11-14-2006, 07:31 AM   #4
Ried
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 19,078
OS: WinXP and Vista

Hi,

Now we go after the rest of it--this may take a few rounds to eradicate it completely.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

***************************************************

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop** Do not run it yet.

-----------------

Download gmer from http://www.gmer.net & unzip it to desktop. Do not run it yet.

-----------------

Using Internet Explorer, download ResetTeaTimer.bat.

If you are using Firefox, right click the above link and choose ‘Save As’. Save it to your desktop.

Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

-----------------

Download LSPFix.exe

Instructions for using LSPFix
  1. Double click on LSPFix.exe to run it.
  2. Once running, you will be required to tick the disclaimer - "I know what I'm doing".
  3. You'll find a window with 2 panes.
  4. In the left pane which is labeled Keep, select all instances of sniffer.dll
  5. Then click on the arrow pointing to the right, >>.
  6. This will move the entry to the right pane labeled Remove
  7. Click the Finish button to complete the fix.
If you are unsure about removing certain files, please come back and post the filenames here and I will advise you how to proceed.

-----------------------------------

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

-----------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O4 - HKCU\..\Run: [shell] "D:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [WinMedia] C:\361101032252966165.exe
O4 - HKCU\..\Run: [Winstl] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstb] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstd] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstr] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winsty] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstn] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstw] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstu] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstt] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstj] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstf] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winsta] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstc] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstv] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstq] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstg] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstp] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winsti] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstm] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winsth] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winste] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstz] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winsts] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstk] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstx] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winsto] C:\361101032252978853.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Uninstall.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0729a573...p/RdxIE601.cab



Click 'Fix Checked' and close HijackThis.

-----------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* Select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.

-----------------------------------

Using My Computer, navigate to and delete the following Files:

D:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
C:\361101032252966165.exe
C:\361101032252978853.exe


-----------------------------------

Clear your Temp and Temporary Internet Files:
  • Go to Start > Run and type cleanmgr in the box. Let it scan your system for files to remove.
  • Make sure 'Temporary Internet Files' and 'Temporary Files' are checked and click OK.

-----------------------------------


Reboot into Normal Mode.

-----------------------------------

Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


-----------------------------------

Launch gmer.exe by double-clicking it. Select the rootkit tab & make sure the 'Show All' button is unticked.

Press scan & when it has finished, press copy & paste the log back here.

-----------------------------------

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.


-----------------------------------

Run a new scan with HijackThis and save the log.

-----------------------------------

Please include the following in your next reply:

Panda results
ComboFix.txt
New HijackThis log
__________________

Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Keep this site free for all. Please consider donating.

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
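The HijackThis entries quoted in the post above follow a fixed line format (R1 for Internet Explorer search settings, O4 for autostart entries, O16 for downloaded ActiveX controls), and the two autostart patterns in that log are easy to spot mechanically. The following is an added example, not code from Ried's post or from HijackThis: a small parser for those three entry types plus heuristics that flag one executable registered under many differently named Run keys, executables with all-digit names dropped directly into a drive root, and the host behind the overridden search settings. The function names and heuristics are this example's own; the sample lines are copied from the log quoted in the post, with the 26 [Winst?] entries regenerated from their suffix letters.

```python
"""Parse HijackThis-style log lines and flag the autostart patterns seen above.

Added example, not part of Ried's post or of HijackThis itself. Sample lines
are copied from the log entries quoted in the post; the heuristics and the
function names are this example's own.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Entry formats as they appear in the post: R1 (IE search settings),
# O4 (autostart entries) and O16 (downloaded ActiveX controls).
R1_RE = re.compile(r'^R1 - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$')
O4_RE = re.compile(r'^O4 - (?P<location>[^:]+): (?:\[(?P<name>[^\]]+)\] )?(?P<cmd>.*)$')
O16_RE = re.compile(r'^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<desc>[^)]*)\) - (?P<url>.*)$')


def parse_line(line):
    """Return a dict for an R1/O4/O16 line, or None for anything else."""
    line = line.strip()
    for kind, rx in (('R1', R1_RE), ('O4', O4_RE), ('O16', O16_RE)):
        m = rx.match(line)
        if m:
            rec = {k: (v.strip() if v else v) for k, v in m.groupdict().items()}
            rec['type'] = kind
            return rec
    return None


def parse_log(lines):
    """Parse every recognised line, silently skipping the rest."""
    return [rec for rec in map(parse_line, lines) if rec]


def executable_path(cmd):
    """Extract the program path from an O4 command line.

    Quoted paths are returned whole; a bare command is cut at its first space,
    so an unquoted path containing spaces is truncated (sufficient here)."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(None, 1)[0]


def shared_run_targets(entries, min_names=3):
    """Executables referenced by at least `min_names` differently named entries.

    A legitimate program registers itself once; the 26 [Winst?] keys in the post
    all launch the same file, so deleting any single key changes nothing."""
    by_target = defaultdict(list)
    for e in entries:
        if e['type'] == 'O4' and e['name']:
            # Windows paths are case-insensitive, so fold case before grouping.
            by_target[executable_path(e['cmd']).lower()].append(e['name'])
    return {path: names for path, names in by_target.items() if len(names) >= min_names}


def root_drop_executables(entries):
    """O4 targets that are all-digit .exe names sitting directly in a drive root."""
    pattern = re.compile(r'[A-Za-z]:\\\d+\.exe$', re.IGNORECASE)
    return {executable_path(e['cmd']) for e in entries
            if e['type'] == 'O4' and pattern.fullmatch(executable_path(e['cmd']))}


def search_override_hosts(entries):
    """Count R1 search-setting overrides per target host."""
    hosts = defaultdict(int)
    for e in entries:
        if e['type'] == 'R1' and e['data'].startswith('http'):
            hosts[urlsplit(e['data']).hostname] += 1
    return dict(hosts)


WINST_SUFFIXES = "lbdrynwutjfacvqgpimhezskxo"  # the 26 [Winst?] names quoted in the post
SAMPLE_LOG = [  # constructed from the log lines quoted in the post
    r'R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html',
    r'R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com',
    r'R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com',
    r'O4 - HKCU\..\Run: [shell] "D:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"',
    r'O4 - HKCU\..\Run: [WinMedia] C:\361101032252966165.exe',
    *[rf'O4 - HKCU\..\Run: [Winst{c}] C:\361101032252978853.exe' for c in WINST_SUFFIXES],
    r'O4 - Startup: PowerReg Scheduler V3.exe',
    r'O4 - Global Startup: Uninstall.exe',
    r'O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0729a573...p/RdxIE601.cab',
]

if __name__ == '__main__':
    entries = parse_log(SAMPLE_LOG)
    for path, names in shared_run_targets(entries).items():
        print(f'{len(names)} Run entries launch {path}: {", ".join(names)}')
    print('digit-named executables in a drive root:', sorted(root_drop_executables(entries)))
    print('search settings point at:', search_override_hosts(entries))
```

Run against a full HijackThis log, the shared-target report would list the one file behind all 26 Winst* keys and the root-drop check both numeric executables, which is exactly the set the post tells the user to delete after fixing the keys.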