
Author Topic: Blackworm / WinFixer 2006 Popup  (Read 6080 times)


computerman45

  • Guest
Blackworm / WinFixer 2006 Popup
« on: March 18, 2006, 05:18:08 PM »
Alright, I need some help and decided to turn to this forum. I need an expert for this. I have a very large HijackThis log, and need advice on what needs to be fixed.

I have recently been plagued with a popup saying that I have been infected with the Blackworm virus and then get directed to the WinFixer download page... So, I will post my log and see what you all think. Thanks for the help!

EDIT: I thought I would just upload the log file (it is zipped). That makes things much simpler. I warn you it is long... sorry, and thank you to whoever helps me!
« Last Edit: March 18, 2006, 05:46:42 PM by computerman45 »

GX1_Man

  • Guest
Re: Blackworm / WinFixer 2006 Popup
« Reply #1 on: March 18, 2006, 05:52:28 PM »
Have you run all of the scans in safe mode?

http://www.computerhope.com/cgi-bin/yabb/YaBB.cgi?num=1134123580

Best to make it as clean as you can prior to the Hijack This exercise.

You do have a lot of crappola in there.  :o
« Last Edit: March 18, 2006, 05:54:29 PM by GX1_Man »

Fed

  • Moderator
  • Sage
  • Thanked: 35
  • Experience: Experienced
  • OS: Windows XP
Re: Blackworm / WinFixer 2006 Popup
« Reply #2 on: March 19, 2006, 01:04:34 AM »
Throw VundoFix into the mix too.
http://www.atribune.org/ccount/click.php?id=4

Download VundoFix.exe to your desktop.

Double-click VundoFix.exe to run it.
Put a check next to Run VundoFix as a task.
You will receive a message saying VundoFix will close and re-open in a minute or less. Click OK.
When VundoFix re-opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files; click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shut down your computer; click OK.
Turn your computer back on.

Backdated

  • Guest
Re: Blackworm / WinFixer 2006 Popup
« Reply #3 on: March 20, 2006, 11:57:55 PM »
There's a little more to it than that, Fed! ;)

Move Hijackthis to its own unique folder, run it once and close it.
Uninstall Logitech Desktop Messenger and anything else you don't need or want.

Download EmpTemp and install it.

Download VundoFix, place it on your desktop, run it and elect to install to your desktop. You should now see a folder called Vundo.

Empty the Recycle Bin and disable System Restore.

Do nothing else at this point except reboot to Safe Mode, open the VundoFix folder and run KillVundo.bat. Hit enter to accept the warning.
Enter the filepath as
C:\WINDOWS\system32\ssttr.dll
Press enter
Enter the next filepath as:
C:\WINDOWS\system32\rttss.*
Press enter
Hijackthis may now run - if it doesn't, launch it manually and fix the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pldi.net/Main.php?do=Index

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pldi.net/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/

O2 - BHO: RawExecAction Object - {18898424-E3AB-4BA9-8E8D-5434B1CECA75} - C:\WINDOWS\system32\ssttr.dll

O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} -

O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.3.1.cab

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://dev-www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_35.cab

O16 - DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} (PlayerOCX Control) - http://www.pysoft.com/Downloads/WebCamPlayerOCX.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.fallingrocktaphouse.com/cam/AxisCamControl.ocx

O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://www.intellishack.com/h263ctrl.cab

O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://liveca05.rightnowtech.com/uo/thesimsonline/rnt/rnl/java/RntX.cab

O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup141.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: ssttr - C:\WINDOWS\system32\ssttr.dll

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)


Press enter to restart normally.

At this point, do nothing except run EmpTemp. Ensure that all temp file locations and temporary internet folders are shown in the left-hand side of EmpTemp's window and hit the "Clean" button.

Visit Panda Active Scan and commit to a full scan. Fix anything that's found. Copy the scan results, paste them into Notepad and save as pandascan.log.

Return here and post pandascan.log, vundofix.txt and a fresh Hijackthis log.
« Last Edit: March 21, 2006, 12:00:34 AM by Backdated »
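The reasoning behind the list above is worth making explicit: the same DLL (ssttr.dll) is registered both as an O2 browser helper object and as an O20 Winlogon Notify handler, several O18 protocol handlers point at a file that no longer exists, and one O2 entry has neither a name nor a path. Those are the patterns a helper looks for when triaging a HijackThis log. The script below is an added example written for this thread, not something any poster used; it parses HJT-style lines, correlates the file paths they reference across sections and reports the entries that match those patterns. The sample lines are copied from Backdated's post, except the final O23 line, which is constructed as a benign control; the flagging rules and the function names are this example's own.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread).

Flags three patterns visible in the log posted above:
  1. a file path loaded from more than one section (O2 BHO + O20 Winlogon Notify);
  2. an entry whose registered file is marked "(file missing)" (dangling handler);
  3. an O2 BHO with "(no name)" and no file path at all.
"""
import re
from collections import defaultdict

# Sample input: lines 1-5 are taken from Backdated's post; the O23 line is a
# constructed, deliberately benign control that must NOT be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O2 - BHO: RawExecAction Object - {18898424-E3AB-4BA9-8E8D-5434B1CECA75} - C:\WINDOWS\system32\ssttr.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} -
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ssttr - C:\WINDOWS\system32\ssttr.dll
O23 - Service: Example Service (exsvc) - Unknown owner - C:\Program Files\Example\exsvc.exe
"""

# HJT section prefix: R0-R3 (IE settings) or O<n> (everything else).
SECTION_RE = re.compile(r"^(R[0-3]|O\d+)\s+-\s+")
# A Windows path starting with a drive letter or %ENV% variable and ending in
# a loadable module extension; lazy match stops at the first such extension.
PATH_RE = re.compile(
    r'((?:[A-Za-z]:|%[A-Za-z]+%)\\[^"\r\n]*?\.(?:dll|exe|ocx))', re.IGNORECASE
)


def parse_entries(text):
    """Split a log into entries: section, raw line, referenced path, missing flag."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue  # header, blank or free-text line
        pm = PATH_RE.search(line)
        entries.append({
            "section": m.group(1),
            "line": line,
            # normalise case so C:\WINDOWS\... and c:\windows\... correlate
            "path": pm.group(1).lower() if pm else None,
            "file_missing": "(file missing)" in line.lower(),
        })
    return entries


def correlate_paths(entries):
    """Map each referenced file path to the set of sections that load it."""
    by_path = defaultdict(set)
    for e in entries:
        if e["path"]:
            by_path[e["path"]].add(e["section"])
    return by_path


def flag_entries(entries):
    """Return [(line, [reasons])] for every entry matching a triage rule."""
    by_path = correlate_paths(entries)
    findings = []
    for e in entries:
        reasons = []
        if e["path"] and len(by_path[e["path"]]) > 1:
            sections = ", ".join(sorted(by_path[e["path"]]))
            reasons.append("same file loaded from sections " + sections)
        if e["file_missing"]:
            reasons.append("registered file no longer exists (dangling entry)")
        if e["section"] == "O2" and "(no name)" in e["line"] and not e["path"]:
            reasons.append("BHO with no name and no file path")
        if reasons:
            findings.append((e["line"], reasons))
    return findings


def triage(text):
    """Convenience wrapper: parse and flag in one call."""
    return flag_entries(parse_entries(text))


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

Run against the sample, the two ssttr.dll lines are reported together because the path correlates across O2 and O20, the O18 line is reported as dangling, and the nameless O2 entry is reported for having no path; the R1 and O23 lines pass. The rules are deliberately narrow so that the output is a short list for a human to check, not a verdict.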

Fed

  • Moderator
  • Sage
  • Thanked: 35
  • Experience: Experienced
  • OS: Windows XP
Re: Blackworm / WinFixer 2006 Popup
« Reply #4 on: March 21, 2006, 01:59:05 AM »
Like you (usually), Backdated, I didn't intend to even look at the HJT log until the OP had carried out GX1_Man's instructions and posted a new one.
I also thought CCleaner would have made a reasonable substitute for EmpTemp.
Adding VundoFix to the GX1_Man mix just 'felt' right.
I just noticed the OP's date stamp.... forget it. :)

Backdated

  • Guest
Re: Blackworm / WinFixer 2006 Popup
« Reply #5 on: March 21, 2006, 06:09:51 AM »
lol..... It was a little early in the AM for me to assimilate such intricate details! ;D

It might make a useful resource if the Hijackthis entries etc. are removed.

MP1975

  • Apprentice
Re: Blackworm / WinFixer 2006 Popup
« Reply #6 on: March 22, 2006, 04:49:19 PM »
Quote:
    Throw VundoFix into the mix too.
    http://www.atribune.org/ccount/click.php?id=4

    Download VundoFix.exe to your desktop.

    Double-click VundoFix.exe to run it.
    Put a check next to Run VundoFix as a task.
    You will receive a message saying VundoFix will close and re-open in a minute or less. Click OK.
    When VundoFix re-opens, click the Scan for Vundo button.
    Once it's done scanning, click the Remove Vundo button.
    You will receive a prompt asking if you want to remove the files; click YES.
    Once you click yes, your desktop will go blank as it starts removing Vundo.
    When completed, it will prompt that it will shut down your computer; click OK.
    Turn your computer back on.

This worked like a champ!

I haven't seen one of them *censored* bugs since using this software.

Hats off and again thanks for the info.
Dream until your dreams come true.

Backdated

  • Guest
Re: Blackworm / WinFixer 2006 Popup
« Reply #7 on: March 23, 2006, 08:54:28 AM »
@Fed:
CCleaner's default setting is to keep temp files that are newer than 14 days, so often, if it is used as a cleaner, the contamination will simply return. It can also interfere with the cleaning process by removing registry entries etc. and confusing things. EmpTemp does exactly what it says on the tin - empty temp folders and nothing else.

@MP1975:
Many of these infections exhibit stealth or pseudo-stealth properties, which is why it's very important to stick to approved routines regarding Safe Mode, temp folders, Hijackthis and antivirus scans etc.

Fed

  • Moderator
  • Sage
  • Thanked: 35
  • Experience: Experienced
  • OS: Windows XP
Re: Blackworm / WinFixer 2006 Popup
« Reply #8 on: March 23, 2006, 10:03:36 PM »
My CCleaner default is only 2 days, but I must have unchecked the box ages ago, so it's now 0 days.
Updated CCleaners must carry over the user options unless it's uninstalled.
There's an update for me now, so I'll check it out. ;)

<Edit>
The default is only 2 days, but that's 2 days too many.
A fresh install rechecked the 2-day box too.
« Last Edit: March 23, 2006, 10:15:51 PM by Fed »

Backdated

  • Guest
Re: Blackworm / WinFixer 2006 Popup
« Reply #9 on: March 24, 2006, 05:07:21 AM »
Sorry about that. I was writing a threatening email at the same time as answering this, giving a company 14 days to get their act together, and wires must have been crossed somewhere!

As you say, the default is 48 hours, but as you rightly point out, that's 48 hours too long in cases like this.
However, it's because of these little inbuilt safety nets that I feel I can recommend CCleaner for everyday use. It does a good job, but at the same time, it's benign enough to avoid causing any serious damage.