Client's Laptop

g4m3rof1337

Active Member
I'm trying to fix a laptop that has been FUBAR'd. The trojan changed her wallpaper to a blue screen with text saying she needs anti-spyware software, with a link on the wallpaper to download some. It also opens a lot of windows; one of them was a clip of a Powerpuff Girls thing.

She's using XP, and I don't think she'll have her restore discs. I'll ask, but I don't want to count on it.

I was thinking about just wiping the drive clean and doing a clean install, though I don't have an XP disc.

Any ideas?

Thanks.
 
Umm, well, once things get that bad it is best to do a restore or reformat/reinstall, but I can at least tell you some stuff to do that will remove some of the annoyances while you try to fix it.

1. Download StartupCPL
http://www.mlin.net/StartupCPL.shtml
Download the installable one; it installs its own entry inside the Control Panel called "Startup".
Run it in Safe Mode and uncheck EVERYTHING. Some things are harmless, but to free up resources just uncheck everything in every tab.
StartupCPL is basically a tool to stop things that start automatically upon boot. Most likely some of the spyware will put itself back in the list, but it will help with the ones that don't.

2. Install ZoneAlarm firewall (or any other firewall of your choice if you don't like ZoneAlarm).

3. Install a good antivirus and run a boot scan (Avast has a good one).

4. Isolate any other problems and use Google to fix them.

These steps will at least help in the diagnostic process and keep you from getting any more spyware/viruses (hopefully).
 
Between Malwarebytes Anti-Malware, SUPERAntiSpyware and ComboFix, the system should be just about back to normal after running them.
 
So install Malwarebytes, run it, and that should take care of the whole problem?

I read this, and thought that.
Important: Please read before posting Thread said:
Before posting any Malware Removal problem please run a scan with Malwarebytes' Anti-Malware. If you are still experiencing problems, post the log it produces along with a HijackThis log and a detailed description of the problems you are experiencing:
 
I'd say run Malwarebytes, run HijackThis, then post both logs in this thread.
 
Basically, Malwarebytes will give us a good idea of the initial infection, and then if it spread we can identify where it would have spread and delete files accordingly. (If applicable)
 
Alright, MB is scanning, but also, a program that was run, called something like Super Anti Virus, uninstalled/deleted a registry file. I believe it's the one that makes it boot, because ever since it did, I can't boot normally; I have to go into Safe Mode.

Scan results will be posted soon.

Thanks.
 
I would boot into a PE and run some antivirus and anti-spyware stuff, then probably clean up all temp files and registry junk, and then boot into Safe Mode and see what processes are running at startup. Then watch to see what processes try to access the internet to send anything back out.
 
Here are the logs.

Malwarebytes' Anti-Malware 1.28
Database version: 1134
Windows 5.1.2600 Service Pack 2

10/6/2008 8:10:43 PM
mbam-log-2008-10-06 (20-10-32).txt

Scan type: Quick Scan
Objects scanned: 46515
Time elapsed: 10 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 23
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 17
Files Infected: 37

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\__c005FC42.jpg (Trojan.Downloader) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\bho_myjavacore.mjcore (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\bho_myjavacore.mjcore.1 (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\getsn32.msiesn (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{252874d8-5b00-4b93-a282-4ca656598278} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{e221c81b-e518-4f93-b0d2-14e52065417a} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{2d9f1530-0b38-4dcb-a90a-cecd559f3514} (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2d9f1530-0b38-4dcb-a90a-cecd559f3514} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\smwin32.mdr (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{e6be5e3a-23f3-4ec2-b9b7-bcd9a601f2a3} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{38754e01-ac2e-482b-95fa-f1aee41823c4} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{9f146720-43f3-4fa6-b9e5-4fb13f8c2ffd} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{17e44256-51e0-4d46-a0c8-44e80ab4ba5b} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{e0f01490-dcf3-4357-95aa-169a8c2b2190} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\AppID\{80ef304a-b1c4-425c-8535-95ab6f1eefb8} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c005fc42 (Trojan.Downloader) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\GetPack (Adware.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpeedRunner (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avicore (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Deewoo Network Manager (Adware.Radio) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b0dbe16a (Trojan.Vundo.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Desktop) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uesiuqcr.exe,) Good: (userinit.exe) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
C:\WINDOWS\system32\enB (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\hcp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\Xtmp (Trojan.Agent) -> No action taken.
C:\Program Files\VnrBlock (Trojan.Agent) -> No action taken.
C:\Program Files\Twain (Trojan.Agent) -> No action taken.
C:\Program Files\Registry Defender Platinum (Rogue.RegistryDefender) -> No action taken.
C:\Program Files\Registry Defender Platinum\backup (Rogue.RegistryDefender) -> No action taken.
C:\Program Files\Mjcore (Trojan.BHO) -> No action taken.
C:\Documents and Settings\NetworkService\Application Data\NetMon (Trojan.NetMon) -> No action taken.
C:\Documents and Settings\LocalService\Application Data\NetMon (Trojan.NetMon) -> No action taken.
C:\Documents and Settings\LocalService\Application Data\ShoppingReport (Adware.Shopping.Report) -> No action taken.
C:\Documents and Settings\LocalService\Application Data\ShoppingReport\cs (Adware.Shopping.Report) -> No action taken.
C:\Documents and Settings\LocalService\Application Data\ShoppingReport\cs\db (Adware.Shopping.Report) -> No action taken.
C:\Documents and Settings\LocalService\Application Data\ShoppingReport\cs\dwld (Adware.Shopping.Report) -> No action taken.
C:\Documents and Settings\LocalService\Application Data\ShoppingReport\cs\report (Adware.Shopping.Report) -> No action taken.
C:\Documents and Settings\LocalService\Application Data\ShoppingReport\cs\res1 (Adware.Shopping.Report) -> No action taken.
C:\Documents and Settings\lynch\Application Data\Microsoft\dtsc (Trojan.Agent) -> No action taken.

Files Infected:
C:\WINDOWS\system32\dtvbnnfa.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\afnnbvtd.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\nyncpmpl.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\lpmpcnyn.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\getsn32.dll (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\smwin32.dll (Trojan.FakeAlert) -> No action taken.
C:\Program Files\Mjcore\Mjcore.dll (Trojan.BHO) -> No action taken.
C:\Program Files\VnrBlock\xenvertupd.exe (Trojan.Agent) -> No action taken.
C:\Program Files\VnrBlock\xtarga.gz (Trojan.Agent) -> No action taken.
C:\Program Files\Registry Defender Platinum\report.csv (Rogue.RegistryDefender) -> No action taken.
C:\Program Files\Registry Defender Platinum\backup\9_7_2008.reg (Rogue.RegistryDefender) -> No action taken.
C:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt (Trojan.NetMon) -> No action taken.
C:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt (Trojan.NetMon) -> No action taken.
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt (Trojan.NetMon) -> No action taken.
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt (Trojan.NetMon) -> No action taken.
C:\Documents and Settings\LocalService\Application Data\ShoppingReport\cs\Config.xml (Adware.Shopping.Report) -> No action taken.
C:\Documents and Settings\LocalService\Application Data\ShoppingReport\cs\db\Aliases.dbs (Adware.Shopping.Report) -> No action taken.
C:\Documents and Settings\LocalService\Application Data\ShoppingReport\cs\db\Sites.dbs (Adware.Shopping.Report) -> No action taken.
C:\Documents and Settings\LocalService\Application Data\ShoppingReport\cs\dwld\WhiteList.xip (Adware.Shopping.Report) -> No action taken.
C:\Documents and Settings\LocalService\Application Data\ShoppingReport\cs\report\aggr_storage.xml (Adware.Shopping.Report) -> No action taken.
C:\Documents and Settings\LocalService\Application Data\ShoppingReport\cs\report\send_storage.xml (Adware.Shopping.Report) -> No action taken.
C:\Documents and Settings\LocalService\Application Data\ShoppingReport\cs\res1\WhiteList.dbs (Adware.Shopping.Report) -> No action taken.
C:\Documents and Settings\lynch\Application Data\Microsoft\dtsc\s (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\__c005FC42.jpg (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> No action taken.
C:\WINDOWS\default.htm (Trojan.Agent) -> No action taken.
C:\WINDOWS\cookies.ini (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\gside.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\winpfz33.sys (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> No action taken.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\BMb3e8d2f6.xml (Trojan.Vundo) -> No action taken.
C:\WINDOWS\BMb3e8d2f6.txt (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\lynch\Desktop\Real Music Ringtones.url (Rogue.Link) -> No action taken.
C:\Documents and Settings\lynch\Desktop\Internet Security Suite.url (Rogue.Link) -> No action taken.
C:\Documents and Settings\lynch\Start Menu\Programs\Startup\DW_Start.lnk (Malware.Links) -> No action taken.
C:\Documents and Settings\lynch\Start Menu\Programs\Startup\Deewoo.lnk (Malware.Links) -> No action taken.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:56:35 PM, on 10/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uesiuqcr.exe,
O2 - BHO: (no name) - {19A5C91E-07D8-0F5B-8E4E-5AC00351829E} - C:\WINDOWS\system32\xxu.dll (file missing)
O2 - BHO: getsn32.msiesn - {2D9F1530-0B38-4DCB-A90A-CECD559F3514} - C:\WINDOWS\system32\getsn32.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5709047F-5FEF-4F4F-81F8-BB50725AB5D0} - C:\WINDOWS\system32\iifdbXOI.dll (file missing)
O2 - BHO: OIN Analytics - {6B221E01-F517-4959-8C41-81948E7F2F17} - C:\Program Files\OINAnalytics\OINAnalytics1.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [prunnet] "C:\DOCUME~1\lynch\LOCALS~1\Temp\prun.exe"
O4 - HKLM\..\Run: [b0dbe16a] rundll32.exe "C:\WINDOWS\system32\dtvbnnfa.dll",b
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [36188939323610645882190786107678] C:\Program Files\Antivirus 2009\av2009.exe
O4 - HKCU\..\Run: [Gfkd] "C:\Program Files\Common Files\F?nts\n?pdb.exe"
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\tcntltdl.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\dwwnw64r.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1189198643578
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: hnlled.dll,avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avicore - avicore.dll (file missing)
O20 - Winlogon Notify: iiffCSKB - iiffCSKB.dll (file missing)
O20 - Winlogon Notify: __c005FC42 - C:\WINDOWS\SYSTEM32\__c005FC42.jpg
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Unknown owner - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Unknown owner - C:\WINDOWS\system32\basfipm.exe (file missing)
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: EvtEng - Unknown owner - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RegSrvc - Unknown owner - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Unknown owner - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (file missing)
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: WLANKEEPER - Unknown owner - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6646 bytes
 
You didn't select an action after the Malwarebytes scan; run it again and select "Remove". See the sticky for more instructions if you need them.
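A quick way to do that check yourself, and to pull the lines worth a second look out of a HijackThis log, is a small script. This is an added example, not part of the thread and not code from Malwarebytes or HijackThis. The sample log lines embedded in it are copied from the two logs posted above (trimmed to a handful); the triage rules are heuristics I chose for this thread, not a detection standard: Userinit carrying anything besides userinit.exe, Winlogon Notify handlers that are missing or are not .dll files, Run entries launched from a Temp folder, via rundll32, or named with a long numeric string, Startup links into system32, BHOs that live in system32, and any AppInit_DLLs line.

```python
import re

# Excerpt of the HijackThis log posted above (constructed sample input for
# this example: real lines from the thread, trimmed to a handful).
HJT_SAMPLE = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uesiuqcr.exe,
O2 - BHO: getsn32.msiesn - {2D9F1530-0B38-4DCB-A90A-CECD559F3514} - C:\WINDOWS\system32\getsn32.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [prunnet] "C:\DOCUME~1\lynch\LOCALS~1\Temp\prun.exe"
O4 - HKLM\..\Run: [b0dbe16a] rundll32.exe "C:\WINDOWS\system32\dtvbnnfa.dll",b
O4 - HKCU\..\Run: [36188939323610645882190786107678] C:\Program Files\Antivirus 2009\av2009.exe
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\tcntltdl.exe
O20 - AppInit_DLLs: hnlled.dll,avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avicore - avicore.dll (file missing)
O20 - Winlogon Notify: __c005FC42 - C:\WINDOWS\SYSTEM32\__c005FC42.jpg
"""

# Excerpt of the Malwarebytes log posted above (same provenance as HJT_SAMPLE).
MBAM_SAMPLE = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uesiuqcr.exe,) Good: (userinit.exe) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.

Files Infected:
C:\WINDOWS\system32\dtvbnnfa.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\getsn32.dll (Trojan.FakeAlert) -> No action taken.
"""

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Split a HijackThis log into (section, body) pairs, skipping the header."""
    items = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            items.append((m.group("sec"), m.group("body")))
    return items


def flag_hjt(items):
    """Return (reason, line) pairs for entries worth a closer look.  These are
    triage heuristics, not verdicts: a legitimate rundll32 Run entry or a
    security product's AppInit DLL will show up here too and must be checked
    by hand."""
    flags = []
    for sec, body in items:
        b = body.lower()
        if sec == "F2" and "userinit=" in b:
            entries = [e.strip() for e in b.split("userinit=", 1)[1].split(",") if e.strip()]
            if any(not e.endswith("\\userinit.exe") for e in entries):
                flags.append(("userinit-hijack", body))
        elif sec == "O2" and "\\system32\\" in b:
            flags.append(("bho-in-system32", body))
        elif sec == "O4":
            if ("\\temp\\" in b or "rundll32.exe" in b
                    or re.search(r"\[\d{20,}\]", b)
                    or ("startup:" in b and "\\system32\\" in b)):
                flags.append(("autorun", body))
        elif sec == "O20" and "appinit_dlls" in b:
            flags.append(("appinit-dlls", body))
        elif sec == "O20" and "winlogon notify" in b:
            target = b.rsplit(" - ", 1)[-1]
            if "(file missing)" in target or not target.endswith(".dll"):
                flags.append(("winlogon-notify", body))
    return flags


def parse_mbam(text):
    """Return (item, family, action) for every detection line in an MBAM log."""
    out = []
    for line in text.splitlines():
        if " -> " not in line:
            continue  # section headers and blank lines
        parts = line.split(" -> ")
        action = parts[-1].strip().rstrip(".")
        m = re.match(r"^(?P<item>.*) \((?P<family>[A-Za-z][\w.]*)\)$", parts[0])
        if m:
            out.append((m.group("item"), m.group("family"), action))
    return out


def mbam_summary(items):
    """Count detections and how many the scan left untreated ('No action taken')."""
    untreated = [i for i in items if i[2].lower() == "no action taken"]
    return {"total": len(items), "untreated": len(untreated),
            "families": sorted({fam for _, fam, _ in items})}


if __name__ == "__main__":
    for reason, line in flag_hjt(parse_hjt(HJT_SAMPLE)):
        print(f"{reason:17} {line}")
    print(mbam_summary(parse_mbam(MBAM_SAMPLE)))
```

Swap the embedded samples for the real log files and run it under Python 3 on any machine. On the excerpt above every Malwarebytes detection comes back as untreated, which is exactly the point of the reply: the scan found the items but nothing was removed. The AppInit_DLLs line is flagged as a whole because it mixes an unknown hnlled.dll with AVG's avgrsstx.dll; the SUPERAntiSpyware Winlogon hook and the iTunes Run entry are not flagged.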
 
So, rerun Malwarebytes, but choose Remove?

Then show the log again?

And run ComboFix after I run the Remove scan?

Thanks.
 
What do I do about restoring the missing registry file?

It's the file that, when deleted, won't let you boot up normally, so I'm in Safe Mode.

Thanks.
 