Win32:trojan-gen and Win32:adware-gen?

Ahhhh help, please! This virus/trojan combo is driving me bonkers.

I’m running Win XP. Here is a snippet from my Avast log:

2/24/2007 7:23:43 PM Jill 1872 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\DOCUME~1\Jill\LOCALS~1\Temp\dtqmaxxh.exe" file.
2/24/2007 7:50:10 PM Jill 1872 Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\DOCUME~1\Jill\LOCALS~1\Temp\biqgjewg.dll" file.
2/24/2007 11:26:03 PM Jill 1788 Sign of "Win32:Winfixer-C [Tool]" has been found in "c:\windows\downloaded program files\uwfx5lp_0001_0715netinstaller.exe" file.
2/25/2007 7:24:00 PM Jill 1896 Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\DOCUME~1\Jill\LOCALS~1\Temp\yrcwueyo.dll" file.
2/25/2007 7:24:18 PM Jill 1896 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\DOCUME~1\Jill\LOCALS~1\Temp\ymvteunl.exe" file.
2/26/2007 7:24:07 PM SYSTEM 1924 Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\DOCUME~1\Jill\LOCALS~1\Temp\ulndcqhk.dll" file.
2/26/2007 7:33:01 PM SYSTEM 1924 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\DOCUME~1\Jill\LOCALS~1\Temp\panvqerx.exe" file.
2/27/2007 9:03:04 PM Jill 1912 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\DOCUME~1\Jill\LOCALS~1\Temp\ucbmdsnm.exe" file.
2/27/2007 9:03:28 PM Jill 1912 Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\DOCUME~1\Jill\LOCALS~1\Temp\nuyvvsuu.dll" file.
2/28/2007 9:19:30 PM Jill 1920 Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\DOCUME~1\Jill\LOCALS~1\Temp\jkvkqxru.dll" file.
2/28/2007 9:21:09 PM Jill 1920 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\DOCUME~1\Jill\LOCALS~1\Temp\gxjtylxd.exe" file.
3/1/2007 9:19:36 PM SYSTEM 1912 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\DOCUME~1\Jill\LOCALS~1\Temp\aakmncfp.exe" file.
3/1/2007 9:29:37 PM SYSTEM 1912 Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\DOCUME~1\Jill\LOCALS~1\Temp\bhhgtlhx.dll" file.
3/2/2007 9:19:41 PM SYSTEM 1904 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\DOCUME~1\Jill\LOCALS~1\Temp\ghaplgwo.exe" file.
3/2/2007 9:19:50 PM SYSTEM 1904 Sign of "Win32:BHO-BG [Trj]" has been found in "C:\DOCUME~1\Jill\LOCALS~1\Temp\ewutgvcr.dll" file.
3/2/2007 9:19:58 PM SYSTEM 1904 Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\DOCUME~1\Jill\LOCALS~1\Temp\wqomjdkc.dll" file.

And here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:48:56 PM, on 3/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\WINDOWS\system32\taskswitch.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\MMTaskbar\MultiMon.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Pinnacle\Shared Files\Programs\PCLEScheduler.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Jill\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM..\Run: [ChrisTV Agent] "C:\Program Files\ChrisTV Lite\ChrisTV_Agent.exe"
O4 - HKLM..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: ePrompter.lnk = C:\Program Files\ePrompter\ePrompter.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: MultiMon Taskbar.lnk = C:\Program Files\MMTaskbar\MultiMon.exe
O4 - Global Startup: Pinnacle PCTV Scheduler.lnk = ?
O8 - Extra context menu item: Subscribe in Desktop Sidebar - res://C:\Program Files\Desktop Sidebar\sbhelp.dll/menuhandler.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe

Any help would be appreciated! Thanks!!! :slight_smile:
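The Avast entries above have a shape worth reading as a pattern rather than one alert at a time: every evening a fresh, randomly named .exe and .dll appear in the user's Temp folder and get caught, which means the on-access scanner is deleting the dropped payload but not whatever keeps dropping it. As an added illustration (not code from the original post or from Avast), this Python script parses log lines in the format shown and summarises that loop; the "eight random lowercase letters in Temp" rule is my own heuristic, not an Avast rule, and the sample lines are copied from the post above.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Avast 4 on-access log entries exactly as pasted in the first post above
# (sample input copied from the thread, not constructed).
SAMPLE_LOG = r"""
2/24/2007 7:23:43 PM Jill 1872 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\DOCUME~1\Jill\LOCALS~1\Temp\dtqmaxxh.exe" file.
2/24/2007 7:50:10 PM Jill 1872 Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\DOCUME~1\Jill\LOCALS~1\Temp\biqgjewg.dll" file.
2/24/2007 11:26:03 PM Jill 1788 Sign of "Win32:Winfixer-C [Tool]" has been found in "c:\windows\downloaded program files\uwfx5lp_0001_0715netinstaller.exe" file.
2/25/2007 7:24:00 PM Jill 1896 Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\DOCUME~1\Jill\LOCALS~1\Temp\yrcwueyo.dll" file.
2/25/2007 7:24:18 PM Jill 1896 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\DOCUME~1\Jill\LOCALS~1\Temp\ymvteunl.exe" file.
2/26/2007 7:24:07 PM SYSTEM 1924 Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\DOCUME~1\Jill\LOCALS~1\Temp\ulndcqhk.dll" file.
2/26/2007 7:33:01 PM SYSTEM 1924 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\DOCUME~1\Jill\LOCALS~1\Temp\panvqerx.exe" file.
2/27/2007 9:03:04 PM Jill 1912 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\DOCUME~1\Jill\LOCALS~1\Temp\ucbmdsnm.exe" file.
2/27/2007 9:03:28 PM Jill 1912 Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\DOCUME~1\Jill\LOCALS~1\Temp\nuyvvsuu.dll" file.
2/28/2007 9:19:30 PM Jill 1920 Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\DOCUME~1\Jill\LOCALS~1\Temp\jkvkqxru.dll" file.
2/28/2007 9:21:09 PM Jill 1920 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\DOCUME~1\Jill\LOCALS~1\Temp\gxjtylxd.exe" file.
3/1/2007 9:19:36 PM SYSTEM 1912 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\DOCUME~1\Jill\LOCALS~1\Temp\aakmncfp.exe" file.
3/1/2007 9:29:37 PM SYSTEM 1912 Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\DOCUME~1\Jill\LOCALS~1\Temp\bhhgtlhx.dll" file.
3/2/2007 9:19:41 PM SYSTEM 1904 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\DOCUME~1\Jill\LOCALS~1\Temp\ghaplgwo.exe" file.
3/2/2007 9:19:50 PM SYSTEM 1904 Sign of "Win32:BHO-BG [Trj]" has been found in "C:\DOCUME~1\Jill\LOCALS~1\Temp\ewutgvcr.dll" file.
3/2/2007 9:19:58 PM SYSTEM 1904 Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\DOCUME~1\Jill\LOCALS~1\Temp\wqomjdkc.dll" file.
"""

# One entry: <date> <time> <user> <pid> Sign of "<signature>" has been found in "<path>" file.
ENTRY_RE = re.compile(
    r'^(?P<stamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<user>\S+) (?P<pid>\d+) '
    r'Sign of "(?P<signature>[^"]+)" has been found in "(?P<path>[^"]+)" file\.$'
)

# Heuristic (my assumption, not an Avast rule): a payload written to the user's
# Temp folder under a name of eight random lowercase letters, as every Temp hit above is.
RANDOM_TEMP_RE = re.compile(r'\\Temp\\[a-z]{8}\.(?:exe|dll)$', re.IGNORECASE)


def parse_avast_log(text):
    """Return one dict per well-formed entry; lines that do not match are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "when": datetime.strptime(m["stamp"], "%m/%d/%Y %I:%M:%S %p"),
            "user": m["user"],
            "pid": int(m["pid"]),
            "signature": m["signature"],
            "path": m["path"],
        })
    return events


def summarize(events):
    """Aggregate the hits into the few numbers that expose a reinfection loop."""
    by_signature = Counter(e["signature"] for e in events)
    temp_hits = [e for e in events if RANDOM_TEMP_RE.search(e["path"])]
    exts_per_day = defaultdict(set)
    for e in temp_hits:
        exts_per_day[e["when"].date()].add(e["path"].rsplit(".", 1)[-1].lower())
    hours = Counter(e["when"].hour for e in temp_hits)
    return {
        "by_signature": dict(by_signature),
        "random_temp_hits": len(temp_hits),
        "distinct_days": len(exts_per_day),
        # days on which both a dropped .exe and a dropped .dll were caught together
        "paired_days": sum(1 for exts in exts_per_day.values() if {"exe", "dll"} <= exts),
        "busiest_hour": hours.most_common(1)[0][0] if hours else None,
    }


def looks_like_reinfection(events, min_days=3):
    """Fresh random names in Temp on several different days means the scanner keeps
    deleting the dropped payload while the component that drops it (a BHO, Run key or
    service) survives; that persistence point is what HijackThis and VundoFix are
    used to find later in this thread."""
    s = summarize(events)
    return s["random_temp_hits"] > 0 and s["distinct_days"] >= min_days


if __name__ == "__main__":
    found = parse_avast_log(SAMPLE_LOG)
    print(summarize(found))
    print("reinfection loop:", looks_like_reinfection(found))
```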

Hi GoRoush. Welcome to the forum.

Is the malware avast! detected recurring? Are you getting any popups on your desktop?

I don’t see anything in your HijackThis log that looks terribly suspicious. I will say that if you did not have Notepad open when you ran HJT, you could have Jotti or VirusTotal check C:\WINDOWS\system32\NOTEPAD.EXE:

http://virusscan.jotti.org/

http://www.virustotal.com/en/indexf.html

Since avast! detected Winfixer, I suggest you scan with VundoFix to see if anything is found. The download and instructions are here:

http://www.atribune.org/content/view/24/2/

Follow this with AVG AntiSpyware and A-Squared scans,

http://free.grisoft.com/doc/20/lng/us/tpl/v5

http://www.emsisoft.com/en/software/free/

putting anything detected in quarantine.

Let us know if VundoFix removed anything or if the latter 2 programs put anything in quarantine.

EDIT:

You may want to think about whether you need AIM. It can be a problem with trojans and there are safer alternatives. And there is a newer version of Java available:

http://www.filehippo.com/download_java_runtime/

Hello mauserme,

Yes, this is a recurring problem. I get multiple popups and things trying to download. I already went and “fixed” some suspicious stuff in HJT so maybe that’s why it looks clean. I’m still getting the popups, though.

Thank you very much for your help. I will take all of that advice.

As for AIM, well, every single person I know is on it, so I suppose I need it, eh? I try to practice safe IMing at least. :wink:

I know how I got this malware. Bad decision! I usually keep my computer clean.

Thanks!!

Trillian, Gaim, or AIM Lite would work.

Can you post a screen shot of the pop ups?

Notepad.exe could just be a sign of the Gromozon rootkit infection:

http://forum.avast.com/index.php?topic=24523.0

There’s a removal tool. Don’t know if it still works.

:slight_smile: Hi GoRoush (Jill?):

Your HJT log did not show the presence of ANY antiSPYWARE/antiTROJAN program(s); is this true? If yes, you should have these types of programs on your computer and I recommend the Good & FREE "AVG Antispyware" from www.ewido.net and/or the FREE ver of "SUPERantispyware" from www.superantispyware.com.

And some Malware Experts on some antiSPYWARE Support forum(s) may ask you if you want the Adware Dell's "MyWayBiz" on your machine!?

And your Sun Java is seriously outdated and should be uninstalled ASAP; however, the latest ver for your Win XP SP2 OS is at www.majorgeeks.com/download4648.html, not the site Mauserme recommended.

I actually can’t figure out Sun’s version numbering system. If you look at my FileHippo link above, Environment 6 was released 12 Dec 06 while Environment 5.11 was released 25 Feb 07. The Sun Microsystems site lists 5.11 as the current version:

http://www.java.com/en/download/manual.jsp

I have Environment 6 installed on my computer and several web sites have recently advised I am out of date, so I believe 5.11 is the correct version.

Edit: There is a conspicuous absence of a third party firewall in the hjt log. Sorry I didn’t mention it before but you should consider installing one.

I have version 6 and Secunia inspector says I’m up-to-date…
http://secunia.com/software_inspector/

I know - that’s part of what makes it confusing (to me, anyway). If you go by release date it’s the opposite, but then why the backwards number system?

EDIT:
I either just rolled back or just updated to 5.11 from 6, depending on your point of view. Secunia reports 5.11 as the current version too:

http://img48.imageshack.us/img48/2898/javaqg5.png

I’m going to stick with release date.

OK. I’m going to start taking more steps, but in the meantime…

I just got a notification of a new bug on my system that I hadn’t recognized before:

3/3/2007 7:49:14 PM SYSTEM 1904 Sign of "Win32:VBStat-C [Trj]" has been found in "C:\DOCUME~1\Jill\LOCALS~1\Temp\mtmnjrrr.dll" file.

I haven’t been home at all today and haven’t opened any webpages. So this being new is, well, odd.

I will try to get some screenshots of the popups, but they are mostly all different…

One important question. Is it safe to go into my online banking with this infection on my computer? Thanks!

I haven’t had much chance to look into this but I wanted to respond while you and I are both online.

In short, no it is not safe to do any online banking if WIN32:VBStat-C [Trj] is on your computer. You may, in fact, need to change your passwords, etc. I’ll do a bit more research and post again later.

EDIT: Have you had time to install a firewall?

Here’s some information on Win32:VBStat-C [Trj]

http://research.spysweeper.com/search.php?serialnumber=3H2OSZAJ

I still think this is related to Vundo and suggest you run VundoFix as soon as you are able. A log named C:\Vundofix.txt will be generated that you can post.

After VundoFix boot into safe mode and scan with AVG Antispyware and post the results.

Then boot into normal mode, rename HijackThis.exe to HijackThat.exe and post another log.

Also, here are links for a couple of free firewalls (use only one, of course):

http://www.personalfirewall.comodo.com/

http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp

OK. Ran through the steps.

Ran VundoFix before and after the safe mode steps. Log is as follows:

C:\WINDOWS\system32\xbadd.ini

Beginning removal…

Attempting to delete C:\WINDOWS\system32\ddabx.dll
C:\WINDOWS\system32\ddabx.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\kqyddisi.dll
C:\WINDOWS\SYSTEM32\kqyddisi.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\rqroppm.dll
C:\WINDOWS\SYSTEM32\rqroppm.dll Could not be deleted.

Attempting to delete C:\WINDOWS\SYSTEM32\vjqrdwjr.dll
C:\WINDOWS\SYSTEM32\vjqrdwjr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xbadd.bak1
C:\WINDOWS\system32\xbadd.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\xbadd.bak2
C:\WINDOWS\system32\xbadd.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\xbadd.ini
C:\WINDOWS\system32\xbadd.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.12

Checking Java version…

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 11:16:25 PM 3/3/2007

Listing files found while scanning…

C:\WINDOWS\SYSTEM32\fhhkj.bak1
C:\WINDOWS\system32\fhhkj.ini
C:\WINDOWS\system32\jkhhf.dll
C:\WINDOWS\system32\ralbgfut.dll

Beginning removal…

Attempting to delete C:\WINDOWS\SYSTEM32\fhhkj.bak1
C:\WINDOWS\SYSTEM32\fhhkj.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\fhhkj.ini
C:\WINDOWS\system32\fhhkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkhhf.dll
C:\WINDOWS\system32\jkhhf.dll Has been deleted!

Performing Repairs to the registry.
Done!

I ran AVG-AntiSpyware in Safe Mode. Did not know where to find the log for this, so I am posting a screenshot of what is in quarantine.

I ran A Squared under Safe Mode. Here is the log.

a-squared Free - Version 2.1

Scan settings:

Objects: Memory, Traces, Cookies, C:\WINDOWS, C:\Program Files
Scan archives: On
Heuristics: On
ADS Scan: On

Scan start: 3/3/2007 10:32:37 PM

C:\Program Files\Common Files\winsoftware detected: Trace.Directory.WinFixer_2005
C:\Documents and Settings\Jill\trace.log detected: Trace.File.ErrorSafe
Value: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shareddlls → c:\program files\common files\winsoftware\prcheck.dll detected: Trace.Registry.WinFixer_2005
C:\Documents and Settings\Jill\Cookies\jill@1901.nordstrom[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@adknowledge[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@adserver[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@adsremote.scripps[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@advertising[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@atdmt[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@belointeractive[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@bfast[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@bizrate[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@cgi-bin[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@count.exitexchange[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@count1.exitexchange[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@count2.exitexchange[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@count3.exitexchange[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@count4.exitexchange[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@doubleclick[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@link.mercent[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@links2love[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@link[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@media303[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@mediatraffic[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@netster[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@pricegrabber[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@realmedia[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@rubylane[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@sexysims2[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@superstats[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@www.netster[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Jill\Application Data\Mozilla\Firefox\Profiles\yf751vsp.default\cookies.txt:14 detected: Trace.TrackingCookie
C:\Documents and Settings\Jill\Application Data\Mozilla\Firefox\Profiles\yf751vsp.default\cookies.txt:111 detected: Trace.TrackingCookie
C:\WINDOWS\SYSTEM32\cafgugbx.exe detected: Adware.Win32.Agent.at
C:\WINDOWS\SYSTEM32\gdxusjwe.dll detected: Adware.Win32.Virtumonde.gf
C:\WINDOWS\SYSTEM32\njygygna.dll detected: Trojan-Spy.Win32.VBStat.h
C:\WINDOWS\SYSTEM32\ralbgfut.dll detected: Trojan.Win32.BHO.g
C:\WINDOWS\SYSTEM32\xclpuimj.dll detected: Adware.Win32.Virtumonde.gf
C:\Program Files\BitTorrent\uninstall.exe detected: Riskware.RiskTool.Win32.Processor.1001
C:\Program Files\EA GAMES\The Sims 2 Pets\TSBin\Sims2EP4.exe detected: Heuristic.Dialer

Scanned

Files: 101247
Traces: 100074
Cookies: 1185
Processes: 13

Found

Files: 7
Traces: 3
Cookies: 30
Processes: 0
Registry keys: 0

Scan end: 3/3/2007 11:13:51 PM
Scan time: 12:41:14 AM

C:\WINDOWS\SYSTEM32\ralbgfut.dll Quarantined Trojan.Win32.BHO.g
C:\WINDOWS\SYSTEM32\njygygna.dll Quarantined Trojan-Spy.Win32.VBStat.h
C:\WINDOWS\SYSTEM32\gdxusjwe.dll Quarantined Adware.Win32.Virtumonde.gf
C:\WINDOWS\SYSTEM32\xclpuimj.dll Quarantined Adware.Win32.Virtumonde.gf
C:\WINDOWS\SYSTEM32\cafgugbx.exe Quarantined Adware.Win32.Agent.at
C:\Documents and Settings\Jill\Cookies\jill@1901.nordstrom[2].txt Quarantined Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@adknowledge[2].txt Quarantined Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@adserver[1].txt Quarantined Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@adsremote.scripps[1].txt Quarantined Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@advertising[1].txt Quarantined Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@atdmt[1].txt Quarantined Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@belointeractive[1].txt Quarantined Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@bfast[2].txt Quarantined Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@bizrate[1].txt Quarantined Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@cgi-bin[1].txt Quarantined Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@count.exitexchange[1].txt Quarantined Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@count1.exitexchange[1].txt Quarantined Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@count2.exitexchange[1].txt Quarantined Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@count3.exitexchange[1].txt Quarantined Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@count4.exitexchange[1].txt Quarantined Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@doubleclick[1].txt Quarantined Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@link.mercent[2].txt Quarantined Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@links2love[1].txt Quarantined Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@link[2].txt Quarantined Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@media303[2].txt Quarantined Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@mediatraffic[1].txt Quarantined Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@netster[1].txt Quarantined Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@pricegrabber[2].txt Quarantined Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@realmedia[2].txt Quarantined Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@rubylane[1].txt Quarantined Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@sexysims2[2].txt Quarantined Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@superstats[1].txt Quarantined Trace.TrackingCookie
C:\Documents and Settings\Jill\Cookies\jill@www.netster[1].txt Quarantined Trace.TrackingCookie
C:\Documents and Settings\Jill\Application Data\Mozilla\Firefox\Profiles\yf751vsp.default\cookies.txt:14 Quarantined Trace.TrackingCookie
C:\Documents and Settings\Jill\Application Data\Mozilla\Firefox\Profiles\yf751vsp.default\cookies.txt:111 Quarantined Trace.TrackingCookie
Value: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shareddlls → c:\program files\common files\winsoftware\prcheck.dll Quarantined Trace.Registry.WinFixer_2005
C:\Documents and Settings\Jill\trace.log Quarantined Trace.File.ErrorSafe
C:\Program Files\Common Files\winsoftware Quarantined Trace.Directory.WinFixer_2005

Quarantined

Files: 5
Traces: 3
Cookies: 30

Installed personal firewall. Fixing to update Java shortly. Investigating alternatives to AIM.

Here’s my latest HijackThis log, run under the name HijackThat:

[EDIT: Hijack This log too long, attached as txt]

Which program gave you this warning?

3/3/2007 7:49:14 PM SYSTEM 1904 Sign of "Win32:VBStat-C [Trj]" has been found in "C:\DOCUME~1\Jill\LOCALS~1\Temp\mtmnjrrr.dll" file.

I don't see that it's been removed yet.

Download and install CleanUp. We will need it shortly.

http://www.stevengould.org/software/cleanup/download.html

Make sure you uninstall all older versions.

Break it into pieces and use multiple posts.

Edit: Never mind - I’ve got the log.

Which program gave you this warning?

3/3/2007 7:49:14 PM SYSTEM 1904 Sign of "Win32:VBStat-C [Trj]" has been found in "C:\DOCUME~1\Jill\LOCALS~1\Temp\mtmnjrrr.dll" file.

I don’t see that it’s been removed yet.

Avast, before I ran all of those scans.

Downloaded CleanUp. I won’t run it until you tell me to. :wink:

Make sure you uninstall all older versions.

I already updated Java because it was in my systray with a notification to update. I can uninstall and reinstall, though.

Break it into pieces and use multiple posts.

Noted for future reference.

Updating doesn’t remove the old versions - it only adds another version. Open Add/Remove programs and uninstall anything older than the current version if you haven’t already done so.

These lines can be fixed in HijackThis:

O2 - BHO: (no name) - {0B148E8C-D169-4F43-A6FE-A20F41CEA316} - C:\WINDOWS\system32\jkhhf.dll (file missing)

O2 - BHO: (no name) - {C47A9554-195A-4769-9B13-04F15B450A39} - C:\WINDOWS\system32\rqroppm.dll (file missing)

O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\system32\kqyddisi.dll (file missing)

After that run CleanUp, disable system restore (you can turn it back on later), make sure your avast! definitions are updated and schedule a boot time scan. Reboot and quarantine anything found.

Since we’ve been dealing with some stealthy malware I would also like you to run AVG AntiRootKit and F-Secure Blacklight just in case. These can be run after the boot scan is finished.

http://www.antirootkit.com/software/AVG-Antirootkit.htm

http://www.f-secure.com/blacklight/

When you run these make sure you are not surfing and there are no other programs running. Your computer should be as static as possible.

One more question before I go to bed - Have you installed PC Anywhere and Intel(R) Network Configuration Services on purpose? These are programs allowing remote control of your computer that do have legitimate uses if you are aware of them.

EDIT: Spiritsongs mentioned MyWayBiz and we can figure that out if you want to later on. Here’s what Dell said about it:

http://www.theregister.co.uk/2005/07/15/dell_my_way_controversy/

Maybe disabling it in the options menu is enough.