Leftover Adware/Malware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by evilgiggleofdoom, Feb 4, 2007.

  1. evilgiggleofdoom

    evilgiggleofdoom Private E-2

    I used the read me first post personally to clean my laptop about 2 months ago, and it worked fine and I'm exceedingly happy. Now I'm trying to do the same for a friend's computer (my friend is very computer illiterate), who has amassed about 2 years' worth of temp files and so many viruses, etc. I'm sure most of it was taken care of by the readme first post, but there are still some popup problems and system resources taken up, so Windows runs abominably slow. Here are the logs, and thanks for the help.
     

    Attached Files:

  2. evilgiggleofdoom

    evilgiggleofdoom Private E-2

    Here's the rest of the logs. Also, I forgot to mention I could not get the Panda scan to work on this laptop past the "select area to scan" page; Internet Explorer 7 says there's an error on the page and will not let me click on local drives, my computer, or anything.
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sophos Anti-Rootkit will scan your computer for files that have been hidden using rootkit technology.

    Many of the newer malware infections use this technology to hide themselves and to make them more difficult to remove.

    Installation
    Download Sophos Anti-Rootkit 1.1 and save to a location you will be able to find such as your desktop

    Run sarsfx.exe by double clicking on it.

    Click Accept to agree to the EULA

    Click Install (if you wish to change the default installation location do so here but remember where you install to, the default is C:\SOPHTEMP)

    Once it finishes copying files, exit the installer
    Running the scan
    Navigate to the location that you installed the software to (Default: C:\SOPHTEMP)

    Run sargui.exe by double clicking on it.

    Ensure that all three of the options are checked

    Click Start Scan

    Once the scan is complete, close Sophos Anti-Rootkit by closing the scan window and clicking Exit in the main window

    DO NOT CLICK 'CLEAN UP CHECKED ITEMS' OR ATTEMPT TO HAVE SOPHOS ANTI-ROOTKIT FIX ANYTHING UNLESS SPECIFICALLY INSTRUCTED TO IN THE THREAD YOU ARE WORKING ON
    Finding the logs
    Click on Start --> Run

    Type in %TEMP%\sarscan.log and press enter

    The log file will open in the default editor (probably Notepad)

    Click File --> Save As and save the file to your desktop or other location for easy retrieval.

    Attach the log on your next post.
     
  4. evilgiggleofdoom

    evilgiggleofdoom Private E-2

    When I ran the scan I got errors about privileges, so I tried to run the scan in safe mode under the administrator user, but apparently this program won't work in safe mode. Here's the log.
     

    Attached Files:

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's try this:
    Virtumonde aka Trojan Vundo Removal

    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the
    Scan for Vundo button." when VundoFix appears at reboot.

    Attach new logs for:
    GetRun
    ShowNew
    HJT
     
  6. evilgiggleofdoom

    evilgiggleofdoom Private E-2

    VundoFix didn't find any infected files.
     

    Attached Files:

  7. evilgiggleofdoom

    evilgiggleofdoom Private E-2

    And here's the new HJT log.
     

    Attached Files:

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please print these instructions or save to your desktop.

    Continue by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Go to Add/Remove Programs and uninstall the below.
    Viewpoint Manager (Remove Only)
    Viewpoint Media Player

    If they are not found or will not uninstall, make sure to tell me!


    Now Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\gngyo.exe
    F2 - REG:system.ini:UserInit=C:\WINDOWS\system32\userinit.exe,qjndydg.exe,ddjfihw.exe
    O4 - HKLM\..\Run: [w00a1ed2.dll] RUNDLL32.EXE w00a1ed2.dll,I2 0001a4ba000a1ed2
    O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513 G
    O4 - HKLM\..\Run: [Oecfdb] C:\Program Files\Rtai\Iwwpnc.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [kqpyvioA] C:\WINDOWS\kqpyvioA.exe
    O4 - HKLM\..\Run: [bppoxa] C:\WINDOWS\system32\bxlwxc.exe reg_run
    O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\wqpns.dll


    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:

    * Delete on Reboot
    * then Click on the All Files button.
    * Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    * Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    * Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
     
    Last edited by a moderator: Feb 5, 2007
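A defender-side way to triage the kinds of HijackThis entries listed in the fix list above, as an added Python example that is not from the original thread and not part of HijackThis itself: it parses the F2 Winlogon Shell= and UserInit= values and flags anything appended beyond the stock Windows XP defaults, applies a simple heuristic to O4 Run entries (bare file names resolved by search path, or programs launched from the Windows directory tree), and lists every O20 Winlogon Notify DLL for review, since those load inside winlogon.exe at every logon. The sample log is constructed from the lines quoted in the post plus the QuickTime entry as a benign control; the expected defaults, the heuristic and all function names are my assumptions, not anything the thread defines.

```python
import ntpath
import re

# Constructed sample input: the F2/O4/O20 lines quoted in the fix list above,
# with the QuickTime entry kept as a benign control so the triage passes something too.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\gngyo.exe
F2 - REG:system.ini:UserInit=C:\WINDOWS\system32\userinit.exe,qjndydg.exe,ddjfihw.exe
O4 - HKLM\..\Run: [w00a1ed2.dll] RUNDLL32.EXE w00a1ed2.dll,I2 0001a4ba000a1ed2
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [kqpyvioA] C:\WINDOWS\kqpyvioA.exe
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\wqpns.dll
"""

# Assumed stock Windows XP values for the two Winlogon entries HijackThis reports as F2.
# Anything after the comma is an extra program Winlogon launches at every logon.
EXPECTED_WINLOGON = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe"},
}

F2_RE = re.compile(r"^F2 - REG:system\.ini:\s*(?P<key>Shell|UserInit)=(?P<value>.*)$", re.I)
O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.*)$")


def winlogon_extras(key, value):
    """Return the programs listed in Shell=/UserInit= beyond the stock value."""
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in parts if p.lower() not in EXPECTED_WINLOGON[key.lower()]]


def _first_token(cmd):
    """Split a Run command into its program (quoted or not) and the remaining arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    head, _, rest = cmd.partition(" ")
    return head, rest


def _suspicious_path(path):
    """Heuristic (my assumption): bare names resolved by search path, and programs run
    from the Windows directory tree, are unusual for third-party startup entries."""
    directory = ntpath.dirname(path)
    if not directory:
        return "no directory (resolved by search path)"
    if directory.lower().startswith(r"c:\windows"):
        return "launched from the Windows directory"
    return None


def run_entry_finding(name, cmd):
    """Return a reason string if an O4 Run entry deserves review, else None."""
    exe, rest = _first_token(cmd)
    if ntpath.basename(exe).lower() == "rundll32.exe":
        dll = rest.split(",", 1)[0].strip()   # rundll32 <dll>,<entrypoint> <args>
        reason = _suspicious_path(dll)
        return f"rundll32 loads {dll}: {reason}" if reason else None
    reason = _suspicious_path(exe)
    return f"{exe}: {reason}" if reason else None


def triage(log_text):
    """Walk an HJT log and collect (section, detail) pairs a defender would review first."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := F2_RE.match(line):
            for extra in winlogon_extras(m["key"], m["value"]):
                findings.append(("F2", f"{m['key']} also launches {extra}"))
        elif m := O4_RE.match(line):
            reason = run_entry_finding(m["name"], m["cmd"])
            if reason:
                findings.append(("O4", f"[{m['name']}] {reason}"))
        elif m := O20_RE.match(line):
            # Every Winlogon Notify DLL runs inside winlogon.exe, so list them all for review.
            findings.append(("O20", f"{m['name']} -> {m['dll']}"))
    return findings


if __name__ == "__main__":
    for section, detail in triage(SAMPLE_HJT_LOG):
        print(f"{section:4} {detail}")
```

On the sample the Shell= entry yields one extra (gngyo.exe), UserInit= yields two, the rundll32 and C:\WINDOWS Run entries are flagged while the QuickTime entry passes, and the single O20 DLL is listed; this is the same set of lines the post tells the user to fix, arrived at from the registry semantics rather than from file-name recognition.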
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now do the next post.
     
    Last edited by a moderator: Feb 5, 2007
  10. evilgiggleofdoom

    evilgiggleofdoom Private E-2

    Everything went according to plan; removed both Viewpoint entries in the add/remove list. Managed to fix the entries in HJT before a popup opened my browser again, but the last line O20 - Winlogon Notify: ShellScrap was not in the list to be removed. Killbox deleted 12 files, the computer rebooted, and I made the logs and added to the registry. Now Symantec is bringing to my attention about 400 infections of Adware.Look2Me and Adware.Qoolaid; most are quarantined but some require terminations or have status pending. Here are the newest logs.
     

    Attached Files:

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Now
    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Attach this log to your next reply
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run this Virtumonde aka Trojan Vundo Removal

    Now attach the below logs and tell me how the above steps went.
    1. Combofix log
    2. VundoFix log
    3. new GetRunKey log
    4. new ShowNew log
    5. new HJT
     
  12. evilgiggleofdoom

    evilgiggleofdoom Private E-2

    ComboFix removed Look2Me and Qoo (no more popups so far!) and VundoFix didn't find anything. I think my problems are pretty much gone :)
     

    Attached Files:

  13. evilgiggleofdoom

    evilgiggleofdoom Private E-2

    By the way, thanks a lot for the time and help, I really didn't expect anyone to get back to me this quick. You guys rock :cool
     

    Attached Files:

    Last edited: Feb 5, 2007
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If you are not having any other malware problems, it is time to do our final steps:

    1. If we used Pocket Killbox during your cleanup, do the below
    * Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    8. If you are running Windows XP or Windows ME, do the below:
    * go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
    * How to Protect yourself from malware!
     
  15. evilgiggleofdoom

    evilgiggleofdoom Private E-2

    Thanks bunches!
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    A couple things remain to be fixed! You may have missed the editing change to the registry patch.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Also uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 2

    Also uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders left behind by the uninstall:
    C:\Documents and Settings\Morgan\Local Settings\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software

    Also if the below is still in your HJT log, fix it! This is from the old Sun Java version!
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe


    Attach a new log from GetRunKey so we can be sure that malware item is gone.
     
  17. evilgiggleofdoom

    evilgiggleofdoom Private E-2

    Ok, done and done. Registry edited, removed the remaining Microsoft Java already from the protect against malware thread (and installed new Java). CounterSpy is gone, and that HJT log entry wasn't there to be fixed; I assume it was removed with the Microsoft Java uninstaller I used from the thread. Also removed the J2SE Runtime Environment through add/remove. Here's the newest GetRunKey log.
     

    Attached Files:

    Last edited: Feb 6, 2007
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure what you did or where you have been surfing, but I see you immediately started using MSconfig again to disable startups. This is bad practice since it is not what MSconfig was designed for. If you don't need software, then uninstall it. If you never need it to load at startup, then change the configuration of the program not to load at startup. If it does not give you that option and you don't ever need it, then permanently remove it from the startup list with HJT. If you need it to load sometimes but not all the time, first check the program's options and then, if necessary, use a real startup manager program like Startup CPL.
    Why did you stop your antivirus program from loading at startup?????

    But don't do any of the above yet. See below because you have Malware again.

    But the bigger problem is that your log shows that you have infections again. Also you have changed your ability to see hidden files back to more like defaults. You need to do the below:
    1. Disable MSconfig as requested in the READ ME (i.e., select Normal Startup)
    2. Redo step 2 of the READ ME. Make sure you do all steps exactly this time, since last time TimW had to give you a registry patch to correct the fact that you did not do step 2.
    3. Attach new logs from
      • GetRunKey
      • ShowNew
      • HijackThis
    I have to wonder if this log is even from the same PC because things look so different????
     
  19. evilgiggleofdoom

    evilgiggleofdoom Private E-2

    It's the same system, and I turned hidden files back off because I had thought I was finished (he said I could go ahead and remove GetRun and ShowNew, etc.), so I was putting things back the way they were. I did the steps; I made hidden files viewable per step 2. I don't have Symantec turned off; vptray is Symantec's executable and is set to start with the computer. Most of the entries in the startup menu in msconfig don't look familiar or can't be removed from startup through any settings that I can find in each program, and I don't want to remove anything that my friend may still use, but without msconfig all those startup entries kill the memory (only has 256MB at the moment) every time the laptop comes on. But during the steps in the readme I did have the laptop set to normal with nothing changed in msconfig. But I'll redo everything and post the logs tomorrow.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not true. You have the actual antivirus program disabled. vptray is an unnecessary startup just to make Symantec appear in the tray for easy access.

    You have the below in MSconfig
    ccapp.exe is a process belonging to Norton AntiVirus. It is responsible for the auto-protect and email checking facilities, both of which will not function correctly if this service is stopped.


    And yes you were previously clean but not anymore. At least not completely. It should not be necessary to stop all those items from loading to begin with. First you should just uninstall unnecessary software. Then you should configure the programs that you don't need to load but still need the software on the PC, not to load at startup. Anything you don't need to load at all should be permanently removed. MSconfig should not be used like this. It is a temporary debugging tool only.
     
