Options

Spyware. I can not delete it.

Unknown
edited March 2007 in Spyware & Virus Removal
My two computers have been infected by spyware since Wednesday. When I browse internet, new IE windows keep popping up. I followed the instruction before posting this, and I even knew (90% sure) it was one DLL file that caused this, but I just cann't delete it. The HJT cannot fix it, even under Safe Mode.

Here is the HJT log. I think the problematic file is mpr592.dll under O2 and O20.


Logfile of HijackThis v1.99.1
Scan saved at 10:12:30 PM, on 3/23/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe
O2 - BHO: (no name) - {faa95669-20ef-45c9-8b24-98b4dddd6458} - C:\WINNT\system32\mpr592.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINNT\jkhede.dll",setvm
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172893610937
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: mpr592 - C:\WINNT\SYSTEM32\mpr592.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe


Here is the Panda online scan report file:


Incident Status Location
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@as-eu.falkag[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@belnk[1].txt
Spyware:Cookie/Coremetrics Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@data.coremetrics[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@fastclick[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@realmedia[2].txt
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@targetnet[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[1].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@winantivirus[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@zedo[1].txt

Please help. Thank you very much.

Comments

  • muulimuuli Finland
    edited March 2007
    Hi bravep and Welcome to Short-Media. I'll check your log, please wait.
  • muulimuuli Finland
    edited March 2007
    Hi,

    Rename HijackThis.exe to Scanner.exe.

    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Put a check next to Run VundoFix as a task.
    • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
    • When VundoFix re-opens, click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will shutdown your computer, click OK.
    • Turn your computer back on.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
  • bravep
    edited March 2007
    Here is vundofix.txt

    VundoFix V6.3.17
    Checking Java version...
    Java version is 1.5.0.11
    Scan started at 6:22:42 PM 3/24/2007
    Listing files found while scanning....
    C:\WINNT\system32\tmpA0.tmp.dll
    Beginning removal...
    Performing Repairs to the registry.
    Done!

    Please note there wan an error after I hit "Remove Vundo". The error says "Cannot import C:\Vundofix.reg: Error opening the file. There may be a disk or file system error". Also note I did not see a checkbox to check for this step
    Put a check next to Run VundoFix as a task.


    Here is the new hijackthis log.

    Logfile of HijackThis v1.99.1
    Scan saved at 6:38:11 PM, on 3/24/2007
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\BHODemon 2\BHODemon.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Hijackthis\Scanner.exe
    O2 - BHO: (no name) - {faa95669-20ef-45c9-8b24-98b4dddd6458} - C:\WINNT\system32\mpr592.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINNT\dddayy.dll",setvm
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172893610937
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: mpr592 - C:\WINNT\SYSTEM32\mpr592.dll
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
  • muulimuuli Finland
    edited March 2007
    • Double-click VundoFix.exe to run it.
    • Put a check next to Run VundoFix as a task.
    • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
    • When VundoFix re-opens,Click Scan for Vundo button.
    • Once the scan is complete, Right Click inside the listbox (white box) and click add more files
    • Copy&Paste the 2 entries below into the top 2 boxes
      • C:\WINNT\system32\mpr592.dll
      • C:\WINNT\system32\295rpm.*
    • Click Add Files and Click Close Window
    • Click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will shutdown your computer, click OK.
    • Turn your computer back on.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
    Reboot your computer and take a new HijackThis log and post here. Note. Don't reboot your computer before I say, because in your computer is ''malware'' which change name.
  • bravep
    edited March 2007
    Thanks. It worked.
  • muulimuuli Finland
    edited March 2007
    Please post the contents of C:\vundofix.txt and a new HiJackThis log :)
Sign In or Register to comment.