Infected with malware Pop-ups,Ads


  • This topic is locked
2 replies to this topic

#1 AngelsPlight


Posted 28 February 2009 - 04:08 PM

I have this really pesky malware in my computer. At first I thought it was removed with Kaspersky so I was relieved, but yesterday night I left my computer on and went to sleep and the virus probably restored itself and created more versions of itself in my system. I managed to install AVG and did a complete scan and removed 11 malware but the problem persisted, so I decided to run the computer in safe mode. Since I'm currently in my dorms I'm not going to be headed back to my home to get a CD or Ghost to fix my system for a week, so I have to do it manually right now.
Actions the Malware performed:
- Download programs (one was from zangocash)
- Create mini ads on top of every website
- Automatic Pop-ups
- Pop ups when I open folders or browse the internet
- Disable Task Manager
- Disable installing rights with a "The system administrator has set policies to prevent this installation" message
- Disable anti-virus from running
- Slow down opening Windows
- Created .dll's in System32
- Changed Wallpaper
- Makes infection message pop-up
- Disabled my firewall

Infected files found by the online scan included:
system32\uokmvdfb.dll - Trojan-Win32.Monder.bdri
system32\u7287853.dll - Trojan-GameThief.Win32.OnLineGames.bkvv
system32\qoMFuTLc.dll - Trojan-Win32.Monderb.alcl
system32\pmnoOFxv.dll - Trojan-Win32.Monder.atxq
system32\20092756.dll - Trojan-GameThief.Win32.WOW.fgh
system32\3361\SVCHOST.EXE - Trojan-Win32.Agent.bsqv
system32\in f\xccdgb16_090131.dll - Trojan-Spy.Win32.Pophot.qzv
xccdf32_090131a.dll - Trojan-Spy.Win32.Pophot.qzv
xccdf16_09131a.all - Trojan-Spy.Win32.Pophot.qzu
And 2 more files in Temporary Files I deleted with
Trojan-Win32.Monder.bqyg
Trojan-Win32.Monder.bdri

There were only about 3 files infected the day I got this and I *thought* I solved the problem with Kaspersky, but it seems Kaspersky couldn't wipe out the malware and it created many more forms of itself. This is actually the 1st virus related problem I had and I never thought it would be such a problem. Even though I am currently running Windows in safe mode, pop-ups and mini ads still come up.

Here's the DDS:

DDS (Ver_09-02-01.01) - NTFSx86 NETWORK
Run by Vincent at 15:01:08.75 on Sat 02/28/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1076 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated)
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Vincent\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Vincent\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Vincent\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Vincent\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Vincent\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {1FD79A59-37B1-459B-9097-09F9FAB8A523} - No File
BHO: CDNSCacheObj Object: {376892ae-1825-4e5f-9f85-23f9640051cc} - c:\windows\mplayerplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [BitComet] "c:\program files\bitcomet\BitComet.exe"
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6]
uRun: [Google Update] "c:\documents and settings\vincent\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [DownloadAccelerator] "c:\program files\dap\DAP.EXE" /STARTUP
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LVCOMSX] "c:\program files\common files\logishrd\lcommgr\LVComSX.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Framework Windows] frmwrk32.exe
mRun: [Explorer] c:\windows\system32\msrstart.exe
mRun: [svchost.exe] "c:\windows\system32\3361\svchost.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRunOnce: [svchost.exe] "c:\windows\system32\3361\svchost.exe"
mExplorerRun: [xccinit] c:\windows\system32\inf\rundll33.exe c:\windows\xccdf16_090131a.dll xccd16
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\108mbp~1.lnk - c:\program files\108mbps wireless lan adapter\WLANPRO.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\reg.lnk - c:\program files\108mbps wireless lan adapter\Reg.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0483894E-2422-45E0-8384-021AFF1AF3CD} - {0483894E-2422-45E0-8384-021AFF1AF3CD} - c:\program files\imacros\imacros.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\temp\ntdll64.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1230073648734
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232988320687
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: WBSrv - c:\program files\stardock\object desktop\windowblinds\wbsrv.dll
AppInit_DLLs: wbsys.dll,avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\vincent\applic~1\mozilla\firefox\profiles\wqgz1dfm.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - component: c:\documents and settings\vincent\application data\mozilla\firefox\profiles\wqgz1dfm.default\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\XpcomOpusConnector.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\dap\dapfirefox\components\DAPFireFox.dll
FF - plugin: c:\documents and settings\vincent\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

S0 lnmlwqis;lnmlwqis;c:\windows\system32\drivers\hlkmqxaw.sys []
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-28 96520]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-28 26824]
S1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [2007-3-18 33920]
S2 afisicx;afisicx Service;c:\windows\system32\afisicx.exe [2004-8-4 48128]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-28 231192]
S2 defaultlib;Service AntiVir;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 mabidwe;mabidwe Service;c:\windows\system32\mabidwe.exe [2004-8-4 182784]
S2 softyinforwow1;.Freame Micer;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 sopidkc;sopidkc Service;c:\windows\system32\sopidkc.exe [2004-8-4 48128]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-12-23 24652]
S3 dump_wmimmc;dump_wmimmc;\??\c:\windows\system32\drivers\dump_wmimmc.sys --> c:\windows\system32\drivers\dump_wmimmc.sys [?]
S3 pcistub;pcistub;c:\windows\system32\pcistub.sys [2004-8-4 2176]

=============== Created Last 30 ================

2009-02-28 12:50 664 a------- c:\windows\system32\d3d9caps.dat
2009-02-28 12:14 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-02-28 12:05 10,240 a------- c:\windows\instsp1.exe
2009-02-28 12:05 88,064 a------- c:\windows\system32\uokmvdfb.dll
2009-02-28 12:05 2,917 a--sh--- c:\windows\system32\wHknnqss.ini
2009-02-28 12:05 372 a--sh--- c:\windows\system32\wHknnqss.ini2
2009-02-28 12:05 2,204 a------- c:\windows\lnmlwqis
2009-02-28 12:04 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-02-28 12:04 96,520 a------- c:\windows\system32\drivers\avgldx86.sys
2009-02-28 12:04 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-02-28 12:04 <DIR> --d----- c:\program files\AVG
2009-02-28 12:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-02-28 11:58 48,128 a------- c:\windows\system32\pmnoOFxv.dll
2009-02-28 11:54 32 a------- c:\windows\system32\work.ini
2009-02-28 11:26 529 a------- c:\windows\system32\winlogon2.exe
2009-02-28 11:13 228 a------- c:\windows\system32\hgset.ini
2009-02-28 11:13 <DIR> --d----- c:\windows\system32\3361
2009-02-28 07:22 4,785 a------- c:\windows\system32\warning.gif
2009-02-28 07:22 1,394 a------- c:\windows\system32\ahtn.htm
2009-02-28 07:22 433 a------- c:\windows\system32\win32hlp.cnf
2009-02-28 07:22 90,112 ac------ c:\windows\system32\dllcache\userinit.exe
2009-02-28 07:22 104,960 a------- c:\windows\system32\ntdll64.exe
2009-02-28 06:52 1 a------- c:\windows\system32\uniq.tll
2009-02-28 06:52 30,720 a------- c:\windows\system32\frmwrk32.exe
2009-02-28 06:52 30,720 a------- c:\windows\system32\998.exe
2009-02-27 23:27 <DIR> --d----- c:\program files\Bonjour
2009-02-27 23:20 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-02-27 02:26 <DIR> --d----- c:\program files\Kaspersky Lab
2009-02-27 02:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-02-27 02:18 47,616 a------- c:\windows\system32\qoMFuTLc.dll
2009-02-27 02:02 <DIR> --d----- c:\docume~1\vincent\applic~1\Symantec
2009-02-27 01:55 1,060,864 a------- c:\windows\system32\MFC71.DL1
2009-02-27 01:55 503,808 a------- c:\windows\system32\MSVCP71.DL1
2009-02-27 01:55 348,160 a------- c:\windows\system32\MSVCR71.DL1
2009-02-27 01:55 <DIR> --d----- c:\program files\Symantec
2009-02-27 01:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-02-23 15:43 347,832 a------- c:\windows\system32\iimds.dll
2009-02-23 15:43 233,144 a------- c:\windows\system32\IMImage.dll
2009-02-23 15:43 57,016 a------- c:\windows\system32\imsys.dll
2009-02-23 15:43 14,848 a------- c:\windows\system32\iimir.dll
2009-02-23 15:43 <DIR> --d----- c:\program files\iMacros
2009-02-17 11:37 <DIR> --d----- c:\program files\Blaze Media Pro
2009-02-17 11:37 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{DE097E60-7F86-4350-B083-1F09B6906C92}
2009-02-17 10:22 <DIR> --d----- c:\program files\Media Player Classic
2009-02-11 16:31 42,672 a------- c:\windows\system32\wbsys.dll
2009-02-11 16:31 <DIR> --d----- c:\program files\Stardock
2009-02-10 11:29 <DIR> --d----- c:\docume~1\vincent\applic~1\Azureus
2009-02-10 11:29 <DIR> --d----- c:\program files\Azureus
2009-02-09 20:34 <DIR> --d----- C:\Python26
2009-02-04 11:33 <DIR> --d----- c:\windows\system32\Adobe
2009-02-02 11:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Messenger Plus!
2009-02-02 11:55 <DIR> --d----- c:\program files\Messenger Plus! Live
2009-01-29 15:52 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-29 15:52 73,728 a------- c:\windows\system32\javacpl.cpl

==================== Find3M ====================

2009-02-28 12:08 251,392 a------- c:\windows\xccdf32_090131a.dll
2009-02-28 07:22 90,112 a------- c:\windows\system32\userinit.exe
2009-02-28 07:07 90,112 a------- c:\windows\system32\20092756.dll
2009-02-28 07:07 77,824 a------- c:\windows\system32\u7287853.dll
2009-02-28 07:07 36,352 a------- c:\windows\xccdf16_090131a.dll
2009-02-28 07:07 155,175 a------- c:\windows\system32\icv.exe
2009-02-27 04:49 240,640 a------- c:\windows\system32\w.exe
2009-01-25 22:51 50,688 a------- c:\windows\system32\wbhelp2.dll
2008-12-23 18:34 246,583 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-20 18:15 826,368 a------- c:\windows\system32\wininet.dll
2008-12-14 02:59 44,544 a------- c:\windows\system32\SystemHookCore.dll
2008-12-04 16:52 2,131,968 a------- c:\windows\system32\python26.dll

============= FINISH: 15:01:21.89 ===============

Edited by AngelsPlight, 28 February 2009 - 06:10 PM.
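The DDS report above contains several of the indicators a responder looks for in a log like this: a policy that disables Task Manager, autorun entries launching svchost.exe from a numbered subfolder of system32, a near-miss name (rundll33.exe) standing in for a Windows binary, a Winsock LSP loaded from the temp folder, and a driver whose file is missing from disk. The script below is an added example, not part of the thread and not a BleepingComputer tool: it runs those checks over lines in the DDS pseudo-HJT and services format. The sample lines are copied from the report above plus two clean entries; the list of protected system binary names and the policy names other than DisableTaskMgr are assumptions, not taken from the page.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity rule line")

# Constructed sample: lines copied from the DDS report in the post above,
# plus two clean lines (ctfmon, the AVG driver) that the checks should ignore.
SAMPLE_DDS = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Explorer] c:\windows\system32\msrstart.exe
mRun: [svchost.exe] "c:\windows\system32\3361\svchost.exe"
mRunOnce: [svchost.exe] "c:\windows\system32\3361\svchost.exe"
mExplorerRun: [xccinit] c:\windows\system32\inf\rundll33.exe c:\windows\xccdf16_090131a.dll xccd16
dPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
LSP: c:\windows\temp\ntdll64.dll
S0 lnmlwqis;lnmlwqis;c:\windows\system32\drivers\hlkmqxaw.sys []
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-28 96520]
"""

# DDS line prefixes that load code at logon or into every process.
AUTORUN_KEYS = ("uRun", "mRun", "mRunOnce", "mExplorerRun", "LSP", "AppInit_DLLs")
# Assumed list: binaries that legitimately live only in %windir%\system32.
SYSTEM_BINARIES = {"svchost.exe", "userinit.exe", "rundll32.exe", "explorer.exe", "winlogon.exe"}
# Policies no legitimate installer sets. DisableTaskMgr appears in the report;
# the other two are assumed additions.
HOSTILE_POLICIES = {"DisableTaskMgr", "DisableRegistryTools", "NoRun"}

PATH_RE = re.compile(r'"([^"]+)"|([a-z]:\\[^\s"]+)', re.IGNORECASE)
POLICY_RE = re.compile(r"^[umd]Policies-\w+: (\w+) = (\d+)")
SERVICE_RE = re.compile(r"^S[0-4] ([^;]+);([^;]*);(.+?) \[(.*)\]$")


def first_path(text):
    """Return the first quoted or drive-rooted path in the line, lowercased."""
    m = PATH_RE.search(text)
    return (m.group(1) or m.group(2)).lower() if m else None


def lookalike(name):
    """Return the system binary name that differs from `name` by one character."""
    for real in SYSTEM_BINARIES:
        if len(name) == len(real) and name != real and sum(a != b for a, b in zip(name, real)) == 1:
            return real
    return None


def check_policy(line):
    m = POLICY_RE.match(line)
    if m and m.group(1) in HOSTILE_POLICIES and m.group(2) != "0":
        return Finding("high", "hostile policy set", line)
    return None


def check_autorun(line):
    key, _, rest = line.partition(":")
    if key not in AUTORUN_KEYS:
        return None
    path = first_path(rest)
    if path is None:
        return None
    directory, _, name = path.rpartition("\\")
    if "\\temp\\" in path:
        return Finding("high", "autorun entry loads from a temp directory", line)
    if name in SYSTEM_BINARIES and directory != r"c:\windows\system32":
        return Finding("high", "system binary name outside system32", line)
    if lookalike(name):
        return Finding("high", "lookalike of a Windows system binary name", line)
    return None


def check_service(line):
    m = SERVICE_RE.match(line)
    if m and m.group(4) == "":
        # DDS prints [] when it cannot stat the image file on disk.
        return Finding("medium", "service/driver file not found on disk", line)
    return None


def triage(report):
    """Run every check over each line; first matching rule wins per line."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        for check in (check_policy, check_autorun, check_service):
            f = check(line)
            if f:
                findings.append(f)
                break
    return findings


def summarize(findings):
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.severity}] {f.rule}: {f.line}")
    print(summarize(triage(SAMPLE_DDS)))
```

The checks are deliberately structural (where a file lives, what it is named, whether it exists) rather than signature-based, so they keep working on samples whose names are random; the trade-off is that the bare-name autoruns in the report (RTHDCPL.EXE, SkyTel.EXE and the like) are neither flagged nor cleared and still need a manual look.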


#2 AngelsPlight

  • Topic Starter

Posted 28 February 2009 - 05:55 PM

Fixed it ~ Managed to find someone in my dorm with the old version of Symantec Ghost

Edited by AngelsPlight, 28 February 2009 - 08:47 PM.


#3 KoanYorel

  • Staff Emeritus

Posted 01 March 2009 - 06:13 PM

Thanks for informing us.

Good luck.

This Topic is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)
