Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Antivirus 2009 and other popups


  • This topic is locked This topic is locked
20 replies to this topic

#1 Pixel556

Pixel556

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:11:39 PM

Posted 08 December 2008 - 06:11 PM

Hello,
I would appreciate some help, if possible. I've downloaded and used Spybot S&D and Spyware Blaster, and that seemed to get rid of some popups. I still get Antivirus 2009, as well as other popups that are invasive, and sometimes shut down my web browser.
I am running Windows XP, with Service pack 3. I have my firewall up. Because of the popups, I can't get the Kaspersky online scanner to fully update, it just gets shut down. Also, there is an error message when I try to use the RSIT program.
Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:10:51 PM, on 12/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\system32\PnkBstrA.exe
E:\WINDOWS\system32\PnkBstrB.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\wscntfy.exe
E:\Program Files\Microsoft IntelliType Pro\itype.exe
E:\Program Files\Microsoft IntelliPoint\ipoint.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\WINDOWS\RTHDCPL.EXE
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\rundll32.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
F2 - REG:system.ini: UserInit=E:\WINDOWS\system32\userinit.exe,E:\WINDOWS\system32\twext.exe,
O4 - HKLM\..\Run: [itype] "E:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "E:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [JMB36X IDE Setup] E:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] E:\WINDOWS\System32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: StartupCop Pro.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1223667890359
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - E:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: hgdrrq.dll pnfksw.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\hpzipm12.exe
O23 - Service: PnkBstrA - Unknown owner - E:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - E:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - E:\Program Files\CyberLink\Shared files\RichVideo.exe (file missing)

--
End of file - 4184 bytes

Any help would be great. I'd love to get my computer free of the clutches of evil pop-ups.
-Ian

BC AdBot (Login to Remove)

 


#2 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:39 AM

Posted 15 December 2008 - 10:32 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you with your log.

I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following so I can have a look at the current condition of your machine.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Further more, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Finally, please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files before we run OTScanIt. You will likely be logged out of the forum where you are recieving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
  • If you use any other browsers, select them appropriately from the top and empty all items.
Download and Run OTScanIt
Download OTScanIt by OldTimer to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program. If you are running on Vista then right-click the program and choose Run as Administrator.
  • Check the Scan all users box at the top left.
  • Click the Extras button under "Additional Scans".
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Close Notepad (saving the change if necessary).
  • Use the Add Reply button in the forum and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt folder and named OTScanIt.txt.
Download and Run Scan with GMER
We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.
  • Close all other running programs. There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>.
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • Click OK.
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop buttons turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in Safe Mode
Important!:Please do not select the Show all checkbox during the scan..

In your next reply include:
-the OTScanIt log (attached)
-the GMER log (pasted directly into your reply)

Please also tell me of any changes you have made to your computer since your topic was started.

If you do not make a reply in 5 days, we will need to close your topic.

With Regards,
The Panda

Important Note to Other Users Reading this Topic: The instructions provided in this topic below this point are for the original topic starter only. Even if you have similar problems or log entries to those given here, please do not follow the directions, especially those involving specific tools and scripts. Doing so can result in serious damage to your computer. Instead, please start your own topic. Feel free to link to any relevant topics as needed.

#3 Pixel556

Pixel556
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:11:39 PM

Posted 16 December 2008 - 03:56 PM

Thank you for responding Panda. I really appreciate the help. Here is my GMER txt file, and the OTScanit is attached.

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-16 12:52:11
Windows 5.1.2600 Service Pack 3


---- Services - GMER 1.0.14 ----

Service system32\DRIVERS\obvious.sys (*** hidden *** ) [SYSTEM] obvious <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\obvious@ServiceBinary E:\WINDOWS\system32\drivers\OBVIOUS.SYS
Reg HKLM\SYSTEM\CurrentControlSet\Services\obvious@Group SCSI Miniport
Reg HKLM\SYSTEM\CurrentControlSet\Services\obvious@ImagePath system32\DRIVERS\obvious.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\obvious@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\obvious@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\obvious@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\obvious@Tag 34
Reg HKLM\SYSTEM\CurrentControlSet\Services\obvious\Enum
Reg HKLM\SYSTEM\CurrentControlSet\Services\obvious\Enum@Count 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\obvious\Enum@NextInstance 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\obvious\Enum@INITSTARTFAILED 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\obvious\parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\obvious\parameters\pnpinterface
Reg HKLM\SYSTEM\CurrentControlSet\Services\obvious\parameters\pnpinterface@1 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\obvious\security
Reg HKLM\SYSTEM\CurrentControlSet\Services\obvious\security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC8 0x14 0x5F 0x5C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x81 0x94 0x26 0xC9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 E:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xE3 0xA8 0x1F 0x85 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xD4 0x34 0x05 0x27 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC8 0x14 0x5F 0x5C ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x81 0x94 0x26 0xC9 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 E:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xE3 0xA8 0x1F 0x85 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xD4 0x34 0x05 0x27 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC8 0x14 0x5F 0x5C ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x81 0x94 0x26 0xC9 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 E:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xE3 0xA8 0x1F 0x85 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xD4 0x34 0x05 0x27 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC8 0x14 0x5F 0x5C ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x81 0x94 0x26 0xC9 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 E:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xE3 0xA8 0x1F 0x85 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xD4 0x34 0x05 0x27 ...
Reg HKLM\SYSTEM\ControlSet005\Services\obvious@ServiceBinary E:\WINDOWS\system32\drivers\OBVIOUS.SYS
Reg HKLM\SYSTEM\ControlSet005\Services\obvious@Group SCSI Miniport
Reg HKLM\SYSTEM\ControlSet005\Services\obvious@ImagePath system32\DRIVERS\obvious.sys
Reg HKLM\SYSTEM\ControlSet005\Services\obvious@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet005\Services\obvious@Start 1
Reg HKLM\SYSTEM\ControlSet005\Services\obvious@Type 1
Reg HKLM\SYSTEM\ControlSet005\Services\obvious@Tag 34
Reg HKLM\SYSTEM\ControlSet005\Services\obvious\Enum
Reg HKLM\SYSTEM\ControlSet005\Services\obvious\Enum@Count 0
Reg HKLM\SYSTEM\ControlSet005\Services\obvious\Enum@NextInstance 0
Reg HKLM\SYSTEM\ControlSet005\Services\obvious\Enum@INITSTARTFAILED 1
Reg HKLM\SYSTEM\ControlSet005\Services\obvious\parameters
Reg HKLM\SYSTEM\ControlSet005\Services\obvious\parameters\pnpinterface
Reg HKLM\SYSTEM\ControlSet005\Services\obvious\parameters\pnpinterface@1 1
Reg HKLM\SYSTEM\ControlSet005\Services\obvious\security
Reg HKLM\SYSTEM\ControlSet005\Services\obvious\security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC8 0x14 0x5F 0x5C ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x81 0x94 0x26 0xC9 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 E:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xE3 0xA8 0x1F 0x85 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xD4 0x34 0x05 0x27 ...

---- EOF - GMER 1.0.14 ----

#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:39 AM

Posted 16 December 2008 - 10:23 PM

Hello.

Disable Realtime Protection
Antimalware programs can interfere with the tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.
To disable SpyBot's TeaTimer:
You can find instructions with visuals here.
  • Run Spybot-S&D in Advanced Mode. If it is not already set to do this Go to the Mode menu select Advanced Mode.
  • On the left hand side, Click on Tools.
  • Click on the Resident icon in the list.
  • Uncheck Resident TeaTimer and OK any prompts.
  • Download ResetTeaTimer.bat and run it to remove entries set by TeaTimer. If you are not using Internet Explorer, you may not be prompted to download the file when you click it. In that case, right click it and select "Save Target/Link as" and save the file onto your desktop.
    The file should take only a second to finish. Delete this file after use.
Restart your computer for the changes to take affect.

Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.

Download The Avenger and Run Script
Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Right click and extract avenger.exe to your desktop
  • Start the Avenger by clicking on its icon on your desktop.
  • Copy all the text contained in the qoute box below to your Clipboard by highlighting it, right clicking and selecting Copy:
    Files to replace with dummy:
    %systemroot%\system32\bdurxqij.dll
    %systemroot%\system32\bpqanksb.dll
    %systemroot%\system32\cnejacnr.ini
    %systemroot%\system32\dpjtej(2).dll
    %systemroot%\system32\ecssfsog.dll
    %systemroot%\system32\efcburhx.dll
    %systemroot%\system32\eqedzc.dll
    %systemroot%\system32\fhvfnvck.dll
    %systemroot%\system32\hgdrrq.dll
    %systemroot%\system32\ivdwiyjd.dll
    %systemroot%\system32\jhdwsiqv.dll
    %systemroot%\system32\jiqxrudb.ini
    %systemroot%\system32\kagurqmr.dll
    %systemroot%\system32\laddkscl.dll
    %systemroot%\system32\lcskddal.ini
    %systemroot%\system32\lvabel.dll
    %systemroot%\system32\lyxluc.dll
    %systemroot%\system32\mljdstsi.dll
    %systemroot%\system32\ngaxnigc.ini
    %systemroot%\system32\pnfksw.dll
    %systemroot%\system32\pnpnyfxt.ini
    %systemroot%\system32\pptbjddi.dll
    %systemroot%\system32\prcikuvw.ini
    %systemroot%\system32\prcikuvw.ini2
    %systemroot%\system32\qhbaxq.dll
    %systemroot%\system32\rkveuw.dll
    %systemroot%\system32\rncajenc.dll
    %systemroot%\system32\sqgohmhi.dll
    %systemroot%\system32\sweejf.dll
    %systemroot%\system32\vzpyoz.dll
    %systemroot%\system32\wvukicrp.dll
    %systemroot%\system32\xlybymke.ini
    %systemroot%\system32\xpevnjni.dll
    %systemroot%\system32\digeste.dll
    
    Folders to delete:
    %systemroot%\system32\twain_32
    
    Registry keys to delete:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3E98FC8B-FA13-4136-991F-3DC68AFDD486}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{514ec952-4c27-4cd8-a13d-550d8ae8cd95}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A63E645F-13BD-45ED-B15F-6E8C1BD57279}
  • Click Posted Image to paste the script from the clipboard.
  • Click the Execute button
  • Answer Yes twice when prompted.
The process is completely automatic. Do not touch your computer until a log file opens.

The Avenger will do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", the Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avengerís actions. This log file will be located at C:\avenger.txt (considering your operating drive is C:). Post back with it in your next reply.
Note that, after running the Avenger, you may recieve some "file not found" errors next boot. This is normal.

Run Fix with OTScanIt
We will run OTScanIt with directives. If you have lost your copy of OTScanIt, download it here and extract it like you did last time.
  • Double click the OTScanIt.exe icon in the OTScanIt folder on your desktop. If you are using Windows Vista, right click OTScanIt.exe and select Run as Administrator.
  • Copy the contents of the codebox below into the "Paste fix here" box.
    [Kill Explorer]
    [Registry - Safe List]
    < BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    YN -> {2A58D744-F992-41C9-AF04-8F2C93BC373C} [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    YY -> {3E98FC8B-FA13-4136-991F-3DC68AFDD486} [HKLM] -> %SystemRoot%\system32\wvUkICrP.dll [Reg Error: Value  does not exist or could not be read.]
    YY -> {514ec952-4c27-4cd8-a13d-550d8ae8cd95} [HKLM] -> %SystemRoot%\system32\vzpyoz.dll [Reg Error: Value  does not exist or could not be read.]
    YN -> {542B622E-DB48-41B8-AF19-01A435BD795B} [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    YY -> {A63E645F-13BD-45ED-B15F-6E8C1BD57279} [HKLM] -> %SystemRoot%\system32\mlJDstSi.dll [Reg Error: Value  does not exist or could not be read.]
    < AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
    *AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
    YY -> hgdrrq.dll -> %SystemRoot%\system32\hgdrrq.dll
    YY -> pnfksw.dll -> %SystemRoot%\system32\pnfksw.dll
    YY -> lvabel.dll -> %SystemRoot%\system32\lvabel.dll
    YY -> lyxluc.dll -> %SystemRoot%\system32\lyxluc.dll
    YY -> eqedzc.dll -> %SystemRoot%\system32\eqedzc.dll
    YY -> vzpyoz.dll -> %SystemRoot%\system32\vzpyoz.dll
    < AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
    < Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    YY -> mlJDstSi -> %SystemRoot%\system32\mlJDstSi.dll
    < ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
    YN -> "{A63E645F-13BD-45ED-B15F-6E8C1BD57279}" [HKLM] -> %SystemRoot%\system32\mlJDstSi.dll []
    < SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
    *SecurityProviders* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
    YN ->  digeste.dll -> 
    < SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
    < LSA Authentication Packages [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
    *LSA Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
    YY -> E:\WINDOWS\system32\wvUkICrP -> %SystemRoot%\system32\wvUkICrP.dll
    < LSA Authentication Packages [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
    [Files/Folders - Created Within 30 Days]
    NY -> vzpyoz.dll -> %SystemRoot%\System32\vzpyoz.dll
    NY -> xpevnjni.dll -> %SystemRoot%\System32\xpevnjni.dll
    NY -> lcskddal.ini -> %SystemRoot%\System32\lcskddal.ini
    NY -> laddkscl.dll -> %SystemRoot%\System32\laddkscl.dll
    NY -> eqedzc.dll -> %SystemRoot%\System32\eqedzc.dll
    NY -> sqgohmhi.dll -> %SystemRoot%\System32\sqgohmhi.dll
    NY -> jiqxrudb.ini -> %SystemRoot%\System32\jiqxrudb.ini
    NY -> bdurxqij.dll -> %SystemRoot%\System32\bdurxqij.dll
    NY -> PrCIkUvw.ini2 -> %SystemRoot%\System32\PrCIkUvw.ini2
    NY -> cnejacnr.ini -> %SystemRoot%\System32\cnejacnr.ini
    NY -> rncajenc.dll -> %SystemRoot%\System32\rncajenc.dll
    NY -> lyxluc.dll -> %SystemRoot%\System32\lyxluc.dll
    NY -> jhdwsiqv.dll -> %SystemRoot%\System32\jhdwsiqv.dll
    NY -> lvabel.dll -> %SystemRoot%\System32\lvabel.dll
    NY -> pptbjddi.dll -> %SystemRoot%\System32\pptbjddi.dll
    NY -> xlybymke.ini -> %SystemRoot%\System32\xlybymke.ini
    NY -> pnfksw.dll -> %SystemRoot%\System32\pnfksw.dll
    NY -> fhvfnvck.dll -> %SystemRoot%\System32\fhvfnvck.dll
    NY -> ngaxnigc.ini -> %SystemRoot%\System32\ngaxnigc.ini
    NY -> hgdrrq.dll -> %SystemRoot%\System32\hgdrrq.dll
    NY -> kagurqmr.dll -> %SystemRoot%\System32\kagurqmr.dll
    NY -> pnpnyfxt.ini -> %SystemRoot%\System32\pnpnyfxt.ini
    NY -> qhbaxq.dll -> %SystemRoot%\System32\qhbaxq.dll
    NY -> bpqanksb.dll -> %SystemRoot%\System32\bpqanksb.dll
    NY -> rkveuw.dll -> %SystemRoot%\System32\rkveuw.dll
    NY -> ivdwiyjd.dll -> %SystemRoot%\System32\ivdwiyjd.dll
    NY -> twain_32 -> %SystemRoot%\System32\twain_32
    NY -> sweejf.dll -> %SystemRoot%\System32\sweejf.dll
    NY -> ecssfsog.dll -> %SystemRoot%\System32\ecssfsog.dll
    NY -> dpjtej(2).dll -> %SystemRoot%\System32\dpjtej(2).dll
    NY -> PrCIkUvw.ini -> %SystemRoot%\System32\PrCIkUvw.ini
    NY -> wvUkICrP.dll -> %SystemRoot%\System32\wvUkICrP.dll
    NY -> mlJDstSi.dll -> %SystemRoot%\System32\mlJDstSi.dll
    NY -> efcBuRHx.dll -> %SystemRoot%\System32\efcBuRHx.dll
    [Alternate Data Streams]
    NY -> @Alternate Data Stream - 120 bytes -> %AllUsersProfile%\Application Data\TEMP:5C321E34
    [Empty Temp Folders]
    [Reboot]
  • Close all windows except OTScanIt.
  • Click it Run Fix button.
When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click OK and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt2 will finish moving any files that could not be moved during the fix. Notepad will open with the final results at that time. Post that log back here in your next reply.

Download and run MalwareBytes Anti-Malware
If you already have MBAM installed, simply update and run a quick scan.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

You can refer to this page which has a visual of the instructions above.


Re-enable your protection at this time.

Please post back with:
-the Avenger log
-the OTScanIt fix log
-the Malware Bytes log
-a new OTscanIt scan log (settings at default, attached) You may run out of attachment space. If so, go to your Control Panel to remove your previous attachments to make room for new ones.

How is your computer running now?

With Regards,
The Panda

Edited by PropagandaPanda, 16 December 2008 - 10:23 PM.


#5 Pixel556

Pixel556
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:11:39 PM

Posted 17 December 2008 - 06:03 PM

Attached are all the logs that you listed. I wasn't sure if you wanted the logs in the reply or attached. I haven't seen any of the popups yet, but I will post back if they happen. Thank you for all your help. Much appreciated.

#6 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:39 AM

Posted 18 December 2008 - 12:29 AM

Hello.

Usually, it would be best to post the logs other than OTScanIt.txt directly into your reply. Doesn't matter that much to me though.

That looks much better.

Please run this fix with OTScanIt:
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {034FD09A-39C8-4D88-94CD-221EF11A0F19} [HKLM] -> %SystemRoot%\system32\wvUkICrP.dll [Reg Error: Value  does not exist or could not be read.]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{32110020-9C62-456E-82D0-FC03C195BBCD}" [HKLM] -> %ProgramFiles%\SUPERBAR\SUPERBAR.dll [SuperBar]
[Files/Folders - Created Within 30 Days]
NY -> SWFuIFNhbGlzaA -> %SystemRoot%\SWFuIFNhbGlzaA
[Files/Folders - Modified Within 30 Days]
NY -> 18 E:\WINDOWS\System32\*.tmp files -> E:\WINDOWS\System32\*.tmp
NY -> 15 E:\WINDOWS\*.tmp files -> E:\WINDOWS\*.tmp
NY -> 86B8B3D18FD32DD9.job -> %SystemRoot%\tasks\86B8B3D18FD32DD9.job

Update Java to Version 6 Update 10
Your current version of Java is outdated. Malware creators can exploit the lesser security of older versions. Please uninstall your current version through Add/Remove Programs. Remove all instances of Java, J2SE Runtime, Java Runtime, and Java Runtime Environment. Restart your computer after uninstalling.

Please then install the latest Java, Java SE Runtime Environment (JRE) 6 Update 10 from this page. Follow the prompts and select the appropriate settings for your machine (most likely "Windows"). Click on the "Required File" jre-6u10-windows-i586-p.exe to download the installer. Double click the installer to run. Delete the installer after use.

F-Secure Online Scan
Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

Please post back with:
-the OTScanIt fix log
-the F-Secure scan log
-a new HijackThis log/

With Regards,
The Panda

#7 Pixel556

Pixel556
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:11:39 PM

Posted 18 December 2008 - 04:41 PM

Here is the OTScan log:

[Registry - Safe List]
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{034FD09A-39C8-4D88-94CD-221EF11A0F19}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{034FD09A-39C8-4D88-94CD-221EF11A0F19}\ deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{32110020-9C62-456E-82D0-FC03C195BBCD} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32110020-9C62-456E-82D0-FC03C195BBCD}\ deleted successfully.
[Files/Folders - Created Within 30 Days]
E:\WINDOWS\SWFuIFNhbGlzaA folder moved successfully.
[Files/Folders - Modified Within 30 Days]
E:\WINDOWS\msdownld.tmp folder deleted successfully.
E:\WINDOWS\NV25082512.TMP folder deleted successfully.
E:\WINDOWS\NV31721304.TMP folder deleted successfully.
E:\WINDOWS\tasks\86B8B3D18FD32DD9.job moved successfully.
< End of fix log >
OTScanIt2 by OldTimer - Version 1.0.3.1 fix logfile created on 12182008_130839

Here is the F-Secure log:

Scanning Report
Thursday, December 18, 2008 13:26:16 - 13:37:05

Computer name: PIXEL
Scanning type: Scan system for malware, rootkits
Target: C:\ E:\
Result: 2 malware found
AdWare.Win32.BHO (spyware)

* System

TrackingCookie.Yieldmanager (spyware)

* System

Statistics
Scanned:

* Files: 12920
* System: 3485
* Not scanned: 0

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 2
* Submitted: 0

Files not scanned:

Options
Scanning engines:

* F-Secure USS: 2.40.0
* F-Secure Blacklight: 2.4.1093
* F-Secure Hydra: 2.8.8110, 2008-12-18
* F-Secure Pegasus: 1.20.0, 2008-11-17
* F-Secure AVP: 7.0.171, 2008-12-18

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics

Copyright © 1998-2007 Product support |Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.

Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:40:21 PM, on 12/18/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Microsoft IntelliType Pro\itype.exe
E:\Program Files\Microsoft IntelliPoint\ipoint.exe
E:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\WINDOWS\RTHDCPL.EXE
E:\WINDOWS\system32\ctfmon.exe
E:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\system32\PnkBstrA.exe
E:\WINDOWS\system32\PnkBstrB.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [itype] "E:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "E:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [JMB36X IDE Setup] E:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] E:\WINDOWS\System32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE


Thank you again for your help. So far, i've had no pop-ups or anything else strange, so its running so much better. I really appreciate this, thank you.

#8 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:39 AM

Posted 19 December 2008 - 12:22 AM

Hello.

That HijackTHis log is incomplete. Please post a full one :thumbsup: . Want to check everything over before we wrap up.

With Regards,
The Panda

#9 Pixel556

Pixel556
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:11:39 PM

Posted 20 December 2008 - 02:03 AM

Sorry about that. Here's a full HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:03:01 PM, on 12/19/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Microsoft IntelliType Pro\itype.exe
E:\Program Files\Microsoft IntelliPoint\ipoint.exe
E:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\WINDOWS\RTHDCPL.EXE
E:\Program Files\Java\jre6\bin\jusched.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\system32\PnkBstrA.exe
E:\WINDOWS\system32\PnkBstrB.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [itype] "E:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "E:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [JMB36X IDE Setup] E:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] E:\WINDOWS\System32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = E:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: StartupCop Pro.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1223667890359
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - E:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs:
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\hpzipm12.exe
O23 - Service: PnkBstrA - Unknown owner - E:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - E:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - E:\Program Files\CyberLink\Shared files\RichVideo.exe (file missing)

--
End of file - 4516 bytes

#10 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:39 AM

Posted 20 December 2008 - 02:49 AM

Looks good :thumbsup: .

Remove ERUNT Backups
You should remove all the backups that ERUNT has made. Those backups may contain old registry keys, possibly those created by malware.

Delete everything under:
C:\WINDOWS\erdnt\

ERUNT will automatically remove backups older than 30 days, so there is no need to clear that folder manually in the future.

It is a good idea to have ERUNT installed, even when you are not infected. Tasks like installing programs and changing settings, which involve working with the registry, can cause problems that can be quickly undone by reverting to a backup. However, if you wish to uninstall the program, do so using Add/Remove Programs.

Run Cleanup with OTScantIt
This will remove all the tools we used.
  • Double click the OTScanIt.exe icon in the OTScanIt folder on your desktop. If you are using Windows Vista, right click OTScanIt.exe and select Run as Administrator.
  • Click the CleanUp bottun.
  • Restart if prompted.
Set New System Restore Point
Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click System Restore.
  • Choose the radio button marked "Create a Restore Point" on the first screen then click Next. Give the R.P. a name then click Create. The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type:
    cleanmgr
  • Click OK.
  • Click the More Options Tab.
  • Click Clean Up in the System Restore section to remove all previous restore points except the newly created one.
Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections: For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable uneeded processes and increase the amount of available resources.

Do you have any further questions or concerns?

With Regards,
The Panda

#11 Pixel556

Pixel556
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:11:39 PM

Posted 20 December 2008 - 01:37 PM

I have Spybot and Spyware blaster installed, do I need to have them active all the time to be effective? If so, how? Thank you so much for all your help. My computer is running much more smoothly.

#12 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:39 AM

Posted 21 December 2008 - 04:14 AM

Hello.

Both SpyBot's Teatimer and Spyware Blaster help prevent infection.

You can find a guide on using TeaTimer here.

SpywareBlaster, I'm not too fimiliar with.

You should also install an antivirus now, if you have not already.After installing, update the database, run a full system scan and remove any items found.

With Regards,
The Panda

#13 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:39 AM

Posted 27 December 2008 - 11:49 PM

Hello.

Since this issue appears to be resolved, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda

#14 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:39 AM

Posted 13 January 2009 - 08:31 PM

Reopened.

I hope you did not get reinfected. Please take a new OTScanIt log.

With Regards,
The Panda

#15 Pixel556

Pixel556
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:11:39 PM

Posted 17 January 2009 - 05:25 PM

I don't know how I possibly got re-infected, but multiple people use this computer. Thank you so much for reopening this, Panda. Here is my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:21:43 PM, on 1/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Microsoft IntelliType Pro\itype.exe
E:\Program Files\Microsoft IntelliPoint\ipoint.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
E:\WINDOWS\RTHDCPL.EXE
E:\Program Files\Java\jre6\bin\jusched.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\system32\PnkBstrA.exe
E:\WINDOWS\system32\PnkBstrB.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\rundll32.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {F6629A97-F800-4349-B435-582328373BCD} - (no file)
O4 - HKLM\..\Run: [itype] "E:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "E:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [JMB36X IDE Setup] E:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] E:\WINDOWS\System32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: ERUNT AutoBackup.lnk = E:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: StartupCop Pro.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1223667890359
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O20 - AppInit_DLLs: fgehwf.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\hpzipm12.exe
O23 - Service: PnkBstrA - Unknown owner - E:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - E:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - E:\Program Files\CyberLink\Shared files\RichVideo.exe (file missing)

--
End of file - 4488 bytes

Also, I tried to do a System Restore, but my computer couldn't seem to find the restore point I made when it was all clean.
Thank you again.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users