After I ran my own scans and tried scans listed in the forums, it has gotten a little better. I do not have the popups that I know of, but I haven't stayed on the computer very long at a time. My desktop is still all screwy: I can't change my background, it's just solid white, and all icons are highlighted in blue but do not open all at once when one is clicked.
Hopefully this is the info you need to help, and thanks in advance!
I am running Windows XP.
First I ran SUPERAntiSpyware and it found 211 items, removed.
Ran Norton; it found one, removed.
I have run them several times again. Norton doesn't find anything; SUPERAntiSpyware will pick up a few here and there.
After reading posts here, I ran Vundofix and it found nothing.
I ran VirtumundoBeGone; it produces a log, but I didn't see anything. Will attach.
I ran ATF Cleaner.
I set a restore point.
I ran Malwarebytes- 22 files were detected and deleted.
I ran SUPERAntiSpyware again; it found nothing.
I ran Panda ActiveScan; it says it found 16, but without paying I could only see 8?
I did a Windows Update and it installed SP3, which I didn't know about. I don't know that I should have installed it, because it said not to download SP2.
Ran HijackThis, log to follow.
Still have desktop issues and I just know my computer is not safe.
Here are my logs:
HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:45:31 PM, on 5/13/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\CE\nmSvc.exe
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\Program Files\Java\j2re1.4.2_15\bin\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CE\nmFlt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.geocaching.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3635230E-DC32-4261-A852-90721B39EAA4} - (no file)
O2 - BHO: (no name) - {38AD5C7F-4390-4F08-A560-2267F79DA9A2} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {DAB56605-0F19-4F3A-9B0F-19B417F76525} - C:\WINDOWS\system32\xxyWPJAQ.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NMSVC] C:\Program Files\CE\nmSvc.exe
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_15\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?6feaf82f31e84c35b791910e8bd80cfe
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?6feaf82f31e84c35b791910e8bd80cfe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nmnsp.dll
O10 - Unknown file in Winsock LSP: cespy.dll
O10 - Unknown file in Winsock LSP: cespy.dll
O10 - Unknown file in Winsock LSP: cespy.dll
O10 - Unknown file in Winsock LSP: cespy.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyds...DSL/tgctlcm.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://coupons.smart...oad/cscmv5X.cab
O16 - DPF: {596AF4AC-40A0-474A-9F86-33F0A90F0FD6} (PictureItLauncher Class) - http://photos.msn.co...ls/DigWebX2.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase9563.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1189658127625
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://zone.msn.com/...tg.1.0.0.37.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.to...0.16/ttinst.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcp.../pcpitstop2.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O24 - Desktop Component 0: Privacy Protection - (no file)
--
End of file - 8049 bytes
Virtumundo:
[05/12/2008, 19:21:48] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Owner\Desktop\VirtumundoBeGone.exe" )
[05/12/2008, 19:21:53] - Detected System Information:
[05/12/2008, 19:21:53] - Windows Version: 5.1.2600, Service Pack 2
[05/12/2008, 19:21:53] - Current Username: Owner (Admin)
[05/12/2008, 19:21:53] - Windows is in NORMAL mode.
[05/12/2008, 19:21:53] - Searching for Browser Helper Objects:
[05/12/2008, 19:21:53] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[05/12/2008, 19:21:53] - BHO 2: {3635230E-DC32-4261-A852-90721B39EAA4} ()
[05/12/2008, 19:21:53] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/12/2008, 19:21:53] - No filename found. Continuing.
[05/12/2008, 19:21:53] - BHO 3: {38AD5C7F-4390-4F08-A560-2267F79DA9A2} ()
[05/12/2008, 19:21:53] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/12/2008, 19:21:53] - No filename found. Continuing.
[05/12/2008, 19:21:53] - BHO 4: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[05/12/2008, 19:21:53] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/12/2008, 19:21:53] - No filename found. Continuing.
[05/12/2008, 19:21:53] - BHO 5: {84FEBFF8-945B-4F9A-B9B8-B68EC5020770} ()
[05/12/2008, 19:21:53] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/12/2008, 19:21:53] - Checking for HKLM\...\Winlogon\Notify\vtUnoLBs
[05/12/2008, 19:21:53] - Found: HKLM\...\Winlogon\Notify\vtUnoLBs - This is probably Virtumundo.
[05/12/2008, 19:21:53] - Assigning {84FEBFF8-945B-4F9A-B9B8-B68EC5020770} MSEvents Object
[05/12/2008, 19:21:53] - BHO list has been changed! Starting over...
[05/12/2008, 19:21:53] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[05/12/2008, 19:21:53] - BHO 2: {3635230E-DC32-4261-A852-90721B39EAA4} ()
[05/12/2008, 19:21:53] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/12/2008, 19:21:53] - No filename found. Continuing.
[05/12/2008, 19:21:53] - BHO 3: {38AD5C7F-4390-4F08-A560-2267F79DA9A2} ()
[05/12/2008, 19:21:53] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/12/2008, 19:21:53] - No filename found. Continuing.
[05/12/2008, 19:21:53] - BHO 4: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[05/12/2008, 19:21:53] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/12/2008, 19:21:53] - No filename found. Continuing.
[05/12/2008, 19:21:53] - BHO 5: {84FEBFF8-945B-4F9A-B9B8-B68EC5020770} (MSEvents Object)
[05/12/2008, 19:21:53] - ALERT: Found MSEvents Object!
[05/12/2008, 19:21:53] - BHO 6: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[05/12/2008, 19:21:53] - BHO 7: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} (Windows Live Toolbar Helper)
[05/12/2008, 19:21:53] - BHO 8: {DAB56605-0F19-4F3A-9B0F-19B417F76525} ()
[05/12/2008, 19:21:53] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/12/2008, 19:21:53] - Checking for HKLM\...\Winlogon\Notify\xxyWPJAQ
[05/12/2008, 19:21:53] - Key not found: HKLM\...\Winlogon\Notify\xxyWPJAQ, continuing.
[05/12/2008, 19:21:53] - Finished Searching Browser Helper Objects
[05/12/2008, 19:21:53] - *** Detected MSEvents Object
[05/12/2008, 19:21:53] - Trying to remove MSEvents Object...
[05/12/2008, 19:21:54] - Terminating Process: IEXPLORE.EXE
[05/12/2008, 19:21:55] - Terminating Process: RUNDLL32.EXE
[05/12/2008, 19:21:55] - Disabling Automatic Shell Restart
[05/12/2008, 19:21:55] - Terminating Process: EXPLORER.EXE
[05/12/2008, 19:21:55] - Suspending the NT Session Manager System Service
[05/12/2008, 19:21:55] - Terminating Windows NT Logon/Logoff Manager
[05/12/2008, 19:21:56] - Re-enabling Automatic Shell Restart
[05/12/2008, 19:21:56] - File to disable: C:\WINDOWS\system32\vtUnoLBs.dll
[05/12/2008, 19:21:56] - Renaming C:\WINDOWS\system32\vtUnoLBs.dll -> C:\WINDOWS\system32\vtUnoLBs.dll.vir
[05/12/2008, 19:21:56] - File successfully renamed!
[05/12/2008, 19:21:56] - Removing HKLM\...\Browser Helper Objects\{84FEBFF8-945B-4F9A-B9B8-B68EC5020770}
[05/12/2008, 19:21:56] - Removing HKCR\CLSID\{84FEBFF8-945B-4F9A-B9B8-B68EC5020770}
[05/12/2008, 19:21:56] - Adding Kill Bit for ActiveX for GUID: {84FEBFF8-945B-4F9A-B9B8-B68EC5020770}
[05/12/2008, 19:21:56] - Deleting ATLEvents/MSEvents Registry entries
[05/12/2008, 19:21:56] - Removing HKLM\...\Winlogon\Notify\vtUnoLBs
[05/12/2008, 19:21:56] - Searching for Browser Helper Objects:
[05/12/2008, 19:21:56] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[05/12/2008, 19:21:56] - BHO 2: {3635230E-DC32-4261-A852-90721B39EAA4} ()
[05/12/2008, 19:21:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/12/2008, 19:21:56] - No filename found. Continuing.
[05/12/2008, 19:21:56] - BHO 3: {38AD5C7F-4390-4F08-A560-2267F79DA9A2} ()
[05/12/2008, 19:21:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/12/2008, 19:21:56] - No filename found. Continuing.
[05/12/2008, 19:21:56] - BHO 4: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[05/12/2008, 19:21:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/12/2008, 19:21:56] - No filename found. Continuing.
[05/12/2008, 19:21:56] - BHO 5: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[05/12/2008, 19:21:56] - BHO 6: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} (Windows Live Toolbar Helper)
[05/12/2008, 19:21:56] - BHO 7: {DAB56605-0F19-4F3A-9B0F-19B417F76525} ()
[05/12/2008, 19:21:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/12/2008, 19:21:56] - Checking for HKLM\...\Winlogon\Notify\xxyWPJAQ
[05/12/2008, 19:21:56] - Key not found: HKLM\...\Winlogon\Notify\xxyWPJAQ, continuing.
[05/12/2008, 19:21:56] - Finished Searching Browser Helper Objects
[05/12/2008, 19:21:56] - Finishing up...
[05/12/2008, 19:21:56] - A restart is needed.
[05/12/2008, 19:21:56] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[05/12/2008, 19:22:09] - Attempting to Restart via STOP error (Blue Screen!)
Malwarebytes:
Malwarebytes' Anti-Malware 1.12
Database version: 743
Scan type: Quick Scan
Objects scanned: 42274
Time elapsed: 8 minute(s), 43 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 17
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 8
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\rvrgspqb.dll (Trojan.Vundo) -> Unloaded module successfully.
Registry Keys Infected:
HKEY_CLASSES_ROOT\cpbrkpie.coupon6ctrl.1 (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a85a5e6a-de2c-4f4e-99dc-f469df5a0eec} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e780f0b-bcd6-40cb-b2db-7af47ab4d4a4} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a138be8b-f051-4802-9a3f-a750a6d862d4} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{95e554e1-04f3-4d9b-a4e9-881dc420882b} (Trojan.Fakealert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5269d0c0-572b-445a-88ac-8c8843b6d42b} (Trojan.Fakealert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{69c1ef64-a396-4490-8849-52af7f7ec6e5} (Trojan.Fakealert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MySearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7c34cf78 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0\Source (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mpfanvqg (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\vbksrofa (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Program Files\MySearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\hcgmctmh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hmtcmgch.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rvrgspqb.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\bqpsgrvr.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\CouponPrinter.ocx (Adware.Coupons) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\blackster.scr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\History\search (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\rs.txt (Malware.Trace) -> Quarantined and deleted successfully.
Panda ActiveScan:
;*******************************************************************************
ANALYSIS: 2008-05-12 23:21:24
PROTECTIONS: 2
MALWARE: 16
SUSPECTS: 0
;*******************************************************************************
PROTECTIONS
Description Version Active Updated
;===============================================================================
Symantec Antivirus Corporate Edition 7.6 No Yes
Norton Antivirus Edition 7.5 No No
;===============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00065327 adware/coolsavings Adware No 0 Yes No c:\windows\downloaded program files\cpnmgr.dll
00065327 adware/coolsavings Adware No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/cpnmgr.dll
00065327 adware/coolsavings Adware No 0 Yes No hkey_classes_root\clsid\{549f957e-2f89-11d6-8cfe-00c04f52b225}
00065327 adware/coolsavings Adware No 0 Yes No hkey_classes_root\cpnmgr.cmv5
00065327 adware/coolsavings Adware No 0 Yes No hkey_classes_root\cpnmgr.cmv5.3
00065327 adware/coolsavings Adware No 0 Yes No HKEY_LOCAL_MACHINE\software\classes\CLSID\{549f957e-2f89-11d6-8cfe-00c04f52b225}
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\Navigator\Profiles\98qyfyzy.default\cookies.txt[.doubleclick.net/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\Navigator\Profiles\98qyfyzy.default\cookies.txt[.atdmt.com/]
00139535 Application/Processor HackTools No 0 No No C:\Documents and Settings\Owner\Desktop\VirtumundoBeGone.exe[²ƒÇ]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\Navigator\Profiles\98qyfyzy.default\cookies.txt[.fastclick.net/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\Navigator\Profiles\98qyfyzy.default\cookies.txt[.fastclick.net/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\Navigator\Profiles\98qyfyzy.default\cookies.txt[.tribalfusion.com/]
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\Navigator\Profiles\98qyfyzy.default\cookies.txt[.mediaplex.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\Navigator\Profiles\98qyfyzy.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\Navigator\Profiles\98qyfyzy.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\Navigator\Profiles\98qyfyzy.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\Navigator\Profiles\98qyfyzy.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\Navigator\Profiles\98qyfyzy.default\cookies.txt[ad.yieldmanager.com/]
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\Navigator\Profiles\98qyfyzy.default\cookies.txt[.apmebf.com/]
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\Navigator\Profiles\98qyfyzy.default\cookies.txt[statse.webtrendslive.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\Navigator\Profiles\98qyfyzy.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\Navigator\Profiles\98qyfyzy.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\Navigator\Profiles\98qyfyzy.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\Navigator\Profiles\98qyfyzy.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\Navigator\Profiles\98qyfyzy.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\Navigator\Profiles\98qyfyzy.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\Navigator\Profiles\98qyfyzy.default\cookies.txt[.ads.pointroll.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\Navigator\Profiles\98qyfyzy.default\cookies.txt[.questionmarket.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\Navigator\Profiles\98qyfyzy.default\cookies.txt[.questionmarket.com/]
00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\Navigator\Profiles\98qyfyzy.default\cookies.txt[.bluestreak.com/]
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\Navigator\Profiles\98qyfyzy.default\cookies.txt[.atwola.com/]
00519333 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\Owner\Desktop\VirtumundoBeGone.exe
02910981 Adware/iWinArcade Adware No 0 Yes No C:\Documents and Settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe
;===============================================================================
SUSPECTS
Sent Location |
;===============================================================================
;===============================================================================
VULNERABILITIES
Id Severity Description |
;===============================================================================
;===============================================================================
I'll wait patiently,
Thanks
Kerri
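A helper reading the HijackThis log above would start with the entries that point at files that no longer exist (the O2 BHOs marked "(no file)" or "(file missing)" and the O24 desktop component), the O10 Winsock LSP lines, the O20 Winlogon Notify DLL (the same persistence point where VirtumundoBeGone found vtUnoLBs), and any O4 Run entry that gives no full path. The Python script below is an added example for readers, not part of Kerri's post and not code from HijackThis or any of the tools she ran. It applies those rules to a constructed subset of lines copied from her log; the severity labels and explanations are the example author's own triage heuristics, not verdicts on the specific files named.

```python
"""Triage a HijackThis log: flag orphaned BHOs, unknown Winsock LSPs,
Winlogon Notify DLLs, dead Active Desktop components and Run entries
that give no full path.  Example code, not a HijackThis feature."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of lines copied from the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3635230E-DC32-4261-A852-90721B39EAA4} - (no file)
O2 - BHO: (no name) - {DAB56605-0F19-4F3A-9B0F-19B417F76525} - C:\WINDOWS\system32\xxyWPJAQ.dll (file missing)
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nmnsp.dll
O10 - Unknown file in Winsock LSP: cespy.dll
O10 - Unknown file in Winsock LSP: cespy.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O24 - Desktop Component 0: Privacy Protection - (no file)
"""


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O2"
    severity: str  # "high" | "medium" | "info" (heuristic, assumed scale)
    line: str      # the log line as written
    reason: str    # why a helper would look at it


ORPHAN_MARKERS = ("(no file)", "(file missing)")
LINE_RE = re.compile(r"^(R\d|F\d|N\d|O\d+)\s+-\s+(.*)$")


def triage(log_text):
    """Return Finding objects for the suspicious entries, most severe first."""
    findings = []
    lsp_counts = Counter()   # LSP DLL name -> number of O10 lines naming it
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, process list, blank line
        section, body = m.groups()
        if section == "O2" and body.endswith(ORPHAN_MARKERS):
            findings.append(Finding(section, "medium", line,
                "BHO CLSID is still registered but its DLL is gone; an orphaned "
                "registration left by a partial cleanup, safe to fix in HijackThis"))
        elif section == "O4":
            # Everything after the [name] bracket is what actually gets launched.
            target = body.split("]", 1)[1].strip() if "]" in body else body
            if "\\" not in target:
                findings.append(Finding(section, "info", line,
                    "Run entry has no full path, so the binary is resolved through "
                    "the search path; confirm which file actually runs"))
        elif section == "O10":
            lsp_counts[body.split(":", 1)[1].strip().lower()] += 1
        elif section == "O20":
            findings.append(Finding(section, "high", line,
                "Winlogon Notify DLL loads into winlogon.exe at logon; a common "
                "Vundo persistence point, verify the DLL's owner before trusting it"))
        elif section == "O24" and body.endswith(ORPHAN_MARKERS):
            findings.append(Finding(section, "medium", line,
                "Active Desktop component whose source file is gone; Active Desktop "
                "hijacks lock the wallpaper, so fix this entry"))
    # Report each LSP DLL once, with how many chain entries reference it.
    for dll, n in lsp_counts.items():
        findings.append(Finding("O10", "medium",
            f"O10 - Unknown file in Winsock LSP: {dll}",
            f"unknown Winsock LSP ({n} entries); identify the owner and never delete "
            "it with HijackThis, a broken LSP chain kills networking, use an LSP "
            "repair tool instead"))
    order = {"high": 0, "medium": 1, "info": 2}
    findings.sort(key=lambda f: order[f.severity])  # stable: keeps log order within a level
    return findings


def summary(findings):
    """Count findings per severity level."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.line}\n         {f.reason}")
    print(summary(triage(SAMPLE_LOG)))
```

The rules are deliberately narrow: a missing file or a Winlogon Notify hook is worth a look regardless of the file name, while the O10 handling exists mainly to stop a well-meaning user from deleting LSP entries with HijackThis's "Fix checked", which leaves a broken Winsock chain.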