Solved

Virus and spyware attack causing pop-ups; HJThis finds l?ass.exe

Posted on 2008-10-29
12
379 Views
Last Modified: 2013-12-06
Looks like an infection of a l?ass.exe. I have run ComboFix, and the HJThis logs are attached. The PC is running better but is still not right yet. I have not attempted to fix anything yet except what ComboFix did in the scan process. Any help is greatly appreciated!
combo-fix.txt
hijackthis.logb.txt
0
Question by:walkman48
12 Comments
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 22830963
Have you tried running any virus/spyware scanners on it? I recommend running Spyware Terminator and Malwarebytes Anti-Malware.

Run these two, clean up what they find, and then post the HijackThis log.
0
 
LVL 20

Accepted Solution

by:IndiGenus (earned 500 total points)
ID: 22831077
Hi,

Yes, still infected. The ComboFix script should help... You, or whoever owns this PC, should really watch what gets downloaded. A whole lot of garbage is getting downloaded willingly on here, it seems. That's why it's so infected. And I agree with xxdcmast here: run MBAM on here after the manual cleanup is done. I'm sure there is more.


1. Open Notepad.

2. Now copy/paste the text between the lines below into the Notepad window:

------------------------------------------------------------------------

File::
C:\WINDOWS\system32\wpv213.cpx
C:\WINDOWS\system32\wpv853.cpx
C:\Documents and Settings\Owner.Laptop\~.exe
C:\WINDOWS\system32\tbstrvim.dll

Folder::
C:\Documents and Settings\Owner.Laptop\Application Data\GetModule
C:\Documents and Settings\Owner.Laptop\Application Data\Facegame
C:\Documents and Settings\All Users\Application Data\PopCap
C:\Program Files\OINAnalytics
C:\Program Files\F?nts
C:\Documents and Settings\Owner.Laptop\Application Data\Gool
C:\WINDOWS\system32\TSKS~1

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6B221E01-F517-4959-8C41-81948E7F2F17}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6EA4E818-258C-7C2D-8E3D-50C002548DC6}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Blwi"=-
"Facegame"=-
"Gool"=-
"Ealb"=-

------------------------------------------------------------------------

3. Save the above as CFScript.txt on your desktop.

4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please upload the following reports/logs.

-Combofix.txt
-A new HijackThis log


0
 
LVL 4

Expert Comment

by:smittyboom
ID: 22832000
C:\Program Files\F?nts\l?ass.exe
O2 - BHO: (no name) - {656EC4B7-072B-4698-B504-2A414C1F0037} - (no file)
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Make sure you run MBAM as suggested, and www.spybot.com.
You may also want to run Trojan Remover from www.simplysup.com.
0
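As an added example that is not part of this thread, here is a short Python triage pass over constructed HijackThis-style lines modelled on the entries quoted above (the O4 Run-key lines, their paths and the list of system process names are assumptions). It flags the three patterns the experts act on here: orphaned "(no file)" entries, autostarts that run from the user-writable Application Data folder (Facegame, Gool), and executable names one character away from a Windows system process, which is what the l?ass.exe finding is.

```python
import re
from typing import Dict, List

# Constructed sample in HijackThis log format, modelled on the entries quoted in this thread.
# The O4 (Run-key) lines are assumed; the thread quotes the paths but not the O4 lines themselves.
SAMPLE_LOG = r"""O2 - BHO: (no name) - {656EC4B7-072B-4698-B504-2A414C1F0037} - (no file)
O4 - HKCU\..\Run: [Facegame] C:\Documents and Settings\Owner.Laptop\Application Data\Facegame\Facegame.exe
O4 - HKLM\..\Run: [Fonts] C:\Program Files\F?nts\l?ass.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
"""

# Windows system binaries that malware imitates by changing a single character (assumed list).
SYSTEM_EXES = {"lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe", "services.exe", "explorer.exe"}

# O4 - <hive\..\Run>: [<value name>] <command>
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def one_char_off(candidate: str, legit: str) -> bool:
    """True when the names have equal length and differ in exactly one position.
    HijackThis prints an unprintable byte as '?', so 'l?ass.exe' is one position off 'lsass.exe'."""
    a, b = candidate.lower(), legit.lower()
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1


def triage(log: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious log line, with the reason it was flagged."""
    findings: List[Dict[str, str]] = []
    for line in log.splitlines():
        line = line.strip()
        if not line:
            continue
        # Any entry type: the referenced file is gone, so the entry is a harmless but removable leftover.
        if line.endswith("(no file)"):
            findings.append({"line": line, "reason": "orphaned entry: referenced file no longer exists"})
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        path = m.group("cmd").strip('"')
        exe = path.rsplit("\\", 1)[-1]
        for legit in SYSTEM_EXES:
            if one_char_off(exe, legit):
                findings.append({"line": line, "reason": f"{exe} is a one-character lookalike of {legit}"})
                break
        else:
            # Legitimate autostarts rarely live in the per-user profile; the Facegame/Gool entries did.
            if "\\application data\\" in path.lower():
                findings.append({"line": line, "reason": "autostart runs from the user-writable Application Data folder"})
    return findings
```

Each finding carries the original line, so the output can be pasted straight into a CFScript File::/Registry:: section for review.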
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 22836816

The folders below are also bad; add them to the script under Folder::
Folder::
C:\Program Files\iCheck
C:\Program Files\GetPack
C:\Program Files\Mjcore

0
 
LVL 8

Expert Comment

by:-Mystique-
ID: 22839449
Here is what is probably the best database on the web for looking up Windows processes to find out what they are and what they do.
From the site:
TaskList.org is the ultimate resource to help you determine if your computer is infected with spyware, adware or viruses.
http://www.tasklist.org/

I have used this site many times to look up processes that I saw in task manager and didn't recognize, to see if they were legitimate or not.

Here's some info on some of your findings.
Facegame
http://www.bleepingcomputer.com/startups/Facegame-24137.html
Name: Facegame
Filename: Facegame.exe
Command: "%AppData%\Facegame\Facegame.exe" *
Description: Identified as a variant of the Trojan.Agent.AKPW malware. The *s in the command line represent random numbers.
File Location: %AppData%\Facegame\Facegame.exe
Startup Type: This startup entry is started automatically from a Run, RunOnce, RunServices, or RunServicesOnce entry in the registry.
HijackThis Category: O4 Entry  
Note: %AppData% refers to the current user's Application Data folder. By default, this is C:\Documents and Settings\\Application Data for Windows 2000/XP.

Gool
http://www.bleepingcomputer.com/startups/Gool-24079.html
Filename: Gool.exe
Command: %AppData%\Gool\Gool.exe
Description: Unknown malware.
File Location: %AppData%\Gool\Gool.exe
Startup Type: This startup entry is started automatically from a Run, RunOnce, RunServices, or RunServicesOnce entry in the registry.
HijackThis Category: O4 Entry  
Note: %AppData% refers to the current user's Application Data folder. By default, this is C:\Documents and Settings\\Application Data for Windows 2000/XP.


Bleeping Computer's excellent database of startups
http://www.bleepingcomputer.com/startups/

This site gives much info on startups and guides you through tracking down malware processes on your PC, and gives links to free resources as it tells you the steps for using them.
http://www.pacs-portal.co.uk/startup_content.php

http://www.sysinfo.org/startupinfo.html

http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
AutoRuns for Windows v9.35
By Mark Russinovich and Bryce Cogswell
Published: October 16, 2008
Introduction
This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and shows you the entries in the order Windows processes them. These programs include ones in your startup folder, Run, RunOnce, and other Registry keys. You can configure Autoruns to show other locations, including Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more. Autoruns goes way beyond the MSConfig utility bundled with Windows Me and XP.
0
 
LVL 4

Author Comment

by:walkman48
ID: 22876673
OK, I have done some removal; sorry it has taken so long to get back.


ComboFix.txt
hijackthis.log2.txt
mbam-log-2008-10-29--10-49-18-.txt
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 22876973
A couple of things. That combofix log is from the 29th, several days ago. It was also not run with the script. Did you do that? Let us know if you have questions on it.

Also, MBAM did not remove anything. At the end of the scan you need to tell it to Remove Selected. I would advise you run it again.
0
 
LVL 4

Author Comment

by:walkman48
ID: 22901772
I am working on it. My friend has gone for a while; I will post back as soon as I can get in front of the PC.

0
 
LVL 4

Author Comment

by:walkman48
ID: 22936355
OK, here you go. Something is a lot better, as there are no pop-ups for now. Thanks for your time on this; sorry for the long delay!

 
log.txtcombonov10.txt
hijackthis.lognov10.txt
mbam-log-2008-11-10--19-49-52-.txt
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 22942037
OK, that last HJT log appears clean and MBAM was clean, so you should be good to go if it's running well. You should uninstall ComboFix.

Click START then Run...
Now type Combofix /u in the run box and click OK. Note the space between the X and the U; it needs to be there.

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present

Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.


0
 
LVL 4

Author Closing Comment

by:walkman48
ID: 31511152
Thanks for all of your help!!
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 22945085
You're welcome and thank you for the grade and points.

Regards,
Dave
0
