Sooo Embarrased

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Malekin, Feb 14, 2007.

  1. Malekin

    Malekin Private E-2

I'm always harping on my friends to update and check if their spyware and anti virus programs are up to date and running and now what do I do but succumb to complacency and forget to reactivate everything after a recent upgrade session ........ DUH !!

Well, it seems like I've gotten Smitfraud, Smitfraud-C 888 toolbar, AZT and a host of other nasties running around in my system and I have to shop for a new Firewall cause Sygate was bought out ....... I went through the procedures on your Malware removal thread and will upload my logs on this and the next post. I had to reboot several times and may have left some junk in my recycle bin ...... sorry ....... I'm not used to asking others for help but haven't had my puter hooked up for almost 3 months, bought a house, and I'm a little out of date. I'll catch up, but till I do I could use a hand getting this crap outta my system .... thanks.
     

    Attached Files:

  2. Malekin

    Malekin Private E-2

    These are the rest of my logs from my scan, thanks.


    Oops forgot a log ....... added it from Edit.
     

    Attached Files:

    Last edited: Feb 14, 2007
  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    * Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    * On the page that opens, scroll down to COM+ Messages
    * then right click the entry, select Properties and press Stop Service.
    * When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    * Click OK until you get back to Windows.

    * Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    * At the lower right, click on the Config button
    * Then click the Misc tools button
    * Select Delete an NT Service
    * Copy/paste COM+ Messages into the box that opens, and press OK
    * If you receive any error messages just ignore them and continue.
    * Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Right click start / explore and scroll down until you find these files:
    C:\WINDOWS\SYSTEM32\vturron.dll
    C:\WINDOWS\SYSTEM32\winvtv32.dll
    C:\WINDOWS\system32\ssqpm.dll

    Delete them!

    Now

    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Attach this log to your next reply

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run this Virtumonde aka Trojan Vundo Removal
    Please download VundoFix.exe to your desktop.

    * Double-click VundoFix.exe to run it.
    * Click the Scan for Vundo button.
    * Once it's done scanning, click the Remove Vundo button.
    * You will receive a prompt asking if you want to remove the files, click YES
    * Once you click yes, your desktop will go blank as it starts removing Vundo.
    * When completed, it will prompt that it will reboot your computer, click OK.
    * Please post the contents of C:\vundofix.txt and a new HiJackThis log.

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the
    Scan for Vundo button." when VundoFix appears at reboot.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    O2 - BHO: (no name) - {1DDD5194-12A8-8845-CBD4-06DF4FB2E863} - C:\WINDOWS\System32\qzmnwig.dll (file missing)
    O2 - BHO: (no name) - {413668CB-D0B2-B0EE-BD6E-0389A9005D24} - C:\WINDOWS\system32\cybltvj.dll (file missing)
    O2 - BHO: (no name) - {75EE78F9-7527-147C-C2DF-06AE7347B906} - C:\WINDOWS\system32\sxrtxxk.dll (file missing)
    O2 - BHO: (no name) - {A22BEDA9-E441-44DD-8007-8FC47C451237} - C:\WINDOWS\system32\vturron.dll
    O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvgip.dll,startup
    O4 - HKCU\..\Run: [Jpmg] "C:\WINDOWS\??pPatch\m?iexec.exe" 99001162 G
    O4 - Startup: .protected
    O4 - Global Startup: .protected
    O16 - DPF: {00000005-0000-0000-0000-100005000004} - http://code.trasferimento.biz/l/b40787083ed94a08b5d85236a03f8577_35.exe
    O20 - Winlogon Notify: vturron - C:\WINDOWS\SYSTEM32\vturron.dll
    O20 - Winlogon Notify: winvtv32 - C:\WINDOWS\SYSTEM32\winvtv32.dll
    O20 - Winlogon Notify: ssqpm - C:\WINDOWS\system32\ssqpm.dll

    After clicking Fix, exit HJT.


    Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now attach the below logs and tell me how the above steps went.

    1. Combofix log
    2. VundoFix log
    3. new GetRunKey log
    4. new ShowNew log
    5. new HJT
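An added example, not from this thread or from any of the tools it names: a small Python triage of the HijackThis line format TimW quotes above. It parses O2/O4/O20 entries, flags the patterns he is fixing (orphaned "(file missing)" components, rundll32 autostarts, dot-named Startup items, DLLs registered as Winlogon Notify packages and therefore loaded into winlogon.exe, which is why they stay "in use") and cross-references the same DLL appearing under more than one load point. The sample log and the list of stock Windows XP notify package names are assumptions.

```python
"""Triage HijackThis (HJT) log lines for the load-point patterns seen in this thread."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: a subset of the HJT lines quoted in the thread, plus one stock entry.
SAMPLE_HJT_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O2 - BHO: (no name) - {1DDD5194-12A8-8845-CBD4-06DF4FB2E863} - C:\WINDOWS\System32\qzmnwig.dll (file missing)
O2 - BHO: (no name) - {A22BEDA9-E441-44DD-8007-8FC47C451237} - C:\WINDOWS\system32\vturron.dll
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvgip.dll,startup
O4 - Startup: .protected
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O20 - Winlogon Notify: vturron - C:\WINDOWS\SYSTEM32\vturron.dll
O20 - Winlogon Notify: ssqpm - C:\WINDOWS\system32\ssqpm.dll
"""

# Assumption: Winlogon Notify package names found on a stock Windows XP install.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
PATH_RE = re.compile(r"[A-Za-z]:\\[^,]+?\.(?:dll|exe)", re.IGNORECASE)


@dataclass
class Entry:
    section: str
    body: str
    path: Optional[str]                       # first drive-letter path in the line, lowercased
    reasons: list[str] = field(default_factory=list)


def parse(log_text: str) -> list[Entry]:
    """Turn 'Oxx - body' lines into Entry objects; other lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        p = PATH_RE.search(m["body"])
        entries.append(Entry(m["section"], m["body"], p.group(0).lower() if p else None))
    return entries


def triage(log_text: str) -> dict[str, list[str]]:
    """Return {full line: [reasons]} for every entry that deserves a closer look."""
    entries = parse(log_text)
    by_path: dict[str, set[str]] = defaultdict(set)   # path -> sections referencing it
    for e in entries:
        if e.path:
            by_path[e.path].add(e.section)
    for e in entries:
        if "(file missing)" in e.body:
            e.reasons.append("orphaned entry: registered component is no longer on disk")
        if e.section == "O20":
            name = e.body.split(":", 1)[1].split(" - ")[0].strip().lower()
            if name not in KNOWN_NOTIFY:
                e.reasons.append("non-standard Winlogon Notify package: loaded into winlogon.exe, "
                                 "so the DLL stays in use for the whole session")
        if e.section == "O4" and "rundll32" in e.body.lower():
            e.reasons.append("autostart runs a DLL through rundll32.exe")
        if e.section == "O4" and re.search(r"Startup: \.", e.body):
            e.reasons.append("dot-named file in a Startup folder")
        if e.path and {"O2", "O20"} <= by_path[e.path]:
            e.reasons.append("same DLL registered as a BHO and as a Winlogon Notify package")
    return {f"{e.section} - {e.body}": e.reasons for e in entries if e.reasons}


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_HJT_LOG).items():
        print(line, "\n   -", "\n   - ".join(reasons))
```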
     
  4. Malekin

    Malekin Private E-2

    OK got half way through and nothing was working so I stopped and am giving you messages and results so far

While trying to right click COM+ Messages I get this message with an "OK" button:

    "Configuration Manager: A required entry in the registry is missing or an attempt to write to the registry failed."

    I click ok to clear the message and I get

    "The system cannot find the specified file."

    When I try to go into HJT and Delete the NT service, after I cut and paste and click OK I get

    "COM+Messages was not found in the registry. Make sure you entered the short name of the service. ,vbExclamation."

and since I can't stop the service I can't delete the dll files because they are still in use. I'm assuming that the other fixes won't work till this is taken care of. If I'm wrong, I'll smack my own forehead .....
     
  5. Malekin

    Malekin Private E-2

Just used "End it All" to kill some suspicious processes and still no luck deleting those files. Must be in use by a windows system file ........ or not
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Uninstall thru add/remove programs:
    OIN
    Outerinfo


    Run Process Explorer 10.21

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of vturron.dll once and then click the kill button. After you have killed all of the vturron.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    winvtv32.dll
    ssqpm.dll

    Next double click on explorer.exe and again click once on each instance of vturron.dll and kill it. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    winvtv32.dll
    ssqpm.dll

    Next double click on iexplore.exe and again click once on each instance of vturron.dll and kill it. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    winvtv32.dll
    ssqpm.dll

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    O2 - BHO: (no name) - {E42BABF3-146D-415F-B524-DAAF81363DD4} - C:\WINDOWS\system32\ssqpm.dll
    O2 - BHO: (no name) - {1DDD5194-12A8-8845-CBD4-06DF4FB2E863} - C:\WINDOWS\System32\qzmnwig.dll (file missing)
    O2 - BHO: (no name) - {413668CB-D0B2-B0EE-BD6E-0389A9005D24} - C:\WINDOWS\system32\cybltvj.dll (file missing)
    O2 - BHO: (no name) - {75EE78F9-7527-147C-C2DF-06AE7347B906} - C:\WINDOWS\system32\sxrtxxk.dll (file missing)
    O2 - BHO: (no name) - {A22BEDA9-E441-44DD-8007-8FC47C451237} - C:\WINDOWS\system32\vturron.dll
    O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvgip.dll,startup
    O4 - HKCU\..\Run: [Jpmg] "C:\WINDOWS\??pPatch\m?iexec.exe" 99001162 G
    O4 - Startup: .protected
    O4 - Global Startup: .protected
    O16 - DPF: {00000005-0000-0000-0000-100005000004} - http://code.trasferimento.biz/l/b407...03f8577_35.exe
    O20 - Winlogon Notify: vturron - C:\WINDOWS\SYSTEM32\vturron.dll
    O20 - Winlogon Notify: winvtv32 - C:\WINDOWS\SYSTEM32\winvtv32.dll
    O20 - Winlogon Notify: ssqpm - C:\WINDOWS\system32\ssqpm.dll

    After clicking Fix, exit HJT.

    Now run KillBox and delete:
    C:\WINDOWS\SYSTEM32\vturron.dll
    C:\WINDOWS\SYSTEM32\winvtv32.dll
    C:\WINDOWS\system32\ssqpm.dll
    C:\WINDOWS\system32\drvgip.dll
    C:\WINDOWS\system32\svchosts.exe
    C:\WINDOWS\SYSTEM32\wintsvcc.exe
    C:\WINDOWS\SYSTEM32\migicons.exe
    C:\WINDOWS\SYSTEM32\opnmkhh.dll
    C:\WINDOWS\SYSTEM32\drvpew.dll
    C:\WINDOWS\SYSTEM32\stp68_2007.dll
    C:\WINDOWS\SYSTEM32\drvxob.dll
    C:\WINDOWS\SYSTEM32\xxyxvvs.dll
    C:\WINDOWS\SYSTEM32\drvrur.dll
    C:\WINDOWS\SYSTEM32\tuvwurr.dll
    C:\WINDOWS\SYSTEM32\drvwun.dll
    C:\WINDOWS\SYSTEM32\drvbet.dll
    C:\WINDOWS\SYSTEM32\drvgip.dll
    C:\WINDOWS\SYSTEM32\uudpxyqh.ini
    C:\WINDOWS\SYSTEM32\mpqss.ini
    C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
    C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
    C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
    C:\Documents and Settings\Ronel Tascione\Start Menu\Programs\Startup\.protected
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\.protected
    C:\WINDOWS\SYSTEM32\DRIVERS\etc\.protected
    C:\Program Files\Common Files\umqw
    C:\Program Files\Common Files\{126E1ED5-089C-1033-0804-040116040001}
    C:\Program Files\Common Files\{126E1ED5-089D-1033-0804-040116040001}

    Now boot back to normal mode and:
    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Attach this log to your next reply

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run this Virtumonde aka Trojan Vundo Removal
    Please download VundoFix.exe to your desktop.

    * Double-click VundoFix.exe to run it.
    * Click the Scan for Vundo button.
    * Once it's done scanning, click the Remove Vundo button.
    * You will receive a prompt asking if you want to remove the files, click YES
    * Once you click yes, your desktop will go blank as it starts removing Vundo.
    * When completed, it will prompt that it will reboot your computer, click OK.
    * Please post the contents of C:\vundofix.txt and a new HiJackThis log.

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the
    Scan for Vundo button." when VundoFix appears at reboot.

    Please download HOSTER and then follow the below steps.
    • Unzip HOSTER to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program.
    Please attach new logs for:
    ShowNew
    GetRun
    HJT
    Combo Fix
    Vundo
     
    Last edited by a moderator: Feb 15, 2007
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If KillBox does not delete these folders:
    C:\Program Files\Common Files\umqw
    C:\Program Files\Common Files\{126E1ED5-089C-1033-0804-040116040001}
    C:\Program Files\Common Files\{126E1ED5-089D-1033-0804-040116040001}

    Please use windows explorer to find them and delete them.

    Make sure you tell us how things are running.
     
  8. Malekin

    Malekin Private E-2

    OK, did all that ...

    Some files weren't there to be deleted, I hope this is a good thing. Combofix won't run.... says something about an infected root kit and not to run it on my system.

    logs are attached on this and next post ....... and Killbox got rid of those 3 files. Supposedly ........
     

    Attached Files:

  9. Malekin

    Malekin Private E-2

    Vundo log ....... didn't find anything after all that deleting ..... I hope that's a good thing also ....
     

    Attached Files:

  10. Malekin

    Malekin Private E-2

Just double checked ......... winvtv32.dll wouldn't let me delete it ......... grrrrrrrrr
     
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I'm going to post two sets of instructions below. Each will be enclosed in separate Quote boxes. Make sure to complete the first one 100% before moving on to the second one.

    IMPORTANT: Do NOT run any other options until you are asked to do so!
    ATTACH THE FIRST LOG NOW BEFORE CONTINUING OR YOU WILL OVERWRITE IT!!!! And then immediately continue on to the below steps.

    Now reboot into normal mode and attach this new rapport.txt log here.
    Now attach new logs from:

    * GetRunKey
    * ShowNew
    * HJT

    How are things working now?
     
  12. Malekin

    Malekin Private E-2

    ok here's the first Smitfraudfix log.
     

    Attached Files:

  13. Malekin

    Malekin Private E-2

    OK new Smitfix log after cleaning and others.
     

    Attached Files:

  14. Malekin

    Malekin Private E-2

    last log .

    Things were speeding up there for a bit, now I'm bogging down again ...... speedwise ...... also somewhere along the line I lost the ability to "Open Folder" from a download box after the download finishes . Also can't "find target" from a properties search. and this last reboot after the smitfraud fix I'm still getting virus notifications from Avast and Counterspy and it won't let me Quarantine them.

    I've attached a copy of the warning lines from Avast on my last boot. hope they help.
     

    Attached Files:

  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please boot into safe mode.

    Please copy the text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now reboot to normal mode and see if you can run Combofix.

    Attach logs for:
    ComboFix
    GetRun
    ShowNew
    HJT
     
  16. Malekin

    Malekin Private E-2

Still cannot run combofix.exe; all I get is this message:

    "The tool, ComboFix has been temporarily withdrawn.

The author discovered a rootkit infection that will interfere with ComboFix's running.

    This will cause Combofix to be UNSAFE FOR USE on your machine.

    Even if you manage to find a mirror for the tool, PLEASE DO NOT RUN THIS TOOL

    Apologies for any inconvenience caused"

    Sigh .....

Do you want the logs anyway ........ I assumed not since the program didn't run. But I've been wrong before and I'm sure I will be again .......
     
  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It has temporarily been withdrawn ....attach the other logs, please.
     
  18. Malekin

    Malekin Private E-2

    Ok, Here they are ...
     

    Attached Files:

  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sophos Anti-Rootkit will scan your computer for files that have been hidden using rootkit technology.

    Many of the newer malware infections use this technology to hide themselves and to make them more difficult to remove.

    Installation
    Download Sophos Anti-Rootkit 1.1 and save to a location you will be able to find such as your desktop

    Run sarsfx.exe by double clicking on it.

    Click Accept to agree to the EULA

    Click Install (if you wish to change the default installation location do so here but remember where you install to, the default is C:\SOPHTEMP)

    Once it finishes copying files, exit the installer

    Running the scan
    Navigate to the location that you installed the software to (Default: C:\SOPHTEMP)

    Run sargui.exe by double clicking on it.

    Ensure that all three of the options are checked

    Click Start Scan

    Once the scan is complete, close Sophos Anti-Rootkit by closing the scan window and clicking Exit in the main window

    DO NOT CLICK 'CLEAN UP CHECKED ITEMS' OR ATTEMPT TO HAVE SOPHOS ANTI-ROOTKIT FIX ANYTHING UNLESS SPECIFICALLY INSTRUCTED TO IN THE THREAD YOU ARE WORKING ON
    Finding the logs
    Click on Start --> Run

    Type in %TEMP%\sarscan.log and press enter

    The log file will open in the default editor (probably Notepad)

    Click File --> Save As and save the file to your desktop or other location for easy retrieval.

    Also attach new logs for:
    GetRun
    ShowNew
    HJT
     
  20. Malekin

    Malekin Private E-2

    Sorry I took so long I had to move the hard drive to another box, old one was failing.
     

    Attached Files:

  21. Malekin

    Malekin Private E-2

    and last but not least the HJT log.
     

    Attached Files:

  22. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:

    Delete on Reboot
    then Click on the All Files button.
    Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\mllji.dll
    C:\WINDOWS\system32\avaawjm.dll
    C:\WINDOWS\system32\wpwljnc.dll
    C:\WINDOWS\system32\dhidoe.dll
    C:\WINDOWS\SYSTEM32\pmnoppm.dll
    C:\WINDOWS\SYSTEM32\winvtv32.dll
    C:\WINDOWS\system32\mcrh.tmp

    Return to Killbox, go to the File menu, and choose Paste from Clipboard. Choose the box for unregister .dll's before deleting.

    Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {5D93EA23-D155-4067-A3E9-5175AA73E7C0} - C:\WINDOWS\system32\mllji.dll
    O16 - DPF: {A959E4A5-0B3D-449E-9998-348705BD4092} -
    O20 - Winlogon Notify: mllji - C:\WINDOWS\system32\mllji.dll
    O20 - Winlogon Notify: pmnoppm - C:\WINDOWS\SYSTEM32\pmnoppm.dll
    O20 - Winlogon Notify: winvtv32 - C:\WINDOWS\SYSTEM32\winvtv32.dll

    After clicking Fix, exit HJT.

    Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Reset Web Settings:

    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now attach new logs for:
    GetRun
    ShowNew
    HJT
     
  23. Malekin

    Malekin Private E-2

    Sorry I wasn't able to get back to you till now but, just to let you know, the worm I had finally got to too many system files and my system would no longer boot. Tried using the repair feature on the windows disc and was a no go, system was dead ...
    I was in the process of updating my rig anyway so I just waited till I had all the parts, popped it together and did a clean reinstall on a new hard drive. I'm glad I partition things the way I do cause all of my saved info except my favorites and email settings were on other partitions of the old drive. After the new system was up and running I kinda snuck in and picked out the info I wanted from my old C: drive and just had to clone the other partitions to the new drive.
    All I lost was some saved mail, which I didn't remember till I had deleted the old partitions. So I'm back up and running with my new rig and a new CLEAN operating system. Thanks for the help in trying to get me back up but sometimes the viruses and the malware win, but like I said, thanks for trying ;)
     
