WinPCDefender then Win32RootKit then..

Okay, so yesterday I got hit by the WinPCDefender crap with all those popups. Today, with System Restore off, I ran Ad-Aware in safe mode, and when I restarted the WinPC icon was gone, but things are still acting fishy… Spybot Search & Destroy and SUPERAntiSpyware won’t work.

When I get virus alerts from avast I try moving them to the chest and deleting them, but I keep getting virus alerts from avast.

I tried to stop the PC Defender process but couldn’t locate it. I deleted files like the instructions said, but I’m still infected.

I suggest:

  1. Clean your temporary files.
  2. Schedule a boot-time scan with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
  3. Use SUPERAntiSpyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  5. Make a HijackThis log to post here or at this analysis site. Or even submit the RunScanner log to on-line analysis.
  6. Disable System Restore and then re-enable it.
  7. Immunize your system with SpywareBlaster.
  8. Check if you have insecure applications with Secunia Software Inspector.

The most effective against what appears to be a fake security alert is the MBAM application in line 3 of Tech’s list.

Try downloading it, then install it and run it from safe mode.

Hey TECH… I tried what you wrote.
Here is my HijackThis log.
BTW my SUPERAntiSpyware, Spybot, and MBAM programs won’t operate, nor will doing a system scan… thanks. It is getting better.

At least it stopped constantly turning off.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:12:06 PM, on 3/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dumprep.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
********end part 1 james t

Did you try running them from safe mode as I suggested?

It would seem that you have more than just this fake security alert issue if it is also blocking/disabling other security programs.

Exactly what do you mean by “btw my SUPERANTISPYware, sybot, and mbam programs wont operate”?
Presumably there would be errors rather than simply that they don’t run. What were these errors?

jthomson3rd, this is a very short part of the log.
I hope some other expert can take a look at your full log (when you post it…).

Sorry… I tried splitting my log into three parts because it was too many words…

What I was trying to write earlier was that SuperAntiSpyware, the anti-spyware software on my machine, wouldn’t run.

But I got it to run again…

I’m going to see if Spybot S&D and MBAM work yet,
but SuperAntiSpyware, running now, found 3 Trojan.Dropper.

Didn’t avast detect them?
Send them to quarantine; do not delete the files directly, as they could be false positives.

If you can’t install MBAM, rename the install/setup file (then double-click the renamed file to install). Then go to C:\Program Files\Malwarebytes Antimalware, open that folder and rename mbam.exe (e.g. milk.exe), then double-click the renamed file to run the program. Same with SUPERAntiSpyware. Looked at your log (3 parts) very briefly; lots of suspicious entries that have been deactivated, maybe by the Ad-Aware scan.

From James’s other two topics:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60076
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60076
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60076
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60076
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60076
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://register.hp.com/servlet/WebReg.servlets.ProdReg1Servlet?appID=java_wreg_wreg_genpg&prodOS=011&gwCountry=US&language=EN&PURCH_DT_MONTH=05&PURCH_DT_DAY=11&PURCH_DT_YEAR=2004&PROD_SERIAL_ID=MXM4130D81&modelID=DW248A&LF=blue
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;
F2 - REG:system.ini: Shell=explorer.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe

and

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {03CDFA15-CBD6-4F8F-A92A-752FDEEA8589} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0A12ACCD-20BB-4433-A9B3-FF6F4AFCF4B3} - (no file)
O2 - BHO: {0e92c433-b0c9-8e5b-45a4-d5d4d07b0774} - {4770b70d-4d5d-4a54-b5e8-9c0b334c29e0} - (no file)
O2 - BHO: (no name) - {4AEDE78B-D19A-48AB-84AD-1AE9D8DFE892} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IEocx Class - {96ad72e4-2e2b-4ffc-a5bb-279c2714af12} - C:\WINDOWS\ieocx.dll (file missing)
O2 - BHO: (no name) - {979EA9E4-FB7D-430C-852D-89072CC27CEF} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: (no name) - {B9830499-DD2F-42ED-980D-1AFE3502295d} - (no file)
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\QTTask.exe” -atboottime
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [sysldtray] C:\windows\ld02.exe
O4 - HKLM..\Run: [SpywareTerminator] “C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe”
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU..\RunOnce: C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/servlet/ProductMessages?module=2009&error=0&language=en&product=SymNRT&version=2009.0.5.26&build=Symantec&a=00000082.0000006f.00000148&b=00000082.00000096.000001da&c=00000082.000000d4.00000264
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra ‘Tools’ menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download.html?f=windows/mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1209230647312
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mindshifttech.webex.com/client/T26L/nbr/ieatgpc.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: qomnkll - qomnkll.dll (file missing)
O20 - Winlogon Notify: rasps - C:\WINDOWS\Web\rasps.dll (file missing)
O20 - Winlogon Notify: ywdrjmpr - ywdrjmpr.dll (file missing)
O20 - Winlogon Notify: zgiphpmh - zgiphpmh.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe

End of file - 11771 bytes


An analysis of your HJT log shows the below :

We didn’t detect any active process of a firewall on your system. Reasons may be:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don’t use any firewall at all.
We recommend you to use a firewall.

These were the questionable and/or bad entries :

O2 - BHO: (no name) - {03CDFA15-CBD6-4F8F-A92A-752FDEEA8589} - (no file)
I found no results for this entry. Unknown application. Unnecessary (deactivated) entry that can be fixed.

O2 - BHO: (no name) - {0A12ACCD-20BB-4433-A9B3-FF6F4AFCF4B3} - (no file)
I found no results for this entry. Unknown application. Unnecessary (deactivated) entry that can be fixed.

O2 - BHO: {0e92c433-b0c9-8e5b-45a4-d5d4d07b0774} - {4770b70d-4d5d-4a54-b5e8-9c0b334c29e0} - (no file)
I found no results for this entry. Unknown application. Unnecessary (deactivated) entry that can be fixed.

O2 - BHO: (no name) - {4AEDE78B-D19A-48AB-84AD-1AE9D8DFE892} - (no file)
I found no results for this entry. Unknown application. Unnecessary (deactivated) entry that can be fixed.

O2 - BHO: IEocx Class - {96ad72e4-2e2b-4ffc-a5bb-279c2714af12} - C:\WINDOWS\ieocx.dll (file missing)
http://www.bleepingcomputer.com/virus-removal/remove-winpc-defender
Remains of WinPC Defender. Unnecessary (deactivated) entry that can be fixed.

O2 - BHO: (no name) - {979EA9E4-FB7D-430C-852D-89072CC27CEF} - (no file)
I found no results for this entry. Unknown application. Unnecessary (deactivated) entry that can be fixed.

O2 - BHO: (no name) - {B9830499-DD2F-42ED-980D-1AFE3502295d} - (no file)
I found no results for this entry. Unknown application. Unnecessary (deactivated) entry that can be fixed.

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
http://www.fileresearchcenter.com/M/MNYVIEWER.DLL-883.html
Belongs to Microsoft Money Application. Unnecessary (deactivated) entry that can be fixed.

O4 - HKCU..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/servlet/ProductMessages?module=2009&error=0&language=en&product=SymNRT&version=2009.0.5.26&build=Symantec&a=00000082.0000006f.00000148&b=00000082.00000096.000001da&c=00000082.000000d4.00000264
Remains of Symantec/NAV that needs to be fixed by using the appropriate removal tool from Symantec since there are also other Symantec entries present.

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
http://www.bleepingcomputer.com/startups/WEATHER.EXE-7446.html
BAD entry that should be fixed. Unnecessary (deactivated) entry that can be fixed.

O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
Check if you know this site and fix it if you do not. Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed.

O20 - Winlogon Notify: qomnkll - qomnkll.dll (file missing)
O20 - Winlogon Notify: rasps - C:\WINDOWS\Web\rasps.dll (file missing)
O20 - Winlogon Notify: ywdrjmpr - ywdrjmpr.dll (file missing)
O20 - Winlogon Notify: zgiphpmh - zgiphpmh.dll (file missing)
The above 4 are possibly related to a Vundo infection or other malware.
Unnecessary (deactivated) entries that can be fixed.
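The analysis above applies a handful of rules by hand: entries whose target is `(no file)` or `(file missing)` are deactivated leftovers, Winlogon Notify DLLs with random-looking names point at a Vundo-style infection, and ActiveX objects from unknown sites should be fixed. As an added example (not code from this thread, from HijackThis or from the analysis site), here is a small Python triage script that parses HijackThis-style lines and applies those same rules, plus two checks a reviewer would normally add for a log like this one: an Internet Explorer proxy that points at a local port, and a Run entry that launches an executable sitting directly in the Windows root directory. The sample lines are copied from the log posted in the thread; the allowlist of ActiveX hosts and the random-name heuristic are assumptions, and every hit marks an entry for manual review, not a verdict.

```python
"""Triage of HijackThis-style log lines (added example, not code from the thread).

Every hit is an entry to look at by hand, not a verdict; the rules mirror the
analysis posted in the thread plus two common reviewer checks.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
O2 - BHO: (no name) - {03CDFA15-CBD6-4F8F-A92A-752FDEEA8589} - (no file)
O2 - BHO: IEocx Class - {96ad72e4-2e2b-4ffc-a5bb-279c2714af12} - C:\WINDOWS\ieocx.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld02.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: qomnkll - qomnkll.dll (file missing)
O20 - Winlogon Notify: zgiphpmh - zgiphpmh.dll (file missing)
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
MISSING_RE = re.compile(r"\((no file|file missing)\)", re.I)
# Assumed heuristic: lowercase-only names of 6-10 letters, the shape of the
# Winlogon Notify DLL names flagged as Vundo-style in the thread.
RANDOM_NAME_RE = re.compile(r"^[a-z]{6,10}$")
# Constructed allowlist of ActiveX (O16) download hosts the reviewer already trusts.
KNOWN_DPF_HOSTS = {"go.microsoft.com", "update.microsoft.com"}


def parse_line(line):
    """Split one log line into its HJT section tag (R1, O2, ...) and body."""
    m = LINE_RE.match(line.strip())
    return {"section": m["section"], "body": m["body"], "raw": line.strip()} if m else None


def triage(entry):
    """Return the list of review notes that apply to one parsed entry."""
    sec, body = entry["section"], entry["body"]
    notes = []
    missing = bool(MISSING_RE.search(body))
    if missing:
        notes.append("orphaned entry: target file is gone (deactivated), safe to fix")
    if sec == "R1" and "ProxyServer" in body:
        target = body.split("=", 1)[1]  # value after the registry name
        if re.search(r"localhost|127\.0\.0\.1", target, re.I):
            notes.append("IE proxy points at a local port: find out which process listens there")
    if sec == "O4":
        # Path after the [name] tag, optionally quoted, up to the .exe extension.
        m = re.search(r'\]\s*"?(.+?\.exe)', body, re.I)
        if m and re.match(r"^[a-z]:\\windows\\[^\\]+$", m[1].lower()):
            notes.append("Run entry launches an executable directly in the Windows root: verify its publisher")
    if sec == "O16":
        m = re.search(r"https?://\S+", body)
        host = urlsplit(m[0]).hostname if m else None
        if host not in KNOWN_DPF_HOSTS:
            notes.append(f"ActiveX object from unrecognised site {host}: fix unless you know it")
    if sec == "O20":
        m = re.match(r"Winlogon Notify:\s*(\S+)", body)
        if missing and m and RANDOM_NAME_RE.match(m[1]):
            notes.append("missing Winlogon Notify DLL with a random-looking name: typical Vundo-style leftover")
    return notes


def triage_log(text):
    """Return (raw line, notes) for every entry that drew at least one note."""
    results = []
    for line in text.strip().splitlines():
        entry = parse_line(line)
        if entry:
            notes = triage(entry)
            if notes:
                results.append((entry["raw"], notes))
    return results


if __name__ == "__main__":
    for raw, notes in triage_log(SAMPLE_LOG):
        print(raw)
        for note in notes:
            print("   ->", note)
```

Run against the sample, the script flags seven of the eleven lines: the localhost proxy, the three orphaned BHO and Winlogon entries, the two random-named Winlogon DLLs, the Run entry in the Windows root and the ActiveX object from the non-allowlisted host, while the avast, Spybot, SUPERAntiSpyware and Microsoft lines pass. Feeding it a full log is just a matter of reading the file into `triage_log`.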


TECH and CharlyO,

After running Ad-Aware in safe mode and getting rid of the taskbar WinPCDefender icon, I deleted pcdefender in the registry but DID NOT DELETE the default folder above it. Was this bad…?

Then I followed some of your instructions and ran avast during a boot-up, did some other stuff… don’t recall now… then my anti-spyware software started working again… then in safe mode I ran MBAM, Spybot S&D, Ad-Aware and SUPERAntiSpyware and removed what they found…

BUT it is running much better now… so thanks.
I got an email from COMCAST supposedly saying that my computer is infected and I need to change ports, just by clicking on the link they provide… I didn’t click.

I just ran MBAM in regular mode and found nothing… so that’s great.

ALSO, one more thing I was wondering about: when my computer starts up in either regular or safe mode, the ‘My Documents’ folder appears on the screen, open. Do you know what I can do about this?
Thanks for helping me get rid of hijackers…
james

I’m running avast currently in re mode,
but hopefully it will all be cool.

Avast did return a clean scan (Woo HOO) but during a scan SUPERAntiSpyware found Trojan.Agent… AND told me to reboot. I’m going to run avast again I guess… it is better.

But My Documents still appears open when the computer starts up.