Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I Think I Have Js/psyme Trojan...


  • Please log in to reply
13 replies to this topic

#1 april_c

april_c

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:20 PM

Posted 27 April 2008 - 02:57 PM

Hi. I noticed one day (about a week ago) that my desktop background had been changed to a blue screen with yellow lettering that says:

"Warning: Spyware threat has been detected on your PC. Your computer has sevral fatal errors due to spyware activity. It is strongly recommended to install an antispyware software to close all security vulnerabilities. Antispyware software helps protect your PC against spyware and other security threats. CLICK HERE TO SCAN YOUR PC FOR SPYWARE."

Whenever I go to my homepage (Google) and type in something in the search bar and click on the links provided, it usually takes me to a different site other than what it is supposed to take me to. Usually it is a site for antispyware, malware or something similar...although sometimes it takes me to ebay or other search engine sites. I have AVG free edition anti-virus installed on my computer. I have been using that for about the past 2 1/2-3 years and its always kept all the "bad stuff" from getting onto my computer. This is really the first thing I've seen that it hasn't taken care of. After running a scan on my computer with AVG it listed one thing that it didn't seem to be able to get rid of which was called JS/Psyme. I have read on other forums that alot of people have Hijack This so I have downloaded this onto my computer, but haven't used it yet. I also downloaded Crap Cleaner, or CCleaner. Haven't used anything but AVG so far since I'm familiar with it and have used it for quite some time. I am running XP Pro SP2 on my PC. Can anyone please tell me how to get rid of this very annoying trojan? Please! Also, let me know if you would like me to post my Hijack This log or any other info.

Thank you in advance for the help!!

-April C.

BC AdBot (Login to Remove)

 


m

#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,193 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:01:20 PM

Posted 27 April 2008 - 03:52 PM

Welcome to Bleeping Computer april_c.

Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining
.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.


Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opers browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program
.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Please ask any needed questions,post log and Let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 april_c

april_c
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:20 PM

Posted 27 April 2008 - 08:58 PM

Ok, here is the result of the SuperAntiSpyware free edition scan after following all of your directions:


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/27/2008 at 09:04 PM

Application Version : 4.0.1154

Core Rules Database Version : 3448
Trace Rules Database Version: 1440

Scan type : Complete Scan
Total Scan Time : 00:28:29

Memory items scanned : 176
Memory threats detected : 0
Registry items scanned : 4433
Registry threats detected : 92
File items scanned : 73499
File threats detected : 45

Trojan.Downloader-Gen/Insider
[Insider] C:\PROGRAM FILES\INSIDER\INSIDER.EXE
C:\PROGRAM FILES\INSIDER\INSIDER.EXE

Trojan.Unknown Origin
[qdyCNzW7MF] C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\ZEZKTAVQ\JINILMRW.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\ZEZKTAVQ\JINILMRW.EXE
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ultra soft
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ultra soft#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ultra soft#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ultra soft#DisplayIcon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ultra soft#DisplayVersion
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ultra soft#EstimatedSize

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{1a8523dc-1dd2-11b2-8f50-a0f5b7cb9b7f}
HKCR\CLSID\{1A8523DC-1DD2-11B2-8F50-A0F5B7CB9B7F}
HKCR\CLSID\{1A8523DC-1DD2-11B2-8F50-A0F5B7CB9B7F}\InprocServer32
HKCR\CLSID\{1A8523DC-1DD2-11B2-8F50-A0F5B7CB9B7F}\InprocServer32#ThreadingModel
HKCR\CLSID\{1A8523DC-1DD2-11B2-8F50-A0F5B7CB9B7F}\InprocServer32#t
C:\WINDOWS\RUPUDSFK.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1a8523dc-1dd2-11b2-8f50-a0f5b7cb9b7f}
HKCR\CLSID\{1A8523DC-1DD2-11B2-8F50-A0F5B7CB9B7F}

Adware.Mirar/NetNucleus
HKLM\Software\Classes\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8A0DCBDB-6E20-489C-9041-C1E8A0352E75}
HKCR\CLSID\{8A0DCBDB-6E20-489C-9041-C1E8A0352E75}
HKCR\CLSID\{8A0DCBDB-6E20-489C-9041-C1E8A0352E75}
HKCR\CLSID\{8A0DCBDB-6E20-489C-9041-C1E8A0352E75}\InprocServer32
HKCR\CLSID\{8A0DCBDB-6E20-489C-9041-C1E8A0352E75}\InprocServer32#ThreadingModel
HKCR\CLSID\{8A0DCBDB-6E20-489C-9041-C1E8A0352E75}\ProgID
HKCR\CLSID\{8A0DCBDB-6E20-489C-9041-C1E8A0352E75}\Programmable
HKCR\CLSID\{8A0DCBDB-6E20-489C-9041-C1E8A0352E75}\TypeLib
HKCR\CLSID\{8A0DCBDB-6E20-489C-9041-C1E8A0352E75}\VersionIndependentProgID
C:\WINDOWS\SYSTEM32\WINATS.DLL
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties#Ticket
HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}
HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}\ProxyStubClsid
HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}\ProxyStubClsid32
HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}\TypeLib
HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}\TypeLib#Version
HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}
HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\ProxyStubClsid
HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\ProxyStubClsid32
HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\TypeLib
HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\TypeLib#Version
HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}
HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\ProxyStubClsid
HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\ProxyStubClsid32
HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\TypeLib
HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\TypeLib#Version
HKCR\Mirar_Dummy_ATS.Mirar_Dummy_ATS1
HKCR\Mirar_Dummy_ATS.Mirar_Dummy_ATS1\CLSID
HKCR\Mirar_Dummy_ATS.Mirar_Dummy_ATS1\CurVer
HKCR\Mirar_Dummy_ATS.Mirar_Dummy_ATS1.1
HKCR\Mirar_Dummy_ATS.Mirar_Dummy_ATS1.1\CLSID
HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}
HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}\1.0
HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}\1.0\0
HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}\1.0\0\win32
HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}\1.0\FLAGS
HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}\1.0\HELPDIR
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/WinATS.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/WinATS.dll#.Owner
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/WinATS.dll#{8A0DCBDB-6E20-489C-9041-C1E8A0352E75}
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8A0DCBDB-6E20-489C-9041-C1E8A0352E75}#SystemComponent
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8A0DCBDB-6E20-489C-9041-C1E8A0352E75}#Installer
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8A0DCBDB-6E20-489C-9041-C1E8A0352E75}\Contains
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8A0DCBDB-6E20-489C-9041-C1E8A0352E75}\Contains\Files
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8A0DCBDB-6E20-489C-9041-C1E8A0352E75}\Contains\Files#C:\WINDOWS\system32\WinATS.dll
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8A0DCBDB-6E20-489C-9041-C1E8A0352E75}\DownloadInformation
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8A0DCBDB-6E20-489C-9041-C1E8A0352E75}\DownloadInformation#CODEBASE
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8A0DCBDB-6E20-489C-9041-C1E8A0352E75}\DownloadInformation#INF
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8A0DCBDB-6E20-489C-9041-C1E8A0352E75}\InstalledVersion
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8A0DCBDB-6E20-489C-9041-C1E8A0352E75}\InstalledVersion#LastModified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs#C:\WINDOWS\System32\WinATS.dll [  ]
C:\WINDOWS\Downloaded Program Files\WinATS.inf

Transponder Variant BHO
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}

Unclassified.Unknown Origin
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}

Adware.2020Search
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}

Adware.180solutions/SurfAssistant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}

Adware.Second Thought
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}

Adware.WebHancer
HKLM\Software\WebHancer
HKLM\Software\WebHancer#BaseDir
HKLM\Software\WebHancer\CC
HKLM\Software\WebHancer\CC#DistTag
HKLM\Software\WebHancer\CC#id

Adware.IPWins
HKU\S-1-5-21-1202660629-1965331169-725345543-1003\Software\IpWins

Adware.ClickSpring/Outer Info Network
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#Publisher
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#HelpLink
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#InstallLocation
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#NoModify
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#NoRepair
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayVersion

Trojan.DNSChanger-Codec
HKU\S-1-5-21-1202660629-1965331169-725345543-1003\Software\uninstall

Adware.AdSponsor/ISM
HKU\S-1-5-21-1202660629-1965331169-725345543-1003\Software\antica

Adware.WinTouch/XInside
C:\Program Files\InetGet2

Trojan.Unclassified-Packed/Suspicious
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\CBKVUZIN.DLL

Malware.DriveCleaner
C:\DOCUMENTS AND SETTINGS\APRIL\APPLICATION DATA\DRVCLEANER.EXE

Adware.ClickSpring/Yazzle
C:\PROGRAM FILES\COMMON FILES\YAZZLE1552OINUNINSTALLER.EXE

Trojan.FakeDrop-2020Search
C:\WINDOWS\2020SEARCH.DLL

Trojan.Fake-Drop/Gen
C:\WINDOWS\2020SEARCH2.DLL
C:\WINDOWS\APPHELP32.DLL
C:\WINDOWS\ASFERROR32.DLL
C:\WINDOWS\ASYCFILT32.DLL
C:\WINDOWS\ATHPRXY32.DLL
C:\WINDOWS\ATI2DVAA32.DLL
C:\WINDOWS\ATI2DVAG32.DLL
C:\WINDOWS\AUDIOSRV32.DLL
C:\WINDOWS\AUTODISC32.DLL
C:\WINDOWS\AVIFILE32.DLL
C:\WINDOWS\AVISYNTHEX32.DLL
C:\WINDOWS\AVIWRAP32.DLL
C:\WINDOWS\BJAM.DLL
C:\WINDOWS\BOKJA.EXE
C:\WINDOWS\BROWSERAD.DLL
C:\WINDOWS\CDSM32.DLL
C:\WINDOWS\CHANGEURL_30.DLL
C:\WINDOWS\MSA64CHK.DLL
C:\WINDOWS\MSAPASRC.DLL
C:\WINDOWS\MSPPHE.DLL
C:\WINDOWS\MSSVR.EXE
C:\WINDOWS\NTNUT.EXE
C:\WINDOWS\SAIEMOD.DLL
C:\WINDOWS\SHDOCPE.DLL
C:\WINDOWS\SHDOCPL.DLL
C:\WINDOWS\STCLOADER.EXE
C:\WINDOWS\SWIN32.DLL
C:\WINDOWS\VOICEIP.DLL
C:\WINDOWS\WINSB.DLL

Trojan.Downloader-Gen/Installer
C:\WINDOWS\B104.EXE

Rogue.WinPerformance
C:\WINDOWS\PERFINFO\QDYCNZW7MFWP.EXE

Trojan.Unclassified/Multi-Dropper
C:\WINDOWS\SYSTEM32\DALKTENO.EXE
C:\WINDOWS\SYSTEM32\PIJWZSDM.EXE
C:\WINDOWS\SYSTEM32\RIBSVAFM.EXE

Trojan.Unclassified/WinSelf
C:\WINDOWS\WINSELF.EXE


Please let me know what I need to do next. Thanks!

-April C.

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,193 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:01:20 PM

Posted 27 April 2008 - 09:13 PM

Wow a lot of baddies and rogue spyware.
Tell us how the PC is running after this scan and log.
What firewall do you have?
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Acan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 april_c

april_c
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:20 PM

Posted 27 April 2008 - 09:53 PM

I just have Windows firewall. I will go ahead and continue with the steps you have listed for Malwarebytes Anti-Malware, post the log here and also let you know how things are running.

I really appreciate all of your help so far! :thumbsup:

-April C.

#6 april_c

april_c
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:20 PM

Posted 27 April 2008 - 10:35 PM

Here is the log after running Malwarebytes Anti-Malware:


Malwarebytes' Anti-Malware 1.11
Database version: 692

Scan type: Quick Scan
Objects scanned: 37161
Time elapsed: 5 minute(s), 22 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 1
Registry Keys Infected: 25
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 6
Files Infected: 25

Memory Processes Infected:
c:\program files\Bat\X_Bat.exe (Adware.Batco) -> Unloaded process successfully.
C:\Documents and Settings\All Users\Application Data\Common\huvktgnu.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
c:\program files\Bat\Bat.dll (Adware.Batco) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{63f7460b-c831-4142-a4aa-5ec303ec4343} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{63f7460b-c831-4142-a4aa-5ec303ec4343} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a} (Adware.123Mania) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{f663b917-591f-4172-8d87-3d7d729007ca} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bat.batbho (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bat.batbho.1 (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d279bc2b-a85b-4559-8fd9-ddc55f5d402d} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{b80a3586-caa5-41c8-89bf-e617f0b6cfbf} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\mwc (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsSecurity1.209.4 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\BATCO (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Batco (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\bat.DLL (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Bat (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bat (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\xflock (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Insider (Adware.DnsInsider) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EnAppSrv (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AplSmartSet (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Insider (Adware.DnsInsider) -> Quarantined and deleted successfully.
C:\WINDOWS\PerfInfo (Rogue.WinPerformance) -> Quarantined and deleted successfully.
C:\Program Files\Bat (Adware.Batco) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\Rabio\Search Enhancer (Adware.SearchEnhancer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dustin\Application Data\ultra (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Rabio (Adware.Rabio) -> Quarantined and deleted successfully.

Files Infected:
c:\program files\Bat\X_Bat.exe (Adware.Batco) -> Quarantined and deleted successfully.
c:\program files\Bat\Bat.dll (Adware.Batco) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\Common\huvktgnu.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Common\ipwzkncb.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\Bat\Bat.dll.intermediate.manifest (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\Bat.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\Bat.info (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\Bat.original (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\Info.dll (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\un_BatSetup_15041.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\un_BatSetup_15041.txt (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\X_Bat.log (Adware.Batco) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dustin\Application Data\ultra\uninstall.bat (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\000060.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\000090.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\didduid.ini (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\123messenger.per (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\licencia.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\telefonos.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\textos.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winfrun32.bin (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\inf\ultra.inf (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\inf\ultra.PNF (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\wr.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\April\Start Menu\Programs\Startup\Bat - Auto Update.lnk (Adware.Batco) -> Quarantined and deleted successfully.



Please let me know what the next steps are...thanks.

-April C.

#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,586 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:20 PM

Posted 28 April 2008 - 06:52 AM

Did you reboot the computer after using MBAM? If it encounters a file that is difficult to remove, you need to restart the computer so the malware can be fully removed. Failure to do so will prevent MBAM from removing all the malware. Your log indicates some files will be deleted on reboot. If you have not rebooted, make sure you do this. When done, rescan again with MBAM and post the new log report.

After running a scan on my computer with AVG it listed one thing that it didn't seem to be able to get rid of which was called JS/Psyme

AVG FAQ 1317: JS/Psyme found in "Temporary Internet Files" folder

When done, lets us know how your computer is running and if there are any more reports/signs of infection.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#8 april_c

april_c
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:20 PM

Posted 30 April 2008 - 06:18 PM

Yes, I did reboot and I have run another scan. Here is the log file:

Malwarebytes' Anti-Malware 1.11
Database version: 692

Scan type: Full Scan (C:\|E:\|F:\|)
Objects scanned: 115738
Time elapsed: 37 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 20

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{A455D211-5D22-43B7-9462-E122A8E0CD28}\RP469\A0047384.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A455D211-5D22-43B7-9462-E122A8E0CD28}\RP469\A0047388.exe (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A455D211-5D22-43B7-9462-E122A8E0CD28}\RP469\A0047390.dll (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A455D211-5D22-43B7-9462-E122A8E0CD28}\RP469\A0047391.dll (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A455D211-5D22-43B7-9462-E122A8E0CD28}\RP469\A0047392.exe (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A455D211-5D22-43B7-9462-E122A8E0CD28}\RP469\A0047397.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A455D211-5D22-43B7-9462-E122A8E0CD28}\RP469\A0047645.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A455D211-5D22-43B7-9462-E122A8E0CD28}\RP469\A0047651.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A455D211-5D22-43B7-9462-E122A8E0CD28}\RP469\A0047662.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A455D211-5D22-43B7-9462-E122A8E0CD28}\RP470\A0047675.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A455D211-5D22-43B7-9462-E122A8E0CD28}\RP470\A0047681.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A455D211-5D22-43B7-9462-E122A8E0CD28}\RP471\A0047691.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A455D211-5D22-43B7-9462-E122A8E0CD28}\RP472\A0047748.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A455D211-5D22-43B7-9462-E122A8E0CD28}\RP472\A0047755.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A455D211-5D22-43B7-9462-E122A8E0CD28}\RP473\A0047772.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A455D211-5D22-43B7-9462-E122A8E0CD28}\RP473\A0047774.dll (Adware.Mirar) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A455D211-5D22-43B7-9462-E122A8E0CD28}\RP473\A0047777.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A455D211-5D22-43B7-9462-E122A8E0CD28}\RP473\A0047808.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A455D211-5D22-43B7-9462-E122A8E0CD28}\RP473\A0047813.exe (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A455D211-5D22-43B7-9462-E122A8E0CD28}\RP473\A0047826.exe (Adware.Batco) -> Quarantined and deleted successfully.


What should I do next? My computer desktop still has a blue screen with yellow writing with the message that I listed in my first post on this forum. However, when I type in a search on Google and click on the search result links it is working better now. Before it would bring me to webpages that I didn't intend to go to, mainly spyware removal sites. Now it will actually let me go to the websites that I'm wanting to go to. I think pretty much everything except for my desktop is back to normal....but I don't know. Take a look at my latest log and let me know what you think. It still said it found 20 infected files. Thanks.

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,193 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:01:20 PM

Posted 30 April 2008 - 07:53 PM

Some malware is living in the systen Restore. we'll fix that after this.

Download Attribune's ATF Cleanerand then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining
.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opers browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.


NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Please ask any needed questions,post log and Let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#10 april_c

april_c
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:20 PM

Posted 30 April 2008 - 08:56 PM

I have completed the ATF Cleaner and Super Anti-Spyware scans. I have pasted the log from Super Anti-Spyware below. There were no threats detected.


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/30/2008 at 09:48 PM

Application Version : 4.0.1154

Core Rules Database Version : 3451
Trace Rules Database Version: 1443

Scan type : Complete Scan
Total Scan Time : 00:28:37

Memory items scanned : 179
Memory threats detected : 0
Registry items scanned : 4417
Registry threats detected : 0
File items scanned : 73554
File threats detected : 0

Please let me know what to do in order to remove the malware that is in the system restore. Thanks!

#11 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,193 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:01:20 PM

Posted 30 April 2008 - 09:02 PM

Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#12 april_c

april_c
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:20 PM

Posted 30 April 2008 - 09:35 PM

Ok, I have done what you said above. The only problem I am having now is that whenever I boot up my computer, right after it gets done booting a message appears that says:

RegSvr32

LoadLibrary ("C:\DocumentsandSettings\All Users\ApplicationData\cbkvuzin.dll") failed - The specified module could not be found.

What does this mean? And how would I fix this? I'm not even sure if this is something that would effect anything I would need to do on my computer...but I would like to still fix this error message if possible. Any ideas?

#13 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:02:20 PM

Posted 30 April 2008 - 09:47 PM

http://www.bleepingcomputer.com/forums/ind...st&p=809006

please read the part relating to autoruns
Chewy

No. Try not. Do... or do not. There is no try.

#14 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,586 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:20 PM

Posted 01 May 2008 - 05:22 AM

My computer desktop still has a blue screen with yellow writing with the message that I listed in my first post on this forum.

Go to Start > Control Panel > Display. Click on the "Desktop" tab, then the "Customize Desktop..." button.
Click on the "Web" tab, then under Web Pages, uncheck and delete everything you find (except "My Current Home page").
These are some common malware related entries you may see:
  • Security Info
  • Warning Message
  • Security Desktop
  • Warning Homepage
  • Privacy Protection
  • Desktop Uninstall
If present, select each entry and click the Delete button.
Also, make sure the Lock desktop items box is unchecked. Click "Ok", then "Apply" and "Ok".
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users