• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 842
  • Last Modified:

Need to clean WinAntiVirus from Win XP PC

I am trying to clean a Win XP SP2 PC where IE appears to be hijacked.  Intermittently the home page is redirected to count2.exitexchange.com and there is a popup trying to get you to 'Download WinAntiVirus FREE now!'.  Does anyone know of a specific removal tool for this?  Thank you.
0
marathonman330
Asked:
marathonman330
  • 13
  • 8
1 Solution
 
rpggamergirlCommented:
1. You could try VundoFix, but letting us look at your hijackthis log first would be best so we'll know for sure what kind of malware is hijacking your homepage.

Please download VundoFix.exe to your desktop.
http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to run it.
Put a check next to "Run VundoFix as a task".
You will receive a message saying vundofix will close and re-open in a minute or less.
Click OK
When VundoFix re-opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.

2. Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything yet.

Then go to the below link and login using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.


OR: paste the log to either of these sites:
1. http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here.

2. or at --> http://www.hijackthis.de/ 
and click "Analyse", click "Save".  Then post the link to the saved list here.
0
 
rpggamergirlCommented:
Normally, AboutBuster would fix the usual homepage hijacker, but looking at your hijackthis log would be the best option to do first just to be sure.

Please download About:Buster 6.0.
http://www.malwarebytes.org/AboutBuster.zip

Then unzip all files from the zip folder to a folder or your desktop. Start it by double-clicking on the "aboutbuster.exe" icon and then click on the "Update" button to check for new updates. If any updates exist, please install them.

Exit AboutBuster and reboot into safe mode.
Once in safe mode double-click on the "aboutbuster.exe" icon again and click on the "Begin Removal" button. When it has finished scanning you will see a message stating that the Scan Completed and you should press OK. When the next information window opens press the Exit button. Then finally press the OK button again when it tells you a log has been saved.
0
What Security Threats Are We Predicting for 2018?

Cryptocurrency, IoT botnets, MFA, and more! Hackers are already planning their next big attacks for 2018. Learn what you might face, and how to defend against it with our 2018 security predictions.

 
rpggamergirlCommented:
Yes, Vundo infection is showing in your log as well as Zango Toolbar, Hijackthis won't be able to remove vundo entries while vundo files are still active.

1. Please download VundoFix.exe to your desktop.
http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to run it.
Put a check next to "Run VundoFix as a task".
You will receive a message saying vundofix will close and re-open in a minute or less.
Click OK
When VundoFix re-opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.


Then;
2. Download and unzip BFUzip
http://www.merijn.org/files/bfu.zip
Run the program and click the Web button
Use the URL below to copy into the address bar of the Download script window:
http://metallica.geekstogo.com/MediaGateway.BFU

Make sure all IE windows are closed.

Execute the script by clicking the "Execute" button.

3. After you've run those 2 tools, run another scan with hijackthis and let us see a new link to your fresh hijackthis log.
Let us know if you're having trouble running vundofix.
0
 
marathonman330Author Commented:
I uploaded a fresh hijackthis logfile.

IE is still being redirected to that site.  Also, most of the time when I launch IE, Internet Properties comes up.  I need to keep cancelling that until the browser opens.
0
 
rpggamergirlCommented:
can you please post the vundo txt?
I just want to check whether it took care of the vundo file or didn't. There is another file that needs to be killed too.


these are all the bad entries in your log from your original link.
You can put a check next these entries and click "Fix Checked" button:
O2 - BHO: (no name) - {68622693-36e2-452f-87e9-b8edb4d8e1cc} - C:\WINDOWS\system32\cicaze.dll
O2 - BHO: ADOUsefulNet Object - {DB5B9C14-BC53-4AF9-A6BF-42CAE9A3BD81} - C:\WINDOWS\system32\vtstt.dll
O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O20 - Winlogon Notify: cicaze - C:\WINDOWS\SYSTEM32\cicaze.dll
O20 - Winlogon Notify: vtstt - C:\WINDOWS\system32\vtstt.dll
0
 
marathonman330Author Commented:
Vundo.txt has been uploaded.  Thank you.
0
 
rpggamergirlCommented:
Can you please run vundofix again?
Double-click VundoFix.exe to launch it.
After VundoFix loads right-click inside the listbox (white box)

Click on the option to "Add More Files?"

Copy/paste the following, one to each box:
C:\WINDOWS\system32\vtstt.dll

Click "Add File(s)"

Finally, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

If this does not work, then we just kill that file with another tool.
Did you run Mediagateway.bfu yet?
0
 
marathonman330Author Commented:
I uploaded the latest Hijack This logfile.

I ran vundofix again but it did not find vtstt.dll.  I also could not find it manually.

I did earlier run mediagateway.bfu.

IE is still being redirected to:

http://62.4.84.53/trafc-2/rfe.php?nid=dw&cmp=mygeek_17&q=home&uid=E5F01630AF9311DA9AF3000B6AC2AAE3&guid=475a7eeb+AD715A3AE7944151902BEE061C23A7A2&lid=http:%2F%2Fad.doubleclick.net%2Fadi%2Fnba.dart%2Fhomepage;pos=5;dcopt=ist;sz=180x150;tile=5;;ord=1153188209062%3F
0
 
rpggamergirlCommented:
Sorry I can't access that page, it says a "not found page"

Did you run vundofix and added this dll --> C:\WINDOWS\system32\vtstt.dll
and was it deleted? if not then we can just delete it manually using Avenger.
0
 
rpggamergirlCommented:
oops sorry, I just saw your post about vundo not being able to find it... okay let's use avenger.  
BRB
0
 
marathonman330Author Commented:
I added that file but it said it was not found.  There were no other files found.  The Remove Vundo button had nothing to clean.  I also went into system32 but could not find that file.  Thank you.
0
 
marathonman330Author Commented:
Where do I get Avenger?

Should I fix the following in hijack this?

O2 - BHO: ADOUsefulNet Object - {DB5B9C14-BC53-4AF9-A6BF-42CAE9A3BD81} - C:\WINDOWS\system32\vtstt.dll
O20 - Winlogon Notify: vtstt - C:\WINDOWS\system32\vtstt.dll

Thank you for all your help?
0
 
rpggamergirlCommented:
the entry is still showing in your Hijackthis log, if Avenger can not find it then I would believe it does not exist and that it's only the registry entry left.

1. Please download The Avenger by Swandog46 to your Desktop.
http://swandog46.geekstogo.com/avenger.zip

   *Click on Avenger.zip to open the file
   *Extract avenger.exe to your desktop

2. Copy all the text contained between the lines below to your Clipboard by highlighting it and pressing (Ctrl+C):
----------------------------------------------------------------------------------------------------------------

Files to delete:
C:\WINDOWS\system32\vtstt.dll

Registry keys to delete:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vtstt

----------------------------------------------------------------------------------------------------------------

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
    *Under "Script file to execute" choose "Input Script Manually".
    *Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    *Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    *Click Done
    *Now click on the Green Light to begin execution of the script
    *Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:
    *It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    *On reboot, it will briefly open a black command window on your desktop, this is normal.
    *After the restart, it creates a log file that should open with the results of Avenger’s actions. This logfile will be located at C:\avenger.txt
    *The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please post the content of c:\avenger.txt
0
 
rpggamergirlCommented:
It is also safe to fix those R's entries and just leave your startpage don't fix it.

Did you insall SideStep on purpose? If not please remove the relevant entry as well.

O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\Downloaded Program Files\SbCIe02b.dll
O2 - BHO: ADOUsefulNet Object - {DB5B9C14-BC53-4AF9-A6BF-42CAE9A3BD81} - C:\WINDOWS\system32\vtstt.dll
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe02b.dll
O20 - Winlogon Notify: vtstt - C:\WINDOWS\system32\vtstt.dll



Start > Run > type

regsvr32 /u occache.dll

Click OK
Manualy delete this file --> C:\WINDOWS\Downloaded Program Files\SbCIe02b.dll

When you finish go back to:
Click Start > Run
Paste in this command

regsvr32 occache.dll

And Click OK
0
 
marathonman330Author Commented:
I ran Avenger and posted avenger.txt.  I also posted the latest hijack this logfile.  Should I do anything about -

O2 - BHO: ADOUsefulNet Object - {DB5B9C14-BC53-4AF9-A6BF-42CAE9A3BD81} - C:\WINDOWS\system32\vtstt.dll (file missing)

I have opened IE several times now and it seems to be working fine.  Hopefully it is now taken care of.  Thank you.
0
 
rpggamergirlCommented:
Yeah fix this too, I missed that sorry.
O2 - BHO: ADOUsefulNet Object - {DB5B9C14-BC53-4AF9-A6BF-42CAE9A3BD81} - C:\WINDOWS\system32\vtstt.dll (file missing)

I'll check EE stuff now.
0
 
rpggamergirlCommented:
Great! Avenger took care of the file and the reg entry. So vundo is well and truly gone.

SideStep is also considered malware, to delete the file you need to unregiser the occache.dll first so you can see everything in the DPF folder because by default explorer will not show everything in that folder, explorer only shows activex plugins etc, that's why that's a good folder for malware writers to put their installers in, :)


O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\Downloaded Program Files\SbCIe02b.dll
O2 - BHO: ADOUsefulNet Object - {DB5B9C14-BC53-4AF9-A6BF-42CAE9A3BD81} - C:\WINDOWS\system32\vtstt.dll (file missing)
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe02b.dll
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb02b.cab
0
 
Chris GralikeSpecialistCommented:
Just run this tool once if you dont have a domain to force policies towards your client ;)

http://www.majorgeeks.com/Brute_Force_Uninstaller_BFU_d4714.html

regards,
0
 
marathonman330Author Commented:
rpggamergirl,

The PC is clean.  Thank you for all your help.  May I ask what resources you use to determine what hijack this entries to fix?
0
 
rpggamergirlCommented:
>>The PC is clean.  Thank you for all your help.  May I ask what resources you use to determine what hijack this entries to fix?<<

That's great! and you're welcome, glad I could help.
I've been reading HJT logs for a year, so now it's easy for me to spot any bad entries and the specific malware infections they point to, then use the right tool for it.
Credits go to malware Experts who taught me to interpret hijackthis entries.

These entries below tell us that it was a vundo infection, but somehow vundofix couldn't find the other set of vundo files and that's where Avenger came in, Avenger always find a file if it's in the system.
O2 - BHO: ADOUsefulNet Object - {DB5B9C14-BC53-4AF9-A6BF-42CAE9A3BD81} - C:\WINDOWS\system32\vtstt.dll
O2 - BHO: (no name) - {68622693-36e2-452f-87e9-b8edb4d8e1cc} - C:\WINDOWS\system32\cicaze.dll
O20 - Winlogon Notify: cicaze - C:\WINDOWS\SYSTEM32\cicaze.dll
O20 - Winlogon Notify: vtstt - C:\WINDOWS\system32\vtstt.dll


Thanks for the points and the A grade! :)
0
 
rpggamergirlCommented:
If you look in your system32 folder, its very likely that you'll find the backward names of "vtstt.dll" with different extentions like .bak, .tmp, .ini
Using vundofix would delete the backward files as well but since we use Avenger those leftover backward files would still be there(don't worry they are harmless) they will be removed with your other scanners sooner or later.

Those reversed name files would be something like these:(not all of those would be present but only some)
C:\WINDOWS\system32\ttsvt.bak
C:\WINDOWS\system32\ttsvt.bak1
C:\WINDOWS\system32\ttsvt.tmp
C:\WINDOWS\system32\ttsvt.tmp1
C:\WINDOWS\system32\ttsvt.tmp2
C:\WINDOWS\system32\ttsvt.ini
C:\WINDOWS\system32\ttsvt.ini2
0

Featured Post

Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

  • 13
  • 8
Tackle projects and never again get stuck behind a technical roadblock.
Join Now