Please help me to remove this malware

Discussion in 'Malware Help (A Specialist Will Reply)' started by UnyieldingZookeeper, Aug 7, 2006.

  1. UnyieldingZookeeper

    UnyieldingZookeeper Private E-2

    Hi there,

    I or one of my family have downloaded a piece of malware that redirected my browser, installed unwanted programmes and created icons in my taskbar. As far as I can tell the download in question was/is called Media Codec.

After following all the steps you recommended in the sticky thread, the browser is back to normal. However, nearly all the scans detected viruses/malware that they couldn't clean, delete or update and I am still getting pop-up balloons that say: "System has detected 4 spyware infections" and a flashing yellow warning symbol in the taskbar. Also in the taskbar is a flashing icon that alternates a question mark with a red circle with a line through it.

There is (intermittently) also a red window which opens at the bottom right of the screen (displaying the following text: "Your computer is infected! Critical systems error! System detected virus activities. These may cause critical system failure...") which links to a webpage for anti-virus software.

I've attached the runkeys, newfiles and bitdetector reports. I'll post the panda one in the next post. I'm running Windows XP Home Professional, though I'm unsure of my specs. Any help would be much appreciated, and I'd willingly donate any of my organs in return for the removal of this bugger.

    Thanks

    UZ
     

    Attached Files:

  2. UnyieldingZookeeper

    UnyieldingZookeeper Private E-2

    The activescan report is attached here.
     

    Attached Files:

  3. matt.chugg

    matt.chugg MajorGeek

    The infections in the activescan log are 'mostly' cookies so don't worry about them for now, they should have been removed by CCleaner when you ran it though.

What about the HJT log? Please see step 7 of the 'read and run me first' sticky.
     
  4. UnyieldingZookeeper

    UnyieldingZookeeper Private E-2

    Hi Matt,

    Wow that was quick. In fact, the only thing that's been quicker than that today has been the HijackThis scan. Attached is the HijackThis Log.

    Cheers

    UZ
     

    Attached Files:

  5. matt.chugg

    matt.chugg MajorGeek

    Please download the attached zip file and save to your desktop.

    Extract the single exe inside and run it.

    This will create a new file on your desktop called procdll.txt

    Attach this log as your next post.
     

    Attached Files:

  6. UnyieldingZookeeper

    UnyieldingZookeeper Private E-2

    There doesn't seem to be any attachment in your post
     
  7. matt.chugg

    matt.chugg MajorGeek

    There is now ;)
     
  8. UnyieldingZookeeper

    UnyieldingZookeeper Private E-2

Cheers :) I've downloaded it and extracted it. But when I try and run it, a window with the heading ProcessDll.exe - Application Error opens up displaying the text: "The application failed to initialize properly (0xc0000135). Click on OK to terminate the application." I also tried unzipping it to my download folder in C: but the same thing happened.
     
  9. matt.chugg

    matt.chugg MajorGeek

OK, don't worry, you don't have the .NET framework. I thought you would have since you have XP SP2, but it's not important. I'll work up a starting fix in a bit, but I have to go offline for an hour or so.

    Matt

    @ chas, @spd, @bjgarick take over if you want if I'm not back soon
     
  10. UnyieldingZookeeper

    UnyieldingZookeeper Private E-2

    You're a legend. I think I'd probably weep if I hadn't found you guys. See you later.
     
  11. matt.chugg

    matt.chugg MajorGeek

    Start by downloading two tools we will need

    - Process Explorer

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of vwlummc.dll once and then click the kill button. After you have killed all of the vwlummc.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of vwlummc.dll and kill it. (If you do not find the dll, just continue on.)

    Now just exit Process Explorer.


    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:

    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filename into KILL BOX. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion say YES and when the next box opens prompting you to reboot now...click YES


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)


    If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.



    REBOOT to Normal Mode.

    Post a fresh HijackThis log.
     
  12. UnyieldingZookeeper

    UnyieldingZookeeper Private E-2

    Hi,

    I've followed the instructions above and the new HJT Log is attached.

    Cheers

    U
     

    Attached Files:

  13. matt.chugg

    matt.chugg MajorGeek

When you rebooted to safe mode, was the file there or had it already been removed?

Do you have viewing of hidden files and folders enabled as per the 'Read and Run me Sticky'?
     
  14. UnyieldingZookeeper

    UnyieldingZookeeper Private E-2

When you've had a look at the HJT can you tell me if I'm virus-free? The things from the task bar and the pop-ups have disappeared but I am - as you've probably guessed - a bit 'special' when it comes to computers. :) Do I need to do anything more? Matt Chugg mentioned that there were some problems with the stuff in the Active Scan log that I could worry about after the main malware had been destroyed...

Also, thank you for your time and energy - I really, really appreciate the fact that you guys provide this service for free for hapless noobs like me. Is there some way of saying 'thank you' in a material way, like donations to charity/bandwidth costs/beer funds?
     
  15. matt.chugg

    matt.chugg MajorGeek

    Have you recently changed or upgraded your norton AV ?

    You seem to have a few BHOs with files missing:


    O2 - BHO: (no name) - {1da7dbe8-c51b-4ae4-bc6e-21863349b0b4} - C:\Program Files\Media-Codec\isaddon.dll (file missing)
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll (file missing)
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (file missing)
    O3 - Toolbar: Protection Bar - {a2595f37-48d0-46a1-9b51-478591a97764} - C:\Program Files\Media-Codec\iesplugin.dll (file missing)


    Have HJT fix these entries
     
  16. UnyieldingZookeeper

    UnyieldingZookeeper Private E-2

Ok, I've done what you said above - the HJT log is attached if it's of any use. As far as I know we haven't changed/upgraded Norton AV recently - is this something I should do asap?
     

    Attached Files:
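The O2/O3 entries quoted in matt.chugg's post above follow a fixed HijackThis layout (section, kind, name, CLSID, DLL path, optional "(file missing)" marker). The parser below is an added example, not code from the thread or from HijackThis; it pulls those orphaned BHO/toolbar registrations out of a log so they can be reviewed before being fixed. The first three sample lines are the ones quoted in the post; the fourth is a constructed healthy entry with a placeholder CLSID and path.

```python
import re
from dataclasses import dataclass

# Constructed sample: three lines quoted from the post above plus one made-up
# healthy entry (placeholder CLSID/path) so the "file missing" filter has a contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {1da7dbe8-c51b-4ae4-bc6e-21863349b0b4} - C:\Program Files\Media-Codec\isaddon.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Protection Bar - {a2595f37-48d0-46a1-9b51-478591a97764} - C:\Program Files\Media-Codec\iesplugin.dll (file missing)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
"""

# One HJT O2/O3 line: "<section> - <kind>: <name> - {CLSID} - <path>[ (file missing)]"
LINE_RE = re.compile(
    r"^(?P<section>O[23]) - (?P<kind>BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)

@dataclass
class IeExtension:
    section: str
    kind: str
    name: str
    clsid: str        # normalised to lower case so the same GUID compares equal
    path: str
    file_missing: bool

def parse_log(text: str) -> list[IeExtension]:
    """Return every O2/O3 entry found in an HJT log; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(IeExtension(m["section"], m["kind"], m["name"],
                                       m["clsid"].lower(), m["path"],
                                       m["missing"] is not None))
    return entries

def orphaned(entries: list[IeExtension]) -> list[IeExtension]:
    """Registrations whose DLL no longer exists: inert, but worth fixing in HJT."""
    return [e for e in entries if e.file_missing]

if __name__ == "__main__":
    for e in orphaned(parse_log(SAMPLE_LOG)):
        print(f"{e.section} {e.kind:<8} {e.clsid} {e.path}")
```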

  17. matt.chugg

    matt.chugg MajorGeek

    How is your computer running now ?

    You didn't update your Java as I said in my first post

    Is your ISP BT ?
     
  18. UnyieldingZookeeper

    UnyieldingZookeeper Private E-2

    Sorry about that, am updating Java now as I write. The computer is running perfectly now, with no visible signs of malware! Thank you very much for showing me how to mend it. My ISP is indeed BT...do you have some sort of voodoo/telepathic power?
     
  19. matt.chugg

    matt.chugg MajorGeek

    OK Your log is clean now, time to go back to step one in the read me and flush your restore points and create a clean new one ('as instructed in Step 1 of the Read and Run Me')

    Please read this on How to protect yourself from malware

I am indeed telepathic, it's a useful skill (Not really, I did an nslookup on the IPs in the O17 line in your HJT log.)
     
  20. UnyieldingZookeeper

    UnyieldingZookeeper Private E-2

    I'll do just that - once again, thank you very much for this fella, it's most appreciated.

    You should have left me in the dark about the ISP thing - I'd have told everyone that I knew that you lot have mystical powers :)
     
  21. matt.chugg

    matt.chugg MajorGeek

    No problem, glad to help

    Who says I don't have other mystical powers ?

    Matt
     
