Removing Malware from Macbook Pro running Windows XP

Posted on 2013-11-03
Last Modified: 2013-11-29
I have acquired some malware on the Windows "side" of my machine. I know there are two:

Plus! Network
Another which presents a popup saying:
"attention it is important that you download flv mplayer to continue"

How can I remove them?
I have Avast and Malwarebytes Anti-Malware, which I run regularly to remove viruses and malware, but they do not remove them.
Question by:bogorman
 
LVL 34

Expert Comment

by:Michael-Best
ID: 39620342
"attention it is important that you download flv mplayer to continue"

Do you get this message when trying to play a particular media file?
The media file is fake and only an invitation for you to download malware. Delete that media file.

Free Malware Removers:

1. Malwarebytes:
 http://www.malwarebytes.org/

2. Combo Fix:
 http://www.bleepingcomputer.com/download/search/?keyword=combofix

3. Rogue Killer:
 http://www.bleepingcomputer.com/download/roguekiller/

4. Hitman Pro:
 http://www.surfright.nl/en/hitmanpro/

5. TDS Killer:
 http://www.bleepingcomputer.com/download/tdsskiller/

6. SuperAntiSpyware:
 www.superantispyware.com
 
LVL 63

Expert Comment

by:☠ MASQ ☠
ID: 39620405
Looks like you have two toolbars remaining from your malware infections that are causing the redirects.  Removal depends on which browser is affected.  MBAM should run normally in your Windows environment.

How are you running Windows?  Parallels?

It's probably worth checking if the browser hijackers are still present, but MBAM should have sorted them out (it runs fine in a virtualized Windows install like yours). Look for a report referring to PUPs (Potentially Unwanted Programs) discovered on your Windows install.

So let's start by finding which browser needs cleaning up.
 

Author Comment

by:bogorman
ID: 39621254
Hi MASQUERAID and Michael,
Thanks for your help so far.
MASQUERAID: I am running Parallels. Some time ago I noticed it, I think, in IE, which kept taking me to a Plus! Network page. This did not occur again until a day or so ago.
Recently, when using Dreamweaver 8 and the preview-in-browser button, I got a black page with the "attention it is important that you download flv mplayer to continue" message.
Are these things "in the browser" or a more general infection of Windows? The attention message was in Firefox.
Regards
Brian

Author Comment

by:bogorman
ID: 39621255
MASQUERAID: Also, in Firefox, I get a popup:

A script on this page may be busy, or it may have stopped responding. You can stop the script now, or you can continue to see if the script will complete.

Script: https://apis.google.com/_/scs/apps-static/_/js/k=oz.gapi.en_GB.VLQ0ymJuRTk.O/m=plusone/rt=j/sv=1/d=1/ed=1/am=AQ/rs=AItRSTP49CKRV9H9H8Evg75ZBHciJL1Bcw/cb=gapi.loaded_0:23

B
 
LVL 63

Expert Comment

by:☠ MASQ ☠
ID: 39622351
Download HJT
http://sourceforge.net/projects/hjt/

Create a folder called HJT on your desktop and copy the file inside this. Open the folder, right-click the utility and choose Run as administrator. Accept the licence, choose scan and create a log file. Check the contents of the file and that you are happy to post this publicly, then either add the content to a post or attach it as a .txt file using the Attach file link at the bottom of this page.
 

Author Comment

by:bogorman
ID: 39623884
Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 10:58:56, on 05/11/2013
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
CHROME: 30.0.1599.101
FIREFOX: 17.0.1 (en-GB)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ceTe Software\DynamicPDF WebCache v1.0.0\DynamicPDF.WebCache.Service.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Parallels\Parallels Tools\prl_cc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Parallels\Parallels Tools\Services\coherence.exe
C:\Program Files\Parallels\Parallels Tools\Services\prl_tools_service.exe
C:\Program Files\Parallels\Parallels Tools\Services\prl_tools.exe
C:\Program Files\Retrospect\Retrospect 7.5\retrorun.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Macromedia\Dreamweaver 8\Dreamweaver.exe
C:\WINDOWS\system32\wuauclt.exe
\psf\Home\Desktop\HJT\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
O3 - Toolbar: DebugBar (Toolbar) - {3E1201F4-1707-409F-BB45-A5F192381DA0} - C:\Program Files\Core Services\DebugBar\DebugToolBar.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Parallels Tools Center] "C:\Program Files\Parallels\Parallels Tools\prl_cc.exe"
O4 - HKLM\..\Run: [AvastUI.exe] "C:\Program Files\Alwil Software\Avast5\AvastUI.exe" /nogui
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: IconPackager.lnk = C:\Program Files\Stardock\MyColors\IconPackager.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: IconPackager.lnk = C:\Program Files\Stardock\MyColors\IconPackager.exe (User 'Default user')
O4 - .DEFAULT User Startup: IconPackager.lnk = C:\Program Files\Stardock\MyColors\IconPackager.exe (User 'Default user')
O4 - Global Startup: Quicken Scheduled Updates.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Inspect Element with DebugBar - res://C:\Program Files\Core Services\DebugBar\DebugInfoBar.dll/247
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft.com/fwlink/?LinkId=82580
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: prl_uprof - C:\Program Files\Parallels\Parallels Tools\prl_uprof.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DynamicPDF WebCache - Unknown owner - C:\Program Files\ceTe Software\DynamicPDF WebCache v1.0.0\DynamicPDF.WebCache.Service.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: Parallels Coherence Service - Parallels Holdings, Ltd. and its affiliates. - C:\Program Files\Parallels\Parallels Tools\Services\coherence.exe
O23 - Service: Parallels Tools Service - Parallels Holdings, Ltd. and its affiliates. - C:\Program Files\Parallels\Parallels Tools\Services\prl_tools_service.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - EMC Corporation - C:\Program Files\Retrospect\Retrospect 7.5\retrorun.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe

--
End of file - 9263 bytes
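
As an added example (not code from this thread or from HijackThis), here is a small Python triage script for logs in the HijackThis format posted above: it parses the R/O entry lines and flags the things a defender looks at first, namely IE start/search pages pointing at hosts outside a trusted list, autoruns launched from user-writable directories, startup shortcuts with an unresolved target, and services with no publisher recorded. The sample log is constructed from lines in the log above plus one made-up hijacked start page (example.invalid), and the trusted-host list is an assumption for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis format: lines modelled on the log above plus one made-up hijacked start page (example.invalid).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://example.invalid/search
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Quicken Scheduled Updates.lnk = ?
O23 - Service: DynamicPDF WebCache - Unknown owner - C:\Program Files\ceTe Software\DynamicPDF WebCache v1.0.0\DynamicPDF.WebCache.Service.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")   # e.g. "O4 - HKLM\..\Run: ..."
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)', re.IGNORECASE)  # first Windows path in an entry

# Hosts the analyst already trusts for IE start/search pages (assumption for this example).
TRUSTED_HOSTS = {"www.google.co.uk", "uk.msn.com", "go.microsoft.com"}
# Directories an ordinary user can write to; autoruns living there deserve a second look.
USER_WRITABLE = ("\\documents and settings\\", "\\local settings\\", "\\temp\\", "\\application data\\")

def parse_hjt(text):
    """Return (code, body) pairs for every HijackThis entry line (R0/R1/O2/O4/O23 ...)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries

def triage(entries):
    """Apply simple defender heuristics; returns (code, reason, body) findings in log order."""
    findings = []
    for code, body in entries:
        if code in ("R0", "R1") and "=" in body:
            url = body.split("=", 1)[1].strip()
            host = urlparse(url).hostname
            if host and host not in TRUSTED_HOSTS:
                findings.append((code, "start/search page points at untrusted host " + host, body))
        elif code == "O4":
            if body.rstrip().endswith("= ?"):
                findings.append((code, "startup shortcut with unresolved target", body))
            else:
                m = PATH_RE.search(body)
                if m and any(d in m.group(0).lower() for d in USER_WRITABLE):
                    findings.append((code, "autorun launched from a user-writable directory", body))
        elif code == "O23" and "Unknown owner" in body:
            findings.append((code, "service with no publisher recorded", body))
    return findings

if __name__ == "__main__":
    for code, reason, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{code}] {reason}\n    {body}")
```

Flagged entries are candidates for review, not verdicts: the Google Update autorun under the user profile is legitimate, which is why a human still compares each hit against the installed-program list as MASQ suggests.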
 
LVL 37

Expert Comment

by:ArneLovius
ID: 39633092
As you are running under Parallels, you could try the rescue CDs from AVG, Kaspersky and Sophos.

Alternatively, you could just create a new Windows install and copy your files across.
 
LVL 63

Expert Comment

by:☠ MASQ ☠
ID: 39634284
Hi bogorman, sorry, just getting to the end of a 70+ hour week; going to get some sleep and back to this if the suggestion about using a recovery disk doesn't help. The HJT log looks pretty clean though; this is hiding somewhere else in the virtual partition.
 

Author Comment

by:bogorman
ID: 39634510
Hi MASQUERAID, you certainly deserve that sleep!
I would rather not have to obtain a recovery disk.
Strangely enough, I have not had popups recently and the Plus! Network page also hasn't appeared.
Can you tell me if there is any danger of transferring these viruses/malware when I upload files to my website? (The web hosters have anti-virus software which runs every day, and I have Malwarebytes and Avast which are always active.) If this would be sufficient I will probably not do anything more.
You mention something hiding in the virtual machine. Can I recreate this and then put the backup into it?
Brian
 
LVL 63

Expert Comment

by:☠ MASQ ☠
ID: 39634564
Sorry again! Not recovery disk - rescue disk!!

Almost certainly these are installations on your PC image and are not "infectious" in the computer virus sense.

Have a look through your installed program list in Windows to check you recognise everything, and then look at running TDSS Killer just to check the virtual boot sector.
 
LVL 37

Expert Comment

by:ArneLovius
ID: 39634630
I would try the AVG rescue disk.

Go to http://www.avg.com/gb-en/download.prd-arl, download the ISO and then set it as the boot device in your Windows VM, then leave it to examine the Windows VM disk.
 

Author Comment

by:bogorman
ID: 39638237
MASQUERAID: I have examined installed programs and there is nothing that appears to be malicious. Re TDSS Killer: the discs seem only to be for Vista and up. I have XP.
ArneLovius: Is the file avg_arl_cdi_all_120_130801a6481.iso suitable for Windows XP?
 
LVL 63

Expert Comment

by:☠ MASQ ☠
ID: 39639491
TDSS Killer works in XP too. On the web page there are links to instruction pages for Vista etc., but that shouldn't be read as the only versions it runs in.
 
LVL 37

Expert Comment

by:ArneLovius
ID: 39643261
The ISO is a bootable image; you do not install it, you boot the VM with it.
 
LVL 63

Accepted Solution

by:☠ MASQ ☠ (earned 2000 total points)
ID: 39652967
How did TDSS go?
 

Author Closing Comment

by:bogorman
ID: 39685028
Thanks everyone for your help.
MASQUERAID's suggestions removed a number of viruses. The others did not seem to, but thanks.
Brian