
IEXPLORER.EXE - Invisible Clicks, Lowered Wave Volume, Random popups...



#1 d4k


Posted 15 July 2010 - 08:27 PM

Hi, I need help... The virus downloaded itself through a website running a JavaScript, I think. The remaining exe files were located in Local Settings\Temp, called "smss.exe", "5266262.exe" and "loader.exe", and they were infected with some Trojan Cryptic and Trojan Clicker. My AVG removed these, but I think the damage is already done because these files were probably already executed on my machine. Now I'm getting a fake iexplorer.exe in my taskbar that gives me weird clicking noises and randomly lowers my sound Wave volume to 0; it also throws up a popup ad every now and then.

GMER wouldn't finish properly; I'll try running it again tomorrow if necessary. I got a bluescreen twice (no clue why, I never BSOD otherwise).

I found this while googling, and I saw this thread was created only a few hours before mine, so I'm thinking this virus is new.

http://www.bleepingcomputer.com/forums/t/332088/invisible-adsclicking-and-lowered-wave-volume/ <- exactly the same issues as me!

Thanks for the help guys!

DDS Log:

DDS (Ver_10-03-17.01) - NTFSx86  
Run by Joneri at  3:21:48,71 on 2010-07-16
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional  5.1.2600.3.1252.46.1053.18.2013.1100 [GMT 2:00]


============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
C:\Program\Lenovo\ATK Hotkey\GFNEXSrv.exe
C:\Program\Lenovo\ATK Hotkey\LFKAS.exe
C:\Program\AVG\AVG9\avgchsvx.exe
C:\Program\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program\AVG\AVG9\avgwdsvc.exe
svchost.exe 4
C:\Program\Intel\WiFi\bin\EvtEng.exe
C:\Program\AVG\AVG9\avgcsrvx.exe
C:\Program\Delade filer\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
svchost.exe 4
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program\Lenovo\HOTKEY\LVOSDSVC.exe
C:\Program\Lenovo\ATK Hotkey\LCONTROL.exe
C:\Program\Lenovo\ATK Hotkey\LFKA.exe
C:\Program\Apoint2K\Apoint.exe
C:\Program\Keyboard Mapper\KeyRemapper.exe
C:\Program\Lenovo\HOTKEY\TPONSCR.exe
C:\Program\Apoint2K\ApMsgFwd.exe
C:\Program\Lenovo\Zoom\TpScrex.exe
C:\Program\Apoint2K\Apntex.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Program\Mozilla Firefox\plugin-container.exe
C:\stinger1001934.exe
C:\PSISetup.exe
C:\Program\Outlook Express\msimn.exe
C:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program\delade filer\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [KeyMapperStarup] "c:\program\keyboard mapper\KeyRemapper.exe"  /background
uRun: [SUPERAntiSpyware] c:\program\superantispyware\SUPERAntiSpyware.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [TPHOTKEY] c:\program\lenovo\hotkey\LVOSDSVC.exe
mRun: [LCONTROL] "c:\program\lenovo\atk hotkey\LCONTROL.exe"
mRun: [LFKA] "c:\program\lenovo\atk hotkey\LFKA.exe"
mRun: [Apoint] c:\program\apoint2k\Apoint.exe
mRun: [PSQLLauncher] "c:\program\thinkvantage fingerprint software\launcher.exe" /startup
uPolicies-explorer: NoWinKeys = 1 (0x1)
uPolicies-explorer: StartMenuLogOff = 1 (0x1)
uPolicies-explorer: NoSMMyDocs = 1 (0x1)
uPolicies-explorer: NoInternetIcon = 1 (0x1)
uPolicies-explorer: NoDesktop = 1 (0x1)
IE: Skicka till &Bluetooth-enhet... - c:\program\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: Skicka till Bluetooth - c:\program\thinkpad\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program\thinkpad\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1267548623625
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {48C540C4-8009-4114-8E40-9D38291CAAC2} = 192.168.0.1
Notify: !SASWinLogon - c:\program\superantispyware\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: psfus - c:\program\thinkvantage fingerprint software\psqlpwd.dll
Notify: tphotkey - c:\program\lenovo\hotkey\tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli c:\program\thinkvantage fingerprint software\psqlpwd.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jonnye~1\applic~1\mozilla\firefox\profiles\8nqwbs4l.default\
FF - prefs.js: browser.startup.homepage - hxxp://dkeserver.se/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program\mozilla firefox\greprefs\all.js - pref("browser.visited_color",               "#551A8B");
c:\program\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
c:\program\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program\mozilla firefox\greprefs\all.js - pref("network.proxy.type",                  5);
c:\program\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
c:\program\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
c:\program\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
c:\program\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
c:\program\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
c:\program\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");
c:\program\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program\mozilla firefox\defaults\pref\firefox.js - pref("browser.videoFeeds.handler", "ask");
c:\program\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-3-2 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-3-2 29584]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2008-5-12 13480]
R1 SASDIFSV;SASDIFSV;c:\program\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 avg9wd;AVG Free WatchDog;c:\program\avg\avg9\avgwdsvc.exe [2010-7-16 308136]
R2 LFKAS;Service of LFKA;c:\program\lenovo\atk hotkey\LFKAS.exe [2010-3-2 208896]
R2 smihlp;SMI Helper Driver (smihlp);c:\program\thinkvantage fingerprint software\smihlp.sys [2009-3-13 12560]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2010-3-2 116224]
R3 lnvobus;Ericsson F3507g Mobile Broadband Minicard Composite Device driver (WDM);c:\windows\system32\drivers\lnvobus.sys [2010-3-2 282880]
R3 lnvocard;Ericsson F3507g Mobile Broadband Minicard Device Management;c:\windows\system32\drivers\lnvocard.sys [2010-3-2 356480]
R3 lnvogps;Ericsson F3507g Mobile Broadband Minicard GPS Port;c:\windows\system32\drivers\lnvogps.sys [2010-3-2 77864]
R3 lnvomdfl;Ericsson F3507g Mobile Broadband Minicard Modem Filter;c:\windows\system32\drivers\lnvomdfl.sys [2010-3-2 15104]
R3 lnvomdfl2;Ericsson F3507g Mobile Broadband Minicard Data Modem Filter;c:\windows\system32\drivers\lnvomdfl2.sys [2010-3-2 15104]
R3 lnvomdm;Ericsson F3507g Mobile Broadband Minicard Modem Driver;c:\windows\system32\drivers\lnvomdm.sys [2010-3-2 365056]
R3 lnvomdm2;Ericsson F3507g Mobile Broadband Minicard Data Modem;c:\windows\system32\drivers\lnvomdm2.sys [2010-3-2 408960]
R3 lnvond5;Ericsson F3507g Mobile Broadband Minicard Network Adapter (NDIS);c:\windows\system32\drivers\lnvond5.sys [2010-3-2 25984]
R3 lnvounic;Ericsson F3507g Mobile Broadband Minicard Network Adapter (WDM);c:\windows\system32\drivers\lnvounic.sys [2010-3-2 375424]
R3 Sony_EricssonWWSC;Ericsson F3507g Mobile Broadband Minicard PC SC Port;c:\windows\system32\drivers\lnvoscard.sys [2010-3-2 24232]
S3 freenet;Freenet background service;c:\program\freenet\bin\wrapper-windows-x86-32.exe -s c:\program\freenet\wrapper.conf --> c:\program\freenet\bin\wrapper-windows-x86-32.exe -s c:\program\freenet\wrapper.conf [?]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\manycam.sys --> c:\windows\system32\drivers\ManyCam.sys [?]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-7-7 14904]

============== File Associations ===============

.txt=UltraEdit.txt

=============== Created Last 30 ================

2010-07-16 01:16:14    525824    ----a-w-    C:\dds.scr
2010-07-16 00:56:50    0    d-----w-    c:\program\Secunia
2010-07-16 00:56:16    755264    ----a-w-    C:\PSISetup.exe
2010-07-16 00:52:30    8251911    ----a-w-    C:\stinger1001934.exe
2010-07-16 00:35:53    293376    ----a-w-    C:\snm6vjrl.exe
2010-07-16 00:35:14    294400    ----a-w-    C:\exeHelper.com
2010-07-16 00:25:10    1870800    ----a-w-    C:\HousecallLauncher.exe
2010-07-16 00:14:17    0    d-----w-    c:\program\Trend Micro
2010-07-16 00:14:01    812344    ----a-w-    C:\HJTInstall.exe
2010-07-16 00:11:15    390656    ----a-w-    C:\STOPzilla_Setup.exe
2010-07-16 00:06:48    0    d-----w-    c:\docume~1\jonnye~1\applic~1\SUPERAntiSpyware.com
2010-07-16 00:06:48    0    d-----w-    c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-07-16 00:06:42    0    d-----w-    c:\program\SUPERAntiSpyware
2010-07-16 00:06:00    9070816    ----a-w-    C:\SUPERAntiSpyware.exe
2010-07-15 23:02:44    12536    ----a-w-    c:\windows\system32\avgrsstx.dll
2010-07-14 04:44:52    744448    -c----w-    c:\windows\system32\dllcache\helpsvc.exe
2010-07-11 10:21:27    0    d-----w-    c:\docume~1\jonnye~1\applic~1\BID
2010-07-11 10:20:51    0    d-----w-    C:\Ny mapp
2010-07-07 14:05:32    14904    ----a-w-    c:\windows\system32\drivers\psi_mf.sys
2010-06-24 11:19:36    0    d-----w-    c:\docume~1\jonnye~1\applic~1\Mp3tag
2010-06-24 11:19:20    0    d-----w-    c:\program\Mp3tag

==================== Find3M  ====================

2010-07-15 23:56:35    79140    ----a-w-    c:\windows\system32\perfc01D.dat
2010-07-15 23:56:35    435098    ----a-w-    c:\windows\system32\perfh01D.dat
2010-07-15 23:02:08    216400    ----a-w-    c:\windows\system32\drivers\avgldx86.sys
2010-05-02 08:10:15    1851264    ----a-w-    c:\windows\system32\win32k.sys
2010-04-20 05:34:53    285696    ----a-w-    c:\windows\system32\atmfd.dll
2007-07-07 06:07:06    812544    ----a-w-    c:\program\DoubleKiller.exe
2007-02-01 16:02:54    313344    ----a-w-    c:\program\hjsplit.exe
2006-11-01 11:06:52    215928    ----a-w-    c:\program\pagedfrg.exe

============= FINISH:  3:22:49,81 ===============
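The "Running Processes" section of a DDS log like the one above is normally triaged by eye. The following Python is an added example, not part of this thread and not DDS code, that flags the lines a reader would want to look at twice: images running from the drive root or a temp directory, well-known system binary names running outside their normal folder, and names that merely resemble a system binary (the "iexplorer.exe" the poster saw). The expected-folder table is my assumption for an XP machine; the sample input is copied from the posted log plus two constructed lines standing in for the Temp-folder droppers the poster named. The Swedish folder names in the log ("C:\Program", "Delade filer") need no special casing because the rules look at the image name and the directory suffix rather than for "Program Files".

```python
r"""Triage helper for the 'Running Processes' section of a DDS log.

Added example, not part of the original post and not DDS code. It flags
process images that run from places a legitimate install rarely uses
(the drive root, a temp directory), well-known system binary names
running outside their normal folder, and names that merely resemble a
system binary (the poster's "iexplorer.exe").
"""
import difflib
import re

# Assumed normal home (directory suffix, lower-case) of well-known
# Windows and IE binaries; the same name anywhere else is flagged.
EXPECTED_DIR = {
    "smss.exe": r"\windows\system32",
    "csrss.exe": r"\windows\system32",
    "lsass.exe": r"\windows\system32",
    "winlogon.exe": r"\windows\system32",
    "svchost.exe": r"\windows\system32",
    "taskmgr.exe": r"\windows\system32",
    "explorer.exe": r"\windows",
    "iexplore.exe": r"\internet explorer",
}

IMAGE_RE = re.compile(r"^(.*?\.(?:exe|scr|com))(?:\s.*)?$", re.I)  # image path before any args
TEMP_RE = re.compile(r"\\(?:temp|tmp)\\", re.I)
ROOT_RE = re.compile(r"^[a-z]:\\[^\\]+$", re.I)


def triage_line(line):
    """Return the reasons a DDS process line deserves a look ([] if none)."""
    m = IMAGE_RE.match(line.strip())
    if not m:
        return []
    path = m.group(1).lower()
    if "\\" not in path:
        # DDS prints a bare name when it could not read the image path
        # (e.g. processes owned by another account); confirm it elsewhere.
        return ["image path not resolved; verify with Process Explorer"]
    directory, name = path.rsplit("\\", 1)
    reasons = []
    if TEMP_RE.search(path):
        reasons.append("running from a temp directory")
    if ROOT_RE.match(path):
        reasons.append("running from the drive root")
    if name in EXPECTED_DIR:
        if not directory.endswith(EXPECTED_DIR[name]):
            reasons.append("system binary name outside its normal folder")
    elif difflib.get_close_matches(name, EXPECTED_DIR, n=1, cutoff=0.9):
        # One-character lookalikes of a system binary name (iexplorer.exe, svch0st.exe ...)
        reasons.append("name resembles a system binary")
    return reasons


def triage(lines):
    """Map each flagged line to its reasons; clean lines are left out."""
    flagged = {}
    for line in lines:
        reasons = triage_line(line)
        if reasons:
            flagged[line.strip()] = reasons
    return flagged


# Sample input: lines taken from the posted log, plus two constructed
# lines standing in for the Temp-folder droppers the poster described.
SAMPLE = [
    r"C:\WINDOWS\System32\svchost.exe -k netsvcs",
    r"svchost.exe",
    r"C:\Program\Delade filer\Intel\WirelessCommon\RegSrvc.exe",
    r"C:\WINDOWS\Explorer.EXE",
    r"C:\WINDOWS\system32\taskmgr.exe",
    r"C:\Program\Mozilla Firefox\firefox.exe",
    r"C:\stinger1001934.exe",
    r"C:\dds.scr",
    r"c:\docume~1\joneri\locals~1\temp\smss.exe",       # constructed
    r"c:\docume~1\joneri\locals~1\temp\iexplorer.exe",  # constructed
]

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE).items():
        print(line + "\n    " + "; ".join(reasons))
```

Run against the sample, the two constructed Temp-folder lines and the two tools the poster ran from C:\ are reported, the bare "svchost.exe" lines are marked as unresolved rather than malicious, and the Swedish-path Intel and Firefox binaries pass; the tool-from-root hits are expected here, since the poster had just downloaded those scanners, which is why the output is a list to review and not a verdict.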






#2 d4k


Posted 15 July 2010 - 09:09 PM

Bah, finally managed to fix the issue. Downloaded http://www.esagelab.com/resources.php?s=bootkit_remover

Ran remove.exe; it said there was another boot sector.

Ran the command to clean the MBR:

start > run > "%userprofile%\Desktop\remover.exe" fix \\.\PhysicalDrive0

(meaning you must place remover.exe on your desktop, assuming you're running an English OS).

Reboot.

No more click n clacks. Try at your own risk; doing anything with the boot sectors can screw up your computer.
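The poster's warning is the right one: a tool that rewrites sector 0 should be run only after you have a copy of what is there. As an added example, not from this thread and not the remover tool's code, the Python below takes a snapshot of the MBR that a practitioner would save before running a command like the `fix \\.\PhysicalDrive0` above and again afterwards, parses it (boot code, disk signature, four partition entries, 0x55AA signature), hashes the boot code so the two snapshots can be diffed, and reports how many sectors lie between the MBR and the first partition, the unallocated gap where a bootkit commonly keeps its own copy of a boot sector. Reading `\\.\PhysicalDrive0` needs an elevated prompt on Windows; the MBR used in the sample is constructed, and the choice of checks is mine.

```python
r"""Snapshot and diff a 512-byte MBR before and after a boot-sector fix.

Added example, not part of the original thread and not the remover's code.
read_mbr() needs administrator rights on Windows; the sample MBR below is
constructed and stands in for a real one.
"""
import hashlib
import struct

SECTOR = 512
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def read_mbr(device=r"\\.\PhysicalDrive0"):
    """Read the first sector of a raw device (elevated prompt required)."""
    with open(device, "rb") as f:
        return f.read(SECTOR)


def parse_mbr(data):
    """Describe an MBR as a dict; raise ValueError if the data is not one."""
    if len(data) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if data[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, data, 446 + 16 * i)
        if ptype != 0:  # type 0 marks an unused slot
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    first_lba = min((p["lba_start"] for p in parts), default=None)
    return {
        "bootcode_sha256": hashlib.sha256(data[:440]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", data, 440)[0],
        "partitions": parts,
        # Sectors 1..first_lba-1 belong to no partition; a second "boot
        # sector" planted by a bootkit commonly sits in this gap, so dump it too.
        "gap_sectors": (first_lba - 1) if first_lba else None,
    }


def is_mbr(data):
    """True if parse_mbr() accepts the data."""
    try:
        parse_mbr(data)
        return True
    except ValueError:
        return False


def diff_mbr(before, after):
    """Names of the parsed fields that differ between two snapshots."""
    return [k for k in before if before[k] != after[k]]


def build_sample(bootcode_fill):
    """Constructed MBR: one bootable NTFS partition starting at LBA 63."""
    data = bytearray(SECTOR)
    data[:440] = bytes([bootcode_fill]) * 440       # stand-in boot code
    struct.pack_into("<I", data, 440, 0x12345678)   # fake disk signature
    struct.pack_into(ENTRY_FMT, data, 446, 0x80, b"\x01\x01\x00", 0x07,
                     b"\xfe\xff\xff", 63, 2097089)
    data[510:512] = b"\x55\xaa"
    return bytes(data)


CLEAN = parse_mbr(build_sample(0x90))    # NOP-filled stand-in for the real boot code
PATCHED = parse_mbr(build_sample(0xEB))  # same disk, boot code overwritten

if __name__ == "__main__":
    print("partitions:", CLEAN["partitions"])
    print("gap sectors before first partition:", CLEAN["gap_sectors"])
    print("changed after patch:", diff_mbr(CLEAN, PATCHED))
```

In practice: write `read_mbr()` to a file before running any fix, read again afterwards, and `diff_mbr(parse_mbr(before), parse_mbr(after))` tells you whether the tool touched only the boot code (the expected outcome) or also the partition table, in which case the saved copy is what you restore from.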

#3 Budapest

Budapest

    Bleepin' Cynic


  • Moderator

Posted 15 July 2010 - 11:56 PM

As this issue appears to be resolved I am closing the topic. Please send me (or any other Moderator) a Personal Message (PM) if you would like the topic re-opened.



