Single Infection Automated Fixes

The latest malware threats from across the security forums


User avatar
TeMerc
Site Admin
Site Admin
Posts: 15995
Joined: Fri Jan 28, 2005 5:16 pm
Area Of Expertise: Security
experience: I know the functions, OS settings, registry tweaks and more
PC time: What else is there in life?
Location: PHX, AZ
Contact:

Single Infection Automated Fixes

Postby TeMerc » Fri Jun 23, 2006 11:01 pm

The fixes listed here in this forum are fixes which relate to a specific fix, and only to a specific fix. Be warned: these infections rarely come as one, but rather include any number of lesser or more vicious infections.

Users are advised to seek help in Countermeasures Extraction Forum. There you can post your HijackThis! log file for me to review.

I cannot be held responsible for users who fix things on their own and subsequently develop problems afterwards. Be sure you have the specific infection before trying a fix; the wrong fix on the wrong infection can cause a multitude of problems. Symptoms vary from infection to infection, variant to variant.


Postby TeMerc » Fri Jun 23, 2006 11:10 pm

Look2Me Infection (ComboFix now targets this infection)
Symptoms:
Unwanted popups along with O20 entries similar to these in HJT:
O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\hpj0231mg.dll
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\e602lgdo160c.dll
O20 - Winlogon Notify: TESING - H:\WINDOWS\system32\p0r40a9qed.dll
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\irr2l59o1.dll

Fix by Atribune
**********************************************************************************************
Please download Look2Me-Destroyer to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from this link and place it in your C:\Windows\System32 Directory.

Users are advised to seek help in Countermeasures Extraction Forum. There you can post your HijackThis! log file for me to review.

I cannot be held responsible for users who fix things on their own and subsequently develop problems afterwards. Be sure you have the specific infection before trying a fix; the wrong fix on the wrong infection can cause a multitude of problems. Symptoms vary from infection to infection, variant to variant.
Last edited by TeMerc on Sun Sep 23, 2007 10:55 am, edited 4 times in total.


Postby TeMerc » Fri Jun 23, 2006 11:12 pm

SmitFraudFix By S!Ri WIN2K\XP
Symptoms:
Any number of alleged anti-spyware apps which falsely claim users are infected. In many cases they use fake Windows Security Alert dialog windows. Some of these are:
  • SpywareQuake
  • SpyFalcon
  • SpySheriff
  • Spy Killer
Popups are very common also.

This infection is also called 'Zlob'.
***********************************************
Option 1: Search
Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Option 2: Fix
You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site. Please follow the instructions exactly in the order listed; this is very important!

Please download Malwarebytes' Anti-Malware from here and save it to your desktop. If you're using IE7 you may get prompted to allow the download, please do so.
  • Double-click the mbam-setup.exe icon and, when the download dialog box appears, tick 'Launch Malwarebytes' Anti-Malware when download completes'.
  • Select your language when this option is displayed.
  • Follow default installation instructions
  • Decide if you would like a 'Start Menu' folder created when this option is displayed
  • Choose your options of preference on the 'Select Additional Tasks' screen
  • Review your choices at the 'Ready To Install' screen
  • At the end, be sure a checkmark is placed next to 'Update Malwarebytes' Anti-Malware' and 'Launch Malwarebytes' Anti-Malware'
  • Then click the button to continue
  • Please read the information box when it appears and click the button to continue
  • Please allow access via your firewall if an alert is presented to you
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select 'Perform full scan'
  • Then click the button to start the scan
  • When the scan is complete, you will be presented with a message; click the button to dismiss it, then click the 'Show Results' button
  • Be sure that each item has its box ticked, and click 'Remove Selected'.
  • When completed, a log will open in Notepad. Please save it to your desktop for easy access. Copy the contents of the file and paste it back into your thread for review. The log is also default saved to the following location: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Reboot into Safe Mode this way:
Turn on the computer
Immediately begin tapping the F8 key.
Use the arrow keys to highlight Safe Mode and press the Enter key.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

Then please restart it into Normal Windows. Please post the contents of the SmitfraudFix log located at C:\rapport.txt into this thread, along with the MBAM report and a new HijackThis log.

Warning: running option #2 on a non-infected computer will remove your Desktop background.

Users are advised to seek help in Countermeasures Extraction Forum. There you can post your HijackThis! log file for me to review.

I cannot be held responsible for users who fix things on their own and subsequently develop problems afterwards. Be sure you have the specific infection before trying a fix; the wrong fix on the wrong infection can cause a multitude of problems. Symptoms vary from infection to infection, variant to variant.
Last edited by TeMerc on Sun Sep 23, 2007 10:48 am, edited 5 times in total.


Postby TeMerc » Fri Jun 23, 2006 11:14 pm

Vundo Fix by Atribune (Win2K\XP)
Symptoms:
O2 BHOs with some of the following random files and matching O20 entries in the HJT log file.
  • MSEvents Object
  • MFCOptimizeClass
  • ATLDistrib Object
  • WTLHelper Object
  • ADOUsefulNet Object
  • RawExecAction Object
  • DosSpecFolder Object
  • InfoDocReader Object
Also, randomly named O20 .exes may match the BHO.

***********************************************

Please download VundoFix.exe to your desktop.
  • Double-click *VundoFix.exe* to run it.
  • Click the *Scan for Vundo* button.
  • Once it's done scanning, click the *Remove Vundo* button.
  • You will receive a prompt asking if you want to remove the files, click *YES*
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click *OK*.
  • Please post the contents of C:\*vundofix.txt* and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the *Scan for Vundo* button" when VundoFix appears at reboot.

Sometimes VundoFix does not get all the files, in these instances you need to manually add them for removal:
ADD FILES
Double click the Vundofix.exe to run it.
  • Right click in the vundofix white window and click 'Add more files?'
  • Enter the following file path(s) to be deleted and click the [Add Files] button, then hit the [Close Window] button:
  • Click the [Remove Vundo] button and let Vundofix run.
Once it has run, reboot and post a fresh HJT log please.
Users are advised to seek help in Countermeasures Extraction Forum. There you can post your HijackThis! log file for me to review.

I cannot be held responsible for users who fix things on their own and subsequently develop problems afterwards. Be sure you have the specific infection before trying a fix; the wrong fix on the wrong infection can cause a multitude of problems. Symptoms vary from infection to infection, variant to variant.
Last edited by TeMerc on Sun Sep 23, 2007 10:53 am, edited 6 times in total.


Postby TeMerc » Fri Jun 23, 2006 11:18 pm

Wareout Fix by LonnyJones Win2K\XP
Symptoms:
Users complain of popups for Wareout. Some users have the following types of entries in their HJT log file:
  • O1 - Hosts: localhost 127.0.0.1
  • O4 - HKLM\..\Run: [exe.oqsmd] C:\WINDOWS\system32\dmsqo.exe
  • O4 - HKLM\..\Run: [exe.zpomd] C:\WINDOWS\system32\dmopz.exe
  • O4 - HKLM\..\Run: [exe.jlamd] C:\WINDOWS\system32\dmalj.exe
  • O4 - HKLM\..\Run: [exe.uqhmd] C:\WINDOWS\system32\dmhqu.exe


**********************************************************************************************
You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
Subratam
Bleeping Computing

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once rebooted please post the text that will open (report.txt) and a new Hijackthis log file into this thread.
Users are advised to seek help in Countermeasures Extraction Forum. There you can post your HijackThis! log file for me to review.

I cannot be held responsible for users who fix things on their own and subsequently develop problems afterwards. Be sure you have the specific infection before trying a fix; the wrong fix on the wrong infection can cause a multitude of problems. Symptoms vary from infection to infection, variant to variant.
Last edited by TeMerc on Sat Jul 15, 2006 3:06 pm, edited 3 times in total.


Postby TeMerc » Fri Jun 23, 2006 11:35 pm

Nail/epolvy/dsr bundle by Lavasoft
Symptoms:
Several distinct entries in HJT log files:
  • F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
  • O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
  • O4 - HKLM\..\Run: [jxfsyjy] c:\windows\system32\ihqeoca.exe
  • O4 - HKLM\..\Run: [dfbpwv] c:\windows\system32\jjgvkc.exe
  • O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
Popups for Aurora are also popular symptoms.

**********************************************************************************************
BEFORE BEGINNING, Please read completely through the instructions below and download the files from the links provided. You may want to save or print out these instructions for easier reference.

First, download Ewido Security Suite.

Next, download Lavasoft's Ad-Aware and the VX2 Cleaner Plug-in. Install Ad-Aware using the default options, then install vx2cleaner_inst.exe, taking all the defaults there as well.

Run Ad-Aware, update to the latest definitions, then click on Add-ons in the lefthand column. Select VX2 Cleaner V2.0 and click Run Tool. Click "OK", then, if something is found, click "Clean" as in the directions given. Click "Close", and exit Ad-Aware.

Reboot your PC and run Ad-Aware again. This time, click on the Start button in Ad-Aware, select "Perform smart system scan" and click Next. Once the scan finishes, click "Next" again. Select all objects found (right click anywhere in the list of found objects and click "Select All Objects"). Click "Next" one more time, then "OK" to confirm the removal.

You will be prompted to set Ad-Aware to run on reboot, click "OK". Exit Ad-Aware and restart your PC once again.

When Ad-Aware starts up, click on "Start", then "Next". Follow the steps above if anything is found, or click "Finish", then exit Ad-Aware.

For a final cleanup, please install and run Ewido.
  1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  2. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  3. From the main ewido screen, click on update in the left menu, then click the Start update button.
  4. After the update finishes (the status bar at the bottom will display "Update successful")
  5. Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
  6. If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
  7. When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

Please finish up by rebooting your system once more, and posting a new HijackThis log and the log from the Ewido scan.
TeMerc wrote: Users are advised to seek help in Countermeasures Extraction Forum. There you can post your HijackThis! log file for me to review.

I cannot be held responsible for users who fix things on their own and subsequently develop problems afterwards. Be sure you have the specific infection before trying a fix; the wrong fix on the wrong infection can cause a multitude of problems. Symptoms vary from infection to infection, variant to variant.
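The symptom lists in the Look2Me, Vundo, Wareout and Nail posts above all describe particular HijackThis (HJT) log entries. As an added example, which is not code from the forum posts or from any of the removal tools they link, here is a small Python triage script that reads HJT log lines and flags the patterns those posts describe: an O20 Winlogon Notify DLL with a machine-generated name, an O4 Run entry whose value name is the file name spelled backwards (as in the Wareout entries), a BHO name from the Vundo list, an F2 Shell override, an O23 service with an unknown owner, and an O1 Hosts entry. The sample log is constructed from the entries quoted in the posts plus two ordinary lines; the Winlogon Notify allowlist and the randomness heuristic are my own assumptions, and a hit means "show this to a helper", not "delete it".

```python
"""Triage of HijackThis (HJT) log lines against the symptom patterns quoted in the
Look2Me, Vundo, Wareout and Nail posts. Added example, not code from the forum or
from any removal tool; the rules are heuristics derived from the quoted entries."""
import re

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")

# Winlogon Notify packages normally present on Windows XP (assumed starting
# allowlist; extend it for the machine being reviewed).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

# BHO display names listed in the Vundo post as symptoms.
VUNDO_BHO_NAMES = {"MSEvents Object", "MFCOptimizeClass", "ATLDistrib Object",
                   "WTLHelper Object", "ADOUsefulNet Object", "RawExecAction Object",
                   "DosSpecFolder Object", "InfoDocReader Object"}


def looks_random(filename: str) -> bool:
    """Machine-generated names such as hpj0231mg.dll mix letters and digits;
    names like jjgvkc.exe have no vowels at all. Ordinary names usually do neither."""
    stem = filename.rsplit(".", 1)[0].lower()
    if len(stem) < 6:
        return False
    digit_mix = any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem)
    no_vowels = not any(c in "aeiou" for c in stem)
    return digit_mix or no_vowels


def file_part(path: str) -> str:
    """Last component of a Windows path."""
    return path.strip().replace("/", "\\").rsplit("\\", 1)[-1]


def assess(line: str):
    """Return a short reason if the HJT line matches a symptom pattern, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")

    if code == "O20" and body.startswith("Winlogon Notify:"):
        name, _, path = body[len("Winlogon Notify:"):].partition(" - ")
        if name.strip().lower() not in KNOWN_NOTIFY and looks_random(file_part(path)):
            return "O20 Winlogon Notify DLL with random-looking name (Look2Me pattern)"

    elif code == "O4":
        run = re.search(r"\[(?P<value>[^\]]+)\]\s+(?P<path>.+)$", body)
        if run:
            value, fname = run.group("value"), file_part(run.group("path"))
            if value.lower() == fname.lower()[::-1]:
                return "O4 Run value name is the file name reversed (Wareout pattern)"
            if "\\system32\\" in run.group("path").lower() and looks_random(fname):
                return "O4 Run entry starting a random-looking file from system32"

    elif code == "O2" and body.startswith("BHO:"):
        bho_name = body[len("BHO:"):].split(" - ")[0].strip()
        if bho_name in VUNDO_BHO_NAMES:
            return "O2 BHO name listed among the Vundo symptoms"

    elif code == "F2" and "Shell=" in body:
        shell = body.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            return "F2 Shell override starting an extra program (Nail pattern)"

    elif code == "O23" and "Unknown owner" in body:
        return "O23 service with unknown owner (Nail pattern)"

    elif code == "O1" and body.startswith("Hosts:"):
        return "O1 Hosts entry, listed as a Wareout symptom"

    return None


def triage(log_text: str):
    """Return [(line, reason)] for every line that matched a symptom pattern."""
    hits = []
    for line in log_text.splitlines():
        reason = assess(line)
        if reason:
            hits.append((line.strip(), reason))
    return hits


# Constructed sample: entries quoted in the posts plus two ordinary lines.
# The CLSID and DLL path on the O2 line are placeholders, not real values.
SAMPLE_LOG = r"""
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: MSEvents Object - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\example.dll
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [exe.oqsmd] C:\WINDOWS\system32\dmsqo.exe
O4 - HKLM\..\Run: [dfbpwv] c:\windows\system32\jjgvkc.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\hpj0231mg.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

if __name__ == "__main__":
    for hit_line, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {hit_line}")
```

Run it on the sample and seven of the nine lines are reported; the ctfmon.exe Run entry and the crypt32chain Notify entry pass, which is the point of the allowlist and the vowel check. The heuristic deliberately misses some random names (one made only of letters with vowels, such as ihqeoca.exe, is not flagged), so it narrows what a helper has to read rather than replacing the review.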


Postby TeMerc » Thu Sep 28, 2006 2:18 pm

ComboFix By Subs & Tutorial by Bleeping Computer
ComboFix is a program, created by sUBs, that scans your computer for known malware, and when found, attempts to clean these infections automatically. In addition to being able to remove a large amount of the most common and current malware, ComboFix also displays a log when it is finished that contains a great deal of information that an experienced helper can use to diagnose, retrieve samples of, and remove infections that are not automatically removed.

Due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer. Instead you should use this guide to download and run ComboFix and then post the resulting log in a forum that contains helpers who understand how to diagnose them. These helpers will then help you clean your computer of infections so that it is running properly again.
We now suggest that you install the Windows Recovery Console. The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware. If you use Windows XP and have a Windows CD, then you can follow the instructions found in the tutorial listed below.

Bleeping ComboFix tutorial
Run ComboFix:
Download combofix.exe and save it to your desktop
  • Close any open browsers.
  • Before starting ComboFix disable and exit any anti-virus software, anti-spyware or any other security related software as they may interfere with ComboFix's operation.
  • Double click combofix.exe & follow the prompts.
  • Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  • When finished, it shall produce a log for you and display it on your desktop called c:\combofix.txt. By default this log is located on your 'C' drive. Post that log in your next reply.
  • Then run HJT and post that log as well
Note: Do not click ComboFix's window; it may cause it to stall.

TeMerc wrote: Users are advised to seek help in our Countermeasures Extraction Forum. There you can post your HijackThis! log file for me to review.

I cannot be held responsible for users who fix things on their own and subsequently develop problems afterwards. Be sure you have the specific infection before trying a fix; the wrong fix on the wrong infection can cause a multitude of problems. Symptoms vary from infection to infection, variant to variant.
Last edited by TeMerc on Fri Nov 23, 2007 11:52 am, edited 1 time in total.


Postby TeMerc » Sun Sep 23, 2007 11:07 am

SDFix by AndyManchesta

This tool targets a huge list of files, numbered in the hundreds, and covers so many variants of bots, spam bots, proxies and back doors that it is too long to list here. Instead you can view the change log.

The tool fixes several registry entries which get changed, such as disabling any of the following tasks:
  • Task manager
  • Registry editor
  • Run command
===============================================
Download SDFix and save it to your Desktop.

Double-click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

Users are advised to seek help in our Countermeasures Extraction Forum. There you can post your HijackThis! log file for me to review.

I cannot be held responsible for users who fix things on their own and subsequently develop problems afterwards. Be sure you have the specific infection before trying a fix; the wrong fix on the wrong infection can cause a multitude of problems. Symptoms vary from infection to infection, variant to variant.
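The SDFix post says the infections it targets turn off Task Manager, the Registry Editor and the Run command through registry entries. As an added example, not code from SDFix or from the forum, the Python script below reads a Registry export (.reg text, such as one saved from regedit before a cleanup) and reports those three restrictions, then builds the .reg text that would reset them. The policy value names are the real Windows ones (DisableTaskMgr and DisableRegistryTools under Policies\System, NoRun under Policies\Explorer); the sample export is constructed, and the helper names are my own.

```python
"""Report the user-restriction registry values named in the SDFix post from a
.reg export, and build the .reg text that resets them. Added example, not code
from SDFix or the forum; the sample export is constructed."""
import re

# (subkey below the hive, value name) -> what a non-zero value means.
RESTRICTIONS = {
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr"):
        "Task Manager disabled",
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools"):
        "Registry Editor disabled",
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoRun"):
        "Run command removed from the Start menu",
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def parse_reg(text: str):
    """Return {full key path: {value name: int}} for the dword values in a .reg export."""
    values = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            values.setdefault(current, {})
            continue
        vm = DWORD_RE.match(line)
        if vm and current is not None:
            values[current][vm.group("name")] = int(vm.group("hex"), 16)
    return values


def find_restrictions(text: str):
    """Return [(key, value name, meaning)] for each restriction that is switched on."""
    findings = []
    for key, vals in parse_reg(text).items():
        # Drop the hive so HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE are matched alike.
        subkey = key.split("\\", 1)[1] if "\\" in key else key
        for (policy_key, name), meaning in RESTRICTIONS.items():
            if subkey.lower() == policy_key.lower() and vals.get(name, 0) != 0:
                findings.append((key, name, meaning))
    return findings


def undo_reg(findings):
    """Build .reg text that sets every flagged value back to 0."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in sorted({k for k, _, _ in findings}):
        lines.append(f"[{key}]")
        for k, name, _ in findings:
            if k == key:
                lines.append(f'"{name}"=dword:00000000')
        lines.append("")
    return "\n".join(lines)


# Constructed sample export: the current user is locked down, the machine-wide
# key is not. NoDriveTypeAutoRun is an unrelated value left in as noise.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
"""

if __name__ == "__main__":
    found = find_restrictions(SAMPLE_REG)
    for key, name, meaning in found:
        print(f"{meaning}: {key} -> {name}")
    print(undo_reg(found))
```

On the sample it reports the three restrictions under HKEY_CURRENT_USER and ignores the zero value under HKEY_LOCAL_MACHINE; the generated undo text is what a cleanup tool applies when it "fixes several registry entries". Resetting the values restores the tools but does not remove whatever set them, which is why the post still asks for the report and a fresh HijackThis log.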


Postby TeMerc » Sun Sep 23, 2007 11:17 am

NoLop, LOP infection removal tool.

While this infection does not pop up too often, the newer variants are tricky. This tool looks in the right places to delete the proper files.

Please Download NoLop.exe to your desktop.
  • First close any other programs you have running as this will require a reboot
  • Double click NoLop.exe to run it
  • When scanning is finished you will be prompted to reboot only if infected, Click OK
  • Now click the "REBOOT" Button.
  • A message should pop up from NoLop; if not, double-click the program again and it will finish. Please post the contents of C:\NoLop.log along with a fresh HijackThis log.

Note: If you receive the error that mscomctl.ocx or one of its dependencies is not correctly registered, please download this file to your system32 folder, then rerun the program: http://www.boletrice.com/downloads/mscomctl.ocx

Sometimes NoLop can't get the jobs listed in the Task Scheduler folder; then we need to run this tool below:
Download Deljob.exe and save it to your desktop.
Double-click Deljob.exe.

A log (logit.txt) should open afterwards. This log will be present on your desktop.
Post the contents of the logfile in your next reply together with a new HijackThis log.
===============================================
Users are advised to seek help in our Countermeasures Extraction Forum. There you can post your HijackThis! log file for me to review.

I cannot be held responsible for users who fix things on their own and subsequently develop problems afterwards. Be sure you have the specific infection before trying a fix; the wrong fix on the wrong infection can cause a multitude of problems. Symptoms vary from infection to infection, variant to variant.

