i.trkjmp.com

Hello-

Please help!

My PC (Firefox & Chrome - not IE8) is infected with this pop-up virus i.trkjmp.com (firebug shows this site as link destination of the popups). No other noticeable symptoms, PC may be running slower. Avast reported nothing and full scans & boot scan did not detect & clean it off the PC.

I have run & I am attaching scan reports (ANSI) per forum instructions http://forum.avast.com/index.php?topic=53253.0.

Adware- I ran twice in a row (reboot in between) and both times it detected & deleted files, fewer on the 2nd run.

  • both reports attached

Malwarebytes detected & removed nothing

  • report attached

OTL - the first run produced no Extras.txt, only the OTL.txt. The picture of the OTL interface (associated with the instructions) shows the radio button for Extra Registry as “None”, so I re-ran using “Use Safelist”; then the scan generated the Extras.txt.

  • OTL & Extras attached

aswMBR - report attached

Thank you for your help!

:-[ forgot the attachments!

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.01.03.09

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
.* :: WS10 [administrator]

1/3/2013 7:55:42 PM
mbam-log-2013-01-03 (19-55-42).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 268032
Time elapsed: 42 minute(s), 56 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

aswMBR.txt attached

Hi let me know how the computer is behaving after this run

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\idsdefs\20101113.002\symidsco.sys -- (SYMIDSCO)
[2012/11/16 21:51:05 | 000,000,000 | ---D | M] (Vaudix) -- C:\Documents and Settings\patti.potter\Application Data\Mozilla\Firefox\Profiles\jy3x0kxd.default\extensions\50a6f7bd80fe1@50a6f7bd81019.com
O3 - HKU\S-1-5-21-536995187-1795891562-3944622506-1008\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O3 - HKU\S-1-5-21-536995187-1795891562-3944622506-1008\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O20 - AppInit_DLLs: (c:\progra~1\vaudix\sprote~1.dll) - c:\Program Files\VaudiX\sprotector.dll ()
[2013/01/03 19:14:47 | 000,000,536 | -H-- | M] () -- C:\WINDOWS\tasks\VaudiXUpdaterTask{09AB07D1-EC8B-4C80-900A-C8B771AFDAB3}.job
[2013/01/03 19:14:42 | 000,000,536 | -H-- | M] () -- C:\WINDOWS\tasks\VaudiXUpdaterTask{2387C944-C763-4B62-9B99-B14642804909}.job

:Files
c:\Program Files\VaudiX

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
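The entries selected for the fix above correspond to a handful of persistence points: an AppInit_DLLs value, hidden scheduled-task .job files and a Firefox extension folder. As an added example (not part of the original posts and not OTL's own code), this Python triage sorts OTL-style log lines into those categories; the regular expressions and category names are assumptions fitted to the lines shown in this thread.

```python
import re

# Sample lines copied from the OTL fix posted in this thread.
SAMPLE = r"""
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\idsdefs\20101113.002\symidsco.sys -- (SYMIDSCO)
[2012/11/16 21:51:05 | 000,000,000 | ---D | M] (Vaudix) -- C:\Documents and Settings\patti.potter\Application Data\Mozilla\Firefox\Profiles\jy3x0kxd.default\extensions\50a6f7bd80fe1@50a6f7bd81019.com
O3 - HKU\S-1-5-21-536995187-1795891562-3944622506-1008\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O20 - AppInit_DLLs: (c:\progra~1\vaudix\sprote~1.dll) - c:\Program Files\VaudiX\sprotector.dll ()
[2013/01/03 19:14:47 | 000,000,536 | -H-- | M] () -- C:\WINDOWS\tasks\VaudiXUpdaterTask{09AB07D1-EC8B-4C80-900A-C8B771AFDAB3}.job
"""

# Assumed layout of a file-listing line: [date time | size | attrs | M] (vendor) -- path
FILE_RE = re.compile(
    r"^\[[\d/]+ [\d:]+ \| [\d,]+ \| (?P<attrs>[-A-Z]{4}) \| [MC]\] \(.*?\) -- (?P<path>.+)$")
# Assumed layout of the O20 line: (short path) - long path (vendor)
APPINIT_RE = re.compile(
    r"^O20 - AppInit_DLLs: \((?P<short>[^)]*)\) - (?P<path>.*?) \(.*\)$")


def triage(log_text):
    """Return (category, detail) pairs for persistence-relevant OTL lines."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = APPINIT_RE.match(line)
        if m and m.group("short"):
            # A DLL listed here is loaded into every process that loads user32.dll.
            findings.append(("appinit_dll", m.group("path")))
            continue
        m = FILE_RE.match(line)
        if m:
            path, low = m.group("path"), m.group("path").lower()
            if low.endswith(".job") and "\\windows\\tasks\\" in low:
                hidden = "H" in m.group("attrs")  # hidden attribute set on the job file
                findings.append(("hidden_task" if hidden else "task", path))
            elif "\\extensions\\" in low:
                findings.append(("browser_extension", path))
            continue
        if line.startswith("O3 - ") and line.endswith("No CLSID value found."):
            findings.append(("orphan_toolbar", line.split(" - ")[2]))
        elif line.startswith("DRV - File not found"):
            findings.append(("missing_driver", line.rsplit(" -- ", 1)[-1]))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE):
        print(f"{category:18} {detail}")
```

Running the same function over a fresh Quick Scan log after the reboot shows whether any of these categories reappear.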

OTL after reboot Quick Scan report attached

Could you re-run the previous fix please? On reboot a notepad should open on the desktop; could you post that?

here is one from end of 1st fix (just after reboot)
is that ok
or do you want the fix rerun + fresh report?

ty! :smiley:

I would like you to run a stronger programme this time

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

COMBOFIX

COMBOFIX log attached

I notice GMER found no hidden items also in case this helps malwarebytes from Jan-2.

More info- Ahhh-HA! (I wrote this as I thought it out, changed settings and re-tested after combofix & still had pop-ups).
Now I am becoming VERY suspicious of Vaudix, already high on my list of possible entry points.
It seems to me Vaudix may be the point of entry. It is a video streaming program and I searched the web for malware reports & checked their site with McAfee site adviser before installing it and all seemed OK.
LOL… but now I think this needs to become known as “known associate of i.trkjmp.com” and not to be trusted!

  • disabling Vaudix + DivX Plus stops the pop-ups!
  • re-enabling DivX Plus does not bring return of the pop-ups!

More History… my path to conclusion above.

  • Malwarebytes picked up & deleted one threat, but the issue remained (2-Jan).
  • At the time I thought I was dealing with simple adware since the only real symptom was pop-up advertisements, which, to begin with I thought were on the web sites, not connected to my PC as they seemed very random.
  • I thought Avast had cleared the pop-up source, until I saw it on a site I am developing, on text showing as links, where I had put no links.

To see the pop-ups I had to be using FF or Chrome & cursor over the links.
I use IE for most browsing as text renders better, it is not affected & Vaudix plugin not installed there.
Chrome I just installed to test how my web work displays & functions. I’m not sure as I haven’t really used Chrome, but I think… Chrome decided to install Vaudix or allow it.

YES… I just rechecked and it is a listed extension + DivXPlus webplayer, neither of which I installed, and I thought I had disabled Vaudix when I saw it there on the 2nd… but it was enabled just now when I went to check it.

  • Now I have disabled Vaudix & DivX on chrome & FF.
  • AND NOW… I HAVE NO POP-UPS! :slight_smile:

FYI- I still have Avast logs & virus chest files, 3 threat reports in December & items moved to chest if needed.

Webutation gives Vaudix 100 of 100
http://www.webutation.net/go/review/vaudix.com#

I did not see this one before- clearly suspicious
http://camas.comodo.com/cgi-bin/submit?file=24a7aa1af1e7bc34d0722aa091e03ca6a2307a983773990458fd25b1e7a76a68

Even worse - sigh- this site says Vaudix=codec c virus/plug-in & suggests options to remove it
http://infortecpro.blogspot.com/2012/10/dont-download-unknown-plugins-face-new.html
http://infortecpro.blogspot.com/2012/03/dont-download-unknown-plugins.html
http://forums.malwarebytes.org/index.php?showtopic=107786
http://malware-removal.windowsupdatesonline.com/how-to-remove-codec-c-virus-permanently-from-win-7-vista-or-xp/

Yes that is the one I was using OTL to try and remove

  1. Close any open browsers.

  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\Tasks\VaudiXUpdaterTask{09AB07D1-EC8B-4C80-900A-C8B771AFDAB3}.job
c:\windows\Tasks\VaudiXUpdaterTask{2387C944-C763-4B62-9B99-B14642804909}.job

Folder::
c:\documents and settings\All Users\Application Data\Premium
c:\Program Files\VaudiX
C:\Documents and Settings\patti.potter\Application Data\Mozilla\Firefox\Profiles\jy3x0kxd.default\extensions\50a6f7bd80fe1@50a6f7bd81019.com

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Combofix- CFScript-fix log attached. ty!

How is the computer behaving now ?

well… the only clear symptom was the pop-ups, and disabling Vaudix stopped them.

Now FF does not show Vaudix in Extension list.
Chrome does still show Vaudix as a disabled Extension…

Vaudix does not show in the Task Manager Processes (but I think before it did not show unless the browser was active w/the extension enabled).

You will need to delete it manually from Chrome as none of my tools can do that

Before I remove my tools are there any further problems ?

PC Seems OK
I removed Vaudix from Chrome & restarted Chrome, Vaudix is gone.
Thank you VERY much!

Update-
The pop-ups showed up in IE- but not on all sites esp. not on my own site where FF & Chrome had shown pop-ups… but on a site where I visit frequently. I cleared all history from IE & FF (Chrome had none) rebooted browsers & IE still had pop-ups.

I then re-ran Adware and sprotector was back- but I could not see Vaudix running in task manager, and it had shown there before.
So, LOL… I know you will hate this… but I acted on my own (sort of my own… I manually repeated CFSfix- but deleted deeper)
… this “seems” to have worked and may be helpful to you & others

I performed the manual edits, so I could see that the items were removed
1- per the adware report I manually removed these registry entries

  • HKCU\Software\AppDataLow\SProtector
  • HKLM\Software\SProtector

2- I opened the CFSfix.txt and manually rechecked & completed the steps…and went a bit further,
The tasks were gone/had not reappeared
File::

  • c:\windows\Tasks\VaudiXUpdaterTask{09AB07D1-EC8B-4C80-900A-C8B771AFDAB3}.job
  • c:\windows\Tasks\VaudiXUpdaterTask{2387C944-C763-4B62-9B99-B14642804909}.job

Folder::

  • I opened and explored each folder- where there was an ini file I opened the ini in notepad and deleted all content and saved
    c:\documents and settings\All Users\Application Data\Premium
    • I opened the folder, deleted each file & then the folder
      c:\Program Files\VaudiX
    • I deleted each file, then the folder- I think the ini file was in this folder
    • there was an uninstall.exe- I just deleted it with all other files
      C:\Documents and Settings\patti.potter\Application Data\Mozilla\Firefox\Profiles\jy3x0kxd.default\extensions\50a6f7bd80fe1@50a6f7bd81019.com
  • I deleted the entire profile “jy3x0kxd.default”

The following key did not exist.
Registry:: [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
“AppInit_DLLs”=-

Then- I ran an Avast boot time scan

  • on all drives (C & D-recovery)
  • selecting to delete any threats detected during the scan.

After the reboot/boot scan

  • Avast reported it deleted 2 Java based threats not picked up by daily quick or full scans
  • I noticed that there were no logs of boot time scans when I thought I had run them (mid & late Dec), this is likely my bad memory
  • PNG attached
    • I thought I had seen & moved to virus chest these files before,
    • but did not see them in the virus chest, maybe I deleted them, I did not recheck all logs to trace all details of threats found & removed

I re-ran Adware and sprotector entries were gone

  • I have re-run it a few times after browsing & at least 1 reboot and it has remained clean.
    • most recent copy attached
  • I went back to folders & files that I deleted per CFSfix
    • all were gone after reboot/boot scan
    • I rechecked all now and they are still gone.
  • I emptied recycle bin (should have done it before boot scan)

Since I deleted the FF profile, that prevented FF from running,

  • so I uninstalled FF & all user history/data & reinstalled fresh.
  • I now have a new FF profile with no extensions at this point.

Since then, no pop-ups in IE, FF or Chrome where seen before.
But I remain a bit paranoid, so any hiccup seems odd… but the PC is old and way under resourced for how I use it, so it is hard to tell without giving it more time to observe and see what normal is now and how that compares to what it was before.

I plan to run disk cleanup & defrag. I have 40GB free on 14GB C:
I do have a good backup & restore points prior to Vaudix if needed.

any comments… questions?
(other than to tell me I violated instructions of doing only as told). :-[

I apologize, but I felt it was important to me to step through it manually to confirm what was actually happening and see for myself what was removed, and what does or does not reappear if pop-ups return.

Thank you for your help!! I am very grateful! :slight_smile:

FYI- I joined McAfee reviewers and posted comments & links re: Vaudix
Added Avast WebRep vote @ vaudix.com as illegal as best fit- I wonder why no option for malware/adware/spyware in webrep?

  • however the skull & cross bones certainly fits for malware.
    Joined webutation.net to post review- but have not yet received confirmation link to complete registration & post review.

Do you know any other sites where I might post a review to try to help others prevent downloading?

Added warning to webutation.net