• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1031
  • Last Modified:

Malware fake anti-virus takes over desktop

Another client got one of these fake anti-virus malware programs - changing the desktop wallpaper and disabling the Desktop properties on a Win2k machine.
I took a HijackThis snapshot, ran SDFix & ComboFix then took another HijackThis snapshot - I've attached all four logs.
It seems to have cleared up the problem but I'm hoping someone can verify that it's gone from the last HijackThis log - I don't know exactly what to look for.
HijackThis-Before-sdfix-etc..txt
SDFixReport.txt
combofixlog.txt
HijackThis-After-sdfix-etc..txt
0
samsterid
Asked:
samsterid
  • 3
  • 2
  • 2
3 Solutions
 
Hav0kCommented:
SSODL: SetWinDsc - {450BA914-BC73-0948-A058-091904176C33} - C:\Program Files\zqlyvtb\SetWinDsc.dll

get rid of that, for what I can see, you're good to go :)
0
 
Hav0kCommented:
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

Sorry, this as well. Wasn't keeping my eyes wide open enough :P
0
 
rpggamergirlCommented:

Run combofix again using this script to remove those bad folders and the bad reg entry.

1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
Folder::
C:\Documents and Settings\All Users\Application Data\ipgfkdwf
C:\Documents and Settings\All Users\Application Data\lormtivu
C:\Program Files\zqlyvtb
C:\Documents and Settings\All Users\Application Data\opgjcdcf
C:\Documents and Settings\All Users\Application Data\nmrwradi

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SetWinDsc"=-
------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop(in the same location as Combofix.exe).
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.


And fix these entries in Hijackthis (as had been suggested already)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
0
Building an Effective Phishing Protection Program

Join Director of Product Management Todd OBoyle on April 26th as he covers the key elements of a phishing protection program. Whether you’re an old hat at phishing education or considering starting a program -- we'll discuss critical components that should be in any program.

 
samsteridAuthor Commented:
Ok - thanks all for the help:
Here is the final HijackThis log:
 - I think it's pretty clean now
hijackthis-final.txt
0
 
rpggamergirlCommented:
Hijackthis log looks clean!
Have you also run the Combofix' CFScript.txt?
0
 
samsteridAuthor Commented:
Yes I ran the CFSript.txt as advised - the last HijackThis scan is afterward - thanks again!
0
 
rpggamergirlCommented:
No problem, glad to know it's been resolved.
You can then uninstall combofix.

Go to Start > Run and copy and paste next command in the field:

ComboFix /u

The procedure will delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Set a new, clean Restore Point.


Thanks!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

The 14th Annual Expert Award Winners

The results are in! Meet the top members of our 2017 Expert Awards. Congratulations to all who qualified!

  • 3
  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now