can't get rid of infection

Discussion in 'Malware Help (A Specialist Will Reply)' started by killinfections, Nov 21, 2007.

  1. killinfections

    killinfections Private E-2

    I have a "security toolbar 7.1" infection on internet explorer which also contains "online security guide" and "live safety center" on my desktop.

    I first used "unhackme" and it seemed to get rid of the problem. I scanned with "avast!" and "ad-aware" and all clean. Then today, when I turned on my computer again, the infection is back up.

    I've just downloaded "sophos anti-rootkit" and avast! virus cleaner tool but they didn't turn up anything.

    Should I proceed with the general malware removal steps posted on the forum, or is there something else I need to do?

    Thanks in advance.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. killinfections

    killinfections Private E-2

    So I've followed the steps in cleaning windows XP.

    The "security toolbar 7.1" and "online security guide" and "live safety center" still exist.

    When I used Combo Fix, it seemed to have gotten rid of the problem. However, when I reconnected to the internet, the malware came back.

    Spybot SD, Combo Fix and AVG all found stuff that I removed.

    I've followed the steps for AVG anti-spyware, but it did not generate a report.
    But, it did scan out "Trojan.Arbinder.a" which was quarantined and "TrackingCookie.Atdmt" and "TrackingCookie.Findwhat" which were deleted.

    So, I was only able to attach the Combo Fix log and MGlogs.

    The security warning and popping-up balloon warning symptoms still exist.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall the below old versions of software:
    J2SE Development Kit 5.0 Update 12
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 12
    J2SE Runtime Environment 5.0 Update 7
    Java(TM) 6 Update 2
    Java(TM) SE Runtime Environment 6 Update 1

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: {093f94d5-a266-b439-1bf4-985101be88d1} - {1d88eb10-1589-4fb1-934b-662a5d49f390} - C:\WINDOWS\system32\dhrgkdxl.dll
    O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll (file missing)
    O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\bacpbxkn.dll
    O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\bacpbxkn.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [b87b05c4] rundll32.exe "C:\WINDOWS\system32\xurmhlqm.dll",b
    O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\infectionkiller\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKLM\..\RunOnce: [SpybotDeletingA6058] command /c del "C:\WINDOWS\system32\bacpbxkn.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC8352] cmd /c del "C:\WINDOWS\system32\bacpbxkn.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA1995] command /c del "C:\WINDOWS\system32\bacpbxkn.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC9323] cmd /c del "C:\WINDOWS\system32\bacpbxkn.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB626] command /c del "C:\WINDOWS\system32\bacpbxkn.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD2065] cmd /c del "C:\WINDOWS\system32\bacpbxkn.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB8318] command /c del "C:\WINDOWS\system32\bacpbxkn.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD9266] cmd /c del "C:\WINDOWS\system32\bacpbxkn.dll_old"
    O20 - Winlogon Notify: bacpbxkn - C:\WINDOWS\SYSTEM32\bacpbxkn.dll

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Make sure you tell me how things are working now!
     
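The HijackThis lines chaslang singles out above share a few tells a helper looks for: modules with random-looking 8-letter names under system32, one DLL hooked from several load points (BHO, toolbar and Winlogon Notify), orphaned entries, and a hex-looking Run value name. This added Python example (not from the thread or from HijackThis itself) parses that log format and applies those checks as heuristics to a sample constructed from the post's own lines:

```python
import re
from collections import defaultdict

# Constructed sample: HijackThis lines quoted in the post above, trimmed to one per load point.
SAMPLE_LOG = r"""
O2 - BHO: {093f94d5-a266-b439-1bf4-985101be88d1} - {1d88eb10-1589-4fb1-934b-662a5d49f390} - C:\WINDOWS\system32\dhrgkdxl.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll (file missing)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\bacpbxkn.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\bacpbxkn.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [b87b05c4] rundll32.exe "C:\WINDOWS\system32\xurmhlqm.dll",b
O20 - Winlogon Notify: bacpbxkn - C:\WINDOWS\SYSTEM32\bacpbxkn.dll
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")                                # "O4 - ..." section prefix
PATH_RE = re.compile(r"""[A-Za-z]:\\[^"',]*?\.(?:dll|exe)""", re.I)    # first Windows module path
RUN_NAME_RE = re.compile(r"\[([^\]]+)\]")                                 # O4 value name in [brackets]
RANDOM_STEM_RE = re.compile(r"[a-z]{8}")     # heuristic: 8 lowercase letters, as in the post's DLL names
HEX_NAME_RE = re.compile(r"[0-9a-f]{8}")     # heuristic: hex-looking Run value name


def parse(log):
    """Split a HijackThis listing into (section, text, first module path) entries."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            paths = PATH_RE.findall(line)
            entries.append((m.group(1), line.strip(), paths[0] if paths else None))
    return entries


def analyse(log):
    """Return (section, reason, path) findings a helper would look at first."""
    entries = parse(log)
    sections_by_module = defaultdict(set)   # module basename -> sections that load it
    for sec, _, path in entries:
        if path:
            sections_by_module[path.lower().rsplit("\\", 1)[-1]].add(sec)
    findings = []
    for sec, text, path in entries:
        if "(file missing)" in text or "(no file)" in text:
            findings.append((sec, "orphaned entry", path))
        if path:
            name = path.rsplit("\\", 1)[-1]
            if "\\system32\\" in path.lower() and RANDOM_STEM_RE.fullmatch(name.rsplit(".", 1)[0]):
                findings.append((sec, "random-looking system32 module", path))
            if len(sections_by_module[name.lower()]) > 1:
                findings.append((sec, "module hooked from multiple load points", path))
        if sec == "O4":
            m = RUN_NAME_RE.search(text)
            if m and HEX_NAME_RE.fullmatch(m.group(1)):
                findings.append((sec, "random-looking Run value name", path))
    return findings
```

The name heuristics only rank entries for a human to review; a legitimate module can have a short lowercase name, so the checks are a starting point, not a verdict.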
  5. killinfections

    killinfections Private E-2

    I have not yet taken the next step you've told me to; however,
    each time I turned on my computer, Spybot SD runs and finds 10 files, one of which is called something like Virtualmundo or something. It deletes them and then my desktop loads. This last time, it did not run and the problem seemed to be fixed.
    My computer seems to be fixed. The "online security center" and "live safety center" don't reappear when I delete them and the warning messages have stopped.
    It's weird because it still had problems until the last few times I turned on my computer.
    Do you think my computer is fixed?
    Or do I need to do the steps you've said anyway?
    :confused
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No!! You need to do what I gave to you.
     
  7. killinfections

    killinfections Private E-2

    I did like you said; however, I didn't seem to have the following files in the scanner:

    but I did have one:
    O3 - Toolbar: (no name) - {[numbers]} - (no file)

    I didn't select it.


    So like I've said before, my computer seemed to be fixed. It still looks pretty good after doing all those things you said. Am I done now?

    thanks.
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot to uninstall J2SE Runtime Environment 5.0 Update 12. Uninstall it now.

    Also have HijackThis fix the below line:
    O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)

    Yes, even though your PC did not show any outward signs of infection, you previously were still infected. However, now you are clean! ;)

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that were created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    10. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
     
  9. killinfections

    killinfections Private E-2

    That isn't on the add/remove program list. I even looked for it using the search program, and nothing came up.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, but it is in your registry's uninstall program list though. The below will remove it.

    Now copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
     
    Last edited: Dec 3, 2007
  11. killinfections

    killinfections Private E-2

    So before I do the system restore point thing, I have a minor question.

    Before the malware, my computer had a little volume bar thing (not the normal one from the taskbar) that showed up when I adjusted the volume with my keyboard. However, now, it still works but the volume bar won't show up, so I won't know how much volume I'm going up or down. Was this affected by the malware, or can I fix that?

    And also, can I delete AVG and CCleaner?

    thanks.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Unknown. If you are not talking about the controls that are part of Windows, perhaps you are referring to something for your audio card and may need to reinstall the software.

    CCleaner is something you should keep around as recommended in the How to protect yourself thread. Instead of removing AVG Antispyware, I would dump Ad-Aware 2007, which is not nearly as good. Did you install one of the realtime antispyware blocking tools?
     
  13. killinfections

    killinfections Private E-2

    But I thought you had to pay for AVG after the trial period?
    No, not yet.
     
  14. killinfections

    killinfections Private E-2

    Oh, and also, can I re-hide the "hidden" files?
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! It will still work as a scanning and removal tool. The realtime blocking from the guard will go away after the trial period. The free Ad-Aware 2007 is only a scanner and it is not as good nor as useful as AVG AS.

    Yes, you can hide things again if you feel it is necessary. Just be aware that doing so also gives malware places to hide from you.
     
  16. killinfections

    killinfections Private E-2

    So I got Comodo BOClean. Will that take the place of both AVG and Ad-Aware?
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! Comodo BOClean is only a protection tool. It is not a scanner, which is what the free AVG Antispyware and Ad-Aware (also Spybot) are for.
     
