So it goes

Discussion in 'Malware Help (A Specialist Will Reply)' started by JMNorris, Apr 19, 2007.

  1. JMNorris

    JMNorris Private E-2

    A coworker gave me a preteen's computer to clean. I suppose you can predict the horrors: no windows login password, an expired antivirus program, Kazaa.

I uninstalled some programs listed in step 0 of the malware removal guide (including Kazaa and WildTangent--there were one or two others that I don't remember).

I ran Spybot Search & Destroy in Safe Mode.

    I ran CounterSpy in Safe Mode, log attached.

I ran BitDefender's online scanner in Safe Mode with Network Support. I mistakenly rebooted before saving the log. I ran the online scanner (in Safe Mode with Network Support) again so you can get a log--though the log that I forgot to save would be, I suppose, the more informative. The second log is attached. Note: the BitDefender online scanner did NOT delete several infected files, presumably installation programs. One was in Kazaa's "My Shared Files" directory--I deleted that via the Windows Manager. The rest were in a single "System Restore" subdirectory. I didn't bother with those yet.

    I tried unsuccessfully to run Panda's online scanner, both the free version and the paid (ActiveScan Pro) version. In both cases, attempting to open the scanner page got me instead a web page with the message (for the paid version):
    When opening the free version, the first line was the same; the second line was:
    After rebooting and starting Windows normally again, I ran the ShowNew and GetRunKeys scripts. I also ran HijackThis under the name Analyse. Logs for all three are attached to a subsequent post.
     

    Attached Files:

  2. JMNorris

    JMNorris Private E-2

    Additional promised attachments (logs for ShowNew, GetRunKeys, and HijackThis).
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The CounterSpy log shows that you Ignored all the problems it found. You need to run it again and this time Quarantine or Delete everything it finds. Then attach a new log so we can be sure everything was cleaned up.

The Windows OS on this PC is way out of date with updates and this is a major security risk. After all malware is removed, all updates need to be installed!
    You need to uninstall Viewpoint Media Player (Remove Only) as given in step 0 of the READ ME.


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll (file missing)
    O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
    O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
    O4 - HKLM\..\Run: [PrecisionTime] C:\PROGRA~1\PrecisionTime\PrecisionTime.exe
    O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe
    O4 - HKLM\..\Run: [hoadgbw] C:\WINDOWS\kjberup.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [v72O39P] qd3sink.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKCU\..\Run: [ewtERVjsg] ipskadp.exe
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file))
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab
    O16 - DPF: {3B02AAA2-327C-40ED-A849-4BE819AE5385} (ImgSizer Control) - file://C:\Documents and Settings\Owner\Local Settings\Temp\~DlfnTmp0\imgSizer.ocx

    After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\CxtPls <--- the whole folder
    C:\Program Files\PrecisionTime <--- the whole folder
    C:\WINDOWS\kjberup.exe
    C:\WINDOWS\system32\ipskadp.exe
    C:\WINDOWS\system32\qd3sink.exe

Now run CCleaner

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Now reboot in normal mode

    Now attach the below new logs and tell me how the above steps went.
    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
     
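The HijackThis lines singled out above fall into a few recognizable classes: search and start pages forced to about:blank, a ProxyOverride entry, BHO/toolbar registrations with no name or no file behind them, Run keys that name a bare executable or one dropped straight into C:\WINDOWS under a jumbled value name, and a DPF (ActiveX) control registered from a Temp folder. The script below is an added example, not code from this thread or from HijackThis, that parses HJT-style log lines and flags entries in those classes so a reviewer can see why each line drew attention. The sample log is constructed from the entries quoted in this thread plus one benign touchpad-driver line (SynTPEnh) added for contrast; the heuristics, regexes and function names are this example's own assumptions.

```python
"""Triage an HijackThis-style log: flag entries that match the classes of
problems a malware helper reviews first. Added example; the sample log is
constructed from entries quoted in the thread, the heuristics are assumptions."""
import re

# Constructed sample: thread entries plus one benign line (SynTPEnh) for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll (file missing)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\Run: [hoadgbw] C:\WINDOWS\kjberup.exe
O4 - HKLM\..\Run: [v72O39P] qd3sink.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O16 - DPF: {3B02AAA2-327C-40ED-A849-4BE819AE5385} (ImgSizer Control) - file://C:\Documents and Settings\Owner\Local Settings\Temp\~DlfnTmp0\imgSizer.ocx
"""

HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# O4 body looks like: HKLM\..\Run: [ValueName] command line
RUN_ENTRY = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run[^:]*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def first_token(cmd):
    """Return the executable part of a Run-key command line, honouring quotes
    and unquoted paths that contain spaces (cut at the executable extension)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.(?:exe|com|scr|dll))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else (cmd.split(None, 1)[0] if cmd else "")


def looks_random(name):
    """Weak signal: value names such as 'v72O39P' or 'ewtERVjsg' (digits mixed with
    both letter cases, or runs of 4+ consonants) are typical of generated entries.
    'y' is counted as a vowel so driver names like SynTPEnh are not flagged."""
    has_digit = any(c.isdigit() for c in name)
    mixed_case = any(c.islower() for c in name) and any(c.isupper() for c in name)
    if has_digit and mixed_case:
        return True
    return re.search(r"[b-df-hj-np-tv-xz]{4,}", name, re.IGNORECASE) is not None


def flag_entry(section, body):
    """Return the reasons an HJT entry deserves review. An empty list means the
    heuristics saw nothing wrong, which is not proof that the entry is benign."""
    reasons = []
    if section in ("R0", "R1") and body.endswith("= about:blank"):
        reasons.append("search/start page redirected to about:blank (hijack residue)")
    if section in ("R0", "R1") and "ProxyOverride" in body:
        reasons.append("proxy override present; confirm it was set deliberately")
    if section == "R3" and "is missing" in body:
        reasons.append("default URLSearchHook removed")
    if section in ("O2", "O3") and any(t in body for t in ("(no name)", "(file missing)", "(no file)")):
        reasons.append("unnamed or orphaned BHO/toolbar registration")
    if section == "O4":
        m = RUN_ENTRY.match(body)
        if m:
            name, exe = m.group("name"), first_token(m.group("cmd"))
            folder = exe.rpartition("\\")[0].upper()
            if "\\" not in exe:
                reasons.append("Run entry names a bare executable resolved via the search path")
            elif folder in ("C:\\WINDOWS", "C:\\WINNT"):
                reasons.append("executable dropped directly in the Windows folder")
            if looks_random(name):
                reasons.append("generated-looking value name (weak signal)")
    if section == "O16" and re.search(r"file://.*\\Temp\\", body, re.IGNORECASE):
        reasons.append("ActiveX (DPF) control registered from a local Temp directory")
    return reasons


def triage(log_text):
    """Parse an HJT log and return [(section, body, reasons)] for flagged entries."""
    flagged = []
    for line in log_text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        reasons = flag_entry(m.group("section"), m.group("body"))
        if reasons:
            flagged.append((m.group("section"), m.group("body"), reasons))
    return flagged


if __name__ == "__main__":
    for section, body, reasons in triage(SAMPLE_LOG):
        print(f"{section} - {body}")
        for reason in reasons:
            print(f"    -> {reason}")
```

Run against the constructed sample, 8 of the 11 entries are flagged. The AutoUpdater line is not, even though the helper above asked for it to be fixed: a plausible name under Program Files passes every pattern here, which is why pattern checks are a first pass that narrows the log for a human reviewer rather than a verdict.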
  4. JMNorris

    JMNorris Private E-2

    Yikes--That was really sloppy of me. I've run it again (in Safe Mode) and a new log is attached.

    Sigh. I'm not surprised by this given the other horrors I've found. I'll also add passwords to the Windows logins. Double sigh.

    I did the HJT fixes you recommended. Either I missed one of the R1 items you recommended, or it came back. A new log is attached.

    I did not find any of the files you recommended I delete:
    Perhaps my rerun of CounterSpy took care of these?

    I ran CCleaner again.

    I reset the web settings as recommended. I did this twice: once logged in as Administrator and once as Owner (the other user ID). Should that have gotten rid of the R0 item in the new HJT log?

    In addition to the new CounterSpy and HJT logs, I have also new GetRunKey and ShowNew logs, one of them in a separate post.

I'm not familiar with how badly the computer was running before the cleanup. With just a very cursory check, it seems to be running ok now.
     

    Attached Files:

  5. JMNorris

    JMNorris Private E-2

    One more log to upload.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders which may be left behind by the uninstall:
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software


Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    9. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
