December 14th, 2004 14:00

Infected computer...Hijackthis log

 
My computer has been infected for about a month. I have followed all of the instructions listed here, and just when I think everything is back to normal, something goes wrong again. Today, it was more pop-ups. Where are these problems hiding???
 
Hijackthis log below...
 
Logfile of HijackThis v1.98.2
Scan saved at 10:48:39 AM, on 12/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\apvxdwin.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\umapldlg.exe
C:\WINDOWS\System32\odpstab.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mary Lane\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=5.1.5&bm=ho_search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/vzn.dsl/welcome.htm?ver=14400&
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=12944&bcmlcid=1033&curlcid=1033&syslcid=1033&loca=244&of11lcid=1033&bcmver=1.00.2002.01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SDWin32 Class - {14E7346D-19D0-4D38-BE72-7D0BC136E14B} - C:\WINDOWS\System32\cdkqw.dll (file missing)
O2 - BHO: SDWin32 Class - {36F3DBBC-1B22-4880-8DD1-FBA825F64A40} - C:\WINDOWS\System32\deqhh.dll (file missing)
O2 - BHO: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - C:\WINDOWS\DOWNLO~1\search3.dll
O2 - BHO: (no name) - {A1A8E128-9D5A-7614-280C-476EBC608ED5} - C:\WINDOWS\Ntyacelm.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [us5X3mQ] odpstab.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [fBu7Rgc2j] umapldlg.exe
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
 
Thank you for your help

933 Posts

December 14th, 2004 16:00

Stephm27, here are two trojans:
C:\WINDOWS\System32\umapldlg.exe
C:\WINDOWS\System32\odpstab.exe
 
Most of the rest of this is adware; look at the link under the VirtualBouncer item, in blue.
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O2 - BHO: SDWin32 Class - {14E7346D-19D0-4D38-BE72-7D0BC136E14B} - C:\WINDOWS\System32\cdkqw.dll (file missing)
O2 - BHO: SDWin32 Class - {36F3DBBC-1B22-4880-8DD1-FBA825F64A40} - C:\WINDOWS\System32\deqhh.dll (file missing)
O2 - BHO: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - C:\WINDOWS\DOWNLO~1\search3.dll
O2 - BHO: (no name) - {A1A8E128-9D5A-7614-280C-476EBC608ED5} - C:\WINDOWS\Ntyacelm.dll (file missing)
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
http://computercops.biz/startuplist-4105.html
O4 - HKLM\..\Run: [us5X3mQ] odpstab.exe
O4 - HKCU\..\Run: [fBu7Rgc2j] umapldlg.exe
 
Here is what I would like you to do: first, use the big guns to kill as much adware as possible. Use the tutorials in the two links posted next to download, and configure exactly as suggested in the tutorials; make sure they are both updated and restart the computer between the programs. Allow them to remove what they locate. There is a slight glitch in Spybot: if you receive a DSO Exploit notification, ignore it.
Ad-aware:
http://www.bleepingcomputer.com/forums/index.php?showtutorial=48
Spybot:
http://www.bleepingcomputer.com/forums/index.php?showtutorial=43
 
When this is completed, please run these three free online scans, set them to fix or clean and allow them to remove what they locate.  Please write down anything that can't be removed and post it with your next log.
http://www.windowsecurity.com/trojanscan/
http://scan.sygatetech.com/pretrojanscan.html
http://housecall.trendmicro.com/
 
Clean like this: Start, Run type "cleanmgr" without the quotes then ok.  Allow windows to remove anything it locates. Empty the recycle bin and restart the computer. Click on Reply at the top left to stay in this same thread. Post a new log, include information from the scans and any feedback you think I should have.
 
Thanks...pskelley

 

Message Edited by pskelley on 12-14-2004 01:37 PM

6 Posts

December 14th, 2004 19:00

Thank you so much for your help.
 
I followed all your steps and encountered just a few problems...I had run Ad-Aware several times prior and it didn't detect anything new. Spybot could not remove "eXactAdvertising.BargainBuddy." When I restarted, it scanned again and removed 5 other programs; I don't know if "eXact..." was one of them. The second virus scan said my computer blocked probes with the Sygate personal firewall. The other scans did not detect anything. Do you think the two trojans are gone? Is that it?
 
Thank you very much!

6 Posts

December 14th, 2004 19:00

This is the new Hijackthis log file...if it helps
 
Logfile of HijackThis v1.98.2
Scan saved at 4:26:43 PM, on 12/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
C:\WINDOWS\System32\odpstab.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\umapldlg.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Mary Lane\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=5.1.5&bm=ho_search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/vzn.dsl/welcome.htm?ver=14400&
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=12944&bcmlcid=1033&curlcid=1033&syslcid=1033&loca=244&of11lcid=1033&bcmver=1.00.2002.01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SDWin32 Class - {14E7346D-19D0-4D38-BE72-7D0BC136E14B} - C:\WINDOWS\System32\cdkqw.dll (file missing)
O2 - BHO: SDWin32 Class - {36F3DBBC-1B22-4880-8DD1-FBA825F64A40} - C:\WINDOWS\System32\deqhh.dll (file missing)
O2 - BHO: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - C:\WINDOWS\DOWNLO~1\search3.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A1A8E128-9D5A-7614-280C-476EBC608ED5} - C:\WINDOWS\Ntyacelm.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [us5X3mQ] odpstab.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [fBu7Rgc2j] umapldlg.exe
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
 

933 Posts

December 14th, 2004 20:00

Our scan had little effect, but it is not your fault. I should have told you not to activate TeaTimer.
TeaTimer is a very good program (part of Spybot, as you know) and its nature is not to allow the bad stuff to change your computer. But it also prevented the changes we wanted to make, and stopped the trojan scan from removing the trojans. Please go to the system tray near the clock, right-click on the TeaTimer icon, then exit the program. Please run all of the scans again. Then post a new log. TT will start again when you restart the computer. You probably saw a lot of messages from TT. Thanks...pskelley

Message Edited by pskelley on 12-14-2004 05:11 PM

933 Posts

December 15th, 2004 18:00

That is no problem; take your time, as you have some nasty stuff on the computer and we want it off. Follow the directions carefully, and sorry, I did not think that you would activate the TeaTimer. I receive an email any time you post and will respond as soon as possible after that. Enjoy the holidays...pskelley

6 Posts

December 15th, 2004 18:00

Thank you...I will not be able to try again on the computer until next week. I'll follow your instructions and post a message on Monday.

6 Posts

December 20th, 2004 16:00

Hi again...I re-ran all the virus scans (without TeaTimer; although I did not see the icon by the clock, I reinstalled the program without TeaTimer selected) and the scans still did not detect the trojans. Sygate still says I have a firewall against it that blocks the probes.

My computer is performing much better, although I do not think I am removing any of the spyware. What's next?

Thank you

933 Posts

December 20th, 2004 19:00

Hello Stephm27, we do have a problem: something is blocking the attempts to remove the malware. What do you mean by this?
 
Sygate still says I have a firewall against it that blocks the probes.
 
Are you sure you do not have a little icon for TeaTimer in the system tray near the clock? That is where it is on the computer I have it installed on. I can't understand how the firewall (Sygate) could be stopping the fix we are trying to make.
If you have to, look for TeaTimer in MSCONFIG and uncheck it from there. I am going to attempt to remove this stuff in Safe Mode; we must get it off of your computer.
TURN OFF TEATIMER AND ANY OTHER PROGRAM YOU HAVE RUNNING THAT WILL STOP YOU FROM MAKING CHANGES

Open Task Manager (Ctrl, Alt, Delete at the same time), then click on the Processes tab; look for and end the process on any of these items that are there:
odpstab.exe
umapldlg.exe
VBouncer
 
 
Enable hidden files: http://www.xtra.co.nz/help/0,,4155-1916458,00.html (for your operating system)
Or use this manual method:
MANUAL INSTRUCTIONS FOR ENABLING HIDDEN FILES
* Double-click My Computer.
* Click the Tools menu, and then click Folder Options.
* Click the View tab.
* Clear "Hide file extensions for known file types."
* Under the "Hidden files" folder, select "Show hidden files and folders."
* Clear "Hide protected operating system files."
* Click Apply, and then click OK.
 
 
Then use these instructions to enter Safe Mode:
http://www.bleepingcomputer.com/forums/index.php?showtutorial=61#winxo
 
 
Once in Safe Mode, scan with HijackThis and check each of these lines:
 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O2 - BHO: SDWin32 Class - {14E7346D-19D0-4D38-BE72-7D0BC136E14B} - C:\WINDOWS\System32\cdkqw.dll (file missing)
O2 - BHO: SDWin32 Class - {36F3DBBC-1B22-4880-8DD1-FBA825F64A40} - C:\WINDOWS\System32\deqhh.dll (file missing)
O2 - BHO: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - C:\WINDOWS\DOWNLO~1\search3.dll
O2 - BHO: (no name) - {A1A8E128-9D5A-7614-280C-476EBC608ED5} - C:\WINDOWS\Ntyacelm.dll (file missing)
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [us5X3mQ] odpstab.exe
O4 - HKCU\..\Run: [fBu7Rgc2j] umapldlg.exe
 
With no other windows open, click on "Fix Checked"
 
RIGHT-click on Start, then click on Explore. Locate and delete these files or folders; all may not be there, but be very careful not to miss any:
 
C:\WINDOWS\System32\odpstab.exe >> file
C:\WINDOWS\System32\umapldlg.exe >> file
C:\WINDOWS\System32\cdkqw.dll >> file
C:\WINDOWS\System32\deqhh.dll >> file
C:\WINDOWS\DOWNLO~1\search3.dll >> file
C:\WINDOWS\Ntyacelm.dll >> file
C:\PROGRA~1\VBouncer\ >> folder
 
Clean like this: Start, Run type "cleanmgr" without the quotes then ok.  Allow windows to remove anything it locates.
 
There is a new version of HijackThis; please download it from within the old version like this:
"Config" => "Misc Tools" => "Check for updates online"
Empty the recycle bin and restart the computer, use Reply to stay in this same thread and post a new log using version 1.99. Give us your feedback along with the log.
Thanks...pskelley
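The two replies from pskelley above (the first one that singles out the trojan and adware lines in the log, and the Safe Mode instructions that turn those lines into end-process, delete-file and "Fix checked" steps) amount to a manual triage-and-remediation procedure. The Python script below is added here as an example and is not part of the thread or of HijackThis; it does the same reading of the log by machine. Its flagging rules (random-looking Run value names, Run values holding a bare filename instead of a path, BHOs whose DLL is "(file missing)" or sits under C:\WINDOWS, blanked R0 search values, the missing URLSearchHook, and VirtualBouncer as a name the thread already identified as adware) are assumptions modelled on this log, not HijackThis's own logic. The sample input is trimmed from the two logs posted above; the registry paths for Run values and Browser Helper Objects are the standard Windows locations.

```python
"""Triage a HijackThis 1.98 log and build a remediation plan from the findings. Added
example for this thread, not HJT code; the rules are assumptions modelled on this log."""
import re
from collections import namedtuple

# Entries copied from the first log posted in the thread, trimmed to the lines under
# discussion plus two benign neighbours so the rules have something to leave alone.
LOG_BEFORE = r"""
Running processes:
C:\WINDOWS\System32\umapldlg.exe
C:\WINDOWS\System32\odpstab.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SDWin32 Class - {14E7346D-19D0-4D38-BE72-7D0BC136E14B} - C:\WINDOWS\System32\cdkqw.dll (file missing)
O2 - BHO: SDWin32 Class - {36F3DBBC-1B22-4880-8DD1-FBA825F64A40} - C:\WINDOWS\System32\deqhh.dll (file missing)
O2 - BHO: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - C:\WINDOWS\DOWNLO~1\search3.dll
O2 - BHO: (no name) - {A1A8E128-9D5A-7614-280C-476EBC608ED5} - C:\WINDOWS\Ntyacelm.dll (file missing)
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [us5X3mQ] odpstab.exe
O4 - HKCU\..\Run: [fBu7Rgc2j] umapldlg.exe
"""
# The second log repeats every line above and adds Spybot's own BHO and TeaTimer entries.
LOG_AFTER = LOG_BEFORE + r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
O2_RE = re.compile(r'^O2 - BHO: (?P<label>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - '
                   r'(?P<path>.+?)(?P<missing> \(file missing\))?$')
RUN_KEY = r'Software\Microsoft\Windows\CurrentVersion\Run'
BHO_KEY = r'HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
KNOWN_ADWARE = {'vbouncer'}   # named as adware in the thread; normally a list loaded from a file
Finding = namedtuple('Finding', 'line reason')


def random_looking(name):
    """'us5X3mQ', 'fBu7Rgc2j': digits plus both letter cases, no extension or separator."""
    return (name.isalnum() and any(c.isdigit() for c in name)
            and any(c.islower() for c in name) and any(c.isupper() for c in name))


def triage(log_text):
    """Return (findings, running-process map); each rule is a line type the helper checked."""
    procs, findings = {}, []
    for line in log_text.splitlines():
        line = line.rstrip()
        if re.match(r'^[A-Za-z]:\\', line):                  # "Running processes:" section
            procs[line.rsplit('\\', 1)[-1].lower()] = line
        elif line.startswith('R0 ') and line.endswith('='):
            findings.append(Finding(line, 'IE search setting blanked'))
        elif line == 'R3 - Default URLSearchHook is missing':
            findings.append(Finding(line, 'default URLSearchHook removed'))
        elif m := O2_RE.match(line):
            if m['missing']:
                findings.append(Finding(line, 'BHO registered but DLL missing'))
            elif m['path'].upper().startswith('C:\\WINDOWS\\'):
                findings.append(Finding(line, 'BHO DLL under the Windows directory'))
        elif m := O4_RE.match(line):
            reasons = []
            if '\\' not in m['cmd'].strip('"'):
                reasons.append('bare filename, resolved via PATH')
            if random_looking(m['name']):
                reasons.append('random-looking value name')
            if m['name'].lower() in KNOWN_ADWARE:
                reasons.append('known adware')
            if reasons:
                findings.append(Finding(line, '; '.join(reasons)))
    return findings, procs


def remediation_plan(findings, procs):
    """End the process, delete the file, remove the Run value or BHO CLSID, as the helper
    does in Safe Mode. Files HJT reports missing are skipped; their registration still goes."""
    plan = {'fix_checked': [f.line for f in findings], 'end_process': [], 'delete': [], 'registry': []}
    for f in findings:
        if m := O4_RE.match(f.line):
            exe = m['cmd'].strip('"')
            base = exe.rsplit('\\', 1)[-1]
            plan['end_process'].append(base)
            plan['delete'].append(procs.get(base.lower(), exe))   # bare name -> path seen running
            plan['registry'].append(f"{m['hive']}\\{RUN_KEY}\\{m['name']}")
        elif m := O2_RE.match(f.line):
            if not m['missing']:
                plan['delete'].append(m['path'])
            plan['registry'].append(f"{BHO_KEY}\\{{{m['clsid']}}}")
    return plan


def survived(before, after):
    """Findings present in both logs: what the scanners and Spybot left untouched."""
    return {f.line for f in triage(before)[0]} & {f.line for f in triage(after)[0]}


if __name__ == '__main__':
    findings, procs = triage(LOG_BEFORE)
    for f in findings:
        print(f'{f.reason:42} {f.line[:70]}')
    print(*remediation_plan(findings, procs).items(), sep='\n')
    print(len(survived(LOG_BEFORE, LOG_AFTER)), 'findings survived the second round of scans')
```

On the sample above the script flags exactly the ten lines the helper lists for "Fix checked" and leaves the Acrobat, Panda and Spybot entries alone. Two details are worth noting. A Run value that holds only odpstab.exe says nothing about where the file is; the script resolves it through the "Running processes" section, which shows it loaded from System32, and that is the path the helper tells the poster to delete. Files HijackThis already reports as "(file missing)" are dropped from the delete list, but their CLSID registration still has to be removed, which is what "Fix checked" on an O2 line does. Comparing the two logs shows all ten findings surviving the Ad-Aware, Spybot and online-scanner round, which is the "little effect" the helper observed; a run of these heuristics on a fresh log is a quick way to confirm whether a cleanup actually changed anything.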

6 Posts

December 21st, 2004 13:00

Hi...thank you for your help...
 
I am positive I did not have an icon for TeaTimer in the system tray. I uninstalled and reinstalled the program without TeaTimer to ensure that the changes could be made.
I also don't understand how the firewall (Sygate) could be stopping the fix we are trying to make.
 
I followed the rest of your instructions and found that
odpstab.exe
umapldlg.exe
VBouncer
are not listed on the Processes tab. I did not go ahead and do anything else. If the spyware is still on my computer, why is it back to operating normally?