Solved

Removing Malware from Macbook Pro running Windows XP

Posted on 2013-11-03
18
882 Views
Last Modified: 2013-11-29
I have acquired some Malware on the Windows "side" of my machine. I know there are two:

Plus! Network
Another which presents a popup saying:
"attention it is important that you download flv mplayer to continue"

How can I remove them?
I have Avast and Malwarebytes Anti-Malware, which I run regularly to remove viruses and malware, but they do not remove them.
Question by:bogorman
18 Comments
 
LVL 34

Expert Comment

by:Michael-Best
ID: 39620342
"attention it is important that you download flv mplayer to continue"

Do you get this message when trying to play a particular media file?
The media file is fake and only an invitation for you to download malware... delete that media file.

Free Malware Removers:

1. Malwarebytes:
 http://www.malwarebytes.org/

2. Combo Fix:
 http://www.bleepingcomputer.com/download/search/?keyword=combofix

3. Rogue Killer:
 http://www.bleepingcomputer.com/download/roguekiller/

4. Hitman Pro:
 http://www.surfright.nl/en/hitmanpro/

5. TDS Killer:
 http://www.bleepingcomputer.com/download/tdsskiller/

6. SuperAntiSpyware:
 www.superantispyware.com
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 39620405
Looks like you have two toolbars remaining from your malware infections that are causing the redirects.  Removal depends on which browser is affected.  MBAM should run normally in your Windows environment.

How are you running Windows?  Parallels?

It's probably worth checking if the browser hijackers are still present, but MBAM should have sorted them out (it runs fine in a virtualized Windows install like yours). Look for a report referring to PUPs (Potentially Unwanted Programs) discovered on your Windows install.

So let's start by finding which browser needs cleaning up.
 

Author Comment

by:bogorman
ID: 39621254
Hi MASQUERAID and Michael,
Thanks for your help so far.
MASQUERAID:   Am running Parallels. Some time ago I noticed it, I think, in IE which kept taking me to a Plus! Network page. This did not occur again until a day or so ago.
Recently when Using Dreamweaver 8 and the preview in browser button I got a black page with the "attention it is important that you download flv mplayer to continue" message.
Are these things "in the browser" or a more general infection of Windows?    The attention message was in Firefox.
Regards
Brian
 

Author Comment

by:bogorman
ID: 39621255
MASQUERAID:   Also, in Firefox, I get a popup:

A script on this page may be busy, or it may have stopped responding. You can stop the script now, or you can continue to see if the script will complete.

Script: https://apis.google.com/_/scs/apps-static/_/js/k=oz.gapi.en_GB.VLQ0ymJuRTk.O/m=plusone/rt=j/sv=1/d=1/ed=1/am=AQ/rs=AItRSTP49CKRV9H9H8Evg75ZBHciJL1Bcw/cb=gapi.loaded_0:23

B
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 39622351
Download HJT
http://sourceforge.net/projects/hjt/

Create a folder called HJT on your desktop and copy the file inside this.  Open the folder, right-click the utility and choose Run as administrator.  Accept the licence, choose scan and create log file.  Check the contents of the file and that you are happy to post this publicly then either add the content to a post or attach it as a .txt file using the Attach file link at the bottom of this page.
 

Author Comment

by:bogorman
ID: 39623884
Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 10:58:56, on 05/11/2013
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
CHROME: 30.0.1599.101
FIREFOX: 17.0.1 (en-GB)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ceTe Software\DynamicPDF WebCache v1.0.0\DynamicPDF.WebCache.Service.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Parallels\Parallels Tools\prl_cc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Parallels\Parallels Tools\Services\coherence.exe
C:\Program Files\Parallels\Parallels Tools\Services\prl_tools_service.exe
C:\Program Files\Parallels\Parallels Tools\Services\prl_tools.exe
C:\Program Files\Retrospect\Retrospect 7.5\retrorun.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Macromedia\Dreamweaver 8\Dreamweaver.exe
C:\WINDOWS\system32\wuauclt.exe
\psf\Home\Desktop\HJT\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
O3 - Toolbar: DebugBar (Toolbar) - {3E1201F4-1707-409F-BB45-A5F192381DA0} - C:\Program Files\Core Services\DebugBar\DebugToolBar.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Parallels Tools Center] "C:\Program Files\Parallels\Parallels Tools\prl_cc.exe"
O4 - HKLM\..\Run: [AvastUI.exe] "C:\Program Files\Alwil Software\Avast5\AvastUI.exe" /nogui
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: IconPackager.lnk = C:\Program Files\Stardock\MyColors\IconPackager.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: IconPackager.lnk = C:\Program Files\Stardock\MyColors\IconPackager.exe (User 'Default user')
O4 - .DEFAULT User Startup: IconPackager.lnk = C:\Program Files\Stardock\MyColors\IconPackager.exe (User 'Default user')
O4 - Global Startup: Quicken Scheduled Updates.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Inspect Element with DebugBar - res://C:\Program Files\Core Services\DebugBar\DebugInfoBar.dll/247
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft.com/fwlink/?LinkId=82580
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: prl_uprof - C:\Program Files\Parallels\Parallels Tools\prl_uprof.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DynamicPDF WebCache - Unknown owner - C:\Program Files\ceTe Software\DynamicPDF WebCache v1.0.0\DynamicPDF.WebCache.Service.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: Parallels Coherence Service - Parallels Holdings, Ltd. and its affiliates. - C:\Program Files\Parallels\Parallels Tools\Services\coherence.exe
O23 - Service: Parallels Tools Service - Parallels Holdings, Ltd. and its affiliates. - C:\Program Files\Parallels\Parallels Tools\Services\prl_tools_service.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - EMC Corporation - C:\Program Files\Retrospect\Retrospect 7.5\retrorun.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe

--
End of file - 9263 bytes
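The HijackThis log above is read by eye in this thread; as an added example (not code from the thread or from HijackThis), here is a small triage script for that log format which flags the entry types the experts are looking at: R0/R1 home and search pages pointing at an unexpected host, O4 autoruns launched from user-writable locations or with an unresolved target, and O23 services with no publisher. The allow-list of hosts, the "user-writable" path patterns and the sample log are assumptions constructed for the example, modelled on the clean entries posted above; a hit means "verify", not "malicious".

```python
import re
from urllib.parse import urlparse

# Assumption: a small allow-list of home/search-page hosts, taken from the
# clean R0/R1 entries in the posted log. Anything else gets a second look.
TRUSTED_HOSTS = {"www.google.co.uk", "go.microsoft.com", "uk.msn.com"}
# Assumption: user-writable locations that autorun entries rarely need to
# live in; a hit means "verify", not "malicious".
USER_WRITABLE = re.compile(r"Documents and Settings|Application Data|Local Settings|\\Temp\\", re.I)
ENTRY = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
# Constructed sample in HijackThis log format, modelled on the log above;
# the hijacked.example start page is a placeholder, not a real indicator.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hijacked.example/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Quicken Scheduled Updates.lnk = ?
O23 - Service: DynamicPDF WebCache - Unknown owner - C:\Program Files\ceTe Software\DynamicPDF WebCache v1.0.0\DynamicPDF.WebCache.Service.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
"""

def triage_hjt(log_text):
    """Return (section, reason, line) for entries an analyst should verify."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, process list or blank line: not an entry
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1") and "=" in body:
            url = body.split("=", 1)[1].strip()
            host = urlparse(url).hostname if url else None  # empty value is fine
            if host and host not in TRUSTED_HOSTS:
                findings.append((sec, "start/search page off allow-list", line))
        elif sec == "O4":
            if body.endswith("= ?"):
                findings.append((sec, "startup shortcut with unresolved target", line))
            elif USER_WRITABLE.search(body):
                findings.append((sec, "autorun from user-writable location", line))
        elif sec == "O23" and "Unknown owner" in body:
            findings.append((sec, "service with no publisher", line))
    return findings

if __name__ == "__main__":
    for sec, reason, line in triage_hjt(SAMPLE_LOG):
        print(f"[{sec}] {reason}: {line}")
```

On the sample, the Google Update autorun is flagged only because of where it lives; in the real log it is a known-good updater, which is exactly the kind of entry the script asks a human to confirm.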
 
LVL 36

Expert Comment

by:ArneLovius
ID: 39633092
As you are running under Parallels, you could try the rescue CDs from AVG, Kaspersky and Sophos.

Alternatively, you could just create a new Windows install and copy your files across.
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 39634284
Hi bogorman, sorry, just getting to the end of a 70+ hour week, going to get some sleep and back to this if the suggestion about using a recovery disk doesn't help.  The HJT log looks pretty clean though; this is hiding somewhere else in the virtual partition.
 

Author Comment

by:bogorman
ID: 39634510
Hi MASQUERAID, you certainly deserve that sleep!  
Would rather not have to obtain a recovery disk.
Strangely enough have not had popups recently and the Plus!Network page also hasn't appeared.
Can you tell me if there is any danger of transferring these viruses/malware when I upload files to my website?  (The webhosters have anti-virus software which runs every day and I have Malwarebytes and Avast which are always active).   If this would be sufficient I will probably not do anything more.
You mention something hiding in the virtual machine. Can I recreate this and then put the backup into it?
Brian
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 39634564
Sorry again! Not recovery disk - rescue disk!!

Almost certainly these are installations on your PC image and are not "infectious" in the computer virus sense.

Have a look through your installed program list in Windows to check you recognise everything, and then look at running TDSS Killer just to check the virtual boot sector.
 
LVL 36

Expert Comment

by:ArneLovius
ID: 39634630
I would try the AVG rescue disk.

Go to http://www.avg.com/gb-en/download.prd-arl, download the ISO and then set it as the boot device in your Windows VM, then leave it to examine the Windows VM disk.
 

Author Comment

by:bogorman
ID: 39638237
MASQUERAID:   Have examined installed programs and there is nothing that appears to be malicious.  Re TDSS Killer - discs seem only to be for Vista and up. I have XP.
ArneLovius:   Is the file avg_arl_cdi_all_120_130801a6481.iso suitable for Windows XP?
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 39639491
TDSS Killer works in XP too - on the web page there are links to instruction pages for Vista etc but that shouldn't be read as the only versions it runs in.
 
LVL 36

Expert Comment

by:ArneLovius
ID: 39643261
The ISO is a bootable image; you do not install it, but boot the VM with it.
 
LVL 62

Accepted Solution

by:☠ MASQ ☠ (earned 500 total points)
ID: 39652967
How did TDSS go?
 

Author Closing Comment

by:bogorman
ID: 39685028
Thanks everyone for your help.
MASQUERAID's suggestions removed a number of viruses. The others did not seem to, but thanks.
Brian
