1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Random pop up searches

Discussion in 'Virus & Other Malware Removal' started by Tennisbear, Sep 27, 2008.

Thread Status:
Not open for further replies.
Advertisement
  1. Tennisbear

    Tennisbear Thread Starter

    Joined:
    Sep 27, 2008
    Messages:
    3
    Hi, just today I somehow picked up a nasty virus. I ran both adaware and AVG and neither seemed to pick up anything. However adaware noticed a suspicious process called "faceback.exe" and advised me to report it to them, however they provided no help as to what it was. I've been getting random pop ups (mostly in IE) for search results of random words like "korn" and books". Two trojan installers were also found on my desktop after the attack so I quickly deleted them. I haven't been able to get IE to load anything at all. Also, this may or may not be related, but when i go to the google homepage there are two search bars with the google logo over there. Like one on top of the other, kindof weird. Here is a copy of my hijack this log and let me know if you need any additional information. (currently running xp)

    [NEW LOG FILE BELOW]

    Any help would be greatly appreciated

    *also it appears that whenever I click a link something called http://interplusclick.com/ opens a new tab then redirects to a random site. I've also got a "server busy" error popup.
    *another update, I downloaded spyware search and destroy and it appeared to fine 70 items and recovered them all. however when windows restarted a bunch of MSDOS windows popped up and started doing things and then closed. After all this the problems persisted and now with spybot running i keep getting detections that an important registry entry has been changed.
    *alright one more update, I guess im infected with some trojan called Virtumonde. I'm not really sure what that means but I've been trying to figure out a fix. Please help!

    I did something right and now my google is back to normal and I can once again load things with internet explorer. When i now run spybot i get two infections everytime, virtumonde.dll and virtumonde.prx. I've rescanned with hijackthis and here is my new log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:55:08 PM, on 9/28/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\HP\KBD\KBD.EXE
    c:\windows\system\hpsysdrv.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?T...=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?T...=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?T...=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?T...=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?T...=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?T...=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
    O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [feedreader.exe] "C:\Program Files\FeedReader30\feedreader.exe"
    O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
    O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
    O4 - HKCU\..\Run: [VnrBlock21] "C:\Program Files\VnrBlock\VnrBlock21.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O20 - AppInit_DLLs: ogrzjv.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 9888 bytes

    Help plleeeeeeease :)
     
  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    Please disable SpybotSD TeaTimer, as it may hinder the removal of the infection. You can enable it after you're clean.
    To disable SpybotSD TeaTimer:

    Open Spybot and click on Mode and check Advanced Mode
    Check yes to next window.
    Click on Tools in bottom left hand corner.
    Click on System Startup icon.
    Uncheck Teatimer box.
    Click Allow Change box.

    You can follow this link if you need help: http://russelltexas.com/malware/teatimer.htm

    then

    Please download http://www.malwarebytes.org/affiliates/thespykiller/mbam-setup.exe (Malwarebytes' Anti-Malware) to your desktop.

    Double-click mbam-setup.exe and follow the prompts to install the program. At the end, be sure a checkmark is placed next to the following:

    Update Malwarebytes' Anti-Malware. Launch Malwarebytes' Anti-Malware. Then click Finish.

    If an update is found, it will download and install the latest version. Press Update to make sure the latest database is loaded.
    Once the program has loaded, select Perform quick scan, then click Scan.
    When the scan is complete, click OK, then Show Results to view the results.
    Be sure that everything is checked, and click Remove Selected.
    When completed, a log will open in Notepad.
    Please include this log in your next reply.
     
  3. Tennisbear

    Tennisbear Thread Starter

    Joined:
    Sep 27, 2008
    Messages:
    3
    Hey thanks a lot! here is my log file

    Malwarebytes' Anti-Malware 1.28
    Database version: 1222
    Windows 5.1.2600 Service Pack 2

    9/30/2008 12:48:18 AM
    mbam-log-2008-09-30 (00-48-18).txt

    Scan type: Quick Scan
    Objects scanned: 46456
    Time elapsed: 4 minute(s), 50 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 6
    Registry Keys Infected: 24
    Registry Values Infected: 6
    Registry Data Items Infected: 2
    Folders Infected: 7
    Files Infected: 38

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\WINDOWS\system32\yayvSjkj.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\ydeingev.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\ogrzjv.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\yggimc.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\ijtvypob.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\qfilxz.dll (Trojan.Vundo.H) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{453f51e8-fef5-4c54-b136-944bf434360c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fccawmlm (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{453f51e8-fef5-4c54-b136-944bf434360c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{914afb5a-ee73-4df0-8dc0-635a00d4bf22} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{914afb5a-ee73-4df0-8dc0-635a00d4bf22} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e8930567-1408-450c-9685-90c34a7a5d0b} (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{e8930567-1408-450c-9685-90c34a7a5d0b} (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{89046018-62c3-45e2-a6e9-07231ab38775} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\oincs.oinanalytics (Adware.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{6b221e01-f517-4959-8c41-81948e7f2f17} (Adware.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6b221e01-f517-4959-8c41-81948e7f2f17} (Adware.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\oincs.oinanalytics.1 (Adware.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AppID\{f7fa36a4-3177-4b57-b9c1-e9c5b2e0d3a9} (Adware.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\oinanalytics (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\bchanger (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AppID\OINAnalytics.DLL (Adware.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1cefa9ea (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Products\rdomain (Rogue.PCVirusless) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Products\prodname (Rogue.PCVirusless) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Products\compname (Rogue.PCVirusless) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vnrblock21 (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm1fdc9a76 (Trojan.Agent) -> Delete on reboot.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\yayvsjkj -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\yayvsjkj -> Delete on reboot.

    Folders Infected:
    C:\Documents and Settings\All Users\Application Data\SalesMonitor (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Application Data\SalesMonitor\Data (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Program Files\SpyGuardPro (Rogue.SpyGuardPro) -> Quarantined and deleted successfully.
    C:\Program Files\OINAnalytics (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Program Files\BChanger (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\HP_Owner\Application Data\SpyGuardPro (Rogue.SpyGuardPro) -> Quarantined and deleted successfully.
    C:\Documents and Settings\HP_Owner\Application Data\SpyGuardPro\Logs (Rogue.SpyGuardPro) -> Quarantined and deleted successfully.

    Files Infected:
    C:\WINDOWS\system32\fccaWmlM.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\qfilxz.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\yayvSjkj.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\jkjSvyay.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\jkjSvyay.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ydeingev.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\vegniedy.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ogrzjv.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\yggimc.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\ijtvypob.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\Program Files\OINAnalytics\OINAnalytics.dll (Adware.BHO) -> Quarantined and deleted successfully.
    C:\WINDOWS\faceback.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\qttcmuwd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\fccaWmlM.dll.bak (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\lmpwajpl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\sqjcembq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\tatoyr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Documents and Settings\HP_Owner\Local Settings\Temp\gettpa221.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
    C:\Documents and Settings\HP_Owner\Local Settings\Temp\gettpa421.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
    C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\86AHJKD1\upd105320[1] (Trojan.Vundo.H) -> Delete on reboot.
    C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\WJSL6HEB\nd82m0[1] (Trojan.Vundo.H) -> Delete on reboot.
    C:\Program Files\SpyGuardPro\history.db (Rogue.SpyGuardPro) -> Quarantined and deleted successfully.
    C:\Program Files\SpyGuardPro\ResErrors.log (Rogue.SpyGuardPro) -> Quarantined and deleted successfully.
    C:\Program Files\OINAnalytics\Uninstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Program Files\BChanger\bchanger.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Program Files\BChanger\data.dat (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Program Files\BChanger\Uninstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\HP_Owner\Application Data\SpyGuardPro\avtasks.dat (Rogue.SpyGuardPro) -> Quarantined and deleted successfully.
    C:\Documents and Settings\HP_Owner\Application Data\SpyGuardPro\Logs\av.log (Rogue.SpyGuardPro) -> Quarantined and deleted successfully.
    C:\Documents and Settings\HP_Owner\Application Data\SpyGuardPro\Logs\ga6Support.log (Rogue.SpyGuardPro) -> Quarantined and deleted successfully.
    C:\Documents and Settings\HP_Owner\Application Data\SpyGuardPro\Logs\update.log (Rogue.SpyGuardPro) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\rpbqoldt.dll (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\BM1fdc9a76.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\BM1fdc9a76.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Documents and Settings\HP_Owner\~.exe (Trojan.Agent) -> Quarantined and deleted successfully.
     
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    That seems to have found & fixed quite abit

    reboot TWICE

    then run MBAM again and post its new log please
     
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/754004

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice