Frustrating Malware [Solved] - Geeks to Go Forums


Frustrating Malware [Solved]

#1 DNA1 DemonK01

  • Group: Member
  • Posts: 18
  • Joined: 31-January 10

Posted 31 January 2010 - 11:49 AM

I'm having a dire problem with what seems to be AdWare/Spyware running on my computer.

I left my computer running last night and awoke to find that 9 Internet Explorer browsers were running simultaneously. My first instinct is to open the Task Manager and close them, but when I press CTRL+ALT+Delete, the option to bring up the Task Manager is greyed out.

Then, to my next instinct, I ran a scan through NOD32 and to my dismay it found nothing. Then I went to Malwarebytes on my computer and tried to run it from the shortcut on my desktop only to discover that it no longer existed on my system. Amazing.

I then attempted to download the program again. This worked up until I needed to reboot for the installation to be complete. I rebooted and went to the new shortcut, which now held for me the same result; deleted.

Now, periodically a new tab will open in my FireFox browser (that's why the 9 IE browsers was so shocking; I don't use IE) taking me to a site to download "SpyWare Doctor". Just a moment ago, I checked the URL before it changed to the Spyware Doctor website and it was something similar to "chocolatetruffles".

If anyone can help it will be greatly appreciated and if you need further information, I'll do whatever I can to provide.

#2 Essexboy

  • Group: GeekU Moderator
  • Posts: 55,405
  • Joined: 31-May 06

Posted 31 January 2010 - 12:13 PM

Hi, let's see if this works - two programmes for you

Download avz4.zip from here
  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the right of the Log window
  • Click Start to begin the update

Note: If you receive an error message, choose a different source, then click Start again


  • Start AVZ.

  • Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Analysis with Malware removal mode enabled" check box.
  • Click on the “Execute selected scripts”.
  • Automatic scanning, healing and system check will be executed.
  • A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  • It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
  • All applications will work properly after the system restart.


When restarted

  • Start AVZ.

  • Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Analysis" check box.
  • Click on the "Execute selected scripts".
  • A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.


Attach both virusinfo_syscure.zip and virusinfo_syscheck.zip to your next post

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on the insert icon to insert the attachment into your post


THEN

To ensure that I get all the information, this log will need to be attached (instructions at the end). If it is too large to attach, then upload it to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles


  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on the insert icon to insert the attachment into your post


#3 DNA1 DemonK01

  • Group: Member
  • Posts: 18
  • Joined: 31-January 10

Posted 31 January 2010 - 12:41 PM

Here are the two files from AVZ.

I'm working on the following step now.

Attached File(s)



#4 Essexboy

  • Group: GeekU Moderator
  • Posts: 55,405
  • Joined: 31-May 06

Posted 31 January 2010 - 12:55 PM

A few meanies there - could I also have the OTS run log :)

AVZ FIX

  • Double click on AVZ.exe

  • Click File > Custom scripts

  • Copy & paste the contents of the following codebox in the box in the program (start with begin and end with end)
    begin
    SearchRootkit(true, true);
    SetAVZGuardStatus(True);
    SetAVZPMStatus(True);
    TerminateProcessByName('c:\docume~1\mypc~1\locals~1\temp\setup.exe');
    TerminateProcessByName('c:\docume~1\mypc~1\locals~1\temp\services.exe');
    BC_DeleteFile('c:\docume~1\mypc~1\locals~1\temp\services.exe');
    DeleteFile('c:\docume~1\mypc~1\locals~1\temp\services.exe');
    BC_DeleteFile('c:\docume~1\mypc~1\locals~1\temp\setup.exe');
    DeleteFile('c:\docume~1\mypc~1\locals~1\temp\setup.exe');
    BC_DeleteFile('C:\DOCUME~1\MYPC~1\LOCALS~1\Temp\services.exe');
    DeleteFile('C:\DOCUME~1\MYPC~1\LOCALS~1\Temp\services.exe');
    BC_DeleteFile('C:\DOCUME~1\MYPC~1\LOCALS~1\Temp\setup.exe');
    DeleteFile('C:\DOCUME~1\MYPC~1\LOCALS~1\Temp\setup.exe');
    BC_DeleteFile('C:\WINDOWS\ohacaguh.dll');
    DeleteFile('C:\WINDOWS\ohacaguh.dll');
    BC_DeleteFile('C:\WINDOWS\system32\dpjzh.dll');
    DeleteFile('C:\WINDOWS\system32\dpjzh.dll');
    BC_DeleteFile('C:\WINDOWS\system32\rejiwike.dll');
    DeleteFile('C:\WINDOWS\system32\rejiwike.dll');
    BC_DeleteFile('C:\WINDOWS\system32\zirejoji.dll');
    DeleteFile('C:\WINDOWS\system32\zirejoji.dll');
    RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','asg984jgkfmgasi8ug98jgkfgfb');
    BC_DeleteFile('C:\DOCUME~1\MYPC~1\LOCALS~1\Temp\vvn4x.exe');
    DeleteFile('C:\DOCUME~1\MYPC~1\LOCALS~1\Temp\vvn4x.exe');
    RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','sefjhf98jfoidsfoishgoiusgdgfgd');
    RegKeyParamDel('HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Services\6to4\Parameters','ServiceDll');
    BC_DeleteFile('C:\WINDOWS\system32\6to4v32.dll');
    DeleteFile('C:\WINDOWS\system32\6to4v32.dll');
    RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','Fxicefokibof');
    BC_DeleteFile('C:\WINDOWS\kbenmsau.dll');
    DeleteFile('C:\WINDOWS\kbenmsau.dll');
    RegKeyParamDel('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler','{C4BF49A2-94F1-42BD-F034-3604811C807D}');
    RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','zupekujol');
    BC_DeleteFile('c:\windows\system32\kozizahu.dll');
    DeleteFile('c:\windows\system32\kozizahu.dll');
    RegKeyParamDel('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler','{e18cba47-f1a2-445c-bbe4-ceb9aa3794ba}');
    RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad','zolutefaz');
    BC_DeleteFile('zirejoji.dll');
    DeleteFile('zirejoji.dll');
    BC_ImportDeletedList;
    ExecuteSysClean;
    BC_Activate;
    RebootWindows(true);
    end.


  • Note: When you run the script, your PC will be restarted

  • Click Run

  • Restart your PC if it doesn't do it automatically.


ON COMPLETION

  • Start AVZ.

  • Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Analysis" check box.
  • Click on the "Execute selected scripts".
  • A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.


Attach the zip file to your next post

#5 DNA1 DemonK01

  • Group: Member
  • Posts: 18
  • Joined: 31-January 10

Posted 31 January 2010 - 01:09 PM

(edited)

Here's the OTS file and the new AVZ file

Attached File(s)



#6 Essexboy

  • Group: GeekU Moderator
  • Posts: 55,405
  • Joined: 31-May 06

Posted 31 January 2010 - 02:39 PM

And more to go - one of these is a Chinese one released less than a week ago. On completion of these runs, can you let me know how your system is behaving?

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Win32 Services - Safe List]
YY -> (BtwSvc) BtwSvc [Auto | Running] -> C:\WINDOWS\system32\BtwSvc.dll
YY -> (peersvc) peersvc  Service [Auto | Stopped] -> C:\WINDOWS\system32\PeerSvc.exe
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {C4BF49A2-94F1-42BD-F034-3604811C807D} [HKLM] -> C:\WINDOWS\System32\dpjzh.dll [C:\WINDOWS\system32\dpjzh.dll]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "Fxicefokibof" -> C:\WINDOWS\ohacaguh.DLL [rundll32.exe "C:\WINDOWS\ohacaguh.dll",Startup]
YY -> "smss32.exe" -> C:\WINDOWS\system32\smss32.exe [C:\WINDOWS\system32\smss32.exe]
YY -> "Warning: do not remove it!" -> C:\WINDOWS\System32\fpplock.exe [fpplock.exe]
< Run [HKEY_USERS\S-1-5-21-1409082233-1390067357-1606980848-1002\] > -> HKEY_USERS\S-1-5-21-1409082233-1390067357-1606980848-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "smss32.exe" -> C:\WINDOWS\system32\smss32.exe [C:\WINDOWS\system32\smss32.exe]
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-1409082233-1390067357-1606980848-1002] > -> HKEY_USERS\S-1-5-21-1409082233-1390067357-1606980848-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
YN -> \\"DisableTaskMgr" -> [1]
YN -> \\"DisableRegistryTools" -> [1]
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> buy-internet-security10.com .[http] -> Trusted sites
< Trusted Sites Domains [HKEY_USERS\S-1-5-21-1409082233-1390067357-1606980848-1002\] > -> HKEY_USERS\S-1-5-21-1409082233-1390067357-1606980848-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> buy-internet-security10.com .[http] -> Trusted sites
YN -> is-soft-download.com .[http] -> Trusted sites
YN -> is-software-download25.com .[http] -> Trusted sites
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit
YY -> C:\WINDOWS\system32\winlogon32.exe -> C:\WINDOWS\system32\winlogon32.exe
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< SharedTaskScheduler [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
YY -> "{C4BF49A2-94F1-42BD-F034-3604811C807D}" [HKLM] -> C:\WINDOWS\System32\dpjzh.dll [lkjah87hfijgnfasidofgysgiughnjfkgfgdfgf]
[Files/Folders - Created Within 30 Days]
NY ->  dxayligu.exe -> C:\dxayligu.exe
NY ->  fpmhwfpv.exe -> C:\fpmhwfpv.exe
[Files/Folders - Modified Within 30 Days]
NY ->  zotameda.dll -> C:\WINDOWS\System32\zotameda.dll
NY ->  zirejoji.bak -> C:\WINDOWS\System32\zirejoji.bak
NY ->  rejiwike.bak -> C:\WINDOWS\System32\rejiwike.bak
NY ->  jajeluvi.dll -> C:\WINDOWS\System32\jajeluvi.dll
NY ->  pidurave.dll -> C:\WINDOWS\System32\pidurave.dll
NY ->  yonujoli -> C:\WINDOWS\System32\yonujoli
NY ->  Wjunobil.dat -> C:\WINDOWS\Wjunobil.dat
NY ->  IS15.exe -> C:\WINDOWS\System32\IS15.exe
NY ->  helper32.dll -> C:\WINDOWS\System32\helper32.dll
NY ->  warning.html -> C:\WINDOWS\System32\warning.html
NY ->  Ydacahixusoyaqox.bin -> C:\WINDOWS\Ydacahixusoyaqox.bin
NY ->  t1p0_725528826937.b1k -> C:\WINDOWS\System32\t1p0_725528826937.b1k
NY ->  uses32.dat -> C:\WINDOWS\System32\uses32.dat
NY ->  flags.ini -> C:\WINDOWS\System32\flags.ini
NY ->  dpjzh.bak -> C:\WINDOWS\System32\dpjzh.bak
NY ->  dxayligu.exe -> C:\dxayligu.exe
NY ->  fpmhwfpv.exe -> C:\fpmhwfpv.exe
NY ->  winlogon32.exe -> C:\WINDOWS\System32\winlogon32.exe
NY ->  smss32.exe -> C:\WINDOWS\System32\smss32.exe
NY ->  lnfae.exe -> C:\lnfae.exe
NY ->  jvgf.exe -> C:\jvgf.exe
NY ->  3 C:\Documents and Settings\My PC\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\My PC\Local Settings\Temp\*.tmp
[Files - No Company Name]
NY ->  zotameda.dll -> C:\WINDOWS\System32\zotameda.dll
NY ->  zirejoji.bak -> C:\WINDOWS\System32\zirejoji.bak
NY ->  rejiwike.bak -> C:\WINDOWS\System32\rejiwike.bak
NY ->  jajeluvi.dll -> C:\WINDOWS\System32\jajeluvi.dll
NY ->  pidurave.dll -> C:\WINDOWS\System32\pidurave.dll
NY ->  yonujoli -> C:\WINDOWS\System32\yonujoli
NY ->  uzi3ndu1.sys -> C:\WINDOWS\System32\drivers\uzi3ndu1.sys
NY ->  Wjunobil.dat -> C:\WINDOWS\Wjunobil.dat
NY ->  Ydacahixusoyaqox.bin -> C:\WINDOWS\Ydacahixusoyaqox.bin
NY ->  t1p0_725528826937.b1k -> C:\WINDOWS\System32\t1p0_725528826937.b1k
NY ->  uses32.dat -> C:\WINDOWS\System32\uses32.dat
NY ->  flags.ini -> C:\WINDOWS\System32\flags.ini
NY ->  IS15.exe -> C:\WINDOWS\System32\IS15.exe
NY ->  helper32.dll -> C:\WINDOWS\System32\helper32.dll
NY ->  warning.html -> C:\WINDOWS\System32\warning.html
NY ->  winlogon32.exe -> C:\WINDOWS\System32\winlogon32.exe
NY ->  smss32.exe -> C:\WINDOWS\System32\smss32.exe
NY ->  dpjzh.bak -> C:\WINDOWS\System32\dpjzh.bak
NY ->  jvgf.exe -> C:\jvgf.exe
NY ->  lnfae.exe -> C:\lnfae.exe
[Custom Scans]
YY ->  dxayligu.exe -> C:\dxayligu.exe
YY ->  fpmhwfpv.exe -> C:\fpmhwfpv.exe
YY ->  jvgf.exe -> C:\jvgf.exe
YY ->  lnfae.exe -> C:\lnfae.exe
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.

I will review the information when it comes back in.

THEN

Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
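The OTS fix above is a flat list of registry values and files, and it is the entries themselves that explain the symptoms in the first post. As an added example that is not from the thread, from OTS or from the moderator, the Python below parses entries in that fix-list format (the sample is constructed from the lines above, so the paths and names are the page's own) and classifies them into the mechanisms a responder would want called out: the policy values that grey out Task Manager and regedit, the UserInit hijack, imitation system-process names in Run keys, rogue sites added to the Trusted zone, and droppers in the drive root. The regexes and the category names are my own assumptions about the format, not OTS's.

```python
import re
from pathlib import PureWindowsPath

# Constructed excerpt in the OTS fix-list format pasted in the thread above;
# the entries are copied from that fix, so the paths and names are the page's own.
SAMPLE_FIX = r"""
[Registry - Safe List]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "Fxicefokibof" -> C:\WINDOWS\ohacaguh.DLL [rundll32.exe "C:\WINDOWS\ohacaguh.dll",Startup]
YY -> "smss32.exe" -> C:\WINDOWS\system32\smss32.exe [C:\WINDOWS\system32\smss32.exe]
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-1409082233-1390067357-1606980848-1002] > -> HKEY_USERS\S-1-5-21-1409082233-1390067357-1606980848-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
YN -> \\"DisableTaskMgr" -> [1]
YN -> \\"DisableRegistryTools" -> [1]
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> buy-internet-security10.com .[http] -> Trusted sites
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit
YY -> C:\WINDOWS\system32\winlogon32.exe -> C:\WINDOWS\system32\winlogon32.exe
[Files/Folders - Created Within 30 Days]
NY ->  dxayligu.exe -> C:\dxayligu.exe
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")                 # "[Registry - Safe List]"
GROUP_RE = re.compile(r"^< .+? > -> (.+)$")            # "< label > -> registry key"
VALUE_RE = re.compile(r"^\*\w+\* -> (.+)$")            # "*UserInit* -> key\\value"
ENTRY_RE = re.compile(r"^([YN]{2}) ->\s+(.+?) -> (.+)$")  # "YY -> name -> target"
# Core Windows process names that rogue droppers imitate (smss32.exe, winlogon32.exe).
CORE_NAMES = ("smss", "winlogon", "csrss", "lsass", "services", "svchost")

def parse_fix(text):
    """Return (section, key, flags, name, target) tuples for every entry line."""
    entries, section, key = [], "", ""
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := SECTION_RE.match(line):
            section, key = m.group(1), ""          # a new section resets the key context
        elif m := GROUP_RE.match(line) or VALUE_RE.match(line):
            key = m.group(1)                        # entries below belong to this key
        elif m := ENTRY_RE.match(line):
            entries.append((section, key, m.group(1), m.group(2).strip('"\\'), m.group(3)))
    return entries

def assess(entries):
    """Map parsed entries to (category, detail) findings tied to the reported symptoms."""
    findings = []
    for section, key, _flags, name, target in entries:
        k, t = key.lower(), target.lower()
        if k.endswith(r"\policies\system") and name in ("DisableTaskMgr", "DisableRegistryTools") and target == "[1]":
            findings.append(("tool-disabled", f"{name}=1 in {key}"))   # greyed-out Task Manager
        elif k.endswith(r"\winlogon\\userinit") and "userinit.exe" not in t:
            findings.append(("userinit-hijack", target))                # default is userinit.exe
        elif k.endswith(r"\currentversion\run"):
            stem = PureWindowsPath(target.split(" [", 1)[0]).stem.lower()
            if "rundll32" in t or (stem.startswith(CORE_NAMES) and stem not in CORE_NAMES):
                findings.append(("run-key", f"{name} -> {target}"))
        elif k.endswith("\\zonemap\\domains\\") and "trusted" in t:
            findings.append(("trusted-zone", name.split()[0]))         # rogue-AV sales site
        elif section.startswith("Files") and PureWindowsPath(target).parent == PureWindowsPath("C:\\"):
            findings.append(("root-dropper", target))                   # random .exe in the drive root
    return findings
```

Running assess(parse_fix(SAMPLE_FIX)) yields seven findings; the two policy values are what greyed out Task Manager in the first post, and the UserInit entry is why the infection survived reboots.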

#7 DNA1 DemonK01

  • Group: Member
  • Posts: 18
  • Joined: 31-January 10

Posted 31 January 2010 - 03:04 PM

That's a huge breath of fresh air. Everything seems to be in order. I am wholeheartedly grateful for your help in both efficiency and speedy response.

I believe these are the files you wanted to review. If not, I will provide the ones you wanted.

Attached File(s)



#8 Essexboy

  • Group: GeekU Moderator
  • Posts: 55,405
  • Joined: 31-May 06

Posted 31 January 2010 - 03:10 PM

Could you run malwarebytes now please whilst I check the log :)

#9 DNA1 DemonK01

  • Group: Member
  • Posts: 18
  • Joined: 31-January 10

Posted 31 January 2010 - 03:11 PM

It finished scanning. Do you want to look at those logs too? It appears there are 5 logs all with similar names for MalwareBytes.

#10 Essexboy

  • Group: GeekU Moderator
  • Posts: 55,405
  • Joined: 31-May 06

Posted 31 January 2010 - 03:20 PM

There are a few recalcitrant entries to go - but I will see if MBAM gets them first :)

Meanwhile what problems do you have now ?

#11 DNA1 DemonK01

  • Group: Member
  • Posts: 18
  • Joined: 31-January 10

Posted 31 January 2010 - 03:25 PM

My browser is no longer redirecting links and I haven't gotten any new tabs lately. It seems as if it's acting normal but MalwareBytes told me there were a few infections it didn't remove.

Attached File(s)



#12 Essexboy

  • Group: GeekU Moderator
  • Posts: 55,405
  • Joined: 31-May 06

Posted 31 January 2010 - 03:27 PM

OK that took out all the orphaned registry keys and all the files I was after bar two

Could you run a further quick scan to see if they were removed on boot

Should take no longer than 5 minutes this time

#13 DNA1 DemonK01

  • Group: Member
  • Posts: 18
  • Joined: 31-January 10

Posted 31 January 2010 - 03:30 PM

Immediately after I posted the reply with the MalwareBytes log, I started a full system scan. It should be the same if I post the log as opposed to a quick scan, correct?

#14 Essexboy

  • Group: GeekU Moderator
  • Posts: 55,405
  • Joined: 31-May 06

Posted 31 January 2010 - 03:31 PM

To be honest there is no real difference - but don't tell :)

#15 DNA1 DemonK01

  • Group: Member
  • Posts: 18
  • Joined: 31-January 10

Posted 31 January 2010 - 03:53 PM

Lol, that surely indicates how experienced I am, doesn't it? :)

Anyway, Malwarebytes is almost finished...I'm hoping. It has a total of 23 minutes elapsed now and over 50,000 files scanned.

I'll post the log the second it's finished.
