Solved

Malware fake anti-virus takes over desktop

Posted on 2008-09-29
7
1,018 Views
Last Modified: 2013-12-06
Another client got one of these fake anti-virus malware programs - changing the desktop wallpaper and disabling the Desktop properties on a Win2k machine.
I took a HijackThis snapshot, ran SDFix & ComboFix then took another HijackThis snapshot - I've attached all four logs.
It seems to have cleared up the problem but I'm hoping someone can verify that it's gone from the last HijackThis log - I don't know exactly what to look for.
HijackThis-Before-sdfix-etc..txt
SDFixReport.txt
combofixlog.txt
HijackThis-After-sdfix-etc..txt
0
Comment
Question by:samsterid
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
7 Comments
 
LVL 3

Assisted Solution

by:Hav0k
Hav0k earned 150 total points
ID: 22598242
SSODL: SetWinDsc - {450BA914-BC73-0948-A058-091904176C33} - C:\Program Files\zqlyvtb\SetWinDsc.dll

get rid of that, for what I can see, you're good to go :)
0
 
LVL 3

Assisted Solution

by:Hav0k
Hav0k earned 150 total points
ID: 22598277
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

Sorry, this as well. Wasn't keeping my eyes wide open enough :P
0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 300 total points
ID: 22601320

Run combofix again using this script to remove those bad folders and the bad reg entry.

1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
Folder::
C:\Documents and Settings\All Users\Application Data\ipgfkdwf
C:\Documents and Settings\All Users\Application Data\lormtivu
C:\Program Files\zqlyvtb
C:\Documents and Settings\All Users\Application Data\opgjcdcf
C:\Documents and Settings\All Users\Application Data\nmrwradi

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SetWinDsc"=-
------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop(in the same location as Combofix.exe).
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.


And fix these entries in Hijackthis (as had been suggested already)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:samsterid
ID: 22629623
Ok - thanks all for the help:
Here is the final HijackThis log:
 - I think it's pretty clean now
hijackthis-final.txt
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 22634463
Hijackthis log looks clean!
Have you also run the Combofix' CFScript.txt?
0
 

Author Comment

by:samsterid
ID: 22639037
Yes I ran the CFSript.txt as advised - the last HijackThis scan is afterward - thanks again!
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 22640185
No problem, glad to know it's been resolved.
You can then uninstall combofix.

Go to Start > Run and copy and paste next command in the field:

ComboFix /u

The procedure will delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Set a new, clean Restore Point.


Thanks!
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Full list of ransomwares to date 6 140
Zepto Virus Infection 3 100
Gpora virus - GPO  lockdown on RDS/TS server 6 37
SMTP log file for IMSVA 5 35
UPDATE - 6/15/2011 Added support for Release Update 6 Maintenance Patch 2 Point Patch 1 (RU6 MP2 PP1). Fixed a defect in the username field that was hard-coded to look for a specific domain (left over code from testing). This release will be the …
For those of you actively in the Malware fightling business, we now have available an amazing new tool in the malware wars (first recommended to me by rpggamergirl (http://www.experts-exchange.com/M_3598771.html), the Zone Advisor for the Virus and …
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question