Computers The Official Malware/Antivirus Thread - Need help or general advice? Read this first! - Page 19

This thread provides information on malware removal, links to malware removal tools, and recommendations & links to anti-virus software. The intention of this thread is to provide quick and accurate support for malware-related issues and questions.

Many people here are willing to provide assistance if you're having computer problems, and this thread is not meant to discourage people from asking for help.... but, please read the information provided first, or else there's a good chance you'll be sent here, here, or here . We aren't Geek Squad, so while we won't grossly overcharge you for information and advice, we also aren't responsible for anything you do to your computer.

Also, feel free to make suggestions on the content of this post, and I'll try to keep it up to date.

Research

A lot of information can be found at this EliteKiller link, including...

Links to recommended malware scanning & removal tools, including the Rogue Removal Kit (which includes combofix), malwarebytes (aka MBAM), and Hitman Pro.
A link to HiJackThis, which creates a log of registry entries, running services, etc; that can be posted here for additional support.
Reviews, recommendations, and links to antivirus software, on-demand scanners, and online scanners.
Information on firewalls and unsecured networks, as well as malware/virus prevention.

Malware Removal

If you think your computer is infected, the EliteKiller link provides a thorough solution. Simply put...

Originally Posted by mikeyis4dcats.:
Step 1 go here http://www.elitekiller.com/malware.htm and read up

Step 2 download the Rogue Removal Kit http://www.elitekiller.com/files/rogueremoval.zip

Step 3 unzip the Kit, read the instruction file and run the tools in the order given.

Step 4 Thank me in about 3 hours for fixing your shit.

The Rogue Removal Kit is is a zipped file that includes malwarebytes, CCleaner (a registry cleaner that will also delete temporary files), Combofix, Hitman Pro, and HiJackThis (HiJackThis is optional, see below). The instructions guide you through running these tools in Safe Mode With Networking; then running malwarebytes and an online scanner in Normal Mode.

Some people don't recommend running Combofix unless you're fairly certain you need to use it, but I've never heard of people having major problems with it. Here's a list of symptoms to Vundo infections, which may help determine if you need to run Combofix. You can also look here to see instructions with screenshots on how to use Combofix.

Taken from the readme in the Rogue Removal Kit:

Quality Online Virus Scanners: (all scanners offer detection and removal)

F-Secure
NOD32
Bitdefender

Quality Free Anti-Virus Software:

Panda Cloud
Microsoft Security Essentials
Antivir
Avast!
AVG

My two cents on downloading anti-malware software...

Download it from another computer if possible, or from Safe Mode With Networking on the infected machine.
Verify you are downloading from a legit source and are not being redirected to a site where you'll end up downloading more malware. If you click on any links above, verify the link in the bottom left before clicking on it, then after clicking the link verify that's where you were taken in the address bar.
The elitekiller article mentions downloading the software to a USB drive. Do not download the software to a USB drive on the infected machine if you're not in Safe Mode, or else you risk infecting the USB drive and other computers you connect the drive to in the future.

Other Helpful Tips & Tools

Rkill will kill processes that may be preventing scanners from completely removing malware.

To get into Safe Mode With Networking, press F8 every couple of seconds while the computer is starting (before the Windows splash screen). If you see the Windows splash screen, you will need to try again. The safe thing to do is log into Windows, restart, and try pressing F8 several times before seeing the Windows splash screen. Alternatively, my advice that falls into the category of “what I'd do if it was my own computer, but wouldn't tell someone to do it if I worked in tech support” would be, if you didn't get into Safe Mode the first time and you're at the Windows splash screen, hold down the power button until the computer turns off. When you start the computer again, it should automatically ask you if you want to go into Safe Mode With Networking.

If you get a Blue Screen of Death after selecting Safe Mode With Networking, read the following posts on how to fix it:
http://blog.didierstevens.com/2006/06/22/save-safeboot/
http://blog.didierstevens.com/2006/0...ring-safeboot/
http://blog.didierstevens.com/2007/0...th-a-reg-file/

Still infected, or just want to make sure everything is okay?

HiJackThis is a tool that will create a log file that can be analyzed by geeks to see what is running on your computer. Install and run HiJackThis (preferably in Safe Mode With Networking), and select 'Do a system scan and save a log file'. You can then copy/paste the output to this thread, and with any luck, someone will stop by and let you know what you can delete. You can then checkmark the items in HiJackThis and click 'Fixed checked'.

If you don't get a quick response here or would rather do it yourself, you can also go to http://hijackthis.de/, which is an online analyzer for your HiJackThis log. Simply copy and paste the log into the text box and click the Analyze button. During my testing of the site, I found it wasn't perfect, especially when a proxy was setup (the visitor rating would be 'extremely nasty', but the site itself would say it was safe)... but, it's at least a good tool that can significantly shorten the time it takes to analyze the log, and it gives you an idea of which entries you can delete or at least Google/post here for further research.

You can also look at the responses to HiJackThis posts in this thread to get an idea of what is safe and what should be removed.

Windows Performance

A good starting point to knowing what processes and services are running on your computer is a HiJackThis log. There's also a lot of information that's only a Google search away.

To manage the process that start when Windows starts, use msconfig (Start button -> Run... -> msconfig -> Startup tab). This is a good resource on startup processes, and it includes a large database of startup processes with information on whether they're required to run Windows or if it's okay to uncheck them. You basically want processes that are in c:\Windows checked, and you can generally uncheck processes in c:\program files (but there are exceptions, like your antivirus), but do some research (Google, the provided links, this thread) if you're not sure. Adobe, Apple (including qttask, Boujour, AppleUpdater, etc), and any messenger program (unless you have it sign you in at startup) are always the first ones to get unchecked on my computer.

Services can be a little tougher to manage, because it's usually a much longer list, and it's not as simple as flipping them on or off. This is a great resource for managing Windows services (Start button -> Run... -> services.msc). Simply choose your version of Windows and then click on the Service Configuration link. It presents the default setup, a safe setup (what most people can use without any consequences), a tweaked setup for faster startup, and a bare bones setup for the super geek. There's also a Tweaks page for stuff like Adding/Removing programs and System Restore.
[Reply]

Originally Posted by chasedude:
I agree being an informed user would prevent this from installing on their system. Yet the number of the uninformed usually outweighs intelligent users.

My main point I was trying to get across is no OS is safe anymore. Apple users thought they were bullet proof because most malware/trojans are meant for the more popular Windows system.

I just hooked up avast on my mobile and it's caught a couple hidden in some apps I wanted to try.

Well... most malware/trojans are written for Windows. Because it's infinitely easier to execute malicious code that doesn't require any user input. "Drive by" infection is still not possible with OS X. Which does provide OS X with a much greater resistance to infection, and makes antivirus programs for Mac pretty much unnecessary. The last few versions of OS X actually have malware protection built in to the OS, which most people don't realize. And OS X is much better at sandboxing everything you run to prevent infection, memory leaks, permission issues, etc. I completely agree that no OS is bullet proof. But OS X should still be considered one of the safest options available.

I could write a program in about 5 minutes, that could completely destroy an OS X install. But it would also require the user to authenticate as admin to install, no different than the "malware" above. I don't think that makes me a hax0r though, and I wouldn't consider OS X to be vulnerable because the program I wrote could harm it if it were installed. Because that's just common sense. No virus or malware protection is going to protect against irresponsible stupidity like that.
[Reply]

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:14:01 AM, on 4/6/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
D:\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://global.acer.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsearcher.com
O2 - BHO: PriceGong - {1631550F-191D-4826-B069-D9439253D926} - C:\Program Files\PriceGong\2.5.0\PriceGongIE.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Funmoods Helper Object - {75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} - C:\Program Files\Funmoods\funmoods\1.5.11.16\bh\funmoods.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Funmoods Toolbar - {A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} - C:\Program Files\Funmoods\funmoods\1.5.11.16\funmoodsTlbr.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\Audio\Drivers\AzMixerSel.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [M3000Mnt] Rundll32.exe M3000Rmv.dll ,WinMainRmv /StartStillMnt
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Acer VCM.lnk = ?
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Acer\Acer VCM\Skype4COM.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Raw Socket Service (RS_Service) - Acer Incorporated - C:\Program Files\Acer\Acer VCM\RS_Service.exe

--
End of file - 6494 bytes

Does this look right?
[Reply]