[FONT=Arial Black]I'M BAAACK - HELP, PLEASE!!![/FONT]

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by dduecy, Nov 12, 2004.

  1. dduecy

    dduecy Private E-2

    I have now done everything in the READ ME FIRST message - and I mean EVERYTHING! My laptop is running much faster today - but still a problem. I don't know what I got rid of by running all the scans, fix-its, etc. but must have done some good because at least I can scan w/NAV in less than 4 hours!

    1. I just re-ran Adware SE Pro (updated) and it shows the following 4 critical objects "Virtumundes":
    HKEY_CLASSES_ROOT: atlevents.atlevents.1 (Reg. Key);
    HKEY_CLASSES_ROOT: atlevents.atlevents.1*** (Reg. Value);
    HKEY_CLASSES_ROOT: atlevents.atlevents (Reg. Key);
    HKEY_CLASSES_ROOT: atlevents.atlevents*** (Reg. Key);
    (I'm not sure about the '***' - I think there are three)

    It also shows the following 2 negligible objects:
    HKEY_LOCAL_MACHINE:software\microsoft\directdraw\mostrecentapplication\
    C:\Documents and Settings\Debbie\recent

    It shows 4 and 7 items 'auto-quarantined'

    2. I ran Spybot S&D (updated) and it shows:
    ATLEvents.ATLEvents - 4 entries
    DSO Exploit - 5 entries

    I tried to run the 'fix' I found on your site for the DSO deal but nothing happened. I mark them, ask that it fix them, it says '9 problems fixed' but I run it again (after shutting down) and back they come.

    3. I ran Norton 2005 (updated) and it shows 5 items:

    iisps.exe (virtumonde);
    ~519883.tmp Adware.Huntbar;
    ~838069.tmp Adware.Huntbar;
    ~907836.tmp Adware.Huntbar;
    ~932441.tmp Adware.Huntbar.

    I've run the Huntbar Removal tool (Norton's) and IT tells me after an eon of scanning that it's not there.

    Stinger - shows 156248 clean files
    Trend Micro's scan shows clean
    Symantec Security Check (no ActiveX) - says it's safe
    CCleaner - says it removed 227.8 MB
    CWShredder - says it removed CWS.JKSearch and CWS.H____.dll (can't read my writing)
    Kill2me - says not infected
    HSRemove - says 8 items removed; I do it again - says 8 items removed (?)

    4. I am now re-running AVG. Yesterday, it showed SIX "Trojan horses"
    PSW.Agent.2.AQ = lldsmw.dat;
    PSW.Agent.2.AQ = ofnipxe.dat;
    Droppe.Agent.AG = Patch231.exe;
    Droppe.Agent AG = Patch261.exe;
    Droppe.Small.7.AB = Patch321.exe;
    PSW.Agent.2.AQ = siiyalp.dat.

    We'll see what it shows today.

    When I check the processes - today, instead of infoweb.exe hogging it, it's iisps.exe.

    I downloaded BHO Demon and two BHO's are 'benign' and 1 BHO 'spsii.dat' - they are investigating. I tried checking the CLSID in Tony Klein's BHO but it doesn't come up.

    I downloaded HijackThis and ran it (from its very own folder).

    Anyone want to see my log??

    Whew. Sorry for the length of this.

    Thanks!
     
  2. Kodo

    Kodo SNATCHSQUATCH

    Let's have it then..
     
  3. dduecy

    dduecy Private E-2

    Re: I'M BAAACK - HELP, PLEASE!!!

    Gosh - is my face red or what? What's the deal with the tags in my title.

    Oh well, 2 days ago, I had no idea how I was ever going to be able to figure out how to get a log!

    O.K., here goes:



    Thanks again.
     

    Attached Files:

    • hjt.txt (5.2 KB)
    Last edited by a moderator: Nov 12, 2004
  4. Kodo

    Kodo SNATCHSQUATCH

    Re: I'M BAAACK - HELP, PLEASE!!!

    Debbie, did you perform the alternate scans listed in the tutorial?

    I also don't see Rav, Trend Micro or Symantec online scans in your log.. did you perform those?
     
  5. dduecy

    dduecy Private E-2

    Re: I'M BAAACK - HELP, PLEASE!!!

    Yes - Trend Micro - it came back "clean"
    Yes - Symantec Security Check - I couldn't get 'ActiveX' downloaded so did the security check without Active X - came back and told me "safe"
    RAV - RavAntivirus - No. I figured I was getting too many 'different' results and thought I'd better stop downloading before it got slow on me again.

    I'm running AVG right now - it's taking a while.

    I'm at work and my laptop is running in the other room...

    Thanks.
     
  6. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Re: I'M BAAACK - HELP, PLEASE!!!

    There are a couple here I do not recognize. These are related to iisps.exe and spsii.dat. Because of where they are and repeated occurrences, my guess is that this is malware that keeps returning and Hijack This should remove it:

    Remove:

    C:\WINDOWS\repair\iisps.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R3 - Default URLSearchHook is missing
    O2 - BHO: CATLEvents Object - {ED5ABC42-8E4F-4C39-9972-F0CF619D672F} - C:\DOCUME~1\Debbie\LOCALS~1\Temp\spsii.dat
    O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Advanced System Optimizer\IEHelper.dll
    O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
    O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
    O4 - HKLM\..\Run: [*iisps] C:\WINDOWS\repair\iisps.exe
    O4 - HKLM\..\RunOnce: [*iisps] C:\WINDOWS\repair\iisps.exe rerun

    Finally, if you don't recognize the last 3, remove them.

    O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs6b.instantservice.com/jars/customerxsigned42.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webrespons

    And let us know...
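    As an added illustration (not part of the thread, and not a HijackThis feature), here is a small parser that reads the kinds of HJT lines quoted in the post above (R0/R1, O2 BHO, O4 Run/RunOnce) and flags the traits that made these entries stand out: targets living in a Temp or %WINDIR%\repair directory, a RunOnce value name prefixed with "*" (which Windows runs even in Safe Mode), a "rerun" argument, and a browser start page pointing at an external URL. The sample log lines are constructed from the ones in this thread.

```python
import re

# Sample HijackThis lines, constructed from the ones quoted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O2 - BHO: CATLEvents Object - {ED5ABC42-8E4F-4C39-9972-F0CF619D672F} - C:\DOCUME~1\Debbie\LOCALS~1\Temp\spsii.dat
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [*iisps] C:\WINDOWS\repair\iisps.exe
O4 - HKLM\..\RunOnce: [*iisps] C:\WINDOWS\repair\iisps.exe rerun
"""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O2_RE = re.compile(r"^BHO: (?P<desc>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
R_RE = re.compile(r"^(?P<key>.+?) = (?P<val>.+)$")

# Directories where a legitimately installed autostart or BHO should not live.
ODD_DIRS = ("\\temp\\", "\\windows\\repair\\")

def parse_line(line):
    """Return (section, label, target) for a supported HJT line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec == "O4" and (o := O4_RE.match(body)):
        return sec, f"{o['hive']}\\{o['key']}:{o['name']}", o["cmd"]
    if sec == "O2" and (o := O2_RE.match(body)):
        return sec, o["clsid"], o["path"]
    if sec.startswith("R") and (o := R_RE.match(body)):
        return sec, o["key"], o["val"]
    return None

def assess(sec, label, target):
    """List the reasons an entry deserves a second look (empty list = nothing odd)."""
    reasons, low = [], target.lower()
    if any(d in low for d in ODD_DIRS):
        reasons.append("target lives in a Temp or %WINDIR%\\repair directory")
    if sec == "O4" and ":*" in label and "RunOnce" in label:
        reasons.append("RunOnce value name prefixed with '*' runs even in Safe Mode")
    if sec == "O4" and low.endswith(" rerun"):
        reasons.append("'rerun' argument on RunOnce matches the keeps-returning pattern")
    if sec in ("R0", "R1") and low.startswith("http"):
        reasons.append("browser start/search page points at an external URL")
    return reasons

def triage(log_text):
    """Map each flagged entry's label to its reasons; clean entries are omitted."""
    out = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and (why := assess(*parsed)):
            out[parsed[1]] = why
    return out

if __name__ == "__main__":
    for label, why in triage(SAMPLE_LOG).items():
        print(label, "->", "; ".join(why))
```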
     
  7. dduecy

    dduecy Private E-2

    Re: I'M BAAACK - HELP, PLEASE!!!

    O.K., thanks, I'll do it and let you know. If YOU don't recognize something, you can be fairly certain I definitely won't, Captain.

    Again, thanks.
     
  8. Kodo

    Kodo SNATCHSQUATCH

    Re: I'M BAAACK - HELP, PLEASE!!!

    O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe

    is part of yamaha sound card driver.

    but this one looks to be Gaobot worm
    O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
     
  9. MikeH

    MikeH Specialist

    For what it's worth, re: "DSO Exploit" in Spybot~ had the same problem (always found 5 DSO Exploits), prior to updating to Version 1.3.1 TX. Fixed it with a solution offered here:
    www.greymagic.com/security/adv/gm001-ie
    (in registry, change key 1004 REG_DWORD to "3"; path=
    "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\0"
     
  10. PhilliePhan

    PhilliePhan Guest

    Hi Debbie, All -

    O2 - BHO: CATLEvents Object - {ED5ABC42-8E4F-4C39-9972-F0CF619D672F} - C:\DOCUME~1\Debbie\LOCALS~1\Temp\spsii.dat
    O4 - HKLM\..\Run: [*iisps] C:\WINDOWS\repair\iisps.exe
    O4 - HKLM\..\RunOnce: [*iisps] C:\WINDOWS\repair\iisps.exe rerun

    C:\WINDOWS\repair\iisps.exe


    These all follow the familiar StopGuard-related pattern. If you have trouble deleting them, please take a look at this thread:

    StopGuard or WinFirewall Problems?

    PP
     
  11. dduecy

    dduecy Private E-2

    O.K., I'm finally home and getting ready to remove everything I'm supposed to remove - as far as changing registry key - I have to bone up on that - the word registry scares the fire out of me.

    I must say - a couple of days - the thought of me getting to this stage was unheard of. I have told everyone at work about your site - and told them FOLLOW the RULES! It seems everyone is being attacked (??) with adware/spyware/malware - thousands and thousands. People are buying new computers to get rid of it!! I must say I bought just a few too many software programs (2) trying to rid my system of this nasty stuff. What a schmuck. Oh well.

    Thanks to all for your help - I am working from my laptop and it is just the difference between night and day - I can actually get around!!!

    Will let you know the results.

    Thanks again.
     
  12. Kodo

    Kodo SNATCHSQUATCH

    SpyBot 1.3TX fixes this issue with DSO always showing up.
     
  13. Kodo

    Kodo SNATCHSQUATCH

    You may want to consider playing with FireFox over IE. You will find that it can reduce the malware problem quite a bit.
     
  14. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Thanks for the assist Kodo and Phillie, didn't catch the stopguard thing. You guys have been so helpful I am falling behind in knowledge.
     
  15. dduecy

    dduecy Private E-2

    Hello to all - I have finally made it home and removed - or attempted to remove the items everyone has told me to remove - I even made a change to the registry - I backed it up but not sure what I do with the back up (ha) - but did as it said.

    I ran HijackThis again and have attached the log:



    As you can see - I am not able to remove:
    O2 - BHO: CATLEvents Object - {ED5ABC42-8E4F-4C39-9972-F0CF619D672F} - C:\DOCUME~1\Debbie\LOCALS~1\Temp\spsii.dat

    and

    O4 - HKLM\..\Run: [*iisps] C:\WINDOWS\repair\iisps.exe
    O4 - HKLM\..\RunOnce: [*iisps] C:\WINDOWS\repair\iisps.exe rerun


    I have tried, but to no avail. That darned iisps.exe just takes up so much of the % in the 'processes' when I click on Task Manager.

    Also, HOW do these things get into my computer when I always thought my AV software protected me (apparently not), I don't download music (fyi - no porn either - different strokes for different folks - but I don't), and I try to only use 'secure sites' when ordering anything. I'm bumfuddled.

    Enough of my rambling, whaddya all think of my new log? Thanks. :rolleyes: :) ;) :confused:



    P.S. Why so many sites (ftp to download) in Texas? Just curious. Thanks!
     

    Attached Files:

    Last edited by a moderator: Nov 14, 2004
  16. PhilliePhan

    PhilliePhan Guest

    Hi Debbie,

    Sorry for the delay in getting back to you - I was a bit tied up ;)

    Please attach a fresh HJT log as the bad entries may have mutated.

    Please save your HJT Log as a .txt file and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I will try to check back when I get a chance.

    Best :)
    PP
     
  17. Kodo

    Kodo SNATCHSQUATCH

    if you boot to safe mode, can you remove that "repair" folder?
     
