
Infected with Mock Antivirus Program, Unwanted Desktop Icons, Pop ups, etc!



#1 Mr Coolwhip (Members, 1 posts)

Posted 25 December 2008 - 10:08 AM

Hello!

Well, I have a pretty annoying case of spyware at the moment. It started with unwanted pop-ups coming up every 2 minutes or so when I was browsing the internet. It has now spread to horrible desktop icons (porn) and a mock antivirus program coming up, and occasionally shutting down my computer. Upon restart, I have a blue screen that talks about the antivirus program and that it's unsafe, then it comes up to the Windows loading screen with a blue subtitle that says "Unregistered version of Rapid Antispy". Finally, it takes me back to the desktop where everything is still intact (windows open, etc.). It's quite irritating at this point, and I would greatly appreciate some help removing this guy =] Thank you!

Here's my DDS report:


DDS (Version 1.1.0) - NTFSx86
Run by Sam at 7:54:42.90 on Thu 12/25/2008
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_01
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.557 [GMT -7:00]


============== Running Processes ===============

E:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
E:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
F:\Program Files\iTunes\iTunesHelper.exe
E:\WINDOWS\system32\~.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\System32\svchost.exe -k imgsvc
E:\Program Files\Viewpoint\Common\ViewpointService.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\System32\svchost.exe -k HTTPFilter
E:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
F:\Program Files\Mozilla Firefox\firefox.exe
E:\WINDOWS\system32\NOTEPAD.EXE
F:\Mozilla Downloads\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: SFCDisable=4 (0x4)
BHO: {be82ef6c-193c-ff88-3d74-b60afd406692}: {296604df-a06b-47d3-88ff-c391c6fe28eb} - e:\windows\system32\cjvhug.dll
BHO: {30a6bb80-9b32-496c-9e16-90d0d75ed232} - e:\windows\system32\khfGwXpq.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - e:\progra~1\spybot~1\SDHelper.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - e:\windows\system32\ssqOFXnM.dll
BHO: {714810c3-d1cb-4fad-9eb8-f8e277980eee} - e:\windows\system32\fcyvt.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - e:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: {e4eeffed-93cd-4cf0-a0f3-50d139121fee} - e:\windows\system32\nnnopqq.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [Aim6] "e:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [msiexec.exe] ~.exe
mRun: [SunJavaUpdateSched] "e:\program files\java\jre1.6.0_01\bin\jusched.exe"
mRun: [QuickTime Task] "e:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "f:\program files\itunes\iTunesHelper.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE e:\windows\system32\NvCpl.dll,NvStartup
mRun: [98defedb] rundll32.exe "e:\windows\system32\pfwkxjgl.dll",b
mExplorerRun: [user32.dll] e:\program files\video activex access\iesmn.exe
uPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - e:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - e:\program files\java\jre1.6.0_01\bin\ssv.dll
TCP: {3F76B8E9-66A1-491F-B05E-01813FE8D39A} = 192.168.2.1
Notify: fcyvt - e:\windows\system32\fcyvt.dll
Notify: nnnopqq - nnnopqq.dll
Notify: ssqOFXnM - ssqOFXnM.dll
Notify: winxmb32 - winxmb32.dll
AppInit_DLLs: cjvhug.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - e:\windows\system32\WPDShServiceObj.dll
SEH: {e4eeffed-93cd-4cf0-a0f3-50d139121fee} - e:\windows\system32\nnnopqq.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - e:\windows\system32\ssqOFXnM.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 e:\windows\system32\khfGwXpq

================= FIREFOX ===================

FF - ProfilePath - e:\docume~1\sam\applic~1\mozilla\firefox\profiles\wxx67305.sam2\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

============= SERVICES / DRIVERS ===============

R1 IKFileFlt;File Filter Driver;e:\windows\system32\drivers\ikfileflt.sys [2007-8-7 39376]
R1 IKFileSec;File Security Driver;e:\windows\system32\drivers\ikfilesec.sys [2007-8-7 53840]
R1 IkSysFlt;System Filter Driver;e:\windows\system32\drivers\iksysflt.sys [2007-8-7 57424]
R1 IKSysSec;System Security Driver;e:\windows\system32\drivers\iksyssec.sys [2007-8-7 83024]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"e:\program files\viewpoint\common\ViewpointService.exe" [2007-1-10 24652]
R3 maestro;ESS Maestro Audio Driver (WDM);e:\windows\system32\drivers\maestro.sys [2006-4-21 48768]
S2 sdCoreService;Spyware Doctor Service; []
S3 cusbohcn;cusbohcn; []
S3 DCamUSBVeo532;Veo Stingray/Connect Web Camera;e:\windows\system32\drivers\ubVeo532.sys [2002-7-1 95232]
S3 mamotou;mamotou;e:\windows\system32\drivers\mamotou.sys [2007-1-3 49399]
S4 Au10cntsfm;Au10cntsfm; []

=============== Created Last 30 ================

2008-12-24 13:18 <DIR> -cd----- e:\docume~1\sam\applic~1\s_6149_fHx8fHx8fDEyNDI3ODMyMTh8_
2008-12-24 13:18 <DIR> -cd----- e:\docume~1\sam\applic~1\Rapid Antivirus
2008-12-24 09:37 1,661,209 -c-sh--- e:\windows\system32\lgjxkwfp.ini
2008-12-24 09:26 129,024 ac------ e:\windows\system32\cjvhug.dll
2008-12-24 09:26 129,024 ac------ e:\windows\system32\jsilnaqt.dll
2008-12-23 23:32 <DIR> -cd----- e:\docume~1\alluse~1\applic~1\AVS4YOU
2008-12-23 23:28 <DIR> -cd----- e:\program files\common files\AVSMedia
2008-12-23 23:27 1,700,352 ac------ e:\windows\system32\GdiPlus.dll
2008-12-23 23:27 974,848 ac------ e:\windows\system32\mfc70.dll
2008-12-23 23:27 487,424 ac------ e:\windows\system32\msvcp70.dll
2008-12-23 23:27 24,576 ac------ e:\windows\system32\msxml3a.dll
2008-12-23 17:50 129,024 ac------ e:\windows\system32\mpqhcw.dll
2008-12-23 17:49 129,024 ac------ e:\windows\system32\ibrtdicl.dll
2008-12-23 17:47 1,661,209 -c-sh--- e:\windows\system32\yyjxrnsd.ini
2008-12-22 17:47 129,024 ac------ e:\windows\system32\gozjfh.dll
2008-12-22 17:47 129,024 ac------ e:\windows\system32\jvxtkbtk.dll
2008-12-22 17:44 1,661,209 -c-sh--- e:\windows\system32\gybfxgcs.ini
2008-12-22 17:44 72,704 ac------ e:\windows\system32\scgxfbyg.dll
2008-12-22 15:25 1,661,209 -c-sh--- e:\windows\system32\ibcogunj.ini
2008-12-22 15:16 129,024 ac------ e:\windows\system32\qqglhz.dll
2008-12-22 15:16 129,024 ac------ e:\windows\system32\aufbihmv.dll
2008-12-21 15:15 129,024 ac------ e:\windows\system32\jqxyel.dll
2008-12-21 15:15 129,024 ac------ e:\windows\system32\axfjoxdy.dll
2008-12-20 15:02 1,661,209 -c-sh--- e:\windows\system32\ekippfck.ini
2008-12-20 15:02 72,704 ac------ e:\windows\system32\kcfppike.dll
2008-12-20 15:01 129,024 ac------ e:\windows\system32\cfvsif.dll
2008-12-20 15:01 129,024 ac------ e:\windows\system32\anjtgoxy.dll
2008-12-19 16:20 <DIR> -cd----- e:\program files\SDHelper (Spybot - Search & Destroy)
2008-12-19 16:20 <DIR> -cd----- e:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-12-19 16:20 <DIR> -cd----- e:\program files\TeaTimer (Spybot - Search & Destroy)
2008-12-19 11:54 129,024 ac------ e:\windows\system32\ijlzlh.dll
2008-12-19 11:54 129,024 ac------ e:\windows\system32\ryhwrrdy.dll
2008-12-19 11:49 1,661,209 -c-sh--- e:\windows\system32\hditbjom.ini
2008-12-19 10:14 1,661,209 -c-sh--- e:\windows\system32\heytisjo.ini
2008-12-19 10:08 129,024 ac------ e:\windows\system32\klkhww.dll
2008-12-19 10:08 129,024 ac------ e:\windows\system32\cenysimn.dll
2008-12-18 10:49 <DIR> -cd----- e:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-12-18 10:10 1,663,458 -c-sh--- e:\windows\system32\nmpfrdrq.ini
2008-12-18 10:07 129,024 ac------ e:\windows\system32\jhprrp.dll
2008-12-18 10:07 129,024 ac------ e:\windows\system32\mxbtxywb.dll
2008-12-17 05:59 1,663,458 -c-sh--- e:\windows\system32\lextnqgi.ini
2008-12-17 05:56 129,024 ac------ e:\windows\system32\cpkxhu.dll
2008-12-17 05:56 129,024 ac------ e:\windows\system32\lafnwxix.dll
2008-12-16 20:52 129,024 ac------ e:\windows\system32\sshbeg.dll
2008-12-16 20:52 129,024 ac------ e:\windows\system32\xrsxlbbe.dll
2008-12-16 20:49 1,646,211 -c-sh--- e:\windows\system32\rqkexhsb.ini
2008-12-16 15:02 <DIR> -cd----- e:\windows\iqrw
2008-12-16 15:02 <DIR> -cd----- e:\program files\common files\iqrw
2008-12-15 20:50 129,024 ac------ e:\windows\system32\vnronm.dll
2008-12-15 20:50 129,024 ac------ e:\windows\system32\cdmcngcm.dll
2008-12-15 20:47 1,646,212 -c-sh--- e:\windows\system32\coaapdqp.ini
2008-12-14 22:37 <DIR> -cdsh--- e:\windows\R2FnbGlv
2008-12-14 22:32 <DIR> -cd----- e:\docume~1\sam\applic~1\SpeedRunner
2008-12-14 22:27 <DIR> -cd----- e:\docume~1\sam\applic~1\Twain
2008-12-14 22:22 <DIR> -cd----- e:\program files\Webtools
2008-12-14 20:49 1,647,120 -c-sh--- e:\windows\system32\giklffaj.ini
2008-12-14 20:46 129,024 ac------ e:\windows\system32\nxelpq.dll
2008-12-14 20:46 129,024 ac------ e:\windows\system32\layuqjwn.dll
2008-12-14 10:52 129,024 ac------ e:\windows\system32\sdiqvf.dll
2008-12-14 10:52 129,024 ac------ e:\windows\system32\dkgblsgu.dll
2008-12-14 10:44 1,647,120 -c-sh--- e:\windows\system32\ffvwjtbn.ini
2008-12-14 10:23 <DIR> -cd----- e:\docume~1\sam\applic~1\RegSweep
2008-12-14 10:22 1,647,120 -c-sh--- e:\windows\system32\cjnmrqep.ini
2008-12-14 10:19 129,024 ac------ e:\windows\system32\tciwic.dll
2008-12-14 10:19 129,024 ac------ e:\windows\system32\jaeiaxmw.dll
2008-12-14 01:51 0 ac------ e:\windows\system32\mcrh.tmp
2008-12-13 23:00 1,647,120 -c-sh--- e:\windows\system32\fcwpkbty.ini
2008-12-13 23:00 129,024 ac------ e:\windows\system32\ljgkvg.dll
2008-12-13 23:00 129,024 ac------ e:\windows\system32\makiaten.dll
2008-12-13 22:21 129,024 ac------ e:\windows\system32\nrcewv.dll
2008-12-13 22:21 129,024 ac------ e:\windows\system32\mbvllyld.dll
2008-12-13 22:16 1,647,120 -c-sh--- e:\windows\system32\cubwwrec.ini
2008-12-13 22:15 946,551 ac-sh--- e:\windows\system32\qpXwGfhk.ini2
2008-12-13 22:15 946,551 ac-sh--- e:\windows\system32\qpXwGfhk.ini
2008-12-13 22:15 302,592 -c------ e:\windows\system32\khfGwXpq.dll
2008-12-13 22:10 66,560 ac------ e:\windows\system32\efcButqq.dll
2008-12-13 22:10 34,816 ac------ e:\windows\system32\ssqOFXnM.dll
2008-12-13 22:10 198,716 ac------ e:\windows\system32\wpv491229211116.cpx
2008-12-13 22:10 45,056 -c------ e:\windows\system32\wpv791229157187.cpx
2008-12-13 22:10 83,968 ac------ e:\windows\system32\~.exe

==================== Find3M ====================

2007-08-07 13:59 8,192 ac------ e:\docume~1\sam\applic~1\__c003BB5A.exe
2007-08-07 13:58 8,192 ac------ e:\docume~1\sam\applic~1\__c00AAF6E.exe
2006-03-12 21:50 1,444 ac------ e:\documents and settings\sam\keys.dat
2005-07-29 16:24 472 ac-shr-- e:\windows\r2fnbglv\lZIBv35S.vbs
2007-09-02 18:05 1,913,038 -c-sh--- e:\windows\system32\tvycf.bak1
2007-09-02 18:04 1,912,364 -c-sh--- e:\windows\system32\tvycf.bak2

============= FINISH: 7:56:43.59 ===============
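The log above shows the load-point pattern a responder looks for before deciding whether a box is recoverable: unnamed BHOs pointing at random-named DLLs in system32, Winlogon Notify packages and an AppInit_DLLs entry (both load into every session or every user32 process), an extra DLL in the LSA Authentication Packages list, SFCDisable=4 (Windows File Protection switched off), and a daily series of 129,024-byte DLLs and hidden/system .ini files in system32. The script below is an added example, not part of this thread and not DDS itself: it parses Pseudo-HJT and Created-Last-30 lines, flags each of those indicators, and cross-references load points against recently created files, which is the strongest single lead in a log like this. The Notify baseline set, the "three files of the same size" threshold, the reading of the `s`/`h` attribute flags and the hex-name/value-name heuristics for Run entries are assumptions of this example; the sample input is an excerpt of the posted log embedded as a constant.

```python
"""Triage a DDS-style log for Vundo-like load points and file-drop patterns.
Added example for this thread, not part of the post or the DDS tool; the rules are
assumptions drawn from the indicators in the log above, not a signature database."""
import re
from collections import defaultdict, namedtuple

Finding = namedtuple("Finding", "category detail line")
# Assumed baseline of Winlogon Notify packages shipped with Windows XP (not exhaustive).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}
FILE_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+([\d,]+|<DIR>)\s+([a-z-]{8})\s+(.+)$")
RUN_LINE = re.compile(r"^[um]Run: \[([^\]]*)\] (\S.*)$")
CLSID = re.compile(r"^\{[0-9a-f-]{36}\}$", re.I)

# Constructed sample: an excerpt of the DDS log posted above, one entry per line.
SAMPLE_LOG = r"""
mWinlogon: SFCDisable=4 (0x4)
BHO: {be82ef6c-193c-ff88-3d74-b60afd406692}: {296604df-a06b-47d3-88ff-c391c6fe28eb} - e:\windows\system32\cjvhug.dll
BHO: {30a6bb80-9b32-496c-9e16-90d0d75ed232} - e:\windows\system32\khfGwXpq.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - e:\program files\java\jre1.6.0_01\bin\ssv.dll
uRun: [msiexec.exe] ~.exe
mRun: [98defedb] rundll32.exe "e:\windows\system32\pfwkxjgl.dll",b
mRun: [NvCplDaemon] RUNDLL32.EXE e:\windows\system32\NvCpl.dll,NvStartup
Notify: fcyvt - e:\windows\system32\fcyvt.dll
Notify: winxmb32 - winxmb32.dll
AppInit_DLLs: cjvhug.dll
LSA: Authentication Packages = msv1_0 e:\windows\system32\khfGwXpq
2008-12-24 09:37 1,661,209 -c-sh--- e:\windows\system32\lgjxkwfp.ini
2008-12-24 09:26 129,024 ac------ e:\windows\system32\cjvhug.dll
2008-12-24 09:26 129,024 ac------ e:\windows\system32\jsilnaqt.dll
2008-12-23 23:27 1,700,352 ac------ e:\windows\system32\GdiPlus.dll
2008-12-23 17:50 129,024 ac------ e:\windows\system32\mpqhcw.dll
2008-12-22 17:47 129,024 ac------ e:\windows\system32\gozjfh.dll
2008-12-13 22:15 302,592 -c------ e:\windows\system32\khfGwXpq.dll
2008-12-13 22:10 83,968 ac------ e:\windows\system32\~.exe
"""

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def in_system32(path):
    return "\\windows\\system32\\" in path.lower()

def scan_persistence(line):
    """Return a Finding for one Pseudo-HJT line, or None if it looks benign."""
    if line.startswith("mWinlogon: SFCDisable="):
        val = line.split("=", 1)[1].split()[0]
        return None if val == "0" else Finding("wfp_disabled", "Windows File Protection off (SFCDisable=%s)" % val, line)
    if line.startswith("Notify:"):  # Winlogon Notify DLLs load into winlogon.exe at every logon
        name = line[7:].split(" - ", 1)[0].strip().lower()
        return None if name in KNOWN_NOTIFY else Finding("winlogon_notify", "non-baseline Notify package '%s'" % name, line)
    if line.startswith("AppInit_DLLs:"):  # any DLL here is injected into every user32-linked process
        dlls = line[13:].strip()
        return Finding("appinit", "AppInit_DLLs injects %s" % dlls, line) if dlls else None
    if line.startswith("LSA: Authentication Packages"):  # msv1_0 is the only stock entry on XP
        extra = [p for p in line.split("=", 1)[1].split() if basename(p) != "msv1_0"]
        return Finding("lsa_auth", "extra LSA auth package: %s" % " ".join(extra), line) if extra else None
    if line.startswith("BHO:"):  # DDS prints "BHO: Name: {clsid} - dll"; the Vundo BHOs carry no name
        body, _, dll = line[4:].partition(" - ")
        name = body.rsplit(":", 1)[0].strip() if ":" in body else ""
        if (not name or CLSID.match(name)) and in_system32(dll):
            return Finding("bho", "unnamed BHO loading %s from system32" % basename(dll), line)
    m = RUN_LINE.match(line)
    if m:  # Run value whose name is random hex, or masquerades as one binary while starting another
        value, cmd = m.groups()
        image = basename(cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0])
        if re.fullmatch(r"[0-9a-f]{8}", value.lower()):
            return Finding("run_hexname", "Run value '%s' (random hex name) starts %s" % (value, image), line)
        if value.lower().endswith(".exe") and value.lower() != image:
            return Finding("run_mismatch", "Run value '%s' actually starts %s" % (value, image), line)
    return None

def scan_files(lines):
    """Parse 'Created Last 30' entries; flag hidden .ini files and same-size drop series in system32."""
    findings, by_size, created = [], defaultdict(set), set()
    for line in lines:
        m = FILE_LINE.match(line)
        if not m or m.group(1) == "<DIR>":
            continue
        size, attrs, path = m.groups()
        name = basename(path)
        created.add(name)
        if in_system32(path):
            by_size[(name.rsplit(".", 1)[-1], size)].add(name)
            if name.endswith(".ini") and "s" in attrs and "h" in attrs:  # assumed: s=system, h=hidden
                findings.append(Finding("hidden_ini", "hidden+system %s (%s bytes) in system32" % (name, size), line))
    for (ext, size), names in sorted(by_size.items()):  # a fresh random-named DLL of identical size each day
        if len(names) >= 3:
            findings.append(Finding("drop_series", "%d .%s files of exactly %s bytes: %s"
                                    % (len(names), ext, size, ", ".join(sorted(names))), ""))
    return findings, created

def triage(log_text):
    """Run both scanners; tag load points whose target also appears as a fresh drop."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    file_findings, created = scan_files(lines)
    by_stem = {n.rsplit(".", 1)[0]: n for n in created}
    findings = []
    for f in filter(None, map(scan_persistence, lines)):
        hits = sorted(by_stem[t] for t in set(re.findall(r"[\w~]+", f.line.lower())) if t in by_stem)
        if hits:  # a load point that targets a file created in the last 30 days is the strongest lead
            f = f._replace(detail=f.detail + " [dropped recently: %s]" % ", ".join(hits))
        findings.append(f)
    return findings + file_findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-16s %s" % (f.category, f.detail))
```

Run against the sample, `triage()` returns eleven findings: the SFCDisable entry, two unnamed system32 BHOs (both also fresh drops), the `msiexec.exe` Run value that really starts `~.exe`, the hex-named Run value, two Notify packages, the AppInit_DLLs hook, the extra LSA package, the hidden `.ini`, and the four-file 129,024-byte series; the named Java BHO and the NvCpl Run entry are left alone. Note what the heuristics do not do: they never claim a file is malicious, only that it sits on a load point with an odd shape, so every hit still needs the file itself checked (hash, signature, strings) before it is acted on.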


#2 Maurice Naggar (Eradicator de malware; Malware Response Team, 1,088 posts; Gender: Male; Location: USA)

Posted 06 January 2009 - 03:28 PM

Hello Mr Coolwhip,

I do not see any sign of an antivirus having been installed on this system. Not at all from the logs, and there's no sign one was running when you generated the logs.
That being the case, your best option is to wipe the system clean and do a fresh install of Windows XP. Sorry to have to be very frank.
There are several pieces of Vundo present, along with who knows other co-infectors.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)