help with massively infected pc

Discussion in 'Malware Help (A Specialist Will Reply)' started by craigcomputer, Aug 6, 2006.

  1. craigcomputer

    craigcomputer Private E-2

    Hi, thanks in advance for providing the “READ AND RUN ME FIRST” guide. I am removing various malware from a computer and have followed all those steps – and this was massively infected, making for a long post.

    When I first approached this PC (running seemingly fully-patched XP Home, SP2), I immediately noticed that the antivirus under Yahoo Online Protection was turned off (notified under the Y.O.P. icon and the Windows security warning in the system tray). I’m certain you are aware that Yahoo antivirus is re-branded Computer Associates eTrust. Antivirus would turn off again, though, soon after I turned it back on; why this happened is in question; see further explanation towards the end of the post.

    Here’s what I removed, uninstalled from Add/Remove Programs: MyWaySearch, Weather Channel Desktop, Weather Studio (2 versions), Windows of the World screensaver (which showed no window but instantly disappeared from the list), Starware, Screensavers Installer, CursorCafe, and finally I found TopFiveSearch in the list but was given the standard message that it wasn’t found, so I clicked to remove the entry from the list.

    I noticed WhenU under the Start menu>All Programs list, and Blubster somewhere on the C: Drive. I manually deleted both. Also there is some software by a vendor I’ve never heard of, “BVRP” (Classic Phonetools, and others).

    SSD found and said it fixed:
    AmericanMedicalOnline
    WildTangent
    C2.lop
    DCON
    Freeze
    Funweb
    FunwebProducts
    IE Plugin
    MyWay.MyBar
    MyWay.MySearch
    MyWay.MyWebSearch
    MyWebSearch
    NewDotNet
    WebRebates.TopRebates
    WhenU.SaveNow

    I saw some indication that WildTangent persisted, though. Next scanned with WinDefender. It said it removed Altnet.

    Next BitDefender online scan reported it removed:
    Trojan.Dialer.LG
    Backdoor.Genlot.A out of the Yahoo online protection quarantine

    Next I tried to run Panda online scan, but the screen resolution in safe mode meant I couldn’t see all the window contents. I rebooted into normal mode. Now keep in mind I had before switched the msconfig from selective startup to normal startup. But this now was the first time I had restarted into normal mode since doing that. When it booted up I noticed new things: one was an error generated by software by Elaborate Bytes possibly trying to “call home”. Also there was an alert by CA antivirus that the subscription was expired. This made me question if the program was turning itself off or if a virus had slipped past it and disabled the virus protection. I understand that lots of viruses slip past CA e-trust antivirus, so this wouldn’t surprise me.

    Now I ran the panda scanner – it detected but couldn’t clean anything.
    I ran SSD once more and it found WildTangent again, and said it fixed it again.
    NewFiles, RunKeys, and HijackThis! logs are attached to this post.

    P.S.: oh, this user has done banking online on this system. I imagine this person had better get a credit report.
     


    Last edited: Aug 6, 2006
  2. craigcomputer

    craigcomputer Private E-2

    more attachments

    Bitdefender, Panda activescan logs posted here.
     


  3. craigcomputer

    craigcomputer Private E-2

    bidi-bidi-Bump.

    Please help me! I did all the steps in the guide, and have seen replies to people who didn't perform these steps and have posted since me.
     
    Last edited by a moderator: Aug 6, 2006
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We cannot be here all the time and it is a weekend. Please be patient.

    One thing you must learn though is to post once and then wait for an answer. Each time you post another message you are hurting yourself. You send yourself to the bottom of our work queue each time you post. We work from oldest to newest order. When you bump your thread by adding unnecessary messages or to post intermediate incomplete information rather than waiting until your scans are complete, you lose your place and make it take even longer to get an answer. The moral: don't bump, and post only when you actually have all the necessary information. For example, if you are running 3 scans, don't post messages saying you are running them and don't post after each scan. When you complete all 3 scans, then post all logs and any other information.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First look in Add/Remove programs for the below and uninstall if found:
    clocksync
    ieplugin
    comet


    Start by downloading - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later.


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=wKX1ILEOi+Vh7AfA98Gm4Me69ZMbubcD3RW7BXlKjvf62dkU/xKkmynlALeNxSfJnRLpv/IdAfrrapS6dvpxCxuHlSJuz6rFiHLu6uFBJroOJ1qq6fJeDYAWbDA7+hRLoa5RnjVVA0JH1UJdaDkzmJ4FDgQZgcQcG8S0GBJDLvHcQVZunuJE2Y24qH7lNWCMBO/k26IIEpR20fcH2o7J37oioEKbYTSXsnE7VVcBzHQ=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.weatherstudio.com/dp/search?x=wKX1ILEOi+UdWpSlz2q9Dzn13Emww/YwX5bEaI0bVldvMFEtvt0B12Emb8jlI/MU735wZ4yvS4ZPqIhLMuEUtxFSUybInnVTXafBLtt0Oo523cdLd5CcRVyuW4ZGi4LYwE5YM+VYk28MctcXJ7am6Q==
    R3 - URLSearchHook: (no name) - - (no file)
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [OSS] C:\windows\system32\rlvknlg.exe -boot
    O4 - HKLM\..\Run: [BO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
    O4 - HKCU\..\Run: [ClockSync] "C:\Program Files\ClockSync\Sync.exe" /q
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm591YYUS
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/300fcaae9b1a22715f05/netzip/RdxIE2.cab
    O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb02a.cab
    O16 - DPF: {EF98AF7B-1F54-4079-91BC-3996DEABA45A} (Sinstaller Class) - http://www.cursorcafe.com/app_cc/bin/cursorcafe.cab
    O16 - DPF: {FFFF0017-0001-101A-A3C9-08002B2F49FB} - http://www.desktoplife.net/23d25380.exe
    O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - F:\CDS300\__CDS2.dll (file missing)

    After clicking Fix, exit HJT.

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.
    Now run Pocket Killbox by double-clicking on killbox.exe.
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\Program Files\Uninstall My Web Search.dll
    F:\CDS300\__CDS2.dll
    C:\windows\system32\rlvknlg.exe
    C:\WINDOWS\pornaccess.exe
    C:\WINDOWS\NDNuninstall6_90.exe
    c:\windows\system32\rk.bin
    c:\windows\downloaded program files\HDPlugin1101.dll
    c:\windows\inf\biini.inf
    c:\windows\ss3unstl.exe
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folders and delete if found:
    C:\Program Files\ClockSync
    c:\program files\MyWay
    C:\Program Files\My Web Search

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp\
    C:\Documents and Settings\Vince\Local Settings\TEMP


    Now attach a new HJT log and tell me how the steps went.

    Also download the latest version of ShowNew (changed since you last downloaded it) and attach a new log from ShowNew.

    Make sure you tell me how things are working now!
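    An added example, not from this thread and not part of HijackThis or Pocket Killbox: a small Python triage script that parses log lines in the HijackThis format shown above and flags the patterns the fix list targets (entries whose target is reported as "(no file)" or "(file missing)", O16 ActiveX downloads from a bare IP address or of an .exe, and R0/R1 search settings pointing away from microsoft.com). The sample lines are constructed from the post with the long query string abbreviated, and the flagging rules are assumed heuristics for a reviewer, not HijackThis rules.

```python
import re
from urllib.parse import urlparse

# Constructed sample lines modelled on the fix list above (long query string abbreviated).
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\SearchURL,(Default) = http://as.weatherstudio.com/dp/search?x=abc
R3 - URLSearchHook: (no name) - - (no file)
O4 - HKLM\\..\\Run: [OSS] C:\\windows\\system32\\rlvknlg.exe -boot
O4 - HKCU\\..\\Run: [ClockSync] "C:\\Program Files\\ClockSync\\Sync.exe" /q
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/300fcaae9b1a22715f05/netzip/RdxIE2.cab
O16 - DPF: {FFFF0017-0001-101A-A3C9-08002B2F49FB} - http://www.desktoplife.net/23d25380.exe
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - F:\\CDS300\\__CDS2.dll (file missing)
"""

LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")  # "O4 - HKLM\..\Run: ..."
URL_RE = re.compile(r"https?://\S+")
ORPHAN_MARKERS = ("(no file)", "(file missing)")  # HJT's own wording for missing targets
def parse_hjt(text):
    """Turn HijackThis log lines into dicts: section code, body, first URL, orphan flag."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, blank lines and other non-HJT text
        body = m.group("body")
        url = URL_RE.search(body)
        entries.append({"code": m.group("code"), "body": body,
                        "url": url.group(0) if url else None,
                        "orphan": any(mk in body for mk in ORPHAN_MARKERS)})
    return entries

def triage(entries):
    """Return (code, reasons) pairs for entries a reviewer should look at first."""
    findings = []
    for e in entries:
        u = urlparse(e["url"] or "")
        host, path = (u.hostname or "").lower(), u.path.lower()
        reasons = []
        if e["orphan"]:
            reasons.append("orphaned reference: target no longer on disk")
        if e["code"] == "O16" and re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append("ActiveX download from a bare IP address")
        if e["code"] == "O16" and path.endswith(".exe"):
            reasons.append("ActiveX entry fetching an .exe instead of a .cab")
        # Assumed heuristic: XP's stock search assistant lives on microsoft.com.
        if e["code"] in ("R0", "R1") and host and not host.endswith("microsoft.com"):
            reasons.append("search setting redirected to " + host)
        if reasons:
            findings.append((e["code"], reasons))
    return findings
```

Feed it a full log with `triage(parse_hjt(open("hijackthis.log").read()))`; anything it does not flag still needs a human eye, since the O4 lines in the fix list above are only recognisable by their file names.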
     
  6. craigcomputer

    craigcomputer Private E-2

    Heya, thanks.
    Ok, I'll start at the beginning of what you suggested:

    There were none of those listings in add/remove programs.
    All the steps of HijackThis!, merging registry entries, and Pocket Killbox went great.

    None of the clocksync or myway folders existed, and nothing was in the windows\temp folder older than today's files.

    In C:\Documents...\TEMP folder I ran into a problem deleting the one older file, IadHide. I checked the file properties and the author is Backweb.

    Next when running ShowNew I received a series of errors. "C:\...Symantec\s32evnt1.dll - installable Virtual Device Driver failed Dll initialization. Close or Ignore?" I selected close repeatedly then finally got the logfile. Attached are HJT and shownew logfiles.

    I'll try booting into safe mode to delete the IadHide.
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks a lot better. How is everything running?

    Just have HijackThis fix the below line:

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    Do you know what the below is for?
    O4 - HKLM\..\Run: [*acplay] C:\WINDOWS\repair\acplay.exe

    Get properties info on the acplay.exe file.
     
  8. craigcomputer

    craigcomputer Private E-2

    Since last post:
    I removed that Extra button with no file associated using HJT!, like you asked.

    -Ran Xcleaner, cleaned DCON, Aurora, IEPlugin, Starware Toolbar, Superlogy, WhenU-Ucontrol.
    -Deleted Iadhide from Kodak folders.
    -Ran SUPERAntispyware, deleted removed IEPlugin, found a listing pointing to the !KillBox\rk.bin file and identifying it as "Relevant Knowledge". I ignored that second listing since it seemed to be a file intentionally created by ProcessKillbox when I copied and pasted files to delete.

    Also that file, "acplay.exe" was no longer around (probably deleted a long time ago), so I could not get the properties info you asked for. So I had XCleaner remove that entry from startup items.

    Next I installed Kaspersky Internet Security suite (replacing the incomplete and broken installation of Yahoo Online Protection previously on the PC).
    I connected and got internet sig updates. I ran a full scan, it found and deleted:
    adware.ImiBar.E (pointed to windows\snbho.exe)
    Gator.1101 (pointed to Hbplugin1101.dll)

    It also picked up the rk.bin file as adware, "Win32.RK.c"

    Attached is current HJT! log.
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay so how is everything running?

    You really do not want to have both Windows Defender and SuperAntiSpyware installed at the same time. If you do not plan on buying SuperAntiSpyware to get full capability then you should uninstall it and keep Windows Defender. If you are going to buy it, then uninstall Windows Defender (but only if you buy it. The free version is not a full feature application.).

    Now run Pocket Killbox and from the File menu select Cleanup and Delete all Backups.

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
    Last edited: Aug 9, 2006
  10. craigcomputer

    craigcomputer Private E-2

    Things are running fine, really.
    But SSD keeps finding WildTangent.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Attach a log from Spybot! It probably is just finding a miscellaneous registry key!
     
  12. craigcomputer

    craigcomputer Private E-2

    The PC is no longer in my possession, back in the hands of its owner, but thank you!
     
