Solved

Need to clean WinAntiVirus from Win XP PC

Posted on 2006-07-17
Last Modified: 2016-08-29
I am trying to clean a Win XP SP2 PC where IE appears to be hijacked.  Intermittently the home page is redirected to count2.exitexchange.com and there is a popup trying to get you to 'Download WinAntiVirus FREE now!'.  Does anyone know of a specific removal tool for this?  Thank you.
Question by:marathonman330
LVL 47

Accepted Solution

by:
rpggamergirl earned 500 total points
ID: 17126408
1. You could try VundoFix, but letting us look at your hijackthis log first would be best so we'll know for sure what kind of malware is hijacking your homepage.

Please download VundoFix.exe to your desktop.
http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to run it.
Put a check next to "Run VundoFix as a task".
You will receive a message saying vundofix will close and re-open in a minute or less.
Click OK
When VundoFix re-opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.

2. Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open HijackThis, click "Do a system scan and save a logfile"; don't fix anything yet.

Then go to the below link and login using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.


OR: paste the log to either of these sites:
1. http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here.

2. or at --> http://www.hijackthis.de/ 
and click "Analyse", click "Save".  Then post the link to the saved list here.
LVL 47

Expert Comment

by:rpggamergirl
ID: 17126421
Normally, AboutBuster would fix the usual homepage hijacker, but looking at your hijackthis log would be the best option to do first just to be sure.

Please download About:Buster 6.0.
http://www.malwarebytes.org/AboutBuster.zip

Then unzip all files from the zip folder to a folder or your desktop. Start it by double-clicking on the "aboutbuster.exe" icon and then click on the "Update" button to check for new updates. If any updates exist, please install them.

Exit AboutBuster and reboot into safe mode.
Once in safe mode double-click on the "aboutbuster.exe" icon again and click on the "Begin Removal" button. When it has finished scanning you will see a message stating that the Scan Completed and you should press OK. When the next information window opens press the Exit button. Then finally press the OK button again when it tells you a log has been saved.

Author Comment

by:marathonman330
ID: 17126546
LVL 47

Expert Comment

by:rpggamergirl
ID: 17126700
Yes, a Vundo infection is showing in your log, as well as Zango Toolbar. HijackThis won't be able to remove the Vundo entries while the Vundo files are still active.

1. Please download VundoFix.exe to your desktop.
http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to run it.
Put a check next to "Run VundoFix as a task".
You will receive a message saying vundofix will close and re-open in a minute or less.
Click OK
When VundoFix re-opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.


Then:
2. Download and unzip bfu.zip
http://www.merijn.org/files/bfu.zip
Run the program and click the Web button
Use the URL below to copy into the address bar of the Download script window:
http://metallica.geekstogo.com/MediaGateway.BFU

Make sure all IE windows are closed.

Execute the script by clicking the "Execute" button.

3. After you've run those 2 tools, run another scan with hijackthis and let us see a new link to your fresh hijackthis log.
Let us know if you're having trouble running vundofix.

Author Comment

by:marathonman330
ID: 17126882
I uploaded a fresh hijackthis logfile.

IE is still being redirected to that site.  Also, most of the time when I launch IE, Internet Properties comes up.  I need to keep cancelling that until the browser opens.
LVL 47

Expert Comment

by:rpggamergirl
ID: 17126904
Can you please post the vundo txt?
I just want to check whether it took care of the vundo file or not. There is another file that needs to be killed too.


These are all the bad entries in your log from your original link.
You can put a check next to these entries and click the "Fix Checked" button:
O2 - BHO: (no name) - {68622693-36e2-452f-87e9-b8edb4d8e1cc} - C:\WINDOWS\system32\cicaze.dll
O2 - BHO: ADOUsefulNet Object - {DB5B9C14-BC53-4AF9-A6BF-42CAE9A3BD81} - C:\WINDOWS\system32\vtstt.dll
O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O20 - Winlogon Notify: cicaze - C:\WINDOWS\SYSTEM32\cicaze.dll
O20 - Winlogon Notify: vtstt - C:\WINDOWS\system32\vtstt.dll

Author Comment

by:marathonman330
ID: 17126924
Vundo.txt has been uploaded.  Thank you.
LVL 47

Expert Comment

by:rpggamergirl
ID: 17126971
Can you please run vundofix again?
Double-click VundoFix.exe to launch it.
After VundoFix loads, right-click inside the listbox (white box).

Click on the option to "Add More Files?"

Copy/paste the following, one to each box:
C:\WINDOWS\system32\vtstt.dll

Click "Add File(s)"

Finally, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

If this does not work, then we just kill that file with another tool.
Did you run Mediagateway.bfu yet?

Author Comment

by:marathonman330
ID: 17127212
I uploaded the latest Hijack This logfile.

I ran vundofix again but it did not find vtstt.dll.  I also could not find it manually.

I did earlier run mediagateway.bfu.

IE is still being redirected to:

http://62.4.84.53/trafc-2/rfe.php?nid=dw&cmp=mygeek_17&q=home&uid=E5F01630AF9311DA9AF3000B6AC2AAE3&guid=475a7eeb+AD715A3AE7944151902BEE061C23A7A2&lid=http:%2F%2Fad.doubleclick.net%2Fadi%2Fnba.dart%2Fhomepage;pos=5;dcopt=ist;sz=180x150;tile=5;;ord=1153188209062%3F
LVL 47

Expert Comment

by:rpggamergirl
ID: 17127275
Sorry, I can't access that page; it says "not found page".

Did you run VundoFix and add this dll --> C:\WINDOWS\system32\vtstt.dll
and was it deleted? If not, then we can just delete it manually using Avenger.
LVL 47

Expert Comment

by:rpggamergirl
ID: 17127296
Oops, sorry, I just saw your post about VundoFix not being able to find it... okay, let's use Avenger.
BRB

Author Comment

by:marathonman330
ID: 17127308
I added that file but it said it was not found.  There were no other files found.  The Remove Vundo button had nothing to clean.  I also went into system32 but could not find that file.  Thank you.

Author Comment

by:marathonman330
ID: 17127337
Where do I get Avenger?

Should I fix the following in hijack this?

O2 - BHO: ADOUsefulNet Object - {DB5B9C14-BC53-4AF9-A6BF-42CAE9A3BD81} - C:\WINDOWS\system32\vtstt.dll
O20 - Winlogon Notify: vtstt - C:\WINDOWS\system32\vtstt.dll

Thank you for all your help.
LVL 47

Expert Comment

by:rpggamergirl
ID: 17127340
The entry is still showing in your HijackThis log. If Avenger cannot find it, then I would believe it does not exist and that only the registry entry is left.

1. Please download The Avenger by Swandog46 to your Desktop.
http://swandog46.geekstogo.com/avenger.zip

   *Click on Avenger.zip to open the file
   *Extract avenger.exe to your desktop

2. Copy all the text contained between the lines below to your Clipboard by highlighting it and pressing (Ctrl+C):
----------------------------------------------------------------------------------------------------------------

Files to delete:
C:\WINDOWS\system32\vtstt.dll

Registry keys to delete:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vtstt

----------------------------------------------------------------------------------------------------------------

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
    *Under "Script file to execute" choose "Input Script Manually".
    *Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    *Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    *Click Done
    *Now click on the Green Light to begin execution of the script
    *Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:
    *It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    *On reboot, it will briefly open a black command window on your desktop, this is normal.
    *After the restart, it creates a log file that should open with the results of Avenger’s actions. This logfile will be located at C:\avenger.txt
    *The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please post the content of c:\avenger.txt
LVL 47

Expert Comment

by:rpggamergirl
ID: 17127407
It is also safe to fix those R entries; just leave your start page alone, don't fix it.

Did you install SideStep on purpose? If not, please remove the relevant entry as well.

O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\Downloaded Program Files\SbCIe02b.dll
O2 - BHO: ADOUsefulNet Object - {DB5B9C14-BC53-4AF9-A6BF-42CAE9A3BD81} - C:\WINDOWS\system32\vtstt.dll
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe02b.dll
O20 - Winlogon Notify: vtstt - C:\WINDOWS\system32\vtstt.dll



Start > Run > type

regsvr32 /u occache.dll

Click OK
Manually delete this file --> C:\WINDOWS\Downloaded Program Files\SbCIe02b.dll

When you finish go back to:
Click Start > Run
Paste in this command

regsvr32 occache.dll

And Click OK

Author Comment

by:marathonman330
ID: 17127440
I ran Avenger and posted avenger.txt.  I also posted the latest hijack this logfile.  Should I do anything about -

O2 - BHO: ADOUsefulNet Object - {DB5B9C14-BC53-4AF9-A6BF-42CAE9A3BD81} - C:\WINDOWS\system32\vtstt.dll (file missing)

I have opened IE several times now and it seems to be working fine.  Hopefully it is now taken care of.  Thank you.
LVL 47

Expert Comment

by:rpggamergirl
ID: 17127496
Yeah, fix this too, I missed that, sorry.
O2 - BHO: ADOUsefulNet Object - {DB5B9C14-BC53-4AF9-A6BF-42CAE9A3BD81} - C:\WINDOWS\system32\vtstt.dll (file missing)

I'll check EE stuff now.
LVL 47

Expert Comment

by:rpggamergirl
ID: 17127528
Great! Avenger took care of the file and the reg entry. So vundo is well and truly gone.

SideStep is also considered malware. To delete the file you need to unregister occache.dll first so you can see everything in the DPF folder, because by default Explorer will not show everything in that folder; Explorer only shows ActiveX plugins etc. That's why that's a good folder for malware writers to put their installers in. :)


O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\Downloaded Program Files\SbCIe02b.dll
O2 - BHO: ADOUsefulNet Object - {DB5B9C14-BC53-4AF9-A6BF-42CAE9A3BD81} - C:\WINDOWS\system32\vtstt.dll (file missing)
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe02b.dll
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb02b.cab
LVL 10

Expert Comment

by:Chris_Gralike
ID: 17128877
Just run this tool once if you don't have a domain to force policies towards your client ;)

http://www.majorgeeks.com/Brute_Force_Uninstaller_BFU_d4714.html

regards,

Author Comment

by:marathonman330
ID: 17139502
rpggamergirl,

The PC is clean.  Thank you for all your help.  May I ask what resources you use to determine what hijack this entries to fix?
LVL 47

Expert Comment

by:rpggamergirl
ID: 17142817
>>The PC is clean.  Thank you for all your help.  May I ask what resources you use to determine what hijack this entries to fix?<<

That's great! And you're welcome, glad I could help.
I've been reading HJT logs for a year, so now it's easy for me to spot any bad entries and the specific malware infections they point to, then use the right tool for it.
Credits go to malware Experts who taught me to interpret hijackthis entries.

These entries below tell us that it was a Vundo infection, but somehow VundoFix couldn't find the other set of Vundo files, and that's where Avenger came in. Avenger always finds a file if it's in the system.
O2 - BHO: ADOUsefulNet Object - {DB5B9C14-BC53-4AF9-A6BF-42CAE9A3BD81} - C:\WINDOWS\system32\vtstt.dll
O2 - BHO: (no name) - {68622693-36e2-452f-87e9-b8edb4d8e1cc} - C:\WINDOWS\system32\cicaze.dll
O20 - Winlogon Notify: cicaze - C:\WINDOWS\SYSTEM32\cicaze.dll
O20 - Winlogon Notify: vtstt - C:\WINDOWS\system32\vtstt.dll


Thanks for the points and the A grade! :)
LVL 47

Expert Comment

by:rpggamergirl
ID: 17142866
If you look in your system32 folder, it's very likely that you'll find the backward names of "vtstt.dll" with different extensions like .bak, .tmp, .ini.
Using VundoFix would delete the backward files as well, but since we used Avenger those leftover backward files would still be there (don't worry, they are harmless); they will be removed by your other scanners sooner or later.

Those reversed-name files would be something like these (not all of those would be present, only some):
C:\WINDOWS\system32\ttsvt.bak
C:\WINDOWS\system32\ttsvt.bak1
C:\WINDOWS\system32\ttsvt.tmp
C:\WINDOWS\system32\ttsvt.tmp1
C:\WINDOWS\system32\ttsvt.tmp2
C:\WINDOWS\system32\ttsvt.ini
C:\WINDOWS\system32\ttsvt.ini2
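An added example, not from this thread or from any of the tools named in it: the log reading the expert describes in the last two comments, done in Python over lines constructed from the HijackThis entries quoted above. It pairs O2 BHO and O20 Winlogon Notify entries that load the same DLL (the pattern rpggamergirl used to call this Vundo), separates "(file missing)" orphans where only the registry entry is left to fix, and lists reversed-name leftover candidates. The reversal is computed literally, so vtstt yields ttstv rather than the ttsvt spelled in the comment.

```python
import ntpath
import re

# Constructed sample: the entries quoted earlier in this thread, one per line.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {68622693-36e2-452f-87e9-b8edb4d8e1cc} - C:\\WINDOWS\\system32\\cicaze.dll
O2 - BHO: ADOUsefulNet Object - {DB5B9C14-BC53-4AF9-A6BF-42CAE9A3BD81} - C:\\WINDOWS\\system32\\vtstt.dll
O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - C:\\Program Files\\Zango Programs\\Zango Toolbar\\ZangoTB.dll
O4 - HKLM\\..\\Run: [Alcmtr] ALCMTR.EXE
O20 - Winlogon Notify: cicaze - C:\\WINDOWS\\SYSTEM32\\cicaze.dll
O20 - Winlogon Notify: vtstt - C:\\WINDOWS\\system32\\vtstt.dll
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.+)$")
MISSING = "(file missing)"
PATH_SECTIONS = ("O2", "O3", "O9", "O20")  # sections whose line ends in " - <path>"

def parse_entries(log_text):
    """Return one dict per HijackThis line: section, referenced path, file-missing flag."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, rest = m.groups()
        missing = rest.endswith(MISSING)
        if missing:
            rest = rest[: -len(MISSING)].rstrip()
        path = rest.rsplit(" - ", 1)[-1] if section in PATH_SECTIONS else rest
        entries.append({"section": section, "path": path, "missing": missing})
    return entries

def vundo_pairs(entries):
    """DLL names loaded both as a BHO (O2) and as a Winlogon Notify handler (O20),
    the pairing the expert used to recognise Vundo in this log."""
    names = {}
    for e in entries:
        names.setdefault(e["section"], set()).add(ntpath.basename(e["path"]).lower())
    return sorted(names.get("O2", set()) & names.get("O20", set()))

def orphaned(entries):
    """Paths HijackThis tags '(file missing)': only the registry reference remains."""
    return [e["path"] for e in entries if e["missing"]]

def reversed_leftovers(dll_name, exts=("bak", "tmp", "ini"), suffixes=("", "1", "2")):
    """Candidate leftover files: the DLL stem spelled backwards plus the extensions
    listed in the thread. The reversal is literal, so vtstt.dll yields ttstv.*."""
    stem = dll_name.rsplit(".", 1)[0][::-1]
    return [f"{stem}.{ext}{s}" for ext in exts for s in suffixes]
```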