
Unwanted Pop-ups, Adware, Ie Freeze-ups


18 replies to this topic

#1 gwj5035
  • Members
  • 19 posts
  • Location:Southern Delaware

Posted 28 February 2008 - 11:59 PM

Hi, my name is George and I am infected!

When I go online I keep getting unwanted pop-ups. Additionally, the computer is running slow, and sometimes IE freezes; when I check Task Manager I get an "IE NOT RESPONDING" message. I'm running Windows XP (SP1) with IE6. Real quick as to why SP1: I upgraded to SP2 a while back and on restart Windows would not boot. I tried a lot of fixes on my own and had to start in Safe Mode and revert back to SP1 each time. I will try to fix that problem after I get rid of my infection.

I run Windows XP Home, IE 6.0, Avast 4.7 as my antivirus, and ZoneAlarm 6.5.737 as my firewall. I installed System Mechanic 7 Pro this week to try and fix my problem. Results were OK in fixing all the problems that it found but one: it could not remove four files that it reported as spyware/malware problems. Now the bad part. After installing SystMech7Pro I noticed that the Performance window in Task Manager was pegged at 100%. In checking the processes that were running, there were about 21 devldr.exe entries listed, and the total number of processes in use varied from 47 to 60. My normal number of processes was 39 before I installed SystMech7Pro. I have removed SystMech7Pro and quieted down the process problem but still have the unwanted pop-ups and system freezes.

I could use all the help needed to fix this problem, please.



#2 Orange Blossom
    OBleepin Investigator
  • Moderator
  • 36,911 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 29 February 2008 - 01:56 AM

Hello gwj5035 and welcome to BC :flowers:

Can you describe the pop-ups? What do they say? What shape, color, etc. are they?

Have you tried running your security programs in Safe Mode?

At this point, I would like you to run a scan with SUPERAntiSpyware in Safe Mode. You will, of course, install it in Normal Mode. You may want to print out these directions or copy them to notepad so you will have them available in safe mode.

Download and install SUPERAntiSpyware free found here: SUPERAntiSpyware

Be sure to click on the download button to the left, not on the free trial download on the right.

  • Install it and double-click the icon on your desktop to run it.
  • It will ask if you want to update the program definitions; click Yes.
  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked:
      o Close browsers before scanning
      o Scan for tracking cookies
      o Terminate memory threats before quarantining.
    Please leave the others unchecked.
  • Click the Close button to leave the control center screen.
  • Reboot into Safe Mode.
  • On the main screen, under Scan for Harmful Software, click Scan your computer.
  • On the left check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and, if it asks if you want to reboot, click Yes.
  • Reboot into Normal Mode.

To retrieve the removal information for me please do the following:
  • After reboot, double-click the SUPERAntiSpyware icon on your desktop.
  • Click Preferences. Click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • It will open in your default text editor (such as Notepad/Wordpad).
  • Please highlight everything in the notepad, then right-click and choose copy.
  • Click close and close again to exit the program.

Please post the log in your next reply.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 gwj5035
  • Topic Starter
  • Members
  • 19 posts
  • Location:Southern Delaware

Posted 29 February 2008 - 07:56 PM

Hi Orange Blossom.

Thank you for the quick response to my problem. Everything you asked for went very smoothly. The copy of the "SCAN LOG" is at the end of this post. To answer your questions regarding the pop-ups, this is the best I can do. Most of them are full-page web sites, like a full eBay page (not sure what it refers to because I have never encountered anything like it in my normal use of eBay); there are three other web pages that are regulars, but I never noticed what they were related to. I participate in a photo forum that has pop-ups of its own, which are mostly camera adverts in a strip about 1/8th of the page. When the unwanted pop-up adverts show up they are an advert other than the cameras, and most of the time it is naked women. I am not sure what adware comes to visit me when IE freezes up and makes me shut down IE and then restart it. There have been no more than 3 times when the entire computer froze and forced me to power down and reboot. That is the best I can do for you. If it continues I will take notes now that I know what you are looking for.

I forgot to mention an error message I received when booting up after the SuperAntiSpyware run. The message was "ERROR LOADING C:\WINNT\SYSTEM32\SYFOGYFOA.DLL". I clicked the OK button and the boot continued with no more hitches. I wanted to surf my normal sites before I posted this note to you. I have been surfing for almost 2 hrs. with no unwanted spyware/malware pages showing up. If this problem of mine is gone, all I can say is THANK YOU for all your help.



SUPERAntiSpyware Scan Log http://www.superantispyware.com

Generated 02/29/2008 at 05:41 PM

Application Version : 4.0.1152

Core Rules Database Version : 3412
Trace Rules Database Version: 1404

Scan type : Complete Scan
Total Scan Time : 04:28:43

Memory items scanned : 183
Memory threats detected : 2
Registry items scanned : 6340
Registry threats detected : 17
File items scanned : 159035
File threats detected : 72

Adware.Vundo-Variant/PolyMorph-A
C:\WINNT\SYSTEM32\NNNOPPQ.DLL
C:\WINNT\SYSTEM32\NNNOPPQ.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{182C7ED7-E56D-4509-9D9B-AC49318D9895}
HKCR\CLSID\{182C7ED7-E56D-4509-9D9B-AC49318D9895}
HKCR\CLSID\{182C7ED7-E56D-4509-9D9B-AC49318D9895}\InprocServer32
HKCR\CLSID\{182C7ED7-E56D-4509-9D9B-AC49318D9895}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{182C7ED7-E56D-4509-9D9B-AC49318D9895}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\nnnoppq
C:\SYSTEM VOLUME INFORMATION\_RESTORE{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP1520\A0349140.DLL

Adware.Vundo Variant/Resident
C:\WINNT\SYSTEM32\YABXW.DLL
C:\WINNT\SYSTEM32\YABXW.DLL

Adware.Vundo-Variant/Small-A
HKLM\Software\Classes\CLSID\{fc810d86-a75e-4b13-833b-ae689c53aea4}
HKCR\CLSID\{FC810D86-A75E-4B13-833B-AE689C53AEA4}
HKCR\CLSID\{FC810D86-A75E-4B13-833B-AE689C53AEA4}\InprocServer32
HKCR\CLSID\{FC810D86-A75E-4B13-833B-AE689C53AEA4}\InprocServer32#ThreadingModel
C:\WINNT\SYSTEM32\CQWVXQSM.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fc810d86-a75e-4b13-833b-ae689c53aea4}
C:\SYSTEM VOLUME INFORMATION\_RESTORE{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP1520\A0348999.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP1520\A0349000.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP1522\A0351491.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP1522\A0351708.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP1524\A0351740.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP1524\A0351741.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP1525\A0351828.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP1525\A0351829.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP1526\A0351916.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP1526\A0351917.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP1528\A0352062.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP1528\A0352063.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP1529\A0352150.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP1529\A0352151.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP1530\A0352241.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP1530\A0352242.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP1531\A0352333.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP1531\A0352334.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP1532\A0352426.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP1532\A0352427.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP1533\A0352518.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP1533\A0352519.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP1534\A0352609.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP1534\A0352610.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP1535\A0352700.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP1535\A0352701.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP1536\A0352791.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP1536\A0352792.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP1537\A0352882.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP1537\A0352883.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP1538\A0354067.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP1538\A0354099.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP1539\A0354249.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP1541\A0354700.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP1541\A0354778.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP1651\A0370763.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP1651\A0370764.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP1651\A0371087.DLL
C:\WINNT\SYSTEM32\CROKLUXO.DLL
C:\WINNT\SYSTEM32\CYVKQWEH.DLL
C:\WINNT\SYSTEM32\MWQVSFOK.DLL
C:\WINNT\SYSTEM32\NRCYBYOH.DLL
C:\WINNT\SYSTEM32\SFOGYFOA.DLL
C:\WINNT\SYSTEM32\XBETPDCH.DLL

Adware.Vundo-Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E3CC301D-0A93-4339-B200-6BDBFDDC3BEB}
HKCR\CLSID\{E3CC301D-0A93-4339-B200-6BDBFDDC3BEB}
HKCR\CLSID\{E3CC301D-0A93-4339-B200-6BDBFDDC3BEB}\InprocServer32
HKCR\CLSID\{E3CC301D-0A93-4339-B200-6BDBFDDC3BEB}\InprocServer32#ThreadingModel
C:\SYSTEM VOLUME INFORMATION\_RESTORE{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP1520\A0349136.DLL

Adware.Tracking Cookie
C:\Documents and Settings\George\Cookies\george@oasc02.247realmedia[1].txt
C:\Documents and Settings\George\Cookies\george@anad.tacoda[1].txt
C:\Documents and Settings\George\Cookies\george@ad.yieldmanager[2].txt
C:\Documents and Settings\George\Cookies\george@atdmt[2].txt
C:\Documents and Settings\George\Cookies\george@oasc09.247realmedia[1].txt
C:\Documents and Settings\George\Cookies\george@ads.cnn[1].txt
C:\Documents and Settings\George\Cookies\george@247realmedia[2].txt
C:\Documents and Settings\George\Cookies\george@www.burstnet[1].txt
C:\Documents and Settings\George\Cookies\george@bs.serving-sys[1].txt
C:\Documents and Settings\George\Cookies\george@clickbank[1].txt
C:\Documents and Settings\George\Cookies\george@partner2profit[1].txt
C:\Documents and Settings\George\Cookies\george@specificclick[2].txt
C:\Documents and Settings\George\Cookies\george@cgi-bin[2].txt
C:\Documents and Settings\George\Cookies\george@tacoda[2].txt
C:\Documents and Settings\George\Cookies\george@mediaplex[2].txt
C:\Documents and Settings\George\Cookies\george@ad2.fotki[1].txt
C:\Documents and Settings\George\Cookies\george@serving-sys[2].txt
C:\Documents and Settings\George\Cookies\george@2o7[2].txt
C:\Documents and Settings\George\Cookies\george@advertising[1].txt
C:\Documents and Settings\George\Cookies\george@msnportal.112.2o7[1].txt
C:\Documents and Settings\George\Cookies\george@questionmarket[2].txt
C:\Documents and Settings\George\Cookies\george@adinterax[2].txt

Trojan.Unknown Origin
HKLM\Software\xpre
HKLM\Software\xpre#execount

Adware.Vundo Variant/Rel
C:\WINNT\SYSTEM32\MCRH.TMP


#4 Orange Blossom
    OBleepin Investigator
  • Moderator
  • 36,911 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 01 March 2008 - 02:10 AM

Hello gwj5035,

Among other things, you have a Vundo infection. Please follow the directions in this guide. If you have any questions as you go through it, please post them as a reply to this thread. When you have completed the guide, please post the Vundo log as a reply to this thread.

The message you got when booting up is caused by a left over registry key. SuperAntiSpyware removed the file referenced by that key. We can take care of the left over key later.

Orange Blossom :thumbsup:

#5 gwj5035
  • Topic Starter
  • Members
  • 19 posts
  • Location:Southern Delaware

Posted 01 March 2008 - 05:39 PM

Hi Orange Blossom:

Ran the Vundo program and it found two files (amlqrqma.dll -- atmpvcn.dll) and deleted them. Now after booting I get a message that registry editing has been disabled, and that Task Manager has been disabled by the administrator when I try to use it. I am still getting the error message about not being able to load the C:\WINNT\SYSTEM32 file it can't find, which you said we would take care of later. The other thing that happened is that two requests were blocked by ZoneAlarm. MRMONEY.EXE and MSICONF.EXE requested access to the internet and I denied both requests. Looking forward to your next step in fixing my virus problem. While I am typing this, a pop-up just appeared:

Malware Alert!

Warning! Trojan Adware, W32.ExpDwnldr spyware detected. This Trojan allows attackers to access your computer from remote locatiions, stealing passwords, Internetnet banking and personal data. This also prompts advertising popups. This process is a security risk and should be removed from your system.

Type: Trojan Horse
System Affected Windows 98, 2000, NT4, ME, XP
Security Risk (0-5): 4
Recommendations: Click 'Yes' to get all available antispyware software

A Yes & No button at the bottom of the warning

I hit the No button and it disappeared.

Not sure if this means we still have a problem.

P.S. Just read you last post again and noticed that you asked for the log from the Vundo run. There was no log generated.


#6 Orange Blossom
    OBleepin Investigator
  • Moderator
  • 36,911 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 01 March 2008 - 09:20 PM

Hello gwj5035,

You will find the Vundofix log here: C:\vundofix.txt To get there, go to My Computer. Open it, then open Local Disk. You will find the file listed in there. Open the file. It will open in notepad. Select all --> Copy then paste into the text screen in your reply.

Orange Blossom :thumbsup:

#7 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,072 posts
  • Gender:Male
  • Location:NJ USA

Posted 01 March 2008 - 10:27 PM

Hello. After running Orange Blossom's suggestion and copying the log, follow the instructions in the BC tutorial on using SDFix. Copy/paste that log also. Instructions are in the tutorial. In case you miss it, the SDFix report will be saved into the SDFix folder as Report.txt.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#8 gwj5035
  • Topic Starter
  • Members
  • 19 posts
  • Location:Southern Delaware

Posted 02 March 2008 - 03:06 AM

Hi Orange Blossom:

The two logs that you and boopme requested:



VundoFix V6.7.10

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 2:22:02 PM 3/1/2008

Listing files found while scanning....

C:\WINNT\system32\amlqrqma.dll
C:\WINNT\system32\djsdstpu.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\amlqrqma.dll
C:\WINNT\system32\amlqrqma.dll Could not be deleted.

Attempting to delete C:\WINNT\system32\djsdstpu.dll
C:\WINNT\system32\djsdstpu.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINNT\system32\amlqrqma.dll
C:\WINNT\system32\amlqrqma.dll Has been deleted!

Performing Repairs to the registry.
Done!

****************************************

SDFix: Version 1.150

Run by George on Sun 03/02/2008 at 02:31 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINNT\SYSTEM32\ATMPVCN.DLL - Deleted
C:\WINNT\system32\msiconf.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-02 02:37:56
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

C:\Documents and Settings\George\Local Settings\Temporary Internet Files\Content.IE5\9O8J990X\search[1].: 17550 bytes hidden from API
C:\Documents and Settings\George\Local Settings\Temporary Internet Files\Content.IE5\GOBBD3Z5\ShowFolder[1].: 45615 bytes hidden from API
C:\Documents and Settings\George\Local Settings\Temporary Internet Files\Content.IE5\ORDJUMFP\ShowFolder[1].: 38988 bytes hidden from API

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 3


Remaining Services :



Authorized Application Key Export:

Remaining Files :


File Backups: - C:\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 6 Aug 2007 24 ..SH. --- "C:\WINNT\SAA008252.tmp"
Wed 27 Feb 2008 692,581 A..H. --- "C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP1541\A0356844.exe"
Wed 27 Feb 2008 692,581 A..H. --- "C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP1541\A0358841.exe"
Thu 28 Feb 2008 692,581 A..H. --- "C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP1652\A0376487.exe"
Sat 21 Jun 2003 377,344 A..H. --- "C:\Program Files\Smart Projects\IsoBuster\Help\AHlp.exe"
Mon 28 Jan 2008 121,616 A..H. --- "C:\WINNT\SoftwareDistribution\Download\0077a7fa5d15590d526d63a5048a5445\BIT14.tmp"
Fri 1 Jun 2007 104,090 A..H. --- "C:\WINNT\SoftwareDistribution\Download\0c114cf5b19927cfea8b29c83de1ed86\BIT20.tmp"
Fri 1 Sep 2006 563,000 A..H. --- "C:\WINNT\SoftwareDistribution\Download\0f8a5d0d09e527fa35dec9e085d4b802\BIT7.tmp"
Mon 30 Apr 2007 154,875 A..H. --- "C:\WINNT\SoftwareDistribution\Download\131ae35a2f5be2cefedd349d083bb253\BITE.tmp"
Mon 6 Aug 2007 101,992 A..H. --- "C:\WINNT\SoftwareDistribution\Download\1950380ad27a186ad7b25c1e483494eb\BIT23.tmp"
Fri 30 Mar 2007 155,539 A..H. --- "C:\WINNT\SoftwareDistribution\Download\29f79ad83880337acafe2a37966d9d29\BIT1C.tmp"
Tue 20 Nov 2007 102,217 A..H. --- "C:\WINNT\SoftwareDistribution\Download\30afadc4c35db2f5d8b4c076a49edc7b\BIT11.tmp"
Fri 1 Dec 2006 150,954 A..H. --- "C:\WINNT\SoftwareDistribution\Download\33831624a2e810dc854ea2f820d0dd53\BIT17.tmp"
Fri 29 Jun 2007 797,088 A..H. --- "C:\WINNT\SoftwareDistribution\Download\379c3e87f4016899bd06cdf1184d31ce\BIT22.tmp"
Thu 24 Jan 2008 102,287 A..H. --- "C:\WINNT\SoftwareDistribution\Download\37fefde58a963f27982e5f97ce053f7f\BIT24.tmp"
Fri 1 Jun 2007 101,807 A..H. --- "C:\WINNT\SoftwareDistribution\Download\393673217fc83f2b990ca70aa98f1df8\BIT12.tmp"
Mon 5 Feb 2007 905,077 A..H. --- "C:\WINNT\SoftwareDistribution\Download\40a830826de015286a7a5523023b1e09\BIT2C.tmp"
Fri 1 Feb 2008 15,452,536 A..H. --- "C:\WINNT\SoftwareDistribution\Download\410ff09308a833491dba7686f0aee2eb\BIT8.tmp"
Sat 4 Nov 2006 152,128 A..H. --- "C:\WINNT\SoftwareDistribution\Download\4387300ca1dcf29784a47c30e67cb637\BIT13.tmp"
Tue 2 Oct 2007 101,939 A..H. --- "C:\WINNT\SoftwareDistribution\Download\4b6ccd5ccf72ffca11e7f7e0165f2082\BIT19.tmp"
Tue 20 Nov 2007 102,191 A..H. --- "C:\WINNT\SoftwareDistribution\Download\4bc27de79804b640a2e67eda87fe6cda\BIT16.tmp"
Mon 13 Dec 2004 393,448 A..H. --- "C:\WINNT\SoftwareDistribution\Download\4e28cc4378cd0807778e1b0917bd6312\BIT10.tmp"
Fri 11 May 2007 2,391,944 A..H. --- "C:\WINNT\SoftwareDistribution\Download\4f686eb18ed8be61735e890e67439840\BITD.tmp"
Fri 29 Jun 2007 155,642 A..H. --- "C:\WINNT\SoftwareDistribution\Download\50d0c9ff929a7477233edd0771ffdb01\BIT2E.tmp"
Sat 4 Nov 2006 151,852 A..H. --- "C:\WINNT\SoftwareDistribution\Download\526e15b6e1b5300357490c8089b5f84e\BIT2A.tmp"
Fri 11 May 2007 1,266,056 A..H. --- "C:\WINNT\SoftwareDistribution\Download\582374c56f566bb2a83a59d0c2cd7d87\BIT27.tmp"
Fri 30 Nov 2007 2,166,832 A..H. --- "C:\WINNT\SoftwareDistribution\Download\58bdbebf00a24cdeedc76ed657f83982\BIT1B.tmp"
Mon 5 Feb 2007 98,851 A..H. --- "C:\WINNT\SoftwareDistribution\Download\6b5f9b6e24a379bdb34ad3589556de3e\BIT37.tmp"
Fri 22 Sep 2006 1,035,576 A..H. --- "C:\WINNT\SoftwareDistribution\Download\766381a942932b57d990db792db86b6e\BIT31.tmp"
Mon 7 Feb 2005 332,520 A..H. --- "C:\WINNT\SoftwareDistribution\Download\86c1313b3b7233a513215d577f5db5c4\BIT25.tmp"
Mon 6 Aug 2007 154,933 A..H. --- "C:\WINNT\SoftwareDistribution\Download\881d7070640a4412a784782616794afa\BIT2D.tmp"
Wed 6 Sep 2006 151,127 A..H. --- "C:\WINNT\SoftwareDistribution\Download\8a10de02595aa748279afc6c628f49a8\BIT1E.tmp"
Sat 31 Mar 2007 103,538 A..H. --- "C:\WINNT\SoftwareDistribution\Download\972f9ceb5c3be430fe6cdcb43653d74d\BIT21.tmp"
Tue 20 Nov 2007 104,775 A..H. --- "C:\WINNT\SoftwareDistribution\Download\a0d1667f129d439fad31a81898b17830\BIT1D.tmp"
Fri 1 Dec 2006 151,441 A..H. --- "C:\WINNT\SoftwareDistribution\Download\aa19f15378aa75d2b2c7ba5771e0c521\BIT18.tmp"
Fri 2 Nov 2007 3,109,928 A..H. --- "C:\WINNT\SoftwareDistribution\Download\ab9217b6e5750f9481b4ee261d21b730\BIT35.tmp"
Tue 2 Oct 2007 875,912 A..H. --- "C:\WINNT\SoftwareDistribution\Download\ac396c0c2d53942a12157d0ad3c4135a\BIT30.tmp"
Tue 20 Nov 2007 102,476 A..H. --- "C:\WINNT\SoftwareDistribution\Download\b6bef673c2e4e242a39946c4931e8a98\BIT32.tmp"
Fri 30 Mar 2007 101,875 A..H. --- "C:\WINNT\SoftwareDistribution\Download\b79f0480d592be3a8c6db381ffc0c693\BIT29.tmp"
Fri 24 Sep 2004 4,548,840 A..H. --- "C:\WINNT\SoftwareDistribution\Download\bc7d0f6ab3aa3bf7be4e2f411369f85d\BIT6.tmp"
Fri 30 Mar 2007 102,508 A..H. --- "C:\WINNT\SoftwareDistribution\Download\c1b0851ac9312d2f7e1ab716c11967b5\BIT1A.tmp"
Fri 1 Dec 2006 151,050 A..H. --- "C:\WINNT\SoftwareDistribution\Download\c3c3c6d9de8be474641d4bbceb22a36f\BIT1F.tmp"
Mon 6 Aug 2007 155,625 A..H. --- "C:\WINNT\SoftwareDistribution\Download\c87932aedce288373d0b6a6c23f00c8a\BIT15.tmp"
Thu 20 Dec 2007 101,803 A..H. --- "C:\WINNT\SoftwareDistribution\Download\ca6c24ab62fe8433c5d63bb11a2e5a2c\BIT28.tmp"
Fri 30 Jun 2006 150,147 A..H. --- "C:\WINNT\SoftwareDistribution\Download\d1c98689cdcd0ea9312780ffc77a2cbe\BITF.tmp"
Mon 17 Apr 2006 149,979 A..H. --- "C:\WINNT\SoftwareDistribution\Download\d378d94379aa314a2f8a03df7faef1bc\BIT2B.tmp"
Fri 30 Mar 2007 157,600 A..H. --- "C:\WINNT\SoftwareDistribution\Download\d820fbd6e1527bc9c51d0c3b240b96fd\BIT33.tmp"
Mon 5 Feb 2007 98,994 A..H. --- "C:\WINNT\SoftwareDistribution\Download\d8816d09f86abbe0c321ddc90d5c0948\BIT34.tmp"
Sat 4 Nov 2006 152,048 A..H. --- "C:\WINNT\SoftwareDistribution\Download\e7d26e5776f9930c6ad9dff351940707\BIT2F.tmp"
Mon 5 Feb 2007 151,147 A..H. --- "C:\WINNT\SoftwareDistribution\Download\ee52836d5c671146809a1dc54498be1f\BIT36.tmp"
Fri 29 Jun 2007 102,501 A..H. --- "C:\WINNT\SoftwareDistribution\Download\f1717a50ad70787e0b2e37537d202992\BIT26.tmp"
Fri 1 Jun 2007 154,945 A..H. --- "C:\WINNT\SoftwareDistribution\Download\fc75a45b73372bd0c2a61e3a51d766ff\BITC.tmp"
Mon 5 Feb 2007 5,662 A..H. --- "C:\WINNT\SoftwareDistribution\Download\299966e551b4462ae94e39e251e277b6\download\BITB.tmp"
Tue 20 Nov 2007 18,846 A..H. --- "C:\WINNT\SoftwareDistribution\Download\304c19f1612f37ffa8967147d3cb7464\download\BIT38.tmp"
Fri 25 Jan 2008 128,112 A..H. --- "C:\WINNT\SoftwareDistribution\Download\ed6cff8bccff865b52b93292e144ada6\download\BIT39.tmp"

Finished!

#9 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,072 posts
  • Gender:Male
  • Location:NJ USA

Posted 02 March 2008 - 11:04 AM

Hi George, you have removed a lot of malware. How is the PC running now? Is it faster, and are the pop-ups gone?

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE)6 Update 4...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "English".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.

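The removal steps above rely on spotting every old "Java Runtime Environment" entry by eye in Add/Remove Programs. The following is an added PowerShell example, not part of boopme's instructions, that lists every Java install registered in the standard Uninstall registry keys so nothing is missed before and after the cleanup. It is read-only and assumes a Windows version that ships PowerShell 3 or later (the XP SP1 machine in this thread predates it; there, the GUI steps above are the way).

```powershell
# Added example, not from the thread: enumerate Java Runtime installs registered in
# Add/Remove Programs (the Uninstall registry keys) so leftover old versions are visible.
# Read-only. Assumes Windows PowerShell 3+ with HKLM readable.

function Get-InstalledJava {
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        # 32-bit JRE on 64-bit Windows registers under WOW6432Node
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem $root | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            # Matches names such as "Java(TM) 6 Update 4", "Java 8 Update 291",
            # "J2SE Runtime Environment 5.0 Update 6" (the JRE or J2SE names the post refers to)
            if ($p.DisplayName -match '^(Java|J2SE)') {
                [pscustomobject]@{
                    Name      = $p.DisplayName
                    Version   = $p.DisplayVersion
                    Publisher = $p.Publisher
                    KeyName   = $_.PSChildName   # the id Add/Remove Programs keys the entry by
                }
            }
        }
    }
}

# Sort by real version numbers rather than strings, so "1.5.0.60" sorts below "6.0.40"
$installed = @(Get-InstalledJava | Sort-Object { try { [version]$_.Version } catch { [version]'0.0' } })
$installed | Format-Table -AutoSize

if ($installed.Count -gt 1) {
    Write-Warning ("{0} Java installs present; the advice above is to remove every one except the newest ({1})." -f $installed.Count, $installed[-1].Name)
} elseif ($installed.Count -eq 0) {
    Write-Output 'No Java Runtime registered in Add/Remove Programs.'
}
```

Run it once before the uninstall round to get the list, and once after the reboot: the second run should show exactly one entry, the freshly installed version.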

#10 gwj5035
  • Topic Starter
  • Members
  • 19 posts
  • Location:Southern Delaware

Posted 02 March 2008 - 02:52 PM

Hey boopme:

I took care of the Java files and now only have one installed. I have been surfing for about 12 hours since my last fix and have not had one pop-up/spyware/trojan or malware message on the system. I also do notice a speed improvement in system operations. Once again I want to say thank you to you and Orange Blossom for all the help in ridding my system of all the problems. Now just one last thing to bring to your attention. After the computer boots to my desktop I get two messages. 1st message: RUNDLL ERROR - Error loading C:\WINNT\SYSTEM32\sjlbuunf.dll, and 2nd message: same for the file amlqrma.dll. There doesn't seem to be any operation problem, just sort of a pain having to delete both after each boot. Thanks to both of you for all of the help and advice.


#11 Orange Blossom
    OBleepin Investigator
  • Moderator
  • 36,911 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 02 March 2008 - 02:59 PM

Hello gwj5035,

I'm glad things are working better for you now. The error messages you are getting are the result of the registry saying, "Load this file" and the computer saying, "It's not there." In your case, these files are deleted malware files. To resolve this, download Autoruns, search for the related entry and then delete it.
  • Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this.)
  • Open the folder and double-click on autoruns.exe to launch it.
  • Please be patient as it scans and populates the entries.
  • When done scanning, it will say Ready at the bottom.
  • Scroll through the list and look for a startup entry related to the file(s) in the error message.
  • Right-click on the entry and choose delete.
  • Reboot your computer and see if the startup error returns.
Let us know if that solves the problem for you.

Orange Blossom :thumbsup:
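Both the leftover-key explanation in post #4 and the RUNDLL error explanation in post #11 come down to the same thing: an autostart entry in the registry still points at a DLL or EXE that the cleanup tools deleted. Autoruns shows such entries with a "File not found" marker; the script below is an added PowerShell example (not from the thread, not Autoruns) that does the same check from the command line for the locations that appear in this thread's logs: the Run/RunOnce keys, Winlogon Notify packages, Browser Helper Objects and ShellExecuteHooks. It only reports; it deletes nothing. It assumes PowerShell 3 or later run from an elevated prompt, so it would not run on the XP SP1 machine here, and the helper names (Resolve-CommandPath, Test-TargetMissing) are this example's own.

```powershell
# Added example, not from the thread: report autostart entries whose target file no longer
# exists (the cause of "Error loading ...dll" at logon). Read-only. Assumes PowerShell 3+,
# run elevated so HKLM and HKCR are readable. Helper names below are this example's own.

function Resolve-CommandPath {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    # "rundll32 path\x.dll,Entry" loads the DLL, so that is the file to check, not rundll32 itself
    if ($c -match '^"?(?:.*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+)') { return $Matches[1] }
    if ($c -match '^"([^"]+)"') { return $Matches[1] }          # quoted path, may contain spaces
    if ($c -match '^(\S+\.(?:exe|dll|cpl|scr))(\s|$)') { return $Matches[1] }
    return ($c -split '\s+')[0]
}

function Test-TargetMissing {
    param([string]$Path)
    if (-not $Path) { return $false }
    # Bare names (like the "nnnoppq" Notify entry in the SAS log) are loaded from System32
    if ($Path -notmatch '[\\/]') {
        $candidate = Join-Path $env:SystemRoot ("System32\" + $Path)
        if (-not [IO.Path]::HasExtension($candidate)) { $candidate += '.dll' }
        $Path = $candidate
    }
    return -not (Test-Path -LiteralPath $Path -PathType Leaf)
}

$findings = @()

# 1. Run / RunOnce keys, per machine and per user
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # skip PowerShell's own PSPath/PSParentPath properties
        $target = Resolve-CommandPath $p.Value
        if (Test-TargetMissing $target) {
            $findings += [pscustomobject]@{ Location = "$k\$($p.Name)"; Target = $target }
        }
    }
}

# 2. Winlogon Notify packages: each subkey names its DLL in the DllName value
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notify) {
    Get-ChildItem $notify | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath).DllName
        if (Test-TargetMissing $dll) {
            $findings += [pscustomobject]@{ Location = $_.PSPath; Target = $dll }
        }
    }
}

# 3. Browser Helper Objects (subkeys) and ShellExecuteHooks (value names) are CLSIDs;
#    the DLL behind each is the default value of HKCR\CLSID\{guid}\InprocServer32
$clsidHosts = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'; Mode = 'Subkeys' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks';      Mode = 'Values'  }
)
foreach ($h in $clsidHosts) {
    if (-not (Test-Path $h.Key)) { continue }
    $guids = if ($h.Mode -eq 'Subkeys') {
        (Get-ChildItem $h.Key).PSChildName
    } else {
        (Get-ItemProperty $h.Key).PSObject.Properties | Where-Object { $_.Name -like '{*}' } | ForEach-Object Name
    }
    foreach ($g in $guids) {
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$g\InprocServer32"
        $dll = if (Test-Path $server) { (Get-ItemProperty $server).'(default)' } else { $null }
        # A CLSID with no InprocServer32 at all is just as orphaned as one pointing at a deleted DLL
        if (-not $dll -or (Test-TargetMissing $dll)) {
            $findings += [pscustomobject]@{ Location = "$($h.Key)\$g"; Target = $dll }
        }
    }
}

if ($findings.Count -eq 0) { Write-Output 'No orphaned autostart entries found.' }
else { $findings | Format-Table -AutoSize }
```

Each reported Location is the registry entry that would have to go, and Target is the file it still points at; compare the list with what Autoruns shows before deleting anything, since an entry that references a missing file is harmless by itself and the real question is whether the remaining, present files are clean.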

#12 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,072 posts
  • Gender:Male
  • Location:NJ USA

Posted 02 March 2008 - 03:02 PM

Hello things are looking good. After running Auturuns ,clear out anything else with this...
Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only)Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Edited by boopme, 02 March 2008 - 03:06 PM.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#13 gwj5035

gwj5035
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Location:Southern Delaware
  • Local time:04:53 PM

Posted 03 March 2008 - 12:18 PM

Hey boopme, Orange Blossom:

Did all that both of you asked me to do. No more error message "RUNDLL ERROR". It seems that SuperAntiSpyware and Avast are both running in the background and monitoring the system. Do I need both? If not, which one to turn off? I know this sounds like a broken record but I can't help it. The speed and everything else that has been done by the both of you to help me in getting rid of my problem has been ..... what can I say? Thanks again to both of you.


#14 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,911 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:05:53 PM

Posted 03 March 2008 - 12:28 PM

Hello gwj5035,

I'm glad we could help.

It seems that SuperAntiSpyware and Avast are both running in the background and monitoring the system. Do I need both?


Having both run in the background is fine as AVAST is an Anti-Virus, and SUPERAntiSpyware is an Anti-Spyware program. They look for different things. The free version of SAS will cease to run in the background after 30 days, so if you wish to turn it off now you may do so. Make sure you keep it up to date and run a scan at least once a week.
-------
There are still a couple more things:

Some of the malware may have been saved in System Restore. To prevent possible reinfection, let's flush the restore points.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
Let us know when you've done that, and we'll give you some additional pointers for staying malware free. There are always new ways found to protect your computer.

Orange Blossom :thumbsup:

#15 gwj5035

gwj5035
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Location:Southern Delaware
  • Local time:04:53 PM

Posted 03 March 2008 - 03:59 PM

Hi Orange Blossom:

Not sure of what was happening so I terminated the running of Cleanmgr. This is what happened. Created a new restore point. Went to run and started cleanmgr.

Instead of getting the "More Options" Tab, I got a pop-up window that said "Disk Cleanup is calculating how much space you will be able to free on (C:). This may take a few minutes to complete. Scanning: Compress old files."

So I let it run for 15 mins. and figured something wasn't correct because the bar that shows progress wasn't updating. When I hit the Cancel button the pop-up disappeared but the Task Mgr still showed that cleanmgr.exe was @98% in the CPU column. I also noticed that when I first started cleanmgr it registered as an application running and when I hit the cancel button it no longer showed up as an application running. Waited about 5 more mins and this condition did not change. Highlighted the cleanmgr.exe process and ended process. Everything seemed to return to normal. So this is where I am now as I post this note.




