Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Ads audio in background, and others weird files


  • Please log in to reply
7 replies to this topic

#1 AmazingTrans

AmazingTrans

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:04:09 AM

Posted 05 January 2011 - 09:01 PM

Happy New Year Ads-Buster,

My computer has been having weird audio coming up saying "congratulations you have won" and many more with no popups. When i checked with my task manager, it seems that iexpore.exe is opening somewhere and files such as hkid##.exe is running, 8D66383d.exe is running in multiple (and this file is located in C:\Documents and Settings\All Users\Application Data) i tried deleting, and then later sometimes it will reappear. I did a ccleaner as well to remove the 8D66383d in the registry. still no hope.

What can i do? Please help me. I tried running dds to create a log but once it ran till some point, it just froze the whole laptop.
Then i ran Gmer, i think it froze up as well. I am running it again to make sure it complete.(this one seems to be taking a very very long time)(felt asleep when i was waiting for it to complete.)

Thanks!

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,428 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:09 AM

Posted 05 January 2011 - 09:51 PM

Hello, I moved you to the Am I Infected forum as you couldn't post the required logs for that one.

Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware


Now an Online scan. Let me know if they are gone after these.
Please perform a scan with Eset Online Antiivirus Scanner.
This scan requires Internet Explorer to work. Vista/Windows 7 users need to run Internet Explorer as Administrator.
To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Click the green Posted Image button.
  • Read the End User License Agreement and check the box:
  • Check Posted Image.
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Check Remove found threats and Scan potentially unwanted applications. (If given the option, choose "Quarantine" instead of delete.)
  • Click the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer.
  • If offered the option to get information or buy software at any point, just close the window.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop as ESETScan.txt.
  • Push the Posted Image button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply.
Note: A log.txt file will also be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
If you did not save the ESETScan log, click Posted Image > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:

C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Click Ok and the scan results will open in Notepad.
  • Copy and paste the contents of log.txt in your next reply.
-- Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

NOTE: In some instances if no malware is found there will be no log produced.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 AmazingTrans

AmazingTrans
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:04:09 AM

Posted 08 January 2011 - 09:21 AM

Boopme,

Thanks for your help! Here are the log file.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5466

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

1/7/2011 10:51:56 PM
mbam-log-2011-01-07 (22-51-56).txt

Scan type: Quick scan
Objects scanned: 142152
Time elapsed: 4 minute(s), 58 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
c:\documents and settings\all users\application data\8D66383d.exe (Trojan.Agent) -> 308 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\qni8hj710fdl (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Documents and Settings\Project Engineer\Local Settings\Temp\hki252.exe (Trojan.Agent) -> Delete on reboot.
c:\documents and settings\all users\application data\8D66383d.exe (Trojan.Agent) -> Delete on reboot.

/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

ESET SCANNER
C:\Program Files\Apoint\Apoint.exe a variant of Win32/Kryptik.JGL trojan cleaned by deleting - quarantined
C:\Program Files\Broadcom\Security Platform Software\PSDrt.EXE a variant of Win32/Kryptik.JGL trojan cleaned by deleting - quarantined
C:\Program Files\Broadcom\Security Platform Software\SpTNA.exe a variant of Win32/Kryptik.JGL trojan cleaned by deleting - quarantined
C:\Program Files\Common Files\Java\Java Update\jusched.exe a variant of Win32/Kryptik.JGL trojan cleaned by deleting - quarantined
C:\Program Files\Common Files\logishrd\LComMgr\Communications_Helper.exe a variant of Win32/Kryptik.JGL trojan cleaned by deleting - quarantined
C:\Program Files\gAlwaysIdle\gidle .exe a variant of Win32/Kryptik.JGL trojan cleaned by deleting - quarantined
C:\Program Files\gAlwaysIdle\gidle .exe a variant of Win32/Kryptik.JGL trojan cleaned by deleting - quarantined
C:\Program Files\gAlwaysIdle\gidle .exe a variant of Win32/Kryptik.JGL trojan cleaned by deleting - quarantined
C:\Program Files\gAlwaysIdle\gidle .exe a variant of Win32/Kryptik.JGL trojan cleaned by deleting - quarantined
C:\Program Files\gAlwaysIdle\gidle.exe a variant of Win32/Kryptik.JGL trojan cleaned by deleting - quarantined
C:\Program Files\Logitech\QuickCam\Quickcam.exe a variant of Win32/Kryptik.JGL trojan cleaned by deleting - quarantined
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe a variant of Win32/Kryptik.JGL trojan cleaned by deleting - quarantined
C:\WINDOWS\ime\IMJP8_1\imjpmig.exe.tmp a variant of Win32/Kryptik.JGL trojan cleaned by deleting - quarantined


Hope to hear from you!

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,428 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:09 AM

Posted 08 January 2011 - 10:22 AM

looks good,I take it the ad has stopped.

Any particular reason you have not install XP's service pack 3?
You have...Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11


Next run ATF and SAS: If you cannot access Safe Mode,run in normal ,but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
Close all open browsers before using, especially FireFox. <-Important!!!
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining
.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program
.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions,post logs and Let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 AmazingTrans

AmazingTrans
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:04:09 AM

Posted 08 January 2011 - 03:36 PM

I'm back!

Here is the MBAUM Log. BoopMe, i actually did mbaum before this and no ads. But, after i kept my pc on for hours later, those hki files, and 800something files appears again, and the pc started talking. Not sure where it really comes from. I even tried deleting them manually, and remove them from the registry by using ccleaner. To no avail. I will try to take a closer look to see what cause it next time. Thanks for the help.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5466

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

1/7/2011 10:51:56 PM
mbam-log-2011-01-07 (22-51-56).txt

Scan type: Quick scan
Objects scanned: 142152
Time elapsed: 4 minute(s), 58 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
c:\documents and settings\all users\application data\8D66383d.exe (Trojan.Agent) -> 308 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\qni8hj710fdl (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Documents and Settings\Project Engineer\Local Settings\Temp\hki252.exe (Trojan.Agent) -> Delete on reboot.
c:\documents and settings\all users\application data\8D66383d.exe (Trojan.Agent) -> Delete on reboot.



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/08/2011 at 02:00 PM

Application Version : 4.47.1000

Core Rules Database Version : 6161
Trace Rules Database Version: 3973

Scan type : Complete Scan
Total Scan Time : 00:34:50

Memory items scanned : 513
Memory threats detected : 0
Registry items scanned : 6531
Registry threats detected : 3
File items scanned : 16737
File threats detected : 4

Trojan.Agent/Gen-Virut
[SpybotSD TeaTimer] C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE

Adware.Tracking Cookie
C:\Documents and Settings\Project Engineer\Cookies\project_engineer@atdmt.combing[2].txt
C:\Documents and Settings\Project Engineer\Cookies\project_engineer@ad.wsod[2].txt
C:\Documents and Settings\Project Engineer\Cookies\project_engineer@atdmt[2].txt

Trojan.Hugipon
HKLM\System\CURRENTCONTROLSET\SERVICES\6TO4\Parameters
HKLM\System\CURRENTCONTROLSET\SERVICES\6TO4\Parameters#ServiceDll

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,428 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:09 AM

Posted 08 January 2011 - 08:40 PM

Uggghhh!!
Trojan.Agent/Gen-Virut[SpybotSD TeaTimer] C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE


This infection has started to attack your exe files. It will eventually attack all.



I'm afraid I have very bad news.

Your system is infected with a nasty variant of Virut, a dangerous polymorphic file infector with IRCBot functionality which infects .exe, .scr files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.With this particular infection, the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? According to this Norman White Paper Assessment of W32/Virut, some variants can infect the HOSTS file and block access to security related web sites. Other variants of virut can even penetrate and infect .exe files within compressed files (.zip, .cab, rar). The Virux and Win32/Virut.17408 variants are an even more complex file infectors which can embed an iframe into the body of web-related files and infect script files (.php, .asp, .htm, .html, .xml). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair and in some instances can disable Windows File Protection. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable. The longer virut remains on a computer, the more critical system files will become infected and corrupt so the degree of damage can vary.

The virus disables Windows File Protection by injecting code into the "winlogon.exe" process that patches system code in memory.

CA Virus detail of W32/Virut

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files....some W32/Virut.h infections are corrupted beyond repair.

McAfee Risk Assessment and Overview of W32/Virut

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus...Due to the damaged caused to files by virut it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. undetected, corrupted files (possibly still containing part of the viral code) can also be found. this is caused by incorrectly written and non-function viral code present in these files.

AVG Overview of W32/Virut

Virut is commonly spread via a flash drive (usb, pen, thumb, jump) infection using RUNDLL32.EXE and other malicious files. It is often contracted by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and a major source of system infection.

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

However, the CA Security Advisor Research Blog have found MySpace user pages carrying the malicious Virut URL. Either way you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

Since virut is not effectively disinfectable, your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files (which could number in the thousands) cannot be deleted and anti-malware scanners cannot disinfect them properly. Security vendors that claim to be able to remove file infectors cannot guarantee that all traces of it will be removed as they may not find all the remnants. If something goes awry during the malware removal process there is always a risk the computer may become unstable or unbootable and you could loose access to all your data.

Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what security expert miekiemoes' has to say: Virut and other File infectors - Throwing in the Towel?

If I guide someone with Virut (or any other File Infector) present and their Antivirus cannot properly disinfect it, then I recommend a format and reinstall...dealing with such infections is a waste of time and that's why I prefer the fastest and safest solution - which is a format and reinstall...After all, I think it would be irresponsible to let the malware "stew" (download/spread/run more malware) for another couple of days/weeks if you already know it's a lost case.


This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).


How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 AmazingTrans

AmazingTrans
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:04:09 AM

Posted 10 January 2011 - 12:24 AM

Thanks. I will take these precaution steps to fix this.

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,428 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:09 AM

Posted 10 January 2011 - 10:27 AM

here's a bit more info from our quietman7....
In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action but I cannot make that decision for you.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to backup any autorun.ini or .exe files because they may be infected. Some types of malware may disguise itself by adding and hiding its extension to the existing extension of files so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.


2 guidelines/rules when backing up

1) Backup all your important data files, pictures, music, work etc... and save it onto an external hard-drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not backup any executables files or any window files. These include .exe/.scr/.htm/.html/.xml/.zip/.rar files as they may contain traces of malware. Also, .html or .htm files that are webpages should also be avoided.


If you're not sure how to reformat or need help with reformatting, please review:These links include step-by-step instructions with screenshots:Vista users can refer to these instructions:Don't forget you will have to go to Microsoft Update and apply all Windows security patches after reformatting.

Note: If you're using an IBM, Sony, HP, Compaq or Dell machine, you may not have an original XP CD Disk. By policy Microsoft no longer allows OEM manufactures to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. See Technology Advisory Recovery Media. If the recovery partition has become infected, you will need to contact the manufacturer, explain what happened and ask them to send full recovery disks to use instead..

If you need additional assistance with reformatting or partitioning, you can start a new topic in the Windows XP Home and Professional forum.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users