Leftover Stuff From Malware


14 replies to this topic

#1 Erin328

  • Members
  • 14 posts

Posted 26 July 2007 - 10:33 AM

Ok, finally got Smitfraud-C.Core Service and Virtumonde cleaned out. DriveCleaner2006 does not seem to want to go away now. Had some WinAntiSpyware as well. The only thing that seems to be hanging on at this point is the DriveCleaner. Here is the HijackThis log. Thanks for your help!

Logfile of HijackThis v1.99.1
Scan saved at 3:24:28 AM, on 7/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\safeandsecure\safeandsecure\app\CurtainsSysSvcNt.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\SafeandSecure\SafeandSecure\app\Prism.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe
C:\PROGRA~1\MUSICM~1\Common\COMPON~1\MMCOMP~1.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\DOCUME~1\Kevin\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\AUserInit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {868865EC-0295-4C7D-B25D-9F65314145E9} - C:\WINDOWS\system32\xxyvtqq.dll (file missing)
O2 - BHO: (no name) - {938A8A03-A938-4019-B764-03FF8D167D79} - C:\WINDOWS\system32\ebarkhoc.dll (file missing)
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\SafeandSecure\SafeandSecure\app\AuthBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: (no name) - {DF820D7C-BCD5-4615-99A0-5782BD343D98} - C:\WINDOWS\system32\sstqn.dll (file missing)
O3 - Toolbar: Safe and Secure Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\SafeandSecure\SafeandSecure\app\AuthBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [AuthStart] C:\Program Files\SafeandSecure\SafeandSecure\app\authstart.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\lvypsxnm.dll",forkonce
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: sstqn - C:\WINDOWS\system32\sstqn.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\safeandsecure\safeandsecure\app\CurtainsSysSvcNt.exe
O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

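The log above is triaged by hand later in the thread: BHO and Winlogon Notify entries whose file is "(file missing)", DLLs in system32 with random-looking names, a Run entry named one letter away from spoolsv.exe, and Internet Explorer policy restrictions. The script below is an added example of that triage as code; it is not part of the post or of any BleepingComputer tool. The sample lines are copied from the log above, the scoring rules (orphaned load point, vowel-less DLL name, lookalike of a core process name, IE policy key present) are my own heuristics, and the helper names are mine.

```python
"""Triage helper for HijackThis-style log lines (added example, not a BleepingComputer tool)."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: a subset of the HijackThis v1.99.1 log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {868865EC-0295-4C7D-B25D-9F65314145E9} - C:\WINDOWS\system32\xxyvtqq.dll (file missing)
O2 - BHO: (no name) - {DF820D7C-BCD5-4615-99A0-5782BD343D98} - C:\WINDOWS\system32\sstqn.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\lvypsxnm.dll",forkonce
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: sstqn - C:\WINDOWS\system32\sstqn.dll (file missing)
"""

# Core Windows process names (my list). A load point whose file name is one edit
# away from one of these, e.g. poolsv.exe vs spoolsv.exe, is a classic lookalike.
SYSTEM_STEMS = {"smss", "csrss", "winlogon", "services", "lsass", "svchost",
                "spoolsv", "explorer", "ctfmon", "rundll32"}

# First drive-letter path ending in .dll/.exe/.sys; stops at quotes and commas.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\n,]+?\.(?:dll|exe|sys))', re.IGNORECASE)


@dataclass
class Entry:
    section: str                      # HJT section code, e.g. "O2", "O4", "O20"
    raw: str
    path: str = ""
    file_missing: bool = False
    reasons: List[str] = field(default_factory=list)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used for the lookalike rule."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def file_stem(path: str) -> str:
    """'C:\\WINDOWS\\poolsv.exe' -> 'poolsv'."""
    return path.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]


def parse_line(line: str) -> Entry:
    section = line.split(" - ", 1)[0].strip()
    m = PATH_RE.search(line)
    return Entry(section=section, raw=line, path=m.group(1) if m else "",
                 file_missing="(file missing)" in line)


def assess(entry: Entry) -> Entry:
    """Attach a reason for every heuristic the entry trips (heuristics, not verdicts)."""
    stem = file_stem(entry.path) if entry.path else ""
    ext = entry.path.rsplit(".", 1)[-1].lower() if entry.path else ""
    if entry.file_missing and entry.section in {"O2", "O20"}:
        entry.reasons.append("orphaned load point: referenced file is gone")
    # Vowel-less DLL names in system32 are typical of generated names; this does
    # produce false positives (hkcmd.exe in the same log survives only because
    # the rule is limited to DLLs), so treat it as a hint to research the file.
    if ext == "dll" and "\\system32\\" in entry.path.lower() \
            and len(stem) >= 5 and not any(c in "aeiou" for c in stem):
        entry.reasons.append("vowel-less DLL name in system32 (random-name heuristic)")
    if stem and stem not in SYSTEM_STEMS \
            and any(edit_distance(stem, s) == 1 for s in SYSTEM_STEMS):
        entry.reasons.append("lookalike of a core Windows process name")
    if entry.section == "O6" and "Policies" in entry.raw:
        entry.reasons.append("IE policy restriction present; confirm it was set on purpose")
    return entry


def triage(log_text: str) -> List[Entry]:
    """Return only the entries that trip at least one rule, in log order."""
    flagged = []
    for line in log_text.splitlines():
        line = line.strip()
        if not re.match(r"[OFR]\d+ - ", line):
            continue
        entry = assess(parse_line(line))
        if entry.reasons:
            flagged.append(entry)
    return flagged


def suspect_stems(entries: List[Entry]) -> List[str]:
    """Sorted, de-duplicated file stems of flagged entries that name a file."""
    return sorted({file_stem(e.path) for e in entries if e.path})


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(e.raw)
        for r in e.reasons:
            print("    ->", r)
    print("stems to research:", suspect_stems(triage(SAMPLE_LOG)))
```

On the sample this flags six entries and yields the stems lvypsxnm, poolsv, sstqn and xxyvtqq, which is the set of names the helper later passes to ComboFix and HijackThis (ebarkhoc is absent only because that line is not in the sample). The rules deliberately stay loose; every hit still needs a look-up of the file and its publisher before anything is removed.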
#2 POADB

  • Members
  • 122 posts

Posted 26 July 2007 - 02:12 PM

Welcome to BleepingComputer, :thumbsup:

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

I recommend that you "track this topic" to be notified when a reply has been made. At the top of this thread choose Options > Track This Topic and then select Immediate Email Notification.

Regards

POADB.

#3 Erin328
  • Topic Starter

  • Members
  • 14 posts

Posted 26 July 2007 - 02:38 PM

Thanks so much! I will be sure to add the topic tracking.

Erin

#4 POADB

  • Members
  • 122 posts

Posted 26 July 2007 - 02:54 PM

Hi Erin

finally got Smitfraud-C.Core Service and Virtumonde cleaned out.


I'm interested in how you believe you accomplished this? As a precaution, I'm running scans and tools to help detect leftovers. Please proceed as below.

For Your Information:

HIJACK THIS IN TEMP FOLDER

You are running HiJackThis from a temporary directory! This is a bad idea, as HJT creates backups that we may need.
Please create a folder (for example C:\HJT or C:\Program Files\HiJackThis) and move the file to this new location.

How to make a permanent folder:
  • Click My Computer, then Local Disk (C:) and then on Program Files.
  • From the menu bar, choose File -> New -> Folder.
  • That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis".
  • Now you have C:\Program Files\HijackThis. Put your HijackThis.exe there.
I recommend you make a desktop shortcut, by right clicking the HiJackThis.exe file. Scroll to Send To > Desktop (shortcut)

Downloads:

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Online Scan:

You may now open an Internet Browser to return to your Thread and complete the below instructions.

Perform an online scan with Internet Explorer with Panda ActiveScan
  • Click on [image] located at the bottom of the page.
  • A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  • Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting [image]
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on [image] then click [image]
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


Checklist:

In your next post, please include fresh logs from:
  • HiJackThis
  • Smitfraud report
  • Vundofix.txt
  • Online scan


#5 Erin328
  • Topic Starter

  • Members
  • 14 posts

Posted 26 July 2007 - 03:21 PM

Hi,

I used smitrem.exe from http://noahdfear.geekstogo.com/ and a vundo removal tool from F-Secure. I will follow the instructions you have sent. I do not think I will have access to this PC again until the weekend. I will perform the tasks and post as soon as possible. Thank you for your help!

Erin

#6 Erin328
  • Topic Starter

  • Members
  • 14 posts

Posted 26 July 2007 - 03:23 PM

Oh also, after I ran those tools, SmitFraud and Virtumonde were no longer showing up as entries when I ran Spybot. I HOPE they are really gone. Guess I will find out when I try the new steps!!

#7 POADB

  • Members
  • 122 posts

Posted 26 July 2007 - 03:25 PM

Thank you for the information Erin :thumbsup:

SmitRem is an alternative to Smitfraud fix, though analysts recommend Smitfraud fix for XP/2000.
I've not used F-Secure's vundo tool, as the tools we use are quite accurate.

You did a good job, only redundant entries of the Vundo infection remain in your HJT log. I will help you clean them out when you return with all the results. :flowers:

Thanks

Edited by POADB, 26 July 2007 - 03:27 PM.


#8 Erin328
  • Topic Starter

  • Members
  • 14 posts

Posted 31 July 2007 - 09:58 PM

Ok, I ran the tools and have attached logs from each. Please take a look and let me know how to proceed.
Thanks for your help. :thumbsup:


#9 POADB

  • Members
  • 122 posts

Posted 01 August 2007 - 12:38 PM

Hi Erin,

Thanks for posting your results. I am reviewing them now and creating a fix for you. I will post back once my fix has been checked by an expert analyst.

#10 Erin328
  • Topic Starter

  • Members
  • 14 posts

Posted 02 August 2007 - 07:47 AM

Thank you very much!!

#11 POADB

  • Members
  • 122 posts

Posted 02 August 2007 - 02:57 PM

Introduction:

Before you begin, please read through my proposed fix and download all the files I ask you to before going offline. It's important you ask any questions before we start so that I can answer any concerns that you may have.

In addition, I would like you to print out or copy & paste the below instructions to Notepad/Wordpad so that you can view them offline.

Please allow yourself a few spare hours and follow my instructions in the order they are presented. Do not miss a step. You should not have any browsers open during the cleaning process.

For Your Information:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 u2.
  • Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications". (4th one down)
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name. In your case, it is J2SE Runtime Environment 5.0 Update 3
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u2-windowsi586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - leave BOTH checked: Applications and Applets, Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.
Downloads:

Please download these additional files/programs. Do not run them unless instructed to do so.
Unless otherwise stated, they should be stored in the same directory as the HiJackThis program.

Please download ATF Cleaner by Atribune

Please download Combofix from here: combofix.exe or here combofix.exe.

Turn off your Internet. Please close your Internet Browser(s) and refer to the instructions offline, as suggested in my introduction.

Purge Temps

We shall be using ATF Cleaner to remove bad data from Temp locations. We shall also be clearing out unwanted Internet Cache and Cookies. As an advisory, please move any data you want to keep out of Temp locations before running the tool.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click: Empty Selected
If you use Firefox
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit to close the program.

ComboFix

Extract combofix & place it on the desktop. Then run the tool from Start > Run, copy and paste the following, into the RUN command box.

"%userprofile%\desktop\combofix.exe" /v ebarkhoc sstqn xxyvtqq lvypsxnm

It shall produce a log at C:\ComboFix. Please post it on your next reply.

Safe Mode:

REBOOT TO SAFE MODE
  • Restart the computer.
  • Wait for the first BEEP and begin tapping the F8 key on your keyboard.
  • Continue to do so until the 'Windows Advanced Options' menu appears.
  • Using the arrow keys on the keyboard, scroll to and select the menu item - Safe Mode.
  • Logon to your usual account.
Add/Remove Programs:

Please uninstall the following via Add/Remove in the Control Panel:

Yazzle

Exit Control Panel.

HJT Fixes:

Launch HiJackThis & run a scan. Select(tick) the following & click [Fix checked] :

O2 - BHO: (no name) - {DF820D7C-BCD5-4615-99A0-5782BD343D98} - C:\WINDOWS\system32\sstqn.dll (file missing)
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\lvypsxnm.dll",forkonce
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O20 - Winlogon Notify: sstqn - C:\WINDOWS\system32\sstqn.dll (file missing)


Exit HJT.

Deletions:

Using Windows Explorer (right-click your Start button and select Explore), please navigate to and delete the following:

FILES (if they exist):

c:\windows\system32\unPPC.exe
c:\windows\smdat32m.sys
C:\WINDOWS\b136.old
C:\WINDOWS\poolsv.exe


FOLDERS

c:\program files\Need2Find
C:\Program Files\poolsv


Please EMPTY this folder VirusBin, which contains quarantined infections:

C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\prf\iAqEhih28nkx\VirusBin\

Please let me know if you encountered any problems finding or deleting files/folders

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now. Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

REGEDIT4

[-hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM]

Save the file as "delete.reg". Make sure to save it with the quotes. Close Notepad. Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

Online Scan:

REBOOT BACK TO NORMAL MODE
Please return back to your thread at BleepingComputer.com

Please do an online scan with Kaspersky Webscan (You need to use Internet Explorer or enable IEView in Firefox)

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report as button >> name it >> choose "Text file" in the Save as type dialogue
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Checklist:

Please create an uninstall list:
  • Start HiJackThis
  • Press 'Config'
  • Press 'Misc Tools'
  • Press 'Open Uninstall Manager'
  • Press 'Save List'
  • Save the log to a convenient location and post it in your next reply.
In your next post, please include fresh logs from:
  • Uninstall List
  • HiJackThis
  • ComboFix Log
  • Online scan
Please provide details of any problems you encountered whilst performing the above steps & update me on how the computer behaves now.

#12 Erin328
  • Topic Starter

  • Members
  • 14 posts

Posted 07 August 2007 - 09:08 AM

Ok, I followed the instructions as listed and my logs are attached. I ran into a couple things that I could not do.
Yazzle was not listed in Add/Remove Programs
The following HJT objects were not present when I ran it:
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\lvypsxnm.dll",forkonce
C:\Windows\poolsv.exe and C:\Program Files\poolsv were not present

I created the reg file as described and saved it with the quotes. I was prompted about merging, and then got an error. A screen shot is in the attached word doc.

Other than those issues, everything else ran fine.

Thank you!!

Erin

Sorry...forgot to attach the error screen shot!


#13 POADB

  • Members
  • 122 posts

Posted 08 August 2007 - 02:48 AM

Introduction:

As before, please read through my proposed fix and download all the files I ask you to before going offline. It's important you ask any questions before we start so that I can answer any concerns that you may have.

In addition, I would like you to print out or copy & paste the below instructions to Notepad/Wordpad so that you can view them offline.

Please allow yourself a few spare hours and follow my instructions in the order they are presented. Do not miss a step. You should not have any browsers open during the cleaning process.

For Your Information:

Open Spybot - Search & Destroy.
  • On the left side, click "Recovery".
  • Select (place a check) beside ALL the backup files that contain quarantined items.
  • Click on the Purge Selected Items button. A dialog will appear, stating that the backup will be removed. Click Yes.
  • Exit Spybot S&D
Downloads:

Please download these additional files/programs. Do not run them unless instructed to do so.
Unless otherwise stated, they should be stored in the same directory as the HiJackThis program.

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if the main link doesn't work - http://www.greyknight17.com/spy/CleanUp.exe ) and install it. We shall use this later.

Turn off your Internet. Please close your Internet Browser(s) and refer to the instructions offline, as suggested in my introduction.

Add/Remove

Uninstall the following via Add/Remove in Control Panel:

Viewpoint Media Player

Exit Add/Remove and close Control Panel.

HJT Fixes:

Launch HiJackThis & run a scan. Select(tick) the following & click [Fix checked] :

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


Close HiJackThis.

Deletions:
  • Open notepad and copy/paste the text in the codebox below into it:

    File::
    C:\WINDOWS\system32\lvypsxnm.dll
    C:\WINDOWS\system32\sstqn.dll
    C:\WINDOWS\system32\sstqn.dll.bak
    C:\WINDOWS\system32\nqtss.bak2
    C:\WINDOWS\system32\nqtss.ini2
    C:\WINDOWS\system32\nqtss.bak1
    C:\WINDOWS\system32\8748FE3215.sys
    C:\WINDOWS\smdat32m.sys
    
    Registry::
    [-hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM]
  • Save this as CFScript.txt

    [image]
  • Referring to the picture above, drag CFScript.txt into ComboFix.exe
  • When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Purge Temps

We used ATF-Cleaner in our last run to clear temp locations, however some seem to have been missed.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:

Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files (if present)
  • Cleanup! All Users
  • Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked.
Click OK
Press the CleanUp! button to start the program and reboot when prompted.


Online Scan:

You may now open an Internet Browser to return to your Thread and complete the below instructions.

Perform an online scan with Internet Explorer with Panda ActiveScan
  • Click on [image] located at the bottom of the page.
  • A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  • Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting [image]
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on [image] then click [image]
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


Checklist:

In your next post, please include fresh logs from:
  • C:\ComboFix.txt
  • HiJackThis
  • Online scan
Please provide details of any problems you encountered whilst performing the above steps & update me on how the computer behaves now.

#14 Erin328
  • Topic Starter

  • Members
  • 14 posts

Posted 15 August 2007 - 07:32 AM

Ok, steps followed as stated and logs are attached. Everything seemed to go off without a hitch!!


#15 POADB

  • Members
  • 122 posts

Posted 15 August 2007 - 02:43 PM

Things are much better now. Please follow next instructions.

Add/Remove Programs:

Please uninstall via Add/Remove, if found (they may not exist):

Altnet
Need2Find
PeoplePC


ComboScript Deletions

Open notepad and copy/paste the text in the codebox below into it:

Folder::
F:\Program Files\PeoplePC
F:\Program Files\Need2Find
F:\Program Files\Altnet

Registry::
[-hkey_current_user\software\Need2Find]

Save this as CFScript.txt

[image]

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


Additional Housekeeping

Please EMPTY this folder:

F:\Kevin\Cookies\



Finally

Well done! :thumbsup: Your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:
  • CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder)
    Go to Start > Run > type control sysdm.cpl,,4 & press Enter
    • Tick on the checkbox - Turn off System Restore on all drives
    • Click Apply
    Turn it back 'On' by unticking the same checkbox & click OK
  • SECURING INTERNET EXPLORER
    From within Internet Explorer click on the Tools menu and then click on Internet Options.
    • Select the Security tab
      • Click once on the Internet icon so it becomes highlighted.
      • Select Custom Level .
        • Change 'Download signed ActiveX controls' to Prompt
        • Change 'Download unsigned ActiveX controls' to Disable
        • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
        • Change 'Installation of desktop items' to Prompt
        • Change 'Launching programs and files in an IFRAME' to Prompt
        • Change 'Navigate sub-frames across different domains' to Prompt
        • When all these changes have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Select OK to exit the Internet Properties page.
  • FIREWALL
    Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. A tutorial on firewalls and a listing of some available ones can be found here → http://www.bleepingcomputer.com/forums/tutorial60.html


  • Microsoft Windows Update → http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • IE-SPYAD
    IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here: http://www.spywarewarrior.com/uiuc/resource.htm
Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
  • http://toolbar.google.com/ - Google Toolbar - Get the free Google Toolbar to help stop pop-up windows.

  • http://cleanup.stevengould.org/ - CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

  • http://www.winpatrol.com/ - WinPatrol - Download and install the free version of WinPatrol.
    A tutorial for this product is located here: http://www.winpatrol.com/features.html
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.
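As an added check that is not part of the thread or of ComboFix, the script below verifies, after the CFScript has run and the machine has rebooted, that the folders and registry key named in the CFScript are gone, that the cookie folder is empty, and that the Internet zone settings recommended above are in place. The drive letter F: and the user folder "Kevin" are taken from the post; the zone value IDs are the standard Internet Explorer zone action codes (0 = Enable, 1 = Prompt, 3 = Disable).

```powershell
# Added verification script (not from the thread). Run in PowerShell after ComboFix and a reboot.
$leftovers = @()

# Folders and registry key named in the CFScript; none of these should exist now.
foreach ($path in 'F:\Program Files\PeoplePC', 'F:\Program Files\Need2Find',
                  'F:\Program Files\Altnet', 'HKCU:\Software\Need2Find') {
    if (Test-Path -LiteralPath $path) { $leftovers += "still exists: $path" }
}

# The cookie folder is meant to be emptied, not deleted.
$cookies = 'F:\Kevin\Cookies'
if (Test-Path -LiteralPath $cookies) {
    $n = @(Get-ChildItem -LiteralPath $cookies -Force -ErrorAction SilentlyContinue).Count
    if ($n -gt 0) { $leftovers += "not empty: $cookies ($n item(s))" }
}

# Internet zone (zone 3) action codes for the settings listed under SECURING INTERNET EXPLORER.
$zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$expected = @{
    '1001' = 1   # Download signed ActiveX controls -> Prompt
    '1004' = 3   # Download unsigned ActiveX controls -> Disable
    '1201' = 3   # Initialize and script ActiveX controls not marked as safe -> Disable
    '1800' = 1   # Installation of desktop items -> Prompt
    '1804' = 1   # Launching programs and files in an IFRAME -> Prompt
    '1607' = 1   # Navigate sub-frames across different domains -> Prompt
}
if (Test-Path -LiteralPath $zone) {
    $props = Get-ItemProperty -LiteralPath $zone
    foreach ($id in $expected.Keys) {
        $actual = $props.$id
        if ($actual -ne $expected[$id]) {
            $leftovers += "zone setting $id is '$actual', expected $($expected[$id])"
        }
    }
} else {
    $leftovers += "zone key not found: $zone"
}

if ($leftovers.Count -eq 0) {
    'Clean: nothing from the CFScript remains and the IE zone settings match.'
} else {
    'Items to report in your next post:'
    $leftovers | ForEach-Object { "  $_" }
}
```

Any line it prints under "Items to report" is exactly what the helper would want to see in the next post, alongside the fresh logs.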



