Virusburst & Others

Discussion in 'Malware Help (A Specialist Will Reply)' started by yellowman7884, May 10, 2007.

  1. yellowman7884

    yellowman7884 Private E-2

    Hi,
    Recently picked up VirusBurst, asafehomepage, protection bar and what seemed like a dozen other pieces of malware. Laptop was completely clean up until then.
    Followed all steps in READ & RUN ME FIRST and I seem to have lost a lot of what I was getting; however, I am still getting some pop-ups and messages: PestCapture, AntiVermins, etc.

    Spybot continues to show Zlob.VideoAccessActiveXObject.
    BitDefender showed clear; ActiveScan showed 7 spyware infections and 2 virus infections (the virus infections showed as fixed).
    GetRunKey and ShowNew both downloaded as per instructions, and HijackThis renamed as per instructions. Please help!!

    CounterSpy, BitDefender, and ActiveScan attached - second post will include GetRunKey, ShowNew, and HijackThis log
     

    Attached Files:

  2. yellowman7884

    yellowman7884 Private E-2

    GetRunKey, ShowNew & HijackThislog also attached

    :) 7884
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please use add/remove programs to uninstall:
    MarketResearch

    Use windows explorer to delete this folder:
    C:\Program Files\Security Tools

    Please copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {7A8F5B7A-A74F-495E-8A33-DF6226D2BAD8} - (no file)

    After clicking Fix, exit HJT.

    Now attach new logs for:

    * GetRunKey
    * ShowNew
    * HJT
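Added example (not part of the thread, and not a MajorGeeks or HijackThis tool): the posts above ask for GetRunKey, ShowNew and HijackThis logs and then pick single lines out of them, such as the O2 BHO entry with "(no file)". The script below does that first triage pass over HijackThis-style log text: it flags orphaned BHOs, anything started from the Policies\Explorer\Run key, and any startup entry or BHO whose path points into a folder you already suspect, and it expands HijackThis's "HKLM\..\" shorthand into the full registry path so you can check the entry in regedit. The sample log lines are constructed for this example (the O2 line, the "rare" value name and the Security Tools paths are from the thread; tying "rare" to imsmain.exe and the other entries are assumptions).

```python
import re
from dataclasses import dataclass, field

# HijackThis abbreviates this path as "..": "HKLM\..\Run" is really
# HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
CV = "Software\\Microsoft\\Windows\\CurrentVersion"

# O2 - BHO: <name> - {CLSID} - <dll path or "(no file)">
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
# O4 - HKLM\..\<key>: [<value name>] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>[^:]*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Constructed sample modelled on the HijackThis log format (not the poster's
# attached logs). Only the O2 line and the Security Tools paths are from the thread.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {7A8F5B7A-A74F-495E-8A33-DF6226D2BAD8} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0\bin\jusched.exe
O4 - HKLM\..\Policies\Explorer\Run: [rare] C:\Program Files\Security Tools\imsmain.exe
O4 - HKCU\..\Run: [Security Tools] "C:\Program Files\Security Tools\imsmn.exe" /s
"""


@dataclass
class Finding:
    line: str            # the log line as it appeared
    registry_key: str    # full key to inspect in regedit
    reasons: list = field(default_factory=list)


def _in_dir(path, directory):
    """Case-insensitive check that a (possibly quoted) Windows path sits inside a folder."""
    p = path.strip().lstrip('"').lower()
    d = directory.lower().rstrip("\\") + "\\"
    return p.startswith(d)


def triage_hjt(log_text, suspect_dir):
    """Return the O2/O4 entries worth fixing, with the reason and the real registry key."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            reasons = []
            if m["path"].strip().lower() == "(no file)":
                reasons.append("orphaned BHO: CLSID registered but its DLL is gone")
            elif _in_dir(m["path"], suspect_dir):
                reasons.append("BHO DLL lives in the suspect folder")
            if reasons:
                key = f"HKLM\\{CV}\\Explorer\\Browser Helper Objects\\{m['clsid']}"
                findings.append(Finding(line, key, reasons))
            continue
        m = O4_RE.match(line)
        if m:
            reasons = []
            if m["key"].lower().startswith("policies\\"):
                reasons.append("autostart under Policies\\Explorer\\Run, a key legitimate installers almost never use")
            if _in_dir(m["cmd"], suspect_dir):
                reasons.append("autostart command points into the suspect folder")
            if reasons:
                findings.append(Finding(line, f"{m['hive']}\\{CV}\\{m['key']}", reasons))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG, "C:\\Program Files\\Security Tools"):
        print(f.line)
        print("   key:", f.registry_key)
        for r in f.reasons:
            print("   why:", r)
```

The policy-key check matters for this thread: the fix TimW posts later removes a value named "rare" from exactly that Policies\Explorer\Run key, which HijackThis reports as an O4 line. Treat every flagged line as a candidate to confirm by hand (file present? signed? known vendor?) rather than an automatic fix list.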
     
  4. yellowman7884

    yellowman7884 Private E-2

    1. I cannot find MarketResearch to uninstall it - it does not appear in Add/Remove programs.
    2. Attempted to delete the folder at C:\Program Files\Security Tools but received the message: "Cannot delete imsmain.exe: Access is denied. Make sure the disk is not full or write protected and that the file is not currently in use."
    3. Should I continue with the regedit instruction?
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Try removing them in safe mode.....if that doesn't work:
    Continue by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Run HJT and fix the item ---
    O2 - BHO: (no name) - {7A8F5B7A-A74F-495E-8A33-DF6226D2BAD8} - (no file)

    Then do the registry patch.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:

    * Delete on Reboot
    * then Click on the All Files button.*(or on the folders option)*
    * Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Program Files\Security Tools

    * Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    * Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    Attach the requested logs.
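Added example (not from the thread or from Pocket Killbox): "Delete on Reboot" works by queueing the file in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, which is the value the "PendingFileRenameOperations prompt" above refers to, and which Windows processes at the next boot before anything can lock the file again. The value holds source/destination pairs in the kernel "\??\C:\..." path form; an empty destination means delete, and a destination starting with "!" means replace an existing file. The code below builds that value data for a list of files and decodes an existing value back into readable operations, so you can verify what was actually queued (for example with `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v PendingFileRenameOperations` before rebooting). It works on raw bytes only; writing the value on a live machine is done by MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which this example does not call. The sample data is constructed here from the two paths named in the thread.

```python
NT_PREFIX = "\\??\\"   # object-manager path form Windows stores in the value


def encode_multi_sz(strings):
    """REG_MULTI_SZ: UTF-16LE, every string NUL-terminated, one extra NUL closes the list."""
    return ("\0".join(strings) + "\0\0").encode("utf-16-le")


def pending_delete_bytes(paths):
    """Value data that queues each path for deletion at the next boot: each source is
    followed by an empty destination, which is what MoveFileEx(src, NULL,
    MOVEFILE_DELAY_UNTIL_REBOOT) records."""
    entries = []
    for p in paths:
        entries += [NT_PREFIX + p, ""]
    return encode_multi_sz(entries)


def nt_to_win(path):
    """Strip the \\??\\ prefix so the path reads as C:\\..."""
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def pending_ops_from_bytes(data):
    """Decode PendingFileRenameOperations data into delete / rename / replace operations."""
    parts = data.decode("utf-16-le").split("\0")
    if parts and parts[-1] == "":
        parts.pop()                 # nothing follows the final NUL
    if len(parts) % 2 == 1 and parts[-1] == "":
        parts.pop()                 # the list terminator (absent in some writers)
    if len(parts) % 2:
        raise ValueError("value must hold source/destination pairs")
    ops = []
    for src, dst in zip(parts[0::2], parts[1::2]):
        if dst == "":
            ops.append({"op": "delete", "source": nt_to_win(src)})
        else:
            # a leading "!" on the destination is MOVEFILE_REPLACE_EXISTING
            ops.append({"op": "replace" if dst.startswith("!") else "rename",
                        "source": nt_to_win(src),
                        "destination": nt_to_win(dst.lstrip("!"))})
    return ops


# Constructed sample: the two files the thread could not delete while running.
LOCKED_FILES = [
    "C:\\Program Files\\Security Tools\\imsmain.exe",
    "C:\\Program Files\\Security Tools\\imsmn.exe",
]

if __name__ == "__main__":
    data = pending_delete_bytes(LOCKED_FILES)
    print(data.hex(" ", 2))
    for op in pending_ops_from_bytes(data):
        print(op)
```

If the folder is still there after the reboot (as happened in this thread), decoding the value before rebooting tells you whether the deletes were ever queued, and checking it again afterwards tells you whether something consumed or cleared them.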
     
  6. yellowman7884

    yellowman7884 Private E-2

    Sorry, should have said earlier - I cannot access safe mode
    Pocket Killbox downloaded
    Item fixed from HJT, patch added to registry, file deleted on reboot, no message received and new logs attached - I just had a look in Program Files and Security Tools still appears in there.
     

    Attached Files:

  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's try Pocket Killbox once again....only this time click on the files button and copy and paste these into it:

    C:\Program Files\Security Tools\imsunst.exe
    C:\Program Files\Security Tools\imsmn.exe
    C:\Program Files\Security Tools\imsmain.exe
    C:\Program Files\Security Tools\iesunst.exe
    C:\Program Files\Security Tools\iesbunst.exe

    Post the three logs again...(new runs of each.)
     
  8. yellowman7884

    yellowman7884 Private E-2

    Files deleted as per instructions
    New logs attached - still getting those damn pop-ups - Security Tools folder is still there.
    I think I need a pint.
    I checked a folder named Killbox which appears to hold the files that you asked me to delete; however, they all still exist within Security Tools also.
     

    Attached Files:

  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Make that two pints .....

    Ok....before I leave for the day....

    Use windows explorer to manually delete all the contents of that folder, one by one. (making sure you are logged in with an administrator account).

    We may have to use Process Explorer to delete them.....let me know as I will check in later.
     
  10. yellowman7884

    yellowman7884 Private E-2

    Ok,
    I managed to delete two of the files to recycle bin, it will not let me delete imsmain.exe, and imsmn.exe - same message as before access denied.

    Although I am logged in as administrator, I am not sure if these are complete access rights.

    I AM going for those pints now. Home in a couple of hours.

    Your assistance is greatly appreciated. I hope you can get to the bottom of this.
    Cheers
    :) 7884
     
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Are you still unable to access safe mode?

    What pop ups -----> what do they say or refer to?

    I'd like you to try running:
    Download SDFix and save it to your Desktop.
    • Run the SDFix.exe by double clicking on it.
    • Allow it to install into the default location which is c:\SDFix
    • Now please reboot your computer into Safe Mode (see this if you don't know how: Starting your computer in Safe mode )
    • When you have booted into safe mode, open the C:\SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services or Registry entries found and then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
    • Attach the Report.txt file to your next message.
     
  12. yellowman7884

    yellowman7884 Private E-2

    Ok,
    My wife required the laptop at work and took it to her IT guy. Apparently it was infected with horrendous viruses and he worked on it for some time. Neither I nor she knows what he's done, but the pop-ups have stopped. He doesn't know whether he has done enough to keep the virus off it, but it seems OK for now.
    Just as a matter of interest, the pop-ups included ads for Safety Center, System Defender, Security Health Center, casino ads, and hardcore porn. Messages at the bottom of the screen included Networm-iVirus@fp, Networm-iVirus@mx, Spyware.Cyberlog-X, Spyworm.win32, a Symantec virus warning of VirusBurst, and many more.
    Do you require me to take any further actions to satisfy yourself, or should I just leave it?
    I greatly appreciate your help in any case.
    (I haven't yet followed your instructions for SDFix etc., and the Security Tools folder still exists in Program Files.)
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Not knowing what was done by the IT dept. and the security folder still being present does make me wonder if you are really clean.

    Is there anything in that folder? Plus I doubt that the registry key has been deleted:
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run]
    "rare"=-

    Yes to running SDFix and attaching the log.
    And I would like to see new logs for:
    GetRunKey
    ShowNew
    HJT
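Added example (not part of the thread): the registry fix TimW refers to is a .reg file, and the two lines quoted above use the least obvious piece of that syntax, `"rare"=-`, which deletes a value rather than setting it (a key section written as `[-HKEY_...]` deletes the whole key). Before merging a fix like this it is worth knowing exactly what it will do, so below is a small parser that turns a .reg file into a list of operations. The sample file starts from the standard regedit header and the key and value from post 13; the `[-HKEY_...]` section, the REG_SZ, the dword and the hex(7) value are constructed for this example to exercise the other forms (the BHO CLSID is the one from the O2 line earlier in the thread, but expressing that HijackThis fix as a .reg key delete is my assumption, not something the thread did).

```python
import re

REG_TYPES = {0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
             4: "REG_DWORD", 7: "REG_MULTI_SZ", 11: "REG_QWORD"}

HEADER_RE = re.compile(r"^(Windows Registry Editor Version 5\.00|REGEDIT4)$")
KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")          # [key] or [-key]
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')
HEX_RE = re.compile(r"^hex(?:\((?P<type>[0-9a-fA-F]+)\))?:(?P<bytes>.*)$")  # hex: / hex(7):

# Constructed sample: header plus the key/value from post 13, then extra
# constructed entries so every supported form appears once.
FIXME_REG = r"""Windows Registry Editor Version 5.00

; from the thread: remove the "rare" autostart value
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run]
"rare"=-

; constructed: a whole-key delete (the .reg form of removing the orphaned BHO)
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7A8F5B7A-A74F-495E-8A33-DF6226D2BAD8}]

; constructed: string, dword and multi-line hex(7) (REG_MULTI_SZ) values
[HKEY_CURRENT_USER\Software\Example]
"Path"="C:\\Program Files\\Example"
"Enabled"=dword:00000001
"Blob"=hex(7):61,00,00,00,\
  00,00
"""


def _unescape(s):
    """.reg quoting: a backslash escapes the next character (\\ and \")."""
    return re.sub(r"\\(.)", r"\1", s)


def _decode_value(key, name, data):
    base = {"key": key, "name": name}
    if data == "-":
        return {"op": "delete_value", **base}
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return {"op": "set", **base, "type": "REG_SZ", "data": _unescape(data[1:-1])}
    if data.startswith("dword:"):
        return {"op": "set", **base, "type": "REG_DWORD", "data": int(data[6:], 16)}
    m = HEX_RE.match(data)
    if m:
        t = int(m["type"], 16) if m["type"] else 3       # bare "hex:" is REG_BINARY
        raw = m["bytes"].replace(",", "").strip()
        return {"op": "set", **base, "type": REG_TYPES.get(t, f"type_{t}"),
                "data": bytes.fromhex(raw)}
    raise ValueError(f"unsupported value data: {data!r}")


def parse_reg(text):
    """Return the list of registry operations a .reg file performs when merged."""
    ops, current_key, seen_header = [], None, False
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if not seen_header:
            if not HEADER_RE.match(line):
                raise ValueError("first line must be the .reg header")
            seen_header = True
            continue
        m = KEY_RE.match(line)
        if m:
            if m["delete"]:
                ops.append({"op": "delete_key", "key": m["key"]})
                current_key = None            # values may not follow a deleted key
            else:
                ops.append({"op": "create_key", "key": m["key"]})
                current_key = m["key"]
            continue
        m = VALUE_RE.match(line)
        if m:
            if current_key is None:
                raise ValueError(f"value outside a key section: {line!r}")
            data = m["data"]
            while data.endswith("\\"):         # hex data continues on the next line
                data = data[:-1] + next(lines, "").strip()
            name = "" if m["default"] else _unescape(m["name"])
            ops.append(_decode_value(current_key, name, data))
            continue
        raise ValueError(f"unparsed line: {line!r}")
    return ops


if __name__ == "__main__":
    for op in parse_reg(FIXME_REG):
        print(op)
```

Two things the parse makes visible that the raw file does not: a `[key]` header creates the key if it is missing (harmless here, since Policies\Explorer\Run already exists), and `"rare"=-` only removes the value, so the file imsmain.exe it pointed at still has to be dealt with separately, which is why the thread needed Killbox as well.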
     
