Icy Mt. Posted August 5, 2010 ID:296119 Share Posted August 5, 2010 First off, let me thank all the experts here who help the regular folks get their PCs back. If this isn't posted in the right place, please accept my apologies and relocate.I just helped someone remove a Fake Anti-Virus infection using a combination of Malwarebytes, CCleaner, HiJackThis, judicious deletion of avt.exe, uwuw.exe and a related .dll from the registry, removing the /AnVi directory, and a lot of searching in this forum. I've been doing this for years and so I have a good working knowledge of the MS registry, of what programs are normal/OK in startup and what programs/entries are normal in a task list -> processes. I thought I had completely removed this infection but a few hours later, the user opened up IE and we found out that there was still some malware: the dreaded Google redirect. It seems that this was part of the payload of the original infection as the user claims that this was the first time that they had opened IE since I (prematurely, it seems) pronounced the box cured. Malwarebytes was turning up nothing so after a few minutes of searching here, I ran HiJackThis and the only thing out of the ordinary was this entry:O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cabI used HJT to remove this entry, disabled System Restore, enabled System Restore and rebooted. Since then, all systems have been normal and I have a very happy user. Now I'm sitting here wondering why I violated my standard procedures and changed two things at once. Can any of the experts here tell me whether it was the O16 entry AND/OR the System Restore disable/enable that cured this?If it was the O16 entry, why does a seemingly legitimate website have a hijacker on their site? Link to post Share on other sites More sharing options...
Gammo Posted August 7, 2010 ID:297394 Share Posted August 7, 2010 Hi,By disabling system restore you delete all system restore points. Malware in system restore points is inactive, so this action wasn't the solution.The O16 entry and the website look legitimate to me. However, SystemLookup flags the entry as malicious.If one of these two steps was the solution, then it had to be deleting the O16 entry. Link to post Share on other sites More sharing options...
Icy Mt. Posted August 10, 2010 Author ID:299021 Share Posted August 10, 2010 Thanks, Gammo. Another mystery solved. Link to post Share on other sites More sharing options...
Gammo Posted August 10, 2010 ID:299034 Share Posted August 10, 2010 You're welcome. Link to post Share on other sites More sharing options...
Recommended Posts