Vitumonde

26 replies to this topic

#1 norpacmiami
Posted 16 September 2008 - 12:15 PM

Hello everyone,

I am new to this forum (any computer forum) and not very knowledgeable about computers. Nonetheless, I follow instructions and constantly keep computer updated and clean. The system is a Dell Dimension 8400 and its purpose is mostly for work and home use. Internet provider is Comcast.

Processor Intel® Pentium® 4 CPU 3.00GHz
Processor Speed 2.92 GHz
Memory (RAM) 1024 MB
Operating System Microsoft Windows XP Professional
Operating System Version 5.1.2600

Two days ago, a virus infected my system. Pop-ups galore, music videos, unable to surf the net, system restore (my hope) lost all previous restore points, and everything is slow........aaargh !!

Worst, this thing just won't leave.
I've got AVG 8, SpyBot, and Adware, all of which recognize and supposedly clean it, but upon start-up, it all comes back up. I am scared my files will be lost.

Spybot continues to pop up messages, for example:
Category: System Startup user entry
Change: Value deleted
Entry: VnrBlock20
Old data: "C:\Program Files\VnrBlock20.exe"

Since my present antispy/virus programs have been unable to completely disinfect the system, I have read many of the "Vitumonde" forum topics, and have proceeded to download and run the "Malwarebytes" program and obtained a log which I pasted in my "notepad" file. Don't know exactly how to paste it here, but will try.

Any help will be greatly appreciated.

Lost in Florida,

Andy

Malwarebytes' Anti-Malware 1.28
Database version: 1160
Windows 5.1.2600 Service Pack 3

9/16/2008 9:57:01 AM
mbam-log-2008-09-16 (09-57-01).txt

Scan type: Quick Scan
Objects scanned: 101397
Time elapsed: 25 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 13
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\ptgbvy.dll (Trojan.Vundo) -> Delete on reboot.
C:\Program Files\OINAnalytics\OINAnalytics.dll (Adware.BHO) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{0afff021-3bca-4efc-af3f-ff5e6c35e949} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\oincs.oinanalytics (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6b221e01-f517-4959-8c41-81948e7f2f17} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6b221e01-f517-4959-8c41-81948e7f2f17} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\oincs.oinanalytics.1 (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{f7fa36a4-3177-4b57-b9c1-e9c5b2e0d3a9} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\oinanalytics (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\OINAnalytics.DLL (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\VnrBlock (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\getpack21 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VnrBlock20 (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm8b39ab54 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\OINAnalytics (Trojan.Agent) -> Delete on reboot.
C:\Program Files\VnrBlock (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\jiivnepf.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\fpenviij.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ptgbvy.dll (Trojan.Vundo) -> Delete on reboot.
C:\Program Files\OINAnalytics\OINAnalytics.dll (Adware.BHO) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\lsnxdofu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\utdskkrs.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ksbmjo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\OINAnalytics\Uninstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\VnrBlock\xtarga.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\BM8b39ab54.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM8b39ab54.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

Edited by rigel, 16 September 2008 - 06:45 PM.

#2 rigel
Posted 16 September 2008 - 06:46 PM

Hi Andy - we almost lost you...

Let's continue your path and scan with the following procedure:
Let's see if anything is left out there.

Please download ATF Cleaner by Atribune & save it to your desktop.
alternate download link DO NOT use yet.

Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure the "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp", ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 norpacmiami
Posted 16 September 2008 - 10:00 PM

Thank you very much Rigel.

Please find included log created by Superantispyware, after following your instructions:



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/16/2008 at 10:35 PM

Application Version : 4.21.1004


Core Rules Database Version : 3569
Trace Rules Database Version: 1557

Scan type : Complete Scan
Total Scan Time : 01:50:11

Memory items scanned : 185
Memory threats detected : 0
Registry items scanned : 7153
Registry threats detected : 0
File items scanned : 153055
File threats detected : 2

Adware.Vundo Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP610\A0074726.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP610\A0074727.DLL

#4 norpacmiami
Posted 16 September 2008 - 10:09 PM

Rigel, almost forgot, also received the following "spybot" pop-up message:

Spybot - Search & Destroy has detected an important registry entry that has been changed.

Category: System Startup user entry
Change: Value deleted
Entry: SUPERAntiSpyware
Old data: C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

Should I allow or deny change ?


Thanks again,

Andy

#5 rigel
Posted 17 September 2008 - 06:08 AM

You can allow it. Please update and rerun MalwareBytes, and then post a new log. Also run this procedure:

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#6 norpacmiami
Posted 17 September 2008 - 09:41 AM

Yep, a lot is infected, especially the Java files.

How bad is it?

Andy


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, September 17, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, September 17, 2008 08:34:29
Records in database: 1245338
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 156002
Threat name: 5
Infected objects: 14
Suspicious objects: 0
Duration of the scan: 02:09:31


File name / Threat name / Threats count
C:\Documents and Settings\Adriana de la Torre\Application Data\Sun\Java\Deployment\cache\6.0\51\4278fa73-4210b2e8 Infected: Trojan-Downloader.Java.Agent.f 1
C:\Documents and Settings\Adriana de la Torre\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0dc2-185c9f27.zip Infected: Trojan-Downloader.Java.Agent.f 1
C:\Documents and Settings\Andres de la Torre\Application Data\Sun\Java\Deployment\cache\6.0\10\5a1f6d8a-464b2827 Infected: Trojan-Downloader.Java.OpenStream.ac 1
C:\Documents and Settings\Andres de la Torre\Application Data\Sun\Java\Deployment\cache\6.0\10\77714c0a-1e4c3a5e Infected: Trojan-Downloader.Java.OpenStream.ac 1
C:\Documents and Settings\Andres de la Torre\Application Data\Sun\Java\Deployment\cache\6.0\17\2f7fa3d1-7d17a47b Infected: Trojan-Downloader.Java.OpenStream.ac 1
C:\Documents and Settings\Andres de la Torre\Application Data\Sun\Java\Deployment\cache\6.0\20\75f23b14-5d414dfa Infected: Trojan-Downloader.Java.OpenStream.ac 1
C:\Documents and Settings\Andres de la Torre\Application Data\Sun\Java\Deployment\cache\6.0\22\74018dd6-628b3d96 Infected: Trojan-Downloader.Java.OpenStream.ac 1
C:\Documents and Settings\Andres de la Torre\Application Data\Sun\Java\Deployment\cache\6.0\22\74018dd6-69e38f29 Infected: Trojan-Downloader.Java.OpenStream.ac 1
C:\Documents and Settings\Andres de la Torre\Application Data\Sun\Java\Deployment\cache\6.0\45\2bbf6c6d-21ddf1e7 Infected: Trojan-Downloader.Java.OpenStream.ac 1
C:\Documents and Settings\Andres de la Torre\Application Data\Sun\Java\Deployment\cache\6.0\5\622ec405-65cbd239 Infected: Trojan-Downloader.Java.OpenStream.ac 1
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP608\A0070733.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gp 1
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP608\A0072569.dll Infected: Trojan.Win32.Monder.oaf 1
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP610\A0074749.dll Infected: Trojan.Win32.Monder.oaf 1
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP610\A0074759.sys Infected: Hoax.Win32.Agent.fu 1

The selected area was scanned.

#7 norpacmiami
Posted 17 September 2008 - 09:46 AM

Almost forgot, this time I had a "spybot" pop-up message with the following:

Spybot - Search & Destroy has detected an important registry entry that has been changed.

Category: system Startup global entry
Change: Value deleted
Entry: BM8b39ab54
Old data: Rundll32.exe "C:\WINDOWS\system32\qjmreeuv.dll",s


Should I deny or allow change ?

Thanks again,

Andy

#8 rigel
Posted 17 September 2008 - 12:34 PM

Welcome back,

I cannot find anything listed for qjmreeuv.dll. At this point, I would deny the change.

The majority of things SuperAntispyware found were files in your Java cache. Let's get those cleared...

To clear the Java Runtime Environment (JRE) cache, do this:
  • Click Start > Settings > Control Panel.
  • Double-click the Java icon.
    - The Java Control Panel appears.
  • Click "Settings" under Temporary Internet Files.
    - The Temporary Files Settings dialog box appears.
  • Click "Delete Files" at the bottom.
    - The Delete Temporary Files dialog box appears with options to delete:
    • Applications and Applets
    • Trace and Log Files
  • Click "OK".
  • Click "OK" on the Temporary Files Settings window.
  • Close the Java Control Panel.
Please visit www.java.com and update your current version of Java. You can remove the older versions of Java via your Control Panel - Add/Remove programs.

I need you to download and run Sdfix. Here is the guide for it: How to use SDFix I suggest printing this guide for reference when you run the program.

Let me know if you have any problems. Thanks :thumbsup:


#9 norpacmiami
Posted 17 September 2008 - 01:31 PM

Thanks Rigel, I denied the change, but at the moment I denied it, another spybot pop-up message stated a similar allow/deny change request:

Category: System Startup global entry
Change: Value deleted
Entry: Spybot - Search_Destroy
Old data: "C:\ProgramFiles\Spybot - Search_Destroy\SpybotSD.exe" /autocheck

Should I deny it?

In the meanwhile, I'll work with the Java files as you have instructed.
Checked with Java.com and found that the Java files in my system are the latest available. Applications and trace/log files were deleted as instructed.

Thanks,

Andy


Done running SDFix, report log as follows:



SDFix: Version 1.226
Run by Andres de la Torre on Wed 09/17/2008 at 03:44 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-17 15:55:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Documents and Settings\\Andres de la Torre\\Local Settings\\Temp\\WZSE0.TMP\\SymNRT.exe"="C:\\Documents and Settings\\Andres de la Torre\\Local Settings\\Temp\\WZSE0.TMP\\SymNRT.exe:*:Enabled:Symantec Removal Utility"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Westwood\\SUN\\PATCHGET.DAT"="C:\\Westwood\\SUN\\PATCHGET.DAT:*:Enabled:patchgrabber"
"C:\\Westwood\\Dune2000\\DUNE2000.DAT"="C:\\Westwood\\Dune2000\\DUNE2000.DAT:*:Enabled:Dune2000"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :



Files with Hidden Attributes :

Sat 9 Aug 2003 49,237 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe"
Sat 9 Aug 2003 36,953 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"
Sat 9 Aug 2003 40,960 A..H. --- "C:\Program Files\America Online 9.0\RBM.exe"
Sat 9 Aug 2003 233,553 A..H. --- "C:\Program Files\America Online 9.0\waol.exe"
Thu 14 Aug 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Wed 30 Jul 2008 4,891,984 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Thu 20 Sep 2007 24,576 ...H. --- "C:\Documents and Settings\Adriana de la Torre\My Documents\~WRL0197.tmp"
Wed 9 Apr 2008 25,088 ...H. --- "C:\Documents and Settings\Adriana de la Torre\My Documents\~WRL1608.tmp"
Sun 25 Nov 2007 52,736 ...H. --- "C:\Documents and Settings\Gabriela de la Torre\My Documents\~WRL0362.tmp"
Sun 25 Nov 2007 55,808 ...H. --- "C:\Documents and Settings\Gabriela de la Torre\My Documents\~WRL3001.tmp"
Sat 24 Nov 2007 50,688 ...H. --- "C:\Documents and Settings\Gabriela de la Torre\My Documents\~WRL3120.tmp"
Sun 25 Nov 2007 53,248 ...H. --- "C:\Documents and Settings\Gabriela de la Torre\My Documents\~WRL3209.tmp"
Sun 25 Nov 2007 55,296 ...H. --- "C:\Documents and Settings\Gabriela de la Torre\My Documents\~WRL3465.tmp"
Sun 6 May 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sat 9 Aug 2003 111,824 A..H. --- "C:\Program Files\Common Files\aolshare\shell\us\shellext.dll"

Finished!


Rigel, also got the following message:
RUNDLL
Error loading C:\WINDOWS\system32\qjmreeuv.dll
The specified module could not be found.


Any suggestions?

Thanks,
Andy : )

Edited by norpacmiami, 17 September 2008 - 03:22 PM.


#10 norpacmiami
Posted 17 September 2008 - 05:50 PM

Just re-booted the system again to see if both messages would disappear.

Upon startup, the RUNDLL pop-up appeared again.

As to the spybot message, it changed to:

Spybot - Search & Destroy has detected an important registry entry that has been changed.

Category: System Startup global entry
Change: Value deleted
Entry: "blank"
Old data: "blank"


Weird, I had never seen blank areas in this message before.

Other than this, the system is operating quite well thus far. Perhaps even quicker.

Andy

#11 rigel
Posted 17 September 2008 - 06:58 PM

That is great news Andy. I am consulting with a malware expert to see what is happening with the "Error loading C:\WINDOWS\system32\qjmreeuv.dll The specified module could not be found." message. I will let you know when I hear.


#12 quietman7 (Global Moderator)
Posted 17 September 2008 - 09:40 PM

It's not unusual to receive "boot up" errors after using anti-virus and other security scanning tools to remove malware infection.

RunDLL32.exe is a legit Windows file that loads .dll files, which too can be legit or malware related. A RunDLL "Error loading..." or "specified module could not be found" message usually occurs when the .dll file(s) that was set to run at startup has been deleted and it becomes an orphaned registry entry. Windows is trying to load this file(s) but cannot locate it since the file was removed during an anti-virus or anti-malware scan. However, the associated registry entry remains and is telling Windows to load the file when you boot up. Since the file no longer exists, Windows will display an error message. You need to remove this registry entry so Windows stops searching for the file when it loads.

To resolve this, download Autoruns, search for the related entry and then delete it.
  • Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this.)
  • Open the folder and double-click on autoruns.exe to launch it.
  • Please be patient as it scans and populates the entries.
  • When done scanning, it will say Ready at the bottom.
  • Scroll through the list and look for a startup entry related to the file(s) in the error message.
  • Right-click on the entry and choose delete.
  • Reboot your computer and see if the startup error returns.
With Spybot's TeaTimer, whenever there is a registry change to the system, it pops up a notification to allow or deny. If you selected deny change but keep getting the alert, then something is attempting to alter the registry and the pop-up notifications will continue.

TeaTimer alerts which show allowed or denied values are intended to remind you which registry changes are blocked. Spybot-S&D creates logs of TeaTimer's activity and stores them in the C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\ folder. See here. To stop the alerts, follow the instructions in How to Disable TeaTimer.

If you are going to use Spybot S&D, you need to learn how to use it and how it works.
Spybot Tutorial
Using Spybot S&D
Spybot S&D Features explained
Advanced Mode, Tools, HOSTS file viewer, TeaTimer, SDHelper, System Startup
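The orphaned-entry situation quietman7 describes, written up as a runnable check. This is an added example for this page, not a BleepingComputer, Spybot or Autoruns tool: the Run keys are the standard Windows ones, the sample values are constructed from the entries quoted earlier in this thread, and the live registry is only read when the script is run on Windows.

```python
"""List startup (Run-key) values whose target file no longer exists: the cause of the
RunDLL "Error loading <dll> ... The specified module could not be found" boot message
after a scanner removed the DLL but not the registry value that loaded it."""
import ntpath
import os
import re
import sys
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Keys behind Spybot's "System Startup user entry" (HKCU) and "global entry" (HKLM).
RUN_KEYS: List[Tuple[str, str]] = [
    ("HKEY_CURRENT_USER", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKEY_LOCAL_MACHINE", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKEY_LOCAL_MACHINE", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"),
]

@dataclass
class RunEntry:
    hive: str     # e.g. "HKEY_LOCAL_MACHINE"
    key: str      # subkey under the hive
    name: str     # value name, e.g. "BM8b39ab54"
    command: str  # value data: the command line run at logon

def split_command(command: str) -> List[str]:
    """Tokenize a command line: a double-quoted string is one token, else split on whitespace."""
    return re.findall(r'"[^"]*"|\S+', command)

def rundll32_target(command: str) -> Optional[str]:
    """DLL path if the command is a rundll32 invocation, else None.
    Syntax is  rundll32.exe <dll>,<entrypoint> [args]  and <dll> may be quoted, so both
    "C:\\x\\y.dll",s  and  C:\\x\\y.dll,s  resolve to C:\\x\\y.dll."""
    tokens = split_command(command)
    if len(tokens) < 2 or os.path.basename(tokens[0].strip('"')).lower() != "rundll32.exe":
        return None
    return tokens[1].strip('"').split(",", 1)[0]

def image_candidates(command: str) -> List[str]:
    """Files Windows would try to load for this value, in order: one candidate for a
    rundll32 DLL or a quoted path; for an unquoted command line, every whitespace-delimited
    prefix (as CreateProcess does), so C:\\Program Files\\x.exe tries C:\\Program first."""
    dll = rundll32_target(command)
    if dll is not None:
        return [dll]
    cmd = command.strip()
    if cmd.startswith('"'):
        return [cmd[1:].split('"', 1)[0]]
    parts = cmd.split()
    return [" ".join(parts[:i]) for i in range(1, len(parts) + 1)]

def find_orphans(entries: List[RunEntry],
                 exists: Callable[[str], bool]) -> List[Tuple[RunEntry, List[str]]]:
    """(entry, candidate paths) for each entry none of whose candidates exists on disk."""
    orphans = []
    for entry in entries:
        # ntpath.expandvars resolves %windir%-style references on any platform.
        candidates = [ntpath.expandvars(c) for c in image_candidates(entry.command)]
        if candidates and not any(exists(c) for c in candidates):
            orphans.append((entry, candidates))
    return orphans

def read_run_entries() -> List[RunEntry]:
    """Read the live Run keys (Windows only; [] elsewhere so the sample below still runs)."""
    if sys.platform != "win32":
        return []
    import winreg
    entries = []
    for hive, subkey in RUN_KEYS:
        try:
            with winreg.OpenKey(getattr(winreg, hive), subkey) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = number of values
                    name, data, _ = winreg.EnumValue(key, i)
                    entries.append(RunEntry(hive, subkey, name, str(data)))
        except OSError:
            continue  # key absent or not readable
    return entries

# Constructed sample modelled on the values quoted in the thread (not a real registry export).
SAMPLE_ENTRIES = [
    RunEntry("HKEY_LOCAL_MACHINE", RUN_KEYS[1][1], "BM8b39ab54",
             r'Rundll32.exe "C:\WINDOWS\system32\qjmreeuv.dll",s'),
    RunEntry("HKEY_CURRENT_USER", RUN_KEYS[0][1], "VnrBlock20",
             r'"C:\Program Files\VnrBlock20.exe"'),
    RunEntry("HKEY_CURRENT_USER", RUN_KEYS[0][1], "SUPERAntiSpyware",
             r"C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"),
]
# The one file assumed to still be on disk after the cleanup (constructed).
SAMPLE_PRESENT = {r"C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"}

def sample_orphan_names() -> List[str]:
    """Value names flagged in the constructed sample (expected: BM8b39ab54 and VnrBlock20)."""
    found = find_orphans(SAMPLE_ENTRIES, lambda p: p in SAMPLE_PRESENT)
    return [entry.name for entry, _ in found]

if __name__ == "__main__":
    live = read_run_entries()
    entries, exists = (live, os.path.isfile) if live else (SAMPLE_ENTRIES, lambda p: p in SAMPLE_PRESENT)
    for entry, candidates in find_orphans(entries, exists):
        print(f"{entry.hive}\\{entry.key}\\{entry.name} -> missing: {candidates[-1]}")
```

An entry the script flags is only a candidate for removal: confirm the path really is gone and that the value is not a legitimate program you uninstalled before deleting it, as quietman7's Autoruns steps have you do by hand.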

#13 norpacmiami
Posted 18 September 2008 - 07:09 AM

Rigel, thanks for your support and assistance in helping me get rid of this vicious "Vitumonde" virus. I will run another scan to see if it is properly gone today.

Quietman, thanks for stepping in regarding these pop-ups. There is no doubt I have to learn about computers' inner workings, and most importantly, using the available anti spy/virus programs. It will be a long and slow voyage, especially at my age.

Will let you know the outcome after following your instructions.

Thank you both,

Andy

#14 norpacmiami
Posted 18 September 2008 - 08:33 PM

Rigel,
Just ran Kaspersky again, and viruses/trojans still there. Is this thing ever ending ??? WOW

Looks like Java, Monder, Downloaders still causing problems. What can I do now?

Andy


KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, September 18, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, September 18, 2008 19:42:06
Records in database: 1248249
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 168093
Threat name: 4
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 02:17:59


File name / Threat name / Threats count
C:\Documents and Settings\Adriana de la Torre\Application Data\Sun\Java\Deployment\cache\6.0\51\4278fa73-4210b2e8 Infected: Trojan-Downloader.Java.Agent.f 1
C:\Documents and Settings\Adriana de la Torre\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0dc2-185c9f27.zip Infected: Trojan-Downloader.Java.Agent.f 1
C:\Documents and Settings\Andres de la Torre\Application Data\Sun\Java\Deployment\cache\6.0\22\74018dd6-628b3d96 Infected: Trojan-Downloader.Java.OpenStream.ac 1
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP608\A0070733.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gp 1
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP610\A0074749.dll Infected: Trojan.Win32.Monder.oaf 1

#15 rigel
Posted 18 September 2008 - 10:34 PM

Welcome back Andy. We still have some work to do. Hang tough :thumbsup: Some of these infections can be very stubborn.

When you cleared the Java cache, did you have any issues? Please clear it again using the earlier instructions. Also, let's get a fresh Malwarebytes log. Please be sure to update before running Malwarebytes. Post a new log please.

I also need to do a little research on your infection.
