Tricky Virus i need help with

16 replies to this topic

#1 rich87


  • Members
  • 9 posts
  • Local time:04:12 AM

Posted 05 December 2009 - 05:12 PM

My laptop recently got a virus from some bad flash game site. I have scanned the whole computer with Spybot Search and Destroy, AVG Free Edition, and Malwarebytes. They picked up a few things and I removed them. I re-scanned just to be sure and they all came up clean, so I thought I was done with it. Now my AVG Free Edition keeps on popping up every 15 minutes saying virus removed. Apparently something keeps on putting some svchost.exe file in my WINDOWS/Temp file. Also, my Google searches are messing up: if I search ebay.com and click onto it from Google, it takes me to some advertising site. Any ideas? Thanks in advance.

#2 Guest_computersplus_*


  • Guests

Posted 05 December 2009 - 06:33 PM

Hello here are some things to try that may help with your problem

1. download and install SuperAntiSpyware and make sure to let it update
2. turn off system restore (control panel/system)
3. boot into safe mode (F8 on startup)
4. run SuperAntiSpyware in safe mode

then post back and let's see what happens next

#3 rich87

  • Topic Starter

  • Members
  • 9 posts

Posted 05 December 2009 - 09:19 PM

go away spammer

How am I a spammer?

#4 Guest_computersplus_*


  • Guests

Posted 05 December 2009 - 09:28 PM

I am talking about the bluevonda spamming he has on other posts also

#5 rich87

  • Topic Starter

  • Members
  • 9 posts
  • Local time:04:12 AM

Posted 05 December 2009 - 09:31 PM

Oh, sorry, my bad. And I'm installing SuperAntiSpyware on it right now.

#6 Guest_computersplus_*


  • Guests

Posted 05 December 2009 - 09:46 PM

no problem man

Remember: turn off system restore and go to safe mode to scan after the SAS update. This should really help. When you run SAS, run full scan mode also.

#7 rich87

  • Topic Starter

  • Members
  • 9 posts

Posted 06 December 2009 - 05:13 PM

Little problem, I can't get into safe mode. I installed it and updated it, I then went to restart it and open up in safe mode, but when I click safe mode it tries to load it and then I get the blue screen of death. Can I run it in normal mode?

#8 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • Gender:Male
  • Local time:04:12 AM

Posted 06 December 2009 - 06:05 PM

Yes, you may run it in Normal Mode.
Computer Pro

#9 rich87

  • Topic Starter

  • Members
  • 9 posts

Posted 07 December 2009 - 10:05 PM

I scanned it and it detected 3 viruses and I removed them. But the computer is still getting the blue screen of death when I try to go into safe mode. I scanned again with Spybot and SuperAntiSpyware and they came up clean. I went to scan it with Malwarebytes but it won't open; it says it's missing a .dll file and I should try to re-install it, but I did and I am still getting the same error. Anything I can try?

#10 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • Gender:Male
  • Local time:04:12 AM

Posted 07 December 2009 - 10:08 PM

Could you please post your SAS log?
Computer Pro

#11 rich87

  • Topic Starter

  • Members
  • 9 posts
  • Local time:04:12 AM

Posted 08 December 2009 - 04:10 PM

SUPERAntiSpyware Scan Log


Generated 12/06/2009 at 09:27 PM

Application Version : 4.31.1000

Core Rules Database Version : 4340

Trace Rules Database Version: 2191

Scan type : Complete Scan

Total Scan Time : 00:57:45

Memory items scanned : 446

Memory threats detected : 0

Registry items scanned : 6567

Registry threats detected : 0

File items scanned : 11211

File threats detected : 167

Adware.Tracking Cookie

#12 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • Gender:Male
  • Local time:04:12 AM

Posted 08 December 2009 - 05:22 PM

Ok, let's scan with Dr. Web:

Please download Dr. Web the free version & save it to your desktop. DO NOT perform a scan yet.

Scan with Dr. Web Cureit as follows:
Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
The Express scan will automatically begin.
(This is a short scan of files currently running in memory, boot sectors, and targeted folders).
If prompted to download the Full version Free Trial, ignore and click the X to close the window.
If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
When complete, click Select All, then choose Cure > Move incurable.
(This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
Now put a check next to Complete scan to scan all local disks and removable media.
In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
In the top menu, click file and choose save report list.
Save the DrWeb.csv report to your desktop.
Exit Dr.Web Cureit when done.
Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)
Computer Pro

#13 rich87

  • Topic Starter

  • Members
  • 9 posts
  • Local time:04:12 AM

Posted 10 December 2009 - 03:58 PM

I think the computer is fixed now because I got Malwarebytes to scan and it found I think 7 things; after I removed those it seems to work fine. I am not getting any more windows/Temp files and I can Google search. Thanks! But I still did scan with SuperAntiSpyware and here is the report. And sorry it took so long, one time the automatic updates restarted the computer and another it just froze for some reason.

VNCHooks.dll;C:\Program Files\TightVNC;Program.RemoteAdmin;Incurable.Moved.;
WinVNC.exe;C:\Program Files\TightVNC;Program.RemoteAdmin;Incurable.Moved.;

#14 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • Gender:Male
  • Local time:04:12 AM

Posted 10 December 2009 - 04:05 PM

Can you please post the Malwarebytes file? It can be found under the "Logs" tab of the program.
Computer Pro

#15 rich87

  • Topic Starter

  • Members
  • 9 posts
  • Local time:04:12 AM

Posted 10 December 2009 - 06:09 PM

Malwarebytes' Anti-Malware 1.42
Database version: 3325
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/8/2009 5:48:13 PM
mbam-log-2009-12-08 (17-48-13).txt

Scan type: Quick Scan
Objects scanned: 158822
Time elapsed: 28 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe logon.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\hovofizo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kohuhoro.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tukibazi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zuwupima.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
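
Added example, not part of the original thread or of Malwarebytes: a small Python reader for the log format posted above that checks the summary counts against the listed items, flags anything not reported as removed, and pulls out the registry data changes (the `Winlogon\Shell` and `UpdatesDisableNotify` entries). The function names are hypothetical, and it assumes any action text other than "Quarantined and deleted successfully." means the item still needs attention.

```python
import re
from collections import Counter

# Abridged copy of the Malwarebytes log posted above (zero-count sections dropped).
SAMPLE_LOG = r"""
Registry Data Items Infected: 2
Files Infected: 4

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe logon.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\hovofizo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kohuhoro.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tukibazi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zuwupima.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
"""

REMOVED = "Quarantined and deleted successfully."  # assumed to be the only "done" action
COUNT_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")   # summary counter line
HEADER_RE = re.compile(r"^([A-Za-z ]+ Infected):$")        # start of an item section
ITEM_RE = re.compile(
    r"^(?P<target>.+?) \((?P<name>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> )?(?P<action>.+)$"
)

def parse_log(text):
    """Return (declared counts per section, list of detected items)."""
    declared, items, section = {}, [], None
    for line in map(str.strip, text.splitlines()):
        if m := COUNT_RE.match(line):
            declared[m[1]] = int(m[2])
        elif m := HEADER_RE.match(line):
            section = m[1]
        elif section and (m := ITEM_RE.match(line)):
            items.append({"section": section, **m.groupdict()})
    return declared, items

def audit(text):
    """List what still needs attention after the scan."""
    declared, items = parse_log(text)
    listed = Counter(i["section"] for i in items)
    problems = [f"{s}: summary says {n}, {listed[s]} listed"
                for s, n in declared.items() if listed[s] != n]
    problems += [f"not removed: {i['target']} -> {i['action']}"
                 for i in items if i["action"] != REMOVED]
    return problems

def registry_changes(text):
    """(value path, bad data, expected data) for each registry data item."""
    return [(i["target"], i["bad"], i["good"])
            for i in parse_log(text)[1] if i["bad"] is not None]

if __name__ == "__main__":
    print(audit(SAMPLE_LOG) or "all listed items were removed")
    for path, bad, good in registry_changes(SAMPLE_LOG):
        print(f"{path}: {bad!r} should be {good!r}")
```

An empty result from `audit` only means the log is internally consistent and every listed item was reported removed; a fresh scan after the reboot is still what confirms the machine is clean.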
