PDA

View Full Version : Virtumonde, darn it.



cowboyblob
2008-02-07, 18:31
:sick: SpyBot found Virtumonde on the computer this week after McAfee found and quarantined at batch of other nasties (I've quarantined my roommate from the computer too). Thanx in advanx for any help you can give.

The HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:08:37 AM, on 2/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOW4\System32\smss.exe
C:\WINDOW4\system32\winlogon.exe
C:\WINDOW4\system32\services.exe
C:\WINDOW4\system32\lsass.exe
C:\WINDOW4\system32\svchost.exe
C:\WINDOW4\System32\svchost.exe
C:\WINDOW4\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOW4\Explorer.EXE
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOW4\System32\nvsvc32.exe
C:\WINDOW4\System32\svchost.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOW4\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOW4\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcvsshld.exe
C:\Documents and Settings\Bob\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
F2 - REG:system.ini: UserInit=C:\WINDOW4\system32\userinit.exe,C:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {32F04130-62A7-4CB6-85AB-B704F7DA64C0} - C:\WINDOW4\system32\pmkji.dll (file missing)
O2 - BHO: (no name) - {4A935E6E-77FC-4EF0-B75C-7410FEF546D8} - C:\WINDOW4\system32\vtsqn.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: {fec79b6e-cf7b-736b-4c94-ab5df65828cc} - {cc82856f-d5ba-49c4-b637-b7fce6b97cef} - C:\WINDOW4\system32\klvmunlf.dll
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [784b1640] rundll32.exe "C:\WINDOW4\system32\sdlbqroq.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOW4\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2007\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2007\\Wizard.html
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2007\\Parser.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOW4\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOW4\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: v2cab - http://18227.searchmiracle.com/cab/v2cab.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159234587265
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159234506171
O17 - HKLM\System\CCS\Services\Tcpip\..\{38D382FA-8E5E-462C-A155-D24178CAFACA}: NameServer = 207.69.188.187 207.69.188.186
O17 - HKLM\System\CS1\Services\Tcpip\..\{38D382FA-8E5E-462C-A155-D24178CAFACA}: NameServer = 207.69.188.187 207.69.188.186
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Unknown owner - C:\WINDOWS\System32\mnmsrvc.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOW4\System32\nvsvc32.exe
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)

--
End of file - 6734 bytes

ken545
2008-02-08, 17:06
Hello cowboyblob

Welcome to Safer Networking.

Please read Before YouPost (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.


C:\WINDOW4 <-- I wonder if you can tell me why you have a window4 folder and not windows folder??


You are indeed infected with the Vundo Trojan, along with other malware we need to fix.



Disable the TeaTimer, you can re enable it when were done if you wish

Run Spybot-S&D in Advanced Mode.
If it is not already set to do this Go to the Mode menu select "Advanced Mode"
On the left hand side, Click on Tools
Then click on the Resident Icon in the List
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer. <-- Important




Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

O2 - BHO: (no name) - {32F04130-62A7-4CB6-85AB-B704F7DA64C0} - C:\WINDOW4\system32\pmkji.dll (file missing)
O2 - BHO: (no name) - {4A935E6E-77FC-4EF0-B75C-7410FEF546D8} - C:\WINDOW4\system32\vtsqn.dll (file missing)
O2 - BHO: {fec79b6e-cf7b-736b-4c94-ab5df65828cc} - {cc82856f-d5ba-49c4-b637-b7fce6b97cef} - C:\WINDOW4\system32\klvmunlf.dll

O4 - HKLM\..\Run: [784b1640] rundll32.exe "C:\WINDOW4\system32\sdlbqroq.dll",b
O4 - Startup: PowerReg Scheduler.exe

O16 - DPF: v2cab - http://18227.searchmiracle.com/cab/v2cab.cab




Download VundoFix (http://www.atribune.org/ccount/click.php?id=4 ) to your desktop

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.





Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) or Here (http://subs.geekstogo.com/ComboFix.exe) to your Desktop.

In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.


1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re enable the protection again afterwards before connecting to the net



2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.

IF you have not already done so Combofix will disconnect your machine from the Internet when it starts.
If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.


3. Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review


Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze.



I need to see the Vundofix log, the Combfix log and a New HJT log please

cowboyblob
2008-02-08, 20:38
VundoFix V6.4.1

Checking Java version...

Scan started at 12:39:45 AM 6/1/2007

Listing files found while scanning....

C:\WINDOW4\SYSTEM32\nqstv.bak1
C:\WINDOW4\system32\nqstv.ini
C:\WINDOW4\SYSTEM32\opnkijg.dll
C:\WINDOW4\system32\vtsqn.dll

Beginning removal...

Attempting to delete C:\WINDOW4\SYSTEM32\nqstv.bak1
C:\WINDOW4\SYSTEM32\nqstv.bak1 Has been deleted!

Attempting to delete C:\WINDOW4\system32\nqstv.ini
C:\WINDOW4\system32\nqstv.ini Has been deleted!

Attempting to delete C:\WINDOW4\SYSTEM32\opnkijg.dll
C:\WINDOW4\SYSTEM32\opnkijg.dll Could not be deleted.

Attempting to delete C:\WINDOW4\system32\vtsqn.dll
C:\WINDOW4\system32\vtsqn.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOW4\SYSTEM32\opnkijg.dll
C:\WINDOW4\SYSTEM32\opnkijg.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.4.1

Checking Java version...

Scan started at 12:56:49 AM 6/1/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.4.1

Checking Java version...

Scan started at 7:12:02 AM 6/2/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.4.1

Checking Java version...

Scan started at 11:20:06 AM 6/2/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.4.1

Checking Java version...

Scan started at 10:39:15 AM 6/3/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.4.1

Checking Java version...

Scan started at 8:46:30 PM 6/4/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.4.1

Checking Java version...

Scan started at 5:42:27 AM 6/8/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.4.1

Checking Java version...

Scan started at 7:11:42 PM 2/6/2008

Listing files found while scanning....

No infected files were found.


VundoFix V6.7.8

Checking Java version...

Scan started at 9:59:49 AM 2/8/2008

Listing files found while scanning....

C:\WINDOW4\SYSTEM32\DivX.dll
C:\WINDOW4\SYSTEM32\qorqblds.ini
C:\WINDOW4\SYSTEM32\sdlbqroq.dll

Beginning removal...

Attempting to delete C:\WINDOW4\SYSTEM32\DivX.dll
C:\WINDOW4\SYSTEM32\DivX.dll Has been deleted!

Attempting to delete C:\WINDOW4\SYSTEM32\qorqblds.ini
C:\WINDOW4\SYSTEM32\qorqblds.ini Has been deleted!

Attempting to delete C:\WINDOW4\SYSTEM32\sdlbqroq.dll
C:\WINDOW4\SYSTEM32\sdlbqroq.dll Has been deleted!

Performing Repairs to the registry.
Done!
============================================

ComboFix 08-02.05.3 - Bob 2008-02-08 10:34:59.1 - NTFSx86
Running from: C:\Documents and Settings\Bob\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOW4\SYSTEM32\ijkmp.ini
C:\window4\SYSTEM32\ijkmp.ini2
C:\WINDOW4\system32\pac.txt

.
((((((((((((((((((((((((( Files Created from 2008-01-08 to 2008-02-08 )))))))))))))))))))))))))))))))
.

2008-02-08 10:19 . 2008-02-08 10:19 24,576 --a------ C:\window4\SYSTEM32\VundoFixSVC.exe
2008-02-06 14:37 . 2008-02-06 13:34 691,545 --a------ C:\window4\unins000.exe
2008-02-06 14:37 . 2008-02-06 14:37 3,441 --a------ C:\window4\unins000.dat
2008-02-06 12:53 . 2008-02-06 12:54 <DIR> d-------- C:\window4\SYSTEM32\nGpxx01
2008-02-06 12:53 . 2008-02-06 12:53 <DIR> d-------- C:\temp\isgTi19

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-06 22:13 --------- d-----w C:\Program Files\DOSBox-0.72
2008-02-06 22:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-06 21:58 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-01-18 22:30 --------- d-----w C:\Program Files\McAfee
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"ctfmon.exe"="C:\WINDOW4\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"LeechGet"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 17:47 204800]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 20:05 323584]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 02:33 582992]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-06 06:07:03 C:\WINDOW4\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-15 08:00:00 C:\WINDOW4\Tasks\McDefragTask.job"
- C:\WINDOW4\system32\defrag.exe
"2008-02-01 08:00:00 C:\WINDOW4\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe.4158 0
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-08 10:41:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOW4\System32\nvsvc32.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-02-08 10:46:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-08 17:46:02
.
2008-02-08 06:01:05 --- E O F ---

============================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:17:36 AM, on 2/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOW4\System32\smss.exe
C:\WINDOW4\system32\winlogon.exe
C:\WINDOW4\system32\services.exe
C:\WINDOW4\system32\lsass.exe
C:\WINDOW4\system32\svchost.exe
C:\WINDOW4\System32\svchost.exe
C:\WINDOW4\system32\spoolsv.exe
C:\WINDOW4\Explorer.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOW4\System32\nvsvc32.exe
C:\WINDOW4\System32\svchost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOW4\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOW4\system32\notepad.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Bob\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {32F04130-62A7-4CB6-85AB-B704F7DA64C0} - (no file)
O2 - BHO: (no name) - {4A935E6E-77FC-4EF0-B75C-7410FEF546D8} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: (no name) - {cc82856f-d5ba-49c4-b637-b7fce6b97cef} - (no file)
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOW4\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2007\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2007\\Wizard.html
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2007\\Parser.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOW4\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOW4\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: v2cab -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159234587265
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159234506171
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Unknown owner - C:\WINDOWS\System32\mnmsrvc.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOW4\System32\nvsvc32.exe
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)

--
End of file - 5849 bytes
===========================================
I think that did it!
FYI, the WINDOW4 thing happened a couple years ago when I got the BSOD due to a corrupted DLL file. Somebody talked me through the fix which rendered my desktop and all my files invisible (probably something I did wrong). :alien: Finally fixed it but ended up with four boots, the 4th of which worked. :cowboy:

ken545
2008-02-08, 22:26
Things are looking better :bigthumb:

You did not disable the TeaTimer so these did not go. Remove them again, there bad and then check your HJT log yourself to see if there gone.

O2 - BHO: (no name) - {32F04130-62A7-4CB6-85AB-B704F7DA64C0} - (no file)
O2 - BHO: (no name) - {4A935E6E-77FC-4EF0-B75C-7410FEF546D8} - (no file)
O2 - BHO: (no name) - {cc82856f-d5ba-49c4-b637-b7fce6b97cef} - (no file)

O16 - DPF: v2cab -




What I would do at this point is download and run the Free Version of Super Anti Spyware, it will get any leftover entries that are not seen.

Please download SuperAntiSpyware (http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE)
Install the program

Run SuperAntiSpyware and click: Check for updates
Once the update is finished, on the main screen, click: Scan your computer
Check: Perform Complete Scan
Click Next to start the scan.

Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next
Then, click Finish

It is possible that the program asks to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click: Preferences
Click the Statistics/Logs tab
Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)

Please provide the SuperAntiSpyware log in your reply, as well as a new HijackThis log.

Post the report along with a new HJT log and this should hopefully do it.

cowboyblob
2008-02-09, 03:24
I had no prompts to OK after unchecking TeaTimer resident, but I did see that the Process disappeared that first time. Same thing the second time, but it killed the BHOs instead of just the files.

:cowboy:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:43:03 PM, on 2/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOW4\System32\smss.exe
C:\WINDOW4\system32\winlogon.exe
C:\WINDOW4\system32\services.exe
C:\WINDOW4\system32\lsass.exe
C:\WINDOW4\system32\svchost.exe
C:\WINDOW4\System32\svchost.exe
C:\WINDOW4\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\WINDOW4\Explorer.EXE
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOW4\System32\nvsvc32.exe
C:\WINDOW4\System32\svchost.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOW4\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOW4\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Bob\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOW4\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2007\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2007\\Wizard.html
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2007\\Parser.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOW4\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOW4\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159234587265
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159234506171
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Unknown owner - C:\WINDOWS\System32\mnmsrvc.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOW4\System32\nvsvc32.exe
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)

--
End of file - 5426 bytes
=========================================

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/08/2008 at 06:05 PM

Application Version : 3.9.1008

Core Rules Database Version : 3398
Trace Rules Database Version: 1390

Scan type : Complete Scan
Total Scan Time : 01:06:32

Memory items scanned : 409
Memory threats detected : 0
Registry items scanned : 4785
Registry threats detected : 0
File items scanned : 79024
File threats detected : 115

Adware.Tracking Cookie
C:\Documents and Settings\Bob\Cookies\bob@freeadultgames[1].txt
C:\Documents and Settings\Bob\Cookies\bob@web4.realtracker[1].txt
C:\Documents and Settings\Bob\Cookies\bob@serviceswitching[1].txt
C:\Documents and Settings\Bob\Cookies\bob@image.masterstats[1].txt
C:\Documents and Settings\Bob\Cookies\bob@revsci[1].txt
C:\Documents and Settings\Bob\Cookies\bob@edge.ru4[1].txt
C:\Documents and Settings\Bob\Cookies\bob@toplist[1].txt
C:\Documents and Settings\Bob\Cookies\bob@adinterax[2].txt
C:\Documents and Settings\Bob\Cookies\bob@ads.pointroll[1].txt
C:\Documents and Settings\Bob\Cookies\bob@adopt.specificclick[1].txt
C:\Documents and Settings\Bob\Cookies\bob@ads.guardian.co[2].txt
C:\Documents and Settings\Bob\Cookies\bob@realmedia[1].txt
C:\Documents and Settings\Bob\Cookies\bob@c2.gostats[1].txt
C:\Documents and Settings\Bob\Cookies\bob@revenue[1].txt
C:\Documents and Settings\Bob\Cookies\bob@adopt.euroclick[2].txt
C:\Documents and Settings\Bob\Cookies\bob@list[1].txt
C:\Documents and Settings\Bob\Cookies\bob@anat.tacoda[1].txt
C:\Documents and Settings\Bob\Cookies\bob@ad.reunion[1].txt
C:\Documents and Settings\Bob\Cookies\bob@ad-indicator[1].txt
C:\Documents and Settings\Bob\Cookies\bob@gostats[2].txt
C:\Documents and Settings\Bob\Cookies\bob@c3.gostats[2].txt
C:\Documents and Settings\Bob\Cookies\bob@stat.onestat[2].txt
C:\Documents and Settings\Bob\Cookies\bob@web-stat[1].txt
C:\Documents and Settings\Bob\Cookies\bob@ad.hankooki[2].txt
C:\Documents and Settings\Bob\Cookies\bob@www.precisioncounter[2].txt
C:\Documents and Settings\Bob\Cookies\bob@anad.tacoda[2].txt
C:\Documents and Settings\Bob\Cookies\bob@webstat[1].txt
C:\Documents and Settings\Bob\Cookies\bob@rightmedia[1].txt
C:\Documents and Settings\Bob\Cookies\bob@rambler[1].txt
C:\Documents and Settings\Bob\Cookies\bob@ads.vnuemedia[1].txt
C:\Documents and Settings\Bob\Cookies\bob@clkhype.adbureau[1].txt
C:\Documents and Settings\Bob\Cookies\bob@birta.stats[2].txt
C:\Documents and Settings\Bob\Cookies\bob@adtech[2].txt
C:\Documents and Settings\Bob\Cookies\bob@atwola[1].txt
C:\Documents and Settings\Bob\Cookies\bob@ads.adbrite[1].txt
C:\Documents and Settings\Bob\Cookies\bob@citi.bridgetrack[1].txt
C:\Documents and Settings\Bob\Cookies\bob@clicksor[2].txt
C:\Documents and Settings\Bob\Cookies\bob@perfettomedia[2].txt
C:\Documents and Settings\Bob\Cookies\bob@server.iad.liveperson[2].txt
C:\Documents and Settings\Bob\Cookies\bob@ads.as4x.tmcs[1].txt
C:\Documents and Settings\Bob\Cookies\bob@www.peoplefinders[1].txt
C:\Documents and Settings\Bob\Cookies\bob@richmedia.yahoo[2].txt
C:\Documents and Settings\Bob\Cookies\bob@2[2].txt
C:\Documents and Settings\Bob\Cookies\bob@LPearthlink2[2].txt
C:\Documents and Settings\Bob\Cookies\bob@sales.liveperson[1].txt
C:\Documents and Settings\Bob\Cookies\bob@banners.guns[1].txt
C:\Documents and Settings\Bob\Cookies\bob@yadro[1].txt
C:\Documents and Settings\Bob\Cookies\bob@adlegend[1].txt
C:\Documents and Settings\Bob\Cookies\bob@partners.webmasterplan[1].txt
C:\Documents and Settings\Bob\Cookies\bob@stats.klsoft[1].txt
C:\Documents and Settings\Bob\Cookies\bob@reunion.adbureau[2].txt
C:\Documents and Settings\Bob\Cookies\bob@www.w5awarez[2].txt
C:\Documents and Settings\Bob\Cookies\bob@0[2].txt
C:\Documents and Settings\Bob\Cookies\bob@cgi-bin[4].txt
C:\Documents and Settings\Bob\Cookies\bob@adserver.news.com[2].txt
C:\Documents and Settings\Bob\Cookies\bob@chat[2].txt
C:\Documents and Settings\Bob\Cookies\bob@maxserving[1].txt
C:\Documents and Settings\Bob\Cookies\bob@html[2].txt
C:\Documents and Settings\Bob\Cookies\bob@cgi-bin[7].txt
C:\Documents and Settings\Bob\Cookies\bob@adbrite[1].txt
C:\Documents and Settings\Bob\Cookies\bob@78221172[2].txt
C:\Documents and Settings\Bob\Cookies\bob@cgi-bin[3].txt
C:\Documents and Settings\Bob\Cookies\bob@ads.belointeractive[1].txt
C:\Documents and Settings\Bob\Cookies\bob@komtrack[2].txt
C:\Documents and Settings\Bob\Cookies\bob@483[2].txt
C:\Documents and Settings\Bob\Cookies\bob@ads.mediaturf[2].txt
C:\Documents and Settings\Bob\Cookies\bob@partner2profit[1].txt
C:\Documents and Settings\Bob\Cookies\bob@a.as-us.falkag[2].txt
C:\Documents and Settings\Bob\Cookies\bob@as-us.falkag[1].txt
C:\Documents and Settings\Bob\Cookies\bob@sexyfuckgames[1].txt
C:\Documents and Settings\Bob\Cookies\bob@media.perfettomedia[2].txt
C:\Documents and Settings\Bob\Cookies\bob@ads.flooble[2].txt
C:\Documents and Settings\Bob\Cookies\bob@stat.dealtime[2].txt
C:\Documents and Settings\Bob\Cookies\bob@ads.thestar[1].txt
C:\Documents and Settings\Bob\Cookies\bob@mt.valueclick[1].txt
C:\Documents and Settings\Bob\Cookies\bob@MT[1].txt
C:\Documents and Settings\Bob\Cookies\bob@www.japansexav[1].txt
C:\Documents and Settings\Bob\Cookies\bob@adknowledge[2].txt
C:\Documents and Settings\Bob\Cookies\bob@valueclick[1].txt
C:\Documents and Settings\Bob\Cookies\bob@w5awarez[2].txt
C:\Documents and Settings\Bob\Cookies\bob@ar.atwola[1].txt
C:\Documents and Settings\Bob\Cookies\bob@a[1].txt
C:\Documents and Settings\Bob\Cookies\bob@bannerspace[2].txt
C:\Documents and Settings\Bob\Cookies\bob@ad.iskon[1].txt
C:\Documents and Settings\Bob\Cookies\bob@ad1.dmcmedia.co[1].txt
C:\Documents and Settings\Bob\Cookies\bob@www.123stat[2].txt
C:\Documents and Settings\Bob\Cookies\bob@weborama[1].txt
C:\Documents and Settings\Bob\Cookies\bob@cgi-bin[8].txt
C:\Documents and Settings\Bob\Cookies\bob@tracking.foxnews[1].txt
C:\Documents and Settings\Bob\Cookies\bob@virtualbartendertrack.beer[1].txt
C:\Documents and Settings\Bob\Cookies\bob@paycounter[1].txt
C:\Documents and Settings\Bob\Cookies\bob@superstats[2].txt
C:\Documents and Settings\Bob\Cookies\bob@mediamgr.ugo[2].txt
C:\Documents and Settings\Bob\Cookies\bob@ads.whizardries[2].txt
C:\Documents and Settings\Bob\Cookies\bob@ads.mediaiprom[2].txt
C:\Documents and Settings\Bob\Cookies\bob@xiti[1].txt
C:\Documents and Settings\Bob\Cookies\bob@cpvfeed[2].txt
C:\Documents and Settings\Bob\Cookies\bob@cgi-bin[1].txt
C:\Documents and Settings\Bob\Cookies\bob@chat[3].txt
C:\Documents and Settings\Bob\Cookies\bob@ads.itv[1].txt
C:\Documents and Settings\Bob\Cookies\bob@server3.web-stat[2].txt
C:\Documents and Settings\Bob\Cookies\bob@501[1].txt
C:\Documents and Settings\Bob\Cookies\bob@emarketmakers[2].txt
C:\Documents and Settings\Bob\Cookies\bob@LPneimanmarcus[2].txt
C:\Documents and Settings\Bob\Cookies\bob@blp.valueclick[1].txt
C:\Documents and Settings\Bob\Cookies\bob@realmedia.co[1].txt
C:\Documents and Settings\Bob\Cookies\bob@tacoda[1].txt
C:\Documents and Settings\Bob\Cookies\bob@ads.addynamix[1].txt
C:\Documents and Settings\Bob\Cookies\bob@nac.nasmedia.co[2].txt
C:\Documents and Settings\Bob\Cookies\bob@creativeby.viewpoint[2].txt
C:\Documents and Settings\Bob\Cookies\bob@okcounter[1].txt

Adware.Vundo-Variant/Small-A
C:\DOCUMENTS AND SETTINGS\BOB\DESKTOP\BACKUPS\BACKUP-20080208-095749-110.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP626\A0036596.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP626\A0036600.DLL

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP611\A0036426.DLL

ken545
2008-02-09, 04:47
Hello,

Thanks for returning the logs, your HJT log looks fine :bigthumb:

Not sure what program saved this backup but it has part of the Vundo infection and if you restore the backup you can get whacked again , I would remove the backup in Red
C:\DOCUMENTS AND SETTINGS\BOB\DESKTOP\BACKUPS\BACKUP-20080208-095749-110.DLL

SAS also found some Vundo entries in your System Restore Program, you can flush it out this way so you won't take the chance of infecting your self again.

System Restore makes regular backups of all your settings, if you ever had to use this program to restore your system to a previous date, you will be infected all over again so we need to clean out the previous Restore Points

Turn off System Restore.


Right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore on all Drives.
Click Apply, and then click OK.



Reboot your computer


Turn ON System Restore.


Right-click My Computer.
ClickProperties.
Click the System Restore tab.
UN-Check Turn off System Restore on all Drives.
Click Apply, and then click OK.



Create a new Restore Point <-- Very Important


Go to Start/ Control Panel/ Performance and Maintenance/ System Restore/ Create a New Restore Point
You need to go into the Control Panel and switch to Catagory View to be able to Create a New Restore Point

System Restore Tutorial (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- If you need it


How do you feel your system is running now ??

cowboyblob
2008-02-09, 05:38
It put the Backup Folder on my Desktop, so I Trashcanned it and emptied the bin. Thank you for the help! :cowboy:

ken545
2008-02-09, 05:44
Thats great, glad things are better :bigthumb:


Malware Complaints (http://malwarecomplaints.info/index.php)
Are you mad ? I mean really mad, seething mad, so mad your ready to spit, mad that you have taken your hard earned dollars to buy a computer only to have some Miscredents, Dirt Bags and Cyber Criminals install a malicious program on your computer without your knowledge or consent. You can post your complaint at the above site. If you live in the U.S.A. you can also report your grievance to your State Attorney Generals Office and the Federal Trade Commission's Bureau of Consumer Protection.


How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)



Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster, you can still install Spybot Search and Destroy but do not enable the TeaTimer in Spybot.

Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community

Spybot Search and Destroy 1.5 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 2.0.0.12 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.




Glad we could help

Safe Surfn
Ken