Help!!

Discussion in 'Malware Help (A Specialist Will Reply)' started by mortderire, May 30, 2008.

  1. mortderire

    mortderire Private E-2

    For the past week or so when I open up IE I get a window saying

    "Insecure Internet activity. Threat of virus attack
    Due to insecure Internet browsing your PC can easily get infected with viruses, worms and trojans without your knowledge, and that can lead to system slowdown, freezes and crashes.
    Also insecure Internet activity can result in revealing your personal information.
    To get full advanced real-time protection for PC and Internet activity, install an antivirus and antispyware software.
    We recommend you to protect your PC now and continue safe Internet browsing.
    Click here to get full advanced real-time protection and continue browsing.
    Continue to this website unprotected (not recommended)."

    I also sometimes get a window with a "page cannot be displayed" message. In the website bar I get the message "res://C:\WINDOWS\system32\shdoclc.dll/navcancl.htm"

    I've also got an icon in the bottom right of the screen saying Enable/Disable ShopperLink. I'm guessing this is some sort of malware as well.

    I've gone through the READ & RUN ME FIRST steps and have attached the requested logs below.

    I would appreciate some help in getting rid of these problems.

    Thanks
     

    Attached Files:

  2. mortderire

    mortderire Private E-2

    Here's the other log.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Your Malwarebytes log shows that you did not fix anything. You need to run a new scan and make sure that you quarantine or delete all problems that it finds. Then attach a new log from it. Afterwards continue on to the below.

    Is your copy of Spyware Doctor a paid version that actually fixes malware problems?


    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Uninstall the below old versions of software:
    Java(TM) 6 Update 4

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.co.uk/myway
    O2 - BHO: {93b65dcb-e5b0-3b5b-5574-bed3ed27cca1} - {1acc72de-3deb-4755-b5b3-0b5ebcd56b39} - C:\WINDOWS\system32\ubkydixc.dll (file missing)
    O2 - BHO: (no name) - {C71039EB-68AB-431A-9438-34B4C6FF86B5} - C:\Program Files\Win-X-Defender\redir.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://207.226.177.98/gba1402.exe
    O20 - Winlogon Notify: lynsfgip - lynsfgip.dll (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
    O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe (file missing)

    After clicking Fix, exit HJT.



    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it. Make sure you scroll down to get everything. There is a lot to remove:
    Code:
    KILLALL::
    Driver::
    MpfService
     
    RenV::
    ----a-w         1,743,360 2008-02-06 11:43:57  C:\Program Files\Analog Devices\Core\smax4pnp .exe
    ----a-w           446,464 2008-02-06 11:55:10  C:\Program Files\Common Files\Sonic\Update Manager\sgtray .exe
    ----a-w           642,560 2008-02-06 11:55:08  C:\Program Files\Dell\Media Experience\PCMService .exe
    ----a-w           460,784 2008-02-06 11:24:05  C:\Program Files\DellSupport\DSAgnt .exe
    ----a-w           144,784 2008-02-06 11:55:45  C:\Program Files\Java\jre1.6.0_04\bin\jusched .exe
    ----a-w         1,694,208 2008-02-06 11:55:51  C:\Program Files\Messenger\msmsgs .exe
    ----a-w            77,824 2008-02-06 11:55:24  C:\WINDOWS\system32\hkcmd .exe
    ----a-w           114,688 2008-02-06 11:55:25  C:\WINDOWS\system32\igfxpers .exe
    ----a-w            94,208 2008-02-06 11:55:25  C:\WINDOWS\system32\igfxtray .exe
    ----a-w           488,960 2008-02-06 11:55:17  C:\WINDOWS\system32\dla\tfswctrl .exe
     
     
    DirLook:
    C:\Documents and Settings\Ferdousi\Application Data\IBPlugin
    C:\Documents and Settings\Hamza\Application Data\IBPlugin
    C:\Documents and Settings\TEMP\Application Data\IBPlugin
    C:\Documents and Settings\Faruque\Application Data\IBPlugin
    C:\Documents and Settings\Usama\Application Data\IBPlugin
    C:\Documents and Settings\Rumman\Application Data\IBPlugin
    C:\Documents and Settings\Nabeel\Application Data\IBPlugin
     
    File::
    C:\WINDOWS\BM13d5313b.txt
    C:\WINDOWS\system32\g60.exe
    C:\WINDOWS\system32\vntiho18\vntiho182328.exe
    C:\WINDOWS\system32\qoiofaex.dll
    C:\WINDOWS\system32\mfprwjao.dll
    C:\WINDOWS\system32\cnntklte.dll
    C:\WINDOWS\system32\lynsfgip.dll
    C:\WINDOWS\system32\fjahgocx.dll
    C:\WINDOWS\system32\ubkydixc.dll
    C:\WINDOWS\system32\vbzip10.dll
    C:\WINDOWS\system32\RCX107.tmp
    C:\WINDOWS\system32\RCX10D2.tmp
    C:\WINDOWS\system32\RCX11E.tmp
    C:\WINDOWS\system32\RCX121.tmp
    C:\WINDOWS\system32\RCX129.tmp
    C:\WINDOWS\system32\RCX130.tmp
    C:\WINDOWS\system32\RCX1371.tmp
    C:\WINDOWS\system32\RCX13D.tmp
    C:\WINDOWS\system32\RCX157.tmp
    C:\WINDOWS\system32\RCX15E.tmp
    C:\WINDOWS\system32\RCX168.tmp
    C:\WINDOWS\system32\RCX16C.tmp
    C:\WINDOWS\system32\RCX176.tmp
    C:\WINDOWS\system32\RCX186.tmp
    C:\WINDOWS\system32\RCX1897.tmp
    C:\WINDOWS\system32\RCX18B.tmp
    C:\WINDOWS\system32\RCX190.tmp
    C:\WINDOWS\system32\RCX1949.tmp
    C:\WINDOWS\system32\RCX19A.tmp
    C:\WINDOWS\system32\RCX19DA.tmp
    C:\WINDOWS\system32\RCX19E.tmp
    C:\WINDOWS\system32\RCX1A0.tmp
    C:\WINDOWS\system32\RCX1AC.tmp
    C:\WINDOWS\system32\RCX1B2.tmp
     
    C:\WINDOWS\system32\RCX1B8.tmp
    C:\WINDOWS\system32\RCX1BC.tmp
    C:\WINDOWS\system32\RCX1F3.tmp
    C:\WINDOWS\system32\RCX1FB.tmp
    C:\WINDOWS\system32\RCX1FC.tmp
    C:\WINDOWS\system32\RCX1FE.tmp
    C:\WINDOWS\system32\RCX202.tmp
    C:\WINDOWS\system32\RCX203.tmp
    C:\WINDOWS\system32\RCX22E.tmp
    C:\WINDOWS\system32\RCX246.tmp
    C:\WINDOWS\system32\RCX252.tmp
    C:\WINDOWS\system32\RCX290.tmp
    C:\WINDOWS\system32\RCX2C2.tmp
    C:\WINDOWS\system32\RCX2F28.tmp
    C:\WINDOWS\system32\RCX309.tmp
    C:\WINDOWS\system32\RCX34A.tmp
    C:\WINDOWS\system32\RCX34B.tmp
    C:\WINDOWS\system32\RCX34C.tmp
    C:\WINDOWS\system32\RCX374.tmp
    C:\WINDOWS\system32\RCX3DD.tmp
    C:\WINDOWS\system32\RCX516.tmp
    C:\WINDOWS\system32\RCX519.tmp
    C:\WINDOWS\system32\RCX51F.tmp
    C:\WINDOWS\system32\RCX522.tmp
    C:\WINDOWS\system32\RCX534.tmp
    C:\WINDOWS\system32\RCX535.tmp
    C:\WINDOWS\system32\RCX544.tmp
    C:\WINDOWS\system32\RCX54A.tmp
    C:\WINDOWS\system32\RCX54B.tmp
    C:\WINDOWS\system32\RCX550.tmp
    C:\WINDOWS\system32\RCX552.tmp
    C:\WINDOWS\system32\RCX55A.tmp
    C:\WINDOWS\system32\RCX561.tmp
    C:\WINDOWS\system32\RCX565.tmp
    C:\WINDOWS\system32\RCX566.tmp
     
    C:\WINDOWS\system32\RCX567.tmp
    C:\WINDOWS\system32\RCX568.tmp
    C:\WINDOWS\system32\RCX571.tmp
    C:\WINDOWS\system32\RCX57F.tmp
    C:\WINDOWS\system32\RCX58F.tmp
    C:\WINDOWS\system32\RCX5B1.tmp
    C:\WINDOWS\system32\RCX5B5.tmp
    C:\WINDOWS\system32\RCX5C7.tmp
    C:\WINDOWS\system32\RCX5CD.tmp
    C:\WINDOWS\system32\RCX5CF.tmp
    C:\WINDOWS\system32\RCX5F3.tmp
    C:\WINDOWS\system32\RCX5F6.tmp
    C:\WINDOWS\system32\RCX603.tmp
    C:\WINDOWS\system32\RCX612.tmp
    C:\WINDOWS\system32\RCX618.tmp
    C:\WINDOWS\system32\RCX634.tmp
    C:\WINDOWS\system32\RCX63B.tmp
    C:\WINDOWS\system32\RCX63D.tmp
    C:\WINDOWS\system32\RCX661.tmp
    C:\WINDOWS\system32\RCX672.tmp
    C:\WINDOWS\system32\RCX677.tmp
    C:\WINDOWS\system32\RCX68C.tmp
    C:\WINDOWS\system32\RCX690.tmp
    C:\WINDOWS\system32\RCX6C5.tmp
    C:\WINDOWS\system32\RCX6CA.tmp
    C:\WINDOWS\system32\RCX6D4.tmp
    C:\WINDOWS\system32\RCX6D5.tmp
    C:\WINDOWS\system32\RCX737.tmp
    C:\WINDOWS\system32\RCX74F.tmp
    C:\WINDOWS\system32\RCX7CC.tmp
    C:\WINDOWS\system32\RCX7CF.tmp
    C:\WINDOWS\system32\RCX7D6.tmp
    C:\WINDOWS\system32\RCX811.tmp
    C:\WINDOWS\system32\RCX86A.tmp
    C:\WINDOWS\system32\RCX9E2.tmp
    C:\783.bat
     
    Folder::
    C:\Documents and Settings\Faruque\Application Data\Win-X-Defender
    C:\Program Files\Win-X-Defender
    C:\Documents and Settings\Usama\Application Data\Win-X-Defender
    C:\WINDOWS\system32\vntiho18
    C:\WINDOWS\system32\rc34
    C:\WINDOWS\system32\nt2
    C:\WINDOWS\system32\5022b
    C:\Temp\vtmp2
     
    Registry::
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1acc72de-3deb-4755-b5b3-0b5ebcd56b39}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C71039EB-68AB-431A-9438-34B4C6FF86B5}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lynsfgip]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de6a9da0-ddbd-11da-8ae2-000e9bfcb06b}]
     
    
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.



    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
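The HijackThis entries chaslang lists above all follow the same `Section - description - path` shape, which makes a log of them easy to triage mechanically before deciding what to fix. The Python below is an added example and is not part of the thread, of HijackThis or of MGtools: it parses the quoted lines (embedded here as a constructed sample so it runs offline), pulls out CLSIDs, file paths and URLs, and flags the signals a helper checks for by eye: stale "(file missing)" references, a BHO with no name, a Winlogon Notify DLL given without a full path, and a Downloaded Program File fetched as an executable from a bare IP address. The flag names and heuristics are my own assumptions, not HijackThis output.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlparse

# Constructed sample: the HijackThis entries quoted in the thread above,
# embedded so the script runs offline without a real log.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.co.uk/myway
O2 - BHO: {93b65dcb-e5b0-3b5b-5574-bed3ed27cca1} - {1acc72de-3deb-4755-b5b3-0b5ebcd56b39} - C:\WINDOWS\system32\ubkydixc.dll (file missing)
O2 - BHO: (no name) - {C71039EB-68AB-431A-9438-34B4C6FF86B5} - C:\Program Files\Win-X-Defender\redir.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://207.226.177.98/gba1402.exe
O20 - Winlogon Notify: lynsfgip - lynsfgip.dll (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe (file missing)
"""

# "O2 - rest of line": a section tag, a separator, then free text.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"https?://\S+")
# Lazy match from a drive letter up to the first recognised extension, so
# paths containing spaces ("Program Files") or dots ("McAfee.com") survive.
FULL_PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys|ocx|bat|tmp)\b", re.IGNORECASE)
BARE_FILE_RE = re.compile(r"\b[\w~-]+\.(?:exe|dll|sys|ocx)\b", re.IGNORECASE)
RAW_IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


@dataclass(frozen=True)
class Entry:
    section: str
    body: str
    clsids: Tuple[str, ...]
    path: Optional[str]
    url: Optional[str]
    file_missing: bool
    reasons: Tuple[str, ...]  # empty tuple means nothing stood out


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one HijackThis line; returns None for blank or non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    url_match = URL_RE.search(body)
    url = url_match.group(0) if url_match else None
    # Strip URLs first so a file name inside a URL is not read as a local path.
    body_no_url = URL_RE.sub("", body)
    path_match = FULL_PATH_RE.search(body_no_url) or BARE_FILE_RE.search(body_no_url)
    path = path_match.group(0) if path_match else None
    file_missing = "(file missing)" in body

    reasons = []  # hypothetical flag names, chosen for this example
    if file_missing:
        reasons.append("file-missing")          # stale hook pointing at a file that is gone
    if section == "O2" and "(no name)" in body:
        reasons.append("no-name-bho")           # BHO registered without a display name
    if path and "\\" not in path:
        reasons.append("no-full-path")          # loader entry naming only a bare DLL
    if url:
        host = urlparse(url).hostname or ""
        if RAW_IP_RE.fullmatch(host):
            reasons.append("raw-ip-host")       # content fetched from a bare IP, no DNS name
        if url.lower().endswith(".exe"):
            reasons.append("remote-executable") # DPF entry pulling an executable
    return Entry(section, body, tuple(CLSID_RE.findall(body)), path, url, file_missing, tuple(reasons))


def triage(log_text: str):
    """Parse every entry in a HijackThis-style log, in file order."""
    return [e for e in (parse_entry(line) for line in log_text.splitlines()) if e]


def flagged(entries):
    """Only the entries that carry at least one reason for review."""
    return [e for e in entries if e.reasons]


def summarize(entries):
    """Count entries per section tag (R1, O2, O9, ...)."""
    counts = {}
    for e in entries:
        counts[e.section] = counts.get(e.section, 0) + 1
    return counts


if __name__ == "__main__":
    for e in triage(SAMPLE_HJT):
        mark = "REVIEW" if e.reasons else "ok    "
        print(f"{mark} {e.section:<4} {e.path or e.url or '-'}  {', '.join(e.reasons)}")
```

Run against the sample, six of the seven lines are marked for review and only the R1 Dell start-page entry comes out clean, which matches the split chaslang makes by hand: he fixes the R1 line too, but for a different reason (an unwanted default, not a missing or suspicious file), and that judgement is exactly what a mechanical pass cannot make for you.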
     
