Have I done it?

Discussion in 'Malware Help (A Specialist Will Reply)' started by learner1, May 16, 2007.

  1. learner1

    learner1 Private E-2

    OK, as I am a real amateur at this would somebody be really kind and check to see if I have managed to remove a whole load of viruses and some malware. This has done my head in to be honest :cry and I would really appreciate a sanity check!! I have followed the advice on the sticky "READ & RUN ME FIRST. Malware Removal Guide". Here's the info/background of the problems:

    I usually run Norton Internet Security 2007 - firewall and virus checker.
    I recently started to get multi pop-ups in IE7
The virus checker identified Adware.MaxSearch, Trojan.Adclicker and Downloader, and I was unable initially to visit any Symantec Web pages until I ran Spybot which identified a load of redirected hosts.
    I followed Norton/Spybot instructions, deleting various files and registry entries.
    I still had pop-ups and installed more software:
    Windows Defender - Nil detections
    Adaware - Nil detections
    AVG AntiSpyware - detected worm.Pytica, worm.VB.at and Trojan.Obfuscated
    SuperAntiSpy - detected Adware.LOP

After reading various forums I uninstalled the source of some of the problems - a Windows Messenger Add-On with adware sponsor (CID) although windows uninstaller said some of the files were locked.

    I then started to follow the advice of this forum:
    emptied Norton Antivirus quarantine
    emptied norton protected recycle bin
    installed and ran ccleaner
    enabled recommended windows folder viewing options
    downloaded recommended software
    started safe mode
    ran ccleaner for each windows user
    ran Spybot - it spotted that Microsoft.SecurityCentre was disabled but I think Symantec does this anyway?
ran CounterSpy - report attached (2 entries)
    ran Bitdefender online scan - several trojans - report attached
    rebooted normal mode
    ran PandaActiveScan - Nil detections
    ran getrunkey - report attached

    Part 2 to follow in next post
     

    Attached Files:

  2. learner1

    learner1 Private E-2

    Part 2....

    ran shownew - report attached
    ran HiJackThis - report attached

    The pop ups seem to have stopped now, but am I in the clear?? There seemed to be so many infections I'm not sure if I have cracked it. You guys deserve medals

    Thanks very much for any advice, I hope I followed the sticky ok

    Rob
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

You mean MESSENGER PLUS! LIVE. This is the scourge of the internet. Tens of thousands of people have been infected by installing this program and not reading carefully.

    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Client IP-IPX
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
• Copy/paste Client IP-IPX into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT

    Is Sunbelt CounterSpy the free trial version from the READ ME? If so, uninstall it now as we are finished with it.

    Also uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 1
    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment


    I will post additional steps soon in a second message.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://vcl.vaio.sony.co.jp/eu/PforVAIO.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - Startup: csrss.lnk = ?

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Documents and Settings\julie\Start Menu\Programs\Startup\csrss.lnk

    Now run Ccleaner

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Now reboot in normal mode
    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.
     
  5. learner1

    learner1 Private E-2

    Chas - thanks for helping me out and for your advice. OK here's how it went.

    Everything done in order with following issues:

    Issue 1

    when I attempted to use HJT to fix the lines you recommended I had 2 warning/error messages:

    Message 1: Quote:

    Error #52 (Bad file name or number) in Sub GetLongPath (?.exe) Please send a report to merijn@spywareinfo.com mentioning what you were doing and what version of windows you have. This message has been copied to your clipboard.

    End quote

    Is this dodgy?

    Message 2: Quote:

    Unable to delete the file:
O4 - Startup: csrss.lnk = ?
    The file may be in use. Use Task Manager to shutdown the programme and run HijackThis again to delete the file.

    End Quote

    Note - I tried to end the csrss process in task manager but I was prevented from doing so by windows and received this message:

    quote:
    Critical system process, Task Manager cannot end this process.
    End quote.

    I was therefore unable to use HJT to fix this line.

    Issue 2

After rebooting to Safe Mode, I had problems deleting csrss.lnk. When I got to the folder I found a shortcut called csrss but not a file. I went right click on it, properties. In the properties window there were no details of target type, location or target. Shortcut keys - none, Run normal window. However, there was another tab in the window called Revisions and in this I found csrss.lnk although I was unable to delete it. I therefore deleted the whole shortcut anyway. Hope this was ok.

    I had problems setting my home page to major geeks - it seemed to keep wanting it set to runonce.msn.com/runonce2.aspx. In the end, I opened IE7 and reset it manually - might be finger trouble though:eek:

    The Regedit4 script ran ok

    The reports you requested are attached.

    Once again, I can't thank you enough for your help.

    Rob
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! This just happens in HijackThis sometimes. Don't worry about it.

    Don't do that! csrss.exe running from the system32 folder is valid. csrss.lnk has nothing to do with that file.


Yes! That was the file that I asked you to delete. csrss.lnk is a shortcut file, and all you needed to do was simply delete it and nothing else. This was a backup to fixing the O4 line in HJT which I assumed would fail.

    How are things working?

    Your logs are clean but you should consider removing SuperAntispyware and AVG Antispyware unless you are going to buy one of them. You already have Windows Defender installed (not the best antispyware program) and you don't want to have conflicts between these programs and the excess use of system resources will slow your PC down.

    You can also use HJT to fix the below non-malware items which will help in PC performance too. These are unnecessary startups:
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
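The triage the helper is doing by eye in posts 4 and 6 (pick out the O2 BHO with no file and the O4 Startup item named after a system process, recognise that csrss.lnk in a Startup folder has nothing to do with the real csrss.exe in system32, and flag unnecessary auto-starts) can be expressed as a small log scanner. This is an added example, not code from the thread or from HijackThis. The watch-lists (SYSTEM_PROCESS_NAMES, NOISE_EXECUTABLES) are a practitioner's assumptions; the sample log reuses lines posted in the thread plus one constructed benign ctfmon.exe entry.

```python
"""Triage HijackThis-style log lines and flag entries worth a second look.

Added example (not from the thread). It parses the R0/R1, O2 and O4 line
shapes visible in the thread; other sections are ignored.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Core Windows processes whose names malware borrows for startup items. Real
# instances are started by the session manager / service control manager,
# never from a Startup-folder shortcut or a Run key. (Assumed watch-list.)
SYSTEM_PROCESS_NAMES = {"csrss", "smss", "lsass", "winlogon", "services", "svchost"}

# Legitimate but unnecessary auto-starts: the two the helper called
# "unnecessary startups". (Assumed list; extend as needed.)
NOISE_EXECUTABLES = {"qttask.exe", "jusched.exe"}

LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
O4_STARTUP_RE = re.compile(r"^(?:Global )?Startup: (?P<file>.+?) = (?P<target>.*)$")
O4_RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Start/search pages pointing at Microsoft or Google are the IE defaults.
EXPECTED_URL_RE = re.compile(r"https?://(?:[\w-]+\.)*(?:microsoft|google)\.")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low"
    kind: str      # HJT section tag, e.g. "O4"
    line: str      # the log line as written
    reason: str


def executable_from_command(cmd: str) -> str:
    """Return the program path from a Run-key command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def stem(filename: str) -> str:
    return filename.rsplit(".", 1)[0].lower()


def triage_line(line: str) -> Optional[Finding]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")

    if kind == "O2" and body.endswith("(no file)"):
        return Finding("medium", kind, line, "BHO registered with no backing file: dead reference, remove")

    if kind == "O4":
        s = O4_STARTUP_RE.match(body)
        if s:
            name = stem(basename(s.group("file")))
            if name in SYSTEM_PROCESS_NAMES:
                return Finding("high", kind, line,
                               f"Startup-folder item named after system process '{name}'; the real {name}.exe never starts this way")
            if s.group("target").strip() == "?":
                return Finding("medium", kind, line, "Startup item whose target HijackThis could not resolve")
            return None
        r = O4_RUN_RE.match(body)
        if r:
            exe = basename(executable_from_command(r.group("cmd")))
            if stem(exe) in SYSTEM_PROCESS_NAMES:
                return Finding("high", kind, line, f"Run-key entry launching system-process name '{exe}'")
            if exe.lower() in NOISE_EXECUTABLES:
                return Finding("low", kind, line, f"Unnecessary auto-start ({exe}); safe to disable for performance")
        return None

    if kind in {"R0", "R1"}:
        url = body.split("=", 1)[1].strip() if "=" in body else ""
        if url and not EXPECTED_URL_RE.match(url):
            return Finding("medium", kind, line, f"IE start/search setting points at unexpected URL: {url}")
        return None
    return None


def triage(log_text: str) -> List[Finding]:
    """Scan a whole log; returns findings in log order, one per flagged line."""
    return [f for f in (triage_line(ln) for ln in log_text.splitlines()) if f is not None]


# Sample log: lines from the thread, plus one constructed benign entry (ctfmon).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://vcl.vaio.sony.co.jp/eu/PforVAIO.htm
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - Startup: csrss.lnk = ?
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.kind}: {f.reason}\n         {f.line.strip()}")
```

The scanner is deliberately conservative: it only flags shapes it understands and leaves the IE defaults alone, so a clean log produces no output. The important rule is the system-process one: a Startup shortcut or Run-key value whose name matches csrss, smss, lsass and friends is reported regardless of where it points, because the genuine copies are never launched through those mechanisms.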
     
  7. learner1

    learner1 Private E-2

    Chas

    Sorry about the mix up with the csrss file. The computer seems to be working ok and my logs are clean....I reckon that's a thumbs up:D

May I just say that you guys are absolute heroes. The ordinary guy in the street has no chance against the people who write these viruses etc and without people like yourselves we would be completely stuck. Many thanks indeed for your help (and your patience!!):wave

    Rob
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    9. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work through the below link:
     
