Solved

Malware fake anti-virus takes over desktop

Posted on 2008-09-29
7
1,015 Views
Last Modified: 2013-12-06
Another client got one of these fake anti-virus malware programs - changing the desktop wallpaper and disabling the Desktop properties on a Win2k machine.
I took a HijackThis snapshot, ran SDFix & ComboFix then took another HijackThis snapshot - I've attached all four logs.
It seems to have cleared up the problem but I'm hoping someone can verify that it's gone from the last HijackThis log - I don't know exactly what to look for.
HijackThis-Before-sdfix-etc..txt
SDFixReport.txt
combofixlog.txt
HijackThis-After-sdfix-etc..txt
0
Comment
Question by:samsterid
  • 3
  • 2
  • 2
7 Comments
 
LVL 3

Assisted Solution

by:Hav0k
Hav0k earned 150 total points
ID: 22598242
SSODL: SetWinDsc - {450BA914-BC73-0948-A058-091904176C33} - C:\Program Files\zqlyvtb\SetWinDsc.dll

get rid of that, for what I can see, you're good to go :)
0
 
LVL 3

Assisted Solution

by:Hav0k
Hav0k earned 150 total points
ID: 22598277
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

Sorry, this as well. Wasn't keeping my eyes wide open enough :P
0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 300 total points
ID: 22601320

Run combofix again using this script to remove those bad folders and the bad reg entry.

1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
Folder::
C:\Documents and Settings\All Users\Application Data\ipgfkdwf
C:\Documents and Settings\All Users\Application Data\lormtivu
C:\Program Files\zqlyvtb
C:\Documents and Settings\All Users\Application Data\opgjcdcf
C:\Documents and Settings\All Users\Application Data\nmrwradi

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SetWinDsc"=-
------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop(in the same location as Combofix.exe).
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.


And fix these entries in Hijackthis (as had been suggested already)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 

Author Comment

by:samsterid
ID: 22629623
Ok - thanks all for the help:
Here is the final HijackThis log:
 - I think it's pretty clean now
hijackthis-final.txt
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 22634463
Hijackthis log looks clean!
Have you also run the Combofix' CFScript.txt?
0
 

Author Comment

by:samsterid
ID: 22639037
Yes I ran the CFSript.txt as advised - the last HijackThis scan is afterward - thanks again!
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 22640185
No problem, glad to know it's been resolved.
You can then uninstall combofix.

Go to Start > Run and copy and paste next command in the field:

ComboFix /u

The procedure will delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Set a new, clean Restore Point.


Thanks!
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Symantec Endpoint Protection Blocks Network Printer 5 113
Viruses etc. and W8 and W10 12 64
How to remove audio ad 4 35
Virus Kronos 4 69
Have you ever tried to find someone you know on Facebook and searched to find more than one result with the same picture? Perhaps someone you know has told you that they have a 'facebook stalker' or someone who is 'posing as them' online and ta…
By the time you finish reading this article, you may have already lost all your money because you don't know the simple steps to securing your BitCoin wallet. BitCoin is an incredible invention. It is a decentralized currency system, which is the…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now