I.e. Shutdowns, Script Errors, Spyguard Pro


8 replies to this topic

#1 Jai. (Members, 4 posts)

Posted 08 December 2007 - 07:54 AM

I've managed to keep my system fairly clean (or so I thought) in the past by running Adaware etc., but in the past few days I've been getting increasing numbers of popups, script errors, and in the last day SpyGuard Pro has dumped itself on my desktop. I also keep getting Internet Explorer shutdowns, at first with error messages, then without warning (I'm having to type this message into Word to stop it closing halfway through, but even since then the whole system has crashed once). I searched the forums and found several sets of instructions for removing SpyGuard Pro, but wondered if anyone had any suggestions as to what to try first, given all the shutdowns I've been getting.

Any advice would be greatly appreciated, thanks.

#2 quietman7 (Bleepin' Janitor, Global Moderator, Virginia, USA)

Posted 08 December 2007 - 08:03 AM

Have you tried using System Restore or System Restore from a command prompt in "Safe Mode" to return to a previous state before your problems began?
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 quietman7 (Bleepin' Janitor, Global Moderator, Virginia, USA)

Posted 08 December 2007 - 08:08 AM

If that does not work, do this:

Please follow the instructions for using VundoFix in BC's self-help tutorial: "How To Remove Vundo/Winfixer Infection".

After running VundoFix, a text file named vundofix.txt will have automatically been saved to the root of the system drive, usually at C:\vundofix.txt. Please copy & paste the contents of that text file into your next reply.

Download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under "General and Startup", make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Click Close to exit the program.


#4 Jai. (Topic Starter)

Posted 08 December 2007 - 08:13 AM

I believe someone else took it back to the last restore point, but it hasn't made any difference. I've just run a fresh Adaware scan, and among the 180+ new objects (never seen anywhere near that many before), it's listing quite a few Win32.Trojan files.

#5 quietman7 (Bleepin' Janitor, Global Moderator, Virginia, USA)

Posted 08 December 2007 - 08:31 AM

Ok, follow the instructions I provided above. Also, please copy and paste the SAS Scan Log results in your next reply along with vundofix.txt.

#6 Jai. (Topic Starter)

Posted 08 December 2007 - 02:59 PM

Here are the logs (the SUPERAntiSpyware scan took 5 1/4 hours; I'm hoping that's not too much of a bad thing).

Vundofix.txt:


VundoFix V6.7.0

Checking Java version...

Java version is 1.4.2.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Scan started at 13:30:10 08/12/2007

Listing files found while scanning....

C:\windows\system32\rqstv.ini
C:\windows\system32\rqstv.ini2
C:\windows\system32\vtsqr.dll

Beginning removal...

Attempting to delete C:\windows\system32\rqstv.ini
C:\windows\system32\rqstv.ini Has been deleted!

Attempting to delete C:\windows\system32\rqstv.ini2
C:\windows\system32\rqstv.ini2 Has been deleted!

Attempting to delete C:\windows\system32\vtsqr.dll
C:\windows\system32\vtsqr.dll Has been deleted!

Performing Repairs to the registry.
Done!


------------------------------------------------------------


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/08/2007 at 07:19 PM

Application Version : 3.9.1008

Core Rules Database Version : 3358
Trace Rules Database Version: 1357

Scan type : Complete Scan
Total Scan Time : 05:14:52

Memory items scanned : 187
Memory threats detected : 2
Registry items scanned : 5551
Registry threats detected : 50
File items scanned : 87403
File threats detected : 200

Adware.Vundo-Variant/Small
C:\WINDOWS\SYSTEM32\LJJJHGE.DLL
C:\WINDOWS\SYSTEM32\LJJJHGE.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B285004D-6D02-4212-91FC-B8F47B68C254}
HKCR\CLSID\{B285004D-6D02-4212-91FC-B8F47B68C254}
HKCR\CLSID\{B285004D-6D02-4212-91FC-B8F47B68C254}\InprocServer32
HKCR\CLSID\{B285004D-6D02-4212-91FC-B8F47B68C254}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{B285004D-6D02-4212-91FC-B8F47B68C254}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\ljjjhge
C:\WINDOWS\SYSTEM32\TUVUTSS.DLL

Trojan.WinFixer
C:\WINDOWS\SYSTEM32\AWVTU.DLL
C:\WINDOWS\SYSTEM32\AWVTU.DLL
HKLM\Software\Classes\CLSID\{3ECDA7FD-0282-471D-BE9D-A6409E73A816}
HKCR\CLSID\{3ECDA7FD-0282-471D-BE9D-A6409E73A816}
HKCR\CLSID\{3ECDA7FD-0282-471D-BE9D-A6409E73A816}\InprocServer32
HKCR\CLSID\{3ECDA7FD-0282-471D-BE9D-A6409E73A816}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{CC7315DE-B060-4F08-A713-E46F59D92404}
HKCR\CLSID\{CC7315DE-B060-4F08-A713-E46F59D92404}
HKCR\CLSID\{CC7315DE-B060-4F08-A713-E46F59D92404}\InprocServer32
HKCR\CLSID\{CC7315DE-B060-4F08-A713-E46F59D92404}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\VTSQR.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3ECDA7FD-0282-471D-BE9D-A6409E73A816}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CC7315DE-B060-4F08-A713-E46F59D92404}

Worm.SASSER-E
[Lexmark_X79-55] C:\WINDOWS\SYSTEM32\LSASSS.EXE
C:\WINDOWS\SYSTEM32\LSASSS.EXE
C:\WINDOWS\Prefetch\LSASSS.EXE-29544F4D.pf

Adware.ClickSpring
[Ires] C:\PROGRA~1\SKS~1\WOWEXEC.EXE
C:\PROGRA~1\SKS~1\WOWEXEC.EXE
C:\PROGRAM FILES\SKS~1\WOWEXEC.EXE
C:\WINDOWS\system32\SEMBLY~1\CHOST~1.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{1314AFE4-1584-4556-9BDE-88C99501FD9C}\RP187\A0436571.DLL

Adware.Tracking Cookie
C:\Documents and Settings\The Chards\Cookies\the chards@cassava[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@adrevolver[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@exitexchange[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@interclick[3].txt
C:\Documents and Settings\The Chards\Cookies\the chards@bs.serving-sys[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@ad.zanox[3].txt
C:\Documents and Settings\The Chards\Cookies\the chards@ex=0_[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@e-2dj6wfk4gjdzsgo.stats.esomniture[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@media.adrevolver[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@ads.domainsuite[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@www.adtrak[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@ad.outerinfoads[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@ex=1_[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@adtech[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@serving-sys[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@adopt.euroclick[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@e-2dj6wjk4gmc5kfo.stats.esomniture[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@reduxads.valuead[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@xiti[3].txt
C:\Documents and Settings\The Chards\Cookies\the chards@doubleclick[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@ads.k8l[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@partypoker[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@s[5].txt
C:\Documents and Settings\The Chards\Cookies\the chards@sale.spyguardpro[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@atdmt[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@288_[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@advertising[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@login.tracking101[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@adserver.adtech[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@1062542033[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@mediaplex[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@adecn[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@ad.yieldmanager[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@www.virginmedia[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@ads2.k8l[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@spyguardpro[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@888[4].txt
C:\Documents and Settings\The Chards\Cookies\the chards@eas.apm.emediate[3].txt
C:\Documents and Settings\The Chards\Cookies\the chards@ads.maxecpm[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@adsby.zwoops[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@banners.searchingbooth[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@adrevolver[3].txt
C:\Documents and Settings\The Chards\Cookies\the chards@protect.spyguardpro[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@url[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@msnportal.112.2o7[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@virginmedia[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@partygaming.122.2o7[1].txt
C:\Documents and Settings\The Chards\Local Settings\Temp\Cookies\the chards@ads.maxecpm[2].txt
C:\Documents and Settings\The Chards\Local Settings\Temp\Cookies\the chards@cassava[1].txt
C:\Documents and Settings\The Chards\Local Settings\Temp\Cookies\the chards@exitexchange[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@centrica.usertracking[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@smileycentral[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@accelerator-media[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@ads.accelerator-media[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@ads.monster[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@stats.esomniture[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@adecn[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@interclick[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@media.guardian.co[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@ads.ak.facebook[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@tracking[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@windowsmedia[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@www.dgm2[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@login.tracking101[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@date.ventivmedia[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@belnk[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@dist.belnk[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@djbanners.deadjournal[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@stats.raileurope.co[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@ads.monster[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@www.dgm2[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@superstats[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@ads.modthesims2[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@ads.gambling[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@banner.prestigecasino[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@ad.feltads[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@yourmedia[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@data2.perf.overture[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@ad.zanox[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@tracker.wmps[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@tracking.summitmedia.co[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@www.precisioncounter[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@m1.webstats4u[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@ad.zanox[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@ad.ifrance[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@kanoodle[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@ads.contactmusic[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@tracker.netklix[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@banner.32vegas[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@xiti[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@burstnet[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@cassava[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@adrevenue[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@eas.apm.emediate[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@adrevenue[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@stats[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@atwola[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@booktracker.co[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@maccosmetics.77tracking[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@ads.realtechnetwork[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@mywebsearch[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@azjmp[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@virginmedia[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@burstnet[4].txt
C:\Documents and Settings\The Chards\Cookies\the chards@tracker.netklix[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@banner.cdpoker[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@www.dealtime[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@www.clash-media[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@banner.eurogrand[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@superstats[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@cpvfeed[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@xiti[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@anad.tacoda[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@warez[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@www.precisioncounter[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@srv.warez[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@anad.tacoda[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@adopt.specificclick[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@ads.maxecpm[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@adopt.specificclick[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@ads.as4x.tmcs[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@www.virginmedia[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@m1.webstats4u[3].txt
C:\Documents and Settings\The Chards\Cookies\the chards@burstnet[3].txt
C:\Documents and Settings\The Chards\Cookies\the chards@vhost.oddcast[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@sitestats.tiscali.co[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@tracking.summitmedia.co[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@www.clickmanage[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@drivecleaner[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@www.drivecleaner[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@stats.channel4[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@webstats.thefa[1].txt
C:\Documents and Settings\The Chards\Cookies\the chards@nextag[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@www.sublimemedia[2].txt
C:\Documents and Settings\The Chards\Cookies\the chards@teenink[1].txt

Trojan.NetMon/DNSChange
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#DeviceDesc
C:\SYSTEM VOLUME INFORMATION\_RESTORE{1314AFE4-1584-4556-9BDE-88C99501FD9C}\RP187\A0436567.EXE

Trojan.cmdService
HKLM\SYSTEM\CurrentControlSet\Services\cmdService
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#Type
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#Start
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#ObjectName
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Security
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#DeviceDesc

Trojan.Security Toolbar
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url
C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url
C:\Documents and Settings\The Chards\Favorites\Antivirus Test Online.url
C:\Documents and Settings\All Users\Desktop\Security Troubleshooting.url
C:\Documents and Settings\All Users\Desktop\Online Security Guide.url

Malware.SpywareQuake
C:\Program Files\SpyQuake2.com\blacklist.txt
C:\Program Files\SpyQuake2.com\ref.dat
C:\Program Files\SpyQuake2.com\SpyQuake2.com.url
C:\Program Files\SpyQuake2.com

Adware.ClickSpring/Outer Info Network
C:\Program Files\Outerinfo\Terms.rtf
C:\Program Files\Outerinfo\FF\components\FF.dll
C:\Program Files\Outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\Outerinfo\FF\components
C:\Program Files\Outerinfo\FF\install.rdf
C:\Program Files\Outerinfo\FF\chrome.manifest
C:\Program Files\Outerinfo\FF
C:\Program Files\Outerinfo
C:\Documents and Settings\The Chards\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\The Chards\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\The Chards\Start Menu\Programs\Outerinfo

Malware.LocusSoftware Inc/SpyGuardPro
HKLM\Software\SpyGuardPro
HKLM\Software\SpyGuardPro#EulaUGA6P_0001_N122M2210

Adware.ClickSpring/Yazzle
C:\PROGRAM FILES\COMMON FILES\YAZZLE1281OINADMIN.EXE
C:\PROGRAM FILES\COMMON FILES\YAZZLE1281OINUNINSTALLER.EXE

Adware.k8l
C:\PROGRAM FILES\MOVIE MAKER\WUORTYMY.HTML

Trojan.Downloader-Gen/WinAble-Installer
C:\PROGRAM FILES\TEMPORARY\WININSTALL.EXE

Adware.Adservs
C:\WINDOWS\SYSTEM32\XC7\MONIDNPR3.EXE
C:\DOCUMENTS AND SETTINGS\THE CHARDS\LOCAL SETTINGS\TEMP\TEMP.FR9F07
C:\SYSTEM VOLUME INFORMATION\_RESTORE{1314AFE4-1584-4556-9BDE-88C99501FD9C}\RP187\A0437555.DLL
C:\WINDOWS\Prefetch\MONIDNPR3.EXE-094F7155.pf

Trojan.Unknown Origin
C:\WINDOWS\SYSTEM32\PIP5\MMILDOT83122.EXE
C:\WINDOWS\SYSTEM32\WNSTSICOMSV32.EXE
C:\WINDOWS\Q2HHCMQ\KZ11WAK.VBS
C:\WINDOWS\UNINSTALL_NMON.VBS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{1314AFE4-1584-4556-9BDE-88C99501FD9C}\RP187\A0436575.EXE
C:\WINDOWS\Prefetch\MMILDOT83122.EXE-397E16D5.pf

Trojan.Homepage
C:\WINDOWS\SYSTEM32\LD100.TMP

Trojan.Downloader-Gen/DualGurl
C:\WINDOWS\TEMP\SVCIPA.EXE

Trojan.Downloader-Gen/MROFIN
C:\WINDOWS\MROFINU1000106.EXE
C:\WINDOWS\MROFINU572.EXE

Trojan.Downloader-Gen/SnapSNet
C:\DOCUMENTS AND SETTINGS\THE CHARDS\LOCAL SETTINGS\TEMP\SNAPSNET.EXE
C:\WINDOWS\Prefetch\SNAPSNET.EXE-339E3D68.pf

Malware.LocusSoftware Inc/BestSellerAntivirus
C:\DOCUMENTS AND SETTINGS\THE CHARDS\LOCAL SETTINGS\TEMP\WINVSNET.EXE
C:\WINDOWS\Prefetch\WINVSNET.EXE-1959A105.pf

Browser Hijacker.Favorites
C:\DOCUMENTS AND SETTINGS\THE CHARDS\FAVORITES\ONLINE SECURITY TEST.URL

Unclassified.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{1314AFE4-1584-4556-9BDE-88C99501FD9C}\RP187\A0436566.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{1314AFE4-1584-4556-9BDE-88C99501FD9C}\RP187\A0436569.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{1314AFE4-1584-4556-9BDE-88C99501FD9C}\RP187\A0436570.DLL

Trojan.ZQuest
C:\SYSTEM VOLUME INFORMATION\_RESTORE{1314AFE4-1584-4556-9BDE-88C99501FD9C}\RP187\A0436568.DLL

Trojan.ZQuest-Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{1314AFE4-1584-4556-9BDE-88C99501FD9C}\RP187\A0436576.EXE

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{1314AFE4-1584-4556-9BDE-88C99501FD9C}\RP187\A0437567.DLL

Trojan.Downloader-Gen/Suspicious
C:\FOUND.094\FILE0010.CHK
C:\SRPY.EXE
C:\FYOF.EXE
C:\WINDOWS\Prefetch\SRPY.EXE-030B908B.pf
C:\WINDOWS\Prefetch\FYOF.EXE-268E16C5.pf

-----------------------------

I'm not sure about anything else yet, but I am still getting the script errors at the moment (all pretty much 'MSN is undefined' on the msn homepage).
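The scan log above is long but has a regular shape: a family name on one line, one hit per following line, registry values written as key#valuename, hits found in memory prefixed with a bracketed label, and restore-point copies under System Volume Information. The Python below is an added example, not code from this thread or from SUPERAntiSpyware, that parses that shape and pulls out what a responder wants first: the persistence keys (the BHO and ShellExecuteHooks entries, the Winlogon Notify package, the cmdService service and its LEGACY_ enum entry), the CLSIDs hooked into Explorer, binaries with Prefetch traces, hits found in memory, and families that survive only as System Restore copies. The embedded sample is a constructed abbreviation of the log above. The set of persistence locations and the reading of the bracketed label on memory hits are assumptions taken from this log, not from SAS documentation.

```python
"""Sort a SUPERAntiSpyware scan log into what a responder acts on: persistence points,
copies living only in System Restore snapshots, Prefetch evidence of execution, memory hits."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: blocks copied from the log posted in this thread,
# heavily abbreviated (the real log lists roughly 250 items).
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log

File threats detected : 200

Adware.Vundo-Variant/Small
C:\WINDOWS\SYSTEM32\LJJJHGE.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B285004D-6D02-4212-91FC-B8F47B68C254}
HKCR\CLSID\{B285004D-6D02-4212-91FC-B8F47B68C254}\InprocServer32
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{B285004D-6D02-4212-91FC-B8F47B68C254}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\ljjjhge

Worm.SASSER-E
[Lexmark_X79-55] C:\WINDOWS\SYSTEM32\LSASSS.EXE
C:\WINDOWS\SYSTEM32\LSASSS.EXE
C:\WINDOWS\Prefetch\LSASSS.EXE-29544F4D.pf

Trojan.cmdService
HKLM\SYSTEM\CurrentControlSet\Services\cmdService
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#ImagePath
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000

Trojan.ZQuest
C:\SYSTEM VOLUME INFORMATION\_RESTORE{1314AFE4-1584-4556-9BDE-88C99501FD9C}\RP187\A0436568.DLL
"""

HEADER_RE = re.compile(r"^([A-Za-z]+(?: [A-Za-z]+)+)\s*:\s*(.+)$")  # "File threats detected : 200"
FAMILY_RE = re.compile(r"^[A-Za-z][A-Za-z ]*\.[^\\:]+$")             # "Trojan.cmdService"
MEMORY_RE = re.compile(r"^\[(?P<label>[^\]]+)\]\s+(?P<path>.+)$")     # "[label] C:\path": hit in memory
REGISTRY_RE = re.compile(r"^(HKLM|HKCU|HKCR|HKU|HKEY_[A-Z_]+|Software)\\", re.I)
# Autostart and hook locations that occur in the log above (assumed set; SAS writes key#valuename).
PERSISTENCE_RE = re.compile(r"Browser Helper Objects|ShellExecuteHooks|WinLogon\\Notify|"
                            r"CurrentControlSet\\Services\\|Enum\\Root\\LEGACY_", re.I)
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
PREFETCH_RE = re.compile(r"\\Prefetch\\([^\\]+)-[0-9A-F]{8}\.pf$", re.I)

@dataclass
class Item:
    family: str
    kind: str                # "file", "registry" or "memory"
    path: str                # file path or registry key (memory hits: the path after the label)
    label: Optional[str]     # bracketed text SAS prints in front of a memory hit (assumed meaning)
    persistence: bool        # registry key is an autostart/hook location
    in_restore_point: bool   # copy under System Volume Information\_RESTORE
    prefetch: bool           # a .pf trace, i.e. the binary was executed at some point

def classify(family: str, raw: str) -> Item:
    label, path = None, raw
    if (m := MEMORY_RE.match(raw)):
        kind, label, path = "memory", m.group("label"), m.group("path")
    else:
        kind = "registry" if REGISTRY_RE.match(raw) else "file"
    return Item(family, kind, path, label,
                persistence=kind == "registry" and bool(PERSISTENCE_RE.search(path)),
                in_restore_point="SYSTEM VOLUME INFORMATION\\_RESTORE" in path.upper(),
                prefetch=bool(PREFETCH_RE.search(path)))

def parse_sas_log(text: str) -> Tuple[Dict[str, object], List[Item]]:
    """Blank lines separate blocks; a block led by a family name lists one hit per line."""
    header: Dict[str, object] = {}
    items: List[Item] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.rstrip() for ln in block.splitlines() if ln.strip()]
        if FAMILY_RE.match(lines[0]):
            items.extend(classify(lines[0], ln) for ln in lines[1:])
            continue
        for m in filter(None, map(HEADER_RE.match, lines)):
            val = m.group(2).strip()
            header[m.group(1)] = int(val) if val.isdigit() else val
    return header, items

def summarize(items: List[Item]) -> Dict[str, object]:
    families = {it.family for it in items}
    hooks = [it for it in items if it.persistence]
    return {
        "by_kind": dict(Counter(it.kind for it in items)),
        # Keys to clear, or verify are gone, before trusting the next reboot.
        "persistence": [it.path for it in hooks],
        # COM classes hooked into Explorer/IE, i.e. the BHO CLSIDs to look up.
        "clsids": sorted({c.upper() for it in hooks for c in CLSID_RE.findall(it.path)}),
        "executed": sorted({PREFETCH_RE.search(it.path).group(1).upper() for it in items if it.prefetch}),
        "in_memory": [(it.label, it.path) for it in items if it.kind == "memory"],
        # Families seen only as System Restore copies: inert now, revived by a restore.
        "only_in_restore_points": sorted(
            f for f in families if all(it.in_restore_point for it in items if it.family == f)),
    }

if __name__ == "__main__":
    header, found = parse_sas_log(SAMPLE_LOG)
    print(header, summarize(found), sep="\n")
```

Run it as a script to see the summary for the sample, or pass the full log text to parse_sas_log for the complete picture. The only_in_restore_points entries are inert until a System Restore brings them back, which is why cleanup guides end with purging restore points; the Prefetch and in-memory hits are the evidence that the files actually ran, which bears on the reformat question raised in the next reply.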

#7 quietman7 (Bleepin' Janitor, Global Moderator, Virginia, USA)

Posted 08 December 2007 - 04:40 PM

Your system was heavily infected with several different types of malware. One or more of the identified infections is a backdoor Trojan. Backdoor Trojans, IRCBots and Infostealers are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge. Read the Danger: Remote Access Trojans.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

Although the backdoor Trojan has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the backdoor Trojan has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS - "When should I re-format?".

Should you decide not to follow that advice and want to continue, then do this.

Please print out and follow the generic instructions for using "SmitfraudFix".
(If you have downloaded SmitfraudFix previously, please delete that version and download it again as the tool is frequently updated!)
-- If the tool fails to launch from the Desktop, please move smitfraudFix.exe to the root of the system drive (usually C:\), and run it from there.

After running SmitFraudFix, a text file named rapport.txt will have automatically been saved to the root of the system drive, usually at C:\rapport.txt. Please copy & paste the contents of that text file into your next reply.

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs. From within Add/Remove Programs highlight any of the following programs (if listed) and select "Remove".

ClickSpring
Cowabanga by OIN
ipwindows / ipwins
MediaTickets
MediaTickets by OIN
OIN
Outer Info Network
PurityScan
PurityScan by OIN
Snowball Wars by OIN
TizzleTalk
TizzleTalk by OIN
Yazzle by OIN
Yazzle ActiveX By OIN
Yazzle Cowabanga by OIN
Yazzle Kobe :filtered:! By OIN
Yazzle Picster by OIN
Yazzle Sudoku by OIN
Yazzle Snowballwars by OIN
Yazzle Kobe Balls! by OIN
Zolero Translator
or anything similar with OIN, Outer Info Network or Yazzle in them.

Important! Reboot when done.

If you do not see any icon for "OIN" or "(program) by OIN" in Add/Remove Programs, then download and run the Purity Scan uninstaller.
  • Save the Uninstaller to your desktop.
  • Double click on the OiUninstaller.exe icon on your desktop.
  • Click on "Run".
  • Enter the four digit code that is displayed and click on "Uninstall".
  • Click on "Ok" and reboot your computer.
Click here for Instructions with screenshots if needed.

Note: OiUninstaller uses UPX (ultimate packer for executables), an advanced file compressor and a method for compressing executable files to reduce their size to save space on a disk and download time. Some anti-virus programs such as Avast and Kaspersky may detect it as malware when attempting to download or unpack the compressed file.

Next, open My Computer or Windows Explorer, navigate to C:\Program Files and delete any of the named program folders listed above that you find (if they still exist).

Also delete the following folders if they still exist
C:\Program Files\SpyQuake2.com <- this folder
C:\Program Files\Outerinfo <- this folder
C:\Documents and Settings\username\Application Data\SpyGuardPro <- this folder
C:\Program Files\SpyGuardPro <- this folder
C:\Program Files\Common Files\SpyGuardPro <- this folder

Please download SDFix by AndyManchesta and save it to your desktop.
alternate download
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).
  • DO NOT use it just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save a copy into the SDFix folder as Report.txt.
  • Copy and paste the contents of Report.txt in your next reply.
-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe:
%SystemRoot%\system32\cmd.exe


Your Java is out of date. The VundoFix log shows you are not using the most current version of Java. Older versions have vulnerabilities that malicious sites can use to infect your system. That's probably how you came to get infected in the first place.

Please follow these steps to remove older version Java components and update:
  • Download Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE)6 Update 3...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement". The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.
Reports/logs to post in your next reply:
* Report.txt <- SDFix report
* rapport.txt

Also let me know how your computer is running.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#8 Jai. (Topic Starter; Members, 4 posts)

Posted 09 December 2007 - 10:05 AM

Thanks for your reply. No one uses this machine for online banking or similar, but I have got in contact with the person who built it with regard to getting Win XP reinstalled. In the meantime I'll be avoiding connecting, but I have followed your other instructions.

Rapport.txt:

SmitFraudFix v2.259

Scan done at 13:57:08.81, 09/12/2007
Run from C:\Documents and Settings\The Chards\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts


127.0.0.1 localhost

Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

C:\config.sy_ Deleted
C:\WINDOWS\Tasks\At?.job Deleted
C:\WINDOWS\Tasks\At??.job Deleted
C:\WINDOWS\Web\desktop.html Deleted

DNS



Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

-----------------------------------------------

Report.txt:


SDFix: Version 1.117

Run by The Chards on 09/12/2007 at 14:27

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\PROGRA~1\MOVIEM~1\SALUXA - Deleted
C:\Temp\1cb\syscheck.log - Deleted
C:\WINDOWS\mrofinu572.exe.tmp - Deleted
C:\DOCUME~1\THECHA~1\LOCALS~1\Temp\abc123.pid - Deleted
C:\WINDOWS\install.exe - Deleted
C:\WINDOWS\mrofinu572.exe.tmp - Deleted
C:\WINDOWS\system32\alog.txt - Deleted
C:\WINDOWS\system32\cmds.txt - Deleted
C:\WINDOWS\system32\cookie1.dat - Deleted
C:\WINDOWS\system32\pac.txt - Deleted
C:\WINDOWS\system32\ps1.dat - Deleted
C:\WINDOWS\system32\rc.dat - Deleted
C:\WINDOWS\system32\rozmchild.dll - Deleted



Folder C:\Program Files\Temporary - Removed
Folder C:\Program Files\WinAble - Removed
Folder C:\Temp\1cb - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-09 14:31:23
Windows 5.1.2600 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\System32\\svchost.exe"="C:\\WINDOWS\\System32\\svchost.exe:*:Enabled:@xpsp2res.dll,-22008"
"C:\\WINDOWS\\Explorer.EXE"="C:\\WINDOWS\\Explorer.EXE:*:Enabled:@xpsp2res.dll,-22008"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Thu 8 Jun 2000 93,040 ..SH. --- "C:\COMMAND.COM"
Wed 1 Jan 2003 194 ..SH. --- "C:\AUTOEXEC.BAK"
Thu 8 Jun 2000 53,248 ...H. --- "C:\Program Files\Accessories\mspcx32.dll"
Mon 22 Jul 2002 418,816 ...HR --- "C:\WINDOWS\system32\Tools\All.exe"
Fri 19 Jul 2002 390,144 ...HR --- "C:\WINDOWS\system32\Tools\Change.exe"
Fri 19 Jul 2002 574,464 ...HR --- "C:\WINDOWS\system32\Tools\CheckPath.exe"
Tue 20 Aug 2002 430,592 ...HR --- "C:\WINDOWS\system32\Tools\Counter.exe"
Tue 23 Jul 2002 390,656 ...HR --- "C:\WINDOWS\system32\Tools\DelFolders.exe"
Fri 22 Nov 2002 399,872 ...HR --- "C:\WINDOWS\system32\Tools\DirectSetup.exe"
Fri 19 Jul 2002 388,096 ...HR --- "C:\WINDOWS\system32\Tools\RegClean.exe"
Fri 19 Jul 2002 388,608 ...HR --- "C:\WINDOWS\system32\Tools\Regexe.exe"
Mon 2 Dec 2002 431,616 ...HR --- "C:\WINDOWS\system32\Tools\Restart.exe"
Fri 19 Jul 2002 388,096 ...HR --- "C:\WINDOWS\system32\Tools\RunRegexe.exe"
Sun 9 Apr 2006 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv10.bak"
Sun 9 Apr 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

Finished!

---------------------------

The computer is running ok (only as slow as it ever is). I haven't been online so I can't say how it is going for long periods, although I did get a couple of IE shutdowns when I was trying to install Java 6.

Thanks for all your help. Could you tell me if I back up the image/document files on CD or flash drive, will it be safe to copy from that drive to another machine?

Edit: I forgot to mention: when I checked Add/Remove Programs for the list you posted, none of those items were present, nor were there any of the files/folders in C:\Program Files.

Edited by Jai., 09 December 2007 - 10:09 AM.
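The two reports posted above are plain text with a handful of fixed line shapes: SmitFraudFix writes "path Deleted", SDFix writes "path - Deleted", "Folder path - Removed", and a dated "Files with Hidden Attributes" table. The Python below is an added example, not part of this thread and not code from either tool: it parses excerpts copied from the reports above into a structured triage record and lists hidden executables that are not on a small allowlist, so a helper reading such a log can see at a glance what was removed and what still needs a look. The executable-extension set, the assumed-benign allowlist (COMMAND.COM and AUTOEXEC.BAK, which SDFix listed on this FAT32 system) and the regexes are assumptions inferred from the report text on this page, not specifications published by the tools.

```python
"""Triage helper for SmitFraudFix (rapport.txt) and SDFix (Report.txt) output.

Added example for the thread above; not part of either tool.  Line patterns
are inferred from the reports as posted, so treat them as assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Excerpts copied from the two reports in the thread (trimmed).
RAPPORT_TXT = r"""
SmitFraudFix v2.259
Deleting infected files

C:\config.sy_ Deleted
C:\WINDOWS\Tasks\At?.job Deleted
C:\WINDOWS\Web\desktop.html Deleted
"""

REPORT_TXT = r"""
SDFix: Version 1.117
Trojan Files Found:

C:\WINDOWS\system32\rozmchild.dll - Deleted
C:\WINDOWS\system32\pac.txt - Deleted

Folder C:\Program Files\WinAble - Removed

Files with Hidden Attributes:

Thu 8 Jun 2000 93,040 ..SH. --- "C:\COMMAND.COM"
Fri 19 Jul 2002 388,096 ...HR --- "C:\WINDOWS\system32\Tools\RegClean.exe"
Sun 9 Apr 2006 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv10.bak"
"""


@dataclass
class HiddenFile:
    size: int
    attrs: str   # attribute column as printed, e.g. "..SH." or "...HR"
    path: str


@dataclass
class Triage:
    deleted: List[str] = field(default_factory=list)
    removed_folders: List[str] = field(default_factory=list)
    hidden: List[HiddenFile] = field(default_factory=list)


# Line shapes as they appear in the reports above (assumed, not documented).
_SMIT_DELETED = re.compile(r'^([A-Za-z]:\\.+?) Deleted$')
_SDFIX_DELETED = re.compile(r'^([A-Za-z]:\\.+?) - Deleted$')
_SDFIX_FOLDER = re.compile(r'^Folder ([A-Za-z]:\\.+?) - Removed$')
_SDFIX_HIDDEN = re.compile(
    r'^[A-Z][a-z]{2} \d{1,2} [A-Z][a-z]{2} \d{4} ([\d,]+) (\S+) --- "([^"]+)"$')


def parse_report(text: str) -> Triage:
    """Parse either report format into a Triage record."""
    t = Triage()
    for raw in text.splitlines():
        line = raw.strip()
        # The SDFix " - Deleted" form must be tried before the SmitFraudFix
        # " Deleted" form, or the trailing " -" would end up in the path.
        if m := _SDFIX_FOLDER.match(line):
            t.removed_folders.append(m.group(1))
        elif m := _SDFIX_DELETED.match(line):
            t.deleted.append(m.group(1))
        elif m := _SMIT_DELETED.match(line):
            t.deleted.append(m.group(1))
        elif m := _SDFIX_HIDDEN.match(line):
            size = int(m.group(1).replace(',', ''))
            t.hidden.append(HiddenFile(size, m.group(2), m.group(3)))
    return t


EXEC_EXT = {'exe', 'dll', 'com', 'scr', 'sys', 'pif', 'cpl'}
# Assumed benign for this example only: DOS/Win9x boot leftovers that SDFix
# listed on this FAT32 system.  Adjust for the machine being triaged.
ASSUMED_BENIGN = {r'c:\command.com', r'c:\autoexec.bak'}


def review_hidden(hidden: List[HiddenFile]) -> List[str]:
    """Paths of hidden executables not on the assumed-benign list."""
    flagged = []
    for h in hidden:
        ext = h.path.lower().rsplit('.', 1)[-1]
        if ext in EXEC_EXT and h.path.lower() not in ASSUMED_BENIGN:
            flagged.append(h.path)
    return flagged


if __name__ == '__main__':
    for name, text in (('rapport.txt', RAPPORT_TXT), ('Report.txt', REPORT_TXT)):
        t = parse_report(text)
        print(f'{name}: {len(t.deleted)} files deleted, '
              f'{len(t.removed_folders)} folders removed, {len(t.hidden)} hidden files')
        for p in review_hidden(t.hidden):
            print('  review hidden executable:', p)
```

Run it as a script to get a per-report summary; the hidden-file review deliberately stays conservative and only surfaces executables, since data files such as the DRM backups are noise for this purpose.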


#9 quietman7 (Bleepin' Janitor; Global Moderator, 51,597 posts; Virginia, USA)

Posted 09 December 2007 - 10:17 AM

Good job.

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen, then click "Next". Give the restore point a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

if I back up the image/document files on CD or flash drive, will it be safe to copy from that drive to another machine?

Be sure to scan them first with your anti-virus to ensure none of the files are infected. With the amount of malware you had on this system, we could have missed something.

If your computer seems to be slow, read Slow Computer/Browser? Check here first; it may not be malware. There are reasons for slowness besides malware - i.e. disk fragmentation, disk errors, corrupt system files, too many startup programs, unnecessary services running, not enough RAM, dirty hardware components, etc. As your system gets older it becomes filled with more files/programs and has a natural tendency to slow down so cleaning and regular maintenance is essential.
Note: If you are not on a local area network (LAN), disable the Workstation Service which creates and maintains client network connections to remote servers and that should also help to speed up your boot time.
