antivirus xp 2008, win32.agent and other viruses!

  sandmartin 20:44 03 Jul 2008

Think I'm infected with trojans and viruses! Back from holiday and unwisely (in hindsight) left pc at mercy of my teenage sons - now have a stubborn message on screen saying 'warning - your PC is infected with spyware, please install antispyware programme'

Have scoured the forums for advice, run various spyware programs including AVG, spybot, sdfix, smitfraudfix and still the pop ups continue. Also I get the dreaded blue screen with messages like - 'bad pool header', 'bogus driver', systinternals_great site', 'no more irp stack locations', 'panick stack switch' etc etc which seem to appear after a few mins and run in the background.

Worryingly persistent spyware which keeps appearing is antivirus xp 2008 icons which keep directing me to remove spyware and win32.agent.pz .. also had virtumonde, zlob.downloader & pws-ldpinchIE amongst others coming up on scans.

Can anyone help? Or is my PC wrecked?

  rdave13 20:48 03 Jul 2008

Try downloading rogueremover; click here , and superantispyware. Update both progs. Boot to safe mode and run rogueremover first then superantispyware.

  rdave13 20:56 03 Jul 2008

Also run your antivirus in safe mode.

  sandmartin 06:10 04 Jul 2008

Thanks - rogueremover seems to have cleared the spyware message and the blue screens have stopped. On booting up this morning everything worked fine except an error message saying -

'error loading c:\WINDOWS\system32\dmqndsfb\dll
the specified module could not be loaded'

No other symptoms so far, but what is this message? I just clicked it off.

  Mac70 08:13 04 Jul 2008

Is it a rundll error?

  rdave13 16:41 04 Jul 2008

Now you have, at least, a usable PC, may I suggest you join a malware removal specialist forum. Someone there can check the PC for any remnants of malware that are left. Explain what you've used, and how, just to get you going.
Have a look at this thread; click here and see Mac70's recommendations in the 22:31 post.

  sandmartin 12:08 05 Jul 2008

Hi - yes, I think it's a rundll error but not sure. Same message again this morning, but the PC works OK if I just close the message. Ran spybot just now and it picked up just the one virus - virtumonde.px with 4 entries that changed the registry.

  DieSse 16:17 05 Jul 2008

"...but what is this message?"

It's a leftover command to try and load some malware when your system starts. The malware is no longer there, but the entry in the startup list still tries to load it (but can't find it).

From the start button select Run and enter msconfig in the run box. Press enter.

Look in the startup tab for the command that tries to load dmqndsfb.dll and untick the box at the front of its line.

Reboot - tick the box in the popup that appears (to say don't show the msconfig change notifier again) - and all should be OK.

  sandmartin 19:40 08 Jul 2008

Thanks for all your help guys, but still having some probs - on start up I still have a rundll error message; even after I've unticked it using msconfig it just reappears. Item is bcddmxgq, Command is Rundll.exe C\win .. and Location is HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion...

I just did an AVG scan with the following results

C:\Documents and Settings\User\Desktop\SDFix\backups_old3\backups.zip/backups/jzcom32.dll -> Downloader.BHO.kr : No action taken.
C:\Program Files\iWin.com\Big City Adventure Sydney Australia\GameLauncher.exe -> Dropper.Irsd.c : No action taken.
C:\Program Files\iWin.com\Cooking Academy\GameLauncher.exe -> Dropper.Irsd.c : No action taken.
C:\Documents and Settings\User\Desktop\SDFix\backups_old3\catchme.zip/ntos.exe -> Logger.Zbot.crv : No action taken.
C:\Documents and Settings\User\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\User\Cookies\[email protected][1].txt -> TrackingCookie.Adbrite : No action taken.
C:\Documents and Settings\User\Cookies\[email protected]ite[1].txt -> TrackingCookie.Adbrite : No action taken.
C:\Documents and Settings\User\Cookies\[email protected][2].txt -> TrackingCookie.Adrevolver : No action taken.
C:\Documents and Settings\User\Cookies\[email protected]volver[1].txt -> TrackingCookie.Adrevolver : No action taken.
C:\Documents and Settings\User\Cookies\[email protected][1].txt -> TrackingCookie.Advertising : No action taken.
C:\Documents and Settings\User\Cookies\[email protected][2].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\User\Cookies\[email protected][2].txt -> TrackingCookie.Burstnet : No action taken.
C:\Documents and Settings\User\Cookies\[email protected]khype[1].txt -> TrackingCookie.Clickhype : No action taken.
C:\Documents and Settings\User\Cookies\[email protected][3].txt -> TrackingCookie.Connextra : No action taken.
C:\Documents and Settings\User\Cookies\[email protected][1].txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\User\Cookies\[email protected]click[1].txt -> TrackingCookie.Euroclick : No action taken.
C:\Documents and Settings\User\Cookies\[email protected][2].txt -> TrackingCookie.Fastclick : No action taken.
C:\Documents and Settings\User\Cookies\[email protected][1].txt -> TrackingCookie.Findwhat : No action taken.
C:\Documents and Settings\User\Cookies\[email protected][2].txt -> TrackingCookie.Hotlog : No action taken.
C:\Documents and Settings\User\Cookies\[email protected]person[1].txt -> TrackingCookie.Liveperson : No action taken.
C:\Documents and Settings\User\Cookies\[email protected][1].txt -> TrackingCookie.Mediaplex : No action taken.
C:\Documents and Settings\User\Cookies\[email protected][2].txt -> TrackingCookie.Overture : No action taken.
C:\Documents and Settings\User\Cookies\[email protected]ptraffic[2].txt -> TrackingCookie.Popuptraffic : No action taken.
C:\Documents and Settings\User\Cookies\[email protected][1].txt -> TrackingCookie.Realmedia : No action taken.
C:\Documents and Settings\User\Cookies\[email protected]ing-sys[2].txt -> TrackingCookie.Serving-sys : No action taken.
C:\Documents and Settings\User\Cookies\[email protected][2].txt -> TrackingCookie.Serving-sys : No action taken.
C:\Documents and Settings\User\Cookies\[email protected][2].txt -> TrackingCookie.Tacoda : No action taken.
C:\Documents and Settings\User\Cookies\[email protected][1].txt -> TrackingCookie.Tribalfusion : No action taken.
C:\Documents and Settings\User\Cookies\[email protected]rends[1].txt -> TrackingCookie.Webtrends : No action taken.
C:\Documents and Settings\User\Cookies\[email protected]rendslive[2].txt -> TrackingCookie.Webtrendslive : No action taken.
C:\Documents and Settings\User\Cookies\[email protected][1].txt -> TrackingCookie.Yadro : No action taken.
C:\Documents and Settings\User\Cookies\[email protected]dmanager[1].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\Documents and Settings\User\Cookies\[email protected][2].txt -> TrackingCookie.Zedo : No action taken.
C:\Documents and Settings\User\Desktop\SDFix\backups\catchme.zip/sysrest.sys -> Worm.Zhelatin.vl : No action taken.

Anything suspect?

  sandmartin 19:43 08 Jul 2008

I see many folk use Hijackthis to diagnose problems so here is my log ..

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:15:50, on 08/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {66F5EF0A-7D90-4655-BDD2-F7074F070405} - (no file)
O2 - BHO: (no name) - {AB0D3CDD-C378-4B2A-98B7-49058FF9C174} - (no file)
O2 - BHO: {7bcea662-4f77-4e5a-1fe4-1c2a5c4b61bc} - {cb16b4c5-a2c1-4ef1-a5e4-77f4266aecb7} - C:\WINDOWS\system32\ukgkor.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [BMefc75c61] Rundll32.exe "C:\WINDOWS\system32\bcddmxgq.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - click here
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?3e2dc9817f0f48d7986c76f8b473e4ba
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?3e2dc9817f0f48d7986c76f8b473e4ba
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - click here
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - click here
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - click here
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - click here
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - click here
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: JTFGYMRNY (jtfgymrny) - Unknown owner - C:\DOCUME~1\User\LOCALS~1\Temp\JTFGYMRNY.exe (file missing)

--
End of file - 4111 bytes

  mfletch 20:17 08 Jul 2008

This looks suspicious:

O4 - HKLM\..\Run: [BMefc75c61] Rundll32.exe "C:\WINDOWS\system32\bcddmxgq.dll",s

Have a look in your startup entries and stop it from starting at startup:

Click>start>Run>type in the box msconfig then click OK>startup

Then delete all temp Internet files and cookies

Ccleaner will do this,

click here

Download Malwarebytes Antimalware and update it,

click here

Restart your computer into safe mode and do a full scan with Malwarebytes,

SAFE MODE

Reboot into SAFE MODE

1/Click Start and then click Turn Off Computer.
2/In the Turn Off Windows dialog box, click Restart, and then click OK.
3/As your computer restarts but before Windows launches, press F8 repeatedly.
4/Use the arrow keys to highlight Safe Mode, and then press ENTER.
5/If you have a dual-boot or multiple-boot system, choose the installation that you need to access using the arrow keys, and then press ENTER.
Note: If Windows launches before you can choose a safe mode, restart your computer and try again.
PS/ Sometimes it may be the F5 key.
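The two things the helpers above are doing by eye, spotting the orphaned startup entry DieSse describes (a Run or service entry whose file is gone) and picking the `Rundll32.exe ... bcddmxgq.dll` line out of the HijackThis log as mfletch did, can be automated as a small triage pass over the log. The following Python script is an added example written for this page; it is not part of the thread, of HijackThis, or of any of the tools mentioned. Its sample input is a handful of lines copied from sandmartin's log, and its flagging rules (missing-file markers, rundll32-launched DLLs, anything running from a Temp folder, a BHO with a GUID where its display name should be) are my own heuristics for deciding which entries deserve a closer look, not a verdict that an entry is malicious.

```python
import re

# Constructed sample input: lines copied from the HijackThis log posted in this thread,
# mixing known-good entries (Spybot, AVG, ctfmon) with the ones the thread flagged.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {66F5EF0A-7D90-4655-BDD2-F7074F070405} - (no file)
O2 - BHO: {7bcea662-4f77-4e5a-1fe4-1c2a5c4b61bc} - {cb16b4c5-a2c1-4ef1-a5e4-77f4266aecb7} - C:\WINDOWS\system32\ukgkor.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [BMefc75c61] Rundll32.exe "C:\WINDOWS\system32\bcddmxgq.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: JTFGYMRNY (jtfgymrny) - Unknown owner - C:\DOCUME~1\User\LOCALS~1\Temp\JTFGYMRNY.exe (file missing)
"""

# HijackThis prints these when the referenced file no longer exists on disk: the
# "leftover command" situation DieSse explains (the loader survives, the payload is gone).
ORPHAN_MARKERS = ("(file missing)", "(no file)")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
TEMP_RE = re.compile(r"\\(LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)
# rundll32 followed by an (optionally quoted) DLL path; the export name after the comma is ignored.
RUNDLL_RE = re.compile(r'^rundll32(\.exe)?\s+"?([^",]+\.dll)"?', re.IGNORECASE)
ENTRY_RE = re.compile(r"^(O\d+|R\d+|F\d+|N\d+)\s+-\s+(.*)$")


def parse_line(line):
    """Split one HijackThis line into (section, payload); None for headers/blank lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage(log_text):
    """Return [(section, original line, [reasons])] for every entry worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if not parsed:
            continue
        section, payload = parsed
        reasons = []
        if any(marker in payload for marker in ORPHAN_MARKERS):
            reasons.append("orphaned entry: the file it loads is missing")
        if TEMP_RE.search(payload):
            reasons.append("runs from a Temp directory")
        if section == "O4":
            # O4 - <hive>\..\Run: [<item name>] <command line>
            m = re.search(r"\[([^\]]*)\]\s*(.*)$", payload)
            if m:
                r = RUNDLL_RE.match(m.group(2))
                if r:
                    reasons.append("rundll32 loads a DLL at logon: " + r.group(2))
        if section == "O2":
            # O2 - BHO: <display name> - {CLSID} - <path>
            name = payload[len("BHO: "):].split(" - ")[0].strip()
            if GUID_RE.match(name):
                reasons.append("BHO registered with a GUID instead of a display name")
        if reasons:
            findings.append((section, raw.strip(), reasons))
    return findings


if __name__ == "__main__":
    for section, line, reasons in triage(SAMPLE_LOG):
        print(section, line)
        for reason in reasons:
            print("    -", reason)
```

Run against the sample it flags five of the nine lines: the two `(no file)`/`(file missing)` leftovers, the `bcddmxgq.dll` Run entry, the GUID-named BHO loading `ukgkor.dll`, and the `JTFGYMRNY` service from Temp (which trips two rules). The Ad-Aware service shows why the output is a worklist rather than a verdict: it is orphaned too, but only because the program was uninstalled, and the fix for it is the same msconfig or service clean-up, not a malware scan.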

