BleepingComputer.com forums
Random Pop-ups That Occur Not Using Ie


  • This topic is locked
4 replies to this topic

#1 Septembre
  • Members
  • 2 posts

Posted 27 February 2006 - 10:16 PM

Edited: Ran Spybot S&D and posted new HJT log

Logfile of HijackThis v1.99.1
Scan saved at 10:50:28 PM, on 2/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\htj\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\system32\ssqpq.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll (file missing)
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{DA8E76A4-4286-4AC8-9519-1F51BA9530DE}: NameServer = 24.158.96.132,24.158.96.133
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
O20 - Winlogon Notify: ssqpq - C:\WINDOWS\system32\ssqpq.dll
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Edited by Septembre, 27 February 2006 - 10:51 PM.



#2 sUBs
  • Malware Response Team
  • 2,489 posts

Posted 28 February 2006 - 01:14 AM

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted.

Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage will not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order.


* * * * * *


Please download & run VundoFix.exe
  • Put a check next to Run VundoFix as a task.
  • Click OK when you receive a message saying VundoFix will close and re-open in a minute or less.
  • When VundoFix re-opens, click the Scan button followed by the Remove button
    ** Your desktop will go blank as it starts removing Vundo. **
  • Restart your computer & post the contents of C:\vundofix.txt and a new HiJackThis log.
* * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * *


Download & install - CleanUp.exe (not recommended for WinXP64)



* * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * *


Do a HijackThis scan & place a check next to these items and select "Fix checked":

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\system32\ssqpq.dll
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll (file missing)
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
O20 - Winlogon Notify: ssqpq - C:\WINDOWS\system32\ssqpq.dll



* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program.
6. Do NOT reboot/logoff if prompted.

* CleanUp! does not create any backups!!


* * * * * *


Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan


* * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * *


In your next post, please include fresh logs from:
  • HiJackThis
  • VundoFix's log
  • Online scan
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
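Added example, not part of the thread: a small Python triage pass over HijackThis entries that reproduces the reasoning behind the fix list sUBs gives above. It flags orphaned entries ("(file missing)", "(no file)"), an R0 key reset to an empty value, a non-standard text/html MIME filter (O18), a short all-lowercase DLL sitting directly in system32 (a heuristic, not a signature; Vundo's ssqpq.dll is the case here), and a DLL registered both as an O2 BHO and as an O20 Winlogon Notify handler, which is Vundo's persistence pair. The sample log lines are copied from the first post; the flag names, the 4-8 letter threshold and the parsing rules are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: entries copied from the first HijackThis log in the
# thread, including three benign ones so the filter has something to pass.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\system32\ssqpq.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll (file missing)
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
O20 - Winlogon Notify: ssqpq - C:\WINDOWS\system32\ssqpq.dll
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
# Heuristic (my assumption, not a signature): a short all-lowercase DLL
# directly in system32, the naming style Vundo used for ssqpq.dll above.
RANDOM_SYS32_DLL = re.compile(r"\\system32\\[a-z]{4,8}\.dll$", re.IGNORECASE)
MISSING_MARKERS = ("(file missing)", "(no file)")


def parse_hjt(log_text):
    """Yield (code, body, path) for each HijackThis entry line.

    The file path, when present, is the last ' - ' separated field; the
    '(file missing)' / '(no file)' annotations are stripped from it."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, process list, blank lines
        code, body = m.group("code"), m.group("body")
        last = body.rsplit(" - ", 1)[-1]
        for marker in MISSING_MARKERS:
            last = last.replace(marker, "")
        path = last.strip() if ":\\" in last else ""
        yield code, body, path


def triage_hjt(log_text):
    """Return {entry line: [reasons]} for entries that deserve a second look."""
    entries = list(parse_hjt(log_text))

    # Which entry types reference each file? Vundo registers one DLL as an
    # O2 BHO (loads in IE) and as an O20 Winlogon Notify handler (loads at
    # logon), so the same path under both codes is a strong signal.
    codes_by_path = defaultdict(set)
    for code, _body, path in entries:
        if path:
            codes_by_path[path.lower()].add(code)

    findings = {}
    for code, body, path in entries:
        reasons = []
        if any(marker in body for marker in MISSING_MARKERS):
            reasons.append("orphaned_entry")          # registration outlived its file
        if code.startswith("R") and body.rstrip().endswith("="):
            reasons.append("empty_value")             # search/start key blanked out
        if code == "O18" and body.startswith("Filter: text/html"):
            reasons.append("html_mime_filter")        # every page passes through this DLL
        if path and RANDOM_SYS32_DLL.search(path):
            reasons.append("short_random_dll_in_system32")
        if path and {"O2", "O20"} <= codes_by_path[path.lower()]:
            reasons.append("bho_also_winlogon_notify")
        if reasons:
            findings[f"{code} - {body}"] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in triage_hjt(SAMPLE_LOG).items():
        print(", ".join(reasons).ljust(52), line)
```

The output is a review queue, not a verdict: the orphaned O2/O3 entries and the blank R0 are safe to fix, while the O18 filter and the paired ssqpq.dll entries are exactly the items VundoFix and the HijackThis fix list above remove.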

#3 Septembre
  • Topic Starter
  • Members
  • 2 posts

Posted 28 February 2006 - 01:14 PM

I encountered no problems running the scanners.


Logfile of HijackThis v1.99.1
Scan saved at 1:12:55 PM, on 2/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\htj\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DA8E76A4-4286-4AC8-9519-1F51BA9530DE}: NameServer = 24.158.96.132,24.158.96.133
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe





VundoFix V4.2.27
Scan started at 11:57:12 AM 2/28/2006

Listing files found while scanning....

C:\WINDOWS\system32\ssqpq.dll
C:\WINDOWS\system32\qpqss.ini
C:\WINDOWS\system32\qpqss.bak1
C:\WINDOWS\system32\qpqss.bak2

C:\WINDOWS\system32\qpqss.bak1
C:\WINDOWS\system32\qpqss.bak2
C:\WINDOWS\system32\qpqss.ini
C:\WINDOWS\system32\ssqpq.dll
Attempting to delete C:\WINDOWS\system32\ssqpq.dll
C:\WINDOWS\system32\ssqpq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qpqss.ini
C:\WINDOWS\system32\qpqss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\qpqss.bak1
C:\WINDOWS\system32\qpqss.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\qpqss.bak2
C:\WINDOWS\system32\qpqss.bak2 Has been deleted!

Performing Repairs to the registry.
Done!






-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, February 28, 2006 13:12:17
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 28/02/2006
Kaspersky Anti-Virus database records: 179230
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
H:\

Scan Statistics:
Total number of scanned objects: 53932
Number of viruses found: 35
Number of infected objects: 87
Number of suspicious objects: 4
Duration of the scan process: 2350 sec

Infected Object Name - Virus Name
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC5.zip/MTE3NDI6ODoxNg.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC5.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC6.zip/drsmartload1.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC6.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\Matt\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-31f09a6e-17b9d4f9.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\Matt\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-31f09a6e-17b9d4f9.zip Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\Matt\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-4a49c816.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\Matt\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-4a49c816.zip Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\Matt\Desktop\backups\backup-20060227-172428-564.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen
C:\gimmygames12.exe Infected: Trojan-Downloader.Win32.Adload.v
C:\htj\backups\backup-20060227-220907-910.dll Infected: not-a-virus:AdWare.Win32.WebHancer
C:\Program Files\Network\ipnetwork.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.y
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\2.tmp/data.rar/eee2.exe Infected: not-a-virus:AdWare.Win32.MediaMotor.k
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\2.tmp/data.rar Infected: not-a-virus:AdWare.Win32.MediaMotor.k
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\2.tmp Infected: not-a-virus:AdWare.Win32.MediaMotor.k
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\3.tmp Infected: Trojan-Downloader.Win32.VB.wd
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\4.tmp Infected: Trojan-Downloader.Win32.VB.vv
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\4A.tmp/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\4A.tmp Infected: Trojan-Downloader.Java.OpenStream.w
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\4B.tmp/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\4B.tmp Infected: Trojan-Downloader.Java.OpenStream.w
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\62.tmp Infected: Trojan-Downloader.Win32.VB.wd
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\F64.tmp Infected: Trojan-Downloader.Win32.VB.wd
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000006.exe Infected: Trojan.Win32.VB.tg
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000007.exe Infected: not-a-virus:AdWare.Win32.Suggestor.o
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000008.exe Infected: Trojan-Downloader.Win32.Small.bmx
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000009.exe Infected: Trojan-Downloader.Win32.Small.cam
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000010.EXE Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000011.exe Infected: Trojan-Dropper.Win32.Small.qn
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000012.exe Infected: not-a-virus:Downloader.Win32.DigStream
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000013.exe Infected: not-a-virus:AdWare.Win32.Suggestor.o
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000015.dll Infected: not-a-virus:AdWare.Win32.WebHancer
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000016.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000019.dll Infected: not-a-virus:AdWare.Win32.WebHancer
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000020.exe Infected: not-a-virus:AdWare.Win32.WebHancer
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000022.exe Infected: not-a-virus:AdWare.Win32.WebHancer
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000023.exe/unknown2.bin Infected: not-a-virus:AdWare.Win32.Ucmore.e
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000023.exe/UCMTSAIE.DLL Infected: not-a-virus:AdWare.Win32.Ucmore.a
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000023.exe/IUCMORE.DLL Infected: not-a-virus:AdWare.Win32.Ucmore
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000023.exe Infected: not-a-virus:AdWare.Win32.Ucmore
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000024.exe Infected: Trojan-Dropper.Win32.Agent.aie
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000025.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000026.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ae
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000027.exe/data.rar/WhAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000027.exe/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000027.exe/data.rar/WhSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000027.exe/data.rar/Webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000027.exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000027.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000027.exe Infected: not-a-virus:AdWare.Win32.WebHancer
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000028.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.m
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000030.dll Infected: not-a-virus:AdWare.Win32.Sud.a
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000031.exe Infected: Trojan-Downloader.Win32.VB.tw
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000032.exe Infected: Trojan.Win32.Runner.h
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000033.dll Infected: not-a-virus:AdWare.Win32.Suggestor.o
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP14\A0002714.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP14\A0002715.exe/data0010 Infected: Trojan-Dropper.Win32.Small.qn
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP14\A0002715.exe Infected: Trojan-Dropper.Win32.Small.qn
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP14\A0002719.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.ai
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP14\A0002720.dll Infected: not-a-virus:AdWare.Win32.WebHancer
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP14\A0002734.exe/data.rar/eee2.exe Infected: not-a-virus:AdWare.Win32.MediaMotor.k
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP14\A0002734.exe/data.rar Infected: not-a-virus:AdWare.Win32.MediaMotor.k
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP14\A0002734.exe Infected: not-a-virus:AdWare.Win32.MediaMotor.k
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP14\A0002736.exe Infected: Trojan-Downloader.Win32.VB.vv
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP14\A0002794.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen
C:\usbdrivr098.exe/iol2.exe Infected: Trojan.Win32.LowZones.g
C:\usbdrivr098.exe/dr.exe Infected: Trojan-Downloader.Win32.Adload.j
C:\usbdrivr098.exe/mc-110-12-0000169.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.p
C:\usbdrivr098.exe/mc-110-12-0000169.exe Infected: Trojan-Downloader.NSIS.Agent.p
C:\usbdrivr098.exe/mmxateam.exe Infected: Trojan-Downloader.Win32.VB.sh
C:\usbdrivr098.exe Infected: Trojan-Downloader.Win32.VB.sh
C:\WINDOWS\eee2.exe Infected: not-a-virus:AdWare.Win32.MediaMotor.k
C:\WINDOWS\pf78.exe/data0002 Infected: Trojan-Downloader.Win32.VB.tw
C:\WINDOWS\pf78.exe/data0003 Infected: Trojan.Win32.VB.tg
C:\WINDOWS\pf78.exe/data0006 Infected: Trojan.Win32.VB.tg
C:\WINDOWS\pf78.exe/data0007 Infected: Trojan.Win32.VB.tg
C:\WINDOWS\pf78.exe Infected: Trojan.Win32.VB.tg
C:\WINDOWS\TWF0dA\asappsrv.dll Infected: not-a-virus:AdWare.Win32.CommAd.a
C:\WINDOWS\TWF0dA\command.exe Infected: not-a-virus:AdWare.Win32.CommAd.a
C:\WINDOWS\unin101.exe Infected: Trojan.Win32.VB.tg
C:\WINDOWS\uni_eh.exe Infected: Trojan.Win32.VB.tg
C:\WINDOWS\webhdll.dll_tobedeleted Infected: not-a-virus:AdWare.Win32.WebHancer
C:\WINDOWS\whCC-GIANT.exe/data.rar/WhAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351
C:\WINDOWS\whCC-GIANT.exe/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer
C:\WINDOWS\whCC-GIANT.exe/data.rar/WhSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer
C:\WINDOWS\whCC-GIANT.exe/data.rar/Webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer
C:\WINDOWS\whCC-GIANT.exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer
C:\WINDOWS\whCC-GIANT.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer
C:\WINDOWS\whCC-GIANT.exe Infected: not-a-virus:AdWare.Win32.WebHancer
C:\winsysban12.exe Infected: Trojan-Clicker.Win32.VB.li
C:\winsysupd12.exe Infected: Trojan.Win32.StartPage.aib

Scan process completed.
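Added example, not part of the thread: Python that sorts the Kaspersky report above into the buckets sUBs handles differently in the next reply. Detections inside System Restore points, the Trend Micro quarantine, the Java deployment cache and the Spybot/HijackThis backup folders are inert copies that only matter if something restores them, while everything else is a live file. Kaspersky writes archive members as container/member, so the code collapses each hit to the on-disk container and keeps every detection name seen inside it. The sample lines are a slice of the report posted above; the bucket names and the location regexes are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: a representative slice of the Kaspersky On-line
# Scanner report posted above (paths and verdicts as in the thread).
SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC5.zip/MTE3NDI6ODoxNg.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\Matt\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-31f09a6e-17b9d4f9.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\Matt\Desktop\backups\backup-20060227-172428-564.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen
C:\gimmygames12.exe Infected: Trojan-Downloader.Win32.Adload.v
C:\htj\backups\backup-20060227-220907-910.dll Infected: not-a-virus:AdWare.Win32.WebHancer
C:\Program Files\Network\ipnetwork.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.y
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\3.tmp Infected: Trojan-Downloader.Win32.VB.wd
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000006.exe Infected: Trojan.Win32.VB.tg
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP14\A0002794.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen
C:\usbdrivr098.exe/iol2.exe Infected: Trojan.Win32.LowZones.g
C:\usbdrivr098.exe Infected: Trojan-Downloader.Win32.VB.sh
C:\WINDOWS\pf78.exe/data0002 Infected: Trojan-Downloader.Win32.VB.tw
C:\WINDOWS\pf78.exe Infected: Trojan.Win32.VB.tg
C:\WINDOWS\TWF0dA\command.exe Infected: not-a-virus:AdWare.Win32.CommAd.a
C:\winsysupd12.exe Infected: Trojan.Win32.StartPage.aib
"""

LINE_RE = re.compile(r"^(?P<obj>.+?) (?P<verdict>Infected|Suspicious): (?P<name>\S+)$")

# Buckets, first match wins (names and patterns are my assumptions). They
# mirror what the helper does next: restore points are purged by toggling
# System Restore, quarantine/backup folders are emptied, live files go to
# Killbox.
BUCKETS = (
    ("restore_point", re.compile(r"\\System Volume Information\\_restore", re.I)),
    ("av_quarantine", re.compile(r"\\Quarantine\\", re.I)),
    ("tool_backup",   re.compile(r"\\(backups|Recovery)\\", re.I)),
    ("java_cache",    re.compile(r"\\Sun\\Java\\Deployment\\cache\\", re.I)),
)


def container_of(obj):
    """Kaspersky reports archive members as 'outer.exe/inner'; the file that
    actually has to be deleted from disk is the outer container."""
    return obj.split("/", 1)[0]


def bucket_of(path):
    for name, pattern in BUCKETS:
        if pattern.search(path):
            return name
    return "live"


def triage_report(report_text):
    """Return {bucket: {container_path: set(detection names)}}."""
    out = defaultdict(lambda: defaultdict(set))
    for raw in report_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, statistics, blank lines
        path = container_of(m.group("obj"))
        out[bucket_of(path)][path].add(m.group("name"))
    return {bucket: dict(paths) for bucket, paths in out.items()}


def is_adware(name):
    """Kaspersky prefixes adware/PUP names with 'not-a-virus:'."""
    return name.startswith("not-a-virus:")


def summary(triaged):
    """Per bucket: how many containers, and how many carry only adware names."""
    rows = {}
    for bucket, paths in triaged.items():
        adware_only = sum(1 for names in paths.values() if all(map(is_adware, names)))
        rows[bucket] = {"containers": len(paths), "adware_only": adware_only}
    return rows


def deletion_candidates(triaged):
    """Live containers, sorted: the files that need removal from the running
    system rather than a folder purge."""
    return sorted(triaged.get("live", {}))


if __name__ == "__main__":
    t = triage_report(SAMPLE_REPORT)
    for bucket, row in summary(t).items():
        print(f"{bucket:14} {row['containers']:3} containers, {row['adware_only']} adware-only")
    print("\n".join(deletion_candidates(t)))
```

The split matters because the headline "35 viruses, 87 infected objects" mostly counts restore-point and quarantine copies; the live list is short and is the part that explains the pop-ups.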

#4 sUBs
  • Malware Response Team
  • 2,489 posts

Posted 28 February 2006 - 01:29 PM

Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage will not be available when you're carrying out the fix.


* * * * * *


  • Download and run - bfu.zip
  • Checkmark the following boxes:
    • Use settings specified in script for the above option
    • Show log after script ends
  • Click the Web button located on the top right corner
  • Copy/Paste this url into the address bar of the Download script window:

    http://metallica.geekstogo.com/alcanshorty.bfu

  • Execute the script by clicking the Execute button.
  • When it finishes running, click the Save button for a copy of the log
  • Post the log created by the script when you have completed the fix
* * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * *


Download KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175)

Download and install Ewido Security Suite
  • When installing, under "Additional Options",
    • uncheck - Install background guard
  • Have Ewido update itself & then exit the program.
If you are having problems with the updater, you can use this link to manually update Ewido

'UNPLUG'/DISCONNECT your computer from the Internet when you have finished downloading.
It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.


* * * * * * KILLBOX * * * * * * * * * * * * * * * * * * * * * * *


Launch KillBox.exe & select the following options:
  • delete on Reboot
  • All files (if available)
Use your mouse to select all the filenames highlighted in blue & then right-click & select Copy
  • C:\usbdrivr098.exe
    C:\WINDOWS\eee2.exe
    C:\WINDOWS\pf78.exe
    C:\WINDOWS\unin101.exe
    C:\WINDOWS\uni_eh.exe
    C:\WINDOWS\webhdll.dll_tobedeleted
    C:\WINDOWS\whCC-GIANT.exe
    C:\winsysban12.exe
    C:\winsysupd12.exe
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC5.zip
    C:\Documents and Settings\Matt\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-31f09a6e-17b9d4f9.zip
    C:\Documents and Settings\Matt\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-4a49c816.zip
    C:\Documents and Settings\Matt\Desktop\backups\backup-20060227-172428-564.dll
    C:\htj\backups\backup-20060227-220907-910.dll
* Go to the File menu, and choose Paste from Clipboard
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.


* * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * *


1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.


* * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools -> Folder Options -> View tab.
  • Tick - 'Show hidden files and folder'
  • Untick - 'Hide file extensions for known types'
  • Untick - 'Hide protected operating system files'
  • Click Yes to confirm & then click OK
Locate and delete the following files/folders: (let me know if you fail to find/delete any)
  • C:\Program Files\Network\
    C:\WINDOWS\TWF0dA\
Delete the contents of this folder, leaving it empty:
  • C:\Program Files\Trend Micro\Internet Security 12\Quarantine\
* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program.
6. Do NOT reboot/logoff if prompted.


* * * * * * RUNNING ADDITIONAL SCANNERS * * * * * * * * * * *


Run Ewido with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** The Ewido scan will take at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


* * * * * * REBOOT TO NORMAL MODE * * * * * * * * * * * * * *


This will clear the System Volume Information folders
Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
  • Tick on the checkbox - Turn off System Restore on all drives
  • Click Apply
Turn it back 'On' by unticking the same checkbox & click OK


* * * * * *


Establish an internet connection & perform an online scan with Internet Explorer at Panda ActiveScan
  • Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  • Click Scan Now
  • Enter your e-mail address & click Scan Now. It begins downloading Panda's 8 MB ActiveX controls.
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan



* * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * *


In your next post, please include fresh logs from:
  • HiJackThis log
  • BFU's log
  • Online Scan
  • Ewido
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

Edited by sUBs, 28 February 2006 - 01:31 PM.
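Added example, not part of the thread: Killbox's internals are not described here, so this assumes its "delete on Reboot" option uses the standard Windows mechanism, MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which queues entries in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager for the Session Manager to carry out at the next boot, before the files can be locked again. The Python below builds that value for part of the Killbox list above and decodes it back, which is also how an investigator reads pending deletions or replacements out of an offline SYSTEM hive (malware uses the same queue to swap system files at boot). The path list is taken from the post; the encoding helpers and names are mine.

```python
from typing import Dict, List, Optional, Sequence, Tuple

# Sample: the first four files from the Killbox list in the post above.
KILLBOX_PATHS = [
    r"C:\usbdrivr098.exe",
    r"C:\WINDOWS\eee2.exe",
    r"C:\WINDOWS\pf78.exe",
    r"C:\winsysupd12.exe",
]

# Entries are stored as NT object-manager paths, so C:\x becomes \??\C:\x.
NT_PREFIX = "\\??\\"


def _strip_prefix(s: str, prefix: str) -> str:
    return s[len(prefix):] if s.startswith(prefix) else s


def ops_to_strings(ops: Sequence[Tuple[str, Optional[str]]]) -> List[str]:
    """Flatten (source, destination) pairs into the string list the value
    holds. An empty destination means 'delete source at boot'; a destination
    prefixed with '!' means 'move over the target even if it exists'."""
    strings: List[str] = []
    for src, dst in ops:
        strings.append(NT_PREFIX + src)
        strings.append("!" + NT_PREFIX + dst if dst else "")
    return strings


def encode_multi_sz(strings: Sequence[str]) -> bytes:
    """REG_MULTI_SZ as stored in the hive: UTF-16LE, each string
    NUL-terminated, plus one extra NUL that closes the list."""
    body = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)
    return body + b"\x00\x00"


def strings_to_ops(strings: Sequence[str]) -> List[Dict[str, Optional[str]]]:
    """Walk the string list pairwise. A real source path is never empty, so an
    empty source marks the end of the list; this also absorbs the trailing
    empties that splitting on NUL produces."""
    ops: List[Dict[str, Optional[str]]] = []
    i = 0
    while i + 1 < len(strings) and strings[i]:
        src, dst = strings[i], strings[i + 1]
        ops.append({
            "source": _strip_prefix(src, NT_PREFIX),
            "destination": _strip_prefix(dst.lstrip("!"), NT_PREFIX) if dst else None,
            "action": "rename" if dst else "delete",
        })
        i += 2
    return ops


def decode_multi_sz(data: bytes) -> List[Dict[str, Optional[str]]]:
    """Parse the raw value bytes, e.g. as exported from a SYSTEM hive."""
    return strings_to_ops(data.decode("utf-16-le").split("\x00"))


def pending_deletes(data: bytes) -> List[str]:
    """Only the paths queued for deletion, in the order they will run."""
    return [op["source"] for op in decode_multi_sz(data) if op["action"] == "delete"]


def build_killbox_value(paths: Sequence[str] = KILLBOX_PATHS) -> bytes:
    """Queue every path for deletion, the way 'delete on Reboot' would."""
    return encode_multi_sz(ops_to_strings([(p, None) for p in paths]))


if __name__ == "__main__":
    blob = build_killbox_value()
    for op in decode_multi_sz(blob):
        print(op["action"], op["source"], op["destination"] or "")
```

On a live Windows machine winreg.QueryValueEx already returns a REG_MULTI_SZ as a list of strings, so that list can be passed straight to strings_to_ops; the bytes path is for values pulled from an offline hive. A rename whose destination sits under C:\WINDOWS\system32 and whose source is a freshly dropped file is the pattern worth looking for when reviewing this value on a compromised host.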


#5 sUBs
  • Malware Response Team
  • 2,489 posts

Posted 10 March 2006 - 09:21 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
