Removing XXXToolbar & IST variant

Discussion in 'Malware Help (A Specialist Will Reply)' started by Erasmus, Feb 14, 2005.

  1. Erasmus

    Erasmus Private E-2

    My browser, IE 6.0, has been hijacked by a stubborn variant of XXXToolbar/IST spyware.

    Symptoms:

    1) When booting laptop with DSL connected, IE automatically launches and installs the following [while showing fake yahoo page]:

    http://install.xxxtoolbar.com/ist/s...ttp://inf3ct3d.us/m.html&payable=1&country=US

    2) IE is unaffected if laptop is booted in safemode or without DSL connected

    3) IE and other applications running slowly and/or crashing, hanging

    Solutions Tried So Far (w/out success):

    1) Ran basic removal protocol, per Major Attitude's thread

    2) Did manual removal for ISTbar and XXXToolBar, as described on a few sites - did not find any of the associated files in registry or uninstalled server being pinged (via "regsvr32/u ...")

    3) HijackThis! shows "autoprotect.exe" being launched. Deleted this file as well as an associated file from C:\ and ...Window\prefetch - but "autoprotect.exe" keeps being re-installed. Analyzed code but found nothing in 04 etc, linked to this file

    4) Reinstalled IE V6.0

    PLEASE HELP!

    Note: using WindowsXP Professional
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Erasmus,

    If you have exhausted the options in the Cleanup Tutorial (including the Online Scans), then go ahead and send us a HijackThis Log. Please be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!
    Should you need a Fresh Download of HJT, get it HERE: HijackThis v1.99

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I’ve been tied up with work lately and cannot visit this forum too often these days, but somebody will try to take a look when they get a chance.

    PP :)
     
  3. Erasmus

    Erasmus Private E-2

    Hi PP,

    Thanks for taking a look at the attached HJT file.

    Only other clue is that ActiveX controls are disabled on browser and I cannot reset them via Tool>Internet Options>Security> Custom - custom box is inactive.

    Really appreciate the help!
    Erasmus
     

    Attached Files:

  4. PhilliePhan

    PhilliePhan Guest

    Happy to try to help! :)

    Let's start with what we can see first . . . .


    Please print out these instructions so that you can operate with All Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:

    MDNS.exe
    autoprotect.exe


    Now scan with HijackThis and Check the Boxes for the following:
    O4 - HKLM\..\Run: [MDN] MDNS.exe
    O4 - HKLM\..\RunServices: [MDN] MDNS.exe
    O4 - HKCU\..\Run: [MDN] MDNS.exe

    O9 - Extra button: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (no file)
    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\System32\MDNS.exe --> All Instances of this one
    C:\autoprotect.exe

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now. I will try to check back when time permits.

    Best luck :)
    PP
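    As an added example (this is not code from the thread, from MajorGeeks or from HijackThis itself), the following Python script parses O4 and O9 log lines in the format quoted above and flags the entries PhilliePhan asked to fix. The two line formats are reconstructed only from the lines quoted in the thread; the watchlist, the "bare filename" heuristic and the sample entries marked as constructed are assumptions made for the example.

```python
"""Flag suspicious O4/O9 entries in a HijackThis-style log (added example)."""
import re

# Constructed sample: the three O4 lines and the O9 line from the thread,
# plus two benign-looking lines invented here for contrast.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [MDN] MDNS.exe
O4 - HKLM\\..\\RunServices: [MDN] MDNS.exe
O4 - HKCU\\..\\Run: [MDN] MDNS.exe
O4 - HKLM\\..\\Run: [ExampleUpdater] C:\\Program Files\\Example\\updater.exe
O9 - Extra button: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (no file)
O9 - Extra button: Research - {EXAMPLE-CLSID-0000} - C:\\Program Files\\Example\\research.dll
"""

# Assumed watchlist: the two executables named in this thread, nothing more.
SUSPECT_NAMES = {"mdns.exe", "autoprotect.exe"}

# Line formats reconstructed from the quoted entries (assumption, not the HJT spec).
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O9_RE = re.compile(
    r"^O9 - Extra button: (?P<label>.+?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$"
)


def parse_entries(log_text):
    """Return a list of dicts for every O4/O9 line; other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            entries.append({"type": "O4", "raw": line, **m.groupdict()})
            continue
        m = O9_RE.match(line)
        if m:
            entries.append({"type": "O9", "raw": line, **m.groupdict()})
    return entries


def executable_name(cmd):
    """Pick the first *.exe token out of an autostart command, path or not."""
    m = re.search(r'([^\\/"]+\.exe)', cmd, re.IGNORECASE)
    return m.group(1) if m else None


def flag_entries(entries, suspect_names=SUSPECT_NAMES):
    """Return the entries worth a second look, each with a list of reasons."""
    flagged = []
    for e in entries:
        reasons = []
        if e["type"] == "O4":
            exe = executable_name(e["cmd"])
            if exe and exe.lower() in suspect_names:
                reasons.append("executable on watchlist")
            # Heuristic (assumption): a bare filename in an autostart value is
            # resolved via the search path, which legitimate installers rarely rely on.
            if not re.search(r"[\\/]", e["cmd"]):
                reasons.append("bare filename, no directory in autostart command")
        elif e["type"] == "O9" and e["path"] == "(no file)":
            reasons.append("orphaned button: CLSID registered but target file missing")
        if reasons:
            flagged.append({**e, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in flag_entries(parse_entries(SAMPLE_LOG)):
        print(hit["raw"])
        for reason in hit["reasons"]:
            print("    -", reason)
```

    Run it against a saved HJT log by replacing SAMPLE_LOG with the file contents; the "bare filename" reason on its own is only a prompt to look closer, while the watchlist and "(no file)" reasons correspond to the entries the post above says to fix.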
     
  5. Erasmus

    Erasmus Private E-2

    Re: Removing WORM RBOT.AOM hijacker

    Hi PP,

    Thanks for the additional HJT & cleanmgr guidance - it worked like a charm!
    Appreciate you taking time to swing back & help.

    I suspected the MSDNE.exe file, as I did not find in a reference HJT file when laptop was clean. So, I did some additional research and found it was associated with Worm, called Worm_RBOT.AOM (in TrendMicro lingo)

    So, it was not an IST variant - like I originally thought.

    I also found a Trojan Startpage.A on a latter diagnostic scan.

    I found the TrendMicro Virus encyclopaedia very useful in learning more about how these nasties work & how to remove them.

    Here is another helpful site, if anyone else is having problems & wants to learn more:

    www.viruslist.com/en/viruses/encclopedia?virusid=3814

    (This gives alias for a virus - helpful when going to specific sites)

    I genuinely appreciate this community & how much I learn about PC related technology, code etc.

    Hope to be able to help more as my own knowledge grows.
    Erasmus
     
  6. PhilliePhan

    PhilliePhan Guest

