ALTEvents trouble

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jnylund, Dec 7, 2004.

  1. jnylund

    jnylund Private E-2

    Ok, I've read through the posts on this, and completed the steps outlined in them.
    The problem: popups for winxxx spyware and antivirus ads, system slowdowns, and browser freezes.

    The solutions tried:
    • Symantec Virtumonde tool (found several files and reg entries and it supposedly deleted them; subsequent scans are clean)
    • deleted files in /windows/prefetch directory
    • ran HJT (in a dedicated directory BTW) and identified oledb.exe as culprit. Fix won't stay fixed, even upon "delete upon reboot"
    • Booted into safe mode, but oledb (and its brother, bdelo.*) still runs, and will not allow itself to be deleted.
    I have tried killbox.exe and BHODemon, but to no avail. The trouble seems to be that it still runs in safe mode, so I never get a chance to delete it.

    Absolutely the toughest POS I have ever had to get rid of. All because I forgot to turn Zone Alarm back on for 3 days! Doh!
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. joshua cross

    joshua cross Private E-2

    I need help with the error 20
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I have no idea what you are talking about and please start your own thread. Provide proper details on what you are talking about and what you are running. Give full error messages.
     
  5. jnylund

    jnylund Private E-2

    I have the latest version of symantec's Virtumonde cleaner (downloaded it today). It initially found 4 files and 3 registry items it cleaned, and subsequent scans are clean.

    I have completed all the steps in the Read Me First... tutorial with the exception of the additional scans...browsing is becoming difficult.

    Ad-Aware (with VX plug-in) found several items (6 cookies and 3 possible hosts files); Spybot found 4 registry entries for ALTEvents.

    Still, the /Windows/Registration/olebd.exe file runs even in Safe Mode and I cannot seem to get rid of it. It shows up in HJT as a "rerun" item and even runs in Safe Mode. Setting HJT to delete it upon reboot does nothing. There is at least one companion file, bdelo.dat, in a .../Local settings/Temp directory.

    I have completed the exact steps in sequence outlined in several other posts that sound like my infection, but to no avail.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should read the tutorial in this Sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log file as an attachment to your message. All running programs should be closed, including your web browser and e-mail. Close them before running Hijack This!

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

    Make sure you have HJT Version 1.98.2 and follow the guideline on where to install it and how to post a log as an attachment.

    Be careful with spelling the malware names. You said,


    Still, the /Windows/Registration/olebd.exe file runs even in Safe Mode and I cannot seem to get rid of it. It shows up in HJT as a "rerun" item and even runs in Safe Mode. Setting HJT to delete it upon reboot does nothing. There is at least one companion file, bdelo.dat, in a .../Local settings/Temp directory.

    Either olebd.exe or bdelo.dat is not correct. One of them has the bd inverted.
     
  7. jnylund

    jnylund Private E-2

    Ok, here is the HJT scan I ran yesterday after completing all the READ ME FIRST steps. Sorry, the correct process names are oledb.exe, and bdelo.dat.
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are the below URLs all something you know and use? Which is your expected start & Search page?
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trafton.org
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/

    Let's try this via a simple approach first. I'm not sure why the Symantec Tool did not fix it.

    Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below processes and End them:
    oledb.exe


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: CATLEvents Object - {68132581-10F2-416E-B188-4E648075325A} - C:\DOCUME~1\Owner\LOCALS~1\Temp\bdelo.dat
    O4 - HKLM\..\RunOnce: [*oledb] C:\WINDOWS\Registration\oledb.exe rerun
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/313c75cac7a2a28d2522/netzip/RdxIE601.cab


    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\Registration\oledb.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\bdelo.dat <--- make sure you delete this and to be really safe it would be better to delete all files in this temp folder. They should not be needed anyway.


    Make sure you are physically disconnected (unplug cable) from the internet and that you exit all programs.
    Run the Symantec removal tool again. Tell me if it finds anything.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
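    As an added example (not from the thread, and not part of HijackThis itself), here is a small Python triage script that parses HJT-style lines like the ones quoted above and flags the patterns chaslang is picking out: a RunOnce value whose name begins with "*" (Windows runs such entries even in Safe Mode, which is why oledb.exe kept surviving there), a BHO loaded from a Temp folder, orphaned "(file missing)" entries, and a DPF ActiveX download from a bare IP address. The ZoneAlarm Run line in the sample is a constructed benign entry (assumed path) added for contrast.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample log: the entries quoted in the thread plus one benign
# ZoneAlarm Run entry (assumed path) added for contrast.
SAMPLE_LOG = r"""
O2 - BHO: CATLEvents Object - {68132581-10F2-416E-B188-4E648075325A} - C:\DOCUME~1\Owner\LOCALS~1\Temp\bdelo.dat
O4 - HKLM\..\RunOnce: [*oledb] C:\WINDOWS\Registration\oledb.exe rerun
O4 - HKLM\..\Run: [ZoneAlarm] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/313c75cac7a2a28d2522/netzip/RdxIE601.cab
"""

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
O2_RE = re.compile(r"^O2 - BHO: .* - \{[0-9A-Fa-f-]+\} - (.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\} \(.*?\) - (\S+)$")


def flag_line(line):
    """Return the reasons one HJT log line deserves a second look ([] if none)."""
    reasons = []
    m = O4_RE.match(line)
    if m and m.group(2) == "RunOnce" and m.group(3).startswith("*"):
        # A RunOnce value whose name begins with '*' is also run in Safe Mode,
        # which is how oledb.exe kept respawning there.
        reasons.append("RunOnce value name starts with '*': runs even in Safe Mode")
    m = O2_RE.match(line)
    if m and re.search(r"\\temp\\", m.group(1), re.IGNORECASE):
        reasons.append("BHO loaded from a Temp folder")
    if line.endswith("(file missing)"):
        reasons.append("orphaned entry: referenced file is missing")
    m = O16_RE.match(line)
    if m:
        host = urlparse(m.group(1)).hostname or ""
        try:
            ip_address(host)
            reasons.append("DPF ActiveX download from a bare IP address")
        except ValueError:
            pass  # a normal hostname, nothing to flag on this rule
    return reasons


def triage(log_text):
    """Return [(line, reasons)] for every flagged line in an HJT log."""
    lines = [ln.strip() for ln in log_text.splitlines()]
    return [(ln, flag_line(ln)) for ln in lines if flag_line(ln)]
```

Running `triage(SAMPLE_LOG)` flags the O2, O4 RunOnce, O9 and O16 lines and leaves the plain Run entry alone.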
     
  9. jnylund

    jnylund Private E-2

    Followed the steps with the following results:
    System restore is confirmed off/ hidden files viewable
    Brought up Task Manager and deleted oledb.exe, but it re-spawned almost immediately.
    Ran HJT and fixed the noted entries.
    Booted into Safe Mode to delete:
    c:\Windows\Registration\oledb.exe ---result: access denied
    c:\Documents and Settings\Owner\Local Settings\Temp\bdelo.dat --- result: access denied.
    Ran Symantec Trojan.Vundo Removal Tool 1.2.4 -- No infection found.

    Rebooted into normal mode and ran HJT. Scan attached. Oledb.exe is still alive and well. :(
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download Pocket Killbox from here: http://www.downloads.subratam.org/KillBox.zip

    Unzip the files to the folder of your choice.

    Print these instructions or save locally. You must not be connected (unplug cable) to the internet during this.

    Close all open programs, windows and browsers and run killbox and paste each of the filenames below into the box, select delete on reboot and end explorer shell before deleting. Then press the red X button; when it says reboot now, say no and continue to paste the lines in, in turn, and follow the above procedure every time. DO NOT let it reboot yet.

    C:\WINDOWS\Registration\oledb.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\bdelo.dat


    Then click Start > Run and type %temp% in the Run box, press OK . The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of that Temp folder. Also, empty the contents of your Recycle bin and c:\windows\Prefetch folder.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: CATLEvents Object - {68132581-10F2-416E-B188-4E648075325A} - C:\DOCUME~1\Owner\LOCALS~1\Temp\bdelo.dat
    O4 - HKLM\..\RunOnce: [*oledb] C:\WINDOWS\Registration\oledb.exe rerun


    Now reboot and after your PC comes back up (note: you should still be disconnected from the internet)
    Run HijackThis and double check to make sure the lines are still fixed and also that they have not mutated into another form.
    Also use Windows Explorer to double check to make sure those two files actually were deleted.

    If clean, reconnect your cable and get a new HJT log before running IE (call it before.log). Then run IE and come back here and post your log. Now exit IE and get a new log (call it after.log). Then run IE again and come back here and post your second log.

    If not clean, repeat all the above but this time do everything while in safe mode and disconnected from the internet.
     
  11. jnylund

    jnylund Private E-2

    Victory! It appears that the "end explorer shell" setting was what I needed on Killbox to finally delete the oledb.exe file, and the others finally deleted on reboot. Here is my second HJT scan, after re-connecting to the internet.

    Thank you and big <salute>
     


  12. PhilliePhan

    PhilliePhan Guest

    Please don't salute Chaslang - It'll just go to his head. His ego is big enough already!! :p ;)

    Log looks OK to me!

    PP
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Wise arse! :p

    Hey PP! Notice that Symantec's tool does not always work.


    Jnylund,

    You're welcome.
     
