
Can't access Microsoft.com, or any antispyware sites...


  • This topic is locked
8 replies to this topic

#1 Caked


Posted 09 August 2009 - 05:56 PM

Alright, a few days ago I somehow started getting fake spyware popups where they want you to buy their software and whatnot. I had ad-aware installed and it got rid of most of it.

Now I'm having a problem accessing the sites aforementioned. I can't update MBAM, and I need to get on M$.com to download .NET Framework. I couldn't update SUPERAntiSpyware, either.

If anyone could help me, I'd greatly appreciate it.

Here is my DDS.txt

DDS (Ver_09-07-30.01) - NTFSx86
Run by Kirschbaum at 17:50:04.34 on Sun 08/09/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2893 [GMT -5:00]

AV: 4.0 *On-access scanning disabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Raxco\PerfectDisk10\PDEngine.exe
C:\WINDOWS\TEMP\tor2.tmp
svchost.exe C:\WINDOWS\TEMP\VRT4.tmp
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wpabaln.exe
C:\Program Files\Mozilla Firefox\firefoxx.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Kirschbaum.KIRSCHBA-C6BB7F\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: MJCore class: {d88e1558-7c2d-407a-953a-c044f5607cea} - c:\program files\jcore\Jcore2.dll
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
dRun: [SfKg6wIPuSpdc] c:\documents and settings\kirschbaum.kirschba-c6bb7f\application data\microsoft\windows\rfvsp.exe
dRun: [pridl] "c:\documents and settings\kirschbaum.kirschba-c6bb7f\application data\pridl\pridl.exe" 61A847B5BBF72811329B385672FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
IE: Save YouTube Video as MP3
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: Antiwpa - antiwpa.dll
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-8-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 74480]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 7408]
S2 ekrn;ESET Service;"c:\program files\eset\eset nod32 antivirus\ekrn.exe" --> c:\program files\eset\eset nod32 antivirus\ekrn.exe [?]
S2 gsfw;gsfw;c:\windows\system32\drivers\couojo.sys --> c:\windows\system32\drivers\couojo.sys [?]

=============== Created Last 30 ================

2009-08-09 17:42 <DIR> --d----- c:\program files\Jcore
2009-08-09 17:42 55,296 a------- c:\windows\system32\drivers\UACd.sys
2009-08-09 17:42 44 a------- c:\windows\system32\6.tmp
2009-08-09 17:42 <DIR> --d----- c:\docume~1\kirsch~1.kir\applic~1\pridl
2009-08-09 16:47 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\SUPERAntiSpyware.com
2009-08-09 16:47 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-08-09 16:47 <DIR> --d----- c:\docume~1\kirsch~1.kir\applic~1\SUPERAntiSpyware.com
2009-08-09 16:29 0 a------- c:\windows\system32\C.tmp
2009-08-09 16:06 0 a------- c:\windows\system32\9.tmp
2009-08-09 16:06 44 a------- c:\windows\system32\8.tmp
2009-08-09 14:39 44 a------- c:\windows\system32\5.tmp
2009-08-09 13:11 44 a------- c:\windows\system32\2.tmp
2009-08-09 08:26 44 a------- c:\windows\system32\3F8.tmp
2009-08-09 00:06 138,064 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-08-09 00:05 189,184 a------- c:\windows\system32\PnkBstrB.exe
2009-08-09 00:05 189,184 a------- c:\windows\system32\PnkBstrB.xtr
2009-08-09 00:05 75,064 a------- c:\windows\system32\PnkBstrA.exe
2009-08-08 16:04 <DIR> --d----- c:\documents and settings\kirschbaum.kirschba-c6bb7f\Downloads
2009-08-08 12:22 44 a------- c:\windows\system32\1FD.tmp
2009-08-08 12:22 89 a------- C:\Work at home.url
2009-08-08 12:22 361,344 a------- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-08-08 00:16 <DIR> --d----- c:\docume~1\kirsch~1.kir\applic~1\NewsLeecher
2009-08-08 00:15 <DIR> --d----- c:\program files\NewsLeecher
2009-08-07 11:48 44 a------- c:\windows\system32\5F.tmp
2009-08-07 07:11 <DIR> --d----- c:\program files\Raxco
2009-08-07 01:33 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-07 01:33 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-07 01:33 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-07 01:01 <DIR> --d----- C:\fixwareout
2009-08-07 00:21 <DIR> --ds---- c:\documents and settings\kirschbaum.kirschba-c6bb7f\UserData
2009-08-07 00:08 44 a------- c:\windows\system32\16.tmp
2009-08-06 07:33 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\LogMeIn
2009-08-06 07:29 <DIR> --d----- c:\program files\SABnzbd
2009-08-06 07:23 0 a------- c:\windows\system32\1D.tmp
2009-08-06 07:23 84 a------- c:\windows\system32\1B.tmp
2009-08-06 07:14 <DIR> --d----- c:\program files\ESET
2009-08-06 07:08 <DIR> --d----- c:\docume~1\kirsch~1.kir\applic~1\uTorrent
2009-08-06 07:03 41,038 a------- c:\windows\system32\hyth
2009-08-06 01:01 <DIR> --d----- c:\docume~1\kirsch~1.kir\applic~1\Malwarebytes
2009-08-06 00:58 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2009-08-06 00:41 1,110,399 a------- c:\windows\system32\UACmsjplvmiik.db
2009-08-06 00:41 257,536 a------- c:\windows\system32\resdll.dll
2009-08-05 23:09 <DIR> --d----- c:\docume~1\kirsch~1.kir\applic~1\Xfire
2009-08-05 22:34 0 a------- c:\windows\ativpsrm.bin
2009-08-05 22:32 614,400 -------- c:\windows\system32\ati2sgag.exe
2009-08-05 22:31 141,568 a------- c:\windows\system32\drivers\Rtenicxp.sys
2009-08-05 22:31 73,728 a------- c:\windows\system32\RtNicProp32.dll
2009-08-05 22:21 <DIR> --d----- c:\documents and settings\Kirschbaum.KIRSCHBA-C6BB7F
2009-08-05 22:20 8,192 a------- c:\windows\REGLOCS.OLD
2009-08-05 22:18 28,160 ac------ c:\windows\system32\dllcache\migregdb.exe
2009-08-05 22:17 290,816 ac------ c:\windows\system32\dllcache\adsiis51.dll
2009-08-05 22:16 488 a---hr-- c:\windows\system32\WindowsLogon.manifest
2009-08-05 22:15 726,078 ac------ c:\windows\system32\dllcache\srchui.dll
2009-08-05 22:14 26,112 ac------ c:\windows\system32\dllcache\write.exe
2009-08-05 20:16 <DIR> --d----- c:\program files\Trend Micro
2009-08-05 17:12 4,444 a------- c:\windows\system32\pid.PNF
2009-08-05 17:10 57,600 a------- c:\windows\system32\drivers\redbook.sys
2009-08-05 17:09 6,400 a------- c:\windows\system32\drivers\enum1394.sys
2009-08-05 17:08 74,240 a------- c:\windows\system32\usbui.dll
2009-08-05 17:02 <DIR> --d--r-- c:\documents and settings\all users.windows\Documents
2009-08-05 17:01 10,288 a----r-- c:\windows\SET62.tmp
2009-08-05 17:01 16,535 a----r-- c:\windows\SET2B.tmp
2009-08-05 17:01 1,088,840 a----r-- c:\windows\SET1F.tmp
2009-08-05 17:01 1,296,669 a----r-- c:\windows\SET1C.tmp
2009-08-05 16:57 66,082 ac------ c:\windows\system32\dllcache\c_28595.nls
2009-08-05 16:56 10,288 a----r-- c:\windows\SET27.tmp
2009-08-05 16:55 16,535 a----r-- c:\windows\SET8.tmp
2009-08-05 16:55 1,088,840 a----r-- c:\windows\SET4.tmp
2009-08-05 16:55 1,296,669 a----r-- c:\windows\SET3.tmp
2009-08-05 16:54 261 a------- c:\windows\system32\$winnt$.inf
2009-08-04 16:28 <DIR> --d----- c:\program files\common files\DVDVideoSoft
2009-07-27 15:58 <DIR> --d----- c:\program files\Cool MP3 Splitter
2009-07-26 23:22 <DIR> --d----- c:\program files\BitPim
2009-07-23 20:58 41,872 a------- c:\windows\system32\xfcodec.dll
2009-07-18 01:09 <DIR> --d----- c:\program files\MKVtoolnix
2009-07-17 11:10 232,200 a------- c:\windows\system32\PDBoot.exe

==================== Find3M ====================

2009-08-08 12:22 361,344 a------- c:\windows\system32\drivers\TCPIP.SYS
2009-08-06 22:37 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-08-05 22:15 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-07-02 12:49 4,125,696 a------- c:\windows\system32\drivers\ati2mtag.sys
2009-07-02 12:25 442,368 a------- c:\windows\system32\ATIDEMGX.dll
2009-07-02 12:24 335,872 a------- c:\windows\system32\ati2dvag.dll
2009-07-02 12:07 311,296 a------- c:\windows\system32\atiiiexx.dll
2009-07-02 12:06 204,800 a------- c:\windows\system32\atipdlxx.dll
2009-07-02 12:05 155,648 a------- c:\windows\system32\Oemdspif.dll
2009-07-02 12:05 46,592 a------- c:\windows\system32\Ati2mdxx.exe
2009-07-02 12:05 43,520 a------- c:\windows\system32\ati2edxx.dll
2009-07-02 12:05 155,648 a------- c:\windows\system32\ati2evxx.dll
2009-07-02 12:04 622,592 a------- c:\windows\system32\ati2evxx.exe
2009-07-02 12:02 53,248 a------- c:\windows\system32\ATIDDC.DLL
2009-07-02 11:56 3,014,272 a------- c:\windows\system32\ati3duag.dll
2009-07-02 11:54 11,698,176 a------- c:\windows\system32\atioglxx.dll
2009-07-02 11:44 2,139,904 a------- c:\windows\system32\ativvaxx.dll
2009-07-02 11:44 887,724 a------- c:\windows\system32\ativva6x.dat
2009-07-02 11:31 49,664 a------- c:\windows\system32\atimpc32.dll
2009-07-02 11:31 49,664 a------- c:\windows\system32\amdpcom32.dll
2009-07-02 11:28 487,424 a------- c:\windows\system32\atikvmag.dll
2009-07-02 11:27 45,056 a------- c:\windows\system32\aticalrt.dll
2009-07-02 11:26 45,056 a------- c:\windows\system32\aticalcl.dll
2009-07-02 11:26 151,552 a------- c:\windows\system32\atiadlxx.dll
2009-07-02 11:26 17,408 a------- c:\windows\system32\atitvo32.dll
2009-07-02 11:25 53,248 a------- c:\windows\system32\drivers\ati2erec.dll
2009-07-02 11:25 3,248,128 a------- c:\windows\system32\aticaldd.dll
2009-07-02 11:24 376,832 a------- c:\windows\system32\atiok3x2.dll
2009-07-02 11:20 651,264 a------- c:\windows\system32\ati2cqag.dll
2009-06-18 14:29 197,654 a------- c:\windows\system32\atiicdxx.dat

============= FINISH: 17:50:13.62 ===============


Also, I went ahead and ran SUPERAntiSpyware in safe mode and this was the resulting log.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/09/2009 at 05:39 PM

Application Version : 4.27.1002

Core Rules Database Version : 4040
Trace Rules Database Version: 1980

Scan type : Complete Scan
Total Scan Time : 00:44:45

Memory items scanned : 209
Memory threats detected : 0
Registry items scanned : 2923
Registry threats detected : 0
File items scanned : 20251
File threats detected : 4

Trojan.Fake-Alert/Trace
C:\Documents and Settings\Kirschbaum.KIRSCHBA-C6BB7F\Local Settings\Temporary Internet Files\fbk.sts

Trojan.Agent/Gen
C:\WINDOWS\system32\B.TMP

Trojan.Dropper/Gen-Packed
C:\DOCUMENTS AND SETTINGS\KIRSCHBAUM.KIRSCHBA-C6BB7F\APPLICATION DATA\MICROSOFT\WINDOWS\RFVSP.EXE

Rootkit.Agent/Gen-UAC
C:\WINDOWS\SYSTEM32\DRIVERS\UACD.SYS


I believe I have attached everything required and given as much information as I can. If I'm missing something, please let me know.
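As an added example that is not part of the original post (my own code, not anything from BleepingComputer, DDS or SUPERAntiSpyware), here is a first-pass triage of the DDS log above. It splits the log into its sections and applies the checks a helper applies by eye: processes running out of a TEMP directory, a process name one character off a well-known binary (firefoxx.exe), an autorun key with a generated-looking name launching from Application Data, a service whose driver file DDS could not find on disk, a new UAC*.sys driver, and a TCPIP.SYS.ORIGINAL copy left beside a freshly written tcpip.sys. The sample lines are copied from the log in this post; the thresholds (25% vowels, edit distance 1) and the list of well-known process names are my assumptions, and every hit means "look closer", not "malicious".

```python
import re

# Sample input: lines copied from the DDS log posted above (section headers kept),
# plus benign entries (uTorrent, SASDIFSV, mbam.sys) for contrast.
SAMPLE_DDS = r"""
============== Running Processes ===============

C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\TEMP\tor2.tmp
svchost.exe C:\WINDOWS\TEMP\VRT4.tmp
C:\Program Files\Mozilla Firefox\firefoxx.exe

============== Pseudo HJT Report ===============

uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
dRun: [SfKg6wIPuSpdc] c:\documents and settings\kirschbaum.kirschba-c6bb7f\application data\microsoft\windows\rfvsp.exe

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-8-5 9968]
S2 gsfw;gsfw;c:\windows\system32\drivers\couojo.sys --> c:\windows\system32\drivers\couojo.sys [?]

=============== Created Last 30 ================

2009-08-09 17:42 55,296 a------- c:\windows\system32\drivers\UACd.sys
2009-08-09 17:42 44 a------- c:\windows\system32\6.tmp
2009-08-08 12:22 361,344 a------- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-08-07 01:33 19,096 a------- c:\windows\system32\drivers\mbam.sys
"""

VOWELS = set("aeiouAEIOU")
# Assumed list of well-known Windows/browser process names used for look-alike detection.
KNOWN_NAMES = {"firefox.exe", "svchost.exe", "explorer.exe", "lsass.exe",
               "smss.exe", "winlogon.exe", "csrss.exe"}


def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot look-alike process names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_random(name):
    """Crude 'generated name' test: 8+ letters with fewer than 25% vowels (assumed threshold)."""
    letters = [c for c in name if c.isalpha()]
    return len(letters) >= 8 and sum(c in VOWELS for c in letters) / len(letters) < 0.25


def split_sections(text):
    """Map each '=== Section ===' header (lower-cased) to its non-empty lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^=+\s*(.+?)\s*=+$", line)
        if m:
            current = m.group(1).lower()
            sections[current] = []
        elif current and line:
            sections[current].append(line)
    return sections


def triage_dds(text):
    """Return (reason, log line) pairs for entries that deserve a closer look."""
    s = split_sections(text)
    findings = []
    for line in s.get("running processes", []):
        low = line.lower()
        if "\\temp\\" in low or low.endswith(".tmp"):
            findings.append(("process running from a TEMP directory", line))
        for exe in re.findall(r"[\w.-]+\.exe", low):
            if exe not in KNOWN_NAMES and any(edit_distance(exe, k) == 1 for k in KNOWN_NAMES):
                findings.append(("process name one character off a well-known binary", line))
    for line in s.get("pseudo hjt report", []):
        m = re.match(r"^[ud]Run: \[([^\]]+)\] (.*)$", line)
        if not m:
            continue
        key, target = m.group(1), m.group(2).lower()
        if looks_random(key):
            findings.append(("autorun key with a generated-looking name", line))
        if "\\application data\\" in target or "\\temp\\" in target:
            findings.append(("autorun launching from a user profile data directory", line))
    for line in s.get("services / drivers", []):
        if line.endswith("[?]"):  # DDS prints [?] when it cannot stat the service's file
            findings.append(("service/driver whose file DDS could not find on disk", line))
    for line in s.get("created last 30", []):
        m = re.match(r"^\S+ \S+\s+(?:<DIR>|[\d,]+)\s+\S+\s+(.+)$", line)
        if not m:
            continue
        path = m.group(1).lower()
        base = path.rsplit("\\", 1)[-1]
        if "\\drivers\\" in path and base.startswith("uac"):
            findings.append(("new UAC*.sys driver (the name pattern SUPERAntiSpyware reported as Rootkit.Agent/Gen-UAC)", line))
        if base.endswith(".original"):
            findings.append(("system file copy left beside a freshly written original", line))
        if "\\system32\\" in path and base.endswith(".tmp"):
            findings.append(("new .tmp file dropped directly in system32", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage_dds(SAMPLE_DDS):
        print(f"{reason}\n    {line}")
```

Run it against a full DDS.txt by reading the file into `triage_dds`; the section names are matched case-insensitively, so the DDS header variants seen in this log all work.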



#2 fenzodahl512


Posted 10 August 2009 - 05:12 AM

Please make sure you disable ALL of your antivirus/antispyware/firewall software before running ComboFix. Please visit HERE if you don't know how. Please re-enable them after performing all the steps given.

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:

[screenshots omitted]


It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so. It is in your best interest.

Note: DON'T do anything with your computer while ComboFix is running. Let ComboFix finish its job.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 Caked


Posted 10 August 2009 - 06:02 AM

I attempted to run ComboFix.exe, but I received the following error:

[screenshot of the error message omitted]

#4 fenzodahl512


Posted 10 August 2009 - 07:44 AM

Please do this step before you sleep or when you don't use the computer as it will take quite a while..

Please run the Kaspersky Online Scanner

In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.

  • Click on SCAN NOW
  • Click Accept.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
  • The scan will take a while, so be patient and let it finish.

When the scan is done, in the Scan is complete window, any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.

To obtain the report:
Click on: Save Report As
  • Next, in the Save as prompt, Save in area, select: Desktop.
  • In the File name area use KScan, or something similar.
  • In Save as type: click the drop arrow and select: Text file [*.txt]
  • Then, click: Save

Copy and paste the Kaspersky Online Scanner Report in your next reply.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.



#5 Caked


Posted 10 August 2009 - 02:17 PM

Unfortunately, that is one of the websites I'm unable to access DUE to this spyware/virus.

#6 fenzodahl512


Posted 10 August 2009 - 02:34 PM

I strongly suspect the computer is infected with a patching virus such as Sality or Virut. If that's the case, it will be very bad.

Please show hidden files and folders
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file paths into the "Suspicious files to scan" box at the top of the page:
    • C:\Windows\explorer.exe
    • C:\Windows\System32\smss.exe
    • C:\Windows\System32\lsass.exe
    • C:\Windows\System32\svchost.exe
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
If VirScan.org server is too busy, please submit the file to VirusTotal instead.
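Added example, not part of the thread and not what VirSCAN or VirusTotal do: an offline sanity check for the same four core executables, based only on the PE header. A file infector that appends its code to a host commonly leaves AddressOfEntryPoint pointing into the last section, frequently one marked both writable and executable, instead of into the original .text section; this script parses the section table by hand (no pefile dependency) and flags that shape. The PE images it analyses are constructed in memory for the demo (no real code inside, no files from this machine), and the section names and addresses are my assumptions. Packers such as UPX produce the same shape, so a hit means "upload this one for a proper scan", not "infected".

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (AddressOfEntryPoint, section list) from a PE32/PE32+ image in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]      # FileHeader.NumberOfSections
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]         # FileHeader.SizeOfOptionalHeader
    entry = struct.unpack_from("<I", data, e_lfanew + 40)[0]            # OptionalHeader.AddressOfEntryPoint
    table = e_lfanew + 24 + size_opt                                    # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]             # Characteristics
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
                         "rawptr": rawptr, "chars": chars})
    return entry, sections


def entry_point_findings(data):
    """Heuristics for an appended-code infector: where does execution start, and in what kind of section?"""
    entry, sections = parse_pe(data)
    host = next((i for i, s in enumerate(sections)
                 if s["vaddr"] <= entry < s["vaddr"] + max(s["vsize"], s["rawsize"])), None)
    if host is None:
        return ["entry point 0x%x lies outside every section" % entry]
    s = sections[host]
    findings = []
    if host == len(sections) - 1 and len(sections) > 1:
        findings.append("entry point is in the last section (%s), not the first code section" % s["name"])
    if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry section %s is both writable and executable" % s["name"])
    if not s["chars"] & IMAGE_SCN_CNT_CODE:
        findings.append("entry section %s is not marked as containing code" % s["name"])
    return findings


def scan_file(path):
    """Apply the heuristics to a file on disk, e.g. C:\\Windows\\explorer.exe."""
    with open(path, "rb") as f:
        return entry_point_findings(f.read())


def build_pe(sections, entry):
    """Constructed minimal PE32 headers for the demo: DOS stub, PE signature, file/optional headers, section table."""
    e_lfanew, size_opt = 0x80, 224
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x0102)
    opt_hdr = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry).ljust(size_opt, b"\0")
    table = b"".join(struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, vsize, 0x400, 0, 0, 0, 0, chars)
                     for name, vaddr, vsize, chars in sections)
    return dos + b"PE\0\0" + file_hdr + opt_hdr + table


# Assumed layout of an untouched binary: code first, data and resources after it.
CLEAN_LAYOUT = [
    (b".text", 0x1000, 0x2000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", 0x3000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b".rsrc", 0x4000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
]
# The same file with a writable+executable section appended and the entry point moved into it:
# the shape an appending infector (or, as a false positive, a packer) leaves behind.
APPENDED_LAYOUT = CLEAN_LAYOUT + [
    (b".ebqy", 0x5000, 0x3000,
     IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
]


def demo():
    """Run both constructed images through the check; returns (clean findings, appended findings)."""
    return (entry_point_findings(build_pe(CLEAN_LAYOUT, 0x1234)),
            entry_point_findings(build_pe(APPENDED_LAYOUT, 0x5100)))


if __name__ == "__main__":
    clean, appended = demo()
    print("clean:", clean or "no findings")
    print("appended:", appended)
```

On a live machine call `scan_file` on each of the four paths in the list above; an empty result is not a clean bill of health (a cavity infector that overwrites slack space inside .text never moves the entry point), which is why the upload to a multi-engine scanner still matters.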



#7 Caked


Posted 10 August 2009 - 05:15 PM

I couldn't figure out how to scan multiple files at once, so I have four reports. Here they are:

http://virscan.org/report/65240e4d800e641a...68c335f819.html
http://virscan.org/report/81e6b64f49ea9909...a17e8ec650.html
http://virscan.org/report/83f7116d66090d74...1934aef16c.html
http://virscan.org/report/02ed2cb2b6931ea3...6c3a453bac.html

Thanks for all your help so far.

#8 fenzodahl512


Posted 10 August 2009 - 09:30 PM

Unfortunately, your computer is infected with Virut. To date, nothing I know of is able to cure it 100% successfully.

A quote from an expert (sUBs)

Virut is not disinfectable. Your only option is to perform a full reformat. Do NOT attempt a repair install. It shall be a waste of time. If you do so, the infected executables remain on the machine & you shall likely trigger another bout of Virut.

If you do not know how to perform a fresh install, use this website > http://www.windowsreinstall.com/

Note: If you have to backup files, do so only for MS Office documents & any non executable file. Burn them to CD/DVD. Do NOT copy files from the infected machine to your pendrive OR another machine. You risk infecting the other machine.


A full reformat means formatting ALL partitions.

Looking at the log, I would advise you to start backing up all of your valuable data/documents/pictures/movies/songs/etc. Do NOT back up any applications/installers, and do NOT back up any .exe/.scr/.htm/.html/.xml/.zip/.rar/.pif/.asp/.php/.iso files.


Make sure you back up everything ONLY to CD or DVD (non-rewritable). If you need to back up to an external hard drive or thumb drive, make sure it is EMPTY, meaning NO FILES inside it. Format the external drive before attaching it to the infected computer. A single .exe file on the external drive may infect other computers as well.
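Added example, not from the thread: a backup selector that enforces the rule in this post (the extension list is copied from it) with two checks I assume a practitioner wants on an infected box. It sniffs the MZ magic so an executable that has merely been renamed (invoice.doc) is not carried over, and it writes a SHA-256 manifest of everything copied so the backup can be verified on the clean machine before it is trusted. The sample file tree is constructed in a temporary directory; the file names and contents are my own.

```python
import hashlib
import os
import shutil
import tempfile

# Extensions fenzodahl512 says not to back up (post #8). Anything else is copied
# unless it turns out to be an executable in disguise.
DENY_EXT = {".exe", ".scr", ".htm", ".html", ".xml", ".zip", ".rar",
            ".pif", ".asp", ".php", ".iso"}


def is_mz_executable(path):
    """Sniff the magic bytes: a PE renamed to invoice.doc still starts with MZ."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def classify(path):
    """'copy', or a 'skip:<why>' verdict for a single file."""
    ext = os.path.splitext(path)[1].lower()
    if ext in DENY_EXT:
        return "skip:denied-extension"
    if is_mz_executable(path):
        return "skip:mz-header"
    return "copy"


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_tree(src, dst):
    """Copy eligible files from src to dst; return (manifest, skipped) keyed by relative path."""
    manifest, skipped = {}, {}
    for root, _dirs, files in os.walk(src):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, src).replace(os.sep, "/")
            verdict = classify(path)
            if verdict != "copy":
                skipped[rel] = verdict
                continue
            target = os.path.join(dst, *rel.split("/"))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            shutil.copyfile(path, target)
            manifest[rel] = sha256_of(target)
    # sha256sum-compatible manifest: verify later with `sha256sum -c MANIFEST.sha256`
    with open(os.path.join(dst, "MANIFEST.sha256"), "w") as f:
        for rel in sorted(manifest):
            f.write(f"{manifest[rel]}  {rel}\n")
    return manifest, skipped


# Constructed sample tree (not files from the thread): two documents, an installer,
# an executable renamed to .doc, and an .html file.
SAMPLE_FILES = {
    "docs/thesis.txt": b"plain text document",
    "docs/holiday.jpg": b"\xff\xd8\xff\xe0 not really a jpeg",
    "setup.exe": b"MZ\x90\x00 fake installer",
    "docs/invoice.doc": b"MZ\x90\x00 executable renamed to .doc",
    "notes.html": b"<html></html>",
}


def demo():
    """Build the sample tree in a temp dir, back it up to another, clean up, return the verdicts."""
    src, dst = tempfile.mkdtemp(), tempfile.mkdtemp()
    for rel, content in SAMPLE_FILES.items():
        p = os.path.join(src, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(content)
    manifest, skipped = backup_tree(src, dst)
    shutil.rmtree(src)
    shutil.rmtree(dst)
    return manifest, skipped


if __name__ == "__main__":
    copied, skipped = demo()
    print("copied:", sorted(copied))
    print("skipped:", skipped)
```

Run `backup_tree` with `src` set to the profile directory and `dst` set to the freshly formatted external drive; the skipped dictionary is worth reading before you wipe, since a legitimate document that is really an MZ file is exactly the kind of thing you do not want to find out about later.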



#9 Caked


Posted 12 August 2009 - 10:50 AM

Done and done. I appreciate all your help and it seems the virus is gone now as I can access Microsoft.com, etc.

Thanks again for your help.



