Malware/Virus problem

[WJKIV]

Hi

I'm new to the forum but I'm hoping you can help me with problem.  I have a Dell Dimension 8400 with 4 CPU 3.8GHz  Pentium chip and 1GB of RAM.  I'm using Windows XP Professional ver. 2002 Service Pack 2.  I use AVG 8.5 for Antivirus / firewall.

I've recently been seeing boxes popping up on my screen telling me I have an infection.  The references are to:

C:\documents and settings\.............\rah_kbhv.exe   (then it says SDK type: Root Kit).

I've also seen a message that says:

C:\Windows\System32\Drivers\SVC Host.exe
Trojan Horse Pakes.CPJ

I followed the instructions on malware and have included the logs as requested for SAS, MBAM, & HJT after updating Java.

One other thing I noticed was a program called "My Way Search" which I could not remove using "Add/Remove Programs" in Windows.

Could you please review the attached logs and let me know the next step to take?  Thanks in advance for your time, I really appreciate your help!


[attachment deleted by admin]

[evilfantasy]

Welcome to CH.

Please download from DDS by sUBs and save it to your Desktop.

Vista users. Right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

• Double click on dds to run it.
  
• When done, DDS.txt will open.
• You will receive another prompt after a while. Click Yes at the prompt. It will take another few minutes to scan.
  
• When done, Attach.txt will open.
• Please copy and paste the contents of DDS.txt and Attach.txt in your next reply.

[WJKIV]

Thank you for your help...

Sorry to ask a dumb question but when I click the link you sent to DDS by sUBs, it takes me to the Tech Support Forum.

 http://www.techsupportforum.com/register.php?do=register


I guess I need a little more info.  Do I have to register and what exactly do you want me to download?

Thanks.

[evilfantasy]

New link.

http://www.forospyware.com/sUBs/dds

[WJKIV]

Thank you, that worked great!  Attached are the files from DDS.............

Regards,
WJKIV

[attachment deleted by admin]

[evilfantasy]

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note:  It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix

[WJKIV]

Thanks, okay I'm working on it......I'm having trouble shutting down AVG 8.5.  I went through the components and disabled everything I could find but it still says anti-virus, anti-spyware and anti-root kit are active.  I rebooted.....same thing.  Wouldn't you think they've have ONE place to enable/disable AVG with one click??  Any suggestions would be appreciated.

[evilfantasy]

You should be able to right click the tray icon and turn it off.

After that go ahead and run ComboFix. If AVG tries to block it from running just allow ComboFix to run.

[WJKIV]

Okay, here's the ComboFix log you requested..........

Let me know what you think.  Thanks!

Regards,
WJKIV

[attachment deleted by admin]

[evilfantasy]

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code: [Select]

KillAll::

DDS::
uStart Page = about:blank
mDefault_Page_URL =
mSearch Bar =
uSearchAssistant =
uCustomizeSearch =
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45}

FIREFOX::
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

----------

Did you have McAfee Security Suite installed at one point?

[WJKIV]

Okay, attached is Combofix.txt   I'm not sure about whether AcAfee was installed at one point.  It's possible since a friend owned my computer previously.

Thanks.

Regards,
WJKIV

[attachment deleted by admin]

[evilfantasy]

Download the McAfee Consumer Product Removal Tool to your Desktop.
Using McAfee Consumer Product Removal tool:

• Double click the MCPR.exe
• A Command Line window will be displayed, and then close automatically.
• Wait for a second Command Line window to be displayed.
• Note: Do not double-click MCPR.exe again, you may have to wait up to 1 minute for the next window to appear.
• After the second window appears, the program will begin the cleanup.
• Observe the installation, which could take several minutes. The following message will be displayed in the Command Line window: The machine must reboot to complete the un-installation. Reboot now? [y.n]
• Press Y on the keyboard.
• Wait for the computer to restart.
• All McAfee products are now removed from your computer.

.
----------

How is the computer running now?

[WJKIV]

Hi,

I downloaded and ran MCPR.exe and the machine rebooted.  Everything seemed fine.  I ran a scan with AVG 8.5 that is installed on my system and it was clean.  I ran another scan, with the same result.......no threats.

When I shut down my system, the automatic update for Windows wanted to install updates so I set a restore point using System Restore and let automatic update do its thing.

This morning, the system started up without incident but shortly after I started using Outlook, AVG told me the following:

Accessed file is infected

Threat detected!


File name:  C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP242\A0050316.exe

Threat name:  Trojan horse Pakes.CPJ
Detected on open

Details: 

Process name:  C:\WINDOWS\SYSTEM32\svchost.exe
Process ID:   1512

I have not taken any action on this threat.  Sorry if the restore point or the auto update messed up what you were doing.  I probably should have waited on that.  What do you think is next?

[evilfantasy]

We will take care of that now. Let me know if you have any questions.

• Click START then RUN
  
• Now type Combofix /u in the runbox
  
• Make sure there's a space between Combofix and /u
• Then hit Enter.

.
.
The above procedure will:

• Delete:
• ComboFix and its associated files and folders.
• VundoFix backups, if present
• The C:\Deckard folder, if present
• The C:_OtMoveIt folder, if present

• Reset the clock settings.
• Hide file extensions, if required.
• Hide System/Hidden files, if required.
• Set a new, clean Restore Point.

.
----------

Set a New Restore Point to prevent possible reinfection from an old one
Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.

• Go to Start > Programs > Accessories > System Tools and click System Restore
  
• Choose the radio button marked Create a Restore Point on the first screen then click Next Give the Restore Point a name then click Create.
  
• The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Next go to Start > Run and type Cleanmgr
  
• Click OK
  
• Click the More Options Tab.
  
• Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide or Windows Vista System Restore Guide
.
----------

Use the Secunia Software Inspector to check for out of date software.

• Click Start Now
  
• Check the box next to Enable thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

[WJKIV]

Hi

According to your last message, I got rid of ComboFix, set a new restore point and used Secunia Software Inspector to check for out of date software.  I've updated Microsoft Windows with all critical updates.   I've run my AVG 8.5 twice since that time (over the last week or so) and have been using my system with no sign of any threats whatsoever.

FANTASTIC!!!!

Is there anything else we need to do, i.e. go back to logs that were previously produced to work on any issues that were found?  Also, I mentioned at one point that in trying to use Add or Remove Programs in Windows, I saw "My Way Search Assistant" which was listed as an installed program and was on the list of Malware that was posted on one of the sites you referred me to.  I am not able to remove it in Add Remove Programs but do we need to deal with that or just ignore it now?

I am very appreciative of all your efforts over many days to help me fix my system.  THANK YOU, THANK YOU, THANK YOU!!!!!  At some point, when I am able, maybe I can do something to further your cause.  You are truly doing a great service for others by offering your valuable time and expertise to solve complex issues which are beyond the capabilities of most people.  Thanks again, I really appreciate it more than I can tell you.

Regards,
WJKIV

[evilfantasy]

Delete An Uninstall Entry

• Start HijackThis
  
• Click on the Open the Misc Tools section
  
• Click on the Open Uninstall Manager button.
  
• Highlight the entry you want to remove, My Way Search Assistant
  
• Click Delete this entry

.
That should be all.

[WJKIV]

Thank you for that.

I started HijackThis and opened the uninstall manager but could not find "My Way Search Assistant" on the list.  My Way Search Assistant is still on the list when I go to Add Remove Programs in Windows, however.  It is listed as being used rarely and it shows nothing for file size.  Unlike everything else on the list of currently installed programs, when you click My Way Search Assistant to highlight it, you do not see a "change" or "Remove" button.  Any further thoughts?

Regards,
WJKIV

[evilfantasy]

Download Registry Searchby Bobbi Flekman
(see the link titled RegSearch Download Link)

• Extract the files from Regsearch.zip into a folder.
• Doubleclick regsearch.exe to start the program.
• Enter My Way Search Assistant in the top area of the form and then click "OK".
  
• Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well).
• Add the contents of the Notepad file to your next reply.

[WJKIV]

Thank you.

I downloaded and ran regsearch.exe and it produced a log in Notepad with the following information:


Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.6.0

; Results at 3/29/2009 1:16:46 PM for strings:
;  'my way search assistant'
; Strings excluded from search:
;  (None)
; Search in:
; Registry Keys  Registry Values  Registry Data 
; HKEY_LOCAL_MACHINE  HKEY_USERS 


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\7D449D87B79A4004BAA05BDA60389904]
"ProductName"="My Way Search Assistant"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\7D449D87B79A4004BAA05BDA60389904\InstallProperties]
"DisplayName"="My Way Search Assistant"

; End Of The Log...


Let me know your thoughts.....thank you!

Regards,
WJKIV

[evilfantasy]

This should remove them.

Go to Start > Run and type notepad.exe then click OK

Copy and paste the below into Notepad and save as fixme.reg to Your Desktop

Code: [Select]

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\7D449D87B79A4004BAA05BDA60389904]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\7D449D87B79A4004BAA05BDA60389904\InstallProperties]
Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge with the Registry.

Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it did not work.

Delete the fixme.reg from the Desktop.

[WJKIV]

Thank you.  Okay, I copied the code you sent and saved in notepad as fixme.reg.  I answered yes and I did indeed receive a message that it was successfully added to the registry.  I deleted fixme.reg from the desktop.

Regards,
WJKIV

[evilfantasy]

That should have gotten rid of the leftovers.

Let us know if anything else comes up.

Safe surfing...

[WJKIV]

Well, that seems to have done it, the leftovers are gone!

Again, thank you very much for all your time and patience to help me.  There is no way I could have cleared this problem on my own.  Please know that you are doing a great service and people like myself, who are completely unknown to you out here in cyberspace, really do appreciate what you're doing.  It's nice to know that there are people like you who selflessly seek to do good to help protect those of us from people who seek to do wrong.  I hope to soon follow your example.  God bless you and thank you. Keep up the good work!

Regards,
WJKIV