
Thread: Stubbornly infected

  1. #21
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    "Here's what I do see. SpyBot is showing only one item after S&D: "MicrosoftWindowsSecurityCenter_Disabled.""

    That's ok, no worries.

    "Also in SpyBot under Startup, there are three entries that will not go away:

    Windows/System32/awtqq.dll
    opnmkii
    Windows/System32/pmnlk.dll

    If I toggle them off, they reset to ON, and if I remove them they reappear."

    Try to uninstall & re-install spybot. Now success?
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  2. #22
    Junior Member
    Join Date
    Oct 2007
    Posts
    22

    Default Next chapter

    Hi Shaba,

    I removed SpyBot and reinstalled, updated, etc. Things seem to be the same as they were before doing so.

    After S&D "MicrosoftWindowsSecurityCenter_Disabled" was initially the only item, but on a later scan AdRevolver, DoubleClick, and Zeda appeared.

    These three startup entries still won't go away:

    Windows/System32/awtqq.dll
    opnmkii
    Windows/System32/pmnlk.dll


    But we're closer!

    Thanks,
    Tom

  3. #23
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    "After S&D "MicrosoftWindowsSecurityCenter_Disabled" was initially the only item, but on a later scan AdRevolver, DoubleClick, and Zeda appeared."

    Those are tracking cookies, nothing to worry about.

    Please post a list of the Spybot startup items then, please.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  4. #24
    Junior Member
    Join Date
    Oct 2007
    Posts
    22

    Default Startup

    Hi Shaba,

    --- Spybot - Search & Destroy version: 1.5 (build: 20070830) ---

    2007-08-31 blindman.exe (1.0.0.6)
    2007-08-31 SDMain.exe (1.0.0.4)
    2007-08-31 SDUpdate.exe (1.0.6.4)
    2007-08-31 SDWinSec.exe (1.0.0.8)
    2007-08-31 SpybotSD.exe (1.5.1.15)
    2007-08-31 TeaTimer.exe (1.5.0.9)
    2006-01-11 unins000.exe (51.41.0.0)
    2007-10-23 unins001.exe (51.46.0.0)
    2007-08-31 Update.exe (1.4.0.5)
    2007-08-31 advcheck.dll (1.5.3.0)
    2007-04-02 aports.dll (2.1.0.0)
    2005-05-31 borlndmm.dll (7.0.4.453)
    2005-05-31 delphimm.dll (7.0.4.453)
    2007-04-02 DelZip179.dll (1.79.5.3)
    2007-08-31 SDHelper.dll (1.5.0.8)
    2007-08-31 Tools.dll (2.1.2.0)
    2005-05-31 UnzDll.dll (1.73.1.1)
    2005-05-31 ZipDll.dll (1.73.2.0)
    2007-10-17 Includes\Cookies.sbi
    2007-07-25 Includes\Dialer.sbi
    2007-10-17 Includes\DialerC.sbi
    2007-08-29 Includes\Hijackers.sbi
    2007-10-17 Includes\HijackersC.sbi
    2007-10-04 Includes\Keyloggers.sbi
    2007-10-17 Includes\KeyloggersC.sbi
    2004-11-29 Includes\LSP.sbi
    2007-10-04 Includes\Malware.sbi
    2007-10-17 Includes\MalwareC.sbi
    2007-09-05 Includes\PUPS.sbi
    2007-10-17 Includes\PUPSC.sbi
    2007-10-17 Includes\Revision.sbi
    2007-05-30 Includes\Security.sbi
    2007-10-17 Includes\SecurityC.sbi
    2007-10-10 Includes\Spybots.sbi
    2007-10-17 Includes\SpybotsC.sbi
    2007-08-21 Includes\Tracks.uti
    2007-10-17 Includes\Trojans.sbi
    2007-10-17 Includes\TrojansC.sbi
    2008-12-24 Plugins\TCPIPAddress.dll

    Located: HK_LM:Run, ccApp
    command: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    file: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    size: 115816
    MD5: 25BE770865658CB79100117112819A7C

    Located: HK_LM:Run, DSL Connection Manager
    command: C:\Program Files\INTEL\DSLSetup\ProDsl.exe /P
    file: C:\Program Files\INTEL\DSLSetup\ProDsl.exe
    size: 77824
    MD5: 383541CF3E0B7389729722AD90BCC107

    Located: HK_LM:Run, NvCplDaemon
    command: RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    file:
    size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
    Warning: if the file is actually larger than 0 bytes,
    the checksum could not be properly calculated!

    Located: HK_LM:Run, Symantec NetDriver Monitor
    command: C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    file:
    size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
    Warning: if the file is actually larger than 0 bytes,
    the checksum could not be properly calculated!

    Located: HK_LM:Run, iTunesHelper (DISABLED)
    command: "C:\Program Files\iTunes\iTunesHelper.exe"
    file: C:\Program Files\iTunes\iTunesHelper.exe
    size: 256576
    MD5: D2ED7AF383AAB672CB7E135040967954

    Located: HK_LM:Run, NvCplDaemon (DISABLED)
    command: RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    file:
    size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
    Warning: if the file is actually larger than 0 bytes,
    the checksum could not be properly calculated!

    Located: HK_LM:Run, nwiz (DISABLED)
    command: nwiz.exe /install
    file: C:\WINDOWS\system32\nwiz.exe
    size: 1495040
    MD5: 6ED177A150C92D4FE54A577B48076D45

    Located: HK_LM:Run, QuickTime Task (DISABLED)
    command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
    file: C:\Program Files\QuickTime\qttask.exe
    size: 282624
    MD5: 7FBE43046EFDF24FC9375024E4D02AC9

    Located: HK_LM:Run, VTTimer (DISABLED)
    command: VTTimer.exe
    file: C:\WINDOWS\system32\VTTimer.exe
    size: 53248
    MD5: 09F1A97848BFAB3F36EB216681465B85

    Located: HK_CU:Run, MSMSGS
    where: S-1-5-21-4245448509-3298122358-4095065038-1009...
    command: "C:\Program Files\Messenger\msmsgs.exe" /background
    file: C:\Program Files\Messenger\msmsgs.exe
    size: 1694208
    MD5: 74E6E96C6F0E2ECA4EDBB7F7A468F259

    Located: HK_CU:Run, ResChanger2004
    where: S-1-5-21-4245448509-3298122358-4095065038-1009...
    command: C:\Program Files\eVGA\ResChanger2004\ResChanger2004.exe
    file: C:\Program Files\eVGA\ResChanger2004\ResChanger2004.exe
    size: 882688
    MD5: 5F01B6722BF4EFF2825BD1D12DB6AFC6

    Located: HK_CU:Run, SpybotSD TeaTimer
    where: S-1-5-21-4245448509-3298122358-4095065038-1009...
    command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    size: 1460560
    MD5: B7D4586BFC0DD6C3BE7DCCC252A3E97E

    Located: HK_CU:Run, Aim6 (DISABLED)
    where: S-1-5-21-4245448509-3298122358-4095065038-1009...
    command: "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    file:
    size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
    Warning: if the file is actually larger than 0 bytes,
    the checksum could not be properly calculated!

    Located: Startup (common), Adobe Reader Speed Launch.lnk
    where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
    command: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    file: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    size: 29696
    MD5: DEB88AEF013DD1EEFB462D7CAD642166

    Located: Startup (common), Device Detector 3.lnk (DISABLED)
    where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
    command: C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    file: C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    size: 118784
    MD5: 90E0700BD59A4A9780243F986B25FFAA

    Located: Startup (common), HotSync Manager.lnk
    where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
    command: C:\Program Files\palmOne\Hotsync.exe
    file: C:\Program Files\palmOne\Hotsync.exe
    size: 471040
    MD5: F8FB2CA91F25D3EAA2CAE2F0B55FEC54

    Located: Startup (user), palmOne Registration.lnk (DISABLED)
    where: C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup...
    command: C:\Program Files\palmOne\register.exe
    file: C:\Program Files\palmOne\register.exe
    size: 2301952
    MD5: D2E6E6DE236C2C3D1C8D929776BDD8A9

    Located: Startup (disabled), Microsoft Office (DISABLED)
    command: C:\PROGRA~1\MI1933~1\Office\OSA9.EXE -b -l
    file: C:\PROGRA~1\MI1933~1\Office\OSA9.EXE
    size: 65588
    MD5: F51F9E10D937A8EDD58D2D456FF49468

    Located: WinLogon, crypt32chain
    command: crypt32.dll
    file: crypt32.dll
    size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
    Warning: if the file is actually larger than 0 bytes,
    the checksum could not be properly calculated!

    Located: WinLogon, cryptnet
    command: cryptnet.dll
    file: cryptnet.dll
    size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
    Warning: if the file is actually larger than 0 bytes,
    the checksum could not be properly calculated!

    Located: WinLogon, cscdll
    command: cscdll.dll
    file: cscdll.dll
    size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
    Warning: if the file is actually larger than 0 bytes,
    the checksum could not be properly calculated!

    Located: WinLogon, ScCertProp
    command: wlnotify.dll
    file: wlnotify.dll
    size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
    Warning: if the file is actually larger than 0 bytes,
    the checksum could not be properly calculated!

    Located: WinLogon, Schedule
    command: wlnotify.dll
    file: wlnotify.dll
    size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
    Warning: if the file is actually larger than 0 bytes,
    the checksum could not be properly calculated!

    Located: WinLogon, sclgntfy
    command: sclgntfy.dll
    file: sclgntfy.dll
    size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
    Warning: if the file is actually larger than 0 bytes,
    the checksum could not be properly calculated!

    Located: WinLogon, SensLogn
    command: WlNotify.dll
    file: WlNotify.dll
    size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
    Warning: if the file is actually larger than 0 bytes,
    the checksum could not be properly calculated!

    Located: WinLogon, termsrv
    command: wlnotify.dll
    file: wlnotify.dll
    size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
    Warning: if the file is actually larger than 0 bytes,
    the checksum could not be properly calculated!

    Located: WinLogon, wlballoon
    command: wlnotify.dll
    file: wlnotify.dll
    size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
    Warning: if the file is actually larger than 0 bytes,
    the checksum could not be properly calculated!

    Located: WinLogon, awtqq
    command: C:\WINDOWS\system32\awtqq.dll
    file: C:\WINDOWS\system32\awtqq.dll
    size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
    Warning: if the file is actually larger than 0 bytes,
    the checksum could not be properly calculated!

    Located: WinLogon, opnmkii
    command: opnmkii.dll
    file: opnmkii.dll
    size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
    Warning: if the file is actually larger than 0 bytes,
    the checksum could not be properly calculated!

    Located: WinLogon, pmnlk
    command: C:\WINDOWS\system32\pmnlk.dll
    file: C:\WINDOWS\system32\pmnlk.dll
    size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
    Warning: if the file is actually larger than 0 bytes,
    the checksum could not be properly calculated!

    (Oh, for the simple days of DOS.......)

    Tom
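
One way to triage a startup report like the one in the post above, added here as an example (it is not part of the thread or of Spybot): the value `D41D8CD98F00B204E9800998ECF8427E` is the MD5 of empty input, so it only shows that the file was not read, and the entries worth a closer look are the WinLogon names outside the stock Windows set. The function names, the stock-name list and the shortened sample are assumptions made for this sketch.

```python
import hashlib

EMPTY_MD5 = hashlib.md5(b"").hexdigest().upper()  # MD5 of zero bytes
# Assumption: notify names that ship with Windows XP (all appear in the report).
STOCK_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}
# Constructed sample: three entries shortened from the report in the thread.
SAMPLE = r"""
Located: HK_LM:Run, ccApp
file: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
size: 115816
MD5: 25BE770865658CB79100117112819A7C

Located: WinLogon, cryptnet
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, awtqq
file: C:\WINDOWS\system32\awtqq.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
"""

def parse_entries(report):
    entries = []
    for block in report.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.strip().partition(":")
            if sep and key in ("Located", "file", "size", "MD5"):
                fields[key] = value.strip()  # warning lines are skipped
        location, _, name = fields.get("Located", "").partition(",")
        if name:
            fields["location"] = location.strip()
            fields["name"] = name.replace("(DISABLED)", "").strip()
            entries.append(fields)
    return entries

def triage(entries):
    result = {}
    for e in entries:
        unread = e.get("size") == "0" or e.get("MD5") == EMPTY_MD5
        odd = e["location"] == "WinLogon" and e["name"].lower() not in STOCK_NOTIFY
        # Non-stock notify name: review. Empty-input hash: file was never read.
        result[e["name"]] = "review" if odd else "unverified" if unread else "hashed"
    return result
```

An entry marked `review` still needs the check the thread goes on to make: whether the DLL exists on disk and whether the registry value comes back after removal.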

  5. #25
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    Can you find/delete these files?

    C:\Windows\System32\awtqq.dll
    opnmkii.dll
    C:\Windows\System32\pmnlk.dll
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  6. #26
    Junior Member
    Join Date
    Oct 2007
    Posts
    22

    Default

    Hi Shaba,

    When I search for them I don't find anything, other than:

    c:\documents and settings\all users\application data\spybot - search and destroy\recovery\virtumonde9.zip

    The date on this file is 8/25/07.

    Thanks,
    Tom

  7. #27
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    That's the backup folder for Spybot.

    Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

    How to see hidden files in Windows

    And try again, please
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  8. #28
    Junior Member
    Join Date
    Oct 2007
    Posts
    22

    Default

    Hi Shaba,

    --Under the Hidden files and folders heading select Show hidden files and folders.

    --Uncheck the Hide protected operating system files (recommended) option.

    That's how it was set. I double checked and searched again, but other than the one occurrence in the backup folder they don't appear.

    But whenever I delete those lines from startup they reappear, and if I uncheck them the check is restored.

    Thanks,
    Tom

  9. #29
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    Well then that's likely a Spybot bug, as those files don't seem to exist.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  10. #30
    Junior Member
    Join Date
    Oct 2007
    Posts
    22

    Default

    Hello Shaba,

    "spybot bug " All bugs should be so benign!

    Well, it's been running with no apparent problems. S&D only picks up a few tracking cookies, as does Norton.

    Lazarus appears to have risen; do we call it a cure or is there anything more to be done?

    Thanks,
    Tom
