

2.1 Malware Removal

Symptoms


Unexplained popups, even after all the steps in the following FAQ come up "clean":
»Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance

No apparent signs in a HijackThis log.

No entries visible under "Device Manager" or "Network Places"

This pest is adware that is hidden by a rootkit. It produces various popups from a number of advertisers, all originating from adchannel.contextplus.net

The best way to tell if you've got it is to run this diagnostic tool:
Download Rootkit Revealer (free tool)
»technet.microsoft.com/en ··· 445.aspx

Unzip it to your desktop.
Open the rootkitrevealer folder and double-click rootkitrevealer.exe
Click the Scan button (bottom right)
It may take a while to scan (don't do anything while it's running)
When it's done, go up to File > Save. Choose to save it to your desktop.
We may need to request a copy of it later.

If you see 200-300 or so entries that are similar to the following, you can try running the AproposFix posted further down.

Sample entries from a RootkitRevealer log of an Apropos infection are shown below. The tell-tale signs are a randomly named folder in the Program Files folder and file names like those in the example; the ace.dll file is frequently seen as well.
quote:
C:\Program Files\Holt_old Note: Random Named Folder in Program Files 13/11/2005 17:37 0 bytes Hidden from Windows API.
C:\Program Files\Holt_old\ace.dll 26/10/2005 15:46 568.00 KB Hidden from Windows API.
C:\Program Files\Holt_old\AI_07-11-2005.log 07/11/2005 00:00 3 bytes Hidden from Windows API.
C:\Program Files\Holt_old\AI_08-11-2005.log 08/11/2005 00:00 3 bytes Hidden from Windows API.
C:\Program Files\Holt_old\AI_09-11-2005.log 09/11/2005 00:00 3 bytes Hidden from Windows API.
C:\Program Files\Holt_old\AI_10-11-2005.log 10/11/2005 00:00 3 bytes Hidden from Windows API.
C:\Program Files\Holt_old\AI_11-11-2005.log 11/11/2005 00:05 3 bytes Hidden from Windows API.
C:\Program Files\Holt_old\AI_12-11-2005.log 12/11/2005 00:00 3 bytes Hidden from Windows API.
C:\Program Files\Holt_old\AI_13-11-2005.log 13/11/2005 00:00 3 bytes Hidden from Windows API.
C:\Program Files\Holt_old\Cache 13/11/2005 17:58 0 bytes Hidden from Windows API.
C:\Program Files\Holt_old\Cache\0000001c_436ee411_0000b71b 07/11/2005 00:20 3.81 KB Hidden from Windows API.
C:\Program Files\Holt_old\Cache\0000001c_436fd078_000ec82e 07/11/2005 17:08 5.38 KB Hidden from Windows API.
C:\Program Files\Holt_old\Cache\00000029_435febb3_0007270e 26/10/2005 15:48 2 bytes Hidden from Windows API.
C:\Program Files\Holt_old\Cache\00000029_435fed33_0002dc6c 13/11/2005 19:07 3.54 KB Hidden from Windows API.
quote:
etc. (The log itself will be very long, with many entries similar to the above.)
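One way to triage a long RootkitRevealer log of this kind, as an added example (not a tool from the FAQ): it parses the log format quoted above, keeps only "Hidden from Windows API" entries under Program Files, and counts them per top-level folder, also noting whether ace.dll is present. The sample lines are constructed from the entries above; the registry line is a made-up discrepancy used to show that non-hidden-file entries are ignored.

```python
import re
from collections import defaultdict

# One RootkitRevealer line: <path> <dd/mm/yyyy HH:MM> <size> <description>.
# The path may contain spaces, so it is matched non-greedily up to the timestamp.
ENTRY_RE = re.compile(
    r"^(?P<path>.+?) (?P<date>\d{2}/\d{2}/\d{4} \d{2}:\d{2}) "
    r"(?P<size>[\d.]+ (?:bytes|KB|MB|GB)) (?P<desc>.+)$"
)

# Constructed sample lines modelled on the entries quoted above.
SAMPLE_LOG = """\
C:\\Program Files\\Holt_old 13/11/2005 17:37 0 bytes Hidden from Windows API.
C:\\Program Files\\Holt_old\\ace.dll 26/10/2005 15:46 568.00 KB Hidden from Windows API.
C:\\Program Files\\Holt_old\\AI_07-11-2005.log 07/11/2005 00:00 3 bytes Hidden from Windows API.
C:\\Program Files\\Holt_old\\Cache 13/11/2005 17:58 0 bytes Hidden from Windows API.
C:\\Program Files\\Holt_old\\Cache\\0000001c_436ee411_0000b71b 07/11/2005 00:20 3.81 KB Hidden from Windows API.
HKLM\\SOFTWARE\\ExampleVendor\\Setting 13/11/2005 17:40 12 bytes Data mismatch between Windows API and raw hive data.
"""


def parse_entries(log_text):
    """Return one dict per line that looks like a RootkitRevealer entry."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def hidden_program_files_folders(log_text):
    """Group 'Hidden from Windows API' entries by their top-level Program Files folder.

    Returns {folder: {"hidden_entries": n, "has_ace_dll": bool}}, which makes the
    randomly named folder (and the ace.dll marker) described above stand out.
    """
    per_folder = defaultdict(lambda: {"hidden_entries": 0, "has_ace_dll": False})
    for entry in parse_entries(log_text):
        if not entry["desc"].startswith("Hidden from Windows API"):
            continue
        parts = entry["path"].split("\\")
        if len(parts) < 3 or parts[1].lower() != "program files":
            continue
        folder = "\\".join(parts[:3])
        record = per_folder[folder]
        record["hidden_entries"] += 1
        if parts[-1].lower() == "ace.dll":
            record["has_ace_dll"] = True
    return dict(per_folder)


if __name__ == "__main__":
    for folder, info in hidden_program_files_folders(SAMPLE_LOG).items():
        print(folder, info)
```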

The Fix


Please download AproposFix from here:

»Security Cleanup FAQ »Security Clean-Up Approved White List

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post the entire contents of the log.txt file in the aproposfix folder into a New Topic.

Thanks to Swandog46 for developing this fix tool :)

1/6/07 --- fixed broken link to RootkitRevealer ~lil~

by CalamityJane, edited by lilhurricane
last modified: 2008-01-06 11:18:38


Aurora/Nail fix
By racooper w/SwanDog46 & miekiemoes

PLEASE READ AND FOLLOW THESE INSTRUCTIONS CAREFULLY; YOU MAY WANT TO PRINT OR SAVE THESE INSTRUCTIONS LOCALLY BEFORE STARTING.

1. Please download, install, and update the free version of Ewido AntiMalware:

    * From the main ewido screen, click on update in the left menu, then click the Start update button.
    * After the update finishes (the status bar at the bottom will display "Update successful")
    * Exit Ewido. DO NOT scan yet.

Download CCleaner and install, but do not run it yet.

2. Please download this revised installer for the Nailfix utility.
DO NOT run it yet.
Alternate download links here:
http://www.spywareedge.net/nf/nailfix.exe
http://www.spywareaid.com/index.php?file=s...22&softtype=exe

3. Reboot to Safe Mode
How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

4. Once in Safe Mode, please double-click on nailfix.exe. Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish". Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

5. Next, run Ewido again.

    * Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
    * If ewido finds anything, it will pop up a notification. You can select "remove" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
    * When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.


6. Then run HijackThis, click Scan, and place a checkmark by the following items (if found):

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O4 - HKLM\..\Run: [random] c:\windows\system32\random.exe r


Close all open windows except for HijackThis and click Fix Checked. Note that the O4 entry may have changed names if you have rebooted since posting the log; look for an entry with a similar format, which will always end in a single letter r.

Locate and delete the following file:
c:\windows\system32\random.exe (or whatever the name may have changed to, as noted above).

7. Now, run CCleaner.

    * Uncheck "Cookies" under "Internet Explorer".
    * If running Firefox: click on the "Applications" tab and uncheck "Cookies" under "Firefox".
    * Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.
Finally, restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

8. Please start a new topic if you need help. Do not post your logs in someone else's threads. Please NOTE: If you have not done so already, follow the Mandatory Steps first before posting a HijackThis log. The rules are here:
http://www.dslreports.com/faq/13616

Edited for new version of Nailfix 22Jul2005

by CalamityJane, edited by lilhurricane
last modified: 2006-01-02 23:49:29

E2TakeOut version 1.00
by: RubbeR DuckY

This program removes the E2Give and PTech malware. Simply download, unzip, and run the E2TakeOut.exe file. Follow the onscreen directions and be sure to restart your computer when prompted.

Main indicators in a HijackThis log:

O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O20 - AppInit_DLLs: iniwin32.dll
O20 - AppInit_DLLs: inicfg32.dll
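An added example (not part of the FAQ or of either fix tool) that checks HijackThis log lines for the indicators listed in the Aurora/Nail section (step 6) and in the E2Give/PTech section above: a Shell= value with an executable besides Explorer.exe, an O4 Run entry whose command ends in a single "r", the two AppInit_DLLs names, and the E2G BHO. The sample log is constructed: two ordinary lines plus the indicator lines quoted above.

```python
import re

# Indicators quoted in the Nail and E2Give sections of this FAQ.
E2G_BHO_CLSID = "{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}"
SUSPECT_APPINIT_DLLS = {"iniwin32.dll", "inicfg32.dll"}

O4_RE = re.compile(r"^O4 - .*\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# Constructed sample log: two ordinary lines plus the FAQ's indicator lines.
SAMPLE_HJT = """\
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,
F2 - REG:system.ini: Shell=Explorer.exe C:\\WINDOWS\\Nail.exe
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKLM\\..\\Run: [random] c:\\windows\\system32\\random.exe r
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\\Program Files\\E2G\\IeBHOs.dll
O20 - AppInit_DLLs: iniwin32.dll
O20 - AppInit_DLLs: inicfg32.dll
"""


def check_line(line):
    """Return the name of the FAQ indicator a HijackThis line matches, or None."""
    line = line.strip()
    if line.startswith("F2 - REG:system.ini: Shell="):
        # Shell should be Explorer.exe alone; Nail appends a second executable.
        programs = line.split("Shell=", 1)[1].split()
        if any(p.lower() != "explorer.exe" for p in programs):
            return "shell_extra_executable"
    m = O4_RE.match(line)
    if m and re.search(r"\.exe r$", m.group("cmd"), re.IGNORECASE):
        # Aurora/Nail run entry: random name, command ending in a single 'r'.
        return "run_entry_single_r_argument"
    if line.startswith("O20 - AppInit_DLLs:"):
        dlls = re.split(r"[,\s]+", line.split(":", 1)[1].strip().lower())
        if SUSPECT_APPINIT_DLLS & set(dlls):
            return "e2give_appinit_dll"
    if line.startswith("O2 - BHO:") and (
        E2G_BHO_CLSID in line or line.lower().endswith("\\e2g\\iebhos.dll")
    ):
        return "e2give_bho"
    return None


def check_hjt(log_text):
    """Return (indicator, line) pairs for every line that matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        rule = check_line(line)
        if rule:
            hits.append((rule, line.strip()))
    return hits


if __name__ == "__main__":
    for rule, line in check_hjt(SAMPLE_HJT):
        print(f"{rule}: {line}")
```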

How to Use
Please download E2TakeOut by Rubber Ducky from here:

»www.malwarebytes.org/E2T ··· eOut.zip

* Extract the file to your Desktop
* Double click E2TakeOut.exe
* Click the Begin Removal button
* Wait until the program is finished scanning
* Once done, it will produce a popup stating that the infection has been found and you need to reboot your computer to complete the removal
* Reboot your computer
* Once your computer has rebooted E2TakeOut will open and produce a report
* Please copy/paste that report into your next reply

by CalamityJane
last modified: 2006-06-08 10:18:29

LQfix by miekiemoes (free tool) is used for the latest variants of Elitebar, including the pokapoka strains.
You can download it here:

»users.pandora.be/bluepat ··· Qfix.exe

Download it to your desktop

Double-click LQfix.exe and click install.

Leave the default settings. If you change them, the fix will fail.

Make sure 'Launch LQfix' is checked. After clicking finish in the install, the fix will start.

Follow the prompts on the screen. Your system will reboot afterwards.

Your system may take longer than usual to start up this one time; please be patient.
.................
And the free version of Ewido Security Suite can also remove most of the variants of pokapoka and Elitebar safely, including the Qoologic Trojan that often accompanies EliteBar
»www.ewido.net/en/download/

by CalamityJane, edited by lilhurricane
last modified: 2006-01-09 00:18:18

Please see:
»Security Cleanup FAQ »Zlob/Smitfraud Removal

Edit: 16 April 2006 New tool now fixes all Smitfraud variants. FAQ combined into one:
»Security Cleanup FAQ »Zlob/Smitfraud Removal

by CalamityJane
last modified: 2006-04-16 21:36:02

These removal tools only work for the following operating systems:

1. SmitfraudFix: Windows 2k, 2003 and XP ONLY
2. RogueRemover: Vista

Windows 98/ME users will need to follow the complete pre-cleaning FAQ here:
»Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance

SpywareQuake and SpyFalcon are just two of many examples of the Zlob/Smitfraud family of desktop hijackers. They pop up over the desktop or give an alert from the taskbar near the clock, displaying a warning message that your computer is infected with spyware and telling you to buy/download/install their program. These warnings are fake and try to trick you into buying the commercial version of the software. The many versions of this pest vary in the warning message shown. A list of example screenshots can be seen here:
»Security Cleanup FAQ »Screenshots of Desktop Hijack

Other Zlob/Smitfraud variants include:
AlphaCleaner
AdwarePunisher
AntiVirusGold
AntispywareSoldier
PSGuard
RazeSpyware
Search Maid
Security IGuard
SpyAxe
SpyFalcon
SpySheriff
SpywareStrike
Virtual Maid
VirusBurst
WinHound
(This list of names has become too long to list all of the possibilities.)

Zlob/Smitfraud Removal

Note: Not for Vista users. If you are running Windows Vista, please use the RogueRemover tool described in the next section.

The following steps may not clean all of it, but should be a good start and will restore the desktop to default at least so you can proceed with complete removal using various tools.

1. Print out or save to notepad these instructions as we will need to do most steps offline and in SAFE MODE (so you won't have this window open to see the instruction from)

2. (WinXP, 2k only!) Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Desktop.
How to extract (decompress) zipped or compressed files
»www.lvsonline.com/tut-co ··· ex.shtml

A folder named SmitfraudFix will be created on your Desktop.



Note : process.exe is part of the SmitFraudFix tool and is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky, Panda) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

3. Reboot into Safe Mode
How to start the computer in Safe mode:

You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

4. Once in Safe Mode, open the SmitfraudFix folder and double-click smitfraudfix.cmd



Select option #2 - Clean by typing 2 and press Enter to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.



The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hitting Enter.

5. A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually.

6. Now please scan with HijackThis to produce a log. Post that log in a new topic along with the Ewido log you saved earlier (or the Adaware log) and the Panda report. We will also need the log from SmitfraudFix called rapport.txt, found in the root of your drive (e.g. Local Disk C:, or whichever partition your operating system is installed on). Please post that log along with all the others requested in your new topic. Logs needed in your post are:

rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed

Fresh HijackThis log
...........................................
VISTA users, please use this tool instead

Please download Rogue Remover from here:
»www.malwarebytes.org/rog ··· over.php
and save it to your desktop.

    * Double-click on rr-free-setup.exe to install in C:\Program Files\RogueRemover.
    * Navigate to the folder and double-click on the file named RogueRemover.exe, or use the icon that was created on your desktop.
    * Once the program runs, select Check for Updates.
    * When prompted, select Check for Updates.
    * If prompted again, click Download to receive the latest updates.
    * When completed, close the update window.
    * Finally, select Scan and the program will walk you through the remaining steps.

.................................................................................................
Additional Instructions

a. How to Post a new Topic in the Security Cleanup Forum
Go to this link:
»Security Cleanup
Start your own thread by pressing the *New Topic* button. Do not interrupt other similar threads with your problem.

b. Instructions for HijackThis:
Please make a new folder to put your HijackThis.exe into. Anywhere on your hard drive is fine other than your Desktop or the Temp folder. We suggest you use something like "C:\Program Files\HijackThis" but feel free to use any name. See here for specific instructions and screen shots to help:
»russelltexas.com/malware ··· lder.htm
This is to ensure it makes the necessary backups for recovery if needed.

Download HijackThis
»www.trendsecure.com/port ··· this.php

Unzip/decompress the file and save the contents (HijackThis.exe) to the new folder you made, then double-click on HijackThis.exe to open the program. On the Main Menu page, choose *Do a system scan and save a log*

When the scan finishes, you will get a popup to save the logfile. Please make note of the location you will be saving it to and click *save*. This should save the file and open the log in Notepad. Copy the contents and post the results here.
Most of what it lists will be harmless or even essential, don't fix anything yet. Someone will be along to tell you what steps to take after you post the contents of the scan results.

................................................................................

Edit 01 Sep 2007 by CalamityJane : Added additional instructions for Vista

Edit: 08 Aug 2007 by CalamityJane: Adjusted HJT instruction for new ver. 2.02 by Trend-Micro

16 Oct 2006 by CalamityJane. Removed Ewido and Panda scan instructions as SmitfraudFix can do the whole job.

Edit 16 Jul 2006 by CalamityJane: Adjusted instructions for Ewido new ver 4.0


Edit 16 April 2006 by CalamityJane: Added SmitfraudFix tool to replace SmitRem and roguescanfix tools.

by CalamityJane
last modified: 2007-09-01 22:12:04

Vundo/VirtuMonde is an adware program that downloads and displays popup advertisements, often seen as Winfixer. It may also hijack the browser to unwanted advertising-related sites. Please see the important note at the bottom regarding a vulnerability in Sun Java that may have been the source of this infection. If you know that you have the Vundo/VirtuMonde trojan and other programs have not been able to remove it, please take the following steps using the free tools below.

    VundoFix by Atribune


Please download VundoFix.exe from here:
»www.atribune.org/ccount/ ··· php?id=4

and save it to your desktop

• Double-click VundoFix.exe to run it.
• Click the Scan for Vundo button.
• Once it's done scanning, click the Remove Vundo button.
• You will receive a prompt asking if you want to remove the files; click YES.
• Once you click yes, your desktop will go blank as it starts removing Vundo.
• When completed, it will prompt that it will reboot your computer; click OK.
• Please post the contents of C:\vundofix.txt and a new HijackThis log.

•Please post the contents of C:\vundofix.txt into a New Topic in the Security Cleanup Forum
Go to this link:
»Security Cleanup
Start your own thread by pressing the *New Topic* button. Do not interrupt other similar threads with your problem. Include the vundofix.txt contents and a fresh HijackThis log (instructions below). Please put in the Title of your topic: Vundo Removal.

We will also need to see a diagnostic log from the free tool HijackThis
    Create a Diagnostic log using HijackThis


• Please make a new folder to put your HijackThis.exe into. Anywhere on your hard drive is fine other than your Desktop or the Temp folder. We suggest you use something like "C:\Program Files\HijackThis" but feel free to use any name. This is to ensure it makes the necessary backups for recovery if needed.
See here for specific instructions and screen shots to help:
»russelltexas.com/malware ··· lder.htm

• Download HijackThis here
»www.trendsecure.com/port ··· this.php

• Unzip the file to the new folder you made and double-click on HijackThis.exe to open the program. On the new users' quickstart page, choose *Do a system scan and save a log*

• When the scan finishes, you will get a popup to Save the logfile. Please make note of the location you will be saving it to and click *save*. This should save the file and open the log in Notepad. Copy the contents and post the results into your New Topic when you are ready to post for help.

Most of what it lists will be harmless or even essential, don't fix anything yet. Someone will be along to tell you what steps to take after you post the contents of the scan results.

...................................................................................

Important Note: Possible Vulnerability in Sun Java versions may be responsible for Vundo/Winfixer infections
Check your installed Sun Java versions
We have noticed that a large number of Winfixer/Vundo/VirtuMonde victims have an older version of Sun Java installed in Add/Remove Programs in the Control Panel. Other older or newer versions may also be installed.
Please see this topic:
»Potential Vulnerability with Sun Java auto update

Important Note: Autoupdate of Sun Java does not uninstall previous (vulnerable) versions of the program.
Therefore all users are encouraged to please check in your Control Panel, under Add/Remove programs and uninstall any older versions of Sun Java.

To check whether your version is the latest, please go to this link to verify your version and get the updates needed:
»www.java.com/en/download ··· atic.jsp

You'll need to use IE and allow ActiveX for this update. Follow the instructions on that page to verify your Java software.

Or you can get the manual download here:
»www.java.com/en/download ··· nual.jsp

And in the future, remember to remove older versions of Java when you automatically update to a newer version to avoid exploitation of older versions left on your system.

Update: From the SANS Handler's Diary at the Internet Storm Center posted Handler's Diary January 13th 2006
CERTs warn about java bug being exploited
»isc.sans.org/diary.php?s ··· yid=1039
quote:
According to the bulletins you need at least:

* Version 1.3.1_16 or later
* Version 1.4.2_09 or later
* Version (1.)5 update 4 or later (My note: we are now on update 6 in this version)

to be safe.
AND you still need to manually uninstall old versions of Sun Java after updating!
quote:
Vince said it's also necessary to remove the old Java environments, not just get the new ones, as an attacker can target the old environments when they are still present.
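An added example (not from the FAQ or the ISC diary) that applies the version floors quoted above to the entries a user would read out of Add/Remove Programs: it parses both the "1.4.2_09" and the "5.0 Update 6" naming forms, checks each against the bulletin's minimum for its release family, and, following the note that auto-update leaves old environments behind, lists everything except the newest patched install for removal. The display names are constructed; treating a release family newer than any in the bulletin as patched is an assumption.

```python
import re

# Minimum safe builds quoted above from the ISC diary, keyed by release family.
MINIMUM_BY_FAMILY = {
    (1, 3, 1): (1, 3, 1, 16),
    (1, 4, 2): (1, 4, 2, 9),
    (1, 5, 0): (1, 5, 0, 4),
}

# Matches both "1.4.2_09" and the Add/Remove Programs form "5.0 Update 6".
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:_|\s+Update\s+)(\d+)", re.IGNORECASE)

# Constructed Add/Remove Programs display names for one machine.
INSTALLED = [
    "Java 2 Runtime Environment, SE v1.4.2_03",
    "J2SE Runtime Environment 5.0 Update 2",
    "J2SE Runtime Environment 5.0 Update 6",
]


def parse_version(display_name):
    """Return (major, minor, micro, update) or None if no version is found."""
    m = VERSION_RE.search(display_name)
    if not m:
        return None
    major, minor, micro, update = (int(g) if g else 0 for g in m.groups())
    if major >= 2:
        # "5.0 Update 6" is Sun's product name for 1.5.0_06.
        return (1, major, minor, update)
    return (major, minor, micro, update)


def is_patched(version):
    """True if the build is at or above the bulletin's minimum for its family."""
    family = version[:3]
    if family > max(MINIMUM_BY_FAMILY):
        return True  # assumption: a family newer than any in the bulletin supersedes it
    minimum = MINIMUM_BY_FAMILY.get(family)
    return minimum is not None and version >= minimum


def audit(display_names):
    """Return (keep, uninstall): the newest patched install and everything else.

    Every other entry is listed for removal because, as noted above, auto-update
    leaves old environments behind and they remain exploitable.
    """
    parsed = [(parse_version(n), n) for n in display_names]
    parsed = [(v, n) for v, n in parsed if v is not None]
    patched = [(v, n) for v, n in parsed if is_patched(v)]
    keep = max(patched)[1] if patched else None
    uninstall = [n for v, n in parsed if n != keep]
    return keep, uninstall


if __name__ == "__main__":
    keep, uninstall = audit(INSTALLED)
    print("keep:", keep)
    print("uninstall:", uninstall)
```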

by CalamityJane, edited by lilhurricane
last modified: 2009-12-21 02:04:40