Virus And Adware Problem


14 replies to this topic

#1 Raspy

Posted 08 March 2008 - 12:54 PM

Help. One of my good friends got infected and passed it on to me! Basically the virus was pretty simple. It spreads via MSN Messenger and auto-emails everyone on your list. How I got hit is a good friend of mine who constantly sends me funny pictures etc. sent me a text saying someone looks just like me and to click the link. The link opened an exe file and the rest is history. My operating system is Windows XP SP2, fully updated. I am running Symantec Antivirus that is also fully updated. Each time I run a full scan Symantec finds and either deletes or quarantines about 10 viruses. I then power off and back on and run the scan again and it will find another 5 or so viruses. For some reason when I use Firefox I don't get the pop ups, but if I use Explorer I get 2 million of the same pop ups all saying I am infected with a virus and if I download their antispy/antivirus it will solve it. I have not done this because it just seems like a scam to give you more viruses. When Symantec scans, here are the names of the files it finds. It says it is quarantining and deleting, but like I said, when I rescan it finds the same stuff again.

spyware.goldenkeylog
W32.Scrimge.A
Spyware.familykeylog

Anyways if anyone has any ideas please let me know.

#2 Orange Blossom

Posted 09 March 2008 - 04:51 PM

Hello Raspy,

Do you have any other security programs installed besides Symantec? If so, please name them.

I would like you to run a scan with SUPERAntiSpyware in Safe Mode. You will, of course, install it in Normal Mode. I would suggest using Firefox to download the program and update it.

Download and install SUPERAntiSpyware free found here: SUPERAntiSpyware

Be sure to click on the download button to the left, not on the free trial download on the right.

  • Install it and double-click the icon on your desktop to run it.
  • It will ask if you want to update the program definitions, click Yes.
  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked:
    o Close browsers before scanning
    o Scan for tracking cookies
    o Terminate memory threats before quarantining.
    o Please leave the others unchecked.
    o Click the Close button to leave the control center screen.
  • Reboot into Safe Mode.
  • On the main screen, under Scan for Harmful Software click Scan your computer.
  • On the left check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and if it asks if you want to reboot, click Yes.
  • Reboot into Normal Mode.
  • To retrieve the removal information for me please do the following:
    o After reboot, double-click the SUPERAntiSpyware icon on your desktop.
    o Click Preferences. Click the Statistics/Logs tab.
    o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    o It will open in your default text editor (such as Notepad/Wordpad).
    o Please highlight everything in the notepad, then right-click and choose copy.
  • Click close and close again to exit the program.

Please post the log in your next reply.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 Raspy

Posted 11 March 2008 - 07:09 PM

Here is my log. Let me know what you think. Super Anti seems to have fixed the problem. Thanks so much in advance.



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/11/2008 at 05:46 PM

Application Version : 4.0.1154

Core Rules Database Version : 3417
Trace Rules Database Version: 1409

Scan type : Complete Scan
Total Scan Time : 04:04:55

Memory items scanned : 177
Memory threats detected : 1
Registry items scanned : 5557
Registry threats detected : 10
File items scanned : 65404
File threats detected : 50

Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\VTSQP.DLL
C:\WINDOWS\SYSTEM32\VTSQP.DLL

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{146E96BF-F6FF-488B-93CE-5BB72D5A6549}
HKCR\CLSID\{146E96BF-F6FF-488B-93CE-5BB72D5A6549}
HKCR\CLSID\{146E96BF-F6FF-488B-93CE-5BB72D5A6549}\InprocServer32
HKCR\CLSID\{146E96BF-F6FF-488B-93CE-5BB72D5A6549}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{146E96BF-F6FF-488B-93CE-5BB72D5A6549}

Adware.Vundo-Variant/Small-A
HKLM\Software\Classes\CLSID\{629a5ff7-3a59-4473-a3e6-dd2ca68b5fd7}
HKCR\CLSID\{629A5FF7-3A59-4473-A3E6-DD2CA68B5FD7}
HKCR\CLSID\{629A5FF7-3A59-4473-A3E6-DD2CA68B5FD7}\InprocServer32
HKCR\CLSID\{629A5FF7-3A59-4473-A3E6-DD2CA68B5FD7}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\XYYUHOEK.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{629a5ff7-3a59-4473-a3e6-dd2ca68b5fd7}
C:\WINDOWS\SYSTEM32\DIAAPKWE.DLL
C:\WINDOWS\SYSTEM32\DNIJCDWQ.DLL
C:\WINDOWS\SYSTEM32\GDCMOKAO.DLL
C:\WINDOWS\SYSTEM32\MCIFOPQG.DLL
C:\WINDOWS\SYSTEM32\MRXWJHVE.DLL
C:\WINDOWS\SYSTEM32\RKUKGVWP.DLL

Adware.Tracking Cookie
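As an added example that is not part of this thread or of SUPERAntiSpyware's own code, here is a small Python parser for the plain-text scan log format posted above, with a triage step that separates browser-loading components (BHO registrations, DLLs in SYSTEM32, which fit the IE pop-ups described here) from tracking cookies. The sample log is a constructed excerpt in the posted layout, and the severity ranking in triage() is my own heuristic, not the tool's.

```python
# Added example, not code from the thread or from SUPERAntiSpyware: a parser for the
# plain-text scan log format posted above, plus a simple triage of what it reports.
import re
from collections import defaultdict

# Constructed excerpt in the posted layout: "Key : value" header lines, then sections
# separated by blank lines, each a threat name followed by the registry keys / files.
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
Generated 03/11/2008 at 05:46 PM

Trace Rules Database Version: 1409
Total Scan Time : 04:04:55

Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\VTSQP.DLL
C:\WINDOWS\SYSTEM32\VTSQP.DLL

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{146E96BF-F6FF-488B-93CE-5BB72D5A6549}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{146E96BF-F6FF-488B-93CE-5BB72D5A6549}

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
"""

HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z /]*?)\s*:\s+(.+)$")  # "Key : value"
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
REG_HIVES = ("HKLM\\", "HKCR\\", "HKCU\\", "HKU\\")


def is_entry(line):
    """A detection entry is a registry path (hive prefix) or a file path (drive letter)."""
    return line.startswith(REG_HIVES) or re.match(r"^[A-Za-z]:\\", line) is not None


def parse_log(text):
    """Return (header, threats): header maps 'Key' -> 'value'; threats maps each
    threat name to its de-duplicated entries in order of appearance."""
    header, threats, current = {}, defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None  # a blank line closes the current section
        elif is_entry(line):
            if current is not None and line not in threats[current]:
                threats[current].append(line)
        elif current is None and not threats and HEADER_RE.match(line):
            key, value = HEADER_RE.match(line).groups()
            header[key.strip()] = value.strip()
        else:
            current = line  # any other bare line names a new section
    return header, dict(threats)


def triage(threats):
    """Heuristic ranking (my assumption, not the tool's): a threat that registers a
    Browser Helper Object or drops a DLL in SYSTEM32 loads into the browser, which
    fits the IE pop-ups in the thread, so it is 'high'; tracking cookies are 'low'."""
    result = {}
    for name, entries in threats.items():
        bho = sorted({CLSID_RE.search(e).group(0).upper() for e in entries
                      if "Browser Helper Objects" in e and CLSID_RE.search(e)})
        dlls = [e for e in entries
                if "\\SYSTEM32\\" in e.upper() and e.upper().endswith(".DLL")]
        level = "low" if "Tracking Cookie" in name else "high" if bho or dlls else "medium"
        result[name] = {"level": level, "bho_clsids": bho, "system32_dlls": dlls}
    return result
```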

#4 boopme

Posted 11 March 2008 - 08:41 PM

Hello, how is the PC running after the scan?

spyware.goldenkeylog & Spyware.familykeylog: this is actually a legitimate program (Publisher: SpyArsenal.com - KMiNT21 Software). It IS a keylogger. A keylogger records the keystrokes and activity on your computer to a file that is configurable. The default is wsg.rep. This file is located in the spyware's installation folder. Did you install this? These 3 can be dangerous to your PC's security if something is monitoring your keystrokes for passwords, credit card info, etc.

W32.Scrimge.A: W32.Scrimge.A is a worm that spreads through Microsoft instant messaging clients and opens a back door on the compromised computer.
It is commonly spread by MSN with messages such as these:
  • look @ my cute new puppy :-D
  • look @ this picture of me, when I was a kid
  • I just took this picture with my webcam, like it?
  • check it, i shaved my head
  • have u seen my new hair?
  • what the ----, did you see this?
  • hey man, did you take this picture?

Attachment name: img1756.zip (info from Symantec).

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
Ignore any comment to purchase the spyware remover.

Next follow the instructions in this BC Tutorial How to remove the Smitfraud / Generic Zlob

Again let us know how the PC is running.

Edited by boopme, 11 March 2008 - 09:22 PM.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#5 Raspy

Posted 12 March 2008 - 12:56 PM

Ok, we have a couple of things going on. First of all, I am going through a messy divorce and my future ex-wife swears I am hiding money from her (which I'm not). That would explain the keylogger. I just went into my Add/Remove Programs and removed it. That solved the 2 keylogger issues.

As for the virus and the spamware, I ran SUPERAntiSpyware and it found the stuff mentioned above. IE worked for about 5 mins, then about 50 pop ups attacked. Firefox seems to not be affected. Panda wouldn't work with Firefox, but I did manage to fight the pop ups and get it to work with IE7, only long enough to have IE7 have an error and close itself.

Anyone have any options or ideas?

#6 PropagandaPanda

Posted 12 March 2008 - 01:00 PM

Looks like Vundo infection.

Before we try running the fix program, could I ask what the popups showed? If they were ads for anti-malware programs then we can confirm it's Vundo.

#7 Raspy

Posted 12 March 2008 - 01:03 PM

Yep, they have one page that looks like a warning message that says I'm infected, then one that's a normal pop up that says I need to buy this software.

#8 PropagandaPanda
  • Local time:07:21 AM

Posted 12 March 2008 - 01:12 PM

Now that we have confirmed the Vundo infection, we can proceed to running the fix:
  • Please download VundoFix and save it onto your desktop.
  • Run VundoFix.
  • Select "Scan for Vundo".
  • After the scan, a prompt will come up asking if you want to remove the files. Click "Yes".
  • You will then be prompted to shutdown. Do so and then restart the computer.
Post back with the results.

#9 Raspy

Posted 12 March 2008 - 01:32 PM

VundoFix deleted 3 files, but as soon as I logged into IE7 I got a pop up to multiple pages.
So I'm guessing we still have some lingering problems?

Edited by Raspy, 12 March 2008 - 01:53 PM.


#10 boopme

Posted 12 March 2008 - 01:34 PM

Note:
The scan log is kept as vundofix.txt ...
Please post the contents of C:\vundofix.txt.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot. Follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

Edited by boopme, 12 March 2008 - 01:36 PM.


#11 PropagandaPanda
  • Local time:07:21 AM

Posted 12 March 2008 - 01:47 PM

Please remove the link. Though the check with LinkScanner came up empty for exploits, we can't guarantee it is safe, especially since it came from malware.

Edited by PropagandaPanda, 12 March 2008 - 01:50 PM.


#12 Raspy

Posted 12 March 2008 - 01:56 PM

VundoFix V7.0.3

Scan started at 12:19:48 PM 3/12/2008

Listing files found while scanning....

C:\windows\system32\pqstv.ini
C:\windows\system32\pqstv.ini2
C:\windows\system32\vtsqp.dll

Beginning removal...

Attempting to delete C:\windows\system32\pqstv.ini
C:\windows\system32\pqstv.ini Has been deleted!

Attempting to delete C:\windows\system32\pqstv.ini2
C:\windows\system32\pqstv.ini2 Has been deleted!

Attempting to delete C:\windows\system32\vtsqp.dll
C:\windows\system32\vtsqp.dll Has been deleted!

Performing Repairs to the registry.
Done!


Currently I am attempting to run Panda. I will report the Panda log if I can make it through the scan without any problems.

#13 Raspy

Posted 12 March 2008 - 03:31 PM

I tried to run Panda 3 times and each time IE7 would have some sort of error that closed the browser (one of the times I had 40 spyware detections). Firefox won't work because of the ActiveX, I am guessing, because when I hit the link it gives me a blank page. Any suggestions, or am I at the reformat point of giving up and starting over?

Edited by Raspy, 12 March 2008 - 03:32 PM.


#14 Orange Blossom

Posted 13 March 2008 - 02:42 PM

Hello Raspy,

You're not at the reformatting stage. I have problems with the Panda online scan myself. I rarely get it to work. I'd suggest going on to the rest of boopme's instructions and going through the Smitfraud/Generic Zlob removal guide linked to in post #4. boopme may suggest another on-line scanner. We'll see. :thumbsup:

Orange Blossom :flowers:

#15 boopme

Posted 13 March 2008 - 04:25 PM

Please download Dr Web-Cureit! to your Desktop. Don't run it yet.

Reboot into safe mode

Run Dr Web-Cureit! by double-clicking on the drweb-cureit.exe file.
Click OK in the prompt window that will open, asking "Start the express scan now".
It will first make a quick scan of your system, let it clean what it finds.
When it says "Done" in the lower left corner click on all your drives.
A red dot will mark the selected drive(s).
Then click the pedestrian who now has turned green.
It will scan ALL your drives, say Yes to all.
Select 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, in the menu, click File | Save Report List.
Save the report to your Desktop. The report will be called DrWeb.csv
Reboot normally.
Please post this log in your reply.