Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Rrup.exe Adware I Can't Remove


  • Please log in to reply
4 replies to this topic

#1 fadenwalker

fadenwalker

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:08:50 AM

Posted 16 November 2005 - 01:27 AM

Ive read alot of other post here and they've been helpful. I hope someone can help me with this. I've been battling pop-ups lately. They seem to be related to a process rrup.exe. Evertime I delete it, it comes right back. Ive used trend micro sysclean, microsoft antispyware, norton, mcafee stinger and hijackthis to no avail. I am so frustrated. Ive deleted this rrup.exe 100 times and it comes back. Another scan with MS antispyware said it found virumundo, it also comes back. If someone would check my hjt log and help I would be forever grateful.

Faden


Logfile of HijackThis v1.99.1
Scan saved at 10:21:57 PM, on 11/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\W?nSxS\smss.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Poker.com\poker.cor
C:\Documents and Settings\User\Desktop\cleaners\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINDOWS\system32\ssttr.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Sienmybh] C:\WINDOWS\system32\W?nSxS\smss.exe
O4 - HKCU\..\Run: [Osus] "C:\Program Files\htwu\rrup.exe" -vt ndrv
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/wizlet/...flowActiveX.CAB
O20 - Winlogon Notify: ssttr - C:\WINDOWS\system32\ssttr.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

This is an online scan from kaspersky:

KASPERSKY ON-LINE SCANNER REPORT
Sunday, November 13, 2005 16:35:06
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 14/11/2005
Kaspersky Anti-Virus database records: 149969
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 59361
Number of viruses found: 1
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 3532 sec

Infected Object Name - Virus Name
C:\Documents and Settings\User\Local Settings\Temp\!update.exe Infected: Trojan-Downloader.Win32.PurityScan.av
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\UVQR45U7\!update-2795[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.av
C:\Program Files\htwu\rrup.exe Infected: Trojan-Downloader.Win32.PurityScan.av

Scan process completed.

BC AdBot (Login to Remove)

 


m

#2 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 19 November 2005 - 03:17 PM

Hi fadenwalker and Welcome to the Bleeping Computer!

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....


  • At this point press enter one time.

  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:


  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\system32\ssttr.dll
  • Press Enter to continue with the fix.

  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):C:\WINDOWS\system32\rttss.*
    This will be the vundo filename spelt backwards. for example if the vundo dll was vundo.dll you would have the user enter odnuv.*
  • Press Enter to continue with the fix.
  • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

    O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINDOWS\system32\ssttr.dll

    O4 - HKCU\..\Run: [Sienmybh] C:\WINDOWS\system32\W?nSxS\smss.exe

    O4 - HKCU\..\Run: [Osus] "C:\Program Files\htwu\rrup.exe" -vt ndrv

    O20 - Winlogon Notify: ssttr - C:\WINDOWS\system32\ssttr.dll
  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.


Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Double-click the file to install it as follows:
    • Click "Next", read the agreement, Click "Next"
    • Choose "Custom" click "Next".
    • Leave the default installation directory as it is, then click "Next".
    • UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
    • On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
    • Finally, click "Install"
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan-> results of the SpySweeper Scan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

Edited by Cretemonster, 19 November 2005 - 03:20 PM.


#3 fadenwalker

fadenwalker
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  

Posted 28 November 2005 - 11:52 PM

Cretemonster-

Thanks for the reply. Soory my response is delayed.... I was away for the holiday weekend. I will apply the instructions in the morning and post the results tomorrow. Thanks again so much for your help.

Faden

#4 fadenwalker

fadenwalker
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:08:50 AM

Posted 29 November 2005 - 06:51 PM

OK. I ran everything you said. Here are the results......

WEBROOT SPY SWEEPER RESULTS

********
2:08 PM: | Start of Session, Tuesday, November 29, 2005 |
2:08 PM: Spy Sweeper started
2:08 PM: Sweep initiated using definitions version 576
2:08 PM: Starting Memory Sweep
2:12 PM: Memory Sweep Complete, Elapsed Time: 00:03:31
2:12 PM: Starting Registry Sweep
2:12 PM: Found Adware: diamond deal casino
2:12 PM: HKLM\software\sportsinteraction casino\ (21 subtraces) (ID = 125187)
2:12 PM: HKLM\software\microsoft\windows\currentversion\uninstall\sportsinteraction casino\ (2 subtraces) (ID = 125189)
2:12 PM: Found Adware: purityscan
2:12 PM: HKCR\interface\{3517fb25-305d-4012-b531-186e3851e7ed}\ (8 subtraces) (ID = 137348)
2:12 PM: HKCR\interface\{4781daa6-4de5-47a1-b02a-945f0d017a9e}\ (8 subtraces) (ID = 137349)
2:12 PM: HKLM\software\classes\interface\{3517fb25-305d-4012-b531-186e3851e7ed}\ (8 subtraces) (ID = 137678)
2:12 PM: HKLM\software\classes\interface\{4781daa6-4de5-47a1-b02a-945f0d017a9e}\ (8 subtraces) (ID = 137679)
2:12 PM: HKLM\software\classes\interface\{4781daa6-4de5-47a1-b02a-945f0d017a9e}\typelib\ (2 subtraces) (ID = 137680)
2:12 PM: HKLM\software\classes\typelib\{5530d356-0063-41b9-b20d-e9d799e8d907}\ (9 subtraces) (ID = 137687)
2:12 PM: HKCR\typelib\{5530d356-0063-41b9-b20d-e9d799e8d907}\ (9 subtraces) (ID = 139091)
2:12 PM: HKU\S-1-5-21-2115544269-134166494-204380095-1006\software\sportsinteraction casino\ (125 subtraces) (ID = 125186)
2:12 PM: Registry Sweep Complete, Elapsed Time:00:00:29
2:12 PM: Starting Cookie Sweep
2:12 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
2:12 PM: Starting File Sweep
2:13 PM: Found Adware: internetoptimizer
2:13 PM: c:\windows\stwsi (ID = -2147480829)
2:13 PM: c:\documents and settings\all users\start menu\programs\sportsinteraction casino (2 subtraces) (ID = -2147481088)
2:15 PM: slots3reel_reel0.slt (ID = 59033)
2:16 PM: slots3reel_reel1.slt (ID = 59034)
2:16 PM: slots3reel_reel2.slt (ID = 59035)
2:16 PM: slots5reel-reel0.slt (ID = 59036)
2:16 PM: slots5reel-reel1.slt (ID = 59037)
2:16 PM: slots5reel-reel2.slt (ID = 59038)
2:16 PM: slots5reel-reel3.slt (ID = 59039)
2:16 PM: slots5reel-reel4.slt (ID = 59040)
2:18 PM: card_draw_right.ani (ID = 59004)
2:18 PM: card_flip.ani (ID = 59005)
2:18 PM: card_peek_dealer_down.ani (ID = 59006)
2:18 PM: card_peek_dealer_up.ani (ID = 59007)
2:18 PM: card_stand_center.ani (ID = 59008)
2:18 PM: card_stand_dealer.ani (ID = 59009)
2:18 PM: card_stand_left.ani (ID = 59010)
2:18 PM: card_stand_right.ani (ID = 59011)
2:22 PM: back.z (ID = 58992)
2:22 PM: card_1.3d (ID = 58994)
2:22 PM: card_1b.3d (ID = 58995)
2:23 PM: slots5reel-reel0.slt (ID = 59036)
2:23 PM: slots5reel-reel1.slt (ID = 59037)
2:23 PM: slots5reel-reel2.slt (ID = 59038)
2:23 PM: slots5reel-reel3.slt (ID = 59039)
2:23 PM: slots5reel-reel4.slt (ID = 59040)
2:23 PM: slots3reel_reel0.slt (ID = 59033)
2:23 PM: card_away_center.ani (ID = 58996)
2:23 PM: card_away_dealer.ani (ID = 58997)
2:23 PM: card_away_left.ani (ID = 58998)
2:23 PM: card_away_right.ani (ID = 58999)
2:23 PM: card_draw_center.ani (ID = 59000)
2:23 PM: card_draw_dealer.ani (ID = 59001)
2:23 PM: card_draw_dealer_face_down.ani (ID = 59002)
2:23 PM: card_draw_left.ani (ID = 59003)
2:23 PM: slots3reel_reel1.slt (ID = 59034)
2:23 PM: slots3reel_reel2.slt (ID = 59035)
2:27 PM: card_1.3d (ID = 58994)
2:28 PM: card_1b.3d (ID = 58995)
2:28 PM: card_away_center.ani (ID = 58996)
2:28 PM: card_away_dealer.ani (ID = 58997)
2:28 PM: card_away_left.ani (ID = 58998)
2:28 PM: card_away_right.ani (ID = 58999)
2:28 PM: card_draw_center.ani (ID = 59000)
2:28 PM: card_draw_dealer.ani (ID = 59001)
2:28 PM: card_draw_dealer_face_down.ani (ID = 59002)
2:28 PM: card_draw_right.ani (ID = 59004)
2:28 PM: card_flip.ani (ID = 59005)
2:28 PM: card_peek_dealer_down.ani (ID = 59006)
2:28 PM: card_peek_dealer_up.ani (ID = 59007)
2:28 PM: card_stand_center.ani (ID = 59008)
2:28 PM: card_stand_dealer.ani (ID = 59009)
2:28 PM: card_stand_left.ani (ID = 59010)
2:28 PM: card_stand_right.ani (ID = 59011)
2:28 PM: mblackjack.dll (ID = 59028)
2:28 PM: card_draw_left.ani (ID = 59003)
2:28 PM: mblackjack.dll (ID = 59028)
2:29 PM: back.z (ID = 58992)
2:29 PM: sportsinteraction casino setup.exe (ID = 59024)
2:31 PM: Warning: Invalid file - not a PKZip file
2:31 PM: Warning: Invalid file - not a PKZip file
2:31 PM: Warning: Invalid file - not a PKZip file
2:31 PM: Warning: Invalid file - not a PKZip file
2:31 PM: Warning: Invalid Stream
2:31 PM: Warning: Invalid Stream
2:31 PM: uninstall sportsinteraction casino.lnk (ID = 59024)
2:31 PM: File Sweep Complete, Elapsed Time: 00:18:51
2:31 PM: Full Sweep has completed. Elapsed time 00:22:59
2:31 PM: Traces Found: 272
2:42 PM: Removal process initiated
2:43 PM: Quarantining All Traces: purityscan
2:43 PM: Quarantining All Traces: internetoptimizer
2:43 PM: Quarantining All Traces: diamond deal casino
2:43 PM: Removal process completed. Elapsed time 00:00:51
********
2:05 PM: | Start of Session, Tuesday, November 29, 2005 |
2:05 PM: Spy Sweeper started
2:05 PM: Updating spyware definitions
2:06 PM: Your spyware definitions have been updated.
2:08 PM: | End of Session, Tuesday, November 29, 2005 |

VUNDOFIX.TXT FILE

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\system32\ssttr.dll

The second filepath entered was C:\WINDOWS\system32\rttss.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 136 'smss.exe'

Error, Cannot find a process with an image name of explorer.exe


Killing PID 208 'winlogon.exe'
Killing PID 208 'winlogon.exe'
Killing PID 208 'winlogon.exe'
Killing PID 208 'winlogon.exe'
Killing PID 208 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\WINDOWS\system32\ssttr.dll Deleted sucessfully.
C:\WINDOWS\system32\rttss.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------


ACTIVESCAN RESULTS


Incident Status Location

Adware:Adware/MediaTickets Not disinfected C:\PROGRAM FILES\HTWU\RRUP.EXE
Adware:Adware/MediaTickets Not disinfected C:\Program Files\htwu\rrup.exe
Spyware:spyware/virtumonde Not disinfected Windows Registry
Adware:Adware/MediaTickets Not disinfected C:\Program Files\htwu\rrup.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\vtstt.dll

NEW HJT LOG

Logfile of HijackThis v1.99.1
Scan saved at 3:48:31 PM, on 11/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ScsiAccess.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\W?nSxS\smss.exe
C:\Program Files\htwu\rrup.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSCNo.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\Desktop\cleaners\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINDOWS\system32\ssttr.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Sienmybh] C:\WINDOWS\system32\W?nSxS\smss.exe
O4 - HKCU\..\Run: [Osus] "C:\Program Files\htwu\rrup.exe" -vt ndrv
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/wizlet/...flowActiveX.CAB
O20 - Winlogon Notify: ssttr - C:\WINDOWS\system32\ssttr.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


Thanks again for your help

Faden

#5 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 30 November 2005 - 05:02 AM

Allright,now we are getting somewhere!


Download WinPFind:
http://www.bleepingcomputer.com/files/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet


Go back into Safe Mode and be sure Windows is Showing Hidden Files and Folders.
http://www.bleepingcomputer.com/tutorials/...al62.html#winxp


Now heres a tricky step,I need for you to look for a folder that may have the very same name as a legit windows folder.

C:\WINDOWS\system32\W?nSxS

The legit folder is located at--> C:\WINDOWS\WinSxS

So go to the System32 folder and see if there is a folder inside it labeled WinSxS,dont do anything with it just yet,just let me know in the next post what you find.

Now locate and delete the following

C:\WINDOWS\system32\vtstt.dll<-- File

C:\Program Files\htwu<-- Folder


Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINDOWS\system32\ssttr.dll (file missing)

O4 - HKCU\..\Run: [Sienmybh] C:\WINDOWS\system32\W?nSxS\smss.exe

O4 - HKCU\..\Run: [Osus] "C:\Program Files\htwu\rrup.exe" -vt ndrv

O20 - Winlogon Notify: ssttr - C:\WINDOWS\system32\ssttr.dll (file missing)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button


From the WinPFind folder-> Doubleclick WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient

One you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder


Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab

Make Sure "Normal Startup-load all device drivers and services" has a green tick by it

Click Apply>>Close>>Follow the Prompts to Restart!

Restart Normal and Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Post back with a fresh HijackThis log and the reports from WinPFind and Kaspersky




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users