Solved

Virus and spyware attack causing pop ups hjthis finds l?ass.exe

Posted on 2008-10-29
12
369 Views
Last Modified: 2013-12-06
Looks like an infection of a l?ass.exe I have ran combofix and HJthis logs are attached pc is running better but is still not right yet. I have not attempted to fix anything yet except what combofix did in the scan process. Any help is greatly appreciated!
combo-fix.txt
hijackthis.logb.txt
0
Comment
Question by:walkman48
12 Comments
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 22830963
Have you tried running any virus/spyware scanners on it. I reccomend running spyware terminator and malwarebytes antimalware.

Run these two clean up what they find and then post the HiJacktThis log.
0
 
LVL 20

Accepted Solution

by:
IndiGenus earned 500 total points
ID: 22831077
Hi,

Yes, still infected. Combofix script should help...you, or whoever owns this PC should really watch what gets downloaded. A whole lot of garbage is getting downloaded willingly on here it seems. That's why it's so infected. And I agree with xxdcmast here, run MBAM on here after the manual cleanup is done. I'm sure there is more.


1. Open Notepad.

2. Now copy/paste the text between the lines below into the Notepad window:

------------------------------------------------------------------------

File::
C:\WINDOWS\system32\wpv213.cpx
C:\WINDOWS\system32\wpv853.cpx
C:\Documents and Settings\Owner.Laptop\~.exe
C:\WINDOWS\system32\tbstrvim.dll

Folder::
C:\Documents and Settings\Owner.Laptop\Application Data\GetModule
C:\Documents and Settings\Owner.Laptop\Application Data\Facegame
C:\Documents and Settings\All Users\Application Data\PopCap
C:\Program Files\OINAnalytics
C:\Program Files\F?nts
C:\Documents and Settings\Owner.Laptop\Application Data\Gool
C:\WINDOWS\system32\TSKS~1

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6B221E01-F517-4959-8C41-81948E7F2F17}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6EA4E818-258C-7C2D-8E3D-50C002548DC6}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Blwi"=-
"Facegame"=-
"Gool"=-
"Ealb"=-

------------------------------------------------------------------------

3. Save the above as CFScript.txt on your desktop.

4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please upload the following reports/logs.

-Combofix.txt
-A new HijackThis log


0
 
LVL 4

Expert Comment

by:smittyboom
ID: 22832000
C:\Program Files\F?nts\l?ass.exe
O2 - BHO: (no name) - {656EC4B7-072B-4698-B504-2A414C1F0037} - (no file)
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Make sure you run MBAM as suggested and www.spybot.com
you may also want to run Trojan remover from www.simplysup.com
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 22836816

These folders below are also bad, add them to the script under --> Folder::
Folder::
C:\Program Files\iCheck
C:\Program Files\GetPack
C:\Program Files\Mjcore

0
 
LVL 8

Expert Comment

by:-Mystique-
ID: 22839449
Here is what probably is the best database on the web for looking up windows processes to find out what they are and what they do.
From the site:
TaskList.org is the ultimate resource to help you determine if your computer is infected with spyware, adware or viruses.
http://www.tasklist.org/

I have used this site many times to look up processes that I saw in task manager and didn't recognize, to see if they were legitimate or not.

Here's some info on some of your findings.
Facegame
http://www.bleepingcomputer.com/startups/Facegame-24137.html
Name: Facegame
Filename: Facegame.exe
Command: "%AppData%\Facegame\Facegame.exe" *
Description: Identified as a variant of the Trojan.Agent.AKPW malware. The *s in the command line represent random numbers.
File Location: %AppData%\Facegame\Facegame.exe
Startup Type: This startup entry is started automatically from a Run, RunOnce, RunServices, or RunServicesOnce entry in the registry.
HijackThis Category: O4 Entry  
Note: %AppData% refers to the current users Application Data folder. By default, this is C:\Documents and Settings\\Application Data for Windows 2000/XP.

Gool
http://www.bleepingcomputer.com/startups/Gool-24079.html
Filename: Gool.exe
Command: %AppData%\Gool\Gool.exe
Description: Unknown malware.
File Location: %AppData%\Gool\Gool.exe
Startup Type: This startup entry is started automatically from a Run, RunOnce, RunServices, or RunServicesOnce entry in the registry.
HijackThis Category: O4 Entry  
Note: %AppData% refers to the current users Application Data folder. By default, this is C:\Documents and Settings\\Application Data for Windows 2000/XP.


Bleeping Computers excellent database of startups
http://www.bleepingcomputer.com/startups/

This site gives much info on startups and guides you through tracking down malware processes on your pc., gives links to free resources as it tells you the steps for using them.
http://www.pacs-portal.co.uk/startup_content.php

http://www.sysinfo.org/startupinfo.html

http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
AutoRuns for Windows v9.35
By Mark Russinovich and Bryce Cogswell
Published: October 16, 2008
Introduction
This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and shows you the entries in the order Windows processes them. These programs include ones in your startup folder, Run, RunOnce, and other Registry keys. You can configure Autoruns to show other locations, including Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more. Autoruns goes way beyond the MSConfig utility bundled with Windows Me and XP.
0
 
LVL 4

Author Comment

by:walkman48
ID: 22876673
Ok have done some removal sorry it has take so long to get back.


ComboFix.txt
hijackthis.log2.txt
mbam-log-2008-10-29--10-49-18-.txt
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 20

Expert Comment

by:IndiGenus
ID: 22876973
A couple of things. That combofix log is from the 29th, several days ago. It was also not run with the script. Did you do that? Let us know if you have questions on it.

Also, MBAM did not remove anything. At the end of the scan you need to tell it to Remove Selected. I would advise you run it again.
0
 
LVL 4

Author Comment

by:walkman48
ID: 22901772
I am working on it My friend has gone for a while I will post back as soon as I can get in front of the pc.

0
 
LVL 4

Author Comment

by:walkman48
ID: 22936355
Ok here you go something is alot better as no popups for now. Thanks for your time on this sorry for long delay!

 
log.txtcombonov10.txt
hijackthis.lognov10.txt
mbam-log-2008-11-10--19-49-52-.txt
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 22942037
OK that last HJT appears clean and MBAM was clean, so you should be good to go if it's running well. You should uninstall combofix.

Click START then Run...
Now type Combofix /u in the runbox  and click OK.  Note the space between the X and the U, it needs to be there.

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present

Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.


0
 
LVL 4

Author Closing Comment

by:walkman48
ID: 31511152
Thanks for all of your help!!
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 22945085
You're welcome and thank you for the grade and points.

Regards,
Dave
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

PREFACE The purpose of this guide is to explain what the SEPC Status Utility is and how it works. I have written the utility using AutoIt and have included the source code for your review. You are welcome to modify the code to your liking, but I wi…
HOW TO REMOTELY CLEAN MEROND.O WITH ESET SILENTLY PROBLEM       If you have the fortunate luck to contract the Merond.O virus on your network, it can be quite troublesome to remove as it propagates to network shares on your network. In my case, the …
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now