Almost There - I hope!

Discussion in 'Malware Help (A Specialist Will Reply)' started by otter_60, Jan 8, 2006.

  1. otter_60

    otter_60 Private E-2

    Hi Maj. Geek,

    Over the weekend I've been house-sitting for a friend, and for the last 3 days, I've been removing a LOAD of malware from their computer, and I think I'm almost there - THANKS TO YOU GUYS (i.e., your great website)!!!

    There's still something that's not quite right. I get a warning that something is trying to change a web page, so I think that IE is still getting Hijacked.

    I read the "READ & RUN ME FIRST Before Asking for Support" page, and I think I've done everything except the "Special Removal Procedures" and "Alternate Scans".

    Here's what I think I did:

    0: Preliminary House Cleaning
    1: Disable System Restore temporarily
    2: Enable viewing of hidden files, system files and file extensions
    3: Do not use Multiple Antivirus Applications
    4: Downloading Tools
    5: Cleaning Malware
    6: Online Virus And Trojan Scanning
    Bitdefender (Log File attached)
    Panda ActiveScan (Log File attached)
    7: HijackThis (Log File attached)

    Can you look at the log files and suggest a next step?

    Thanks in advance!

    Otter
     

    Attached Files:

  2. otter_60

    otter_60 Private E-2

    I forgot that I had a later version of the bd log. I couldn't find the Edit Button to change my previous log, so I just attached the newer log to this post.

    Thanks,
    Otter
     
  3. otter_60

    otter_60 Private E-2

    Please ignore my previous post about a newer log file.

    Thanks,
    o
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First, please empty all items from your Yahoo Quarantine folder. That should take care of the items in the list below and others also found by BitDefender.
    D:\2005-10-03\Program Files\Yahoo!\YPSR\Quarantine\20050619214746.zip [WToolsB.dll]
    D:\2005-10-03\Program Files\Yahoo!\YPSR\Quarantine\20050619214746.zip [WToolsA.exe]
    D:\2005-10-03\Program Files\Yahoo!\YPSR\Quarantine\20050619214746.zip [WSup.exe]
    D:\2005-10-03\Program Files\Yahoo!\YPSR\Quarantine\20050619214746.zip [WToolsB.to_be_deleted]
    D:\2005-10-03\Program Files\Yahoo!\YPSR\Quarantine\ppqAE.tmp
    D:\2005-10-03\Program Files\Yahoo!\YPSR\Quarantine\ppq107.tmp\bdedata2.dll
    D:\2005-10-03\Program Files\Yahoo!\YPSR\Quarantine\ppq107.tmp\bdedownloader.dll
    D:\2005-10-03\Program Files\Yahoo!\YPSR\Quarantine\ppq107.tmp\dmanu4.cab
    D:\2005-10-03\Program Files\Yahoo!\YPSR\Quarantine\ppq107.tmp\dmanu4.cab [dman4.dll]
    D:\2005-10-03\Program Files\Yahoo!\YPSR\Quarantine\ppq107.tmp\dmanu4.cab [dman4.exe]
    D:\2005-10-03\Program Files\Yahoo!\YPSR\Quarantine\ppq107.tmp\dmanu4.cab [BDEInstallProgress4.dll]
    D:\2005-10-03\Program Files\Yahoo!\YPSR\Quarantine\ppq107.tmp\pmfiles.cab [sysdetect.dll]
    Also empty your Norton Quarantine folder to remove a load of other stuff.

    The scanners believe the below two items are bad:
    D:\2005-10-03\Documents and Settings\user\My Documents\PowerPlus-Setup.exe
    D:\2005-10-03\Documents and Settings\user\My Documents\runescape try.rar

    Do you know what they are? Do you need them? Delete them if not needed.

    What is all this stuff being saved in the 2005-10-03 folder anyway? Did you do a backup and save it all there?

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    O2 - BHO: (no name) - AutorunsDisabled - (no file)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\QL <--- the whole folder
    C:\WINDOWS\system32\zzz-igps.exe
    D:\2005-10-03\_temp\wfallsfree.exe
    D:\2005-10-03\Program Files\ZangoClient <--- the whole folder
    D:\2005-10-03\Program Files\Screensavers.com <--- the whole folder
    D:\2005-10-03\Program Files\MyWebSearch <--- the whole folder
    D:\2005-10-03\Program Files\MediaLoads <--- the whole folder

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise, open Task Manager and kill the process if it is running, then delete the file.
    Now, if running Win XP, go to c:\windows\Prefetch and delete all files in this folder.
    Now run CCleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    Reminder Note: Once we have determined you are malware free, you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
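    The checks chaslang applied by eye to the HJT log above can be written down. The script below is an added example for this thread; it is not code from HijackThis, from MajorGeeks or from either poster. It parses the R0/R1 (IE Start Page / Search Page) and O2 (BHO) line formats HijackThis prints and flags the three patterns picked out in the instructions: a Search Page pointing at a host outside an allow-list, a SearchAssistant forced to about:blank, and a BHO entry with no name or "(no file)" behind it. The TRUSTED_HOSTS allow-list and the sample log are constructed for the example; the only real indicator in them is the searchbar.findthewebsiteyouneed.com URL quoted in the log. It is a triage aid, not a replacement for someone reading the whole log: O4 autostarts, O16 ActiveX objects and the rest are not covered.

```python
"""Heuristic triage of HijackThis-style log lines.

Added example for this thread; not code from HijackThis, MajorGeeks or the
original posters.  Parses R0/R1 (IE Start/Search Page) and O2 (BHO) lines
and flags the patterns chaslang told otter_60 to fix.  TRUSTED_HOSTS and
SAMPLE_LOG are constructed; the searchbar.findthewebsiteyouneed.com URL is
the one quoted in the thread.
"""
import re

# Hosts a user might legitimately have as a home or search page (constructed list).
TRUSTED_HOSTS = {"www.google.com", "www.msn.com", "www.majorgeeks.com"}

# R0/R1 lines: "R1 - HKCU\Software\...\Main,Search Page = http://host/"
R_LINE = re.compile(r"^(R[01]) - (HK(?:LM|CU))\\(.+?),(\w[\w ]*) = (.*)$")
# O2 lines: "O2 - BHO: <name> - <CLSID> - <path>"
O2_LINE = re.compile(r"^O2 - BHO: (.+?) - (.+?) - (.*)$")


def host_of(url):
    """Return the lower-cased host of an http(s) URL, or None if it is not one."""
    m = re.match(r"^https?://([^/:?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else None


def analyze_line(line):
    """Return a reason string if the HJT line looks hijacked, else None."""
    m = R_LINE.match(line)
    if m:
        _kind, _hive, _key, name, value = m.groups()
        value = value.strip()
        if name == "SearchAssistant" and value.lower() == "about:blank":
            return "SearchAssistant reset to about:blank"
        if value.lower().startswith("about:"):
            # about:blank as a Start Page is a common user choice; leave it
            return None
        host = host_of(value)
        if host is None:
            return "%s has a value that is not an http(s) URL" % name
        if host not in TRUSTED_HOSTS:
            return "%s points at untrusted host %s" % (name, host)
        return None
    m = O2_LINE.match(line)
    if m:
        name, _clsid, path = m.groups()
        if name.strip() == "(no name)" or path.strip() == "(no file)":
            return "BHO with no name or missing file"
        return None
    return None  # other line types (O4, O16, ...) are not covered here


def analyze_log(text):
    """Return [(reason, line), ...] for every flagged line, in log order."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        reason = analyze_line(line)
        if reason:
            findings.append((reason, line))
    return findings


# Constructed sample log.  The R0/R1/O2 entries are the ones quoted in the
# thread; the last BHO line is a made-up benign entry with a placeholder CLSID.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
"""

if __name__ == "__main__":
    for reason, line in analyze_log(SAMPLE_LOG):
        print("FIX  %-60s  %s" % (reason, line))
```

    Run against the sample, it lists the same four lines chaslang selected for Fix and passes the majorgeeks.com Start Page and the benign BHO. The allow-list is the part to adjust per machine: an unfamiliar search host is a lead, not a verdict, so confirm it before clicking Fix.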
     
  5. otter_60

    otter_60 Private E-2

    Hello, and MANY, MANY Thanks for your analysis and instructions!!!

    I did everything on your list, and yes, the D:\2005-10-03 directory was a backup that I made the last time I tried to straighten out my friend's PC. It was so bad I bought an external hard drive (the D drive) and reformatted the C drive. It didn't take too long to become a big mess again.

    Attached is the latest HJT log. I haven't really run long enough to notice any malware.

    I've got to figure out how to keep my friends from getting into this mess. A long time ago I installed a router so that the NAT will act as a firewall. I'm going to get them to buy Ad-Aware and to read your post on How to Prevent Malware.

    Thanks again for all your help!

    Otter
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The HJT log is now clean. The next thing to do is step 1 of the READ ME to dump the System Restore points. And then on to the How to Protect thread you mentioned. Make sure all of it is completed and make sure your friend reads and understands the below section:
    Let me know if there are any other malware issues. As of now you look clean.
     
  7. otter_60

    otter_60 Private E-2

    GREAT!

    I dumped the Restore Points, and will talk to my friends when they get back tonight.

    If my friends have any more malware problems in the next day or so, should I append to this thread, or start a new one?

    Thanks again,
    Otter
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As long as it is only a few days, yes.

    If it gets to the point of a week or more and NEW problems pop up, it would be necessary to start the READ ME over again, and then start a new thread. This thread could always be referenced if it seems relevant.

    Things change very quickly in the malware world and a week or two can be a lifetime. (Especially for some bugs! :D )
     
