
Antispyware Master :o(



#1 jakkijax


Posted 23 April 2008 - 04:07 AM

I really hope someone can help me - we've definitely been infected. It's a nightmare!

But I am a real computer novice and have no idea what to do now. I've backed up all our files on external hard drive and disconnected from the internet for now, but I have no idea what to do next, and I keep getting conflicting information, or information I don't really understand! What are the first steps I should take to sort this out?

Thank you so much for any help anyone can give me!!

Jax


#2 quietman7


Posted 23 April 2008 - 08:52 AM

Welcome to BC jakkijax

Please download RogueRemover and save it to your Desktop. (compatible with Windows 2000, NT, XP, Vista)
  • Double-click on rr-free-setup.exe to install in C:\Program Files\RogueRemover and follow the prompts.
  • During installation an icon will automatically be created on your Desktop.
  • If the program does not open after installation, double-click on the RogueRemover icon to launch.
  • Select "Check for Updates" and click Download if any are found.
  • Wait for the updates to finish downloading, then Close the update window.
  • Select "Scan" and follow the onscreen directions to remove anything found.
  • If nothing is found, exit RogueRemover.
  • If RogueRemover finds something, it will present a list of detected items.
  • Click on Save log, then Ok at the prompt.
  • Click "Remove selected", then Yes at the prompt.
  • Wait for the removal to complete and then close RogueRemover.
  • A file will be created and saved at C:\Program Files\RogueRemover\RRLog******.txt
  • Post the contents of the RRLog file in your next reply.
If using Windows Vista, be sure to Run As Administrator.

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 jakkijax


Posted 24 April 2008 - 04:02 AM

Thank you so much! I'll print that all out and try it tonight. :thumbsup:

#4 quietman7


Posted 24 April 2008 - 07:39 AM

Ok. Don't forget to post the results of your scans and let me know how your computer is running when done.

#5 jakkijax


Posted 27 April 2008 - 05:50 AM

Hooray!! I finally got a chance to do it (it took ages - we had a LOT of things for the scan to pick up!) and everything seems to be running ok now. *touch wood*

I'll post the logs below:

RogueRemover logs

Malwarebytes' RogueRemover
Malwarebytes 2007 http://www.malwarebytes.org
6213 total fingerprints loaded.

Loading database ...
Expanding environmental variables ...

Scanning files ... [ 100% ].
Scanning folders ... [ 100% ].
Scanning registry keys ... [ 100% ].
Scanning registry values ... [ 100% ].

RogueRemover has detected rogue antispyware components! Results below...

Type: File
Vendor: Rogue.Misc
Location: C:\Documents and Settings\Jon Whysall\Desktop\Privacy Protector.url
Selected for removal: Yes

Type: File
Vendor: Rogue.Misc
Location: C:\Documents and Settings\Jon Whysall\Desktop\Spyware&Malware Protection.url
Selected for removal: Yes

Type: File
Vendor: Rogue.Misc
Location: C:\Documents and Settings\Jon Whysall\Desktop\Error Cleaner.url
Selected for removal: Yes

Type: Folder
Vendor: Rogue.Misc
Location: C:\WINDOWS\privacy_danger
Selected for removal: Yes

Type: Folder
Vendor: VirusIsolator
Location: C:\Program Files\VirusIsolator
Selected for removal: Yes

Type: Registry Key
Vendor: Registry Doc 2006
Location: HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
Selected for removal: Yes

Type: Registry Key
Vendor: Rogue.Misc
Location: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSVPS.MSVPSApp
Selected for removal: Yes

Type: Registry Key
Vendor: Rogue.Misc
Location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VideoPlugin
Selected for removal: Yes

Type: Registry Key
Vendor: Rogue.Misc
Location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebVideo
Selected for removal: Yes

Type: Registry Key
Vendor: VirusIsolator
Location: HKEY_CURRENT_USER\Software\VirusIsolator
Selected for removal: Yes

RogueRemover has found the objects above.


Malwarebytes' RogueRemover
Malwarebytes 2007 http://www.malwarebytes.org
6213 total fingerprints loaded.

Loading database ...
Expanding environmental variables ...

Scanning files ... [ 100% ].
Scanning folders ... [ 100% ].
Scanning registry keys ... [ 100% ].
Scanning registry values ... [ 100% ].

RogueRemover has detected rogue antispyware components! Results below...

Type: Folder
Vendor: VirusIsolator
Location: C:\Program Files\VirusIsolator
Selected for removal: Yes

RogueRemover has found the objects above.

The SUPERAntispyware logs

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/26/2008 at 02:28 PM

Application Version : 4.0.1154

Core Rules Database Version : 3448
Trace Rules Database Version: 1440

Scan type : Complete Scan
Total Scan Time : 02:57:15

Memory items scanned : 183
Memory threats detected : 2
Registry items scanned : 5315
Registry threats detected : 67
File items scanned : 83233
File threats detected : 77

Trojan.Vundo-Variant/F
C:\WINDOWS\SYSTEM32\PMNNKHBS.DLL
C:\WINDOWS\SYSTEM32\PMNNKHBS.DLL
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\pmnnkHBS

Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\WVUKLDST.DLL
C:\WINDOWS\SYSTEM32\WVUKLDST.DLL

Trojan.Downloader-AntiViirus
[antiviirus] C:\PROGRAM FILES\ANTIVIIRUS.EXE
C:\PROGRAM FILES\ANTIVIIRUS.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#antiviirus [ C:\Program Files\antiviirus.exe ]

Rogue.VirusIsolator
[VirusIsolator.exe] C:\PROGRAM FILES\VIRUSISOLATOR\VIRUSISOLATOR.EXE
C:\PROGRAM FILES\VIRUSISOLATOR\VIRUSISOLATOR.EXE
HKU\S-1-5-21-3781788454-3278028730-757414161-1006\Software\Microsoft\Windows\CurrentVersion\Run#VirusIsolator.exe [ C:\Program Files\VirusIsolator\VirusIsolator.exe ]
C:\Program Files\VirusIsolator\Infected
C:\Program Files\VirusIsolator\Suspicious
C:\Program Files\VirusIsolator\vscan.tsi
C:\Program Files\VirusIsolator\zlib.dll
C:\Program Files\VirusIsolator
C:\Documents and Settings\Jon Whysall\Application Data\Microsoft\Internet Explorer\Quick Launch\virusisolator.lnk
C:\DOCUMENTS AND SETTINGS\JON WHYSALL\LOCAL SETTINGS\TEMPMJIWEP0.EXE

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{3CAB59B4-55A3-4737-9FD5-B93C6430BF75}
HKCR\CLSID\{3CAB59B4-55A3-4737-9FD5-B93C6430BF75}
HKCR\CLSID\{3CAB59B4-55A3-4737-9FD5-B93C6430BF75}\InprocServer32
HKCR\CLSID\{3CAB59B4-55A3-4737-9FD5-B93C6430BF75}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\BRSIUHJV.DLL
HKLM\Software\Classes\CLSID\{6A6EAE1B-4AD6-4035-974D-504D6DBAA9C3}
HKCR\CLSID\{6A6EAE1B-4AD6-4035-974D-504D6DBAA9C3}
HKCR\CLSID\{6A6EAE1B-4AD6-4035-974D-504D6DBAA9C3}\InprocServer32
HKCR\CLSID\{6A6EAE1B-4AD6-4035-974D-504D6DBAA9C3}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CAB59B4-55A3-4737-9FD5-B93C6430BF75}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6A6EAE1B-4AD6-4035-974D-504D6DBAA9C3}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{6A6EAE1B-4AD6-4035-974D-504D6DBAA9C3}
HKCR\CLSID\{3CAB59B4-55A3-4737-9FD5-B93C6430BF75}
HKCR\CLSID\{6A6EAE1B-4AD6-4035-974D-504D6DBAA9C3}

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{3D91099B-562D-49EC-BDBD-78C5DE9CAED9}
HKCR\CLSID\{3D91099B-562D-49EC-BDBD-78C5DE9CAED9}
HKCR\CLSID\{3D91099B-562D-49EC-BDBD-78C5DE9CAED9}
HKCR\CLSID\{3D91099B-562D-49EC-BDBD-78C5DE9CAED9}\InprocServer32
HKCR\CLSID\{3D91099B-562D-49EC-BDBD-78C5DE9CAED9}\InprocServer32#ThreadingModel
HKCR\CLSID\{3D91099B-562D-49EC-BDBD-78C5DE9CAED9}\ProgID
HKCR\CLSID\{3D91099B-562D-49EC-BDBD-78C5DE9CAED9}\Programmable
HKCR\CLSID\{3D91099B-562D-49EC-BDBD-78C5DE9CAED9}\TypeLib
HKCR\CLSID\{3D91099B-562D-49EC-BDBD-78C5DE9CAED9}\VersionIndependentProgID
C:\WINDOWS\QTVGLPED.DLL
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{3D91099B-562D-49EC-BDBD-78C5DE9CAED9}
HKCR\qtvglped.1
HKCR\qtvglped
HKCR\TypeLib\{5A457828-B0A0-44DF-B5DE-373DFDD87ACC}
HKCR\TypeLib\{5A457828-B0A0-44DF-B5DE-373DFDD87ACC}\1.0
HKCR\TypeLib\{5A457828-B0A0-44DF-B5DE-373DFDD87ACC}\1.0\0
HKCR\TypeLib\{5A457828-B0A0-44DF-B5DE-373DFDD87ACC}\1.0\0\win32
HKCR\TypeLib\{5A457828-B0A0-44DF-B5DE-373DFDD87ACC}\1.0\FLAGS
HKCR\TypeLib\{5A457828-B0A0-44DF-B5DE-373DFDD87ACC}\1.0\HELPDIR
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#zip [ {d687103b-2741-4fba-aaa8-1ec6f9d8b77e} ]

MyWay Search Assistant Computers
HKLM\Software\Classes\CLSID\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}
HKCR\CLSID\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}
HKCR\CLSID\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}
HKCR\CLSID\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}\InprocServer32
HKCR\CLSID\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}\InprocServer32#ThreadingModel
HKCR\CLSID\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}\Programmable
C:\PROGRAM FILES\MYWAYSA\SRCHASDE\1.BIN\DESRCAS.DLL
HKLM\Software\Classes\CLSID\{4D25F926-B9FE-4682-BF72-8AB8210D6D75}
HKCR\CLSID\{4D25F926-B9FE-4682-BF72-8AB8210D6D75}
HKCR\CLSID\{4D25F926-B9FE-4682-BF72-8AB8210D6D75}
HKCR\CLSID\{4D25F926-B9FE-4682-BF72-8AB8210D6D75}\InprocServer32
HKCR\CLSID\{4D25F926-B9FE-4682-BF72-8AB8210D6D75}\InprocServer32#ThreadingModel
HKCR\CLSID\{4D25F926-B9FE-4682-BF72-8AB8210D6D75}\Programmable
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}
HKU\S-1-5-21-3781788454-3278028730-757414161-1006\Software\Microsoft\Internet Explorer\URLSearchHooks#{4D25F926-B9FE-4682-BF72-8AB8210D6D75}

Adware.SXGAdvisor-A
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4C9C9447-3658-44C9-8490-D96B0AB57C88}
HKCR\CLSID\{4C9C9447-3658-44C9-8490-D96B0AB57C88}
HKCR\CLSID\{4C9C9447-3658-44C9-8490-D96B0AB57C88}
HKCR\CLSID\{4C9C9447-3658-44C9-8490-D96B0AB57C88}\InprocServer32
HKCR\CLSID\{4C9C9447-3658-44C9-8490-D96B0AB57C88}\InprocServer32#ThreadingModel
HKCR\CLSID\{4C9C9447-3658-44C9-8490-D96B0AB57C88}\ProgID
HKCR\CLSID\{4C9C9447-3658-44C9-8490-D96B0AB57C88}\Programmable
HKCR\CLSID\{4C9C9447-3658-44C9-8490-D96B0AB57C88}\TypeLib
HKCR\CLSID\{4C9C9447-3658-44C9-8490-D96B0AB57C88}\VersionIndependentProgID
C:\WINDOWS\LGMXVPATGBN.DLL

Adware.Vundo-Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D856E0E4-8F55-4FDE-991A-A80CE3B1D357}
HKCR\CLSID\{D856E0E4-8F55-4FDE-991A-A80CE3B1D357}
HKCR\CLSID\{D856E0E4-8F55-4FDE-991A-A80CE3B1D357}\InprocServer32
HKCR\CLSID\{D856E0E4-8F55-4FDE-991A-A80CE3B1D357}\InprocServer32#ThreadingModel

Adware.Starware
C:\Documents and Settings\Jon Whysall\Application Data\Starware\BrowserSearch\BrowserSearch.xml
C:\Documents and Settings\Jon Whysall\Application Data\Starware\BrowserSearch\BrowserSearch.xml.backup
C:\Documents and Settings\Jon Whysall\Application Data\Starware\BrowserSearch
C:\Documents and Settings\Jon Whysall\Application Data\Starware\ErrorSearch\ErrorSearchOptions.xml
C:\Documents and Settings\Jon Whysall\Application Data\Starware\ErrorSearch\ErrorSearchOptions.xml.backup
C:\Documents and Settings\Jon Whysall\Application Data\Starware\ErrorSearch
C:\Documents and Settings\Jon Whysall\Application Data\Starware\Games\GamesOptions.xml
C:\Documents and Settings\Jon Whysall\Application Data\Starware\Games\GamesOptions.xml.backup
C:\Documents and Settings\Jon Whysall\Application Data\Starware\Games
C:\Documents and Settings\Jon Whysall\Application Data\Starware\Layouts\PreferencesLayout.xml
C:\Documents and Settings\Jon Whysall\Application Data\Starware\Layouts\PreferencesLayout.xml.backup
C:\Documents and Settings\Jon Whysall\Application Data\Starware\Layouts\ToolbarLayout.xml
C:\Documents and Settings\Jon Whysall\Application Data\Starware\Layouts\ToolbarLayout.xml.backup
C:\Documents and Settings\Jon Whysall\Application Data\Starware\Layouts
C:\Documents and Settings\Jon Whysall\Application Data\Starware\Manager\ManagerOptions.xml
C:\Documents and Settings\Jon Whysall\Application Data\Starware\Manager\ManagerOptions.xml.backup
C:\Documents and Settings\Jon Whysall\Application Data\Starware\Manager
C:\Documents and Settings\Jon Whysall\Application Data\Starware\PopupBlocker\PopupBlockerOptions.xml
C:\Documents and Settings\Jon Whysall\Application Data\Starware\PopupBlocker\PopupBlockerOptions.xml.backup
C:\Documents and Settings\Jon Whysall\Application Data\Starware\PopupBlocker
C:\Documents and Settings\Jon Whysall\Application Data\Starware\Reference\ReferenceOptions.xml
C:\Documents and Settings\Jon Whysall\Application Data\Starware\Reference\ReferenceOptions.xml.backup
C:\Documents and Settings\Jon Whysall\Application Data\Starware\Reference
C:\Documents and Settings\Jon Whysall\Application Data\Starware\RelatedSearch\RelatedSearchOptions.xml
C:\Documents and Settings\Jon Whysall\Application Data\Starware\RelatedSearch\RelatedSearchOptions.xml.backup
C:\Documents and Settings\Jon Whysall\Application Data\Starware\RelatedSearch
C:\Documents and Settings\Jon Whysall\Application Data\Starware\ScreenSavers\ScreenSaversOptions.xml
C:\Documents and Settings\Jon Whysall\Application Data\Starware\ScreenSavers\ScreenSaversOptions.xml.backup
C:\Documents and Settings\Jon Whysall\Application Data\Starware\ScreenSavers
C:\Documents and Settings\Jon Whysall\Application Data\Starware\SearchMatch\SearchMatchOptions.xml
C:\Documents and Settings\Jon Whysall\Application Data\Starware\SearchMatch\SearchMatchOptions.xml.backup
C:\Documents and Settings\Jon Whysall\Application Data\Starware\SearchMatch
C:\Documents and Settings\Jon Whysall\Application Data\Starware\SmileyTown\SmileyTownOptions.xml
C:\Documents and Settings\Jon Whysall\Application Data\Starware\SmileyTown\SmileyTownOptions.xml.backup
C:\Documents and Settings\Jon Whysall\Application Data\Starware\SmileyTown
C:\Documents and Settings\Jon Whysall\Application Data\Starware\Toolbar\TBProductsOptions.xml
C:\Documents and Settings\Jon Whysall\Application Data\Starware\Toolbar\TBProductsOptions.xml.backup
C:\Documents and Settings\Jon Whysall\Application Data\Starware\Toolbar
C:\Documents and Settings\Jon Whysall\Application Data\Starware\ToolbarLogo\ToolbarLogoOptions.xml
C:\Documents and Settings\Jon Whysall\Application Data\Starware\ToolbarLogo\ToolbarLogoOptions.xml.backup
C:\Documents and Settings\Jon Whysall\Application Data\Starware\ToolbarLogo
C:\Documents and Settings\Jon Whysall\Application Data\Starware\ToolbarSearch\ToolbarSearchOptions.xml
C:\Documents and Settings\Jon Whysall\Application Data\Starware\ToolbarSearch\ToolbarSearchOptions.xml.backup
C:\Documents and Settings\Jon Whysall\Application Data\Starware\ToolbarSearch
C:\Documents and Settings\Jon Whysall\Application Data\Starware\TravelSearch\TravelSearchOptions.xml
C:\Documents and Settings\Jon Whysall\Application Data\Starware\TravelSearch\TravelSearchOptions.xml.backup
C:\Documents and Settings\Jon Whysall\Application Data\Starware\TravelSearch
C:\Documents and Settings\Jon Whysall\Application Data\Starware
HKU\S-1-5-21-3781788454-3278028730-757414161-1006\Software\Starware

Trojan.Unknown Origin
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#pmsoarbf [ {DDA1D1A2-3541-459B-B1E4-D3993B3ED488} ]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#omlbpkaw [ {575318CC-582C-4CB0-B658-DCF8C7442876} ]

Desktop Hijacker.AboutYourPrivacy
C:\Documents and Settings\Jon Whysall\Favorites\Error Cleaner.url
C:\Documents and Settings\Jon Whysall\Favorites\Privacy Protector.url
C:\Documents and Settings\Jon Whysall\Favorites\Spyware&Malware Protection.url

Trojan.Unclassified/Tmp-Gen
C:\PROGRAM FILES\TMP0.EXE
C:\PROGRAM FILES\TMP1.EXE
C:\PROGRAM FILES\TMP2.EXE
C:\PROGRAM FILES\TMP3.EXE

Trojan.Unclassified/Loader-Service
C:\WINDOWS\INSTALLER\{D687103B-2741-4FBA-AAA8-1EC6F9D8B77E}\ZIP.DLL

Trojan.Multi-Dropper/Gen
C:\WINDOWS\NPQTSRAK.EXE
C:\WINDOWS\RTQMEKWG.EXE

Adware.Vundo-Variant/J
C:\WINDOWS\OMLBPKAW.DLL
C:\WINDOWS\PMSOARBF.DLL

Adware.Vundo-Variant/Small-A
C:\WINDOWS\SYSTEM32\ICBNIEQC.DLL

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\MCRH.TMP

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/26/2008 at 09:42 PM

Application Version : 4.0.1154

Core Rules Database Version : 3448
Trace Rules Database Version: 1440

Scan type : Complete Scan
Total Scan Time : 00:53:19

Memory items scanned : 517
Memory threats detected : 0
Registry items scanned : 5302
Registry threats detected : 0
File items scanned : 87350
File threats detected : 0

A friend of mine started using the computer halfway through the first scan - so after I told him off I ran it again, just to be on the safe side.

Everything does seem to be working well now though - I had to reset the screen settings because the desktop wallpaper was still being overridden by the evil Antispyware picture, although because that had gone it was pointing towards nothing. Other than that I have exactly what you said and nothing else!

Thank you SO much - is there anything I should do to finish the process off?

#6 jakkijax


Posted 27 April 2008 - 07:04 AM

Just restarted the computer and got this new error box:

RUNDLL

Error loading C:\windows\system32\icbnieqc.dll

I don't know if that means anything significant?

Cheers :thumbsup:

#7 quietman7


Posted 27 April 2008 - 07:29 AM

It's not unusual to receive such an error after using tools to remove malware infection.

A "Cannot find...", "Could not run...", "Error loading..." or "specific module could not be found" message is usually related to malware that was set to run at startup but has been deleted. Windows is trying to load this file but cannot locate it since the file was most likely removed during an anti-virus or anti-malware scan. However, an associated orphaned registry entry remains and is telling Windows to load the file when you boot up. Since the file no longer exists, Windows will display an error message. You need to remove this registry entry so Windows stops searching for the file when it loads.

To resolve this, download Autoruns, search for the related entry and then delete it.
  • Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this.)
  • Open the folder and double-click on autoruns.exe to launch it.
  • Please be patient as it scans and populates the entries.
  • When done scanning, it will say Ready at the bottom.
  • Scroll through the list and look for a startup entry related to the file(s) in the error message.
  • Right-click on the entry and choose delete.
  • Reboot your computer and see if the startup error returns.
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
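Autoruns shows such orphaned entries with "File not found" in its Image Path column. As an added example that is not from this thread or from Autoruns, the PowerShell script below does the same read-only check across the autostart locations that appear in the scan logs above (Run/RunOnce, Winlogon\Notify, ShellServiceObjectDelayLoad, Browser Helper Objects); it assumes an elevated PowerShell 3.0 or later, and every function name in it is the script's own.

```powershell
# Added example, not from the thread: list autostart entries whose target file
# is gone (the orphaned registry entries described above). Read-only; it
# deletes nothing. Run from an elevated PowerShell (3.0+) so HKLM is readable.

$runKeys = @(                       # command-line style values
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'            # DllName per subkey (XP)
$ssodlKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'   # name -> CLSID
$bhoKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' # CLSID subkeys

$findings = New-Object 'System.Collections.Generic.List[object]'

function Get-RegistryValues {
    # Get-ItemProperty adds PS* bookkeeping members; return only the real values.
    param([string]$Key)
    (Get-ItemProperty -LiteralPath $Key).PSObject.Properties |
        Where-Object { $_.Name -notin 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider' }
}

function Get-TargetPath {
    # Extract the file a startup command actually loads from its command line.
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd -match '(?i)^(?:"?[^"\s]*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+)') {
        $file = $Matches[1].Trim()      # rundll32 <dll>,<entry>: the DLL is what matters
    } elseif ($cmd -match '^"([^"]+)"') {
        $file = $Matches[1]             # quoted path; arguments follow the closing quote
    } else {
        $tokens = $cmd -split '\s+'
        $file = $tokens[0]
        # Unquoted path containing spaces: CreateProcess tries longer prefixes, so do the same.
        $i = 1
        while ($i -lt $tokens.Count -and $file -match '\\' -and -not (Test-Path -LiteralPath $file)) {
            $file = "$file $($tokens[$i])"; $i++
        }
    }
    if ($file -notmatch '\\') {         # bare name (typical for Winlogon Notify DllName): assume System32
        if ($file -notmatch '\.\w+$') { $file += '.dll' }
        $file = Join-Path $env:SystemRoot "System32\$file"
    }
    return $file
}

function Resolve-ClsidServer {
    # CLSID-keyed locations (SSODL, BHOs) name a COM object; find the DLL behind it.
    param([string]$Clsid)
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
        $key = "$root\$Clsid\InprocServer32"
        if (Test-Path -LiteralPath $key) {
            $dll = (Get-ItemProperty -LiteralPath $key).'(default)'
            if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll).Trim('"') }
        }
    }
    return $null                        # no registration at all: also worth a look
}

function Add-Finding {
    param([string]$Location, [string]$Entry, [string]$Target)
    if (-not $Target) { $status = 'UNRESOLVED' }
    elseif (Test-Path -LiteralPath $Target) { $status = 'ok' }
    else { $status = 'MISSING' }        # entry still tells Windows to load a file that is gone
    $findings.Add([pscustomobject]@{ Status = $status; Location = $Location; Entry = $Entry; Target = $Target })
}

foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    foreach ($v in Get-RegistryValues $key) { Add-Finding $key $v.Name (Get-TargetPath $v.Value) }
}
if (Test-Path -LiteralPath $notifyKey) {
    foreach ($sub in Get-ChildItem -LiteralPath $notifyKey) {
        $dll = (Get-ItemProperty -LiteralPath $sub.PSPath).DllName
        Add-Finding $notifyKey $sub.PSChildName (Get-TargetPath $dll)
    }
}
if (Test-Path -LiteralPath $ssodlKey) {
    foreach ($v in Get-RegistryValues $ssodlKey) {
        Add-Finding $ssodlKey "$($v.Name) -> $($v.Value)" (Resolve-ClsidServer $v.Value)
    }
}
if (Test-Path -LiteralPath $bhoKey) {
    foreach ($sub in Get-ChildItem -LiteralPath $bhoKey) {
        Add-Finding $bhoKey $sub.PSChildName (Resolve-ClsidServer $sub.PSChildName)
    }
}

# MISSING entries are the ones that produce "Error loading ..." at logon; confirm
# each in Autoruns before deleting it.
$findings | Sort-Object Status, Location | Format-Table -AutoSize -Wrap
```

The script only reports; removing an entry is still done by hand in Autoruns, as the steps above describe.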

#8 jakkijax


Posted 28 April 2008 - 12:14 PM

The start-up prompt has gone and everything is running great :thumbsup:

This is the log from the MBAM scan:

Malwarebytes' Anti-Malware 1.11
Database version: 694

Scan type: Quick Scan
Objects scanned: 34765
Time elapsed: 6 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 22
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.htmlpanel (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.htmlpanel.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\qtvglped.bwom (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\qtvglped.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Screensavers.com (Adware.Comet) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\MyWebSearch\bar\History\search (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.

#9 quietman7


Posted 28 April 2008 - 12:21 PM

Good job.

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

#10 jakkijax


Posted 28 April 2008 - 12:28 PM

Thank you quietman7 - I am really very very grateful for your help. :thumbsup:

#11 quietman7


Posted 28 April 2008 - 12:30 PM

You're welcome.

To protect yourself against malware and reduce the potential for re-infection, be sure to read:
"Simple and easy ways to keep your computer safe".
"How did I get infected?, With steps so it does not happen again!".
"Best Practices - Internet Safety for 2008".
"Hardening Windows Security - Part 1 & Part 2".
"IE Recommended Minimal Security Settings".

#12 jakkijax


Posted 01 May 2008 - 03:09 PM

Ugh. I think I spoke too soon. I haven't pressed anything at all on the error box - am afraid of letting something else nasty in, in case it's another fake Windows message! Message is:

Microsoft Visual C++ Runtime Library

Assertion failed!

Program: C:\WINDOWS\Explorer.EXE
File: ../external/boost_1_31_0\boost/shared_ptr.hpp
Line: 254

Expression: px != 0

For information on how your program can cause an assertion failure, see the Visual C++ documentation on asserts

(Press Retry to debug the application - JIT must be enabled)

Abort Retry Ignore

#13 boopme


Posted 03 May 2008 - 09:00 PM

Hello again, sorry to hear of your troubles.
A few suggestions. Run the Superantispyware scan again from safe mode.

A bit of searching the Google led me to this post

This is in fact not a Visual C++ problem, but a problem of Explorer which has been made with Visual C++.
Uninstall all applications or drivers which you have recently installed, search for spyware, remove BHOs (Browser Helper Objects) and additional third-party toolbars, install service packs and updates, if this will not help format the system.

HERE POST #2

And perhaps the only other pre-format option is to post a HijackThis log in that forum.

How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook



