Virtumonde/Wildtangent/Zlob Trojan Help [RESOLVED]





  • Member
  • 50 posts
Hello, I am new to this website and have joined because, a few days ago, my computer was infected by a virus I believe to be the Vundo/Virtumonde virus. After receiving this crippling blow my computer is now slower; the Internet Explorer toolbar has new ads and tools on it, which leads me to believe it was hijacked; my desktop background has been replaced by a blue screen with a yellow box saying "Warning: spyware detected on your computer", which cannot be changed via Properties, as the Desktop and Screensaver tabs are gone and I cannot access or change them; when trying to access the internet via my wireless WiFi, I get a message saying that my internet may be unsafe and that I should buy a program it suggests; when continuing onto the web to pages such as Google looking for help, my search results come up, but I cannot access the help websites or any website Google has brought up: I get redirected to another search engine every time no matter what, never getting to the page I want to be on... which forced me to use another computer to fix my own. I also get Blue Screens Of Death at start-up and around every 30-40 minutes, which restart my computer, or if I press F8 it returns me to my desktop, which I'm guessing is Safe Mode? I have recorded some of them:

Stop: 0x00000019

Stop: 0x0000002B

Stop: 0x00000099

Stop: 0x0000007F

Stop: 0x00000050

There were more, but I could not record them all (the error codes etc.) in time before the computer restarted, or these messages just disappeared (they never stay around long because the computer restarts). All of these errors in the BSOD have eventually started to loop around and I have seen the same error codes again. As well, at start-up I get another message from the Windows Script Host saying "Can not find script file C:\Documents and Settings\Bob Baker\Local Settings\Temp\.ttA2.tmp.vbs".

I have no idea what this message means; I know that it was never there before this virus though...

The program I use to remove spyware is Spysweeper (latest version, without virus protection), which I used immediately after seeing the effects of this unknown virus. It found a trojan downloader and a virus, Virtumonde, which it categorized as adware. After quarantining these threats and deleting them (usually that does the job), my computer was still hijacked. I also used my outdated McAfee VirusScan, which detected only one; again I deleted it and still no improvement. Looking for further help, I found another program to remove Virtumonde (SpyHunter), which I believe is reinstalling itself, even though Spysweeper is not detecting it now, and is still plaguing my system.

After running SpyHunter, I found 518 infected files: some files and folders, and the majority registry keys and values (some were Trojan Downloaders, others Zlob Trojan, others Zlob Trojan.Fam, others were SpyDawn, 180Solutions.Zango and 180Solutions, as well as the majority of them being a program named Wildtangent, which was installed without my consent and which I cannot delete via Remove Programs in the Control Panel because it says I need administrator access, even though I am the sole administrator of my computer)... so I went into C:\Program Files and deleted all of Wildtangent's files inside its program folder, then the folder itself, therefore killing the program, which I know was playing a part in destroying my computer. I still have no idea why Spysweeper did not pick up on any of those files/folders or registry keys of the 518 found... Using the file paths SpyHunter found, I deleted the infected files, folders and registry keys and values manually using the Registry Editor (after backing up my registry keys via System Restore by creating a checkpoint). Then, after running SpyHunter again, SpySweeper and my outdated McAfee VirusScan, 0 infected files found... but still I am getting BSODs, my internet browser is still the same, my desktop and screensavers are still hijacked...

OVERALL: I am not sure whether this is the Vundo/Virtumonde virus, or the Wildtangent program, or the Trojan downloaders, Zlob Trojans or Zlob Trojan.Fam (even though all trojans are gone now, as well as Wildtangent, and all registry keys and files/folders are now clean, according to Spysweeper, SpyHunter, McAfee VirusScan and Exterminate-It), or if all of them are one and the same that came in one package, or are a collection of viruses... I am lost here and have no idea how to beat whatever this is infecting my computer; I could use some assistance, I have no idea what to do next. (By the way, I have cut off my WiFi connection to the internet to block off any other computers on my network from being infected, and so that there could be no updates to the viruses and whatnot that are on my computer, for many days now.)

Thank You.

Edited by jarg1985, 01 July 2008 - 09:22 PM.





    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi there, and sorry for the delay - so let's see what you have.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepads, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.





  • Topic Starter
  • Member
  • 50 posts
Due to the sole fact that I cannot connect to the internet on the infected computer (so as not to corrupt my wireless network, and because it doesn't work even with WiFi on now: it says "work offline" even though I clicked connect again), I am using another one and transferred DSS via flash drive to the infected computer. I ran it and had to use DSS's internal scanner; after it ran and was complete, only extra.txt showed on the toolbar for a short minute, and when I clicked it to open it, it disappeared. I tried again with DSS, same thing with the internal scanner, and now neither main.txt nor extra.txt opens or even shows up, and now I cannot even open the Notepad program... Did something go wrong? If so, the DSS made a System Restore point the first time I ran it before it did anything.

Edited by jarg1985, 23 July 2008 - 10:35 AM.




    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Take a look in C:\deckard\scanner; both reports should be in there. I will only use small programmes from now on, as you are having to transfer the data.




  • Topic Starter
  • Member
  • 50 posts
Yes, I found main.txt in that location, but not extra.txt; I saw it in one of the two other folders in that location, named 20080723122451. Is this still the same file? I wouldn't know, since for some reason I still cannot open the Notepad program now...

Also, I just came across a new BSOD I have never seen before: SYSINTRALS_GREAT_SITE. I have no idea where these are coming from, but it seems they are just screensavers made to look like BSODs, when in fact they are not actually. One person private messaged me and said that the BSODs were in fact only screensavers, which they seem to be; I have no idea.

Edited by jarg1985, 25 July 2008 - 10:38 AM.




    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Yes, they are; they are part of the infection, which is why I needed the DSS text. However, let's try ComboFix now, as it will give me similar information and start clearing the problem.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix.
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.


    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.


  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**




  • Topic Starter
  • Member
  • 50 posts
Alright, I did everything you said and it seemed to work; I've got control again of my desktop and screensavers, but I don't know if it is all gone yet. It first said 1/100 machines failed to make it through this process, then deleted some stuff, changed my clock, completed up to stage 48, deleted more stuff and restarted my computer, then returned my clock to normal. I'm guessing it worked? By the way, I can still post the DSS files if you need them. Also, I am not familiar as to what a HijackThis log is, or if this is it. I appreciate all of your help.

Here is the Combo-Fix.txt file:

ComboFix 08-07-28.4 - Ryan Kelley 2008-07-28 21:01:29.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.573 [GMT -4:00]
Running from: C:\Documents and Settings\Ryan Kelley\Desktop\Combo-Fix.exe
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Documents and Settings\Ryan Kelley\Application Data\macromedia\Flash Player\#SharedObjects\8TEBUWZ5\interclick.com
C:\Documents and Settings\Ryan Kelley\Application Data\macromedia\Flash Player\#SharedObjects\8TEBUWZ5\interclick.com\ud.sol
C:\Documents and Settings\Ryan Kelley\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Ryan Kelley\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Program Files\ISM
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\QdrModule
C:\WINDOWS\system32\[email protected]@@k.dll

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-29 )))))))))))))))))))))))))))))))

2008-07-23 12:18 . 2008-07-23 12:18 <DIR> d-------- C:\Deckard
2008-06-30 13:57 . 2008-06-30 14:00 <DIR> d-------- C:\Program Files\Exterminate It!
2008-06-30 13:40 . 2008-01-04 20:56 1,526,640 --a------ C:\WINDOWS\WRSetup.dll
2008-06-30 13:40 . 2008-01-04 20:34 20,336 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-06-29 10:50 . 2008-06-29 10:50 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-06-29 09:53 . 2008-06-29 09:53 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\ATI
2008-06-29 01:33 . 2004-08-10 06:00 4,224 --a------ C:\WINDOWS\system32\beep.sys

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2008-06-30 01:47 --------- d-----w C:\Program Files\GemMaster
2008-06-29 05:10 --------- d-----w C:\Program Files\Warcraft III
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-01 07:02 --------- d-----w C:\Documents and Settings\Ryan Kelley\Application Data\uTorrent

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-06-26 00:10 2321600]

"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01 67584]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 12:55 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 12:56 602182]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-04-06 15:58 1032192]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 12:48 761947]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 15:43 45056]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 21:29 49152]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05 127035]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 16:30 58992]
"Norton Ghost 10.0"="C:\Program Files\Norton Ghost\Agent\GhostTray.exe" [2005-12-07 17:05 1537696]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18 151552]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 23:02 53248]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 18:29 303104]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 12:05 212992]
"MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 16:16 1121792]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-06-26 15:33 169472]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 10:26 110592]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 13:49 163840]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-11-11 17:00 1005096]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 16:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 04:22 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe" [2007-05-02 05:15 75520]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 17:30 282624 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-06-26 15:17:59 24576]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 04:15:54 65588]

"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"EnableFirewall"= 0 (0x0)

"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

\Shell\AutoRun\command - E:\setup.exe
Contents of the 'Scheduled Tasks' folder

2008-05-24 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]

2008-07-29 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (RYAN-Ryan Kelley).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2005-07-08 18:18]
- - - - ORPHANS REMOVED - - - -

HKLM-Run-lphcjkrj0e1fe - C:\WINDOWS\system32\lphcjkrj0e1fe.exe
SSODL-pntqkflv-{0BD5147A-CF91-4AB4-8E39-EC763BFC5445} - C:\WINDOWS\pntqkflv.dll

------- Supplementary Scan -------
R0 -: HKCU-Main,Start Page = hxxp://antwrp.gsfc.nasa.gov/apod/archivepix.html
R0 -: HKLM-Main,Start Page = hxxp://www.dell.com
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
O9 -: {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Ryan Kelley\Start Menu\Programs\IMVU\Run IMVU.lnk
O17 -: HKLM\CCS\Interface\{8B0F6CA2-3D7D-44AC-9FA0-3C1B785A07ED}: NameServer =,

O16 -: {00000005-0000-0000-0000-100011000004} - hxxp://c.imputati.com/l/0e3ec50449265a06abaaf7af262b94d4_35.exe


catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-28 21:06:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\PROGRA~1\Google\GOOGLE~1\GOA66E~1.DLL
------------------------ Other Running Processes ------------------------
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee.com\Agent\Mcdetect.exe
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\McAfee\SpamKiller\MSKAgent.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\iPod\bin\iPodService.exe
Completion time: 2008-07-28 21:10:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-29 01:09:56

Pre-Run: 22,892,535,808 bytes free
Post-Run: 22,855,139,328 bytes free

183 --- E O F --- 2008-06-20 19:14:08

Edited by jarg1985, 28 July 2008 - 07:25 PM.




    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK, I will now go for a deep scan to clear any remnants and tidy up. As for the HijackThis log, I will require one later.
Here are the instructions for use and downloading, but I will not require it until after the next fix :)

Download & Run HijackThis.exe

  • Download HJTInstall.exe to your Desktop.
  • Doubleclick HJTInstall.exe to install it.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Copy/Paste the log to your next reply please.
Don't use the Analyse This button; its findings are dangerous if misinterpreted.
Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

But First

Download OTScanit to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Open the OTScanit folder and double-click on OTScanit.exe to start the program.
  • Check the box that says Scan All User Accounts
  • Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
  • Under Additional Scans check the following:
    • Reg - BotCheck
    • Reg - Desktop Components
    • Reg - Disabled MS Config Items
    • File - Additional Folder Scans
    • File - Purity Scan
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on the insert button to insert the attachment into your post





  • Topic Starter
  • Member
  • 50 posts
All right, I did all of that. By the way, a quick question about the Combo-Fix.txt file I posted: when it says at the beginning of it in red text "Warning - This machine does not have the recovery console installed!!", is that a normal thing, good or bad? Thanks again for all of your help.

Here is the OTScanIt.Txt file:

Attached File  OTScanIt.Txt   210.89KB   110 downloads

Edited by jarg1985, 29 July 2008 - 09:43 PM.




    GeekU Moderator

  • Retired Staff
  • 69,964 posts

All right, I did all of that. By the way, a quick question about the Combo-Fix.txt file I posted: when it says at the beginning of it in red text "Warning - This machine does not have the recovery console installed!!", is that a normal thing, good or bad? Thanks again for all of your help.

Normally I would ask you to install the Recovery Console, but as we were working with USB it would be too large to transfer. It is a handy facility to have on XP, as it enables recovery from a badly damaged system.

First we will secure your system

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 7...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement". The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.

OK then, that log looked OK, so we will go for an orphan sweep now and a new HijackThis log.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Logs required: MBAM and a new HijackThis log, plus how is your computer running now?





  • Topic Starter
  • Member
  • 50 posts
Hmm, it seems that I have encountered a problem with even finding the Java files: I open Add/Remove Programs in the Control Panel, but see none on the list at all. Then I search for files/folders, searching for "Java", and many results and files pop up; I am not sure what to delete, so I'm a bit stuck here. As for MBAM, I ran that as instructed, and it found 7 things if I remember correctly; then I deleted them with no problems. Next I downloaded and ran HijackThis for the very first time according to your last post, following those instructions on how to install and run HijackThis. I posted the HijackThis log as well as the MBAM one below. I am also wondering, would it be safe to turn on my WiFi card in my laptop yet, so that I wouldn't need a flash drive to download the programs you are giving me? As I said before, I do not want other computers on my network to be infected, so I am wondering now, since my system seems basically back to normal. In addition, once I do get back on the internet with my laptop: you said in your last post that normally you would ask me to install the Recovery Console, but as I was working with USB it would be too large to transfer. Should I still install it at the end of all of these processes of system cleaning? I think it would be a good idea to help prevent future things like this from ever happening again. You also asked how my computer is running now: I've got control of the desktop and screensavers again and everything seems to be running smoothly again, but I have yet to try out the speed of the internet, so I do not know how fast Internet Explorer will load windows, slower or faster than before; I have no idea.

Here is the MBAM Log:

Malwarebytes' Anti-Malware 1.24
Database version: 1012
Windows 5.1.2600 Service Pack 2

10:07:26 PM 7/30/2008
mbam-log-7-30-2008 (22-07-26).txt

Scan type: Quick Scan
Objects scanned: 42207
Time elapsed: 5 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\bndblock4.band.1 (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d4a714f6-af40-4425-b708-ff03cbbc0a84} (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{00000005-0000-0000-0000-100011000004} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\gxvpsafm.bdmn (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\gxvpsafm.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Here is the Hijackthis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:14:21 PM, on 7/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://antwrp.gsfc.n...archivepix.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] "C:\Program Files\McAfee.com\VSO\oasclnt.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKDetectorExe] "C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" /startup
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [VirusScan Online] "C:\Program Files\McAfee.com\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKLM\..\Run: [Spyhunter Security Suite] "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe"
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Startup: IMVU.lnk = C:\Program Files\IMVU\IMVUClient.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\npjpi150_12.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\npjpi150_12.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Ryan Kelley\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B0F6CA2-3D7D-44AC-9FA0-3C1B785A07ED}: NameServer =,
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

End of file - 10854 bytes

Edited by jarg1985, 30 July 2008 - 08:51 PM.


GeekU Moderator
OK you look good to go online now.

you said in your last post normally you would ask me to install the recovery console, but as I was working with USB it would be too large to transfer, should I still install it at the end of all of these processes of system cleaning? I think it would be a good idea to help prevent future things like this from ever happening again.

Yes, I would like you to get it still. If you go to the ComboFix link below it will show you how to install it. Once installed, if you could come back and let me know how things are running. If you are happy I will remove my tools and tidy you up :)

Please visit this web page for instructions for downloading and running ComboFix.


This includes installing the Windows XP Recovery Console in case you have not installed it yet. It is imperative that you install this as it will enable a system recovery in the event of problems.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

Topic Starter
Well, this isn't good. I activated my WiFi card, it connected to my home network and works, but when I click on Internet Explorer it won't display a single webpage; it says I am working offline. I can't download ComboFix to install my Recovery Console. I have no idea what to do. I don't think this is viral though; could it be something that I did while trying to fix the virus? I am using another computer on my home network at the moment and it works fine online, so it's not the cable provider that I have or the wireless router.


What about the Java problem that I ran into? Should I just install the new one anyway now, or should I delete all files/folders that have anything to do with the old Java, or should I just hold off until I can get back online again?

Thanks for all that you are doing, I really appreciate it.

Edited by jarg1985, 31 July 2008 - 09:17 PM.


GeekU Moderator
Does IE give you the option to go online, or does it just state that you are working offline?

Let's try flushing your DNS to see if that helps.

Before doing this, write down all the settings. Note that not all systems/setups even have these settings, while some connection services will require them.

These instructions are basically for home users.

In the Windows Control Panel, if you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double-click on Network Connections. Then right-click on your default connection (usually Local Area Connection for cable and DSL) and left-click on Properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically.

Press OK twice to get out of the Properties screen and reboot if it asks.
That option might not be available on some systems.
Next, go Start > Run, type cmd and hit OK. Then type:
ipconfig /flushdns
and hit Enter, then type exit and hit Enter.
(The space between g and / is needed.)

Remove the old Java by using this tool http://www.majorgeek...wnload5967.html
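The symptoms in this thread (hijacked start page, redirected searches, and the DNS settings the moderator asks to reset) all show up as specific line types in the HijackThis log posted above: R0/R1 for the IE start page and proxy keys, O4 for programs run at logon, and O17 for each adapter's NameServer value. The O17 value is the per-adapter DNS server list; an empty value (as in the `NameServer =,` line in the log above) means DNS is DHCP-assigned, which is what "Obtain DNS servers automatically" produces, while hard-coded addresses that do not belong to your router or ISP are what a DNS hijack looks like in this log. As an added example (not part of the thread, and not HijackThis's own code), here is a small Python triage script that parses that line format and pulls those entries out. It goes slightly beyond the log above in that it also accepts the `CS1` control set and the `Tcpip\Parameters` form of the O17 line. The sample lines, GUIDs, paths and addresses are constructed for the example; the "expected" resolver set is an assumption you replace with your own router/ISP addresses.

```python
"""Triage helpers for HijackThis-format log lines.

Added example for this thread, not part of HijackThis or of the posts
above. Every path, GUID and IP address below is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample in HJT line format (NOT the log posted in the thread).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/start
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" /startup
O4 - HKCU\..\Run: [updater] C:\WINDOWS\system32\updater.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{AAAAAAAA-0000-0000-0000-000000000001}: NameServer =,
O17 - HKLM\System\CCS\Services\Tcpip\..\{AAAAAAAA-0000-0000-0000-000000000002}: NameServer = 192.0.2.53,192.0.2.54
O23 - Service: Example Service (ExampleSvc) - Example Corp - C:\Program Files\Example\svc.exe
"""

# Every HJT entry is "<section> - <body>", e.g. "O17 - HKLM\...".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# O17: DNS server list, either per adapter (keyed by interface GUID) or the
# global Tcpip\Parameters value. CCS/CS1 = CurrentControlSet/ControlSet001.
O17_RE = re.compile(
    r"^HKLM\\System\\C\w+\\Services\\Tcpip\\"
    r"(?:\.\.\\(?P<iface>\{[0-9A-Fa-f-]+\})|(?P<params>Parameters)): "
    r"NameServer =\s*(?P<servers>.*)$"
)
# O4 Run entries: hive, value name in brackets, then the command line.
O4_RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# R0/R1: "<registry key>,<value name> = <data>" (IE start page, proxy settings).
R_RE = re.compile(r"^(?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")


@dataclass
class Entry:
    section: str
    body: str


def parse_hjt(text: str) -> List[Entry]:
    """Return the (section, body) entries; header/footer lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def nameservers(entries: List[Entry]) -> Dict[str, List[str]]:
    """Map adapter GUID (or 'Parameters') -> DNS servers. An empty list means
    no hard-coded NameServer value, i.e. DHCP-assigned DNS."""
    result: Dict[str, List[str]] = {}
    for e in entries:
        if e.section != "O17":
            continue
        m = O17_RE.match(e.body)
        if m:
            key = m["iface"] or "Parameters"
            result[key] = [s.strip() for s in m["servers"].split(",") if s.strip()]
    return result


def flag_dns(entries: List[Entry], expected: Set[str]) -> List[str]:
    """Report adapters whose hard-coded DNS servers are not in `expected`
    (your router's or ISP's resolvers). Empty NameServer values pass."""
    findings = []
    for iface, servers in nameservers(entries).items():
        unexpected = [s for s in servers if s not in expected]
        if unexpected:
            findings.append(f"{iface}: hard-coded DNS {unexpected} not in expected set")
    return findings


def run_entries(entries: List[Entry]) -> List[Dict[str, str]]:
    """Programs launched at logon via the HKLM/HKCU Run keys (O4 lines)."""
    runs = []
    for e in entries:
        if e.section == "O4":
            m = O4_RUN_RE.match(e.body)
            if m:
                runs.append({"hive": m["hive"], "name": m["name"], "cmd": m["cmd"]})
    return runs


def ie_settings(entries: List[Entry]) -> Dict[str, str]:
    """IE registry values from R0/R1 lines, keyed by value name."""
    settings = {}
    for e in entries:
        if e.section in ("R0", "R1"):
            m = R_RE.match(e.body)
            if m:
                settings[m["value"]] = m["data"]
    return settings


if __name__ == "__main__":
    log = parse_hjt(SAMPLE_LOG)
    print("IE settings:", ie_settings(log))
    for r in run_entries(log):
        print(f"Run [{r['hive']}] {r['name']}: {r['cmd']}")
    # Assumed trusted resolver for the example; substitute your router/ISP addresses.
    for finding in flag_dns(log, expected={"192.0.2.53"}):
        print("DNS finding:", finding)
```

Usage: paste a real log into `SAMPLE_LOG` (or read it from a file) and pass your router's or ISP's resolver addresses as `expected`. Anything `flag_dns` reports is exactly the per-adapter value that switching to "Obtain DNS servers automatically" clears; the `run_entries` and `ie_settings` output gives you the same R0/R1 and O4 lines a helper would ask about, without hand-scanning the log.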

Topic Starter
Weird, when I started my computer, McAfee said that my computer was in lockdown mode, disabling all network traffic. I switched it off, and my Internet seems to be in fine working order and works fast and smoothly, so I guess I don't need to flush my DNS after all. Sorry about that; that pop-up didn't appear last time though. I just downloaded your link and removed the old Java versions, and installed the newest one that you gave to me a few posts back. Also, I tried installing the Recovery Console, but it seems that I don't have a Windows XP CD, so is there any other option I have to install the Recovery Console without the CD? By the way, do you need a new ComboFix log, or the ComboFix log from installing the Recovery Console and the HijackThis log as you stated 2 posts back?

Edited by jarg1985, 01 August 2008 - 07:59 PM.
