One question about removal of suspect items

Discussion in 'Malware Help (A Specialist Will Reply)' started by paramonks, Jan 4, 2009.

  1. paramonks

    paramonks Corporal

    Hello Folks

    I am wondering about the answer to this one question :-o. Malware removal is an extensive, exhaustive, necessary process which includes ComboFix. What is the correct process for the removal of Adware entries found within the Registry?

    paramonks
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I don't really understand your question. Are you asking, when found, what is the best way to remove them?

    Can you elaborate a little?
     
  3. paramonks

    paramonks Corporal

    Hello bjgarrick,

    Thank you for your reply. I shall try to explain. SAS (SUPERAntiSpyware Professional) seemed to be having trouble eliminating an "alleged Adware suspect item" it found within the registry. As Combofix seems directed at fixing "Malware" I wondered if sorting out this "Adware" issue would be at all different.

    Ultimately my question has become defunct as this so called questionable item within the registry is a False Positive from SAS. So my query probably should have gone into the Software Forum and not troubled you in Malware at all.

    Webshots have a new version of their software; within their package is a service called python. SAS does not like several of the items associated with python/webshots. I had upgraded webshots but have since reverted to a previous version. The uninstall left remnants that SAS did/does not like - hence my question.

    SAS updated their definitions etc. yesterday and today our time. I have not run a further scan today, but did yesterday and although it still identified this registry item as a threat, when it came time to quarantine items found there were no additional measures I had to complete to satisfy the program so that it could complete its task.

    I hope what I have written makes some sense and that this information is of some use to you and your fellow malware fighters. I am sorry if you have wasted valuable time contemplating my query as it could have been spent on a more pressing issue.

    Thank you for your assistance

    paramonks
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    What was the detection from SAS? Did it give a name? If it had trouble removing it then it's more than likely a legit infection, could be the new variant of Trojan Vundo which is pretty persistent.

    I would recommend running the steps below and attaching the requested logs so we can confirm you're clean.

     
  5. paramonks

    paramonks Corporal

    Hello bjgarrick

    Yes, SAS did. I have attached the log file from that day - it called the item Adware.Vundo Variant.

    Thank you, I have run the steps listed, and attach all the logs requested in this and the next posting. I did not have any problems running any of the scans. I did not need to use Safe mode at all. I have not had any issues with connection to the internet since SAS initially found this registry item on 3rd Jan.

    I only have one remaining issue with Lavasoft firewall. It is still disabled. Restarting the program gives me a message saying I have switched to another user account using the Microsoft Fast User Switching feature (or MTS). I cannot manage the firewall in this session because it is already running in another, and I have to switch back to the initial session it was disabled in to change the Firewall settings.

    paramonks
     
  6. paramonks

    paramonks Corporal

    Remaining 2 logs as requested. Thank you

    paramonks
     
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Step 1:
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    Again, make sure ALL browser windows are closed when you click FIX.

    Step 2:
    Default Security Settings

    To Default Security Settings:
    For Internet Explorer 6 users:
    Click Start > Run > type inetcpl.cpl and press ENTER, when Internet Properties comes up navigate to the Security Tab and click Default Level for the following:
    • Internet
    • Local Intranet
    • Trusted Sites
    • Restricted Sites.
    Click OK to exit.

    For Internet Explorer 7 users:
    Click Start > Run > type inetcpl.cpl and press ENTER, when Internet Properties comes up, navigate to the Security Tab and simply click the "Reset all zones to default level" button. Click OK to exit.

    NOTE: If it's "grey" then it's already at the default level.

    Step 3:
    Please download ATF-Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF-Cleaner menu to close the program.

    Step 4:

    Once you have completed the above, download updates for SAS & MBAM and run two more full scans. Once complete, attach the new logs along with a new set of logs from MGTools.exe
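
    As an added check (not from this thread, from MajorGeeks, or from Microsoft), the PowerShell script below reads the per-user Internet Explorer zone settings that the Step 2 "Default Level" / "Reset all zones to default level" buttons change, and reports whether each zone's current template level matches its recommended level, which is what the greyed-out button indicates. It assumes PowerShell 3 or later is installed; the registry key, the zone numbers and the CurrentLevel/RecommendedLevel value names are the documented Internet Settings\Zones layout, and the level-name table is an assumption covering the standard IE templates.

```powershell
# Added example: report whether each IE security zone is at its recommended
# ("default") template level for the current user. Not code from the thread.
$zonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Zone numbers as documented under Internet Settings\Zones (0 = My Computer is skipped,
# since the thread's Step 2 only covers the four zones below).
$zoneNames = @{ 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

# Standard template level values (assumption: the usual IE template set).
$levelNames = @{
    0x10000 = 'Low'
    0x10500 = 'Medium-low'
    0x11000 = 'Medium'
    0x11500 = 'Medium-high'
    0x12000 = 'High'
}

function Get-LevelName([int]$Level) {
    # Unknown values are shown raw so a customised level is still visible.
    if ($levelNames.ContainsKey($Level)) { $levelNames[$Level] } else { '0x{0:X}' -f $Level }
}

function Get-IeZoneStatus {
    foreach ($zone in 1..4) {
        $key = Join-Path -Path $zonesKey -ChildPath $zone
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        $current = [int]$props.CurrentLevel
        $recommended = [int]$props.RecommendedLevel
        [pscustomobject]@{
            Zone        = $zoneNames[$zone]
            Current     = Get-LevelName $current
            Recommended = Get-LevelName $recommended
            AtDefault   = ($current -eq $recommended)
        }
    }
}

Get-IeZoneStatus | Format-Table -AutoSize
```

    AtDefault compares only the zone's template level, so a zone that was customised setting-by-setting after a template was chosen will not be flagged; use the buttons in Step 2 for the reset itself and rerun the script afterwards to confirm every zone reports True.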
     
  8. paramonks

    paramonks Corporal

    Hello bjgarrick

    Thank you for your follow up instructions they are most welcome.

    1. Ran MGTools\analyse.exe. Fixed all the registry items you listed.

    2. Default Security Setting - already "greyed" - no changes made

    3. ATF-Cleaner - ran without incident. Did not save nor move any cookies. Am not a habitual cookie keeper.

    4. SAS - ran without incident - log attached. MBAM - ran without incident - log attached. MGTools.exe - ran without incident - log attached.

    The only remaining issue is - I still do not have any control over my firewall, as per my previous message. Status is unchanged. It was disabled to run ComboFix.

    regards - paramonks
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your logs are clean! About the firewall, have you tried to uninstall/reinstall?
     
  10. paramonks

    paramonks Corporal

    Hello bjgarrick

    Thank you for the information. No, I have refrained from uninstalling or installing any/all programs in case this interfered with the process that one must follow to determine if there are infections that require removal.

    I shall now try to uninstall the firewall. I have been seriously contemplating changing programs as there are much better options available now.

    I presume that this means if I still have issues with the firewall I should make any further postings in Software as my system is not infected.

    Regards

    paramonks
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I would suggest Comodo Firewall, it's free and does a great job. This is the one I use and recommend.

    Comodo Internet Security
     
  12. paramonks

    paramonks Corporal


    Hello bjgarrick

    Thank you for the recommendation. I see that it rates highly during testing.

    I am still unable to access my firewall and the uninstall portion of the program. So I will have to seek further advice from the Software Forum.

    I thank you for all your efforts and advice. They are most appreciated.

    Regards - paramonks
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Your Uninstaller! 2008, save to your desktop and install.

    You should be able to remove the old firewall this way. Once it's removed reboot and install the new one.

    If you have any problems doing so, just let me know.
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Also, if you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware & Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note: the quotes are required.
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. If we had you run Avenger, you can delete all files related to Avenger now.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis.
    8. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    9. If you are running Windows Vista, Windows XP or Windows ME, you need to follow the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  15. paramonks

    paramonks Corporal


    Hello bjgarrick

    Thank you for this information. I booted in Safe Mode and uninstalled the software. I shall keep your suggestion to hand for future reference. I have installed Comodo Firewall and we are just getting to know one another.

    I have completed the final steps listed in your last posting. But I am unsure that the uninstall for combofix worked correctly. I still have a file called Qoobox on my system; IIRC it was something used by combofix?

    Regards

    paramonks
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes! It is related to ComboFix. Download a fresh copy of ComboFix, save it to your desktop. Once saved on the desktop, click start and then click run, type in the following and press enter. Be sure you copy/paste it exactly as it is. Doing this should uninstall and delete all related files/folders.

    "%userprofile%\Desktop\combofix" /u
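
    As an added check (not from this thread, from MajorGeeks, or from the ComboFix/MGtools authors), the PowerShell script below runs after the ComboFix /u uninstall and the final clean-up steps in post 14 and reports which of the paths named in the thread (the Desktop copy of ComboFix, C:\combofix, C:\Qoobox, C:\MGtools, C:\MGtools.exe, C:\MGlogs.zip) still exist, plus whether the Explorer hidden-file settings that /u is said to reset are back at the Windows defaults. It assumes PowerShell 3 or later; the Explorer\Advanced value names Hidden and ShowSuperHidden are the documented ones, and the default values used (2 and 0) are an assumption about a stock Windows configuration.

```powershell
# Added example: verify that the ComboFix /u uninstall and the final steps left nothing
# behind. Not code from the thread; paths are the ones the thread names.
$artefacts = @(
    "$env:USERPROFILE\Desktop\ComboFix.exe",  # fresh copy saved to the Desktop for /u
    'C:\combofix',                            # folder named in the final steps
    'C:\Qoobox',                              # folder the thread says belongs to ComboFix
    'C:\MGtools',
    'C:\MGtools.exe',
    'C:\MGlogs.zip'
)

function Get-LeftoverArtefacts {
    param([string[]]$Paths = $artefacts)
    foreach ($p in $Paths) {
        [pscustomobject]@{ Path = $p; Exists = (Test-Path -LiteralPath $p) }
    }
}

# Explorer "Hidden files and folders" settings. Assumed Windows defaults: Hidden = 2
# (do not show hidden files), ShowSuperHidden = 0 (hide protected OS files).
function Get-HiddenFileSettings {
    $advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $props = Get-ItemProperty -Path $advanced
    [pscustomobject]@{
        Hidden          = $props.Hidden
        ShowSuperHidden = $props.ShowSuperHidden
        AtDefault       = ($props.Hidden -eq 2 -and $props.ShowSuperHidden -eq 0)
    }
}

$leftovers = Get-LeftoverArtefacts | Where-Object { $_.Exists }
if ($leftovers) {
    Write-Host 'Still present after uninstall:'
    $leftovers | ForEach-Object { Write-Host "  $($_.Path)" }
    Write-Host 'Re-run, with ComboFix.exe saved on the Desktop:  "%userprofile%\Desktop\combofix" /u'
} else {
    Write-Host 'No ComboFix/MGtools artefacts remain.'
}

Get-HiddenFileSettings | Format-List
```

    If the report lists C:\Qoobox while everything else is gone, that is the situation described in post 15: the /u switch was typed incorrectly or run without a copy of ComboFix on the Desktop, and repeating the command from this post clears it.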
     
  17. paramonks

    paramonks Corporal

    Hello bjgarrick

    Thank you for the information, that certainly took care of it this time. I must not have typed the instructions in properly the first time.

    Huge Kudos to you and your fellow malware fighters, I see that all of you have your hands full at present fighting off nasties.

    paramonks
     
    Last edited: Jan 17, 2009
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're Welcome!

    Surf Safely!