[Closed] Help with Malware infection


  • This topic is locked
6 replies to this topic

#1 Dougedo

Dougedo

    New Member

  • New Member
  • 4 posts

Posted 02 April 2008 - 01:06 PM

Hi, hoping I'm posting in the right place to get some help with my problem. I'm always very careful where I surf and what I download. Not sure how I got infected, but all my efforts at removal have failed. I've been getting hammered with pop-ups and other nefarious actions on my laptop. Periodically I hear strange sounds coming from it even with 'NO' windows open (chirping bird, piano keys, dialogue for some pop-up ad that is not open, etc.). Also periodically the Outlook set-up wizard starts; note: the laptop is an old work laptop and has not been configured for my home ISP email servers, as I just use Yahoo for email. My efforts so far have been: installed the Comcast toolbar, ran the toolbar Spyware scan and it found many items, the last of which it said was a Trojan of some kind; selected remove and quarantine. Now I run it often as I surf and it returns several 'Tracking cookies'; the sites referenced by the cookies I've added to the restricted web sites list through Tools > Internet Options > Security > Restricted sites, but they keep reappearing?? Searched for .exe files 'created' around the timeframe the infection began and deleted files that I did not recognize. Searched Google for similar issues for 'ads.k8l.info' pop-up issues and downloaded SUPERAntiSpyware Free Edition and ran it; it also found many items (files, cookies, registry) for removal and quarantine. The laptop has McAfee Desktop Firewall and VirusScan, but the definitions are outdated. IE is ver 6.0.2800.1106CO SP1. I would greatly appreciate any assistance with this malicious adware. Thanks and Regards



#2 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 05 April 2008 - 02:20 PM

Hello Dougedo

Welcome to the Whatthetech Malware Removal Forum,


Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply along with a HijackThis log.

Download Trend Micro's HijackThis to your desktop.
Double click it to install.
Follow the prompts and by default it will install in C:\Program Files\Trendmicro\Hijackthis\HijackThis.exe
  • Open HJT, click Scan and Save a Log File; it will open in Notepad
  • Go to Format and make sure Word Wrap is Unchecked
  • Go to Edit > Select All, then Edit > Copy, and paste the new log into this thread by using Post Reply, not by starting a New Thread.
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.


Post the Malwarebytes log and a HijackThis log please.

The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.

Just a reminder that threads will be closed if no reply in 3 days.

#3 Dougedo

Dougedo

    New Member

  • New Member
  • 4 posts

Posted 05 April 2008 - 08:43 PM

Hi, and thanks for your assistance. I followed your instructions and below are the log files. I just downloaded and ran them without disabling any McAfee programs I have installed, or the SuperAntiSpyware and Comcast toolbar that I have tried for this problem to date. MalwareBytes found 4 items: 1 Malware file trace, an Adware dll and 2 others. Removed per your instructions.
Thanks again.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:39:50 PM, on 4/5/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\Franklin VPN Client\cvpnd.exe
C:\PROGRA~1\NETWOR~1\MCAFEE~1\FireSvc.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\CCM\CcmExec.exe
C:\WINNT\Explorer.EXE
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\NETWOR~1\MCAFEE~1\Firetray.exe
C:\Program Files\RightFax\Client\English\FaxCtrl.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
D:\PersApps\Webshots\webshots.scr
C:\WINNT\system32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.n...lbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.n...lbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Franklin Templeton Investments
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: 0 - {DC310461-CDB1-41DE-89BE-62CFF5C37945} - C:\Program Files\Outlook Express\xunaj.dll (file missing)
O2 - BHO: (no name) - {e2c80ab6-85cb-4ac7-9e1d-06d211ee1ce8} - C:\WINNT\system32\vjnlnvr.dll (file missing)
O2 - BHO: (no name) - {E9FCF511-46AF-0E22-DA26-30E671890A99} - C:\WINNT\system32\tsrlii.dll (file missing)
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [McAfeeFireTray] C:\PROGRA~1\NETWOR~1\MCAFEE~1\Firetray.exe
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\Client\English\FaxCtrl.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\PersApps\IPod\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [Cwoa] "C:\DOCUME~1\ADMINI~1\MYDOCU~1\RACLE~1\services.exe" -vt yazb
O4 - HKCU\..\Run: [kernel] C:\Program Files\kernel\kernel.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] (User 'Default user')
O4 - Startup: Webshots.lnk = D:\PersApps\Webshots\Launcher.exe
O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://intranet
O15 - Trusted Zone: http://edrweb.franklintempleton.com (HKLM)
O15 - Trusted Zone: http://lmsprod.noam.corp.frk.com (HKLM)
O15 - Trusted Zone: http://myworktools.noam.corp.frk.com (HKLM)
O15 - Trusted Zone: http://psportaltest.noam.corp.frk.com (HKLM)
O15 - Trusted Zone: http://sacsun98.noam.corp.frk.com (HKLM)
O15 - Trusted Zone: http://sacsun99.noam.corp.frk.com (HKLM)
O15 - Trusted Zone: http://*.ftimarketing.com (HKLM)
O15 - Trusted Zone: http://*.intranet (HKLM)
O15 - Trusted Zone: http://*.sacgiweb (HKLM)
O15 - Trusted Zone: http://*.sacr01giww1 (HKLM)
O15 - Trusted Zone: http://*.sacr01giww2 (HKLM)
O15 - Trusted Zone: http://*.stpgiweb (HKLM)
O15 - Trusted Zone: http://*.stpr01giww1 (HKLM)
O15 - Trusted Zone: http://*.stpr01giww2 (HKLM)
O15 - Trusted Zone: http://*.torr01fln01 (HKLM)
O15 - Trusted Zone: http://*.torr01fln07 (HKLM)
O15 - Trusted Zone: http://*.torr01fln08 (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...wlscbase370.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = noam.corp.frk.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = noam.corp.frk.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe (file missing)
O23 - Service: Crystal Query Server - Unknown owner - C:\PROGRA~1\SEAGAT~1\QUERYS~1\querysrv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Franklin VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee Desktop Firewall Service (FireSvc) - Networks Associates Technology, Inc. - C:\PROGRA~1\NETWOR~1\MCAFEE~1\FireSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: BeyondLogic RmtExec Server (rexesvr) - http://www.beyondlogic.org - C:\WINNT\System32\rexesvr.exe
O23 - Service: Remote Task Manager Service (RTM) - Unknown owner - C:\WINNT\System32\rtmservice.exe (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\Outlook Express\cewuewu.html

--
End of file - 8144 bytes

Malwarebytes' Anti-Malware 1.10
Database version: 594

Scan type: Quick Scan
Objects scanned: 48740
Time elapsed: 11 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{7e412486-3c80-4dc0-996a-6076d4c67fd3} (Adware.TTC) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7e412486-3c80-4dc0-996a-6076d4c67fd3} (Adware.TTC) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Administrator\Local Settings\Temp\outerinfo.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\dalix777444.dll (Adware.TTC) -> Quarantined and deleted successfully.

Looking forward to your next steps and cleaning my laptop of these annoying sounds and pop-ups, not to mention the performance factor.

#4 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 05 April 2008 - 09:21 PM

Hello,

You do have a few things going on. I need you to look over all the O15 entries on your HJT log and add the ones you don't know to this list to be removed.

Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one (the only program or window you should have open is HijackThis), check the following entries and click on Fix Checked.

O2 - BHO: 0 - {DC310461-CDB1-41DE-89BE-62CFF5C37945} - C:\Program Files\Outlook Express\xunaj.dll (file missing)
O2 - BHO: (no name) - {e2c80ab6-85cb-4ac7-9e1d-06d211ee1ce8} - C:\WINNT\system32\vjnlnvr.dll (file missing)
O2 - BHO: (no name) - {E9FCF511-46AF-0E22-DA26-30E671890A99} - C:\WINNT\system32\tsrlii.dll (file missing)

O4 - HKCU\..\Run: [kernel] C:\Program Files\kernel\kernel.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab

O24 - Desktop Component 0: (no name) - C:\Program Files\Outlook Express\cewuewu.html

Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Program Files\Outlook Express\cewuewu.html
    C:\Program Files\Outlook Express\xunaj.dll
    C:\WINNT\system32\vjnlnvr.dll
    C:\WINNT\system32\tsrlii.dll

  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.

This tool needs to be run in Safe Mode for it to be effective.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


Post the OTMoveIt log, the SDFix log and a new HJT log please.

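The entries ken545 picked out above follow a handful of patterns a reviewer can check mechanically: O2 BHOs whose DLL is missing or that carry no descriptive name, HKCU Run entries that mimic a system process or launch from the user profile, and an unnamed O24 desktop component, with the O15 Trusted Zone lines set aside for the user to review by hand. The script below is an added example, not code from this thread or from HijackThis; it applies those same triage rules to HJT log lines. The sample lines are copied from the log posted in this thread, while the system-process name list, the directory prefixes and the known-bad name (kernel.exe, which ken545 identifies as SDBot later in the thread) are assumptions of this example.

```python
import re
from typing import List, Tuple

# Sample HijackThis entries, copied from the log posted earlier in this thread
# (a representative subset, not the whole log).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: 0 - {DC310461-CDB1-41DE-89BE-62CFF5C37945} - C:\Program Files\Outlook Express\xunaj.dll (file missing)
O2 - BHO: (no name) - {e2c80ab6-85cb-4ac7-9e1d-06d211ee1ce8} - C:\WINNT\system32\vjnlnvr.dll (file missing)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [kernel] C:\Program Files\kernel\kernel.exe
O4 - HKCU\..\Run: [Cwoa] "C:\DOCUME~1\ADMINI~1\MYDOCU~1\RACLE~1\services.exe" -vt yazb
O15 - Trusted Zone: http://*.intranet (HKLM)
O24 - Desktop Component 0: (no name) - C:\Program Files\Outlook Express\cewuewu.html
"""

# Assumed lists: core Windows process names (one of these launched from outside
# the Windows directory is a masquerade, like the "services.exe" under My
# Documents above), plus the one name the thread itself identifies as malware.
SYSTEM_PROCESS_NAMES = {"services.exe", "svchost.exe", "lsass.exe", "winlogon.exe",
                        "smss.exe", "csrss.exe", "explorer.exe", "spoolsv.exe"}
KNOWN_BAD_RUN_NAMES = {"kernel.exe"}   # from post #6 in this thread
WINDOWS_DIRS = ("c:\\winnt\\", "c:\\windows\\")
USER_DIRS = ("c:\\docume~1\\", "c:\\documents and settings\\", "\\temp\\")

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\S*?)\\Run(?:Once)?: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<zone>\S+)")
O24_RE = re.compile(r"^O24 - Desktop Component \d+: (?P<name>.*?) - (?P<path>.*)$")
EXE_RE = re.compile(r'"?(?P<exe>.*?\.(?:exe|scr|bat|com))"?', re.IGNORECASE)


def exe_from_cmd(cmd: str) -> str:
    """Lower-cased executable path from a Run command line (quoted or bare)."""
    m = EXE_RE.match(cmd.strip())
    return (m["exe"] if m else cmd.strip()).lower()


def triage_hjt(log_text: str) -> Tuple[List[str], List[str]]:
    """Return (flagged, review): entries matching the patterns the helper
    acted on in this thread, and Trusted Zone entries for manual review."""
    flagged, review = [], []
    for line in (l.strip() for l in log_text.splitlines()):
        if m := O2_RE.match(line):
            # Orphaned BHO (DLL gone) or one without a descriptive name.
            if ("(file missing)" in m["path"] or m["name"] == "(no name)"
                    or not re.search(r"[A-Za-z]{3,}", m["name"])):
                flagged.append(line)
        elif m := O4_RE.match(line):
            exe = exe_from_cmd(m["cmd"])
            base = exe.rsplit("\\", 1)[-1]
            if (base in KNOWN_BAD_RUN_NAMES
                    or (base in SYSTEM_PROCESS_NAMES and not exe.startswith(WINDOWS_DIRS))
                    or any(d in exe for d in USER_DIRS)):
                flagged.append(line)
        elif O15_RE.match(line):
            review.append(line)            # the helper asked for these to be checked by hand
        elif m := O24_RE.match(line):
            if m["name"] == "(no name)":   # unnamed Active Desktop component
                flagged.append(line)
    return flagged, review
```

Running `triage_hjt(SAMPLE_LOG)` flags the two orphaned BHOs, both HKCU Run entries and the O24 component, and returns the Trusted Zone line in the review list; the legitimate Acrobat BHO and Synaptics Run entry are left alone.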

#5 Dougedo

Dougedo

    New Member

  • New Member
  • 4 posts

Posted 10 May 2008 - 11:19 AM

Hello, and sorry for the delayed response. It seems to be working better and the mysterious noises and pop-ups are gone, but I have some questions regarding your last reply. HJT: The laptop is an old company machine still with the company image; all the O15 entries are fine to me. I'm concerned that the 'kernel' entry relates to the company image? Could this be the case? I would not want to mess with it if it is, as I do not have any restore/backup disks/programs for this machine. OTMoveIt2: Can you explain what this exe does please? After this experience, and in general, I'm very leery about downloading any executables. SDFix: Same questions as for OTMoveIt2 please. Thanks again for your expert help with this problem. Regards, Doug

#6 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 18 May 2008 - 07:34 PM

Doug,

Sorry for the late reply, but with you not posting back in over a month your post fell off my list; I have you back now. We are one of the leading forums for the removal of malware and viruses, not for trying to infect your computer. Do you think that we would have you download any programs that are not safe???????????????????

Kernel.exe is part of the SDBot worm; it's not related to your company logo.

It's been over a month since you posted your HJT log and your system may have changed, so post a new HJT log please. If you're hesitant about proceeding with the cleaning, you may want to consider taking your computer to a shop. I don't mean to seem stern, but we clean computers of the viruses and malware that people get; we do not infect them.

Ken

Edited by ken545, 19 May 2008 - 02:44 AM.

#7 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 31 May 2008 - 09:05 AM

Due to inactivity this topic will be closed. If you need help, please start a new thread and post a new HJT log.
