Removing Malware from Macbook Pro running Windows XP

I have acquired some Malware on the Windows "side" of my machine. I know there are two:

Plus! Network
Another which presents a popup saying:
"attention it is important that you download flv mplayer to continue"

How can I remove them.
I have Avast and Malware Bytes Anti-Malware which I run regularly to remove viruses and malware but they do not remove them
bogormanAsked:
Who is Participating?
 
☠ MASQ ☠Connect With a Mentor Commented:
How did TDSS go?
0
 
Michael-BestCommented:
"attention it is important that you download flv mplayer to continue"

Do you get this message when trying to play a particular media file?
The media file is fake and only an invitation for you to download malware...delete that media file.

Free Malware Removers:

1. Malwarebytes:
 http://www.malwarebytes.org/

2. Combo Fix:
 http://www.bleepingcomputer.com/download/search/?keyword=combofix

3. Rogue Killer:
 http://www.bleepingcomputer.com/download/roguekiller/

4. Hitman Pro:
 http://www.surfright.nl/en/hitmanpro/

5. TDS Killer:
 http://www.bleepingcomputer.com/download/tdsskiller/

6. SuperAntiSpyware:
 www.superantispyware.com
0
 
☠ MASQ ☠Commented:
Looks like you have two toolbars remaining from your malware infections that are causing the redirects.  Removal depends on which browser is affected.  MBAM should run normally in your Windows environment.

How are you running Windows?  Parallels?

It's probably worth checking if the browser hijackers are still present but MBAM should have sorted them out (it runs fine in a virtualized Windows install like yours) Look for report referring to PUP's (Potentially Unwanted Programs) discovered on your Windows install.

So let's start by finding which browser needs cleaning up.
0
Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

 
bogormanAuthor Commented:
Hi MASQUERAID and Michael,
Thanks for your help so far.
MASQUERAID:   Am running Parallels. Some time ago I noticed it, I think, in IE which kept taking me to a Plus! Network page. This did not occur again until a day or so ago.
Recently when Using Dreamweaver 8 and the preview in browser button I got a black page with the "attention it is important that you download flv mplayer to continue" message.
Are these things "in the browser" or a more general infection of Windows?    The attention message was in Firefox.
Regards
Brian
0
 
bogormanAuthor Commented:
MASQUERAID:   Also, in Firefox, I get a popup:

A script on this page may be busy, or it may have stopped responding. You can stop the script now, or you can continue to see if the script will complete.

Script: https://apis.google.com/_/scs/apps-static/_/js/k=oz.gapi.en_GB.VLQ0ymJuRTk.O/m=plusone/rt=j/sv=1/d=1/ed=1/am=AQ/rs=AItRSTP49CKRV9H9H8Evg75ZBHciJL1Bcw/cb=gapi.loaded_0:23

B
0
 
☠ MASQ ☠Commented:
Download HJT
http://sourceforge.net/projects/hjt/

Create a folder called HJT on your desktop and copy the file inside this.  Open the folder, right-click the utility and choose Run as administrator.  Accept the licence, choose scan and create log file.  Check the contents of the file and that you are happy to post this publicly then either add the content to a post or attach it as a .txt file using the Attach file link at the bottom of this page.
0
 
bogormanAuthor Commented:
Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 10:58:56, on 05/11/2013
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
CHROME: 30.0.1599.101
FIREFOX: 17.0.1 (en-GB)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ceTe Software\DynamicPDF WebCache v1.0.0\DynamicPDF.WebCache.Service.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Parallels\Parallels Tools\prl_cc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Parallels\Parallels Tools\Services\coherence.exe
C:\Program Files\Parallels\Parallels Tools\Services\prl_tools_service.exe
C:\Program Files\Parallels\Parallels Tools\Services\prl_tools.exe
C:\Program Files\Retrospect\Retrospect 7.5\retrorun.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Macromedia\Dreamweaver 8\Dreamweaver.exe
C:\WINDOWS\system32\wuauclt.exe
\psf\Home\Desktop\HJT\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
O3 - Toolbar: DebugBar (Toolbar) - {3E1201F4-1707-409F-BB45-A5F192381DA0} - C:\Program Files\Core Services\DebugBar\DebugToolBar.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Parallels Tools Center] "C:\Program Files\Parallels\Parallels Tools\prl_cc.exe"
O4 - HKLM\..\Run: [AvastUI.exe] "C:\Program Files\Alwil Software\Avast5\AvastUI.exe" /nogui
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: IconPackager.lnk = C:\Program Files\Stardock\MyColors\IconPackager.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: IconPackager.lnk = C:\Program Files\Stardock\MyColors\IconPackager.exe (User 'Default user')
O4 - .DEFAULT User Startup: IconPackager.lnk = C:\Program Files\Stardock\MyColors\IconPackager.exe (User 'Default user')
O4 - Global Startup: Quicken Scheduled Updates.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Inspect Element with DebugBar - res://C:\Program Files\Core Services\DebugBar\DebugInfoBar.dll/247
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft.com/fwlink/?LinkId=82580
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: prl_uprof - C:\Program Files\Parallels\Parallels Tools\prl_uprof.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DynamicPDF WebCache - Unknown owner - C:\Program Files\ceTe Software\DynamicPDF WebCache v1.0.0\DynamicPDF.WebCache.Service.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: Parallels Coherence Service - Parallels Holdings, Ltd. and its affiliates. - C:\Program Files\Parallels\Parallels Tools\Services\coherence.exe
O23 - Service: Parallels Tools Service - Parallels Holdings, Ltd. and its affiliates. - C:\Program Files\Parallels\Parallels Tools\Services\prl_tools_service.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - EMC Corporation - C:\Program Files\Retrospect\Retrospect 7.5\retrorun.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe

--
End of file - 9263 bytes
0
 
ArneLoviusCommented:
As you are running under parallels, you could try the rescue CD's from AVG, Kaspersky and Sophos.

Alternatively, you could just create a new Windows install and copy your files across..
0
 
☠ MASQ ☠Commented:
Hi bogorman, sorry just getting to the end of a 70+ hour week, going to get some sleep and back to this if the suggestion about using a recovery disk doesn't help.  The HJT log looks pretty clean though, this is hiding somewhere else in the virtual partition.
0
 
bogormanAuthor Commented:
Hi MASQUERAID, you certainly deserve that sleep!  
Would rather not have to obtain a recovery disk.
Strangely enough have not had popups recently and the Plus!Network page also hasn't appeared.
Can you tell me if there is any danger of transferring these viruses/malware when I upload files to my website?  (The webhosters have anti-virus software which runs every day and I have Malwarebytes and Avast which are always active).   If this would be sufficient I will probably not do anything more.
You mention something hiding in the virtual machine. Can I recreate this and then put the backup into it?
Brian
0
 
☠ MASQ ☠Commented:
Sorry again! Not recovery disk - rescue disk!!

Almost certainly these are installations on your PC image and are not "infectious" in the computer virus sense.

Have a look through your installed program list in Windows to check you recognise everything & then look at running TDSS Killer just to check the virtual boot sector
0
 
ArneLoviusCommented:
I would try the AVG rescue disk

go to here http://www.avg.com/gb-en/download.prd-arl download the iso and then set it as the boot device in your windows VM, then leave it to examine the windows VM disk
0
 
bogormanAuthor Commented:
MASQUERAID:   Have examined installed programs and there is nothing that appears to be malicious.  Re TDSS Killer - discs seem only to be for Vista and up. I have XP.
ArneLovius:   Is the file avg_arl_cdi_all_120_130801a6481.iso  suitable for windows xp
0
 
☠ MASQ ☠Commented:
TDSS Killer works in XP too - on the web page there are links to instruction pages for Vista etc but that shouldn't be read as the only versions it runs in.
0
 
ArneLoviusCommented:
the iso is a bootable image, you do not install it, but boot the VM with it
0
 
bogormanAuthor Commented:
Thanks everyone for your help.
MASQUERAID's suggestions removed a number of viruses. The others did not seem to, but Thanks
Brian
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.