
Original post below. Additional info since then: a message comes up when shutting down about jqp.exe. Other symptoms remain the same.

Followed directions for posting here, please see attachments plus cut & pasted DDS and Anti-Malware log file. One note: GMER ran for around 3 - 4 hours, hope that's in the expected range.

Attachments: ark.zip, attach.zip

Thank you very much for offering this valuable public service. Hope you can help!

- Jeff/Aronaya

---- Original post follows, then DDS, then Anti-Malware log ----

In the past 2 weeks, I've been struggling to find out how to get some apparent spyware off my PC. Malwarebytes doesn't catch it, and there is little showing up on Google about it. Seems to be something new. I looked at the "new spyware" forum, and I don't have the skills to post samples -- wouldn't have a clue where to start to do that.

Under Windows XP, I get the following, frequently:

- loss of focus so that I have to hit Alt-tab to get back to my typing.

- a small dialog box that says: error, ~pete19c/x.php

- in the past day, a message that asks to verify if I want to navigate away from an IE page (I don't use IE, use Firefox)

One website says this ~pete19c/x.php file lives at cix.sytes.net. It also cites resultnemo.com. I have not visited either site. At a guess, I might have picked this thing up from Facebook.

I don't have the technical skills to dig further into this on my own. Is it on the radar for a Malwarebytes update? Any suggestions for other resources? Assuming somehow I can clean it off, what precautions should I take to ensure security going forward?

Thanks for any help,

aronaya

---- DDS file follows --------

.

DDS (Ver_11-05-19.01) - NTFSx86

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_24

Run by Owner at 17:31:48 on 2011-05-28

.

============== Running Processes ===============

.

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\ALCXMNTR.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Documents and Settings\Owner\Application Data\jqp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\Owner\Application Data\jqp.exe

C:\Program Files\Iomega\Tools\imgicon.exe

C:\Program Files\PayPal Payment Request Wizard\Outlook Wizard\OEHook.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\System32\alg.exe

C:\Documents and Settings\Owner\Desktop\dds.scr

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\System32\svchost.exe -k NetworkService

C:\WINDOWS\System32\svchost.exe -k LocalService

C:\WINDOWS\System32\svchost.exe -k LocalService

C:\WINDOWS\System32\svchost.exe -k imgsvc

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.ask.com?o=15083&l=dis

uDefault_Search_URL = hxxp://ie.search.msn.com

mStart Page = about:blank

uInternet Settings,ProxyOverride = localhost

uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll

BHO: : {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: N/A: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes0521.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"

mRun: [VTTimer] VTTimer.exe

mRun: [iTunesHelper] c:\program files\itunes\iTunesHelper.exe

mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe

mRun: [AGRSMMSG] AGRSMMSG.exe

mRun: [AlcxMonitor] ALCXMNTR.EXE

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [jqp] c:\documents and settings\owner\application data\jqp.exe

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

dRunOnce: [RunNarrator] Narrator.exe

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/b/e/5/be592e3e-4442-4588-b01e-8fe3a2e104ac/LegitCheckControl.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159883473171

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: avgrsstarter - avgrsstx.dll

Notify: igfxcui - igfxsrvc.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\pdt6az32.default\

FF - prefs.js: browser.search.selectedEngine - Ask.com

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=ARS&o=15080&locale=en_US&apn_uid=A33A631B-5E87-4041-9BD7-08137C6FC82B&apn_ptnrs=AB&apn_sauid=C2EFC8A1-7E61-4D0C-A779-3598168113B3&apn_dtid=&q=

FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll

FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll

FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll

.

============= SERVICES / DRIVERS ===============

.

R? McAfee HackerWatch Service;McAfee HackerWatch Service

R? McLogManagerService;McAfee Log Manager

R? mcpromgr;McAfee Protection Manager

R? McRedirector;McAfee Redirector Service

R? McShield;McAfee Real-time Scanner

R? McSysmon;McAfee SystemGuards

R? McTskshd.exe;McAfee Task Scheduler

R? mcusrmgr;McAfee User Manager

R? mfeavfk;McAfee Inc.

R? mfebopk;McAfee Inc.

R? mfehidk;McAfee Inc.

R? mferkdk;McAfee Inc.

R? mfesmfk;McAfee Inc.

R? NaiAvFilter1;NaiAvFilter1

R? NB762_XP;NB 802.11g XG762 1211B Driver

S? avg8emc;AVG8 E-mail Scanner

S? avg8wd;AVG8 WatchDog

S? AvgLdx86;AVG AVI Loader Driver x86

S? AvgMfx86;AVG On-access Scanner Minifilter Driver x86

S? AvgTdiX;AVG8 Network Redirector

S? ppa;Iomega Parallel Port Filter Driver

S? WinDefend;Windows Defender

.

=============== Created Last 30 ================

.

2011-05-27 19:09:56 6962000 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{4b6cbde0-39ae-4ce6-bb70-7aab98a8726d}\mpengine.dll

2011-05-18 20:57:53 -------- d-----w- c:\documents and settings\owner\application data\Malwarebytes

2011-05-18 20:57:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-18 20:57:35 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-05-18 20:57:31 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-18 20:57:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-05-13 20:54:44 90624 ----a-w- c:\documents and settings\owner\application data\jqp.exe

2011-05-11 20:52:14 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll

2011-05-11 20:52:13 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll

2011-05-11 20:52:13 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll

2011-05-11 20:52:13 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll

2011-05-11 20:52:13 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll

2011-05-11 20:52:12 1974616 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll

2011-05-11 20:52:12 1892184 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll

2011-05-11 20:52:12 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

==================== Find3M ====================

.

2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys

.

============= FINISH: 17:33:11.35 ===============

---- Anti-Malware log (latest) follows -------

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6688

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

5/28/2011 11:29:00 AM

mbam-log-2011-05-28 (11-29-00).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 277571

Time elapsed: 1 hour(s), 56 minute(s), 10 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)
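The DDS log above is where the security-relevant evidence sits: the same file, jqp.exe, shows up in three sections at once (Running Processes, the mRun autorun list, and Created Last 30), and it lives under the user's Application Data folder rather than under Program Files or WINDOWS. The following triage script is an added example written for this thread, not a tool from Malwarebytes or from the DDS author. The sample input is a subset of lines copied from the log posted above; the scoring heuristics (user-writable location, running plus autorun, recently created) are my own assumptions about what a first pass should weigh, not rules from the page.

```python
import re
from collections import defaultdict

# Sample input: lines taken from the DDS log posted in this thread (a subset).
DDS_SAMPLE = r"""
============== Running Processes ===============
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Owner\Application Data\jqp.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
C:\WINDOWS\System32\svchost.exe -k netsvcs
============== Pseudo HJT Report ===============
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [VTTimer] VTTimer.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [jqp] c:\documents and settings\owner\application data\jqp.exe
=============== Created Last 30 ================
2011-05-18 20:57:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-18 20:57:35 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-05-13 20:54:44 90624 ----a-w- c:\documents and settings\owner\application data\jqp.exe
==================== Find3M ====================
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
RUN_RE = re.compile(r"^([umd]Run(?:Once)?): \[([^\]]*)\] (.*)$")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?:\d+|-+) (\S+) (.*)$")
PATH_RE = re.compile(r"^[a-z]:\\", re.I)

# Assumption: executables launched from these profile locations deserve a closer look,
# because an ordinary user account can write there without elevation.
USER_WRITABLE_MARKERS = ("\\application data\\", "\\local settings\\", "\\temp\\", "\\desktop\\")


def split_sections(text):
    """Group log lines by their '==== Name ====' header; '.' spacer lines are dropped."""
    sections = defaultdict(list)
    current = "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1).lower()
            continue
        sections[current].append(line)
    return sections


def image_path(command):
    """Return the executable part of a command line, dropping quotes and arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return re.split(r"\s+[-/]", command, maxsplit=1)[0]


def triage(dds_text, threshold=2):
    """Cross-reference processes, autoruns and new files; return (findings, unqualified).

    findings: entries whose indicator count reaches `threshold`, highest score first.
    unqualified: autorun entries that name a bare file with no directory (resolved by
    the loader's search order, so worth checking by hand).
    """
    sections = split_sections(dds_text)
    evidence = defaultdict(set)  # normalised path -> where it was seen
    unqualified = []

    for line in sections.get("running processes", []):
        if PATH_RE.match(line):
            evidence[image_path(line).lower()].add("running")

    for line in sections.get("pseudo hjt report", []):
        m = RUN_RE.match(line)
        if not m:
            continue
        key, name, cmd = m.groups()
        path = image_path(cmd)
        if not PATH_RE.match(path) and "%" not in path:
            unqualified.append((key, name, path))
            continue
        evidence[path.lower()].add(f"autorun:{key}")

    for line in sections.get("created last 30", []):
        m = CREATED_RE.match(line)
        if m:
            timestamp, attrs, path = m.groups()
            if attrs.startswith("d"):  # directory entries are not loadable images
                continue
            evidence[path.lower()].add(f"created:{timestamp[:10]}")

    findings = []
    for path, seen in evidence.items():
        reasons = []
        if any(marker in path for marker in USER_WRITABLE_MARKERS):
            reasons.append("lives in a user-writable profile directory")
        if "running" in seen and any(s.startswith("autorun") for s in seen):
            reasons.append("running now and registered to start automatically")
        if any(s.startswith("created") for s in seen):
            reasons.append("file appeared within the last 30 days")
        if len(reasons) >= threshold:
            findings.append({"path": path, "score": len(reasons),
                             "reasons": reasons, "seen": sorted(seen)})
    findings.sort(key=lambda f: (-f["score"], f["path"]))
    return findings, unqualified


if __name__ == "__main__":
    hits, bare = triage(DDS_SAMPLE)
    for hit in hits:
        print(f"[{hit['score']}] {hit['path']}  seen in: {', '.join(hit['seen'])}")
        for reason in hit["reasons"]:
            print(f"      - {reason}")
    for key, name, path in bare:
        print(f"[?] {key} [{name}] -> '{path}' has no directory; locate the file manually")
```

With the sample above only jqp.exe crosses the threshold; dds.scr on the Desktop (the diagnostic tool itself) and the freshly installed Malwarebytes driver each carry a single indicator and are left alone, which is the point of requiring agreement between sections rather than reacting to any one of them. Nothing here proves a file is malicious; it only ranks what to submit for analysis first.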


  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


A snag with ComboFix -- appears not to like AVG. Get a message saying "ComboFix cannot run when AVG is installed. This is due to AVG's targeting of ComboFix's files/processes. It would be dangerous to continue."

I assume I would uninstall AVG via the usual Control Panel Add/Remove Programs. I have AVG Free 8.5. I also assume I could re-download and re-install AVG after getting through all the cleanup.

Please confirm, and then I'll continue with uninstalling AVG and restarting ComboFix.

Thanks,

Jeff/Aronaya


  • Staff

Hi,

I notice that you are using more than one antivirus program (AVG and McAfee). This is very dangerous, as multiple AVs can interfere with one another and actually allow MORE viruses to get through. I strongly suggest you go to Start -> Control Panel -> Add or Remove Programs and uninstall all but one antivirus program.

If you keep AVG (fyi your version of AVG is very out of date), uninstall it before running ComboFix.

We'll set you up with security after the malware is gone.


Thanks, I'll look into it. I used to run McAfee but that was replaced (I thought!) years ago by a technician who cleaned up my system. Will uninstall any existing anti-virus software, continue with ComboFix, and post back with the logs. May take a day or two.

BTW, AVG updated yesterday, detected jqp.exe as a threat this morning, but when I re-updated and ran a full scan, it detected nothing. So, yes, I'll be interested in your recommendation for security, post-malware cleanup.

Thanks a bunch for all your work and attention to this issue!

- Jeff


Chris, thank you so much for the help thus far. I had to bail out, unplug my tower and take it to a specialist, just got overwhelmed with viruses downloading themselves on Sunday, somehow broke through the firewall. I was trying to de-install Malwarebytes so I could then deinstall AVG, and then run Combofix, when the screen filled up with IE windows, then Windows Scan fired up (or was it really Windows???), and by Monday I had 50 viruses including Wormblaster on my hard drive. So, I threw in the towel, especially considering my car and phone died around the same time, and I was out of work time to do it myself.

Thanks for everything, and I will strongly consider Malwarebytes in the future.

Thanks,

Jeff


  • Staff

Thanks for letting me know.

Here's my standard prevention speech for the future:

I highly recommend the PRO version of MBAM; with it, it's likely that this issue would have been prevented in the first place.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

3) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

4) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

5) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317


Hi,

I also have the same issue as Aronaya with the /~pete19c/r.php small window error which appears on boot up.

I have read the advice given to Aronaya and ran the Secunia inspector program, which indicated 9 programs that needed "updating." But all the links for updates are of very little help, as they basically take you to the main page of the program. Programs like Adobe, Flash, Winamp, and Apple iTunes have many selections for download and it is very confusing.

I also looked at the instructions for running combo-fix and they concern me as someone who is not more than slightly knowledgeable about computers. It really sounds a little scary to me to run that program.

I ran your complete system MB scan as well as Kaspersky 2010 Security Suite and neither showed any defects in my system.

It popped up only recently and it doesn't preclude me from using my computer normally, as it minimizes itself and just stays in my task bar, but it comes up every time on boot up. I very seldom frequent any sites that would/should contain viruses. I also use WOT.

Are you hearing anything about this /~pete19c/r.php?

Thanks


According to my technician, having old versions of Java lying around creates a security vulnerability that many virus creators exploit.

I just paid the guy a reasonable fee to clean up my computer, got it back in two days, like new. When I can afford it, I'll buy his protection service. He said there are whole companies in Eastern Europe that just create viruses and collect fees to clean them up, over and over again. He charges a lot less, and my computer runs clean now (for now!).

Find a knowledgeable friend, or if you can afford it, pay someone to fix it. I have some technical skills, but not the right ones, and not enough time to learn them.

Java updates are supposed to remove and overwrite old platforms. I believe I have the latest. It's funny that Google doesn't produce more hits on this error--usually Google has many hits on any similar search term. I'm going to be transferring from an old Dell XP to a new HP computer with Windows 7 and I want to try and have the cleanest new setup I can.

I would like to know a good trustworthy and reasonably priced service that can come into the computer remotely and take control. That would be a good thing to have for problems. Even this site is hard to navigate with so many forums and comments.

Glad you got yours clean and working again. That little error window is a pesky devil, well hidden from virus scans.


My technician mentioned the issue with the Java updates, he said something had changed when Oracle bought out Sun, I don't remember exactly, or whether that was exactly to blame for the virus I got.

This guy is local in my area; I met him in person and trust his handshake. His ongoing service is quite reasonable, especially if you're entrusting a business to your computer. It's his full-time job, so he's good at it.

I think this particular virus was pretty new, none of the scanners I used detected it, until it invited more nasties on board.


  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
