
Thread: HIJACKTHIS log attached - Recently attacked by Trojan.Dropper.. run

  1. #21
    Junior Member
    Join Date
    Sep 2006
    Posts
    19


    Well after running HJT and a few other "scanners" I've used in this thread.. the computer runs very slowly.. ie: it takes 2 seconds to write to the drive when I change a value in a table in MS SQL 2005.

    But rebooting fixed this problem - the computer's at normal speed now. No popup whatsoever other than the strange "Make sure your language is set in IE" popups (about 5 of them) or something of that effect, but I think that is because I left an IE window open at gmail.com while disabling wireless networking overnight and the Gmail page was trying to "call home" or something like that. The dialog popups do not look suspicious to me.

    I will go home lunchtime to see if there are any further popups.. I disabled wireless networking again but this time no IE windows are open.. so I'll see if I'm still getting those strange dialog windows that I saw before, but I'm confident that everything's running ok now.

  2. #22
    Junior Member
    Join Date
    Sep 2006
    Posts
    19


    Good news, I can confirm that there are no further popups.. so those earlier popups I saw today are probably from IE with Gmail page open but offline from the networking.

    Many thanks for your help in getting me out of this mess.. one of many

  3. #23
    Security Expert-Emeritus Rawe's Avatar
    Join Date
    Mar 2006
    Location
    Finland
    Posts
    393


    You're welcome

    Please read here how to clear old restore points and create a new one.

    Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!

    The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

    Here are some tips for the future to prevent spyware:

    Detect and Remove Programs:
    • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
    • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
    Prevention Programs:
    • Spywareblaster <= SpywareBlaster will prevent spyware from being installed. (My favourite)
    • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
    Other necessary Programs:
    • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have. (Note: only use 1 at a time)
    • Firewall <= A firewall is definitely a must have. Two good free versions are Kerio Personal Firewall and ZoneLabs. (Note: only use 1 at a time)
    • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox.
    And also see TonyKlein's good advice;
    So how did I get infected in the first place?
    Hi there, stranger!

    Proud Member of ASAP since 2005.

  4. #24
    Junior Member
    Join Date
    Sep 2006
    Posts
    19


    Sure - I'll be happy to give my story about my experience w/malware -

    Do you know what I've been attacked with?

    My Norton AV shows the following:
    Trojan.Cmapp
    Trojan.Popper
    Downloader
    Trojan Dropper
    Trojan.Adclicker
    Trojan.Elitebar
    Bloodhound Morphine

    Anything else I can add to this list before I give my story?

  5. #25
    Security Expert-Emeritus Rawe's Avatar
    Join Date
    Mar 2006
    Location
    Finland
    Posts
    393


    Quote: Originally Posted by cflannagan
    Sure - I'll be happy to give my story about my experience w/malware -

    Do you know what I've been attacked with?

    My Norton AV shows the following:
    Trojan.Cmapp
    Trojan.Popper
    Downloader
    Trojan Dropper
    Trojan.Adclicker
    Trojan.Elitebar
    Bloodhound Morphine

    Anything else I can add to this list before I give my story?

    You also had Adware Look2Me, PurityScan as well as SurfSideKick. It's a safe bet to go with them; the others are a bit more random and not so clearly recognized
    Hi there, stranger!

    Proud Member of ASAP since 2005.

  6. #26
    Junior Member
    Join Date
    Sep 2006
    Posts
    19


    One more thing I need to ask you (no, no new attack here thank god! )

    How do I remove a number of those bad entries from the "Startup" tab in MSCONFIG - files that no longer exist? (see attached image)



    Thanks again

  7. #27
    Security Expert-Emeritus Rawe's Avatar
    Join Date
    Mar 2006
    Location
    Finland
    Posts
    393


    I need to see the entire thing to make you a regfix..

    Post more screenshots, the others from the Location part (it got cut off) + all the startup items.
    Hi there, stranger!

    Proud Member of ASAP since 2005.

  8. #28
    Junior Member
    Join Date
    Sep 2006
    Posts
    19


    here you go







    The 2nd part of the list (the unchecked entries).. the location is not cut off - I sized it as small as possible so you can still see the first 2 columns.

  9. #29
    Security Expert-Emeritus Rawe's Avatar
    Join Date
    Mar 2006
    Location
    Finland
    Posts
    393


    Please copy the following text in the quotebox below to a blank Notepad file. Make sure the filetype is set to "All Files" and save it as Fixit.reg to your desktop.

    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Configuration Manager]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\defender]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\eenyseaA]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Internet Optimizer]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\keyboard]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\loaddr]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\newname]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PSCloner]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\septpop06apsept]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ToolbarInstall]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^odduo.exe]

    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]

    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]

    Now double-click on the Fixit.reg on your desktop and allow it to merge with registry by clicking YES on the prompt. Reboot.

    Msconfig still listing stuff?
    Hi there, stranger!

    Proud Member of ASAP since 2005.
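
Added example (not part of the original thread and not the helper's own code): a Python check to run over a .reg file before merging it, confirming that every operation is a key deletion below the three registry locations that the Fixit.reg in post #29 touches. The `audit_reg` name and the `ExampleVendor` keys in the sample are constructed for illustration.

```python
# Added example: audit a .reg file's operations before merging it into the registry.
ALLOWED = (  # parent keys taken from the Fixit.reg in post #29
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components",
)
HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")


def audit_reg(text, allowed=ALLOWED):
    """Return (line_no, reason) findings; an empty list means every
    operation is a key deletion strictly below an allowed parent key."""
    findings = []
    body = [(n, l.strip()) for n, l in enumerate(text.splitlines(), 1) if l.strip()]
    if not body or body[0][1] not in HEADERS:
        return [(1, "missing or unknown .reg header")]
    for n, line in body[1:]:
        if line.startswith(";"):
            continue  # comment line
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if not key.startswith("-"):
                findings.append((n, "creates or modifies key: " + key))
                continue
            key = key[1:]
            # Registry paths are case-insensitive. Requiring a subkey below
            # the parent also flags deletion of the parent key itself.
            if not any(key.upper().startswith(p.upper() + "\\") for p in allowed):
                findings.append((n, "deletes key outside expected scope: " + key))
        else:
            findings.append((n, "value line (sets or deletes a value): " + line))
    return findings


# Constructed samples: two sections copied from post #29, then the same file
# with three constructed lines appended that a reviewer would want flagged.
PAGE_FIX = "\n".join([
    "REGEDIT4",
    "",
    r"[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\loaddr]",
    r"[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]",
])
TAMPERED = PAGE_FIX + "\n" + "\n".join([
    r"[-HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor]",
    r"[HKEY_CURRENT_USER\Software\ExampleVendor]",
    '"Setting"="1"',
])

if __name__ == "__main__":
    for finding in audit_reg(TAMPERED):
        print(finding)
```

The text is expected as an already-decoded string; a REGEDIT4 file saved from Notepad as described in the post is plain ANSI text.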

  10. #30
    Junior Member
    Join Date
    Sep 2006
    Posts
    19


    Not anymore, that did the trick.

    Computer's still running perfectly.

    Once again, thanks
