05-21-2008, 06:21 PM | #1
Big Red Biohazard Active Desktop Virus
Okay, I know I put this in another posting, but I figured if I add the log files I should do it under a separate posting.
Here is what I have learned so far. It seems to recur and reactivate AppleMobileDeviceService.exe, which came on a CD but may have been updated from the web. The big red 'background' really isn't one. It is a web page overlaying the background. If you go to Display Properties - Customize Desktop - Web, it is called Privacy Protection; uncheck that and it will disappear when you hit Apply, until you reboot. I found it is coming from file:///C:/WINDOWS/privacy_danger/images/spacer.gif, so I deleted the privacy_danger folder, but it comes back on the next boot. I think that it was connected to a file in C:\WINDOWS\Registration called {02D4B3F1-FD88-11D1-960D-00805FC79235}.{FC3B39D8-985E-4C67-B930-AE6669F22FE6}.crmlog, so I tossed that in the Recycle Bin, but it was still being used so it wouldn't go. I have a very limited boot up and noticed an 'atuflxto' item that was new, so I unchecked it and deleted atuflxto.dll from C:\WINDOWS\system32, but got an access denied. Its time stamp is close to when this all started, so I ran regedit and got rid of it there, only for it to come back 5 minutes later with the big red and the red biohazard sign advertising a virus remover. Only this time I GOT THE AUDIO OF WHAT SOUNDED LIKE AN ONLINE TV STATION PLAYING A SEX SHOW!!! AND NOTHING NEW IS IN THE TASK MANAGER!!! It also seems to cycle through different items that are opened. CWShredder seems to get rid of some of the graphic and the sound for a short time. Okay, that is all I can get. Anyone got any ideas? Here are the logs from CWShredder and HijackThis.
**** Run Keys **** RUN: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" RUN: [nwiz] nwiz.exe /install RUN: [SoundMan] SOUNDMAN.EXE RUN: [KBD] C:\HP\KBD\KBD.EXE RUN: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto RUN: [ac22098a] rundll32.exe "C:\WINDOWS\system32\atuflxto.dll",b RUN: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe **** Browser Helper Objects **** BHO: [QXK Rhythm] C:\WINDOWS\nldfmtapxvt.dll BHO: [QXK Rhythm] C:\WINDOWS\system32\ssqqNdec.dll BHO: [ShoppingReport] C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll BHO: [ShoppingReport] C:\WINDOWS\system32\vtUmNDWM.dll BHO: [ShoppingReport] C:\WINDOWS\system32\vtUmNDWM.dll BHO: [DriveLetterAccess] C:\WINDOWS\system32\dla\tfswshx.dll BHO: [SSVHelper Class] C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll BHO: [Google Toolbar Helper] c:\program files\google\googletoolbar2.dll BHO: [Google Toolbar Notifier BHO] C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll **** IE Toolbars **** TOOLBAR: [&Google] c:\program files\google\googletoolbar2.dll TOOLBAR: [gktxaspm] C:\WINDOWS\gktxaspm.dll **** IE Extensions **** IEExt: [] IEExt: [ShopperReports - Compare product prices] IEExt: [ShopperReports - Compare travel rates] IEExt: [ShopperReports - Compare travel rates] IEExt: [Messenger] C:\Program Files\Messenger\msmsgs.exe **** Hosts File Entries **** HOSTS: 127.0.0.1 localhost HOSTS: 0.0.0.1 www.facebook.com HOSTS: 0.0.0.2 facebook.com HOSTS: 0.0.0.2 facebook.com **** IE Settings **** IEBypass: *.local Default Page: http://go.microsoft.com/fwlink/?LinkId=69157 Default Search: http://go.microsoft.com/fwlink/?LinkId=54896 Local Page: C:\WINDOWS\system32\blank.htm Search Bar: http://www.google.com/ie Search Page: http://www.google.com **** IE Context Menu (Right click) **** **** Layered Service Providers **** LSP: MSAFD Tcpip [TCP/IP] LSP: MSAFD Tcpip [UDP/IP] LSP: RSVP UDP Service Provider LSP: RSVP TCP Service Provider LSP: MSAFD NetBIOS 
[\Device\NetBT_Tcpip_{7B378BAD-1A1B-4903-9C98-36D07AC35E60}] SEQPACKET 5 LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7B378BAD-1A1B-4903-9C98-36D07AC35E60}] DATAGRAM 5 LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{E83D656B-AC52-4F21-889D-4F4A54CEEB3F}] SEQPACKET 4 LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{E83D656B-AC52-4F21-889D-4F4A54CEEB3F}] DATAGRAM 4 LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B45FF219-2EC9-47D4-AC00-C4AFA4CC7564}] SEQPACKET 0 LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B45FF219-2EC9-47D4-AC00-C4AFA4CC7564}] DATAGRAM 0 LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{62B049C2-D71E-4404-B114-CE88DBF848D3}] SEQPACKET 1 LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{62B049C2-D71E-4404-B114-CE88DBF848D3}] DATAGRAM 1 LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D2DA7B32-DAF0-49CA-97E7-0F8EA61B7721}] SEQPACKET 2 LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D2DA7B32-DAF0-49CA-97E7-0F8EA61B7721}] DATAGRAM 2 LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{9F139041-8C92-40EB-A58B-B9F67AC3F4DD}] SEQPACKET 3 LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{9F139041-8C92-40EB-A58B-B9F67AC3F4DD}] DATAGRAM 3 **** Blocked Control Panel Items **** BLOCKED: [ncpa.cpl] No BLOCKED: [odbccp32.cpl] No **** Downloaded Program Files **** {166B1BCA-3F9C-11CF-8075-444553540000} [http://download.macromedia.com/pub/s...irector/sw.cab ] {17492023-C23A-453E-A040-C7C580BBF700} [http://download.microsoft.com/downlo...54-aa20-495c-b 89f-c1c34c691085/LegitCheckControl.cab] C:\WINDOWS\system32\LegitCheckControl.DLL {3DCEC959-378A-4922-AD7E-FD5C925D927F} [http://disney.go.com/pirates/online/...lt/signed/Disn eyOnlineGames.cab] {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} [http://www.nvidia.com/content/Driver...0.0.1/sysreqla b2.cab] {6B75345B-AA36-438A-BBE6-4078B4C6984D} [http://h20270.www2.hp.com/ediags/gmn...oductDetection. 
cab] {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} [http://www.update.microsoft.com/micr...V5Controls/en/ x86/client/muweb_site.cab?1193939347000] {6F15128C-E66A-490C-B848-5000B5ABEEAC} [https://h20436.www2.hp.com/ediags/de.../HPDEXAXO.cab] {7FC1B346-83E6-4774-8D20-1A6B09B0E737} [http://cid-2412d39e051747cb.spaces.l...pload/MsnPUpld. cab] C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll {8AD9C840-044E-11D1-B3E9-00805F499D93} [http://java.sun.com/update/1.6.0/jin...windows-i586.c ab] {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} [http://fpdownload.macromedia.com/get...rrent/ultrashi m.cab] {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} [http://javadl-esd.sun.com/update/1.5..._0_12-windows- i586.cab] {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [http://java.sun.com/update/1.6.0/jin...windows-i586.c ab] {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [http://java.sun.com/update/1.6.0/jin...windows-i586.c ab] {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [http://java.sun.com/update/1.6.0/jin...windows-i586.c ab] {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} [http://www.popcap.com/webgames/popcaploader_v10.cab] **** Windows Services **** [Alerter] %SystemRoot%\system32\svchost.exe -k LocalService [ALG] %SystemRoot%\System32\alg.exe [ANIWZCSdService] C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe [AppMgmt] %SystemRoot%\system32\svchost.exe -k netsvcs [aspnet_state] %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [AudioSrv] %SystemRoot%\System32\svchost.exe -k netsvcs [BITS] %SystemRoot%\system32\svchost.exe -k netsvcs [Browser] %SystemRoot%\system32\svchost.exe -k netsvcs [CiSvc] %SystemRoot%\system32\cisvc.exe [ClipSrv] %SystemRoot%\system32\clipsrv.exe [clr_optimization_v2.0.50727_32] C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [COMSysApp] C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} [CryptSvc] %SystemRoot%\system32\svchost.exe -k netsvcs [DcomLaunch] %SystemRoot%\system32\svchost -k DcomLaunch [Dhcp] %SystemRoot%\system32\svchost.exe -k netsvcs 
[dmadmin] %SystemRoot%\System32\dmadmin.exe /com [dmserver] %SystemRoot%\System32\svchost.exe -k netsvcs [Dnscache] %SystemRoot%\system32\svchost.exe -k NetworkService [ERSvc] %SystemRoot%\System32\svchost.exe -k netsvcs [Eventlog] %SystemRoot%\system32\services.exe [EventSystem] C:\WINDOWS\system32\svchost.exe -k netsvcs [FastUserSwitchingCompatibility] %SystemRoot%\System32\svchost.exe -k netsvcs [gusvc] "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe" [helpsvc] %SystemRoot%\System32\svchost.exe -k netsvcs [HidServ] %SystemRoot%\System32\svchost.exe -k netsvcs [HTTPFilter] %SystemRoot%\System32\svchost.exe -k HTTPFilter [ImapiService] C:\WINDOWS\system32\imapi.exe [lanmanserver] %SystemRoot%\system32\svchost.exe -k netsvcs [lanmanworkstation] %SystemRoot%\system32\svchost.exe -k netsvcs [LmHosts] %SystemRoot%\system32\svchost.exe -k LocalService [Messenger] %SystemRoot%\system32\svchost.exe -k netsvcs [MHN] %SystemRoot%\System32\svchost.exe -k netsvcs [mnmsrvc] C:\WINDOWS\system32\mnmsrvc.exe [MSDTC] C:\WINDOWS\system32\msdtc.exe [MSIServer] C:\WINDOWS\system32\msiexec.exe /V [NetDDE] %SystemRoot%\system32\netdde.exe [NetDDEdsdm] %SystemRoot%\system32\netdde.exe [Netlogon] %SystemRoot%\system32\lsass.exe [Netman] %SystemRoot%\System32\svchost.exe -k netsvcs [Nla] %SystemRoot%\system32\svchost.exe -k netsvcs [NtLmSsp] %SystemRoot%\system32\lsass.exe [NtmsSvc] %SystemRoot%\system32\svchost.exe -k netsvcs [NVSvc] %SystemRoot%\system32\nvsvc32.exe [PlugPlay] %SystemRoot%\system32\services.exe [PolicyAgent] %SystemRoot%\system32\lsass.exe [ProtectedStorage] %SystemRoot%\system32\lsass.exe [RasAuto] %SystemRoot%\system32\svchost.exe -k netsvcs [RasMan] %SystemRoot%\system32\svchost.exe -k netsvcs [RDSessMgr] C:\WINDOWS\system32\sessmgr.exe [RemoteAccess] %SystemRoot%\system32\svchost.exe -k netsvcs [RemoteRegistry] %SystemRoot%\system32\svchost.exe -k LocalService [RpcLocator] %SystemRoot%\system32\locator.exe [RpcSs] 
%SystemRoot%\system32\svchost -k rpcss [RSVP] %SystemRoot%\system32\rsvp.exe [SamSs] %SystemRoot%\system32\lsass.exe [SCardSvr] %SystemRoot%\System32\SCardSvr.exe [Schedule] %SystemRoot%\System32\svchost.exe -k netsvcs [seclogon] %SystemRoot%\System32\svchost.exe -k netsvcs [SENS] %SystemRoot%\system32\svchost.exe -k netsvcs [SharedAccess] %SystemRoot%\system32\svchost.exe -k netsvcs [ShellHWDetection] %SystemRoot%\System32\svchost.exe -k netsvcs [Spooler] %SystemRoot%\system32\spoolsv.exe [srservice] %SystemRoot%\system32\svchost.exe -k netsvcs [SSDPSRV] %SystemRoot%\system32\svchost.exe -k LocalService [stisvc] %SystemRoot%\system32\svchost.exe -k imgsvc [SwPrv] C:\WINDOWS\system32\dllhost.exe /Processid:{3647D27E-C3E5-46DA-AD61-429DF5AAE770} [SysmonLog] %SystemRoot%\system32\smlogsvc.exe [TapiSrv] %SystemRoot%\System32\svchost.exe -k netsvcs [TermService] %SystemRoot%\System32\svchost -k DComLaunch [Themes] %SystemRoot%\System32\svchost.exe -k netsvcs [TlntSvr] C:\WINDOWS\system32\tlntsvr.exe [TrkWks] %SystemRoot%\system32\svchost.exe -k netsvcs [upnphost] %SystemRoot%\system32\svchost.exe -k LocalService [UPS] %SystemRoot%\System32\ups.exe [VSS] %SystemRoot%\System32\vssvc.exe [W32Time] %SystemRoot%\System32\svchost.exe -k netsvcs [WebClient] %SystemRoot%\system32\svchost.exe -k LocalService [winmgmt] %systemroot%\system32\svchost.exe -k netsvcs [WmdmPmSN] %SystemRoot%\System32\svchost.exe -k netsvcs [Wmi] %SystemRoot%\System32\svchost.exe -k netsvcs [WmiApSrv] C:\WINDOWS\system32\wbem\wmiapsrv.exe [wscsvc] %SystemRoot%\System32\svchost.exe -k netsvcs [wuauserv] %systemroot%\system32\svchost.exe -k netsvcs [WZCSVC] %SystemRoot%\System32\svchost.exe -k netsvcs [xmlprov] %SystemRoot%\System32\svchost.exe -k netsvcs **** Custom IE Search Items **** SEARCH: [SearchAssistant] http://www.google.com/ie SEARCH: [SearchAssistant] http://www.google.com/ie SEARCH: [CustomizeSearch] http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm SEARCH: [Default_Search_URL] 
http://www.google.com/ie **** Complete IE Options **** IEOPT: [NoUpdateCheck] IEOPT: [NoJITSetup] IEOPT: [Disable Script Debugger] yes IEOPT: [Show_ChannelBand] No IEOPT: [Anchor Underline] yes IEOPT: [Cache_Update_Frequency] Once_Per_Session IEOPT: [Display Inline Images] yes IEOPT: [Do404Search] IEOPT: [Local Page] C:\WINDOWS\system32\blank.htm IEOPT: [Save_Session_History_On_Exit] no IEOPT: [Show_FullURL] no IEOPT: [Show_StatusBar] yes IEOPT: [Show_ToolBar] yes IEOPT: [Show_URLinStatusBar] yes IEOPT: [Show_URLToolBar] yes IEOPT: [Start Page] http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2 IEOPT: [Use_DlgBox_Colors] yes IEOPT: [Search Page] http://www.google.com IEOPT: [NotifyDownloadComplete] no IEOPT: [FullScreen] no IEOPT: [Window_Placement] , IEOPT: [Use FormSuggest] yes IEOPT: [HistoryViewType] IEOPT: [AddToFavoritesExpanded] IEOPT: [Use Search Asst] no IEOPT: [Search Bar] http://www.google.com/ie IEOPT: [Enable Browser Extensions] yes IEOPT: [XMLHTTP] IEOPT: [UseClearType] yes IEOPT: [AlwaysShowMenus] IEOPT: [Play_Background_Sounds] yes IEOPT: [Play_Animations] yes IEOPT: [CompatibilityFlags] IEOPT: [SearchMigrated] IEOPT: [SearchMigratedDefaultName] Google IEOPT: [SearchMigratedDefaultURL] http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com. 
microsoft:en-US&ie=utf8&oe=utf8 IEOPT: [SearchMigratedInstalled] IEOPT: [RunOnceHasShown] IEOPT: [RunOnceComplete] IEOPT: [Error Dlg Displayed On Every Error] no IEOPT: [StatusBarWeb] IEOPT: [ControlTooltipCount] IEOPT: [Save Directory] C:\Documents and Settings\malachi\My Documents\ IEOPT: [Expand Alt Text] no IEOPT: [Move System Caret] no IEOPT: [NscSingleExpand] IEOPT: [DisableScriptDebuggerIE] yes IEOPT: [Page_Transitions] IEOPT: [FavIntelliMenus] no IEOPT: [UseThemes] IEOPT: [EnableSearchPane] IEOPT: [Force Offscreen Composition] IEOPT: [AllowWindowReuse] IEOPT: [Friendly http errors] yes IEOPT: [SmoothScroll] IEOPT: [Enable AutoImageResize] yes IEOPT: [Show image placeholders] IEOPT: [Print_Background] no IEOPT: [AutoSearch] IEOPT: [AutoHide] no IEOPT: [ShowedCheckBrowser] Yes IEOPT: [Check_Associations] no IEOPT: [Default_Page_URL] http://go.microsoft.com/fwlink/?LinkId=69157 IEOPT: [Default_Search_URL] http://go.microsoft.com/fwlink/?LinkId=54896 IEOPT: [Search Page] http://go.microsoft.com/fwlink/?LinkId=54896 IEOPT: [Enable_Disk_Cache] yes IEOPT: [Cache_Percent_of_Disk] IEOPT: [Delete_Temp_Files_On_Exit] yes IEOPT: [Local Page] %SystemRoot%\system32\blank.htm IEOPT: [Anchor_Visitation_Horizon] IEOPT: [Use_Async_DNS] yes IEOPT: [Placeholder_Width] IEOPT: [Placeholder_Height] IEOPT: [Start Page] http://go.microsoft.com/fwlink/?LinkId=69157 IEOPT: [CompanyName] Microsoft Corporation IEOPT: [Custom_Key] MICROSO IEOPT: [Wizard_Version] 6.0.2600.0000 IEOPT: [FullScreen] no IEOPT: [Default_Secondary_Page_URL] IEOPT: [Extensions Off Page] about:NoAdd-ons IEOPT: [Security Risk Page] about:SecurityRisk IEOPT: [Check_Associations] yes Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:09:04 PM, on 5/21/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe 
C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\taskmgr.exe C:\WINDOWS\explorer.exe C:\WINDOWS\eHome\ehRecvr.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local R3 - URLSearchHook: Yahoo! 
Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O1 - Hosts: 0.0.0.1 www.facebook.com O1 - Hosts: 0.0.0.2 facebook.com O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O3 - Toolbar: gktxaspm - {9CF47BCD-57A7-4591-BEA0-F37911D9D1EB} - C:\WINDOWS\gktxaspm.dll (file missing) O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [ac22098a] rundll32.exe "C:\WINDOWS\system32\atuflxto.dll",b O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user') O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: 
http://www.merriam-webster.com O15 - Trusted Zone: http://www.runescape.com O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/...nlineGames.cab O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1193939347000 O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://cid-2412d39e051747cb.spaces.l...d/MsnPUpld.cab O16 - DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5...ndows-i586.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/webgames/popcaploader_v10.cab O21 - SSODL: gnowmebk - {2992B3E3-F03A-43B1-92BC-C5196C6868E0} - C:\WINDOWS\gnowmebk.dll O21 - SSODL: pxgdslro - {622CA5DB-A778-48E6-907C-E7BD06D3EE02} - C:\WINDOWS\pxgdslro.dll O21 - SSODL: BootCheck - {621e5d81-1172-4bf0-9c16-6d1bbb1f3b3d} - C:\WINDOWS\Resources\BootCheck.dll O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm -- End of file - 5878 bytes
Okay, that really is everything. Any thoughts?
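As an added example (not from the thread, CWShredder or HijackThis), a small Python triage script that applies the persistence heuristics a responder would run over a log like the one above: a redirected IE start page, hosts-file overrides, toolbar entries pointing at missing files, a Run key that loads a DLL through rundll32 under a random name, an SSODL DLL dropped directly in C:\WINDOWS, and an Active Desktop component served from a local file. The sample log is constructed from entries quoted in the post, and the allowlist of expected start-page hosts is an assumption.

```python
import re

# Constructed sample in HijackThis v2 log format, modelled on entries quoted in
# the post above. The Java and iPod lines are ordinary entries included to show
# that the heuristics leave legitimate software alone.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php
O1 - Hosts: 0.0.0.1 www.facebook.com
O3 - Toolbar: gktxaspm - {9CF47BCD-57A7-4591-BEA0-F37911D9D1EB} - C:\WINDOWS\gktxaspm.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ac22098a] rundll32.exe "C:\WINDOWS\system32\atuflxto.dll",b
O21 - SSODL: gnowmebk - {2992B3E3-F03A-43B1-92BC-C5196C6868E0} - C:\WINDOWS\gnowmebk.dll
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""

# Assumed allowlist: the IE default and the search engine the poster uses.
# Any other Start Page host is reported as a hijack.
EXPECTED_START_HOSTS = ("go.microsoft.com", "www.google.com")

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
HEX_NAME_RE = re.compile(r"\[[0-9a-f]{8}\]")          # random names like [ac22098a]
WINROOT_DLL_RE = re.compile(r"(?i)C:\\WINDOWS\\[^\\]+\.dll$")  # DLL directly in C:\WINDOWS

def triage(log_text):
    """Return (code, reason, line) for every entry that matches a persistence heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        reason = None
        if code in ("R0", "R1") and "Start Page" in body:
            # Rogue software rewrites the start page to its own landing site.
            url = body.split("=", 1)[1].strip()
            host = re.sub(r"^https?://", "", url).split("/")[0]
            if host not in EXPECTED_START_HOSTS:
                reason = f"IE start page redirected to {host}"
        elif code == "O1":
            # HijackThis lists every hosts entry other than the default loopback line.
            ip, domain = body.replace("Hosts:", "").split()[:2]
            reason = f"hosts file maps {domain} to {ip}"
        elif code in ("O2", "O3") and "(file missing)" in body:
            reason = "toolbar/BHO registration points at a missing file"
        elif code == "O4" and "rundll32.exe" in body.lower():
            # A Run key that loads a DLL via rundll32 under a random name is the
            # loader pattern seen with atuflxto.dll in the thread.
            if HEX_NAME_RE.search(body) or "\\system32\\" in body.lower():
                reason = "Run key loads a DLL through rundll32"
        elif code == "O21" and WINROOT_DLL_RE.search(body):
            reason = "ShellServiceObjectDelayLoad DLL placed directly in C:\\WINDOWS"
        elif code == "O24" and "file:///" in body.lower():
            # The 'big red background' is an Active Desktop web component.
            reason = "Active Desktop component served from a local HTML file"
        if reason:
            findings.append((code, reason, line))
    return findings


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"{code:<4}{reason}\n    {line}")
```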
05-21-2008, 08:13 PM | #2
My uncle got it. IT techs at my work couldn't get rid of it by conventional means and had to reinstall Windows. To get rid of the red background, right-click on the desktop, Properties > Desktop > Customize Desktop > Web, and uncheck and delete the entry that does not say "My Current Web Page".
Norton, Windows Defender, AdAware and Spybot couldn't get rid of it.
05-21-2008, 08:35 PM | #3
ShoppingReport.dll is the first suspect from my quick read... I'm still studying and researching some of the others... but ShoppingReport is the culprit of the moment.
http://www.smartshopper.com/SmartShopper/Default.aspx. Did you intend to install this application? QXK Rhythm is also a suspect file. You'll get an opportunity to remove this as well. I'd start with all the steps in this quote: