Suspect malware - at least adware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by goofyrocks, Feb 12, 2010.

  1. goofyrocks

    goofyrocks Private E-2

    Hi,
I'm running a 32 bit version of Windows XP on a 3 year old Compaq computer that I recently discovered was being used by my children, 9 and 7. I have to hand it to them for getting that one by me! Now I've got floating ads bouncing around the screen. I had Norton, which I resubscribed to, but it won't update its virus definitions. I cannot run MalwareBytes, even after changing the name of the .exe file. I read and completed the steps (minus the Malwarebytes scan) and the logs are attached. My start bar turns white, my PC doesn't recognize that I have a sound card and my browser is frequently hijacked to sales sites - they vary - or shows an error message - they vary as well - mostly just "file not found". It occasionally reboots itself - surprise! The sound plays sometimes. I cannot find the Superantispyware log in my C drive. My patience runs thin. I think the Major has his work cut out for him, as this Private is ready to surrender.:-D Thank you for any and all help you can offer!! Sincerely, GoofyRocks!
     
    Last edited: Feb 12, 2010
  2. goofyrocks

    goofyrocks Private E-2

    Attachments did not upload...
     

    Attached Files:

  3. goofyrocks

    goofyrocks Private E-2

    .Zip
     

    Attached Files:

  4. evilfantasy

    evilfantasy Malware Fighter

    Hello goofyrocks.

When you ran the MGTools.exe, did you not get a pop-up for the agreement to run HJT? Please accept the agreement on the next run of the tools, or tell me if you get an error message of some sort.

    Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

    Do not confuse Windows Messenger with MSN Messenger or Windows Live Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

    Exit out of MessengerDisable then delete the two files that were put on the desktop.



    Go to Add or Remove Programs and uninstall:

    - J2SE Runtime Environment 5.0 Update 6

    Now see here and install the new version of Java: Updating Sun Java



    1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
    It must be Notepad, not Wordpad.
    2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

    Code:
    KillAll::
    
    File::
    C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\sgqwvi
    C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\xhwhnl
    C:\WINDOWS\Temp\symlcsv1.exe
    
    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "midi9"=-
    
    
    3. Go to the Notepad window and click Edit > Paste
    4. Then click File > Save
    5. Name the file CFScript.txt - Save the file to your Desktop
    6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!


    ComboFix will begin to execute, just follow the prompts.
    After reboot (in case it asks to reboot), it will produce a log for you.
    Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze.



    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Attach the new C:\MGlogs.zip file that will be created along with the new ComboFix log.
     
    Last edited by a moderator: Feb 13, 2010
  5. goofyrocks

    goofyrocks Private E-2

So far so good! The ads are gone, but there is an affected registry key. I'll post twice only to upload the rest of the logs. Thanks so much for your help so far!!!
    GoofyRocks.
     

    Attached Files:

  6. goofyrocks

    goofyrocks Private E-2

    The rest of the logs.....
    Goofyrocks.
    :)
     

    Attached Files:

  7. evilfantasy

    evilfantasy Malware Fighter

Why did you run so many extra scans, some of which we don't use here? Try to stick with my instructions. It makes it easier for both of us if you do.



    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX Checked until you exit all browser sessions including the one you are reading in right now:

    • O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
    • O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)
    • O3 - Toolbar: (no name) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - (no file)
    • O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)
    After clicking Fix checked, exit HijackThis.



    Download The Avenger by Swandog46 and save it to your desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Code box below, and paste it into the Input script here window:

    Code:
    Comment:
    
     Files to delete:
    C:\WINDOWS\Temp\symlcsv1.exe
     
     Folders to delete:
c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\xhwhnl
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\sgqwvi
     
     
    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the "Reboot now?" question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.

    * Add the Avenger log in your next post.
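Two of the indicators quoted in this thread are worth being able to spot in a log without waiting for a helper: the `ProxyServer = http=127.0.0.1:5555` setting in post 4 (a browser proxy that points back at the local machine, which is consistent with a local process sitting between the browser and the network) and the `(no file)` BHO, toolbar and protocol entries in post 7 (registrations whose binaries are gone and should be cleaned up). The script below is an added example, not part of the thread and not code from HijackThis, DDS, ComboFix or Avenger; it parses log lines in the two formats quoted above and flags those two conditions. The sample lines are the ones quoted in the thread plus two constructed benign entries (the `Example Helper` BHO and `proxy.corp.example` are hypothetical) so the contrast is visible.

```python
"""Triage a few HijackThis / DDS style log lines for two indicators quoted in this thread."""
import re
from typing import Dict, List, Optional

# Constructed sample input: the entries quoted in posts 4 and 7 plus two hypothetical benign lines.
SAMPLE_LINES = [
    "uInternet Settings,ProxyServer = http=127.0.0.1:5555",
    "O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)",
    "O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)",
    "O3 - Toolbar: (no name) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - (no file)",
    "O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)",
    # hypothetical benign entries for contrast (not from the thread)
    "O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Example\\helper.dll",
    "uInternet Settings,ProxyServer = proxy.corp.example:8080",
]

# HijackThis "Onn - Kind: name - {CLSID} - path" entries (O2 BHO, O3 toolbar, O18 protocol, ...)
HJT_RE = re.compile(r"^(O\d+) - (\w+): (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
# DDS "uInternet Settings,ProxyServer = value" lines
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (.*)$")


def loopback_proxy_targets(value: str) -> List[str]:
    """Return the proxy targets in a ProxyServer value that point at the local machine.

    The value may be a bare host:port or a ';'-separated list of scheme=host:port pairs.
    """
    hits = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        target = part.split("=", 1)[1] if "=" in part else part   # drop "http=" prefix
        host = target.rsplit(":", 1)[0] if ":" in target else target
        host = host.strip("[]").lower()                             # allow "[::1]:port"
        if host == "localhost" or host == "::1" or host.startswith("127."):
            hits.append(target)
    return hits


def classify_line(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for a suspicious line, or None for lines that need no attention."""
    m = PROXY_RE.match(line)
    if m:
        targets = loopback_proxy_targets(m.group(1))
        if targets:
            return {"kind": "loopback-proxy", "line": line,
                    "reason": "browser proxy points at the local machine: " + ", ".join(targets)}
        return None
    m = HJT_RE.match(line)
    if m:
        section, kind, name, clsid, path = m.groups()
        if path.strip().lower() == "(no file)":
            return {"kind": "orphaned-entry", "line": line,
                    "reason": f"{section} {kind} {clsid} is registered but its file is missing"}
    return None


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify_line over every line and keep only the findings."""
    findings = [classify_line(l) for l in lines]
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f['kind']}] {f['reason']}")
```

Run it as-is to see the five flagged lines; point `triage` at the lines of a real HijackThis or DDS log to use it on your own output. The loopback check deliberately matches any `127.x.x.x` address and `localhost`, not just the single port quoted in the thread, because the port is incidental; what matters is that browser traffic is being routed through a process on the same machine.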
     
  8. goofyrocks

    goofyrocks Private E-2

    Sorry about the extra scans. I thought the info might be of use to you. No more, I promise.

    The bouncy ads are back....

    Here's the log.

    Thank you again for all your help!

    Sincerely,
    GoofyRocks
     

    Attached Files:

  9. evilfantasy

    evilfantasy Malware Fighter

    Open Malwarebytes' Anti-Malware.

    * Click the Update tab.
    * Click Check for Updates
    * If an update is found, it will download and install.
    * Click the Scanner tab.
    * Select Perform Quick Scan, then click Scan.
* The scan may take some time to finish, so please be patient.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Make sure that everything is checked, and click Remove Selected.
    * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
    * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    * Copy & Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.




    Delete your current version of ComboFix and download it again!

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

    Link #1
    Link #2

    **Note: It is important that it is saved directly to your Desktop

Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

    Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

    Double click combofix.exe & follow the prompts.
    Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
    When finished ComboFix will produce a log for you.
    Post the ComboFix log in your next reply.

    Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

    Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

    If you have problems with ComboFix usage, see How to use ComboFix
     
  10. goofyrocks

    goofyrocks Private E-2

    Ok -
    Two more logs as requested. Thanks again!
     

    Attached Files:

  11. evilfantasy

    evilfantasy Malware Fighter

    What sort of ads are these? Are they always the same or random?



    ESET Online Scan

    Scan your computer with the ESET FREE Online Virus Scan

    * Click the ESET Online Scanner button.

    * For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    * Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
    * Double click on the esetsmartinstaller_enu.exe icon on your desktop.
    * Place a check mark next to YES, I accept the Terms of Use.

    * Click the Start button.
    * Accept any security warnings from your browser.
    * Leave the check mark next to Remove found threats and place a check next to Scan archives.
    * Click the Start button.
    * ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
    * When the scan completes, click List of found threats.
    * Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
    * Click the <<Back button then click Finish.

    In your next reply please include the ESET Online Scan Log
     
  12. goofyrocks

    goofyrocks Private E-2

They are a 2" by 2" box that tracks diagonally across the screen. The ad content changes and there is a name that starts with a v - Veritas I think. I also now have something called buzzdock on the Bing search engine - I just noticed this today - although I generally search with Bing... You are a gem for helping me!
    GoofyRocks
     
  13. evilfantasy

    evilfantasy Malware Fighter

