Infected -- Followed 15 steps. Results Attached

Status
Not open for further replies.

sballard

Hi,

I started receiving the following pop-up error messages:

! System Alert: Trojan-Spy.win32@mx
! Security Alert: Network-i.virus@fp
! System Performance Monitor: Warning
X Critical System Warning! - Your system is probably infected w/ latest version of spyware.cyberlog-x
! Security Alert: Spyware Found - PSW.X-Vir Trojan
! System Alert: Malware Threats

I also have two desktop shortcuts that keep appearing:

"online security guide" and "live safety center"

I tried to follow the steps as best I could. I apologize in advance if I missed anything. Three logfiles are attached.

Thanks in advance!...Shawn

I also forgot to mention that the Panda tool found No Rootkits.

Thanks...Shawn
 
Hello and welcome to Techspot.

The only result you didn't post was the Panda Antirootkit scan result. Please let me know in your next reply. EDIT: forget the Panda scan, just seen your other post.

Delete all files in AVG Antispyware quarantine.

Open notepad and copy/paste the text in the code box below into it:
NOTE: make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code:
File::
C:\WINDOWS\plite731.exe
C:\WINDOWS\system32\dirpwvvg.dll
C:\WINDOWS\system32\jpmnpklm.dll
C:\WINDOWS\SYSTEM32\yssvtian.dll
C:\WINDOWS\SYSTEM32\kquedawg.dll.vir
C:\WINDOWS\frexup2.exe
C:\WINDOWS\SYSTEM32\opnomji.dll.vir
C:\WINDOWS\plite731.exe
C:\WINDOWS\plite731_uninstaller_.bat
C:\Documents and Settings\Shawn Ballard\Start Menu\Programs\Startup\PowerReg Scheduler.exe
C:\WINDOWS\system32\geebb.dll

Folder::
C:\VundoFix Backups
C:\Qoobox

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dirpwvvg]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=-


Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScript.gif]


This will start ComboFix again. After the reboot (if it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

Regards Howard :wave: :wave:

This thread is for the use of sballard only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
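The reply above stresses that the script only works if `File::` is the very first line, with no blank line above it and no leading space, and it is worth knowing exactly which files, folders and registry keys a CFScript will touch before dragging it onto ComboFix. The following is an added example, not code from this thread, from ComboFix or from TechSpot: a small checker that validates the header rule and splits a script into its `File::`, `Folder::` and `Registry::` sections, classifying the registry lines as "delete whole key" (`[-KEY]`) or "delete one value under the preceding key" (`"name"=-`). The sample script is constructed from a subset of the entries posted above; section names and the registry line conventions are the documented CFScript ones, everything else (function names, the sample) is the example's own.

```python
"""Sanity-check a ComboFix CFScript before it is used.

Added example (not ComboFix's own code): validates the 'File:: on the
first line' rule and lists what each section would act on.
"""
import re

# A section header is exactly 'File::', 'Folder::' or 'Registry::' on its own line.
SECTION_RE = re.compile(r"^(File|Folder|Registry)::$")

# Constructed sample, built from a subset of the script posted in the thread.
SAMPLE_SCRIPT = """File::
C:\\WINDOWS\\plite731.exe
C:\\WINDOWS\\system32\\dirpwvvg.dll

Folder::
C:\\Qoobox

Registry::
[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
"""


def validate_header(text):
    """Return a list of problems with the first line (empty list means OK)."""
    problems = []
    first = text.split("\n", 1)[0]
    if first == "":
        problems.append("blank line above File::")
    elif first != "File::":
        if first.strip() == "File::":
            problems.append("whitespace around File::")
        else:
            problems.append("first line is not File::")
    return problems


def parse_sections(text):
    """Split the script into {'File': [...], 'Folder': [...], 'Registry': [...]}.

    Entry lines are kept verbatim (trailing whitespace stripped); blank lines
    are dropped. An entry before any header is an error.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        sections[current].append(line)
    return sections


def registry_actions(lines):
    """Classify Registry:: lines in regedit-style syntax.

    '[-KEY]'    -> ('delete_key', KEY, None)
    '[KEY]'     -> sets the current key for the value lines that follow
    '"name"=-'  -> ('delete_value', current KEY, name)
    """
    actions = []
    key = None
    for line in lines:
        if line.startswith("[-") and line.endswith("]"):
            actions.append(("delete_key", line[2:-1], None))
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif line.startswith('"') and line.endswith("=-"):
            name = line[1:line.rindex('"')]
            actions.append(("delete_value", key, name))
        else:
            actions.append(("unknown", key, line))
    return actions


def review(text):
    """Header problems, parsed sections and registry actions for one script."""
    problems = validate_header(text)
    sections = parse_sections(text)
    return problems, sections, registry_actions(sections.get("Registry", []))


if __name__ == "__main__":
    probs, secs, acts = review(SAMPLE_SCRIPT)
    print("header problems:", probs or "none")
    for name, entries in secs.items():
        print(f"{name}:: ({len(entries)} entries)")
        for entry in entries:
            print("   ", entry)
    for action in acts:
        print(action)
```

Run it against the saved CFScript.txt (read the file and pass its contents to `review`) before using it; a non-empty problem list means ComboFix would not treat the file as a script, which is the failure the reply warns about.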
 
Thanks for the help. I ran the script as indicated. However, after doing so and restarting my system, I had trouble logging in. The "Windows is starting up..." window would sit there for a long time. Then it would go to the screen with the accounts. It wanted a password to log in, but I don't have passwords set. When I clicked on my account to log in, it gave me some kind of privileges error.

So, I re-booted under safe mode and chose the "boot under last known config to work" option. That lets me in. However, when my desktop loads I get the following error: Error loading c:\windows\system32\pmpklm.dll

The good news is that the security pop-ups seem to have stopped. My message is too long to include both combo and HJT logs. So, I have included them as attachments. Let me know if that isn't ok.

Thanks...Shawn
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

plite731.exe
PowerReg Scheduler.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe

O4 - HKLM\..\Run: [147a915c] rundll32.exe "C:\WINDOWS\system32\jpmnpklm.dll",b

O4 - Startup: PowerReg Scheduler.exe

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or folders (if there):

C:\Documents and Settings\Shawn Ballard\Start Menu\Programs\Startup\PowerReg Scheduler.exe
C:\WINDOWS\plite731.exe
C:\WINDOWS\system32\jpmnpklm.dll
C:\Documents and Settings\Shawn Ballard\SI.bin

Reboot into normal mode and rehide your protected OS files.

Post fresh HJT and Combofix logs.

Regards Howard :)

 
Your log files look clean.

Turn off system restore (XP/ME only). See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

Go HERE, download and install the latest version of Java.

Once it's installed, go to add remove programmes in your control panel and uninstall all previous versions of Java, except version 6 update 3. Close Control panel.


If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 
Thanks!

I have two quick questions for you.

First, there is another account on my system. I've done everything so far under my own account. Will that have taken care of any files that were under the other account as well? I think the other user is who actually infected the computer in the first place.

Also, I do have virus protection, etc. installed. Apparently it didn't catch these malware/trojans. What can I do to make sure I don't get them again? Will AVG-Antispyware take care of it now?

Thanks Again!...Shawn
 
It doesn't matter what AV/AS programmes you have, if someone is downloading the wrong stuff, your system will just become reinfected again.

Please feel free to post a HJT log from the other account.

See this thread HERE for info on how to keep your system more secure.

Regards Howard :)

 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Go to add remove programmes in your control panel and uninstall anything to do with (if there):

ISM2

Close control panel.


Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

ISMPack6.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz

R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)

O4 - HKCU\..\Run: [ISMPack6] "C:\Program Files\ISM2\ISMPack6.exe"

O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or folders (if there):

C:\Program Files\ISM2

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log as well as a Combofix log.

Regards Howard :)

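Both of Howard's HJT fix lists (the `O4` autostart entries for plite731.exe, the rundll32-loaded DLL and the Startup folder item in the earlier reply, and the `R1`/`R3`/`O4`/`O16` entries above) are lines in HijackThis's one-line-per-entry format. The following is an added example, not code from this thread or from HijackThis: a parser that turns such log lines into records, pulls the executable or DLL path out of `O4` entries (including the quoted DLL argument of a `rundll32.exe` command and bare filenames in the Startup folder), and cross-checks them against the file names already identified in the cleanup so the same names can be spotted in a fresh log. The sample log is constructed from the entries posted in the thread; the regular expressions and helper names are the example's own.

```python
"""Parse HijackThis (HJT) log entries and cross-check O4 autostart files.

Added example (not HijackThis's own code). Entry lines look like
'O4 - HKLM\\..\\Run: [name] command' or 'R1 - key,value = data'.
"""
import ntpath
import re

# Constructed sample: the entries Howard asked to have fixed in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
O4 - HKLM\..\Run: [147a915c] rundll32.exe "C:\WINDOWS\system32\jpmnpklm.dll",b
O4 - HKCU\..\Run: [ISMPack6] "C:\Program Files\ISM2\ISMPack6.exe"
O4 - Startup: PowerReg Scheduler.exe
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
"""

# 'Rn', 'Fn', 'Nn' or 'On' entry code, then ' - ', then the body.
ENTRY_RE = re.compile(r"^(?P<type>[RFNO]\d+) - (?P<body>.*)$")
# O4 body: '<location>: [<name>] <command>'; the [name] part is absent for Startup items.
O4_RE = re.compile(r"^(?P<location>.+?): (?:\[(?P<name>[^\]]*)\] )?(?P<command>.*)$")
# Command tokens: a double-quoted path (may contain spaces) or a bare token.
TOKEN_RE = re.compile(r'"([^"]+)"|(\S+)')


def command_file(location, command):
    """Return the file an O4 command actually runs or loads."""
    if location.lower() == "startup":
        # Startup-folder items are listed by file name, spaces and all.
        return command
    tokens = [quoted or bare for quoted, bare in TOKEN_RE.findall(command)]
    if not tokens:
        return ""
    # rundll32.exe loads the DLL given as its first argument ("path",entry).
    if ntpath.basename(tokens[0]).lower() == "rundll32.exe" and len(tokens) > 1:
        return tokens[1]
    return tokens[0]


def parse_entry(line):
    """Parse one HJT line into a dict, or return None for non-entry lines."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if not m:
        return None
    rec = {"type": m.group("type"), "body": m.group("body"), "raw": line}
    if rec["type"] == "O4":
        o = O4_RE.match(rec["body"])
        if o:
            rec["location"] = o.group("location")
            rec["name"] = o.group("name")
            rec["file"] = command_file(o.group("location"), o.group("command"))
    return rec


def parse_log(text):
    """All entry records in a log, in order."""
    return [r for r in (parse_entry(l) for l in text.splitlines()) if r]


def match_known(records, known_basenames):
    """O4 records whose file name (case-insensitive) is in known_basenames."""
    known = {k.lower() for k in known_basenames}
    return [
        r for r in records
        if r.get("file") and ntpath.basename(r["file"]).lower() in known
    ]


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for r in records:
        print(r["type"], r.get("file", r["body"]))
    # File names already identified in this thread's cleanup.
    for r in match_known(records, {"plite731.exe", "jpmnpklm.dll", "PowerReg Scheduler.exe", "ISMPack6.exe"}):
        print("matches known file:", r["raw"])
```

`ntpath` is used for basenames so the Windows paths are handled correctly even when the script is run on another OS; a fresh log from the other user account can be read from disk and passed to `parse_log` in place of the constructed sample.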
 
Did as instructed while connected as the other user. Updated logs run while connected as the other user are attached.

Thanks!...Shawn
 
Can't see any problems now.

Turn off system restore (XP/ME only). See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 