Tech Support Guy Forums > Security & Malware Removal > Malware Removal & HijackThis Logs >
PLEASE HELP! "Ultimate Defender"! (New)
sam988
Junior Member with 17 posts.
Join Date: Feb 2008
01-Feb-2008, 02:00 AM #1
PLEASE HELP! "Ultimate Defender"!
I have this problem with this window that keeps popping up that says that my computer is infected and that I must download the latest anti spyware program or whatever... well you guys must know this problem.

Anyways, I downloaded the HijackThis program to wipe this **** out of my computer but somehow IT DOESN'T RUN! I install it, and then when I double click on the icon to execute the program, nothing happens! So I don't know how to uninstall this crap Ultimate Defender thing, I'm getting crazy with rage, already lost almost 2 hours surfing through the web looking for help but nothing worked yet. What do I do other than finding the s*ckers who created this Ultimate Defender spyware and killing them, after torturing them and making them make my computer be clean again?
sam988
Junior Member with 17 posts.
Join Date: Feb 2008
01-Feb-2008, 02:27 AM #2
OK, some update.

I read that it's probably some CoolWebSearch program that's making me unable to open the HijackThis program. I did the following:

Renamed the HijackThis program to analyse.exe as I read somewhere on the web it could help. It didn't.

I ran CWShredder and it didn't find any CoolWebSearch. I also downloaded PepiMK's CoolWWWSearch.Smartsearch killer but it didn't find anything either.

And I'm still unable to open HijackThis. Goddamn, what do I do? I'm getting crazy, I didn't want to go to sleep before solving this problem but it's 5:24am and I must go sleep.

I hope when I wake up someone will have given me the magic fix.
dvk01
Moderator with 27,638 posts.
Join Date: Dec 2002
Location: Loughton, Essex, UK
01-Feb-2008, 08:40 AM #3
Please visit Combofix Guide & Instructions for instructions for downloading and running ComboFix:

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
sam988
Junior Member with 17 posts.
Join Date: Feb 2008
01-Feb-2008, 10:44 AM #4
Alright, I already managed to run HijackThis; turns out my mind was too tired and wasn't working very well yesterday. I just had to open HijackThis by a different icon and it worked. Anyways, here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:40:37, on 1/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Winamp Remote\bin\OrbTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Arquivos de programas\BitTorrent\bittorrent.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Arquivos de programas\Trend Micro\analyseo\analyseo.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Arquivos de programas\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Arquivos de programas\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Arquivos de programas\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Orb] "C:\Arquivos de programas\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [Steam] C:\Arquivos de programas\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [Comrade.exe] C:\Arquivos de programas\GameSpy\Comrade\Comrade.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: .protected
O4 - Startup: BitTorrent.lnk = C:\Arquivos de programas\BitTorrent\bittorrent.exe
O4 - Global Startup: .protected
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - AppInit_DLLs: cru629.dat
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Serviço iPod (iPod Service) - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\msvcrtd.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 5273 bytes
sam988
Junior Member with 17 posts.
Join Date: Feb 2008
01-Feb-2008, 11:31 AM #5
Please, guys... now I just need someone to see the log and tell me what I must delete.
dvk01
Moderator with 27,638 posts.
Join Date: Dec 2002
Location: Loughton, Essex, UK
01-Feb-2008, 03:55 PM #6
I have told you what to do.

Run ComboFix & post its log here.

We need to use ComboFix to fix this one.
sam988
Junior Member with 17 posts.
Join Date: Feb 2008
01-Feb-2008, 04:35 PM #7
ComboFix doesn't run. Just like Spybot S&D, my avast antivirus, Killbox, and a load of other programs, they all just don't run. When I click on the exe icons, nothing happens.
dvk01
Moderator with 27,638 posts.
Join Date: Dec 2002
Location: Loughton, Essex, UK
01-Feb-2008, 04:41 PM #8
That sounds like the new Bagle that blocks most security programs.

Delete ComboFix & redownload it.

BUT as you download it you MUST rename it before saving it to the desktop.

Call it sam988.exe.
Then when it is on the desktop:
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re-enable the protection again afterwards before connecting to the net.
--------------------------------------------------------------------
2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.
  • WARNING: IF you have not already done so, ComboFix will disconnect your machine from the Internet when it starts.
  • Please do not re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no internet connection when ComboFix has completely finished then restart your computer to restore back the connections.
Double click on sam988.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

****Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall or freeze ****
__________________
Derek Microsoft MVP/Windows - Security Thespykiller | Security & Privacy
I am helping you, please help me by donating to help keep the Hedgehog Rescue Centre running
sam988
Junior Member with 17 posts.
Join Date: Feb 2008
01-Feb-2008, 05:38 PM #9
I appreciate the help, but when I click on it to run (yes, I renamed it before starting the download), a small box appears reading "Combo Fix" in it, and then soon after it disappears again. And that's it, ComboFix still doesn't open (before I used this renaming technique, not even this small box would open, so renaming it had an effect, but obviously not the expected one).

By the way, if this info helps in your understanding of the problem: ever since this malware got into my PC, my avast antivirus has been disabled against my will, I can't turn it on anymore, as with virtually all anti-virus/malware/spyware programs that I tried. My computer is completely defenseless.
dvk01
Moderator with 27,638 posts.
Join Date: Dec 2002
Location: Loughton, Essex, UK
01-Feb-2008, 06:02 PM #10
Let's see if this will work.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text contained in the quote box below including the " Files to delete:" line, to your Clipboard by highlighting it and pressing (Ctrl+C):

Quote:
Files to delete:
C:\WINDOWS\SYSTEM32\crypts.dll
c:\windows\system32\msvcrtd.exe
c:\windows\system32\cru629.dat
C:\WINDOWS\system32\braviax.exe

Drivers to unload:
msupdate

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

Then try ComboFix.
__________________
Derek Microsoft MVP/Windows - Security Thespykiller | Security & Privacy
I am helping you, please help me by donating to help keep the Hedgehog Rescue Centre running
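As an added example (not code from this thread, nor from HijackThis or The Avenger), here is the check a helper does by eye when reading the log in post #4 and writing the Avenger script in post #10, written out in Python. It parses the O4/O20/O23 lines, flags the entries a reviewer should look at first, then parses the Avenger script and confirms that every file and driver it targets traces back to a flagged log entry, so nothing gets deleted that the log never justified. The log lines and the script are copied from the posts above; the suspicion rules and the two allowlists are my own assumptions, not anything HijackThis ships.

```python
"""Triage a HijackThis (HJT) log and cross-check an Avenger script against it.

Added example; not code from this thread, HijackThis or The Avenger.
The log excerpt and the script are copied from the posts above; the
suspicion rules and allowlists below are my own assumptions.
"""
import re
from dataclasses import dataclass

# Lines copied from the HJT log posted in this thread (a subset).
HJT_LOG = r"""
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - Startup: .protected
O4 - Startup: BitTorrent.lnk = C:\Arquivos de programas\BitTorrent\bittorrent.exe
O20 - AppInit_DLLs: cru629.dat
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\msvcrtd.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

# The Avenger script dvk01 posted for this machine (copied verbatim).
AVENGER_SCRIPT = r"""
Files to delete:
C:\WINDOWS\SYSTEM32\crypts.dll
c:\windows\system32\msvcrtd.exe
c:\windows\system32\cru629.dat
C:\WINDOWS\system32\braviax.exe

Drivers to unload:
msupdate
"""

# Assumed allowlists: helpers that legitimately autorun from the system
# directory, and Winlogon Notify DLLs that Windows XP ships with.
KNOWN_SYSTEM32_RUN = {"ctfmon.exe", "rundll32.exe", "rthdcpl.exe", "alcmtr.exe", "nwiz.exe"}
KNOWN_WINLOGON_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll", "wlnotify.dll"}
_SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\", re.I)


@dataclass
class Finding:
    section: str      # HJT section tag (O4, O20, O23)
    basename: str     # lower-cased file name the entry points at
    reason: str
    line: str
    service: str = ""  # service short name, O23 entries only


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].strip().lower()


def _executable(cmd: str) -> str:
    """Executable part of an autorun command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage_hjt(log_text: str) -> list:
    """Entries a reviewer should look at first. Candidates, not verdicts:
    PnkBstrA (PunkBuster) trips the O23 rule as well."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        if m := re.match(r"O4 - HK.*?\\\.\.\\Run: \[[^\]]*\] (.+)$", line):
            exe = _executable(m.group(1))
            # A bare file name resolves through the system path, so treat it like system32.
            in_sysdir = "\\" not in exe or bool(_SYSTEM32.match(exe))
            if in_sysdir and _basename(exe) not in KNOWN_SYSTEM32_RUN:
                findings.append(Finding("O4", _basename(exe), "autorun from system dir, not a known component", line))
        elif m := re.match(r"O4 - (?:Global )?Startup: (.+)$", line):
            if not m.group(1).lower().endswith((".lnk", ".exe")):
                findings.append(Finding("O4", _basename(m.group(1)), "odd Startup folder item", line))
        elif m := re.match(r"O20 - AppInit_DLLs: (.+)$", line):
            findings.append(Finding("O20", _basename(m.group(1)), "AppInit_DLLs loads into every process", line))
        elif m := re.match(r"O20 - Winlogon Notify: \S+ - (.+)$", line):
            if _basename(m.group(1)) not in KNOWN_WINLOGON_DLLS:
                findings.append(Finding("O20", _basename(m.group(1)), "unknown Winlogon Notify DLL", line))
        elif m := re.match(r"O23 - Service: (.+?) - (.+?) - (.+)$", line):
            display, owner, path = m.groups()
            if owner == "Unknown owner" and _SYSTEM32.match(path):
                short = re.search(r"\(([^)]+)\)$", display)  # "(msupdate)" -> msupdate
                findings.append(Finding("O23", _basename(path), "unknown-owner service in system32", line,
                                        service=short.group(1) if short else display))
    return findings


def parse_avenger_script(text: str) -> dict:
    """Split an Avenger script into its 'Xxx to yyy:' sections."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.endswith(":"):
            current = line[:-1].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def cross_check(findings, script: dict) -> list:
    """Script items the log triage never flagged; empty means every deletion is justified."""
    flagged_files = {f.basename for f in findings}
    flagged_services = {f.service.lower() for f in findings if f.service}
    unmatched = [p for p in script.get("files to delete", []) if _basename(p) not in flagged_files]
    unmatched += [d for d in script.get("drivers to unload", []) if d.lower() not in flagged_services]
    return unmatched


if __name__ == "__main__":
    hits = triage_hjt(HJT_LOG)
    for f in hits:
        print(f"{f.section} {f.basename:<14} {f.reason}")
    print("unmatched script items:", cross_check(hits, parse_avenger_script(AVENGER_SCRIPT)))
```

Run as-is, it lists seven candidates (both braviax entries, the `.protected` startup item, the AppInit_DLLs value, the Winlogon Notify DLL, and the two unknown-owner services) and reports no unmatched script items, which is the property you want before handing someone a script that deletes files at boot. Anything the script names that the log did not justify shows up in the unmatched list.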
sam988
Junior Member with 17 posts.
Join Date: Feb 2008
01-Feb-2008, 06:21 PM #11
It was all going as you said in your post, PC rebooted twice, black window opened at reboot, etc. But something apparently went wrong. Tried to run ComboFix then but, as before, it didn't work. Here's Avenger's log:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ljtayvyr

*******************


Fatal error: integrity of Services key failed verification check! Security may be fatally compromised. Exiting immediately.

Could not open script file! Status: 0xc0000034 Abort!
sam988
Junior Member with 17 posts.
Join Date: Feb 2008
02-Feb-2008, 08:31 PM #12
I appreciated the help a lot, dvk01. But i just lost my patience with this ultimate defender s*cker and formatted my pc. I wanna see this sh*t get into my pc again now.... it's more fortified than the government's pcs hehe.
dvk01
Moderator with 27,638 posts.
Join Date: Dec 2002
Location: Loughton, Essex, UK
03-Feb-2008, 01:57 PM #13
I think that was the best solution with this one
Copyright © 1996 - 2009 TechGuy, Inc. All rights reserved.