Solved

Need to clean WinAntiVirus from Win XP PC

Posted on 2006-07-17
Last Modified: 2016-08-29
I am trying to clean a Win XP SP2 PC where IE appears to be hijacked.  Intermittently the home page is redirected to count2.exitexchange.com and there is a popup trying to get you to 'Download WinAntiVirus FREE now!'.  Does anyone know of a specific removal tool for this?  Thank you.
Question by:marathonman330
22 Comments
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 500 total points
1. You could try VundoFix, but letting us look at your hijackthis log first would be best so we'll know for sure what kind of malware is hijacking your homepage.

Please download VundoFix.exe to your desktop.
http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to run it.
Put a check next to "Run VundoFix as a task".
You will receive a message saying vundofix will close and re-open in a minute or less.
Click OK
When VundoFix re-opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.

2. Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything yet.

Then go to the below link and login using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.


OR: paste the log to either of these sites:
1. http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here.

2. or at --> http://www.hijackthis.de/
and click "Analyse", click "Save".  Then post the link to the saved list here.
LVL 47

Expert Comment

by:rpggamergirl
Normally, AboutBuster would fix the usual homepage hijacker, but looking at your hijackthis log would be the best option to do first just to be sure.

Please download About:Buster 6.0.
http://www.malwarebytes.org/AboutBuster.zip

Then unzip all files from the zip folder to a folder or your desktop. Start it by double-clicking on the "aboutbuster.exe" icon and then click on the "Update" button to check for new updates. If any updates exist, please install them.

Exit AboutBuster and reboot into safe mode.
Once in safe mode double-click on the "aboutbuster.exe" icon again and click on the "Begin Removal" button. When it has finished scanning you will see a message stating that the Scan Completed and you should press OK. When the next information window opens press the Exit button. Then finally press the OK button again when it tells you a log has been saved.

Author Comment

by:marathonman330
LVL 47

Expert Comment

by:rpggamergirl
Yes, Vundo infection is showing in your log as well as Zango Toolbar, Hijackthis won't be able to remove vundo entries while vundo files are still active.

1. Please download VundoFix.exe to your desktop.
http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to run it.
Put a check next to "Run VundoFix as a task".
You will receive a message saying vundofix will close and re-open in a minute or less.
Click OK
When VundoFix re-opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.


Then:
2. Download and unzip BFU.zip
http://www.merijn.org/files/bfu.zip
Run the program and click the Web button
Use the URL below to copy into the address bar of the Download script window:
http://metallica.geekstogo.com/MediaGateway.BFU

Make sure all IE windows are closed.

Execute the script by clicking the "Execute" button.

3. After you've run those 2 tools, run another scan with hijackthis and let us see a new link to your fresh hijackthis log.
Let us know if you're having trouble running vundofix.

Author Comment

by:marathonman330
I uploaded a fresh hijackthis logfile.

IE is still being redirected to that site.  Also, most of the time when I launch IE, Internet Properties comes up.  I need to keep cancelling that until the browser opens.
LVL 47

Expert Comment

by:rpggamergirl
Can you please post the vundo txt?
I just want to check whether it took care of the vundo file or not. There is another file that needs to be killed too.


These are all the bad entries in your log from your original link.
You can put a check next to these entries and click the "Fix Checked" button:
O2 - BHO: (no name) - {68622693-36e2-452f-87e9-b8edb4d8e1cc} - C:\WINDOWS\system32\cicaze.dll
O2 - BHO: ADOUsefulNet Object - {DB5B9C14-BC53-4AF9-A6BF-42CAE9A3BD81} - C:\WINDOWS\system32\vtstt.dll
O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O20 - Winlogon Notify: cicaze - C:\WINDOWS\SYSTEM32\cicaze.dll
O20 - Winlogon Notify: vtstt - C:\WINDOWS\system32\vtstt.dll

Author Comment

by:marathonman330
Vundo.txt has been uploaded.  Thank you.
LVL 47

Expert Comment

by:rpggamergirl
Can you please run vundofix again?
Double-click VundoFix.exe to launch it.
After VundoFix loads right-click inside the listbox (white box)

Click on the option to "Add More Files?"

Copy/paste the following, one to each box:
C:\WINDOWS\system32\vtstt.dll

Click "Add File(s)"

Finally, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

If this does not work, then we just kill that file with another tool.
Did you run Mediagateway.bfu yet?

Author Comment

by:marathonman330
I uploaded the latest Hijack This logfile.

I ran vundofix again but it did not find vtstt.dll.  I also could not find it manually.

I did earlier run mediagateway.bfu.

IE is still being redirected to:

http://62.4.84.53/trafc-2/rfe.php?nid=dw&cmp=mygeek_17&q=home&uid=E5F01630AF9311DA9AF3000B6AC2AAE3&guid=475a7eeb+AD715A3AE7944151902BEE061C23A7A2&lid=http:%2F%2Fad.doubleclick.net%2Fadi%2Fnba.dart%2Fhomepage;pos=5;dcopt=ist;sz=180x150;tile=5;;ord=1153188209062%3F
LVL 47

Expert Comment

by:rpggamergirl
Sorry, I can't access that page, it says "page not found".

Did you run vundofix and add this dll --> C:\WINDOWS\system32\vtstt.dll
and was it deleted? If not, then we can just delete it manually using Avenger.
LVL 47

Expert Comment

by:rpggamergirl
Oops, sorry, I just saw your post about vundo not being able to find it... okay, let's use Avenger.
BRB
Author Comment

by:marathonman330
I added that file but it said it was not found.  There were no other files found.  The Remove Vundo button had nothing to clean.  I also went into system32 but could not find that file.  Thank you.

Author Comment

by:marathonman330
Where do I get Avenger?

Should I fix the following in hijack this?

O2 - BHO: ADOUsefulNet Object - {DB5B9C14-BC53-4AF9-A6BF-42CAE9A3BD81} - C:\WINDOWS\system32\vtstt.dll
O20 - Winlogon Notify: vtstt - C:\WINDOWS\system32\vtstt.dll

Thank you for all your help.
LVL 47

Expert Comment

by:rpggamergirl
The entry is still showing in your Hijackthis log; if Avenger cannot find it, then I would believe it does not exist and that it's only the registry entry left.

1. Please download The Avenger by Swandog46 to your Desktop.
http://swandog46.geekstogo.com/avenger.zip

   *Click on Avenger.zip to open the file
   *Extract avenger.exe to your desktop

2. Copy all the text contained between the lines below to your Clipboard by highlighting it and pressing (Ctrl+C):
----------------------------------------------------------------------------------------------------------------

Files to delete:
C:\WINDOWS\system32\vtstt.dll

Registry keys to delete:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vtstt

----------------------------------------------------------------------------------------------------------------

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
    *Under "Script file to execute" choose "Input Script Manually".
    *Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    *Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    *Click Done
    *Now click on the Green Light to begin execution of the script
    *Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:
    *It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    *On reboot, it will briefly open a black command window on your desktop, this is normal.
    *After the restart, it creates a log file that should open with the results of Avenger’s actions. This logfile will be located at C:\avenger.txt
    *The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please post the content of c:\avenger.txt
LVL 47

Expert Comment

by:rpggamergirl
It is also safe to fix those R entries; just leave your startpage entry, don't fix it.

Did you install SideStep on purpose? If not, please remove the relevant entry as well.

O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\Downloaded Program Files\SbCIe02b.dll
O2 - BHO: ADOUsefulNet Object - {DB5B9C14-BC53-4AF9-A6BF-42CAE9A3BD81} - C:\WINDOWS\system32\vtstt.dll
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe02b.dll
O20 - Winlogon Notify: vtstt - C:\WINDOWS\system32\vtstt.dll



Start > Run > type

regsvr32 /u occache.dll

Click OK
Manually delete this file --> C:\WINDOWS\Downloaded Program Files\SbCIe02b.dll

When you finish go back to:
Click Start > Run
Paste in this command

regsvr32 occache.dll

And Click OK

Author Comment

by:marathonman330
I ran Avenger and posted avenger.txt.  I also posted the latest hijack this logfile.  Should I do anything about -

O2 - BHO: ADOUsefulNet Object - {DB5B9C14-BC53-4AF9-A6BF-42CAE9A3BD81} - C:\WINDOWS\system32\vtstt.dll (file missing)

I have opened IE several times now and it seems to be working fine.  Hopefully it is now taken care of.  Thank you.
LVL 47

Expert Comment

by:rpggamergirl
Yeah, fix this too, I missed that, sorry.
O2 - BHO: ADOUsefulNet Object - {DB5B9C14-BC53-4AF9-A6BF-42CAE9A3BD81} - C:\WINDOWS\system32\vtstt.dll (file missing)

I'll check EE stuff now.
LVL 47

Expert Comment

by:rpggamergirl
Great! Avenger took care of the file and the reg entry. So vundo is well and truly gone.

SideStep is also considered malware. To delete the file you need to unregister occache.dll first so you can see everything in the DPF folder, because by default Explorer will not show everything in that folder; Explorer only shows ActiveX plugins etc. That's why that's a good folder for malware writers to put their installers in. :)


O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\Downloaded Program Files\SbCIe02b.dll
O2 - BHO: ADOUsefulNet Object - {DB5B9C14-BC53-4AF9-A6BF-42CAE9A3BD81} - C:\WINDOWS\system32\vtstt.dll (file missing)
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe02b.dll
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb02b.cab
LVL 10

Expert Comment

by:Chris_Gralike
Just run this tool once if you don't have a domain to force policies towards your client ;)

http://www.majorgeeks.com/Brute_Force_Uninstaller_BFU_d4714.html

regards,

Author Comment

by:marathonman330
rpggamergirl,

The PC is clean.  Thank you for all your help.  May I ask what resources you use to determine which HijackThis entries to fix?
LVL 47

Expert Comment

by:rpggamergirl
>>The PC is clean.  Thank you for all your help.  May I ask what resources you use to determine which HijackThis entries to fix?<<

That's great! and you're welcome, glad I could help.
I've been reading HJT logs for a year, so now it's easy for me to spot any bad entries and the specific malware infections they point to, then use the right tool for it.
Credits go to malware Experts who taught me to interpret hijackthis entries.

These entries below tell us that it was a vundo infection, but somehow vundofix couldn't find the other set of vundo files, and that's where Avenger came in; Avenger always finds a file if it's in the system.
O2 - BHO: ADOUsefulNet Object - {DB5B9C14-BC53-4AF9-A6BF-42CAE9A3BD81} - C:\WINDOWS\system32\vtstt.dll
O2 - BHO: (no name) - {68622693-36e2-452f-87e9-b8edb4d8e1cc} - C:\WINDOWS\system32\cicaze.dll
O20 - Winlogon Notify: cicaze - C:\WINDOWS\SYSTEM32\cicaze.dll
O20 - Winlogon Notify: vtstt - C:\WINDOWS\system32\vtstt.dll


Thanks for the points and the A grade! :)
LVL 47

Expert Comment

by:rpggamergirl
If you look in your system32 folder, it's very likely that you'll find the backward names of "vtstt.dll" with different extensions like .bak, .tmp, .ini
Using vundofix would delete the backward files as well, but since we used Avenger those leftover backward files would still be there (don't worry, they are harmless); they will be removed by your other scanners sooner or later.

Those reversed-name files would be something like these (not all of them would be present, only some):
C:\WINDOWS\system32\ttsvt.bak
C:\WINDOWS\system32\ttsvt.bak1
C:\WINDOWS\system32\ttsvt.tmp
C:\WINDOWS\system32\ttsvt.tmp1
C:\WINDOWS\system32\ttsvt.tmp2
C:\WINDOWS\system32\ttsvt.ini
C:\WINDOWS\system32\ttsvt.ini2
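As an added example (not code from this thread, HijackThis or VundoFix), here is how the two checks rpggamergirl applies above look in Python: pairing O2 BHO entries with O20 Winlogon Notify entries that load the same DLL, and scanning a folder listing for files whose base name is that DLL's name spelled strictly backwards (vtstt -> ttstv). The log lines are the ones quoted in the thread; the system32 listing is constructed.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the HijackThis entries quoted earlier in this thread.
HJT_LOG = r"""
O2 - BHO: (no name) - {68622693-36e2-452f-87e9-b8edb4d8e1cc} - C:\WINDOWS\system32\cicaze.dll
O2 - BHO: ADOUsefulNet Object - {DB5B9C14-BC53-4AF9-A6BF-42CAE9A3BD81} - C:\WINDOWS\system32\vtstt.dll
O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O20 - Winlogon Notify: cicaze - C:\WINDOWS\SYSTEM32\cicaze.dll
O20 - Winlogon Notify: vtstt - C:\WINDOWS\system32\vtstt.dll
"""

# Constructed system32 listing: benign files, the live DLL, and the
# reversed-name leftovers (ttstv.*) of the kind the expert describes.
SYSTEM32_LISTING = ["kernel32.dll", "vtstt.dll", "ttstv.bak", "ttstv.ini2",
                    "ttstv.tmp", "ntoskrnl.exe", "cicaze.dll"]

# A Windows path ending in .dll/.exe; lazy match keeps spaces inside the path.
WIN_PATH = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe)(?=\s|$)", re.IGNORECASE)


def parse_hjt(log):
    """Return (section, path) per HijackThis line; path is None for lines
    that reference no file path (like the O4 entry above)."""
    entries = []
    for line in log.strip().splitlines():
        section = line.split(" - ", 1)[0]
        match = WIN_PATH.search(line)
        entries.append((section, match.group(0) if match else None))
    return entries


def paired_bho_notify(entries):
    """DLLs registered both as an IE BHO (O2) and as a Winlogon Notify handler
    (O20): the pairing the expert reads as a Vundo infection. Case-folded."""
    by_section = {}
    for section, path in entries:
        if path:
            by_section.setdefault(section, set()).add(path.lower())
    return sorted(by_section.get("O2", set()) & by_section.get("O20", set()))


def reversed_name_artifacts(dll_path, listing):
    """Files whose base name is the DLL's base name spelled backwards,
    with any extension other than .dll (the .bak/.tmp/.ini leftovers)."""
    target = PureWindowsPath(dll_path).stem.lower()[::-1]
    return sorted(name for name in listing
                  if PureWindowsPath(name).stem.lower() == target
                  and PureWindowsPath(name).suffix.lower() != ".dll")


if __name__ == "__main__":
    for dll in paired_bho_notify(parse_hjt(HJT_LOG)):
        print("BHO + Winlogon Notify:", dll)
        print("  reversed-name leftovers:", reversed_name_artifacts(dll, SYSTEM32_LISTING))
```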