trojandownloader.xs, warning spyware detected on your computer, Mal vundo4?

Thank you for the info. We are ready to begin.
MBAM does well on Vista, so let's try that first.

Please download Malwarebytes' Anti-Malware from Here or Here

• Make sure you are connected to the Internet.
• Double-click on Download_mbam-setup.exe to install the application.
• When the installation begins, follow the prompts and do not make any changes to default settings.
• When installation has finished, make sure you leave both of these checked:
• Update Malwarebytes' Anti-Malware
• Launch Malwarebytes' Anti-Malware

• Then click Finish.
• MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
• If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
• On the Scanner tab:
• Make sure the "Perform Quick Scan" option is selected.
• Then click on the Scan button.
• The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
• :
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
• Click OK to close the message box and continue with the removal process.
• Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
• Make sure that everything is checked, and click Remove Selected.
• When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. :(see Note below)
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the contents of that report in your next reply and exit MBAM.
• Please include a fresh HijackThis log as well.
  Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

thank you for your reply.

 

posted before...NO

cracked software...NO

P2P programs...NO

I am the primary owner and only user of this computer

Have been reading other logs, so NO I have not fixed anything in HijackThis yet.

 

thanks.

Welcome. Thank you for using Dell Community Forums.
I am reviewing your log.
In the meantime, you can help me by doing the following:

* Have you have posted this issue on another forum? If so, please provide a link to the topic.

* If you are using any cracked software, please remove it.
Definition of cracked software:
http://en.wikipedia.org/wiki/Software_cracking

* If you are using any P2P (file sharing) programs, please remove them before we clean your computer.
The nature of such software and the high incidence of malware in files downloaded with them is counter productive to restoring your PC to a healthy state.
A list of P2P's is here: http://www.castlecops.com/t204179-P2P_programs_we_ask_that_you_remove_first.html


* If this computer belongs to someone else, do you have authority to apply the fixes we will use?

* Have you already fixed entries using HijackThis? If so, please restore all the backups and then post another log.

* After we begin working, please print or copy all instructions to Notepad in order to assist you when carrying out procedures.
Please follow all instructions in sequence. Do not, on your own, install/re-install any programs or run any fixes or scanners that you have not been instructed to use because this may cause conflicts with the tools that I am using.

** We may be using some specialized tools during our fix. Certain embedded files that are part of legitimate programs or specialized fix tools such as process.exe, restart.exe, SmiUpdate.exe, reboot.exe, ws2fix.exe, prcviewer.exe and nircmd.exe may at times be detected by some anti-virus/anti-malware scanners as a "RiskTool", "Hacking tool", "Potentially unwanted tool", or even "malware (virus/trojan)" when that is not the case.
Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed it. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them.

* If your replies do not fit in one post while we are handling your issue, please reply to yourself until all text is submitted. It may take several posts.

I look forward to your reply.

Here is HJT,

But fyi-when i tried to run it this time, an alert came up saying 'system denied access to Hosts files' so I had to run it as an administrator.  here is the log

 

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:33:07 AM, on 4/23/2008
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Fingerprint Reader Suite\upeksvr.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\aestsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Windows\system32\CTsvcCDA.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\STacSV.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\OEM04Mon.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Fingerprint Reader Suite\psqltray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9e.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [OEM04Mon.exe] C:\Windows\OEM04Mon.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\Windows\UpdReg.EXE
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Fingerprint Reader Suite\launcher.exe" /startup
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Aimee\AppData\Local\Temp\pmnnMgHy.dll,#1
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O13 - Gopher Prefix:
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\Windows\system32\CTsvcCDA.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE

--
End of file - 10345 bytes

Ok,

First I turned off Windows defender real-time protection (you didnt mention it in this log, but did in other logs, so I did it...but my trend micro spydoctor are running as normal)

 

Then I ran MBAM-

the item - c:\Users\Aimee\AppData\Local\Temp\pmnnMgHy.dll - could not be removed. So my computer restarted and when it did a prompt came up saying windows did not shut down properly...then a RunDLL alert came up saying it could not run c:\Users\Aimee\AppData\Local\Temp\pmnnMgHy.dll

So, i am not sure what that all means...anyway here is the MBAM log

 

Malwarebytes' Anti-Malware 1.11
Database version: 674

Scan type: Quick Scan
Objects scanned: 32220
Time elapsed: 6 minute(s), 7 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 1
Registry Keys Infected: 20
Registry Values Infected: 7
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 24

Memory Processes Infected:
C:\ProgramData\khbtdjir\lcnwxcde.exe (Trojan.FakeAlert) -> Unloaded process successfully.
C:\ProgramData\jwdozkns\dwtcvqdi.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
c:\Users\Aimee\AppData\Local\Temp\pmnnMgHy.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{0b682cc1-fb40-4006-a5dd-99edd3c9095d} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\dpcproxy (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\HOL5_VXIEWER.FULL.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Classes\HOL5_VXIEWER.FULL.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Classes\applications\accessdiver.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\fwbd (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\HolLol (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Inet Delivery (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Inet Delivery (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\mslagent (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Invictus (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorertoolbar (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\mwc (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Golden Palace Casino NEW (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\NetProject (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\khbtdjir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6NwK8XE3BS (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{0656a137-b161-cadd-9777-e37a75727e78} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\*.securewebinfo.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\*.safetyincludes.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\*.securemanaging.com (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Aimee\AppData\Local\Temp\pmnnMgHy.dll (Trojan.Vundo) -> Delete on reboot.
C:\ProgramData\khbtdjir\lcnwxcde.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\ProgramData\jwdozkns\dwtcvqdi.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Aimee\AppData\Local\Temp\37770dc1.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Aimee\AppData\Local\Temp\6c608ea1.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Aimee\AppData\Local\Temp\803f4af2.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Aimee\AppData\Local\Temp\f7bb47e5.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Aimee\AppData\Local\Temp\tmp0001d5b5 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Aimee\AppData\Local\Temp\tmp0001dd63 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Aimee\AppData\Local\Temp\tmp000209b0 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Aimee\AppData\Local\Temp\tmp00026c87 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Aimee\AppData\Local\Temp\tmp002e7703 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Aimee\AppData\Local\Temp\tmp01189580 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Aimee\AppData\Local\Temp\tmp0213e079 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Aimee\AppData\Local\Temp\zfe2.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Users\Aimee\Desktopblackbird.jpg (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Users\Aimee\DesktopEditorFKWP1.5.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Users\Aimee\DesktopEditorFKWP2.0.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Users\Aimee\Desktopfilemanagerclient.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Users\Aimee\Desktopfkwp1.5.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Users\Aimee\Desktopfkwp2.0.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Users\Aimee\Desktopfwebd.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Users\Aimee\DesktopFWebdEditor.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Users\Aimee\DesktopTrojan.Win32.BlackBird.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Yes, Vista has some extra security built in so running as Administrator was a good idea.

For using HijackThis you will need to disable Windows Defender again as well as SpywareDoctor.
To disable Spyware Doctor from running on your system startup:
1. First, disable the OnGuard Tools. This way, when you exit Spyware Doctor, these tools won't stay resident in the background.
2. Click the "Settings" button on the left side.
3. Click the "Startup Settings" link.
4. Uncheck "Run at Windows Startup".
5. Click the "Apply" button.
Exit by a right-click on the "Spyware Doctor" icon in the system tray and choose "Exit".
[To enable Spyware Doctor when you are finished, open the program, Settings>Startup Settings> CHECK "Run at Windows Startup">APPLY
Exit. Reboot.]

To disable PCTools Browser Monitor: If you are running Internet Explorer, click Tools > Manage Add-ons. If PCTools Browser Monitor is on the list, click it & select Disable. You will need to restart your browser after making the change.

Please launch hijackthis and place a checkmark next to tis entry:

O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Aimee\AppData\Local\Temp\pmnnMgHy.dll,#1

Close all windows except HijackThis and click "Fix checked". Close HijackThis.

Run DiskCleanup in each user's profile.

1. Open Disk Cleanup by clicking the Start button Picture of the Start button, clicking All Programs, clicking Accessories, clicking System Tools, and then clicking Disk Cleanup.
2. In the Disk Cleanup Options dialog box, choose whether you want to clean up your own files only or all of the files on the computer. Administrator permission required If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
3. If the Disk Cleanup: Drive Selection dialog box appears, select the hard disk drive that you want to clean up, and then click OK.
4. Click the Disk Cleanup tab.
* Please make sure only the following are checked:
-- Downloaded Program Files
-- Temporary Internet Files
-- Recycle Bin
-- Temporary Files
5. When you finish selecting the files you want to delete, click OK, and then click Delete files to confirm the operation. Disk Cleanup proceeds to remove all unnecessary files from your computer.

http://windowshelp.microsoft.com/Windows/en-US/Help/1264bc24-72a8-48aa-84e3-a355327139d91033.mspx


Following that, REBOOT.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. It is possible that you may be running Java code in your applications that absolutely require a specific version of the JRE to run. Please follow these steps to remove older version Java components and update.

Updating Java:

• Download the latest version of Java Runtime Environment (JRE) 6.
• Scroll down to where it says "Java Runtime Environment (JRE) 6u6 allows end-users to run Java applications".
• Click the "Download" button to the right.
• Check the box that says: "Accept License Agreement".
• The page will refresh.
• Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each of the Java versions.
• 
  
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.

Official JAVA Installation Instructions if needed.


Finally, please run MBAM again per instructions above, only this time select COMPLETE scan.

Please post your new MBAM log as well as a fresh HJT log. Let me know if the issue has been resolved.

Thanks for the help, I am already seeing an improvment.
I removed the file, performed disk cleanup, and upgraded Java (although I am not sure if it downloaded correctly because it did not go exactly as you described.)  I am still received a warning from trend micro, that Mal-vundo4 was found on my computer when I just restarted it.  I havnt removed those quarentined items yet. Also I am still having a problem with my computer shutdown....windows is taking forever to shutdown and then on restart it states that windows did not shut down properly.  is this related to the trojan virus still?

 

Here is the new MBAM, HJT to follow in next post.

thanx

 

Malwarebytes' Anti-Malware 1.11
Database version: 674

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 120735
Time elapsed: 49 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Also here are problem details that come up under the "windows has recovered from an unexpected shutdown" window that pops up every time I start my computer I told you about in my last post.  it then states that "windows can check online for a solution to the problem".  Not sure if it has anything to do with the virus, but didnt know if I should follow the prompts to check online and wondered if you could help with this also. 

thanks so much.

 

 

 

Problem signature:

Problem Event Name: BlueScreen

OS Version: 6.0.6000.2.0.0.768.3

Locale ID: 1033

Additional information about the problem:

BCCode: 9f

BCP1: 00000003

BCP2: 83F4E1D0

BCP3: 8660D030

BCP4: 8785F148

OS Version: 6_0_6000

Service Pack: 0_0

Product: 768_1

Files that help describe the problem:

C:\Windows\Minidump\Mini042408-01.dmp

C:\Users\Aimee\AppData\Local\Temp\WER-107344-0.sysdata.xml

C:\Users\Aimee\AppData\Local\Temp\WERDE4D.tmp.version.txt

Read our privacy statement:

http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0409

 

Where is Trend Micro finding Mal-vundo4? It should give you a location.

Download and scan each user profile with CCleaner:
http://www.ccleaner.com/download/builds
** Select to download the SLIM version.

** Because CCleaner removes everything in temp folders, if you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner.

** We will be cleaning cookies as well. Make a note of any passwords, etc. that you want to save.


1. Before first use, select Options > Advanced and UNCHECK
" Only delete files in Windows Temp folder older than 48 hours"
2. Then select the items you wish to clean up.
In the Windows Tab:
• Clean all entries in the "Internet Explorer" section.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.
In the Applications Tab:
• Clean all in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.
3. Click the " Run Cleaner" button.
4. A pop up box will appear advising this process will permanently delete files from your system.
5. Click " OK" and it will scan and clean your system.
6. Click " exit" when done.
REBOOT.

Please perform this online scan: F-Secure Online Scanner
The online scanner is on the bottom right of the page.
Direct link: http://support.f-secure.com/enu/home/ols.shtml

Follow the directions on the F-Secure page for proper Installation.

* You may receive an alert on the address bar at this point to install the ActiveX control.
* Click on that alert and then click " Install ActiveX component".
* Read the license agreement and click " Accept".
* Click " Custom Scan" and be sure the following are checked:

• Scan whole System
• 
  
• Scan all files
• Scan whole system for rootkits
• Scan whole system for spyware
• Scan inside archives
• Use advanced heuristics

* When the scan completes, click the " I want to decide item by item" button.
* For each item found, Select " Disinfect" and click " Next".

* When done, click the " Show Report" button, then copy and paste the entire report into your next reply.

 ok here is the report.  thank you so much.  things are working great...i havnt had the popup warnings about spyware anymore.

any ideas for "windows has recovered from an unexpected shutdown"?  it happens every time i properly restart or shutdown my computer.

thanks

 

Scanning Report Friday, April 25, 2008 19:10:13 - 20:50:18

Computer name: AIMEE-PC
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\

---

Result: 1 malware found Tracking Cookie (spyware)

• System

---

StatisticsScanned:

• Files: 129588
• System: 3683
• Not scanned: 107

Actions:

• Disinfected: 0
• Renamed: 0
• Deleted: 0
• None: 1
• Submitted: 0

Files not scanned:

• �

---

OptionsScanning engines:

• F-Secure USS: 2.30.0
• F-Secure Hydra: 2.8.8110, 2008-04-25
• F-Secure Pegasus: 1.20.0, 2008-02-28
• F-Secure AVP: 7.0.171, 2008-04-25

Scanning options:

• Scan all files
• Scan inside archives
• Use Advanced heuristics

---

Copyright © 1998-2007 Product support | Send virus sample to F-Secure F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.

It appears that your malware is gone. If the only remaining problem is that shutdown message, try disabling automatic restart and see if that helps. Control panel\system ... > advance system settings\start up and recovery\settings > Disable automatic restart

For systems running Vista, some people have had problems like this if drivers needed updating. For information on that, I suggest that you post on the Vista Board. They can tell you how to search for drivers.

After you get that problem fixed, come back here so we can flush System Restore. I'll give you some prevention tips as well. I suggest that you keep MBAM updated and run it as an on-demand scanner every so often.

once again thanks so much for your help. yes i do believe my computer is free of all malware, and i cant thank you enough.  it seems like this shutdown problem is very common with vista so i am working on that, and i think i have it worked out.  it may be an issue with my version of trend micro and vista being incompatible.  do you feel that it is okay to uninstall the trend micro, or should i keep that to help protect my computer?  let me know what you would like me to do next to optimize my security. 

You're welcome.
Yes, you can remove Trend Micro, but you need anti-virus protection. You could install one of the free anti-virus programs once you have uninstalled Trend Micro.

Trend Micro's removal instructions:
http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1033906&id=EN-1033906

There is a list of free security software here: http://www.dellcommunity.com/supportforums/board/message?board.id=si_virus&thread.id=66825

You are fortunate that you have Vista because it is a more secure operating system than XP.
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp

Your antivirus (whichever one you decide on), and MBAM (either your free version or the paid upgrade with realtime protection) along with Vista's firewall or one of the free ones in the list above would be good. If you keep the free MBAM, you will need to manually update it every couple of days. You can use it as an on-demand scanner. Otherwise, it you want it auto-updating and running in realtime to monitor, you will need to upgrade to the paid version.

You might consider installing SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
It will:
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
Block spyware/tracking cookies in Internet Explorer and Mozilla Firefox.
Restrict the actions of potentially unwanted sites in Internet Explorer.
Tutorial here: http://www.bleepingcomputer.com/forums/tutorial49.html
Periodically check for updates.

Practice Safe Surfing with with TrendProtect by Trendmicro.
TrendProtect is a browser plugin that assigns a safety rating to domains listed in your search engine. TrendProtect also adds a new button to your browser's toolbar area. The icon and color of the button changes to indicate whether the page currently open is safe, unsafe, trusted, or unrated, or whether it contains unwanted content.

The following color codes are used by TrendProtect to indicate the safety of each site.

Red for Warning
Yellow for Use Caution
Green for Safe
Grey for Unknown

If you do not have an alternate browser, you might consider installing Mozilla / Firefox.
http://www.mozilla.org/

Before using or purchasing any Spyware/Malware protection/removal program, always check the following Rogue/Suspect Spyware Lists.
http://www.spywarewarrior.com/rogue_anti-spyware.htm
http://www.malwarebytes.org/database.php

That's good news.
If everything is running well, it would be good to flush System Restore so you can start fresh. We'll purge the old, infected Restore Points by turning System Restore off and on again.

To turn off Windows Vista System Restore:

1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK
9. When you have finished, restart the computer and follow the instructions in the next section to turn on System Restore.

To turn on Windows Vista System Restore:

1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Place a checkmark in the box for any drive you wish to enable System Restore on
7. Click OK


That should do it. Happy and safe surfing! :)