I recently was infected with the XP 2008 virus. I installed and ran SPyhunter and it succesfully removed it. I then had another problem more serious. After reading your site it appeared similar to another members problem. I was being redirected, my task manager was dosabled, my desktop and the controls disappeared and all sites that had anti spyware were blocked.

I doenlaoded combofix to another computer copied it to a jump drive, installed ait and ran it and it appeared to clear me up.

So far so good. Then XP 2008 reappeared. I have run Spyhunter aginf and removed it but don't know where to go from Here.

Bill Barr

Please note the message text in blue at the top of this forum.

You should not be using Combofix unless instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read Combofix's Disclaimer.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

• Make sure you are connected to the Internet.
• Double-click on mbam-setup.exe to install the application.
• When the installation begins, follow the prompts and do not make any changes to default settings.
• When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware
• Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

• If an update is found, the program will automatically update itself.
• Press the OK button to close that box and continue.
• If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

• Make sure the "Perform Quick Scan" option is selected.
• Then click on the Scan button.
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
• Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

• Click on the Show Results button to see a list of any malware that was found.
• Make sure that everything is checked, and click Remove Selected.
• When removal is completed, a log report will open in Notepad.
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Reagardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Quietman 7,

Thank you for the prompt reply. I read the the instructions before I ran combofix. I had run other scans thta did not reveal any problems in the operating sysstem so I took a chance. I am all backed up.

I'll down load as sugested and get back.

Thanks again.

Bill

Quietman 7,

I ran the scan here is my log file:

Malwarebytes' Anti-Malware 1.25
Database version: 1062
Windows 5.1.2600 Service Pack 2

5:40:43 PM 8/17/2008
mbam-log-08-17-2008 (17-40-15).txt

Scan type: Quick Scan
Objects scanned: 43648
Time elapsed: 3 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 8
Registry Data Items Infected: 2
Folders Infected: 12
Files Infected: 19

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcgqbj0e34r (Rogue.Multiple) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\rhcgqbj0e34r (Rogue.Multiple) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smrhcgqbj0e34r (Rogue.Multiple) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphclqbj0e34r (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> No action taken.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> No action taken.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> No action taken.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\backupwallpaper (Hijack.Wallpaper) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
C:\Program Files\rhcgqbj0e34r (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Bill Barr\Application Data\rhcgqbj0e34r (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Bill Barr\Application Data\rhcgqbj0e34r\Quarantine (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Bill Barr\Application Data\rhcgqbj0e34r\Quarantine\Autorun (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Bill Barr\Application Data\rhcgqbj0e34r\Quarantine\Autorun\HKCU (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Bill Barr\Application Data\rhcgqbj0e34r\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Bill Barr\Application Data\rhcgqbj0e34r\Quarantine\Autorun\HKLM (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Bill Barr\Application Data\rhcgqbj0e34r\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Bill Barr\Application Data\rhcgqbj0e34r\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Bill Barr\Application Data\rhcgqbj0e34r\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Bill Barr\Application Data\rhcgqbj0e34r\Quarantine\BrowserObjects (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Bill Barr\Application Data\rhcgqbj0e34r\Quarantine\Packages (Rogue.Multiple) -> No action taken.

Files Infected:
C:\WINDOWS\ateqoflr.efg.exe (Trojan.Vapsup) -> No action taken.
C:\WINDOWS\edpw.efg.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\wbqxfpgl.efg (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M2210NetInstaller.exe (Rogue.Installer) -> No action taken.
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UGA6P_0001_N122M2210NetInstaller.exe (Rogue.Installer) -> No action taken.
C:\WINDOWS\SYSTEM32\ddcbyyv.dll.vir (Trojan.Vundo) -> No action taken.
C:\Program Files\rhcgqbj0e34r\database.dat (Rogue.Multiple) -> No action taken.
C:\Program Files\rhcgqbj0e34r\license.txt (Rogue.Multiple) -> No action taken.
C:\Program Files\rhcgqbj0e34r\MFC71.dll (Rogue.Multiple) -> No action taken.
C:\Program Files\rhcgqbj0e34r\MFC71ENU.DLL (Rogue.Multiple) -> No action taken.
C:\Program Files\rhcgqbj0e34r\msvcp71.dll (Rogue.Multiple) -> No action taken.
C:\Program Files\rhcgqbj0e34r\msvcr71.dll (Rogue.Multiple) -> No action taken.
C:\Program Files\rhcgqbj0e34r\rhcgqbj0e34r.exe (Rogue.Multiple) -> No action taken.
C:\Program Files\rhcgqbj0e34r\rhcgqbj0e34r.exe.local (Rogue.Multiple) -> No action taken.
C:\Program Files\rhcgqbj0e34r\Uninstall.exe (Rogue.Multiple) -> No action taken.
C:\WINDOWS\SYSTEM32\blphclqbj0e34r.scr (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\SYSTEM32\lphclqbj0e34r.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\SYSTEM32\phclqbj0e34r.bmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\SYSTEM32\pphclqbj0e34r.exe (Trojan.FakeAlert) -> No action taken.



Bill Barr

Wrong log file. The one I sent was before I his remove.

Malwarebytes' Anti-Malware 1.25
Database version: 1062
Windows 5.1.2600 Service Pack 2

5:43:31 PM 8/17/2008
mbam-log-08-17-2008 (17-43-31).txt

Scan type: Quick Scan
Objects scanned: 43648
Time elapsed: 3 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 8
Registry Data Items Infected: 2
Folders Infected: 12
Files Infected: 19

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcgqbj0e34r (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhcgqbj0e34r (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smrhcgqbj0e34r (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphclqbj0e34r (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\backupwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\rhcgqbj0e34r (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill Barr\Application Data\rhcgqbj0e34r (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill Barr\Application Data\rhcgqbj0e34r\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill Barr\Application Data\rhcgqbj0e34r\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill Barr\Application Data\rhcgqbj0e34r\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill Barr\Application Data\rhcgqbj0e34r\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill Barr\Application Data\rhcgqbj0e34r\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill Barr\Application Data\rhcgqbj0e34r\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill Barr\Application Data\rhcgqbj0e34r\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill Barr\Application Data\rhcgqbj0e34r\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill Barr\Application Data\rhcgqbj0e34r\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill Barr\Application Data\rhcgqbj0e34r\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\ateqoflr.efg.exe (Trojan.Vapsup) -> Quarantined and deleted successfully.
C:\WINDOWS\edpw.efg.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\wbqxfpgl.efg (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M2210NetInstaller.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UGA6P_0001_N122M2210NetInstaller.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ddcbyyv.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\rhcgqbj0e34r\database.dat (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcgqbj0e34r\license.txt (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcgqbj0e34r\MFC71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcgqbj0e34r\MFC71ENU.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcgqbj0e34r\msvcp71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcgqbj0e34r\msvcr71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcgqbj0e34r\rhcgqbj0e34r.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcgqbj0e34r\rhcgqbj0e34r.exe.local (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcgqbj0e34r\Uninstall.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\blphclqbj0e34r.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\lphclqbj0e34r.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\phclqbj0e34r.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\pphclqbj0e34r.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Quietman 7,

I am now getting a message that I do not have a firewall installed. The message looks like an official MS message. When I clik to clock it sends me to Smart Soft website to down load software.

Bill

Reboot your computer, update and scan again with Malwarebytes. Post the new log back here.

Attacheds are two log files a complete scan I ran before reboot and a scan after the reboot. After the completet can and reboot there were no infections.
1. Completet scan:
Malwarebytes' Anti-Malware 1.25
Database version: 1062
Windows 5.1.2600 Service Pack 2

9:47:59 PM 8/17/2008
mbam-log-08-17-2008 (21-47-59).txt

Scan type: Full Scan (C:\|)
Objects scanned: 116640
Time elapsed: 1 hour(s), 10 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 23

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\wkey (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\mwc (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\qoobox\Quarantine\C\Program Files\Common Files\Yazzle1560OinUninstaller.exe.vir (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\qoobox\Quarantine\C\Program Files\Common Files\AVSystemCare\bm.exe.vir (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\blhohxja.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\dmupqp.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\qomjkhh.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\khfEVMGy.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\nakxurld.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\trbbnrpn.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\wecmhl.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\xiclwtuu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\xxyywutQ.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\g2\caws83122.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000066.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000067.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000068.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000069.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000070.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000071.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000073.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000074.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000072.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0002357.exe (Trojan.Vapsup) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0002358.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

2. quick scan afeter reboot:

Malwarebytes' Anti-Malware 1.25
Database version: 1064
Windows 5.1.2600 Service Pack 2

9:57:44 PM 8/17/2008
mbam-log-08-17-2008 (21-57-44).txt

Scan type: Quick Scan
Objects scanned: 44742
Time elapsed: 4 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Are you still experiencing problems?

I do not appear to,

Thanks,

Bill Barr

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

• Go to Start > Programs > Accessories > System Tools and click "System Restore".
• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Then use Disk Cleanup to remove all but the most recently created Restore Point.
• Go to Start > Run and type: Cleanmgr
• Click "Ok"
• Disk Cleanup will scan your files for several minutes, then open.
• Click the "More Options" Tab.
• Click the "Clean up" button under System Restore.
• Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
• Click Yes, then click Ok.
• Click Yes again when prompted with "Are you sure you want to perform these actions?"
• Disk Cleanup will remove the files and close automatically.

I am still getting a pop up that looks like a legit Windows Security Alert informing me that I am infected with a Trojan.

When I click Enable it diverts me to WWW.antispywarereview/ etc.

It is annoying but does not happen that often. I am just concerned that it is a carryover from my original problem.

I have not created the restore point yet.

Bill Barr

Please print out and follow these instructions: "How to use SDFix". <- for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"

• Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
• When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
• If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
• Please copy and paste the contents of Report.txt in your next reply.
• Be sure to re-enable you anti-virus and and other security programs before connecting to the Internet.

Then rescan again with MBAM (Quick Scan) in normal mode, check all items found for removal, reboot normally and post a new log.

It is still ther as described previously.

SDFix Log :

SDFix: Version 1.218
Run by Bill Barr on Tue 08/19/2008 at 06:30 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\sdfix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\DOCUME~1\BILLBA~1\LOCALS~1\Temp\.tt104.tmp - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-19 18:38:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="dmupqp.dll"
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 26 Mar 2006 1,789,952 A.SH. --- "C:\My Pictures\Colin's Camera NY Oct 2007\100CASIO\SIV26.tmp"
Sun 26 Mar 2006 1,585,152 A.SH. --- "C:\My Pictures\Colin's Camera NY Oct 2007\100CASIO\SIV27.tmp"
Sun 16 Sep 2007 261,120 ...H. --- "C:\WSB\BUM\Law Office Policy and Procedure Manual 5th Ed\BUM Office Policy and Porcedures\~WRL2350.tmp"
Sun 3 Oct 2004 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Sun 3 Oct 2004 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Sun 16 Jan 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"
Sun 16 Jan 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp"

Finished!

Mbam log:
Malwarebytes' Anti-Malware 1.25
Database version: 1064
Windows 5.1.2600 Service Pack 2

7:08:00 PM 8/19/2008
mbam-log-08-19-2008 (19-08-00).txt

Scan type: Quick Scan
Objects scanned: 44453
Time elapsed: 4 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\wkey (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Bill

Sometimes another piece of malware which has not been detected protects other files (which have been detected) so they cannot be permanently deleted. Others are difficult to remove completely because of their morphing characteristics which allows the malware to regenerate itself. This infection will require further investigation and probably the use of more powerful tools than we recommend in this forum. Before that can be done you will need you to create and post a hijackthis log.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". In Step 9 there are instructions for downloading the HijackThis Installer and creating a log. This is an automatic setup version which will install the program in the proper location.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that your getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

Quietman 7

Got your message. I have a rather old version of Hijack this. When I tried to downlaod it says it is not a valid WIN32 application?

Bill Barr

The link I provided for the Prep Guide in Post #15 contains the most current version so use that.

Some types of malware will specifically attack and disable HijackThis and other security tools. If HijackThis will not run, try renaming it.

• Open My Computer or Windows Explorer and navigate to the HijackThis Folder.
• Inside the folder, right-click on the HijackThis.exe file and change the .exe extension to .bat, .com, .pif, or .scr.
• Then double-click on it to run.

If you cannot see the file extension, then it's hidden and you will have to Reconfigure Windows XP to show it. Double-click on My Computer, go to Tools > Folder Options and click on the View tab. Under Advanced settings > Files and Folders > check "Show hidden files and Folders" and uncheck "Hide file extensions for known file types", then click Apply > OK.

QUietman 7,

I was finally able to download Hijackthis. I ran Malwarebytes again and found the the XP 2008 had returned. I deleted it and then was able to download the progaram normally. I posted the Hijackthis log last night as directed.

Bill Barr

Your hijackthis log is posted here.

Now that your log is posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

To avoid confusion, I am closing this topic until you are cleared by the HJT Team. If you still need assistance after your log has been reviewed and you have been cleared, please PM me or another moderator and we will re-open this topic.

Thanks for your cooperation and good luck with your log.