Internet Speed Monitor Popup / Updated Scan Logs

JPB, Diamond Member, joined Jul 4, 2005
Programs I have run, and still have not gotten rid of it with, are:

Spybot
Combofix
AdAware SE
Nod32
HiJack This
and several others.

I have found others online that had this spyware, and they seem to have gotten rid of it. I went into the Windows directory and deleted and uninstalled everything pertaining to this exe, like others online have, and nothing is working. There is nothing in Add/Remove Programs about this.

It seems to pop up (full screen), and every time it pops up IE with a new ad, titled the same as Internet Speed Monitor.

Anyone know how to permanently get rid of this? Other than a format?


John
 

mechBgon, Super Moderator / Elite Member, joined Oct 31, 1999
Try these steps and see if they'll address it. The last time I encountered that infection, I seem to recall it being part of a much larger infection that included rootkit-protected stuff, so work through this and see how it goes:

1. REMOVE ROOTKITS

Scan for rootkits using Panda AntiRootkit and McAfee Rootkit Detective, which are both free:
http://www.majorgeeks.com/Panda_Anti-Rootkit_d5457.html
http://vil.nai.com/vil/stinger/rkstinger.aspx


2. REMOVE VIRUSES, WORMS, AND TROJANS

Update your antivirus software's virus definitions/DATs, then run a full antivirus scan. Besides your own antivirus software, also get a "second opinion" from some additional online antivirus scanners, such as these, for increased coverage (no single company detects all malware):

http://support.f-secure.com/enu/home/ols.shtml
http://safety.live.com
http://www.pandasoftware.com/products/activescan.htm
http://housecall.trendmicro.com


3. REMOVE SPYWARE AND ADWARE

Scan for spyware using SUPERAntiSpyware's free version:
http://www.superantispyware.com

Scan for spyware using Spybot Search & Destroy, which is also free:
http://www.safer-networking.org


4. ADVANCED TECHNIQUES

After the other steps, run HijackThis in Safe Mode. If you get an error when you run HJT, rename it to something random and run it again (some malware will block it by name):

http://www.spywareinfo.com/~merijn/programs.php
http://hijackthis.de/en (online HJT logfile analyzer)

Run SmitFraudFix, following the instructions carefully: http://siri.urz.free.fr/Fix/SmitfraudFix_En.php It's not unusual for this download to be detected by antivirus software because some of the files it contains could be used for malicious purposes. In this case, however, it's OK.


Results?
 

JPB, Diamond Member, joined Jul 4, 2005
Originally posted by: mechBgon
Try these steps and see if they'll address it. The last time I encountered that infection, I seem to recall it being part of a much larger infection that included rootkit-protected stuff, so work through this and see how it goes:

1. REMOVE ROOTKITS

Scan for rootkits using Panda AntiRootkit and McAfee Rootkit Detective, which are both free:
http://www.majorgeeks.com/Panda_Anti-Rootkit_d5457.html
http://vil.nai.com/vil/stinger/rkstinger.aspx

Ran both of those programs. And no rootkits found.


2. REMOVE VIRUSES, WORMS, AND TROJANS

Update your antivirus software's virus definitions/DATs, then run a full antivirus scan. Besides your own antivirus software, also get a "second opinion" from some additional online antivirus scanners, such as these, for increased coverage (no single company detects all malware):

http://support.f-secure.com/enu/home/ols.shtml
http://safety.live.com
http://www.pandasoftware.com/products/activescan.htm
http://housecall.trendmicro.com

Ok, I ran Housecall and a few of the others listed here; they found quite a few worms, trojans etc., and I got rid of those.


3. REMOVE SPYWARE AND ADWARE

Scan for spyware using SUPERAntiSpyware's free version:
http://www.superantispyware.com

Scan for spyware using Spybot Search & Destroy, which is also free:
http://www.safer-networking.org

I ran SUPERAntiSpyware and it found a lot of things. One was an ISM file, which according to others online is Internet Speed Monitor. I also ran Spybot and cleaned.


4. ADVANCED TECHNIQUES

After the other steps, run HijackThis in Safe Mode. If you get an error when you run HJT, rename it to something random and run it again (some malware will block it by name):

http://www.spywareinfo.com/~merijn/programs.php
http://hijackthis.de/en (online HJT logfile analyzer)

Run SmitFraudFix, following the instructions carefully: http://siri.urz.free.fr/Fix/SmitfraudFix_En.php It's not unusual for this download to be detected by antivirus software because some of the files it contains could be used for malicious purposes. In this case, however, it's OK.

Did both of these options also. After several reboots, it looked like everything was OK. But all of a sudden, it popped up again.


Results?

After all of those tests and cleaning, it still exists.
 

mechBgon, Super Moderator / Elite Member, joined Oct 31, 1999
Post a HJT log; maybe something will come to light. Also, do you remember any of the specific malware that was discovered (worms, trojans)?
 

JPB, Diamond Member, joined Jul 4, 2005
Logfile of HijackThis v1.99.1
Scan saved at 10:41:06 PM, on 11/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\RivaTuner v2.02\RivaTuner.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QdrPack\QdrPack9.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\calc.exe
C:\Documents and Settings\X1900GT Crossfire\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: {297811e0-c76a-c339-c974-8d67445e05ea} - {ae50e544-76d8-479c-933c-a67c0e118792} - C:\WINDOWS\system32\ludgiodw.dll (file missing)
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [RivaTuner] "C:\Program Files\RivaTuner v2.02\RivaTuner.exe" /T
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.02\RivaTuner.exe" /S
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [QdrPack9] "C:\Program Files\QdrPack\QdrPack9.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\X1900GT Crossfire\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.drivecleaner.com (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Visualware CallerIP (CallerIP) - Unknown owner - D:\Program Files\CallerIP\cip-nt.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: ReaConverter scheduler service (rcp_service) - ReaSoft - D:\Program Files\ReaConverter 5.0 Pro\rcp_scheduler.exe
 

mechBgon, Super Moderator / Elite Member, joined Oct 31, 1999
Kill that Qdrpack stuff (C:\Program Files\QdrPack\QdrPack9.exe and O4 - HKCU\..\Run: [QdrPack9] "C:\Program Files\QdrPack\QdrPack9.exe") and the O15 DriveCleaner; those are definitely bad.

Results?

Also, did you run the F-Secure online scanner in particular, which uses the Kaspersky engine? Because I sent them (Kaspersky) a sample of that Qdrpack stuff recently and they added detection. Of course, the malware could now be changed...
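The triage mechBgon does by eye above (a GUID-named BHO whose DLL is missing, a known-bad O4 autorun, an O15 Trusted Zone entry, O23 services with no vendor) can be written down as rules. The script below is an added example, not something posted in this thread or shipped with HijackThis: it parses lines in HJT log format and returns findings with a severity and a reason. The sample lines are copied from the log posted above; the rule set, the severity levels and the KNOWN_BAD_EXES list (seeded here with QdrPack9.exe because the moderator called it out) are my own assumptions, and an analyst would maintain that list from their own confirmed findings.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis log format. The lines are copied from the log
# posted in this thread; which lines were picked and their order are mine.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {297811e0-c76a-c339-c974-8d67445e05ea} - {ae50e544-76d8-479c-933c-a67c0e118792} - C:\WINDOWS\system32\ludgiodw.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [QdrPack9] "C:\Program Files\QdrPack\QdrPack9.exe"
O15 - Trusted Zone: *.drivecleaner.com (HKLM)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

# Executables an analyst has already judged malicious. QdrPack9.exe is the entry
# the moderator called out in this thread; the set itself is a placeholder you
# would fill from your own prior findings (assumption, not an HJT feature).
KNOWN_BAD_EXES = {"qdrpack9.exe"}

GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\Run: \[[^\]]*\]\s*(.*)$")
RANK = {"MEDIUM": 1, "HIGH": 2}


@dataclass
class Finding:
    section: str
    severity: str
    reasons: list
    line: str


def _exe_name(command: str) -> str:
    """Lower-cased basename of the executable in an O4 Run command."""
    m = re.match(r'\s*"([^"]+)"', command) or re.match(r"\s*(\S+)", command)
    path = m.group(1) if m else ""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_line(line: str):
    """Return a Finding for one HJT line, or None when nothing stands out."""
    m = re.match(r"^(O\d+) - (.*)$", line.strip())
    if not m:
        return None
    section, body = m.groups()
    reasons, severity = [], None

    def flag(reason, level):
        # Collect every reason; the finding's severity is the highest one seen.
        nonlocal severity
        reasons.append(reason)
        if severity is None or RANK[level] > RANK[severity]:
            severity = level

    if "(file missing)" in body:
        flag("points at a file that no longer exists (often a half-removed component)", "MEDIUM")
    if section == "O2" and body.startswith("BHO: "):
        # Legitimate BHOs carry a product name; a GUID in the name slot is a classic tell.
        name = body[len("BHO: "):].split(" - ")[0].strip()
        if GUID_RE.match(name):
            flag("BHO is named by a GUID instead of a product name", "HIGH")
    elif section == "O4":
        rm = RUN_RE.match(body)
        if rm and _exe_name(rm.group(2)) in KNOWN_BAD_EXES:
            flag("autorun executable is on the known-bad list", "HIGH")
    elif section == "O15":
        # Any Trusted Zone addition deserves review: it lowers IE's security for that domain.
        flag("Trusted Zone entry relaxes IE security for that domain", "HIGH")
    elif section == "O23" and "Unknown owner" in body:
        flag("service binary carries no vendor name", "MEDIUM")

    return Finding(section, severity, reasons, line.strip()) if reasons else None


def analyze(log_text: str) -> list:
    """Triage every line of an HJT log; findings keep the log's order."""
    return [f for f in map(analyze_line, log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.severity}] {f.section}: {'; '.join(f.reasons)}\n    {f.line}")
```

Run against the sample it reports the GUID-named BHO, the QdrPack autorun and the drivecleaner Trusted Zone entry as HIGH and the unsigned PnkBstrA service as MEDIUM, while the Adobe BHO and the NOD32 entries pass silently. The rules are deliberately narrow: a missing vendor string or a missing file is a prompt to look, not proof of infection, which is why those carry the lower severity.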
 

JPB, Diamond Member, joined Jul 4, 2005
I left the Qdrpack stuff on there before... not now, deleted it all. I thought it had to do with my Qarl's Texture Mod for Oblivion, since the names are similar. But it's gone now.

Already ran Secunia, and these are the items:

Adobe
Quicktime
IrfanView
Dreamweaver
Net Framework
Realplayer 10
Java
Winrar
Winzip
Yahoo
Flash Player

End Of Life Software
_________________

Jasc Animation Shop
Flash Player
Mozilla Thunderbird

F-secure Online Scanner running now
 

JPB, Diamond Member, joined Jul 4, 2005
Ok, here is what the F-Secure online scanner found and fixed:

Scanning Report
Sunday, November 04, 2007 09:12:37 - 10:05:54
Computer name: EVGA
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\


--------------------------------------------------------------------------------

Result: 14 malware found
Possible Browser Hijack attempt (spyware)
System (Disinfected)
Rootkit.AWP (virus)
D:\DOWNLOAD'S\EXECS\LABYSETUP(2).EXE (Submitted)
D:\DOWNLOAD'S\EXECS\PBUDYSETUP.EXE (Submitted)
Tracking Cookie (spyware)
System (Disinfected)
System
System
System
System
System
System
System
System
Vundo.gen38 (virus)
C:\WINDOWS\SYSTEM32\DVVDBNCG.INI (Submitted)
C:\WINDOWS\SYSTEM32\HJDHQEHA.INI (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 32057
System: 4618
Not scanned: 3
Actions:
Disinfected: 2
Renamed: 0
Deleted: 0
None: 12
Submitted: 4
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{79A4053B-E3A4-4E0E-981B-0A01AA1C00A5}.BIN
 

John, Moderator Emeritus / Elite Member, joined Oct 9, 1999
Are you still seeing the ISM popup?

- Did you run the latest ComboFix? PM me for the link if you're interested so you can compare the MD5.
- Did you disable System Restore?
- Are you running these scans in Safe Mode?

With F-Secure picking up vundo infection(s) you probably still have more crap that is going undetected.

1. Download, install, and run CCleaner
2. Disable NOD32 and install Antivir. Go into the config, enable expert mode, look under scanner > click the + next to scan > check all files and everything under additional settings. Now look under Heuristic and set to high. General > extended threat categories > select all > ok. Make sure you run the updater and that it actually updates.
3. Download, install, and update CounterSpy
4. Download roguefix to c:
5. Reboot to safe mode: Run roguefix first, then CounterSpy, now do a full scan with Antivir.
 

mechBgon, Super Moderator / Elite Member, joined Oct 31, 1999
Originally posted by: JPB
I left the Qdrpack stuff on there before... not now, deleted it all. I thought it had to do with my Qarl's Texture Mod for Oblivion, since the names are similar. But it's gone now.

Already ran Secunia, and these are the items:

Adobe
Quicktime
IrfanView
Dreamweaver
Net Framework
Realplayer 10
Java
Winrar
Winzip
Yahoo
Flash Player

End Of Life Software
_________________

Jasc Animation Shop
Flash Player
Mozilla Thunderbird

F-secure Online Scanner running now

There are exploits for a lot of the vulnerable and EOL software you listed, too, so consider getting those addressed.

 

JPB, Diamond Member, joined Jul 4, 2005
Originally posted by: John
Are you still seeing the ISM popup?

- Did you run the latest ComboFix? PM me for the link if you're interested so you can compare the MD5.
- Did you disable System Restore?
- Are you running these scans in Safe Mode?

With F-Secure picking up vundo infection(s) you probably still have more crap that is going undetected.

1. Download, install, and run CCleaner
2. Disable NOD32 and install Antivir. Go into the config, enable expert mode, look under scanner > click the + next to scan > check all files and everything under additional settings. Now look under Heuristic and set to high. General > extended threat categories > select all > ok. Make sure you run the updater and that it actually updates.
3. Download, install, and update CounterSpy
4. Download roguefix to c:
5. Reboot to safe mode: Run roguefix first, then CounterSpy, now do a full scan with Antivir.

Yeah, I did run the latest ComboFix.
How do you disable System Restore? I have before, but forget now.
Yes, running all tests in Safe Mode.

I already have CCleaner installed. Been using it a year now.
Is AntiVir better than NOD32?
 

JPB, Diamond Member, joined Jul 4, 2005
Since boot-up this morning, I have not had the ISM popup at all. Usually I would have seen it by now. Hopefully it is gone. By the way, can you guys recommend the BEST spyware and antivirus? I plan on buying the full retail versions from Newegg.
 

mechBgon, Super Moderator / Elite Member, joined Oct 31, 1999
Is AntiVir better than NOD32?

If you want a SERIOUS upgrade to your security: http://www.mechbgon.com/build/Limited.html This stops stuff that nothing detects yet. It comes at the cost of some convenience, and still requires risk avoidance (no warez/cracks/serials or other likely Trojan Horses), but basically deprives the bad guys of the Admin powers that they currently depend upon to do a considerable amount of their dirty work.


I do think AntiVir's detection rates are better than NOD32 on the stuff that'll matter most*, especially if you enable Expert Mode and max out all options, including heuristics and archive scanning. The Premium version is under $30 at Avira's store and enables the spyware detection, email scanning, and autonomous disposal of threats that the real-time scanner discovers (instead of you having to answer prompts for the detected items yourself, as is the case on the free version).


*to elaborate, I'm thinking of exploits and first-stage dropper/downloader attack files which the exploits deliver and launch. Kill the seed first, and there's no need to kill the full-grown weed later. With heuristics at maximum, AntiVir is pretty good on these.
 

JPB, Diamond Member, joined Jul 4, 2005
mechBgon, I cannot thank you enough for all the help you've given me, beyond just saying THANK YOU!

I am reading the pages you linked me to now, and I will follow them to the letter. Thanks man... :)

Btw, it seems the Internet Speed Monitor is GONE !!!!!!!!!!!!!!!!