Issues with adware, spyware, trojans and virii - logs attached...

Discussion in 'Malware Help (A Specialist Will Reply)' started by BigShot, Oct 2, 2006.

  1. BigShot

    BigShot Private First Class

    I've spent the past two evenings uninstalling software and scanning my cousin's computer after she called me to say she thought she had "a virus" - after a link popped up in an MSN Messenger window, clicking on it installed a virus which has since infected several of her friends' computers. It turns out that "a virus" was understating the matter just a bit.

    Scanning with McAfee and various other scanners turned up a LOT of infections, some of which were cleared up; others seem to have remained.

    A few things worth mentioning.
    In the cleanup I removed Limewire, MSN+ and its sponsor program, Google bar, Yahoo bar - there was an MSN+ plugin that I removed, but unfortunately I didn't think to note down the name of it until just after I took it off.

    Currently the machine has the 90-day trial of McAfee AntiVirus on it (no other elements of McAfee Security Centre installed), with Windows Firewall taking care of that side of things.
    When this is all cleared up my intention is to remove McAfee and install the 2006 edition of Norton Internet Security as they have bought this and it is sitting on disk waiting for me to install it.

    The computer is an "emachines E4026"

    After following the instructions on this site, on top of all the cleaning I've already done, I'm still getting popups regularly. Upon logging into a user account, a small window (looks like a dialogue box) pops up in the middle of the screen but is gone before it loads fully.
    There is also sometimes a process running with an icon next to it (in Task Manager) that resembles the icon used for Visual Basic project files (or at least it did when I was at college about 7 years ago). The process is called Project1.

    I've followed all the instructions on this page: http://forums.majorgeeks.com/showthread.php?t=35407. I installed all the suggested software, ran the scans in the order specified and read all the related pages to ensure it was done correctly.

    I'm attaching log files produced by HijackThis, BitDefender, Panda ActiveScan, GetRunKey and ShowNew.

    I have just run AIDA32 to get the system spec...
    Operating System - Microsoft Windows XP Home Edition SP2
    Internet Explorer - 6.0.2900.2180
    CPU Type - Unknown 2933 MHz (5.5 x 533) - System spec reports Pentium 4 2.93GHz
    Motherboard Type - Intel Corporation D915GAG
    Motherboard Chipset - Intel Grantsdale-G i915G/GL/GV
    System Memory - 245MB
    BIOS Type - Insyde (07/07/05)
    Video Adapter - Intel 82915G/GV910GL Express Chipset Family (128MB)
    3D Accelerator - Intel Extreme Graphics 3
    Audio Adapter - Realtek HD Audio output
    Audio Adapter - USB Audio

    I've posted all I can think could be relevant - if anything else is needed just let me know.


    Hopefully someone will be able to help me get the machine cleaned up and working again - I sure hope so anyway.
     
  2. BigShot

    BigShot Private First Class

    OOPS!
    I was just heading out the door to go home and realised I'd forgotten to attach the log files.

    While I make this post I should also add that something is changing the Internet Explorer homepage to http://www.findthewebsiteyouneed.com/

    Thanks again.
     


  3. BigShot

    BigShot Private First Class

    And as I posted the previous post, McAfee alerted me to another PUP. I've removed it several times already.
    C:\deskbar.exe

    More logs attached.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First install the current version of Sun Java from: Sun Java Runtime Environment

    Then uninstall the below old versions of Sun Java:
    J2SE Runtime Environment 5.0 Update 2

    Also while in Add/Remove Program, uninstall the below rogue tool:
    SpywareRemover 3.6.0.3


    Continue by downloading two tools we will need - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later.

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\dfndrff_e20.exe <--- if you see other similarly named processes to this, kill them too.

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
    O2 - BHO: (no name) - {72F9BCE2-6617-DD6D-7933-D52193107560} - C:\DOCUME~1\Heather\APPLIC~1\MOVEST~1\style find.exe (file missing)
    O4 - HKLM\..\Run: [Aimdeleteactivegram] C:\Documents and Settings\All Users\Application Data\base ford aim delete\OneLess.exe
    O4 - HKLM\..\Run: [explorer] C:\Documents and Settings\Heather\Yinstall.exe
    O4 - HKLM\..\Run: [defender] C:\\dfndrff_e20.exe
    O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e20.exe
    O4 - HKCU\..\Run: [Debug Road] C:\DOCUME~1\Heather\APPLIC~1\SUPPOR~1\WinIsoTest.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -
    O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\All Users\Application Data\base ford aim delete\OneLess.exe
    C:\Documents and Settings\Heather\Application Data\SUPPOR~1\WinIsoTest.exe
    C:\Documents and Settings\Heather\Yinstall.exe
    C:\WINDOWS\Downloaded Program Files\speedtest2.dll
    C:\deskbar.exe
    C:\deskbar_e18.exe
    C:\deskbar_e19.exe
    C:\deskbar_e20.exe
    C:\dfndrff_e18.exe
    C:\dfndrff_e19.exe
    C:\dfndrff_e20.exe
    c:\windows\keyboard1.dat
    C:\kybrdff_e18.exe
    C:\kybrdff_e19.exe
    C:\kybrdff_e20.exe
    C:\nwnmff_e18.exe
    C:\WINDOWS\bwUnin-6.1.4.68-8876480L.exe
    C:\WINDOWS\RDFX4.exe
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folder and delete it if found:
    C:\Program Files\Deskbar

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Heather\Local Settings\Temp

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.
     
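The fix above is a hand-written triage of a HijackThis log: IE start/search pages pointing at the hijacker's domain (R0/R1), an orphaned BHO with no name and a missing file (O2), Run entries for executables dropped in the root of C:\ or under the user profile with an incrementing `_eNN` suffix (O4), and an ActiveX download from an unfamiliar host (O16). The script below is an added example, not part of the thread or of HijackThis, that applies those same rules mechanically to log lines in HJT's format. The sample log is constructed from lines quoted in the thread plus one benign `ctfmon.exe` Run entry that the rules must leave alone; the trusted-host list and the "drive root" and "user profile" heuristics are assumptions for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample: HijackThis lines in the format quoted in the thread, plus
# one benign Windows XP Run entry (ctfmon.exe) that triage must NOT flag.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
O2 - BHO: (no name) - {72F9BCE2-6617-DD6D-7933-D52193107560} - C:\DOCUME~1\Heather\APPLIC~1\MOVEST~1\style find.exe (file missing)
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e20.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e20.exe
O4 - HKLM\..\Run: [explorer] C:\Documents and Settings\Heather\Yinstall.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
"""

# Assumption: hosts allowed to own IE's start/search pages or serve ActiveX.
TRUSTED_HOST_SUFFIXES = ("microsoft.com", "msn.com", "windowsupdate.com")

# Names the thread shows being re-dropped with an incrementing _eNN suffix
# (deskbar_e18..e21, dfndrff_e18..e24, kybrdff_e18..e24, nwnmff_e18).
DROPPER_NAME = re.compile(r"(?i)^(deskbar|dfndrff|kybrdff|nwnmff)_e\d+\.exe$")

# "<type> - <body>", e.g. "O4 - HKLM\..\Run: [name] command".
HJT_LINE = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.*)$")
O4_BODY = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class Finding:
    line_type: str
    reason: str
    line: str


def host_is_trusted(url: str) -> bool:
    """about:blank is fine; otherwise the host must match the allowlist."""
    if url.lower().startswith("about:"):
        return True
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_HOST_SUFFIXES)


def normalize_path(cmd: str) -> str:
    """Take the quoted executable if present; collapse the doubled 'C:\\\\' HJT prints."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        cmd = cmd[1:].split('"', 1)[0]
    return re.sub(r"\\{2,}", r"\\", cmd)


def is_dropper_name(path: str) -> bool:
    return bool(DROPPER_NAME.match(normalize_path(path).rsplit("\\", 1)[-1]))


def suspicious_run_path(cmd: str) -> Optional[str]:
    """Reason an O4 autorun command looks hostile, or None if it looks normal."""
    p = normalize_path(cmd)
    if is_dropper_name(p):
        return "autorun of a known re-dropped *_eNN.exe name"
    if re.match(r"(?i)^[a-z]:\\[^\\]+$", p):
        return "autorun executable sitting in the drive root"
    if re.match(r"(?i)^[a-z]:\\(documents and settings|docume~1)\\", p):
        return "autorun executable under a user profile"
    return None


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        t, body = m.group("type"), m.group("body")
        if t in ("R0", "R1"):
            km = re.match(r"^(?P<key>.*?) =\s*(?P<value>.*)$", body)
            if not km:
                continue
            value = km.group("value").strip()
            if not value:
                findings.append(Finding(t, "blank IE search setting (fixing resets the default)", line))
            elif not host_is_trusted(value):
                findings.append(Finding(t, f"IE start/search page points at untrusted host {urlparse(value).hostname}", line))
        elif t == "O2":
            if "(no name)" in body or "(file missing)" in body:
                findings.append(Finding(t, "BHO with no name or missing file (orphaned hijack hook)", line))
        elif t == "O4":
            om = O4_BODY.match(body)
            if om and (why := suspicious_run_path(om.group("cmd"))):
                findings.append(Finding(t, why, line))
        elif t == "O16":
            um = re.search(r"https?://\S+", body)
            if um and not host_is_trusted(um.group(0)):
                findings.append(Finding(t, f"ActiveX download from untrusted host {urlparse(um.group(0)).hostname}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f.line_type}: {f.reason}\n    {f.line}")
```

On the sample log this flags eight entries and leaves the `ctfmon.exe` line alone. The `_eNN` rule is the useful one for a follow-up: the expert's second reply lists `deskbar_e21`, `dfndrff_e22` to `e24` and `kybrdff_e22` to `e24`, i.e. the same names with higher counters, which is the sign that a dropper is still alive and regenerating its payloads rather than that the earlier deletion failed.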
  5. BigShot

    BigShot Private First Class

    All done.
    Everything went smoothly from your instructions.

    IE now has about:blank as the homepage.
    I've yet to see any popups since the reboot.

    A few points about the process...
    I couldn't find the following lines in the HijackThis Misc Tools section.
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

    There were other listings that were a little different but took up the same positions in the list. The computer has been used online since my last posting so I assume they were changed in that time.


    After the Delete on Reboot process I couldn't find C:\Program Files\Deskbar

    In the temp folders there were no files from any days other than today.

    I think that's about all that's worth mentioning.

    Logs attached.
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Use Windows Explorer to locate the below files and delete them:

    C:\deskbar_e21.exe
    C:\dfndrff_e23.exe
    C:\dfndrff_e24.exe
    C:\dfndrff_e22.exe
    C:\kybrdff_e23.exe
    C:\kybrdff_e24.exe
    C:\kybrdff_e22.exe

    Then attach a new log from ShowNew.

    How is everything working?
     
