removing Security 7.1 toolbar

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Lynn Kerber, Nov 8, 2007.

  1. Lynn Kerber

    Lynn Kerber Private E-2

    I have been having problems removing the SECURITY 7.1 Toolbar stuff. I have been following the instructions in the same problem with Goldbug.

    I have attached the combo fix log in this post

    I have also attached the log from SMITFRAUD option 1 in this post

    I am working on step 2 of the SMITFRAUD instructions now
     

    Attached Files:

  2. Lynn Kerber

    Lynn Kerber Private E-2

    Second half of the SMITFRAUD run, option 2 CLEAN log

    I am having trouble rebooting in safe mode with networking now for some reason. I am going to post this log and then try it again. Waiting for advice.

    thanks in advance
     

    Attached Files:

  3. Lynn Kerber

    Lynn Kerber Private E-2

    ShowNew logs, GetRunKey log and HJT log.

    thanks again for your help
     

    Attached Files:

  4. Lynn Kerber

    Lynn Kerber Private E-2

    Re: removing Security 7.1 toolbar - solved

    Using the various tools on the site and info from similar problems in other posts, it appears I have kicked this bad boy off my machine, hopefully for good. :D Since it is Friday... time to :drink

    Thanks for all the info on this site, once again it is a lifesaver. I have used it many times, w/o posting to fix issues.

    thanks and a big :highfive to all involved
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please use add/remove programs to uninstall:
    Java 2 Runtime Environment, SE v1.4.2_13
    Java(TM) SE Runtime Environment 6 Update 1

    Reboot and install:
    Java Runtime 6

    Find and delete:
    C:\Documents and Settings\Administrator\Desktop\Live Safety Center.lnk
    C:\Documents and Settings\Administrator\Desktop\Online Security Guide.lnk

    C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
    C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk


    This is not what we want:
    C:\HJT\HijackThis.exe ---> C:\HJT\analyse,exe
    Please rename it as instructed!

    You did not run either AVG_anti-spyware nor BitDefender ...please do so.

    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking fix, exit HJT.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Attach new logs for:
    AVG-Antispyware
    BitDefender
    ShowNew
    GetRunKeys
    HJT
    Avenger
     
  6. Lynn Kerber

    Lynn Kerber Private E-2

    I will get on this, and get back with you as soon as I can.

    thanks
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Attach the files when you are ready. :)
     
  8. Lynn Kerber

    Lynn Kerber Private E-2

    Logs posted- finally. Here are the first three.

    I apologize for not hitting all the steps, must have had a brain cramp. Sorry :eek:

    This post has AVG-Antispyware report
    BitDefender
    Show new,

    other will follow

    thanks again
     

    Attached Files:

  9. Lynn Kerber

    Lynn Kerber Private E-2

    Here are the next three,

    Get Run Keys
    Hijack this, done correctly this time
    Avenger


    thanks in advance
     

    Attached Files:

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    There are still a few things that need attention.
    Please Download this file to your desktop - Combofix.exe
    Double click combofix.exe & follow the prompts.
    When finished, it will produce a log for you. Attach this log to your next reply

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Then attach new logs for:
    ShowNew
    GetRunKeys
    HJT
    ComboFix
     
  11. Lynn Kerber

    Lynn Kerber Private E-2

    Here are the new logs for combo fix, newfiles, get run key,
    I will post hijack on next post

    Again many thanks
     

    Attached Files:

  12. Lynn Kerber

    Lynn Kerber Private E-2

    HijackThis log.


    thanks a million
     

    Attached Files:

  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Make sure you have disabled all of your security programs while we do the following:

    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking fix, exit HJT.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:
    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Attach new logs for:
    ShowNew
    GetRunKeys
    HJT
    Avenger
     
  14. Lynn Kerber

    Lynn Kerber Private E-2

    This thing is a real pain... It keeps coming back.

    Here are the new logs.
     

    Attached Files:

  15. Lynn Kerber

    Lynn Kerber Private E-2

    Here is the Hijack this log

    I can only find Symantec Firewall and the Avenger trial running, I am guessing the Symantec firewall has some type of antivirus as well. Just guessing.

    thanks again
     

    Attached Files:

  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You have Symantec client software which bundles anti-virus and your firewall ---> it should be in your system tray (right click the icon and choose disable). It needs to be disabled until the following is completed.

    Please re-run ComboFix.....

    Now run this Virtumonde aka Trojan Vundo Removal

    * Double-click VundoFix.exe to run it.
    * When VundoFix opens, click the Scan for Vundo button.
    * Once it's done scanning, click the Remove Vundo button.
    * You will receive a prompt asking if you want to remove the files, click YES
    * Once you click yes, your desktop will go blank as it starts removing Vundo.
    * When completed, it will prompt that it will reboot your computer, click OK.
    * Please post the contents of C:\vundofix.txt and a new HiJackThis log.

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot; simply follow the above instructions, starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

    After rebooting...
    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking fix, exit HJT.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:
    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Attach new logs for:
    ShowNew
    GetRunKeys
    HJT
    Avenger
    ComboFix
    VundoFix
     
  17. Lynn Kerber

    Lynn Kerber Private E-2

    Just want to make sure I understand the process.

    Should I have the Client Security disabled for every process and should I post all of the logs after completion of all the steps...

    thanks
     
  18. Lynn Kerber

    Lynn Kerber Private E-2

    All right - Here we go (again) more logs...

    Combo Fix, Vundo fix, Avenger...

    more to follow
     

    Attached Files:

  19. Lynn Kerber

    Lynn Kerber Private E-2

    Here are the final three..

    New files, Get run keys, Hijack this.

    To my "untrained" eye, the hijack this log looks much better.

    One question - once this is back to normal, the Symantec Security Firewall is all I need to run, I can stop the Avenger Anti-Virus Is this true?

    PS - I am now going to use Firefox as well, not sure if that will help or not.

    thanks in advance
     

    Attached Files:

  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    This is what is running and needs to remain running:
    Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe

    Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

    See if these still exist and if so, delete them:
    C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
    C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk

    Your logs look clean. You may uninstall any programs we had you download (including CounterSpy, etc).

    If you are not having any other malware problems, it is time to do our final steps:

    1. If we used Pocket Killbox during your cleanup, do the below
    * Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    8. If you are running Windows XP or Windows ME, do the below:
    * go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
    * How to Protect yourself from malware!
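    A post-cleanup check for the final steps above, written as an added example (it is not TimW's or MajorGeeks' tooling). It assumes the Administrator profile paths used in this thread and that the cleanup tools were saved to that desktop:

```powershell
# Added example: verify the state TimW describes after cleanup (not from the thread).
# Assumption: the tools were saved to the Administrator desktop named in this thread.
$Desktop = "C:\Documents and Settings\Administrator\Desktop"

# Security software that must remain running (process names from TimW's list).
$mustRun = @("Rtvscan", "SymSPort", "guard", "aawservice")

# Rogue shortcuts from the earlier posts; any that still exist need attention.
$rogueShortcuts = @(
    "C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk",
    "C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk",
    "$Desktop\Live Safety Center.lnk",
    "$Desktop\Online Security Guide.lnk"
)

# Cleanup-tool leftovers the final steps say may be deleted once the logs are clean.
$cleanupArtifacts = @(
    "$Desktop\ComboFix.exe", "C:\combofix.txt",
    "$Desktop\VundoFix.exe", "C:\VundoFix Backups", "C:\vundofix.txt",
    "$Desktop\Fixwareout.exe", "C:\fixwareout",
    "$Desktop\fixme.reg", "$Desktop\fixWLK.reg",
    "$Desktop\ShowNew.Zip", "$Desktop\GetRunkey.Zip",
    "C:\newfiles.txt", "C:\runkeys.txt", "C:\avenger.txt"
)

# Set to $true only after the logs have been confirmed clean; default is report-only.
$DoDelete = $false

foreach ($name in $mustRun) {
    if (Get-Process -Name $name -ErrorAction SilentlyContinue) {
        Write-Host "OK       $name.exe is running"
    } else {
        Write-Warning "MISSING  $name.exe is not running - re-enable your security software"
    }
}

foreach ($path in $rogueShortcuts) {
    if (Test-Path -LiteralPath $path) { Write-Warning "STILL PRESENT (rogue shortcut): $path" }
}

foreach ($path in $cleanupArtifacts) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    if ($DoDelete) { Remove-Item -LiteralPath $path -Recurse -Force -Verbose }
    else           { Write-Host "Leftover to delete: $path" }
}
```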
     
  21. Lynn Kerber

    Lynn Kerber Private E-2

    Thanks so much for your help. You guys are the best
    :celebrate:clap

    I will finish off the rest of the tasks and hopefully not have these issues again.

    :dood:drink

    thanks
    lynn
     
  22. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    No problem ..safe surfing...:)
     
