

JjJames
Content count: 15
Posts by JjJames
-
Nope, haven't received anything from them.
I sent them a mail with the file and an explanation of the problem.
I still have some of the infected files, but of course they are still useless.
No more problems with the PC, but I haven't had problems with it since I deleted that DLL and some reg keys.
-
Hi Qc001, ipl_001, JjJames
...
Hi,
You're right, I tried it too on my old PC, and indeed, although it also recognises the files it changed.
And I'm mailing Dr.Web right now.
I'll post any reply they give here.
JjJames
-
Hi JjJames,
...
I'll keep looking on the net. Since it seems pretty new, maybe some more cases will show up.
This is the address they give:
Visit our Support section for answers to frequently asked questions. Technical Support hours are 8:30am - 5:30pm PST, Monday - Friday. Cure Lab Inc. 121 Street Surrey BC V3X 2K8 Canada
Something tells me the address won't be correct.
Thx,
JjJames
-
Hi JjJames,
...
Hi,
Thx a million for searching.
Unfortunately I have already tried Spyware Doctor, but it didn't recover my files.
And again, unfortunately, I have already deleted the DLL. I did this to stop the annoying popup; this was before I found out my files were changed.
But maybe the DLL file of one of the other victims of the adware here can help; they have a different name, but since they do the same thing, maybe they are the same DLLs, just with a different name.
And about the other PC, I'll give it a try tomorrow, I have to install Windows on it. Afterwards I'm also going to try with the CurePCsolutions software (on that old PC). There is nothing on that PC, so it doesn't have anything to break.
-
JjJames,
...
OK, thanks for looking.
I think that it's a new adware/virus, because everything I can find via Google is posts about the same problem, and all this month. So maybe some antivirus company will come with a fix or something. <crosses fingers>
And if not, then I'll just have to retype/remake the documents.
And this is yet another wake-up call for me to take backups more often.
Luckily I didn't forget to back up my most important files (Bachelor thesis files), because the adware/virus also changed the original files.
JjJames
-
Hi JjJames,
....
Hi
The files are the same size they were before they were renamed. For example, an Xvid episode xxxxxxx.avi that was 350MB is now still 350MB. But when I rename it back to .avi I can no longer play it. Not even in a program like AVIPreview (which can play incomplete, corrupt AVI files).
So I think that the file has been completely encoded or something.
They all used to have the same icon, and when I opened them, it would open the error message "possible virus warning" and then go to the CurePCsolutions site.
But now that I have deleted the .dll file, they no longer have an icon, and it just says that I have "no access to the file".
This is a screenshot from the CurePCsolutions site, about the files that were renamed.
(I don't want to post the link, because of the risk of infections)
EDIT: The problem is that the other files are 350MB, and that is a lot to upload.
EDIT2: Just tried one of those avi files, it also says 0 bytes, but on my PC it is 350MB.
EDIT3: I renamed the file that was lijstduits.doc.exe back to .doc, and now it says
File size: 43008 bytes
MD5: f04fd1821ae0fd1ae871dbc3a27058c5
SHA1: 754030b18b33ae2482c6eaf399d81cfd94abf90b
AND
DrWeb 4.33 12.16.2006 Trojan.Encoder.10
Norman 5.80.02 12.15.2006 W32/Cups.A
Panda 9.0.0.4 12.16.2006 Adware/SpySheriff
-
ok your logs look clean.
Can you please upload one of the files renamed on Virustotal? => http://www.virustotal.com/en/indexf.html
post the result in your next reply please
Always says "no virus found"
and
File size: 0 bytes
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
Is it normal that the file size says 0 bytes? Because the file is a few KB large.
And when I open "My Documents" AVG Antivirus gives me a warning "warning hidden extension .exe".
Thx by the way for the help so far.
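Two details in the post above can be checked mechanically: the 0-byte VirusTotal result and AVG's "hidden extension .exe" warning. The script below is an added example; it is not part of the thread and not code from AVG, VirusTotal or any tool named here. The MD5 d41d8cd98f00b204e9800998ecf8427e and SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 reported above are the digests of zero bytes of input, so the scanner hashed an empty upload rather than the file's contents (consistent with the "no access to the file" error). The script recomputes those two constants, flags any entry whose hashes match them, and recovers the original name from a double extension such as lijstduits.doc.exe. The directory listing it runs on is constructed for the demo; the set of wrapped document extensions and the sample bytes are assumptions.

```python
import hashlib
import os

# Digests of zero bytes of input. A scanner report showing these values next to
# "File size: 0 bytes" means the scanner received no content at all (for example
# because the file could not be read), not that the file is harmless.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()
EMPTY_SHA1 = hashlib.sha1(b"").hexdigest()

# Document extensions the renamer in this thread wrapped in .exe (assumed list).
DOCUMENT_EXTS = {".doc", ".xls", ".avi", ".pdf", ".ppt", ".jpg"}


def split_double_extension(name):
    """Return (inner_ext, outer_ext) for names like 'report.doc.exe'.

    inner_ext is the document extension hidden under the .exe, or None when
    the name does not have that double-extension shape.
    """
    stem, outer = os.path.splitext(name)
    _, inner = os.path.splitext(stem)
    if outer.lower() == ".exe" and inner.lower() in DOCUMENT_EXTS:
        return inner.lower(), outer.lower()
    return None, outer.lower()


def triage_file(name, content):
    """Describe one file entry: its hidden original name and whether the hashes
    a scanner would report for it are the digests of empty input."""
    inner, outer = split_double_extension(name)
    md5 = hashlib.md5(content).hexdigest()
    sha1 = hashlib.sha1(content).hexdigest()
    return {
        "name": name,
        "size": len(content),
        "md5": md5,
        "sha1": sha1,
        "double_extension": inner is not None,
        "original_name": name[: -len(outer)] if inner else name,
        "scanner_saw_content": not (md5 == EMPTY_MD5 and sha1 == EMPTY_SHA1),
    }


def triage_listing(entries):
    """Run triage_file over (name, content) pairs and return results for the
    entries that carry the .exe double extension."""
    return [triage_file(n, c) for n, c in entries if split_double_extension(n)[0]]


# Constructed sample listing, not data from the thread (only the first file name
# is taken from the post): one .doc.exe with readable bytes, one .avi.exe that
# reads as empty (as an unreadable upload would), and one ordinary executable.
SAMPLE_ENTRIES = [
    ("lijstduits.doc.exe", b"\xd0\xcf\x11\xe0" + b"A" * 60),
    ("episode01.avi.exe", b""),
    ("setup.exe", b"MZ" + b"\x00" * 30),
]

if __name__ == "__main__":
    for r in triage_listing(SAMPLE_ENTRIES):
        status = ("content hashed" if r["scanner_saw_content"]
                  else "EMPTY input: hashes are the digests of 0 bytes")
        print(f"{r['name']:20} -> {r['original_name']:16} {r['size']:4} bytes  {status}")
```

When a submission's reported hashes equal EMPTY_MD5 and EMPTY_SHA1, the "no virus found" verdict says nothing about the file: re-read the file with sufficient rights (or copy it from the disk offline) and resubmit before drawing any conclusion.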
-
Avg found nothing.
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 18:38:10 16/12/2006
+ Scan result:
Nothing found.
::Report end
-
SmitFraudFix log
SmitFraudFix v2.130
Scan done at 17:42:14,98, za 16/12/2006
Run from E:\Documents and Settings\Frederick\Bureaublad\SmitfraudFix
OS: Microsoft Windows XP [versie 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» E:\
»»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» E:\Documents and Settings\Frederick
»»»»»»»»»»»»»»»»»»»»»»»» E:\Documents and Settings\Frederick\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» E:\DOCUME~1\FREDER~1\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» E:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Mijn huidige introductiepagina"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{947254B5-96F3-4A9D-FF34-8466477D897C}"="Printer driver"
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
-
Uninstall list
µTorrent
Ad-Aware SE Personal
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Download Manager 2.0 (alleen verwijderen)
Adobe Flash Player 9 ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 7.0.8 - Nederlands
Adobe Stock Photos 1.0
Apple Software Update
Ares 1.9.0
AVG Free Edition
Battlefield 2
BfSV 0.85
Cisco Systems VPN Client 4.8.01.0300
Combined Community Codec Pack 2006-07-28 (Remove Only)
EVEREST Home Edition v2.20
GTA San Andreas
HijackThis 1.99.1
Hotfix for Windows XP (KB909394)
Image Resizer Powertoy for Windows XP
Indeo® Software
Microsoft .NET Framework 1.1
Microsoft ActiveSync 4.0
Microsoft Office FrontPage 2003
Microsoft Office Professional Editie 2003
Mozilla Firefox (1.5.0.
Nero 7 Demo
NVIDIA Drivers
NvMixer
PeerGuardian 2.0
QuickTime
SAS Learning Edition 2.0
SolidConverterPDF
Telemeter 3.5f
VideoLAN VLC media player 0.8.5
Winamp (remove only)
Windows Live Messenger
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10 Hotfix - KB894476
WinRAR
Xfire (remove only)
Fresh Hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 17:24:25, on 16/12/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\brsvc01a.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\System32\brss01a.exe
E:\WINDOWS\Explorer.EXE
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
E:\Program Files\Microsoft ActiveSync\wcescomm.exe
E:\PROGRA~1\MICROS~2\rapimgr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
E:\Program Files\MSN Messenger\msnmsgr.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Telemeter 3.0\Telemeter3.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - E:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - E:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [NVMixerTray] "E:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "E:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "E:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://E:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobiele favorieten maken - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{009A856C-37DB-4A4C-B80C-8651986985D2}: NameServer = 198.231.24.102
O17 - HKLM\System\CCS\Services\Tcpip\..\{8804FB52-7789-47B8-9A11-0B689603007D}: NameServer = 198.231.24.102
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C3C5C1B-CE75-4A8C-9291-96D12B200435}: NameServer = 198.231.24.102
O17 - HKLM\System\CCS\Services\Tcpip\..\{D11A5074-21F9-4863-A76F-E0CB00718422}: NameServer = 198.231.24.102
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4C19F45-0E93-45CC-8C80-CD6C64B4FE6D}: NameServer = 198.231.24.102
O17 - HKLM\System\CS1\Services\Tcpip\..\{009A856C-37DB-4A4C-B80C-8651986985D2}: NameServer = 198.231.24.102
O17 - HKLM\System\CS2\Services\Tcpip\..\{009A856C-37DB-4A4C-B80C-8651986985D2}: NameServer = 198.231.24.102
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - E:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - E:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - E:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
I have no more problems with that "black.mht" page, ever since I deleted the DLL. But the files are still named .exe, and I can't change them.
Maybe I should not have deleted the .dll file?
-
Hello,
Some spyware changed about 3GB of files into .exe, and simply renaming it doesn't help.
I had the same problem as described here:
http://forum.zebulon.fr/index.php?showtopic=111010&st=0
I explained that I have the same problem as you: the files being changed to xls.exe, avi.exe, etc., and the problem of the "blank.mht" page in Internet Explorer. I found a .dll (1A9BDAF.dll) in c:/windows/system32 (it was hidden); it is like your F9428.ddl. I renamed this dll to "xxx1A9BDAF.dll" and after doing that I deleted "black.mht" in c:/windows/. I changed my home page, and now I no longer have problems with that.
Here is the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 16:44:51, on 16/12/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\brsvc01a.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\System32\brss01a.exe
E:\WINDOWS\Explorer.EXE
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
E:\Program Files\Microsoft ActiveSync\wcescomm.exe
E:\PROGRA~1\MICROS~2\rapimgr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
E:\Program Files\MSN Messenger\msnmsgr.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = E:\WINDOWS\blank.mht
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = E:\WINDOWS\blank.mht
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = E:\WINDOWS\blank.mht
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - E:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: E:\WINDOWS\System32\1A9BDAF.dll - {947254B5-96F3-4A9D-FF34-8466477D897C} - E:\WINDOWS\System32\1A9BDAF.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - E:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [NVMixerTray] "E:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "E:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "E:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://E:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobiele favorieten maken - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{009A856C-37DB-4A4C-B80C-8651986985D2}: NameServer = 198.231.24.102
O17 - HKLM\System\CCS\Services\Tcpip\..\{8804FB52-7789-47B8-9A11-0B689603007D}: NameServer = 198.231.24.102
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C3C5C1B-CE75-4A8C-9291-96D12B200435}: NameServer = 198.231.24.102
O17 - HKLM\System\CCS\Services\Tcpip\..\{D11A5074-21F9-4863-A76F-E0CB00718422}: NameServer = 198.231.24.102
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4C19F45-0E93-45CC-8C80-CD6C64B4FE6D}: NameServer = 198.231.24.102
O17 - HKLM\System\CS1\Services\Tcpip\..\{009A856C-37DB-4A4C-B80C-8651986985D2}: NameServer = 198.231.24.102
O17 - HKLM\System\CS2\Services\Tcpip\..\{009A856C-37DB-4A4C-B80C-8651986985D2}: NameServer = 198.231.24.102
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - E:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - E:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - E:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
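The two logs posted in this thread point at the same component from two directions: the HijackThis log above lists an O2 BHO for E:\WINDOWS\System32\1A9BDAF.dll with CLSID {947254B5-96F3-4A9D-FF34-8466477D897C} and the browser Search Page redirected to a local blank.mht, and the earlier SmitFraudFix log lists that same CLSID under SharedTaskScheduler with the label "Printer driver". The script below is an added example, not part of the thread and not code from HijackThis or SmitFraudFix; it parses a handful of lines in those tools' output formats and applies triage rules of our own choosing: a BHO whose file name is bare hexadecimal, whose display name is a file path rather than a product name, or whose file is already missing; a start or search page pointing at a local .mht; a CLSID registered both as a BHO and as a SharedTaskScheduler entry; and any hard-coded NameServer, listed so it can be compared with the ISP's actual DNS servers rather than judged here. The sample lines are copied from the logs posted above; the line selection and the rules are assumptions.

```python
import re

# Constructed sample: a few lines copied from the HijackThis and SmitFraudFix
# logs posted in this thread (the selection is ours, the values are theirs).
HIJACKTHIS_LINES = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = E:\WINDOWS\blank.mht",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: E:\WINDOWS\System32\1A9BDAF.dll - {947254B5-96F3-4A9D-FF34-8466477D897C} - E:\WINDOWS\System32\1A9BDAF.dll (file missing)",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{009A856C-37DB-4A4C-B80C-8651986985D2}: NameServer = 198.231.24.102",
]
SMITFRAUDFIX_LINES = [
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]",
    r'"{947254B5-96F3-4A9D-FF34-8466477D897C}"="Printer driver"',
]

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
PAGE_RE = re.compile(r"^R[01] - (?P<key>.*?),(?P<setting>[^=]+) = (?P<target>.*)$")
DNS_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.*)$")
STS_RE = re.compile(r'^"(?P<clsid>\{[0-9A-Fa-f-]+\})"="(?P<label>.*)"$')
# A bare hexadecimal DLL name with no vendor-style name (our heuristic).
HEX_NAME_RE = re.compile(r"^[0-9A-Fa-f]{4,10}\.dll$")


def analyze(hjt_lines, sfx_lines):
    """Return a list of review findings from HijackThis and SmitFraudFix lines.

    Findings are prompts for a human reviewer, not verdicts: every rule here
    can also fire on legitimate software."""
    findings = []
    bhos = {}
    for line in hjt_lines:
        m = BHO_RE.match(line)
        if m:
            clsid = m["clsid"].upper()
            bhos[clsid] = m
            fname = m["path"].replace(" (file missing)", "").rsplit("\\", 1)[-1]
            reasons = []
            if HEX_NAME_RE.match(fname):
                reasons.append("random-looking hex file name")
            if m["name"].lower().endswith(".dll"):
                reasons.append("display name is a file path, not a product name")
            if "(file missing)" in m["path"]:
                reasons.append("registration remains although the file is gone")
            if reasons:
                findings.append({"kind": "bho", "clsid": clsid, "file": fname, "reasons": reasons})
            continue
        m = PAGE_RE.match(line)
        if m and m["target"].lower().endswith(".mht"):
            # Start/search page redirected to a local web archive file.
            findings.append({"kind": "local_page", "setting": m["setting"].strip(), "target": m["target"]})
            continue
        m = DNS_RE.match(line)
        if m:
            # Listed for comparison with the ISP's servers, not judged here.
            findings.append({"kind": "dns", "servers": m["servers"].split(",")})
    for line in sfx_lines:
        m = STS_RE.match(line)
        if m and m["clsid"].upper() in bhos:
            # Same CLSID hooked into two load mechanisms under different names.
            findings.append({"kind": "shared_clsid", "clsid": m["clsid"].upper(), "label": m["label"]})
    return findings


if __name__ == "__main__":
    for f in analyze(HIJACKTHIS_LINES, SMITFRAUDFIX_LINES):
        print(f)
```

Run as-is it reports the blank.mht search page, the 1A9BDAF.dll BHO with all three reasons, the single hard-coded DNS server, and the CLSID shared with the "Printer driver" SharedTaskScheduler entry. Deleting the DLL by hand, as done in this thread, removes the file but leaves both registrations behind, which is exactly the "(file missing)" state the parser flags; a clean-up also needs the O2 entry and the SharedTaskScheduler value removed.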
-
Hi JjJames, welcome to Zebulon
Don't install this program, I think it's a rogue (a false antispyware program)
...
Hi, that's why I was thinking about installing it on an old PC. I know it's a false antispyware program, but maybe it can recover the files it killed.
But I'll open another topic with my log.
-
....
PS: Since I'm as good at English as I am at computers, could you tell me what JjJames replied and whether what he says can help me! Thanks a lot
No, I'm sorry, but I don't think I said anything that can help you. I'll try in French.
I explained that I have the same problem as you: the files being changed to xls.exe, avi.exe, etc., and the problem of the "blank.mht" page in Internet Explorer.
I found a .dll (1A9BDAF.dll) in c:/windows/system32 (it was hidden); it is like your F9428.ddl. I renamed this dll to "xxx1A9BDAF.dll" and after doing that I deleted "black.mht" in c:/windows/. I changed my home page, and now I no longer have problems with that. But I advise you not to do that, and to wait for an answer here, because I am not a specialist.
But the problem with my files remains (almost 3GB). And I don't know whether I can repair them.
There you go, I hope you understand.
JjJames
-
~~ edit by ipl_001: this discussion was split from http://forum.zebulon.fr/index.php?showtopic=111010
Hi, sorry but my French is not good enough to talk about this virus, so I'll try it in English.
I have had the same problem as mentioned above. Only problem is that some important school files, movie files etc. have been renamed with the .exe.
And every time I opened IE6, I got a page called "blank.mht".
I had already found out that the file "1A9BDAF.dll" in my system32 file was causing most of this, so I renamed it to "xxxx1A9BDAF.dll".
(It was hidden; I found it by arranging all files by the date they were last changed, and that was the only file that was changed that day.)
And that was a success. No more blank.mht, no more error messages when using Shift or Ctrl. So that .dll file seems to cause most of that.
After I rebooted, I could just delete the DLL file.
The only problem still remaining is whether it is possible to reconvert the changed .exe to their original files.
I have about 3GB of files that now have the .exe extension.
Do you think it is possible?
I am thinking about installing the CorePCsolutions software on an old PC, and then trying if I can convert them back with their software.
Thanks a lot in advance
JjJames
PS: This seems to be a pretty new virus/spyware, not a lot about it on the internet, and the things you do find are from this month.
CurePCSolutions, adds .exe to files
in Malware analysis and removal
Hi everyone,
and merry Xmas to you all.
Of course I am willing to wait. I know I haven't had an answer yet, but if they are working on it, it might of course take a while before they find something.
When I first posted here, typing "curepcsolutions" in Google gave 2 pages of results; now it finds 11 pages. So it is definitely spreading, and maybe someone will find some way to decrypt the files. So I'll keep them on backup for now.
Thanks for the help so far, and I wish you a happy start to the new year. (And may it be malware free)
JjJames