
Help!


16 replies to this topic

#1 Cheskiz

Posted 19 May 2008 - 12:56 AM

Hi,

I contracted this WinSpyware Protector thing and it keeps telling me that I have so many viruses on my computer, both in the registry and in memory. I can't find WinSpyware in the Control Panel. What should I do? By deleting WinSpyware, will the viruses shown by it be gone too?

Advice please, I wish to get rid of WinSpyware as well as the viruses shown by it.

Hope to get some free advice, as I am not rich enough to have the money to buy those programs.

Help :thumbsup:


#2 Cheskiz (Topic Starter)

Posted 19 May 2008 - 05:02 AM

Help anyone?

I found the PF file of WinSpyware and deleted it. Do you think it will put an end to all those things?

#3 DaChew (BC Advisor)

Posted 19 May 2008 - 07:53 AM

http://www.bleepingcomputer.com/forums/ind...st&p=827440

Would you try these 3 programs? SAS, ATF and MBAM.

I am assuming you are using XP or Vista; we need to know that, and what other anti-malware programs you are running.

Hold off on trying to install an anti-virus program until we can get your computer cleaned up.

Edited by DaChew, 19 May 2008 - 07:54 AM.

Chewy

No. Try not. Do... or do not. There is no try.

#4 Cheskiz (Topic Starter)

Posted 20 May 2008 - 01:33 AM

I got all three done, on my desktop.

Please advise on the next step. :thumbsup:

#5 Cheskiz (Topic Starter)

Posted 20 May 2008 - 02:32 AM

Malwarebytes' Anti-Malware 1.12
Database version: 768

Scan type: Quick Scan
Objects scanned: 49587
Time elapsed: 4 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 6
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\BASE (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\DELETED (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\SAVED (Rogue.MalWarrior) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\WinSpywareProtect.exe (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080519011320734.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080519133310921.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080519133902437.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080519174241562.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.

#6 DaChew (BC Advisor)

Posted 20 May 2008 - 07:49 AM

I asked for a SAS log and the security programs that are installed.

Let's take this one step at a time and be thorough.

#7 Cheskiz (Topic Starter)

Posted 20 May 2008 - 07:51 AM

There is always this pop-up every time I start my computer:

Error load C:\WINDOWS/system32/qhwekvjf.dll

The specific module could not be found. Advise please.

#8 DaChew (BC Advisor)

Posted 20 May 2008 - 08:32 AM

That's easy to fix and harmless; let's make sure the infection is gone.

That was part of the infection.

Let's see if we can find the rest of it.

#9 Cheskiz (Topic Starter)

Posted 22 May 2008 - 12:37 AM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/20/2008 at 02:46 PM

Application Version : 4.0.1154

Core Rules Database Version : 3463
Trace Rules Database Version: 1454

Scan type : Complete Scan
Total Scan Time : 00:24:42

Memory items scanned : 556
Memory threats detected : 3
Registry items scanned : 5514
Registry threats detected : 13
File items scanned : 18891
File threats detected : 58

Trojan.Vundo-Variant/Small-GEN
C:\WINDOWS\SYSTEM32\PMNOPNMD.DLL
C:\WINDOWS\SYSTEM32\PMNOPNMD.DLL

Adware.Vundo Variant/Resident
C:\DOCUME~1\~CK~~1\LOCALS~1\TEMP\TUVVOGAP.DLL
C:\DOCUME~1\~CK~~1\LOCALS~1\TEMP\TUVVOGAP.DLL

Trojan.Vundo-Variant/Small
C:\WINDOWS\SYSTEM32\QHWEKVJF.DLL
C:\WINDOWS\SYSTEM32\QHWEKVJF.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4660C955-21F1-4A48-AADF-139634A93058}
HKCR\CLSID\{4660C955-21F1-4A48-AADF-139634A93058}
HKCR\CLSID\{4660C955-21F1-4A48-AADF-139634A93058}\InprocServer32
HKCR\CLSID\{4660C955-21F1-4A48-AADF-139634A93058}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{47551F98-CC7F-4701-A650-D7231EEA60BD}
HKCR\CLSID\{47551F98-CC7F-4701-A650-D7231EEA60BD}
HKCR\CLSID\{47551F98-CC7F-4701-A650-D7231EEA60BD}\InprocServer32
HKCR\CLSID\{47551F98-CC7F-4701-A650-D7231EEA60BD}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{47551F98-CC7F-4701-A650-D7231EEA60BD}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\pmnopnMd
C:\DOCUMENTS AND SETTINGS\~ CK ~\LOCAL SETTINGS\TEMP\TUVVOGAP.DLL

Adware.Tracking Cookie
C:\Documents and Settings\~ CK ~\Cookies\~_ck_~@ad.yieldmanager[1].txt
C:\Documents and Settings\~ CK ~\Cookies\~_ck_~@82.98.235[1].txt
C:\Documents and Settings\~ CK ~\Cookies\~_ck_~@doubleclick[1].txt
C:\Documents and Settings\~ CK ~\Cookies\~_ck_~@ads.viwawa[2].txt
C:\Documents and Settings\Conny Tan\Cookies\conny_tan@advertising[1].txt
C:\Documents and Settings\Conny Tan\Cookies\conny_tan@ads.pointroll[1].txt
C:\Documents and Settings\Conny Tan\Cookies\conny_tan@dealtime.co[2].txt
C:\Documents and Settings\Conny Tan\Cookies\conny_tan@cnetasiapacific.122.2o7[1].txt
C:\Documents and Settings\Conny Tan\Cookies\conny_tan@account.live[2].txt
C:\Documents and Settings\Conny Tan\Cookies\conny_tan@hardwarezone[2].txt
C:\Documents and Settings\Conny Tan\Cookies\conny_tan@imrworldwide[2].txt
C:\Documents and Settings\Conny Tan\Cookies\conny_tan@burstnet[1].txt
C:\Documents and Settings\Conny Tan\Cookies\conny_tan@adtech[1].txt
C:\Documents and Settings\Conny Tan\Cookies\conny_tan@xiti[1].txt
C:\Documents and Settings\Conny Tan\Cookies\conny_tan@zedo[1].txt
C:\Documents and Settings\Conny Tan\Cookies\conny_tan@adbrite[1].txt
C:\Documents and Settings\Conny Tan\Cookies\conny_tan@casalemedia[1].txt
C:\Documents and Settings\Conny Tan\Cookies\conny_tan@stat.dealtime[1].txt
C:\Documents and Settings\Conny Tan\Cookies\conny_tan@specificclick[2].txt
C:\Documents and Settings\Conny Tan\Cookies\conny_tan@www6.addfreestats[1].txt
C:\Documents and Settings\Conny Tan\Cookies\conny_tan@serving-sys[1].txt
C:\Documents and Settings\Conny Tan\Cookies\conny_tan@bravenet[1].txt
C:\Documents and Settings\Conny Tan\Cookies\conny_tan@www.googleadservices[1].txt
C:\Documents and Settings\Conny Tan\Cookies\conny_tan@www.googleadservices[2].txt
C:\Documents and Settings\Conny Tan\Cookies\conny_tan@stat.youku[1].txt
C:\Documents and Settings\Conny Tan\Cookies\conny_tan@nextag[1].txt
C:\Documents and Settings\Conny Tan\Cookies\conny_tan@revsci[1].txt
C:\Documents and Settings\Conny Tan\Cookies\conny_tan@tacoda[2].txt
C:\Documents and Settings\Conny Tan\Cookies\conny_tan@fastclick[2].txt
C:\Documents and Settings\Conny Tan\Cookies\conny_tan@edge.ru4[2].txt
C:\Documents and Settings\Conny Tan\Cookies\conny_tan@adopt.euroclick[2].txt
C:\Documents and Settings\Conny Tan\Cookies\conny_tan@m1.webstats.motigo[2].txt
C:\Documents and Settings\Conny Tan\Cookies\conny_tan@mediaplex[1].txt
C:\Documents and Settings\Conny Tan\Cookies\conny_tan@bs.serving-sys[1].txt
C:\Documents and Settings\Conny Tan\Cookies\conny_tan@tribalfusion[1].txt
C:\Documents and Settings\Conny Tan\Cookies\conny_tan@atwola[2].txt
C:\Documents and Settings\Conny Tan\Cookies\conny_tan@apmebf[2].txt
C:\Documents and Settings\Conny Tan\Cookies\conny_tan@mediacorp[1].txt
C:\Documents and Settings\Conny Tan\Cookies\conny_tan@statcounter[1].txt
C:\Documents and Settings\Conny Tan\Cookies\conny_tan@nextag.co[2].txt
C:\Documents and Settings\Conny Tan\Cookies\conny_tan@paypal.112.2o7[1].txt
C:\Documents and Settings\Conny Tan\Cookies\conny_tan@atdmt[2].txt
C:\Documents and Settings\Conny Tan\Cookies\conny_tan@prospect.adbureau[2].txt
C:\Documents and Settings\Conny Tan\Cookies\conny_tan@eas.apm.emediate[2].txt
C:\Documents and Settings\Conny Tan\Cookies\conny_tan@2o7[2].txt
C:\Documents and Settings\Conny Tan\Cookies\conny_tan@dbs.112.2o7[1].txt
C:\Documents and Settings\Conny Tan\Cookies\conny_tan@questionmarket[2].txt
C:\Documents and Settings\Conny Tan\Cookies\conny_tan@ads.revsci[1].txt
C:\Documents and Settings\Conny Tan\Cookies\conny_tan@ad.yieldmanager[1].txt
C:\Documents and Settings\Conny Tan\Cookies\conny_tan@data.coremetrics[1].txt
C:\Documents and Settings\Conny

#10 DaChew (BC Advisor)

Posted 22 May 2008 - 05:04 AM

I am assuming you are using XP or Vista; we need to know that, and what other anti-malware programs you are running.

Each and every question I ask is necessary.

It's best to be as thorough as possible when fighting malware.

Let's update MBAM and have another scan.

Edited by DaChew, 22 May 2008 - 05:09 AM.


#11 Cheskiz (Topic Starter)

Posted 23 May 2008 - 05:24 AM

I am using Win XP and I currently only have the 3 anti-virus programs you recommended to me. I used Norman in the past, but it expired, so I uninstalled it.

The infection has worsened; it affects every account now. Help!

Edited by Cheskiz, 23 May 2008 - 05:25 AM.


#12 DaChew (BC Advisor)

Posted 23 May 2008 - 05:51 AM

You should be printing out these directions and following them exactly; if you had run ATF Cleaner and then SUPERAntiSpyware, there wouldn't have been any cookies found.

This next program, SDFix, is very powerful; follow the directions exactly.

http://www.bleepingcomputer.com/forums/t/131299/how-to-use-sdfix/

#13 Cheskiz (Topic Starter)

Posted 30 May 2008 - 04:47 AM

Error load C:\WINDOWS/system32/qhwekvjf.dll

The specific module could not be found.

This pop-up still exists. I ran SDFix; here is the log. No trojan or any virus found.


SDFix: Version 1.186
Run by ~ CK ~ on Fri 05/30/2008 at 01:53 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-30 17:40:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Disabled:iTunes"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Messenger"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:*:Disabled:ActiveSync RAPI Manager"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 29 Jul 2007 5,388,088 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Sat 22 Dec 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 20 Mar 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 31 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b04031f0b83ee952189dd8beb4ee929a\BIT1.tmp"
Wed 23 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\bc066f3f60df1b38218903dd0d40ce98\BIT2.tmp"
Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT1.tmp"

Finished!

#14 DaChew (BC Advisor)

Posted 30 May 2008 - 08:29 AM

Error load C:\WINDOWS/system32/qhwekvjf.dll

This is usually the result of using specialized malware removal tools. You have broken the path for the program to open with. Windows wants to open it and can not... hence the message.

To resolve this, download Autoruns,
http://www.microsoft.com/technet/sysintern...s/Autoruns.mspx
search for the related entry and then delete it.

  • Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (Click HERE if you're not sure how to do this.)
  • Open the folder and double-click on autoruns.exe to launch it.
  • Please be patient as it scans and populates the entries.
  • When done scanning, it will say Ready at the bottom.
  • Scroll through the list and look for a startup entry related to the file(s) in the error message.
  • Right-click on the entry and choose Delete.
  • Reboot your computer and see if the startup error returns.

Run ATF Cleaner, clean all, and immediately run MBAM and post a new log; make sure you update MBAM.
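As an added example (not code from this thread, and not part of Autoruns, MBAM, SDFix or SUPERAntiSpyware), here is a read-only PowerShell script that does the search DaChew describes: it walks the autostart locations that appeared in the SUPERAntiSpyware log earlier in the thread (Browser Helper Objects, ShellExecuteHooks and Winlogon\Notify) plus the standard Run/RunOnce keys, and reports any entry whose DLL or EXE is no longer on disk. A cleaner that quarantines the DLL but leaves such an entry behind is exactly what produces the "could not be found" message at logon. The registry paths are the standard Windows ones; the regular expression that pulls a path out of a command line, the function names and the output columns are this example's own choices.

```powershell
# Added example, not from the thread or any tool it mentions. Read-only: nothing is deleted.
# Assumption: run from an elevated PowerShell on the affected machine (PowerShell 5 or later).

function Get-ModulePathFromCommand {
    param([string]$Command)
    # Expand %windir% etc., then take the first quoted or unquoted drive-rooted .dll/.exe path,
    # e.g. rundll32.exe "C:\WINDOWS\system32\qhwekvjf.dll",s  ->  C:\WINDOWS\system32\qhwekvjf.dll
    $Command = [Environment]::ExpandEnvironmentVariables($Command)
    $m = [regex]::Match($Command, '(?i)"?([A-Z]:\\[^",]+?\.(dll|exe))"?')
    if ($m.Success) { return $m.Groups[1].Value }
    # A bare file name is resolved from System32, which is where the loader would look.
    $m = [regex]::Match($Command, '(?i)([^"\\ ,]+\.dll)')
    if ($m.Success) { return Join-Path $env:SystemRoot ('system32\' + $m.Groups[1].Value) }
    return $null
}

function Get-ClsidInprocServer {
    param([string]$Clsid)
    # BHOs and ShellExecuteHooks only record a CLSID; the DLL is under CLSID\{guid}\InprocServer32.
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\Software\Classes\CLSID') {
        $k = "$root\$Clsid\InprocServer32"
        if (Test-Path -LiteralPath $k) {
            $v = (Get-ItemProperty -LiteralPath $k).'(default)'
            if ($v) { return [Environment]::ExpandEnvironmentVariables($v) }
        }
    }
    return $null
}

function Add-Finding([System.Collections.Generic.List[object]]$List, $Location, $Entry, $Module) {
    $onDisk = $false
    if ($Module) { $onDisk = Test-Path -LiteralPath $Module }
    $List.Add([pscustomobject]@{ Location = $Location; Entry = $Entry; Module = $Module; OnDisk = $onDisk })
}

$findings = [System.Collections.Generic.List[object]]::new()

# 1. Run / RunOnce: each value's data is a command line.
foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce') {
    if (-not (Test-Path -LiteralPath $k)) { continue }
    foreach ($p in (Get-ItemProperty -LiteralPath $k).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSParentPath/... members
        Add-Finding $findings $k $p.Name (Get-ModulePathFromCommand ([string]$p.Value))
    }
}

# 2. Browser Helper Objects: one subkey per CLSID.
$bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path -LiteralPath $bho) {
    foreach ($sub in Get-ChildItem -LiteralPath $bho) {
        Add-Finding $findings $bho $sub.PSChildName (Get-ClsidInprocServer $sub.PSChildName)
    }
}

# 3. ShellExecuteHooks: the CLSIDs are value names, not subkeys.
$hooks = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
if (Test-Path -LiteralPath $hooks) {
    foreach ($p in (Get-ItemProperty -LiteralPath $hooks).PSObject.Properties) {
        if ($p.Name -like '{*}') { Add-Finding $findings $hooks $p.Name (Get-ClsidInprocServer $p.Name) }
    }
}

# 4. Winlogon\Notify: one subkey per package, DLL named in its DllName value (often a bare name).
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path -LiteralPath $notify) {
    foreach ($sub in Get-ChildItem -LiteralPath $notify) {
        $dll = (Get-ItemProperty -LiteralPath $sub.PSPath).DllName
        if ($dll -and -not [IO.Path]::IsPathRooted($dll)) { $dll = Join-Path $env:SystemRoot "system32\$dll" }
        Add-Finding $findings $notify $sub.PSChildName $dll
    }
}

# Entries whose module is gone are the dangling references; everything else is listed for context.
$findings | Where-Object { -not $_.OnDisk } | Format-Table -AutoSize
```

Rows with OnDisk = False are the candidates to compare against what Autoruns shows and against the quarantine lists in the MBAM and SUPERAntiSpyware logs; an entry for a module the scanners removed is safe to delete, while an entry whose module is still present is not evidence of anything and should be left alone. The script covers only the locations named in this thread; Autoruns checks many more (services, drivers, scheduled tasks, Winsock providers), and on 64-bit Windows the Wow6432Node copies of these keys would also need to be walked.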

#15 Cheskiz (Topic Starter)

Posted 31 May 2008 - 05:48 AM

Malwarebytes' Anti-Malware 1.12
Database version: 768

Scan type: Full Scan (C:\|)
Objects scanned: 98923
Time elapsed: 16 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
