Security Popups, Spyware driving me nuts! HJT log

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Tamastara, Dec 26, 2005.

  1. Tamastara

    Tamastara Private E-2

    DELL 9100
    XP HOME SP2
    P4 3.00
    1G RAM

    I keep getting popups that try to download some probably bogus spyware or antivirus software after it says I have security issues.
    I have run ADAWARE and it shows nothing, I have run Spybot and it only shows tracking cookies.
    I also ran CLEANUP! (I know I should have waited); it seemed to help at first, but it came back after rebooting.
    HJT Log file attached.
    PLEASE HELP!!!!

    P.S. Is there a way of letting me know HOW/WHERE this came from so I can kill the culprit in my house? :)

    DELL 9100
    XP HOME SP2
    P4 3.00 GHZ
    1G RAM

    My apologies for the last post. I was in another forum and did what they asked, and apparently didn't post to the right thing. Anyway, I went through steps 1-6 on this forum and the new HJT log is after this forum's requirements.
    Ran the following in this order:
    Ccleaner, Microsoft Malware, Ad-Aware SE, Spybot and Microsoft Antispyware.
    I have a home network and it is on both computers. The other computer however says it has a WIN32 Infection. Is it possible that worm is the culprit and can travel to other computers in the household depositing adware and spyware?
    Please Help!

    Also if possible I would be very interested in knowing what download etc. this crap came with.
    I would be ever so grateful just for the help if nothing else!!

    Happy Holidays to everyone!!
     


    Last edited by a moderator: Dec 26, 2005
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to MG's!

    You have a Vundo infection. You must follow standard cleaning procedures in the READ & RUN ME sticky before posting HJT logs. However, try the steps in:

    Virtumonde aka Trojan Vundo Fix w/ Tool

    Your lines will be slightly different in appearance due to a change in the Vundo type.
    Yours are:

    O2 - BHO: ATLDistrib Object - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - C:\WINDOWS\system32\vtutu.dll
    O20 - Winlogon Notify: vtutu - C:\WINDOWS\system32\vtutu.dll
     
  3. Tamastara

    Tamastara Private E-2

    I did that when I posted the second post. Could you look at the .txt that you didn't view? That is the one that I ran after I did steps 1-6 of the READ & RUN ME.
     
  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    My apologies, I inadvertently merged your posts when I meant to merge your threads. Reply back in this thread; do not start new threads for this problem.

    @ chaslang the current log is 122605.txt in post #1.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But you did not run the online scanners in step 6 of the READ & RUN ME and you did not post the two required logs.
    But what I was also saying in my previous message is that you need to do the steps in: Virtumonde aka Trojan Vundo Fix w/ Tool

    The READ & RUN ME will not fix Virtumonde. Special steps are needed.
     
  6. Tamastara

    Tamastara Private E-2

    OK! I did what you suggested, Chaslang! Attached is the NEW HJT log file!
    Again, I am SO grateful for all your help!
    Is there any way to know what this came in with, or how it got here?
    So sorry for all the confusion, my bad! Thanks for being patient :)
     


  7. Tamastara

    Tamastara Private E-2

    Dell 2300
    XP HOME SP2
    1.8 GHZ
    256 RAM
    2nd computer and problem originator! I get about:blank when I open IE and have found C3kwepn.exe, as well as all the security popups etc.

    Please help again? :)

    Attached is the HJT log.
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your first computer is clean now, but you can fix the below minor items using HJT:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

    You never did complete ALL of the READ & RUN ME on this first PC.

    Now for your second PC you must do ALL of the READ ME. This includes all of step 6, which is the two online scanners, and attach the logs from the online scanners. After completing ALL of the READ ME, also do the below.

    Download about:Buster 6.0

    Get any updates. Then reboot into safe mode and run About:Buster twice and save the log. Then reboot into normal mode and attach the log from About:Buster and also attach a new HJT log.
     
  9. Tamastara

    Tamastara Private E-2

    OK! I did ALL of 1-6 plus ran About:Buster. Attached are the 4 log files requested.

    I still have issues that I cannot get rid of. I thank you for your patience as mine are wearing thin! I cannot tell you how much I appreciate you and your knowledge.

    :)
    I certainly hope you had a wonderful holiday season, you sure deserve it!

    Regards,
    Tama
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    HijackThis logs must be from normal boot mode unless otherwise specified.

    You also must not use msconfig to control what startups load. This is covered in the link for downloading and installing HJT. Please run msconfig and select normal startup. Then do the below:

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to SmartFinder Uninstall (or if not found look for SmartFinder_Uninstall) ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    SmartFinder Uninstall

    If that does not work, try entering the short name: SmartFinder_Uninstall

    Now exit HJT, but do not reboot if it tells you it is necessary.

    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [syscr.exe] C:\WINDOWS\syscr.exe
    O4 - HKLM\..\Run: [9.tmp] C:\DOCUME~1\OWNER~1.COR\LOCALS~1\Temp\9.tmp.exe
    O4 - HKLM\..\Run: [A.tmp] C:\DOCUME~1\OWNER~1.COR\LOCALS~1\Temp\A.tmp.exe
    O4 - HKLM\..\Run: [A.tmp.exe] C:\DOCUME~1\OWNER~1.COR\LOCALS~1\Temp\A.tmp.exe
    O4 - HKLM\..\Run: [9.tmp.exe] C:\DOCUME~1\OWNER~1.COR\LOCALS~1\Temp\9.tmp.exe
    O4 - HKLM\..\Run: [apiqt.exe] C:\WINDOWS\system32\apiqt.exe
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O23 - Service: SmartFinder Uninstall (SmartFinder_Uninstall) - Unknown owner - C:\Documents and Settings\Owner.CORY\Local Settings\Temporary Internet Files\Content.IE5\0M2XANUP\SFUninstaller[1].exe" service (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Documents and Settings\Owner.CORY\Local Settings\Temporary Internet Files\Content.IE5\0M2XANUP\SFUninstaller[1].exe
    C:\Documents and Settings\Stephanie\Local Settings\Temp\cd_clint.dll <--- actually delete all files you can in this Temp folder
    C:\Documents and Settings\Owner.CORY\Local Settings\Temp\9.tmp.exe <--- actually delete all files you can in this Temp folder
    C:\Documents and Settings\Owner.CORY\Local Settings\Temp\A.tmp.exe
    C:\WINDOWS\system32\yjjvf.dll
    C:\WINDOWS\system32\apiqt.exe
    C:\WINDOWS\syscr.exe

    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise, open Task Manager and kill the process if running, then delete the file.

    Now, if running Win XP, go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    Reminder Note: Once we have determined you are malware free, you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
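As an added illustration (not part of this thread, and not code from HijackThis or MajorGeeks), the script below applies the kind of reasoning chaslang uses in posts #2 and #10 to HijackThis-style log lines: autoruns whose executable lives in a Temp folder, a service with an unknown owner, a Winlogon Notify DLL, and orphaned entries whose target file is gone. The sample lines are constructed from the entries quoted in this thread; the severity rules, function names and the `Finding` type are my own assumptions, not part of HijackThis. The heuristics deliberately stay conservative, so an entry like apiqt.exe in system32, which the expert caught by judgement, is not flagged.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: HijackThis-style lines modelled on the entries quoted in
# posts #2, #8 and #10 of this thread. It is not a real log file from the poster.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R3 - Default URLSearchHook is missing
O2 - BHO: ATLDistrib Object - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - C:\WINDOWS\system32\vtutu.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [syscr.exe] C:\WINDOWS\syscr.exe
O4 - HKLM\..\Run: [9.tmp] C:\DOCUME~1\OWNER~1.COR\LOCALS~1\Temp\9.tmp.exe
O4 - HKLM\..\Run: [apiqt.exe] C:\WINDOWS\system32\apiqt.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O20 - Winlogon Notify: vtutu - C:\WINDOWS\system32\vtutu.dll
O23 - Service: SmartFinder Uninstall (SmartFinder_Uninstall) - Unknown owner - C:\Documents and Settings\Owner.CORY\Local Settings\Temporary Internet Files\Content.IE5\0M2XANUP\SFUninstaller[1].exe" service (file missing)
"""

# Every HJT line starts with a section code (R0, O4, O23 ...) followed by " - ".
ENTRY_RE = re.compile(r'^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$')
# First drive-letter or %windir% path ending in .exe/.dll inside the entry body.
PATH_RE = re.compile(r'(?:[a-z]:\\|%windir%\\)[^"\r\n]*?\.(?:exe|dll)', re.IGNORECASE)
# An autorun sitting directly in the Windows folder (no subfolder) is worth a look.
WINDOWS_ROOT_RE = re.compile(r'^[a-z]:\\windows\\[^\\]+$')
# Folder fragments (lower-cased) that legitimate autoruns almost never launch from.
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\")
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Finding:
    code: str
    severity: str
    reason: str
    line: str


def extract_path(body: str) -> str:
    """Return the first executable/DLL path found in an entry body, or ''."""
    m = PATH_RE.search(body)
    return m.group(0) if m else ""


def triage_line(line: str) -> Optional[Finding]:
    """Classify one HJT line; None means nothing stood out to these heuristics."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    path = extract_path(body).lower()
    lowered = body.lower()
    missing = "(file missing)" in lowered or "(no file)" in lowered

    if code == "O20":
        return Finding(code, "high", "Winlogon Notify DLL loads at every logon; frequent trojan persistence point", line)
    if code == "O23" and "unknown owner" in lowered:
        return Finding(code, "high", "service with unknown owner", line)
    if code == "O4" and any(marker in path for marker in TEMP_MARKERS):
        return Finding(code, "high", "autorun executable lives in a Temp folder", line)
    if code == "O4" and WINDOWS_ROOT_RE.match(path):
        return Finding(code, "medium", "autorun executable placed directly in the Windows folder", line)
    if code == "O2":
        return Finding(code, "medium", "Browser Helper Object: confirm the DLL belongs to software you installed", line)
    if missing:
        return Finding(code, "low", "orphaned entry, target file is gone (safe cleanup)", line)
    if code == "R3" and "is missing" in lowered:
        return Finding(code, "low", "URLSearchHook missing, restore with Fix", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the entries that matched a rule."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f is not None]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity, e.g. {'high': 3, 'medium': 2, 'low': 3}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: SEVERITY_ORDER[f.severity]):
        print(f"[{f.severity:6}] {f.code}: {f.reason}\n         {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

The rules are ordered so that the strongest signal wins: the O23 line in the sample is both "Unknown owner" and "(file missing)", and it is reported as a high-severity service rather than a low-severity orphan. Paths are matched after lower-casing because HJT prints 8.3 short names (`LOCALS~1\Temp`) and long names interchangeably.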
