Tricky Virus i need help with

My laptop recently got a virus from some bad flash game site. I have scanned the whole computer with Spy-bot Search and destroy, AVG Free Edition, and Malaware Bytes. They picked up a few things and I removed them. I re-scanned just to be sure and they all came up clean, so i thought I was done with it. Now my AVG Free edition keeps on popping up every 15 minutes saying virus removed. Apparently my something keeps on putting some svchost.exe file in my WINDOWS/ Temp file, also my Google searches are messing up, if i search ebay.com and click onto it from Google it takes me to some advertising site. Any ideas? Thanks in advance.

Hello here are some things to try that may help with your problem

1. download and install SuperAntiSpyware and make sure to let it update
2. turn off system restore (control panel/system)
3. boot into safe mode (F8 on startup)
4. run SuperAntiSpyware in safe mode

then post back and let's see what happens next

go away spammer

How am I a spammer?

I am talking about the bluevonda spaming he has on other posts also

oh, sorry my bad. And i'm installing SuperAntiSpyware on it right now.

no problem man

remember turn of system restore and go to safe mode to scan after SAS update this should really help when you run SAS run full scan mode also

Little problem, I can't get into safe mode. I installed it and updated it, I then went to restart it and open up on safe mode but when i click safe mode it try's to load it and then i get the blue screen of death. Can I run it in normal mode?

Yes, you may run it in Normal Mode.

I scanned it and it detected 3 virus's and i removed them. But the computer is still getting the blue screen of death when i try to go into safe mode. I scanned again with spybot and super anti spyware and they came up clean. I went to scan it with Malaware Bytes but it won't open, it says it's missing a .dll File and i should try to re-install it, but i did and i am still getting the same error. Any things i can try?

Could you please post your SAS log?

SUPERAntiSpyware Scan Log

http://www.superantispyware.com



Generated 12/06/2009 at 09:27 PM



Application Version : 4.31.1000



Core Rules Database Version : 4340

Trace Rules Database Version: 2191



Scan type : Complete Scan

Total Scan Time : 00:57:45



Memory items scanned : 446

Memory threats detected : 0

Registry items scanned : 6567

Registry threats detected : 0

File items scanned : 11211

File threats detected : 167



Adware.Tracking Cookie

C:\Documents and Settings\Richie-1\Cookies\richie-1@trvlnet.adbureau[1].txt

C:\Documents and Settings\Richie-1\Cookies\richie-1@blockbuster.112.2o7[1].txt

C:\Documents and Settings\Richie-1\Cookies\richie-1@adserver.adtechus[1].txt

C:\Documents and Settings\Richie-1\Cookies\richie-1@traveladvertising[1].txt

C:\Documents and Settings\Richie-1\Cookies\richie-1@mediatraffic[2].txt

C:\Documents and Settings\Richie-1\Cookies\richie-1@pro-market[1].txt

C:\Documents and Settings\Richie-1\Cookies\richie-1@revsci[1].txt

C:\Documents and Settings\Richie-1\Cookies\richie-1@iacas.adbureau[1].txt

C:\Documents and Settings\Richie-1\Cookies\richie-1@specificclick[2].txt

C:\Documents and Settings\Richie-1\Cookies\richie-1@interclick[2].txt

C:\Documents and Settings\Richie-1\Cookies\richie-1@2o7[1].txt

C:\Documents and Settings\Richie-1\Cookies\richie-1@ad.zanox[1].txt

C:\Documents and Settings\Richie-1\Cookies\richie-1@content.yieldmanager[1].txt

C:\Documents and Settings\Richie-1\Cookies\richie-1@questionmarket[1].txt

C:\Documents and Settings\Richie-1\Cookies\richie-1@xml.trafficengine[1].txt

C:\Documents and Settings\Richie-1\Cookies\richie-1@collective-media[1].txt

C:\Documents and Settings\Administrator\Cookies\administrator@cdn.atwola[1].txt

C:\Documents and Settings\Administrator\Cookies\administrator@atwola[1].txt

C:\Documents and Settings\John\Cookies\john@ad1.clickhype[1].txt

C:\Documents and Settings\John\Cookies\john@ads.soft32[1].txt

C:\Documents and Settings\John\Cookies\john@adrevolver[3].txt

C:\Documents and Settings\John\Cookies\john@ads.adbrite[2].txt

C:\Documents and Settings\John\Cookies\john@edge.ru4[1].txt

C:\Documents and Settings\John\Cookies\john@msnaccountservices.112.2o7[1].txt

C:\Documents and Settings\John\Cookies\john@specificclick[1].txt

C:\Documents and Settings\John\Cookies\john@adinterax[1].txt

C:\Documents and Settings\John\Cookies\john@ehg-bestbuy.hitbox[2].txt

C:\Documents and Settings\John\Cookies\john@superstats[1].txt

C:\Documents and Settings\John\Cookies\john@screensavers[1].txt

C:\Documents and Settings\John\Cookies\john@ads.pointroll[1].txt

C:\Documents and Settings\John\Cookies\john@interclick[1].txt

C:\Documents and Settings\John\Cookies\john@i.screensavers[1].txt

C:\Documents and Settings\John\Cookies\john@atwola[1].txt

C:\Documents and Settings\John\Cookies\john@rotator.adjuggler[1].txt

C:\Documents and Settings\John\Cookies\john@ad.interclick[2].txt

C:\Documents and Settings\John\Cookies\john@adopt.specificclick[2].txt

C:\Documents and Settings\John\Cookies\john@adultadworld[2].txt

C:\Documents and Settings\John\Cookies\john@msnservices.112.2o7[1].txt

C:\Documents and Settings\John\Cookies\john@ad.xplusone[2].txt

C:\Documents and Settings\John\Cookies\john@media.xbox360.ign[2].txt

C:\Documents and Settings\John\Cookies\john@media1.break[1].txt

C:\Documents and Settings\John\Cookies\john@4.adbrite[1].txt

C:\Documents and Settings\John\Cookies\john@bizrate[2].txt

C:\Documents and Settings\John\Cookies\john@cf-db01.clickfacts[1].txt

C:\Documents and Settings\John\Cookies\john@ehg-linksys.hitbox[1].txt

C:\Documents and Settings\John\Cookies\john@insightexpressai[1].txt

C:\Documents and Settings\John\Cookies\john@itxt.vibrantmedia[1].txt

C:\Documents and Settings\John\Cookies\john@partner2profit[2].txt

C:\Documents and Settings\John\Cookies\john@qnsr[1].txt

C:\Documents and Settings\John\Cookies\john@track.bestbuy[1].txt

C:\Documents and Settings\John\Cookies\john@try.screensavers[1].txt

C:\Documents and Settings\Mom\Cookies\mom@adopt.specificclick[2].txt

C:\Documents and Settings\Mom\Cookies\mom@adinterax[2].txt

C:\Documents and Settings\Mom\Cookies\mom@adlegend[2].txt

C:\Documents and Settings\Mom\Cookies\mom@apmebf[1].txt

C:\Documents and Settings\Mom\Cookies\mom@ads.bridgetrack[1].txt

C:\Documents and Settings\Mom\Cookies\mom@ads.buddy4u[1].txt

C:\Documents and Settings\Mom\Cookies\mom@ads.pointroll[1].txt

C:\Documents and Settings\Mom\Cookies\mom@atwola[1].txt

C:\Documents and Settings\Mom\Cookies\mom@data.coremetrics[1].txt

C:\Documents and Settings\Mom\Cookies\mom@ge.112.2o7[1].txt

C:\Documents and Settings\Mom\Cookies\mom@ehg-bestbuy.hitbox[1].txt

C:\Documents and Settings\Mom\Cookies\mom@ehg-jigsaw.hitbox[1].txt

C:\Documents and Settings\Mom\Cookies\mom@eyewonder[2].txt

C:\Documents and Settings\Mom\Cookies\mom@insightexpressai[1].txt

C:\Documents and Settings\Mom\Cookies\mom@interclick[2].txt

C:\Documents and Settings\Mom\Cookies\mom@paypal.112.2o7[1].txt

C:\Documents and Settings\Mom\Cookies\mom@server.iad.liveperson[1].txt

C:\Documents and Settings\Mom\Cookies\mom@specificclick[1].txt

C:\Documents and Settings\Mom\Cookies\mom@track.bestbuy[1].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@overture[1].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@casalemedia[1].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@insightexpressai[1].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@c7.zedo[1].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@fastclick[2].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@serving-sys[1].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@content.yieldmanager[3].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@realmedia[2].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@tracking.foxnews[1].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@tribalfusion[2].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@www8.addfreestats[1].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@travel.hotels-and-discounts[2].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@ehg-autozone.hitbox[1].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@media6degrees[1].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@statse.webtrendslive[1].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@dynamic.media.adrevolver[1].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@media.adrevolver[1].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@mediaplex[1].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@harpo.122.2o7[1].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@oasn04.247realmedia[1].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@collective-media[1].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@atdmt[2].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@roiservice[1].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@cgm.adbureau[1].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@media.adrevolver[2].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@bs.serving-sys[1].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@ads.bluelithium[2].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@a1.interclick[1].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@doubleclick[2].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@hotels-and-discounts[1].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@interclick[1].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@microsoftwindows.112.2o7[1].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@adinterax[2].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@cdn.atwola[2].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@indextools[2].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@ads.pointroll[2].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@cdn4.specificclick[2].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@adlegend[2].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@imrworldwide[1].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@zedo[1].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@questionmarket[2].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@ad.yieldmanager[1].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@chitika[1].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@www.googleadservices[2].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@www.googleadservices[1].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@adbrite[1].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@2o7[2].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@ad.wsod[2].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@tacoda[2].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@revsci[2].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@specificmedia[1].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@adrevolver[2].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@specificclick[1].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@ads.monster[2].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@sales.liveperson[3].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@sales.liveperson[2].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@server.iad.liveperson[2].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@at.atwola[1].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@server.iad.liveperson[3].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@burstnet[2].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@www.burstnet[1].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@247realmedia[1].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@ads.undertone[2].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@atwola[2].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@www.burstbeacon[1].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@hotels.112.2o7[1].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@adserver.adtechus[1].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@advertising[2].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@burstbeacon[1].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@ads.cnn[1].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@adcentriconline[1].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@yellowpages.112.2o7[1].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@dc.tremormedia[1].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@d.mediaforceads[2].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@avgtechnologies.112.2o7[1].txt

C:\Documents and Settings\Mom_2\Cookies\mom_2@richmedia.yahoo[1].txt

C:\Documents and Settings\Richie-1\Cookies\richie-1@onrampadvertising[2].txt

C:\Documents and Settings\Richie-1\Cookies\richie-1@xml.trafficengine[2].txt

C:\Documents and Settings\Richie-1\My Documents\Backups from dell\Cookies\owner@bravenet[2].txt

C:\Documents and Settings\Richie-1\My Documents\Backups from dell\Cookies\owner@edge.ru4[1].txt

C:\Documents and Settings\Richie-1\My Documents\Backups from dell\Cookies\owner@insightexpressai[1].txt

C:\Documents and Settings\Richie-1\My Documents\Backups from dell\Cookies\owner@specificclick[1].txt

C:\Documents and Settings\Richie-1\My Documents\Backups from dell\Cookies\owner@e-2dj6wjmiekajoao.stats.esomniture[2].txt

C:\Documents and Settings\Richie-1\My Documents\Backups from dell\Cookies\owner@ad.interclick[2].txt

C:\Documents and Settings\Richie-1\My Documents\Backups from dell\Cookies\owner@adopt.specificclick[2].txt



Adware.Vundo/Variant-TDay

C:\SYSTEM VOLUME INFORMATION\_RESTORE{AE2247DA-CC00-43AC-AAC7-91D1A213EEA9}\RP456\A0173386.DLL

C:\SYSTEM VOLUME INFORMATION\_RESTORE{AE2247DA-CC00-43AC-AAC7-91D1A213EEA9}\RP456\A0173387.DLL

C:\SYSTEM VOLUME INFORMATION\_RESTORE{AE2247DA-CC00-43AC-AAC7-91D1A213EEA9}\RP456\A0174409.DLL

C:\SYSTEM VOLUME INFORMATION\_RESTORE{AE2247DA-CC00-43AC-AAC7-91D1A213EEA9}\RP456\A0174410.DLL



Adware.Vundo/Variant-[Fixed]

C:\SYSTEM VOLUME INFORMATION\_RESTORE{AE2247DA-CC00-43AC-AAC7-91D1A213EEA9}\RP456\A0174408.DLL

C:\SYSTEM VOLUME INFORMATION\_RESTORE{AE2247DA-CC00-43AC-AAC7-91D1A213EEA9}\RP456\A0175394.DLL

C:\SYSTEM VOLUME INFORMATION\_RESTORE{AE2247DA-CC00-43AC-AAC7-91D1A213EEA9}\RP456\A0175395.DLL

C:\SYSTEM VOLUME INFORMATION\_RESTORE{AE2247DA-CC00-43AC-AAC7-91D1A213EEA9}\RP456\A0175399.DLL

C:\SYSTEM VOLUME INFORMATION\_RESTORE{AE2247DA-CC00-43AC-AAC7-91D1A213EEA9}\RP456\A0175400.DLL

C:\SYSTEM VOLUME INFORMATION\_RESTORE{AE2247DA-CC00-43AC-AAC7-91D1A213EEA9}\RP456\A0175401.DLL

C:\SYSTEM VOLUME INFORMATION\_RESTORE{AE2247DA-CC00-43AC-AAC7-91D1A213EEA9}\RP456\A0175402.DLL



Adware.Vundo/Variant-WinMM

C:\SYSTEM VOLUME INFORMATION\_RESTORE{AE2247DA-CC00-43AC-AAC7-91D1A213EEA9}\RP457\A0176407.DLL

Ok, lets scan with Dr. Web:

Please download Dr. Web the free version & save it to your desktop. DO NOT perform a scan yet.

Scan with Dr. Web Cureit as follows:
• Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version
• Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
• The Express scan will automatically begin.
(This is a short scan of files currently running in memory, boot sectors, and targeted folders).
• If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.
• If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
• When complete, click Select All, then choose Cure > Move incurable.
(This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
• Now put a check next to Complete scan to scan all local disks and removable media.
• In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
• Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
• When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
• Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
• In the top menu, click file and choose save report list.
• Save the DrWeb.csv report to your desktop.
• Exit Dr.Web Cureit when done.
• Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
• After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

I think the computer is fixed now because i got Malaware bytes to scan and it found i think 7 things, after i removed those it seems to work fine. I am not getting anymore windows/Temp files anymore and i can google search. Thanks! But I still did scan with Super antispyware and here is the report. And sorry it took so long, one time the automatic updates restarted the computer and another it just frooze for some reason.

VNCHooks.dll;C:\Program Files\TightVNC;Program.RemoteAdmin;Incurable.Moved.;
WinVNC.exe;C:\Program Files\TightVNC;Program.RemoteAdmin;Incurable.Moved.;

Can you please post the Malwarebytes file? It can be found under the "Logs" tab of the program.

Malwarebytes' Anti-Malware 1.42
Database version: 3325
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/8/2009 5:48:13 PM
mbam-log-2009-12-08 (17-48-13).txt

Scan type: Quick Scan
Objects scanned: 158822
Time elapsed: 28 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe logon.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\hovofizo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kohuhoro.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tukibazi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zuwupima.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.