2.1 Malware Removal
Unexplained popups even after all steps in the following FAQ come up "clean":
»Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance

No apparent signs in a HijackThis log. No entries visible under "Device Manager" or "Network Places".

This pest is adware that is hidden by a rootkit. It produces various popups from a number of advertisers, all generated from adchannel.contextplus.net. The best way to tell if you've got it is to run this diagnostic tool:

Download Rootkit Revealer (free tool): »technet.microsoft.com/en ··· 445.aspx
Unzip it to your desktop. Open the rootkitrevealer folder and double-click rootkitrevealer.exe.
Click the Scan button (bottom right). It may take a while to scan (don't do anything while it's running).
When it's done, go up to File > Save. Choose to save it to your desktop. We may need to request a copy of it later.

If you see 200-300 or so entries that are similar to the following, you can try running the AproposFix posted further down. Sample entries in the RootkitRevealer log showing Apropos infections have a random-named folder in the Programs folder and some of the highlighted file names (see below for an example). The ace.dll file is frequently seen as well.

by CalamityJane, edited by lilhurricane

Aurora/Nail fix by racooper w/ SwanDog46 & miekiemoes

PLEASE READ AND FOLLOW THESE INSTRUCTIONS CAREFULLY; YOU MAY WANT TO PRINT OR SAVE THESE INSTRUCTIONS LOCALLY BEFORE STARTING.

1. Please download, install, and update the free version of Ewido AntiMalware:
   * From the main Ewido screen, click on Update in the left menu, then click the Start update button.
   * After the update finishes, the status bar at the bottom will display "Update successful".
   * Exit Ewido. DO NOT scan yet.

2. Please download this revised installer for the Nailfix utility. DO NOT run it yet. Alternate download links here:
   http://www.spywareedge.net/nf/nailfix.exe
   http://www.spywareaid.com/index.php?file=s...22&softtype=exe

3. Reboot to Safe Mode. How to start the computer in Safe Mode: http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

4. Once in Safe Mode, please double-click on nailfix.exe. Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish". Your desktop and icons will disappear and reappear, and a window should open and close very quickly; this is normal.

5. Next, run Ewido again.
   * Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
   * If Ewido finds anything, it will pop up a notification. You can select "Remove" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
   * When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

6. Then run HijackThis, click Scan, and place a checkmark by the following items (if found):
   F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
   O4 - HKLM\..\Run: [random] c:\windows\system32\random.exe r
   Close all open windows except for HijackThis and click Fix Checked.
   Note that the O4 entry may have changed names if you have rebooted since posting the log; look for an entry with a similar format, which will always end in a single letter r.
   Locate and delete the following file: c:\windows\system32\random.exe (or whatever the name may have changed to, as noted above).

7. Now, run CCleaner.
   * Uncheck "Cookies" under "Internet Explorer".
   * If running Firefox: click on the "Applications" tab and uncheck "Cookies" under "Firefox".
   * Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.

8. Please start a new topic if you need help. Do not post your logs in someone else's threads.

Please NOTE: If you have not done so already, follow the Mandatory Steps first before posting a HijackThis log.
The rules are here: http://www.dslreports.com/faq/13616

Edited for new version of Nailfix 22Jul2005 by CalamityJane, edited by lilhurricane

E2TakeOut version 1.00 by: RubbeR DuckY

This program removes the E2Give and PTech malware. Simply download, unzip, and run the E2TakeOut.exe file. Follow the onscreen directions and be sure to restart your computer when prompted.

Main indicators in a HijackThis log:
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O20 - AppInit_DLLs: iniwin32.dll
O20 - AppInit_DLLs: inicfg32.dll

How to Use
Please download E2TakeOut by Rubber Ducky from here: »www.malwarebytes.org/E2T ··· eOut.zip
* Extract the file to your Desktop
* Double-click E2TakeOut.exe
* Click the Begin Removal button
* Wait until the program is finished scanning
* Once done, it will produce a popup stating that the infection has been found and you need to reboot your computer to complete the removal
* Reboot your computer
* Once your computer has rebooted, E2TakeOut will open and produce a report
* Please copy/paste that report into your next reply

by CalamityJane

LQfix by miekiemoes (free tool) is used for the latest variants of Elitebar, including the pokapoka strains. You can download it here: »users.pandora.be/bluepat ··· Qfix.exe
Download it to your desktop. Double-click LQfix.exe and click Install. Leave the default settings. If you change them, the fix will fail. Make sure 'Launch LQfix' is checked. After clicking Finish in the install, the fix will start. Follow the prompts on the screen. Your system will reboot afterwards. Your system may take longer than usual to start up this one time; please be patient.

.................
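A small detector for the HijackThis indicators this FAQ lists for the Aurora/Nail fix and for E2TakeOut (the F2 Shell line, the O4 Run entry ending in a single letter r, the E2G BHO CLSID and the two AppInit_DLLs names), as an added example that is not part of the original FAQ or of any tool it describes. The sample log it scans is constructed; the benign entries in it are invented placeholders and the random Run-entry name is chosen arbitrarily.

```python
import re

# Indicator patterns for the two families whose HijackThis lines the FAQ
# lists above (Aurora/Nail and E2Give/PTech).  Matching is case-insensitive
# because HijackThis prints paths exactly as they appear in the registry.
INDICATORS = [
    ("Aurora/Nail",
     r"^F2 - REG:system\.ini: Shell=Explorer\.exe .*\\Nail\.exe$"),
    # The Run entry has a random name; the FAQ notes it always ends in " r".
    ("Aurora/Nail",
     r"^O4 - HKLM\\\.\.\\Run: \[[^\]]+\] .*\\system32\\[^\\ ]+\.exe r$"),
    ("E2Give/PTech",
     r"^O2 - BHO: .*\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6\}.*\\E2G\\IeBHOs\.dll$"),
    ("E2Give/PTech",
     r"^O20 - AppInit_DLLs: (iniwin32|inicfg32)\.dll$"),
]
COMPILED = [(fam, re.compile(pat, re.IGNORECASE)) for fam, pat in INDICATORS]


def scan_hijackthis_log(text):
    """Return [(family, line)] for each log line matching an indicator;
    the first matching pattern wins, so a line is reported at most once."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        for family, rx in COMPILED:
            if rx.match(line):
                hits.append((family, line))
                break
    return hits


# Constructed sample log: two benign placeholder entries mixed with the
# FAQ's indicators (the random Run-entry name is arbitrary).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [xkqwe] c:\windows\system32\xkqwe.exe r
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\benign.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O20 - AppInit_DLLs: inicfg32.dll
"""

if __name__ == "__main__":
    for family, line in scan_hijackthis_log(SAMPLE_LOG):
        print(f"[{family}] {line}")
```

Run it against a saved HijackThis log instead of SAMPLE_LOG to get the flagged lines in the order they appear; anything not listed is not judged by this script.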
And the free version of Ewido Security Suite can also remove most of the variants of pokapoka and Elitebar safely, including the Qoologic trojan that often accompanies EliteBar: »www.ewido.net/en/download/

by CalamityJane, edited by lilhurricane

Please see: »Security Cleanup FAQ »Zlob/Smitfraud Removal

Edit: 16 April 2006. New tool now fixes all Smitfraud variants. FAQ combined into one: »Security Cleanup FAQ »Zlob/Smitfraud Removal

by CalamityJane

These removal tools only work for the following operating systems:
1. SmitfraudFix: Windows 2k, 2003 and XP ONLY
2. RogueRemover: Vista
Windows 98/ME users will need to follow the complete pre-cleaning FAQ here: »Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance

SpywareQuake and SpyFalcon are just two of many examples of the Zlob/Smitfraud family of desktop hijackers. They pop up over the desktop or give an alert from the taskbar near the clock, displaying a warning message that your computer is infected with spyware and telling you to buy/download/install their program. These warnings are fake and try to trick you into buying the commercial version of the software. The many versions of this pest can vary in the warning message shown. A list of example screenshots can be seen here: »Security Cleanup FAQ »Screenshots of Desktop Hijack

Other Zlob/Smitfraud variants include: AlphaCleaner, AdwarePunisher, AntiVirusGold, AntispywareSoldier, PSGuard, RazeSpyware, Search Maid, Security IGuard, SpyAxe, SpyFalcon, SpySheriff, SpywareStrike, Virtual Maid, VirusBurst, WinHound (this list of names has become too long to list all of the possibilities).

Note: Not for Vista users. If you are running Windows Vista, please use the RogueRemover tool described in the next section.

The following steps may not clean all of it, but should be a good start and will restore the desktop to default at least, so you can proceed with complete removal using various tools.

1. Print out or save to Notepad these instructions, as we will need to do most steps offline and in SAFE MODE (so you won't have this window open to see the instructions from).

2. (WinXP, 2k only!) Download SmitfraudFix (by S!Ri) to your Desktop: http://siri.urz.free.fr/Fix/SmitfraudFix.zip
   Extract all the files to your Desktop. How to extract (decompress) zipped or compressed files: »www.lvsonline.com/tut-co ··· ex.shtml
   A folder named SmitfraudFix will be created on your Desktop.
   Note: process.exe is part of the SmitfraudFix tool and is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky, Panda) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. http://www.beyondlogic.org/consulting/proc...processutil.htm

3. Reboot into Safe Mode. How to start the computer in Safe Mode: you can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit Enter.

4. Once in Safe Mode, open the SmitfraudFix folder and double-click smitfraudfix.cmd. Select option #2 - Clean by typing 2 and pressing Enter to delete infected files.
   You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer Yes by typing Y and hitting Enter in order to remove the Desktop background and clean registry keys associated with the infection.
   The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hitting Enter.

5. A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually.

6. Now please scan with HijackThis to produce a log. Post that log in a new topic along with the Ewido log you saved earlier (or the Adaware log) and the Panda report.
We will also need the log from SmitfraudFix called rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your new topic.

Logs needed in your post are:
* rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed
* Fresh HijackThis log

...........................................

VISTA users, please use this tool instead

Please download Rogue Remover from here: »www.malwarebytes.org/rog ··· over.php and save it to your desktop.
* Double-click on rr-free-setup.exe to install in C:\Program Files\RogueRemover.
* Navigate to the folder and double-click on the file named RogueRemover.exe, or use the icon that was created on your desktop.
* Once the program runs, select Check for Updates.
* When prompted, select Check for Updates.
* If prompted again, click Download to receive the latest updates.
* When completed, close the update window.
* Finally, select Scan and the program will walk you through the remaining steps.

.................................................................................................

Additional Instructions

a. How to Post a new Topic in the Security Cleanup Forum
Go to this link: »Security Cleanup
Start your own thread by pressing the *New Topic* button. Do not interrupt other similar threads with your problem.

b. Instructions for HijackThis:
Please make a new folder to put your HijackThis.exe into. Anywhere on your hard drive is fine other than your Desktop or the Temp folder. We suggest you use something like "C:\Program Files\HijackThis" but feel free to use any name. See here for specific instructions and screenshots to help: »russelltexas.com/malware ··· lder.htm
This is to ensure it makes the necessary backups for recovery if needed.
Download HijackThis: »www.trendsecure.com/port ··· this.php
Unzip/decompress the file and save the contents (HijackThis.exe) to the new folder you made, then double-click on HijackThis.exe to open the program. On the Main Menu page, choose *Do a system scan and save a log*. When the scan finishes, you will get a popup to save the logfile. Please make note of the location you will be saving it to and click *Save*. This should save the file and open the log in Notepad. Copy the contents and post the results here. Most of what it lists will be harmless or even essential; don't fix anything yet. Someone will be along to tell you what steps to take after you post the contents of the scan results.

................................................................................

Edit 01 Sep 2007 by CalamityJane: Added additional instructions for Vista
Edit 08 Aug 2007 by CalamityJane: Adjusted HJT instructions for new ver. 2.02 by Trend Micro
Edit 16 Oct 2006 by CalamityJane: Removed Ewido and Panda scan instructions as SmitfraudFix can do the whole job.
Edit 16 Jul 2006 by CalamityJane: Adjusted instructions for Ewido new ver 4.0
Edit 16 April 2006 by CalamityJane: Added SmitfraudFix tool to replace SmitRem and roguescanfix tools.

by CalamityJane

Vundo/VirtuMonde is an adware program that downloads and displays popup advertisements, often seen as Winfixer. Please see the important note at the bottom regarding a vulnerability in Sun Java that may have been the source of this infection. It may also hijack the browser to unwanted advertising-related sites. If you know that you have the Vundo/Virtumonde trojan and other programs have not been able to remove it, please take the following steps using the free tools below.
Please download VundoFix.exe from here: »www.atribune.org/ccount/ ··· php?id=4 and save it to your desktop.
* Double-click VundoFix.exe to run it.
* Click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files; click YES.
* Once you click Yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer; click OK.
* Please post the contents of C:\vundofix.txt and a new HijackThis log.
* Please post the contents of C:\vundofix.txt into a New Topic in the Security Cleanup Forum.

Go to this link: »Security Cleanup
Start your own thread by pressing the *New Topic* button. Do not interrupt other similar threads with your problem. Include the vundofix.txt contents and a fresh HijackThis log (instructions below). Please put in the Title of your topic: Vundo Removal.

We will also need to see a diagnostic log from the free tool HijackThis.
* Please make a new folder to put your HijackThis.exe into. Anywhere on your hard drive is fine other than your Desktop or the Temp folder. We suggest you use something like "C:\Program Files\HijackThis" but feel free to use any name. This is to ensure it makes the necessary backups for recovery if needed. See here for specific instructions and screenshots to help: »russelltexas.com/malware ··· lder.htm
* Download HijackThis here: »www.trendsecure.com/port ··· this.php
* Unzip the file to the new folder you made and double-click on HijackThis.exe to open the program. On the new users quickstart page, choose *Do a system scan and save a log*.
* When the scan finishes, you will get a popup to save the logfile. Please make note of the location you will be saving it to and click *Save*. This should save the file and open the log in Notepad. Copy the contents and post the results into your New Topic when you are ready to post for help. Most of what it lists will be harmless or even essential; don't fix anything yet. Someone will be along to tell you what steps to take after you post the contents of the scan results.

...................................................................................

Important Note: A possible vulnerability in Sun Java versions may be responsible for Vundo/Winfixer infections

Check your installed Sun Java versions. We have noticed a large number of Winfixer/Vundo/Virtumonde victims have an older version of Sun Java installed in Add/Remove Programs in the Control Panel. Other older or newer versions may also be installed. Please see this topic: »Potential Vulnerability with Sun Java auto update

Important Note: Autoupdate of Sun Java does not uninstall previous (vulnerable) versions of the program. Therefore all users are encouraged to please check in your Control Panel, under Add/Remove Programs, and uninstall any older versions of Sun Java.
To check whether you have the latest version, please go to this link to verify your version and get the updates needed: »www.java.com/en/download ··· atic.jsp
You'll need to use IE and allow ActiveX for this update. Follow the instructions on that page to verify your Java software. Or you can get the manual download here: »www.java.com/en/download ··· nual.jsp

And in the future, remember to remove older versions of Java when you automatically update to a newer version, to avoid exploitation of older versions left on your system.

Update: From the SANS Handler's Diary at the Internet Storm Center, posted January 13th 2006: CERTs warn about Java bug being exploited »isc.sans.org/diary.php?s ··· yid=1039

Quote: AND you still need to manually uninstall old versions of Sun Java after updating!

by CalamityJane, edited by lilhurricane