TheTechGuide Forum
General Category => Tech Clinic => Topic started by: Toranekohime27 on May 29, 2009, 08:06:25 PM
-
Hi,
Today my Avast! software popped up with a notification that the virus Win32:JunkPoly [Cryp] was found on one of my files (it happened to be a file that is part of the PCtools Spyware Doctor program). I immediately put it into the virus chest, and when it could not be repaired, I deleted it. I then ran full scans with the following programs:
Ad-Aware, Dr.Web Anti-Virus, Trend Micro Rootkit Buster, Malwarebytes' Anti-Malware, SUPER AntiSpyware Free, and Avast!
I then re-booted my PC and re-ran scans with Dr.Web, Rootkit Buster, and Malwarebyte. Everything is coming up clean. The problem is I read on a few forums that this particular virus can still be infecting my PC even though scans come up clean. Here is my HijackThis scan log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:01:44 PM, on 5/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\GIGABYTE\GEST\gest.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\MagicTune Premium\GammaTray.exe
C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\GIGABYTE\GEST\GSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [GEST] C:\Program Files\GIGABYTE\GEST\RUN.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [Performance Center] C:\Program Files\Ascentive\Performance Center\ApcMain.exe -m
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GammaTray.lnk = ?
O4 - Global Startup: NCProTray.lnk = ?
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\GEST\GSvr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
--
End of file - 6464 bytes
Is my PC really clean or should I still be worried?
Thanks.
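As an added example (not part of this thread, and not a HijackThis or OTS tool), here is a small Python triage helper that parses the O2/O4/O20/O23 lines of a HijackThis log like the one above and flags the entries a helper typically asks about first: Run entries that launch from a user profile directory, services listed with an unknown owner, bare filenames with no path (resolved through the search order at logon), and Global Startup shortcuts whose target HijackThis could not resolve. The sample log is partly copied from the post and partly constructed (the `inst` Run entry is constructed; the quarantined `inst.exe` path comes from the ComboFix listing later in the thread). The flag names and heuristics are this example's own assumptions, not anything the thread or HijackThis defines.

```python
"""Triage helper for HijackThis-style logs (added example, not from the thread).

Parses O2 (BHO), O4 (Run keys / Global Startup), O20 (Winlogon Notify) and
O23 (Service) lines and attaches simple, illustrative flags. A flag is a
prompt to look closer, not a verdict that the machine is infected or clean.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Entry:
    section: str                    # "O2", "O4", "O20" or "O23"
    name: str                       # display name or Run value name
    path: str                       # command line / DLL / service binary as logged
    company: Optional[str] = None   # O23 only: vendor string shown by HijackThis
    hive: Optional[str] = None      # O4 only: HKLM, HKCU or "Global Startup"
    flags: List[str] = field(default_factory=list)


# Line shapes as HijackThis 2.0.x prints them (matched against the log above).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.*)$")
O4G_RE = re.compile(r"^O4 - Global Startup: (?P<name>.*?) = (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<company>.*?) - (?P<path>.*)$")

# First drive-qualified .exe/.dll/.sys inside a command line (handles quoting
# and rundll32-style "RUNDLL32.EXE C:\...\foo.dll,Entry" arguments).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|sys)', re.IGNORECASE)

# XP-era user-profile locations; a startup binary living here deserves a look.
USER_PROFILE_MARKERS = ("\\application data\\", "\\local settings\\", "\\temp\\")


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a recognised HijackThis line, else None."""
    line = line.strip()
    if m := O2_RE.match(line):
        return Entry("O2", m["name"], m["path"])
    if m := O4_RE.match(line):
        return Entry("O4", m["name"], m["path"], hive=m["hive"])
    if m := O4G_RE.match(line):
        return Entry("O4", m["name"], m["path"], hive="Global Startup")
    if m := O20_RE.match(line):
        return Entry("O20", m["name"], m["path"])
    if m := O23_RE.match(line):
        return Entry("O23", m["name"], m["path"], company=m["company"])
    return None


def binary_path(command: str) -> Optional[str]:
    """Extract the drive-qualified binary from a logged command line, if any."""
    m = PATH_RE.search(command)
    return m.group(0) if m else None


def flag_entry(e: Entry) -> Entry:
    """Attach heuristic flags (assumed names, not HijackThis terminology)."""
    target = binary_path(e.path)
    if e.hive == "Global Startup" and e.path.strip() == "?":
        e.flags.append("unresolved_shortcut_target")   # HijackThis printed "= ?"
    elif target is None:
        e.flags.append("unqualified_path")             # e.g. "RTHDCPL.EXE" with no directory
    elif any(marker in target.lower() for marker in USER_PROFILE_MARKERS):
        e.flags.append("runs_from_user_profile")
    if e.section == "O23" and (e.company or "").strip().lower() == "unknown owner":
        e.flags.append("unknown_service_owner")
    return e


def parse_log(text: str) -> List[Entry]:
    """Parse every recognised line of a log and flag each entry."""
    return [flag_entry(e) for e in map(parse_line, text.splitlines()) if e is not None]


def flagged(text: str) -> List[Entry]:
    """Only the entries that picked up at least one flag."""
    return [e for e in parse_log(text) if e.flags]


# Constructed sample: lines copied from the posted log plus one constructed
# HKCU Run entry ("inst") pointing into the user's Application Data folder.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [GEST] C:\Program Files\GIGABYTE\GEST\RUN.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [inst] "C:\Documents and Settings\Morgan\Application Data\inst.exe"
O4 - Global Startup: GammaTray.lnk = ?
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\GEST\GSvr.exe
"""

if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.section:<3} {e.name!r:<60} {', '.join(e.flags)}")
```

Run it as a script to list only the flagged entries; in a real review you would paste the full log into `SAMPLE_LOG` or read it from the saved `hijackthis.log`. The point of the heuristics is to shorten the list a human has to read, which is what the helper in this thread does by eye: the unflagged entries are all drive-qualified binaries under Program Files or Windows with a named vendor.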
-
Download and Save to your desktop
OTS.exe (http://oldtimer.geekstogo.com/OTS.exe) by OldTimer
Double click on OTS.exe to run it
Under Additional Scans click the button labelled "Extras"
Also, put a tick beside>> Reg - Disabled MS Config Items
So now all the following will be ticked:
Reg - Disabled MS Config Items
Reg - File Associations
Reg - Protocol Filters
Reg - Protocol Handlers
Reg - Security Center Settings
Reg - Winsock2 Catalogs
Reg - Uninstall List
Evnt - EventViewer Logs (Last 10 Errors)
Afterwards: Click the button Run Scan
Let this scan finish, when done, it will open a log
Can you copy and paste that log back here please
A copy of the log will also be on your desktop>>OTS.txt
NOTE: If you do get an error posting this log, please Upload it in a reply
Simply using the UPLOAD>Browse.. buttons on the bottom right of the reply box
-
[attachment=5014:OTS.Txt] OTS log attached
-
Are you experiencing any problems?
The log looks clean
I see you ran ComboFix as well, can I see the log
C:\Combofix.txt
-
[attachment=5015:combolog52909.txt] Combofix log (from last night before I shut down)
How did I know you would ask for that ;)
-
Looks good,
Can you just verify, yesterday, you installed or used all the following
Installed>>AdAware, Malwarebytes Anti-malware, Super Anti-spyware,
Downloaded>>Dr. Web and ran
Also, can I see the contents of the next file>>ComboFix-quarantined-files.txt
Located either in C: or C:\combofix or qoobox folder
-
Ad-Aware was already installed, but I did run it. I also downloaded and ran the other programs you mentioned.
2009-05-30 01:51:23 . 2009-05-30 01:51:23 51 ----a-w C:\Qoobox\Quarantine\catchme.log
2009-01-02 22:19:00 . 2009-01-02 22:19:00 87,608 -c--a-w C:\Qoobox\Quarantine\C\Documents and Settings\Morgan\Application Data\inst.exe.vir
2009-05-30 01:54:51 . 2009-05-30 01:54:51 198 ----a-w C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}.reg.dat
2009-05-30 01:54:51 . 2009-05-30 01:54:51 168 ----a-w C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Performance Center.reg.dat
2009-05-30 01:54:51 . 2009-05-30 01:54:51 152 ----a-w C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-TomTomHOME.exe.reg.dat
2009-05-30 01:55:05 . 2009-05-30 01:55:05 562 ----a-w C:\Qoobox\Quarantine\Registry_backups\SafeBoot-procexp90.Sys.reg.dat
2009-05-30 01:53:59 . 2009-05-30 01:53:59 6,524 ----a-w C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
-
Looks good, I see that AdAware modifications were just updates to the program
do you know how to remove ComboFix properly?
-
No, I don't... Is there also a proper way to remove OTS?
-
Go to START>>RUN>>copy and paste the following in RED then hit OK
combofix /u
This will uninstall ComboFix and its components
Open OTS.exe and click on the CLEANUP button
Select YES to reboot when prompted
That should do it
-
Awesome!
Thanks *so* much for the quick response and for taking the time to look over my logs.
-
No problem, I'll lock this topic as your problems appear resolved
Take care Toranekohime27
:)