

Ultimate Cleaner


3 replies to this topic

#1 mikey44

mikey44

  • Members
  • 2 posts
  • OFFLINE
  • Local time:10:00 AM

Posted 11 February 2007 - 01:10 AM

I was informed by my parents that they've gotten a message saying that they have thousands of viruses... from the program Ultimate Cleaner. I know that it is not real but we want to get rid of that and we don't know how. Any help is appreciated.
Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 11:35:05 PM, on 2/10/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\SYSTEM32\Brmfrmps.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://apps.choicecentral.com/loginmgr/log...fCMD%253DLOGOUT
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4AE08C1B-808B-7CBA-3916-0361D24C8CBE} - C:\WINNT\system32\tvvztwn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Personal Security Center Monitor] C:\WINNT\system32\psc_mon.exe
O4 - HKLM\..\Run: [pjuqpc.dll] C:\WINNT\system32\rundll32.exe C:\WINNT\system32\pjuqpc.dll,xhilk
O4 - HKLM\..\RunServices: [Microsoft Configuration] mcfg.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINNT\system32\kernels88.exe
O4 - HKCU\..\Run: [Regscan] C:\WINNT\system32\regscan.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [taskdir] C:\WINNT\system32\taskdir.exe
O4 - HKCU\..\Run: [Ultimate Cleaner] "C:\Program Files\Ultimate Cleaner\App.exe" hide
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Broken Internet access because of LSP provider 'rsvp32_2.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINNT\SYSTEM32\Brmfrmps.exe" -service (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
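The log above uses HijackThis's fixed `Onn - ...` line format, and the helpers on this board read it by section (O2 browser helper objects, O4 autostart entries, O10 Winsock LSP state, and so on). As an added example that is not code from the thread, from HijackThis or from the helper, the Python below parses a small log in that format and flags the entries a reviewer would verify first. The sample log, the heuristics, and the `ROGUE_PRODUCTS` denylist are constructed for the example (the denylist only carries the product the helper names later in this thread); the checks are illustrative, not a complete rule set.

```python
"""Triage helper for HijackThis-style logs (added example; not HijackThis's own code)."""
import re
from dataclasses import dataclass

# Constructed sample in the HijackThis v1.99 line format, modelled on the
# thread's log but cut down; it is not the poster's actual log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4AE08C1B-808B-7CBA-3916-0361D24C8CBE} - C:\WINNT\system32\tvvztwn.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [pjuqpc.dll] C:\WINNT\system32\rundll32.exe C:\WINNT\system32\pjuqpc.dll,xhilk
O4 - HKLM\..\RunServices: [Microsoft Configuration] mcfg.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [Ultimate Cleaner] "C:\Program Files\Ultimate Cleaner\App.exe" hide
O10 - Broken Internet access because of LSP provider 'rsvp32_2.dll' missing
"""

LINE_RE = re.compile(r"^(?P<sec>[OR]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SYSROOT_RE = re.compile(r"^(?P<root>[A-Za-z]:\\[^\\]+)\\system32\\", re.IGNORECASE)
WINDIR_RE = re.compile(r"^(?P<root>[A-Za-z]:\\(?:windows|winnt))\\", re.IGNORECASE)

# Constructed denylist: product names this thread itself calls out as rogue.
ROGUE_PRODUCTS = {"ultimate cleaner"}


@dataclass
class Entry:
    section: str  # e.g. "O4"
    body: str     # text after "O4 - "


@dataclass
class Finding:
    section: str
    label: str
    reasons: list


def parse_hjt(text):
    """Return the Onn/Rn entries of a log, in order; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["sec"], m["body"]))
    return entries


def detect_system_root(text):
    """Infer the Windows directory (e.g. C:\\WINNT) from the first system32 process path."""
    for line in text.splitlines():
        m = SYSROOT_RE.match(line.strip())
        if m:
            return m["root"]
    return None


def first_program(cmd):
    """Return the program path from a Run-key command line, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(text):
    """Flag the entries a reviewer would verify first (constructed heuristics, not exhaustive)."""
    sysroot = detect_system_root(text)
    findings = []
    for e in parse_hjt(text):
        reasons, label = [], e.body
        if e.section == "O2" and e.body.startswith("BHO: (no name)"):
            reasons.append("browser helper object with no name; identify the DLL before trusting it")
        elif e.section == "O4":
            m = O4_RE.match(e.body)
            if not m:
                continue  # Global Startup and other non-registry O4 forms are not handled here
            label = m["name"]
            prog = first_program(m["cmd"])
            if "\\" not in prog:
                reasons.append("bare file name, so the file's location cannot be verified from the log")
            if prog.lower().endswith("rundll32.exe"):
                reasons.append("starts a DLL through rundll32; verify the DLL it loads")
            w = WINDIR_RE.match(prog)
            if sysroot and w and w["root"].lower() != sysroot.lower():
                reasons.append(f"points at {w['root']} but this system's Windows directory is {sysroot}")
            if m["name"].lower() in ROGUE_PRODUCTS:
                reasons.append("known rogue security product; uninstall it rather than act on its alerts")
        elif e.section == "O10":
            reasons.append("Winsock LSP chain is broken; repair it before relying on network tools")
        if reasons:
            findings.append(Finding(e.section, label, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} [{f.label}]")
        for r in f.reasons:
            print(f"    - {r}")
```

The Windows-directory check is the one worth noting: the process list shows the system root is `C:\WINNT`, so an autostart entry pointing into `C:\Windows` on the same machine is inconsistent with the platform and deserves a look regardless of its friendly name. The other checks (unnamed BHO, bare file names that cannot be located, DLLs launched through rundll32, a broken LSP chain) are the same things a human reviewer scans for by eye.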


#2 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:00 AM

Posted 11 February 2007 - 07:57 AM

Hi, I would like to take a look at this log for you
and will get back to you as soon as I can.

Thank You.

#3 mikey44

mikey44
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:10:00 AM

Posted 11 February 2007 - 01:15 PM

I was able to get the malicious software off as much as I could by my directions over the phone. I had them have AVG resident shield delete or quarantine all the files that were coming up. Then I had them boot into safe mode and run autoruns and delete all the entries that I knew were incorrect. Then I ran HJT again and fixed whatever entries looked bad (there was only one left). Currently, it seems like the only one that's left is the "O10" one, which was the broken internet access. I will call them soon today and get a new HJT log.

Thank you

#4 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:00 AM

Posted 13 February 2007 - 11:55 AM

mikey44 :thumbsup:

Copy and Paste this post into a new text document

Step 1

I'd like to ask if HijackThis.exe is running from its own folder;
if not, please create a new folder for HijackThis on the C: drive.

Open My Computer ( Windows key + E )
then double click on Local Disk (C:)
Now right click and select
New > Folder and name it HJT.

Please now move HijackThis.exe into the new HJT folder.
Do this BEFORE you proceed!


Now Go to Start | Control Panel | Add/Remove Programs and Uninstall:

Ultimate Cleaner <-- This is not a recommended anti-spyware product; more information at Spyware Warrior.

Double-click on My Computer, double-click on Local Disk,
navigate to this folder, then right-click on it and delete it:

C:\Program Files\Ultimate Cleaner


Step 2

Download LSPfix.

Unzip it to the desktop and run it. Check "I know what I'm doing",
and then select each instance of rsvp32_2.dll in the left-hand panel
and click >> to move it to the right-hand panel.

Then click Finish to allow LSPfix to rebuild the LSP chain.


Step 3

Download the latest SmitfraudFix by S!Ri from either of these mirrors to your desktop:

http://siri.urz.free.fr/Fix/SmitfraudFix.zip
http://siri.geekstogo.com/SmitfraudFix.zip

Right click SmitfraudFix.zip and Extract (unzip) the SmitfraudFix folder inside to your desktop.
Open the SmitfraudFix folder and double-click "smitfraudfix.cmd"
Select option #1 - "Search" by typing "1" and press "Enter".
Please copy & paste the SmitfraudFix text file which appears back here.

------------------------------------------------

As you have Zone Alarm & AVG anti-virus running
I would like to ask about the Symantec/Norton entries that are also showing in this log

Please Re-scan with HijackThis and post

1/ The new HJT log
2/ The SmitfraudFix text file
3/ Any Symantec/Norton information

Thank you
