Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Malware fake anti-virus takes over desktop

Posted on 2008-09-29
Last Modified: 2013-12-06
Another client got one of these fake anti-virus malware programs - changing the desktop wallpaper and disabling the Desktop properties on a Win2k machine.
I took a HijackThis snapshot, ran SDFix & ComboFix then took another HijackThis snapshot - I've attached all four logs.
It seems to have cleared up the problem but I'm hoping someone can verify that it's gone from the last HijackThis log - I don't know exactly what to look for.
Question by:samsterid
  • 3
  • 2
  • 2

Assisted Solution

Hav0k earned 150 total points
ID: 22598242
SSODL: SetWinDsc - {450BA914-BC73-0948-A058-091904176C33} - C:\Program Files\zqlyvtb\SetWinDsc.dll

get rid of that, for what I can see, you're good to go :)

Assisted Solution

Hav0k earned 150 total points
ID: 22598277
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

Sorry, this as well. Wasn't keeping my eyes wide open enough :P
LVL 47

Accepted Solution

rpggamergirl earned 300 total points
ID: 22601320

Run combofix again using this script to remove those bad folders and the bad reg entry.

1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
C:\Documents and Settings\All Users\Application Data\ipgfkdwf
C:\Documents and Settings\All Users\Application Data\lormtivu
C:\Program Files\zqlyvtb
C:\Documents and Settings\All Users\Application Data\opgjcdcf
C:\Documents and Settings\All Users\Application Data\nmrwradi

3. Save the above as CFScript.txt on your desktop(in the same location as Combofix.exe).
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

And fix these entries in Hijackthis (as had been suggested already)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.


Author Comment

ID: 22629623
Ok - thanks all for the help:
Here is the final HijackThis log:
 - I think it's pretty clean now
LVL 47

Expert Comment

ID: 22634463
Hijackthis log looks clean!
Have you also run the Combofix' CFScript.txt?

Author Comment

ID: 22639037
Yes I ran the CFSript.txt as advised - the last HijackThis scan is afterward - thanks again!
LVL 47

Expert Comment

ID: 22640185
No problem, glad to know it's been resolved.
You can then uninstall combofix.

Go to Start > Run and copy and paste next command in the field:

ComboFix /u

The procedure will delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Set a new, clean Restore Point.


Featured Post

Networking for the Cloud Era

Join Microsoft and Riverbed for a discussion and demonstration of enhancements to SteelConnect:
-One-click orchestration and cloud connectivity in Azure environments
-Tight integration of SD-WAN and WAN optimization capabilities
-Scalability and resiliency equal to a data center

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Remove and unencrypt files and folders infected with Crypto virus 20 149
Trojan blocked 11 99
Kaspersky Anti-Ransomware Tool for Business 10 150
Twitching screen 11 117
Change your password...do it now!. Probably the easiest point of access to your account is through guessing your password. If your password is guessable, do change it now. If not for your sake but for everyone else in your friends list. Remember …
PREFACE The purpose of this guide is to explain how to manually move a SEP client to a different client group by performing steps on the client-side. These steps may prove particularly useful because they allow the client to move after it has alrea…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

860 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question