#1
I got a virus, if you can call it that, because it was mainly advertising products, which brings me on to my question. This virus made popups occur on my screen and removed my programs from the Start menu (well, hid them), maybe to stop me from using my antivirus programs, but I'm not an average user so I was able to find the programs other ways. It even removed my serial key from being displayed and replaced it with (virus found!). WHY aren't these companies getting court orders and fined? They must be breaking some sort of law, right? I gave no permission for this software to go on my PC, ONLY the so-called sound driver. Surely the companies trying to sell products are asking the virus maker to put them in or something? I even got a popup saying my Windows is not genuine and asking me to purchase one off a non-Microsoft website. I feel sorry and worried for the average users that fall for this. It took me 2 hours to remove every last bit of this virus/spyware, about 6 antivirus/antispyware programs, and undoing registry tweaks, which is serious. I'm just lucky the virus didn't go all the way into the registry, because I would be looking at a fresh install. But with help in the past from this website I knew exactly what to do and what programs to use to get rid of this virus, so thanks computerJUICE. Special thanks also to evilfantasy, who has helped me every time.
__________________
My System: P*L*A*Z*M*A
#2
Post the log files from the malware guide, fella.
__________________
My System: Hybr!d
#3
I knew you would ask. I thought I had deleted them, but this is what I found:

```
Malwarebytes' Anti-Malware 1.28
Database version: 1226
Windows 5.1.2600 Service Pack 3

03/10/2008 16:06:19
mbam-log-2008-10-03 (16-06-19).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 94046
Time elapsed: 1 hour(s), 38 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 11
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("%1" %*) Good: ("%1" /S) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (HH:mm:ss) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\peter's PC\Application Data\Adobe\Player.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\fkebanrw.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
```

SPYBOT results: http://i124.photobucket.com/albums/p...-results-1.jpg
__________________
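The Malwarebytes log in the post above lists each restored registry setting as a Bad/Good pair and gives per-section counts in its header. As an added example (not code from this thread or from Malwarebytes), the Python below parses that log layout, checks that the header counts match the entries actually pasted (a truncated paste shows up as a mismatch), pulls out the tampered settings, and decodes the NoDrives bitmask that hid the C: and D: drives. The sample log is a constructed excerpt of the one posted.

```python
import re
from collections import defaultdict

# Constructed excerpt in the layout of the Malwarebytes' Anti-Malware 1.28 log posted above.
SAMPLE_LOG = r"""
Registry Values Infected: 1
Registry Data Items Infected: 3
Files Infected: 2
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (HH:mm:ss) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\fkebanrw.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\peter's PC\Application Data\Adobe\Player.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# "<section> Infected: <n>" in the summary; "<section> Infected:" opens a detail section.
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):(?: (?P<count>\d+))?$")
# "<item> (<family>) [-> Bad: (<bad>) Good: (<good>)] -> <action>."
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\)"
                      r"(?: -> Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\))?"
                      r" -> (?P<action>[^>]+?)\.?$")

def parse_mbam_log(text):
    """Return (declared summary counts, parsed entries per detail section)."""
    counts, detections, section = {}, defaultdict(list), None
    for line in (l.strip() for l in text.splitlines()):
        h = HEADER_RE.match(line)
        if h and h.group("count") is not None:
            counts[h.group("section")] = int(h.group("count"))
        elif h:
            section = h.group("section")
        elif (e := ENTRY_RE.match(line)) and section:
            detections[section].append(e.groupdict())
    return counts, dict(detections)

def count_mismatches(text):
    """Sections whose declared count differs from the entries listed: (declared, found)."""
    counts, detections = parse_mbam_log(text)
    found = {s: len(detections.get(s, [])) for s in counts}
    return {s: (n, found[s]) for s, n in counts.items() if n != found[s]}

def tampered_settings(text):
    """Registry data items the scanner restored, as (value name, bad, good)."""
    _, detections = parse_mbam_log(text)
    return [(d["item"].rsplit("\\", 1)[-1], d["bad"], d["good"])
            for d in detections.get("Registry Data Items Infected", [])]

def hidden_drives(mask):
    """Decode an Explorer NoDrives bitmask (bit 0 = A:, bit 1 = B:, ...) into drive letters."""
    return [chr(ord("A") + i) for i in range(26) if mask >> i & 1]
```

Run against the full log in the post, the NoDrives value 12 decodes to C: and D:, exactly the two volumes the Full Scan covered.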
#4
Download ComboFix by sUBs from one of the links below. Be sure to save it to the Desktop.

Link #1
Link #2

Note: It is important that it is saved directly to your Desktop.

- Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.
- Temporarily disable your antivirus, and any antispyware real-time protection, before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
- Double-click combofix.exe & follow the prompts.
- When finished, ComboFix will produce a log for you.
- Post the ComboFix log and a new HijackThis log in your next reply.

Important: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.
#5
```
ComboFix 08-10-04.02 - peter's PC 2008-10-05 1:48:23.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.438 [GMT 1:00]
Running from: C:\Documents and Settings\peter's PC\Desktop\ComboFix.exe
 * Created a new restore point
 * Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-09-05 to 2008-10-05 )))))))))))))))))))))))))))))))
.
2008-10-05 01:05 . 2008-10-05 01:05 <DIR> d-------- C:\Program Files\Common Files\NSV
2008-10-03 11:09 . 2008-10-03 11:09 14,852 --a------ C:\WINDOWS\system32\Setup_ver1.1441.0.exe
2008-10-02 08:12 . 2006-11-02 02:50 128,104 --a------ C:\WINDOWS\system32\drivers\WimFltr.sys
2008-09-29 21:41 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-29 20:32 . 2008-09-29 21:00 <DIR> d-------- C:\Program Files\TESTOUT
2008-09-29 20:32 . 2003-06-23 02:44 1,415,680 --a------ C:\WINDOWS\system32\WMV9VCM.DLL
2008-09-29 20:32 . 1999-12-16 00:01 49,152 --a------ C:\WINDOWS\system32\TSCCVID.DLL
2008-09-27 00:26 . 2008-10-02 10:11 <DIR> d-------- C:\Program Files\vLite (for vista)
2008-09-22 15:11 . 2008-09-22 15:25 <DIR> d-------- C:\Program Files\NCH Swift Sound
2008-09-22 15:11 . 2008-09-22 15:23 <DIR> d-------- C:\Documents and Settings\peter's PC\Application Data\NCH Swift Sound
2008-09-22 15:11 . 2008-09-22 15:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-09-21 21:21 . 2008-09-21 21:21 472,576 --a------ C:\WINDOWS\uninstall.exe
2008-09-21 21:21 . 2008-09-21 21:23 69,736 --a------ C:\WINDOWS\uninstall.dat
2008-09-21 21:21 . 2008-09-21 21:23 312 --a------ C:\WINDOWS\uninstall.xml
2008-09-14 19:01 . 2008-09-27 01:41 <DIR> d-------- C:\Documents and Settings\peter's PC\Application Data\dvdcss
2008-09-13 23:47 . 2008-09-13 23:47 4,096 --a------ C:\WINDOWS\d3dx.dat
2008-09-13 23:46 . 2008-09-13 23:46 <DIR> d-------- C:\WINDOWS\Sallys Spa
2008-09-13 14:03 . 2008-09-13 14:03 133,872 --a------ C:\WINDOWS\~GLC0001.TMP
2008-09-13 14:01 . 2008-09-13 14:01 133,872 --a------ C:\WINDOWS\~GLC0000.TMP
2008-09-11 16:41 . 2008-09-13 13:56 <DIR> d-------- C:\Program Files\vghd
2008-09-11 16:41 . 2008-09-11 16:41 <DIR> d-------- C:\Documents and Settings\peter's PC\Application Data\vghd
2008-09-09 15:41 . 2008-03-19 21:54 2,350,208 --a------ C:\WINDOWS\system32\ntoskrnl.exe.zottel
2008-09-09 15:41 . 2008-03-19 21:59 2,227,072 --a------ C:\WINDOWS\system32\ntkrnlpa.exe.zottel
2008-09-07 01:34 . 2008-09-07 01:34 <DIR> d-------- C:\Documents and Settings\peter's PC\Application Data\Camfrog
2008-09-07 00:01 . 2008-09-07 00:12 <DIR> d-------- C:\Documents and Settings\peter's PC\Application Data\Bioshock
2008-09-06 23:57 . 2008-09-06 23:57 <DIR> dr-h----- C:\Documents and Settings\peter's PC\Application Data\SecuROM
2008-09-06 23:57 . 2008-09-06 23:57 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2008-10-04 00:18 5,632 --sha-w C:\Program Files\Common Files\Thumbs.db
2008-10-04 00:18 --------- d-----w C:\Program Files\Styler
2008-10-03 23:08 118,784 ----a-w C:\WINDOWS\Web\Wallpaper\Flight Over New York Wallpaper dir\uninstall.exe
2008-10-03 23:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-10-03 11:17 --------- d-----w C:\Program Files\Common Files\Adobe
2008-10-03 11:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-02 12:44 --------- d-----w C:\Program Files\Steam
2008-09-30 14:06 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-09-27 12:54 --------- d-----w C:\Program Files\MotoKit
2008-09-18 19:39 --------- d-----w C:\Documents and Settings\peter's PC\Application Data\OpenOffice.org2
2008-09-15 14:41 --------- d-----w C:\Documents and Settings\peter's PC\Application Data\Winamp
2008-09-13 12:56 152,920 ----a-w C:\WINDOWS\system32\vghd.scr
2008-09-09 23:03 17,200 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-09-06 23:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-02 18:17 --------- d-----w C:\Program Files\Applications
2008-09-01 10:38 --------- d-----w C:\Program Files\MSN Messenger
2008-09-01 10:38 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-09-01 03:15 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-31 00:05 --------- d-----w C:\Program Files\Cool MP3 Splitter
2008-08-30 14:04 --------- d-----w C:\Program Files\nLite
2008-08-30 01:58 --------- d-----w C:\Program Files\OpenOffice.org 2.1
2008-08-28 22:31 --------- d-----w C:\Program Files\Windows Live
2008-08-28 00:16 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-27 21:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-08-27 12:56 --------- d-----w C:\Program Files\VirtuallTek
2008-08-25 23:02 --------- d-----w C:\Program Files\RocketDock
2008-08-25 23:00 --------- d-----w C:\Program Files\Motherboard Monitor 5
2008-08-25 23:00 --------- d-----w C:\Program Files\FREE Hi-Q Recorder
2008-08-25 22:59 --------- d-----w C:\Program Files\Folder Lock
2008-08-25 22:59 --------- d-----w C:\Program Files\DivX
2008-08-25 22:56 --------- d-----w C:\Program Files\Winamp
2008-08-22 10:43 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-17 16:30 8,704 --sha-w C:\Program Files\Thumbs.db
2008-08-14 01:32 --------- d-----w C:\Program Files\NVIDIA Corporation
2008-08-14 01:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\NVIDIA Corporation
2008-08-11 01:17 17,801 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-08-11 01:17 --------- d-----w C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor
2008-08-09 23:00 --------- d-----w C:\Program Files\Trend Micro
2008-08-09 14:06 --------- d-----w C:\Program Files\Mouse
2008-08-07 10:22 --------- d-----w C:\Documents and Settings\peter's PC\Application Data\skypePM
2008-07-25 18:06 720,896 ----a-w C:\WINDOWS\iun6002.exe
2008-07-17 13:38 51,712 ----a-w C:\WINDOWS\system32\sirenacm.dll
2008-05-24 23:16 89 -c--a-w C:\WINDOWS\system32\config\systemprofile\Del20DA.bat
2008-05-24 23:16 89 ----a-w C:\Documents and Settings\Default User\Del20DA.bat
2008-05-13 09:54 89 ------w C:\Documents and Settings\Default User\Del20DE.bat
2008-03-19 20:55 113,664 -c--a-w C:\WINDOWS\inf\hdaudio.sys
2001-11-23 19:08 712,704 -c----w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
2008-05-24 23:23 16,384 -csha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
2008-05-24 23:23 32,768 -csha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2008-05-24 23:23 32,768 -csha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008052420080525\index.dat
2008-05-24 23:23 32,768 -csha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
------- Sigcheck -------
2008-03-19 21:55 361344 cef393e4697b14d310320a62c3643f77 C:\WINDOWS\system32\drivers\tcpip.sys
2008-03-19 21:59 2227072 0ee1df3c80ee02cf2bd1ef43ae443d80 C:\WINDOWS\system32\ntkrnlpa.exe
2008-03-19 21:54 2350208 6ca4f9e8435530a6791e40a62f0bcc8e C:\WINDOWS\system32\ntoskrnl.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MBM 5"="C:\PROGRAM FILES\MOTHERBOARD MONITOR 5\MBM5.EXE" [2004-06-12 594944]
"AVG8_TRAY"="C:\PROGRAM FILES\AVG\AVG8\avgtray.exe" [2008-10-02 1234712]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 7700480]
"C-Media Mixer"="Mixer.exe" [2002-07-13 C:\WINDOWS\mixer.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"nltide_3"="advpack.dll" [2008-03-19 C:\WINDOWS\system32\advpack.dll]

C:\Documents and Settings\peter's PC\Start Menu\Programs\Startup\
Styler.lnk - C:\Documents and Settings\peter's PC\Application Data\Microsoft\Installer\{E9ECF354-2422-4FDB-9ABF-D8ADAC0EF941}\_585b207a.exe [5/25/2008 12:25:04 AM 15086]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\Steam\\SteamApps\\andy_birk\\day of defeat source\\hl2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8054:TCP"= 8054:TCP:BitComet 8054 TCP
"8054:UDP"= 8054:UDP:BitComet 8054 UDP

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-09-01 97928]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-01 231704]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-02 76040]
R2 WUSB54GSv2SVC;WUSB54GSv2SVC;C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe WUSB54GSv2.exe [ ]
R3 PAC207;Trust WB-1400T Webcam;C:\WINDOWS\system32\DRIVERS\PFC027.SYS [2007-05-14 508288]
S3 motccgp;Motorola USB Composite Device Driver;C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-11-02 18176]
S3 motccgpfl;MotCcgpFlService;C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-22 7680]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2007-10-10 42112]
S4 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-09-01 875288]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
RUNDLL32 advpack.dll,LaunchINFSection Sidebar.inf,Register
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\peter's PC\Application Data\Mozilla\Firefox\Profiles\w6863rbh.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.com
.
.
------- File Associations -------
.
inffile=C:\WINDOWS\system32\Notepad2.exe %1
inifile=C:\WINDOWS\system32\Notepad2.exe %1
txtfile=C:\WINDOWS\system32\Notepad2.exe %1
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-05 01:51:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\RocketDock\RocketDock.dll
.
Completion time: 2008-10-05 1:52:31
ComboFix-quarantined-files.txt 2008-10-05 00:52:25
Pre-Run: 45,088,874,496 bytes free
Post-Run: 45,081,821,184 bytes free
168
```
__________________
#6
Download OTMoveIt2 by OldTimer and save it to your Desktop.

Note: If you are running on Vista, right-click on OTMoveIt2.exe and choose Run As Administrator.

1. Double-click OTMoveIt2.exe to run it.
2. Copy the lines in the codebox below.

Code:
```
[kill explorer]
C:\WINDOWS\~GLC0001.TMP
C:\WINDOWS\~GLC0000.TMP
EmptyTemp
[start explorer]
```

4. Click the red Moveit! button.
5. Copy everything in the Results window (under the green bar) and paste it in your next reply.
6. Close OTMoveIt2.

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

----------

How is everything now?