Also ran Spybot and Adaware multiple times. Reported the infection, but didn't clean it.
In this forum, I followed the sticky describing the self-help method of cleaning Virtumonde. It seemed to get most of the infection, but I think parts are still there. VundoFix didn't find or fix anything, and didn't create a log file. VirtumundoBeGone created a log file:
[05/27/2008, 20:48:23] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Homebody\Desktop\VirtumundoBeGone.exe" )
[05/27/2008, 20:48:27] - Detected System Information:
[05/27/2008, 20:48:27] - Windows Version: 5.1.2600, Service Pack 2
[05/27/2008, 20:48:27] - Current Username: Homebody (Admin)
[05/27/2008, 20:48:27] - Windows is in NORMAL mode.
[05/27/2008, 20:48:27] - Searching for Browser Helper Objects:
[05/27/2008, 20:48:27] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[05/27/2008, 20:48:27] - BHO 2: {089FD14D-132B-48FC-8861-0048AE113215} ()
[05/27/2008, 20:48:27] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/27/2008, 20:48:27] - Checking for HKLM\...\Winlogon\Notify\SiteAdv
[05/27/2008, 20:48:27] - Key not found: HKLM\...\Winlogon\Notify\SiteAdv, continuing.
[05/27/2008, 20:48:27] - BHO 3: {1C888B55-6366-4CFD-9F79-9261AE9E196B} ()
[05/27/2008, 20:48:27] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/27/2008, 20:48:27] - Checking for HKLM\...\Winlogon\Notify\wvUmjKCr
[05/27/2008, 20:48:27] - Key not found: HKLM\...\Winlogon\Notify\wvUmjKCr, continuing.
[05/27/2008, 20:48:27] - BHO 4: {20DFECFC-8255-4AA1-B0A9-465C09440EBA} ()
[05/27/2008, 20:48:27] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/27/2008, 20:48:27] - Checking for HKLM\...\Winlogon\Notify\wvUlkLee
[05/27/2008, 20:48:27] - Key not found: HKLM\...\Winlogon\Notify\wvUlkLee, continuing.
[05/27/2008, 20:48:27] - BHO 5: {234EB091-BA6D-4568-849A-9C5FF72DD066} ()
[05/27/2008, 20:48:27] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/27/2008, 20:48:27] - Checking for HKLM\...\Winlogon\Notify\ssqPgDuv
[05/27/2008, 20:48:27] - Key not found: HKLM\...\Winlogon\Notify\ssqPgDuv, continuing.
[05/27/2008, 20:48:27] - BHO 6: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[05/27/2008, 20:48:27] - BHO 7: {70F5DFE3-7AFD-413E-A03C-AE416CC36FBA} ()
[05/27/2008, 20:48:27] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/27/2008, 20:48:28] - Checking for HKLM\...\Winlogon\Notify\byXpPFWN
[05/27/2008, 20:48:28] - Key not found: HKLM\...\Winlogon\Notify\byXpPFWN, continuing.
[05/27/2008, 20:48:28] - BHO 8: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[05/27/2008, 20:48:28] - BHO 9: {7B4FBDC1-F90E-428F-9C16-119BF113079D} ()
[05/27/2008, 20:48:28] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/27/2008, 20:48:28] - Checking for HKLM\...\Winlogon\Notify\efcBturP
[05/27/2008, 20:48:28] - Found: HKLM\...\Winlogon\Notify\efcBturP - This is probably Virtumundo.
[05/27/2008, 20:48:28] - Assigning {7B4FBDC1-F90E-428F-9C16-119BF113079D} MSEvents Object
[05/27/2008, 20:48:28] - BHO list has been changed! Starting over...
[05/27/2008, 20:48:28] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[05/27/2008, 20:48:28] - BHO 2: {089FD14D-132B-48FC-8861-0048AE113215} ()
[05/27/2008, 20:48:28] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/27/2008, 20:48:28] - Checking for HKLM\...\Winlogon\Notify\SiteAdv
[05/27/2008, 20:48:28] - Key not found: HKLM\...\Winlogon\Notify\SiteAdv, continuing.
[05/27/2008, 20:48:28] - BHO 3: {1C888B55-6366-4CFD-9F79-9261AE9E196B} ()
[05/27/2008, 20:48:28] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/27/2008, 20:48:28] - Checking for HKLM\...\Winlogon\Notify\wvUmjKCr
[05/27/2008, 20:48:28] - Key not found: HKLM\...\Winlogon\Notify\wvUmjKCr, continuing.
[05/27/2008, 20:48:28] - BHO 4: {20DFECFC-8255-4AA1-B0A9-465C09440EBA} ()
[05/27/2008, 20:48:28] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/27/2008, 20:48:28] - Checking for HKLM\...\Winlogon\Notify\wvUlkLee
[05/27/2008, 20:48:28] - Key not found: HKLM\...\Winlogon\Notify\wvUlkLee, continuing.
[05/27/2008, 20:48:28] - BHO 5: {234EB091-BA6D-4568-849A-9C5FF72DD066} ()
[05/27/2008, 20:48:28] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/27/2008, 20:48:28] - Checking for HKLM\...\Winlogon\Notify\ssqPgDuv
[05/27/2008, 20:48:28] - Key not found: HKLM\...\Winlogon\Notify\ssqPgDuv, continuing.
[05/27/2008, 20:48:28] - BHO 6: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[05/27/2008, 20:48:28] - BHO 7: {70F5DFE3-7AFD-413E-A03C-AE416CC36FBA} ()
[05/27/2008, 20:48:28] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/27/2008, 20:48:28] - Checking for HKLM\...\Winlogon\Notify\byXpPFWN
[05/27/2008, 20:48:28] - Key not found: HKLM\...\Winlogon\Notify\byXpPFWN, continuing.
[05/27/2008, 20:48:28] - BHO 8: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[05/27/2008, 20:48:28] - BHO 9: {7B4FBDC1-F90E-428F-9C16-119BF113079D} (MSEvents Object)
[05/27/2008, 20:48:28] - ALERT: Found MSEvents Object!
[05/27/2008, 20:48:28] - BHO 10: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} (scriptproxy)
[05/27/2008, 20:48:28] - BHO 11: {83B6B7B4-8457-4C4E-A7D5-05E819824DDD} ()
[05/27/2008, 20:48:28] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/27/2008, 20:48:28] - Checking for HKLM\...\Winlogon\Notify\rqRLefGw
[05/27/2008, 20:48:28] - Key not found: HKLM\...\Winlogon\Notify\rqRLefGw, continuing.
[05/27/2008, 20:48:28] - Finished Searching Browser Helper Objects
[05/27/2008, 20:48:28] - *** Detected MSEvents Object
[05/27/2008, 20:48:28] - Trying to remove MSEvents Object...
[05/27/2008, 20:48:29] - Terminating Process: IEXPLORE.EXE
[05/27/2008, 20:48:29] - Terminating Process: RUNDLL32.EXE
[05/27/2008, 20:48:30] - Disabling Automatic Shell Restart
[05/27/2008, 20:48:30] - Terminating Process: EXPLORER.EXE
[05/27/2008, 20:48:30] - Suspending the NT Session Manager System Service
[05/27/2008, 20:48:30] - Terminating Windows NT Logon/Logoff Manager
[05/27/2008, 20:48:31] - Re-enabling Automatic Shell Restart
[05/27/2008, 20:48:31] - File to disable: C:\WINDOWS\system32\efcBturP.dll
[05/27/2008, 20:48:31] - Renaming C:\WINDOWS\system32\efcBturP.dll -> C:\WINDOWS\system32\efcBturP.dll.vir
[05/27/2008, 20:48:31] - File successfully renamed!
[05/27/2008, 20:48:31] - Removing HKLM\...\Browser Helper Objects\{7B4FBDC1-F90E-428F-9C16-119BF113079D}
[05/27/2008, 20:48:32] - Removing HKCR\CLSID\{7B4FBDC1-F90E-428F-9C16-119BF113079D}
[05/27/2008, 20:48:32] - Adding Kill Bit for ActiveX for GUID: {7B4FBDC1-F90E-428F-9C16-119BF113079D}
[05/27/2008, 20:48:32] - Deleting ATLEvents/MSEvents Registry entries
[05/27/2008, 20:48:32] - Removing HKLM\...\Winlogon\Notify\efcBturP
[05/27/2008, 20:48:32] - Searching for Browser Helper Objects:
[05/27/2008, 20:48:32] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[05/27/2008, 20:48:32] - BHO 2: {089FD14D-132B-48FC-8861-0048AE113215} ()
[05/27/2008, 20:48:32] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/27/2008, 20:48:32] - Checking for HKLM\...\Winlogon\Notify\SiteAdv
[05/27/2008, 20:48:32] - Key not found: HKLM\...\Winlogon\Notify\SiteAdv, continuing.
[05/27/2008, 20:48:32] - BHO 3: {1C888B55-6366-4CFD-9F79-9261AE9E196B} ()
[05/27/2008, 20:48:32] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/27/2008, 20:48:32] - Checking for HKLM\...\Winlogon\Notify\wvUmjKCr
[05/27/2008, 20:48:32] - Key not found: HKLM\...\Winlogon\Notify\wvUmjKCr, continuing.
[05/27/2008, 20:48:32] - BHO 4: {20DFECFC-8255-4AA1-B0A9-465C09440EBA} ()
[05/27/2008, 20:48:32] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/27/2008, 20:48:32] - Checking for HKLM\...\Winlogon\Notify\wvUlkLee
[05/27/2008, 20:48:32] - Key not found: HKLM\...\Winlogon\Notify\wvUlkLee, continuing.
[05/27/2008, 20:48:33] - BHO 5: {234EB091-BA6D-4568-849A-9C5FF72DD066} ()
[05/27/2008, 20:48:33] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/27/2008, 20:48:33] - Checking for HKLM\...\Winlogon\Notify\ssqPgDuv
[05/27/2008, 20:48:33] - Key not found: HKLM\...\Winlogon\Notify\ssqPgDuv, continuing.
[05/27/2008, 20:48:33] - BHO 6: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[05/27/2008, 20:48:33] - BHO 7: {70F5DFE3-7AFD-413E-A03C-AE416CC36FBA} ()
[05/27/2008, 20:48:33] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/27/2008, 20:48:33] - Checking for HKLM\...\Winlogon\Notify\byXpPFWN
[05/27/2008, 20:48:33] - Key not found: HKLM\...\Winlogon\Notify\byXpPFWN, continuing.
[05/27/2008, 20:48:33] - BHO 8: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[05/27/2008, 20:48:33] - BHO 9: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} (scriptproxy)
[05/27/2008, 20:48:33] - BHO 10: {83B6B7B4-8457-4C4E-A7D5-05E819824DDD} ()
[05/27/2008, 20:48:33] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/27/2008, 20:48:33] - Checking for HKLM\...\Winlogon\Notify\rqRLefGw
[05/27/2008, 20:48:33] - Key not found: HKLM\...\Winlogon\Notify\rqRLefGw, continuing.
[05/27/2008, 20:48:33] - Finished Searching Browser Helper Objects
[05/27/2008, 20:48:33] - Finishing up...
[05/27/2008, 20:48:33] - A restart is needed.
[05/27/2008, 20:48:40] - Attempting to Restart via STOP error (Blue Screen!)
So, in preparation for posting a HijackThis log, I followed the instructions in the "You must read this....." thread:
Used ATF to clean all.
==========================
Created system restore point.
==========================
Checked to see no startups were disabled in MSConfig.
=====================================
Ran Anti-Malware
got log file
got message that some registry entries can't be removed; need to reboot
Malwarebytes' Anti-Malware 1.12
Database version: 793
Scan type: Quick Scan
Objects scanned: 38751
Time elapsed: 17 minute(s), 19 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 14
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 9
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\rqRLefGw.dll (Trojan.Vundo) -> No action taken.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{25e40a4d-57b8-46ab-adec-07ae8b520612} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{25e40a4d-57b8-46ab-adec-07ae8b520612} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{7b4fbdc1-f90e-428f-9c16-119bf113079d} (Trojan.Vundo) -> No action taken.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\rqrlefgw -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\rqrlefgw -> No action taken.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\rqRLefGw.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\wGfeLRqr.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\wGfeLRqr.ini2 (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\uhcwnggg.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\gggnwchu.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\blackster.scr (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\efcBturP.dll.vir (Trojan.Vundo) -> No action taken.
C:\WINDOWS\cookies.ini (Malware.Trace) -> No action taken.
C:\WINDOWS\mpfanvqg.dll (Trojan.FakeAlert) -> No action taken.
==========================================
Ran Superantispyware
didn't ask to reboot
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 05/27/2008 at 10:22 PM
Application Version : 4.0.1154
Core Rules Database Version : 3469
Trace Rules Database Version: 1460
Scan type : Complete Scan
Total Scan Time : 00:30:42
Memory items scanned : 480
Memory threats detected : 0
Registry items scanned : 6116
Registry threats detected : 0
File items scanned : 12788
File threats detected : 6
Adware.Tracking Cookie
C:\Documents and Settings\Homebody\Cookies\homebody@adtech[1].txt
C:\Documents and Settings\Homebody\Cookies\homebody@revsci[2].txt
C:\Documents and Settings\Homebody\Cookies\homebody@mediaplex[1].txt
C:\Documents and Settings\Homebody\Cookies\homebody@doubleclick[1].txt
C:\Documents and Settings\Homebody\Cookies\homebody@atdmt[1].txt
C:\Documents and Settings\Homebody\Cookies\[email protected][2].txt
==============================================
Ran online PandaScan - did not mark anything to be fixed.
;*******************************************************************************
*********************************************************************************
*******************
ANALYSIS: 2008-05-28 07:17:26
PROTECTIONS: 1
MALWARE: 7
SUSPECTS: 0
;*******************************************************************************
**********************************************************************
******************************
PROTECTIONS
Description Version Active Updated
;===============================================================================
=====================================
===============================================================
McAfee VirusScan Yes Yes
;===============================================================================
======================================
==============================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
======================================
==============================================================
00139535 Application/Processor HackTools No 0 No No C:\Program Files\Safe Computing Stuff\Spring 08 Mess\VirtumundoBeGone.exe[²ƒÇ]
00139535 Application/Processor HackTools No 0 Yes No C:\Program Files\Safe Computing Stuff\SmitFraudFix\SmitfraudFix\SmitfraudFix\SmitfraudFix\Process.exe
00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\Homebody\Local Settings\Temp\nsb60.tmp
00139535 Application/Processor HackTools No 0 No No C:\Program Files\Safe Computing Stuff\Fall 07 Mess\VirtumundoBeGone.exe[²ƒÇ]
00139535 Application/Processor HackTools No 0 No No C:\Documents and Settings\Homebody\Desktop\VirtumundoBeGone.exe[²ƒÇ]
00139535 Application/Processor HackTools No 0 Yes No C:\WINDOWS\system32\Process.exe
00167430 Cookie/myaffiliateprogram TrackingCookie No 0 Yes No C:\Documents and Settings\Homebody\Cookies\[email protected][2].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Homebody\Cookies\homebody@com[1].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Homebody\Cookies\homebody@statcounter[1].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Homebody\Cookies\homebody@questionmarket[2].txt
00519333 Application/Processor HackTools No 0 Yes No C:\Program Files\Safe Computing Stuff\Fall 07 Mess\VirtumundoBeGone.exe
00519333 Application/Processor HackTools No 0 Yes No C:\Program Files\Safe Computing Stuff\Spring 08 Mess\VirtumundoBeGone.exe
00519333 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\Homebody\Desktop\VirtumundoBeGone.exe
02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\Program Files\Safe Computing Stuff\SmitFraudFix\SmitfraudFix\SmitfraudFix\SmitfraudFix\Reboot.exe
02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\Program Files\Safe Computing Stuff\SmitFraudFix\SmitfraudFix\SmitfraudFix\Reboot.exe
;===============================================================================
=====================================
===============================================================
SUSPECTS
Sent Location
;===============================================================================
======================================
==============================================================
;===============================================================================
======================================
==============================================================
VULNERABILITIES
Id Severity Description
;===============================================================================
======================================
==============================================================
;===============================================================================
=======================================
=============================================================
Windows updates were disabled, and I struggle to get them running again. Things are starting to run together in my brain cuz I've been working on this for quite a while now,
but I think the last thing I did before working on the auto updates was the PandaScan. No, wait....I rebooted today and SuperAntispyware wanted to update itself, so I let it run again.
After that, I was able to get auto updates working again.
So, after all that, here is the HijackThis logfile:
(Oh, I also renamed the Hijackthis.exe so Virtumonde couldn't hide from it. I read that somewhere...couldn't tell you where anymore.)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:44:18 PM, on 5/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Safe Computing Stuff\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Safe Computing Stuff\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Safe Computing Stuff\Spring 08 Mess\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Safe Computing Stuff\Spring 08 Mess\HijackThis_latest\HiJackThis\AnotherName.exe.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...o&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...a...o&pf=laptop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: (no name) - {1C888B55-6366-4CFD-9F79-9261AE9E196B} - C:\WINDOWS\system32\wvUmjKCr.dll (file missing)
O2 - BHO: (no name) - {20DFECFC-8255-4AA1-B0A9-465C09440EBA} - C:\WINDOWS\system32\wvUlkLee.dll (file missing)
O2 - BHO: (no name) - {234EB091-BA6D-4568-849A-9C5FF72DD066} - C:\WINDOWS\system32\ssqPgDuv.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {70F5DFE3-7AFD-413E-A03C-AE416CC36FBA} - C:\WINDOWS\system32\byXpPFWN.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [VF0070 STISvc] RunDLL32.exe V0070Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [hcsystray] C:\Program Files\Kuma Games\hcsystray\hc_tray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Safe Computing Stuff\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\Safe Computing Stuff\Spring 08 Mess\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120234556000
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1131106179093
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go...y/OTOYAX29b.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{92241BCC-10E5-4A44-B49E-CAE9B6B37B91}: NameServer = 66.98.138.56,66.98.138.207
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\Safe Computing Stuff\Spring 08 Mess\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Safe Computing Stuff\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
--
End of file - 11998 bytes
==================================
I have the HijackThis uninstall list, but the instructions seemed to imply NOT including it in this original post, but rather replying to this post or starting a new topic.
I'll do the former in just a minute.
========================================================
Where I am now: I'm no longer getting pop-ups...that seemed to stop yesterday after the first time I ran SUPERAntiSpyware. However, I am still suspicious,
as I see some of those funky dll files in some of the logs.
Thank you in advance for any help you can offer.
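Added example (not the poster's code, nor code from any of the tools in this thread): the cross-check that the VirtumundoBeGone log above walks through, a nameless BHO whose DLL base name also shows up as a Winlogon\Notify key, applied to HijackThis O2 lines so the remaining "(no name)" / "(file missing)" entries can be triaged. It assumes, as a heuristic, the 8-letter mixed-case DLL names seen in these logs; the efcBturP O2 line in the sample is reconstructed from the CLSID and path VirtumundoBeGone logged, since HijackThis only ran after that DLL had been renamed to .vir.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: Winlogon\Notify probe lines copied from the
# VirtumundoBeGone log in the post above.
VBG_SAMPLE = r"""
[05/27/2008, 20:48:27] - Key not found: HKLM\...\Winlogon\Notify\SiteAdv, continuing.
[05/27/2008, 20:48:27] - Key not found: HKLM\...\Winlogon\Notify\wvUmjKCr, continuing.
[05/27/2008, 20:48:27] - Key not found: HKLM\...\Winlogon\Notify\ssqPgDuv, continuing.
[05/27/2008, 20:48:28] - Found: HKLM\...\Winlogon\Notify\efcBturP - This is probably Virtumundo.
"""

# Constructed sample: O2 lines from the HijackThis log above, plus one line for
# efcBturP.dll reconstructed from the CLSID and path VirtumundoBeGone logged
# (HijackThis ran only after that DLL had been renamed to .vir).
HJT_SAMPLE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: (no name) - {1C888B55-6366-4CFD-9F79-9261AE9E196B} - C:\WINDOWS\system32\wvUmjKCr.dll (file missing)
O2 - BHO: (no name) - {234EB091-BA6D-4568-849A-9C5FF72DD066} - C:\WINDOWS\system32\ssqPgDuv.dll (file missing)
O2 - BHO: (no name) - {7B4FBDC1-F90E-428F-9C16-119BF113079D} - C:\WINDOWS\system32\efcBturP.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
"""

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
NOTIFY_RE = re.compile(
    r"(?P<state>Found|Key not found): HKLM\\\.\.\.\\Winlogon\\Notify\\(?P<key>\w+)"
)

@dataclass
class BhoFinding:
    clsid: str
    name: str
    dll: str                      # file name of the registered DLL
    flags: List[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        # The BHO + Winlogon\Notify pair is the signal VirtumundoBeGone acts on.
        if "winlogon-notify-match" in self.flags:
            return "likely Vundo"
        # Nameless, random-named system32 DLL that no longer exists: a leftover
        # registration from an earlier cleanup that still deserves removal.
        if "file-missing" in self.flags and len(self.flags) >= 3:
            return "orphaned registration"
        if len(self.flags) >= 2:
            return "suspicious"
        return "no strong indicator"

def parse_notify_keys(vbg_log: str) -> Dict[str, bool]:
    """Map each Winlogon\\Notify key VirtumundoBeGone probed to whether it existed."""
    keys = {}
    for line in vbg_log.splitlines():
        m = NOTIFY_RE.search(line)
        if m:
            keys[m.group("key").lower()] = m.group("state") == "Found"
    return keys

def looks_random(base: str) -> bool:
    """Heuristic (assumption): every Vundo DLL in these logs is 8 letters in mixed case."""
    return bool(re.fullmatch(r"[A-Za-z]{8}", base)) and not (base.islower() or base.isupper())

def triage_bhos(hjt_log: str, notify_keys: Dict[str, bool]) -> List[BhoFinding]:
    findings = []
    for line in hjt_log.splitlines():
        m = O2_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        filename = path.rsplit("\\", 1)[-1]
        base = filename.rsplit(".", 1)[0]
        f = BhoFinding(m.group("clsid").upper(), m.group("name"), filename)
        if f.name == "(no name)":
            f.flags.append("no-name")          # HijackThis could not read a default name
        if "\\system32\\" in path.lower():
            f.flags.append("in-system32")      # vendor BHOs normally live under Program Files
        if looks_random(base):
            f.flags.append("random-name")
        if m.group("missing"):
            f.flags.append("file-missing")
        if notify_keys.get(base.lower()):
            f.flags.append("winlogon-notify-match")
        findings.append(f)
    return findings

def triage_report(hjt_log: str, vbg_log: str) -> Dict[str, str]:
    """CLSID -> verdict for every O2 entry, using the VirtumundoBeGone probes as context."""
    return {f.clsid: f.verdict for f in triage_bhos(hjt_log, parse_notify_keys(vbg_log))}
```

Run `triage_report(HJT_SAMPLE, VBG_SAMPLE)` to get the per-CLSID verdicts; the SiteAdvisor BHO is nameless too but lives under Program Files, which is why a single flag is not treated as a finding.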