hijackthis log / spyware /trojan /popups

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by MarCan, Mar 27, 2008.

  1. MarCan

    MarCan Private E-2

    Hello, I'm brand new to this forum, and I need some help, please, trying to clean some virus(es).
    I downloaded some setup.exe and of course it came with a trojan inside. :cry
    First of all, it started with some voices on the speakers, and then with popups saying the PC has spyware and redirecting automatically to a website to download PC-Antispyware software.
    (See pics TaskbarWarning.JPG, TaskbarWarning2.JPG, popup-trojan.JPG, popup-pc-antispyware.JPG, popup-installation.JPG)

    My PC has Windows XP with SP2 and Norton Antivirus 2006, and so far with this and some anti-spyware tools (Smatfix, BitDefender Online Scanner) I've downloaded I was able to get rid of the voices on the speakers, but not the popups.

    Finally, I found your forum and tried following the steps required before making a post:
    1. Downloaded AVG Anti-Spyware Free Edition
    2. Installed Ad-Aware SE
    3. Rebooted my computer in Safe Mode
    4. Tried scanning with Ad-Aware, but it did not work in Safe Mode. I had already run it before all this but got nothing in the log.
    5. Ran AVG and got report.txt
    6. Rebooted in Normal mode
    7. Ran Panda ActiveScan and got its report

    The only one that finds something is Panda.


    HERE IS THE HIJACKTHIS LOG
    -----------------------------------
    (This is the last log, the first one I got, had some "no file" and "missing" that I cleaned, if you need it, I can post it)


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:51:48 AM, on 3/27/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal



    When I ran AVG, I found some weird things like a vynczupw.exe (googled it but got no results), an empty entry, etc. Here are the windows:
    avgScreen1.JPG
    avgScreen2.JPG
    avgSreen3.JPG

    Please, I need some help, as I don't know what else to do!!
    Thanks
     

    Attached Files:

    Last edited by a moderator: Mar 27, 2008
  2. Lev

    Lev MajorGeek

  3. MarCan

    MarCan Private E-2

    Hello Lev,
    As you advised, I did everything that is written in the Read & Run Me First link.
    Of course, after installing so many programs the PC is now much slower! And messages keep appearing saying that the registry is being modified... I guess because of the Spybot program.

    Nothing has changed; I keep having the popups I mentioned in the first post.

    So now I have updated/installed Sun Java as recommended, set up Normal Startup mode, installed and ran CCleaner, installed and ran SuperAntiSpyware, Spybot, Malwarebytes and MGTools, and got all the reports.
    The only different thing I did is that I had System Restore turned off, and I turned it on before starting the Spybot process. And today I ended the process vynczupw.exe from Task Manager.

    And after all this, I still have the popups..... :cry

    So I'm posting the logs here to see if you/someone can help me with this. (See attached two examples of the popups.)

    Thanks so much!!!!!


    Edited: Removed un-needed CCleaner log and attached SAS and Malwarebytes logs, removed attached picture as too small to read anyway.
     

    Attached Files:

    Last edited by a moderator: Mar 28, 2008
  4. MarCan

    MarCan Private E-2

    Hello again,

    Doing some research on the net about this file that I don't know anything about, VYNCZUPW.EXE (I have more files with weird names to research), I took a look in the registry and it appears in the ACMRU folders:

    [HKEY_USERS\S-1-5-21-1445983303-1494567589-2421504027-1007\Software\Microsoft\Search Assistant\ACMru\5603]
    [HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]

    I found as well in the net the following:
    "Simple solution!
    Go to the registry, do a search for ACMru and delete the folder and all
    its subfolders.
    Normally you will find a backdoor trojan agent like "A0030882.exe" and
    similar. No matter how often you run your virus scan that has picked it
    up, it is unable to find it to remove, so I resort to the registry to
    delete these stupid files.
    ....
    5603 just happens to be a subfolder of ACMru.
    Just delete the lot. I do without hesitation and have no problems. Just
    reboot."
    In the links:
    http://www.derkeiler.com/Newsgroups/microsoft.public.windowsxp.security_admin/2004-12/0987.html
    http://www.tutorials-win.com/XPSecurity/ACMRus-spyware/


    In the same ACMRU folder I have the following:
    [HKEY_USERS\S-1-5-21-1445983303-1494567589-2421504027-1007\Software\Microsoft\Search Assistant\ACMru\5603]
    "000=vynczupw.exe"

    [HKEY_USERS\S-1-5-21-1445983303-1494567589-2421504027-1007\Software\Microsoft\Search Assistant\ACMru\5603]
    "001=guqplghq"

    [HKEY_USERS\S-1-5-21-1445983303-1494567589-2421504027-1007\Software\Microsoft\Search Assistant\ACMru\5603]
    "002=Qvdntlmw"

    Of these, Qvdntlmw I have already removed with one of the anti-spyware tools I downloaded.

    Furthermore, this file vynczupw.exe is also in the Run and MUICache folders:
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "guqplghq=C:\WINDOWS\system32\vynczupw.exe"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
    "C:\Windows\system32\vynczupw.exe = vynczupw"

    And of course it is running as a service......

    I ended the process as I said before, and so far no popup has appeared, but I'm not sure whether renaming the file or deleting it from c:\windows\system32 will affect something else?????

    Hope this helps to find a solution to my problem.
    Thanks!!!!!!!!!!
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Uninstall the below software:
    Ask Toolbar

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
    O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
    O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
    O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKCU\..\Run: [guqplghq] C:\WINDOWS\system32\vynczupw.exe
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab

    After clicking Fix, exit HJT.

    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Make sure you tell me how things are working now!
     
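    A small triage script, added here as an example and not code from the MajorGeeks thread, HijackThis or MGtools: it parses the R3/O2/O3/O4/O16 lines chaslang listed above, applies the checks a removal helper makes by eye (a random-looking value name, a per-user Run entry launching from system32, a module under the toolbar directory that was just uninstalled, an ActiveX download), and says what the three registry locations MarCan reported in post #4 actually record. The sample lines are the ones quoted in the thread; the name heuristic, the adware directory list and the assumption that the HKEY_USERS SID belongs to the logged-on user are this example's own.

```python
"""Triage of HijackThis-style log lines and raw registry paths (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the lines quoted in the thread, one per line.
SAMPLE_HJT_LINES = r"""
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [guqplghq] C:\WINDOWS\system32\vynczupw.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
"""

# Assumption: install directory of the toolbar the thread asked to uninstall.
ADWARE_DIRS = ("\\asktbar\\",)


@dataclass
class Entry:
    section: str                 # R3 / O2 / O3 / O4 / O16
    name: str                    # value name, BHO name or DPF control name
    path: str                    # module, executable or download URL
    hive: str = ""               # HKLM / HKCU (O4 only)
    flags: List[str] = field(default_factory=list)


_GUID = r"\{[0-9A-Fa-f-]{36}\}"
_LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
_O4 = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\\w+: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
_MOD = re.compile(r"^\w+: (?P<name>.+?) - " + _GUID + r" - (?P<path>.+)$")
_DPF = re.compile(r"^DPF: " + _GUID + r" \((?P<name>[^)]*)\) - (?P<path>.+)$")
_SID = re.compile(r"^HKEY_USERS\\S-1-5-21-[\d-]+\\", re.I)


def looks_random(name: str) -> bool:
    """Crude keyboard-mash test: letters only, few vowels, a long consonant run.
    vynczupw and guqplghq trip it; QTTask and jusched do not."""
    if not name.isalpha() or not 6 <= len(name) <= 12:
        return False
    low = name.lower()
    vowels = sum(c in "aeiou" for c in low)
    runs = [len(r) for r in re.findall(r"[^aeiou]+", low)]
    return vowels / len(low) <= 0.2 and max(runs) >= 4


def parse_line(line: str) -> Optional[Entry]:
    """Split one HijackThis line into section, name and path; None if unknown."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec == "O4":
        o = _O4.match(body)
        if not o:
            return None
        cmd = o.group("cmd")
        # Quoted path first, otherwise the first whitespace-delimited token.
        path = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split()[0]
        return Entry(sec, o.group("name"), path, hive=o.group("hive"))
    if sec == "O16":
        d = _DPF.match(body)
        return Entry(sec, d.group("name"), d.group("path")) if d else None
    mm = _MOD.match(body)
    return Entry(sec, mm.group("name"), mm.group("path")) if mm else None


def triage(entry: Entry) -> Entry:
    """Attach the flags a removal helper would raise for this entry."""
    low = entry.path.lower()
    base = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if entry.section == "O4":
        if looks_random(entry.name) or looks_random(base):
            entry.flags.append("random-looking name")
        if entry.hive == "HKCU" and "\\system32\\" in low:
            entry.flags.append("per-user autorun launching from system32")
    elif entry.section in ("R3", "O2", "O3"):
        if any(d in low for d in ADWARE_DIRS):
            entry.flags.append("known toolbar/adware module")
    elif entry.section == "O16":
        entry.flags.append("ActiveX download (DPF); remove when no longer needed")
    return entry


def triage_log(text: str) -> List[Entry]:
    return [triage(e) for e in map(parse_line, text.splitlines()) if e]


def classify_registry_path(path: str) -> str:
    """Say what a registry path actually records. Assumption: the HKEY_USERS
    SID is the logged-on user's, so it is folded into HKEY_CURRENT_USER."""
    p = _SID.sub(r"HKEY_CURRENT_USER\\", path.strip().strip("[]")).lower()
    if "\\software\\microsoft\\windows\\currentversion\\run" in p:
        return "persistence: autorun executed at logon"
    if "\\shellnoroam\\muicache" in p:
        return "execution evidence: Explorer cached the program's friendly name"
    if "\\search assistant\\acmru\\5603" in p:
        return "user activity: terms typed into the XP Search Assistant (files and folders)"
    return "unclassified"


if __name__ == "__main__":
    for e in triage_log(SAMPLE_HJT_LINES):
        print(f"{e.section:3} {e.name!r:28} {e.flags}")
    for k in (r"HKEY_USERS\S-1-5-21-1445983303-1494567589-2421504027-1007\Software\Microsoft\Search Assistant\ACMru\5603]",
              r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]"):
        print(k, "->", classify_registry_path(k))
```

    The two rules that fire on the guqplghq line are the ones worth keeping in mind: a legitimate system component registers under HKLM, so a per-user Run value pointing into system32 under a name with no vowels is the entry to fix, whereas the ACMru\5603 hits only show what was typed into the Search box while looking for the file.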
  6. MarCan

    MarCan Private E-2

    Thank you so much for your help.

    I followed your steps:
    1. Disabled Messenger with the tool you linked; it asked me to reboot, but I didn't yet.
    2. Uninstalled AskTBar from Control Panel, and then rebooted.
    3. Ran MGTools/analyse.exe with the option 'Do a system scan only', but I didn't find the following entries (I guess because I uninstalled AskTBar???):
    R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
    O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
    O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
    O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
    4. Clicked Fix, exited HJT.
    5. Downloaded and ran Avenger, but I copied the registry entry as if it were a file to delete. It rebooted.
    6. After reading the log file I ran Avenger again with the right command for the registry entry to be deleted, but it popped up a message: "Error: Invalid registry syntax in command:
    "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run|guqplghq"
    Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program."
    7. I executed it and rebooted anyway.

    And after Windows loaded, a Dr. Watson appeared, so I went to Event Viewer and found the following errors:
    "The server {1BA06D22-B9EE-4C61-8CD9-5FC9E9FA3264} did not register with DCOM within the required timeout."

    "DCOM got error "The service did not respond to the start or control request in a timely fashion. " attempting to start the service LiveUpdate with arguments "" in order to run the server:
    {03E0E6C2-363B-11D3-B536-00902771A435}"

    "Timeout (30000 milliseconds) waiting for the LiveUpdate service to connect."

    So I didn't run CCleaner, but I did make the logs to post them here.

    Question 1: Can I delete the registry entry by hand????
    Question 2: What are these errors in Event Viewer???

    Thanks again!!!
     

    Attached Files:

  7. MarCan

    MarCan Private E-2

    Besides the DCOM errors, I still have ad.yieldmanager.com, tribalfusion and stat.onestat found as spyware.
    Is there a way to get rid of these???

    Thanks
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes that is why those lines were no longer found.

    Please be more careful and follow instructions exactly as written. You should not be typing in the Avenger fix. You should be copying and pasting exactly as given. In some cases, one minor typing mistake could result in your PC becoming unbootable, so you must follow our instructions properly.

    Not malware. This is related to your Symantec software.

    Why not? Please make sure you do what we ask you to do.

    Strongly not recommended unless you are an expert in Windows and in the Registry. Why do you want to do this? What are you looking to delete?

    Problems with your Symantec Software. You may need to uninstall, reboot, run this Norton Removal Tool (SymNRT) , reboot again and then reinstall.


    Cookies are not problems! You will get cookies each time you surf. They are normal and in most cases there to help you. This is explained in the How to protect yourself link given down below.

    Your logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\cf" /u
        • Notes: The space between the cf" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\cf folder from combofix.
    2. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    3. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    4. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    5. If we had you run Avenger, you can delete all files related to Avenger now.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    8. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    9. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  9. MarCan

    MarCan Private E-2

    Thank you so much for your help, Chaslang, and sorry for the inconveniences, will be extremely careful next time.

    Regarding cookies not being malware: after scanning my PC several times with Panda ActiveScan, as recommended in your "How to Protect yourself from malware!", cookies were the only spyware it found, so I wanted to get rid of them before going on with updating Windows.

    Anyway, so, I'm glad to hear my system is clean now!!

    But after uninstalling SUPERAntiSpyware, Spybot, Malwarebytes Anti-Malware and MGtools, I now have the following event in Event Viewer:

    "The following boot-start or system-start driver(s) failed to load:
    SASKUTIL"

    After researching on the net I found it belongs to SUPERAntiSpyware; is that true??? Is there a way not to have this event anymore??? The file SASKUTIL.sys does not exist anymore after the uninstallation, but I still have references in the registry.

    Another question: can I uninstall CCleaner and HijackThis???

    Thanks once more!!!
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.


    I repeat... cookies are not problems no matter what the scanners are telling you. Read step 11 of the How to protect yourself link I gave you.

    Yes, this is part of SUPERAntiSpyware. Are you sure you uninstalled it properly and did not just delete files? Reinstall SUPERAntiSpyware, then reboot your PC (don't skip the reboot). Then uninstall SUPERAntiSpyware and again reboot (don't skip the reboot).


    If you read the How to Protect yourself thread you will see that we recommend keeping CCleaner and Spybot on your PC. They are very useful tools and only run when you run them. HijackThis is basically uninstalled when you delete the MGtools folder but that just does not delete the registry key. You can use Ccleaner's Uninstall Tool to Delete HijackThis from the registry (another useful reason to keep CCleaner besides the disk cleaner part).
     
  11. MarCan

    MarCan Private E-2

    Thank you for your reply!

    I've tried installing SuperAntiSpyware, rebooting, uninstalling it again, and rebooting, but I still have the error in Event Viewer.
    I'm uninstalling it from Control Panel, because I don't see any 'uninstall' entry under Start/Programs/SuperAntiSpyware.
    Is this procedure correct, or am I missing something? Because I can still see the SuperAntiSpyware folder in c:\program files, although it's empty... :cry

    Well, thanks again, and will follow your advice and keep CCleaner and Spybot.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are they current errors? What is the time and date? Are you sure that SUPERAntiSpyware has uninstalled properly? Do you see any services related to it running? If you already deleted MGtools, download a new copy (which was recently updated twice in the last 2 days) and attach a new MGlogs.zip file so we can check.

    That is the correct way to uninstall. Many many programs do not properly cleanup after themselves upon uninstalling. It is common knowledge that most software companies fail miserably in this area.
     
  13. MarCan

    MarCan Private E-2

    Well, it's shown as an 'Error' in Event Viewer. Date and time are of today. I don't know whether SUPERAntiSpyware was uninstalled properly; when I ran the uninstall from Control Panel, it said it was already done.
    I don't see any SUPERAntiSpyware service running, or anything related to a service; the only thing I see is the empty folder in c:\ and some references in the registry such as HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\Legacy_SASKUTIL, and inside it has a key 000 with a String Class referring to LegacyDriver and a DeviceDesc referring to SASKUTIL.

    Yes, I know that many programs do not properly clean up after themselves upon uninstalling, and that's the reason I don't like to install them unless extremely necessary....

    Here are the MGTools logs.

    Thanks
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download Registry Search (see the link titled RegSearch Download Link)

    * Extract the files from Regsearch.zip into a folder.
    * Doubleclick regsearch.exe to start the program.
    * Enter SASKUTIL in the top area of the form and then click "OK".
    * Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well). Attach this file to your next reply.
     
  15. MarCan

    MarCan Private E-2

    Here attached is the RegSearch.txt.

    Thanks!!!:)
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now Copy the bold text below to notepad. Save it as FixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Then Click Start, Run, and enter regedit and click OK. This will open the Registry Editor.

    In the Registry Editor click File and Import. Navigate to the FixME.reg patch you saved on your Desktop and double click on it. Click OK at the prompt to add to the registry. Do you get a success message for this?
    Now reboot your PC.

    Then rerun the RegSearch command instructions from my previous message and attach a new log.

    Also tell me if you are still getting Event reports?
     
  17. MarCan

    MarCan Private E-2

    Hello Chaslang,

    Here is attached the new RegSearch.

    Thanks again.
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay I think I know why SUPERAntispyware was not able to remove these registry entries. It looks like something may have changed the ownership of various registry keys. Let's try this another way to see if we can get rid of them since the simple registry patch would not work.


    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Then rerun the RegSearch command instructions from my previous message and attach a new log.
     
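    To make the two approaches in posts #16 and #18 concrete, here is a parser and sanity checker for a Windows .reg patch of the FixME.reg kind. It is an added example, not chaslang's FixME.reg (whose contents are not on this page) and not code from MajorGeeks, Microsoft or Avenger. The sample patch is constructed around the keys reported in the thread (the LEGACY_SASKUTIL enum key and the guqplghq Run value); the "Hidden" and "Example" values exist only to exercise the dword and hex forms. The list of protected key prefixes is this example's assumption about where an administrator's regedit import of a `[-key]` line errors out because Administrators hold no delete right there by default, which is the situation where a boot-time tool such as Avenger is reached for instead.

```python
"""Parse a .reg patch into actions and warn where a plain import will fail (added example)."""
import re
from typing import Iterator, List, Tuple

# Constructed sample patch; NOT the FixME.reg posted in the thread.
SAMPLE_PATCH = r"""Windows Registry Editor Version 5.00

; remove the orphaned legacy-driver key and the bogus per-user autorun
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SASKUTIL]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"guqplghq"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"Example"=hex:01,00,\
  02,00
"""

HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
         "HKEY_USERS", "HKEY_CURRENT_CONFIG")
# Assumption: under these prefixes Administrators have no DELETE right by
# default, so a "[-key]" line in an imported patch errors out instead of working.
_PROTECTED = re.compile(
    r"^hkey_local_machine\\(system\\(controlset\d{3}|currentcontrolset)\\enum\\|sam\\|security\\)")
_KEY = re.compile(r"^\[(?P<del>-?)(?P<key>[^\]]+)\]$")
_VAL = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def _logical_lines(text: str) -> Iterator[str]:
    """Yield stripped lines, joining hex continuation lines (trailing backslash)."""
    buf = ""
    for raw in text.splitlines():
        buf += raw.strip()
        if buf.endswith("\\"):
            buf = buf[:-1]
            continue
        yield buf
        buf = ""
    if buf:
        yield buf


def is_protected(key: str) -> bool:
    return bool(_PROTECTED.match(key.lower() + "\\"))


def parse_reg(text: str) -> Tuple[List[tuple], List[str]]:
    """Return (actions, problems). Actions are tuples a reviewer can eyeball:
    ("delete_key", key), ("delete_value", key, name) or
    ("set_value", key, name, type, data)."""
    actions, problems, key = [], [], None
    lines = list(_logical_lines(text))
    has_header = bool(lines) and lines[0] in ("Windows Registry Editor Version 5.00", "REGEDIT4")
    if not has_header:
        problems.append("missing .reg header line")
    for line in lines[1 if has_header else 0:]:
        if not line or line.startswith(";"):
            continue
        k = _KEY.match(line)
        if k:
            key = k.group("key")
            if key.split("\\", 1)[0].upper() not in HIVES:
                problems.append(f"unknown hive: {key}")
            if k.group("del"):
                actions.append(("delete_key", key))
                if "\\" not in key:
                    problems.append(f"refusing to delete a whole hive: {key}")
                elif is_protected(key):
                    problems.append(f"{key}: Administrators lack delete rights here by default; "
                                    "a regedit import will fail on this line")
            continue
        v = _VAL.match(line)
        if not v or key is None:
            problems.append(f"unparsable or keyless line: {line}")
            continue
        name, data = (v.group("name") or ""), v.group("data")
        if data == "-":
            actions.append(("delete_value", key, name))
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            actions.append(("set_value", key, name, "REG_SZ", data[1:-1]))
        elif data.startswith("dword:"):
            actions.append(("set_value", key, name, "REG_DWORD", int(data[6:], 16)))
        elif data.startswith("hex:"):
            actions.append(("set_value", key, name, "REG_BINARY",
                            bytes.fromhex(data[4:].replace(",", ""))))
        else:
            problems.append(f"unsupported data form: {line}")
    return actions, problems


if __name__ == "__main__":
    acts, probs = parse_reg(SAMPLE_PATCH)
    for a in acts:
        print(a)
    for p in probs:
        print("WARNING:", p)
```

    Run against the sample, the checker lists the four actions and one warning, for the LEGACY_SASKUTIL key: the Run value deletion under HKCU is something regedit can do for the logged-on user, while the enum key is the one whose ACL stops an administrator's import, which matches what the thread saw (the .reg patch left the entries in place and the boot-time Avenger run removed them).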
  19. MarCan

    MarCan Private E-2

    Hello Chaslang,

    Well, I followed your steps and got a new RegSearch file. The only thing is that when it rebooted I got a blue screen with the disk check... It checked everything and apparently everything was OK.
    But when I went to Event Viewer, I saw several "boot-start or system-start driver(s) failed to start"... I guess it was the first boot and that's why it went to the disk check???

    Well, now the RegSearch file shows only 2 entries... I have some knowledge of regedit, if it's easier to delete them by hand.... Otherwise, I will do whatever you tell me.

    Thanks
     

    Attached Files:

  20. MarCan

    MarCan Private E-2

    Sorry, forgot to tell you that I don't have the eventviewer error of SASKUTIL device anymore...!!!!!!!

    Thanks
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Your log is clean! That last item shown by RegSearch is just due to you searching in Regedit.
     
  22. MarCan

    MarCan Private E-2

    Oh, OK, we've got it!!!

    THANKS again!!!!!!! For the help and the patience...:p
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\cf" /u
        • Notes: The space between the cf" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\cf folder from combofix.
    2. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    3. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    4. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    5. If we had you run Avenger, you can delete all files related to Avenger now.
    6. If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    10. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
     
