Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Cool Web Search Infection


  • Please log in to reply
7 replies to this topic

#1 Warning

Warning

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:24 PM

Posted 27 May 2008 - 07:44 PM

Operation system Window XP Home edition

My mom switched on my laptop in the morning of May 26, and downloaded a movie thru pipi.cn (a chinese movie search engine). Since then, several things have happened.

1) A warning symbol (golden triangle with a exclamation sign in the middle) will appear every 2 minutes. A message bubble will appear on top of it bearing 4 different messages. They are, "Your Security and privacy are at risk!...", " Warning: Your computer is infected with spyware!...", "Internet attack attempt detected:...", and "Your computer is working slowly!...". When I clicked the bubble, an ie window opened and loaded a webpage selling anti-spyware softwares. It's URL is <http://windows-privacy-protection.com/?aid=444.0>. But I see the address "about:security" in the address bar. I must add that I foolishly downloaded one of the advertised softwares, SpyMaxx, and used it to scan my laptop.

2) Hijacked desktop. My desktop turned turqoise blue. Although I tried to change to desktop thru Display Properties, but it would change back automatically around every 60.5 seconds. I notice this phenomenon is coupled with a two flickers of blackness of all the icons on the desktop as well. A warning in yellow font, "Warning: Spyware threat has been detected on your PC..." and a link to the aforementioned website is on the desktop as well.

3) Pop-up Windows. A window with a red border and a eye-catching red panel with the title "Windows Security Center system warning" on the title bar appears around every 19 minutes. It has a white box that shows the file infected and the name of the threat. The file changes, from helpcvs.exe, to funny.exe, loader.exe, notepad 32.exe and several different others have appeared in rotation. It also has a link to the aforementioned website as well.
A window with the term "Windows Security Center" in the title bar appears periodically as well. And this one features a blue panel with the shield symbol and the words Security Center. And of course the link is there.

4) My task manager function is disabled. I tried every solution suggested by PC hell @ <http://www.pchell.com/support/taskmanagerdisabled.shtml>, none worked.

5) Takes double amount of time to start up then usual.

Solutions I have tried

1)Spybot. Updated 5/26. Set it off to search and destroy. The first time it froze when it was destroying the malwares. The second time it completed the job, but the trouble remained.

2)Ad-Ware SE Personal. Updated 5/26. Same fate. Added VX2 plug-in. Found out I'm safe from it.

3)Bazooka. The solution pages for CoolWebSearch and its variants are offline. Manual removal thru regedit suggested for RDLL Backdoor, SmartSearch, SmartSearch.iexplorer doesn't work. Either the registry I should delete does not exist, or the suggest Key does not exist. And when I delete the suggested files thru Window Explorer, they keep coming back. I notice that all the symptoms displayed in normal mode appear in safe mode as well, all except the desktop, which turned black and message-less.

4)Foolishly downloaded and tried SpyMaxx. Argh, that horrible creature. Fortunately, I did not pay for it and looked to solution else where.

5)CWS shredder. Used it to scan and destroy many times. The same 13 CWS variants always remain.

6)Spyware doctor. Updated 5/26. No luck there.

7)Finally found this forum. Found an entry titled "Cool Web Search Infection With All The Bells And Whistles, Hijacked desktop, can't restore, can't taskmanager" posted 11:42am May 25, 2008 by pambanter showing the very similar trouble I have. Overjoy!

8)Malwarebytes' Anti-Malware. Did the scan suggested by moderator-boopme. Around a dozen malwares were found and destroyed. Upon restart Mbam did not start automatically. I turned it on again and found and destroyed 1 malware. However, all the symptoms still remain.

What should I do?
:thumbsup:

Edited by Orange Blossom, 27 May 2008 - 09:15 PM.
Deactivate links. ~ OB


BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,934 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:24 PM

Posted 27 May 2008 - 10:12 PM

Ok now run this tool and post back the scan report.
SmitFraudFix by S!Ri

The report can be found at the root of the system drive, usually at C:\rapport.txt

To fix the Task Manager issue please follow the instructions in Post #4 here...
http://www.bleepingcomputer.com/forums/t/132872/task-manager-disabled/
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Warning

Warning
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:24 PM

Posted 27 May 2008 - 11:35 PM

Thanks a trillion for your help, boopme. Here's Smit Scan report.

SmitFraudFix v2.323

Scan done at 20:39:10.50, Tue 05/27/2008
Run from C:\Documents and Settings\Pak Lam\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\vbpdtvdp.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\Sktempdm.exe
C:\Program Files\Net Tools\CPU.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\ppfilm\jfCacheMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NJStar Communicator\NJCOM32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\accesss.exe FOUND !
C:\WINDOWS\astctl32.ocx FOUND !
C:\WINDOWS\avpcc.dll FOUND !
C:\WINDOWS\clrssn.exe FOUND !
C:\WINDOWS\cpan.dll FOUND !
C:\WINDOWS\default.htm FOUND !
C:\WINDOWS\iexplorer.exe FOUND !
C:\WINDOWS\loader.exe FOUND !
C:\WINDOWS\mtwirl32.dll FOUND !
C:\WINDOWS\notepad32.exe FOUND !
C:\WINDOWS\olehelp.exe FOUND !
C:\WINDOWS\systeem.exe FOUND !
C:\WINDOWS\systemcritical.exe FOUND !
C:\WINDOWS\time.exe FOUND !
C:\WINDOWS\users32.exe FOUND !
C:\WINDOWS\waol.exe FOUND !
C:\WINDOWS\win32e.exe FOUND !
C:\WINDOWS\win64.exe FOUND !
C:\WINDOWS\winajbm.dll FOUND !
C:\WINDOWS\window.exe FOUND !
C:\WINDOWS\winmgnt.exe FOUND !
C:\WINDOWS\x.exe FOUND !
C:\WINDOWS\xplugin.dll FOUND !
C:\WINDOWS\xxxvideo.hta FOUND !
C:\WINDOWS\y.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Pak Lam


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Pak Lam\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\PAKLAM~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\vbpdtvdp.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Broadcom 802.11b/g WLAN - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.254

HKLM\SYSTEM\CCS\Services\Tcpip\..\{22C666EF-0508-4985-9172-F87D700043A0}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{22C666EF-0508-4985-9172-F87D700043A0}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\..\{22C666EF-0508-4985-9172-F87D700043A0}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#4 Warning

Warning
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:24 PM

Posted 28 May 2008 - 12:09 AM

I followed quietman 7's suggestion (A million thanks to you as well) from topic132872, post 4 to solve the taskmanager issue and here's the result.

When I double-clickd regtmcmdrestore.vbs in my desktop a new window opened. It has C:\WINDOES\System32\CScript.exe in its title bar. It also has 2 lines- 'Microsoft<R> Window Script Host Version 5.6' and 'Copyright <C> Microsoft Corporation 1996-2001. All rights reserved.' in the window.

The up and down cursor of the window is 0.6cm long (my display resolution is 1024x768). I can drag it down, although there is nothing under the two lines I mentioned.

A size 3cmx3cm window with a minicule window as an icon in the title bar also appeared. It takes more than a second to appear the first time after the CScript.exe window was displayed. It takes less than a second for it to show up the second and third time I tried. The window has the word 'Finished!' in the middle, and there's a OK button beneath the word. A "Dong" sound was heard when this appear.

Task manager is still disabled. I tried the procedure in safe mode as well, no good.

Edited by Warning, 28 May 2008 - 12:30 AM.


#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,139 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:24 PM

Posted 28 May 2008 - 11:22 AM

You did not follow all the instructions for using Smitfruadfix. The rapport.txt you posted indicates that you only ran option #1 while in normal mode. You still need to complete the next step. Please print out these "instructions". Make sure you scroll down to Clean and perform the steps where you reboot in "Safe Mode" and run option #2.
The program will go through a series of cleanup processes and automatically start the Disk Cleanup program to remove Temporary files. Wait for the tool to complete and Disk Cleanup to finish.

Then please print out and follow the instructions for using SDFix in BC's self-help tutorial "How to use SDFix".
-- When using this tool, you must use the Administrator's account or an account with "Administrative rights"
-- Disconnect from the Internet and temporarily disable your anti-virus and any anti-malware real time protection before performing a scan.

When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt. Please copy and paste the contents of Report.txt in your next reply. Be sure to renable you anti-virus and and other security programs before connecting to the Internet.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#6 Warning

Warning
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:24 PM

Posted 28 May 2008 - 11:47 PM

Thanks for the help again. Really appreciate it.

Here's the correct SmitFraudFix log.

SmitFraudFix v2.323

Scan done at 20:23:15.17, Wed 05/28/2008
Run from C:\Documents and Settings\Pak Lam\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\accesss.exe Deleted
C:\WINDOWS\astctl32.ocx Deleted
C:\WINDOWS\avpcc.dll Deleted
C:\WINDOWS\clrssn.exe Deleted
C:\WINDOWS\cpan.dll Deleted
C:\WINDOWS\default.htm Deleted
C:\WINDOWS\iexplorer.exe Deleted
C:\WINDOWS\loader.exe Deleted
C:\WINDOWS\mtwirl32.dll Deleted
C:\WINDOWS\notepad32.exe Deleted
C:\WINDOWS\olehelp.exe Deleted
C:\WINDOWS\systeem.exe Deleted
C:\WINDOWS\systemcritical.exe Deleted
C:\WINDOWS\time.exe Deleted
C:\WINDOWS\users32.exe Deleted
C:\WINDOWS\waol.exe Deleted
C:\WINDOWS\win32e.exe Deleted
C:\WINDOWS\win64.exe Deleted
C:\WINDOWS\winajbm.dll Deleted
C:\WINDOWS\window.exe Deleted
C:\WINDOWS\winmgnt.exe Deleted
C:\WINDOWS\x.exe Deleted
C:\WINDOWS\xplugin.dll Deleted
C:\WINDOWS\xxxvideo.hta Deleted
C:\WINDOWS\y.exe Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» Reboot

C:\WINDOWS\default.htm Deleted
C:\WINDOWS\iexplorer.exe Deleted


»»»»»»»»»»»»»»»»»»»»»»»» End

#7 Warning

Warning
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:24 PM

Posted 28 May 2008 - 11:52 PM

And here's the SDFix log.


SDFix: Version 1.186
Run by Pak Lam on Wed 05/28/2008 at 20:56

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Desktop Wallpaper

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\x.exe - Deleted
C:\WINDOWS\y.exe - Deleted
C:\WINDOWS\accesss.exe - Deleted
C:\WINDOWS\astctl32.ocx - Deleted
C:\WINDOWS\avpcc.dll - Deleted
C:\WINDOWS\clrssn.exe - Deleted
C:\WINDOWS\cpan.dll - Deleted
C:\WINDOWS\ctfmon32.exe - Deleted
C:\WINDOWS\ctrlpan.dll - Deleted
C:\WINDOWS\default.htm - Deleted
C:\WINDOWS\directx32.exe - Deleted
C:\WINDOWS\dnsrelay.dll - Deleted
C:\WINDOWS\editpad.exe - Deleted
C:\WINDOWS\explore.exe - Deleted
C:\WINDOWS\explorer32.exe - Deleted
C:\WINDOWS\funniest.exe - Deleted
C:\WINDOWS\funny.exe - Deleted
C:\WINDOWS\gfmnaaa.dll - Deleted
C:\WINDOWS\helpcvs.exe - Deleted
C:\WINDOWS\iedll.exe - Deleted
C:\WINDOWS\iexplorer.exe - Deleted
C:\WINDOWS\inetinf.exe - Deleted
C:\WINDOWS\internet.exe - Deleted
C:\WINDOWS\loader.exe - Deleted
C:\WINDOWS\msconfd.dll - Deleted
C:\WINDOWS\msspi.dll - Deleted
C:\WINDOWS\mssys.exe - Deleted
C:\WINDOWS\msupdate.exe - Deleted
C:\WINDOWS\mswsc10.dll - Deleted
C:\WINDOWS\mswsc20.dll - Deleted
C:\WINDOWS\mtwirl32.dll - Deleted
C:\WINDOWS\notepad32.exe - Deleted
C:\WINDOWS\olehelp.exe - Deleted
C:\WINDOWS\qttasks.exe - Deleted
C:\WINDOWS\quicken.exe - Deleted
C:\WINDOWS\rundll16.exe - Deleted
C:\WINDOWS\rundll32.vbe - Deleted
C:\WINDOWS\searchword.dll - Deleted
C:\WINDOWS\sistem.exe - Deleted
C:\WINDOWS\svchost32.exe - Deleted
C:\WINDOWS\svcinit.exe - Deleted
C:\WINDOWS\systeem.exe - Deleted
C:\WINDOWS\systemcritical.exe - Deleted
C:\WINDOWS\time.exe - Deleted
C:\WINDOWS\users32.exe - Deleted
C:\WINDOWS\waol.exe - Deleted
C:\WINDOWS\win32e.exe - Deleted
C:\WINDOWS\win64.exe - Deleted
C:\WINDOWS\winajbm.dll - Deleted
C:\WINDOWS\window.exe - Deleted
C:\WINDOWS\winmgnt.exe - Deleted
C:\WINDOWS\xplugin.dll - Deleted
C:\WINDOWS\xxxvideo.hta - Deleted
C:\WINDOWS\x.exe - Deleted
C:\WINDOWS\y.exe - Deleted
C:\WINDOWS\accesss.exe - Deleted
C:\WINDOWS\astctl32.ocx - Deleted
C:\WINDOWS\avpcc.dll - Deleted
C:\WINDOWS\clrssn.exe - Deleted
C:\WINDOWS\cpan.dll - Deleted
C:\WINDOWS\ctfmon32.exe - Deleted
C:\WINDOWS\ctrlpan.dll - Deleted
C:\WINDOWS\default.htm - Deleted
C:\WINDOWS\directx32.exe - Deleted
C:\WINDOWS\dnsrelay.dll - Deleted
C:\WINDOWS\editpad.exe - Deleted
C:\WINDOWS\explore.exe - Deleted
C:\WINDOWS\explorer32.exe - Deleted
C:\WINDOWS\funniest.exe - Deleted
C:\WINDOWS\funny.exe - Deleted
C:\WINDOWS\gfmnaaa.dll - Deleted
C:\WINDOWS\helpcvs.exe - Deleted
C:\WINDOWS\iedll.exe - Deleted
C:\WINDOWS\iexplorer.exe - Deleted
C:\WINDOWS\inetinf.exe - Deleted
C:\WINDOWS\internet.exe - Deleted
C:\WINDOWS\loader.exe - Deleted
C:\WINDOWS\msconfd.dll - Deleted
C:\WINDOWS\msspi.dll - Deleted
C:\WINDOWS\mssys.exe - Deleted
C:\WINDOWS\msupdate.exe - Deleted
C:\WINDOWS\mswsc10.dll - Deleted
C:\WINDOWS\mswsc20.dll - Deleted
C:\WINDOWS\mtwirl32.dll - Deleted
C:\WINDOWS\notepad32.exe - Deleted
C:\WINDOWS\olehelp.exe - Deleted
C:\WINDOWS\qttasks.exe - Deleted
C:\WINDOWS\quicken.exe - Deleted
C:\WINDOWS\rundll16.exe - Deleted
C:\WINDOWS\rundll32.vbe - Deleted
C:\WINDOWS\searchword.dll - Deleted
C:\WINDOWS\sistem.exe - Deleted
C:\WINDOWS\svchost32.exe - Deleted
C:\WINDOWS\svcinit.exe - Deleted
C:\WINDOWS\systeem.exe - Deleted
C:\WINDOWS\systemcritical.exe - Deleted
C:\WINDOWS\time.exe - Deleted
C:\WINDOWS\users32.exe - Deleted
C:\WINDOWS\waol.exe - Deleted
C:\WINDOWS\win32e.exe - Deleted
C:\WINDOWS\win64.exe - Deleted
C:\WINDOWS\winajbm.dll - Deleted
C:\WINDOWS\window.exe - Deleted
C:\WINDOWS\winmgnt.exe - Deleted
C:\WINDOWS\xplugin.dll - Deleted
C:\WINDOWS\xxxvideo.hta - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-28 21:35:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s0"=dword:0c844c9a
"s1"=dword:5a71cce2
"s2"=dword:92c2cc19
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:24,39,69,c4,73,30,90,06,ee,8b,b1,2a,db,33,50,fa,75,44,18,18,c1,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:24,39,69,c4,73,30,90,06,ee,8b,b1,2a,db,33,50,fa,75,44,18,18,c1,..

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1611C4BA-A2C1-22E3-FD1F-1CB764464185}]
"bbpcbkecpogkkmlpdcgafkdlmdoaijacmnkl"=hex:6b,61,66,61,6c,6e,67,67,65,66,66,66,65,68,63,62,69,62,6e,6a,6b,..

scanning hidden files ...

C:\WINDOWS\iedll.exe
C:\WINDOWS\sistem.exe 20736 bytes
C:\WINDOWS\svchost32.exe 28928 bytes
C:\WINDOWS\svcinit.exe 22272 bytes
C:\WINDOWS\systeem.exe 22016 bytes
C:\WINDOWS\systemcritical.exe 27904 bytes
C:\WINDOWS\time.exe 9728 bytes
C:\WINDOWS\users32.exe 28160 bytes
C:\WINDOWS\waol.exe 24832 bytes
C:\WINDOWS\loader.exe 12800 bytes
C:\WINDOWS\msconfd.dll 9984 bytes
C:\WINDOWS\msspi.dll 13056 bytes
C:\WINDOWS\mssys.exe 9472 bytes
C:\WINDOWS\msupdate.exe 17920 bytes
C:\WINDOWS\mswsc10.dll 26368 bytes
C:\WINDOWS\mswsc20.dll 26112 bytes
C:\WINDOWS\mtwirl32.dll 16128 bytes
C:\WINDOWS\win32e.exe 24832 bytes
C:\WINDOWS\win64.exe 29952 bytes
C:\WINDOWS\winajbm.dll 22016 bytes
C:\WINDOWS\window.exe 14592 bytes
C:\WINDOWS\winmgnt.exe 11776 bytes
C:\WINDOWS\x.exe 25600 bytes
C:\WINDOWS\xplugin.dll 20736 bytes
C:\WINDOWS\xxxvideo.hta 30976 bytes
C:\WINDOWS\y.exe 12544 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 26


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Enabled:Earthlink"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"
"C:\\Program Files\\CCTV\\cctv_client.exe"="C:\\Program Files\\CCTV\\cctv_client.exe:*:Enabled:UUSEE"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\One Step Up\\utorrent.exe"="C:\\One Step Up\\utorrent.exe:*:Enabled:ęTorrent"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:ęTorrent"
"C:\\Program Files\\ppfilm\\jfCacheMgr.exe"="C:\\Program Files\\ppfilm\\jfCacheMgr.exe:*:Enabled:jfCacheMgr(http://www.ppfilm.cn)"
"C:\\Program Files\\ppfilm\\KmLiveUpdate.exe"="C:\\Program Files\\ppfilm\\KmLiveUpdate.exe:*:Enabled:KmLiveUpdate(http://www.ppfilm.cn)"
"C:\\Program Files\\ppfilm\\ppFilmPlayer.exe"="C:\\Program Files\\ppfilm\\ppFilmPlayer.exe:*:Enabled:ppFilmPlayer"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"

Remaining Files :

C:\WINDOWS\x.exe Found
C:\WINDOWS\y.exe Found
C:\WINDOWS\accesss.exe Found
C:\WINDOWS\astctl32.ocx Found
C:\WINDOWS\avpcc.dll Found
C:\WINDOWS\clrssn.exe Found
C:\WINDOWS\cpan.dll Found
C:\WINDOWS\ctfmon32.exe Found
C:\WINDOWS\ctrlpan.dll Found
C:\WINDOWS\default.htm Found
C:\WINDOWS\directx32.exe Found
C:\WINDOWS\dnsrelay.dll Found
C:\WINDOWS\editpad.exe Found
C:\WINDOWS\explore.exe Found
C:\WINDOWS\explorer32.exe Found
C:\WINDOWS\funniest.exe Found
C:\WINDOWS\funny.exe Found
C:\WINDOWS\gfmnaaa.dll Found
C:\WINDOWS\helpcvs.exe Found
C:\WINDOWS\iedll.exe Found
C:\WINDOWS\iexplorer.exe Found
C:\WINDOWS\inetinf.exe Found
C:\WINDOWS\internet.exe Found
C:\WINDOWS\loader.exe Found
C:\WINDOWS\msconfd.dll Found
C:\WINDOWS\msspi.dll Found
C:\WINDOWS\mssys.exe Found
C:\WINDOWS\msupdate.exe Found
C:\WINDOWS\mswsc10.dll Found
C:\WINDOWS\mswsc20.dll Found
C:\WINDOWS\mtwirl32.dll Found
C:\WINDOWS\notepad32.exe Found
C:\WINDOWS\olehelp.exe Found
C:\WINDOWS\qttasks.exe Found
C:\WINDOWS\quicken.exe Found
C:\WINDOWS\rundll16.exe Found
C:\WINDOWS\rundll32.vbe Found
C:\WINDOWS\searchword.dll Found
C:\WINDOWS\sistem.exe Found
C:\WINDOWS\svchost32.exe Found
C:\WINDOWS\svcinit.exe Found
C:\WINDOWS\systeem.exe Found
C:\WINDOWS\systemcritical.exe Found
C:\WINDOWS\time.exe Found
C:\WINDOWS\users32.exe Found
C:\WINDOWS\waol.exe Found
C:\WINDOWS\win32e.exe Found
C:\WINDOWS\win64.exe Found
C:\WINDOWS\winajbm.dll Found
C:\WINDOWS\window.exe Found
C:\WINDOWS\winmgnt.exe Found
C:\WINDOWS\xplugin.dll Found
C:\WINDOWS\xxxvideo.hta Found
C:\WINDOWS\x.exe Found
C:\WINDOWS\y.exe Found
C:\WINDOWS\accesss.exe Found
C:\WINDOWS\astctl32.ocx Found
C:\WINDOWS\avpcc.dll Found
C:\WINDOWS\clrssn.exe Found
C:\WINDOWS\cpan.dll Found
C:\WINDOWS\ctfmon32.exe Found
C:\WINDOWS\ctrlpan.dll Found
C:\WINDOWS\default.htm Found
C:\WINDOWS\directx32.exe Found
C:\WINDOWS\dnsrelay.dll Found
C:\WINDOWS\editpad.exe Found
C:\WINDOWS\explore.exe Found
C:\WINDOWS\explorer32.exe Found
C:\WINDOWS\funniest.exe Found
C:\WINDOWS\funny.exe Found
C:\WINDOWS\gfmnaaa.dll Found
C:\WINDOWS\helpcvs.exe Found
C:\WINDOWS\iedll.exe Found
C:\WINDOWS\iexplorer.exe Found
C:\WINDOWS\inetinf.exe Found
C:\WINDOWS\internet.exe Found
C:\WINDOWS\loader.exe Found
C:\WINDOWS\msconfd.dll Found
C:\WINDOWS\msspi.dll Found
C:\WINDOWS\mssys.exe Found
C:\WINDOWS\msupdate.exe Found
C:\WINDOWS\mswsc10.dll Found
C:\WINDOWS\mswsc20.dll Found
C:\WINDOWS\mtwirl32.dll Found
C:\WINDOWS\notepad32.exe Found
C:\WINDOWS\olehelp.exe Found
C:\WINDOWS\qttasks.exe Found
C:\WINDOWS\quicken.exe Found
C:\WINDOWS\rundll16.exe Found
C:\WINDOWS\rundll32.vbe Found
C:\WINDOWS\searchword.dll Found
C:\WINDOWS\sistem.exe Found
C:\WINDOWS\svchost32.exe Found
C:\WINDOWS\svcinit.exe Found
C:\WINDOWS\systeem.exe Found
C:\WINDOWS\systemcritical.exe Found
C:\WINDOWS\time.exe Found
C:\WINDOWS\users32.exe Found
C:\WINDOWS\waol.exe Found
C:\WINDOWS\win32e.exe Found
C:\WINDOWS\win64.exe Found
C:\WINDOWS\winajbm.dll Found
C:\WINDOWS\window.exe Found
C:\WINDOWS\winmgnt.exe Found
C:\WINDOWS\xplugin.dll Found
C:\WINDOWS\xxxvideo.hta Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Fri 24 Jun 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 18 Jul 2005 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv13.bak"
Mon 11 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT2.tmp"
Wed 23 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\523d056929e13eacf8392044f602e53e\BIT3.tmp"
Thu 7 Dec 2006 3,096,576 A..H. --- "C:\Documents and Settings\Pak Lam\Application Data\U3\temp\Launchpad Removal.exe"
Wed 31 Oct 2007 19,968 A..H. --- "C:\Documents and Settings\Pak Lam\My Documents\Ultimate Orgasm\Chaffey\Acctg1a\Project\~WRL2062.tmp"
Wed 31 Oct 2007 19,968 A..H. --- "C:\Documents and Settings\Pak Lam\My Documents\Ultimate Orgasm\Chaffey\Acctg1a\Project\~WRL3057.tmp"

Finished!

[b]All the symptoms remain. A pop-up window (The red panel one I mentioned in post 1) appeared during the SDFix scan as well.[/b]

Edited by Warning, 28 May 2008 - 11:54 PM.


#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,139 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:24 PM

Posted 29 May 2008 - 06:19 AM

Appears you are dealing with several types of malware. One or more of the identified infections is a backdoor Trojan. Backdoor Trojans, IRCBots and Infostealers are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge. Read the Danger: Remote Access Trojans.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the backdoor Trojan has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the backdoor Trojan has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read "When should I re-format? How should I reinstall?" and "Help: I Got Hacked. Now What Do I Do?".

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, please do the following.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log" and complete all the steps. There are instructions for downloading and running Deckard's System Scanner (DSS) which will create a hijackthis log for you, or automatically download and install the most current version of HijackThis if it's not already installed on your computer.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that your getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users