Thread: Help! Stubborn Antispyware Soldier Infection
View Single Post
Old 10-04-2006, 11:01 AM   #6 (permalink)
fredmh
Analyst, Security Team ; TSF Supporter
 
fredmh's Avatar
 
Join Date: May 2006
Location: Phila,Pa
Posts: 2,335
OS: XP


It appears that you may have misunderstood the instructions on my last post, as all the original malware is still in place.

1. Option 1 of the SmitfraudFix tool was used instead of Option 2.
2. AVG Anti Spyware settings were not set to allow it to Quarantine what it found.

Let's try it again so we can get your system clean

----------------------------------------

Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding.
Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this
webpage would not be available when you're carrying out the fix.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

----------------------------------------

The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.

The process is not instant. Please continue to review my answers until I tell you your machine is clear.
Absence of symptoms does not mean that everything is clear. So lets do this to the end!

Please make every effort to reply to my posts in a timely manner. Malware breeds malware and the longer an infection remains on a system, the more
likely additional infections will result.

----------------------------------------

DOWNLOADS


AVG Anti-Spyware 7.5

  1. Double-click the icon on Desktop to launch AVG A-S 7.5
  2. On the top of the main screen click Shield
  3. Click the word active to change it to inactive
  4. On the top of the main screen click Update.
  5. Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  6. I also recommend changing the "Update interval" to something more reasonable like 12 hours.



CWSHREDDER

Your system is infected with Cool Web Search. You must download and run this tool

Download CWShredder and run it. Click Check for Update. Click on 'I Agree' button if you agree.
Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file,
choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

----------------------------------------

DISABLE ANTI-SPYWARE APPLICATIONS

Please disable these Anti-Spyware programs as they may interfere with this fix. You may re-enable them after we clean your system.



Windows Defender

Please disable your Windows Defender Real-time Protection, as it may hinder the removal of some entries.
  • Open Windows Defender.
  • Click on Tools>Options.
  • Scroll down and uncheck "Use real-time protection (recommended)".
  • After you uncheck this, click on the Save button and close Windows Defender.


S& D Spybot's Tea Timer


While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.

----------------------------------------

SAFE MODE RE-BOOT

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list).
In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

----------------------------------------

FIXES AND DELETIONS


Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any)

These are all still in place. They MUST be deleted

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [XHGWFKUF] c:\windows\system32\xhgwfkuf.exe /install

Please remember to close all other windows, including browsers then click Fix checked.

----------------------------------------

UNHIDE HIDDEN FILES

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

----------------------------------------

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

This file MUST be deleted

c:\windows\system32\xhgwfkuf.exe

----------------------------------------

SmitFraud - OPTION 2

We need to use Option #2 as it will clean the infection for us.


Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:rapport.txt) or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

----------------------------------------

RUNNING SCANNERS

AVG Anti-Spyware 7.5

Please ensure you're allowing AVG Anti Spyware to do it's job. Please note the settings below

  • Run AVG A-s with it's updated definitions: (...it's important that all windows must be closed)
    This scan can take quite a while to run, so be prepared.
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
  • When the scan is complete click Recommended Action and change it to Quarantine.
  • Then click Apply all actions.


Once finished, click the Save report button, then click Save Report As and save it to your desktop.


Note: DO NOT USE the computer while AVG A/S is scanning. If Explorer or the Control Panel are opened some malware types will
reinfect your system or will not be cleaned properly.

----------------------------------------

SECURE DESKTOP


Next go to Control Panel click Display>Desktop>Customize Desktop>Web> Now, Uncheck Everything and delete if present:

  • "Security Info"
  • "Warning Message"
  • "Security Desktop"
  • "Warning Homepage"
  • "Desktop Uninstall"


Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK.

----------------------------------------
SYSTEM RE-BOOT

Reboot into Normal Mode.

----------------------------------------

SmitFraud - OPTION 3

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.



Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford.
For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

----------------------------------------

ON-LINE SCANS


Kaspersky - Extended

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect.
    We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

----------------------------------------

FOLLOW-UP

Please return and post these items:

c:rapport.txt from SmitFraud
AVG A/S scan
Kaspersky scan
A new HJT log run in Normal Mode

Please note: In order to properly see what is on your system, all HJT logs must be run in the normal mode
fredmh is offline