Hello,

This morning I was downloading ringtones on a website and all was well until one that I downloaded throw up 50 pop-ups and starting making Horse sounds really loudly.

I opened up task manager straight away and deleated a bunch of stuff I didn't recognise.

Strangly AVG disappeared from my computer at the same time.

Loads of 'XXXXX Program Didn't Install Correctly' promts came up and then instantly a warning that my computer was running low on memory. I checked it straight away and it was down to 875MB!! from the 62GB it was earlier today.

I have ran Malwarebytes which found loads of stuff and also ran AVG again from a fresh Install.

I am still however getting popups aswell as the Disk Space still only being back up to 3.7GB

Windows Security is also infected in someway as I am unable to switch it on:



Any help would be great.

Thanks in advance,

Declan

This post has been edited by decbohan22: Sep 13 2009, 10:41 AM

Hello decbohan22

Welcome to G2Go.
=====================

• Download OTL to your desktop.
• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• When the window appears, underneath Output at the top change it to Minimal Output.
• Under the Standard Registry box change it to All.
• Check the boxes beside LOP Check and Purity Check.
• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

===========
Download This file. Note its name and save it to your root folder, such as C:\.

• Disconnect from the Internet and close all running programs.
• Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
• Click on this link to see a list of programs that should be disabled.
• Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
• Allow the driver to load if asked.
• You may be prompted to scan immediately if it detects rootkit activity.
• If you are prompted to scan your system click "Yes" to begin the scan.
• If not prompted, click the "Rootkit/Malware" tab.
• On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
• Select all drives that are connected to your system to be scanned.
• Click the Scan button to begin. (Please be patient as it can take some time to complete)
• When the scan is finished, click Save to save the scan results to your Desktop.
• Save the file as Results.log and copy/paste the contents in your next reply.
• Exit the program and re-enable all active protection when done.

Thanks ..




Okay, did that ..  OTL_TXT_and_Extras.Txt ( 218.96K ) Number of downloads: 139


Situation now worse. Windows Security switched off and unaccesible and Desktop is locked and can only access programmes and files through the start menu

This post has been edited by decbohan22: Sep 13 2009, 11:22 AM

Do you have the other log?

This appears to be the source of infection:
C:\users\declan\documents\downloads\programs\keygen.vidcrop.pro.1.0.0.11.exe
Keygens are used to make expensive free and they are illegal and most if not all of them come with a malware surprise.
Stay away from cracks\keygens of any kind or this will continue to happen.

See if you can get me the other log and we will continue from there.

Not sure what a keygen is but I did downloaded Vidcrop from a website earlier - so that's what it was. It was from a video on Youtube and in the description area on the right was that link. It didn't download so thought no more of it ..

The other file that you need is just below that one in the TXT file .. I cut & pasted both in the one document.

Thanks for your help. Really appreciate ie ..

This post has been edited by decbohan22: Sep 13 2009, 11:43 AM

Hi no I meant the rootkit scan log it is not in with the rest it is only 2 OTL files.
See if you can get that for me please.

Hi,

Okay .. took a while as the program kept crashing. Four times in all - so I just kept rebooting.

At the end it said:

"GMER HAS FOUND SYSTEM MOD CAUSED BY ROOTKIT ACTIVITY"

and also the following part was RED:

"Library C:\Program (*** hidden *** ) @ C:\Program [3268] 0x00400000"

If there is anything else you need just let me know.

Thanks again ..

 GMERResults.txt ( 8.86K ) Number of downloads: 2



GMER 1.0.15.15077 [RootLogThing.exe] - http://www.gmer.net
Rootkit scan 2009-09-13 21:53:22
Windows 6.0.6002 Service Pack 2


---- System - GMER 1.0.15 ----

INT 0x61 ? 9C118CD0
INT 0x71 ? 9C0FA050
INT 0xB3 ? 9C0FACD0

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[2256] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [749D7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2256] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74A2A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2256] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [749DBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2256] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [749CF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2256] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [749D75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2256] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [749CE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2256] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74A08395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2256] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [749DDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2256] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [749CFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2256] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [749CFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2256] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [749C71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2256] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [74A5CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2256] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [749FC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2256] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [749CD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2256] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [749C6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2256] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [749C687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2256] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [749D2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp tdifw_drv.sys
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp tdifw_drv.sys
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp tdifw_drv.sys
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
---- Processes - GMER 1.0.15 ----

Library C:\Program (*** hidden *** ) @ C:\Program [3268] 0x00400000

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6E652B76-8D91-FE0C-7086-1312CF84256D}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6E652B76-8D91-FE0C-7086-1312CF84256D}@oagakhclcljedjbbdcbdpchgndbdfp 0x64 0x61 0x67 0x63 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6E652B76-8D91-FE0C-7086-1312CF84256D}@oacbcpbgcacclehljhmmefopcpalap 0x6A 0x61 0x6A 0x61 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6E652B76-8D91-FE0C-7086-1312CF84256D}@namaihcdlihoflleafbdkgapjmnk 0x6A 0x61 0x6A 0x61 ...

---- EOF - GMER 1.0.15 ----

This post has been edited by decbohan22: Sep 13 2009, 03:03 PM

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  
  
• Double click on ComboFix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Hi, here you go ..

 Combo_Fix_Log.txt ( 35.62K ) Number of downloads: 10

First: Update Run Malwarebytes

Please update\run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.

• Click on the update tab then click on Check for updates.
• If an update is found, it will download and install the latest version.
• Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.
=====
Second: Online Scanner
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.

• The program will install and then begin downloading the latest definition files.
• After the files have been downloaded on the left side of the page in the Scan section select My Computer
• This will start the program and scan your system.
• The scan will take a while, so be patient and let it run.
• Once the scan is complete, click on View scan report
• Now, click on the Save Report as button.
• Save the file to your desktop.
• Copy and paste that information in your next post.

Thanks, here are those reports ..

Malwarebytes
__________________________________________________________________________________________
Malwarebytes' Anti-Malware 1.41
Database version: 2794
Windows 6.0.6002 Service Pack 2

14/09/2009 03:02:40
mbam-log-2009-09-14 (03-02-40).txt

Scan type: Quick Scan
Objects scanned: 90829
Time elapsed: 9 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\syntpenh (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Synaptics\SynTP\syntpenh.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\System32\rthdvcpl.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\System32\hkcmd.exe113 (Trojan.Downloader) -> Quarantined and deleted successfully.
_____________________________________________________________________________________




KASPERSKY
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, September 14, 2009
Operating system: Microsoft Windows Vista Business Edition, 32-bit Service Pack 2 (build 6002)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, September 14, 2009 05:39:06
Records in database: 2803095
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Objects scanned: 122281
Threats found: 1
Infected objects found: 8
Suspicious objects found: 0
Scan duration: 06:09:33


File name / Threat / Threats count
C:\Program Files\Adobe\acrotray .exe Infected: Backdoor.Win32.Small.yb 1
C:\Program Files\AVG\AVG8\avgtray.exe183 Infected: Backdoor.Win32.Small.yb 1
C:\Program Files\Synaptics\SynTP\syntpenh.exe104 Infected: Backdoor.Win32.Small.yb 1
C:\Program Files\Synaptics\SynTP\syntpenh.exe156 Infected: Backdoor.Win32.Small.yb 1
C:\Program Files\Synaptics\SynTP\syntpenh.exe180 Infected: Backdoor.Win32.Small.yb 1
C:\Program Files\Windows Defender\msascui.exe -hide Infected: Backdoor.Win32.Small.yb 1
C:\Qoobox\Quarantine\C\Windows\System32\rthdvcpl .exe.vir Infected: Backdoor.Win32.Small.yb 1
C:\Users\Declan\AppData\Roaming\IDM\rthdvcpl.exe Infected: Backdoor.Win32.Small.yb 1

Selected area has been scanned.
----------------------------------------------------------------------------------

1. Open notepad and copy/paste the text in the codebox below into it:








Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

• Ensure you are connected to the internet and click OK on the message box.
• A browser will open.
• Simply follow the instructions to copy/paste/send the requested file.

===========
Note::
If Combofix fails to upload anything please do the following:
Go to Start > My Computer > C:\
Then Navigate to C:\Qoobox\Quarantine\[4]-Submit_Date_Time.zip

Click Here to upload the submit.zip please.

Where to I get the CFScript.txt from?

Please read my previous post.
You have to create a text file called cfscript.
Then the contents would be the text inside of the code box in my above post.

I did read it but you never said I had to call the txt file CFScript.

Anyway, I have uploaded it.

Thanks again for your time ..