Avast WEBforum

Other => Viruses and worms => Topic started by: polonus on July 31, 2008, 11:42:00 PM

Title: Malware fixes and work-arounds!
Post by: polonus on July 31, 2008, 11:42:00 PM
Facts to better write your malware-fix

Identification of malware

When you start getting involved in malware fighting, recognizing certain infections is hard. Every infection has specific characteristics. There are sites where you can find descriptions of various infections.

1. Read a log several times to get a good grasp of what it has.

2. Using Google, the CastleCops database or a good online HJT analyzer page, the lines that should be fixed can be found.

3. Important about filtering is that it can be a further indication of the malware at hand. Many malware infections demand more of you than simply ending a process.

Most databases like castlecops give links to further information about the specific infection.
Then you can also find interesting information here. The most important resource for information always is Google. You stand on the shoulders of many malware fighters in what you do. How did others handle a similar infection on a reliable help site?

Read a HijackThis log

From a line of a HijackThis log, can you see what it is?

Take this line for instance:
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect

An O4 line consists of the name of a process and the name of a program.
O4 - HKLM\..\Run: [Program-name] "C:\Program Files\map\proces.exe"
In the CastleCops database, look for a process named nwiz.exe: 3 possible variants.
All have a different program name. So the combination gives you the key. In this case nwiz.exe is part of the nVidia graphics card drivers.

Dos and don'ts

1. Clean the computer with standard scanners before anything else.

HijackThis is brought in when other methods did not solve the problems. Even then HJT does not find everything.
By using various reliable malware scanners a lot can be taken off. Maybe the problem is solved completely.
But when everything fails we use a "dangerous" program like HijackThis.
There are cleansing routines to state how a PC is cleansed correctly.

2. Never fix with an HJT program that has not been updated to the latest version, and make sure hijackthis.exe has been placed in the right folder. An older version of HijackThis misses things and messes your cleansing up.
HijackThis.exe should be unzipped and put in a non-temporary folder. This is to prevent losing backups.

3. Never start a fix with systemrestore disabled.
You reset system restore only after the PC is fully cleansed, not earlier. If something goes wrong, you have nothing to cling to. Step 7 describes how you can reset system restore.

4. Hijackthis is NO scanner.

Fixing wrong lines with HijackThis is not sufficient to cleanse all malware. Sometimes we need additional tools, or manually removing processes can be necessary in severe cases.

Only fixing the O2 lines takes the processes out, but with exceptions.

5. As a rule of thumb leave all O16 lines unfixed.
Most O16 lines are completely harmless and even useful. A database will give you the malware ones.

6. (file missing) does not always mean that the file is actually missing.
In a HijackThis log you may find (file missing) behind a line. These are mostly O2, O3, O9 or O23 lines.
Normally only for O2 and O3 lines this can be taken as a fact; in other cases it is dubious.
This is a known bug in HijackThis. As a rule O9 and O23 lines with (file missing) can be left alone,
unless it is known malware, in which case the lines that come with it should be fixed.
When in doubt about a (file missing) you can check if the process is active in "running processes".

7. Manually changing the registry is a matter of last resort and a final option.
It is utterly dangerous for a victim without experience to have a go at the registry.
A small mistake can make the PC malfunction or halt.
When all scanners fail, and HijackThis and other tools fail, it is better to write a registry fix for the victim.
When this also fails, manual registry alterations are allowed, but back-up the registry first, and fully instruct.
 
8. Do not take a process out before you have identified it to be bad, and know what it is and does.

When in doubt, and no database to go by, these options are still open to you.
- Have the file scanned by uploading it to Jotti or VirusTotal and look at the results; the more detections, the more likely it is malware.
- Look at which firm made the file.
- Rename the file in question and move it to a backup folder. If it is essential you can put it back later.

9. Never fix an O10 line using HijackThis.
This may corrupt Winsock, and you lose your internet connection.
Better to use LSPFix or Winsockfix for these purposes.

10. At the end of your malware topic, give some further security tips to prevent re-infection.
Tell them they need a FW and one resident AV scanner. For us, we are avast evangelists! And stress the importance of patching Windows and other software.

Outline of your fix

Every fix is different, but generally this is a good outline.

1. We welcome those that seek help from us.
Tell them not to panic, tell them all will be well in the end.

2. Let them know what infection they have, and when known how they were infected.

3. When hijackthis.exe is in a wrong folder, it should be placed in the right one.

4. Let them download the tools necessary to fight the malware at hand.

5. Let them make hidden files visible, so they can be found and deleted.

6. Uninstall infections through Configuration Screen > Software. A better option than manual uninstall.
Do not forget to restart after every uninstall. There are lists of malware programs that are easy to uninstall.

7. Have your instructions printed, for further reference, as a .txt file. This is because the rest of the cure should be done in SafeMode.

8. When a PC has various infections, it is better to have the victim start up his PC in SafeMode.
In SafeMode malware processes responsible for the infection are non-active, so easier to be deleted.

9. Have the malware lines fixed with HijackThis. Do not forget that all other windows and programs should be closed before "Fix checked" can be pressed.
 
10. Have all malware folders and files deleted.

11. In SafeMode also clean temp-folders, where malware can reside.
A new scan can be better performed that way.

12. Have the PC restart in normal mode

13. Perform an online scan or a DrWebCureIt scan for instance.

14. Tell what logs you like to have attached.
Ask whether the victim encountered further problems.

15. Wish the victim all the best and thank them for coming here for help.
- Make your fix readable by using bold, italics etc. and numbering.
- Many that come here for help are not very computer savvy. Be precise and simple in your instructions.

If at a certain point your malware cleansing routine may take a wrong turn, ask for help from the experienced malware fighters here.
No one will blame you. Now dive into it, and try to help others.

polonus (malware fighter)

P.S. hijackthis manual: http://hometown.aol.co.uk/jrmc137/index.htm

A very good link to an extensive hijackthis manual can be found here:
http://www.malwarehelp.org/understanding-and-interpreting-hjt1.html
Title: Re: How to better write your malware-fix and using hijackthis!
Post by: wyrmrider on August 02, 2008, 04:22:19 AM
here's what charlie at Maddoktor2 has to say

Here's how to post a HiJackThis log:
First please
Register and Login.
Then......
Please download HiJackThis into its own permanent folder,
example: C:\HJT\HiJackThis.exe, C:\Program Files\HJT\HijackThis.exe or C:\MyDocuments\HJT\HijackThis.exe

Please Note:
You can get a complete installer that installs HijackThis to C:\Program Files\Trend Micro\HijackThis, makes an entry in the start menu and also providing a desktop shortcut from HERE

Double click on it to open it up, hit the Do a system scan and save log button, WordPad or NotePad will open and it will be saved in the folder, copy and paste the entire log into your New Post. (use edit > select all > copy > paste it into a New Post)

7. Along with your HijackThis log, please post a log from this free tool as well:
Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

   1. Close all applications and windows.
   2. Double-click on dss.exe to run it, and follow the prompts.
   3. When the scan is complete, two text files will open - main.txt<- this one will be maximized
      and extra.txt<-this one will be minimized
   4. Copy and paste the contents of main.txt and extra.txt into your reply.

Good Luck and Please be PATIENT.....we will get to you asap
Title: Re: How to better write your malware-fix and using hijackthis!
Post by: polonus on August 04, 2008, 09:40:28 PM
Hi malware fighters,

People that have no experience better stay away from analyzing HJT logs and fixing, this should be accompanied by people that know how to do this, here I give you an example:

0CAT YellowPages
Whenever you have this infection, you will get pop-ups from this IP 69.50.160.100.
 
In a hijackthislog you will find:
O2 - BHO: STIEbarBHO Class - {D797AD6C-6447-4DB4-91D0-090344408E72} - C:\Program Files\0CAT YellowPages\STIEbar.dll
O3 - Toolbar: 0CAT Yellow Pages - {679695BC-A811-4A9D-8CDF-BA8C795F261A} - C:\Program Files\0CAT YellowPages\STIEbar.dll
 
The cause of this infection, not visible in the HJT log, is a file that replaces webcheck.dll in the system32 folder.
 
How to remove:
The file is also shown in the HJT startuplist under Enumerating ShellServiceObjectDelayLoad items.
False: WebCheck: C:\WINDOWS\system32\msvcrta.dll
Secure: WebCheck: C:\WINDOWS\system32\webcheck.dll
Check if msvcrta.dll can be found.
Go to start - run.
Type in: regsvr32 webcheck.dll
Delete using Killbox or fix with HijackThis C:\WINDOWS\system32\msvcrta.dll or the false file shown following WebCheck.
(with HijackThis: Config - Misc Tools - Delete a file on reboot)
further info on 0CAT YellowPages spyware infection:

http://www.wilderssecurity.com/showthread.php?t=59940

polonus
Title: Re: How to better write your malware-fix and using hijackthis!
Post by: polonus on August 05, 2008, 08:59:55 PM
Hi malware fighters,

Just another example, this time a not so easy one,

Switch-dialer
Startportal, MS-Connect, etc. is a dialer that also hijacks your start page (e.g. 24start.com).
This dialer is owned by ConnectSwitch.
It is a tricky dialer because it changes names regularly.
 
Recognize this infection.
If you are infected with this dialer you can see this in your hijackthislog.
 
MS-Connect:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/MS-Connect/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpage = file:///C:/Program%20Files/MS-Connect/Portal/portal.html
O4 - HKLM\..\Run: [MS-Connect] C:\WINDOWS\System32\msite18.exe
O4 - HKLM\..\Run: [MS-Connect] C:\WINNT\System32\cdm.exe
O4 - HKLM\..\Run: [MS-Connect] C:\WINDOWS\System32\game.exe
O4 - HKLM\..\Run: [MS-RunKey] C:\WINDOWS\System32\arr.exe
 
Startportal:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/Startportal/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpage = file:///C:/Program%20Files/Startportal/Portal/portal.html
O4 - HKLM\..\Run: [Diskstart] C:\WINNT\system32\code.exe
O4 - HKLM\..\Run: [Diskstart] C:\WINDOWS\System32\cat.exe
O4 - HKLM\..\Run: [Diskstart] C:\WINDOWS\SYSTEM\HIT.EXE
O4 - HKLM\..\Run: [Diskstart] C:\WINDOWS\SYSTEM32\snt.exe
 
QuickPage:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/QuickPage/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpage = file:///C:/Program%20Files/QuickPage/Portal/portal.html
O4 - HKLM\..\Run: [Quicktlme] C:\WINDOWS\System32\ru.exe
O4 - HKLM\..\Run: [Quicktlme] C:\WINDOWS\System32\cp.exe
 
OnlineDirect:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/Onlinedirect/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpage = file:///C:/Program%20Files/Onlinedirect/Portal/portal.html
O4 - HKLM\..\Run: [CLSID] C:\WINDOWS\System32\sed.exe
O4 - HKLM\..\Run: [CLSID] C:\WINDOWS\System32\msgplus.exe
 
NowOnline:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/NowOnline/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagine = file:///C:/Program%20Files/NowOnline/Portal/portal.html
O4 - HKLM\..\Run: [CLSID] C:\WINDOWS\System32\com.exe
 
FirstEnter:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/FirstEnter/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/FirstEnter/Portal/portal.html
O4 - HKLM\..\Run: [CLSID] C:\WINDOWS\System32\dll.exe
O4 - HKLM\..\Run: [CLSID] C:\WINDOWS\System32\plugin.exe
 
First2Enter
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/First2Enter/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpage = file:///C:/Program%20Files/First2Enter/Portal/portal.html
O4 - HKLM\..\Run: [Open2Enter] C:\WINDOWS\System32\runme.exe
O4 - HKLM\..\Run: [Open2Enter] C:\WINDOWS\System32\runme2.exe
O4 - HKLM\..\Run: [Classes] C:\WINDOWS\System32\run_21.exe
O4 - HKLM\..\Run: [Classes] C:\WINDOWS\System32\srv.exe
 
Plus18Point
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/Plus18Point/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpage = file:///C:/Program%20Files/Plus18Point/Portal/portal.html
O4 - HKLM\..\Run: [Classes] C:\WINDOWS\System32\srv.exe
O4 - HKLM\..\Run: [Classes] C:\WINDOWS\System32\srv2.exe
O4 - HKLM\..\Run: [Classes] C:\WINDOWS\System32\intl.exe
O4 - HKLM\..\Run: [Classes] C:\WINDOWS\System32\int1.exe
 
MStartEnter
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/MStartEnter/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpage = file:///C:/Program%20Files/MStartEnter/Portal/portal.html
O4 - HKLM\..\Run: [Classes] C:\WINDOWS\System32\mstar2.exe
O4 - HKLM\..\Run: [Classes] C:\WINDOWS\system32\mstart.exe
 
MStart2Page
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/MStart2Page/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpage = file:///C:/Program%20Files/MStart2Page/Portal/portal.html
O4 - HKLM\..\Run: [OpenMstart] C:\WINDOWS\System32\mcmgr32.exe
O4 - HKLM\..\Run: [OpenMstart] C:\WINDOWS\system32\mmgr32.exe
 
EnterOne
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/EnterOne/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpage = file:///C:/Program%20Files/EnterOne/Portal/portal.html
O4 - HKLM\..\Run: [NvCplD] C:\WINDOWS\System32\m2gr32.exe
O4 - HKLM\..\Run: [NvCplD] C:\WINDOWS\system32\ntcpl.exe
O4 - HKLM\..\Run: [NvCplD] C:\WINDOWS\system32\ntopengl.exe
 
PageOn1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/PageOn1/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/PageOn1/Portal/portal.html
O4 - HKLM\..\Run: [rCron] C:\WINDOWS\System32\rcron.exe
O4 - HKLM\..\Run: [rCron] C:\WINDOWS\System32\dservice.exe
 
Make125
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/Make125/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpage = file:///C:/Program%20Files/Make125/Portal/portal.html
O4 - HKLM\..\Run: [sVideo2] C:\WINDOWS\system32\vxdrun6.exe
 
eMakeSV
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagw = file:///C:/Program%20Files/eMakeSV/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpage = file:///C:/Program%20Files/eMakeSV/Portal/portal.html
O4 - HKLM\..\Run: [eMakeSV] C:\WINDOWS\system32\emakesv.exe
O4 - HKLM\..\Run: [eMakeSV] C:\WINDOWS\system32\emake2b.exe
 
NIEUW2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/NIEUW2/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpage = file:///C:/Program%20Files/NIEUW2/Portal/portal.html
O4 - HKLM\..\Run: [NIEUW] C:\WINDOWS\system32\emake2b.exe
 
How to remove:
1. Go to start - Configuration Screen - Software - Change or remove programs.
Uninstall Switch.
 
2. If the uninstall fails, use HijackThis.
End active process, search known entries and fix these using HijackThis.
 
In SafeMode, delete the exe file and also the folder under c:\Program Files\ where Portal can be found.
 
Other variants related to Switch:
 
AtivOpen
A hijackthislog shows:
O4 - HKLM\..\Run: [AtivOpen] C:\WINDOWS\system32\ativopen.exe
O16 - DPF: {5CBF8C22-E9A6-11D7-90FE-000AE4012999} - hxxp://a0e6.ffx23wl.nl/plugins/nl/ativopen.cab
 
How to remove:
Go to start - Configuration Screen - Software - Change or remove programs.
Uninstall AtivOpen.
Fix the O16 using HijackThis.
 
AdServerNow
A hijackthislog shows:
O4 - HKLM\..\Run: [Updater] C:\Windows\system32\adservernow.exe
 
How to remove:
Go to start - Configuration Screen - Software - Change or remove programs.
Uninstall AdServerNow
 
Others:
A hijackthislog shows:
O4 - HKLM\..\Run: [NAP32] "C:\WINDOWS\System32\NAP32.exe"
O16 - DPF: {62C9173E-C4C3-43B9-82F2-3DDD51663B00} - hxxp://pms.localscripts.nl/plugins/nap32/nap32_nl.cab
        
polonus   
   
Title: Re: How to better write your malware-fix and using hijackthis!
Post by: polonus on September 01, 2008, 01:10:27 AM
Hi malware fighters,

Today we discuss hijackers:
O17 - LOP.com Domain Hijacks
When you are surfing to a website using a hostname instead of an IP address, the computer uses the DNS server to translate the host to an IP address. Some hijackers change the names of the DNS servers, so their DNS servers are being used. In this way they can redirect you to whatever site they want.
Internet addresses without dots do not really exist.
It works when you type e.g. 'google' in the browser address bar.
Internet Explorer automatically tries to repair prevailing errors. So it can turn "google" into "www.google.com" automatically.
One of the names that IE automatically tries is the internet address with the domain name setting you have entered appended to it.
If a spyware program also does this, these links will redirect through a spyware website.
 
Code       Explanation
O17        LOP.com Domain Hijacks
 
How it looks:
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = W21944.find-quick.com
O17 - HKLM\Software\..\Telephony: DomainName = W21944.find-quick.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D196AB38-4D1F-45C1-9108-46D367F19F7E}: Domain = W21944.find-quick.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = gla.ac.uk
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175
 
If the domain name is not that of your ISP or the firm where you work,
let HJT fix this.
Also for SearchList-entries. For the NameServer (DNS-server) entries google for your ISP to see if they are good or bad.
 
O18 - Extra protocols and protocol hijackers

What to do:

Only a few hijackers show up here. The known baddies are 'cn' (CommonName), 'ayb' (Lop.com) and 'relatedlinks'
(Huntbar), you should have HijackThis fix those.
Other things that show up are either not confirmed safe yet, or are hijacked (i.e. the CLSID has been changed)
by spyware. In the last case, have HijackThis fix it.
The standard Protocols are being changed by the protocol used by the hijacker.
In this way the hijacker gets control over certain methods of data exchange with the Internet.
Hijackthis reads the protocols-section in the registry for non-standard protocols.
When something is found up it gives the CLSID and the file path.
Keys that are found there cannot always be trusted, and this delivers too many FPs to just blindly rely on.

 
Code     Explanation
O18       Extra protocols and protocol hijackers
 
What they look like:
O18 - Protocol: relatedblinks - {5AB65DD4-01FB-44D5-9537-3767AB80F790} - C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll
O18 - Protocol: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82}
O18 - Protocol hijack: http - {66993893-61B8-47DC-B10D-21E0C86DD9C8}
 
There is only a restricted number of hijackers. Known abusers are:

    * cn (CommonName)
    * ayb (Lop.com)
    * relatedlinks (Huntbar)

Other cases found have not been affirmed as secure, or have been hijacked (CLSID has been changed) by spyware.
If so, have HJT fix this. HijackThis does not remove the registry key and the additional file.
More info can be found here.
 
Used registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\       
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID       
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler       
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter
 
 
O19 - User Style sheet hijack
A style sheet determines how a whole webpage will appear, as well as the various elements in it.

The standard style sheet can be overwritten by a hijacker.
 
Code     Explanation
O19       User style sheet hijack
 
How it looks:
O19 - User style sheet: c:\WINDOWS\Java\my.css
 
If the browser slows down, or you are experiencing regular pop-ups, you better fix this.
These issues are caused by CoolWebSearch and are best repaired using CWShredder.

Download CWShredder.
HijackThis does not remove the affiliating file.
Used registry key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles\: User Stylesheets
 
 
O20 - AppInit_DLLs Registry value: starting automatically - Keys under Notify
The values mentioned in the registry key AppInit_DLLs are loaded whenever user32.dll is loaded.
Most executables (exe's) use user32.dll. This means that the dll files found in the registry key AppInit_DLLs
will also be loaded. The user32.dll file is also used by automatic processes started by the system on log-on.
This means that files inside AppInit_DLLs are loaded at a very early stage.
The files loaded via AppInit_DLLs stay in memory until log-off.
 
Code     Explanation
O20      AppInit_DLLs Registry value: starting automatically
O20      Keys under Winlogon\Notify
 
How it looks:
O20 - AppInit_DLLs: msconfd.dll
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\f40o0ed3eh0.dll
 
AppInit_DLLs: Few legit applications use it (Norton CleanSweep uses APITRAP.DLL),
but it is more often used by trojans and aggressive browser hijackers (e.g. CoolWebSearch).
The DLL files mentioned here can be found in the system32 folder as a rule.
The reason is that only the first 32 characters are read from this registry key by the system,
and when these files are in the system32 folder the full path does not need to be given.
The files are hidden from Windows Explorer.
When you have these items fixed by HJT, the affiliated file is not removed.
More info can be found here.
 
Notify: Since version 1.99.1, extra keys under Notify also appear in combination with O20;
HijackThis uses a whitelist to do so. Standard keys under Notify with their affiliated dll are:

    * crypt32chain   (c:\windows\system32\crypt32.dll)
    * cryptnet   (c:\windows\system32\cryptnet.dll)
    * cscdll   (c:\windows\system32\cscdll.dll)
    * ScCertProp   (c:\windows\system32\wlnotify.dll)
    * Schedule   (c:\windows\system32\wlnotify.dll)
    * Sclgntfy   (c:\windows\system32\sclgntfy.dll)
    * SensLogn   (c:\windows\system32\WlNotify.dll)
    * Termsrv   (c:\windows\system32\wlnotify.dll)
    * wlballoon   (c:\windows\system32\wlnotify.dll)

HijackThis removes the registry key, but not the affiliated file.
An infection using this method is VX2.
Not all keys appearing under Notify are malicious.
 
Used registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows: AppInit_DLLs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

In case of a 'hidden' DLL loading from this Registry value (only visible when
using 'Edit Binary Data' option in Regedit) the dll name may be prefixed with
a pipe '|' to make it visible in the log.

polonus
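As an added example (not code from this thread or from HijackThis), here is a small Python triage script that encodes the rules of thumb from this post and from the first post in the thread: it splits an O4 line into its name/exe lookup key, and applies the O10, (file missing), O17, O18, O19 and O20 rules above to each log entry. The trusted domain and DNS-server sets are the victim's ISP/work values (assumed), and the O10 line and the whitelisted Notify line in the sample log are constructed; the other sample lines are quoted from this thread.

```python
import re
from dataclasses import dataclass

# Known-bad O18 protocol names and the standard Winlogon\Notify keys, as listed in the post.
BAD_O18_PROTOCOLS = {"cn", "ayb", "relatedlinks"}
STANDARD_NOTIFY_KEYS = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                        "sclgntfy", "senslogn", "termsrv", "wlballoon"}
LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O17_RE = re.compile(r"^(?P<key>.+?): (?P<field>DomainName|Domain|SearchList|NameServer) = (?P<value>.+)$")
O18_RE = re.compile(r"^Protocol(?P<hijack> hijack)?: (?P<name>\S+) - (?P<clsid>\{[^}]+\})(?: - (?P<path>.+))?$")
O20_RE = re.compile(r"^(?P<kind>AppInit_DLLs|Winlogon Notify): (?P<rest>.+)$")


@dataclass
class Finding:
    code: str      # HijackThis section code, e.g. "O17"
    verdict: str   # "fix", "review" or "leave"
    reason: str
    line: str


def parse_o4(body):
    """Split an O4 body into (hive, entry name, command); the name/exe pair is the database lookup key."""
    m = O4_RE.match(body)
    return (m["hive"], m["name"], m["cmd"]) if m else None


def triage_line(line, trusted_domains, trusted_nameservers):
    """Apply the thread's rules of thumb to one log line; returns None for lines that are not entries."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    code, body = m["code"], m["body"]
    if code == "O10":
        return Finding(code, "leave", "never fix O10 with HijackThis; use LSPFix or WinsockFix", line)
    if code in ("O9", "O23") and body.endswith("(file missing)"):
        return Finding(code, "leave", "(file missing) on O9/O23 is a known HJT bug; fix only known malware", line)
    if code == "O4" and (parsed := parse_o4(body)):
        _hive, name, cmd = parsed
        exe = cmd.split()[0].strip('"').rsplit("\\", 1)[-1]   # bare exe name from the command
        return Finding(code, "review", f"look up name/exe pair [{name}] {exe} in a database", line)
    if code == "O17" and (m17 := O17_RE.match(body)):
        field, value = m17["field"], m17["value"]
        if field == "NameServer":   # DNS servers: compare against the ISP's, do not fix blindly
            unknown = [ip.strip() for ip in value.split(",") if ip.strip() not in trusted_nameservers]
            if unknown:
                return Finding(code, "review", "DNS servers not on the ISP list: " + ",".join(unknown), line)
            return Finding(code, "leave", "DNS servers match the ISP", line)
        if value.lower() in trusted_domains:
            return Finding(code, "leave", f"{field} matches the ISP or work domain", line)
        return Finding(code, "fix", f"{field} '{value}' is not the ISP or work domain", line)
    if code == "O18" and (m18 := O18_RE.match(body)):
        name = m18["name"].lower()
        if m18["hijack"]:   # a standard protocol whose CLSID was changed
            return Finding(code, "fix", f"standard protocol '{name}' hijacked (CLSID changed)", line)
        if name in BAD_O18_PROTOCOLS:
            return Finding(code, "fix", f"known protocol hijacker '{name}'", line)
        return Finding(code, "review", f"extra protocol '{name}' not confirmed safe; O18 gives many FPs", line)
    if code == "O19":
        return Finding(code, "fix", "user style sheet hijack; HJT leaves the .css file, CWShredder removes it", line)
    if code == "O20" and (m20 := O20_RE.match(body)):
        if m20["kind"] == "AppInit_DLLs":
            dll = m20["rest"].lstrip("|")   # a '|' prefix marks a DLL hidden in the binary registry value
            return Finding(code, "review", f"AppInit_DLLs loads {dll} into every user32 process; few legit uses", line)
        key = m20["rest"].split(" - ", 1)[0].lower()
        if key in STANDARD_NOTIFY_KEYS:
            return Finding(code, "leave", f"standard Winlogon\\Notify key '{key}'", line)
        return Finding(code, "review", f"non-standard Winlogon\\Notify key '{key}'; HJT removes the key, not the DLL", line)
    return Finding(code, "review", "no rule from the thread applies; check a database", line)


def triage_log(text, trusted_domains, trusted_nameservers):
    """Triage every entry of a log; trusted_* are the victim's ISP or workplace values (assumed input)."""
    trusted = {d.lower() for d in trusted_domains}
    findings = (triage_line(l, trusted, set(trusted_nameservers)) for l in text.splitlines())
    return [f for f in findings if f is not None]


# Constructed sample log: lines quoted in this thread plus an O10 entry and a whitelisted Notify key.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O10 - Unknown file in Winsock LSP: c:\windows\system32\example.dll
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = W21944.find-quick.com
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175
O18 - Protocol: relatedlinks - {5AB65DD4-01FB-44D5-9537-3767AB80F790} - C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll
O18 - Protocol: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82}
O18 - Protocol hijack: http - {66993893-61B8-47DC-B10D-21E0C86DD9C8}
O19 - User style sheet: c:\WINDOWS\Java\my.css
O20 - AppInit_DLLs: msconfd.dll
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\f40o0ed3eh0.dll
O20 - Winlogon Notify: cryptnet - C:\WINDOWS\system32\cryptnet.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
"""
```

Run `triage_log(SAMPLE_LOG, {"aoldsl.net"}, set())` to see each entry with its verdict; the "review" items are exactly the ones the thread says need a database lookup or a human judgement.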
Title: Re: How to better write your malware-fix and using hijackthis!
Post by: polonus on October 25, 2008, 11:24:26 PM
Hi malware fighters, a new example is cleansing a computer of a LOP infection:

LOP and Messengerplus
Messengerplus can be installed in two ways: with sponsors and without sponsors.
Installing the program with sponsors will give you a LOP infection.
Characteristics of such an infection with LOP are:

    * Blue toolbars.
    * Another default start page (cannot be altered).
    * Shortcuts onto your Desktop: Casino Online, Internet, Poker, Printer · Cartridges, Travel, Website Hosting.
    * New folders / shortcuts in your Favorites: Casino Online, Computers, Cool Stuff, Games, Internet, Movie, Online Gaming, Shopping Gifts, Travel, Web Hosting.

 
In a HijackThislog you would see the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = htxp://www.hebpzgppdmcvvkxolwsemyymm.org/Vgphr21hygEpijzFdJP36tdGhOtNQ6Wuf41DysyWb7Ef6km1SVuZftsQ3kmJbKgd.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = htxp://www.epxecirbtjumy.uk/Vgphr21hygHow4_WlYqSGCX9Qa53kzYt6MxWoMxzxkw.html
O2 - BHO: (no name) - {9C134485-ACC7-E857-CFC6-91A7FBF80B9C} - C:\DOCUME~1\Pol\APPLIC~1\SCRHOL~1\IntraHide.exe
O4 - HKLM\..\Run: [new bolt log bone] C:\Documents and Settings\All Users\Application Data\proxy chic new bolt\browsetitle.exe
O4 - HKCU\..\Run: [SpamDate] C:\DOCUME~1\Pol\APPLIC~1\COPYUP~1\bone corn soap.exe
 
These are only examples. The entries you will see in a HijackThis log may differ, because they are unique/random. The CLSIDs and the filenames that LOP uses are randomly generated.
 
How to delete:
To get rid of this infection, act accordingly:
Go to Configuration Screen - Software - Change or delete programmes. Uninstall Messengerplus.
Reboot your computer.
 
If the infection reappears, you may have the latest form of LOP. This infection uses scheduled tasks.
A possibility to remove the infection is to install Messengerplus again WITH sponsors and then uninstall.
During uninstall you have to enter a security code. Do so.
 
When that does not cure it, better make a hijackthis startup list.
Look whether you find a job under Enumerating Task Scheduler - a job (.job) with a name made up of (16?) random numbers and letters (e.g. A4476F8291C4E84E.job).
When a random .job name is found there, then that is the cause of the re-infection.
This .job is a hidden file and can be found inside the folder c:\windows\tasks.
Removal is best performed using Pocket Killbox.
 
If you want to keep using your Messengerplus, install it again, but now choose the option 'without sponsors'.

polonus
Title: Re: How to better write your malware-fix and using hijackthis!
Post by: enen on November 15, 2008, 12:51:06 PM
Sir, good day. I'm an avast user but unfortunately I have been affected by a malware, wdp-ash-updscript.vbs; it is located in the Program Files folder of avast... I have tried everything to delete and fix this one... but I can't find a remedy... and I have found an article about this one, here it is: http://www.avast.com/eng/avast_plus_wdp.html... Sir, I also use HijackThis and here are my log files... hope you can figure this one out.. thank you sir, I appreciate your help! Thank you very much in advance..
--------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:01:58 PM, on 11/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\WINDOWS\system32\LVComS.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\knlwrap.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ikernel.exe
C:\WINDOWS\SYSTEM32\NET.exe
C:\WINDOWS\SYSTEM32\NET.exe
C:\WINDOWS\SYSTEM32\net1.exe
C:\WINDOWS\SYSTEM32\net1.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [PDF3 Registry Controller] "C:\Program Files\ScanSoft\PDF Converter 3.0\\RegistryController.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [RocketDock] "C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [UberIcon] "C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Startup: TransBar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe
O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
O4 - Startup: Y'z Shadow.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with Scansoft PDF Converter 3.0 - res://C:\Program Files\ScanSoft\PDF Converter 3.0\IEShellExt.dll /100
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://213.196.182.244/activex/AMC.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 7313 bytes
Title: Re: How to better write your malware-fix and using hijackthis!
Post by: FreewheelinFrank on November 15, 2008, 12:55:03 PM
Please post the log in your own thread:

http://forum.avast.com/index.php?topic=40088.0 (http://forum.avast.com/index.php?topic=40088.0)
Title: Re: How to better write your malware-fix and using hijackthis!
Post by: enen on November 15, 2008, 01:08:52 PM
Sir, what is Secure Web Gateway... it's the only one that detects this malware..
Title: Re: How to better write your malware-fix and using hijackthis!
Post by: FreewheelinFrank on November 15, 2008, 01:10:11 PM
Please post in your own thread.
Title: Re: How to better write your malware-fix and using hijackthis!
Post by: twoferz on January 07, 2009, 10:59:09 PM
 :'( My computer is infected with three viruses that I know of.  ???
Spyware.IEMonster.b, Zlob.PornAdvertiser.xplisit & Trojan.InfoStealer.Banker.s

Presently I cannot do anything on that computer without the following things happening: various pop-ups open, my Documents folder opens, and many random web pages (blank and advertisements) restrict and ultimately freeze my computer. After restarting it my Active Desktop is disabled (which I cannot get to return) and after several minutes a blue screen appears telling me to reboot my system.

Can anyone help me?
Title: Re: How to better write your malware-fix and using hijackthis!
Post by: CharleyO on January 08, 2009, 09:17:19 AM
***

Welcome to the forums, twoferz.   :)

Please post your problem in its own thread.

To others who think of posting in this thread, please read the title of the thread again. This thread is an instructional thread and not a help thread. Please start your own thread so that help can be given to your particular problem.


***
Title: Re: How to better write your malware-fix and using hijackthis!
Post by: polonus on May 04, 2009, 08:52:29 PM
Hi CharleyO and other malware fighters,

I will give this link here, because it is a more recent (2009) long tutorial for us:

http://www.aumha.org/a/hjttutor.php

Also consider these instructions:
http://forums.majorgeeks.com/showthread.php?t=38752

And these 3 long instructions: http://www.malwarehelp.org/understanding-and-interpreting-hjt1.html
and  http://www.malwarehelp.org/understanding-and-interpreting-hjt2.html
and http://www.malwarehelp.org/understanding-and-interpreting-hjt3.html

And how to make a safe windows folder for hjt: http://russelltexas.com/malware/createhjtfolder.htm
N.B. here you have to translate this info for the most recent HJT version, e.g. 2.0.2

enjoy,

polonus

Title: Re: How to better write your malware-fix and using hijackthis!
Post by: CharleyO on May 05, 2009, 07:39:23 AM
***

Thanks for the links, Polonus.   :)


***
Title: Malware fixes and work-arounds!
Post by: polonus on October 27, 2009, 06:31:58 PM
Hi malware fighters,

One uses MBAM and it immediately shuts down upon opening and/or
one uses HJT and it immediately shuts down upon opening.
This is being caused by a CoolWebSearch Trojan (CWS) variant.

To solve this problem: Download the CoolWWWSearch.SmartKiller removal tool:
http://www.safer-networking.org/files/delcwssk.zip
After running this tool HJT and MBAM should be functioning properly again,

polonus
 
Title: Malware-fixes and work-arounds...
Post by: polonus on December 24, 2009, 08:19:48 PM
Hi malware fighters,

As requested I am going to put some links and work-arounds here, starting with this one, as MBAM is being halted by a rootkit: http://forum.avast.com/index.php?topic=52583.msg445341#msg445341

More to follow,

polonus

P.S. Some older considerations, some points might still be valid:
1. I cannot download Malwarebytes Anti-malware.
Probably your computer is infected with the DNSChanger trojan. Read and follow these instructions: How to remove trojan DNSChanger: http://www.myantispyware.com/2007/11/06/how-to-remove-trojan-dnschanger/

2. Malwarebytes Anti-malware won't install, run or update:
http://www.myantispyware.com/2009/06/08/malwarebytes-wont-install-run-or-update-how-to-fix-it/

3. Got error code 731 (0,9).
Try restarting the computer; it should solve the error.

Title: Malware fixes and work-arounds!
Post by: nmb on December 24, 2009, 08:22:28 PM
sir pol,

could you change the topic header to something general? - suggestion.. what say?

nmb
Title: Re: Malware fixes and work-arounds!
Post by: polonus on December 24, 2009, 08:31:15 PM
Hi nmb,

This better?

polonus
Title: Re: Malware fixes and work-arounds!
Post by: nmb on December 24, 2009, 08:32:39 PM
yes sir,

there you go! thanks for considering my words sir.

voted for sticky.

thanks
nmb

edit : oops! already in sticky status.
Title: Re: Malware fixes and work-arounds!
Post by: polonus on December 24, 2009, 08:38:18 PM
Hi malware fighters,

A link to the Malware Report: http://www.besttechie.net/category/malware-report/
with removal info links for the following malware and rogues:
WinBlue Soft, Virus Sweeper, SpywareProtect 2009, Total Security, SpywareGuard 2009 and the 2008, Antivirus 360, Personal Defender 2009, Zlob,
Personal Antivirus: http://www.myantispyware.com/2009/03/18/how-to-remove-personal-antivirus-uninstall-instructions/

polonus

Title: Re: Malware fixes and work-arounds!
Post by: polonus on December 25, 2009, 03:01:25 AM
Hi malware fighters,

If you have just experienced a svchost.exe crash, where an unknown module crashed on 0x0000000000 or an error bucket 738702451, this could be due to malware but also to a module crash (browser). You could try this:
Start/Run the command regedit.exe (Registry Editor). Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters and on the right side, double-click TransportBindName, press Delete and give it an empty value. That will close port 445.
Also, go to HKEY_LOCAL_MACHINE\Software\Microsoft\OLE and change the value of EnableDCOM from Y to N; that will close port 135.
If you know how, you may also disable NetBIOS. Restart the computer and the bug might be gone.
Or work this with a tool called wwdc: http://www.softpedia.com/get/Security/Firewall/Windows-Worms-Doors-Cleaner.shtml

polonus
Title: Re: Malware fixes and work-arounds!
Post by: YoKenny on December 25, 2009, 03:11:44 AM
@ polonus

My DSL modem closes ports 135 and 445, so that tweak is unnecessary.

Quote
GRC Port Authority Report created on UTC: 2009-12-25 at 02:10:28

Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113,
                            119, 135, 139, 143, 389, 443, 445,
                            1002, 1024-1030, 1720, 5000

    0 Ports Open
    0 Ports Closed
   26 Ports Stealth
---------------------
   26 Ports Tested

ALL PORTS tested were found to be: STEALTH.

TruStealth: PASSED - ALL tested ports were STEALTH,
                   - NO unsolicited packets were received,
                   - NO Ping reply (ICMP Echo) was received.
https://www.grc.com/x/ne.dll?bh0bkyd2

wwdc does not work on Windows 7
Title: Re: Malware fixes and work-arounds!
Post by: polonus on December 25, 2009, 04:17:39 PM
Hi YoKenny,

The newer operating systems like Vista and W7 have more protection aboard here.
wwdc is for users of XP SP3, which OS should only be run securely with normal user rights and utmost caution, so that it will not become the malware ghetto system, a situation for the coming years that has been predicted by anti-malware vendors,

polonus
Title: Re: Malware fixes and work-arounds!
Post by: polonus on December 25, 2009, 04:32:51 PM
Hi malware fighters,

Regedit won't work, and this could be because you, an administrator or malware intervened.

Unless you or an administrator has applied this policy in your system for the users,
it is safe to have FreeFixer or HijackThis fix this entry (one of the so-called O7 restrictions):

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
(there could also be one or more additional O4 entries involved with worms and trojans of this sort)

The malcreants, without the victim noticing, changed a registry key,
so one can no longer access regedit.

It is a component of malware or spyware;
you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the forum.
Name of trojan activity: DisableRegedit
HijackThis Category: O7
HijackThis Line:

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Description: Disabled Regedit tools is a signature of trojan activity

How to remove: Use HijackThis, FreeFixer or use Malwarebytes Anti-Malware

A work-around is to download FreeFixer.
You find it here: http://www.freefixer.com/static/freefixersetup.exe
Install, perform a scan and maybe you encounter this item:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

That is the cause of your predicament. Select this item and click "fix checked"
and then restart your computer.

How to use MBAM here:
Download MalwareBytes' Anti-Malware: http://www.besttechie.net/mbam/mbam-setup.exe
and save it onto your desktop.
Double-click mbam-setup.exe to install the program.

See to it that after install there are ticks next to:
Update MalwareBytes' Anti-Malware
Start MalwareBytes' Anti-Malware
Then click "Finish".
Whenever an update is available, it will be downloaded and installed.
As soon as the program is started, go to the tab "General Settings".
Here you tick: "Close Internet Explorer during removal of malware".
Then go to the tab "Scanner" and choose "Quick Scan".
Then click "Scan" to start the scan.
Scanning may take a while, so be patient.
When the scan has finished, click OK, then click "View results" to see the results.
See to it that everything is ticked there, and then click "Remove selected".
After removal a log will open and you will be asked to restart the computer.
The log will be saved automatically by MalwareBytes' Anti-Malware
and can be found by clicking the "Logs" tab inside the program.

Now a practical example description of a worm that disables regedit
 in this fashion and how to remove it can be found here:
http://www.quickheal.co.in/alerts/archives/alerts-Worm-VB-jp.asp

polonus
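An added read-only audit for the two registry work-arounds in the posts above (the TransportBindName/EnableDCOM edit that closes ports 445 and 135, and the O7 DisableRegedit restriction). This is example code written for this thread, not polonus's, HijackThis's or FreeFixer's own; it assumes a Windows host with PowerShell 2.0 or later and uses netstat rather than Get-NetTCPConnection so it also runs on XP/2003.

```powershell
# Added example (not from the posts above): report the state of the registry
# values the two work-arounds touch and whether TCP 135/445 actually listen.
# Read-only, no elevation needed. Assumes Windows with PowerShell 2.0+.

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-ListeningTcpPorts {
    # Parses `netstat -ano` lines such as
    #   TCP    0.0.0.0:445    0.0.0.0:0    LISTENING    4
    $ports = @()
    foreach ($line in (netstat -ano)) {
        if ($line -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+\d+') {
            $ports += [int]$Matches[1]
        }
    }
    return $ports | Sort-Object -Unique
}

function New-Row {
    param([string]$Setting, $Value, [string]$Meaning)
    New-Object PSObject -Property @{ Setting = $Setting; Value = $Value; Meaning = $Meaning }
}

function Test-WorkaroundState {
    $rows = @()
    $listening = @(Get-ListeningTcpPorts)

    # O7 restriction: DisableRegedit=1 under either hive blocks regedit.
    foreach ($hive in 'HKCU', 'HKLM') {
        $v = Get-RegValueOrNull "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System" 'DisableRegedit'
        if ($v -eq 1)          { $m = 'regedit blocked: O7 restriction active, suspicious unless an admin set it' }
        elseif ($null -eq $v)  { $m = 'absent (normal)' }
        else                   { $m = 'present but not 1 (regedit allowed)' }
        $rows += New-Row "$hive DisableRegedit" $v $m
    }

    # Port 445 work-around: TransportBindName emptied (the default is \Device\).
    $tbn = Get-RegValueOrNull 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' 'TransportBindName'
    $tbnApplied = ($null -ne $tbn) -and ($tbn -eq '')
    $open445 = $listening -contains 445
    if ($tbnApplied -and -not $open445)     { $m = 'work-around applied, port 445 not bound' }
    elseif ($tbnApplied -and $open445)      { $m = 'registry edited but 445 still listening: reboot pending or another driver binds it' }
    elseif ($open445)                       { $m = 'default: SMB bound on 445 (fine only if a firewall blocks it)' }
    else                                    { $m = 'not applied, yet nothing is bound to 445' }
    $rows += New-Row 'TransportBindName' $tbn $m

    # Port 135 work-around: EnableDCOM set to N (the default is Y).
    $dcom = Get-RegValueOrNull 'HKLM:\Software\Microsoft\OLE' 'EnableDCOM'
    $dcomApplied = ($dcom -eq 'N')
    $open135 = $listening -contains 135
    if ($dcomApplied -and -not $open135)    { $m = 'work-around applied, port 135 not bound' }
    elseif ($dcomApplied -and $open135)     { $m = 'EnableDCOM=N but 135 still listening: reboot pending or RPC endpoint mapper still bound' }
    elseif ($open135)                       { $m = 'default: DCOM/RPC endpoint mapper bound on 135 (fine only if a firewall blocks it)' }
    else                                    { $m = 'not applied, yet nothing is bound to 135' }
    $rows += New-Row 'EnableDCOM' $dcom $m

    return $rows
}

Test-WorkaroundState | Format-Table Setting, Value, Meaning -AutoSize
```

A LISTENING line in netstat means the service is bound, not that the port is reachable from outside; a host firewall or the DSL modem mentioned later in the thread can still block it, which is why the rows only say "fine only if a firewall blocks it".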

Title: Re: Malware fixes and work-arounds!
Post by: balzarini_marzia on December 27, 2009, 04:56:46 PM
Hello, I recently downloaded avast 4.8 Home Edition but I keep getting this message: avast: alert in the mail check. avast will not be able to protect incoming mail (IMAP protocol), outgoing mail (POP3) and news (NNTP protocol). Error: 10022. Check that the e-mail scanner is not blocked by the firewall. What can I do? Please help me!!!!
Title: Re: Malware fixes and work-arounds!
Post by: nmb on January 01, 2010, 03:48:24 PM
The Undeletable SafeBoot Key

Hello friends,

Quote
I present you a new program to create the SafeBoot registry key with special permissions protecting it from deletion. After using this new program, you’ll be able to restore the SafeBoot registry keys with my .REG files.

Many malware deletes the SafeBoot registry key to prevent you from booting into Safe Mode. I provide a registry fix to restore these keys.

here : Didier stevens' blog (http://blog.didierstevens.com/2010/01/01/the-undeletable-safeboot-key/)

Hope it helps all malware fighters.

Thanks
nmb
Title: Re: Malware fixes and work-arounds!
Post by: polonus on January 02, 2010, 01:48:59 PM
Hi nmb,

We can read each others minds, look here: http://forum.avast.com/index.php?topic=52960.msg448960#msg448960
With additional comments,

polonus
Title: Re: Malware fixes and work-arounds!
Post by: polonus on January 07, 2010, 07:40:09 PM
Hi malware fighters,

Cloaked malware. Eradication: See the procedure described here: http://techver2.blogspot.com/2009_11_22_archive.html

polonus

Title: Re: Malware fixes and work-arounds!
Post by: polonus on January 09, 2010, 01:48:29 PM
Hi malware fighters,
Protection against Samy's NAT traversal exploit with NS inside Fx

If you want to change ABE you should select, copy and paste this rule with Notepad:

# NAT Pinning blockage (blocks outbound HTTP traffic to unlikely ports)
Site https?://[^/]+:[0-35-7]
Deny

What to do next:

Navigate via NoScript, Options, Advanced to the tab ABE. There left-click USER and then the button Change; a prompt will pop up saying no file can be coupled to ABE. Choose the last option with the text "select a program within the list of installed programs" and search for Notepad. Paste the rule at the top inside Notepad. At closing Notepad choose Save. Click OK. The rule has now been added. Click OK to close the Options and save all.
You are now fully protected against router traversal...
(Courtesy of NS's Giorgio Maone - with thanks)

polonus
Title: Re: Malware fixes and work-arounds!
Post by: nmb on January 09, 2010, 06:05:29 PM
Protection against Samy's NAT traversal exploit with NS inside Fx

Here is the original : Hackademix (http://hackademix.net/2010/01/08/nat-pinning-and-abe/)

Thanks
nmb
Title: Re: Malware fixes and work-arounds!
Post by: lexx_gray@hotmail.com on January 29, 2010, 10:15:00 PM
I just ordered Avast Pro and downloaded it, but whatever is on my computer will not let me open anything, including my malware/spyware scanner. Can someone help me???
Title: Re: Malware fixes and work-arounds!
Post by: polonus on February 04, 2010, 01:27:09 PM
Hi malware fighters,

A fix for an IE vulnerability on XP and Win2000, where protected mode has been disabled, can be found here:
http://go.microsoft.com/?linkid=9709676
Info on the Information Disclosure hole in IE: http://www.microsoft.com/technet/security/advisory/980088.mspx
Make a bookmark of it, because later MS will come out with an out-of-band patch, and you then have to disable the work-around.
Users with Vista and Windows 7 are safe,

polonus
Title: Re: Malware fixes and work-arounds!
Post by: polonus on February 14, 2010, 11:51:20 PM
Hi malware fighters,

A work-around for an intermittent CPU peak due to corrupt virtual memory leaking:
Make sure you have plenty of RAM to do this (minimum 515mb preferred). Get rid of the current page file (virtual memory); it may be corrupted, causing memory leaks.

> Right-click My Computer on your desktop
> Choose Properties
> Click the Advanced tab
> In the Performance panel,
> Click the Settings button
> Advanced tab in the Performance options
> In the Virtual memory panel,
> Click the Change button
> Select C drive/partition, if it isn't already selected
> Tick 'No Paging file' in the paging file size for selected drive panel
> Press the SET button
> Then click OK, OK, OK
> Reboot; the system will re-create it

This possible solution should end your worries,

polonus
Title: Re: Malware fixes and work-arounds!
Post by: alisterben on March 02, 2010, 08:16:57 AM
Give me some possible solutions for cleaning the registry.
Title: Re: Malware fixes and work-arounds!
Post by: CharleyO on March 02, 2010, 11:31:22 AM
***

Go to the link below and download TweakNow Registry Cleaner at the top left under the header Download.

http://www.tweaknow.com/RegCleaner.php


***
Title: Re: Malware fixes and work-arounds!
Post by: nmb on March 02, 2010, 04:40:40 PM
Go to the link below and download TweakNow Registry Cleaner at the top left under the header Download.
http://www.tweaknow.com/RegCleaner.php

Be careful with this; I have had problems after cleaning.. better leave the registry as it is, or use CCleaner's registry cleaner, which is very much safer.

Thanks
nmb
Title: Re: Malware fixes and work-arounds!
Post by: magicmatt1 on March 03, 2010, 05:52:02 PM
Can anybody help me with this nasty "xp antivirus pro" virus?
Title: Re: Malware fixes and work-arounds!
Post by: Pondus on March 03, 2010, 05:56:35 PM
You should have started a new topic, and not posted inside this


How to remove XP Internet Security 2010, Antivirus Vista 2010, and Win 7 Antispyware 2010
http://www.bleepingcomputer.com/virus-removal/remove-antivirus-vista-2010

What this program does:

Antivirus Vista 2010, Win 7 Antispyware 2010, and XP Internet Security 2010 are new rogues that are exactly the same program, but are shown with different names and interfaces depending on the version of Windows that it is run on. After I wrote this guide, I was told that this rogue goes under quite a few different names, which I have listed below:

•Antivirus Vista 2010
•Vista Antispyware 2010
•Vista Guardian
•Vista Antivirus Pro
•Vista Internet Security
•Vista Internet Security 2010
•XP Guardian
•XP Antivirus Pro
•XP AntiSpyware 2010
•XP Internet Security
•XP Internet Security 2010
•Antivirus XP 2010
•Antivirus Win 7 2010
•Win7 Guardian
•Win 7 Antivirus Pro
•Win 7 Antispyware 2010
•Win 7 Internet Security
•Win 7 Internet Security 2010

When installed, this rogue pretends to be an update for Windows installed via Automatic Updates. It will then install itself as a single executable called AV.exe that uses very aggressive techniques to make it so that you cannot remove it. First, it makes it so that if you launch any executable it instead launches Antivirus Vista 2010, Win 7 Antispyware 2010, or XP Internet Security 2010. If the original program that you wanted to launch is deemed safe by the rogue, it will then launch it as well. This allows the rogue to determine what executables it wants to allow you to run in order to protect itself. It will also modify certain keys so that when you launch FireFox or Internet Explorer it will launch the rogue instead and display a fake firewall warning. Last, but not least, when you try to browse to a web site, it will hijack your browser and state that the site is a security risk and not allow you to visit it.
Title: Re: Malware fixes and work-arounds!
Post by: soumen on March 09, 2010, 09:59:55 PM
Hi guys,

Need some help!

My PC is infected with Win32-Malware-gen.
The virus is present in C:\Windows\Temp\xxx.tmp\svchost.exe.

Avast home edition is detecting it every 5 mins and suggested measure is to move it to Chest.
I have tried bootscan and it deletes it but after reboot it comes up again.

please let me know how to remove the malware from my system.

Thanks in advance!
Title: Re: Malware fixes and work-arounds!
Post by: Pondus on March 09, 2010, 10:08:54 PM
Hi guys,

Need some help!

My PC is infected with Win32-Malware-gen.
The virus is present in C:\Windows\Temp\xxx.tmp\svchost.exe.

Avast home edition is detecting it every 5 mins and suggested measure is to move it to Chest.
I have tried bootscan and it deletes it but after reboot it comes up again.

please let me know how to remove the malware from my system.

Thanks in advance!


http://forum.avast.com/index.php?topic=54389.0
Title: Re: Malware fixes and work-arounds!
Post by: DavidR on March 09, 2010, 10:13:58 PM
@ soumen
This really should be in its own new topic in the Viruses and Worms forum as it is technically unrelated to the original Topic.

If it keeps coming back, there is likely to be an undetected or hidden element to the infection that restores or downloads the file again. What is your firewall ?

If you haven't already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

Don't worry about reported tracking cookies they are a minor issue and not one of security, allow SAS to deal with them though. - See http://en.wikipedia.org/wiki/HTTP_cookie (http://en.wikipedia.org/wiki/HTTP_cookie).

If you have any other questions, etc. including posting logs, create your own new topic to do that, thanks.
Title: Re: Malware fixes and work-arounds!
Post by: polonus on March 24, 2010, 12:00:47 AM
Hi malware fighters,

You experience a block of MS Update; somehow the settings for svchost.exe for www.update.microsoft.com are being blocked, so now it is time to reset the settings database in ZA.

Hold down the Ctrl and Shift keys together
Right click on the ZA icon near your clock
Choose 'Reset' from the box that comes up
Choose Yes on the Reset Settings dialog box
When prompted, choose OK to restart your system
Follow the on screen configuration prompts after reboot

polonus
Title: Re: Malware fixes and work-arounds!
Post by: polonus on April 02, 2010, 09:34:32 PM
Hi malware fighters,

A proposed manual removal routine,

1) Run Process explorer. Use Ctrl+F to find any references to the malware at hand.
2) Kill any malware processes or malware threads (PIDs) inside of normal processes (ex. some malware hides as a thread in winlogon.exe)
3) Run Autoruns to be able to cleanse the "startup vectors" for the malware
4) Reboot
5) If the system boots clean, obliterate the malware files. For this use MoveOnBoot: http://go.ask-leo.com/moveonboot (instruction: http://ask-leo.com/how_do_i_delete_a_file_in_use.html )

polonus
Title: Re: Malware fixes and work-arounds!
Post by: polonus on April 08, 2010, 11:10:07 PM
Specific usb virus cleansing script found here: http://www.en.mygeekside.com/?p=18

pol
Title: Re: Malware fixes and work-arounds!
Post by: asw on April 19, 2010, 04:01:10 PM
need help with win32:alurean-fz      now has affected startup.  what does  C:/windows/system32/drivers/rascacd.sys      mean?
Title: Re: Malware fixes and work-arounds!
Post by: essexboy on April 19, 2010, 08:33:11 PM
That may be the new TDSS variant, which takes careful handling - please start your own thread and let me know. I will then assist.
Please do not try to restore the system, as one variant will remove all services if you do that.
Title: Re: Malware fixes and work-arounds!
Post by: polonus on May 04, 2010, 08:50:41 PM
Hi malware fighters,

Repository of malware removal tools: http://www.wintricks.it/FORUM/showthread.php?t=56594


polonus
Title: Re: Malware fixes and work-arounds!
Post by: polonus on May 20, 2010, 03:34:06 PM
Hi malware fighters,

Work-around for the new ActionKey USB malware worm: Preventing AutoPlay for a Component
Quote
To prevent AutoPlay from launching in response to an event, add the following REG_SZ value, as shown in this example.

HKEY_LOCAL_MACHINE
   SOFTWARE
      Microsoft
         Windows
            CurrentVersion
               Explorer
                  AutoplayHandlers
                     CancelAutoplay
                        CLSID
                           00000000-0000-0000-0000-000000000000

The value is the class identifier (CLSID) that the component generating the event is known by in the running object table (ROT). The value has no data.

Important  Under this key, the CLSIDs are not enclosed in braces ( {} ).

pol

Title: Re: Malware fixes and work-arounds!
Post by: kellykent@hotmail.com on June 30, 2010, 11:22:54 PM
I have been using the newer free version of Avast for a while.  Before that 4.8.  Over the last couple of months I have recently worked 3 machines that have come down with different malware/trojans that Avast did not catch.  What program caught it?  F-Secure Clean Scan.  A free version.
I recommend Avast to everyone who asks but I'm beginning to lose confidence.
The only problem with the Clean scanning software of f-secure is it doesn't tell me what it caught just tells me "malware".
Title: Re: Malware fixes and work-arounds!
Post by: polonus on June 30, 2010, 11:38:05 PM
Hi kellykentAThotmail.com,

Well, this is quite common for any resident av solution. It cannot catch all: too many variants, they have to make a selection for their database and cover the remainder with heuristics, too large a vulnerability window to cover, and zero-days can also be your deal if you are so unlucky to stumble upon one online. This is not only avast, it is with all av solutions, so the best you can do is have some additional non-resident scanning next to it (MBAM, SAS, online scanner of your choice) so the detection range becomes as broad as you can live with. Additionally, if you want to be fully protected use a Mozilla browser with the NoScript and RequestPolicy extensions installed, yep, and then, and then you are fully covered,

polonus
Title: Re: Malware fixes and work-arounds!
Post by: robnasty on July 03, 2010, 02:11:32 PM
Hi there
I have a question relating to malware.
I picked up a trojan last night even though my avast was running and up to date.
My System Restore is disabled and avast has been completely disabled, including the boot scan; it just restarts the PC
and does not scan the PC. In fact avast says the version installed is `unknown`. How do I remove this threat and restore avast
to its former working order?
please help!
Title: Re: Malware fixes and work-arounds!
Post by: polonus on July 26, 2010, 07:13:27 PM
Hi malware fighters,

There is now protection against the new Windows Shortcut Exploits without losing your icons, free tool download here:

http://downloads.sophos.com/custom-tools/Sophos%20Windows%20Shortcut%20Exploit%20Protection%20Tool.msi

polonus
Title: Re: Malware fixes and work-arounds!
Post by: nmb on July 27, 2010, 05:30:46 PM
<snip>
There is now protection against the new Windows Shortcut Exploits without losing your icons, free tool download here:

One more (GDATA) : http://www.gdata.de/support/downloads/tools (tool available in English)

Read more in sans diary : http://isc.sans.edu/diary.html?storyid=9268
Quote
This(Sophos) tool currently only protects against LNK files and does not protect against PIF based exploits. It also does not protect against LNK files or targets stored on the local disk.

nmb
Title: Re: Malware fixes and work-arounds!
Post by: igor on July 27, 2010, 05:39:35 PM
There is now protection against the new Windows Shortcut Exploits without losing your icons, free tool download here:

Well, how about avast? It protects you for quite some time already... ;)
Title: Re: Malware fixes and work-arounds!
Post by: polonus on July 27, 2010, 06:06:56 PM
Hi igor,

If you say so, and we all are avast users after all. We should know why then.   
Thanks a bunch, for the reassuring message,

polonus
Title: Re: Malware fixes and work-arounds!
Post by: Rednose on July 28, 2010, 07:52:41 AM
There is now protection against the new Windows Shortcut Exploits without losing your icons, free tool download here:

Well, how about avast? It protects you for quite some time already... ;)


Hi Igor :)

So if I understand you right Avast! detects/blocks the LNK exploit itself, no matter what malware it is used by ???

Greetz, Red.
Title: Re: Malware fixes and work-arounds!
Post by: nmb on July 28, 2010, 07:36:55 PM
Well, how about avast? It protects you for quite some time already... ;)

Yeah :) I have seen the LNK:Runner in the vps update history ;)

Thx
Title: Re: Malware fixes and work-arounds!
Post by: polonus on July 28, 2010, 11:36:23 PM
Hi folks,

I reported here about the third-party fixes for the LNK hole, but I must also tell you that Microsoft will not support these solutions, according to Microsoft's security response team's group manager, Jerry Bryant,


polonus
Title: Re: Malware fixes and work-arounds!
Post by: Rednose on July 29, 2010, 07:28:55 AM
Yeah :) I have seen the LNK:Runner in the vps update history ;)

Thx

Yeah, you are right :)

16.7.2010 - 100716-0  LNK:Runner
17.7.2010 - 100717-1  LNK:Runner-A, LNK:Runner-B
25.7.2010 - 100725-0  LNK:Runner-T

Greetz, Red.
Title: Re: Malware fixes and work-arounds!
Post by: polonus on July 30, 2010, 11:33:12 PM
Hi malware fighters,

Undo your fixes and work-arounds before you patch coming Monday with an official MS out of band vulnerability fix: http://www.dshield.org/diary.html?storyid=9304

pol
Title: Re: Malware fixes and work-arounds!
Post by: Dch48 on July 30, 2010, 11:49:38 PM
Question--- I didn't do any fixes for the lnk problem so I'm good there but I did apply the workaround for the previous problem with the HCP protocol. I backed up the registry keys that it said to delete. Now that the patch has been applied, can I just reinsert those keys? They still are not present in my registry so HCP is still disabled. I have not encountered any problems since disabling it so maybe I should just wait until something says I need to enable the protocol?
Title: Re: Malware fixes and work-arounds!
Post by: polonus on July 30, 2010, 11:58:49 PM
Well Dch48,

Well, the sound policy is always: if there is a security hole apply the MS fix, NEVER go for a third-party solution (MS and I advise you not to do that, and they know their backyard best); when the official update patch comes, you should undo the temporary fix before applying the patch. If you haven't applied any fix then do nothing, just update and voila. As they see that more and more malcreants are abusing the "shortcut" vulnerability they apparently decided to come up with an out-of-band solution for the problem coming Monday - you can enable HCP if you need it; if you do not need a service do not install it, the fewer services you have installed the smaller the vulnerability surface, it is a good security measure. Some do not need Java, do not install it; some install VLC Media Player, they do not need other media players; so also be lean on plug-ins, just take aboard what is essential for your private computer experience,

polonus
Title: Re: Malware fixes and work-arounds!
Post by: AntDude on August 01, 2010, 07:24:20 PM
Yeah :) I have seen the LNK:Runner in the vps update history ;)

Thx

Yeah, you are right :)

16.7.2010 - 100716-0  LNK:Runner
17.7.2010 - 100717-1  LNK:Runner-A, LNK:Runner-B
25.7.2010 - 100725-0  LNK:Runner-T

Greetz, Red.
Awesome. I have an old client who still uses an old Windows 2000 SP4 with all updates. MS dropped its support last month (actually two months ago since there were no updates last month :(). He currently runs the latest Avast Free on it. I'm glad that this is protected. :)
Title: Re: Malware fixes and work-arounds!
Post by: polonus on August 01, 2010, 10:18:51 PM
Hi forum friends,

Probably tomorrow MS will patch the shell32.dll file with the out-of-band patch because the hole is situated there,

polonus
Title: Re: Malware fixes and work-arounds!
Post by: Mele20 on August 02, 2010, 03:39:21 AM
Well Dch48,

Well, the sound policy is always: if there is a security hole, apply the MS fix, NEVER go for a third-party solution (MS and I advise you not to do that, and they know their backyard best); if the official update patch comes, before applying the patch you should undo the temporary fix. If you haven't applied any MS fix then do nothing, just update and voila. As they see that more and more malcreants are abusing the "shortcut" vulnerability, they apparently decided to come up with an out-of-band solution for the problem coming Monday. You can enable HCP if you need this; if you do not need a service, do not install it. The fewer services you have installed, the smaller the vulnerability surface; it is a good security measure. Some do not need Java, so do not install it; some install VLC Media Player, so they do not need other media players. So also be lean on plug-ins, just take aboard that which is essential for your private computer experience,

polonus

Ahem. Not all of us have XP SP3 or Vista or Win 7. I run XP Pro SP2 and have no intention of risking upgrading an extremely heavily used 4.5 year old desktop. It will remain at SP2.

I was quite puzzled by Virus Total's report when I would submit the two files from the POC to VT every day, or so, to see who was able to detect it. On VT, Avast showed as NOT detecting the nastiest of the two tests (suckme) but just detecting the dll.dll. I was on my host XP machine that runs Avira 8, so I started my Vista virtual machine where I have Avast and downloaded the POC to that machine also. Then I was able to see that Avast was detecting in a different manner than Avira (which has separate signatures for the two tests) and I assume this is why VT doesn't show Avast (and a number of other vendors) as detecting the suckme file. Avast detects both and detects when downloading the .RAR file also, but it doesn't show that on VT.

Anyhow, my main machine will not be protected by Microsoft's patch unless they do something other than patching shell32.dll. If they patch that then the SP3 patch will not work on SP2.
Title: Re: Malware fixes and work-arounds!
Post by: Dch48 on August 02, 2010, 05:03:09 AM
Sorry but there just is no good or sound reason not to be using SP3. It performs better than SP2 in all aspects besides the security matters.
Title: Re: Malware fixes and work-arounds!
Post by: DavidR on August 02, 2010, 05:13:30 AM
@ Mele20
Having SP3 shouldn't put any more load on your resources, CPU and RAM, than XP SP2. I certainly didn't find any noticeable difference when I updated on my old system. Yes, it may well take up more hard disk space, but not a huge amount more.

Without SP3 you have no future security updates period.

Unfortunately the VT scan doesn't test all of avast's resident shields, one of the most proactive being the web shield's detection.
Title: Re: Malware fixes and work-arounds!
Post by: Rednose on August 02, 2010, 08:44:20 PM
Hi forum friends,

Probably tomorrow MS will patch the shell32.dll file with the out-of-band patch because the hole is situated there,

polonus

The patch is available thru Microsoft update :

http://www.microsoft.com/technet/security/bulletin/MS10-046.mspx

Greetz, Red.
Title: Re: Malware fixes and work-arounds!
Post by: polonus on September 01, 2010, 01:05:22 AM
How to delete a fake av:
The Internet Antivirus spyware generates fake and misleading system scan messages on an infected computer. The scans show viruses and other malware found on your hard drive. The messages also urge you to pay for the full version of the Internet Antivirus application to remove these and future threats. However, Internet Antivirus is a scam targeted at inexperienced users because the software is fake and incapable of removing any viruses. Delete this dangerous spyware immediately upon detection.
Difficulty: Moderate
Instructions

End System Processes
1. Press the "Ctrl," "Shift" and "Esc" keys at the same time to start the Task Manager.
2. Click the "Processes" tab.
3. Select "IAInstall.exe" from the list of processes and click "End Process" at the bottom of the window. Select "IAvir.exe" from the list of processes and click "End Process" at the bottom of the window.
4. Close the Task Manager.

Remove Registry Entries
5. Go to the "Start" menu, type "regedit" in the "Start Search" box and hit "Enter" to start the Registry Editor.
6. Browse to and delete the following registry entries:

   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Internet Antivirus" = ""C:\program files\Internet Antivirus\IAvir.exe" /s"

   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\"3P_UDEC_IA:" = ""[Installer Path]\IAInstall.exe" 0;C;"

   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\"iv:" = """C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\iv.exe"""

7. Close the Registry Editor.

Delete Files
8. Go to the "Start" menu, type "Internet Antivirus" in the "Start Search" box and hit "Enter."
9. Delete all search results.
10. Restart your computer.

pol
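An added example (not from polonus's post or from any vendor tool) that checks for the three autorun entries listed above without touching the live registry: export the HKCU CurrentVersion branch on the infected machine (`reg export HKCU\Software\Microsoft\Windows\CurrentVersion cv.reg`, which writes UTF-16), then run this on a clean machine. The sample export, the installer path and the exe-name matching are assumptions; the post gives "[Installer Path]" as a placeholder, so the check also matches on the executable names.

```python
import re
from pathlib import PureWindowsPath

# Autorun values from the post, keyed by registry key (lower-cased) and value name.
INDICATORS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run": {"Internet Antivirus": "iavir.exe"},
    r"hkey_current_user\software\microsoft\windows\currentversion\runonce": {"3P_UDEC_IA:": "iainstall.exe"},
    r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer\run": {"iv:": "iv.exe"},
}
EXE_NAMES = {"iavir.exe", "iainstall.exe", "iv.exe"}

# Constructed sample of a .reg export: three rogue entries plus the benign nwiz entry as a control.
# In .reg syntax a backslash is written \\ and a double quote \" inside string data.
SAMPLE_REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Internet Antivirus"="\"C:\\program files\\Internet Antivirus\\IAvir.exe\" /s"
"nwiz"="nwiz.exe /installquiet /keeploaded /nodetect"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"3P_UDEC_IA:"="\"C:\\Users\\Public\\IAInstall.exe\" 0;C;"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"iv:"="\"C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Microsoft\\Internet Explorer\\iv.exe\""
"""

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')  # "name"=data


def _unescape(s):
    """Undo .reg string escaping: \\ -> \ and \" -> " in a single pass."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Yield (key, value_name, data) from a .reg text; only REG_SZ data is unescaped."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if key is None or not m:
            continue
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        yield key, _unescape(m.group(1)), data


def _exe_name(command):
    """Basename of the executable in a command line such as '"C:\\x\\IAvir.exe" /s'."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        path = command[1:end] if end > 0 else command[1:]
    else:
        path = command.split(" ", 1)[0]
    return PureWindowsPath(path).name.lower()


def find_internet_antivirus_autoruns(reg_text):
    """Return the autorun entries matching the post's value names or executable names."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        known_name = INDICATORS.get(key.lower(), {}).get(name)
        exe = _exe_name(data)
        if known_name is not None or exe in EXE_NAMES:
            reason = "known value name" if known_name is not None else "known executable name"
            findings.append({"key": key, "name": name, "data": data, "exe": exe, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_internet_antivirus_autoruns(SAMPLE_REG_EXPORT):
        print(f"{f['reason']}: [{f['key']}] {f['name']} -> {f['data']}")
```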
Title: Re: Malware fixes and work-arounds!
Post by: polonus on September 07, 2010, 07:29:40 PM
Hi forum friends,

For Winsock connection problems caused by malware etc. on XP/W2000,
here is a pre-Winsock Fix, install from http://www.visualtour.com/downloads/xp_fix.exe
Then go here to download the Winsock Fix: http://www.visualtour.com/downloads/xp_fix.exe
(The pre-Winsock fix is for the case that Winsock Fix is not supported.)

For Vista we have this info: http://www.mydigitallife.info/2007/06/18/repair-and-reset-windows-vista-tcpip-winsock-catalog-corruption/

and for W7: http://windows7themes.net/repair-reset-winsock-windows-7.html

polonus
Title: Re: Malware fixes and work-arounds!
Post by: Left123 on September 19, 2010, 11:32:46 AM
How to delete a fake av:
The Internet Antivirus spyware generates fake and misleading system scan messages on an infected computer. The scans show viruses and other malware found on your hard drive. The messages also urge you to pay for the full version of the Internet Antivirus application to remove these and future threats. However, Internet Antivirus is a scam targeted at inexperienced users because the software is fake and incapable of removing any viruses. Delete this dangerous spyware immediately upon detection.
Difficulty: Moderate
Instructions

End System Processes
1. Press the "Ctrl," "Shift" and "Esc" keys at the same time to start the Task Manager.
2. Click the "Processes" tab.
3. Select "IAInstall.exe" from the list of processes and click "End Process" at the bottom of the window. Select "IAvir.exe" from the list of processes and click "End Process" at the bottom of the window.
4. Close the Task Manager.

Remove Registry Entries
5. Go to the "Start" menu, type "regedit" in the "Start Search" box and hit "Enter" to start the Registry Editor.
6. Browse to and delete the following registry entries:

   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Internet Antivirus" = ""C:\program files\Internet Antivirus\IAvir.exe" /s"

   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\"3P_UDEC_IA:" = ""[Installer Path]\IAInstall.exe" 0;C;"

   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\"iv:" = """C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\iv.exe"""

7. Close the Registry Editor.

Delete Files
8. Go to the "Start" menu, type "Internet Antivirus" in the "Start Search" box and hit "Enter."
9. Delete all search results.
10. Restart your computer.

pol


Sometimes the new fake AVs like NAVa SHIEld or other AVs block the Task Manager; in this case they must download procexp.
Picture:
http://img440.imageshack.us/img440/2997/randomk.jpg

Title: Re: Malware fixes and work-arounds!
Post by: DavidR on September 19, 2010, 02:42:44 PM
@ Left123
When posting images, please crop the image to show only what is relevant and reduce the file size (that will make it small enough to attach to the post as opposed to having a direct link), not everyone viewing the images is using broadband.

I don't know why you felt you needed to quote the whole of Polonus's post; just reference the relevant part. You make a valid point that the Task Manager might not be available; the other information is in the original post. These two options reduce the need for huge amounts of scrolling.

How to delete a fake av:
The Internet Antivirus spyware generates fake and misleading system scan messages on an infected computer. The scans show viruses and other malware found on your hard drive. The messages also urge you to pay for the full version of the Internet Antivirus application to remove these and future threats. However, Internet Antivirus is a scam targeted at inexperienced users because the software is fake and uncapable of removing any viruses. Delete this dangerous spyware immediately upon detection.
Difficulty: Moderate
Instructions

End System Processes
1. Press the "Ctrl," "Shift" and "Esc" keys at the same time to start the Task Manager.
<snip>
Title: Re: Malware fixes and work-arounds!
Post by: Left123 on September 19, 2010, 03:40:34 PM
@ Left123
When posting images, please crop the image to show only what is relevant and reduce the file size (that will make it small enough to attach to the post as opposed to having a direct link), not everyone viewing the images is using broadband.

I don't know why you felt you needed to quote the whole of Polonus's post; just reference the relevant part. You make a valid point that the Task Manager might not be available; the other information is in the original post. These two options reduce the need for huge amounts of scrolling.

How to delete a fake av:
The Internet Antivirus spyware generates fake and misleading system scan messages on an infected computer. The scans show viruses and other malware found on your hard drive. The messages also urge you to pay for the full version of the Internet Antivirus application to remove these and future threats. However, Internet Antivirus is a scam targeted at inexperienced users because the software is fake and uncapable of removing any viruses. Delete this dangerous spyware immediately upon detection.
Difficulty: Moderate
Instructions

End System Processes
1. Press the "Ctrl," "Shift" and "Esc" keys at the same time to start the Task Manager.
<snip>


About the quote you are right. I don't know how to attach an image; shall I upload the pic and post the link next time?
Title: Re: Malware fixes and work-arounds!
Post by: DavidR on September 19, 2010, 04:33:42 PM
When you click the Reply button, there is an Additional Options link, this expands the options to attach a file, that can be an image file or a text file (.log or .txt). Also see How to post an Image (http://forum.avast.com/index.php?topic=8982.0).
Title: Re: Malware fixes and work-arounds!
Post by: polonus on April 01, 2011, 11:09:04 PM
Applied in a recent Fake-AV malware cleansing. To remove this completely, in certain cases it is best to combine MBAM and SAS.

MBAM: Trojans will block the downloading and installation of MBAM. If this happens, download it from a known clean computer, update, and rename the executable file before executing it on the infected computer.
Download MBAM free from here: http://www.malwarebytes.org/mbam-download.php
Then do a separate scan with another security program so that other infected files not detected by the anti-virus application can be removed as well. Download and run SuperAntiSpyware Portable Scanner. Download and instructions to be found here: http://www.superantispyware.com/portablescanner.html
Both tools can be downloaded from a known clean computer onto a USB stick and run on the infected computer.
Hope this could help other users as well,

polonus
Title: Re: Malware fixes and work-arounds!
Post by: polonus on June 18, 2011, 04:38:25 PM
L.S.

Whenever you do a scan or upload a suspicious file for a scan on VT for instance, then MD5/SHA1 hashes are being generated, and you can identify that particular file, piece of malcreation if it has already been analyzed through earlier scans or found by honeypots.

There is even an extension that can search the Virustotal hashes automatically for you in the Firefox browser: https://addons.mozilla.org/en-US/firefox/addon/virustotal-hash/

Online you can check here: https://www.vicheck.ca/md5query.php
Or you may use the hash database here: http://isc.sans.edu/tools/hashsearch.html

Or just put the hash in as a google search query and look for additional information
you may stumble upon and if avast does not detect send the info to virus AT avast dot com:

Now for some examples, so you may learn what this is all about -

For instance we have found this MD5 hash: 4d7796df39daf235028919533ea7e73b
and we get these accompanying VT results from ViCheck.ca:
http://www.virustotal.com/file-scan/report.html?id=393796c058193cbde2108a799e5378bf5f5a2bfb42db9fddc7034bf56a99c99e-1307961961
and the accompanying Threatreport for this MD5 hash:
http://www.threatexpert.com/report.aspx?md5=4d7796df39daf235028919533ea7e73b
At once we will know that avast does not detect this malware,
and from the Threat report it stemmed from Croatia: http://wepawet.iseclab.org/view.php?hash=3df4df1ded0c2535f521ae302d2f903e&t=1308059678&type=js
Anubis report here: http://anubis.iseclab.org/?action=result&task_id=1d51c29456a0c2d04692cbfc0f8a9011a
Site with poor reputation:
http://www.mywot.com/en/scorecard/ms.mjntravel.biz
but lots of links there are now dead, so this one is not responding.
So on to the most recent one there and see if avast folks did their homework.
and yes, BINGO, they did, as we expected from them, because this MD5 hash was found there only yesterday: MD5 hash = dc1297306c88b89fd79f121b1bc5bb22
And if we look at VT for that one, we see that our good avast av protects us all:
http://www.virustotal.com/file-scan/report.html?id=6e1a05ca5bb5d8e72f8de5ab403a8533bb88e74d81933d766613b807dc7a64d5-1308255138
malware detected by avast as Win32:Downloader-HXU,

polonus
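An added example (not polonus's own procedure or any vendor tool) of the first step described above: hash a suspicious file in chunks, compare it against a local list of hashes you have already looked up, and build the lookup queries for the ThreatExpert URL form quoted in the post and for a Google search. The "known" list is constructed here from the two MD5s quoted in the post with the verdicts the post reports; a real list would be your own notes.

```python
import hashlib
from urllib.parse import quote_plus

# Constructed local notes: MD5 -> what the post says was known about it at the time.
KNOWN_MD5 = {
    "4d7796df39daf235028919533ea7e73b": "seen on ViCheck/ThreatExpert, not detected by avast at post time",
    "dc1297306c88b89fd79f121b1bc5bb22": "detected by avast as Win32:Downloader-HXU",
}


def hash_bytes_stream(chunks):
    """Return md5/sha1/sha256 hex digests over an iterable of byte chunks (streams large samples)."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    for chunk in chunks:
        for h in digests.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in digests.items()}


def hash_file(path, chunk_size=1 << 20):
    """Hash a file from disk without loading it into memory at once."""
    with open(path, "rb") as f:
        return hash_bytes_stream(iter(lambda: f.read(chunk_size), b""))


def lookup_queries(hashes):
    """URLs to consult by hand; the ThreatExpert form is the one quoted in the post."""
    md5 = hashes["md5"]
    return {
        "threatexpert": f"http://www.threatexpert.com/report.aspx?md5={md5}",
        "google": f"https://www.google.com/search?q={quote_plus(md5)}",
    }


def triage(chunks, known=KNOWN_MD5):
    """Hash a sample and report whether it was already seen plus where to look it up."""
    hashes = hash_bytes_stream(chunks)
    return {
        "hashes": hashes,
        "known_verdict": known.get(hashes["md5"]),  # None means: not in the local notes yet
        "queries": lookup_queries(hashes),
    }


if __name__ == "__main__":
    # Constructed sample bytes stand in for a downloaded file.
    report = triage([b"MZ", b"constructed sample, not real malware"])
    print(report["hashes"]["md5"], report["known_verdict"] or "new to us")
    for name, url in report["queries"].items():
        print(f"  {name}: {url}")
```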
Title: Re: Malware fixes and work-arounds!
Post by: DavidR on June 18, 2011, 05:23:44 PM
The Firefox add-in is from March 2010 and doesn't appear to install/work with Firefox 4.0.1, so I guess the same would be true with FF5 when released soon.
Title: Re: Malware fixes and work-arounds!
Post by: polonus on June 18, 2011, 09:45:40 PM
Hi DavidR,

Thanks for pointing this out; I have been using Google Chrome lately, so I'm not aware of the Fx add-on policy lately. We have to fall back to Google or check against other sources,

polonus
Title: Re: Malware fixes and work-arounds!
Post by: polonus on June 28, 2011, 09:16:24 PM
Hi forum friends,

A malware remover may ask you to use "Defogger" in the cleansing routine of rogue.agent/gen.nullo for instance (recently back);
this as an initial part of such a cleansing routine.

What is this all about?
The tool is to temporarily stop the legitimate drivers used by CD Emulators,
so they cannot interfere with investigative tools we use to detect the real baddies.

This tool by jpshortstuff can be downloaded here http://www.jpshortstuff.247fixes.com/Defogger.exe
So save it to your desktop.
Now double click on Defogger to run this tool.
With Vista and on W7 you need to run it with full administrative rights.
Now the application window will appear.
Click the Disable button to disable your CD Emulation drivers.
Click Yes to continue.
A 'Finished!' message will appear.
Click OK...Defogger will now ask to reboot the machine...click OK.
If not, reboot manually. Do not re-enable these drivers until instructed or your system has been fully cleansed.
N.B. If you receive an error message while running Defogger, please post the log defogger_disable which will appear on your desktop.

When re-enabling the drivers with Defogger, you might have to delete and re-install Defogger again to perform the re-enabling. This could happen in some cases.

The application window will appear.
You click the Re-enable button to re-enable your CD Emulation drivers.
Then click Yes to continue.
A 'Finished!' message will appear.
Now click OK
Defogger will now ask to reboot the machine, click OK,

That is all, if asked you now know what this is all about,

polonus
Title: Re: Malware fixes and work-arounds!
Post by: polonus on June 30, 2011, 01:32:16 AM
Hi forum friends,

For those who use the NotScript extension in Google Chrome,
https://chrome.google.com/webstore/detail/odjhifogjcknibkahlpidmdajjpkkcfn
Instructions for use in browser, can be found on the page of the developer here: http://optimalcycling.com/other-projects/notscripts/
it is advisable for additional protection also to install this following user.script from here:
http://userscripts.org/scripts/show/94123
It should stop all but the most sophisticated clickjacking attempts (i.e. 99.9% of them).
Author of this anti-clickjacking script is Michael Waddell,
Test page: http://www.planb-security.net/notclickjacking/iframe_madness.html
& http://evil.hackademix.net/frameopts/  

Enjoy and be more secure,

polonus
Title: Re: Malware fixes and work-arounds!
Post by: polonus on November 09, 2011, 03:29:02 PM
This free Python tool (a script aiding to find DuQu drivers) may find (almost) all of the DuQu drivers. The tool can be found here: https://github.com/halsten/Duqu-detectors [source: Mohamed Saher, analyst]

polonus
Title: Re: Malware fixes and work-arounds!
Post by: polonus on December 03, 2011, 04:12:31 PM
Well what could be a way to test extra large files is with this free file threat ranking scanner, downloadable from here (English version):
http://www.computer-support.nl/Software/AHC/Setup.exe
All about this free tool - summary and functionality can be read here: http://www.backgroundtask.eu/Applications/AHC1_Index.php
This for files that are larger than metascanners can handle..

Enjoy,

polonus
Title: Re: Malware fixes and work-arounds!
Post by: polonus on December 31, 2011, 01:51:17 AM
Hi you forum friends,

Some virus fighting utilities to be found on link given. Use only under supervision of a qualified removal expert here like essexboy, oldman, etc when they decide for these to be used. See: http://support.kaspersky.com/viruses/utility  link from kaspersky lab,

pol
Title: Re: Malware fixes and work-arounds!
Post by: polonus on January 14, 2012, 12:29:26 AM
How to eliminate Trojan-ransom using Kaspersky's Rector Decryptor:
Go to http://support.kaspersky.com/faq/?qid=208282275
link source from Kaspersky Support, this for instruction how to use and here is
the download link: http://support.kaspersky.com/downloads/utils/rectordecryptor.zip
Only use under the guidance of a qualified remover like essexboy or oldman here,

polonus
Title: Re: Malware fixes and work-arounds!
Post by: polonus on January 20, 2012, 06:25:06 PM
Security extension to be used in the Google Chrome browser: http://userscripts.org/scripts/show/22955
Extension detects frameworks, XSS proxy, XSS shell, Attack-API and BeEF, exploitation, has detection for image.gif, txt/javascript, data txt/html, local file protocol exploitation, wide protocol based and was thoroughly tested, for web developers and with a browser-independent Greasemonkey install, detects things that never get detected at webserver-level FW, detects web-client-run web trojan and backdoor abuse. In short, nice; I have this extension in the Google Chrome browser. Only thing is you must have the expertise to evaluate the findings yourself. So it is not just for everyone. Or install and use it and ask about alerts here on the forum,

polonus
Title: Re: Malware fixes and work-arounds!
Post by: andy222 on February 27, 2012, 10:42:57 AM
Facts to better write your malware-fix

Identification of malware

When you start getting involved in malware fighting, recognizing certain infections is hard. Every infection has specific characteristics. There are sites where you can find descriptions of various infections.

....



Hello, when Avast! blacklist a site (which is the case of mine http://www.lapasserelle.com and I lose a lot of revenues...) why don't you explain why?

Regards,

Andy
Title: Re: Malware fixes and work-arounds!
Post by: Pondus on March 28, 2012, 10:13:05 PM
Facts to better write your malware-fix

Identification of malware

When you start getting involved in malware fighting, recognizing certain infections is hard. Every infection has specific characteristics. There are sites where you can find descriptions of various infections.

....

URLVoid - http://www.urlvoid.com/scan/lapasserelle.com/



Hello, when Avast! blacklist a site (which is the case of mine http://www.lapasserelle.com and I lose a lot of revenues...) why don't you explain why?

Regards,

Andy