# Being attacked by adware/spyware...help

06-26-2009, 09:53 PM   #1
Registered Member

Join Date: Oct 2007
Location: Little Rock, AR
Posts: 67
OS: XP

I gave this computer to my daughter and she accidentally infected it with multiple problems. We now have an understanding as to how to keep these off, but I need help removing them if possible...thanks.

GMER 1.0.15.14972 - https://www.gmer.net
Rootkit scan 2009-06-26 23:25:22
Windows 5.1.2600 Service Pack 3

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\USB_RNDIS \Device\{FCA22336-5931-44E8-93F4-E80B36EF256D} RNDISMP.SYS (Remote NDIS Miniport/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\UACsmnaxvmp.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] \systemroot\system32\drivers\UACsmnaxvmp.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\drivers\UACsmnaxvmp.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACfqxotfqr.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACjpumlwuw.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACheexnqcn.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACracbfprb.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACxfpapeil.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACtkowfovw.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACbpasjjpg.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACiiyvmext.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACdujwqbit.dll
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] \systemroot\system32\drivers\UACsmnaxvmp.sys
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] file system
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\drivers\UACsmnaxvmp.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACfqxotfqr.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACjpumlwuw.dat
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACheexnqcn.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACracbfprb.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACxfpapeil.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACtkowfovw.log
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACbpasjjpg.log
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACiiyvmext.log
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACdujwqbit.dll

---- EOF - GMER 1.0.15 ----
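Added example, not part of the thread: a small Python triage script for a GMER log like the one above. It parses the Services and Registry sections, reports every service GMER marked as hidden, and lists the files tied to that service in one normalized path form, so a helper reviewing a long log gets a short indicator list rather than the raw dump. The sample log is constructed in GMER's format; the registry value names after `@` are placeholders (the original names did not survive extraction of this page), the benign `mouclass` lines are made up to show that non-hidden services are ignored, and `C:\WINDOWS` as the system root is an assumption.

```python
"""Triage a GMER rootkit-scan log: list services GMER flagged as hidden and
collect every file those services reference (added example, not GMER code)."""
import re

# Constructed sample in the GMER 1.0.15 format shown in the thread. The value
# names after '@' (ImagePath, Group, mod1, mod2) are placeholders; the mouclass
# lines are invented so the filter has something benign to skip.
SAMPLE_LOG = r"""GMER 1.0.15.14972 - https://www.gmer.net
Rootkit scan 2009-06-26 23:25:22
Windows 5.1.2600 Service Pack 3

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\UACsmnaxvmp.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\mouclass.sys [SYSTEM] mouclass

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@ImagePath \systemroot\system32\drivers\UACsmnaxvmp.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@Group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@mod1 \\?\globalroot\systemroot\system32\drivers\UACsmnaxvmp.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@mod2 \\?\globalroot\systemroot\system32\UACfqxotfqr.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\mouclass@ImagePath system32\DRIVERS\mouclass.sys

---- EOF - GMER 1.0.15 ----
"""

# "Service <path> [(*** hidden *** )] [<start>] <name> ..."
SERVICE_RE = re.compile(
    r"^Service\s+(?P<path>\S+)\s+(?P<hidden>\(\*\*\* hidden \*\*\* \)\s+)?"
    r"\[(?P<start>\w+)\]\s+(?P<name>\S+)")
# "Reg <key>[@<value name>] [<data>]"
REG_RE = re.compile(r"^Reg\s+(?P<key>\S+?)(?:@(?P<value>\S+))?(?:\s+(?P<data>.*))?$")
FILE_RE = re.compile(r"\.(sys|dll|dat|log|exe)$", re.I)


def normalize_path(path, windir=r"C:\WINDOWS"):
    """Fold the spellings GMER uses for one file into a single form.
    windir is an assumption; the log header only says 'Windows 5.1.2600'."""
    path = re.sub(r"^\\\\\?\\globalroot", "", path, flags=re.I)
    path = re.sub(r"^\\systemroot\\", r"%SystemRoot%\\", path, flags=re.I)
    path = re.sub("^" + re.escape(windir) + r"\\", r"%SystemRoot%\\", path, flags=re.I)
    return path


def parse_gmer(text):
    """Return (services, registry): service dicts and (key, value, data) tuples."""
    services, registry = [], []
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            services.append({"name": m["name"], "path": m["path"],
                             "start": m["start"], "hidden": m["hidden"] is not None})
            continue
        m = REG_RE.match(line)
        if m:
            registry.append((m["key"], m["value"], m["data"] or ""))
    return services, registry


def hidden_services(text):
    """Names of the services GMER marked '*** hidden ***'."""
    services, _ = parse_gmer(text)
    return [s["name"] for s in services if s["hidden"]]


def referenced_files(text):
    """Every file tied to a hidden service: its own image plus any file-looking
    data stored under that service's registry key (Services\\<name>\\...)."""
    services, registry = parse_gmer(text)
    hidden = {s["name"].lower() for s in services if s["hidden"]}
    files = {normalize_path(s["path"]) for s in services if s["hidden"]}
    for key, _value, data in registry:
        lowered = key.lower() + "\\"
        owned = any("\\services\\" + name + "\\" in lowered for name in hidden)
        if owned and FILE_RE.search(data):
            files.add(normalize_path(data))
    return sorted(files)


if __name__ == "__main__":
    print("hidden services:", hidden_services(SAMPLE_LOG))
    for path in referenced_files(SAMPLE_LOG):
        print("  referenced:", path)
```

Run it against a saved GMER log by replacing `SAMPLE_LOG` with the file's contents; the output is a list to hand to whoever writes the removal script, and the normalized `%SystemRoot%` form lets the same file be matched whether GMER printed it as a drive path, a `\systemroot` path or a `\\?\globalroot` path.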

06-28-2009, 10:19 AM #2

Hello and welcome to Tech Support Forum. My name is km2357 and I will be helping you to remove any infection(s) that you may have. I will be giving you a series of instructions that need to be followed in the order in which I give them to you. If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again. Please do not start another thread or topic, I will assist you at this thread until we solve your problems. Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

Please run DDS again. I need to see the main log, DDS.txt in your next post/reply.

 06-29-2009, 12:40 PM #6

If you haven't already you need to install an Anti-Virus program ASAP on the computer. The longer the computer goes without an AV, the better its chances of being infected/reinfected.

Step # 1: Add/Remove Programs

Go to Start-Settings-Control Panel, click on Add Remove Programs. If any of the following programs are listed there, click on the program to highlight it, and click on remove. Then close the Control Panel.

Media Access Startup
PC Confidential 2008
System Search Dispatcher

Reboot your Computer.

Step # 2: Run CFScript

Please Note: When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the script below, ComboFix will capture a file to submit for analysis. Ensure you are connected to the internet and click OK on the message box.

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

Code:
https://www.techsupportforum.com/2214139-post5.html

KILLALL::

Collect::
c:\windows\system32\drivers\UACsmnaxvmp.sys

File::
c:\windows\Klupakusadiyur.dat

Folder::
c:\documents and settings\Kyrsti\Local Settings\Application Data\Internet Saving Optimizer
c:\documents and settings\Kyrsti\Local Settings\Application Data\Media Access Startup
c:\program files\Media Access Startup
c:\program files\Internet Saving Optimizer
c:\program files\System Search Dispatcher
c:\program files\DoubleD
c:\program files\Winferno
c:\program files\Free Offers from Freeze.com

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}]

Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

Note: This CFScript is for use on alanh's computer only! Do not use it on your computer.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal. When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

In your next post/reply, I need to see the following:

1. The ComboFix Log that appears after Step 2 has been completed.
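Added example, not part of the thread and not ComboFix's own code: a Python dry-run reviewer for the CFScript format used in Step 2. It parses the `Name::` sections into a plan and raises objections (relative paths, a `Folder::` entry naming a drive root or a top-level system directory, malformed `Registry::` lines) before anything is deleted. The sample input is the script from this post; the protected-directory list is a constructed guard, not a ComboFix rule.

```python
"""Dry-run reviewer for a ComboFix CFScript (added example, not ComboFix code):
parse the section format into a plan and flag entries that look wrong."""
import re

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")
ABS_PATH_RE = re.compile(r"^[a-z]:\\", re.I)
# Constructed guard list: a Folder:: entry must never name one of these outright.
PROTECTED_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\program files",
                  r"c:\documents and settings"}

# The CFScript from the post above, used as sample input.
SAMPLE_SCRIPT = r"""
KILLALL::

Collect::
c:\windows\system32\drivers\UACsmnaxvmp.sys

File::
c:\windows\Klupakusadiyur.dat

Folder::
c:\documents and settings\Kyrsti\Local Settings\Application Data\Internet Saving Optimizer
c:\program files\Media Access Startup

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}]
"""


def parse_cfscript(text):
    """Map each 'Name::' header to the non-blank lines beneath it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def review(text):
    """Return (summary, problems): per-section entry counts and objections.
    An empty problems list means the script passed every check."""
    sections = parse_cfscript(text)
    problems = []
    for name in ("Collect", "File", "Folder"):
        for entry in sections.get(name, []):
            if not ABS_PATH_RE.match(entry):
                problems.append(f"{name}: not an absolute path: {entry}")
    for entry in sections.get("Folder", []):
        norm = entry.lower().rstrip("\\")
        if re.fullmatch(r"[a-z]:", norm) or norm in PROTECTED_DIRS:
            problems.append(f"Folder: refuses to remove a system location: {entry}")
    for entry in sections.get("Registry", []):
        # Accept [KEY] / [-KEY] lines and the "value"=... lines that follow a key.
        if not (re.fullmatch(r"\[-?HKEY_[A-Z_]+\\.+\]", entry) or entry.startswith('"')):
            problems.append(f"Registry: expected [KEY] or [-KEY] line: {entry}")
    summary = {name: len(entries) for name, entries in sections.items()}
    return summary, problems


if __name__ == "__main__":
    summary, problems = review(SAMPLE_SCRIPT)
    print("plan:", summary)
    print("problems:", problems or "none")
```

The point of the check is the note in this post that a CFScript is written for one machine only: running `review()` over a script before dragging it onto ComboFix shows exactly which paths and keys it names and refuses a `Folder::` line that would take out `c:\program files` wholesale.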

07-04-2009, 10:54 AM #12

Kaspersky found files in the Qoobox folder which is where ComboFix keeps its quarantined files. I'll show you how to remove those in an upcoming post.

Kaspersky also found some infected System Restore points. They are harmless where they are. I'll show you how to remove them and set up a new, clean one in an upcoming post.

The DDS log you posted is an old one (from Fri 06/26/2009). Please run DDS again and post a new log.

Regarding the internet crashing, when did it start? Did it start before the computer got infected? Before you came to Tech Support Forum looking for help?

07-04-2009, 09:59 PM #14
Security Team
Analyst

Join Date: Jan 2009
Posts: 553
OS: Win98SE, XP Home SP3, Windows 7 64-bit

Quote:
 It crashes usually when its moved.
By "Its" I assume you mean your internet crashes when your wireless router/modem is physically moved? That sounds more like a hardware problem than a malware problem. If that is the case, it'd be best to post a thread in the Networking Support section of Tech Support Forum and explain to them why your Internet is crashing. They'd be better equipped than I to help you solve your problem.

Since you reported that the pop-ups have stopped and your problem appears to be non-malware related, I'll go ahead and have you do a final clean up and give you some tips to help keep the computer clean in the future.

To remove ComboFix, do the following:

Go to Start > Run - type in ComboFix /u & click OK

Empty your Recycle Bin.

Please follow these simple steps in order to keep your computer clean and secure:

This is a good time to clear your existing system restore points and establish a new clean restore point.
• Go to Start > All Programs > Accessories > System Tools > System Restore
• Select Create a restore point, and Ok it.
• Next, go to Start > Run and type in cleanmgr
• Make sure the C:\ drive is selected and click OK. If your computer's Hard Drive is not located on C:, change it to the correct drive letter then click OK.
• Select the More options tab
• Choose the option to clean up system restore and OK it.
• This will remove all restore points except the new one you just created.

Clearing your restore points is not something you should do on a regular basis. Normally, this process only needs to be done after clearing out an infestation of malware.

Make your Internet Explorer more secure. This can be done by following these simple instructions:
1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click once on the Security tab
3. Click once on the Internet icon so it becomes highlighted.
4. Click once on the Custom Level button.
• Change the Download signed ActiveX controls to Prompt
• Change the Download unsigned ActiveX controls to Disable
• Change the Initialize and script ActiveX controls not marked as safe to Disable
• Change the Installation of desktop items to Prompt
• Change the Launching programs and files in an IFRAME to Prompt
• Change the Navigate sub frames across different domains to Prompt
5. When all these settings have been made, click on the OK button.
6. If it asks you if you want to save the settings, press the Yes button.
7. Next press the Apply button and then the OK to exit the Internet Properties page.
Set correct settings for files that should be hidden in Windows XP
• Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
• Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
• If unchecked, please check Hide protected operating system files (Recommended)
• If necessary check "Display content of system folders"
• If necessary Uncheck Hide file extensions for known file types.
• Click OK
• Use Antivirus Software and Keep It Updated - It is very important that your computer has antivirus software running on it. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a day. If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.
• Visit Microsoft's Update Site Frequently - It is important that you visit Microsoft Updates regularly. This will ensure your computer has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
• Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
Computer Safety on line Anti Malware
• Use the hosts file: Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional. Download the MVPS hosts file. Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE. If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
1. Click the start button on the task bar at the bottom of your screen
2. Click run
3. In the dialog box, type services.msc
4. hit enter, then locate dns client
5. Highlight it, then doubleclick it.
6. On the dropdown box, change the setting from automatic to manual.
7. Click OK.
• Use an alternative instant messenger program. Trillian and Miranda IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
• Please read Tony Klein's excellent article: How I got Infected in the First Place
• Please read Understanding Spyware, Browser Hijackers, and Dialers
• Please read Simple and easy ways to keep your computer safe and secure on the Internet
• If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox or Opera. If you decide to use either Firefox or Opera, it is very important that you keep them up to date and check frequently for updates of the browser of your choice.
• Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
• If your computer was infected by a website, a program, IM, MSN, or p2p, check this site because it is Time To Fight Back.
Follow these steps and your potential for being infected again will reduce dramatically.

Here's a good website to read about Malware prevention:

https://users.telenet.be/bluepatchy/m...revention.html

If your computer is running slow, click here for instructions on how to help speed up your computer.

Good luck!

Please reply one last time so that I know you have read my post and this thread can be closed.
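Added example, not part of the thread and not the MVPS project's code: a Python reading of how the hosts-file blocking recommended above works. It parses hosts-file syntax (comments, several hostnames per line, mixed case) and answers whether a name would be sunk to 0.0.0.0 or 127.0.0.1 instead of being sent to DNS. The sample lines are constructed, not the real MVPS list, and first-match-wins lookup is assumed to mirror the Windows resolver.

```python
"""Hosts-file parser and lookup (added example): shows how a blocking hosts
file short-circuits name resolution for the names it lists."""
import ipaddress

# Constructed sample lines in hosts-file syntax; not the real MVPS list.
SAMPLE_HOSTS = """
# Sample hosts file (constructed)
127.0.0.1 localhost
0.0.0.0 ads.example.net   # banner network
0.0.0.0 tracker.example.org stats.example.org
::1 localhost
192.0.2.10 intranet.example.com
not-an-address broken.example.com
"""

# Addresses a blocking list points unwanted names at.
SINKHOLE = {"0.0.0.0", "127.0.0.1", "::1"}


def parse_hosts(text):
    """Return an ordered list of (address, hostname) pairs. Comments are
    stripped, one line may carry several names, and malformed lines are
    skipped rather than guessed at."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for host in parts[1:]:
            entries.append((parts[0], host.lower()))
    return entries


def lookup(entries, hostname):
    """Address the hosts file assigns to hostname, or None when the name is
    absent and resolution falls through to DNS. First match wins (assumed
    to mirror the Windows resolver)."""
    hostname = hostname.lower().rstrip(".")
    for addr, host in entries:
        if host == hostname:
            return addr
    return None


def is_blocked(entries, hostname):
    """True when the hosts file sinks this name; localhost itself is exempt."""
    addr = lookup(entries, hostname)
    return addr in SINKHOLE and hostname.lower().rstrip(".") != "localhost"


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example.net", "intranet.example.com", "www.example.com"):
        print(name, "->", lookup(table, name), "blocked" if is_blocked(table, name) else "")
```

Pointing the hosts file at `C:\WINDOWS\system32\drivers\etc\hosts` and `parse_hosts()` over its contents shows which names the installed list sinks; the size of that list is also why the post suggests setting the DNS Client service to manual, since that service caches the whole file.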

 07-05-2009, 03:03 AM #15

Thanks for all your help. I think I got it all right.

07-06-2009, 12:27 AM #16

You're welcome. I'm glad I was able to help you out. Good luck and safe surfing!

