Hi,
I got tricked into clicking. A website told me I needed to update Flash, so I clicked. Flash didn't get updated, but I got a bunch of popups instead, many of which are designed specifically to get me to click more buttons by pretending to save me from malware. Very ironic.
Here are the hijackthis and pandascan logfiles:
hijackthis:
Logfile of HijackThis v1.99.1
Scan saved at 00:44:31, on 03/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\windows\freddy45.exe
C:\windows\mstre19.exe
C:\windows\pp10.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\DeskPins\DeskPins.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\Documents and Settings\User\Desktop\files\anti-hijacking stuff\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld08.exe
O4 - HKLM\..\Run: [sysfbtray] C:\windows\freddy45.exe
O4 - HKLM\..\Run: [sysmstray] C:\windows\mstre19.exe
O4 - HKLM\..\Run: [pp] C:\windows\pp10.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SYSDLL] SYSDLL
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: DeskPins.lnk = C:\Program Files\DeskPins\DeskPins.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://badgerpoke.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Unknown owner - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
pandascan:
;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-06-03 00:43:24
PROTECTIONS: 0
MALWARE: 13
SUSPECTS: 5
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00110851 adware/qoologic Adware No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\uninstall\webnexus
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\user@doubleclick[1].txt
00167647 Cookie/Yadro TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\user@yadro[2].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\user@burstnet[2].txt
00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\user@bluestreak[1].txt
00219235 adware/commad Adware No 0 Yes No hkey_local_machine\system\controlset001\services\cmdservice
00219235 adware/commad Adware No 0 Yes No hkey_local_machine\system\controlset001\enum\root\legacy_cmdservice
00219235 adware/commad Adware No 0 Yes No hkey_local_machine\system\currentcontrolset\services\cmdservice
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\user@atwola[1].txt
00956422 W32/Koobface.BW.worm Virus/Worm No 0 Yes No C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\T3T76T4U\nfr[1].exe
00956422 W32/Koobface.BW.worm Virus/Worm No 0 Yes No C:\WINDOWS\st_1243991676.exe
00956424 Trj/BHO.EO Virus/Trojan No 0 Yes No C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\T3T76T4U\6244[1].exe
00956449 Trj/BHO.EO Virus/Trojan No 0 Yes No C:\WINDOWS\system32\sysloc\sysloc.dll
01132533 Trj/Lineage.BZE Virus/Trojan No 1 No No C:\Documents and Settings\User\Desktop\files\!Data.Recovery.MegaPack.by.TommY@erektor(last_hope)\Runtime.Software.Data.Recovery\Runtime.Software.Data.Recovery.rar[DiskExplorer.for.NTFS.v3.03\v3.03.Crack-ARN\NtExplorer.exe]
01132533 Trj/Lineage.BZE Virus/Trojan No 1 Yes No C:\Documents and Settings\User\Desktop\files\!Data.Recovery.MegaPack.by.TommY@erektor(last_hope)\Runtime.Software.Data.Recovery\DiskExplorer.for.NTFS.v3.03\v3.03.Crack-ARN\NtExplorer.exe
01313896 Trj/Lineage.BZE Virus/Trojan No 1 No No C:\Documents and Settings\User\Desktop\files\!Data.Recovery.MegaPack.by.TommY@erektor(last_hope)\Runtime.Software.Data.Recovery\Runtime.Software.Data.Recovery.rar[RAID.Reconstructor.v3.03\v3.03.Crack-ARN\raid.exe]
01313896 Trj/Lineage.BZE Virus/Trojan No 1 Yes No C:\Documents and Settings\User\Desktop\files\!Data.Recovery.MegaPack.by.TommY@erektor(last_hope)\Runtime.Software.Data.Recovery\RAID.Reconstructor.v3.03\v3.03.Crack-ARN\raid.exe
03918970 Generic Malware Virus/Trojan No 0 No No C:\Documents and Settings\User\Desktop\files\!Data.Recovery.MegaPack.by.TommY@erektor(last_hope)\O&O DiskRecovery\O&O DiskRecovery.rar[O&O DiskRecovery V4.0.1231\Keygen\DiskRecovery 4.0.1231.exe]
03918970 Generic Malware Virus/Trojan No 0 Yes No C:\Documents and Settings\User\Desktop\files\!Data.Recovery.MegaPack.by.TommY@erektor(last_hope)\O&O DiskRecovery\O&O DiskRecovery V4.0.1231\Keygen\DiskRecovery 4.0.1231.exe
03918970 Generic Malware Virus/Trojan No 0 Yes No C:\Documents and Settings\User\Desktop\files\!Data.Recovery.MegaPack.by.TommY@erektor(last_hope)\O&O DiskRecovery\O&O DiskRecovery V4.1.1334_Vistaready\Keygen\O&O.Products-kg.exe
03918970 Generic Malware Virus/Trojan No 0 No No C:\Documents and Settings\User\Desktop\files\!Data.Recovery.MegaPack.by.TommY@erektor(last_hope)\O&O DiskRecovery\O&O DiskRecovery.rar[O&O DiskRecovery V4.1.1334_Vistaready\Keygen\O&O.Products-kg.exe]
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
No C:\windows\mstre19.exe
No c:\windows\mstre19.exe
No C:\Documents and Settings\User\Desktop\files\!Data.Recovery.MegaPack.by.TommY@erektor(last_hope)\Runtime.Software.Data.Recovery\GetDataBack.for.FAT.V3.03\v3.03.011.Crack-ARN\gdb.exe
No C:\Documents and Settings\User\Desktop\files\!Data.Recovery.MegaPack.by.TommY@erektor(last_hope)\Runtime.Software.Data.Recovery\Runtime.Software.Data.Recovery.rar[GetDataBack.for.FAT.V3.03\v3.03.011.Crack-ARN\gdb.exe]
No C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\176XGG0O\ms.19[1].exe
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================
Needless to say, any help will be enormously appreciated.