TechSpot

Infected -- Followed 15 steps. Results Attached

By sballard
Oct 28, 2007
  1. Hi,

    I started receiving the following pop-up error messages:

    ! System Alert: Trojan-Spy.win32@mx
    ! Security Alert: Network-i.virus@fp
    ! System Performance Monitor: Warning
    X Critical System Warning! - Your system is probably infected w/ latest version of spyware.cyberlog-x
    ! Security Alert: Spyware Found - PSW.X-Vir Trojan
    ! System Alert: Malware Threats

    I also have two desktop shortcuts that keep appearing:

    "online security guide" and "live safety center"

    I tried to follow the steps as best I could. I apologize in advance if I missed anything. Three logfiles are attached.

    Thanks in advance!...Shawn

    I also forgot to mention that the Panda tool found No Rootkits.

    Thanks...Shawn
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    The only result you didn't post was the Panda Antirootkit scan result. Please let me know in your next reply. EDIT: forget the Panda scan, just seen your other post.

    Delete all files in AVG Antispyware quarantine.

    Open notepad and copy/paste the text in the code box below into it:
    NOTE* make sure to only highlight and copy what is inside the quote box, nothing outside of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Code:

    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.


    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

    Regards Howard :wave: :wave:

    This thread is for the use of sballard only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. sballard

    sballard TS Rookie Topic Starter Posts: 32

    Thanks for the help. I ran the script as indicated. However, after doing so and restarting my system, I had trouble logging in. The "Windows is starting up..." window would sit there for a long time. Then it would go to the screen with the accounts. It wanted a password to log in, but I don't have passwords set. When I clicked on my account to log in, it gave me some kind of privileges error.

    So, I re-booted under safe mode and chose the "boot under last known config to work" option. That lets me in. However, when my desktop loads I get the following error: Error loading c:\windows\system32\pmpklm.dll

    The good news is that the security pop-ups seem to have stopped. My message is too long to include both combo and HJT logs. So, I have included them as attachments. Let me know if that isn't ok.

    Thanks...Shawn
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    plite731.exe
    PowerReg Scheduler.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe

    O4 - HKLM\..\Run: [147a915c] rundll32.exe "C:\WINDOWS\system32\jpmnpklm.dll",b

    O4 - Startup: PowerReg Scheduler.exe

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or folders (if there).

    C:\Documents and Settings\Shawn Ballard\Start Menu\Programs\Startup\PowerReg Scheduler.exe
    C:\WINDOWS\plite731.exe
    C:\WINDOWS\system32\jpmnpklm.dll
    C:\Documents and Settings\Shawn Ballard\SI.bin

    Reboot into normal mode and rehide your protected OS files.

    Post fresh HJT and Combofix logs.

    Regards Howard :)

    This thread is for the use of sballard only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  5. sballard

    sballard TS Rookie Topic Starter Posts: 32

    Thanks, that seemed to do the trick. Fresh Combo and HJT logs attached.

    Thanks Again!...Shawn
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your log files look clean.

    Turn off system restore (XP/ME only). See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

    Go HERE, download and install the latest version of Java.

    Once it's installed, go to add remove programmes in your control panel and uninstall all previous versions of Java, except version 6 update 3. Close Control panel.


    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of sballard only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  7. sballard

    sballard TS Rookie Topic Starter Posts: 32

    Thanks!

    I have two quick questions for you.

    First, there is another account on my system. I've done everything so far under my own account. Will that have taken care of any files that were under the other account as well? I think the other user is who actually infected the computer in the first place.

    Also, I do have virus protection, etc. installed. Apparently it didn't catch these malware/trojans. What can I do to make sure I don't get them again? Will AVG-Antispyware take care of it now?

    Thanks Again!...Shawn
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    It doesn't matter what AV/AS programmes you have, if someone is downloading the wrong stuff, your system will just become reinfected again.

    Please feel free to post a HJT log from the other account.

    See this thread HERE for info on how to keep your system more secure.

    Regards Howard :)

    This thread is for the use of sballard only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  9. sballard

    sballard TS Rookie Topic Starter Posts: 32

    Thanks. Attached is the HJT log from the other account.

    Thanks...Shawn
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Go to add remove programmes in your control panel and uninstall anything to do with (if there).

    ISM2

    Close control panel.


    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    ISMPack6.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz

    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)

    O4 - HKCU\..\Run: [ISMPack6] "C:\Program Files\ISM2\ISMPack6.exe"

    O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or folders (if there).

    C:\Program Files\ISM2

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log as well as a Combofix log.

    Regards Howard :)

    This thread is for the use of sballard only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
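Added example, not from the thread or from HijackThis itself: a small Python triage helper that parses HJT-style log lines like the ones Howard lists in posts 4 and 10 and flags the shapes a log reviewer looks for. The sample log is constructed from the entries quoted in this thread plus one benign ctfmon control line; the flag rules and regexes are review heuristics I chose, not HJT's own logic.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the HijackThis entries fixed in posts 4 and 10 above,
# plus one benign ctfmon autorun (constructed) as a control line.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
O4 - HKLM\..\Run: [147a915c] rundll32.exe "C:\WINDOWS\system32\jpmnpklm.dll",b
O4 - Startup: PowerReg Scheduler.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O4 - HKCU\..\Run: [ISMPack6] "C:\Program Files\ISM2\ISMPack6.exe"
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Assumed patterns for the HJT line shapes that appear in this thread.
O4_RUN = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP = re.compile(r"^O4 - Startup: (?P<file>.+)$")
R1_URL = re.compile(r"^R1 - (?P<key>.+?),(?P<value>[^=]+?) = (?P<url>\S+)$")


def flags(line):
    """Return review reasons for one HJT line; [] means nothing stood out.
    Triage heuristics only (assumed, not HJT verdicts): they surface entries
    worth a closer look, they do not prove an entry is malicious."""
    line = line.strip()
    reasons = []
    if m := O4_RUN.match(line):
        name, cmd = m.group("name"), m.group("cmd")
        if re.fullmatch(r"[0-9a-f]{8}", name):           # e.g. [147a915c]
            reasons.append("random-looking hex value name")
        if re.match(r"rundll32(\.exe)?\s", cmd, re.I):    # DLL run via rundll32
            reasons.append("autorun loads a DLL through rundll32")
        if re.fullmatch(r"C:\\WINDOWS\\[^\\]+\.exe", cmd, re.I):
            reasons.append("executable dropped directly in the Windows folder")
    elif O4_STARTUP.match(line):
        reasons.append("executable in the user's Startup folder")
    elif m := R1_URL.match(line):
        host = urlsplit(m.group("url")).hostname
        reasons.append(f"IE '{m.group('value').strip()}' redirected to {host}")
    elif line.startswith("R3 - URLSearchHook") and line.endswith("(no file)"):
        reasons.append("orphaned URLSearchHook with no backing file")
    return reasons


def scan(log):
    """Map each flagged line of an HJT log to its review reasons."""
    return {ln.strip(): flags(ln) for ln in log.strip().splitlines() if flags(ln)}
```

On the sample, the quoted-path ISMPack6 entry and the ctfmon control are not flagged, which is the point: heuristics narrow the list, the reviewer still reads the rest.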
     
  11. sballard

    sballard TS Rookie Topic Starter Posts: 32

    Did as instructed while connected as the other user. Updated logs run while connected as the other user are attached.

    Thanks!...Shawn
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Can't see any problems now.

    Turn off system restore (XP/ME only). See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of sballard only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  13. sballard

    sballard TS Rookie Topic Starter Posts: 32

    Everything looks good. Thanks so much for all of your help!

    ...Shawn
     
Topic Status:
Not open for further replies.
