Symptoms:
Computer would crash at the slightest thing.
Excessive CPU usage when there shouldn't have been any at all.
Advertisement pop-ups consistently appearing, even though a pop-up blocker was and is in effect.
Computer Specs (to the best of my knowledge):
MS Windows Vista Home Premium SP1
AMD Turion 64x2 Mobile Technology TL-56, 1.0 GB RAM, NVIDIA GeForce Go 6150
I went through and followed all of the steps in evilfantasy's thread Malware Removal Guide. Here are the logs that were produced by that process:
SUPERAntiSpyware Log:
SUPERAntiSpyware Scan Log
SUPERAntiSpyware.com - AntiAdware, AntiSpyware, AntiMalware!
Generated 03/23/2009 at 02:33 AM
Application Version : 4.25.1014
Core Rules Database Version : 3808
Trace Rules Database Version: 1763
Scan type : Complete Scan
Total Scan Time : 00:14:27
Memory items scanned : 697
Memory threats detected : 0
Registry items scanned : 9211
Registry threats detected : 17
File items scanned : 1344553
File threats detected : 42
Adware.Vundo Variant
HKU\S-1-5-21-3651988030-2816261115-2443883187-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7FC6B132-EA18-4D69-86E0-423E7B940BDC}
Adware.Tracking Cookie
C:\Users\The Kids\AppData\Roaming\Microsoft\Windows\Cookies\the_kids@cdn.at.atwola[1].txt
C:\Users\The Kids\AppData\Roaming\Microsoft\Windows\Cookies\the_kids@advertising[1].txt
C:\Users\The Kids\AppData\Roaming\Microsoft\Windows\Cookies\the_kids@ar.atwola[1].txt
C:\Users\The Kids\AppData\Roaming\Microsoft\Windows\Cookies\the_kids@at.atwola[1].txt
C:\Users\The Kids\AppData\Roaming\Microsoft\Windows\Cookies\the_kids@atwola[2].txt
C:\Users\The Kids\AppData\Roaming\Microsoft\Windows\Cookies\the_kids@atdmt[1].txt
C:\Users\The Kids\AppData\Roaming\Microsoft\Windows\Cookies\the_kids@247realmedia[1].txt
C:\Documents and Settings\The Kids\AppData\Roaming\Microsoft\Windows\Cookies\the_kids@ar.atwola[1].txt
C:\Documents and Settings\The Kids\AppData\Roaming\Microsoft\Windows\Cookies\the_kids@at.atwola[1].txt
C:\Documents and Settings\The Kids\AppData\Roaming\Microsoft\Windows\Cookies\the_kids@atwola[2].txt
C:\Documents and Settings\The Kids\AppData\Roaming\Microsoft\Windows\Cookies\the_kids@cdn.at.atwola[1].txt
C:\Documents and Settings\The Kids\Application Data\Microsoft\Windows\Cookies\the_kids@ar.atwola[1].txt
C:\Documents and Settings\The Kids\Application Data\Microsoft\Windows\Cookies\the_kids@at.atwola[1].txt
C:\Documents and Settings\The Kids\Application Data\Microsoft\Windows\Cookies\the_kids@atwola[2].txt
C:\Documents and Settings\The Kids\Application Data\Microsoft\Windows\Cookies\the_kids@cdn.at.atwola[1].txt
C:\Documents and Settings\The Kids\Cookies\the_kids@ar.atwola[1].txt
C:\Documents and Settings\The Kids\Cookies\the_kids@at.atwola[1].txt
C:\Documents and Settings\The Kids\Cookies\the_kids@atwola[2].txt
C:\Documents and Settings\The Kids\Cookies\the_kids@cdn.at.atwola[1].txt
C:\Users\The Kids\AppData\Roaming\Microsoft\Windows\Cookies\the_kids@atwola[1].txt
C:\Users\The Kids\Application Data\Microsoft\Windows\Cookies\the_kids@247realmedia[1].txt
C:\Users\The Kids\Application Data\Microsoft\Windows\Cookies\the_kids@ad.yieldmanager[1].txt
C:\Users\The Kids\Application Data\Microsoft\Windows\Cookies\the_kids@advertising[1].txt
C:\Users\The Kids\Application Data\Microsoft\Windows\Cookies\the_kids@ar.atwola[1].txt
C:\Users\The Kids\Application Data\Microsoft\Windows\Cookies\the_kids@at.atwola[1].txt
C:\Users\The Kids\Application Data\Microsoft\Windows\Cookies\the_kids@atdmt[1].txt
C:\Users\The Kids\Application Data\Microsoft\Windows\Cookies\the_kids@atwola[1].txt
C:\Users\The Kids\Application Data\Microsoft\Windows\Cookies\the_kids@cdn.at.atwola[1].txt
C:\Users\The Kids\Application Data\Microsoft\Windows\Cookies\the_kids@doubleclick[1].txt
C:\Users\The Kids\Cookies\the_kids@247realmedia[1].txt
C:\Users\The Kids\Cookies\the_kids@ad.yieldmanager[1].txt
C:\Users\The Kids\Cookies\the_kids@advertising[1].txt
C:\Users\The Kids\Cookies\the_kids@ar.atwola[1].txt
C:\Users\The Kids\Cookies\the_kids@at.atwola[1].txt
C:\Users\The Kids\Cookies\the_kids@atdmt[1].txt
C:\Users\The Kids\Cookies\the_kids@atwola[1].txt
C:\Users\The Kids\Cookies\the_kids@cdn.at.atwola[1].txt
C:\Users\The Kids\Cookies\the_kids@doubleclick[1].txt
Trojan.DNSChanger-Codec
HKCR\e405.e405mgr
HKCR\e405.e405mgr\CLSID
HKCR\e405.e405mgr\CurVer
HKCR\e405.e405mgr.1
HKCR\e405.e405mgr.1\CLSID
Adware.E404 Helper/Hij
HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}
HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0
HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\0
HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\0\win32
HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\FLAGS
HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\HELPDIR
HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}
HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\ProxyStubClsid
HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\ProxyStubClsid32
HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\TypeLib
HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\TypeLib#Version
Adware.Vundo/Variant-MSFake
C:\DOCUMENTS AND SETTINGS\THE KIDS\APPDATA\LOCALLOW\GARAGEGAMES\IAPLAYER\PRODUCTS\WWW_INSTANTACTION_COM\101\INSTALL\D3DX9_33.DLL
C:\USERS\THE KIDS\APPDATA\LOCALLOW\GARAGEGAMES\IAPLAYER\PRODUCTS\WWW_INSTANTACTION_COM\101\INSTALL\D3DX9_33.DLL
Unclassified.Unknown Origin
C:\DOCUMENTS AND SETTINGS\THE KIDS\DESKTOP\MEDIA\SIBELIUS EVERYTHING\SIBELIUS5\SIBELIUS4WINDOWSKEYGENWEASEL\KEYGEN.NFO
C:\USERS\THE KIDS\DESKTOP\MEDIA\SIBELIUS EVERYTHING\SIBELIUS5\SIBELIUS4WINDOWSKEYGENWEASEL\KEYGEN.NFO
HijackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:30:15 PM, on 3/23/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\taskmgr.exe
C:\Users\The Kids\Desktop\sniper.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = AOL.com - Welcome to AOL
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = AOL.com - Welcome to AOL
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
R3 - URLSearchHook: livetvbar Toolbar - {ad55c869-668e-457c-b270-0cfb2f61116f} - C:\Program Files\livetvbar\tblive.dll
O1 - Hosts: ::1 localhost
O1 - Hosts: 216.107.250.194 nprotect.lineage2.com
O1 - Hosts: 78.46.49.43 l2authd.lineage2.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: ooVoo Toolbar - {A057A204-BACC-4D26-8087-36EE87E26986} - C:\PROGRA~1\OOVOOT~1\OOVOOT~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: livetvbar Toolbar - {ad55c869-668e-457c-b270-0cfb2f61116f} - C:\Program Files\livetvbar\tblive.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O3 - Toolbar: ooVoo Toolbar - {A057A204-BACC-4D26-8087-36EE87E26986} - C:\PROGRA~1\OOVOOT~1\OOVOOT~1.DLL
O3 - Toolbar: livetvbar Toolbar - {ad55c869-668e-457c-b270-0cfb2f61116f} - C:\Program Files\livetvbar\tblive.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = pasco.k12.fl.us
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = pasco.k12.fl.us
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 10107 bytes
Before going through the steps in the Malware Removal Guide, the only things I had done previously were to try and attempt to run several scans in AVG and Ad-Aware 2008. These usually did not produce any results because my computer would crash before they could ever complete the scan. There was one time, however, when AVG was able to pick up something: a .dll file with the "gaop" prefix of the FakeAlert virus family (the full .dll is gaopdxxdeyicbx.dll). In one of the above scans in the Malware Removal Guide process (SUPERAntiSpyware, I believe), a .dll file with the "gaop" prefix was found and removed, so I am hoping that the issue has been resolved. However, I will let you guys take a look at what I've posted and see what you guys think.
Thanks for all the help,
Live4tenors