks
     


  2. KenB2014

    KenB2014 Private First Class

    Some Malware found-part 2

    additional attachments
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As stated in the READ ME, slow PCs are not always due to malware. And the same is true of lockups. Both of these appear to be true for you. I will give you a few things to try but you don't have malware problems. After trying these things if you still have problems you will have to discuss them in the Software or Hardware Forum.


    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to ewido security suite control
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Now repeat the above to Stop and Disable the below two Services (if you do not find them or get any errors, just continue):
      • Webroot Spy Sweeper Engine
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste ewido security suite control into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now repeat the above to delete the below two Services (if you do not find them or get any errors, just continue):
      • svcWRSSSDK
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down.

    Uninstall the below software:
    J2SE Runtime Environment 5.0 Update 6 <-- old version & you have the new version already
    Microsoft AntiSpyware <-- this was discontinued by Microsoft a long time ago
    Mozilla Firefox (1.5.0.12) <-- old version
    Sunbelt CounterSpy <-- we are finished with this trial now
    Viewpoint Media Player <-- should have been uninstalled in step 0 of the READ ME

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Then install the current version of FireFox from: Mozilla Firefox

    Now delete the below folders which might be left behind by the uninstall:
    C:\Documents and Settings\Ryan\Application Data\Sunbelt Software
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    D:\Program Files\Sunbelt Software


    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

    After clicking Fix, exit HJT.

    Now reboot in normal mode

    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    Now attach a new log from HJT.

    Make sure you tell me how things are working now!
     
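The manual cleanup chaslang lays out above (stop and disable the leftover security-suite services, delete them as NT services, fix the O4 Run entries and the O20 Winlogon Notify package, then remove folders the uninstallers left behind) can be done from one script. The block below is an added example, not code from the thread or from MajorGeeks. It takes the service names, registry values and folder paths from the post; everything else (the `$Apply` switch, the use of `sc.exe delete` in place of HJT's "Delete an NT Service", Windows PowerShell 3.0 or later for `Get-CimInstance`, and an elevated prompt) is an assumption. The `Winlogon\Notify` key only exists on Windows 2000/XP, the era of the machine in this thread; on later Windows the key is absent and the script simply skips that step.

```powershell
# Added example (not from the thread). Mirrors the manual steps in the post:
# services.msc Stop + Disabled, HJT "Delete an NT Service", the O4/O20 HJT fixes,
# and the leftover-folder deletion. Names and paths are the ones in the post;
# everything else is assumed. Run from an elevated PowerShell prompt.
$Apply = $false   # $false only reports what would change; set $true to apply

# 1. Services: stop, set Start-up Type to Disabled, then delete the service entry.
#    services.msc shows display names; sc.exe needs the service (key) name, so
#    match on either.
$services = @('ewido security suite control', 'Webroot Spy Sweeper Engine', 'svcWRSSSDK')
foreach ($name in $services) {
    $svc = Get-Service | Where-Object { $_.Name -eq $name -or $_.DisplayName -eq $name }
    if (-not $svc) { Write-Host "Service '$name' not found, skipping"; continue }
    foreach ($s in $svc) {
        # Record the binary the service points to so the file can be checked after reboot.
        $cim = Get-CimInstance Win32_Service -Filter "Name='$($s.Name)'"
        Write-Host "Service $($s.Name) [$($s.Status)] -> $($cim.PathName)"
        if ($Apply) {
            Stop-Service -Name $s.Name -Force -ErrorAction SilentlyContinue
            Set-Service  -Name $s.Name -StartupType Disabled
            sc.exe delete "$($s.Name)" | Out-Null   # removed for good at next reboot
        } else {
            Write-Host "  (would stop, disable and delete)"
        }
    }
}

# 2. O4 entries: values under HKLM\...\Run plus one Global Startup shortcut.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($value in @('QuickTime Task', 'SunJavaUpdateSched')) {
    $existing = Get-ItemProperty -Path $runKey -Name $value -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "Run value '$value' -> $($existing.$value)"
        Remove-ItemProperty -Path $runKey -Name $value -WhatIf:(-not $Apply)
    }
}
$startup = [Environment]::GetFolderPath('CommonStartup')   # All Users ... Startup folder
$lnk = Join-Path $startup 'Microsoft Office.lnk'
if (Test-Path -LiteralPath $lnk) { Remove-Item -LiteralPath $lnk -WhatIf:(-not $Apply) }

# 3. O20 Winlogon Notify: a DLL winlogon loads at logon. Deleting the subkey
#    unregisters it; note DLLName so the file itself can be dealt with after reboot.
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier'
if (Test-Path $notify) {
    $dll = (Get-ItemProperty -Path $notify).DLLName
    Write-Host "Winlogon Notify package WRNotifier -> $dll"
    Remove-Item -Path $notify -Recurse -WhatIf:(-not $Apply)
}

# 4. Folders the uninstallers may have left behind (paths as listed in the post).
$leftovers = @(
    'C:\Documents and Settings\Ryan\Application Data\Sunbelt Software',
    'C:\Documents and Settings\All Users\Application Data\Sunbelt Software',
    'D:\Program Files\Sunbelt Software'
)
foreach ($dir in $leftovers) {
    if (Test-Path -LiteralPath $dir) {
        Remove-Item -LiteralPath $dir -Recurse -Force -WhatIf:(-not $Apply)
    }
}

# 5. Verify: what still autostarts from the Run key and Winlogon\Notify.
Write-Host "`nRemaining HKLM Run values:"
Get-ItemProperty -Path $runKey | Select-Object -Property * -ExcludeProperty PS*
Write-Host "`nRemaining Winlogon Notify packages:"
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify' -ErrorAction SilentlyContinue |
    ForEach-Object { [pscustomobject]@{ Package = $_.PSChildName; DLL = $_.GetValue('DLLName') } }
```

Run it once with `$Apply = $false` and read the report, particularly the service binary paths and the Notify DLL, before flipping the switch; as in the post, reboot afterwards, since a deleted service and a Winlogon Notify DLL stay loaded until then.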
  4. KenB2014

    KenB2014 Private First Class

    Thanks for the reply.

    I did run the "Basic Computer Maintenance..." items before starting the "Read and Run Me First" steps. That did clean up many of the problems, but I figured it was prudent to follow the Malware search and removal steps while working on these other issues.

    Sorry I missed the Viewpoint Media Player in the list for removal. I did remove numerous programs, but overlooked that one.

    When I ran Spybot S&D, it found and removed a Virtumonde entry. Subsequently, I ran the VundoFix.exe program and it found nothing remaining.

    I completed all the steps as you directed, with the exception of reinstalling Firefox. We did remove the old version, but are discussing whether to use the latest IE vs. Firefox. If we go with Firefox, I will reinstall it.

    The new HJT log is attached. The computer seems to be running well now. Thank you again for all the help.
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Some Malware found-part 2

    You're welcome. You now need to complete our final steps and make sure you get an antivirus program installed from the list of recommended tools.

    It is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, and the C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    10. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
     
  6. KenB2014

    KenB2014 Private First Class

    I forgot to mention that I got rid of Norton Systemworks as part of the cleanup process, which means that now all of my family computers are less bloated. I hadn't installed the antivirus yet at the last scan that you saw.

    I completed the final steps as you directed, and also ran the "How to Protect..." steps.

    I now have installed:
    Avast
    Zone Alarm Pro
    CCleaner
    a squared
    Comodo BOClean
    Spybot
    SpyWare Blaster

    Thanks again. I really appreciate what you all do.
    Ken
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
  8. KenB2014

    KenB2014 Private First Class

    One more item that I just found...

    I ran the scan with a squared and it identified GameSpy Arcade as a threat. I don't see it listed as a problem program in your list. The author defends it as simply displaying ads, but states that it is not adware or spyware and that they are working with Norton and others to not identify it as such.

    Is it a problem or should I ignore the a squared find?
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's up to you. Many tools detect it simply due to it being adware and because it has been known to install other software. Adware is considered to be part of the generic category covered by malware. If you don't mind the adware and popups and the fact that it could install other software then keep it. The author is not going to get it delisted if it is still adware. But you can look at it this way, it is not what I would consider destructive malware.
     
  10. KenB2014

    KenB2014 Private First Class

    This is my adult son's computer and he does use GameSpy for online gaming. With all the detection and protection programs installed, we will leave GameSpy installed and just keep an eye on things.
    Thanks.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!
     
