Malware problems


steff
21st August 2008, 03:24 PM
Well, to follow trend, I went out this afternoon for some refreshments. When I came back I had a BSoD on my screen. I pressed 'esc' though and it returned me to my desktop. My desktop had been changed to this though:

http://img353.imageshack.us/img353/6708/malwaresucksxy1.th.jpg (http://img353.imageshack.us/my.php?image=malwaresucksxy1.jpg)

My internet connection was extremely slow and it wouldn't let me upload anything. I ran Malwarebytes' Anti-Malware software and the log is attached here.

As you can see I deleted them. Should I reboot in safemode and run my AV + the Anti-malware scanner again?

ps - and either this site isn't running too smoothly or I didn't actually fix the problems. :P

steff
21st August 2008, 06:01 PM
I ran the stuff in safe mode and after 2 hours+ it returned that I had sorted out the trojans. Next time I won't tick "ignore" as opposed to "deny access".

Red Dragon
22nd August 2008, 12:12 AM
This one is going around big time - I've seen a few of those files that MBAM removed on a daily basis.

HijackThis Instructions

Make sure you have the LATEST version of HJT (currently v2.0.0.2) it can be downloaded from HERE (http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe)
Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
After installing, the program launches automatically, select Scan now and save a log
After the scan is complete please attach your log onto the forums using the paper clip icon above your reply.

steff
22nd August 2008, 01:29 PM
Thanks, done.

Red Dragon
22nd August 2008, 01:47 PM
looks like you are safe

just to be sure though rename hijackthis.exe to steff.exe

and scan again to see if any hidden O2 or O20 entries pop up

steff
22nd August 2008, 02:07 PM
And done again.

Red Dragon
22nd August 2008, 02:14 PM
Looks like you got it all

having any symptoms? if so we can look deeper in the registry

steff
22nd August 2008, 05:58 PM
Na, it seems fine now. Cheers.

Red Dragon
22nd August 2008, 08:11 PM
Anytime

Dymond
22nd August 2008, 10:02 PM
RD.. Steff is gonna be a regular :P

Red Dragon
22nd August 2008, 10:04 PM
You mean we should start charging? lol

steff
22nd August 2008, 10:09 PM
He means I occasionally PM him after forgetting to install drivers :hidey:

Dymond
22nd August 2008, 10:22 PM
You mean we should start charging? lol
LOL definitely!

steff
22nd August 2008, 10:43 PM
The problem is back lol...

http://img291.imageshack.us/img291/3930/malwaresucksrk2.th.jpg (http://img291.imageshack.us/my.php?image=malwaresucksrk2.jpg)

Deleted them all and here is the log.

Red Dragon
22nd August 2008, 11:15 PM
ComboFix

Download Combofix (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your desktop. Don't run it yet!
Right click Avira in your system tray and uncheck enable system guard
Right click Comodo and disable that as well
Double click combofix.exe & follow the prompts.
A window will open with a warning.
When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. ComboFix is a very powerful tool, so please do NOT do anything without instruction.

Combofix will automatically save the log file to C:\combofix.txt

After it is complete and the log is open turn your firewall and real time protection back on

steff
23rd August 2008, 12:28 AM
Done. I had to split it in 2 due to the gay upload rules.

Red Dragon
23rd August 2008, 12:54 AM
Download and Install SDFix

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Boot into Safe Mode

Restart your computer and start pressing the F8 key on your keyboard.
Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Run SDFix

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
Attach Report.txt back here

steff
23rd August 2008, 01:05 AM
Should I go into "Steven" or "Administrator"? I'll do it later though... 5am... bedtime.

Red Dragon
23rd August 2008, 01:13 AM
Go under your normal account

XXX
23rd August 2008, 04:42 AM
:bye: We got it too...


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aldd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SysUpd
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35F7813A-AF74-4474-B1DC-7EE6FB6C43C6}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{39D2FC9B-041C-470E-AE72-F8C001247626}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6DD0BC06-4719-4BA3-BEBC-FBAE6A448152}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7BF451AC-2010-4804-B256-DB2F0A8D9EB6}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{827DC836-DD9F-4A68-A602-5812EB50A834}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8DBF02DA-4360-4A7E-BEA1-347B87816327}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AF7FCAFB-9FDB-4F5E-BAC6-68BDEE61D6C6}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FC148228-87E1-4D00-AC06-58DCAA52A4D1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CBE0D59D-F985-4AC6-8826-FEE957065D42}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5AEFF965-B1A9-4675-966A-26C2E812AD51}
HKEY_CLASSES_ROOT\MSEvents.MSEvents
HKEY_CLASSES_ROOT\MSEvents.MSEvents.1
HKEY_CLASSES_ROOT\psapianalyzer.psapianalyzer.1
HKEY_CLASSES_ROOT\psapianalyzer.psapianalyzer
HKEY_CLASSES_ROOT\MFCOptimizeClass.MFCOptimizeClass.1
HKEY_CLASSES_ROOT\MFCOptimizeClass.MFCOptimizeClass
HKEY_CLASSES_ROOT\RawExecAction.RawExecAction
HKEY_CLASSES_ROOT\RawExecAction.RawExecAction.1
HKEY_CLASSES_ROOT\iepl.iepl.1
HKEY_CLASSES_ROOT\iepl.iepl
HKEY_CLASSES_ROOT\ATLDistrib.ATLDistrib.1
HKEY_CLASSES_ROOT\ATLDistrib.ATLDistrib
HKEY_CLASSES_ROOT\WTLHelper.WTLHelper
HKEY_CLASSES_ROOT\WTLHelper.WTLHelper.1
HKEY_CLASSES_ROOT\DosSpecFolder.DosSpecFolder
HKEY_CLASSES_ROOT\DosSpecFolder.DosSpecFolder.1
HKEY_CLASSES_ROOT\DPCUpdater.DPCUpdater.1
HKEY_CLASSES_ROOT\DPCUpdater.DPCUpdater
HKEY_CLASSES_ROOT\ADOUsefulNet.ADOUsefulNet
HKEY_CLASSES_ROOT\ADOUsefulNet.ADOUsefulNet.1
HKEY_CLASSES_ROOT\InfoDocReader.InfoDocReader
HKEY_CLASSES_ROOT\InfoDocReader.InfoDocReader.1
HKEY_CLASSES_ROOT\ATLEvents.ATLEvents.1
HKEY_CLASSES_ROOT\ATLEvents.ATLEvents
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\psapianalyzer.psapianalyzer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\psapianalyzer.psapianalyzer.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MFCOptimizeClass.MFCOptimizeClass
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MFCOptimizeClass.MFCOptimizeClass.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RawExecAction.RawExecAction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RawExecAction.RawExecAction.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\iepl.iepl
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\iepl.iepl.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATLDistrib.ATLDistrib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATLDistrib.ATLDistrib.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WTLHelper.WTLHelper
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WTLHelper.WTLHelper.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DosSpecFolder.DosSpecFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DosSpecFolder.DosSpecFolder.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DPCUpdater.DPCUpdater
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DPCUpdater.DPCUpdater.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ADOUsefulNet.ADOUsefulNet
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ADOUsefulNet.ADOUsefulNet.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InfoDocReader.InfoDocReader
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InfoDocReader.InfoDocReader.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATLEvents.ATLEvents
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATLEvents.ATLEvents.1
Presence of the mutex 'SysUpdIsRunningMutex'.

Technical Information

Win32/Vundo is a multiple-component family of programs that deliver 'out of context' pop-up advertisements. They may also download and execute arbitrary files.
Vundo is often distributed as a DLL file and installed on an affected machine as a Browser Helper Object (BHO) without a user's consent. This family uses advanced defensive and stealth techniques to escape detection and to hinder removal.

Please see our detailed Win32/Vundo family analysis elsewhere in this encyclopedia for additional information.

Steps
Take the following steps to help prevent infection on your system:
Enable a firewall on your computer.
Get the latest computer updates.
Use up-to-date antivirus software.
Use caution with attachments and file transfers.
Enable a firewall on your computer
Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.
To turn on the Internet Connection Firewall in Windows XP
Click Start, and click Control Panel.
Click Network and Internet Connections. If you do not see Network and Internet Connections, click Switch to Category View.
Click Change Windows Firewall Settings.
Select On.
Click OK.
To turn on the Windows Firewall in Windows Vista
Click Start, and click Control Panel.
Click Security.
Click Turn Windows Firewall on or off.
Select On.
Click OK.
Get the latest computer updates
Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Windows XP to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
To turn on Automatic Updates in Windows XP
Click Start, and click Control Panel.
Click System.
Click Automatic Updates.
Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.
Use up-to-date antivirus software
Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software that is updated with the latest signature files. Antivirus software is available from several sources. For more information, see Windows Vista Antivirus Software - Windows Live OneCare - Microsoft (http://www.microsoft.com/protect/computer/viruses/vista.mspx).
Use caution with attachments and file transfers
Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.
Recovery Steps
Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft online scanner (Windows Live OneCare (http://safety.live.com)). For more information, see Windows Vista Antivirus Software - Windows Live OneCare - Microsoft (http://www.microsoft.com/protect/computer/viruses/vista.mspx).

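The registry keys pasted above are the kind of indicator a helper checks for by hand in a HijackThis or ComboFix log. The following is an added example, not code from this thread or from Microsoft's Vundo write-up: it takes a subset of those CLSIDs, ProgIDs and settings keys and matches them against a registry export. The input format is assumed to be a standard .reg export (or the key lines of `reg query` output); the sample export, including the placeholder DLL name, is constructed here, and the ShellLink CLSID is included only as a benign decoy. One detail the script accounts for: HKEY_CLASSES_ROOT is a merged view of HKLM\SOFTWARE\Classes and HKCU\SOFTWARE\Classes, which is why the list above names every ProgID twice.

```python
import re

# Indicators copied from the Win32/Vundo entry pasted earlier in this thread.
# Only a representative subset of the CLSIDs is listed to keep the block short.
VUNDO_CLSIDS = {
    "{35F7813A-AF74-4474-B1DC-7EE6FB6C43C6}",
    "{39D2FC9B-041C-470E-AE72-F8C001247626}",
    "{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}",
    "{52B1DFC7-AAFC-4362-B103-868B0683C697}",
    "{CBE0D59D-F985-4AC6-8826-FEE957065D42}",
}
VUNDO_PROGIDS = {
    "MSEvents.MSEvents", "psapianalyzer.psapianalyzer", "MFCOptimizeClass.MFCOptimizeClass",
    "RawExecAction.RawExecAction", "iepl.iepl", "ATLDistrib.ATLDistrib", "WTLHelper.WTLHelper",
    "DosSpecFolder.DosSpecFolder", "DPCUpdater.DPCUpdater", "ADOUsefulNet.ADOUsefulNet",
    "InfoDocReader.InfoDocReader", "ATLEvents.ATLEvents",
}
_PROGIDS_LOWER = {p.lower() for p in VUNDO_PROGIDS}
VUNDO_SETTINGS_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aldd",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SysUpd",
}
HIVE_ALIASES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCR": "HKEY_CLASSES_ROOT", "HKCU": "HKEY_CURRENT_USER"}


def normalize_key(path):
    """Trim brackets, expand short hive names and collapse doubled backslashes."""
    path = path.strip().strip("[]").strip()
    while "\\\\" in path:
        path = path.replace("\\\\", "\\")
    hive, _, rest = path.partition("\\")
    hive = HIVE_ALIASES.get(hive.upper(), hive.upper())
    return f"{hive}\\{rest}".rstrip("\\")


def classify_key(path):
    """Return the reason a registry key path matches a Vundo indicator, or None."""
    key = normalize_key(path)
    parts = key.split("\\")
    # 1. COM class registration: ...\CLSID\{GUID}[\subkey]
    for i, part in enumerate(parts[:-1]):
        if part.upper() == "CLSID" and parts[i + 1].upper() in VUNDO_CLSIDS:
            return f"Vundo CLSID {parts[i + 1].upper()}"
    # 2. ProgID registration: HKCR\<ProgID>[.1] or HKLM\SOFTWARE\Classes\<ProgID>[.1]
    #    (HKCR merges HKLM\SOFTWARE\Classes and HKCU\SOFTWARE\Classes, so both forms are one key)
    progid_index = None
    if parts[0] == "HKEY_CLASSES_ROOT":
        progid_index = 1
    elif len(parts) > 3 and [p.upper() for p in parts[1:3]] == ["SOFTWARE", "CLASSES"]:
        progid_index = 3
    if progid_index is not None and len(parts) > progid_index:
        progid = re.sub(r"\.\d+$", "", parts[progid_index])  # drop the ".1" version suffix
        if progid.lower() in _PROGIDS_LOWER:
            return f"Vundo ProgID {progid}"
    # 3. The malware's own settings keys (and anything beneath them)
    for settings_key in VUNDO_SETTINGS_KEYS:
        if key.upper() == settings_key.upper() or key.upper().startswith(settings_key.upper() + "\\"):
            return f"Vundo settings key {settings_key}"
    return None


def find_vundo_indicators(export_text):
    """Scan a .reg export (or `reg query` output) and return (key, reason) pairs for hits."""
    hits = []
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            key = line.strip("[]")
        elif line.upper().startswith("HK"):
            key = line
        else:
            continue  # value lines, headers, blanks
        reason = classify_key(key)
        if reason:
            hits.append((normalize_key(key), reason))
    return hits


# Constructed sample export: one Vundo CLSID, one benign decoy (ShellLink), one ProgID, one settings key.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35F7813A-AF74-4474-B1DC-7EE6FB6C43C6}\InprocServer32]
@="C:\\WINDOWS\\system32\\PLACEHOLDER.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}]
@="ShellLink"

[HKEY_CLASSES_ROOT\MSEvents.MSEvents.1\CLSID]

[HKLM\SOFTWARE\Microsoft\SysUpd]
"""

if __name__ == "__main__":
    for key, reason in find_vundo_indicators(SAMPLE_EXPORT):
        print(f"{reason}: {key}")
```

On a real machine you would feed it the output of `reg export HKLM\SOFTWARE\Classes classes.reg` (and the same for HKCU); a hit only tells you the registration exists, so the next step is to read the InprocServer32 value and hash the DLL it points at rather than deleting anything blind.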
Red Dragon
23rd August 2008, 10:24 AM
XXX you guys can follow the preliminary removal instructions then start your own thread in this section

That way I don't get the 2 different computers mixed up

http://forum.oddthought.com/tutorial-section/12283-guide-removing-malware.html

Jacx
23rd August 2008, 11:46 AM
use [code] [/code ]

without the space, of course, to compress this stuff.

Rd how much do i need to increase the upload limits to help on this side?

Red Dragon
23rd August 2008, 12:12 PM
Well, Steff's log was 22KB and that is an average log. I would say 50KB should be good; the other site I help at has a 100KB limit and it's usually good unless I ask for an OTScanIt log, then I just have them email it to me.

XXX
24th August 2008, 01:46 AM
:duffman: this shit is way over our heads,

:bye: we're gonna toss this laptop and go down to the mall and get another one...

Dymond
24th August 2008, 01:57 AM
:duffman: this shit is way over our heads,

:bye: we're gonna toss this laptop and go down to the mall and get another one...


LOL put it in a box and send it to me, I'll put it to good use :-)

RD have I mentioned how glad I am you came aboard?

Red Dragon
24th August 2008, 12:19 PM
Thanks Dy

Steff where is your log from SDFix?

steff
26th August 2008, 12:01 PM
I was a bit busy. Here's the log.

steff
4th September 2008, 02:16 PM
I dunno if this is Malware, I've had no trouble since my last post but...

http://img370.imageshack.us/img370/2241/malwaresr5.jpg (http://imageshack.us)

Google turns up nothing on it which leads me to believe it's malware. I blocked its access though.

Red Dragon
4th September 2008, 02:22 PM
Looks like Vundo.

Malwarebytes should pick it up. Update MBAM and run a full scan.

Let's clean out your temp files again with ATF Cleaner.

Then I want you to run Kaspersky Online Scanner - I am at work so I don't have my instructions saved on here - it needs to be run through IE.

Show me the MBAM log and the Kaspersky log and we will start manually removing these.

steff
4th September 2008, 03:32 PM
Heh, my browser is broken too. Any Google link I click on redirects me to a malware site. That was AFTER I removed all the malware in safe mode. :( My PC fails. Don't worry, I'll rescan etc...

Red Dragon
4th September 2008, 03:43 PM
don't use google - try yahoo or msn - I have actually seen that before

Let me look through some change logs for your infection - I actually see it back in the combofix log and thought sdfix would have killed it but it didn't

steff
4th September 2008, 10:10 PM
Dy wasn't kidding when he said I was a handful.

MBAM log 1 - quick scan in safemode
MBAM log 2 - full scan in safemode
MBAM log 3 - quick scan in regular mode
Misc file - the file that got created when the online Kaspersky virus scanner wouldn't work

It's also worth mentioning I have a process running called "conime.exe" which sounds bad. I just closed it there just now.

edit - and since I have said process... here's my hijackthis log too

Red Dragon
4th September 2008, 11:01 PM
Run SmitfraudFix

Download Smitfraudfix by S!ri from HERE (http://siri.urz.free.fr/Fix/SmitfraudFix_En.php)
Double-click SmitfraudFix.exe
Select 1 and hit Enter
The report can be found at the root of the system drive, usually at C:\rapport.txt

==============================================

Panda Online Scan

Please visit Panda Online Scanner (http://www.pandasecurity.com/homeusers/solutions/activescan/)
Click on "Scan your PC".
A new browser window will open with Panda ActiveScan.
Click the big "Check Now" button
Enter your Country, State/Province, e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
Note: If this is the first time you scanned your PC, you'll have to download the ActiveX controls (8 MB). The time it takes to download these can vary depending on your connection.
Click on "Local Disks" to start the scan
Save the log file to your desktop


Attach both here - looks like MBAM is finding it but may be having trouble removing some of the files - I have something for that after we see these reports.

Red Dragon
4th September 2008, 11:52 PM
I wouldn't be so sure. It's easy enough to upload it - and the legit version is usually only seen on Asian versions of Windows.


Upload a File to Virustotal
Please visit Virustotal found HERE (http://www.virustotal.com/)

Click the Browse... button
Navigate to the file C:\Windows\system32\conime.exe
Click the Open button
Click the Send button
Copy and paste the results back here please.

Now I wanna see VirusTotal, report.txt, and the Panda log.

steff
5th September 2008, 12:16 AM
MD5: abc9002269e569538901109441660dd2
First received: -
Date: 09.01.2008 17:58:45 (CET) [>3D]
Results: 0/36
Permalink: analisis/12c29d9080aa9f7693fa58c74f18af87 (http://www.virustotal.com/analisis/12c29d9080aa9f7693fa58c74f18af87)

So apparently it isn't a virus... strange though since that is the first time I've ever seen that process running.

edit - and the whole Google problem was a general "click on a link" problem but MBAM sorted it.
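The conime.exe exchange above shows the two questions a helper asks about an unfamiliar process before uploading it: is the binary where the legitimate one would live, and what is its hash. The following is an added example, not code from this thread: it hashes a file the way you would before a VirusTotal lookup and flags a well-known system file name that is loaded from somewhere other than its expected directory. The "expected directory" is a parameter, the sample files and their contents are constructed in a temporary folder, and the 0/36 caveat from the thread is encoded in the verdict: a hash nobody has flagged is not proof the file is benign.

```python
import hashlib
import os
import tempfile

# Per the thread, conime.exe is a legitimate Windows component that lives in
# %SystemRoot%\system32 (mainly on East Asian language editions). Malware often
# borrows such names, so the check below looks at *where* the image lives and
# produces the hashes you would submit to VirusTotal for a lookup.


def file_hashes(path, chunk_size=65536):
    """Return (md5, sha256) of a file, streaming so large binaries are fine."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def triage_process_image(image_path, expected_dir):
    """Classify a process image by location and hash.

    A zero-detection result from an online scanner only says the hash is not
    known as bad; a known system file name loaded from an unexpected directory
    still deserves a closer look, which is the caveat this function encodes.
    """
    md5, sha256 = file_hashes(image_path)
    actual_dir = os.path.normcase(os.path.dirname(os.path.abspath(image_path)))
    expected = os.path.normcase(os.path.abspath(expected_dir))
    in_expected_dir = actual_dir == expected
    return {
        "name": os.path.basename(image_path),
        "md5": md5,
        "sha256": sha256,
        "in_expected_dir": in_expected_dir,
        "verdict": ("lookup hash; location is expected" if in_expected_dir
                    else "suspicious: known system file name outside its expected directory"),
    }


def demo():
    """Build two constructed copies of a file named conime.exe and triage both."""
    sample = b"CONSTRUCTED SAMPLE - not a real executable\n"  # constructed content
    with tempfile.TemporaryDirectory() as root:
        system32 = os.path.join(root, "Windows", "system32")  # stands in for %SystemRoot%\system32
        user_tmp = os.path.join(root, "Temp")                 # an unexpected location
        os.makedirs(system32)
        os.makedirs(user_tmp)
        results = []
        for directory in (system32, user_tmp):
            target = os.path.join(directory, "conime.exe")
            with open(target, "wb") as fh:
                fh.write(sample)
            results.append(triage_process_image(target, system32))
        return results


if __name__ == "__main__":
    for result in demo():
        print(f"{result['name']} md5={result['md5']} -> {result['verdict']}")
```

Both copies hash identically, which is the point: the hash alone cannot tell the two apart, and only the path check separates the expected install from the impostor-shaped one.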