Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

I think its MalWare... need help please

Started by BlueDog1 , Mar 29 2008 01:36 AM

  • Please log in to reply

#1
BlueDog1
Posted 29 March 2008 - 01:36 AM

BlueDog1

    New Member

  • Member
  • Pip
  • 3 posts
Good day,

Sorry for the long post, I figured it would be better to tell you too much vice too little. I'm not quite certain what I have but know it's related to an EXE file that was downloaded and executed.

I have read and completed the suggested actions as stated in "Read This Before Posting a Hijackthis Log".

ATF Cleaner - Ran Ok

System Restore - Completed as directed. No problem.

AVG Anti-spyware - Configured it, ran it, lots of info found. Unable to create/save a report. I took screen shots and attached them in a file but I'm unable to upload them as attachment. Note that at some point, a pop-up came up with the message "registry editing disable by your administrator". After reboot, I get a msg telling me that I need to re-install it as it will no longer work. I did not re-install, and continued with suggested tasks.

SuperAntiSpyware - See log

Step 2 - Online Panda Active Scan.

I get a msg telling me that the page cannot be accessed. Note that I do have Internet access... this msg
comes up when I try to go to sites usch as McAfee, Panda.

...That's where I am...


Current situation:

Limited Internet access, pop-up warning of false true spyware infections. I also noticed that the scroll bars are gone in MS Word (I tried to re-activate the scroll bars but the box is always clear when I go back to that Word menu).

How I got there:

My son downloaded a game from the Internet and ran the EXE file that he had saved on the desktop.

What happened:

First, the wall paper was changed to reflect a message warning us of a spyware infection and a link was provided to download a software to scan the system (link was not followed). Then, new icons with message/warning bubbles appeared in the tray at the bottom right of the screen.. more warning about spyware infections and links provided. Then my recollection of what I saw gets a little fuzzy as a lot of things kinda happened very fast.. Windows security center window opening suggesting that I turn on protections and install ultimate defender and ultimate cleaner (I did not activate/installed options as this appears to be bogus info). Security system warning appeared warning me about TraojanDownloader.xs (also appears bogus). By that time, I noticed that I no longer had access to the Task Mgr (ctrl-alt-del), a pop-up told me that it was disabled and I needed to contact the administrator. The Control panel icon was also no longer available in the start menu. Internet remained functional but limited. For instance, I was redirected when I tried to connect to McAfee.com to some bogus site.

The sick machine:

The problem occurred on a laptop. No Antivirus/Spyware protection was running at the time of the occurrence as the free offer that came with the system had expired. Of course when the temporary license expired, I did not install the Internet Security Suite (McAfee) I'm running on the desktop. The laptop is running on Windows XP and has SP2 installed. It connects to the Internet via a wireless connection (the desktop uses DSL). Because connectivity issues related to the current issue, I'm running the laptop besides the desktop as it's easier to follow instructions on one screen while taking the required actions on the laptop.

What I've done so far:

Before I came across your site, I downloaded Superantispyware and ran it. The problem remained. Using options from their tool menu, I was able to regain access to the task-manager and control panel. However, I still get the pop-ups at regular interval (every few minutes) and I'm still getting re-directed when I try to access specific sites (such as Panda and McAfee).

When I boot the laptop (screen shots available but unable to upload):

I get this message the msg error loading C:\windowsystem32\drvjup.dll (I think this started after I used SuperAntispyware to regain some control)...

Then messages and pop ups tell me that I need to install soft ware and that I have infections, etc...

Your help would be greatly appreciated.

Many thanks,

K


****AVG Spyware Log****
Unable to save a log (options setup correctly as per instructions, no report to save at the end). I Saved screen shots hoping they can help, but I'm unable to upload the Word document (~480K). Note that during the scan, a pop-up msg said "registry edition disabled by your administrator".

****SuperAntiSpyware Log (3rd scan log)****
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/29/2008 at 07:17 AM

Application Version : 4.0.1154

Core Rules Database Version : 3426
Trace Rules Database Version: 1418

Scan type : Complete Scan
Total Scan Time : 01:30:33

Memory items scanned : 386
Memory threats detected : 0
Registry items scanned : 5543
Registry threats detected : 0
File items scanned : 73949
File threats detected : 4

Adware.Tracking Cookie
C:\Documents and Settings\Karl\Cookies\karl@stopzilla[1].txt
C:\Documents and Settings\Karl\Cookies\[email protected][2].txt

Trojan.Unclassified/Tmp-Gen
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9F7443AE-7A82-4777-BD06-7573548B73B2}\RP109\A0064820.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9F7443AE-7A82-4777-BD06-7573548B73B2}\RP109\A0064822.EXE


****HijackThis******

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:52:56 AM, on 29/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\pwkznnkk.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\sldpj0.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\mspaint.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Karl\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
F2 - REG:system.ini: Shell=Explorer.exe
O1 - Hosts: 221.135.111.121 Download.mcafee.com
O1 - Hosts: 221.135.111.121 Download.mcafee.com
O2 - BHO: iSecurity - {A8311E8F-E459-4D22-89B4-CB9DCF10A425} - C:\WINDOWS\system32\ISECUR~1.CPL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Winupdates] sldpj0.exe
O4 - HKLM\..\Run: [pwkznnkk] C:\WINDOWS\system32\pwkznnkk.exe
O4 - HKLM\..\Run: [gvcbqxad] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\gvcbqxad.dll"
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvjup.dll,startup
O4 - HKLM\..\Run: [iSecurity applet] rundll32.exe iSecurity.cpl,SecurityMonitor
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [q4xL6pqab6] C:\WINDOWS\TEMP\win2B.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1101912634187
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1171870741096
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - AppInit_DLLs: iSecurity.cpl
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: winpdc32 - winpdc32.dll (file missing)
O21 - SSODL: AlrtChk - {5adb1c2e-967e-4aa0-a7f6-59a0f7432022} - C:\WINDOWS\Installer\{5adb1c2e-967e-4aa0-a7f6-59a0f7432022}\AlrtChk.dll (file missing)
O21 - SSODL: UnknownService - {acf25561-4769-4624-89d5-2c87ca6f511b} - C:\WINDOWS\Installer\{acf25561-4769-4624-89d5-2c87ca6f511b}\UnknownService.dll (file missing)
O21 - SSODL: iSecurity - {A8311E8F-E459-4D22-89B4-CB9DCF10A425} - C:\WINDOWS\system32\ISECUR~1.CPL
O21 - SSODL: PrxChk - {63372ad5-2ca1-4298-8b18-4603eaefe86a} - C:\WINDOWS\Installer\{63372ad5-2ca1-4298-8b18-4603eaefe86a}\PrxChk.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 9131 bytes


****Uninstall List****
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Adobe Shockwave Player
Adobe® Photoshop® Album Starter Edition 3.2
Apple Mobile Device Support
Apple Software Update
AVG Anti-Spyware 7.5
Bonjour
Compatibility Pack for the 2007 Office system
getPlus®_ocx
Google Desktop
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Updater
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Intel® Extreme Graphics 2 Driver
iolo technologies' System Mechanic 7
iTunes
J2SE Runtime Environment 5.0 Update 12
Java™ 6 Update 3
Medi@Show
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
MSXML 4.0 SP2 (KB936181)
Norton Security Scan

Attached Files


  • 0

Advertisements

#2
BlueDog1
Posted 29 March 2008 - 01:41 AM

BlueDog1

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Looks like one attachment made it, despite the upload failure msg I received. Here is the other file with screen shots of AVG anti spy ware (I was unable to produce a log at the end of the scan).

Looking fwd to receive your feedback, thanks,

K

Attached Files


  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP