Arachia

Big Red BioHazard ActiveDesktop Virus

6 posts in this topic

Okay, this bug is putting a BIG RED Biohazard ActiveDesktop with a bright red background advertising a virus protector that I think is called stopdefender on my Media Center HP 894c.

Here is what I learned so far.

It seems to reoccur and reactivate AppleMobileDeviceService.exe, which came on CD but may have been updated from the web.

The big red 'background' really isn't. It is a webpage overlaying the background.

If you go to Display Properties - Customize Desktop - Web, it is called Privacy Protection; uncheck that and it will disappear when you hit Apply, until you reboot.

I found it is coming from

file:///C:/WINDOWS/privacy_danger/images/spacer.gif

so I deleted the privacy_danger folder, but it comes back on the next boot.

I think that it was connected to a file in C:\WINDOWS\Registration called

{02D4B3F1-FD88-11D1-960D-00805FC79235}.{FC3B39D8-985E-4C67-B930-AE6669F22FE6}.crmlog

so I tossed that in the recycle bin, but it was still being used so it wouldn't go.

I have a very limited boot up and noticed an 'atuflxto' item that was new, so I unchecked it and deleted atuflxto.dll from C:\WINDOWS\system32 but got an access denied. Its time stamp is close to when this all started. So I did run regedit and got rid of it there, only for it to come back 5 minutes later with the big red and the red biohazard sign advertising a virus remover.

Only this time I GOT THE AUDIO OF WHAT SOUNDED LIKE AN ONLINE TV STATION PLAYING A SEX SHOW!!! AND NOTHING NEW IS IN THE TASK MANAGER!!!

It also seems to cycle through different items that are opened.

CWShredder seems to get rid of some of the graphic and the sound for a short time.

Okay, that is all I can get. Anyone got any ideas? Here are the logs from CWShredder and HijackThis.

**** Run Keys ****

RUN: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

RUN: [nwiz] nwiz.exe /install

RUN: [soundMan] SOUNDMAN.EXE

RUN: [KBD] C:\HP\KBD\KBD.EXE

RUN: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

RUN: [ac22098a] rundll32.exe "C:\WINDOWS\system32\atuflxto.dll",b

RUN: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

**** Browser Helper Objects ****

BHO: [QXK Rhythm] C:\WINDOWS\nldfmtapxvt.dll

BHO: [QXK Rhythm] C:\WINDOWS\system32\ssqqNdec.dll

BHO: [shoppingReport] C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll

BHO: [shoppingReport] C:\WINDOWS\system32\vtUmNDWM.dll

BHO: [shoppingReport] C:\WINDOWS\system32\vtUmNDWM.dll

BHO: [DriveLetterAccess] C:\WINDOWS\system32\dla\tfswshx.dll

BHO: [sSVHelper Class] C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

BHO: [Google Toolbar Helper] c:\program files\google\googletoolbar2.dll

BHO: [Google Toolbar Notifier BHO] C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll

**** IE Toolbars ****

TOOLBAR: [&Google] c:\program files\google\googletoolbar2.dll

TOOLBAR: [gktxaspm] C:\WINDOWS\gktxaspm.dll

**** IE Extensions ****

IEExt: []

IEExt: [shopperReports - Compare product prices]

IEExt: [shopperReports - Compare travel rates]

IEExt: [shopperReports - Compare travel rates]

IEExt: [Messenger] C:\Program Files\Messenger\msmsgs.exe

**** Hosts File Entries ****

HOSTS: 127.0.0.1 localhost

HOSTS: 0.0.0.1 www.facebook.com

HOSTS: 0.0.0.2 facebook.com

HOSTS: 0.0.0.2 facebook.com

**** IE Settings ****

IEBypass: *.local

Default Page: http://go.microsoft.com/fwlink/?LinkId=69157

Default Search: http://go.microsoft.com/fwlink/?LinkId=54896

Local Page: C:\WINDOWS\system32\blank.htm

Search Bar: http://www.google.com/ie

Search Page: http://www.google.com

**** IE Context Menu (Right click) ****

**** Layered Service Providers ****

LSP: MSAFD Tcpip [TCP/IP]

LSP: MSAFD Tcpip [uDP/IP]

LSP: RSVP UDP Service Provider

LSP: RSVP TCP Service Provider

LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7B378BAD-1A1B-4903-9C98-36D07AC35E60}] SEQPACKET 5

LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7B378BAD-1A1B-4903-9C98-36D07AC35E60}] DATAGRAM 5

LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{E83D656B-AC52-4F21-889D-4F4A54CEEB3F}] SEQPACKET 4

LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{E83D656B-AC52-4F21-889D-4F4A54CEEB3F}] DATAGRAM 4

LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B45FF219-2EC9-47D4-AC00-C4AFA4CC7564}] SEQPACKET 0

LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B45FF219-2EC9-47D4-AC00-C4AFA4CC7564}] DATAGRAM 0

LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{62B049C2-D71E-4404-B114-CE88DBF848D3}] SEQPACKET 1

LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{62B049C2-D71E-4404-B114-CE88DBF848D3}] DATAGRAM 1

LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D2DA7B32-DAF0-49CA-97E7-0F8EA61B7721}] SEQPACKET 2

LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D2DA7B32-DAF0-49CA-97E7-0F8EA61B7721}] DATAGRAM 2

LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{9F139041-8C92-40EB-A58B-B9F67AC3F4DD}] SEQPACKET 3

LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{9F139041-8C92-40EB-A58B-B9F67AC3F4DD}] DATAGRAM 3

**** Blocked Control Panel Items ****

BLOCKED: [ncpa.cpl] No

BLOCKED: [odbccp32.cpl] No

**** Downloaded Program Files ****

{166B1BCA-3F9C-11CF-8075-444553540000} [http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab]

{17492023-C23A-453E-A040-C7C580BBF700} [http://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab] C:\WINDOWS\system32\LegitCheckControl.DLL

{3DCEC959-378A-4922-AD7E-FD5C925D927F} [http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab]

{67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} [http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab]

{6B75345B-AA36-438A-BBE6-4078B4C6984D} [http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab]

{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} [http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1193939347000]

{6F15128C-E66A-490C-B848-5000B5ABEEAC} [https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab]

{7FC1B346-83E6-4774-8D20-1A6B09B0E737} [http://cid-2412d39e051747cb.spaces.live.com/PhotoUpload/MsnPUpld.cab] C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll

{8AD9C840-044E-11D1-B3E9-00805F499D93} [http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab]

{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} [http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab]

{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} [http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab]

{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab]

{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab]

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab]

{DF780F87-FF2B-4DF8-92D0-73DB16A1543A} [http://www.popcap.com/webgames/popcaploader_v10.cab]

**** Windows Services ****

[Alerter] %SystemRoot%\system32\svchost.exe -k LocalService

[ALG] %SystemRoot%\System32\alg.exe

[ANIWZCSdService] C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe

[AppMgmt] %SystemRoot%\system32\svchost.exe -k netsvcs

[aspnet_state] %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe

[AudioSrv] %SystemRoot%\System32\svchost.exe -k netsvcs

[bITS] %SystemRoot%\system32\svchost.exe -k netsvcs

[browser] %SystemRoot%\system32\svchost.exe -k netsvcs

[CiSvc] %SystemRoot%\system32\cisvc.exe

[ClipSrv] %SystemRoot%\system32\clipsrv.exe

[clr_optimization_v2.0.50727_32] C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

[COMSysApp] C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}

[CryptSvc] %SystemRoot%\system32\svchost.exe -k netsvcs

[DcomLaunch] %SystemRoot%\system32\svchost -k DcomLaunch

[Dhcp] %SystemRoot%\system32\svchost.exe -k netsvcs

[dmadmin] %SystemRoot%\System32\dmadmin.exe /com

[dmserver] %SystemRoot%\System32\svchost.exe -k netsvcs

[Dnscache] %SystemRoot%\system32\svchost.exe -k NetworkService

[ERSvc] %SystemRoot%\System32\svchost.exe -k netsvcs

[Eventlog] %SystemRoot%\system32\services.exe

[EventSystem] C:\WINDOWS\system32\svchost.exe -k netsvcs

[FastUserSwitchingCompatibility] %SystemRoot%\System32\svchost.exe -k netsvcs

[gusvc] "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"

[helpsvc] %SystemRoot%\System32\svchost.exe -k netsvcs

[HidServ] %SystemRoot%\System32\svchost.exe -k netsvcs

[HTTPFilter] %SystemRoot%\System32\svchost.exe -k HTTPFilter

[imapiService] C:\WINDOWS\system32\imapi.exe

[lanmanserver] %SystemRoot%\system32\svchost.exe -k netsvcs

[lanmanworkstation] %SystemRoot%\system32\svchost.exe -k netsvcs

[LmHosts] %SystemRoot%\system32\svchost.exe -k LocalService

[Messenger] %SystemRoot%\system32\svchost.exe -k netsvcs

[MHN] %SystemRoot%\System32\svchost.exe -k netsvcs

[mnmsrvc] C:\WINDOWS\system32\mnmsrvc.exe

[MSDTC] C:\WINDOWS\system32\msdtc.exe

[MSIServer] C:\WINDOWS\system32\msiexec.exe /V

[NetDDE] %SystemRoot%\system32\netdde.exe

[NetDDEdsdm] %SystemRoot%\system32\netdde.exe

[Netlogon] %SystemRoot%\system32\lsass.exe

[Netman] %SystemRoot%\System32\svchost.exe -k netsvcs

[Nla] %SystemRoot%\system32\svchost.exe -k netsvcs

[NtLmSsp] %SystemRoot%\system32\lsass.exe

[NtmsSvc] %SystemRoot%\system32\svchost.exe -k netsvcs

[NVSvc] %SystemRoot%\system32\nvsvc32.exe

[PlugPlay] %SystemRoot%\system32\services.exe

[PolicyAgent] %SystemRoot%\system32\lsass.exe

[ProtectedStorage] %SystemRoot%\system32\lsass.exe

[RasAuto] %SystemRoot%\system32\svchost.exe -k netsvcs

[RasMan] %SystemRoot%\system32\svchost.exe -k netsvcs

[RDSessMgr] C:\WINDOWS\system32\sessmgr.exe

[RemoteAccess] %SystemRoot%\system32\svchost.exe -k netsvcs

[RemoteRegistry] %SystemRoot%\system32\svchost.exe -k LocalService

[RpcLocator] %SystemRoot%\system32\locator.exe

[RpcSs] %SystemRoot%\system32\svchost -k rpcss

[RSVP] %SystemRoot%\system32\rsvp.exe

[samSs] %SystemRoot%\system32\lsass.exe

[sCardSvr] %SystemRoot%\System32\SCardSvr.exe

[schedule] %SystemRoot%\System32\svchost.exe -k netsvcs

[seclogon] %SystemRoot%\System32\svchost.exe -k netsvcs

[sENS] %SystemRoot%\system32\svchost.exe -k netsvcs

[sharedAccess] %SystemRoot%\system32\svchost.exe -k netsvcs

[shellHWDetection] %SystemRoot%\System32\svchost.exe -k netsvcs

[spooler] %SystemRoot%\system32\spoolsv.exe

[srservice] %SystemRoot%\system32\svchost.exe -k netsvcs

[sSDPSRV] %SystemRoot%\system32\svchost.exe -k LocalService

[stisvc] %SystemRoot%\system32\svchost.exe -k imgsvc

[swPrv] C:\WINDOWS\system32\dllhost.exe /Processid:{3647D27E-C3E5-46DA-AD61-429DF5AAE770}

[sysmonLog] %SystemRoot%\system32\smlogsvc.exe

[TapiSrv] %SystemRoot%\System32\svchost.exe -k netsvcs

[TermService] %SystemRoot%\System32\svchost -k DComLaunch

[Themes] %SystemRoot%\System32\svchost.exe -k netsvcs

[TlntSvr] C:\WINDOWS\system32\tlntsvr.exe

[TrkWks] %SystemRoot%\system32\svchost.exe -k netsvcs

[upnphost] %SystemRoot%\system32\svchost.exe -k LocalService

[uPS] %SystemRoot%\System32\ups.exe

[VSS] %SystemRoot%\System32\vssvc.exe

[W32Time] %SystemRoot%\System32\svchost.exe -k netsvcs

[WebClient] %SystemRoot%\system32\svchost.exe -k LocalService

[winmgmt] %systemroot%\system32\svchost.exe -k netsvcs

[WmdmPmSN] %SystemRoot%\System32\svchost.exe -k netsvcs

[Wmi] %SystemRoot%\System32\svchost.exe -k netsvcs

[WmiApSrv] C:\WINDOWS\system32\wbem\wmiapsrv.exe

[wscsvc] %SystemRoot%\System32\svchost.exe -k netsvcs

[wuauserv] %systemroot%\system32\svchost.exe -k netsvcs

[WZCSVC] %SystemRoot%\System32\svchost.exe -k netsvcs

[xmlprov] %SystemRoot%\System32\svchost.exe -k netsvcs

**** Custom IE Search Items ****

SEARCH: [searchAssistant] http://www.google.com/ie

SEARCH: [searchAssistant] http://www.google.com/ie

SEARCH: [CustomizeSearch] http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

SEARCH: [Default_Search_URL] http://www.google.com/ie

**** Complete IE Options ****

IEOPT: [NoUpdateCheck]

IEOPT: [NoJITSetup]

IEOPT: [Disable Script Debugger] yes

IEOPT: [show_ChannelBand] No

IEOPT: [Anchor Underline] yes

IEOPT: [Cache_Update_Frequency] Once_Per_Session

IEOPT: [Display Inline Images] yes

IEOPT: [Do404Search]

IEOPT: [Local Page] C:\WINDOWS\system32\blank.htm

IEOPT: [save_Session_History_On_Exit] no

IEOPT: [show_FullURL] no

IEOPT: [show_StatusBar] yes

IEOPT: [show_ToolBar] yes

IEOPT: [show_URLinStatusBar] yes

IEOPT: [show_URLToolBar] yes

IEOPT: [start Page] http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2

IEOPT: [use_DlgBox_Colors] yes

IEOPT: [search Page] http://www.google.com

IEOPT: [NotifyDownloadComplete] no

IEOPT: [FullScreen] no

IEOPT: [Window_Placement] ,

IEOPT: [use FormSuggest] yes

IEOPT: [HistoryViewType]

IEOPT: [AddToFavoritesExpanded]

IEOPT: [use Search Asst] no

IEOPT: [search Bar] http://www.google.com/ie

IEOPT: [Enable Browser Extensions] yes

IEOPT: [xmlHTTP]

IEOPT: [useClearType] yes

IEOPT: [AlwaysShowMenus]

IEOPT: [Play_Background_Sounds] yes

IEOPT: [Play_Animations] yes

IEOPT: [CompatibilityFlags]

IEOPT: [searchMigrated]

IEOPT: [searchMigratedDefaultName] Google

IEOPT: [searchMigratedDefaultURL] http://www.google.com/search?q={searchTerm...ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

IEOPT: [searchMigratedInstalled]

IEOPT: [RunOnceHasShown]

IEOPT: [RunOnceComplete]

IEOPT: [Error Dlg Displayed On Every Error] no

IEOPT: [statusBarWeb]

IEOPT: [ControlTooltipCount]

IEOPT: [save Directory] C:\Documents and Settings\malachi\My Documents\

IEOPT: [Expand Alt Text] no

IEOPT: [Move System Caret] no

IEOPT: [NscSingleExpand]

IEOPT: [DisableScriptDebuggerIE] yes

IEOPT: [Page_Transitions]

IEOPT: [FavIntelliMenus] no

IEOPT: [useThemes]

IEOPT: [EnableSearchPane]

IEOPT: [Force Offscreen Composition]

IEOPT: [AllowWindowReuse]

IEOPT: [Friendly http errors] yes

IEOPT: [smoothScroll]

IEOPT: [Enable AutoImageResize] yes

IEOPT: [show image placeholders]

IEOPT: [Print_Background] no

IEOPT: [AutoSearch]

IEOPT: [AutoHide] no

IEOPT: [showedCheckBrowser] Yes

IEOPT: [Check_Associations] no

IEOPT: [Default_Page_URL] http://go.microsoft.com/fwlink/?LinkId=69157

IEOPT: [Default_Search_URL] http://go.microsoft.com/fwlink/?LinkId=54896

IEOPT: [search Page] http://go.microsoft.com/fwlink/?LinkId=54896

IEOPT: [Enable_Disk_Cache] yes

IEOPT: [Cache_Percent_of_Disk]

IEOPT: [Delete_Temp_Files_On_Exit] yes

IEOPT: [Local Page] %SystemRoot%\system32\blank.htm

IEOPT: [Anchor_Visitation_Horizon]

IEOPT: [use_Async_DNS] yes

IEOPT: [Placeholder_Width]

IEOPT: [Placeholder_Height]

IEOPT: [start Page] http://go.microsoft.com/fwlink/?LinkId=69157

IEOPT: [CompanyName] Microsoft Corporation

IEOPT: [Custom_Key] MICROSO

IEOPT: [Wizard_Version] 6.0.2600.0000

IEOPT: [FullScreen] no

IEOPT: [Default_Secondary_Page_URL]

IEOPT: [Extensions Off Page] about:NoAdd-ons

IEOPT: [security Risk Page] about:SecurityRisk

IEOPT: [Check_Associations] yes

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:09:04 PM, on 5/21/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\taskmgr.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O1 - Hosts: 0.0.0.1 www.facebook.com

O1 - Hosts: 0.0.0.2 facebook.com

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: gktxaspm - {9CF47BCD-57A7-4591-BEA0-F37911D9D1EB} - C:\WINDOWS\gktxaspm.dll (file missing)

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [ac22098a] rundll32.exe "C:\WINDOWS\system32\atuflxto.dll",b

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll

O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://www.merriam-webster.com

O15 - Trusted Zone: http://www.runescape.com

O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab

O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1193939347000

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://cid-2412d39e051747cb.spaces.live.co...ad/MsnPUpld.cab

O16 - DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jin...indows-i586.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/webgames/popcaploader_v10.cab

O21 - SSODL: gnowmebk - {2992B3E3-F03A-43B1-92BC-C5196C6868E0} - C:\WINDOWS\gnowmebk.dll

O21 - SSODL: pxgdslro - {622CA5DB-A778-48E6-907C-E7BD06D3EE02} - C:\WINDOWS\pxgdslro.dll

O21 - SSODL: BootCheck - {621e5d81-1172-4bf0-9c16-6d1bbb1f3b3d} - C:\WINDOWS\Resources\BootCheck.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--

End of file - 5878 bytes

Okay, that really is everything. Any thoughts?

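As an added example (not code from this thread, from HijackThis or from CWShredder), the checks below are the ones a reviewer applies by eye to the log above, written down as a small Python triage pass: a hosts entry that maps a real hostname to anything other than a loopback or null address, a Run value with a random hex name or a rundll32 call through a one-letter export, a shell hook or toolbar DLL sitting directly in the Windows directory or reported missing, a start page pointing at an unknown host, and an Active Desktop component backed by a local HTML file. The sample lines are constructed from entries in the log; the known-good host list is an assumption to tune per environment.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, modelled on entries from the HijackThis log in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 0.0.0.1 www.facebook.com
O1 - Hosts: 127.0.0.1 localhost
O3 - Toolbar: gktxaspm - {9CF47BCD-57A7-4591-BEA0-F37911D9D1EB} - C:\WINDOWS\gktxaspm.dll (file missing)
O4 - HKLM\..\Run: [ac22098a] rundll32.exe "C:\WINDOWS\system32\atuflxto.dll",b
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O21 - SSODL: gnowmebk - {2992B3E3-F03A-43B1-92BC-C5196C6868E0} - C:\WINDOWS\gnowmebk.dll
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""

# Hosts a stock IE start/search page may legitimately point at (assumption: tune per environment).
KNOWN_GOOD_HOSTS = {"go.microsoft.com", "www.google.com", "google.com", "ie.search.msn.com"}
# The only addresses a hosts-file *blocking* entry should use; anything else is a redirect.
NULL_ROUTES = {"127.0.0.1", "0.0.0.0", "::1"}


def dll_path_reason(path):
    """Return why a registered DLL path looks wrong, or None."""
    p = path.strip().lower()
    if p.endswith("(file missing)"):
        return "registered DLL no longer exists on disk (stale or partly removed hook)"
    if re.fullmatch(r"[a-z]:\\windows\\[^\\]+\.dll", p):
        return "DLL dropped directly in the Windows directory instead of system32 or a product folder"
    return None


def triage_line(line):
    """Classify one HijackThis line; return (code, reason) or None if nothing stands out."""
    m = re.match(r"^(R\d|O\d+) - (.*)$", line.strip())
    if not m:
        return None
    code, rest = m.groups()
    if code in ("R0", "R1") and " = " in rest:
        host = urlsplit(rest.rsplit(" = ", 1)[1]).hostname
        if host and host not in KNOWN_GOOD_HOSTS:
            return code, f"browser start/search page points at {host}"
    elif code == "O1":
        fields = rest.split()
        if len(fields) >= 3 and fields[1] not in NULL_ROUTES:
            return code, f"hosts file maps {fields[2]} to {fields[1]}, not a loopback/null route"
    elif code in ("O2", "O3", "O21"):
        reason = dll_path_reason(rest.rsplit(" - ", 1)[-1])
        if reason:
            return code, reason
    elif code == "O4":
        m4 = re.match(r"^[^\[]*\[([^\]]+)\]\s*(.*)$", rest)
        if m4:
            name, cmd = m4.groups()
            if re.fullmatch(r"[0-9a-f]{8}", name, re.I):
                return code, f"Run value '{name}' is a random hex name"
            if re.search(r'rundll32\.exe\s+"?[^",]+\.dll"?,\w$', cmd, re.I):
                return code, "rundll32 loads a DLL through a one-letter export"
    elif code == "O24" and "file:///" in rest.lower():
        return code, "Active Desktop component is a local HTML file (overlay over the wallpaper)"
    return None


def triage(log_text):
    """Run triage_line over a whole log and return the flagged entries, in log order."""
    findings = []
    for line in log_text.splitlines():
        hit = triage_line(line)
        if hit:
            findings.append({"code": hit[0], "reason": hit[1], "line": line.strip()})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['code']:>3}  {f['reason']}\n     {f['line']}")
```

On the sample it flags six of the nine lines and leaves the stock Microsoft start page, the localhost entry and the Java updater alone. The rules are structural (where a DLL lives, what address a hosts entry uses, how a Run value is named) rather than signature-based, which is why they still catch the randomly named files in this log; the trade-off is that the known-good host list has to be maintained.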

Why not simply run Ad-Aware + Spybot? I think I recognize this shitty spyware. An antivirus would probably be better for that one, I think; that's how I got rid of it.


Been doing that. So far Norton, McAfee and StopSign are no go; the first two found nothing as usual and the other was crashtopia. Doing HouseCall, then Panda next. I nearly have HouseCall done scanning, but so far nothing.


Sounds like something SmitfraudFix would be able to clean up. It cleans up most of the desktop hijacks that Spybot and friends can't. http://siri.geekstogo.com/SmitfraudFix.php

Make sure you run it in safe mode, and it's usually better if you kill explorer.exe first.

If that doesn't fix it, figure out what file is running (use stuff from Sysinternals, or search by date modified, etc.). Then find the files and explicitly deny all access to the SYSTEM account. Then reboot and delete the file.


Well, not exactly answering your question, but if you want to clean the system the best idea would be to reinstall your operating system, for it seems it'd be a much harder, longer process to remove all of this with no guarantee it isn't still there.

It might be a good learning experience to try and remove it yourself; however, if you're after a clean system, reinstallation is your best method.

After you re-install, go to www.google.com and search for HOSTS FILE and you'll get a result similar to "Blocking Unwanted Parasites with a Hosts File".

'Tis a good way to block a lot of common things you don't want and stop a lot of banners.


Hi, this is my first post on here, so I hope this works for an introduction (I like sushi, gaming, and Dr Pepper, just in case you ever wanted to know). I do in-home computer repair and frequently see this particular spyware, though it usually comes in combination with viruses as well.

Just running scanners won't likely get rid of the issue; it sounds like you may have Ultimate Defender on your computer (whether you meant to install it or not). I looked at your HijackThis log and noticed a lot of the ShoppingReport entries. Those are all infected, and you can feel free to remove any of those entries. Also "http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2" takes you to the Ultimate Defender homepage, and that item should also be removed, as well as the last entry on the log.

Part of the annoyance with Ultimate Defender is that it creates winlogon hooks, and sometimes hooks into lsass.exe. Since both of these files are running in both normal and safe mode, even if you delete the .dlls causing the problem, they will simply be recreated. There are two ways you could try this. Download a PE environment like BartPE, or even a Linux live disk, go into the system32 folder and sort all of the files by date. Most of the infected .dll files will be the most recently modified. You could delete these .dlls; however, be careful, it's very easy to delete something that is needed. You can generally tell a legit .dll from a non-legit one by checking the properties of the file and seeing if it has a company name; most of the time the infected .dll files do not.

HijackThis also has a "delete on reboot" feature that can be accessed, I think, under the Tools or Options button. You can boot into Windows, find the infected files, set them to be deleted on reboot, and this will hopefully take care of them.

Once those .dll files are gone, regardless of the method, run your scans and clean up the last bits. I like to run CCleaner or JV16 afterwards to clean up the registry, but that's up to you.

You can obviously save all the trouble and simply wipe the OS; however, I've learned a lot from removing spyware and viruses, and so I always recommend you try removal first, simply for the sake of learning (as friendless said).

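The "sort system32 by date" step from the post above, done as a timeline pivot rather than a manual scroll: take the moment the infection was first noticed (here the HijackThis scan time from the thread) and list every DLL whose modification time falls within a window around it. This is an added Python example, not the poster's own code; it builds its own throwaway directory with a handful of constructed filenames and timestamps (the files are placeholders, not real PE images), so it runs offline on any platform. The window size and the pivot time are assumptions.

```python
import os
import tempfile
from datetime import datetime, timedelta
from pathlib import Path


def recently_modified_dlls(directory, pivot, window=timedelta(hours=2)):
    """DLLs in `directory` whose mtime lies within `window` of `pivot`, newest first.

    A freshly dropped set of DLLs usually shares one narrow time band, so pivoting
    on the first sighting separates them from the years-old OS files around them.
    """
    hits = []
    for entry in os.scandir(directory):
        if not entry.is_file() or not entry.name.lower().endswith(".dll"):
            continue
        mtime = datetime.fromtimestamp(entry.stat().st_mtime)
        if abs(mtime - pivot) <= window:
            hits.append((entry.name, mtime))
    return sorted(hits, key=lambda h: h[1], reverse=True)


def build_sample_dir():
    """Constructed sample imitating a system32 listing; returns (path, pivot time)."""
    root = Path(tempfile.mkdtemp(prefix="sys32_sample_"))
    # Assumed pivot: the HijackThis scan timestamp quoted in this thread.
    pivot = datetime(2008, 5, 21, 22, 9)
    # Assumed timestamps: long-lived OS/vendor files versus a cluster dropped minutes before the scan.
    ages = {
        "kernel32.dll": pivot - timedelta(days=400),
        "tfswshx.dll": pivot - timedelta(days=90),
        "atuflxto.dll": pivot - timedelta(minutes=35),
        "ssqqNdec.dll": pivot - timedelta(minutes=33),
        "vtUmNDWM.dll": pivot - timedelta(minutes=30),
        "notes.txt": pivot - timedelta(minutes=5),  # not a DLL, must be ignored
    }
    for name, when in ages.items():
        path = root / name
        path.write_bytes(b"MZ")  # placeholder content only
        stamp = when.timestamp()
        os.utime(path, (stamp, stamp))
    return root, pivot


if __name__ == "__main__":
    sample_dir, pivot = build_sample_dir()
    for name, mtime in recently_modified_dlls(sample_dir, pivot):
        print(f"{mtime:%Y-%m-%d %H:%M}  {name}")
```

On the sample this returns the three DLLs dropped in the half hour before the scan and nothing else. Two caveats carry over from the post: a Windows Update run or a driver install also touches many DLLs at once, so a cluster on its own is a lead rather than a verdict, and a file's modification time can be set by whoever wrote it, so the version resource (company name, as the post says) and a hash lookup are the next checks before anything is deleted.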
