Computer Hope
Software => Computer viruses and spyware => Topic started by: bigthx on January 28, 2010, 06:38:10 AM
-
A big Thank You in advance to ComputerHope folks for assisting all of us less knowledgeable users.
I have an issue similar to other threads read on your boards. I have reviewed the "Before Requesting Help" post and have a few questions before proceeding further.
ISSUE DESCRIPTION
Continual popups about false security alerts:
"Security Warning - Application cannot be executed. The file wuauclt.exe [or other file name] is infected. Do you want to activate your antivirus software now?"
~~~~~~~~~~~~~~~
"Antivirus software alert!
Infiltration alert
Your computer is being attacked by an Internet Virus. It could be a password-stealing attack, a trojan - dropper or similar.
Details
Attack from: [IP address -- which changes], port [port number -- which changes]
Attacked port: [port number -- which changes]
Threat: Win32/Nuqel.E [or sometimes BankerFox.a]
Do you want to block this attack?"
~~~~~~~~~~~~~~~
"Spyware Alert!
Vulnerabilities found... [cannot read the rest because it is covered by another popup]
Activate Your anitivirus software
Stay unprotected
~~~~~~~~~~~~~~
also what looks like a Java message:
C:\PROGRA~2\Java\jre6\bin\ssvagent.exe
"The remote procedure call failed to execute"
~~~~~~~~~~~~~~
SYSTEM DETAILS and CURRENT STATUS
Windows Vista Home Premium
Norton Internet Security 2010 - subscription current, definitions updated yesterday, scan run after infection and no issues reported
Programs List - 3 unfamiliar items:
* Atheros Driver Installation Program - Atheros - 6/15/2009
* VirtuaGirl HD - [no publisher] - 12/15/2009
* WorkForce 30 Series Info Center - [no publisher] - 10/27/2009
After getting infected, a friend had me turn off Network Connectivity using Control Panel. Internet Explorer continues to try to connect. I cannot close the IE window (have tried clicking the window X, also rightclicking and selecting Close). I am able to start Task Manager, but it just flashes briefly and then disappears.
I have not shut down and rebooted system since infection, because of concern that might exacerbate the current issues.
NEXT STEPS please
- should I turn Connectivity back on and try to download CCleaner, SUPERAntiSpyware, MBAM, etc. -- or does this put information on my PC at more risk due to the infection? (and could this potentially spread the infection to other computers on my home network?) As an alternative, I could download these programs to a clean PC, burn to CD, and then put on the infected PC
- I'm not sure I can run CCleaner since the requirement is to close all browser windows and I cannot currently shut down IE -- should I try rebooting, or will this cause additional issues?
- should I try to close the Java message window?
Stuck at this point. Again, thanks very much for your help.
-
Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Post the log from ComboFix when you've accomplished that.
-
Thank you Jay - I'm assuming I can run ComboFix even if unable to close all windows (ex. IE), as advised to do in the ComboFix instructions? Am currently at work, but will run this evening and post the log results.
much appreciated!
-
Ok. Post when ready.
-
Jay, I was unable to run ComboFix as my OS is Windows Vista, and ComboFix gave an error saying it was for Windows XP only.
Instead, I completed the recommended Malware Removal Steps. The immediate issue with endless popups appears to now be corrected, but here are the results and log files, for any additional cleanup you would recommend.
Step1: Add/Remove Programs -- 3 unfamiliar programs:
* Atheros Driver Installation Program - Atheros - 6/15/2009
* VirtuaGirl HD - [no publisher] - 12/15/2009
* WorkForce 30 Series Info Center - [no publisher] - 10/27/2009
Step 2: CCleaner -- completed
Step 3: SuperAntiSpyware -- log attached
Step 4: MBAM -- log attached
Step 5: JavaRa and CCleaner -- completed
Step 6: HiJackThis -- log attached
Thanks in advance for your help!
[Saving space, attachment deleted by admin]
-
Do you have a 64 bit computer?
Please paste the contents of the logs.
-
Yes, it is a 64 bit machine with Windows Vista Home Premium, SP1.
Here are the contents of the logs -- sorry about that! thanks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 01/28/2010 at 11:11 PM
Application Version : 4.33.1000
Core Rules Database Version : 4531
Trace Rules Database Version: 2343
Scan type : Complete Scan
Total Scan Time : 01:12:49
Memory items scanned : 448
Memory threats detected : 0
Registry items scanned : 6196
Registry threats detected : 39
File items scanned : 159968
File threats detected : 3
Trojan.Agent/Gen-FakeSpy[Broad]
[mybkmbrq] C:\USERS\<USERNAME>\APPDATA\LOCAL\JKEGOV\QFGOSYSGUARD.EXE
C:\USERS\<USERNAME>\APPDATA\LOCAL\JKEGOV\QFGOSYSGUARD.EXE
Adware.Tracking Cookie
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Cookies\<username>@atdmt[2].txt
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Cookies\Low\<username>@microsoftwlcashback.112.2o7[1].txt
Rogue.Agent/Gen
HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN
HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#knkd
HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#aazalirt
HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#skaaanret
HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#jungertab
HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#zibaglertz
HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#iddqdops
HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#ronitfst
HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#tobmygers
HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#jikglond
HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#tobykke
HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#klopnidret
HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#jiklagka
HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#salrtybek
HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#seeukluba
HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#jrjakdsd
HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#krkdkdkee
HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#dkewiizkjdks
HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#dkekkrkska
HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#rkaskssd
HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#kuruhccdsdd
HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#krujmmwlrra
HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#kkwknrbsggeg
HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#ktknamwerr
HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#iqmcnoeqz
HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#ienotas
HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#krkmahejdk
HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#otpeppggq
HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#krtawefg
HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#oranerkka
HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#kitiiwhaas
HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#otowjdseww
HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#otnnbektre
HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#oropbbsee
HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#irprokwks
HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#ooorjaas
HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#id
HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#ready
~~~~~~~~~~~~~~~~~~~~~~~~~~
Malwarebytes' Anti-Malware 1.44
Database version: 3655
Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000
1/28/2010 11:31:39 PM
mbam-log-2010-01-28 (23-31-39).txt
Scan type: Quick Scan
Objects scanned: 102962
Time elapsed: 2 minute(s), 38 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:50:13 PM, on 1/28/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18294)
Boot mode: Normal
Running processes:
C:\Program Files (x86)\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
C:\Windows\SysWOW64\polawweb.exe
C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files (x86)\Hp\QuickPlay\QPService.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files (x86)\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files (x86)\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files (x86)\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files (x86)\Trend Micro\HijackThis\sniper.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\16.7.2.11\IPSBHO.DLL
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Microsoft Live Search Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll
O3 - Toolbar: Microsoft Live Search Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [QPService] "C:\Program Files (x86)\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [UpdateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
O4 - HKLM\..\Run: [UpdatePSTShortCut] "C:\Program Files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
O4 - HKLM\..\Run: [QlbCtrl.exe] "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
O4 - HKLM\..\Run: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
O4 - HKLM\..\Run: [UpdatePDIRShortCut] "C:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [lightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [EPSON WorkForce 30 Series] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIEEA.EXE /FU "C:\Windows\TEMP\E_SF886.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files (x86)\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files (x86)\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files (x86)\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files (x86)\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: XAudioService - Unknown owner - C:\Windows\system32\DRIVERS\xaudio64.exe (file missing)
--
End of file - 11937 bytes
-
Oh ok. ComboFix does not run on 64-bit machines. Lol.
Download LockSearch (http://jpshortstuff.247fixes.com/LockSearch.exe) to your desktop
- A window will pop up, Press 2 and then Enter. A scan will start, let it run uninterrupted. It should only take a few minutes.
- A log will appear when it is finished, it will also be saved in the same location as LockSearch, which should be on your desktop. Post the contents of the log in your reply
==
Please download Runscanner (http://www.runscanner.net/download.aspx) to your desktop and run it.
- When the first page comes up select Beginner Mode
- On the next page select Save a binary .Run file (Recommended) then click Start full scan at the top.
- At this time Runscanner.exe may request access to the Internet through your firewall please allow it to do so, it will then run for two or three minutes.
- On completion it will ask for a location to save the file and a name. It will do this for both the .run file and the log file
- Call the .run file "redScan" and save it to your desktop. You will see the .run file on your desktop. Open Notepad, then click File > Open - locate the redScan file and open it in Notepad. Finally, copy all the results, and paste them here in your next reply.
==
Please download V-Tool (http://hmoslabs.webs.com/vtool.zip), and save to your Desktop.
- Double-click on vtool.zip, and extract the file to your Desktop.
- Double-click on vtool.cmd to start.
- !! IMPORTANT !!::: At each prompt ("Press any key to continue..."), wait 10 seconds before pressing a key. This tool needs time to process each prompt.
- It will finish eventually and launch a log. Do NOT exit the tool. Allow it to finish. (vtool.txt)
- Post the contents of it in your next reply.
==
Please make sure to post the contents of those logs (LockSearch, RunScanner, and V-Tool) in your next reply.
-
Thanks - will run these when I return from work.
Question please -- from the logs provided previously, could you advise if you consider the state of the machine usable at this point? I am no longer receiving the endless popups.
I'll definitely finish whatever additional steps you suggest, but would appreciate any feedback on what has been done thus far.
thanks
-
It is usable, and feel free to use it. But, be careful until we get your computer clean. Not sure if it is fully clean yet, but at least it is good news the popups are gone.
Post those logs when ready, no hurry. :)
-
Hello again -- here are the requested logs for LockSearch and VTool. Unfortunately could not run RunScanner -- apparently it is not supported on 64bit systems.
Thanks for your help :)
~~~~~~~~~~~~~~~~
LockSearch by jpshortstuff (05.11.09.1)
Log created at 21:06 on 29/01/2010 (<username.)
Scanning C:\
C:\hiberfil.sys
-------------------------
C:\pagefile.sys
-------------------------
-=E.O.F=-
~~~~~~~~~~~~~~~~~~~~~~~~~~
V-Tool by DragonMaster Jay
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3998.2354 [GMT -5:00]
Username: <snipped> - Date: 01/29/2010 - Time: 21:36:31 - Number of processors: 2 - Arch.: AMD64 SF:
((((( Security Software information )))))
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
((((( System File Verify )))))
c:\windows\system32\eventlog.dll is missing! (If XP or lower)
c:\windows\system32\drivers\beep.sys is missing!
((((( System File Enumeration )))))
Volume in drive C has no label.
Volume Serial Number is 4CD2-5B84
Directory of C:\WINDOWS\System32
scecli.dll netlogon.dll cngaudit.dll
3 File(s) 967,168 bytes
Directory of C:\WINDOWS\System32\drivers
atapi.sys
1 File(s) 22,584 bytes
Directory of C:\WINDOWS\System32\DriverStore\FileRepository\mshdc.inf_1a9e8abf
atapi.sys
1 File(s) 22,584 bytes
Directory of C:\WINDOWS\System32\DriverStore\FileRepository\mshdc.inf_1d87dda2
atapi.sys
1 File(s) 22,584 bytes
Directory of C:\WINDOWS\System32\DriverStore\FileRepository\mshdc.inf_95f5a2e9
atapi.sys
1 File(s) 22,584 bytes
Directory of C:\WINDOWS\System32\DriverStore\FileRepository\mshdc.inf_f8cccc79
atapi.sys
1 File(s) 20,072 bytes
Directory of C:\WINDOWS\SysWOW64
scecli.dll netlogon.dll cngaudit.dll
3 File(s) 781,312 bytes
Directory of C:\WINDOWS\winsxs\amd64_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_424bc4aceb06de1c
cngaudit.dll
1 File(s) 14,848 bytes
Directory of C:\WINDOWS\winsxs\amd64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_942c7ddf9178e048
scecli.dll
1 File(s) 235,520 bytes
Directory of C:\WINDOWS\winsxs\amd64_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_59d652c6f057598d
netlogon.dll
1 File(s) 716,800 bytes
Directory of C:\WINDOWS\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.0.6000.20847_none_37d5e5fef5f86cf7
atapi.sys
1 File(s) 22,584 bytes
Directory of C:\WINDOWS\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_3956c39dd9e73fd2
atapi.sys
1 File(s) 22,584 bytes
Directory of C:\WINDOWS\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.0.6001.22193_none_398211faf34b271a
atapi.sys
1 File(s) 22,584 bytes
Directory of C:\WINDOWS\winsxs\wow64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_9e812831c5d9a243
scecli.dll
1 File(s) 177,152 bytes
Directory of C:\WINDOWS\winsxs\wow64_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_642afd1924b81b88
netlogon.dll
1 File(s) 592,384 bytes
Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6
cngaudit.dll
1 File(s) 11,776 bytes
Total Files Listed:
20 File(s) 3,675,120 bytes
0 Dir(s) 163,377,364,992 bytes free
-----------------------------
+++ End-of-file +++
-
Please run a free online scan with the ESET Online Scanner (http://www.eset.com/onlinescan/)
- Tick the box next to YES, I accept the Terms of Use
- Click Start
- When asked, allow the ActiveX control to install
- Click Start
- Make sure that the options Remove found threats and the option Scan unwanted applications is checked
- Click Scan (This scan can take several hours, so please be patient)
- Once the scan is completed, you may close the window
- Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
- Copy and paste that log as a reply to this topic
-
okay - ESET scanner found and removed:
windows\systems32\dbapmov.dll - variant of win32\Urlbot.NAG trojan
here's the log, although the timestamp looks like it was written at install rather than after the scan was completed:
~~~~~~~~~~~~~~~~~~~
ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
~~~~~~~~~~~~~~~~~~~
Ready for the next step :) thanks
-
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif) Please download Malwarebytes Anti-Malware from Malwarebytes.org (http://www.malwarebytes.org/mbam/program/mbam-setup.exe).
Alternate link: BleepingComputer.com (http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe).
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)
Double Click mbam-setup.exe to install the application.
(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Full Scan", then click Scan.
- The scan may take some time to finish,so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- Please save the log to a location you will remember.
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
-
Okay, MBAM log below.
Are MBAM and/or SUPERAntiSpyware something I should run weekly? daily? Both programs seem to currently be configured to check for updates on boot.
thanks!
~~~~~~~~~~~~~~~~~~~~~
Malwarebytes' Anti-Malware 1.44
Database version: 3662
Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000
1/30/2010 2:21:19 PM
mbam-log-2010-01-30 (14-21-19).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 290585
Time elapsed: 1 hour(s), 4 minute(s), 4 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\32788R22FWJFW\Combo-Fix.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\32788R22FWJFW\pv.com (Trojan.Agent) -> Quarantined and deleted successfully.
-
Arghhhh -- MBAM deleted ComboFix again. It is crazy, when the developer of ComboFix works at Malwarebytes' Corporation, and they detect his own product by accident. :P
To manually create a new Restore Point- Go to Control Panel and select System and Maintenance
- Select System
- On the left select Advance System Settings and accept the warning if you get one
- Select System Protection Tab
- Select Create at the bottom
- Type in a name i.e. Clean
- Select Create
Now we can purge the infected ones
- Go back to the System and Maintenance page
- Select Performance Information and Tools
- On the left select Open Disk Cleanup
- Select Files from all users and accept the warning if you get one
- In the drop down box select your main drive i.e. C
- For a few moments the system will make some calculations
- Select the More Options tab
- In the System Restore and Shadow Backups select Clean up
- Select Delete on the pop up
- Select OK
- Select Delete
You are now done
To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe (http://oldtimer.geekstogo.com/OTC.exe) by OldTimer:
- Save it to your Desktop.
- Double click OTC.exe.
- Click the CleanUp! button.
- If you are prompted to Reboot during the cleanup, select Yes.
- The tool will delete itself once it finishes.
Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
==
Please download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
- Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
- It will close all programs when run, so make sure you have saved all your work before you begin.
- Click the Start
button to begin the process. Depending on how often you clean temp
files, execution time should be anywhere from a few seconds to a minute
or two. Let it run uninterrupted to completion.
- Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
==
Download Security Check by screen317 from SpywareInfoforum.org (http://screen317.spywareinfoforum.org/SecurityCheck.exe) or Changelog.fr (http://screen317.changelog.fr/SecurityCheck.exe).- Save it to your Desktop.
- Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
- A Notepad document should open automatically called checkup.txt; please post the contents of that document.
-
hi Jay - again, thank you for your help.
- Restore point created
- OTC run
- TFC run
OTC does not appear to have removed MBAM, HijackThis, SuperAntiSpyware, or CCleaner. Are any of these useful to run periodically?
Here's the SecurityCheck log:
Results of screen317's Security Check version 0.99.1
Windows Vista (UAC is enabled)
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
ESET Online Scanner v3
Norton Internet Security
WMIC entry does not exist for antivirus; attempting automatic update.
``````````````````````````````
Anti-malware/Other Utilities Check:
SUPERAntiSpyware Free Edition
HijackThis 2.0.2
CCleaner
Java(TM) 6 Update 18
Java(TM) 6 Update 7
Java Auto Updater
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 9.2
``````````````````````````````
Process Check:
objlist.exe by Laurent
Norton ccSvcHst.exe
``````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)
`````````End of Log```````````
-
OTC does not appear to have removed MBAM, HijackThis, SuperAntiSpyware, or CCleaner. Are any of these useful to run periodically?
Yes they are. :)
Please download the newest version of Java from Java.com (http://www.java.com/en/download/manual.jsp).
Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). Please uninstall/remove each of them.
Once old versions are gone, please install the newest version.
==
Please consider updating to Windows Vista Service Packs 1 & 2.
Windows Vista Service Packs 1 & 2 contain all the updates released since the first release plus support for new types of hardware and emerging hardware standards.
It is now available via Windows Update (http://support.microsoft.com/kb/935791#Method2) or as a standalone installation here (http://support.microsoft.com/kb/935791#Method3).
==
Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.
Software recommendations
AntiSpyware- SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)
SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found here (http://www.bleepingcomputer.com/tutorials/tutorial49.html).
- Spybot - Search & Destroy (http://www.safer-networking.org/en/tutorial/index.html).
Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot).
NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.
Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.
Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm (http://www.spywarewarrior.com/rogue_anti-spyware.htm)
Securing your computer- Windows Updates (http://update.microsoft.com) - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
- hpHosts file (http://hosts-file.net) replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.
Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.
If you are interested:
- Firefox may be downloaded from here: http://www.getfirefox.com (http://www.getfirefox.com)
- Opera is available here: http://www.opera.com/download/ (http://www.opera.com/download/)
-
All done!
Apparently Windows auto updates were turned off -- received and installed 40+ updates, although this does not appear to have updated to Vista SP1 or 2. I need to look into that further. My friend also recommended Firefox, so will try changing over to that browser.
Have also installed SpywareBlaster and Spybot.
Am going to try running some of these tools on another PC in my household -- just in case.
DM Jay, thank you again for all your help! hope never to have to ask for assistance with this sort of a clean up again ;D
-
You're welcome! :)