Help - Can't seem to get rid of malware

Discussion in 'Malware Help (A Specialist Will Reply)' started by scrooge56, Jan 31, 2008.

  1. scrooge56

    scrooge56 Private E-2

    Hello,

    I need some help with the following.

    Before Christmas, I seemed to be infected with spyware/trojans on my XP machine.

    First it began with something called AVSystemCare putting an icon on the desktop and a download window automatically appearing.

    Then when the machine was left on with the browser open, music and talking would randomly start playing and clicking sounds indicating web browsing - no windows would pop up but the following sites would show.

    The machine would run very slow.

    ad.kingame.info
    octane.tv
    look4bull
    webclixs

    Since then I have followed your tips and software to remove this, run ComboFix and CCleaner, and removed as many of the registry entries as looked suspect, but I still think it's infected.

    I have also run spybot, ad-aware 2007, windows defender, McAfee Full scan and many other tools to rid my system of this malware.

    McAfee found trojans called 17PHOLMES572.EXE & A0157382.EXE and deleted them after the scan. Looking through the log file, it had also found the trojans rasesnet.exe, snapsnet.exe and Yazzle1281OinAdmin.exe the week before.

    I then noticed that on startup, there would be a window pop up saying personalised settings were updated running tcpdiss.exe

    I found the registry entry and stopped this loading and then deleted the file.

    It still seems that the click through to other websites is the only problem left and wondered if anyone could help to see if they can see anything left to do.

    I set the controls on the IE7 browser to alert me when activex controls are trying to open and it alerts still when the browser is open left idle.

    thanks in advance for any help and I attach the MGtools log below.
     


  2. __RiP_ChAiN_

    __RiP_ChAiN_ Private First Class

    Welcome to Major Geeks!

    I'm looking through your logs now, and it looks like you might have missed a few steps in the readme we asked you to follow. Would you please follow through the readme again and post the resulting logs from it?
     
  3. scrooge56

    scrooge56 Private E-2

    Hello,

    Oops sorry, here is the combofix log....

    Thanks,
     

    Attached Files:

    • log.txt (14.2 KB)
  4. __RiP_ChAiN_

    __RiP_ChAiN_ Private First Class

    Hello scrooge56 :)

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.
    2. Now copy/paste the entire content of the codebox below into the Notepad window:
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Save the above as CFScript.txt

    4. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif


    6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:

    7. Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

    Then attach the below logs:

    • C:\ComboFix.txt
    • Panda ActiveScan Report.
    • C:\MGlogs.zip
     
  5. scrooge56

    scrooge56 Private E-2

    Hello Rip Chain - I have done it, although Panda ActiveScan kept falling over several times.

    Thanks for your help so far.


    On a positive note, the click through to websites has stopped....

     
  6. scrooge56

    scrooge56 Private E-2

    Sorry, seems the logs didn't post - trying to upload again.
     


  7. __RiP_ChAiN_

    __RiP_ChAiN_ Private First Class

    Hello scrooge56 :)

    Looking through all that stuff, it looks like your computer is pretty well cleaned from malware. How are things currently running on your end?
     
  8. scrooge56

    scrooge56 Private E-2

    Hi Rip Chain,

    There have been no issues since - This has been bugging me for weeks and I am really grateful it's finally gone.

    Thanks for your help!

     
  9. __RiP_ChAiN_

    __RiP_ChAiN_ Private First Class

    Here are some last tips for you :)

    Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools cannot access it to delete these bad files, which can sometimes reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

    The easiest and safest way to do this is:
    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Then go to Start > Run and type: Cleanmgr
    • Click "OK".
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

    Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
    1. Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        • Change the Download signed ActiveX controls to Prompt
        • Change the Download unsigned ActiveX controls to Disable
        • Change the Initialize and script ActiveX controls not marked as safe to Disable
        • Change the Installation of desktop items to Prompt
        • Change the Launching programs and files in an IFRAME to Prompt
        • Change the Navigate sub-frames across different domains to Prompt
        • When all these settings have been made, click on the OK button.
        • If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.
    2. Use AntiVirus Software - It is very important that your computer has anti-virus software running. This alone can save you a lot of trouble with malware in the future.

      See this link for a listing of some online & their stand-alone antivirus programs:

      Virus, Spyware, and Malware Protection and Removal Resources
    3. Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
    4. Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

      For a tutorial on Firewalls and a listing of some available ones see the link below:

      Understanding and Using Firewalls
    5. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
    6. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

      A tutorial on installing & using this product can be found here:

      Using SpywareBlaster to protect your computer from Spyware and Malware
    7. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
    Follow this list and your potential for being infected again will reduce dramatically.

    Here are some additional utilities that will enhance your safety:
    • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
    • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
    • Winpatrol <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
      Using Winpatrol to protect your computer from malicious software
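The HOSTS-file blocking recommended in the post above works by mapping each listed hostname to a loopback or unroutable address so the resolver never asks DNS for it. The following is an added example, not code from the thread or from the MVPS project: it parses a small HOSTS file in MVPS style (the sample content is constructed for this example, including `look4bull.com` and `webclixs.com`, which are assumed full hostnames for the partial names in the first post) and checks which of the sites named in the first post would be sinkholed. It also shows the main limitation a practitioner should know: HOSTS entries are exact matches, so an entry for `octane.tv` does nothing for `ads.octane.tv`.

```python
"""Check observed hostnames against a HOSTS-file blocklist.

Added example, not from the original thread or the MVPS project.
A HOSTS file maps names to addresses before DNS is consulted; mapping a
name to a sinkhole address (127.0.0.1, 0.0.0.0 or ::1) blocks it.
The sample HOSTS content below is constructed for this example.
"""
import ipaddress

# Addresses that a blocklist uses to sinkhole a name.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample in MVPS style (not the real MVPS file). The
# .com hostnames are assumptions for the partial names in the thread.
SAMPLE_HOSTS = """\
# MVPS-style HOSTS file (constructed sample)
127.0.0.1  localhost
::1        localhost
0.0.0.0    ad.kingame.info
0.0.0.0    octane.tv          # trailing comment after an entry
0.0.0.0    www.look4bull.com  look4bull.com
127.0.0.1  webclixs.com
192.168.1.10  intranet.example   # a normal, non-sinkhole mapping
this is not a valid hosts line
"""


def parse_hosts(text):
    """Return {hostname: address} for every name in a HOSTS file.

    Handles blank lines, full-line and trailing comments, several names
    on one line, and skips malformed lines instead of failing on them.
    A later entry for the same name overrides an earlier one, which is
    how the system resolver treats duplicate HOSTS entries.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        addr, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(addr)        # first field must be an IP
        except ValueError:
            continue
        for name in names:
            mapping[name.lower().rstrip(".")] = addr
    return mapping


def is_sinkholed(mapping, hostname):
    """True if the resolver would answer hostname with a sinkhole address.

    Lookup is an exact, case-insensitive match: 'octane.tv' does not
    cover 'ads.octane.tv'. That is the main gap in HOSTS-file blocking.
    """
    addr = mapping.get(hostname.lower().rstrip("."))
    return addr is not None and addr in SINKHOLE_ADDRESSES


def check_observed(mapping, hostnames):
    """Map each observed hostname to True (blocked) or False (not blocked)."""
    return {h: is_sinkholed(mapping, h) for h in hostnames}


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    observed = ["ad.kingame.info", "octane.tv", "ads.octane.tv",
                "look4bull.com", "webclixs.com", "intranet.example"]
    for name, blocked in check_observed(hosts, observed).items():
        print(f"{name:20} {'BLOCKED' if blocked else 'not blocked'}")
```

Because of the exact-match behaviour, a site that rotates subdomains (as ad networks commonly do) slips past a HOSTS blocklist unless every subdomain is listed; a firewall rule or DNS-level filter covering the whole domain is the stronger control when that matters.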
     
