First step malware removal

Discussion in 'Malware Help (A Specialist Will Reply)' started by davidhmd, May 4, 2008.

  1. davidhmd

    davidhmd Private E-2

    I think I'm having some malware issues. I can follow self-help instructions, but don't have any computer expertise.

    I'm looking for advice on whether I should pursue option A or B. A) backup my files and reinstall Windows B) Follow standard malware removal steps in sticky section.

    Is reinstalling Windows more likely to clean out all malware and slow PC issues and give me a completely fresh start including erasing all other possibly malicious program files? If yes, then I lean toward that option.

    Running Windows XP with NIS 2008. Primarily use Firefox unless sites insist on Explorer.

    Symantec won't help w/out $100 fee b/c I've been downloading movie torrents with BitComet and Peer Guardian.

    Thank you for your help.

    NIS recently identified following malware:
    adware.MaxSearch threat
    downloader threat
    SecurityRisk.Downldr
    Downloader.MisleadApp
    Adware.Purityscan
    Malware alarm install
    Trojan Vundo-Partially Resolved
    Tracking Cookie detected by Virus scanner

    NIS says all these threats have been removed, but system still seems buggy and I keep getting the following start up error:
    Error loading c:\WINDOWS\system32\vdjtades.dll The specified module could not be found.

    System Information, Software Environment, lists the following Running Tasks:
    agent.exe c:\program files\common files\installshield\updateservice\agent.exe
    alg.exe Not Available
    aluschedulersvc.exe c:\program files\symantec\liveupdate\aluschedulersvc.exe
    andreavc.exe c:\program files\creative\voicecenter\andreavc.exe
    brss01a.exe c:\windows\system32\brss01a.exe
    brsvc01a.exe c:\windows\system32\brsvc01a.exe
    ccproxy.exe c:\program files\common files\symantec shared\ccproxy.exe
    ccsvchst.exe c:\program files\common files\symantec shared\ccsvchst.exe
    ccsvchst.exe c:\program files\common files\symantec shared\ccsvchst.exe
    csrss.exe Not Available
    ctdetect.exe c:\program files\creative\mediasource\detector\ctdetect.exe
    ctfmon.exe c:\windows\system32\ctfmon.exe
    ctsvccda.exe c:\windows\system32\ctsvccda.exe
    ctsysvol.exe c:\program files\creative\sbaudigy\surround mixer\ctsysvol.exe
    dlactrlw.exe c:\windows\system32\dla\dlactrlw.exe
    dlg.exe c:\program files\digital line detect\dlg.exe
    dllhost.exe c:\windows\system32\dllhost.exe
    dmxlauncher.exe c:\program files\dell\media experience\dmxlauncher.exe
    dsagnt.exe c:\program files\dellsupport\dsagnt.exe
    easyshare.exe c:\program files\kodak\kodak easyshare software\bin\easyshare.exe
    ehmsas.exe c:\windows\ehome\ehmsas.exe
    ehrecvr.exe c:\windows\ehome\ehrecvr.exe
    ehsched.exe c:\windows\ehome\ehsched.exe
    ehtray.exe c:\windows\ehome\ehtray.exe
    elservice.exe c:\program files\intel\inteldh\intel(r) quick resume technology\elservice.exe
    explorer.exe c:\windows\explorer.exe
    firefox.exe c:\progra~1\mozilla firefox\firefox.exe
    googledesktop.exe c:\program files\google\google desktop search\googledesktop.exe
    googledesktopdisplay.exe c:\program files\google\google desktop search\googledesktopdisplay.exe
    googledesktopindex.exe c:\program files\google\google desktop search\googledesktopindex.exe
    helpctr.exe c:\windows\pchealth\helpctr\binaries\helpctr.exe
    helpsvc.exe c:\windows\pchealth\helpctr\binaries\helpsvc.exe
    iaanotif.exe c:\program files\intel\intel matrix storage manager\iaanotif.exe
    iaantmon.exe c:\program files\intel\intel matrix storage manager\iaantmon.exe
    ipodservice.exe c:\program files\ipod\bin\ipodservice.exe
    issch.exe c:\program files\common files\installshield\updateservice\issch.exe
    isuspm.exe c:\program files\common files\installshield\updateservice\isuspm.exe
    ituneshelper.exe c:\program files\itunes\ituneshelper.exe
    kodakccs.exe c:\windows\system32\drivers\kodakccs.exe
    lsass.exe c:\windows\system32\lsass.exe
    mcrdsvc.exe Not Available
    mm_tray.exe c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe
    msmsgs.exe c:\program files\messenger\msmsgs.exe
    notepad.exe c:\windows\system32\notepad.exe
    nvsvc32.exe c:\windows\system32\nvsvc32.exe
    scsiaccess.exe c:\windows\system32\scsiaccess.exe
    services.exe c:\windows\system32\services.exe
    smss.exe c:\windows\system32\smss.exe
    spoolsv.exe c:\windows\system32\spoolsv.exe
    sprtcmd.exe c:\program files\dell support center\bin\sprtcmd.exe
    sprtsvc.exe c:\program files\dell support center\bin\sprtsvc.exe
    spysweeper.exe c:\program files\webroot\spy sweeper\spysweeper.exe
    spysweeperui.exe c:\program files\webroot\spy sweeper\spysweeperui.exe
    ssu.exe c:\program files\webroot\spy sweeper\ssu.exe
    stsystra.exe c:\windows\stsystra.exe
    svchost.exe Not Available
    svchost.exe Not Available
    svchost.exe Not Available
    svchost.exe Not Available
    svchost.exe c:\windows\system32\svchost.exe
    svchost.exe c:\windows\system32\svchost.exe
    svchost.exe c:\windows\system32\svchost.exe
    symlcsvc.exe c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe
    system Not Available
    system idle process Not Available
    uwclean.exe c:\program files\blcorp\uwcsuite\uwc\uwclean.exe
    winlogon.exe c:\windows\system32\winlogon.exe
    wmiprvse.exe Not Available
     
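The logon error quoted in this post (a module that "could not be found") is the classic leftover of a cleanup: the anti-virus deleted the DLL but not the registry value that loads it at startup. The script below is an added example, not part of this thread or of any MajorGeeks tool; it audits the Run and RunOnce keys for entries that reference files which no longer exist, and assumes PowerShell 2.0 or later running under an account that can read those keys.

```powershell
# Added example (not from the thread): list autorun entries whose command line
# references a file that no longer exists. A logon message of the form
# "Error loading <path>.dll ... The specified module could not be found" is
# normally such an orphan. Assumed: PowerShell 2.0+, read access to the keys.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Extract path-like tokens (quoted strings, or bare tokens starting with a
# drive letter or %VAR%) from a command line. The trailing ",EntryPoint" used
# by rundll32 ("rundll32.exe c:\dir\x.dll,Start") is stripped from the token.
# Unquoted paths containing spaces are split and will show up as false hits.
function Get-ReferencedPaths([string]$command) {
    $paths = @()
    foreach ($m in [regex]::Matches($command, '"([^"]+)"|(\S+)')) {
        $tok = if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[2].Value }
        $tok = $tok -replace ',[^\\,]*$', ''
        if ($tok -match '^[A-Za-z]:\\|^%') {
            $paths += [Environment]::ExpandEnvironmentVariables($tok)
        }
    }
    return $paths
}

# Walk each key's values and emit one object per referenced file that is missing.
function Find-OrphanedRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $regKey = Get-Item -Path $key
        foreach ($name in $regKey.GetValueNames()) {
            $cmd = [string]$regKey.GetValue($name)
            foreach ($p in @(Get-ReferencedPaths $cmd)) {
                if (-not (Test-Path -LiteralPath $p)) {
                    New-Object PSObject -Property @{
                        Key     = $key
                        Value   = $name
                        Command = $cmd
                        Missing = $p
                    }
                }
            }
        }
    }
}

Find-OrphanedRunEntries | Format-List
```

Review the output by hand before changing anything; an orphan of this kind is cleared by deleting the registry value that references the missing file, which is what the HijackThis and .reg steps later in this thread do for the entries the helper selects.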
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It is really your choice ...doing a reformat and install will remove everything. So when you install / copy files and programs back to the new install, it will only be a matter of whether those items are infected.

    If you do the Read and Run instructions...we can see how infected you are and it may be a simple cleaning. You can follow these instructions:

    READ & RUN ME FIRST. Malware Removal Guide
     
  3. davidhmd

    davidhmd Private E-2

    I think system's all clean now, and haven't had any problems since. Can someone check my logs to be sure, or refer to some resources that will help me understand them.
     

    Attached Files:

  4. davidhmd

    davidhmd Private E-2

    MG log
     

    Attached Files:

  5. davidhmd

    davidhmd Private E-2

    I just ran Super Anti Spyware again and 0 threats found.
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes...you look much better ...just a few things to do:


    Please disable all anti-virus and anti-spyware programs while we do the following:

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Be sure to tell us how things are running.
     
  7. davidhmd

    davidhmd Private E-2

    The avenger commands failed, but I still followed the remaining instructions and ran the GetLogs.bat file.
     

    Attached Files:

  8. davidhmd

    davidhmd Private E-2

    Things appear to be running fine before and after this step.
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Avenger didn't fail...:)

    Your logs look clean.

    If you are not having any other malware problems, it is time to do our final steps:

    1. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
    2.
    * Click START then RUN
    * Now type "%userprofile%\Desktop\cf" /u in the runbox and click OK.
    * Note the space between the cf and the /U; it must be there.
    3. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    4. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    5. If you are running Windows XP or Windows ME, do the below:
    * Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore, which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.
    6. After doing the above, you should work thru the below link:
    How to Protect yourself from malware!
     
