Malware fake anti-virus takes over desktop

Posted on 2008-09-29
Last Modified: 2013-12-06
Another client got one of these fake anti-virus malware programs - changing the desktop wallpaper and disabling the Desktop properties on a Win2k machine.
I took a HijackThis snapshot, ran SDFix & ComboFix then took another HijackThis snapshot - I've attached all four logs.
It seems to have cleared up the problem but I'm hoping someone can verify that it's gone from the last HijackThis log - I don't know exactly what to look for.
Question by:samsterid
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2

Assisted Solution

Hav0k earned 150 total points
ID: 22598242
SSODL: SetWinDsc - {450BA914-BC73-0948-A058-091904176C33} - C:\Program Files\zqlyvtb\SetWinDsc.dll

get rid of that, for what I can see, you're good to go :)

Assisted Solution

Hav0k earned 150 total points
ID: 22598277
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

Sorry, this as well. Wasn't keeping my eyes wide open enough :P
LVL 47

Accepted Solution

rpggamergirl earned 300 total points
ID: 22601320

Run combofix again using this script to remove those bad folders and the bad reg entry.

1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
C:\Documents and Settings\All Users\Application Data\ipgfkdwf
C:\Documents and Settings\All Users\Application Data\lormtivu
C:\Program Files\zqlyvtb
C:\Documents and Settings\All Users\Application Data\opgjcdcf
C:\Documents and Settings\All Users\Application Data\nmrwradi

3. Save the above as CFScript.txt on your desktop(in the same location as Combofix.exe).
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

And fix these entries in Hijackthis (as had been suggested already)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
Get Actionable Data from Your Monitoring Solution

Your communication platform is only as good as the relevance of the information you send. Ensure your alerts get to the right people every time with actionable responses. Create escalation rules that ensure everyone follows the process and nothing is left to chance.


Author Comment

ID: 22629623
Ok - thanks all for the help:
Here is the final HijackThis log:
 - I think it's pretty clean now
LVL 47

Expert Comment

ID: 22634463
Hijackthis log looks clean!
Have you also run the Combofix' CFScript.txt?

Author Comment

ID: 22639037
Yes I ran the CFSript.txt as advised - the last HijackThis scan is afterward - thanks again!
LVL 47

Expert Comment

ID: 22640185
No problem, glad to know it's been resolved.
You can then uninstall combofix.

Go to Start > Run and copy and paste next command in the field:

ComboFix /u

The procedure will delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Set a new, clean Restore Point.


Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

These are on the increase and getting more common these days. Users who use the Google search engine may complain of having their search redirected to unwanted sites, regardless of what browser is used. This happens when the system is infected with…
PREFACE The purpose of this guide is to provide information to successfully add specific IIS 7.0 role services for the Symantec Endpoint Protection Manager (SEPM) to function properly when installed on Windows 2008. AUDIENCE Information Technol…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

695 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question