
Some Type Of Hijacker/malware/spyware/pop Up Thingie..


9 replies to this topic

#1 ihatevirii

  • Members
  • 5 posts

Posted 28 March 2008 - 05:26 PM

Hey Everyone,
I am here today requesting help with some type of hijacker/malware/spyware/pop up thingie.. I'm not really sure exactly what this thing is, but it's on my work computer and my boss isn't going to be happy with me if I don't get rid of it.
I have tried everything.
I've gone online searching everywhere for what it is and ways to stop it and what I should do and so far have had no luck.
The good thing is I got rid of everything else that was wrong with this computer.
But I still haven't been able to get rid of what started me on my virus adventure.
I have installed Spy-Bot, Ad-Aware, AVG, Windows Defender, and McAfee. I have scanned with ALL of them.
I have removed/quarantined everything all of those programs found.
Still, this thing remains. :thumbsup: It shows up in the taskbar as a little yellow triangle saying my computer needs to be fixed. Then randomly maybe every 30/45minutes a window pops up with links to this website:
Here is what it looks like: [screenshots not preserved]
If anybody knows what this is or what I can do please let me know!
Any help is greatly appreciated!!
Thanks,
Bryan


#2 don77

    Forum Regular

  • Members
  • 3,212 posts
  • Gender:Male
  • Location:Boston Mass

Posted 28 March 2008 - 07:38 PM

Hello and welcome Bryan


Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

#3 ihatevirii
  • Topic Starter

  • Members
  • 5 posts

Posted 31 March 2008 - 02:10 PM

don77..
I downloaded smitfraudfix
and ran the scan..
here is the report you requested:


SmitFraudFix v2.309

Scan done at 15:07:23.04, Mon 03/31/2008
Run from C:\Documents and Settings\AJ\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\jwpijuzc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Icon Remover\IconRemover.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\IEPro\MiniDM.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\AJ


C:\Documents and Settings\AJ\Application Data


Start Menu


C:\DOCUME~1\AJ\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="http://www.annegeddes.com/images/_postcards/ltwl/thumbs/pwlekc132t.jpg"
"SubscribedURL"="http://www.annegeddes.com/images/_postcards/ltwl/thumbs/pwlekc132t.jpg"
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="http://www.annegeddes.com/images/_postcards/babyclothing/thumbs/pbcekc4544t.jpg"
"SubscribedURL"="http://www.annegeddes.com/images/_postcards/babyclothing/thumbs/pbcekc4544t.jpg"
"FriendlyName"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="http://www.annegeddes.com/images/_postcards/babyclothing/thumbs/lbcekc4497t.jpg"
"SubscribedURL"="http://www.annegeddes.com/images/_postcards/babyclothing/thumbs/lbcekc4497t.jpg"
"FriendlyName"=""

IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000001


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\Windows\\System32\\wsaupdater.exe,"
"OldUserinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


Rustock



DNS

Description: Compact Wireless-G USB Adapter #6 - Packet Scheduler Miniport
DNS Server Search Order: 199.45.32.43
DNS Server Search Order: 151.197.0.39

Description: Compact Wireless-G USB Adapter #6 - Packet Scheduler Miniport
DNS Server Search Order: 199.45.32.43
DNS Server Search Order: 151.197.0.39

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2B80C79A-0784-48B7-BE52-0C062C9AD462}: DhcpNameServer=199.45.32.43 151.197.0.39
HKLM\SYSTEM\CCS\Services\Tcpip\..\{F8258C96-0B9C-46AB-BF57-1D6989F58F23}: DhcpNameServer=199.45.32.43 151.197.0.39
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2B80C79A-0784-48B7-BE52-0C062C9AD462}: DhcpNameServer=199.45.32.43 151.197.0.39
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F8258C96-0B9C-46AB-BF57-1D6989F58F23}: DhcpNameServer=199.45.32.43 151.197.0.39
HKLM\SYSTEM\CS3\Services\Tcpip\..\{2B80C79A-0784-48B7-BE52-0C062C9AD462}: DhcpNameServer=199.45.32.43 151.197.0.39
HKLM\SYSTEM\CS3\Services\Tcpip\..\{F8258C96-0B9C-46AB-BF57-1D6989F58F23}: DhcpNameServer=199.45.32.43 151.197.0.39
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=199.45.32.43 151.197.0.39
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=199.45.32.43 151.197.0.39
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=199.45.32.43 151.197.0.39


Scanning for wininet.dll infection


End
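As an added example (not from this thread, and not part of SmitfraudFix), a small Python checker for the Winlogon and AppInit_DLLs sections of a SmitfraudFix search report like the one posted above: it splits the Userinit value and flags any program other than the stock userinit.exe, since everything listed there is started at every logon, and it also reports a populated AppInit_DLLs or Winlogon "System" value. The report excerpt is constructed from the posted log, and the expected userinit.exe path is an assumption for a stock Windows XP install.

```python
import re

# Constructed excerpt modelled on the SmitfraudFix report posted above.
SAMPLE_REPORT = r"""
AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000001


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\Windows\\System32\\wsaupdater.exe,"
"OldUserinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""
"""

# Assumption: the only program Userinit should name on a stock Windows XP system.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Matches .reg-style lines:  "Name"="string data"  or  "Name"=dword:hex
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-f]+))\s*$', re.I)


def parse_values(report):
    """Return {value_name: data} for every registry value line in the report.
    .reg escaping (doubled backslashes) is undone so paths compare as stored."""
    values = {}
    for line in report.splitlines():
        m = VALUE_RE.match(line.strip())
        if not m:
            continue  # section headers, key names and warnings are skipped
        name, data, dword = m.groups()
        values[name] = data.replace("\\\\", "\\") if data is not None else int(dword, 16)
    return values


def review_winlogon(report):
    """List logon-time load points that deserve a manual look."""
    values = parse_values(report)
    findings = []
    # Userinit is a comma-separated list; every entry runs at each interactive logon.
    entries = [e.strip() for e in values.get("Userinit", "").split(",") if e.strip()]
    for entry in entries:
        if entry.lower() != EXPECTED_USERINIT:
            findings.append(f"Userinit loads an extra program at logon: {entry}")
    # AppInit_DLLs are injected into every process that loads user32.dll.
    if values.get("AppInit_DLLs"):
        findings.append(f"AppInit_DLLs is populated: {values['AppInit_DLLs']}")
    if values.get("System"):
        findings.append(f"Winlogon System value is set: {values['System']}")
    return findings


if __name__ == "__main__":
    for finding in review_winlogon(SAMPLE_REPORT):
        print(finding)
```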

#4 ///

  • Members
  • 148 posts

Posted 31 March 2008 - 07:54 PM

Do you still have a problem or is it resolved? Get an anti-virus or anti-spyware program if you still have the problem. Get the WOT add-on for IE on the add-on site http://www.windowsmarketplace.com/details....;itemid=6003789 and get SiteAdvisor http://www.siteadvisor.com/download/ie.html; avoid going on bad sites and protect your computer from getting infections.

Try Spyware Doctor http://pack.google.com/intl/en/pack_instal..._campaign=en_US It's helped me during an infection :trumpet:
Also clean your PC http://www.ccleaner.com/ with a high overwrite to remove any data they can track your computer with :thumbsup:

I have IE7Pro too, it's a good add-on :flowers: Google all your programs to see if they have a history of malware.

Edited by ///, 31 March 2008 - 08:01 PM.


#5 don77

    Forum Regular

  • Members
  • 3,212 posts
  • Gender:Male
  • Location:Boston Mass

Posted 31 March 2008 - 08:57 PM

Do you still have a problem or is it resolved? Get an anti-virus or anti-spyware program if you still have the problem. Get the WOT add-on for IE on the add-on site http://www.windowsmarketplace.com/details....;itemid=6003789 and get SiteAdvisor http://www.siteadvisor.com/download/ie.html; avoid going on bad sites and protect your computer from getting infections.

Try Spyware Doctor http://pack.google.com/intl/en/pack_instal..._campaign=en_US It's helped me during an infection :trumpet:
Also clean your PC http://www.ccleaner.com/ with a high overwrite to remove any data they can track your computer with :thumbsup:

I have IE7Pro too, it's a good add-on :flowers: Google all your programs to see if they have a history of malware.



While I appreciate your help here, if you look there is an antivirus program running, Windows Defender, and TeaTimer from Spybot S&D.


Now let's get on with getting rid of this pest.


OTMoveIt2 -

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\jwpijuzc.exe

  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Next
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Please post back the requested logs when completed.


Also, I noticed you have started another topic at another forum which you have not received a reply to as of yet. Could you please post back to that topic and let them know you're receiving help already and to close that one?

It would be appreciated :inlove:

#6 ihatevirii
  • Topic Starter

  • Members
  • 5 posts

Posted 04 April 2008 - 12:50 PM

Thanks So Much don77.

I have mentioned on the other site for the post to be removed:
http://forums.techguy.org/malware-removal-...tml#post5759026

They weren't trying to help me anyway! :thumbsup:

So I used the OTMoveIt2 and here is the result:

C:\WINDOWS\system32\jwpijuzc.exe moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.0 log created on

04042008_133304

Now I am in the process of getting and using the Malwarebytes Anti-Malware.
I will post the results afterwards.

Thanks Again!

#7 ihatevirii
  • Topic Starter

  • Members
  • 5 posts

Posted 04 April 2008 - 02:46 PM

Okay I THINK IT WORRRKED!!! :trumpet:

don77 you rock! thanks so much.

Here is the log from MBAM:

Malwarebytes' Anti-Malware 1.10
Database version: 591

Scan type: Quick Scan
Objects scanned: 56028
Time elapsed: 19 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{343ce214-9998-4b21-a151-ffe970167297} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\mwc (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\pcsd (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\pcsd (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\zip (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\dwnrpofk (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\Installer\{8865f559-f185-49d5-8906-f014c5679434} (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\PC-Cleaner (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\AJ\Application Data\PC-Cleaner (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.

Files Infected:
C:\RECYCLER\NPROTECT\03838225.dll (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\AJ\Application Data\PC-Cleaner\log.dat (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\AJ\Application Data\PC-Cleaner\settings.dat (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.
C:\WINDOWS\rs.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\adaway.lic (Rogue.AdwareAway) -> Quarantined and deleted successfully.


:flowers:

Thanks Again! :thumbsup:

#8 don77

    Forum Regular

  • Members
  • 3,212 posts
  • Gender:Male
  • Location:Boston Mass

Posted 05 April 2008 - 09:24 AM

You're very welcome :thumbsup:


Let's just run one scan if you would please and then we will wrap this up.

Please do an online scan with Kaspersky WebScanner

Click on Accept Button

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#9 ihatevirii
  • Topic Starter

  • Members
  • 5 posts

Posted 07 April 2008 - 04:34 PM

don77: I actually have the full version of Kaspersky Anti-Virus now installed on this computer which you helped me to fix.
I have already done a full system scan and removed everything it found.

However the other computer here at my job is having problems now! :thumbsup:
It randomly pulls up this blue screen of death type thing and I don't know what to do.

Here it is: [screenshot not preserved]

Thanks again in advance.

#10 don77

    Forum Regular

  • Members
  • 3,212 posts
  • Gender:Male
  • Location:Boston Mass

Posted 08 April 2008 - 01:17 PM

Do you not have an IT department at your job? I usually stay clear of work machines as it's very common for the IT folks to put restrictions on the machine and such.



