Old 03-04-2006, 12:13 AM   #1 (permalink)
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
 
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,951
OS: Windows XP-Pro SP2


Users Self Help Malware Removal Guide

Updated 07-20-06

This section of the forum is designed as a self help guide for removal of some of the more common malware you find. Please understand that a lot of these infections require a trained analyst's help, and many steps to remove. If you're ever in doubt or confused about a step, then please post your Hijackthis log in the correct forum and an analyst will assist you.

Best Regards
MB


WARNING:

Use of the information in this thread is to be used at YOUR own risk. If you are unsure about a step or use of a tool then post your log in the hijackthis section and an Analyst will assist you.
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!





Spyware/Adware Removal Tools
Hijackthis
Ad-aware SE
Spybot Search&Destroy
SpywareBlaster
CWShredder

Last edited by tetonbob : 04-18-2007 at 08:45 AM.
Old 03-04-2006, 12:50 AM   #2 (permalink)
Virtumonde/Vundo Removal Instructions


Trojan Vundo is a component of an adware program that downloads and displays pop-up advertisements (such as Winfixer).

Entries to look for in the HJT log that will identify the infection.

O2 - BHO: MSEvents Object - {39D2FC9B-041C-470E-AE72-F8C001247626} - C:\WINDOWS\REGIST~1\pcdb.dll
O20 - Winlogon Notify: pcdb - C:\WINDOWS\REGIST~1\pcdb.dll
O2 - BHO: MSEvents Object - {AF7FCAFB-9FDB-4F5E-BAC6-68BDEE61D6C6} - C:\WINNT\addins\asip.dll
O20 - Winlogon Notify: asip - C:\WINNT\addins\asip.dll
O2 - BHO: CIEPl Object - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - C:\WINDOWS\system32\med.dll
O20 - Winlogon Notify: med - C:\WINDOWS\SYSTEM32\med.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\******.dll
O2 - BHO: ATLDistrib Object - {659E147E-BD03-4605-988C-AA6D7EA497CA} - C:\WINDOWS\system32\****.dll
O20 - Winlogon Notify: **** - C:\WINDOWS\SYSTEM32\****.dll
O2 - BHO: MFCOptimizeClass Object - {A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9} - C:\WINDOWS\System32\ssqrs.dll
O2 - BHO: WTLHelper Object - {75DC57F8-D831-4AB8-86B7-4F826F4A0873} - C:\WINDOWS\system32\jkkjk.dll
O2 - BHO: ADOUsefulNet Object - {EFF1B7BE-A875-450E-AD69-E93457DCEE6A} - C:\WINDOWS\System32\opnop.dll
O2 - BHO: RawExecAction Object - {18898424-E3AB-4BA9-8E8D-5434B1CECA75} - C:\WINDOWS\system32\vtstq.dll
O2 - BHO: DosSpecFolder Object - {3E1BEA96-02D9-4992-B508-9B51819D9D86} - C:\WINDOWS\System32\fccdd.dll


With each O2 entry, there will be a corresponding O20 entry in Winlogon Notify section. The file in the C:\WINDOWS\system32 folder will be a random named .dll file.

The Fix
+++++++++++++++++++++++++++++++++++++++++

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a set of logs from Deckard's System Scanner in a new thread in the HijackThis Log Help Forum if you need further assistance.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

You should now be free of Virtumonde/Vundo and the popups it was generating. If you require help with the removal of Virtumonde/Vundo or to check your HJT log, then please start your own thread in the HijackThis Log Help Forum and a trained Analyst will review your log.

WARNING:

Use of the information in this fix is to be used at YOUR own risk. If you are unsure about a step or use of a tool then post your log in the hijackthis section and an Analyst will assist you.
Old 03-04-2006, 01:17 AM   #3 (permalink)
Look2Me/VX2 Removal Instructions


The Look2Me/VX2 infection generates popups. It's easy to spot as it uses a random-named long DLL and random folder in the O20 Winlogon Notify section of the HJT log.

Entries to look for in the HJT log that will identify the infection.

O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\e8020idoe80c0.dll
O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\m4rm0e91eh.dll
O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\hpj0231mg.dll
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\e602lgdo160c.dll
O20 - Winlogon Notify: TESING - H:\WINDOWS\system32\p0r40a9qed.dll
O20 - Winlogon Notify: Guardian - C:\WINDOWS\system32\msg117.dll
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\irr2l59o1.dll


The Fix
+++++++++++++++++++++++++++++++++++

Please Download Look2Me-Destroyer.exe and save the file to your desktop.
  • Print out these instructions and close ALL windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to "Run this program as a task".
  • You will receive a message saying "Look2Me-Destroyer will close and re-open in approximately 10 seconds". Click OK
  • When Look2Me-Destroyer re-opens, click the "Scan for L2M button", your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the "Remove L2M button".
  • You will receive a "Done Scanning message", click OK.
  • When completed, you will receive this message: "Done removing infected files! Look2Me-Destroyer will now shutdown your computer", click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.

You should now be free of Look2Me/VX2 and the popups it was generating. If you require help with the removal of Look2Me/VX2 or to check your HJT log, then please start your own thread in the hijackthis section of this forum and a trained Analyst will review your log.

WARNING:

Use of the information in this fix is to be used at YOUR own risk. If you are unsure about a step or use of a tool then post your log in the hijackthis section and an Analyst will assist you.
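Added example for the Vundo and Look2Me posts above (my code, not MicroBell's and not part of VundoFix or Look2Me-Destroyer): a small Python triage script that reads HijackThis-style lines and applies the two identification rules the posts describe, a BHO DLL that also shows up as a Winlogon Notify DLL (the Vundo pairing) and a Winlogon Notify DLL in system32 with a random-looking name (Look2Me), plus a flag on any AppInit_DLLs value. The sample log, the `looks_random` heuristic and its thresholds are my own assumptions.

```python
import re

# Constructed sample lines in HijackThis format, modelled on the thread's
# examples; this is not a real log. One benign BHO and one benign Winlogon
# Notify entry are included so the rules have something to ignore.
SAMPLE_LOG = r"""
O2 - BHO: MSEvents Object - {39D2FC9B-041C-470E-AE72-F8C001247626} - C:\WINDOWS\REGIST~1\pcdb.dll
O20 - Winlogon Notify: pcdb - C:\WINDOWS\REGIST~1\pcdb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\AcroIEHelper.dll
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\e8020idoe80c0.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\xyzab.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O20_NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")
O20_APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<path>.+)$")


def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.strip().rsplit("\\", 1)[-1].lower()


def looks_random(stem):
    """Heuristic (my assumption, not from the thread) for Look2Me-style names:
    8+ letters/digits with digits mixed in among the letters, not merely
    trailing as in 'crypt32'."""
    if not re.fullmatch(r"[a-z0-9]{8,}", stem):
        return False
    core = stem.rstrip("0123456789")
    return any(ch.isdigit() for ch in core) and sum(ch.isalpha() for ch in stem) >= 3


def parse(log_text):
    """Split a log into O2 BHO, O20 Winlogon Notify and O20 AppInit_DLLs entries."""
    bho, notify, appinit = [], [], []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            bho.append(m.groupdict())
        elif m := O20_NOTIFY_RE.match(line):
            notify.append(m.groupdict())
        elif m := O20_APPINIT_RE.match(line):
            appinit.append(m.groupdict())
    return bho, notify, appinit


def triage(log_text):
    """Return (rule, dll, detail) tuples for entries matching the thread's patterns."""
    bho, notify, appinit = parse(log_text)
    findings = []
    notify_dlls = {basename(n["path"]) for n in notify}
    # Vundo: the BHO's DLL is also registered as a Winlogon Notify DLL.
    for b in bho:
        dll = basename(b["path"])
        if dll in notify_dlls:
            findings.append(("vundo-pair", dll, b["clsid"]))
    # Look2Me: Winlogon Notify DLL in system32 with a random-looking name.
    for n in notify:
        dll = basename(n["path"])
        stem = dll[:-4] if dll.endswith(".dll") else dll
        if "system32" in n["path"].lower() and looks_random(stem):
            findings.append(("look2me-random-dll", dll, n["name"]))
    # AppInit_DLLs is normally empty, so any value is worth a look.
    for a in appinit:
        findings.append(("appinit-dll", basename(a["path"]), ""))
    return findings


if __name__ == "__main__":
    for rule, dll, detail in triage(SAMPLE_LOG):
        print(f"{rule:20} {dll:25} {detail}")
```

The name heuristic is deliberately conservative so that legitimate entries with trailing digits (crypt32.dll) pass; a short name such as msg117.dll from the Look2Me list falls below its 8-character threshold, so the O20 section still needs a human read-through, which is what the posts ask for anyway.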
Old 05-04-2006, 07:31 PM   #4 (permalink)
Updated: 03-07-07

SmitFraud and Its Variants (Zlob) Removal Instructions

Smitfraud is a Desktop Hijacker that changes your desktop and pops up a FALSE security warning that your system is infected. It usually installs a "fake" security program which tries to trick you into purchasing the program to remove these entries.

Common hijackthis log entries you may see:

O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hp6DD8.tmp (Note: filename is random, but CLSID is NOT.)
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp XXX.tmp
O2 - BHO: HomepageBHO - {724510c3-f3c8-4fb7-879a-d99f29008a2f} - C:\WINDOWS\system32\hp76EF.tmp
O4 - HKCU\..\Run: [WindowsFY] C:\WP.EXE
O4 - HKLM\..\Run: [WindowsFZ] C:\WINDOWS\zloader3.exe
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\system32\hookdump.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [WinHound] C:\Program Files\WinHound\WinHound.exe
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O4 - HKLM\..\Run: [SpywareStrike] C:\Program Files\SpywareStrike\SpywareStrike.exe /h
O4 - HKLM\..\Run: [Alfacleaner] C:\Program Files\Alfacleaner\Alfaleaner.exe /h
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\System32\susp.exe
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\System32\runsrv32.exe
O4 - Startup: spysheriff.lnk = C:\Program Files\SpywareSheriff\spysheriff.exe
O4 - HKLM\..\Run: [SpywareQuake.com] C:\Program Files\SpywareQuake.com\Spyware-Quake.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Documents and Settings\David\Desktop\eKhM31T4O8\SpySheriff.exe
O9 - Extra button: Microsoft AntiSpyware helper - {4D186D89-32DB-439E-A37D-50511D6393C7} - (file missing) (HKCU) (Note: sometimes a file is listed)


This infection has many variants. The list below contains ALL the variants this FIX will remove. If you have one or more of these programs installed...then run this FIX.

AdwarePunisher
AdwareSheriff
AlphaCleaner
Antispyware Soldier
AntiVermeans
AntiVermins
AntiVerminser
AntiVirGear
AntivirusGolden
AVGold
Brain Codec
BraveSentry
DirectVideo
EliteCodec
eMedia Codec
FreeVideo
Gold Codec
HQ Codec
iCodecPack
Image ActiveX Object
iMediaCodec
IntCodec
iVideoCodec
JPEG Encoder
Key Generator
MalwareCrush 3.7
MalwareWipe
MalwareWiped
MalwareWipePro
MalwareWiper
Media-Codec
MediaCodec
MMediaCodec
MovieCommander
MPCODEC
My Pass Generator
PCODEC
Perfect Codec
PestCapture
PestTrap
PornMag Pass
PornPass Manager
PowerCodec
PrivateVideo
PSGuard
QualityCodec
quicknavigate.com
Registry Cleaner
Security iGuard
Silver Codec
SiteTicket
Smitfraud
SoftCodec
SpyAxe
SpyCrush
SpyDown
SpyFalcon
SpyGuard
SpyHeal
SpyHeals
SpyLocked
SpyMarshal
SpySheriff
SpySoldier
Spyware Soft Stop
Spyware Vanisher
SpywareKnight
SpywareQuake
SpywareSheriff
SpywareStrike
Startsearches.net
strCodec
Super Codec
TitanShield Antispyware
TrueCodec
Trust Cleaner
UpdateSearches.com
VidCodecs
Video Access ActiveX Object
Video ActiveX Object
VideoAccess
VideoBox
VideoCompressionCodec
VideoKeyCodec
VideosCodec
VirusHeat 3.9
Virtual Maid
VirusBlast
VirusBurst
Win32.puper
WinAntiSpyPro
WinHound
WinMediaCodec
XXXHoliday
X Password Generator
X Password Manager
ZipCodec



The Fix
+++++++++++++++++++++++++++++++++++


Please print out or copy these instructions/tutorial to Notepad, as the internet will not be available to you at certain points of the removal process (while in Safe Mode). Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Please download SmitfraudFix (by S!Ri) to your Desktop.

---------------------------------------------------------------------------------------------

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
______________________________

Double-click smitfraudfix.exe to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : " Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question " Replace infected file?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually. Restart in normal Windows.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:\rapport.txt) or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________


Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Double-click smitfraudfix.exe to start the tool.
Select option #3 - Delete Trusted zone by typing 3 and press Enter
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
______________________________


Run an Online scan

Perform an online scan with Panda ActiveScan
  • Click on Scan Your PC Now
  • A "pop up" window will appear, or a new tab will open.
  • Click on Register
  • Choose the option you like most, but we recommend the Free Registration.
  • Click on Register
  • Enter your e-mail address, and create a password.
  • Select "I do not want to receive any type of information". (unless you want to receive such information)
  • Click on Send
  • Confirm registration, and continue by entering your user name and password, then click on Enter
  • Select Full Scan, then Click on Scan Now
  • Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
  • If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
  • Please ignore the offer to buy the program. Click on Export To
  • Export the log and save it to your desktop.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------------------------------------

Avast users note:

Please do continue with the online scan at Panda if you receive an alert. It is a false positive from Avast because Panda Antivirus does not encrypt its virus database.

______________________________

You should now be free of the smitfraud variant. If you require help with the removal of the smitfraud variant you have or to check your HJT log, then please start your own thread in the hijackthis section of this forum and a trained Analyst will review your logs.

*Note* The above fix creates the following logs which you should also post along with your hijackthis log.

Panda log
C:\rapport.txt (log from the SmitfraudFix tool)



WARNING:

Use of the information in this fix is to be used at YOUR own risk. If you are unsure about a step or use of a tool then post your log in the hijackthis section and an Analyst will assist you.

Last edited by tetonbob : 04-24-2008 at 05:18 PM. Reason: removed AVG AntiSpyware; no longer available
Old 05-04-2006, 07:52 PM   #5 (permalink)
Updated: 05-04-06

Alcan.B Infection Removal Instructions


This infection is a worm that typically changes many of your security settings and DISABLES both "Task Manager" and "Regedit" in the windows operating system. Your antivirus may pick this infection up...but fails to clean it.

The infection has many, many files and entries.

Common hijackthis log entries associated with this infection:

O2 - BHO: Shorty - {11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6} - C:\Program Files\DNS\Catcher.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINDOWS\DH.dll
O4 - HKLM\..\Run: [gimmysmileys] C:\\GIMMYSMILEYS#.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd#.exe
O4 - HKLM\..\Run: [gimmygames] C:\windows\gimmygames#.exe
O4 - HKLM\..\Run: [gimmygames] C:\\gimmygames#.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban#.exe
O4 - HKLM\..\Run: [keyboard] C:\\KEYBOARD#.exe
O4 - HKLM\..\Run: [mousepad] C:\\mousepad#.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad#.exe
O4 - HKLM\..\Run: [newname] C:\\newname#.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname#.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC0#.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe
O4 - HKLM\..\Run: [NewFrn] C:\WINDOWS\newfrn.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\[semi-random].exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\[semi-random].exe
O4 - Startup: Zstart.lnk = C:\WINDOWS\TEMP\[semi-random].exe
O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM(32)\[random].EXE CORN001
O4 - HKLM\..\Run: [Command] C:\WINDOWS\system.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-##-##-######.exe
O4 - HKLM\..\Run: [q8lg] "C:\WINDOWS\System32\slk8x2peu.exe"
O4 - HKLM\..\Run: [CQ4d6] "C:\WINDOWS\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [gjZC2XV] "C:\WINDOWS\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [ula0U] "D:\WINDOWS\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20004\services.exe
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKLM\..\Run: [sysvx] C:\WINDOWS\sysvx_.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [expload.exe] C:\WINDOWS\System32\expload.exe
O4 - HKLM\..\Run: [tetriz3] C:\WINDOWS\system32\tetriz3.exe
O4 - HKLM\..\RunServices: [tetriz3] C:\WINDOWS\system32\tetriz3.exe
O4 - HKCU\..\Run: [tetriz3] C:\WINDOWS\system32\tetriz3.exe
O4 - HKCU\..\Run: [Abrada WIN32] C:\WINDOWS\abradaload.dll
O4 - HKLM\..\Run: [Microsoft standard protector] C:\WINDOWS\inet20021\socks.exe 20021
O4 - HKLM\..\Run: [rmalt] C:\Program Files\Update06\Setup.exe
O4 - HKLM\..\Run: [newname] c:\windows\newname12.exe
O4 - HKLM\..\Run: [mousepad] c:\windows\mousepad12.exe
O4 - HKLM\..\Run: [keyboard] c:\windows\keyboard12.exe
O4 - HKCU\..\Run: [EQAdvice] "C:\Program Files\EQAdvice\EQAdvice.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels8.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\kernels8.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00007.exe"
O4 - HKCU\..\Run: [Key] C:\DOCUME~1\[user]\LOCALS~1\Temp\[random].tmp
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\[user]\LOCALS~1\Temp\[random].tmp####.exe
O4 - Global Startup: svchost.exe
O4 - Global Startup: wmplayer.exe
O18 - Filter: text/html - {994D478A-45D0-4DB4-AE77-288B1E346E99} - C:\Program Files\FCAdvice\FCAdvice.dll
O18 - Filter: text/html - {8253D547-38DD-4325-B35A-F1817EDFA5F5} - C:\Program Files\System Files\plugin.dll
O20 - Winlogon Notify: SensSrv - C:\WINDOWS\SYSTEM32\senssrv.dll
O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - C:\WINDOWS\System32\[random].dll


*Note* Entries that contain #### are random letters and numbers.


The Fix
+++++++++++++++++++++++++++++++++++


Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with this yet!



Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

Once in Safe Mode, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu
  • Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
Reboot into normal windows.

You should now be free of the Alcan.B Infection and regained control of "Task Manager" and "Regedit". If you require help with the removal of Alcan.B Infection or to check your HJT log, then please start your own thread in the hijackthis section of this forum and a trained Analyst will review your log.

WARNING:

Use of the information in this fix is to be used at YOUR own risk. If you are unsure about a step or use of a tool then post your log in the hijackthis section and an Analyst will assist you.

Last edited by tetonbob : 04-24-2008 at 05:19 PM. Reason: removed AVG AntiSpyware; no longer available
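Added example for the SmitFraud and Alcan.B posts above (my code, not MicroBell's and not part of SmitfraudFix or the Brute Force Uninstaller): the posts give their indicator paths in a wildcard notation, `#` for one random letter or digit and `[random]`, `[semi-random]` or `[user]` for an arbitrary name, and note that the SmitFraud BHO's file name is random while its CLSID is constant. This Python script compiles that notation into regular expressions, checks O4 entries against them and against a subset of the rogue-product names, and flags an O2 entry carrying the constant CLSID. The sample log and both lists are constructed subsets, not the thread's full lists.

```python
import re

# Indicator paths copied in the thread's own wildcard notation (constructed
# subset of the Alcan.B and SmitFraud lists, not the complete lists).
INDICATOR_PATTERNS = [
    r"C:\windows\winsysupd#.exe",
    r"C:\windows\gimmygames#.exe",
    r"C:\Program Files\Common Files\mc-##-##-######.exe",
    r"C:\DOCUME~1\[user]\LOCALS~1\Temp\[random].tmp####.exe",
    r"C:\WINDOWS\TEMP\[semi-random].exe",
    r"C:\winstall.exe",
]

# Rogue "security" product names from the SmitFraud variant list (subset).
ROGUE_NAMES = ["SpySheriff", "SpyAxe", "PSGuard", "WinHound", "SpywareQuake", "AntiVermins"]

# The post notes this BHO's file name is random but the CLSID is not.
SMITFRAUD_CLSID = "FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF"

O2_RE = re.compile(r"^O2 - BHO: .*? - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
# Covers "O4 - HKLM\..\Run: [name] cmd" and "O4 - Startup: file.lnk = cmd".
O4_RE = re.compile(r"^O4 - (?P<loc>[^:]+): (?:\[(?P<name>[^\]]*)\] |(?P<lnk>\S+\.lnk) = )(?P<cmd>.+)$")
# Executable portion of a Run command: optional quotes, then up to the first
# .exe/.dll/.tmp that is followed by whitespace or end of line.
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|dll|tmp))"?(?=\s|$)', re.IGNORECASE)

# Constructed sample log lines (not a real log).
SAMPLE_LOG = r"""
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hp1A2B.tmp
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd7.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-12-ab-3c4d5e.exe
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\Dave\LOCALS~1\Temp\q1w2.tmpA9F3.exe
"""


def indicator_to_regex(pattern):
    """Translate the wildcard notation into a case-insensitive regex."""
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "[" and "]" in pattern[i:]:
            out.append(r"[^\\]+")          # [random], [user], ...: one name fragment
            i = pattern.index("]", i) + 1
        elif pattern[i] == "#":
            out.append(r"[A-Za-z0-9]")     # exactly one random letter or digit
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out), re.IGNORECASE)


COMPILED = [(p, indicator_to_regex(p)) for p in INDICATOR_PATTERNS]


def executable_of(cmd):
    """Strip quotes and arguments from a Run command, leaving the executable path."""
    m = EXE_RE.match(cmd.strip())
    return m.group("exe") if m else cmd.strip()


def triage(log_text):
    """Return (rule, detail) tuples for entries matching the posts' indicators."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            if m.group("clsid").upper() == SMITFRAUD_CLSID:
                findings.append(("smitfraud-bho", m.group("path")))
            continue
        if m := O4_RE.match(line):
            name = m.group("name") or m.group("lnk") or ""
            exe = executable_of(m.group("cmd"))
            for pattern, rx in COMPILED:
                if rx.fullmatch(exe):
                    findings.append(("path-indicator", pattern))
                    break
            haystack = (name + " " + exe).lower()
            for rogue in ROGUE_NAMES:
                if rogue.lower() in haystack:
                    findings.append(("rogue-program", rogue))
                    break
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:16} {detail}")
```

Because `#` is compiled as exactly one character, `mousepad#.exe` does not match `mousepad12.exe`; the Alcan.B post lists those two-digit names separately, so keep both forms in the indicator list rather than loosening the wildcard.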
Copyright 2001 - 2008, Tech Support Forum
