
Spybot Reg Change


This topic is locked
14 replies to this topic

#1 geasy


Posted 19 February 2008 - 07:08 PM

hi

Each time I open IE I receive a Spybot registry entry notification for ITBarLayout. I have to deny it every time.

I also have a message that keeps popping up saying ..... notice , if your computor has been running slower than normal, it may be infected with viruses, adaware or spyware. maleware alarm will perform a quick and compleatly free scan. please click on link...and so on...

I would be grateful if somebody would be able to help with this.

many thanks


#2 Orange Blossom


Posted 23 February 2008 - 01:21 AM

Hello geasy,

What is your operating system: Windows XP, Vista, etc.?

What security programs, besides Spybot, do you have on your computer?

Also, please verify: Does the pop up say maleware alarm or malware alarm? Exact spelling is crucial for proper identification.

At this point, I would suggest running a scan with SUPERAntiSpyware in Safe Mode. You will, of course, install it in Normal Mode.

Download and install SUPERAntiSpyware free found here: SUPERAntiSpyware

Be sure to click on the download button to the left, not on the free trial download on the right.

Install it and double-click the icon on your desktop to run it.
It will ask if you want to update the program definitions, click Yes.
Under Configuration and Preferences, click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked:
  • Close browsers before scanning
  • Scan for tracking cookies
  • Terminate memory threats before quarantining.
  • Please leave the others unchecked.
  • Click the Close button to leave the control center screen.
Reboot into Safe Mode
On the main screen, under Scan for Harmful Software click Scan your computer.
On the left check C:\Fixed Drive.
On the right, under Complete Scan, choose Perform Complete Scan.
Click Next to start the scan. Please be patient while it scans your computer.
After the scan is complete a summary box will appear. Click OK.
Make sure everything in the white box has a check next to it, then click Next.
It will quarantine what it found and if it asks if you want to reboot, click Yes.
Reboot into Normal Mode
To retrieve the removal information for me please do the following:
  • After reboot, double-click the SUPERAntispyware icon on your desktop.
  • Click Preferences. Click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • It will open in your default text editor (such as Notepad/Wordpad).
  • Please highlight everything in the notepad, then right-click and choose copy.
Click close and close again to exit the program.

Please post the log in your reply.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 geasy


Posted 25 February 2008 - 01:57 PM

Hi and thanks for replying.

I'm running XP with Service Pack 2.

The spelling is malwarealarm.

And I'm having all kinds of probs with the PC at the mo, from running really slow to hundreds of pop-ups, and AVG keeps finding trojans.

#4 geasy


Posted 25 February 2008 - 04:36 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/25/2008 at 02:57 AM

Application Version : 3.9.1008

Core Rules Database Version : 3408
Trace Rules Database Version: 1400

Scan type : Complete Scan
Total Scan Time : 02:08:00

Memory items scanned : 169
Memory threats detected : 2
Registry items scanned : 4549
Registry threats detected : 15
File items scanned : 60811
File threats detected : 33

Trojan.Unclassifed/AffiliateBundle
C:\WINDOWS\SYSTEM32\JKKJKII.DLL
C:\WINDOWS\SYSTEM32\JKKJKII.DLL
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\jkkjkii
C:\WINDOWS\SYSTEM32\KHFFFED.DLL

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\JKHFF.DLL
C:\WINDOWS\SYSTEM32\JKHFF.DLL
HKLM\Software\Classes\CLSID\{0E0A2AD5-1ADC-4EC3-90FC-0FB793C9259E}
HKCR\CLSID\{0E0A2AD5-1ADC-4EC3-90FC-0FB793C9259E}
HKCR\CLSID\{0E0A2AD5-1ADC-4EC3-90FC-0FB793C9259E}\InprocServer32
HKCR\CLSID\{0E0A2AD5-1ADC-4EC3-90FC-0FB793C9259E}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{EF7B6076-F5FE-49CA-BE56-17E3EC3652CC}
HKCR\CLSID\{EF7B6076-F5FE-49CA-BE56-17E3EC3652CC}
HKCR\CLSID\{EF7B6076-F5FE-49CA-BE56-17E3EC3652CC}\InprocServer32
HKCR\CLSID\{EF7B6076-F5FE-49CA-BE56-17E3EC3652CC}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0E0A2AD5-1ADC-4EC3-90FC-0FB793C9259E}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EF7B6076-F5FE-49CA-BE56-17E3EC3652CC}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{0E0A2AD5-1ADC-4EC3-90FC-0FB793C9259E}
HKCR\CLSID\{0E0A2AD5-1ADC-4EC3-90FC-0FB793C9259E}

Adware.Tracking Cookie
C:\Documents and Settings\geasy.BADASS-E8537735\Cookies\geasy@tribalfusion[1].txt
C:\Documents and Settings\geasy.BADASS-E8537735\Cookies\geasy@ad.yieldmanager[3].txt
C:\Documents and Settings\geasy.BADASS-E8537735\Cookies\geasy@yadro[2].txt
C:\Documents and Settings\geasy.BADASS-E8537735\Cookies\geasy@www.admedia365[1].txt
C:\Documents and Settings\geasy.BADASS-E8537735\Cookies\geasy@antispywaresuite[1].txt
C:\Documents and Settings\geasy.BADASS-E8537735\Cookies\geasy@clicksor[2].txt
C:\Documents and Settings\geasy.BADASS-E8537735\Cookies\geasy@edge.ru4[3].txt
C:\Documents and Settings\geasy.BADASS-E8537735\Cookies\geasy@bestsellerantivirus[2].txt
C:\Documents and Settings\geasy.BADASS-E8537735\Cookies\geasy@3.adbrite[2].txt
C:\Documents and Settings\geasy.BADASS-E8537735\Cookies\geasy@ad.yieldmanager[1].txt
C:\Documents and Settings\geasy.BADASS-E8537735\Cookies\geasy@ad.zanox[1].txt
C:\Documents and Settings\geasy.BADASS-E8537735\Cookies\geasy@ad2networks.advertserve[1].txt
C:\Documents and Settings\geasy.BADASS-E8537735\Cookies\geasy@adopt.euroclick[2].txt
C:\Documents and Settings\geasy.BADASS-E8537735\Cookies\geasy@banner[1].txt
C:\Documents and Settings\geasy.BADASS-E8537735\Cookies\geasy@bizadverts[1].txt
C:\Documents and Settings\geasy.BADASS-E8537735\Cookies\geasy@clicktorrent[2].txt
C:\Documents and Settings\geasy.BADASS-E8537735\Cookies\geasy@edge.ru4[1].txt
C:\Documents and Settings\geasy.BADASS-E8537735\Cookies\geasy@overture[1].txt
C:\Documents and Settings\geasy.BADASS-E8537735\Cookies\geasy@prospect.adbureau[1].txt
C:\Documents and Settings\geasy.BADASS-E8537735\Cookies\geasy@questionmarket[2].txt
C:\Documents and Settings\geasy.BADASS-E8537735\Cookies\geasy@realmedia[1].txt
C:\Documents and Settings\geasy.BADASS-E8537735\Cookies\geasy@tribalfusion[2].txt

Trojan.Unknown Origin
C:\WINDOWS\system32\nGpxx01
HKLM\Software\xpre
HKLM\Software\xpre#execount

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\ADEEG.INI
C:\WINDOWS\SYSTEM32\CFHKJ.INI
C:\WINDOWS\SYSTEM32\FFHKJ.INI
C:\WINDOWS\SYSTEM32\FFHKJ.INI2

Trace.Known Threat Sources
C:\Documents and Settings\geasy.BADASS-E8537735\Local Settings\Temporary Internet Files\Content.IE5\IV2HM1U7\CA8XSP0V.htm
C:\Documents and Settings\geasy.BADASS-E8537735\Local Settings\Temporary Internet Files\Content.IE5\EHOV8VW3\window[1].js
C:\Documents and Settings\geasy.BADASS-E8537735\Local Settings\Temporary Internet Files\Content.IE5\EHOV8VW3\errorhandler[1].htm
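One way to triage a SUPERAntiSpyware log like the one above, as an added example (not from the thread, the poster, or SUPERAntiSpyware): group detections under their family heading, separate file items from registry items, and flag registry entries in known autostart locations (Winlogon Notify, Browser Helper Objects, ShellExecuteHooks), tying each to the dropped DLL it loads where the names match. The embedded log is a constructed excerpt of the one posted.

```python
import re
from pathlib import PureWindowsPath

# Constructed excerpt in the layout of the SUPERAntiSpyware log posted above
# (header trimmed, a few entries per family kept).
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
Registry threats detected : 15

Trojan.Unclassifed/AffiliateBundle
C:\WINDOWS\SYSTEM32\JKKJKII.DLL
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\jkkjkii
C:\WINDOWS\SYSTEM32\KHFFFED.DLL

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\JKHFF.DLL
HKLM\Software\Classes\CLSID\{0E0A2AD5-1ADC-4EC3-90FC-0FB793C9259E}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0E0A2AD5-1ADC-4EC3-90FC-0FB793C9259E}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{0E0A2AD5-1ADC-4EC3-90FC-0FB793C9259E}

Adware.Tracking Cookie
C:\Documents and Settings\geasy\Cookies\geasy@tribalfusion[1].txt
"""

FAMILY_RE = re.compile(r"^[A-Z][a-z]+\.[A-Z]")   # heading such as "Adware.Vundo Variant"
FILE_RE = re.compile(r"^[A-Za-z]:\\")             # drive-letter file path

# Registry locations that load code automatically. Hits here are the
# persistence mechanism; CLSID registration keys alone are just COM metadata.
PERSISTENCE = {
    "\\winlogon\\notify\\": "Winlogon notification package",
    "\\browser helper objects\\": "IE Browser Helper Object",
    "\\shellexecutehooks": "Explorer ShellExecuteHook",
    "\\currentversion\\run": "Run key",
}

def parse_log(text):
    """Group detection lines under their family heading: {family: [items]}."""
    families, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line and "\\" not in line and FAMILY_RE.match(line):
            current = line
            families.setdefault(current, [])
        elif current is not None and "\\" in line:
            families[current].append(line)
    return families

def persistence_kind(item):
    low = item.lower()
    return next((label for needle, label in PERSISTENCE.items() if needle in low), None)

def triage(text):
    """Per family: file/registry counts plus autostart entries tied to dropped DLLs."""
    report = {}
    for family, items in parse_log(text).items():
        files = [i for i in items if FILE_RE.match(i)]
        stems = {PureWindowsPath(f).stem.lower() for f in files}
        persist = []
        for item in items:
            kind = persistence_kind(item)
            if kind:
                # Last component is the loaded module name or CLSID; a DLL with the
                # same stem in this family links the autostart key to its payload.
                tail = re.split(r"[\\#]", item)[-1].lower()
                persist.append((kind, tail, tail in stems))
        report[family] = {"files": len(files), "registry": len(items) - len(files), "persistence": persist}
    return report
```

Run `triage(open("log.txt").read())` on a saved log to see which families carry an autostart entry and which dropped file each one loads.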

#5 Orange Blossom


Posted 25 February 2008 - 07:17 PM

Hello geasy,

Thanks for posting the log. Your computer has been infected, among other things, with Vundo. Please follow the directions in this guide: http://www.bleepingcomputer.com/forums/t/18610/how-to-remove-winfixer-virtumonde-msevents-trojanvundob/

If you have any questions as you go through the guide, please ask them as a reply in this thread. When you have finished the guide, please post the Vundo log as a reply.

Orange Blossom :thumbsup:

#6 geasy


Posted 26 February 2008 - 07:54 AM

Scanned my PC with VundoFix and it found 4 infected files.
I fixed them; 3 were fixed right away and the other one was fixed on reboot.

I can't find how you get the log.

Spybot is no longer asking to change the reg and the PC is running a lot faster. Is there anything else I need to do?

Really appreciate your help with this.


VundoFix V6.7.9

Checking Java version...

Scan started at 16:22:15 25/02/2008

Listing files found while scanning....

C:\WINDOWS\system32\ffhkj.ini
C:\WINDOWS\system32\ffhkj.ini2
C:\WINDOWS\system32\jkhff.dll
C:\WINDOWS\system32\jkkjkii.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ffhkj.ini
C:\WINDOWS\system32\ffhkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ffhkj.ini2
C:\WINDOWS\system32\ffhkj.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkhff.dll
C:\WINDOWS\system32\jkhff.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkkjkii.dll
C:\WINDOWS\system32\jkkjkii.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\jkkjkii.dll
C:\WINDOWS\system32\jkkjkii.dll Has been deleted!

Performing Repairs to the registry.
Done!

Edited by geasy, 26 February 2008 - 01:06 PM.


#7 quietman7


Posted 26 February 2008 - 01:32 PM

Let's do one more scan.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link
  • Double-click on Download_mbam-setup.exe to install the application. (If using Windows Vista, be sure to "Run As Administrator")
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process and, if asked to restart the computer, please do so immediately.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#8 geasy


Posted 26 February 2008 - 03:58 PM

I have done the quick scan.

Here is the log.

Malwarebytes' Anti-Malware 1.05
Database version: 410

Scan type: Quick Scan
Objects scanned: 29412
Time elapsed: 6 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\acespy (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)


I'm now running the in-depth scan and will post the log as soon as it's complete.


Malwarebytes' Anti-Malware 1.05
Database version: 410

Scan type: Quick Scan
Objects scanned: 29412
Time elapsed: 6 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\acespy (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)



This is the log of the full scan.

Edited by geasy, 26 February 2008 - 04:32 PM.


#9 quietman7


Posted 27 February 2008 - 08:02 AM

Ok. Let me know how it goes.

#10 geasy


Posted 27 February 2008 - 11:18 AM

I have already posted the full scan log under the quick scan log in my other post.

I'm still getting loads of trojan alerts from AVG, some of which will not allow me to heal or quarantine.

The PC is a lot faster now and Spybot has stopped asking to change the reg.

#11 quietman7


Posted 27 February 2008 - 11:30 AM

im still getting loads of trojan alerts from avg

What do the alerts say? Are they providing a specific file name and location (full path) for any of these files?

#12 geasy


Posted 27 February 2008 - 01:58 PM

They are saying C drive, Documents and Settings, geasy, Local Settings, Temp, packet.

But when I go to open the geasy file a box comes up saying access denied.


In my Documents and Settings there are 6 folders. 3 have blue writing and 3 have black writing. The folders with blue writing say All Users.WINDOWS, Default User.WINDOWS, geasy.BADASS-E8537735; the 3 with black writing say All Users, Default User, geasy. I can open all of them except the geasy one.

#13 quietman7


Posted 27 February 2008 - 02:57 PM

This issue will require further investigation. Before that can be done, you will need to create and post a HijackThis log.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". In step #9 there are instructions for downloading HijackThis and creating a log. (This is a self-extracting version which will automatically install the current version of HJT in the proper location.) If using Windows Vista, be sure to Run As Administrator.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate it if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another HJT Team member is already assisting you and not open the thread to respond.

#14 geasy


Posted 29 February 2008 - 08:29 AM

Just a quick thank you, and to let you know someone is going through my HijackThis log at the moment.

As soon as it has been done I'll post the outcome on this thread.

#15 quietman7


Posted 29 February 2008 - 08:36 AM

Your HijackThis log is posted here and I see that you are getting assistance from teacup61, so you're in good hands.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

To avoid confusion, I am closing this topic and will monitor your other thread.

Thanks for your cooperation and good luck with your log.
