marathonman330
Need to clean WinAntiVirus from Win XP PC

I am trying to clean a Win XP SP2 PC where IE appears to be hijacked.  Intermittently the home page is redirected to count2.exitexchange.com and there is a popup trying to get you to 'Download WinAntiVirus FREE now!'.  Does anyone know of a specific removal tool for this?  Thank you.
ASKER CERTIFIED SOLUTION
rpggamergirl
Normally, AboutBuster would fix the usual homepage hijacker, but looking at your hijackthis log would be the best option to do first just to be sure.

Please download About:Buster 6.0.
http://www.malwarebytes.org/AboutBuster.zip

Then unzip all files from the zip folder to a folder or your desktop. Start it by double-clicking on the "aboutbuster.exe" icon and then click on the "Update" button to check for new updates. If any updates exist, please install them.

Exit AboutBuster and reboot into safe mode.
Once in safe mode double-click on the "aboutbuster.exe" icon again and click on the "Begin Removal" button. When it has finished scanning you will see a message stating that the Scan Completed and you should press OK. When the next information window opens press the Exit button. Then finally press the OK button again when it tells you a log has been saved.
marathonman330

ASKER

Yes, Vundo infection is showing in your log as well as Zango Toolbar, Hijackthis won't be able to remove vundo entries while vundo files are still active.

1. Please download VundoFix.exe to your desktop.
http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to run it.
Put a check next to "Run VundoFix as a task".
You will receive a message saying vundofix will close and re-open in a minute or less.
Click OK
When VundoFix re-opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.


Then;
2. Download and unzip BFUzip
http://www.merijn.org/files/bfu.zip
Run the program and click the Web button
Use the URL below to copy into the address bar of the Download script window:
http://metallica.geekstogo.com/MediaGateway.BFU

Make sure all IE windows are closed.

Execute the script by clicking the "Execute" button.

3. After you've run those 2 tools, run another scan with hijackthis and let us see a new link to your fresh hijackthis log.
Let us know if you're having trouble running vundofix.
I uploaded a fresh hijackthis logfile.

IE is still being redirected to that site.  Also, most of the time when I launch IE, Internet Properties comes up.  I need to keep cancelling that until the browser opens.
can you please post the vundo txt?
I just want to check whether it took care of the vundo file or didn't. There is another file that needs to be killed too.


These are all the bad entries in your log from your original link.
You can put a check next to these entries and click the "Fix Checked" button:
O2 - BHO: (no name) - {68622693-36e2-452f-87e9-b8edb4d8e1cc} - C:\WINDOWS\system32\cicaze.dll
O2 - BHO: ADOUsefulNet Object - {DB5B9C14-BC53-4AF9-A6BF-42CAE9A3BD81} - C:\WINDOWS\system32\vtstt.dll
O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O20 - Winlogon Notify: cicaze - C:\WINDOWS\SYSTEM32\cicaze.dll
O20 - Winlogon Notify: vtstt - C:\WINDOWS\system32\vtstt.dll
Vundo.txt has been uploaded.  Thank you.
Can you please run vundofix again?
Double-click VundoFix.exe to launch it.
After VundoFix loads right-click inside the listbox (white box)

Click on the option to "Add More Files?"

Copy/paste the following, one to each box:
C:\WINDOWS\system32\vtstt.dll

Click "Add File(s)"

Finally, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

If this does not work, then we just kill that file with another tool.
Did you run Mediagateway.bfu yet?
I uploaded the latest Hijack This logfile.

I ran vundofix again but it did not find vtstt.dll.  I also could not find it manually.

I did earlier run mediagateway.bfu.

IE is still being redirected to:

http://62.4.84.53/trafc-2/rfe.php?nid=dw&cmp=mygeek_17&q=home&uid=E5F01630AF9311DA9AF3000B6AC2AAE3&guid=475a7eeb+AD715A3AE7944151902BEE061C23A7A2&lid=http:%2F%2Fad.doubleclick.net%2Fadi%2Fnba.dart%2Fhomepage;pos=5;dcopt=ist;sz=180x150;tile=5;;ord=1153188209062%3F
Sorry I can't access that page, it says a "not found page"

Did you run vundofix and add this dll --> C:\WINDOWS\system32\vtstt.dll
and was it deleted? If not, then we can just delete it manually using Avenger.
oops sorry, I just saw your post about vundo not being able to find it... okay let's use avenger.  
BRB
I added that file but it said it was not found.  There were no other files found.  The Remove Vundo button had nothing to clean.  I also went into system32 but could not find that file.  Thank you.
Where do I get Avenger?

Should I fix the following in hijack this?

O2 - BHO: ADOUsefulNet Object - {DB5B9C14-BC53-4AF9-A6BF-42CAE9A3BD81} - C:\WINDOWS\system32\vtstt.dll
O20 - Winlogon Notify: vtstt - C:\WINDOWS\system32\vtstt.dll

Thank you for all your help.
The entry is still showing in your Hijackthis log; if Avenger cannot find it then I would believe it does not exist and that it's only the registry entry left.

1. Please download The Avenger by Swandog46 to your Desktop.
http://swandog46.geekstogo.com/avenger.zip

   *Click on Avenger.zip to open the file
   *Extract avenger.exe to your desktop

2. Copy all the text contained between the lines below to your Clipboard by highlighting it and pressing (Ctrl+C):
----------------------------------------------------------------------------------------------------------------

Files to delete:
C:\WINDOWS\system32\vtstt.dll

Registry keys to delete:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vtstt

----------------------------------------------------------------------------------------------------------------

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
    *Under "Script file to execute" choose "Input Script Manually".
    *Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    *Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    *Click Done
    *Now click on the Green Light to begin execution of the script
    *Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:
    *It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    *On reboot, it will briefly open a black command window on your desktop, this is normal.
    *After the restart, it creates a log file that should open with the results of Avenger’s actions. This logfile will be located at C:\avenger.txt
    *The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please post the content of c:\avenger.txt
It is also safe to fix those R entries; just leave your startpage, don't fix it.

Did you install SideStep on purpose? If not, please remove the relevant entry as well.

O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\Downloaded Program Files\SbCIe02b.dll
O2 - BHO: ADOUsefulNet Object - {DB5B9C14-BC53-4AF9-A6BF-42CAE9A3BD81} - C:\WINDOWS\system32\vtstt.dll
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe02b.dll
O20 - Winlogon Notify: vtstt - C:\WINDOWS\system32\vtstt.dll



Start > Run > type

regsvr32 /u occache.dll

Click OK
Manually delete this file --> C:\WINDOWS\Downloaded Program Files\SbCIe02b.dll

When you finish go back to:
Click Start > Run
Paste in this command

regsvr32 occache.dll

And Click OK
I ran Avenger and posted avenger.txt.  I also posted the latest hijack this logfile.  Should I do anything about -

O2 - BHO: ADOUsefulNet Object - {DB5B9C14-BC53-4AF9-A6BF-42CAE9A3BD81} - C:\WINDOWS\system32\vtstt.dll (file missing)

I have opened IE several times now and it seems to be working fine.  Hopefully it is now taken care of.  Thank you.
Yeah fix this too, I missed that sorry.
O2 - BHO: ADOUsefulNet Object - {DB5B9C14-BC53-4AF9-A6BF-42CAE9A3BD81} - C:\WINDOWS\system32\vtstt.dll (file missing)

I'll check EE stuff now.
Great! Avenger took care of the file and the reg entry. So vundo is well and truly gone.

SideStep is also considered malware. To delete the file you need to unregister occache.dll first so you can see everything in the DPF folder, because by default Explorer will not show everything in that folder; Explorer only shows ActiveX plugins etc. That's why that's a good folder for malware writers to put their installers in. :)


O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\Downloaded Program Files\SbCIe02b.dll
O2 - BHO: ADOUsefulNet Object - {DB5B9C14-BC53-4AF9-A6BF-42CAE9A3BD81} - C:\WINDOWS\system32\vtstt.dll (file missing)
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe02b.dll
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb02b.cab
Just run this tool once if you don't have a domain to force policies towards your client ;)

http://www.majorgeeks.com/Brute_Force_Uninstaller_BFU_d4714.html

regards,
rpggamergirl,

The PC is clean.  Thank you for all your help.  May I ask what resources you use to determine what hijack this entries to fix?
>>The PC is clean.  Thank you for all your help.  May I ask what resources you use to determine what hijack this entries to fix?<<

That's great! and you're welcome, glad I could help.
I've been reading HJT logs for a year, so now it's easy for me to spot any bad entries and the specific malware infections they point to, then use the right tool for it.
Credits go to malware Experts who taught me to interpret hijackthis entries.

These entries below tell us that it was a vundo infection, but somehow vundofix couldn't find the other set of vundo files, and that's where Avenger came in. Avenger always finds a file if it's in the system.
O2 - BHO: ADOUsefulNet Object - {DB5B9C14-BC53-4AF9-A6BF-42CAE9A3BD81} - C:\WINDOWS\system32\vtstt.dll
O2 - BHO: (no name) - {68622693-36e2-452f-87e9-b8edb4d8e1cc} - C:\WINDOWS\system32\cicaze.dll
O20 - Winlogon Notify: cicaze - C:\WINDOWS\SYSTEM32\cicaze.dll
O20 - Winlogon Notify: vtstt - C:\WINDOWS\system32\vtstt.dll


Thanks for the points and the A grade! :)
If you look in your system32 folder, it's very likely that you'll find the backward names of "vtstt.dll" with different extensions like .bak, .tmp, .ini.
Using vundofix would delete the backward files as well, but since we used Avenger those leftover backward files would still be there (don't worry, they are harmless); they will be removed by your other scanners sooner or later.

Those reversed-name files would be something like these (not all of them would be present, only some):
C:\WINDOWS\system32\ttsvt.bak
C:\WINDOWS\system32\ttsvt.bak1
C:\WINDOWS\system32\ttsvt.tmp
C:\WINDOWS\system32\ttsvt.tmp1
C:\WINDOWS\system32\ttsvt.tmp2
C:\WINDOWS\system32\ttsvt.ini
C:\WINDOWS\system32\ttsvt.ini2