Author Topic: Possible Viruses  (Read 12267 times)


honeyk

  • Guest
Possible Viruses
« on: December 26, 2007, 06:48:38 AM »
Hi Oldman, thank god it is over again for another year. :D
My PC had been running quite well, till today while my son was playing puffgames online it started freezing up and crashing again. It came up with a detected virus window from AVAST a couple of days ago; I put it in my chest. What am I supposed to do with it now?
I've attached a HJT log for you to look at for me if you would, and tell me what you see. Apart from the fact that my hard drive is too full again and needs to be cleaned out of things again, is there any other problem? Honeyk :-*
« Last Edit: December 26, 2007, 06:54:38 AM by honeyk »

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Possible Viruses
« Reply #1 on: December 26, 2007, 09:50:18 AM »
Hi

What did avast find? ie: name and path of file and what it was detected as?

Download to your desktop and run this removal utility


http://www.bu.edu/buvs/bumsr.exe
 
Close all browsers and windows first, then double click the program you downloaded. Follow the on screen instructions, reboot when asked.

Please post a DSS log in your next reply.

If you are wondering why I'm having you remove Opinion Square read the following:

Quote
What is Marketscore?
In its various versions, Marketscore (www.marketscore.com) claims that they will scan your e-mail for viruses or improve the speed of your Web browsing if you will complete a lengthy questionnaire and install their software on your Windows-based PC. When you install the Marketscore software, it employs various means to intercept and send a copy of your keystrokes to Marketscore. Marketscore thereby gains access to all your account names and passwords, even for otherwise secure connections such as those you make to your bank or to Boston University Web Login prompts.

What is OpinionSquare?
OpinionSquare is a new on-line survey site run by MarketScore. Its URL is different, www.opinionsquare.com, but its unsavory tactics are the same. On this page, we refer to both Marketscore and OpinionSquare under the blanket heading of "Marketscore software."

Why is Marketscore software dangerous?
Marketscore software probably won't increase your Internet speed, but it will certainly invade your privacy and increase your risk of identity theft. Installing the software will have the following effects:

A record of your keystrokes will be sent to Marketscore.

Marketscore will intercept and have clear text access to all confidential information you enter on Web sites, e.g., passwords (including your BU Kerberos password), bank account numbers, credit card numbers, brokerage account information, etc. which normally would be protected by encrypted connections.

The software will download frequent automatic updates to your computer, allowing Marketscore to change its functionality without your knowledge.

Marketscore will sell the statistical data it collects about you to its clients.

honeyk
Re: Possible Viruses
« Reply #2 on: December 26, 2007, 10:40:22 AM »
Hi Oldman, the scan said no Marketscore found on the PC. The virus I put in my chest was silc_dll.dll c:\windows\system32 Win32:Adware.g... Honeyk :-*

Offline oldman
Re: Possible Viruses
« Reply #3 on: December 26, 2007, 12:36:52 PM »
Okay the tool didn't find it. We'll have to do it manually.

Please post a DSS log.

honeyk
Re: Possible Viruses
« Reply #4 on: December 26, 2007, 02:58:05 PM »
Honeyk :-*

Offline oldman
Re: Possible Viruses
« Reply #5 on: December 26, 2007, 07:59:33 PM »
If you do any banking or online buying, please use a different machine, if possible, and change your passwords. If not, do it as soon as this is removed.

Let's try this

Please download OTMoveIt http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe by OldTimer.
Save it to your desktop. Don't run it yet!

Open HJT and do a system scan only, then place a check mark next to these

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (file missing)
O4 - HKLM\..\Run: [OpinionSquare] c:\windows\system32\opnsqr.exe -boot
O16 - DPF: {2E4A92AB-F2C0-456A-9935-B715439790D7} (Setup Class) - https://www.opinionsquare.com/Config/CSetup_hooking_xp.cab
O20 - Winlogon Notify: OpinionSquare - C:\WINDOWS\system32\opls.dll



Close all browsers/windows except HJT and click fix. Close HJT.

Go to add/remove programs and uninstall OpinionSquare

Reboot.

If it won't uninstall via add/remove do the following


Click Start, then Run, type cmd in the box and click OK

In the window that appears type the following line exactly and hit Enter.

Note that there is one space between opnsqr.exe and -bootremove, and one space between -bootremove and -uninst:OpinionSquare

C:\WINDOWS\system32\opnsqr.exe -bootremove -uninst:OpinionSquare

When it's done, type exit and hit Enter, then reboot.


If it uninstalled by either method, continue. If it didn't uninstall STOP and post back.


Open OTMOVEIT and rid yourself of these


C:\WINDOWS\system32\silc.dat
C:\WINDOWS\system32\model.dat
C:\WINDOWS\system32\LDPackage.dll
C:\WINDOWS\system32\opxf.dll
C:\WINDOWS\system32\opph.dll
C:\WINDOWS\system32\opai.dll
C:\WINDOWS\system32\opnsqr.exe
C:\WINDOWS\system32\opls.dll
C:\Documents and Settings\All Users\Application Data\bumsr


Finally, remove the certificates from your browser.
If you use Internet Explorer:
Open Internet Explorer.
Click on the Tools menu.
Click on Internet Options.
Click on the Content tab.
Click on the Certificates button.
Click on the Trusted Root Certification Authorities tab.
Look in the Issued to column for any MarketScore Inc , OpinionSquare, or Netsetter certificates.
Delete any MarketScore Inc, OpinionSquare, or Netsetter certificates.
Click yes in each confirmation window that appears when you delete a certificate.

If you use Netscape/Mozilla:
Open Netscape or Mozilla.
Click on the Edit menu.
Click on Preferences.
In the Category column click the plus sign (+) next to Privacy and Security.
Click Certificates.
Click the Manage Certificates button.
Click the Authorities tab.
Look for any certificates for MarketScore Inc. , OpinionSquare, or Netsetter
Delete any certificates for MarketScore Inc. , OpinionSquare, or Netsetter
Click yes in each confirmation window that appears when you delete a certificate.

If you use Mozilla Firefox:
Open Mozilla Firefox
Click on the Tools menu
Click on Options
Click on Advanced
Click the Manage Certificates button
Click the Authorities tab
Look for any certificates for MarketScore Inc. , OpinionSquare, or Netsetter
Delete any certificates for MarketScore Inc. , OpinionSquare, or Netsetter
Click yes in each confirmation window that appears when you delete a certificate.
Restart your computer.

Please post the OTMOVEIT results and a new DSS log
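
The HijackThis lines above are the analyst's raw material, and most of the triage is reading them consistently: which section the entry sits in (O4 = Run key, O16 = Downloaded Program Files/ActiveX, O20 = AppInit_DLLs or Winlogon Notify), what CLSID, file path or URL it names, and whether HJT marked the component as missing on disk. The parser below is an added example, not part of this thread or of HijackThis itself. It takes the five quoted lines verbatim plus one benign-looking Run entry constructed for contrast (the avast! line is invented), pulls each line apart into fields, and flags an entry when it matches one of the OpinionSquare/MarketScore names used in this thread, points at a file that no longer exists, or lives in a section that loads code at every logon or from the network.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample log: the five HijackThis lines quoted in the reply above,
# plus one benign-looking O4 entry (the avast! line is invented for contrast).
HJT_SAMPLE = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (file missing)
O4 - HKLM\..\Run: [OpinionSquare] c:\windows\system32\opnsqr.exe -boot
O16 - DPF: {2E4A92AB-F2C0-456A-9935-B715439790D7} (Setup Class) - https://www.opinionsquare.com/Config/CSetup_hooking_xp.cab
O20 - Winlogon Notify: OpinionSquare - C:\WINDOWS\system32\opls.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"""

LINE_RE = re.compile(r'^([RFO]\d+) - (.*)$')
CLSID_RE = re.compile(r'\{[0-9A-Fa-f-]{36}\}')
URL_RE = re.compile(r'https?://\S+')
# A Windows path, stopped before a "(no file)"/"(file missing)" marker,
# a " -switch" argument, or the end of the line.
PATH_RE = re.compile(r'[A-Za-z]:\\.+?(?=\s*\((?:file missing|no file)\)|\s+-\w|\s*$)')
NAME_RE = re.compile(r'\[([^\]]+)\]')
# Names tied to the software being removed in this thread (assumed indicator list).
INDICATOR_RE = re.compile(r'opinionsquare|marketscore|netsetter|opnsqr|opls\.dll|silc', re.I)
# HJT sections whose entries run early in every session or are fetched over the network.
SENSITIVE = {
    'O20': 'O20 (AppInit_DLLs / Winlogon Notify) loads a DLL into every logon',
    'O16': 'O16 (DPF) is an ActiveX object downloaded from the listed URL',
}


@dataclass
class HjtEntry:
    section: str
    kind: str
    name: str
    clsid: Optional[str]
    path: Optional[str]
    url: Optional[str]
    missing: bool
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[HjtEntry]:
    """Split one HJT line into section, kind, name, CLSID, path, URL and missing flag."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    kind, _, rest = body.partition(': ')
    clsid, url, path = CLSID_RE.search(rest), URL_RE.search(rest), PATH_RE.search(rest)
    bracket = NAME_RE.match(rest)            # O4 entries name the value in [brackets]
    if bracket:
        name = bracket.group(1)
    else:                                    # otherwise the name precedes the first " - "
        name = CLSID_RE.sub('', rest.split(' - ')[0]).strip(' ()')
    return HjtEntry(
        section=section, kind=kind, name=name,
        clsid=clsid.group(0) if clsid else None,
        path=path.group(0) if path else None,
        url=url.group(0) if url else None,
        missing='(no file)' in rest or '(file missing)' in rest,
    )


def flag(entry: HjtEntry) -> HjtEntry:
    """Attach the reasons an analyst would want to look at this entry."""
    haystack = ' '.join(filter(None, [entry.name, entry.path, entry.url]))
    if INDICATOR_RE.search(haystack):
        entry.reasons.append('matches a known OpinionSquare/MarketScore indicator')
    if entry.missing:
        entry.reasons.append('dead entry: registered component is no longer on disk')
    if entry.section in SENSITIVE:
        entry.reasons.append(SENSITIVE[entry.section])
    return entry


def parse_hjt(text: str) -> List[HjtEntry]:
    entries = [parse_line(line) for line in text.splitlines()]
    return [flag(e) for e in entries if e]


def report(text: str):
    """(section, name, reasons) for every entry that deserves a closer look."""
    return [(e.section, e.name, e.reasons) for e in parse_hjt(text) if e.reasons]


if __name__ == '__main__':
    for section, name, reasons in report(HJT_SAMPLE):
        print(f'{section:4} {name:22} {"; ".join(reasons)}')
```

Run as a script it prints the five entries oldman asked to fix and stays silent on the constructed avast! line. A dead entry ("(no file)") is safe to fix but harmless on its own; the O16 and O20 hits are the ones that matter, because an ActiveX package fetched from the vendor's site and a DLL injected at every logon are exactly how a keystroke-intercepting product keeps itself resident.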

honeyk
Re: Possible Viruses
« Reply #6 on: December 27, 2007, 02:32:14 AM »
C:\WINDOWS\system32\silc.dat moved successfully.
C:\WINDOWS\system32\model.dat moved successfully.
File/Folder C:\WINDOWS\system32\LDPackage.dll not found.
File/Folder C:\WINDOWS\system32\opxf.dll not found.
File/Folder C:\WINDOWS\system32\opph.dll not found.
File/Folder C:\WINDOWS\system32\opai.dll not found.
C:\WINDOWS\system32\opnsqr.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\opls.dll
C:\WINDOWS\system32\opls.dll NOT unregistered.
C:\WINDOWS\system32\opls.dll moved successfully.
C:\Documents and Settings\All Users\Application Data\bumsr moved successfully.
File/Folder  not found.
 
Created on 12-27-2007 11:51:50
Didn't find any of the certificates in my browser. Uninstalled Opinion Square, no problems. Honeyk :-*
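
An OTMoveIt result log mixes four outcomes, and the one that matters most here is easy to skim past: opls.dll was moved, but "LoadLibrary failed" and "NOT unregistered" mean the tool could not run the DLL's unregistration routine, so whatever registry references pointed at it (the O20 Winlogon Notify entry from the HJT log, in this case) were not cleaned up by the move and have to be checked separately. The script below is an added example, not part of the thread or of OTMoveIt; it reproduces the posted result lines as constructed input, sorts them by outcome, and lists the files that were moved without being unregistered.

```python
import re

# Constructed sample: the OTMoveIt result lines posted in the reply above.
OTMOVEIT_LOG = r"""
C:\WINDOWS\system32\silc.dat moved successfully.
C:\WINDOWS\system32\model.dat moved successfully.
File/Folder C:\WINDOWS\system32\LDPackage.dll not found.
File/Folder C:\WINDOWS\system32\opxf.dll not found.
File/Folder C:\WINDOWS\system32\opph.dll not found.
File/Folder C:\WINDOWS\system32\opai.dll not found.
C:\WINDOWS\system32\opnsqr.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\opls.dll
C:\WINDOWS\system32\opls.dll NOT unregistered.
C:\WINDOWS\system32\opls.dll moved successfully.
C:\Documents and Settings\All Users\Application Data\bumsr moved successfully.
File/Folder  not found.

Created on 12-27-2007 11:51:50
"""

# Outcome name and the line shape OTMoveIt uses for it (taken from the posted log).
PATTERNS = [
    ('moved', re.compile(r'^(?P<path>.+?) moved successfully\.$')),
    ('not_found', re.compile(r'^File/Folder (?P<path>.+?) not found\.$')),
    ('not_unregistered', re.compile(r'^(?P<path>.+?) NOT unregistered\.$')),
    ('loadlibrary_failed', re.compile(r'^LoadLibrary failed for (?P<path>.+)$')),
]


def parse_otmoveit(text: str) -> dict:
    """Group every result line by outcome; unmatched lines land in 'other'."""
    result = {status: [] for status, _ in PATTERNS}
    result['other'] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for status, rx in PATTERNS:
            m = rx.match(line)
            if m and m.group('path').strip():      # the empty "File/Folder  not found." line has no path
                result[status].append(m.group('path'))
                break
        else:
            result['other'].append(line)
    return result


def follow_ups(result: dict) -> list:
    """Files that were moved but whose registration could not be undone.

    Registry references to them (a Winlogon Notify or COM entry, for example)
    may survive the move and need to be found and removed by hand.
    """
    return sorted(set(result['moved']) & set(result['not_unregistered']), key=str.lower)


if __name__ == '__main__':
    summary = parse_otmoveit(OTMOVEIT_LOG)
    for status, paths in summary.items():
        print(f'{status:20} {len(paths)}')
    for path in follow_ups(summary):
        print('still registered somewhere:', path)
```

The four "not found" lines are good news rather than bad: those files were either never installed on this machine or already gone, which fits oldman's reading that avast caught the installer early.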

Offline oldman
Re: Possible Viruses
« Reply #7 on: December 27, 2007, 05:13:34 AM »
Looks good.  :)  I think avast caught it before it got going. Hang onto OTMOVEIT and DSS, we'll use them to remove the rest of CA and for the others we were going to remove.  ;)


Remember if you've used online banking or buying, or even site you must log onto, you should change your passwords.

Now then, those strangely named folders are back. If it's like last time, you will see the name slightly differently than me, so I will give you a description of what I see and the creation date. Try to match them up if you can and rename them AAA and AAAA. Post back and let me know if you were successful. I have something that should allow us to read the contents.

what I see

C:\Do  created 2007-12-23 16:30:53

C:\DoL?  created 2007-12-12 10:10:49

anything close to those?

honeyk
Re: Possible Viruses
« Reply #8 on: December 27, 2007, 09:08:24 AM »
This is what it brought up when I searched for C:\DoL? created 2007-12-12 10:10:49
C:\ DoLv  File Folder  2007-12-12 10:10
C:\WINDOWS\Driver Cache\i38...  dolev.ppd  12KB  XA File   2001-07-21  19:42
sims/SoundData/Sfx  DOLLHOUSE_SOUNDS1.XA  12KB XA File   2000-02-02  12:12

Then another 7 of sims/SoundData/Sfx DOLLHOUSE_SOUNDS... etc. with different sizes in KB.
I've only had this PC the last 4 months or so, but it was secondhand from a shop.
So anyhow, is it just the first line I change the name of? And do I need to look manually as well?

When I searched the other C:\Do  created 2007-12-23  16:30:53 I got,
C:\  Do  File Folder  2007-12-23  16:30
C:\  DoLv  File Folder  2007-12-12  10:10
And of course heaps of others.
I just wanted to make sure this is what you meant before I went ahead. Honeyk :-*

Offline oldman
Re: Possible Viruses
« Reply #9 on: December 27, 2007, 03:00:03 PM »
I think the two we want are:

C:\ DoLv  File Folder  2007-12-12 10:10

C:\ Do  File Folder  2007-12-23  10:10

Rename the first one to AA and the second one to AAA

Do so by right clicking on the folder, selecting rename, then type the new name in the box that appears over the old name. Remember the old name.

When you are done create these two notepad files

copy and paste the following into a new notepad

@echo off
rem /a also lists hidden and system entries, which a plain dir would skip
dir /a "C:\AA" >> look.txt
start look.txt


Save it to your desktop, name it look.bat, set the file type as all files and click OK

in another new notepad copy and paste the following into a new notepad

@echo off
rem /a also lists hidden and system entries, which a plain dir would skip
dir /a "C:\AAA" >> look1.txt
start look1.txt


Save it to your desktop, name it look1.bat, set the file type as all files and click OK

You should now have 2 files on your desktop with the icon shown below. Double click one of them; a notepad will appear. Save it to your desktop so you can attach it to your next reply.

Do the same with the other one.




honeyk
Re: Possible Viruses
« Reply #10 on: December 28, 2007, 12:56:45 AM »
 Volume in drive C has no label.
 Volume Serial Number is 8844-14DA

 Directory of C:\AA

2007-12-12  10:10    <DIR>          .
2007-12-12  10:10    <DIR>          ..
2007-12-12  10:10    <DIR>          Local Settings
               0 File(s)              0 bytes
               3 Dir(s)   4,566,593,536 bytes free
 Volume in drive C has no label.
 Volume Serial Number is 8844-14DA

 Directory of C:\AAA

2007-12-23  16:30    <DIR>          .
2007-12-23  16:30    <DIR>          ..
2007-12-23  16:30    <DIR>          Local Settings
               0 File(s)              0 bytes
               3 Dir(s)   4,566,507,520 bytes free

Offline oldman
Re: Possible Viruses
« Reply #11 on: December 28, 2007, 02:20:14 AM »
Let's go a little further. You can delete the others first

copy and paste this into a notepad.

@echo off
rem /a also lists hidden and system entries, which a plain dir would skip
dir /a "C:\AA\Local Settings" >> look2.txt
start look2.txt


Save it to your desktop, name it look2.bat, set the file type as all files and click OK

copy and paste this into a notepad.

@echo off
rem this one lists the second renamed folder (AAA), not AA again
dir /a "C:\AAA\Local Settings" >> look3.txt
start look3.txt


Save it to your desktop, name it look3.bat, set the file type as all files and click OK

Post the results.



honeyk
Re: Possible Viruses
« Reply #12 on: December 28, 2007, 11:19:45 AM »
@echo off
dir "C:\AA\Local Settings" >> look3.txt
start look3.txt
@echo off
dir "C:\AA\Local Settings" >> look2.txt
start look2.txt

honeyk
Re: Possible Viruses
« Reply #13 on: December 28, 2007, 06:45:06 PM »
Hi oldman, did the previous notepad contents tell you what you want to see in those strange files?
I'm starting to think I need to take a net safety course. I've been having pop-up windows coming up yesterday, and last night pop-ups about antispyware and registry cleaners required for my PC. I did a few adware scans I got from downloads.com, and they came up with 2344 threats detected. But they were all programs I had to buy to clean up my PC. So I'm just running Superantispyware at the moment. I suppose next you will tell me I shouldn't be posting at the same time, hey?
Anyhow, while writing this post to you, I've had an AVAST Warning pop up. I haven't done anything with it as such, as I've noticed you're online and can hopefully spare the time to answer me. It says, Malware found, File name: C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\DATA\MOVE
Malware name: Win32:Dialer-gen [tri]
Malware type: Dialer
VPS version: 071223-0, 2007-12-23
Honeyk :-*
P.S The scan has just stopped. The results are as follows,
Memory items
Scanned: 542
Detected: 0
Registry items
Scanned: 5868
Detected: 11
File items
Scanned: 62567
Detected: 161

Threats detected: 172
« Last Edit: December 28, 2007, 06:54:52 PM by honeyk »

Offline oldman
Re: Possible Viruses
« Reply #14 on: December 28, 2007, 06:50:55 PM »
No, because it looks like when you made the notepads, you saved them as .txt files instead of .bat

you should really let SAS run unhindered. But I do believe we will need a new DSS log.