Serious Adware Problem

#11
21st Jan 2008, 23:22
Moderator Group

Another scan that will not take long.

Download SDFix.exe and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard).
  • Finally add the contents of the Report.txt in your next post.

----------

Next post
SDFix log

#12
21st Jan 2008, 23:48
Member Group

ok here u go bud, still got popups lol.



SDFix: Version 1.130
Run by Richard on Tue 01/22/2008 at 01:32 AM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...

Normal Mode:
Checking Files:
No Trojan Files Found


Folder C:\Temp\tn3 - Removed

Removing Temp Files...
ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.


Final Check:
catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-22 01:39:37
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:59,5d,1c,a2,70,7c,1f,15,b0,3e,76,7e,84,b3,21,cd,05,92,ee,e2,8d,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,b3,f3,e8,53,98,c1,ad,79,af,0d,6b,ac,05,cd,69,ae,75,..
"khjeh"=hex:b9,fd,ee,ba,2c,ba,17,76,38,29,90,5a,1f,8b,53,02,5f,e1,be,b9,d1,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:69,6d,7a,50,75,7e,9d,31,42,9c,f7,a2,fb,8d,fd,a8,aa,f1,c4,6c,89,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:42,32,19,e6,4f,0b,5c,e2,f2,84,48,a1,44,49,36,af,14,0b,58,88,9c,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:59,5d,1c,a2,70,7c,1f,15,b0,3e,76,7e,84,b3,21,cd,05,92,ee,e2,8d,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,b3,f3,e8,53,98,c1,ad,79,af,0d,6b,ac,05,cd,69,ae,75,..
"khjeh"=hex:b9,fd,ee,ba,2c,ba,17,76,38,29,90,5a,1f,8b,53,02,5f,e1,be,b9,d1,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:69,6d,7a,50,75,7e,9d,31,42,9c,f7,a2,fb,8d,fd,a8,aa,f1,c4,6c,89,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:42,32,19,e6,4f,0b,5c,e2,f2,84,48,a1,44,49,36,af,14,0b,58,88,9c,..
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:
------------------

Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
Remaining Files:
---------------

Files with Hidden Attributes:
Tue 4 Dec 2007 24 ..SH. --- "C:\WINDOWS\S8610E483.tmp"
Wed 10 Oct 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 3 Sep 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\7b94d041c29d0b8d724c97ae0005e71b\BIT14.tmp"
Mon 3 Sep 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f040a43a7788e207ef67f26bf9f0471f\BIT1F.tmp"
Finished!

#13
21st Jan 2008, 23:55
Moderator Group

OK, we are going to have to run a very in-depth scan. This one will take a while so I probably will not be here when you post the log. (if you do tonight) I have to get some sleep but will be back on in the morning. This log is very important!!!


Run CCleaner again to clear out anything that it can. It will help to speed up this scan. It still will take a long time to run so don't be surprised if it goes well over an hour.


Use the Kaspersky Online Scanner
  • Click Accept.
  • Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
When the scan is done, in the Scan is complete window (below), any infection is displayed.
There is no option to clean/disinfect; however, we need to analyze the information on the report.


To obtain the report:
Click on: Save Report As... (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop.
In the File name area, use KScan, or something similar.
In Save as type: click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please attach the Kaspersky Online Scanner Report in your next post.

---------------

Next post
Kscan log

Be back on this tomorrow. We will get it, don't worry there. It is just hidden very well. The Kaspersky scan will find it.

#14
22nd Jan 2008, 00:00
Member Group

k cya round 3:00 pm i have school tomorrow

#15
22nd Jan 2008, 00:03
Moderator Group

Sounds good.

Later.

#16
22nd Jan 2008, 13:57
Member Group

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, January 22, 2008 6:19:15 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 22/01/2008
Kaspersky Anti-Virus database records: 526417
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 67894
Number of viruses found: 4
Number of infected objects: 6
Number of suspicious objects: 0
Duration of the scan process: 01:23:16
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Richard\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Richard\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\Richard\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Richard\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Richard\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Richard\Local Settings\Temp\Perflib_Perfdata_928.dat Object is locked skipped
C:\Documents and Settings\Richard\Local Settings\Temp\Perflib_Perfdata_d14.dat Object is locked skipped
C:\Documents and Settings\Richard\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Richard\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Richard\ntuser.dat Object is locked skipped
C:\Documents and Settings\Richard\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Morpheus\morpheustoolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{8976CBE2-1549-4661-87C3-C00D39BB8C88}\RP144\A0092919.dll Infected: not-a-virus:AdWare.Win32.Shopper.q skipped
C:\System Volume Information\_restore{8976CBE2-1549-4661-87C3-C00D39BB8C88}\RP174\A0101637.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\System Volume Information\_restore{8976CBE2-1549-4661-87C3-C00D39BB8C88}\RP175\A0101657.dll Infected: not-a-virus:AdWare.Win32.Shopper.q skipped
C:\System Volume Information\_restore{8976CBE2-1549-4661-87C3-C00D39BB8C88}\RP176\A0101757.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\System Volume Information\_restore{8976CBE2-1549-4661-87C3-C00D39BB8C88}\RP176\A0101772.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\System Volume Information\_restore{8976CBE2-1549-4661-87C3-C00D39BB8C88}\RP180\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\RTacDbg.txt Object is locked skipped
C:\WINDOWS\S8610E483.tmp Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\ALCXWDMM.sys Object is locked skipped
C:\WINDOWS\system32\drivers\core.cache.dsk Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
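As an added illustration of how a report like the one above is read, here is a short Python triage script. It is not code from the thread or from Kaspersky; it assumes the line shapes visible in the report (a path followed by either "Object is locked skipped" or "Infected: <detection name> <action>") and treats any hit whose path runs through System Volume Information\_restore{GUID}\RPnnn\ as a System Restore snapshot copy rather than a file on the live system. Locked objects are files the scanner could not open (registry hives, event logs, index.dat files in use), not detections. The embedded sample is an excerpt constructed from lines of the report above.

```python
"""Triage a Kaspersky Online Scanner text report (added example).

Not code from the thread or from Kaspersky. Assumes the report format seen
above: one result per line, ending in either "Object is locked skipped"
(the scanner could not open the file) or "Infected: <name> <action>".
Paths through System Volume Information\_restore{GUID}\RPnnn\ are
System Restore snapshot copies, not files that run on the live system.
"""
import re
from dataclasses import dataclass, field

LOCKED = re.compile(r"^(?P<path>.+?)\s+Object is locked\s+skipped$")
INFECTED = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<name>\S+)\s+(?P<action>\S+)$")
RESTORE_POINT = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(?P<rp>\d+)\\",
    re.IGNORECASE,
)


@dataclass
class Triage:
    locked: list = field(default_factory=list)               # paths the scanner could not open
    restore_point_hits: list = field(default_factory=list)   # (path, detection name, RP number)
    live_hits: list = field(default_factory=list)            # (path, detection name)
    unparsed: list = field(default_factory=list)             # headers, statistics, anything else


def triage_report(text: str) -> Triage:
    """Classify every non-blank line of the report into one of four buckets."""
    t = Triage()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LOCKED.match(line)
        if m:
            t.locked.append(m.group("path"))
            continue
        m = INFECTED.match(line)
        if m:
            path, name = m.group("path"), m.group("name")
            rp = RESTORE_POINT.search(path)
            if rp:
                t.restore_point_hits.append((path, name, int(rp.group("rp"))))
            else:
                t.live_hits.append((path, name))
            continue
        t.unparsed.append(line)   # kept rather than silently dropped
    return t


def actionable_paths(t: Triage) -> list:
    """Only live, non-restore-point hits need a removal step."""
    return [path for path, _name in t.live_hits]


def detection_families(t: Triage) -> dict:
    """Count detection names across live and restore-point hits."""
    counts = {}
    for _path, name in t.live_hits:
        counts[name] = counts.get(name, 0) + 1
    for _path, name, _rp in t.restore_point_hits:
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed excerpt in the report's format, using lines from the post above.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Program Files\Morpheus\morpheustoolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\System Volume Information\_restore{8976CBE2-1549-4661-87C3-C00D39BB8C88}\RP144\A0092919.dll Infected: not-a-virus:AdWare.Win32.Shopper.q skipped
C:\System Volume Information\_restore{8976CBE2-1549-4661-87C3-C00D39BB8C88}\RP176\A0101772.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
Scan process completed.
"""

if __name__ == "__main__":
    result = triage_report(SAMPLE_REPORT)
    print("needs action:", actionable_paths(result))
    print("restore-point only:", [(p, rp) for p, _n, rp in result.restore_point_hits])
    print("locked/skipped (no detection):", len(result.locked))
    print("families:", detection_families(result))
```

Run on the sample, the only path in the "needs action" list is the Morpheus toolbar executable; the Shopper and WhenU hits sit in restore points RP144 and RP176, and the six locked entries carry no detection at all. Unparsed lines are kept in a separate bucket so a format change in the report shows up as unexpected leftovers rather than silently dropped findings.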

#17
22nd Jan 2008, 14:16
Moderator Group

There is only one place in the log that needs fixed.


Please download OTMoveIt2 by OldTimer OTMoveIt2.exe and save it to your desktop.

Double click OTMoveIt2.exe to launch it.

Be sure there is a check mark next to Unregister Dll's and OCX's
  • Copy the file path in the code box below to the clipboard by highlighting ALL of them.
  • Then right-click and choose copy.

Code:
 C:\Program Files\Morpheus\morpheustoolbar.exe
  • Return to OTMoveIt, right click in the Paste List of Files/Folders to be moved window and choose Paste.
  • Click the red MoveIt! button.
  • The list will be processed and the results will appear in the right hand pane.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them.
  • Then right-click and choose copy, and paste it on your next reply.
  • When finished click Exit to exit the program.
  • Please add the log in your next reply.
  • If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.
  • If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at : C:\_OTMoveIt\MovedFiles\********_******.log
  • (where "********_******" is the "date_time")

Click Exit to close OTMoveIt.

Next post
OTMoveIt log

#18
22nd Jan 2008, 14:40
Member Group

C:\Program Files\Morpheus\morpheustoolbar.exe moved successfully.

OTMoveIt2 v1.0.12 log created on 01222008_164000

#19
22nd Jan 2008, 14:44
Member Group

still have popups though

#20
22nd Jan 2008, 14:44
Moderator Group

Finally!!!!!!!!!

How is the computer now?
Copyright ©2006 - 2009 Computer Juice.