We keep getting pop ups. Some are web page commercials so to speak, some are audio where there is audio but no visual pop up. Several times I have gotten a page that wants me to choose to remove a virus, the name of this page is 113577url.cptgt.com. I have done a boot scan twice, the first time things were found and we did choose to delete because it said they could not be repaired. Please help, we really cannot afford to put the laptop back in the shop right now.
Thanks!
Linda
Try using the free version of malwarebytes antimalware and see what it finds.
Download it, install it, update it, and then run a Full scan.
Let it fix what it finds and post the resulting log here.
You can get it at the link below.
http://www.malwarebytes.org/mbam.php
I already have Malwarebytes and have run a full scan twice. Both times it says that nothing was found! I did another Avast scan this AM and it found some files but I could not do anything with them because every choice said "this is a Windows folder, are you sure?" No, I am not sure, I do not want to remove necessary files/folders. I will run another Malwarebytes and see if it finds anything.
Updated Malwarebytes and ran another scan. It found no infected files.
Hi, I would like to look at two areas on your computer - these programmes are purely analysis for now.
Please download MBRCheck.exe to your desktop.
[*]Be sure to disable your security programs
[*]Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
[*]A window similar to this should open on your desktop:
http://i677.photobucket.com/albums/vv132/RPMcMurphy_album_photos/mbrcheck.png
[*]If you are prompted with options, enter N at the prompt and press [i]Enter[/i]
[*]Press [i]Enter[/i] again
[*]A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop. Please post the contents of that file.
THEN
Download OTL to your Desktop
[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]Select All Users
[*]Under the Custom Scan box paste this in
[b]netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
[/b]
[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[quote]I will run another Malwarebytes and see if it finds anything.[/quote]
Did you update it before you scanned? Lots of people forget to do that and scan with a very old database!
I did update this last time. I guess I was thinking Malwarebytes did automatic updates, but it does not.
[quote author=essexboy link=topic=67485.msg568692#msg568692 date=1292191915]
Hi I would like to look at two areas on your computer - these programmes are purely analysis for now
Please download MBRCheck.exe to your desktop.
[*]Be sure to disable your security programs
[*]Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[/quote]
I will try this after a while. Fixing supper right now. It is funny. In the few minutes that I have been online checking out the forum posts regarding my issue, I have had 3 windows pop up, and all three are Avast windows.
Busymama62, have you used a boot CD to fix this? If not, try the GData boot CD: https://www.gdatasoftware.co.uk/support/main-subjects/upgrade-service/download.html
No, I have not. Going to show my ignorance here... does a boot CD remove all your installed programs?
No, the idea of the GData boot CD (and other such anti-virus boot CDs) is to clean the malware outside of Windows, so that you can get at it whilst it isn't running in Windows, where it might have protective measures working to protect against its removal.
If it's a rogue, virus, malware, or other such stuff, yes. But if you have clean programs it will not remove them.
MBRCheck, version 1.2.3
(c) 2010, AD
Here is what came up. You said for me to download OTL next. Where do I find OTL? According to the following results there is an issue. I did turn my Avast back on to log on to post this and Avast popped up the window "Avast has blocked a threat, no further action needed". I will do the OTL scan once I have it downloaded. Do I turn off my Avast to run it? Thank you very much!!!
Well I am having to delete part of this text file. I hope I leave what you need to see.
Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000003c
Kernel Drivers (total 185):
Processes (total 39):
\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000c8073000 (FAT32)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000004e51df800 (FAT32)
PhysicalDrive0 Model Number: ST9402112A, Rev: 3.06
Size Device Name MBR Status
37 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 6A37CCD118436B688B51F6BD4C2B47A895EBDF7F
Found non-standard or infected MBR.
Enter ‘Y’ and hit ENTER for more options, or ‘N’ to exit:
Done!
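As an added defender's-side illustration (not from the thread, and not part of MBRCheck itself), the following Python parses a report in the layout posted above, pulls out each drive's MBR status and SHA1, and turns the "Unknown MBR code" and "Found non-standard or infected MBR" lines into a verdict a helper can act on. The excerpt is constructed from the report above; the rule that a recognised boot sector is reported as "... MBR code detected" is an assumption.

```python
import re

# Constructed excerpt in the layout of the MBRCheck report posted above; the
# drive, status and SHA1 lines are copied from that report, the rest is omitted.
SAMPLE_REPORT = r"""
MBRCheck, version 1.2.3
PhysicalDrive0 Model Number: ST9402112A, Rev: 3.06
Size Device Name MBR Status
37 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 6A37CCD118436B688B51F6BD4C2B47A895EBDF7F
Found non-standard or infected MBR.
"""

DRIVE_RE = re.compile(r"^(?P<size>\d+\s*[KMGT]B)\s+(?P<device>\\\\\.\\PhysicalDrive\d+)\s+(?P<status>.+?)\s*$")
SHA1_RE = re.compile(r"^SHA1:\s*([0-9A-Fa-f]{40})\s*$")
MODEL_RE = re.compile(r"^(PhysicalDrive\d+) Model Number:\s*(.+?),\s*Rev:\s*(\S+)")
# Assumption: MBRCheck reports a recognised boot sector as "<OS> MBR code detected";
# any other status (such as "Unknown MBR code") is sent for analyst review.
STANDARD_RE = re.compile(r"MBR code detected$")

def parse_mbrcheck(report: str) -> dict:
    """Extract each drive's MBR status and SHA1, the disk models and an overall verdict."""
    drives, models, banner = [], {}, False
    for raw in report.splitlines():
        line = raw.strip()
        if m := MODEL_RE.match(line):
            models[m.group(1)] = (m.group(2), m.group(3))
        elif m := DRIVE_RE.match(line):
            d = m.groupdict()
            d["sha1"] = ""
            d["suspicious"] = STANDARD_RE.search(d["status"]) is None
            drives.append(d)
        elif (m := SHA1_RE.match(line)) and drives:
            drives[-1]["sha1"] = m.group(1).upper()   # the SHA1 line follows its drive line
        elif line.startswith("Found non-standard or infected MBR"):
            banner = True
    verdict = "review" if banner or any(d["suspicious"] for d in drives) else "clean"
    return {"drives": drives, "models": models, "infected_banner": banner, "verdict": verdict}

def check_sample() -> dict:
    """Run the parser over the constructed excerpt (used by the stand-alone run below)."""
    return parse_mbrcheck(SAMPLE_REPORT)

if __name__ == "__main__":
    result = check_sample()
    for d in result["drives"]:
        print(d["device"], d["status"], d["sha1"], "SUSPICIOUS" if d["suspicious"] else "ok")
    print("verdict:", result["verdict"])
```

The SHA1 is kept alongside the status so the helper can compare it against a known-good MBR hash for that Windows version rather than relying on the status text alone.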
[quote]You said for me to download OTL next. Where do I find OTL[/quote]
You click the red "OTL" in Essexboy's post, and the download will start.
To avoid using multiple posts with copy and paste, you have to attach the logs:
Lower left corner: Additional Options > Attach (OTL.Txt and Extras.Txt)
Download OTL to your Desktop
[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]Select All Users
[*]Under the Custom Scan box paste this in
[b]netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
In the Extras report there are several errors. I would imagine one is from where we have 2 printers installed but only one hooked up at this time.
Hello everyone! After having beat my head against this very same problem for three days, I have joined this forum for the express purpose of telling you how to resolve it. I would like to take credit for it, but I’d have to admit that I failed to resolve it and had to sit here this morning while my IT department worked my PC remotely to do it.
I'm sorry, but I didn't catch the names of the assorted things that they found, but I DID catch the names of the shareware programs they used:
Hitman Pro 3.5 (This is the program that found the damned thing!)
SuperAntiSpyware Free Edition
All of the following failed to find or resolve the issue:
- Symantec Corp edition
- MalwareBytes (This really surprised me as I love this program and it's saved me a lot in the past)
- Spyware Doctor from PC Tools
- Spybot S & D
I’ve looked in the history for the program (Which I convinced them to leave with me) and it shows that it found and deleted the following:
“C:\Windows\System32\wmiapi.Dll”
I’m not positive that this was “the” problem but offer you the information as an FYI.
Again, they were moving pretty fast so I didn’t get all the details I know you would like, but my IT folks confirmed that it was the Hitman Pro software that found and killed the virus itself.
One of these two programs (Hitman Pro 3.5 and SuperAntiSpyware Free Edition) also found and removed a trojan downloader on my removable external drive. Sorry but I didn’t catch which program found that downloader.
Clearly I'm not an IT expert and I'm not going to be able to provide any more details than this, but I can tell you for sure that I had exactly the same problem described here and my IT folks used Hitman Pro 3.5 and SuperAntiSpyware Free Edition to find and resolve it. I think they are both shareware.
Good luck!
[quote]"C:\Windows\System32\wmiapi.Dll"[/quote]
This is a legitimate file; unfortunately I have had to repair a few non-booting systems that HitmanPro fixed.
Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
O20 - AppInit_DLLs: (wlanprov.dll) - C:\WINDOWS\System32\wlanprov.dll ()
O20 - AppInit_DLLs: (catext.dll) - C:\WINDOWS\System32\catext.dll ()
[2010/12/10 13:25:10 | 000,477,184 | -HS- | M] () -- C:\WINDOWS\System32\wlanprov.dll
[2010/12/10 12:24:06 | 000,063,488 | ---- | M] () -- C:\WINDOWS\System32\catext.dll
[2008/02/15 21:42:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Grisoft
[2008/04/09 20:53:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\owner\Application Data\Grisoft
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop
[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
[*]Double click on ComboFix.exe & follow the prompts.
[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/whatnext.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
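The fix above targets two DLLs loaded through the AppInit_DLLs registry value. The following Python is added here as an example (it is not part of OTL or of essexboy's fix) of how a helper can triage O20 entries from an OTL log automatically: it matches each AppInit_DLLs entry to its file line and flags missing company information, hidden/system attributes and recent modification. The log excerpt is built from the lines in the fix; the scan date and the 30-day window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed OTL excerpt: the two O20 entries and their file lines are taken
# from the fix script above; the scan date below is assumed.
SAMPLE_OTL = r"""
O20 - AppInit_DLLs: (wlanprov.dll) - C:\WINDOWS\System32\wlanprov.dll ()
O20 - AppInit_DLLs: (catext.dll) - C:\WINDOWS\System32\catext.dll ()
[2010/12/10 13:25:10 | 000,477,184 | -HS- | M] () -- C:\WINDOWS\System32\wlanprov.dll
[2010/12/10 12:24:06 | 000,063,488 | ---- | M] () -- C:\WINDOWS\System32\catext.dll
[2008/02/15 21:42:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Grisoft
"""
SCAN_DATE = "2010/12/13 00:00:00"   # assumed scan date, written in OTL's own timestamp format

O20_RE = re.compile(r"^O20 - AppInit_DLLs: \((?P<name>[^)]*)\) - (?P<path>.+?) \((?P<company>[^)]*)\)\s*$")
FILE_RE = re.compile(r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
                     r"(?P<attrs>[-RHSD]{4}) \| [MC]\] (?:\((?P<company>[^)]*)\) )?-- (?P<path>.+?)\s*$")
TS_FMT = "%Y/%m/%d %H:%M:%S"

def triage_appinit(otl_text: str, scan_date: str = SCAN_DATE, recent_days: int = 30) -> list:
    """Return one finding per AppInit_DLLs entry, with the reasons it looks suspicious."""
    scanned = datetime.strptime(scan_date, TS_FMT)
    files = {}   # lower-cased path -> parsed file line (timestamp, size, attributes)
    for line in otl_text.splitlines():
        if m := FILE_RE.match(line.strip()):
            files[m["path"].lower()] = m.groupdict()
    findings = []
    for line in otl_text.splitlines():
        m = O20_RE.match(line.strip())
        if not m:
            continue
        reasons = []
        if not m["company"].strip():
            reasons.append("no company name in version info")   # OTL prints () for such files
        info = files.get(m["path"].lower())
        if info:
            if "H" in info["attrs"] or "S" in info["attrs"]:
                reasons.append("hidden/system attributes " + info["attrs"])
            age = scanned - datetime.strptime(info["ts"], TS_FMT)
            if age <= timedelta(days=recent_days):
                reasons.append("modified %s, %d days before scan" % (info["ts"], age.days))
        findings.append({"dll": m["name"], "path": m["path"], "reasons": reasons})
    return findings

def triage_sample() -> list:
    """Triage the constructed excerpt with the assumed scan date."""
    return triage_appinit(SAMPLE_OTL)
```

Every AppInit_DLLs entry is reported, including ones with an empty reasons list, so that a helper still sees the full set of DLLs injected into every user-mode process.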
[quote author=essexboy link=topic=67485.msg569097#msg569097 date=1292274442]
"C:\Windows\System32\wmiapi.Dll" This is a legitimate file, unfortunately I have had to repair a few non booting systems that Hitmanpro fixed
Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Download ComboFix from one of these locations:
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
[/quote]
Fixing to download ComboFix, I apparently am unable to turn off the Malwarebytes.
Attached is the combofix log file. Also, now I am getting a Rootkit Blocked message from Avast.
Well, after running ComboFix and posting the file here, I was checking email and my Facebook. All of a sudden the screen went blue with lots of writing that was too much to read and the computer did an automatic shut down and restart. Of course that was a "Blue Screen Error". I was prompted, once the computer loaded after doing the automatic scan, and I did follow the prompts and sent a report to MS. The MS site suggested I remove recent programs that have been installed. I figure I need to wait until we know this is resolved for sure before I remove ComboFix, MBRCheck and OTL. The only thing I have noticed is that my "gmail" link on my favorites bar quit working, so I went ahead and deleted it. So far we have not had any more pop ups. But we will see. Over the weekend there would be times that for several hours we would not get any of the pop ups.
I want to say that I appreciate each and every one of you and your helping me with this issue. I wish I had thought to check the Avast Forum with the desktop before it got too bad, but alas, I cannot even connect to the internet with it. So it will eventually make it to the local shop.
Can you go into safe mode, Busymama62?