Tilted Forum Project Discussion Community  

Go Back   Tilted Forum Project Discussion Community > Interests > Tilted Technology
New Virus, Please Help. New Virus, Please Help.

Donate now! Members List


 
 
LinkBack Thread Tools
Old 03-28-2008, 12:16 PM   #1 (permalink)
Just here for the beer.
 
Wyodiver33's Avatar
 
Location: Ft. Lauderdale, Floriduh
New Virus, Please Help.
Still can't beat this virus. Dell XPS410, Win Xp Pro. Says an Active Desktop to on with a Red Background with a big biohazard sign on it. Norton, Spybot, and ad aware can't seem to catch it. It's causing huge amounts of popups. I need some help.
__________________
I like stuff.
Wyodiver33 is offline  
Old 03-28-2008, 03:09 PM   #2 (permalink)
has a plan
 
Hain's Avatar
 
Location: middle of Whywouldanyonebethere
http://www.tfproject.org/tfp/showthr...t=126832#augi1

Try a-Squared, Housecall, AVG, CWShredder, and try posting a Hijack-This! log here and at their forums for assistance. If all else fails, you'll just have to DBAN your computer. //kidding// Also, try CCleaning your computer of all temp files.

What do you use as a browser? What Norton are you using? Up to date? Etc.

EDIT: Oh I already gave this advice. Where is the Hijack-This log? What are you doing online that is giving you all these viruses?
__________________
Last edited by Hain; 03-28-2008 at 03:12 PM.. Reason: Automerged Doublepost
Hain is offline  
Old 03-28-2008, 04:47 PM   #3 (permalink)
Just here for the beer.
 
Wyodiver33's Avatar
 
Location: Ft. Lauderdale, Floriduh
Here's the Hijack-this info. Newest Norton, newest everything, trust me. Not a newb but this one is kicking my ass.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:41:29 PM, on 3/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe
C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\vghd\vghd.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\pchealth\helpctr\binaries\HelpCtr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Spyware Doctor\pctsGui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=6070706
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {65255C76-B542-44A2-BA6F-2D6B2DF2DB34} - (no file)
R3 - URLSearchHook: (no name) - {E26029B4-C5E8-4645-9C02-E798715F8C0D} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: GNX Bingo - {7DEE5BA2-CB70-4BBB-BD94-208BBA8AA6C4} - C:\WINDOWS\drnpfdxlsk.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: TBSB02678 - {BDCA7AC9-C27B-4D30-A808-9B9081279C03} - C:\PROGRA~1\QUICKN~1\YOUTUB~1.DLL (file missing)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: BrowsingTool - {D0661233-42D4-F7F1-80E1-8A9E0E99E71D} - C:\Program Files\BrowsingTool\BrowsingTool-4.dll
O2 - BHO: TBSB04757 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\Freeze.com Toolbar\freeze_us.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: Freeze.com Toolbar - {B7D3E479-CC68-42B5-A338-938ECE35F419} - C:\Program Files\Freeze.com Toolbar\freeze_us.dll (file missing)
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [Aqua Dock] C:\Program Files\Aqua Dock\Aqua Dock.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [Dell DataSafe Scheduler] C:\Program Files\Dell DataSafe Online\Bin\DataSafeOnlineScheduler.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\3.8.0.64\PlaxoHelper_en.exe -a
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: VirtuaGirl HD.LNK = C:\Program Files\vghd\vghd.exe
O8 - Extra context menu item: &Search - ?p=ZRfox000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/...l/gtdownde.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O21 - SSODL: bokpkov - {77A17D2D-E12E-46B6-9A42-6066EBA42BED} - C:\WINDOWS\bokpkov.dll
O21 - SSODL: altvxvm - {10AFEF02-A70D-4578-8234-8706725C4B95} - C:\WINDOWS\altvxvm.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP4a\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP4a\RpcSandraSrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 14487 bytes

Please help me.
__________________
I like stuff.
Last edited by Wyodiver33; 03-28-2008 at 04:48 PM.. Reason: Automerged Doublepost
Wyodiver33 is offline  
Old 03-28-2008, 04:55 PM   #4 (permalink)
Tilted Cat Head
 
Cynthetiq's Avatar
 
Administrator
Location: Manhattan, NY
question:

you actually added the virtual girl HD and the freeze.com screensavesrs yourself?
__________________
I don't care if you are black, white, purple, green, Chinese, Japanese, Korean, hippie, cop, bum, admin, user, English, Irish, French, Catholic, Protestant, Jewish, Buddhist, Muslim, indian, cowboy, tall, short, fat, skinny, emo, punk, mod, rocker, straight, gay, lesbian, jock, nerd, geek, Democrat, Republican, Libertarian, Independent, driver, pedestrian, or bicyclist, either you're an asshole or you're not.
Cynthetiq is offline  
Old 03-28-2008, 04:56 PM   #5 (permalink)
Just here for the beer.
 
Wyodiver33's Avatar
 
Location: Ft. Lauderdale, Floriduh
No, I didn't. My Girlfriend did.
__________________
I like stuff.
Wyodiver33 is offline  
Old 03-28-2008, 04:58 PM   #6 (permalink)
Tilted Cat Head
 
Cynthetiq's Avatar
 
Administrator
Location: Manhattan, NY
can you post a screenshot of the error? I'm having a hard time understanding the Active Desktop error
__________________
I don't care if you are black, white, purple, green, Chinese, Japanese, Korean, hippie, cop, bum, admin, user, English, Irish, French, Catholic, Protestant, Jewish, Buddhist, Muslim, indian, cowboy, tall, short, fat, skinny, emo, punk, mod, rocker, straight, gay, lesbian, jock, nerd, geek, Democrat, Republican, Libertarian, Independent, driver, pedestrian, or bicyclist, either you're an asshole or you're not.
Cynthetiq is offline  
Old 03-28-2008, 04:58 PM   #7 (permalink)
Just here for the beer.
 
Wyodiver33's Avatar
 
Location: Ft. Lauderdale, Floriduh
Please, help me.
__________________
I like stuff.
Wyodiver33 is offline  
Old 03-28-2008, 04:59 PM   #8 (permalink)
Tilted Cat Head
 
Cynthetiq's Avatar
 
Administrator
Location: Manhattan, NY
and those free screensavers just suck ass... and used to contain more malware than funware. I dunno how they are today but I think they still suck ass.
__________________
I don't care if you are black, white, purple, green, Chinese, Japanese, Korean, hippie, cop, bum, admin, user, English, Irish, French, Catholic, Protestant, Jewish, Buddhist, Muslim, indian, cowboy, tall, short, fat, skinny, emo, punk, mod, rocker, straight, gay, lesbian, jock, nerd, geek, Democrat, Republican, Libertarian, Independent, driver, pedestrian, or bicyclist, either you're an asshole or you're not.
Cynthetiq is offline  
Old 03-28-2008, 05:00 PM   #9 (permalink)
Just here for the beer.
 
Wyodiver33's Avatar
 
Location: Ft. Lauderdale, Floriduh
I can turn off Active desktop for a while but then it's backs, Blood red, With A Biohazard sign

First person who fixes this gets my Girl for fifteen minutes. She's hot, great rack.

Oh well. She wouldn't have gone fore it anyway.
__________________
I like stuff.
Last edited by Wyodiver33; 03-28-2008 at 05:06 PM.. Reason: Automerged Doublepost
Wyodiver33 is offline  
Old 03-28-2008, 05:07 PM   #10 (permalink)
Tilted Cat Head
 
Cynthetiq's Avatar
 
Administrator
Location: Manhattan, NY
what does the error say specifically because you can get a similar error that just says your privacy is questionable.

can you get a screenshot of it at all?
__________________
I don't care if you are black, white, purple, green, Chinese, Japanese, Korean, hippie, cop, bum, admin, user, English, Irish, French, Catholic, Protestant, Jewish, Buddhist, Muslim, indian, cowboy, tall, short, fat, skinny, emo, punk, mod, rocker, straight, gay, lesbian, jock, nerd, geek, Democrat, Republican, Libertarian, Independent, driver, pedestrian, or bicyclist, either you're an asshole or you're not.
Cynthetiq is offline  
Old 03-28-2008, 05:08 PM   #11 (permalink)
Just here for the beer.
 
Wyodiver33's Avatar
 
Location: Ft. Lauderdale, Floriduh
I just really need some help.
__________________
I like stuff.
Wyodiver33 is offline  
Old 03-28-2008, 05:08 PM   #12 (permalink)
Tilted Cat Head
 
Cynthetiq's Avatar
 
Administrator
Location: Manhattan, NY
I'm wondering if all those little helper apps aren't just flagging it s a privacy issue. since none of the other adware and other secruity apps aren't going apeshit.

GNX Bingo is also suspect

Freeze.com toolbar
Quote:
Adware.Softomate Adware.Softomate is a potentially unwanted adware program that installs a toolbar in Internet Explorer. It does not provide a EULA nor displays a license agreement when installed.
Adware.Maxifiles Maxifiles adds a toolbar onto your task manager and creates pop-up advertisements.
Spyware.Rogue_Anti-Spyware_Products Rogue and suspect anti-spyware products use deceptive and unfair practices to trick consumers into purchasing them. Methods can include not providing proven, reliable anti-spyware protection or being prone to ridiculous false positives; unfair, deceptive or high pressure sales tactics; being associated with known distributors of spyware/adware or having been known to install spyware/adware themselves.
GNX Bingo
Quote:
Security Risk Description
Adware.Agent.BN Adware.Agent.BN is an adware program that displays pop-up advertisements and adds a runkey to run at startup, and also modifies Windows system configuration in order to download more malwares on to infected computer.
everytime you open your browser you reinfect yourself with this line:

Code:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
these other items are also suspect. It looks like you cleaned off some of the Freeze.com toolbar but not all of it.
Code:
O21 - SSODL: bokpkov - {77A17D2D-E12E-46B6-9A42-6066EBA42BED} - C:\WINDOWS\bokpkov.dll
O21 - SSODL: altvxvm - {10AFEF02-A70D-4578-8234-8706725C4B95} - C:\WINDOWS\altvxvm.dll

R3 - URLSearchHook: (no name) - {65255C76-B542-44A2-BA6F-2D6B2DF2DB34} - (no file)
R3 - URLSearchHook: (no name) - {E26029B4-C5E8-4645-9C02-E798715F8C0D} - (no file)

O2 - BHO: GNX Bingo - {7DEE5BA2-CB70-4BBB-BD94-208BBA8AA6C4} - C:\WINDOWS\drnpfdxlsk.dll
Toolbar: Freeze.com Toolbar - {B7D3E479-CC68-42B5-A338-938ECE35F419} - C:\Program Files\Freeze.com Toolbar\freeze_us.dll (file missing)
BHO: TBSB04757 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\Freeze.com Toolbar\freeze_us.dll (file missing)
This is the best help I can do next to doing it myself. The other thing to do is to tell your g/f to stop downloading a bunch of extra crap. Codecs to watch porn is a good way to get infected these days. So are all those toolbars and "fun" helper applications.
Quote:
How to remove softwarereferral/safewebnavigate hijackers and etlrlws toolbar
Softwarereferral infection is a hijacker. If your computer was infected, you got many popups, Internet Explorer start page changed to softwarereferral.com, blinking stopsign with X in system tray, continual system alert popups.

Download HijackThis and double click on the file for install.
Download CCleaner. Double click on the file for install.
Download Combofix.
Download SmitfraudFix (by S!Ri). Extract the content (a folder named SmitfraudFix) to your Desktop.

Reboot your computer again in Safe Mode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.

Start HijackThis. Click “Do a system scan only.” and put a checkmark next to the following items (if exists):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
O2 - BHO: PC-Antispyware Site Blocker Button - {10F0C2A9-8E38-43e3-204D-45524C494E20} - C:\Program Files\PC-Antispyware\IeExtension.dll
O2 - BHO: GNX Bingo - {B2DCA34E-9D1C-4EDA-A1BE-C24D1B4AAE55} - C:\WINDOWS\kdftlboepta.dll
O2 - BHO: GNX Rolex - {CD6DCA54-AE70-4562-BD9E-0C0A32F01347} - C:\WINDOWS\drnpfdxsnp.dll
O3 - Toolbar: etlrlws - {13F5AE57-486D-41B6-BA43-806EA7CCAE14} - C:\WINDOWS\etlrlws.dll
O4 - HKCU\..\Run: [awedpedp] C:\WINDOWS\system32\naxgxwbu.exe
O4 - HKLM\..\Policies\Explorer\Run: [bZ76ULmU0g] C:\Documents and Settings\All Users\Application Data\titkpyhg\vyzwdszw.exe
O21 - SSODL: bokpkov - {919071FA-540C-4492-BE14-79F7E72B24A1} - C:\WINDOWS\bokpkov.dll
O21 - SSODL: altvxvm - {360925C8-9CA2-4D10-9C9D-4DA09A5840FB} - C:\WINDOWS\altvxvm.dll
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

Note: SSODL modules can have random name(blue color) and some different clsid(red color), use google for check them.

Now close all browser and other windows except for HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd.
Press the number 2 on your keyboard and the press the enter key to choose the option Clean (safe mode recommended).

You will be prompted : “Registry cleaning - Do you want to clean the registry ?“; answer “Yes” by typing Y and press “Enter” in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer “Yes” by typing Y and press “Enter”.

The tool may need to restart your computer to finish the cleaning process; if it doesn’t, please restart it into Normal Windows.

Close any open browsers. Double click on combofix.exe and follow the prompts.

Run CCleaner.

Click Analyze button. After scan your system, click Run Cleaner.

If everything seems to be good - pop ups are gone, no any redirects, then you should make a new restore point.Disable system restore to flush out infected restore points. Reboot your computer again. Turn on Windows System Restore. After that click START > ALL PROGRAMS > ACCESSORIES > SYSTEM TOOLS > SYSTEM RESTORE. click on “create new restore point” > click on NEXT and follow the prompts.

If you are still having problems with spyware after completing these instructions, maybe you have another version of the infection, then please follow the steps: How to use Spyware Removal Forum.
__________________
I don't care if you are black, white, purple, green, Chinese, Japanese, Korean, hippie, cop, bum, admin, user, English, Irish, French, Catholic, Protestant, Jewish, Buddhist, Muslim, indian, cowboy, tall, short, fat, skinny, emo, punk, mod, rocker, straight, gay, lesbian, jock, nerd, geek, Democrat, Republican, Libertarian, Independent, driver, pedestrian, or bicyclist, either you're an asshole or you're not.
Last edited by Cynthetiq; 03-28-2008 at 05:46 PM.. Reason: Automerged Doublepost
Cynthetiq is offline  
Old 03-28-2008, 07:06 PM   #13 (permalink)
Just here for the beer.
 
Wyodiver33's Avatar
 
Location: Ft. Lauderdale, Floriduh
I did sign up for GMX email. Recently. Any ideas about that?

They had a two page add in a computer mag and it sounded like a good service. I was quite happy with Gmail.
__________________
I like stuff.
Last edited by Wyodiver33; 03-28-2008 at 07:07 PM.. Reason: Automerged Doublepost
Wyodiver33 is offline  
Old 03-29-2008, 12:47 AM   #14 (permalink)
has a plan
 
Hain's Avatar
 
Location: middle of Whywouldanyonebethere
Quote:
Originally Posted by Wyodiver33
C:\Program Files\vghd\vghd.exe
This concerns me. VirtuaGirl?

I notice you have a lot of toolbars for your browser. Why so many? As far as I am concerned, that is asking for more things to go wrong. Don't ask me why. That is just my gut feeling.

possible infections   click to show 


These are the things I figure you can get rid of. Bolded elements means I don't know what they are. I was reading online about Freeze and it has been suggested to be an adware toolbar. Maybe you can explain what they other ones are.

I will read through the remainder of these posts in this thread now.

Quote:
Originally Posted by Wyodiver33
Please, help me.
Quote:
Originally Posted by Wyodiver33
I just really need some help.
We're trying, and why didn't you answer with something more substantial?


Quote:
Originally Posted by Cynthetiq
everytime you open your browser you reinfect yourself with this line:

Code:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
Good eye. I missed that one.
Cynthetiq has a good plan of operation. They only thing I can suggest is that you don't just CClean it, you CClean it with an additional pass (Options > Settings > Secure Deletion > Secure File Deletion > "Simple Overwrite (1 Pass)").
__________________
Last edited by Hain; 03-29-2008 at 12:53 AM.. Reason: Automerged Doublepost
Hain is offline  
Old 03-29-2008, 05:44 AM   #15 (permalink)
Tilted Cat Head
 
Cynthetiq's Avatar
 
Administrator
Location: Manhattan, NY
yes, I thing virtualgirl HD is suspect too. I've outgrown "look at the little stripper walking across my desktop" You may not be a newb, but you sure aren't skilled enough to get yourself out of this kind of trouble to be cruising these suspect type web sites you are going to. I go to them from time to time so that I can learn how to remove and prevent them from infecting my machine.

oh duh.

I just figured out what your active desktop biohazard warning image is.

When you switch to active desktop, it opens the browser URL location as your desktop background. Which is set to this software referral, which is an error type screen by itself. Your virus systems aren't reporting it. It's reporting itself as an advertisement.

I kept asking for a screenshot because screenshots give EXACT words and images that I can determine which kind of malware you got stuck with. It was the softwarereferral.com link that got me the answer. But it would have been faster to deduce if one can see the errors on the desktop as opposed to someone describing it.

Follow the links and instructions I sent. Then tell your g/f to stop clicking on everything that moves, looks shiny and pretty, porn that wants to download anything codec, dialer, etc. AND you don't need that many toolbars. I don't care what kind of functionality you think is cool it's bloatware or spyware most of the time.
__________________
I don't care if you are black, white, purple, green, Chinese, Japanese, Korean, hippie, cop, bum, admin, user, English, Irish, French, Catholic, Protestant, Jewish, Buddhist, Muslim, indian, cowboy, tall, short, fat, skinny, emo, punk, mod, rocker, straight, gay, lesbian, jock, nerd, geek, Democrat, Republican, Libertarian, Independent, driver, pedestrian, or bicyclist, either you're an asshole or you're not.
Cynthetiq is offline  
Old 03-31-2008, 01:01 PM   #16 (permalink)
Loves my girl in thongs
 
arch13's Avatar
 
Location: North of Mexico, South of Canada
Quote:
Originally Posted by Cynthetiq

oh duh.

I just figured out what your active desktop biohazard warning image is.

When you switch to active desktop, it opens the browser URL location as your desktop background. Which is set to this software referral, which is an error type screen by itself. Your virus systems aren't reporting it. It's reporting itself as an advertisement.
Damn. I would not have realized that. Good Catch!
__________________
Seen on an employer evaluation:

"The wheel is turning but the hamsters dead"
____________________________
Is arch13 really a porn diety ? find out after the film at 11.
-Nanofever
arch13 is offline  
Old 03-31-2008, 02:01 PM   #17 (permalink)
Tilted Cat Head
 
Cynthetiq's Avatar
 
Administrator
Location: Manhattan, NY
Wyodiver33 how'd that work out for you?
__________________
I don't care if you are black, white, purple, green, Chinese, Japanese, Korean, hippie, cop, bum, admin, user, English, Irish, French, Catholic, Protestant, Jewish, Buddhist, Muslim, indian, cowboy, tall, short, fat, skinny, emo, punk, mod, rocker, straight, gay, lesbian, jock, nerd, geek, Democrat, Republican, Libertarian, Independent, driver, pedestrian, or bicyclist, either you're an asshole or you're not.
Cynthetiq is offline  
Old 05-21-2008, 05:50 PM   #18 (permalink)
Upright
 
I got the same thing as this guy
I know VirtuaGirl never on this computer here is what I do know.
It seems to reoccur and reactivate AppleMobilDeviceService.exe

which came on cd but may have been update from the web.
The big red 'back ground' really isn't. It is a webpage over

laying the background.
If you go to Display Properties - Customize Desktop - web It is

call privacy protection, uncheck that and it will dissappear when

you hit apply until you reboot.
I found it is coming from

file:///C:/WINDOWS/privacy_danger/images/spacer.gif
so I deleted the privacy_danger folder but it comes back in the

next boot
I think that it was connected to a file in C:\WINDOWS\Registration

called

{02D4B3F1-FD88-11D1-960D-00805FC79235}.{FC3B39D8-985E-4C67-B930-AE

6669F22FE6}.crmlog
so I tossed that in the recycle bin but it was still being used so

it wouldn't go.

I have a very limited boot up and noticed an 'atuflxto' item

the\at was new so I unchecked it and deleted atuflxto.dll from

C:\WINDOWS\system32 but got an access denied. it's time stamp it

close to when this all started. so I did run regedit and got rid

of it there. only for it to come back 5 minutes later with the

big red and the red biohazard sign advertising a virus remover.
only this time I GOT THE AUDIO OF WHAT SOUNDED LIKE IN ONLINE TV
STATION PLAYING A SEX SHOW!!! AND NOTHING NEW IS IN THE TASKMANAGER!!!

It also seems to cycle through different items that are opened.

Okay that is all I can get anyone got any ideas. I'll try to do a hyjackthis in a minute but I think that might bomb.
Arachia is offline  
Old 05-21-2008, 06:25 PM   #19 (permalink)
Upright
 
cwshredder and Hyjack this logs
here is the logs from CWShredder and Hyjack-This.


**** Run Keys ****

RUN: [SunJavaUpdateSched] "C:\Program

Files\Java\jre1.6.0_05\bin\jusched.exe"
RUN: [nwiz] nwiz.exe /install
RUN: [SoundMan] SOUNDMAN.EXE
RUN: [KBD] C:\HP\KBD\KBD.EXE
RUN: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe

/auto
RUN: [ac22098a] rundll32.exe "C:\WINDOWS\system32\atuflxto.dll",b
RUN: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


**** Browser Helper Objects ****

BHO: [QXK Rhythm] C:\WINDOWS\nldfmtapxvt.dll
BHO: [QXK Rhythm] C:\WINDOWS\system32\ssqqNdec.dll
BHO: [ShoppingReport] C:\Program

Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
BHO: [ShoppingReport] C:\WINDOWS\system32\vtUmNDWM.dll
BHO: [ShoppingReport] C:\WINDOWS\system32\vtUmNDWM.dll
BHO: [DriveLetterAccess] C:\WINDOWS\system32\dla\tfswshx.dll
BHO: [SSVHelper Class] C:\Program

Files\Java\jre1.6.0_05\bin\ssv.dll
BHO: [Google Toolbar Helper] c:\program

files\google\googletoolbar2.dll
BHO: [Google Toolbar Notifier BHO] C:\Program

Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll


**** IE Toolbars ****

TOOLBAR: [&Google] c:\program files\google\googletoolbar2.dll
TOOLBAR: [gktxaspm] C:\WINDOWS\gktxaspm.dll


**** IE Extensions ****

IEExt: []
IEExt: [ShopperReports - Compare product prices]
IEExt: [ShopperReports - Compare travel rates]
IEExt: [ShopperReports - Compare travel rates]
IEExt: [Messenger] C:\Program Files\Messenger\msmsgs.exe


**** Hosts File Entries ****

HOSTS: 127.0.0.1 localhost
HOSTS: 0.0.0.1 www.facebook.com
HOSTS: 0.0.0.2 facebook.com
HOSTS: 0.0.0.2 facebook.com


**** IE Settings ****

IEBypass: *.local
Default Page: http://go.microsoft.com/fwlink/?LinkId=69157
Default Search: http://go.microsoft.com/fwlink/?LinkId=54896
Local Page: C:\WINDOWS\system32\blank.htm
Search Bar: http://www.google.com/ie
Search Page: http://www.google.com


**** IE Context Menu (Right click) ****



**** Layered Service Providers ****

LSP: MSAFD Tcpip [TCP/IP]
LSP: MSAFD Tcpip [UDP/IP]
LSP: RSVP UDP Service Provider
LSP: RSVP TCP Service Provider
LSP: MSAFD NetBIOS

[\Device\NetBT_Tcpip_{7B378BAD-1A1B-4903-9C98-36D07AC35E60}]

SEQPACKET 5
LSP: MSAFD NetBIOS

[\Device\NetBT_Tcpip_{7B378BAD-1A1B-4903-9C98-36D07AC35E60}]

DATAGRAM 5
LSP: MSAFD NetBIOS

[\Device\NetBT_Tcpip_{E83D656B-AC52-4F21-889D-4F4A54CEEB3F}]

SEQPACKET 4
LSP: MSAFD NetBIOS

[\Device\NetBT_Tcpip_{E83D656B-AC52-4F21-889D-4F4A54CEEB3F}]

DATAGRAM 4
LSP: MSAFD NetBIOS

[\Device\NetBT_Tcpip_{B45FF219-2EC9-47D4-AC00-C4AFA4CC7564}]

SEQPACKET 0
LSP: MSAFD NetBIOS

[\Device\NetBT_Tcpip_{B45FF219-2EC9-47D4-AC00-C4AFA4CC7564}]

DATAGRAM 0
LSP: MSAFD NetBIOS

[\Device\NetBT_Tcpip_{62B049C2-D71E-4404-B114-CE88DBF848D3}]

SEQPACKET 1
LSP: MSAFD NetBIOS

[\Device\NetBT_Tcpip_{62B049C2-D71E-4404-B114-CE88DBF848D3}]

DATAGRAM 1
LSP: MSAFD NetBIOS

[\Device\NetBT_Tcpip_{D2DA7B32-DAF0-49CA-97E7-0F8EA61B7721}]

SEQPACKET 2
LSP: MSAFD NetBIOS

[\Device\NetBT_Tcpip_{D2DA7B32-DAF0-49CA-97E7-0F8EA61B7721}]

DATAGRAM 2
LSP: MSAFD NetBIOS

[\Device\NetBT_Tcpip_{9F139041-8C92-40EB-A58B-B9F67AC3F4DD}]

SEQPACKET 3
LSP: MSAFD NetBIOS

[\Device\NetBT_Tcpip_{9F139041-8C92-40EB-A58B-B9F67AC3F4DD}]

DATAGRAM 3


**** Blocked Control Panel Items ****

BLOCKED: [ncpa.cpl] No
BLOCKED: [odbccp32.cpl] No


**** Downloaded Program Files ****

{166B1BCA-3F9C-11CF-8075-444553540000}

[http://download.macromedia.com/pub/s...irector/sw.cab

]
{17492023-C23A-453E-A040-C7C580BBF700}

[http://download.microsoft.com/downlo...54-aa20-495c-b

89f-c1c34c691085/LegitCheckControl.cab]

C:\WINDOWS\system32\LegitCheckControl.DLL
{3DCEC959-378A-4922-AD7E-FD5C925D927F}

[http://disney.go.com/pirates/online/...lt/signed/Disn

eyOnlineGames.cab]
{67A5F8DC-1A4B-4D66-9F24-A704AD929EEE}

[http://www.nvidia.com/content/Driver...0.0.1/sysreqla

b2.cab]
{6B75345B-AA36-438A-BBE6-4078B4C6984D}

[http://h20270.www2.hp.com/ediags/gmn...oductDetection.

cab]
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}

[http://www.update.microsoft.com/micr...V5Controls/en/

x86/client/muweb_site.cab?1193939347000]
{6F15128C-E66A-490C-B848-5000B5ABEEAC}

[https://h20436.www2.hp.com/ediags/de.../HPDEXAXO.cab]
{7FC1B346-83E6-4774-8D20-1A6B09B0E737}

[http://cid-2412d39e051747cb.spaces.l...pload/MsnPUpld.

cab] C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
{8AD9C840-044E-11D1-B3E9-00805F499D93}

[http://java.sun.com/update/1.6.0/jin...windows-i586.c

ab]
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}

[http://fpdownload.macromedia.com/get...rrent/ultrashi

m.cab]
{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA}

[http://javadl-esd.sun.com/update/1.5..._0_12-windows-

i586.cab]
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

[http://java.sun.com/update/1.6.0/jin...windows-i586.c

ab]
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

[http://java.sun.com/update/1.6.0/jin...windows-i586.c

ab]
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}

[http://java.sun.com/update/1.6.0/jin...windows-i586.c

ab]
{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}

[http://www.popcap.com/webgames/popcaploader_v10.cab]


**** Windows Services ****

[Alerter] %SystemRoot%\system32\svchost.exe -k LocalService
[ALG] %SystemRoot%\System32\alg.exe
[ANIWZCSdService] C:\Program Files\ANI\ANIWZCS2

Service\ANIWZCSdS.exe
[AppMgmt] %SystemRoot%\system32\svchost.exe -k netsvcs
[aspnet_state]

%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
[AudioSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[BITS] %SystemRoot%\system32\svchost.exe -k netsvcs
[Browser] %SystemRoot%\system32\svchost.exe -k netsvcs
[CiSvc] %SystemRoot%\system32\cisvc.exe
[ClipSrv] %SystemRoot%\system32\clipsrv.exe
[clr_optimization_v2.0.50727_32]

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
[COMSysApp] C:\WINDOWS\system32\dllhost.exe

/Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
[CryptSvc] %SystemRoot%\system32\svchost.exe -k netsvcs
[DcomLaunch] %SystemRoot%\system32\svchost -k DcomLaunch
[Dhcp] %SystemRoot%\system32\svchost.exe -k netsvcs
[dmadmin] %SystemRoot%\System32\dmadmin.exe /com
[dmserver] %SystemRoot%\System32\svchost.exe -k netsvcs
[Dnscache] %SystemRoot%\system32\svchost.exe -k NetworkService
[ERSvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[Eventlog] %SystemRoot%\system32\services.exe
[EventSystem] C:\WINDOWS\system32\svchost.exe -k netsvcs
[FastUserSwitchingCompatibility] %SystemRoot%\System32\svchost.exe

-k netsvcs
[gusvc] "C:\Program Files\Google\Common\Google

Updater\GoogleUpdaterService.exe"
[helpsvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[HidServ] %SystemRoot%\System32\svchost.exe -k netsvcs
[HTTPFilter] %SystemRoot%\System32\svchost.exe -k HTTPFilter
[ImapiService] C:\WINDOWS\system32\imapi.exe
[lanmanserver] %SystemRoot%\system32\svchost.exe -k netsvcs
[lanmanworkstation] %SystemRoot%\system32\svchost.exe -k netsvcs
[LmHosts] %SystemRoot%\system32\svchost.exe -k LocalService
[Messenger] %SystemRoot%\system32\svchost.exe -k netsvcs
[MHN] %SystemRoot%\System32\svchost.exe -k netsvcs
[mnmsrvc] C:\WINDOWS\system32\mnmsrvc.exe
[MSDTC] C:\WINDOWS\system32\msdtc.exe
[MSIServer] C:\WINDOWS\system32\msiexec.exe /V
[NetDDE] %SystemRoot%\system32\netdde.exe
[NetDDEdsdm] %SystemRoot%\system32\netdde.exe
[Netlogon] %SystemRoot%\system32\lsass.exe
[Netman] %SystemRoot%\System32\svchost.exe -k netsvcs
[Nla] %SystemRoot%\system32\svchost.exe -k netsvcs
[NtLmSsp] %SystemRoot%\system32\lsass.exe
[NtmsSvc] %SystemRoot%\system32\svchost.exe -k netsvcs
[NVSvc] %SystemRoot%\system32\nvsvc32.exe
[PlugPlay] %SystemRoot%\system32\services.exe
[PolicyAgent] %SystemRoot%\system32\lsass.exe
[ProtectedStorage] %SystemRoot%\system32\lsass.exe
[RasAuto] %SystemRoot%\system32\svchost.exe -k netsvcs
[RasMan] %SystemRoot%\system32\svchost.exe -k netsvcs
[RDSessMgr] C:\WINDOWS\system32\sessmgr.exe
[RemoteAccess] %SystemRoot%\system32\svchost.exe -k netsvcs
[RemoteRegistry] %SystemRoot%\system32\svchost.exe -k LocalService
[RpcLocator] %SystemRoot%\system32\locator.exe
[RpcSs] %SystemRoot%\system32\svchost -k rpcss
[RSVP] %SystemRoot%\system32\rsvp.exe
[SamSs] %SystemRoot%\system32\lsass.exe
[SCardSvr] %SystemRoot%\System32\SCardSvr.exe
[Schedule] %SystemRoot%\System32\svchost.exe -k netsvcs
[seclogon] %SystemRoot%\System32\svchost.exe -k netsvcs
[SENS] %SystemRoot%\system32\svchost.exe -k netsvcs
[SharedAccess] %SystemRoot%\system32\svchost.exe -k netsvcs
[ShellHWDetection] %SystemRoot%\System32\svchost.exe -k netsvcs
[Spooler] %SystemRoot%\system32\spoolsv.exe
[srservice] %SystemRoot%\system32\svchost.exe -k netsvcs
[SSDPSRV] %SystemRoot%\system32\svchost.exe -k LocalService
[stisvc] %SystemRoot%\system32\svchost.exe -k imgsvc
[SwPrv] C:\WINDOWS\system32\dllhost.exe

/Processid:{3647D27E-C3E5-46DA-AD61-429DF5AAE770}
[SysmonLog] %SystemRoot%\system32\smlogsvc.exe
[TapiSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[TermService] %SystemRoot%\System32\svchost -k DComLaunch
[Themes] %SystemRoot%\System32\svchost.exe -k netsvcs
[TlntSvr] C:\WINDOWS\system32\tlntsvr.exe
[TrkWks] %SystemRoot%\system32\svchost.exe -k netsvcs
[upnphost] %SystemRoot%\system32\svchost.exe -k LocalService
[UPS] %SystemRoot%\System32\ups.exe
[VSS] %SystemRoot%\System32\vssvc.exe
[W32Time] %SystemRoot%\System32\svchost.exe -k netsvcs
[WebClient] %SystemRoot%\system32\svchost.exe -k LocalService
[winmgmt] %systemroot%\system32\svchost.exe -k netsvcs
[WmdmPmSN] %SystemRoot%\System32\svchost.exe -k netsvcs
[Wmi] %SystemRoot%\System32\svchost.exe -k netsvcs
[WmiApSrv] C:\WINDOWS\system32\wbem\wmiapsrv.exe
[wscsvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[wuauserv] %systemroot%\system32\svchost.exe -k netsvcs
[WZCSVC] %SystemRoot%\System32\svchost.exe -k netsvcs
[xmlprov] %SystemRoot%\System32\svchost.exe -k netsvcs


**** Custom IE Search Items ****

SEARCH: [SearchAssistant] http://www.google.com/ie
SEARCH: [SearchAssistant] http://www.google.com/ie
SEARCH: [CustomizeSearch]

http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
SEARCH: [Default_Search_URL] http://www.google.com/ie


**** Complete IE Options ****

IEOPT: [NoUpdateCheck]
IEOPT: [NoJITSetup]
IEOPT: [Disable Script Debugger] yes
IEOPT: [Show_ChannelBand] No
IEOPT: [Anchor Underline] yes
IEOPT: [Cache_Update_Frequency] Once_Per_Session
IEOPT: [Display Inline Images] yes
IEOPT: [Do404Search]
IEOPT: [Local Page] C:\WINDOWS\system32\blank.htm
IEOPT: [Save_Session_History_On_Exit] no
IEOPT: [Show_FullURL] no
IEOPT: [Show_StatusBar] yes
IEOPT: [Show_ToolBar] yes
IEOPT: [Show_URLinStatusBar] yes
IEOPT: [Show_URLToolBar] yes
IEOPT: [Start Page]

http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
IEOPT: [Use_DlgBox_Colors] yes
IEOPT: [Search Page] http://www.google.com
IEOPT: [NotifyDownloadComplete] no
IEOPT: [FullScreen] no
IEOPT: [Window_Placement] ,
IEOPT: [Use FormSuggest] yes
IEOPT: [HistoryViewType]
IEOPT: [AddToFavoritesExpanded]
IEOPT: [Use Search Asst] no
IEOPT: [Search Bar] http://www.google.com/ie
IEOPT: [Enable Browser Extensions] yes
IEOPT: [XMLHTTP]
IEOPT: [UseClearType] yes
IEOPT: [AlwaysShowMenus]
IEOPT: [Play_Background_Sounds] yes
IEOPT: [Play_Animations] yes
IEOPT: [CompatibilityFlags]
IEOPT: [SearchMigrated]
IEOPT: [SearchMigratedDefaultName] Google
IEOPT: [SearchMigratedDefaultURL]

http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.

microsoft:en-US&ie=utf8&oe=utf8
IEOPT: [SearchMigratedInstalled]
IEOPT: [RunOnceHasShown]
IEOPT: [RunOnceComplete]
IEOPT: [Error Dlg Displayed On Every Error] no
IEOPT: [StatusBarWeb]
IEOPT: [ControlTooltipCount]
IEOPT: [Save Directory] C:\Documents and Settings\malachi\My

Documents\
IEOPT: [Expand Alt Text] no
IEOPT: [Move System Caret] no
IEOPT: [NscSingleExpand]
IEOPT: [DisableScriptDebuggerIE] yes
IEOPT: [Page_Transitions]
IEOPT: [FavIntelliMenus] no
IEOPT: [UseThemes]
IEOPT: [EnableSearchPane]
IEOPT: [Force Offscreen Composition]
IEOPT: [AllowWindowReuse]
IEOPT: [Friendly http errors] yes
IEOPT: [SmoothScroll]
IEOPT: [Enable AutoImageResize] yes
IEOPT: [Show image placeholders]
IEOPT: [Print_Background] no
IEOPT: [AutoSearch]
IEOPT: [AutoHide] no
IEOPT: [ShowedCheckBrowser] Yes
IEOPT: [Check_Associations] no
IEOPT: [Default_Page_URL]

http://go.microsoft.com/fwlink/?LinkId=69157
IEOPT: [Default_Search_URL]

http://go.microsoft.com/fwlink/?LinkId=54896
IEOPT: [Search Page] http://go.microsoft.com/fwlink/?LinkId=54896
IEOPT: [Enable_Disk_Cache] yes
IEOPT: [Cache_Percent_of_Disk]
IEOPT: [Delete_Temp_Files_On_Exit] yes
IEOPT: [Local Page] %SystemRoot%\system32\blank.htm
IEOPT: [Anchor_Visitation_Horizon]
IEOPT: [Use_Async_DNS] yes
IEOPT: [Placeholder_Width]
IEOPT: [Placeholder_Height]
IEOPT: [Start Page] http://go.microsoft.com/fwlink/?LinkId=69157
IEOPT: [CompanyName] Microsoft Corporation
IEOPT: [Custom_Key] MICROSO
IEOPT: [Wizard_Version] 6.0.2600.0000
IEOPT: [FullScreen] no
IEOPT: [Default_Secondary_Page_URL]
IEOPT: [Extensions Off Page] about:NoAdd-ons
IEOPT: [Security Risk Page] about:SecurityRisk
IEOPT: [Check_Associations] yes




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:04 PM, on 5/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 0.0.0.1 www.facebook.com
O1 - Hosts: 0.0.0.2 facebook.com
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: gktxaspm - {9CF47BCD-57A7-4591-BEA0-F37911D9D1EB} - C:\WINDOWS\gktxaspm.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ac22098a] rundll32.exe "C:\WINDOWS\system32\atuflxto.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.merriam-webster.com
O15 - Trusted Zone: http://www.runescape.com
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/...nlineGames.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1193939347000
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://cid-2412d39e051747cb.spaces.l...d/MsnPUpld.cab
O16 - DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5...ndows-i586.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/webgames/popcaploader_v10.cab
O21 - SSODL: gnowmebk - {2992B3E3-F03A-43B1-92BC-C5196C6868E0} - C:\WINDOWS\gnowmebk.dll
O21 - SSODL: pxgdslro - {622CA5DB-A778-48E6-907C-E7BD06D3EE02} - C:\WINDOWS\pxgdslro.dll
O21 - SSODL: BootCheck - {621e5d81-1172-4bf0-9c16-6d1bbb1f3b3d} - C:\WINDOWS\Resources\BootCheck.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 5878 bytes

Okay that really is everything any thoughts
Arachia is offline  
Old 05-21-2008, 06:56 PM   #20 (permalink)
Tilted Cat Head
 
Cynthetiq's Avatar
 
Administrator
Location: Manhattan, NY
ShoppingReport.dll is the first suspect from my quick read... i'm still studying and researching some of the others... but shoppingreport is the culprit of the moment.

http://www.smartshopper.com/SmartShopper/Default.aspx

did you intend on installing this application?
__________________
I don't care if you are black, white, purple, green, Chinese, Japanese, Korean, hippie, cop, bum, admin, user, English, Irish, French, Catholic, Protestant, Jewish, Buddhist, Muslim, indian, cowboy, tall, short, fat, skinny, emo, punk, mod, rocker, straight, gay, lesbian, jock, nerd, geek, Democrat, Republican, Libertarian, Independent, driver, pedestrian, or bicyclist, either you're an asshole or you're not.
Last edited by Cynthetiq; 05-21-2008 at 06:58 PM.. Reason: Automerged Doublepost
Cynthetiq is offline  
 

Tags
virus

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On


All times are GMT -8. The time now is 07:45 AM.

Tilted Forum Project
Contact Us - Tilted Forum Project - Archive - Top

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2024, vBulletin Solutions, Inc.
Search Engine Optimization by vBSEO 3.6.0 PL2
© 2002-2012 Tilted Forum Project

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360