
Spyware 201

Discussion in 'BYTE ME: Technology discussion' started by Blacken, Jul 12, 2008.

  1. Blacken

    Blacken Robespierre in a Cape SoSH Member

    Messages:
    11,980
    QUOTE (OregonSoxFan @ Feb 10 2010, 03:28 PM)
    Okay, last week one of my office computers got hit with a Vundo infection. At the time, I was still running AVG, have since switched to Microsoft Security Essentials and sought their phone support yesterday to clean up the mess, all to no avail. Despite finding and removing 4 Vundo files during last night's scan, I'm still getting pop-ups and it also disables MSE's update service.

    Is my only solution to back up data and do a fresh install?
    MBAM should get it. Or, as Harry pointed out, there are

    That said, I'd do a fresh install anyway. Rule of thumb is, once you're owned, you don't have any assurances that you haven't been owned somewhere you can't detect.

    Are you an IT guy? Or is this a small business?
     
  2. OregonSoxFan

    OregonSoxFan lurker

    Messages:
    17
    QUOTE (Blacken @ Feb 11 2010, 10:31 AM)
    Are you an IT guy? Or is this a small business?

    Sort of yes to both. Solo lawyer and semi geek who tries to take care of most issues myself. My IT guy calls me his "most geeky" client.

    MBAM installed as suggested by Harry appears to have done the trick, although MSE in its daily scan last night did detect and remove one more instance of the infection. Haven't had any further problems so far today.
     
  3. Blacken

    Blacken Robespierre in a Cape SoSH Member

    Messages:
    11,980
    Ahh, gotcha.

    If you have multiple computers that are mostly similar, I might look into a disk imaging solution. Build a computer once, image it (creating a file you can store on an external drive or something) - if a computer gets trashed, just re-image it. Don't know if you want to spend that much time, but it makes dealing with this shit a lot easier. (Doing it for one of my clients right now, just sitting here waiting for the copy to finish.)
     
  4. DrBlinky

    DrBlinky Member SoSH Member

    Messages:
    714
    QUOTE (The Four Peters @ Feb 9 2010, 07:59 PM)
    Ok, found a hidden McAfee Folder in C:\ProgramData that has a few things in it that are pretty unrecognizable. Yet nothing regarding McAfee comes up in Add/Remove programs or the CC Cleaner Uninstall window. I'm guessing just straight deleting the folder probably isn't the way to go, right?

    Check out the McAfee Consumer Products Removal tool (MCPR.exe) found here. It might be able to find and clean up the McAfee installation.
     
  5. OregonSoxFan

    OregonSoxFan lurker

    Messages:
    17
    QUOTE (Blacken @ Feb 11 2010, 11:45 AM)
    If you have multiple computers that are mostly similar, I might look into a disk imaging solution. Build a computer once, image it (creating a file you can store on an external drive or something) - if a computer gets trashed, just re-image it.


    What imaging software would you recommend? I'm currently using SyncToy to back up my data to an external drive.
     
  6. Blacken

    Blacken Robespierre in a Cape SoSH Member

    Messages:
    11,980
    Well, I'm a nerd and I'm poor, so I just use Linux and the dd command. We use Norton Ghost at work, though, and it's pretty easy to get along with.
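    The re-image approach Blacken describes (build once, image to an external drive, restore when a box gets trashed) has one check worth adding: hash the image when you take it and verify it before you restore it, since a golden image that was itself tampered with would re-infect every machine it is restored to. The following is an added example, not code from this thread or from any imaging product; it does in Python what `dd` plus `sha256sum` would do, and the `demo()` function runs on a constructed 3 MiB stand-in file rather than a real disk.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read/write 1 MiB at a time, the role dd's bs= plays


def make_image(source, image_path):
    """Stream `source` (a regular file, or a block device such as /dev/sdX when
    run with enough privilege) into `image_path` and record its SHA-256 in a
    sidecar manifest next to it.  Returns the hex digest."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        while True:
            chunk = src.read(CHUNK)
            if not chunk:
                break
            h.update(chunk)
            dst.write(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image really reached the external drive
    digest = h.hexdigest()
    # 'digest  filename' is the line format `sha256sum -c` reads, so the manifest
    # can also be checked from a rescue shell without this script.
    with open(image_path + ".sha256", "w") as manifest:
        manifest.write(f"{digest}  {os.path.basename(image_path)}\n")
    return digest


def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(image_path):
    """True only if the image still hashes to what the manifest recorded.
    False means the golden image was changed after it was taken and must not
    be restored onto anything."""
    with open(image_path + ".sha256") as manifest:
        expected = manifest.read().split()[0]
    return hash_file(image_path) == expected


def demo():
    """Constructed end-to-end run: image a fake 3 MiB disk, verify the image,
    flip one byte of it, verify again.  Returns (before_tamper, after_tamper)."""
    with tempfile.TemporaryDirectory() as work:
        disk = os.path.join(work, "fake-disk.bin")
        image = os.path.join(work, "golden.img")
        with open(disk, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 123))  # odd size: last chunk is partial
        make_image(disk, image)
        clean = verify_image(image)
        with open(image, "r+b") as f:  # simulate a corrupted or tampered image
            f.seek(CHUNK + 7)
            byte = f.read(1)
            f.seek(CHUNK + 7)
            f.write(bytes([byte[0] ^ 0x01]))
        return clean, verify_image(image)


if __name__ == "__main__":
    print(demo())
```

    Keep the `.sha256` manifest somewhere other than the drive holding the image (a printed copy is fine); an attacker who can rewrite the image can rewrite a manifest sitting beside it.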
     
  7. NomoMrNiceGuy

    NomoMrNiceGuy Member SoSH Member

    Messages:
    166
    QUOTE (OregonSoxFan @ Feb 10 2010, 03:28 PM)
    Okay, last week one of my office computers got hit with a Vundo infection. At the time, I was still running AVG, have since switched to Microsoft Security Essentials and sought their phone support yesterday to clean up the mess, all to no avail. Despite finding and removing 4 Vundo files during last night's scan, I'm still getting pop-ups and it also disables MSE's update service.

    Is my only solution to back up data and do a fresh install?


    Echoing some other comments on removal, I would ensure that you've disabled System Restore, then run this Vundo fix from Safe Mode - http://www.atribune.org/ccount/click.php?id=4

    We'd need to see the vundo.txt file if it's unsuccessful.

    If that doesn't fix it, use VirtumondoBeGone - http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

    It's probably a good idea to use something like Process Explorer to help map what's running to its executable.
    http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx

    Going forward, imaging software is certainly the best option...assuming you have similar hardware. In cases like this, it's a time issue and you're often better served to return to a safe image than to work with removal tools.
     
  8. NomoMrNiceGuy

    NomoMrNiceGuy Member SoSH Member

    Messages:
    166
  9. TFP

    TFP Dope Dope

    Messages:
    16,882
    QUOTE (DrBlinky @ Feb 12 2010, 12:52 AM)
    Check out the McAfee Consumer Products Removal tool (MCPR.exe) found here. It might be able to find and clean up the McAfee installation.

    Gene Tenace to the plate. Annnnnd whammy.

    This got it. Thanks.
     
  10. Oil Can Dan

    Oil Can Dan Well-Known Member Lifetime Member SoSH Member

    Messages:
    6,434
    So I got nailed with this Antispyware 2010 virus. Nasty stuff. This happened on my work laptop, and after reading all 11 pages of this thread I'm thinking the best thing for me to do is to have IT reformat the whole thing tomorrow morning. So, before I do that I thought I'd ask a couple questions:

    1. Will taking documents and pictures off the laptop via thumb drive cause any potential danger to the reformatted computer?
    2. How do I get my iTunes music library off the work computer and onto another? I am obviously a total idiot because I'm not finding an easy answer anywhere. Also, I should de-authorize the computer as I have apparently used up all 5 of my freebies so far.

    I can't seem to do jack on the laptop as things stand. I'm prevented from opening the Task Folder, so I'm a slave to the various popups. Awful, frustrating shit. My own fault though - I'm pretty sure I know where I got the virus from.

    Any help is appreciated!
     
  11. kneemoe

    kneemoe Member SoSH Member

    Messages:
    2,136
    QUOTE (Oil Can Dan @ Feb 15 2010, 03:01 PM)
    So I got nailed with this Antispyware 2010 virus. Nasty stuff. This happened on my work laptop, and after reading all 11 pages of this thread I'm thinking the best thing for me to do is to have IT reformat the whole thing tomorrow morning. So, before I do that I thought I'd ask a couple questions:

    1. Will taking documents and pictures off the laptop via thumb drive cause any potential danger to the reformatted computer?
    2. How do I get my iTunes music library off the work computer and onto another? I am obviously a total idiot because I'm not finding an easy answer anywhere. Also, I should de-authorize the computer as I have apparently used up all 5 of my freebies so far.

    I can't seem to do jack on the laptop as things stand. I'm prevented from opening the Task Folder, so I'm a slave to the various popups. Awful, frustrating shit. My own fault though - I'm pretty sure I know where I got the virus from.

    Any help is appreciated!


    That's actually a pretty easy one to get rid of, usually - it'll reside in your Docs & Settings/User (replace w/ your username)/Local Settings/Temp folder and be some randomly named (gibberish) .exe. It'll get called in the registry under the 'local user/software/microsoft/windows/current version/run' key, and you can just delete that entry (sometimes you need to hack out the infection first, as it will often make regedit not run).
    You can usually find it easiest by date sorting that folder.
    After you do that update Flash and Adobe Reader, and any security updates IE might need. Don't know which fix does it, but those updates usually make it so I don't have to revisit the same machine (whereas when I don't update those....)
     
  12. Oil Can Dan

    Oil Can Dan Well-Known Member Lifetime Member SoSH Member

    Messages:
    6,434
    All I know is that I had upwards of 15 different trojans and everything was pretty messed up to the point that I wowed the head of my IT department. We reformatted everything and started from scratch. All appears good now, except I'm not sure about my iTunes Battlestar Galactica purchases. :)
     
  13. IpswichSox

    IpswichSox Well-Known Member Gold Supporter SoSH Member

    Messages:
    2,482
    My wife's computer has Vista Antivirus 2010. She also had this previously (2009 version?), and I think then I removed it with Malwarebytes. But a quick and full Malwarebytes scan didn't detect the 2010 version (I updated Malwarebytes before doing the scans). There are a lot of Antivirus 2010 removal tools and techniques posted online -- is there one that's preferred or one that I should use? Thanks.
     
  14. sittingstill

    sittingstill Well-Known Member Lifetime Member SoSH Member

    Messages:
    1,483
    QUOTE (IpswichSox @ Feb 24 2010, 03:18 PM)
    My wife's computer has Vista Antivirus 2010. She also had this previously (2009 version?), and I think then I removed it with Malwarebytes. But a quick and full Malwarebytes scan didn't detect the 2010 version (I updated Malwarebytes before doing the scans). There are a lot of Antivirus 2010 removal tools and techniques posted online -- is there one that's preferred or one that I should use? Thanks.

    My brother just called and has some version of Vista Antivirus--not sure if it's 2009 or 2010. Trying to research it online, I found this page, which seems to suggest that you need an extra step--that you can't download Malwarebytes to the infected machine itself but need to download it on a clean one and transfer it via a drive. Seems like the report from IpswichSox might bear this out. Thoughts?
     
  15. PortlandSoxFan

    PortlandSoxFan Father of Idontgiveafuckism Lifetime Member SoSH Member

    Messages:
    6,139
    Guy at work has the XP Antivirus 2010...he already had Malwarebytes, so I booted into safe mode, updated, scanned...it found a couple of things and I thought it was gone.

    However, THIS tricky little bugger does not completely disable Malwarebytes...it lets it update, but to a file older than what detects it (I didn't look at the date; I was just happy it let me update). I then installed the Microsoft product, as well as run a boot time scan with Avast (I've found Security Essentials and Avast work fine hand in hand). Thought it was all set...until he restarted and logged in...there it was again.

    http://forums.malwarebytes.org/index.php?showtopic=38629

    I did all the fixes as Administrator, not as him..so that may have been an issue. I'm logged in as him in safe mode now, and this bugger is still active and 'warning' me. Malwarebytes updated to a

    Evidently there is an extra step; you need to rename mbam.exe to mbam.com...then run it and update it and scan, and it will work properly and remove the annoying bugger.
     
  16. sfip

    sfip directly related to Marilyn Monroe Lifetime Member SoSH Member

    Messages:
    7,823
    Any tips on how to stop these popups?
    linksadoor.com
    theinternetsurvey.com
    thewebsitesurvey.com

    I have ZoneAlarm (no I'm not replacing that), Firefox and Adblock Plus. I added all 3 sites with an asterisk after it to my Adblock Plus Preferences. I did the right-click>>Adblock Plus: block image on every image I could try on those 3 sites, but I still get popups from all 3.
     
  17. bosox4283

    bosox4283 Member SoSH Member

    Messages:
    3,761
    I just ran a HijackThis scan, and as instructed, I am posting the scan results here:




    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:44:22 AM, on 3/28/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16981)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\AskBarDis\bar\bin\AskService.exe
    C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    C:\Program Files\HP\QuickPlay\QPService.exe
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\Java\jre6\bin\jucheck.exe
    C:\Program Files\MSN Toolbar\Platform\4.0.0346.1\mswinext.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Documents and Settings\Kevin Brown\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Kevin Brown\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Documents and Settings\Kevin Brown\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/accounts/ServiceLogi...mp;ltmplcache=2
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: MSN Toolbar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\4.0.0346.1\npwinext.dll
    O2 - BHO: Java(TM) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O3 - Toolbar: MSN Toolbar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\4.0.0346.1\npwinext.dll
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
    O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [TalkAndWrite] C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\1163D2B46CC742E5A3CC9E4157887751\TalkAndWrite.exe /run
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [MSN Toolbar] "C:\Program Files\MSN Toolbar\Platform\4.0.0346.1\mswinext.exe"
    O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Kevin Brown\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [VoipBuster] "C:\Program Files\VoipBuster.com\VoipBuster\VoipBuster.exe" -nosplash -minimized
    O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
    O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
    O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
    O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://pinkemc.spaces.live.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
    O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://pinkemc.spaces.live.com/PhotoUpload/MsnPUpld.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
    O16 - DPF: {D6E0B119-DCF2-4CD6-8DFB-7CFF1B70F7FF} (TeamOn Import Object) - https://bis.na.blackberry.com/html/web/clie...ls/TOImport.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
    O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://juniper.net/dana-cached/sc/JuniperSetupClient.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
    O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe


    Thanks for all your help. This topic has been incredibly informative and useful.
     
  18. OilCanShotTupac

    OilCanShotTupac Sunny von Bulow Gold Supporter SoSH Member

    Messages:
    16,312
    Just want to thank everyone in this thread, especially the original poster. My laptop caught something nasty and I had to reformat it. It wasn't nearly as hard as I thought it would be. I'm fine now and running Malwarebytes and Microsoft Security Essentials.

    Thanks again.
     
  19. IpswichSox

    IpswichSox Well-Known Member Gold Supporter SoSH Member

    Messages:
    2,482
    Is Microsoft Security Essentials better than McAfee or another fee-based AV?

    I have a McAfee subscription expiring next month, and I need to make a decision. For me, it's not a question of financially needing to go with a free AV option, but I'm not interested in throwing cash away either. Thoughts?
     
  20. Blacken

    Blacken Robespierre in a Cape SoSH Member

    Messages:
    11,980
    QUOTE (IpswichSox @ Apr 15 2010, 11:15 AM)
    Is Microsoft Security Essentials better than McAfee or another fee-based AV?

    I have a McAfee subscription expiring next month, and I need to make a decision. For me, it's not a question of financially needing to go with a free AV option, but I'm not interested in throwing cash away either. Thoughts?
    There are good for-pay AVs. Nothing made by McAfee qualifies, and the difference between the "best" and the "worst" AVs is pretty small. MSE is somewhere between "good enough" and "good", and it's pretty light on system resources.
     
  21. Dogman2

    Dogman2 Yukon Cornelius Dope

    Messages:
    13,536
    Blacken,

    Something is attacking my machine. The virus has popped up as XP Defender in the tool bar. My firewall has been disabled and I cannot turn it back on. I have the latest Avast and have run 2 boot scans and nothing comes up. I downloaded windows defender and ran that scan and nothing comes up. I downloaded Malwarebytes but for some reason the program will not run.

    I think the virus came from Maalox's post about Russian Cheerleaders in the things learned recently thread.

    What's next?
     
  22. DrBlinky

    DrBlinky Member SoSH Member

    Messages:
    714
    QUOTE (Dogman2 @ Apr 19 2010, 01:23 PM)
    Blacken,

    Something is attacking my machine. The virus has popped up as XP Defender in the tool bar. My firewall has been disabled and I cannot turn it back on. I have the latest Avast and have run 2 boot scans and nothing comes up. I downloaded windows defender and ran that scan and nothing comes up. I downloaded Malwarebytes but for some reason the program will not run.

    I think the virus came from Maalox's post about Russian Cheerleaders in the things learned recently thread.

    What's next?

    I recently took care of a relative's machine that had been infected with a 'rogue antivirus' malware. I downloaded and then tried to install Malwarebytes, but the malware prevented its installation.

    Booting in safe mode, however, allowed me to install Malwarebytes and run it. It took care of the rogue AV problem.

    If you haven't yet tried installing Malwarebytes in safe mode, I'd give that a try.
     
  23. Dogman2

    Dogman2 Yukon Cornelius Dope

    Messages:
    13,536
    QUOTE (DrBlinky @ Apr 19 2010, 11:56 AM)
    I recently took care of a relative's machine that had been infected with a 'rogue antivirus' malware. I downloaded and then tried to install Malwarebytes, but the malware prevented its installation.

    Booting in safe mode, however, allowed me to install Malwarebytes and run it. It took care of the rogue AV problem.

    If you haven't yet tried installing Malwarebytes in safe mode, I'd give that a try.



    How do I go about doing that?
     
  24. DrBlinky

    DrBlinky Member SoSH Member

    Messages:
    714
    QUOTE (Dogman2 @ Apr 19 2010, 02:07 PM)
    How do I go about doing that?

    As the machine boots, press F8 a couple of times. You'll get a menu with a variety of different boot options. Usually I would say to choose simply 'Safe Mode'. However, since Malwarebytes isn't yet installed, you'll want to select 'Safe Mode with Networking' so that you can pull down the latest Malwarebytes definition file following its installation. (I had to deal with the same issue regarding downloading the updates to Malwarebytes.)

    Note: Since you're not loading all your drivers when starting in safe mode, your display is probably going to look different. Your desktop will probably display in a lower resolution, such as 800x600. When you go back to running in 'normal' mode, it will go back to your prior resolution.
     
  25. Alcohol&Overcalls

    Alcohol&Overcalls Member SoSH Member

    Messages:
    1,686
    Also try turning on file extensions, and changing the mbam.EXE to mbam.COM and running the program that way - should not affect performance, and seems to get around many of the infections.
     
  26. Dogman2

    Dogman2 Yukon Cornelius Dope

    Messages:
    13,536
    Thanks for the help folks.

    New member Ean611 was of major assistance in the great purge. Kudos to him as my system is running better than before.
     
  27. Rod Becks Mullet

    Rod Becks Mullet Member SoSH Member

    Messages:
    2,023
    I appear to have a virus that keeps popping up "Desktop Security 2010" windows. From what I've read it's not incredibly harmful, just more annoying than anything else. However, I can't seem to get rid of it. I've got Microsoft Security, but after I run a clean, it still shows a potential threat. Also it's somehow blocked from downloading updates. So I downloaded Malwarebytes (which I've read is supposed to work well on removing it), but for some reason, it won't open. I'm assuming the virus may have something to do with this. Any thoughts?


    If it helps, I ran HijackThis, and here's my log



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:35:33 AM, on 5/7/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Microsoft Security Essentials\msseces.exe
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\Program Files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\system32\svchost.exe
    c:\Program Files\Microsoft Security Essentials\MpCmdRun.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.cbs.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
    O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
    O4 - HKLM\..\Run: [eBook Library Launcher] C:\Program Files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe
    O4 - HKLM\..\Run: [SetupConnectivity] C:\DOCUME~1\Bill\LOCALS~1\Temp\TjAI.exe
    O4 - HKLM\..\Run: [mlihffsys] rundll32.exe "yabcde.dll",DllRegisterServer
    O4 - HKLM\..\Run: [dddbcddrv] rundll32.exe "jkkhhi.dll",s
    O4 - HKLM\..\Run: [vttspndrv] rundll32.exe "wvwtrr.dll",s
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ServiceLibrary] c:\docume~1\bill\locals~1\temp\tjai.exe
    O4 - HKLM\..\Run: [ErrorReporting] c:\program files\common files\microsoft shared\dw\3082\microsofterror.exe
    O4 - HKLM\..\Run: [RICHINKActiveSync] c:\program files\microsoft activesync\richinkmicrosoft.exe
    O4 - HKLM\..\Run: [Data32CdrMmc32] C:\program files\real\realplayer\cdburning\realnetworkspdnodewrapper25081.exe
    O4 - HKLM\..\Run: [ReportingDWIntl20] c:\program files\common files\microsoft shared\dw\3082\microsofterror.exe
    O4 - HKLM\..\RunServices: [AcsInstallSetup] C:\DOCUME~1\Bill\LOCALS~1\Temp\TjAI.exe
    O4 - HKLM\..\RunServices: [SonyLibrary9961] c:\docume~1\bill\locals~1\temp\tjai.exe
    O4 - HKLM\..\RunServices: [psecuedummycomponent00psecuedummycomponent00] c:\program files\hp\digital imaging\plugins\imagingpsecuedummycomponent00.exe
    O4 - HKLM\..\RunServices: [iTunesiPodServiceLocalized] c:\program files\ipod\bin\ipodservice.resources\ko.lproj\ipodservicelocalizeditunes9.0.0.53.exe
    O4 - HKLM\..\RunServices: [DataEx32RealNetworks25081] c:\program files\real\realplayer\cdburning\realnetworkspdnodewrapper25081.exe
    O4 - HKLM\..\RunServices: [QuickTimeResourcesQuickTime7.6.4] c:\program files\quicktime\qtsystem\quicktimeinternetextras.resources\pl.lproj\quicktimeresourcesquicktime.exe
    O4 - HKLM\..\RunServices: [RealNetworksProducts] C:\program files\real\realplayer\cdburning\realnetworkspdnodewrapper25081.exe
    O4 - HKLM\..\RunServices: [ReportingError] c:\program files\common files\microsoft shared\dw\3082\microsofterror.exe
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKCU\..\Run: [fmacweuwuok6] C:\Documents and Settings\Bill\Local Settings\Temp\m.282.tmp.exe
    O4 - HKCU\..\Run: [vtuturdrv] rundll32.exe "jkkhhi.dll",s
    O4 - HKCU\..\Run: [SecurityCenter] C:\Documents and Settings\Bill\Application Data\Desktop Security 2010\securitycenter.exe
    O4 - HKCU\..\Run: [opmjkldrv] rundll32.exe "wvwtrr.dll",s
    O4 - HKUS\S-1-5-18\..\Run: [tusqomsys] rundll32.exe "yabcde.dll",DllRegisterServer (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [awwxuudrv] rundll32.exe "jkkhhi.dll",s (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [byywxxdrv] rundll32.exe "wvwtrr.dll",s (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [tusqomsys] rundll32.exe "yabcde.dll",DllRegisterServer (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173313210734
    O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747} - http://pak05.pictures.aol.com/ygp/aol/plug...US.9.1.6.18.cab
    O18 - Filter: video/x-flv - {08C72DD4-19AD-49f1-83DA-8542B4D302C5} - C:\DOCUME~1\Bill\LOCALS~1\Temp\F.tmp
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe (file missing)
    O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
    O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

    --
    End of file - 8675 bytes
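As an added example (not code from anyone in this thread or from HijackThis), a small Python triage script for the O4 and O18 lines of a log like the one above: it flags binaries launched from Temp or the user profile, rundll32 loading a DLL by bare name, and one binary registered under several different autorun value names (as TjAI.exe is here). The sample lines are a constructed subset of the log above, and the rules are heuristics to decide what to look at first, not a verdict.

```python
"""Triage of HijackThis O4 (autorun) and O18 (filter) entries.
Added example, not HijackThis code; heuristics only.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# "O4 - HKLM\..\Run: [name] command (User 'SYSTEM')"  (user part optional)
O4_RE = re.compile(
    r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$"
)
# "O18 - Filter: mime/type - {GUID} - path"
O18_RE = re.compile(r"^O18 - Filter: (?P<name>\S+) - \{[^}]+\} - (?P<cmd>.+)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)', re.I)
TEMP_RE = re.compile(r"\\temp\\", re.I)
PROFILE_RE = re.compile(r"\\(documents and settings|docume~1)\\", re.I)


@dataclass
class Finding:
    name: str                     # autorun value name, or MIME type for O18
    path: str                     # binary launched, or DLL handed to rundll32
    reasons: list = field(default_factory=list)


def launched_path(cmd: str) -> str:
    """Best-effort extraction of the program (or DLL) an HJT command runs."""
    m = RUNDLL_RE.match(cmd)
    if m:
        return m.group("dll")
    m = re.match(r'"([^"]+)"', cmd)          # quoted path, arguments follow
    if m:
        return m.group(1)
    m = re.match(r"(.+?\.(?:exe|com|scr|dll|tmp))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def triage(log_text: str) -> list:
    """Return the entries that have at least one reason to be looked at."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip()) or O18_RE.match(line.strip())
        if not m:
            continue
        cmd = m.group("cmd")
        f = Finding(m.group("name"), launched_path(cmd))
        if RUNDLL_RE.match(cmd) and "\\" not in f.path:
            f.reasons.append("rundll32 loads a DLL by bare name (search-path resolved)")
        if TEMP_RE.search(f.path):
            f.reasons.append("launched from a Temp directory")
        elif PROFILE_RE.search(f.path):
            f.reasons.append("launched from the user profile, not Program Files")
        entries.append(f)
    # One binary registered under several different value names is a
    # persistence pattern, not something installers normally do.
    names_by_path = defaultdict(set)
    for f in entries:
        names_by_path[f.path.lower()].add(f.name)
    for f in entries:
        n = len(names_by_path[f.path.lower()])
        if n > 1:
            f.reasons.append(f"same binary registered under {n} different names")
    return [f for f in entries if f.reasons]


# Constructed sample: a subset of the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [SetupConnectivity] C:\DOCUME~1\Bill\LOCALS~1\Temp\TjAI.exe
O4 - HKLM\..\Run: [mlihffsys] rundll32.exe "yabcde.dll",DllRegisterServer
O4 - HKLM\..\Run: [ServiceLibrary] c:\docume~1\bill\locals~1\temp\tjai.exe
O4 - HKLM\..\Run: [ErrorReporting] c:\program files\common files\microsoft shared\dw\3082\microsofterror.exe
O4 - HKLM\..\Run: [ReportingDWIntl20] c:\program files\common files\microsoft shared\dw\3082\microsofterror.exe
O4 - HKCU\..\Run: [SecurityCenter] C:\Documents and Settings\Bill\Application Data\Desktop Security 2010\securitycenter.exe
O4 - HKUS\S-1-5-18\..\Run: [awwxuudrv] rundll32.exe "jkkhhi.dll",s (User 'SYSTEM')
O18 - Filter: video/x-flv - {08C72DD4-19AD-49f1-83DA-8542B4D302C5} - C:\DOCUME~1\Bill\LOCALS~1\Temp\F.tmp
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.name}] {f.path}")
        for r in f.reasons:
            print("    -", r)
```

Entries with no reason (MSSE, QuickTime) are dropped from the output; everything else is listed with the rule that caught it, so the responder reads the short list first instead of the whole log.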
     
  28. The_Powa_of_Seiji_Ozawa

    The_Powa_of_Seiji_Ozawa Member SoSH Member

    Messages:
    5,481
    QUOTE (Rod Becks Mullet @ May 7 2010, 08:42 AM)
    I appear to have a virus that keeps popping up "Desktop Security 2010" windows. From what I've read it's not incredibly harmful, just more annoying than anything else. However, I can't seem to get rid of it. I've got Microsoft Security, but after I run a clean, it still shows a potential threat. Also it's somehow blocked from downloading updates. So I downloaded Malwarebytes (which I've read is supposed to work well on removing it), but for some reason, it won't open. I'm assuming the virus may have something to do with this. Any thoughts?

    I had a similar problem on one of my older machines and it turns out the trigger for this thing was buried in the Windows backup/System restore files. Some antivirus/antimalware programs don't always do a thorough job of digging that deep. I've had good results with the new Symantec/Norton Endpoint (the previous AV version was horrible, bloated and ineffective).
     
  29. DrBlinky

    DrBlinky Member SoSH Member

    Messages:
    714
    QUOTE (Rod Becks Mullet @ May 7 2010, 08:42 AM)
    I appear to have a virus that keeps popping up "Desktop Security 2010" windows. From what I've read it's not incredibly harmful, just more annoying than anything else. However, I can't seem to get rid of it. I've got Microsoft Security, but after I run a clean, it still shows a potential threat. Also it's somehow blocked from downloading updates. So I downloaded Malwarebytes (which I've read is supposed to work well on removing it), but for some reason, it won't open. I'm assuming the virus may have something to do with this. Any thoughts?

    Regarding the installation of Malwarebytes, see my post here. I had a similar situation but was able to install it in safe mode.
     
  30. Rod Becks Mullet

    Rod Becks Mullet Member SoSH Member

    Messages:
    2,023
    yeah, I tried installing Malwarebytes in safe mode also, still didn't open.
     
  31. Harry Hooper

    Harry Hooper Well-Known Member Lifetime Member SoSH Member

    Messages:
    24,748
    RBM, did you try the bolded suggestion?

    QUOTE (Alcohol&Overcalls @ Apr 19 2010, 06:20 PM)
    Also try turning on file extensions, and changing the mbam.EXE to mbam.COM and running the program that way - should not affect performance, and seems to get around many of the infections.
     
  32. Rod Becks Mullet

    Rod Becks Mullet Member SoSH Member

    Messages:
    2,023
    Ah, missed that step. Changing the exe extension seemed to work. Somewhat related question: I had AVG Anti-Virus on my computer, should I uninstall that since I loaded up Malwarebytes? Will that affect how quickly my computer boots and loads, or is it okay to have both?
     
  33. Blacken

    Blacken Robespierre in a Cape SoSH Member

    Messages:
    11,980
    Malwarebytes and AVG are tools designed to address different issues. Having both is fine.
     
  34. John Marzano Olympic Hero

    John Marzano Olympic Hero has fancy plans, and pants to match Dope

    Messages:
    19,678
    I think that I may have the same problem that some of you guys have had. Basically I am getting a million pop-ups for Antispywaresoft or something similar. In addition, I keep getting notices saying that certain programs are being compromised and that I need to DL this software to stop it.

    It's more of a pain in the ass than anything else, it seems to me that the proper course of action is to DL malwarebytes, power down my computer, boot it up in safe mode and install it. Do I have that correct?

    Thanks.
     
  35. John Marzano Olympic Hero

    John Marzano Olympic Hero has fancy plans, and pants to match Dope

    Messages:
    19,678
    Guys, I was able to fix it.
     
  36. mascho

    mascho Kane is Able SoSH Member

    Messages:
    14,951
    Yeah, my office computer got hit with that Antispyware Soft program as well. Was annoying for 20 minutes, and took about as long to get rid of it. First step was to download Process Explorer so I could actually run a Task Manager-type window, stop all the related applications/processes, and then blow everything away.
     
  37. loshjott

    loshjott Well-Known Member Gold Supporter SoSH Member

    Messages:
    7,717
    I'm getting a new Win 7 desktop and I want to install some protective defenses. It will be wired to my Verizon-supplied modem (I have FiOS). From reading this thread and having some general knowledge, this is my plan:

    Firewall: rely on Windows firewall that comes with Win 7
    Anti-Virus: Avast
    Anti-Spyware: Malwarebytes
    Browsing: Firefox or Chrome only

    Any thoughts on Verizon's security apparatus?

    Or other things to install?

    Thanks in advance.
     
  38. roundegotrip

    roundegotrip Member SoSH Member

    Messages:
    1,940
    Yup, I got hit with antispyware soft, too, last night. Annoying little bugger.
     
  39. John Marzano Olympic Hero

    John Marzano Olympic Hero has fancy plans, and pants to match Dope

    Messages:
    19,678
    My father-in-law got a virus--he received an email with a link, clicked on it and the rest is history. Silly mistake. I'm not sure exactly what it is, I thought that it was the one that I got a few weeks ago (the one that we all seem to be getting) but I ran Malware and it did not find anything during the scan. However, his computer is only able to run in safe mode. When we start it in regular mode, nothing works. I can't get into any programs, if we can get into a program, it takes forever to run.

    Any ideas?
     
  40. Mystic Merlin

    Mystic Merlin Member SoSH Member

    Messages:
    29,493
    Ok, so, I'm having a problem with this anti-virus spyware.

    I attempted to install Malwarebytes, but I cannot access certain websites. I cannot access google or other random sites, but I can access some (espn, this one, etc.). How the hell can I get around this?

    EDIT - Would transferring the file via flash drive work?
     
  41. Alcohol&Overcalls

    Alcohol&Overcalls Member SoSH Member

    Messages:
    1,686
    QUOTE (Mystic Merlin @ Jun 10 2010, 01:30 AM)
    Ok, so, I'm having a problem with this anti-virus spyware.

    I attempted to install Malwarebytes, but I cannot access certain websites. I cannot access google or other random sites, but I can access some (espn, this one, etc.). How the hell can I get around this?

    EDIT - Would transferring the file via flash drive work?


    Generally, yes, it would. The virus is redirecting your web traffic, so using a jump drive should work well.

    Just a note, often the same virus will make you unable to open mbam.exe (the Malwarebytes file), which can be avoided using the workaround noted above: change the file extension to .com rather than .exe.
     
  42. Mystic Merlin

    Mystic Merlin Member SoSH Member

    Messages:
    29,493
    Yep, that worked.

    Thanks for the tip.
     
  43. Bongorific

    Bongorific Member SoSH Member

    Messages:
    5,726
    AVG picked up a threat today while surfing. File name: tmp49221929.exe. Threat name: Trojan horse Generic18.pln

    I have the free version of AVG. I can either move the file to the vault, ignore, or view the folder the file is in (local temp). Should I open the temp folder and delete the exe, or is there a better way to do this? It looks like I need the upgraded version of AVG to remove the threat.
     
  44. Jnai

    Jnai is not worried about sex with goats SoSH Member

    Messages:
    13,751
    I have an odd google redirect that seems to happen once in a while, usually to sites like bargainmatch.com.

    MalwareBytes is not picking up anything.

    Any suggestions for the next step?
     
  45. Catcher Block

    Catcher Block Member SoSH Member

    Messages:
    2,855
    QUOTE (Jnai @ Jul 10 2010, 09:55 AM)
    I have an odd google redirect that seems to happen once in a while, usually to sites like bargainmatch.com.

    MalwareBytes is not picking up anything.

    Any suggestions for the next step?


    I had this problem at work. IT managed to clear the initial infection, but as soon as I rebooted IE and clicked on any links as a result of a google search, I was redirected to similar sites. Like you, Malwarebytes (or SpyBot S&D, for that matter) didn't pick up anything on my machine.

    I did a little research and ended up downloading Hitman Pro and ran a scan during the day. Haven't had a problem since.

    Hitman Pro Download (via CNET)
     
  46. Nite Vizhun UV

    Nite Vizhun UV proctological researcher SoSH Member

    Messages:
    4,587
    I had been using the Comcast free Norton Antivirus on my 6 year old laptop (XP Pro 2002 SP3) for the past few months (I was using Comcast's free McAfee before that, until they switched to Norton). Ever since installing Norton, whenever I right-clicked on any folder, I would get an error and explorer.exe would crash, closing my task bar briefly before it restarted. I was a fool before, and now I've seen the light. I'm running Microsoft Security Essentials and all is right with the world once again.

    I also downloaded and ran Malwarebytes. I think, based on everything I read in this thread, that MSE and Malwarebytes are the only 2 things I need (along with my Windows Firewall of course) for the best protection.



    Question regarding the results of my Malwarebytes scan: I wound up with 2 items considered "malicious software". Both are registry items, but their item names give me pause:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify

    Are these really "malicious"? Should I go ahead and have Malwarebytes remove them?
     
  47. kneemoe

    kneemoe Member SoSH Member

    Messages:
    2,136
    It's just notifying you that you (or possibly a program) disabled Windows' notification/alerts that would remind you that the firewall/antivirus is not running or up to date. You can safely have malware change these, but then you'll get the bubble notification that you've disabled your firewall or whenever your AV isn't perfectly up to date. Frankly I find those annoying and have them disabled too.
     
  48. wibi

    wibi Member SoSH Member

    Messages:
    10,187
    My SIL just picked this up and Hitman Pro worked like a charm to fix it.
     
  49. rmurph3

    rmurph3 Member SoSH Member

    Messages:
    991
    Yup, Hitman Pro scrubbed this for me tonight, as well. Thanks for the tip.
     
  50. savage362

    savage362 Member SoSH Member

    Messages:
    1,307
