Got an infection? Look here first!

[d4rkn1ght]

Hello Fellow TechKingser!!

Sorry to hear you're infected, but don't worry yet; this forum is here for us to be able to help you!

First, please note that all of us here are humans, so forgive any rudeness and late replies! :P

To get you started, please follow these basic steps so that malware removal is made easier!

If you're running Windows XP,
1.
First, enable the viewing of hidden files and folders:
• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View Tab.
• Under the Hidden files and folders heading select Show hidden files and folders.
• Uncheck the Hide protected operating system files (recommended) option.
• Click Yes to confirm.
• Click OK.

If you're running Windows Vista,
1.
First, enable the viewing of hidden files and folders:
• Click Start.
• Open Computer.
• Press the ALT key.
• Select the Tools menu and click Folder Options.
• Select the View Tab.
• Under the Hidden files and folders heading select Show hidden files and folders.
• Uncheck the Hide protected operating system files (recommended) option.
• Click Yes to confirm.
• Click OK.

2.
Next, I'll need you to disable User Account Control, or UAC. UAC is a security system introduced in Vista that aims to improve security by limiting what applications can do to a computer system. Even though this is a useful feature, this can hinder the malware removal process when several tools may be used, and you can choose to enable this feature when the malware removal process is finished.

• Please download this file: Enable-Disable UAC
• Unzip the archive.
• Run it, and when a black window pops up, type in D.
• When the tool has finished, click any key to continue, and then reboot.

Also, don't forget to follow these guidelines:
1. Be polite! Respect us and we'll respect you.
2. Don't hijack threads! Always start your own thread, so as to not get problems confused.
3. Give descriptive titles.

And of course, don't forget to always follow the Forum Rules!

Get Started!
Next, click on the link below which corresponds best to your problem.

General Infections
Slow Computer
Rogue Antimalware
Vundo/Virtumundo
Bootup Problems

PS: Do not post in this thread!

 

[greensman]

Infected... have Kaspersky and HiJackThis logs....

I already posted this at AD but it seems to be a bit slow there and I'm NOT up for reading 2-4 hours of material to know what to do at this point.. A mate of mine asked to help with his computer but I dove in over me head on this one. lol. I've run Avast FREE, Ad-Aware FREE, Spy-Bot S&D. I've now included a Kaspersky and HiJackThis log for your perusal. ;)

from Ad..... tia for getting to this...

I'm working on a friends computer and this thing is FUBARed!! lol Anyway I read the instructions so kindly set out by Fredil and I'm needing some assistance of course. Any ideas and cures would be appreciated. tia for the help...

Kaspersky log

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Tuesday, April 14, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, April 14, 2009 05:45:38
Records in database: 2042558
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 78624
Threat name: 9
Infected objects: 93
Suspicious objects: 0
Duration of the scan: 01:49:31


File name / Threat name / Threats count
C:\WINDOWS\system32\byXQIBqo.dll/C:\WINDOWS\system32\byXQIBqo.dll Infected: Trojan.Win32.Monder.atzu 3
C:\WINDOWS\system32\azempk.dll//UPX/C:\WINDOWS\system32\azempk.dll//UPX Infected: Packed.Win32.Krap.o 23
C:\WINDOWS\system32\tkbgmi.dll//UPX/C:\WINDOWS\system32\tkbgmi.dll//UPX Infected: Packed.Win32.Krap.o 24
C:\WINDOWS\system32\lulcfmlv.dll//UPX/C:\WINDOWS\system32\lulcfmlv.dll//UPX Infected: Packed.Win32.Krap.o 9
C:\Documents and Settings\Jeremy Rotramel\Desktop\InstallAVg_770522168440.exe Infected: Packed.Win32.Katusha.a 1
C:\Documents and Settings\Jeremy Rotramel\Local Settings\Application Data\Mozilla\Firefox\Profiles\ji86vnd2.default\Cache\66F72F03d01 Infected: Trojan-Downloader.Win32.Agent.brdu 1
C:\Documents and Settings\Jeremy Rotramel\Local Settings\Temporary Internet Files\Content.IE5\H4127O38\index[1] Infected: Packed.Win32.Krap.o 1
C:\Documents and Settings\Jeremy Rotramel\Local Settings\Temporary Internet Files\Content.IE5\M7G5OEN1\qw[1] Infected: Packed.Win32.Krap.o 1
C:\Documents and Settings\Jeremy Rotramel\Local Settings\Temporary Internet Files\Content.IE5\N9YHCC2K\nano[1] Infected: Trojan-Downloader.Win32.FraudLoad.vohb 1
C:\Documents and Settings\Jeremy Rotramel\My Documents\My Downloads\mw_setup.exe Infected: not-a-virus:FraudTool.Win32.MalwareWipe.u 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP672\A0151399.dll Infected: Trojan.Win32.Monder.bjny 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP672\A0151400.dll Infected: Trojan.Win32.Monder.bjny 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP672\A0151401.dll Infected: Trojan.Win32.Monder.bjny 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP672\A0151402.dll Infected: Trojan.Win32.Monder.bjny 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP672\A0151403.dll Infected: Trojan.Win32.Monder.bjny 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP672\A0151404.dll Infected: Trojan.Win32.Monder.bjny 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP672\A0151405.dll Infected: Trojan.Win32.Monder.bjny 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP672\A0151406.dll Infected: Trojan.Win32.Monder.bjny 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP672\A0151407.dll Infected: Trojan.Win32.Monder.bjny 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP672\A0151408.dll Infected: Trojan.Win32.Monder.bjny 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP672\A0151409.dll Infected: Trojan.Win32.Monder.bjny 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP672\A0151410.dll Infected: Trojan.Win32.Monder.bjny 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP672\A0151411.dll Infected: Trojan.Win32.Monder.bjny 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP672\A0151412.dll Infected: Trojan.Win32.Monder.bjny 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP672\A0151413.dll Infected: Trojan.Win32.Monder.bjny 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP672\A0151414.dll Infected: Trojan.Win32.Monder.bjny 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP672\A0151415.dll Infected: Trojan.Win32.Monder.bjny 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP672\A0151579.dll Infected: Packed.Win32.Tdss.f 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP675\A0151892.dll Infected: Trojan-Downloader.Win32.Agent.bkqa 1
C:\WINDOWS\system32\azempk.dll Infected: Packed.Win32.Krap.o 1
C:\WINDOWS\system32\byXQIBqo.dll Infected: Trojan.Win32.Monder.atzu 1
C:\WINDOWS\system32\gxlfsdlf.dll Infected: Trojan.Win32.Monder.bjny 1
C:\WINDOWS\system32\jehbtbvh.dll Infected: Packed.Win32.Krap.o 1
C:\WINDOWS\system32\lulcfmlv.dll Infected: Packed.Win32.Krap.o 1
C:\WINDOWS\system32\qdfcyeoy.dll Infected: Trojan.Win32.Monder.bjny 1
C:\WINDOWS\system32\qnfdioka.exe Infected: Trojan-Downloader.Win32.FraudLoad.vohb 1
C:\WINDOWS\system32\tkbgmi.dll Infected: Packed.Win32.Krap.o 1
C:\WINDOWS\system32\xvssmthp.exe Infected: Trojan-Downloader.Win32.FraudLoad.vohb 1

The selected area was scanned.

 

[greensman]

HiJackThis log to add...

HiJackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:31:42 PM, on 4/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Maxtor\Utils\SyncServices.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Maxtor\ManagerApp\Onetouch.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Jeremy Rotramel\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O1 - Hosts: 82.98.231.89 browser-security.microsoft.com
O1 - Hosts: 82.98.231.89 best-click-scanner.info
O1 - Hosts: 82.98.231.89 antivirus-xp-pro-2009.com
O1 - Hosts: 82.98.231.89 microsoft.infosecuritycenter.com
O1 - Hosts: 82.98.231.89 microsoft.softwaresecurityhelp.com
O1 - Hosts: 82.98.231.89 onlinenotifyq.net
O1 - Hosts: 82.98.231.89 antivirusxp-pro-2009.com
O1 - Hosts: 82.98.231.89 microsoft.browser-security-center.com
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\ManagerApp\Onetouch.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [4C7EF70D6FD5570D5DC65BE9F3B1DD3E] C:\Program Files\A360\av360.exe
O4 - HKCU\..\Run: [lrijh8s73jhbfgfd] C:\WINDOWS\TEMP\winlognn.exe
O4 - HKCU\..\Run: [sysguard] C:\WINDOWS\sysguard.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

 

[greensman]

and the second half.....

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) -
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) -
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) -
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) -
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) -
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} -
O20 - AppInit_DLLs: wbpvch.dll vsrusm.dll uzrgdv.dll mkxkqz.dll kxstaf.dll hrjtxj.dll hnxuqf.dll odhwrp.dll
O22 - SharedTaskScheduler: erajhsf8743kjrngjnf - {D5BF4552-94F1-42BD-F434-3604812C807D} - (no file)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\Utils\SyncServices.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 11877 bytes

 

[axxxo]

well if kasperky cant clean it up, full reinstallation?

 

[greensman]

NO... lol. That's what I thought but it seems that I'm getting there with this computer from HE!!... lol.

I did what I was told and I'm trying to post it here. :)

I'm adding the logs as attachments as the size goes beyond the post limit and it makes it 'easier' to handle as well. Hope it worked.

...gm

MWB log

 

[greensman]

combofix log

...gm

 

[greensman]

HJT log

...gm

 

[greensman]

just helping the messed up out...lol

I'm posting this stuff here to help out the people in need. d4rkn1ght or Hiteck if you feel this is out of line just delete some of my posts. I know the directions weren't fully "divulged" from DK but hey... I'm posting the logs anywho. :)

I like the site so far and still learning as they say.. good for the change to "Planet Earth"... me likey that too.

Thanks goes out to DK for his help and instruction. Still got a few more steps to go but it's getting there.

....gm

 

[axxxo]

lol, gotcha now gm, this guy must have loved certain dodgy sites and proboably gave program permissions all over the place to have done this much damage! :)
on the second half of the hijackthis log on the last 016 line is a virus if you want to edit it out gm :)

 

[greensman]

lol, gotcha now gm, this guy must have loved certain dodgy sites and proboably gave program permissions all over the place to have done this much damage! :)
on the second half of the hijackthis log on the last 016 line is a virus if you want to edit it out gm :)

That was the first HJT log and I'm looking at the other one to see what it has. I'm trying to do some of this on me own.... so I"m getting to stuff slowly. ROFL.

Thanks for helping.

 

[d4rkn1ght]

Rogue Antimalware

1. Introduction

What are rogue programs? Simply, they are programs which appear to do something, but rather, give false information and may also spy on you. The signs are obvious:

• programs you did not install give messages,
• pop ups saying you have a virus,
• and warning signs parading all around your screen.


*********************************************************************


2. Researching

Believe it or not, when it comes to dealing with rogue antimalware, Google may very well be your best friend. The internet is a vast storage of information, and somewhere deep down there is bound to contain a website with removal instructions on your particular rogue antimalware program. That is the page we will look for, and it most probably wouldn't be that hard to find it.


Simply go to www.google.com, and type in "Name Of Rogue Program" removal.

Depending on what type of rogue antimalware program you have, the results will probably range from 100 million to 9.8 trillion, so there most probably will not be a problem. :)


Things to look for:

• Date of rogue program creation.

If you happen to be infected with the very latest type, also known as a zero-day malware, the results might not prove that useful, so it's always good to wait for a while longer before following instructions on removal websites if the creation date is recent.

• Changes made to system (Files/Folders/Registry Keys/Services/Drivers)

After all, the whole point of researching is to remove what the malware has done to your computer, isn't it? This is the most important single step, and should not be relied on one website alone! While some websites may have good information, no website will have everything you need to know, so multiple websites are always good. Chances are, the websites you visit will also tell you how to remove such changes.

• Malware Family

If you know what family of malware the rogue program belongs to, this will help greatly. There are many great tools out there specializing in removal of malware families, such as Vundo or Smitfraud. If, let's say, you get infected by WinAntivirus, which is a variant of Vundo, simply download Vundofix by Atribune to remove your problem.


These are only the basics. If you find more information on your particular rogue program, the better.


*********************************************************************


3. Scanning

It is also important to scan with a good antispyware scanner to remove any traces you might have missed out. Here are the instructions for running a scan with SuperAntispyware.

Please download Superantispyware Free and install it. Follow the prompts and reboot if required.

Launch Superantispyware Free either by running C:\Program Files\SUPERANTISPYWARE.exe or right-click on the SuperAntispyware icon in your task bar (it looks like a bug) and click on Scan for Spyware, Adware, Malware...

Configuring SuperAntispyware

• Click on Preferences.
• In the tab General and Startup, make sure the box Start SuperAntispyware when Windows starts is unchecked. This will prevent SuperAntispyware from starting everytime, because it may interfere with other fixes that may be run.
• Navigate to the tab Scanning Control.
• Make sure only these boxes are checked:

Close browsers before scanning
Scan for tracking cookies
Terminate memory threats before quarantining
Scan Alternate Data Streams
Use Kernel Direct File Access (recommended)
Use Kernel Direct Registry Access (recommended)
Use Direct Disk Access (recommended)

• Click on Close.

Updating SuperAntispyware

• At the main window, click on Check for Updates....
• Wait for SuperAntispyware to be fully updated.

Scanning Time

• Boot into safe mode by repeatedly pressing the F8 key after you press the power button. If safe mode does not work, do the scan in normal mode.
• Launch SuperAntispyware.
• At the main window, click on Scan your Computer....
• Make sure all drives (excluding CD drives) are checked, select Perform Complete Scan, and then click on Next.
• Wait for the scan to complete, and then click on Next>. This will quarantine and remove all detected items.
• Reboot your computer.


*********************************************************************


4. Final Clean Up

Time to clean up the itty-bitty problems you might have left. Rogue anti-malware programs are notorious for disabling the Task Manager, Control Panel, and even Destop and Screensaver options! Here are some fixes that you can run if you do indeed have such problems:

Fix Desktop and ScreenSaver tabs in Desktop Options

Restore Task Manager, Folder Options, and Regedit

You will have to restart your computer for the changes to take effect.

You can also run generic cleanup programs such as Disk Cleaners and Defragmenters to speed up your computer. Free examples include CCleaner and Defraggler, both from Piriform.


*********************************************************************


5. Need More Help?

Let's say you didn't manage to get rid of the malware, or you still have problems left over. We, here, the TechKings forums are available if you need help! Simply follow the instructions below to post a HijackThis log which will be needed if you decide to post here.

Please download the HijackThis zip file. Save it onto a convenient place in your computer, and then unzip the file.

Rename HijackThis(.exe) to scanner(.exe).

Next, run scanner(.exe). A window will pop up.

• Click on the button which says Main Menu, then Do a system scan and save a logfile.
• Please wait for the scan to be completed.
• After the scan has completed, a text window will pop up. Please post the contents of this window here.

This will also be located at hijackthis(.txt) in the same folder that HijackThis was originally saved.

NOTE:: Do not fix anything using HijackThis, as this may also damage legitimate components of your computer.


*********************************************************************


6. Final Words

Prevention is better than cure. Find out how you got infected, and then immunize yourself so that your computer will never get infected that way again!

Best Regards

Back to Start

 

[axxxo]

hi d4rkn1ght, why is hijack renamed to scanner?

 

[d4rkn1ght]

General Infections

Before we enter the more advanced stages of malware removal, let's do a little cleanup and preparatory steps. If you are unable to perform any of the steps below, say so when you start a new thread.

1.
Let's make sure we have a System Restore point so that if something goes wrong, you can return your system to an earlier state.

Download SysRestorePoint to your desktop and unzip it.
• Double click SysRestorePoint.exe so that we can make a new system restore point.
• A box will pop up after it has made a new point, usually after a few seconds. Close that window and exit the program.

2.
As many malware will hide in Windows' temporary folders, cleaning out these places will speed up the malware removal process.

• Download TFC to your desktop, or other location.
• Save any unsaved work. TFC will close all open application windows.
• Double-click TFC.exe to run the program.
• If prompted, click "Yes" to reboot.
Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

3.
If you have an antivirus/antispyware,

Please reboot your computer into Safe Mode by doing the following:
• Restart your computer
• After pressing the power button, repeatedly tap the F8 key.
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
• Select the first option, to run Windows in Safe Mode, then press Enter.
• Choose the administrator's account.

Scan your computer with your antivirus/antispyware in Safe Mode, and post the logs here.

4.
Test your computer extensively to give an exact picture of all the problems plaguing your computer. (e.g. Control Panel not working, Ctrl-Alt-Del not accessible, Slow Right Click)

Okay... here comes the hard part. Next, we're gonna have to run a series (actually, three)of diagnostic tools on your computer. It won't be easy, but it'll give a deep look into your computer to tell what the problem is. If you are unable to perform any of the steps below, say so when you start a new thread.

Note: For easier cleanup when the malware removal process is over, it is recommended to create a new folder named Checkup on your desktop and save all downloaded tools from steps below into that folder.

TO DO: Before following the steps below, disable any security programs you have (antivirus/antispyware/firewall/HIPS) and disconnect your computer from the internet. Also close all other running programs such as Microsoft Word, Internet Explorer, etc.

1.
• Please download RSIT from here.
• Please download the HijackThis zip file and unzip HijackThis.exe into the same folder as RSIT.exe. We will need it later.
• Run RSIT.exe and follow the prompts.
• When the scan is finished, two notepad windows will pop up; log.txt and info.txt. They are also located at C:\rsit.
• Post log.txt and info.txt here.

2.
• Please download GMER:
• Unzip (extract) it into the same folder as HijackThis and RSIT.
• Double-click gmer.exe to run it.
• Let the gmer.sys driver load if asked.
• If it gives you a warning at program start about rootkit activity and asks if you want to run a scan... click NO.
• Click the Rootkit tab.
• Make sure only these boxes on the right of the screen are checked. Do not check Show All.

System
Modules
Processes
Threads
Libraries
Services
Registry
Files
C:\ and any other drives
ADS

• Then click the Scan button. Wait for the scan to finish.
• Once done, click the Copy button.
• This will copy the results to the clipboard. Open Notepad, paste the log into it, and save it. Post this log to your next reply.

3.
• Please download DiagTool into the same folder as RSIT and HijackThis.
• Unzip the archive.
• Double click DiagTool.exe. Nothing will appear, so that is normal.
• When the scan is finished, a pop up will tell you. Click on OK.
• A notepad window should appear; loggy.txt. Post this here. This is also located at C:\loggy.txt.

Things I'll need in your thread:
1. A detailed description of what your problem is.
2. Logs from your antivirus/antispyware.
3. What security programs you have (e.g. Antivirus, Antispyware, Firewall)
4. RSIT logs
5. GMER log
6. DiagTool log


Hope you get your problem fixed!!

Best Regards

Back to Start

 

[d4rkn1ght]

There is a great guide on BleepingComputer.com on how to remove Vundo/Virtumundo
http://www.bleepingcomputer.com/malware-removal/remove-vundo-virtumonde

If you still need help, simply follow these instructions and start a new thread!

Best Regards

Back to Start

 

[d4rkn1ght]

If for some reason your computer cannot boot up normally, be sure to try these steps first.

1.
Please reboot your computer into Safe Mode by doing the following:
• Restart your computer
• After pressing the power button, repeatedly tap the F8 key.
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
• Select the first option, to run Windows in Safe Mode, then press Enter.
• Choose the administrator's account.

Can your computer boot up in Safe Mode? If so, post a new thread with a description of your problem.

2.
Follow this tutorial on how to use the Avira RescueCD to scan your computer for infections without the need to boot Windows.

If none of the above work, you may have to send your computer to the local technician, who may have to either take out your hard drive or reinstall Windows, both of which regrettably are tasks unable to be done over a forum...

Hope your problem gets fixed!

Best Regards

Back to Start

 

[d4rkn1ght]

Please note that a Slow Computer does not equal Malware Infection. Read here first:
http://www.bleepingcomputer.com/forums/topic87058.html

If you still suspect an infection, simply follow these instructions and start a new thread!

Best Regards

Back to Start