Free Malware Removal Forum

[onlyliberty]

OK this is probably the usual. I think i let my guard down installing something. So now I am getting lots of popups. The popups are however in internet explorer and i am using firefox. I have tried Spybot Search and Destroy with latest update. (pre and post startup) I am using AVG free edition for virus scanning. And i have also scanned a removed a little bit with Ad-Aware (latest update.

Here is my Hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:33:03 AM, on 10/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
D:\PROGRA~1\AVG\AVG8\avgrsx.exe
D:\WINDOWS\system32\PnkBstrA.exe
D:\WINDOWS\system32\svchost.exe
D:\Documents and Settings\Brett\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\PROGRA~1\AVG\AVG8\avgtray.exe
D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
D:\Program Files\Microsoft IntelliType Pro\itype.exe
D:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
D:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
d:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\WINDOWS\System32\regsvr32.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe,D:\WINDOWS\system32\uoyzsydz.exe,
O2 - BHO: (no name) - {0DC86901-E80E-4A0A-BFAC-661C1F67DDFC} - D:\WINDOWS\system32\xxyyYqQk.dll (file missing)
O2 - BHO: (no name) - {46D7049A-9DB9-4AEC-82B1-F101B9367CB1} - D:\WINDOWS\system32\tuvUNfcY.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: agadoo browser enhancer - {D9624D21-D71D-F56B-E6CE-B3FC620BD233} - D:\WINDOWS\system32\nvsmdbfhmnmil.dll
O2 - BHO: {f49108c9-768e-9918-c974-117afbd01bcd} - {dcb10dbf-a711-479c-8199-e8679c80194f} - D:\WINDOWS\system32\cbrduh.dll
O2 - BHO: mysidesearch search enhancer - {ec04991f-c65e-3d51-2dea-d87073b746af} - D:\WINDOWS\system32\brzbkmushndslr.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] D:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [StartCCC] "D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [itype] "d:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [CloneCDTray] "D:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [MSConfig] D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [lptxcpqfenu] D:\WINDOWS\System32\regsvr32.exe /s "D:\WINDOWS\system32\nvsmdbfhmnmil.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3430] command /c del "D:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1615] cmd /c del "D:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "D:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Google Update] "D:\Documents and Settings\Brett\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 3986576140
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll cbrduh.dll
O20 - Winlogon Notify: tuvUNfcY - tuvUNfcY.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - D:\WINDOWS\444.471.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - D:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 7089 bytes
Thank you for your patience and time.

[mz30]

Hi
I'm Mz30
I will be helping you with your malware issue's.
I am currently reviewing your hjt log and will post back soon with instructions.
As I am still in training, everything that I post to you, must be checked by an Admin or Moderator. Therefore there could be a delay between posts, but it shouldn't be too long.

• The fixes i post, are for fixing your issues only and by no means should be used on another computer.
• Continue to respond to this thread until I give you the All Clean,as even if you appear clean the chances are you are not.
• Please bookmark or favourite this page. In case you need it as reference.
• Please remember that all the staff here are volunteers and help in our free time and you will sometimes have to wait for a reply.
  
  Important
• Please do not attempt to remove anything or fix anything unless i ask,This includes running any sort of anti-virus/spyware programs as they may make thing's harder to remove.

[onlyliberty]

thank you!

[mz30]

I'm afraid I have unpleasant news for you. You have a Very Dangerous infection on this machine.

They allow outsiders COMPLETE access to every keystroke, account, and password you use while on this machine, and complete access to any other data present...
IF this computer has been used for any kind of important data, my best recommendation is to Disconnect from Internet, Re-Format the entire drive and re-install your Operating system and Applications.

We can likely clean the infected files off the computer, and if you wish we will attempt to do so, but we cannot be sure that the infection didn't do something to your system to reduce the system security. In that instance, even after removal of the infection, you could be subject to another attack or takeover as soon as you re-connect to the Internet.

The Decision Whether to ReFormat or Not should be based on:

• The use of the computer - this is the primary factor in the decision whether to re-format and re-install, or just disinfect.
• The variety of malware - this influences the decision on whether to re-format and re-install, or just disinfect. IN THIS CASE we have a <ENTER TYPE>, the worst kind.

If the Computer has been used for any important data, you are strongly advised to do the following, immediately:

• Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
• Back up all important data on the machine. Do not back up any Applications (programs). Those should be re-installed from the original source CDs or websites.
• If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:
  Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
• From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
• DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
• Take any other steps you think appropriate for an attempted identity theft.

While you are deciding whether to ReFormat and Re-Install, a useful link is here: http://www.dslreports.com/faq/10063.

If you decide to clean please follow the instructions below.


----------------------------------------

Download ComboFix from one of these locations:
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
• See this topic if you need help to disable your protection programs.
• Double click on ComboFix.exe & follow the prompts.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.
Please include the C:\ComboFix.txt in your next reply along with a HijackThis log so we can continue cleaning the system.

[onlyliberty]

Wow...it's a good thing I stopped using the windows portion of my computer and went to the linux portion. I was thinking of doing a reformat and this just confirmed it. Thanks.

[mz30]

Your very welcome

['KotaGuy]

This topic is now closed due to inactivity. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.