
Spyware removal


This topic is locked. 7 replies to this topic.

#1 chi-chi (Members, 26 posts)

Posted 12 January 2009 - 01:49 PM

This looks like a pretty fast and knowledgeable forum, so I am posting for help. I keep getting new browser pop-ups while online. Also, a spyware program was automatically installed on my PC. I removed the program (using Add/Remove Programs in the Control Panel) but I am still getting pop-ups. I used Ad-Aware and removed the infections, but when I re-run a scan they are still present. Any help on fixing these would be appreciated; thanks in advance. For time's sake, below is a HijackThis log if it helps.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:46:32 PM, on 01/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\xxxx\Desktop\Unused Desktop Shortcuts\Mozilla Firefox\firefox.exe
C:\Program Files\Network Associates\VirusScan\scan32.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [d4b3e524] rundll32.exe "C:\WINDOWS\system32\ybofuigp.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by128fd.bay128.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} - http://radaol-prod-web-rr.streamops.aol.co...agi3.0.84.2.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xxx.INTERNAL
O17 - HKLM\Software\..\Telephony: DomainName = xxx.INTERNAL
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = xxx.INTERNAL
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = xxx.INTERNAL
O20 - AppInit_DLLs: kflynk.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

--
End of file - 5112 bytes


#2 chi-chi (Topic Starter, Members, 26 posts)

Posted 12 January 2009 - 02:21 PM

I just removed some other program that also got installed, called Shopping Reports. But I am still getting the same 6 Virtumonde malware infections in my Ad-Aware scan. The problem still seems to have ceased... for now.

#3 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 13 January 2009 - 06:28 AM

Hi,

Is this a log from a company-owned computer or work computer?
If so, then there are a few things that need attention first before we proceed with this.

* You must inform your Supervisor immediately.

This is because:
  • Most company machines are connected to a network at some time or other, and your infection may compromise the security of that network.
  • If sensitive material is compromised by an infection, your company could be held liable.

* Your Company must give permission for us to give you assistance.

This is because:
  • We are not here to replace your company's IT Department. If there is an IT Department, then they are responsible for dealing with this.
  • There may be sensitive material on your computer that your company would not want revealed in an open forum.

Also, since this is a computer used at work, the first thing I always advise is to back up important files you don't want to lose, since malware makes a system unstable and it may happen that it suddenly won't boot anymore because of the damage already present.

I see you have Viewpoint installed...
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present:
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player

Then, please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#4 chi-chi (Topic Starter, Members, 26 posts)

Posted 13 January 2009 - 10:38 AM

Thanks for your help. Below is my ComboFix log.

ComboFix 09-01-12.03 - xxxx 2009-01-13 10:19:54.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1726 [GMT -5:00]
Running from: c:\documents and settings\xxxx\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\kmd.exe
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekakmppyrbn.sys
c:\windows\system32\hkbrwwmg.dll
c:\windows\system32\kflynk.dll
c:\windows\system32\khfdCSih.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\mlJcbApp.dll
c:\windows\system32\pgiufoby.ini
c:\windows\system32\ppAbcJlm.ini
c:\windows\system32\ppAbcJlm.ini2
c:\windows\system32\qoMFYsQJ.dll
c:\windows\system32\seneka.dat
c:\windows\system32\senekadf.dat
c:\windows\system32\senekalog.dat
c:\windows\system32\senekamqerftjl.dll
c:\windows\system32\senekamycjgryv.dll
c:\windows\system32\vtUkLdDT.dll
c:\windows\system32\ybofuigp.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA


((((((((((((((((((((((((( Files Created from 2008-12-13 to 2009-01-13 )))))))))))))))))))))))))))))))
.

2009-01-12 14:30 . 2009-01-12 15:02 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-12 14:30 . 2009-01-12 15:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-12 13:27 . 2009-01-12 13:27 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-13 14:45 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-01-13 14:12 --------- d-----w c:\program files\CCleaner
2009-01-12 18:28 --------- d-----w c:\program files\Lavasoft
2009-01-12 18:25 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-12 19:41 --------- d-----w c:\program files\Microsoft Silverlight
2008-12-11 22:15 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-04 17:32 --------- d-----w c:\program files\BitLord
2008-12-03 22:08 --------- d-----w c:\documents and settings\xxxx\Application Data\Cogniview
2008-12-03 22:07 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-03 22:07 --------- d-----w c:\documents and settings\All Users\Application Data\Cogniview
2008-12-03 22:06 --------- d-----w c:\program files\CogniView
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=kflynk.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\mlJcbApp

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2109043195-537022207-5522801-2906\Scripts\Logon\0\0]
"Script"=d:\public\inventory.bat

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:VNC
"5800:TCP"= 5800:TCP:VNC1

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2006-09-19 58048]
.
Contents of the 'Scheduled Tasks' folder

2009-01-13 c:\windows\Tasks\bxpaxhyj.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{05CE553E-BE92-46F6-B7E8-58AE76724CBB} - (no file)
BHO-{1b2c1367-a039-412d-9d23-66b79b30e5f7} - c:\windows\system32\kflynk.dll
BHO-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\vtUkLdDT.dll
BHO-{96BD928B-A007-4B56-9DF2-63F4EDEF1B96} - c:\windows\system32\mlJcbApp.dll
ShellExecuteHooks-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\vtUkLdDT.dll
Notify-vtUkLdDT - (no file)


.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\xxxx\Application Data\Mozilla\Firefox\Profiles\sqm55b27.default\
FF - plugin: c:\documents and settings\xxxx\Desktop\Unused Desktop Shortcuts\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\documents and settings\xxxx\Desktop\Unused Desktop Shortcuts\Mozilla Firefox\plugins\NPTURNMED.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-13 10:26:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Network Associates\VirusScan\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe
c:\program files\UltraVNC\winvnc.exe
.
**************************************************************************
.
Completion time: 2009-01-13 10:32:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-13 15:32:25

Pre-Run: 25,462,648,832 bytes free
Post-Run: 25,393,586,176 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

132 --- E O F --- 2008-12-18 22:15:18

#5 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 13 January 2009 - 10:44 AM

Hi,

Just some leftovers we have to deal with.

Navigate to and delete the following file:

c:\windows\Tasks\bxpaxhyj.job

Then, open Notepad and copy and paste the text in the quotebox below into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

Save this as fix.reg (choose to save as *all files*) and place it on your desktop.
Doubleclick on it and, when it asks you if you want to merge the contents into the registry, click yes/ok.

Then, go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between ComboFix and /u.
Then hit Enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
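As an added example (not code from the thread or from miekiemoes), the Python below shows what the fix.reg above actually does: it decodes and re-encodes the REGEDIT4 hex(7) value that restores the LSA Authentication Packages to the default msv1_0, and it audits ComboFix-style "Reg Loading Points" lines (the sample is constructed from the log posted above) for the two persistence locations the fix clears. All function and constant names are my own.

```python
"""Added example (not from the thread): the REGEDIT4 hex(7) encoding used in
fix.reg, plus an audit of ComboFix "Reg Loading Points" lines for the two
persistence locations the fix clears (LSA Authentication Packages, AppInit_DLLs)."""
import re

EXPECTED_AUTH_PACKAGES = ["msv1_0"]  # default LSA package on XP; anything else is suspect
AUTH_PKG_RE = re.compile(r"^Authentication Packages\s+REG_MULTI_SZ\s+(.+)$")
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(.*)$')

def encode_multi_sz_hex7(strings):
    """REGEDIT4 (ANSI) REG_MULTI_SZ: one byte per char, each string NUL-terminated, final NUL."""
    data = b"".join(s.encode("latin-1") + b"\x00" for s in strings) + b"\x00"
    return ",".join(f"{byte:02x}" for byte in data)

def decode_multi_sz_hex7(hex_value):
    """Inverse of encode_multi_sz_hex7; rejects values without the closing double NUL."""
    data = bytes(int(h, 16) for h in hex_value.split(","))
    if not data.endswith(b"\x00\x00"):
        raise ValueError("REG_MULTI_SZ must end with a double NUL")
    return [s.decode("latin-1") for s in data[:-2].split(b"\x00")]

def audit_reg_loading_points(log_text):
    """Flag non-default LSA authentication packages and any AppInit_DLLs entry."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := AUTH_PKG_RE.match(line):
            # ComboFix lists the packages space-separated (no paths with spaces here).
            extra = [p for p in m.group(1).split() if p.lower() not in EXPECTED_AUTH_PACKAGES]
            if extra:
                findings.append(("Authentication Packages", extra))
        elif m := APPINIT_RE.match(line):
            dlls = [d for d in re.split(r"[ ,]+", m.group(1).strip('"')) if d]
            if dlls:
                findings.append(("AppInit_DLLs", dlls))
    return findings

def build_fix_reg():
    """Rebuild the helper's fix.reg from the expected defaults."""
    return "\n".join([
        "REGEDIT4", "",
        r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]",
        '"Authentication Packages"=hex(7):' + encode_multi_sz_hex7(EXPECTED_AUTH_PACKAGES),
        "",
        r"[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]",
        '"AppInit_DLLs"=""', "",
    ])

# Constructed sample: the two relevant lines from the ComboFix log posted above.
SAMPLE_LOG = """\
"AppInit_DLLs"=kflynk.dll
Authentication Packages REG_MULTI_SZ msv1_0 c:\\windows\\system32\\mlJcbApp
"""

if __name__ == "__main__":
    for location, values in audit_reg_loading_points(SAMPLE_LOG):
        print(f"{location}: {values}")
    print(build_fix_reg())
```

Note that the newer "Windows Registry Editor Version 5.00" header encodes hex(7) as UTF-16LE (two bytes per character), so the same value would read 6d,00,73,00,... there; the helper's REGEDIT4 header is what makes the single-byte form above correct.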

#6 chi-chi (Topic Starter, Members, 26 posts)

Posted 13 January 2009 - 10:57 AM

Thanks a milli. I am done with all the above and will now see if the problem persists. If this is in fact the last post, it means the problem is solved. Thanks again. I will post if the issue arises again.

#7 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 13 January 2009 - 11:12 AM

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#8 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 16 January 2009 - 05:45 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.