Topic: Virus/Malware

aniketkar94 (Topic Starter, Rookie)

    Virus/Malware
    « on: December 15, 2008, 07:08:22 PM »
    My computer has a virus. I think it came from facebook.
    I have installed HijackThis and run it through hijackthis.de, deleting the malware entries.

    Is my computer clean now?

    Thanks in advance! (the log is attached)

    [Saving space - attachment deleted by admin]

    CBMatt (Mod & Malware Specialist)

    Re: Virus/Malware
    « Reply #1 on: December 16, 2008, 08:19:28 PM »
    1.  There are still some traces of infection on your computer.
    2.  HijackThis.de isn't a reliable source for people who aren't properly trained.
    3.  Removing entries with HijackThis without being formally instructed is strongly advised against.


    Download HostsXpert...
    • Unzip HostsXpert to your Desktop.
    • Open up the HostXpert program.
    • Make sure that the "Make Hosts Writable?" button in the upper right corner is enabled.
    • Click Create Back Up.
    • Then click on Restore Microsoft's Host Files.
    • Close the HostXpert program.


    Download ComboFix by sUBs from one of the below links.  Be sure to save it to the Desktop.

    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    http://subs.geekstogo.com/ComboFix.exe

    Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

    Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

    Double-click combofix.exe and follow the prompts.
    When finished, ComboFix will produce a log for you.
    Post the ComboFix log and a new HijackThis log in your next reply.

    NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

    Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.
    Quote
    An undefined problem has an infinite number of solutions.
    —Robert A. Humphrey

    aniketkar94 (Topic Starter, Rookie)

      Re: Virus/Malware
      « Reply #2 on: December 17, 2008, 04:25:51 PM »
      here are the logs

      [attachment deleted by admin]

      CBMatt (Mod & Malware Specialist)

      Re: Virus/Malware
      « Reply #3 on: December 17, 2008, 06:15:01 PM »
      Once we start, you won't have access to this post anymore, so I recommend that you print out this post or save it to a Notepad file.  Open HijackThis and scan again.  Check the following entries, but don't do anything to them yet...

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.imesh.com/sidebar.html?src=ssb

      O1 - Hosts: 94.247.2.216 www.google.com
      O1 - Hosts: 94.247.2.216 search.yahoo.com

      O2 - BHO: Dictionary.com BHO - {14998b0b-2671-4adb-a005-dde2fb18eb35} - mscoree.dll (file missing)
      O2 - BHO: (no name) - {D032570A-5F63-4812-A094-87D007C23012} - C:\Windows\system32\InternetExplorer.dll (file missing)

      O3 - Toolbar: Dictionary.com - {bf2aa568-0085-423c-ba01-69b6705a9a96} - mscoree.dll (file missing)

      O4 - HKLM\..\Run: [shell] C:\Windows\system\rundll32.exe 00004
      O4 - HKLM\..\Run: [se] C:\Windows\system\se.exe
      O4 - HKLM\..\Run: [spywareguard] C:\Program Files\Spyware Guard 2008\spywareguard.exe

      O13 - Gopher Prefix:

      O20 - Winlogon Notify: debcfbfacbecc - C:\Windows\system32\debcfbfacbecc.dll (file missing)

      O21 - SSODL: ieModule - {048D10A3-04DF-4D13-A265-352E2720044A} - C:\ProgramData\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll
      O21 - SSODL: InternetConnection - {8B158EC7-D70B-43B2-8770-13085FC22EB1} - C:\ProgramData\Application Data\Microsoft\Internet Explorer\DLLs\cuxxyynqoz.dll


      Now, close all windows (including this one) besides HijackThis, then click Fix Checked.  Close HijackThis.

      Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following (if present)...

      Spyware Guard 2008

      Please note any other programs that you don't recognize in that list in your next response.

      Follow this next set of instructions...

      Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

      Delete these files/folders, as follows:

      1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
      It must be Notepad, not Wordpad.
      2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

      Code:
      KillAll::

      Folder::
      C:\Program Files\Spyware Guard 2008

      File::
      C:\Windows\system32\InternetExplorer.dll
      C:\Windows\system\rundll32.exe
      C:\Windows\system\se.exe
      C:\Windows\system\dop.exe
      C:\Windows\system32\debcfbfacbecc.dll
      C:\ProgramData\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll
      C:\ProgramData\Application Data\Microsoft\Internet Explorer\DLLs\cuxxyynqoz.dll

      Registry::
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "se"=-

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
      "c:\\Windows\\system\\rundll32.exe"=-
      "c:\\Windows\\system\\dop.exe"=-
      "c:\\Windows\\system\\se.exe"=-

      3. Go to the Notepad window and click Edit > Paste
      4. Then click File > Save
      5. Name the file CFScript.txt - Save the file to your Desktop
      6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



      ComboFix will begin to execute, just follow the prompts.
      After reboot (in case it asks to reboot), it will produce a log for you.
      Post that log (Combofix.txt) in your next reply.

      Note: Do not click ComboFix's window while it is running. That may cause your system to freeze.



      Also, I found this file on your computer: c:\program files\Game.exe

      Do you know what this is?  Some infections use this name in the same location, but you have some game-related files in that same folder, so I'm not quite sure what to make of it.  If you don't know what it is, you should upload it to VirusTotal and post back with the results.
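A triage pass over HijackThis entries of the kind listed in the reply above, as an added example that is not part of this thread or of HijackThis itself. The sample lines are constructed from the entries quoted in the reply, and the "normal" load paths and the legacy C:\Windows\system\ heuristic are assumptions of the example.

```python
import re

# Constructed sample, modelled on the entries quoted in the reply (not the poster's full log).
SAMPLE_LOG = r"""
O1 - Hosts: 94.247.2.216 www.google.com
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: Dictionary.com BHO - {14998b0b-2671-4adb-a005-dde2fb18eb35} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [shell] C:\Windows\system\rundll32.exe 00004
O4 - HKLM\..\Run: [Sound] C:\Windows\system32\rundll32.exe sound.dll
O20 - Winlogon Notify: debcfbfacbecc - C:\Windows\system32\debcfbfacbecc.dll (file missing)
O21 - SSODL: InternetConnection - {8B158EC7-D70B-43B2-8770-13085FC22EB1} - C:\ProgramData\Application Data\Microsoft\Internet Explorer\DLLs\cuxxyynqoz.dll
"""

LOOPBACK = {"127.0.0.1", "::1"}
# Assumption: where shell extensions and Winlogon DLLs normally live on this kind of system.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")
LEGACY_SYSTEM = "c:\\windows\\system\\"  # the old 16-bit folder, not system32


def triage_line(line):
    """Return a reason string if a HijackThis line looks suspicious, else None."""
    m = re.match(r"(O\d+) - (.*)", line)
    if not m:
        return None
    code, body = m.group(1), m.group(2)
    if "(file missing)" in body:
        # A registration whose DLL is gone is usually left over from removed malware.
        return "orphaned registration: referenced file no longer exists"
    if code == "O1":
        # A clean hosts file only maps names to loopback; anything else is a redirect.
        ip, host = body.split("Hosts:", 1)[1].split()[:2]
        if ip not in LOOPBACK:
            return f"hosts file redirects {host} to {ip}"
    if code == "O4":
        # rundll32.exe and friends outside system32 are impersonating the real binaries.
        exe = body.split("] ", 1)[1].split()[0].lower()
        if exe.startswith(LEGACY_SYSTEM):
            return "autostart from legacy C:\\Windows\\system\\ (not system32)"
    if code in ("O20", "O21"):
        dll = body.rsplit(" - ", 1)[1].lower()
        if not dll.startswith(SYSTEM_DIRS):
            return f"{code} loads a DLL from an unusual path"
    return None


def triage(log_text):
    """Return (entry code, reason) pairs for every suspicious line in a log."""
    findings = []
    for raw in log_text.splitlines():
        reason = triage_line(raw.strip())
        if reason:
            findings.append((raw.strip().split(" - ", 1)[0], reason))
    return findings
```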

      aniketkar94 (Topic Starter, Rookie)

        Re: Virus/Malware
        « Reply #4 on: December 18, 2008, 06:12:26 PM »
        Here is the ComboFix log.  VirusTotal.com had no results for game.exe; every antivirus scanner they used came up with no results.

        [attachment deleted by admin]

        CBMatt (Mod & Malware Specialist)

        Re: Virus/Malware
        « Reply #5 on: December 19, 2008, 02:27:36 AM »
        It's probably nothing to worry about, then.  And your ComboFix log looks pretty good.  But can I see a new HijackThis log as well?  I'm sorry, I think I forgot to mention that in my last post.

        aniketkar94 (Topic Starter, Rookie)

          Re: Virus/Malware
          « Reply #6 on: December 22, 2008, 04:31:10 PM »
          Here is the HijackThis log.

          [attachment deleted by admin]

          CBMatt (Mod & Malware Specialist)

          Re: Virus/Malware
          « Reply #7 on: December 23, 2008, 04:41:14 AM »
          Looks much better.  How is everything running now?

          You don't appear to have a decent active firewall.  You're vulnerable without one, so you should look into getting either ZoneAlarm, Kerio Personal Firewall, or Comodo.  They're all good free firewalls.  Just be sure you only have one installed at a time!  Download the firewall of your choice, disconnect from the internet, disable Windows Firewall, and install your new firewall.

          You also need an active anti-virus.  I suggest AVG or Avira.

          Since you no longer need ComboFix, go ahead and uninstall it.  Go to Start > Run and type combofix /u (note the space between combofix and /u) and click OK.

          If that doesn't work, then download OTCleanIt.exe and save it to your Desktop.
          • Double-click OTCleanIt.exe.
          • Click the CleanUp! button.
          • Select Yes when the "Begin cleanup Process?" prompt appears.
          • If you are prompted to Reboot during the cleanup, select Yes.
          • The tool will delete itself once it finishes, if not delete it yourself.



          Also, you'll want to clean out your System Restore.  This is to remove any infected files that have been backed up by Windows.  Please follow these steps...

          1.  Go to Start > Programs > Accessories > System Tools > System Restore
          2.  Click on System Restore Settings.
          3.  Check Turn off System Restore and click OK.
          4.  Restart your computer.
          5.  Follow steps 1 and 2 to return to the settings, uncheck Turn off System Restore, and click OK.
          6.  Create a new restore point and close the program.

          System Restore will now be active again.  If you would like to learn more about System Restore, go here.