Tech Support Forum - View Single Post - Constant pop-ups: NetWorm-i.Virus@fp, Spyware.CyberLog-X

hulagirl · 08-01-2008, 08:00 AM

Aloha tech support gurus! I was hoping someone could help me stop these constant "security alert/system alert/critical system warning" pop-ups and other malware. Problem began after installing what looked like a necessary ActiveX plugin to view a set of assembly instructions.

The following info was derived from Spybot S&D's deleted items log: AntiSpyCheck, Zlob.Downloader.vdt, SCKeylogger, Smitfraud-C, Smitfraud-C.gp, SpyLocked.FakeAlert, Win32.GGDoor.

Spybot S&D was installed shortly after the attack. I uninstalled IE7 to stop the constant relaunching of IE browsers. Per the instructions given for posting here I have completed all of the steps in order, including OS updates and reinstalling IE7. Running current avast! v4.8 with Windows firewall. There were no listed malware programs or rogue/suspect programs found in program list. Any help would be greatly appreciated!

Here are the contents of the main.txt file:
Deckard's System Scanner v20071014.68
Run by elaine on 2008-08-01 01:14:24
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

-- Last 5 Restore Point(s) --
73: 2008-08-01 10:35:11 UTC - RP156 - Deckard's System Scanner Restore Point
72: 2008-08-01 10:09:36 UTC - RP155 - Software Distribution Service 3.0
71: 2008-08-01 09:49:59 UTC - RP154 - Software Distribution Service 3.0
70: 2008-08-01 09:48:22 UTC - RP153 - Installed Windows Internet Explorer 7.
69: 2008-08-01 09:45:41 UTC - RP152 - Installed Windows IDNMitigationAPIs.

-- First Restore Point --
1: 2008-05-03 03:09:15 UTC - RP84 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).

-- HijackThis (run as elaine.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:16:01 AM, on 8/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Applications\wcs.exe
C:\Program Files\Applications\iebtm.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Applications\wcm.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Applications\iebtmm.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Autobahn\mlb-nexdef-autobahn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\elaine.ELAINE-VAIO\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\elaine.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {D46BEAA4-A304-40B3-A9DA-EC7F7F501F25} - C:\Program Files\Applications\iebt.dll
O3 - Toolbar: Internet Service - {38BF827A-D7C5-46E1-A9A2-47B1B5BB5438} - C:\Program Files\Applications\iebr.dll
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [IERESETATTRIB] %SystemRoot%\system32\cmd.exe /d /q /c %SystemRoot%\system32\ieudinit.exe -ResetFileAttributes
O4 - HKLM\..\RunOnce: [IERESETICONS] %SystemRoot%\system32\cmd.exe /d /q /c %SystemRoot%\iereseticons.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Applications\wcs.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Applications\iebtm.exe
O4 - Global Startup: MLB.TV NexDef Plug-in.lnk = C:\Program Files\Autobahn\mlb-nexdef-autobahn.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.iexplorerclue.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.iexplorerclue.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: ceroxylon - {c96395b8-ab09-46a4-b539-7ddf6e061808} - C:\WINDOWS\system32\jkqvjzl.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 7873 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>

-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\1C1910F8004603
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\1C1910F8004603
Service: NIC1394

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Mass Storage Controller
Device ID: PCI\VEN_104C&DEV_AC8F&SUBSYS_8190104D&REV_00\4&16793A72&0&23F0
Manufacturer:
Name: Mass Storage Controller
PNP Device ID: PCI\VEN_104C&DEV_AC8F&SUBSYS_8190104D&REV_00\4&16793A72&0&23F0
Service:

-- Scheduled Tasks -------------------------------------------------------------

2008-07-31 15:45:03 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

-- Files created between 2008-07-01 and 2008-08-01 -----------------------------

2008-08-01 00:49:45 0 d-------- C:\Program Files\Trend Micro
2008-07-31 23:00:15 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\WinZip
2008-07-31 22:25:18 0 d-------- C:\ie-spyad_zo
2008-07-31 22:14:01 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-07-31 22:11:23 0 d-------- C:\Program Files\SpywareBlaster
2008-07-31 19:59:38 0 d-------- C:\Program Files\Panda Security
2008-07-30 14:44:09 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-07-30 13:45:35 0 dr-h----- C:\Documents and Settings\elaine.ELAINE-VAIO\Recent
2008-07-30 13:24:21 0 d-------- C:\Program Files\Applications
2008-07-17 11:25:14 0 d-------- C:\Program Files\Sun

-- Find3M Report ---------------------------------------------------------------

2008-08-01 00:15:46 1469 --a------ C:\Documents and Settings\elaine.ELAINE-VAIO\Application Data\autobahn.log
2008-08-01 00:07:15 0 d-------- C:\Documents and Settings\elaine.ELAINE-VAIO\Application Data\skypePM
2008-07-31 23:57:24 0 d-------- C:\Documents and Settings\elaine.ELAINE-VAIO\Application Data\Skype
2008-07-27 16:38:59 13312 --a-s---- C:\WINDOWS\system32\jkqvjzl.dll
2008-07-17 11:24:24 0 d-------- C:\Program Files\Java
2008-07-13 14:29:44 0 d-------- C:\Program Files\iTunes
2008-07-10 16:40:52 0 d-------- C:\Program Files\iPod
2008-06-29 00:24:25 0 d-------- C:\Documents and Settings\elaine.ELAINE-VAIO\Application Data\LimeWire
2008-06-25 22:22:55 0 d-------- C:\Program Files\QuickTime
2008-06-19 15:51:32 0 d-------- C:\Program Files\Safari
2008-06-18 02:07:40 0 d-------- C:\Program Files\LimeWire
2008-06-12 13:46:45 0 d-------- C:\Program Files\Microsoft Silverlight
2008-06-12 13:45:14 0 d-------- C:\Program Files\The Weather Channel FW
2008-06-09 17:14:28 0 d-------- C:\Documents and Settings\elaine.ELAINE-VAIO\Application Data\Apple Computer
2008-05-08 12:18:13 1298 --a------ C:\WINDOWS\mozver.dat

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D46BEAA4-A304-40B3-A9DA-EC7F7F501F25}]
08/01/2008 12:14 AM 7680 --a------ C:\Program Files\Applications\iebt.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{38BF827A-D7C5-46E1-A9A2-47B1B5BB5438}"= C:\Program Files\Applications\iebr.dll [07/30/2008 01:24 PM 85504]

[-HKEY_CLASSES_ROOT\CLSID\{38BF827A-D7C5-46E1-A9A2-47B1B5BB5438}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HKSERV.EXE"="C:\Program Files\Sony\HotKey Utility\HKserv.exe" [06/29/2004 02:49 PM]
"Switcher.exe"="C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe" [08/03/2004 04:56 PM]
"ATIModeChange"="Ati2mdxx.exe" [09/04/2001 05:24 PM C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [03/25/2004 09:00 PM]
"Mouse Suite 98 Daemon"="ICO.EXE" []
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [11/07/2003 05:21 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [03/09/2007 11:09 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [07/19/2008 04:38 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05/08/2008 12:07 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [05/27/2008 10:50 AM]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [07/10/2008 09:47 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/10/2008 10:51 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [02/01/2008 05:22 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 09:56 PM]
"DW6"="C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe" [06/10/2008 04:18 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [07/07/2008 09:42 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"IERESETATTRIB"=%SystemRoot%\system32\cmd.exe /d /q /c %SystemRoot%\system32\ieudinit.exe -ResetFileAttributes
"IERESETICONS"=%SystemRoot%\system32\cmd.exe /d /q /c %SystemRoot%\iereseticons.exe

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
MLB.TV NexDef Plug-in.lnk - C:\Program Files\Autobahn\mlb-nexdef-autobahn.exe [3/30/2008 1:52:34 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"some"=C:\Program Files\Applications\wcs.exe
"start"=C:\Program Files\Applications\iebtm.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{c96395b8-ab09-46a4-b539-7ddf6e061808}"= C:\WINDOWS\system32\jkqvjzl.dll [07/27/2008 04:38 PM 13312]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

-- End of Deckard's System Scanner: finished at 2008-08-01 01:16:29 ------------

Good afternoon everyone! I wanted to add that in addition to the pop-up messages it launches what looks like a fake IE browser with something called windows-defense.com/2009/1/freescan.php?aid=880348-Windows Internet Explorer.

After closing that window cpu usage goes to 100% with a process called wcs.exe. I can kill it in task manager but it ultimately relaunches itself over and over.

This is making me crazy!