Full Version: Unwanted Pop-ups, Adware, Ie Freeze-ups
gwj5035
Hi, My name is George and I am infected!

When I go online I keep getting unwanted pop-ups. Additionally, the computer is running slow, and sometimes IE freezes, and in checking the Task Manager I get an "IE NOT RESPONDING" message. I'm running Windows XP (SP1) with IE6. Real quick as to why SP1: I upgraded to SP2 a while back and the restart would not boot Windows. Tried a lot of fixes on my own and had to start in safe mode and revert back to SP1 each time. Will try to fix that problem after I get rid of my infection.

I run with Windows XP home, IE 6.0, Avast 4.7 as my AntiVirus, and ZoneAlarm 6.5.737 as my Firewall. I installed System Mechanic7 Pro this week to try and fix my problem. Results were ok in fixing all the problems that it found but one. Could not remove (4) files that it reported as spyware/malware problems. Now the bad part. After installing SystMech7Pro I noticed that the Performance Window in Task Mgr was pegged at 100%. In checking the processes that were running there were about 21 devldr.exe files listed and total processes files in use varying from 47 to 60. My normal number of processes was 39 before I installed SystMech7Pro. I have removed SystMech7Pro and quieted down the process problem but still have the unwanted pop ups and system freezes.

I could use all the help needed to fix this problem, please.
Orange Blossom
Hello gwj5035 and welcome to BC.

Can you describe the pop-ups? What do they say? What shape, color, etc. are they?

Have you tried running your security programs in Safe Mode?

At this point, I would like you to run a scan with SUPERAntiSpyware in Safe Mode. You will, of course, install it in Normal Mode. You may want to print out these directions or copy them to notepad so you will have them available in safe mode.

Download and install SUPERAntiSpyware free found here: SUPERAntiSpyware

Be sure to click on the download button to the left, not on the free trial download on the right.

Install it and double-click the icon on your desktop to run it.
· It will ask if you want to update the program definitions, click Yes.
· Under Configuration and Preferences, click the Preferences button.
· Click the Scanning Control tab.
· Under Scanner Options make sure the following are checked:
  1. Close browsers before scanning
  2. Scan for tracking cookies
  3. Terminate memory threats before quarantining.
o Please leave the others unchecked.
o Click the Close button to leave the control center screen.
Reboot into Safe Mode
· On the main screen, under Scan for Harmful Software click Scan your computer.
· On the left check C:\Fixed Drive.
· On the right, under Complete Scan, choose Perform Complete Scan.
· Click Next to start the scan. Please be patient while it scans your computer.
· After the scan is complete a summary box will appear. Click OK.
· Make sure everything in the white box has a check next to it, then click Next.
· It will quarantine what it found and if it asks if you want to reboot, click Yes.
Reboot into Normal Mode
· To retrieve the removal information for me please do the following:
o After reboot, double-click the SUPERAntispyware icon on your desktop.
o Click Preferences. Click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o It will open in your default text editor (such as Notepad/Wordpad).
o Please highlight everything in the notepad, then right-click and choose copy.
· Click close and close again to exit the program.

Please post the log in your next reply.

Orange Blossom
gwj5035
Hi Orange Blossom.

Thank you for the quick response to my problem. Everything you asked for went very smoothly. The copy of the "SCAN LOG" is at the end of this post. To answer your questions regarding the pop-ups this is the best I can do. Most of them are full page web sites like: EBay full page (not sure what it refers to because I have never encountered anything like it in my normal use of EBay); there are three other web pages that are regulars but I never noticed what they were related to. I participate in a photo forum that has pop-ups of its own which are mostly camera adverts and it is a strip about 1/8th of the page. When the unwanted pop-up adverts show up they are an advert other than the cameras and most of the time it is a naked woman. I am not sure what adware comes to visit me when IE freezes up and makes me shut down IE and then restart it. There have been no more than 3 times when the entire computer freezes and causes me to power down and reboot. That is the best I can do for you. If it continues I will take notes now that I know what you are looking for.

I forgot to mention about an error message I recvd. when booting up from the SuperAntiSpyware run. Message was "ERROR LOADING C:\WINNT\SYSTEM32\SYFOGYFOA.DLL". I checked the OK button and the booting continued with no more hitches. I wanted to surf my normals before I posted this note to you. Have been surfing for almost 2 hrs. with no unwanted spyware/malware pages showing up. If this problem of mine is gone all I can say is THANK YOU for all your help.



SUPERAntiSpyware Scan Log http://www.superantispyware.com

Generated 02/29/2008 at 05:41 PM

Application Version : 4.0.1152

Core Rules Database Version : 3412
Trace Rules Database Version: 1404

Scan type : Complete Scan
Total Scan Time : 04:28:43

Memory items scanned : 183
Memory threats detected : 2
Registry items scanned : 6340
Registry threats detected : 17
File items scanned : 159035
File threats detected : 72

Adware.Vundo-Variant/PolyMorph-A
C:\WINNT\SYSTEM32\NNNOPPQ.DLL
C:\WINNT\SYSTEM32\NNNOPPQ.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{182C7ED7-E56D-4509-9D9B-AC49318D9895}
HKCR\CLSID\{182C7ED7-E56D-4509-9D9B-AC49318D9895}
HKCR\CLSID\{182C7ED7-E56D-4509-9D9B-AC49318D9895}\InprocServer32
HKCR\CLSID\{182C7ED7-E56D-4509-9D9B-AC49318D9895}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{182C7ED7-E56D-4509-9D9B-AC49318D9895}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\nnnoppq
C:\SYSTEM VOLUME INFORMATION\_RESTORE{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP1520\A0349140.DLL

Adware.Vundo Variant/Resident
C:\WINNT\SYSTEM32\YABXW.DLL
C:\WINNT\SYSTEM32\YABXW.DLL

Adware.Vundo-Variant/Small-A
HKLM\Software\Classes\CLSID\{fc810d86-a75e-4b13-833b-ae689c53aea4}
HKCR\CLSID\{FC810D86-A75E-4B13-833B-AE689C53AEA4}
HKCR\CLSID\{FC810D86-A75E-4B13-833B-AE689C53AEA4}\InprocServer32
HKCR\CLSID\{FC810D86-A75E-4B13-833B-AE689C53AEA4}\InprocServer32#ThreadingModel
C:\WINNT\SYSTEM32\CQWVXQSM.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fc810d86-a75e-4b13-833b-ae689c53aea4}
C:\WINNT\SYSTEM32\CROKLUXO.DLL
C:\WINNT\SYSTEM32\CYVKQWEH.DLL
C:\WINNT\SYSTEM32\MWQVSFOK.DLL
C:\WINNT\SYSTEM32\NRCYBYOH.DLL
C:\WINNT\SYSTEM32\SFOGYFOA.DLL
C:\WINNT\SYSTEM32\XBETPDCH.DLL

Adware.Vundo-Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E3CC301D-0A93-4339-B200-6BDBFDDC3BEB}
HKCR\CLSID\{E3CC301D-0A93-4339-B200-6BDBFDDC3BEB}
HKCR\CLSID\{E3CC301D-0A93-4339-B200-6BDBFDDC3BEB}\InprocServer32
HKCR\CLSID\{E3CC301D-0A93-4339-B200-6BDBFDDC3BEB}\InprocServer32#ThreadingModel
C:\SYSTEM VOLUME INFORMATION\_RESTORE{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP1520\A0349136.DLL

Adware.Tracking Cookie
C:\Documents and Settings\George\Cookies\george@oasc02.247realmedia[1].txt
C:\Documents and Settings\George\Cookies\george@anad.tacoda[1].txt
C:\Documents and Settings\George\Cookies\george@ad.yieldmanager[2].txt
C:\Documents and Settings\George\Cookies\george@atdmt[2].txt
C:\Documents and Settings\George\Cookies\george@oasc09.247realmedia[1].txt
C:\Documents and Settings\George\Cookies\george@ads.cnn[1].txt
C:\Documents and Settings\George\Cookies\george@247realmedia[2].txt
C:\Documents and Settings\George\Cookies\george@www.burstnet[1].txt
C:\Documents and Settings\George\Cookies\george@bs.serving-sys[1].txt
C:\Documents and Settings\George\Cookies\george@clickbank[1].txt
C:\Documents and Settings\George\Cookies\george@partner2profit[1].txt
C:\Documents and Settings\George\Cookies\george@specificclick[2].txt
C:\Documents and Settings\George\Cookies\george@cgi-bin[2].txt
C:\Documents and Settings\George\Cookies\george@tacoda[2].txt
C:\Documents and Settings\George\Cookies\george@mediaplex[2].txt
C:\Documents and Settings\George\Cookies\george@ad2.fotki[1].txt
C:\Documents and Settings\George\Cookies\george@serving-sys[2].txt
C:\Documents and Settings\George\Cookies\george@2o7[2].txt
C:\Documents and Settings\George\Cookies\george@advertising[1].txt
C:\Documents and Settings\George\Cookies\george@msnportal.112.2o7[1].txt
C:\Documents and Settings\George\Cookies\george@questionmarket[2].txt
C:\Documents and Settings\George\Cookies\george@adinterax[2].txt

Trojan.Unknown Origin
HKLM\Software\xpre
HKLM\Software\xpre#execount

Adware.Vundo Variant/Rel
C:\WINNT\SYSTEM32\MCRH.TMP
Orange Blossom
Hello gwj5035,

Among other things, you have a Vundo infection. Please follow the directions in this guide. If you have any questions as you go through it, please post them as a reply to this thread. When you have completed the guide, please post the Vundo log as a reply to this thread.

The message you got when booting up is caused by a left over registry key. SuperAntiSpyware removed the file referenced by that key. We can take care of the left over key later.

Orange Blossom
gwj5035
Hi Orange Blossom:

Ran the Vundo program and it found two files (amlqrqma.dll -- atmpvcn.dll) and deleted them. Now after booting I get a message that registry editing has been disabled, and that Task Manager has been disabled by the administrator when I try to use it. Still getting the error message about not being able to load the C:\WINNT\SYSTEM32 file it can't find, which you said we would take care of later. The other thing that happened is that two requests are blocked by ZoneAlarm: MRMONEY.EXE and MSICONF.EXE request to access the internet and I deny both requests. Looking forward to your next step in fixing my virus problem. While I am typing this, a pop-up just appeared.

Malware Alert!

Warning! Trojan Adware, W32.ExpDwnldr spyware detected. This Trojan allows attackers to access your computer from remote locatiions, stealing passwords, Internetnet banking and personal data. This also prompts advertising popups. This process is a security risk and should be removed from your system.

Type: Trojan Horse
System Affected Windows 98, 2000, NT4, ME, XP
Security Risk (0-5): 4
Recommendations: Click 'Yes' to get all available antispyware software

A Yes & No button at the bottom of the warning

I hit the No button and it disappeared.

Not sure if this means we still have a problem.

P.S. Just read your last post again and noticed that you asked for the log from the Vundo run. There was no log generated.
Orange Blossom
Hello gwj5035,

You will find the Vundofix log here: C:\vundofix.txt. To get there, go to My Computer. Open it, then open Local Disk. You will find the file listed in there. Open the file. It will open in Notepad. Select all --> Copy, then paste into the text screen in your reply.

Orange Blossom
boopme
Hello, after running Orange Blossom's suggestion and copying the log, follow the instructions in the BC tutorial on using SDFix. Copy/paste that log also. Instructions are in the tutorial. In case you miss it, the SDFix report will save into the SDFix folder as Report.txt.
gwj5035
Hi Orange Blossom:

The two logs that you and boopme requested:



VundoFix V6.7.10

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 2:22:02 PM 3/1/2008

Listing files found while scanning....

C:\WINNT\system32\amlqrqma.dll
C:\WINNT\system32\djsdstpu.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\amlqrqma.dll
C:\WINNT\system32\amlqrqma.dll Could not be deleted.

Attempting to delete C:\WINNT\system32\djsdstpu.dll
C:\WINNT\system32\djsdstpu.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINNT\system32\amlqrqma.dll
C:\WINNT\system32\amlqrqma.dll Has been deleted!

Performing Repairs to the registry.
Done!

****************************************

SDFix: Version 1.150

Run by George on Sun 03/02/2008 at 02:31 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINNT\SYSTEM32\ATMPVCN.DLL - Deleted
C:\WINNT\system32\msiconf.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-02 02:37:56
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

C:\Documents and Settings\George\Local Settings\Temporary Internet Files\Content.IE5\9O8J990X\search[1].: 17550 bytes hidden from API
C:\Documents and Settings\George\Local Settings\Temporary Internet Files\Content.IE5\GOBBD3Z5\ShowFolder[1].: 45615 bytes hidden from API
C:\Documents and Settings\George\Local Settings\Temporary Internet Files\Content.IE5\ORDJUMFP\ShowFolder[1].: 38988 bytes hidden from API

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 3


Remaining Services :



Authorized Application Key Export:

Remaining Files :


File Backups: - C:\SDFix\SDFix\backups\backups.zip

Finished!
boopme
Hi George, you have removed a lot of malware, how is the PC running now? Is it faster and are the popups gone?

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE)6 Update 4...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "English".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.
gwj5035
Hey boopme:

I took care of the java files and now only have one installed. I have been surfing for about 12 hours since my last fix and have not had one pop-up/spyware/trojan or malware message on the system. I also do notice a speed improvement in system operations. Once again I want to say thank you to you and Orange Blossom for all the help in ridding my system of all the problems. Now just one last thing to bring to your attention. After the computer boots to my desktop I get two messages. 1st message RUNDLL ERROR - Error loading C:\WINNT\SYSTEM32\sjlbuunf.dll and 2nd message same for the file amlqrma.dll. There doesn't seem to be any operation problem, just sort of a pain having to delete both after each boot. Thanks to both of you for all of the help and advice.
Orange Blossom
Hello gwj5035,

I'm glad things are working better for you now. The error messages you are getting are the result of the registry saying, "Load this file" and the computer saying, "It's not there." In your case, these files are deleted malware files. To resolve this, download Autoruns, search for the related entry and then delete it.
  • Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this.)
  • Open the folder and double-click on autoruns.exe to launch it.
  • Please be patient as it scans and populates the entries.
  • When done scanning, it will say Ready at the bottom.
  • Scroll through the list and look for a startup entry related to the file(s) in the error message.
  • Right-click on the entry and choose delete.
  • Reboot your computer and see if the startup error returns.

Let us know if that solves the problem for you.

Orange Blossom
boopme
Hello, things are looking good. After running Autoruns, clear out anything else with this...
Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only)
    Double-click ATF-Cleaner.exe to run the program.
    Under Main "Select Files to Delete" choose: Select All.
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
gwj5035
Hey boopme, Orange Blossom:

Did all that both of you asked me to do. No more error message "RUNDD ERROR". It seems that SuperAntiSpyware and Avast are both running in the background and monitoring the system. Do I need both? If not which one to turn off. I know this sounds like a broken record but I can't help it. The speed and everything else that has been done by the both of you to help me in getting rid of my problem has been ..... what can I say? Thanks again to both of you.
Orange Blossom
Hello gwj5035,

I'm glad we could help.

QUOTE
It seems that SuperAntiSpyware and Avast are both running in the background and monitoring the system. Do I need both?


Having both run in the background is fine as AVAST is an Anti-Virus, and SUPERAntiSpyware is an Anti-Spyware program. They look for different things. The free version of SAS will cease to run in the background after 30 days, so if you wish to turn it off now you may do so. Make sure you keep it up to date and run a scan at least once a week.
-------
There's still a couple more things:

Some of the malware may have been saved in System Restore. To prevent possible reinfection, let's flush the restore points.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Let us know when you've done that, and we'll give you some additional pointers for staying malware free. There are always new ways found to protect your computer.

Orange Blossom
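
An added example, not part of the original thread or of any tool named in it: a small Python triage of a scan log in the layout gwj5035 posted, showing why the helpers go on to delete leftover registry load points and to flush System Restore. The sample log, its GUIDs and file names are constructed, and the category names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the layout of the scan log posted in this thread:
# a detection name on its own line, then the items reported under it.
# One item is wrapped mid-GUID, as happens when a log is pasted into a forum.
SAMPLE_LOG = r"""
Adware.Example-Variant/A
C:\WINNT\SYSTEM32\EXAMPLEA.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-

0000-0000000000AA}
HKCR\CLSID\{00000000-0000-0000-0000-0000000000AA}\InprocServer32
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{00000000-0000-0000-0000-0000000000AA}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\examplea
C:\SYSTEM VOLUME INFORMATION\_RESTORE{11111111-1111-1111-1111-111111111111}\RP1\A0000001.DLL

Adware.Tracking Cookie
C:\Documents and Settings\User\Cookies\user@example-ads[1].txt
"""

# An item line is a file path or a registry path; anything else is a name.
ITEM_RE = re.compile(r"^(?:[A-Za-z]:\\|HK[A-Z_]+\\|Software\\)")

# Registry locations from which Windows loads a DLL automatically; all three
# appear in the scan log posted in this thread.
AUTOSTART_KEYS = ("\\browser helper objects\\", "\\shellexecutehooks",
                  "\\winlogon\\notify\\")


def join_wrapped(lines):
    """Rejoin an item that was wrapped in the middle of a {GUID}."""
    out, pending = [], ""
    for raw in lines:
        line = raw.strip()
        if pending:
            if not line:
                continue  # blank line inside a wrapped item
            line, pending = pending + line, ""
        if line.count("{") > line.count("}"):
            pending = line  # brace still open: wait for the rest
            continue
        out.append(line)
    if pending:
        out.append(pending)
    return out


def parse_scan_log(text):
    """Return {detection name: [reported items]} in log order."""
    detections, current = {}, None
    for line in join_wrapped(text.splitlines()):
        if not line:
            continue
        if ITEM_RE.match(line):
            if current is not None:
                detections[current].append(line)
        else:
            current = line
            detections.setdefault(current, [])
    # Header and statistics lines have no items under them; drop those.
    return {name: items for name, items in detections.items() if items}


def classify(item):
    """Label one reported item by what it means for cleanup."""
    low = item.lower()
    if low.startswith(("hk", "software\\")):
        if any(key in low for key in AUTOSTART_KEYS):
            return "autostart"
        if "\\clsid\\" in low:
            return "com_registration"
        return "registry_other"
    if "\\system volume information\\_restore" in low:
        return "restore_point"
    if "\\cookies\\" in low:
        return "cookie"
    return "file"


def triage(text):
    """Per detection, count items by kind and flag what cleanup must cover."""
    report = {}
    for name, items in parse_scan_log(text).items():
        kinds = Counter(classify(i) for i in items)
        report[name] = {
            "kinds": dict(kinds),
            # A load point left behind after its DLL is deleted is what the
            # thread describes as the cause of "Error loading" at boot.
            "autostart_entries": [i for i in items if classify(i) == "autostart"],
            # Copies held in System Restore can come back with a later restore.
            "flush_restore_points": kinds["restore_point"] > 0,
        }
    return report


if __name__ == "__main__":
    for name, info in triage(SAMPLE_LOG).items():
        print(name, info["kinds"], "flush restore points:", info["flush_restore_points"])
        for entry in info["autostart_entries"]:
            print("   load point:", entry)
```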
gwj5035
Hi Orange Blossom:

Not sure of what was happening so I terminated the running of Cleanmgr. This is what happened. Created a new restore point. Went to run and started cleanmgr.

Instead of getting the "More Options" Tab, I got a pop-up window that said "Disk Cleanup is calculating how much space you will be able to free on (C:). This may take a few minutes to complete. Scanning: Compress old files."

So I left it run for 15 Mins. and figured something wasn't correct because the bar that shows progress wasn't updating. When I hit the Cancel button the pop-up disappeared but the Task Mgr still showed that cleanmgr.exe was @98% in the CPU column. I also noticed that when I first started cleanmgr that it registered as an application running and when I hit the cancel button it no longer showed up as an application running. Waited about 5 more mins and this condition did not change. Highlighted the cleanmgr.exe process and ended process. Everything seemed to return to normal. So this is where I am now as I post this note.
gwj5035
Hi Orange Blossom:

I hope you read this post before the one before it. I edited the registry key that was causing this problem with cleanmgr compressing old files. I was able to run cleanmgr so now there are no restore points except the new one I created.
Orange Blossom
Hello gwj5035,

I'm glad you got it to work. I just became aware within the past two hours that the link in the directions is for Windows XP Pro and that it is different with Windows XP Home, which is what I use.

What it was doing initially was calculating the space you could save by deleting files and compressing files. It wasn't actually compressing them at that point, you would have to tell it to.

Now that you are clean, to protect yourself against malware and reduce the potential for re-infection, be sure to read:
• "Simple and easy ways to keep your computer safe".
• "How did I get infected?, With steps so it does not happen again!".
• "Best Practices - Internet Safety for 2008".
• "Hardening Windows Security - Part 1".
• "Hardening Windows Security - Part 2".
• "IE Recommended Minimal Security Settings".

Good luck with everything and see you around BC.

Orange Blossom
gwj5035
Hi Orange Blossom:

Well, I didn't last long with no computer troubles. I don't seem to be having problems with pop-ups this time. My new symptoms are dealing with a loss of the desktop whenever it wants to lock up. It seems to be happening more when I am online than when I am using the computer with ZoneAlarm blocking my access in both directions from the internet. When it happens all of the icons on the desktop vanish and I get the hourglass and have no access to the bottom tray. I am able to call up Task Manager and reboot the computer. While the computer is closing down I get the message that explorer is not responding and I have to close it down myself. Computer reboots and I can go along for a while (I am going to guess about 2 hours or less) and then a repeat of the above. I am not sure that this has anything to do with my problem, but the week before last I upgraded Windows XP to SP2. The next morning after booting I got an Update message from MS with a list of 54 files to be updated. Followed the instructions and when completed and booted I could no longer access the internet or my laptop, and the laptop could not get out to the internet. After about 4 hours of trying to restore my home intranet setup I gave up and restored back to the point before the 54 file update. So, at this point I am running XP SP2, whereas with our last problem I was running XP SP1.

I did everything that we did with my last problem but can't seem to remove the XXWTQ.DLL file that SuperAntiSpyware is listing in its log. So I did a little more reading and read about the Hijackthis log being a help to whoever is going to help me with this problem. So, I have included the logs from the Spyware Scan, the VirtumundoBegone run, the SDFix run and Hijackthis. I might add that the Vundo Fix run states that it finds no Vundo files. I have been running the SuperAntiSpyware bi-weekly and this run showed this vundo file for the first time. Let me know of anything more you need to help with the diagnosis.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/23/2008 at 06:24 PM

Application Version : 4.0.1154

Core Rules Database Version : 3417
Trace Rules Database Version: 1415

Scan type : Complete Scan
Total Scan Time : 01:51:59

Memory items scanned : 190
Memory threats detected : 1
Registry items scanned : 6602
Registry threats detected : 0
File items scanned : 130677
File threats detected : 35

Adware.Vundo Variant/Resident
C:\WINNT\SYSTEM32\XXWTQ.DLL
C:\WINNT\SYSTEM32\XXWTQ.DLL

Adware.Tracking Cookie
********************************************************************************

VundoFix V6.7.10

Checking Java version...

Scan started at 3:09:35 AM 3/24/2008

Listing files found while scanning....

No infected files were found.


Beginning removal...
********************************************************************************



[03/23/2008, 14:01:20] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\George\Desktop\Anti Spyware__AdAware\VirtumundoBeGone.exe" )
[03/23/2008, 14:01:30] - Detected System Information:
[03/23/2008, 14:01:30] - Windows Version: 5.1.2600, Service Pack 2
[03/23/2008, 14:01:30] - Current Username: George (Admin)
[03/23/2008, 14:01:30] - Windows is in SAFE mode with Networking.
[03/23/2008, 14:01:30] - Searching for Browser Helper Objects:
[03/23/2008, 14:01:30] - BHO 1: AutorunsDisabled ()
[03/23/2008, 14:01:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/23/2008, 14:01:30] - No filename found. Continuing.
[03/23/2008, 14:01:30] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/23/2008, 14:01:30] - BHO 3: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} (Skype add-on (mastermind))
[03/23/2008, 14:01:30] - BHO 4: {53707962-6F74-2D53-2644-206D7942484F} ()
[03/23/2008, 14:01:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/23/2008, 14:01:30] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[03/23/2008, 14:01:30] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[03/23/2008, 14:01:30] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/23/2008, 14:01:30] - BHO 6: {FC9F68DA-8485-41AA-9EA3-FA7C639DC486} ()
[03/23/2008, 14:01:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/23/2008, 14:01:30] - Checking for HKLM\...\Winlogon\Notify\fccbyyw
[03/23/2008, 14:01:30] - Key not found: HKLM\...\Winlogon\Notify\fccbyyw, continuing.
[03/23/2008, 14:01:30] - BHO 7: {FD497859-CB88-49FA-97D9-53F6F1832DD9} ()
[03/23/2008, 14:01:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/23/2008, 14:01:30] - Checking for HKLM\...\Winlogon\Notify\xxwtq
[03/23/2008, 14:01:30] - Key not found: HKLM\...\Winlogon\Notify\xxwtq, continuing.
[03/23/2008, 14:01:30] - Finished Searching Browser Helper Objects
[03/23/2008, 14:01:30] - Finishing up...
[03/23/2008, 14:01:30] - Nothing found! Exiting...
********************************************************************************


SDFix: Version 1.150

Run by George on Sun 03/23/2008 at 03:01 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-23 15:10:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

C:\Documents and Settings\George\Local Settings\Temporary Internet Files\Content.IE5\9O8J990X\search[1].: 17550 bytes hidden from API
C:\Documents and Settings\George\Local Settings\Temporary Internet Files\Content.IE5\GOBBD3Z5\ShowFolder[1].: 45615 bytes hidden from API
C:\Documents and Settings\George\Local Settings\Temporary Internet Files\Content.IE5\ORDJUMFP\ShowFolder[1].: 38988 bytes hidden from API

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 3


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\DiskTrix\\UltimateDefrag\\UDefrag.exe"="C:\\Program Files\\DiskTrix\\UltimateDefrag\\UDefrag.exe:*:Enabled:UltimateDefrag V1 90 Day License"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :



Files with Hidden Attributes :

Mon 6 Aug 2007 24 ..SH. --- "C:\WINNT\SAA008252.tmp"
Sat 21 Jun 2003 377,344 A..H. --- "C:\Program Files\Smart Projects\IsoBuster\Help\AHlp.exe"

Finished!
Orange Blossom
Hello gwj5035,

I'm sorry to hear that you are having problems again. I have edited out the HJT log from the previous post to keep it from being moved to the Misplaced Log forum. HiJack This logs are worked only in the HiJack This forum where you get one-on-one assistance.

I think it is time for a deeper look at the issues on your computer. Please follow the steps in this guide. If you can't do a step, skip it and go on to the next. I realize that you may have done some of it, but it won't hurt to do it again. Then create an HJT log; you will find the directions in step 9 of the guide.

Create a new topic in this forum, not here, and give it a good descriptive title. Briefly summarize what the problems are, what you have done to try to solve it, and what worked and didn't work, and paste in your HJT log. Also, include the link to this thread and say that we sent you there.

After you post your log, DO NOT make any further changes to your computer: deleting files, editing the registry, using special fix tools, installing or uninstalling software etc. as this will make it more difficult for the HJT team to help you.

Please be patient as the HJT team is very busy. DO NOT bump your log as the team may think that someone is already helping you. If you have not had a response in five days, add a response to the five days no response topic and paste in the link to your thread.

When you have posted your log, please paste in the URL to your new thread so we know the HJT Team is helping you.

Orange Blossom