Malware/Virus problem

[WJKIV]

Hi

I'm new to the forum but I'm hoping you can help me with problem.  I have a Dell Dimension 8400 with 4 CPU 3.8GHz  Pentium chip and 1GB of RAM.  I'm using Windows XP Professional ver. 2002 Service Pack 2.  I use AVG 8.5 for Antivirus / firewall.

I've recently been seeing boxes popping up on my screen telling me I have an infection.  The references are to:

C:\documents and settings\.............\rah_kbhv.exe   (then it says SDK type: Root Kit).

I've also seen a message that says:

C:\Windows\System32\Drivers\SVC Host.exe
Trojan Horse Pakes.CPJ

I followed the instructions on malware and have included the logs as requested for SAS, MBAM, & HJT after updating Java.

One other thing I noticed was a program called "My Way Search" which I could not remove using "Add/Remove Programs" in Windows.

Could you please review the attached logs and let me know the next step to take?  Thanks in advance for your time, I really appreciate your help!


[attachment deleted by admin]

[evilfantasy]

Welcome to CH.

Please download from DDS by sUBs and save it to your Desktop.

Vista users. Right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

• Double click on dds to run it.
  
• When done, DDS.txt will open.
• You will receive another prompt after a while. Click Yes at the prompt. It will take another few minutes to scan.
  
• When done, Attach.txt will open.
• Please copy and paste the contents of DDS.txt and Attach.txt in your next reply.

[WJKIV]

Thank you for your help...

Sorry to ask a dumb question but when I click the link you sent to DDS by sUBs, it takes me to the Tech Support Forum.

 http://www.techsupportforum.com/register.php?do=register


I guess I need a little more info.  Do I have to register and what exactly do you want me to download?

Thanks.

[evilfantasy]

New link.

http://www.forospyware.com/sUBs/dds

[WJKIV]

Thank you, that worked great!  Attached are the files from DDS.............

Regards,
WJKIV

[attachment deleted by admin]

[evilfantasy]

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note:  It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix

[WJKIV]

Thanks, okay I'm working on it......I'm having trouble shutting down AVG 8.5.  I went through the components and disabled everything I could find but it still says anti-virus, anti-spyware and anti-root kit are active.  I rebooted.....same thing.  Wouldn't you think they've have ONE place to enable/disable AVG with one click??  Any suggestions would be appreciated.

[evilfantasy]

You should be able to right click the tray icon and turn it off.

After that go ahead and run ComboFix. If AVG tries to block it from running just allow ComboFix to run.

[WJKIV]

Okay, here's the ComboFix log you requested..........

Let me know what you think.  Thanks!

Regards,
WJKIV

[attachment deleted by admin]

[evilfantasy]

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code: [Select]

KillAll::

DDS::
uStart Page = about:blank
mDefault_Page_URL =
mSearch Bar =
uSearchAssistant =
uCustomizeSearch =
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45}

FIREFOX::
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

----------

Did you have McAfee Security Suite installed at one point?

[WJKIV]

Okay, attached is Combofix.txt   I'm not sure about whether AcAfee was installed at one point.  It's possible since a friend owned my computer previously.

Thanks.

Regards,
WJKIV

[attachment deleted by admin]

[evilfantasy]

Download the McAfee Consumer Product Removal Tool to your Desktop.
Using McAfee Consumer Product Removal tool:

• Double click the MCPR.exe
• A Command Line window will be displayed, and then close automatically.
• Wait for a second Command Line window to be displayed.
• Note: Do not double-click MCPR.exe again, you may have to wait up to 1 minute for the next window to appear.
• After the second window appears, the program will begin the cleanup.
• Observe the installation, which could take several minutes. The following message will be displayed in the Command Line window: The machine must reboot to complete the un-installation. Reboot now? [y.n]
• Press Y on the keyboard.
• Wait for the computer to restart.
• All McAfee products are now removed from your computer.

.
----------

How is the computer running now?

[WJKIV]

Hi,

I downloaded and ran MCPR.exe and the machine rebooted.  Everything seemed fine.  I ran a scan with AVG 8.5 that is installed on my system and it was clean.  I ran another scan, with the same result.......no threats.

When I shut down my system, the automatic update for Windows wanted to install updates so I set a restore point using System Restore and let automatic update do its thing.

This morning, the system started up without incident but shortly after I started using Outlook, AVG told me the following:

Accessed file is infected

Threat detected!


File name:  C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP242\A0050316.exe

Threat name:  Trojan horse Pakes.CPJ
Detected on open

Details: 

Process name:  C:\WINDOWS\SYSTEM32\svchost.exe
Process ID:   1512

I have not taken any action on this threat.  Sorry if the restore point or the auto update messed up what you were doing.  I probably should have waited on that.  What do you think is next?

[evilfantasy]

We will take care of that now. Let me know if you have any questions.

• Click START then RUN
  
• Now type Combofix /u in the runbox
  
• Make sure there's a space between Combofix and /u
• Then hit Enter.

.
.
The above procedure will:

• Delete:
• ComboFix and its associated files and folders.
• VundoFix backups, if present
• The C:\Deckard folder, if present
• The C:_OtMoveIt folder, if present

• Reset the clock settings.
• Hide file extensions, if required.
• Hide System/Hidden files, if required.
• Set a new, clean Restore Point.

.
----------

Set a New Restore Point to prevent possible reinfection from an old one
Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.

• Go to Start > Programs > Accessories > System Tools and click System Restore
  
• Choose the radio button marked Create a Restore Point on the first screen then click Next Give the Restore Point a name then click Create.
  
• The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Next go to Start > Run and type Cleanmgr
  
• Click OK
  
• Click the More Options Tab.
  
• Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide or Windows Vista System Restore Guide
.
----------

Use the Secunia Software Inspector to check for out of date software.

• Click Start Now
  
• Check the box next to Enable thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

[WJKIV]

Hi

According to your last message, I got rid of ComboFix, set a new restore point and used Secunia Software Inspector to check for out of date software.  I've updated Microsoft Windows with all critical updates.   I've run my AVG 8.5 twice since that time (over the last week or so) and have been using my system with no sign of any threats whatsoever.

FANTASTIC!!!!

Is there anything else we need to do, i.e. go back to logs that were previously produced to work on any issues that were found?  Also, I mentioned at one point that in trying to use Add or Remove Programs in Windows, I saw "My Way Search Assistant" which was listed as an installed program and was on the list of Malware that was posted on one of the sites you referred me to.  I am not able to remove it in Add Remove Programs but do we need to deal with that or just ignore it now?

I am very appreciative of all your efforts over many days to help me fix my system.  THANK YOU, THANK YOU, THANK YOU!!!!!  At some point, when I am able, maybe I can do something to further your cause.  You are truly doing a great service for others by offering your valuable time and expertise to solve complex issues which are beyond the capabilities of most people.  Thanks again, I really appreciate it more than I can tell you.

Regards,
WJKIV