Spyware/Malware in the system

[sjd00d]

My computer is infected with some spyware. Every so often i'd get a pop-up warning saying "your computer has been attacked, you must use an anti-spyware to clean it up......", addiontally i get a warning message in the system tray with a message similar to this. My system also slows down considerably. I observed that when it slows down, explorer.exe eats up lot of CPU cycles.

I did what was suggested here...
techspot.com/vb/topic58138.html

it helps for a little while (few hours) but than the damn thing comes back again. I am attaching required log files (AVG, combofix, HJT)

 

[howard_hopkinso]

Hello and welcome to Techspot.

I have removed your log files as they are in the .doc format and this is not acceptable, due to the risk of viruses. It clearly states this in step15 of the instructions HERE.

Please reattach the requested log files with either a .txt of .log extension.

See HERE for instructions on how to attach log files.

Regards Howard :wave: :wave:

This thread is for the use of sjd00d only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[sjd00d]

Log files

I apologize for not attaching the correct files. I actually misread the post. Anyways, attached zip file contains files with .txt extension.

 

[howard_hopkinso]

It would be nice if you just attached your log files, rather than zipping them up.

Delete all files in AVG Antispyware quarantine.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Go to add remove programmes in your control panel and uninstall anything to do with(if there).

Bodog Poker

Close control panel.


Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

ISM Portmapper (portmap)
ISM Local Execution (nsrexecd)
ISM Server (nsrd)

Close the services window.


Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

nsrexecd.exe
BPGame.exe

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2

O2 - BHO: MSVPS System - {F675EED8-4A4B-4A11-801B-08297749B83D} - C:\WINDOWS\oprevnpx.dll

O3 - Toolbar: The bonsws - {05E9894E-9C5F-454B-A6E1-7BEF518EC87E} - C:\WINDOWS\bonsws.dll

O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe

O20 - Winlogon Notify: PAStates - C:\WINDOWS\SYSTEM32\PAStates.dll

O21 - SSODL: ddkret - {02BD989A-6F25-49E8-8295-1A797BDFFC3B} - C:\WINDOWS\ddkret.dll

O21 - SSODL: nopctrl - {FC6BF518-2BA2-4EC8-BCD7-70157218AF38} - C:\WINDOWS\nopctrl.dll

O23 - Service: ISM Server (nsrd) - Unknown owner - C:\ISM\2.20\bin\nsrd (file missing)

O23 - Service: ISM Local Execution (nsrexecd) - Unknown owner - C:\ISM\2.20\bin\nsrexecd (file missing)

O23 - Service: ISM Portmapper (portmap) - Unknown owner - C:\ISM\2.20\bin\portmap (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or folders(if there).

C:\ISM
C:\WINDOWS\ddkret.dll
C:\WINDOWS\nopctrl.dll

C:\WINDOWS\SYSTEM32\PAStates.dll
C:\Program Files\Bodog Poker
C:\WINDOWS\oprevnpx.dll

C:\WINDOWS\bonsws.dll
C:\VundoFix Backups
C:\WINDOWS\sawkip.exe

Reboot into normal mode and rehide your protected OS files.

Post fresh HJT and Combofix logs as attachments. Let me know how your system is running.

Regards Howard

This thread is for the use of sjd00d only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[sjd00d]

Problem solved, What solved it though?

Hi Howard,

Thanks much for your help. My apologies for the zip attachment but since the AVG logs were more than your file size limit, i had to zip'em up.

Your instructions seems to have worked. Its been close to 36 hrs. and haven't seen the dreaded spyware. I tried everything you had in your original instructions but none worked. Seems like the HJT log scan results and your instructions to remove those were the most valuable. Just out of curiosity, could you point 2-3 things that could have been the cause for concern so that in future i am more prepared to handle it myself. I had downloaded bodog poker myself so not sure if that was the issue or not (have removed it per your instructions).

 

[howard_hopkinso]

I still require fresh HJT and Combofix logs, so I can check to make sure your system is clean.

These were the main nasties on your system.

C:\WINDOWS\ddkret.dll
C:\WINDOWS\nopctrl.dll

C:\WINDOWS\SYSTEM32\PAStates.dll
C:\WINDOWS\oprevnpx.dll

C:\WINDOWS\bonsws.dll
C:\WINDOWS\sawkip.exe

Regards Howard

This thread is for the use of sjd00d only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[sjd00d]

HJT logs

Hi howard,

Per your instructions, i am attaching the HJT logs again having done the scan few mins. ago. No spyware for last 4 days BUT my anti-virus (mcafee) has warned me thrice of trojan alerts since then. It automatically deletes the trojan so i really don't see anything but i am guessing that somehow the spyware/virus whatever affected my system had made it more vulnerable as i never ever received those before.

Here's what its reporting on both the alerts.

1. C:\System Volume Information\_restore{29EBA355-0517-407C-8CAE-B77C28D2396F}\RP375\A0194936.dll
2. C:\System Volume Information\_restore{29EBA355-0517-407C-8CAE-B77C28D2396F}\RP375\A0194875.dll

On both it says, detected as "AdClicker-FC", detection type -> "Trojan", Application "svchost.exe"

 

[howard_hopkinso]

Those nasties are in your system restore points and are not dangerous, unless you use a restore point. We will deal with those, after the rest of your system is cleaned.

I did ask you for a fresh Combofix log.

Your HJT log appears to be clean.

Please post a fresh Combofix log.

Regards Howard

This thread is for the use of sjd00d only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[sjd00d]

Combofix logs

Here you go (my apologies again for not reading through your post carefully).

thank you so much for all the help you've provided.

 

[howard_hopkinso]

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

PWMBTHLP.EXE

Close task manager.

Locate and delete the following bold files and/or folders(if there).

C:\WINDOWS\PWMBTHLP.EXE
C:\Documents and Settings\ankushah\USER.DAT
C:\WINDOWS\bonsws.dll

Click start/run and type regedit into the run box and hit the enter key.

Navigate to the following reg keys and delete the bold portions(if there).

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{05E9894E-9C5F-454B-A6E1-7BEF518EC87E}

HKEY_CLASSES_ROOT\clsid\{05e9894e-9c5f-454b-a6e1-7bef518ec87e}

HKEY_CLASSES_ROOT\bonsws.ToolBar.1

HKEY_CLASSES_ROOT\TypeLib\{B3A2A04F-E4B3-4E16-B7AD-555E8DD3DBBA}

HKEY_CLASSES_ROOT\bonsws.ToolBar

Close regedit.

Reboot into normal mode and rehide your protected OS files.

Post fresh HJT and Combofix logs.

Regards Howard

This thread is for the use of sjd00d only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[sjd00d]

Combofix and HJT logs

Here you go. Thanks again for looking into this and helping out.