suspicious message popups

I keep getting loads of popups every couple of seconds with suspicious message alerts and avast doesn’t seem to be able to find the source.
Don’t know whether it matters, but I had a virus yesterday through MSN (this is when it started) and managed to get rid of it, but I am still getting the alerts.

I have attached the hijackthis log file, please look and help me

I think I may have found the virus by accidentally killing the program shown here, not sure though:

O4 - HKLM\..\Run: [mapouquoo] C:\WINDOWS\system32\hojyr.exe

After this I have not had the popups.

Please tell me how to get rid of this it is really annoying!

thanks

I suggest:

  1. Clean your temporary files.
  2. Schedule a boot-time scan with avast with archive scanning turned on. If avast does not detect it, you can try Dr.Web CureIt! instead.
  3. Use SUPERAntiSpyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  5. Make a HijackThis log to post here or at this analysis site. Or even submit the RunScanner log to on-line analysis.
  6. Disable System Restore and then reenable it again.
  7. Immunize your system with SpywareBlaster or Windows Advanced Care.
  8. Check if you have insecure applications with Secunia Software Inspector.

Did a boot-time scan and nothing was found; Dr.Web CureIt failed.

Pretty sure I know what the file is that is causing it. When I start the computer up, the program mentioned above is active and constantly taking up more and more memory, but once killed it all stops and there are no more alerts.

C:\WINDOWS\system32\hojyr.exe is the file

Apparently virustotal.com has heard of it, with Sophos and CAT-QuickHeal spotting it as being bad:

-http://www.virustotal.com/analisis/86d203a4bc5050a71929ccecbe7ffd7c#

CAT-QuickHeal 9.50 2008.10.01 (Suspicious) - DNAScan

Sophos 4.34.0 2008.10.02 Mal/EncPk-CK

I will try SAS and the other ones but will also send it to alwil so they can look at it

Please disable ‘Hide protected operating system files’ and enable ‘View Hidden Files and Folders’, search for and upload the files below to VirusTotal for analysis. Post the results here.

C:\Program Files\Common Files\Windows\mc-58-12-0000137.exe
C:\Program Files\Task Killer\TaskKiller.exe
C:\WINDOWS\system32\luconnuj.exe
C:\Documents and Settings\Administrator\Desktop\ie6.dll

EDIT: Added instructions for viewing files.

This too:

C:\Documents and Settings\All Users\Application Data\Xtraveller\xRun.exe

[quote author=FreewheelinFrank link=topic=39243.msg329279#msg329279 date=1223671583]
Please disable ‘Hide protected operating system files’ and enable ‘View Hidden Files and Folders’, search for and upload the files below to VirusTotal for analysis. Post the results here.

C:\Program Files\Common Files\Windows\mc-58-12-0000137.exe

Couldn’t find the Windows folder in Common Files, so couldn’t find the file even with the options taken into account.

-C:\Program Files\Task Killer\TaskKiller.exe

F-Secure 8.0.14332.0 suspicious:w32/kolweb!gemini
(Not sure about this one; I had it before the trouble started, and it is actually the program I talked about above that I use to kill the other file I think is the virus. Interesting, though.)

C:\WINDOWS\system32\luconnuj.exe

Can’t find this one now; my system32 folder is empty??? (even after a restart) ??? Is this bad?

C:\Documents and Settings\Administrator\Desktop\ie6.dll

0% problems with this one

C:\Documents and Settings\All Users\Application Data\Xtraveller\xRun.exe

VBA32 – suspected of trojan-psw.game.43 (paranoid heuristics)
webwasher-gateway – win32.malware.gen (suspicious)

SUPERAntiSpyware seems to have removed the original offending virus - I don’t have the alert problem anymore ;D

Thanks Tech and Freewheelinfrank

Well… the other steps could make sure that you’re clean :wink:

nice work

yes - work through Tech’s list as you have time
especially MBAM
update - scan and put a checkmark next to any baddies and click REMOVE SELECTED
post the whole log if anything found

an online AV and the Trend Micro anti-rootkit will let you sleep better

run Secunia software inspector and get up to date
remove ALL old Java

Firewall?
real time anti-spyware-malware installed?

:frowning: It’s Back

As soon as my sister went on the computer it came back and avast went into overdrive.

Not sure if it’s related, but the system32 folder appears to be empty, even though I know there are things running from it ???

I’ll keep working through the list and report back

MBAM results are in

Malwarebytes’ Anti-Malware 1.28
Database version: 1253
Windows 5.1.2600 Service Pack 2

11/10/2008 12:11:59
mbam-log-2008-10-11 (12-11-59).txt

Scan type: Full Scan (C:\|)
Objects scanned: 133609
Time elapsed: 48 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 38
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\retro64_loader.r64loader (Trojan.Downloader) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\retro64_loader.r64loader.1 (Trojan.Downloader) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\videoegg.activexloader (Adware.VideoEgg) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\videoegg.activexloader.1 (Adware.VideoEgg) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{339d8aff-0b42-4260-ad82-78ce605a9543} (Trojan.BHO) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{450b9e4d-4014-4de3-b34e-014a81468293} (Trojan.Downloader) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7b178417-3cda-444f-94ff-312c0a3a78a8} (Adware.180Solutions) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a36a5936-cfd9-4b41-86bd-319a1931887f} (Trojan.BHO) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{aa4939c3-deca-4a48-a454-97cd587c0ef5} (Adware.NetOptimizer) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{eee4a2e5-9f56-432f-a6ed-f6f625b551e0} (Adware.NetOptimizer) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e282c728-189d-419e-8ee2-1601f4b39ba5} (Adware.VideoEgg) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e1a63484-a022-4d42-830a-fbd411514440} (Adware.VideoEgg) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{dc3a04ee-cdd7-4407-915c-a5502f97eecd} (Adware.VideoEgg) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{db8cce99-59c6-4552-8bfc-058feb38d6ce} (Adware.VideoEgg) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d17726cc-d4dd-4c4a-9671-471d56e413b5} (Adware.VideoEgg) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c5041fd9-4819-4dc4-b20e-c950b5b03d2a} (Adware.VideoEgg) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bb187c0d-6f53-4f3e-9590-98fd3a7364a2} (Adware.VideoEgg) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{af2e62b6-f9e1-4d4f-a10a-9dc8e6dcbcc0} (Adware.VideoEgg) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ad5915ea-b61a-4dba-b5c8-ef4b2df0a3c7} (Adware.VideoEgg) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ad0a3058-fd49-4f98-a514-fd055201835e} (Adware.VideoEgg) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a58c497b-3ee2-45e7-9594-daca6be2a0d0} (Adware.VideoEgg) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a3d06987-c35e-49e4-8fe2-ac67b9fbfb4c} (Adware.VideoEgg) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9856e2d8-ffb2-4fe5-8cad-d5ad6a35a804} (Adware.VideoEgg) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8f6a82a2-d7b1-443e-bb9f-f7dc887dd618} (Adware.VideoEgg) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{88d6cf0e-cf70-4c24-bf6e-e4e414bc649c} (Adware.VideoEgg) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{83dfb6ee-ab18-41b5-86d4-b544a141d67e} (Adware.VideoEgg) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5c29c7e4-5321-4cad-be2e-877666bed5df} (Adware.VideoEgg) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3f91eb90-ef62-44ee-a685-fac29af111cd} (Adware.VideoEgg) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1a8642f1-dc80-4edc-a39d-0fb62a58b455} (Adware.VideoEgg) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{168dc258-1455-4e61-8590-9dac2f27b675} (Adware.VideoEgg) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{288c5f13-7e52-4ada-a32e-f5bf9d125f99} (Trojan.Downloader) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c7f00a9a-f1bc-436e-82c7-e8cae6fd67f7} (Trojan.Downloader) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{af2e62b6-f9e1-4d4f-a10a-9dc8e6dcbcc0} (Adware.VideoEgg) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{288c5f13-7e52-4ada-a32e-f5bf9d125f99} (Trojan.Downloader) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\VideoEgg (Adware.VideoEgg) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@videoegg.com/publisher,version=1.5 (Adware.VideoEgg) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\IMAdvertiser (Adware.SearchTwo) → Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mapouquoo (Trojan.FakeAlert.H) → Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\hojyr.exe (Trojan.FakeAlert.H) → Delete on reboot.
C:\WINDOWS\system32\h@tkeysh@@k.dll (Trojan.Agent) → Quarantined and deleted successfully.
C:\WINDOWS\system32\cmd.com (Worm.Alcra) → Quarantined and deleted successfully.
C:\WINDOWS\system32\netstat.com (Worm.Alcra) → Quarantined and deleted successfully.
C:\WINDOWS\system32\ping.com (Worm.Alcra) → Quarantined and deleted successfully.
C:\WINDOWS\system32\regedit.com (Worm.Alcra) → Quarantined and deleted successfully.
C:\WINDOWS\system32\tasklist.com (Worm.Alcra) → Quarantined and deleted successfully.
C:\WINDOWS\system32\tracert.com (Worm.Alcra) → Quarantined and deleted successfully.
C:\WINDOWS\system32\ClickToFindandFixErrors_Intl.ico (Malware.Trace) → Quarantined and deleted successfully.
C:\Documents and Settings\martin keohane\Desktop\Internet Security Suite.url (Rogue.Link) → Quarantined and deleted successfully.

One file could not be quarantined, don’t know why, but it will be deleted on reboot:

C:\WINDOWS\system32\hojyr.exe

It is the file I originally thought was the virus.

I can now see the contents of the system32 folder, so something’s going right.

Good call on MBAM wyrmrider Thanks!!

just out of curiosity which is the better of the two?

Spoke way too soon guys, guess what, it’s back.

C:\WINDOWS\system32\hojyr.exe seems to keep coming back and being regenerated after being deleted by numerous programs

Something has been missed that keeps regenerating it.

It seems to come back when my sister signs into Windows Live Messenger, and I don’t know where it is. Please help guys, I’m getting desperate here.

Looks Like it’s polymorphic.

Download and run ComboFix. Be sure to post the CFix log. Don’t forget to rename ComboFix before you run it.

They won’t conflict. The list of SpywareBlaster works fine, but AWC has other features than just immunization.

SpywareBlaster is a little more obvious to use and it works on Windows 98-ME
AWC requires going through the menus and finding three places to immunize
on XP systems I’m going to use both
setting an ActiveX kill bit - who cares who does it

We need to do some research on IM infections
do you have IM protection turned on with avast?

MBAM and SAS and Spybot and a-squared all come through on occasion
even ad-aware found a bunch of crap recently go figure

also run the trend micro anti rootkit scan

OK, here’s the thing: in desperation and anger I ‘fixed’ the offending file with HijackThis. It is still there, but the change is that it doesn’t seem to be running on startup anymore, and I haven’t had any warnings since.
Obviously it’s still there, but I am not sure what to do with it. I fear deleting it will just cause a new version of the file to be created and the whole process starts again.

Definitely, all parts are on at the highest sensitivity.

Also, in the file transfer settings in Live Messenger there is an option to scan inbound files, but you need to specify which program to use – which one in C:\Program Files\Alwil Software\Avast4 do I use for this?

Why do you need to rename it?

You need to rename combofix as there are some malware programs that are on the lookout for that file name to negate its use, etc. devious sods out there. spgScottFix.exe, etc. would be fine.

:slight_smile: Hi Scott :

It appears you have reached the point where you should have some certified Volunteer “Malware Removal Specialist” provide assistance!? I recommend you ask the “Microsoft Most Valuable Professional(s)” on the Forums at http://aumha.net .

Results from combofix are attached

Just before the scan, and after it upon startup and login, I get an avast behaviour blocker event popup (see attached, 1st one) in which the virus file is being questioned (I have changed the on-access protection to the highest possible, with alerts for everything), giving me the option to allow or deny. Every time I click deny it just pops up again. Also notice that the file name is different ??? but the program name is the familiar one that is haunting me.

Now as I post this I get another message at the bottom of the screen – scanning multiple outbound emails, and then the suspicious message alert – back where I started AGAIN >:( >:( >:(

I have thought about using a system disk as a last resort to wipe the system but am not sure for two reasons:

  1. Will it work?

  2. This PC was not originally mine (the reason for the different user name to mine in the log), so a system disk was not made, but I made one for my laptop a while ago.

The laptop ran Windows Media Center Edition, not XP Home, so can I even use this disk???