rogue "antispyware" download

yanqui · Mar 24, 2008

this issue got cleaned up but came back so it's something that was written to execute at startup or something like that. The cmputer isn't running badly, but we know we got rid of a lot of crap. Logs are attached, and thanks in advance.

TimW · Mar 25, 2008

Please use add/remove programs to uninstall:
J2SE Runtime Environment 5.0 Update 11"
J2SE Runtime Environment 5.0 Update 6"
Java(TM) 6 Update 2"
Java(TM) 6 Update 3"
Java(TM) SE Runtime Environment 6 Update 1

Please disable all anti-virus and anti-spyware programs while we do the following:

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sbwltbxa.exe,
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {a4b08e3a-1dd1-11b2-9d7a-f80ebca8f920} - C:\WINDOWS\ezyvknml.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O4 - HKLM\..\Policies\Explorer\Run: [B1yy0vzU7C] C:\WINDOWS\mpyfupmz.exe
O4 - HKLM\..\Policies\Explorer\Run: [JbtlyvzU7C] rundll32.exe "C:\WINDOWS\tshadihq.dll",DllCleanServer
Click to expand...

After clicking Fix, exit HJT.

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"B1yy0vzU7C"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"xwduxgvs"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a4b08e3a-1dd1-11b2-9d7a-f80ebca8f920}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb}]
Click to expand...

Now download The Avenger by Swandog469, and save it to your Desktop.
* Extract avenger.exe from the Zip file and save it to your desktop
* Run avenger.exe by double-clicking on it.
* Do not change any check box options!!
* Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

Files to delete:
C:\WINDOWS\dcdsxsfc.exe
C:\WINDOWS\srmtqjad.exe
C:\WINDOWS\system32\sbwltbxa.exe
C:\WINDOWS\mpyfupmz.exe
C:\Documents and Settings\All Users\Application Data\xwduxgvs.dll
C:\appreq.xml
C:\appres.xml
C:\lbresp.xml
C:\lbresq.xml
C:\WINDOWS\tshadihq.dll
C:\WINDOWS\123messenger.per
C:\WINDOWS\180ax.exe
C:\WINDOWS\2020se~1.dll
C:\WINDOWS\2020se~2.dll
C:\WINDOWS\apphel~1.dll
C:\WINDOWS\asferr~1.dll
C:\WINDOWS\asycfi~1.dll
C:\WINDOWS\athprx~1.dll
C:\WINDOWS\ati2dv~1.dll
C:\WINDOWS\ati2dv~2.dll
C:\WINDOWS\audios~1.dll
C:\WINDOWS\autodi~1.dll
C:\WINDOWS\avifil~1.dll
C:\WINDOWS\avisyn~1.dll
C:\WINDOWS\aviwra~1.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\browserad.dll
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\change~1.dll
C:\WINDOWS\dcdsxsfc.exe
C:\WINDOWS\default.htm
C:\WINDOWS\didduid.ini
C:\WINDOWS\ezyvknml.dll
C:\WINDOWS\JbtlyvzU7C.exe
C:\WINDOWS\licencia.txt
C:\WINDOWS\msa64chk.dll
C:\WINDOWS\msapasrc.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\srmtqjad.exe
C:\WINDOWS\stcloa~1.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\tshadihq.dll
C:\WINDOWS\unins000.dat
C:\WINDOWS\unins000.exe
C:\WINDOWS\updatetc.exe
C:\WINDOWS\voiceip.dll
C:\WINDOWS\winsb.dll
C:\WINDOWS\system32\ntnut32.exe
C:\WINDOWS\system32\sbwltbxa.exe
C:\WINDOWS\system32\MSIXU.DLL
C:\WINDOWS\system32\msnsa32.dll
C:\WINDOWS\system32\SIPSPI32.dll
C:\WINDOWS\system32\shdocpe.dll
C:\WINDOWS\system32\egathdrv.sys
C:\WINDOWS\didduid.ini

Folders to delete:
C:\Program Files\stc
C:\Program Files\Sysmnt
C:\WINDOWS\LUHTHHGR
C:\WINDOWS\FLEOK
C:\Program Files\180SEA~1
C:\Program Files\180SEA~2
C:\Program Files\180SOL~1
Click to expand...

* Now click the Execute button.
* Click Yes to the prompt to confirm you want to execute.
* Click Yes to the Reboot now? question that will appear when Avenger finishes running.
* Your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now install:
Java Runtime 6

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

Be sure to tell us how things are running.

yanqui · Mar 25, 2008

I'll get ready to do those things, with one exception, and that's Java. I recognize the security flaws in teh older versions of Java, but, unfortunately, plugging those holes disables some of the processes in some of our software. Until we can get those software developers to work around those plugs, we're stuck at the older versions of Java.

TimW · Mar 25, 2008

That's fine ....go ahead and do the rest.

yanqui · Mar 25, 2008

here are the most recent logs. I ran SuperAnti again and again, and it kept catching things, so some of the stuff Avenger was suppsoed to find it didn't. BUT--My desktop is back to normal, but I still can't use the taskbar. It's still greyed out. Logs are attached, and thanks agian.

TimW · Mar 25, 2008

A few things left to remove:

* Run avenger.exe by double-clicking on it.
* Do not change any check box options!!
* Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

Files to delete:
C:\WINDOWS\telefonos.txt
C:\WINDOWS\textos.txt
C:\WINDOWS\ntnut.exe
C:\WINDOWS\uccspecb.sys
C:\WINDOWS\WPCMAPI.INI
C:\WINDOWS\system32\WER8274.DLL
Click to expand...

* Now click the Execute button.
* Click Yes to the prompt to confirm you want to execute.
* Click Yes to the Reboot now? question that will appear when Avenger finishes running.
* Your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Tell me exactly what is being reported and the exact path to it.

And did you set this policy:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

If not:
Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
Click to expand...

yanqui · Mar 25, 2008

We're getting there! No, I hadn't set the task manager disable policy; that was one of the first problems we noticed. That's fixed. Here's what avenger reports:

"No rootkits found!

File "C:\WINDOWS\telefonos.txt" deleted successfully.
File "C:\WINDOWS\textos.txt" deleted successfully.
File "C:\WINDOWS\ntnut.exe" deleted successfully.
File "C:\WINDOWS\uccspecb.sys" deleted successfully.
File "C:\WINDOWS\WPCMAPI.INI" deleted successfully.
File "C:\WINDOWS\system32\WER8274.DLL" deleted successfully.

Completed script processing."

By the way, the fingerprint software server on this laptop is gone. Did we do that? It would be a thinkvantage or thinkpad program, and I think it's something like fss--something.

TimW · Mar 25, 2008

I see it in your add/remove program list...so you may have to re-install it.

Are you having any other problems?

yanqui · Mar 25, 2008

Nope, back to normal, found it, repaired it, doing the final cleanup steps I've saved from previous experiences here and setting up this machine for "safe surf."

thanks a million!

TimW · Mar 25, 2008

You are very welcome ....surf safe...

Log in or Sign up

rogue "antispyware" download

yanqui Private E-2

Attached Files:

ComboFix.txt

saslog.txt

MGlogs.zip

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

yanqui Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

yanqui Private E-2

Attached Files:

MGlogs.zip

avenger.txt

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

yanqui Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

yanqui Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member