Spyware/ Malware Removal

[Deckard]

I was hoping that your hosts file would have entries in it that might explain why Kaspersky wasn't working, but it's exactly what it should be. Let's try a different online scanner.

Perform an online scan with Internet Explorer with Panda ActiveScan.

1. Click on the "Scan your PC" button located at the bottom of the page. A popup window should appear -- make sure you allow it if you have a popup blocker.
2. Enter your e-mail address, country, and state and click Scan Now.
3. Your computer will download Panda's 8 megabyte ActiveX control at this point. Follow the on-screen directions if it asks you to install the ActiveX control.
4. Begin the scan by selecting My Computer. Note:
   • Please turn off the real time scanner of any existing antivirus program while performing the online scan.
   • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
   • Click on See report then click Save report.
   • It is not necessary to remain online while it's doing the scan, but you will have to re-connect after it has finished to see the report.

Post that report for me.

[StormTroop]

Incident Status Location

Adware:adware/crystalys Not disinfected c:\program files\Crystalys media
Potentially unwanted tool:application/mywebsearch Not disinfected c:\program files\MyWebSearch
Potentially unwanted tool:application/funweb Not disinfected hkey_current_user\software\Fun Web Products
Adware:adware/morwillsearch Not disinfected Windows Registry
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Joanna\Application Data\Mozilla\Firefox\Profiles\31vo347c.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Joanna\Application Data\Mozilla\Firefox\Profiles\31vo347c.default\cookies.txt[.bfast.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Joanna\Application Data\Mozilla\Firefox\Profiles\31vo347c.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Joanna\Application Data\Mozilla\Firefox\Profiles\31vo347c.default\cookies.txt[.com.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Joanna\Application Data\Mozilla\Firefox\Profiles\31vo347c.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Joanna\Application Data\Mozilla\Firefox\Profiles\31vo347c.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Joanna\Application Data\Mozilla\Firefox\Profiles\31vo347c.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Joanna\Application Data\Mozilla\Firefox\Profiles\31vo347c.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Joanna\Application Data\Mozilla\Firefox\Profiles\31vo347c.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Joanna\Application Data\Mozilla\Firefox\Profiles\31vo347c.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Joanna\Application Data\Mozilla\Firefox\Profiles\31vo347c.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Joanna\Application Data\Mozilla\Firefox\Profiles\31vo347c.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Joanna\Application Data\Mozilla\Firefox\Profiles\31vo347c.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Joanna\Application Data\Mozilla\Firefox\Profiles\31vo347c.default\cookies.txt[.adopt.hbmediapro.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Joanna\Application Data\Mozilla\Firefox\Profiles\31vo347c.default\cookies.txt[.go.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Joanna\Application Data\Mozilla\Firefox\Profiles\31vo347c.default\cookies.txt[.xiti.com/]
Spyware:Cookie/Advnt Not disinfected C:\Documents and Settings\Joanna\Application Data\Mozilla\Firefox\Profiles\31vo347c.default\cookies.txt[.www.advnt01.com/]
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Joanna\Application Data\Mozilla\Firefox\Profiles\31vo347c.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Joanna\Application Data\Mozilla\Firefox\Profiles\31vo347c.default\cookies.txt[.searchportal.information.com/]
Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\Joanna\Application Data\Mozilla\Firefox\Profiles\31vo347c.default\cookies.txt[.rightmedia.net/]
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Joanna\Application Data\Mozilla\Firefox\Profiles\31vo347c.default\cookies.txt[.gostats.com/]
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Joanna\Application Data\Mozilla\Firefox\Profiles\31vo347c.default\cookies.txt[.i.screensavers.com/]
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Joanna\Application Data\Mozilla\Firefox\Profiles\31vo347c.default\cookies.txt[.gostats.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Joanna\Application Data\Mozilla\Firefox\Profiles\31vo347c.default\cookies.txt[.ath.belnk.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Joanna\Application Data\Mozilla\Firefox\Profiles\31vo347c.default\cookies.txt[.belnk.com/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Joanna\Application Data\Mozilla\Firefox\Profiles\31vo347c.default\cookies.txt[.drivecleaner.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Joanna\Application Data\Mozilla\Firefox\Profiles\31vo347c.default\cookies.txt[.atwola.com/]
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Joanna\Cookies\joanna@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Joanna\Cookies\joanna@888[2].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Joanna\Cookies\joanna@adopt.hbmediapro[2].txt
Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\Joanna\Cookies\joanna@anm.co[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Joanna\Cookies\joanna@ath.belnk[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Joanna\Cookies\joanna@atwola[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Joanna\Cookies\joanna@azjmp[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Joanna\Cookies\joanna@belnk[1].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Joanna\Cookies\joanna@c3.gostats[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Joanna\Cookies\joanna@cassava[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Joanna\Cookies\joanna@cgi-bin[3].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Joanna\Cookies\joanna@cgi-bin[4].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Joanna\Cookies\joanna@cgi-bin[6].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Joanna\Cookies\joanna@dist.belnk[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Joanna\Cookies\joanna@drivecleaner[2].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Joanna\Cookies\joanna@gostats[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Joanna\Cookies\joanna@go[1].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Joanna\Cookies\joanna@i.screensavers[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Joanna\Cookies\joanna@mediaplex[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Joanna\Cookies\joanna@questionmarket[2].txt
Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\Joanna\Cookies\joanna@rightmedia[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Joanna\Cookies\joanna@searchportal.information[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Joanna\Cookies\joanna@stats.drivecleaner[1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Joanna\Cookies\joanna@toplist[2].txt
Spyware:Cookie/Advnt Not disinfected C:\Documents and Settings\Joanna\Cookies\joanna@www.advnt01[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Joanna\Cookies\joanna@www.drivecleaner[2].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Joanna\Cookies\joanna@www.errorsafe[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Joanna\Cookies\joanna@xiti[1].txt
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\Joanna\Cookies\joanna@xmts[2].txt
Adware:Adware/FlashTrack Not disinfected C:\Documents and Settings\Joanna\Local Settings\Temporary Internet Files\Content.IE5\4UBMEBFV\channels_02[1].gif
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Tom\Cookies\tom@2o7[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Tom\Cookies\tom@doubleclick[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Tom\DoctorWeb\Quarantine\process.exe
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Documents and Settings\Tom\DoctorWeb\Quarantine\Uninstall My Web Search.dll
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Adware:Adware/SaveNow Not disinfected C:\Program Files\MyEmoticons\uninstall.exe
Possible Virus. Not disinfected C:\WINDOWS\system32\swreg.exe
Possible Virus. Not disinfected C:\winks\Angry Dog\run.exe
Possible Virus. Not disinfected C:\winks\Burping Bear\run.exe
Possible Virus. Not disinfected C:\winks\christmas 11\run.exe
Possible Virus. Not disinfected C:\winks\christmas19\run.exe
Possible Virus. Not disinfected C:\winks\christmas20\run.exe
Possible Virus. Not disinfected C:\winks\Crazy Frog\run.exe
Possible Virus. Not disinfected C:\winks\Excited\run.exe
Possible Virus. Not disinfected C:\winks\Happy Dance\run.exe
Possible Virus. Not disinfected C:\winks\Hippo Pic\run.exe
Possible Virus. Not disinfected C:\winks\Twisted Whiskers Laughing Dog\run.exe

[Deckard]

?

I thought we deleted MyWebSearch. And yet, it's back.


Uninstall
Click Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist):

Crystalys Media
MyEmoticons
MyWebSearch

Please let me know if any of these were unable to uninstall.


Reboot
Reboot your system to Safe Mode by repeatedly tapping the F8 key until the menu appears and choosing Safe Mode from the list. On some systems, this may be the F5 key so try that if F8 doesn't work. Login on with your usual account. Make sure to close any open windows.


Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\Program Files\Crystalys Media
C:\Program Files\MyWebSearch
C:\Program Files\MyEmoticons

Reboot
Reboot your system to Normal Mode and log in as Joanna.


Clear Cookies
Clear your IE cookies. Start>Settings>Control Panel>Internet Options>General. Under Temporary Internet Files, click on Delete Cookies. Then click Delete Files.

Clear your Firefox cookies. From the open browser, go to Tools>Options>Privacy>Cookies>Clear.


Submit For Analysis
Please submit the following file to VirusTotal Scan:

C:\winks\Angry Dog\run.exe

At the top of the window you should see "Select file" and a blank box. Copy and paste the red text from above into the box. Then click "Send". When it is finished, please copy the information listed the two tables (i.e., the scan results and "Additional Information") into Notepad and save it on your Desktop so you can paste it with your next reply.


Online Scan
Please perform an BitDefender Online Scan using Internet Explorer. Once finished, click on the Details button to view the results. To the upper right of the results you will see an option saying "Click here to export the scan results". Please do so and save it to your desktop. Copy and paste the results of the scan with your next post.


With Your Next Post...
Please paste the following with your next reply (in this order please):

1. VirusTotal report,
2. BitDefender scan report,
3. a new HiJackThis log taken after BitDefender finishes.

[StormTroop]

Sorry for the delay, theBitDefender Scan takes around 2-3 hours and its nearly christmas, so we need to use the computer a lot. I did one today but it looks like my mum (Im 15 ) somehow closed it. Ill try and get it done asap. In the mean time, heres my VirusTotal report and also, my sister (Joanna) has been downloading all sorts of internet junk, much of which contains malware and the rest is just taking up space. Im unsure as to what is junk so would you be able to list some of the things that can be removed (from the reports ive given you). e.g. I dont know what that winks folder is, but it looks like rubbish and there are loads of gameslike 'Diner Dash' etc. and MSN downloads and so on that are never used. Ive already removed Puzzle Pirates which was taking up 125.00Mb (a lot more than it should be doing im sure).

Anyway, heres the VirusTotal thing and ill try get the BitDefender done ASAP

Antivirus Version Update Result
AntiVir 7.2.0.49 12.11.2006 no virus found
Authentium 4.93.8 12.08.2006 no virus found
Avast 4.7.892.0 12.11.2006 no virus found
AVG 386 12.09.2006 no virus found
BitDefender 7.2 12.11.2006 no virus found
CAT-QuickHeal 8.00 12.11.2006 no virus found
ClamAV devel-20060426 12.11.2006 no virus found
DrWeb 4.33 12.11.2006 no virus found
eSafe 7.0.14.0 12.11.2006 no virus found
eTrust-InoculateIT 23.73.81 12.09.2006 no virus found
eTrust-Vet 30.3.3244 12.11.2006 no virus found
Ewido 4.0 12.10.2006 no virus found
Fortinet 2.82.0.0 12.11.2006 no virus found
F-Prot 3.16f 12.08.2006 no virus found
F-Prot4 4.2.1.29 12.08.2006 no virus found
Ikarus T3.1.0.26 12.11.2006 no virus found
Kaspersky 4.0.2.24 12.11.2006 no virus found
McAfee 4915 12.10.2006 no virus found
Microsoft 1.1804 12.11.2006 no virus found
NOD32v2 1914 12.11.2006 no virus found
Norman 5.80.02 12.11.2006 no virus found
Panda 9.0.0.4 12.11.2006 no virus found
Prevx1 V2 12.11.2006 no virus found
Sophos 4.12.0 12.10.2006 no virus found
Sunbelt 2.2.907.0 11.30.2006 no virus found
TheHacker 6.0.3.131 12.10.2006 no virus found
UNA 1.83 12.08.2006 no virus found
VBA32 3.11.1 12.10.2006 no virus found
VirusBuster 4.3.15:9 12.11.2006 no virus found


Aditional Information
File size: 16384 bytes
MD5: ea3f67c0490eb3912156d85a32f497ee
SHA1: 1024aa86124b3e8fd2ce65218f64a8e2221655c2

[StormTroop]

Oh, turns out it finished and said it had scanned all the files and found nothing, so my Mum closed it, without getting the report. Should I do another anyway?

[Deckard]

Nah, I honestly expected it to come back clean. You can delete the C:\winks folder if you want -- it looks like it's MSN messenger stuff but doesn't appear to be malware.

Well done, your logs are clean! Any more issues? If not, you should be good to go but we still have a few items we'd like to address.

Reset hidden/system files and folders

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View tab.
• Deselect the Show hidden files and folders option.
• Select the Hide file extensions for known types option.
• Select the Hide protected operating system files option.
• Click Yes to confirm and then click OK.

Reset System Restore

• Go to Start>Run, type SYSDM.CPL and press Enter.
• Select the System Restore tab.
• Check "Turn off System Restore on all drives" and click Apply.
• Now uncheck the same option and click OK.

Re-enable Protection
Turn back on any malware prevention tools we might have had you switch off.

Microsoft Updates
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by malware. Using Internet Explorer, please go to Microsoft's Windows Update and download all of the critical updates to help prevent possible re-infection.

Please ensure that you have already patched your system against these recent critical exploits:

• WMF exploit: KB912919
• VML exploit: KB925486

Enable Windows Auto Update:

• Go to Start>Run, type WUAUCPL.CPL and press Enter.
• Make sure "Keep my computer up to date" is checked.
• Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
• Click on "OK".

Update Java
You need to update your Java as it is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

1. Download the latest version of Java Runtime Environment (JRE) 6.0.
2. Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download Windows Offline Installation with or without multi-language and save to your desktop.
7. Close any programs you may have running -- especially your web browser(s).
8. Go to Start→Control Panel double-click on Add/Remove Programs.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Remove or Change/Remove button.
11. Repeat as many times as necessary to remove each version of Java.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6-windowsi586-p.exe to install the newest version.
14. After the reboot, go back into the Control Panel and double-click the Java icon.
15. Under Temporary Internet Files, click the Delete Files button.
16. There are two options in the window to clear the cache - leave both checked:
    • Applications and Applets
    • Trace and Log Files
17. Click OK on Delete Temporary Files Window. NOTE: This deletes ALL of the Downloaded Applications and Applets from the cache.
18. Click OK to leave the Java Control Panel.

Tool Deletions
Feel free to remove these tools and their folders:

• ComboFix
• Autoruns and AutoCmd
• CleanUp! (uninstall from Add/Remove Programs)
• Win32DelfKil
• Dr.Web CureIt

You may want to keep AVG Anti-Spyware, as it will offer you some additional protection. It is a free 30 day trial, after which time you will need to manually update it yourself.


Malware Prevention
This is a good time to set up protection against further attacks. You might want to read Tony Klein's "How Did I Get Infected In The First Place?". At the minimum, you need an antivirus that is continually updated, a good firewall, a spyware blocker such as Spyware Blaster, and a real time spyware program such as Spyware Guard to prevent spyware intrusions. I also recommend IE-Spyad, which places over 4,000 websites and domains in the IE Restricted list, thus helping prevent attempts to re-infect your system. All of these have no-strings-attached free versions available. However, be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use but often have malware in them.

Two more articles you may want to read at your leisure are "KRC Anti-Spyware Tutorial" and "Making Internet Explorer Safer".

The following is a list of free software we recommend:

Antivirus
AV software should be updated at least once a week for optimum protection. Here are some free AV programs available for personal use. NOTE: Do not install more than one AV program because they will conflict with each other. Only pick one.

• AOL Active Virus Shield (powered by Kaspersky Antivirus)
• BitDefender
• Avira PersonalEdition Classic
• Avast!
• AVG

Firewalls
A good firewall is the first-line of defense for your computer and will monitor incoming and outgoing traffic. NOTE: Microsoft's Firewall does not monitor outgoing traffic. If you are unfamiliar with how a firewall works, you can read "Understanding and Using Firewalls". Here are some free firewalls available for personal use:

• Sygate Personal Firewall
• ZoneAlarm
• Tiny Personal Firewall
• Sunbelt Kerio Personal Firewall
• Outpost Firewall PRO

Realtime Malware Prevention Tools
These programs actively watch your computer for possible malware-related changes and help prevent them. You can run more than one of these at a time.

• Spyware Guard
• Spybot Search & Destroy
• AdAware
• WinPatrol - with tutorial

Passive Malware Prevention Tools
These programs configure your computer to prevent known malware-related changes. You can have more than one of these at a time and they take up minimal resources.

• SpywareBlaster - Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items. Check regularly for updates.
• IE-Spyad - Extract to your desktop and double-click install.bat. Install options #2 and #4. IE-Spyad places more than 4,000 dubious domains in the IE Restricted list, which impairs attempts to infect your system. It prevents any downloads from the sites although you will still be able to connect to them. You can read more about it on it's homepage.
• MVPS Hosts File - extract and double-click the mvps.bat file. This will replace your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements, preventing your computer from connecting to those sites.
• McAfee SiteAdvisor - helps to warn you before you interact with a dangerous Web site. Works with both IE and Firefox.

Alternative Web Browsers
Using an alternative browser can help prevent malware from being installed without your knowledge, but may not work on all websites.

• Firefox
• Opera

Alternative Miscellaneous
Here are some alternatives that are worth looking into if you use their features:

• Trillian - an Instant Messenger client that speaks multiple IM services (AIM, Yahoo!, ICQ, MSN, etc.)
• Miranda-IM - another Instant Messenger client with multiple IM capabilities.
• Desktop Weather - A taskbar weather program that is free and resource light.

Please respond to this thread one more time so we can mark this thread as resolved.

[StormTroop]

Thanks a lot, you've been really helpful
Few more things though, when I tried to install the VML exploit, it said that my version of IE was unsuitable for the update. Also, when i tried to download the new Java, it said 'Our site is currently offline for maintenance.' Finally, I am currently doing something with a game that requires me to keep my hidden folders unhidden. Does that pose any sort of security risk?

The things you have listed, are they the best ones, or the best free ones? We have McAfee Personal Firewall Installed as a Firewall, is that OK?

Thanks VERY much.

[Deckard]

No problem! Glad I could help.

You've got IE7, and the VML exploit was before that; it's probable that it is unneeded for IE7. I'll keep that in mind for the future so as not to confuse people. I appreciate the hint.

Keeping your folders unhidden poses no security risk. Windows likes to hide certain folders to make sure you don't accidently delete something important; but as long as you're careful no harm is done.

What you have installed for a firewall is fine.