Malware Protector 2008/Bug Screen and Background virus

[Arturo312]

Last night I was attacked by this when visiting a video game site and quickly exited. Im running xp with sp2 and Webroot Spy Sweeper with Antivirus. I removed the Malware Protector 2008 shortly after it installed using the Control panel. I think the spy sweeper blocked most of it but I think some traces still remain.

I followed the steps in the thread before posting and it seems the background and bug screensaver is gone but if someone could just take a quick look at the logs and tell me how bad the infestation was and if it was completely removed, it would be very much appreciated and thanks.




[recovering space - attachment deleted by admin]

[Broni]

Do you use Norton as your AV, and firewall? It's not clear from the log, if it's running in full.

Open HJT, checkmark all O18 entries, click "Fix checked", and post new log.

[Arturo312]

I fixed the entries and re-scaned with Hijack. Webroot spysweeper also has antivirus protection and my firewall is the regular Windows one.

[recovering space - attachment deleted by admin]

[Broni]

It's still not clear. What's the story with Norton?
Spysweeper is NOT a substitute for antivirus program.

[Arturo312]

I used to have Norton installed but removed it when I got my new AV. The full name of my AV is "Webroot Spy Sweeper with Antivirus" if that was the thing that was confusing.

[Broni]

"Webroot Spy Sweeper with Antivirus"...fair enough, but I can see, the above product includes firewall, as well. Is it disabled, since you have Windows firewall up?
Run Norton Removal Tool: http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039 to remove Norton's leftovers, answer my question about firewall, and post new HJT log.

I'm off to EURO 2008 soccer game, so I'll be out for couple of hours.

[Arturo312]

Ok, Norton's been removed, Av firewall is disabled which is why I have Windows firewall and heres the new log.

Also should I re-scan in safe mode or is that unnessary?

Thanks for helping me out Broni

[recovering space - attachment deleted by admin]

[Broni]

You're welcome
I'm not familiar with Webroot firewall, but Windows firewall is definitely the lowest quality firewall, so you may reconsider.

...and no, HJT has to be run in Normal Mode.

1. Print this post out, since you won't have an access to it, at some point.

2. Close all windows, except for HijackThis.

3. Put a checkmark next to the following HijackThis entries (some entries will be checkmarked to disable unnecessary startups; in those cases (marked with *), no actual program will be removed):

- *O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
- *O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
- *O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
- *O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
- O4 - HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe
- *O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
- O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\system32\regscan.exe
- *O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
- *O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
- *O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
- *O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware.exe"
- O4 - Startup: GameSpot Download Manager.lnk = D:\stuff\GameSpot\GameSpotDownloadManager_Win32.exe
- O4 - Global Startup: Remocon Driver.lnk = ?
- O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
- O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
- O16 - DPF: {00000000-7777-0704-0B53-2C8830E9FAEC} - http://gn.one2bill.de/soft/axload.cab
- *O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SASWINLO.dll

4. Click on Fix checked button.

5. Restart computer in Safe Mode (keep tapping F8 key, when your computer starts, until menu appears)

6. Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders.

7. Delete following files/folders (if present):

- sysrest32.exe, regscan.exe files from C:\WINDOWS\system32
- GameSpotDownloadManager_Win32.exe file from D:\stuff\GameSpot

8. Restart in Normal Mode.

9. Post new HijackThis log.

[Arturo312]

Ok followed everything you said but the files in Safe mode weren't present and heres the new log:

[Saving space - attachment deleted by admin]

[Broni]

Very good

Your computer is clean

1. Download, and install CCleaner: http://www.ccleaner.com/download/builds. Get "Slim" version.
Read CCleaner instruction here: http://www.jahewi.nl/ccleaner/ccleaner.html.
Run CCleaner.

2. Turn off System Restore:

- Windows XP:
   1. Click Start.
   2. Right-click the My Computer icon, and then click Properties.
   3. Click the System Restore tab.
   4. Check "Turn off System Restore".
   5. Click Apply.   
   6.  When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
   7. Click OK.
- Windows Vista:
   1. Click Start.
   2. Right-click the Computer icon, and then click Properties.
   3. Click on System Protection under the Tasks column on the left side
   4. Click on Continue on the "User Account Control" window that pops up
   5. Under the System Protection tab, find Available Disks
   6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
   7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
   8. Click OK

3. Restart computer.

4. Turn System Restore on.

5. (optional) Download, and install free version of ThreatFire: http://www.threatfire.com/. It'll give you an extra protection against malwares. It won't interfere with your antivirus program

6. Read "So how did I get infected in the first place?": http://www.castlecops.com/postlite7736-.html

7. Let me know, how your computer is doing.

[Arturo312]

Thank you very much Broni It was a big help and it seems CCleaner is similar to the program Window Washer.

[Broni]

You're very welcome
Is computer doing OK?

[Arturo312]

Yes, computers ok.

After the computer got infected I didn't really notice any significant change in performance besides the the bug screen saver and background change.

Does that mean it wasnt that bad?

[Broni]

If you could only see some other logs....
You had just light infection.