
Browser hijack disrupts tranquil home

Thank you for reading this and offering to restore peace and harmony in our household. Four years ago I came here for help with a browser hijack and learned a lot. I have practiced safe browsing ever since. My husband, however, did something I told him not to do and infected his computer with a nasty virus.

Using AVG, then McAfee, he has rooted out most of it, but there's still a hijack that reports out to DoubleClick and launches pop-ups. Now he has given it over to me for final mop-up.

That's about all there is to tell. Oh, except this: my dear husband spent $80 on an anti-virus program I never heard of which he found by asking Google about one of the dll files named in a Windows error message. The search hits on that file (three of them) all pointed to this vendor's site. I suspect it is part of the scam. I think they probably deployed this variant to sell their stuff. I had him remove it and ask for his money back. He did and got a refund instantly--on Sunday. I think that's part of the scam. Complainers get instant refunds to keep the heat off. They probably still make a bundle. Their program removed all the porn popups, too.

Here's his HJT log, thanks again for your help---DarthMom

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:30:58 AM, on 12/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Dell Video Chat\DellVideoChat.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee\msc\mcshell.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\regsvr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\McAfee\MSC\McLgView.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080826
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080826
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Cooxie - {DC99E960-6594-45e3-9D5D-141D825B8096} - C:\Program Files\Diodia Software\Cooxie Toolbar\Cooxie.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [{E7-78-85-5E-DW}] c:\windows\system32\rrwnw64l.exe DWmmm01
O4 - HKLM\..\Run: [cclsyqprrj] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\ofaijuhkxeivhkas.dll"
O4 - HKLM\..\Run: [{dacda840-6ea6-3d43-d565-5a048fc960f7}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gfgnxeeicq.dll" DllStart
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [manedigiko] Rundll32.exe "C:\WINDOWS\system32\hirisaki.dll",s
O4 - HKLM\..\Run: [787e78f1] rundll32.exe "C:\WINDOWS\system32\fdbaabhn.dll",b
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKCU\..\Run: [NVIDIA nTune] C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe resetprofile
O4 - HKCU\..\Run: [SightSpeed] "C:\Program Files\Dell Video Chat\DellVideoChat.exe" -bootmode
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [manedigiko] Rundll32.exe "C:\WINDOWS\system32\hirisaki.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [manedigiko] Rundll32.exe "C:\WINDOWS\system32\hirisaki.dll",s (User 'NETWORK SERVICE')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\ncntrsdl.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rrwnw64l.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,C:\WINDOWS\system32\fuwojake.dll ibpwie.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 8997 bytes

So, here's the HJT log

Comments

  • edited December 2008
    Hello and welcome to the forums

    My name is DeFe and I will be helping you to remove any infection(s) that you may have.

    Please observe these rules while we work:

    1. Please Read All Instructions Carefully
    2. If you don't understand something, stop and ask! Don't keep going on.
    3. Please do not run any other tools or scans whilst I am helping you
    4. Please continue to respond until I give you the "All Clear"
    (Just because you can't see a problem doesn't mean it isn't there)

    If you can do those few things, everything should go smoothly.
  • edited December 2008
    Thank you DeFe. I agree to your terms.
  • edited December 2008
    Hi, DarthMom. We will now begin the cleaning process, and I have one question about the software your husband bought.

    Question:
    What were the names of the anti-virus programs?

    The cleaning process begins here.

    Start HijackThis, press Do system scan only, and mark these lines.

    O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
    O4 - HKLM\..\Run: [{E7-78-85-5E-DW}] c:\windows\system32\rrwnw64l.exe DWmmm01
    O4 - HKLM\..\Run: [cclsyqprrj] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\ofaijuhkxeivhkas.dll"
    O4 - HKLM\..\Run: [{dacda840-6ea6-3d43-d565-5a048fc960f7}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gfgnxeeicq.dll" DllStart
    O4 - HKLM\..\Run: [manedigiko] Rundll32.exe "C:\WINDOWS\system32\hirisaki.dll",s
    O4 - HKLM\..\Run: [787e78f1] rundll32.exe "C:\WINDOWS\system32\fdbaabhn.dll",b
    O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\ncntrsdl.exe
    O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rrwnw64l.exe
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,C:\WINDOWS\system32\fuwojake.dll ibpwie.dll

    This green line is optional, so you can fix it if you want to.

    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

    Info about the green line.
    Realtek AC97 Audio - Event Monitor. "Spyware" file used to surreptitiously monitor one's actions. It is not a sinister one, like remote control programs, but it is being used by Realtek to gather data about customers. If you delete this file, then you will not be able to properly update your drivers in the future. It is therefore recommended that you disable the startup instead.

    After marking the lines, click Fix checked.

    Download SDFix
    and save it to your Desktop.
    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Copy/paste this guideline into a notepad saved in your desktop,
    otherwise you won't be able to read it in Safe Mode:

    Please then reboot your computer in Safe Mode by doing the following :

    * Restart your computer
    * After hearing your computer beep once during startup, but before
    the Windows icon appears, tap the F8 key continually;
    * Instead of Windows loading as normal, the Advanced Options Menu
    should appear:
    * Select the first option, to run Windows in Safe Mode, then press Enter.
    * Choose your usual account.
    Close open windows.

    • While in Safe Mode:
    • Open the SDFix folder and double click RunThis.cmd to start
      the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it
      finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the
      removal process then display Finished, press any key to end the
      script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen
      and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on
      the forum).
    • Finally paste the contents of the Report.txt back on the forum
      with a new HijackThis log
    Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

    Reboot your computer after the scan!

    Logs you need to post:
    • New HijackThis log
    • SDFix's log
    • Malwarebytes' log
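The lines DeFe picked out above follow a handful of rules a responder applies by eye: a core system binary (svchost.exe) running from a directory other than system32, rundll32/regsvr32 loading a DLL nobody recognises from system32, Run values named like GUIDs or hex blobs, startup-folder shortcuts that launch a system32 executable, extra AppInit_DLLs entries, and orphaned services. The following Python script is an added example, not code from the thread or from the HijackThis project: it writes those rules down as heuristics and runs them over a constructed sample of lines copied from the first HJT log posted above. The allowlists KNOWN_RUNDLL_DLLS and KNOWN_APPINIT and the severity thresholds are assumptions for illustration and would need tuning for a given machine.

```python
"""Heuristic triage of HijackThis (HJT) autorun lines.

Added example, not part of the thread: the checks a helper applies by eye to
O4/O20/O23 lines, written out so they run over a saved log. The allowlists and
thresholds are assumptions for illustration, not a vendor's signature set.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# Sample lines constructed from the first HJT log in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [{E7-78-85-5E-DW}] c:\windows\system32\rrwnw64l.exe DWmmm01
O4 - HKLM\..\Run: [cclsyqprrj] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\ofaijuhkxeivhkas.dll"
O4 - HKLM\..\Run: [{dacda840-6ea6-3d43-d565-5a048fc960f7}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gfgnxeeicq.dll" DllStart
O4 - HKLM\..\Run: [manedigiko] Rundll32.exe "C:\WINDOWS\system32\hirisaki.dll",s
O4 - HKLM\..\Run: [787e78f1] rundll32.exe "C:\WINDOWS\system32\fdbaabhn.dll",b
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKUS\S-1-5-19\..\Run: [manedigiko] Rundll32.exe "C:\WINDOWS\system32\hirisaki.dll",s (User 'LOCAL SERVICE')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\ncntrsdl.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,C:\WINDOWS\system32\fuwojake.dll ibpwie.dll
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
"""

SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "winlogon.exe", "csrss.exe", "services.exe"}
LOADERS = {"rundll32.exe", "regsvr32.exe"}          # hosts that run a DLL on request
KNOWN_RUNDLL_DLLS = {"nvcpl.dll", "nvmctray.dll"}   # assumed allowlist for this box
KNOWN_APPINIT = {"goec62~1.dll"}                    # Google Desktop hook (8.3 name in the log)

RUN_RE = re.compile(r"^O4 - (?P<hive>HK[^:]+):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - Startup: (?P<lnk>.+?) = (?P<target>.+)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
DLL_ARG_RE = re.compile(r'([^"\s,]+\.dll)', re.I)


class Finding(NamedTuple):
    severity: str   # "high" or "review"
    line: str
    reason: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def first_token(cmd: str) -> str:
    """Executable part of a Run command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0] if cmd else ""


def check_run(hive: str, name: str, cmd: str) -> Optional[Tuple[str, str]]:
    exe = first_token(cmd)
    exe_base = basename(exe)
    # A core system binary living anywhere but system32 is a name-squatting drop.
    if exe_base in SYSTEM_BINARIES and "\\system32\\" not in exe.lower():
        return "high", f"{exe_base} running from outside system32: {exe}"
    # rundll32/regsvr32 are legitimate loaders, so judge what they load.
    if exe_base in LOADERS:
        m = DLL_ARG_RE.search(cmd)
        dll = m.group(1) if m else ""
        if basename(dll) not in KNOWN_RUNDLL_DLLS:
            in_sys32 = "\\system32\\" in dll.lower()
            svc_acct = hive.startswith("HKUS\\S-1-5-")   # LOCAL/NETWORK SERVICE hives
            sev = "high" if (in_sys32 or svc_acct) else "review"
            return sev, f"{exe_base} loads unrecognised DLL {dll or '(none)'} via {hive}"
    # Value names that are a GUID or a bare hex blob are a common malware habit.
    if name.startswith("{") or re.fullmatch(r"[0-9a-f]{8}", name):
        return "high", f"Run value named like a GUID/hex blob: [{name}]"
    # Long all-lowercase names with no digits, case or separators look generated.
    if re.fullmatch(r"[a-z]{8,}", name):
        return "review", f"Run value with generated-looking name: [{name}]"
    return None


def triage_line(line: str) -> Optional[Tuple[str, str]]:
    m = RUN_RE.match(line)
    if m:
        return check_run(m["hive"], m["name"], m["cmd"])
    m = STARTUP_RE.match(line)
    if m and "\\system32\\" in m["target"].lower():
        # Startup-folder shortcuts normally point into Program Files, not system32.
        return "high", f"Startup shortcut {m['lnk']} launches a system32 binary"
    m = APPINIT_RE.match(line)
    if m:
        # AppInit_DLLs is injected into every process that loads user32.dll.
        dlls = [d for d in re.split(r"[,\s]+", m["dlls"].strip()) if d]
        unknown = [d for d in dlls if basename(d) not in KNOWN_APPINIT]
        if unknown:
            return "high", "AppInit_DLLs injects unrecognised DLLs: " + ", ".join(unknown)
    m = SERVICE_RE.match(line)
    if m and "(file missing)" in m["path"]:
        # Orphaned service: binary gone, registration still present.
        return "review", f"service '{m['svc']}' ({m['owner']}) points at a missing file"
    return None


def triage(log_text: str) -> List[Finding]:
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        hit = triage_line(line)
        if hit:
            findings.append(Finding(hit[0], line, hit[1]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run against the sample it flags the nine lines DeFe listed as high and leaves NvCpl, McAfee and LimeWire alone. The orphaned Network Monitor service only rates "review" here, yet the Malwarebytes log later in the thread identifies it as Trojan.DNSChanger, which is the reason to treat "review" items as work to finish rather than noise; the allowlists are the part that has to be maintained per machine.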
  • edited December 2008
    Thanks, DeFe. I'll get to work on your directions.

    The program my husband paid for is Virus Remover 2008. I just learned from Wiki-Security that it is spyware, as I suspected. They say it is free, and my poor husband paid for it! At least they returned his money and I don't have to chase that down too. I'm so glad I have you to help me through the rest.

    Cheers. :D
  • edited December 2008
    I am hung up on step two, or rather SDFix is hung up. After I press "Y" to launch the scan it hangs at the blue screen that says...

    Starting Repairs
    Checking Running Processes and Services

    It stayed there for 2 hours. It never displayed the next line as shown in the screen shot at http://www.bleepingcomputer.com/forums/topic131299.html
    "Please Be Patient As This May Take Up To 20 Minutes"

    I rebooted in Safe Mode again and launched SDFix again. It has been hung in the same spot for over an hour. Should I just leave it that way for hours?

    Also, I had turned off the machine (because it was cranking out popups like a popcorn popper) while I was waiting for your first instructions. When I booted it up and ran HJT the results were not exactly as they had been. One of the items you told me to delete had changed its name.

    O4 - HKLM\..\Run: [787e78f1] rundll32.exe "C:\WINDOWS\system32\fdbaabhn.dll",b

    had changed to some-other-string-of-letters.dll. I checked it anyway, since everything but the *.dll was the same.

    Also, between the first and second try at running SDFix, I rebooted to normal (to see if I'd broken the registry by interrupting SDFix) and had another look at HJT. This time the line

    O4 - HKLM\..\Run: [manedigiko] Rundll32.exe "C:\WINDOWS\system32\hirisaki.dll",s

    was back, but with a different ending dll.

    Currently, SDFix is running. Should I terminate it, post another HJT log and leave the machine churning out popups until you respond?

    Thanks,
    DarthMom
  • edited December 2008
    Hi, DarthMom

    Just go forward with the instructions and let me know if you have problems with Malwarebytes too.
  • edited December 2008
    Malwarebytes Log, rebooting now...

    DarthMom


    Malwarebytes' Anti-Malware 1.30
    Database version: 1450
    Windows 5.1.2600 Service Pack 3

    12/2/2008 2:04:30 PM
    mbam-log-2008-12-02 (14-04-30).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 116596
    Time elapsed: 23 minute(s), 58 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 4
    Registry Keys Infected: 27
    Registry Values Infected: 5
    Registry Data Items Infected: 5
    Folders Infected: 4
    Files Infected: 37

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\WINDOWS\system32\tuvSigFU.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\awtrRIBu.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\ylggsj.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\tisisiga.dll (Trojan.Vundo) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{245a1446-f25f-4731-b4fa-44cfa1dbfff4} (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{245a1446-f25f-4731-b4fa-44cfa1dbfff4} (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4b34f240-d118-487a-b85b-efc8ade8b402} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{4b34f240-d118-487a-b85b-efc8ade8b402} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awtrribu (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75106d84-d905-4a13-9ba8-cac232cf8639} (Trojan.BHO.H) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{75106d84-d905-4a13-9ba8-cac232cf8639} (Trojan.BHO.H) -> Delete on reboot.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{245a1446-f25f-4731-b4fa-44cfa1dbfff4} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4b34f240-d118-487a-b85b-efc8ade8b402} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c900b400-cdfe-11d3-976a-00e02913a9e0} (Adware.WebHancer) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Network Monitor (Trojan.Service) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4ba2c55c-e45e-4339-f330-0c1dc89f7771} (Adware.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{4ba2c55c-e45e-4339-f330-0c1dc89f7771} (Adware.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8289ce51-2824-2fbb-46cc-aff5fde73cfb} (Adware.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{8289ce51-2824-2fbb-46cc-aff5fde73cfb} (Adware.BHO) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aculijoha (Trojan.Agent) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tvotegi (Trojan.Agent) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cclsyqprrj (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\manedigiko (Trojan.Agent) -> Delete on reboot.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\tuvsigfu -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\tuvsigfu -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: c:\windows\system32\tisisiga.dll -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\tisisiga.dll -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: system32\tisisiga.dll -> Delete on reboot.

    Folders Infected:
    C:\WINDOWS\Fonts\' (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Program Files\VirusRemover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
    C:\Documents and Settings\LocalService\Application Data\NetMon (Trojan.NetMon) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Mike\Application Data\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.

    Files Infected:
    C:\WINDOWS\system32\tuvSigFU.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\UFgiSvut.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\UFgiSvut.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ylggsj.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\awtrRIBu.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\cumcdnfm.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\mfndcmuc.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\fdbaabhn.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\nhbaabdf.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\jnatwrxk.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\kxrwtanj.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\vkatcahh.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\hhactakv.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\mozehete.dll (Trojan.BHO.H) -> Delete on reboot.
    C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\CWNIUAKA\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\E4ERR073\zc113432[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ibpwie.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ogiidq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\jukazudu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\stgqfs.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\tquwpgth.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ixhvgowe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\bobebeji.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\yazelado.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\yggeaoju.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\uisfhnpd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
    C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\Rmosopepac.dll (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\irakezako.dll (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\ofaijuhkxeivhkas.dll (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\nojelawo.dll (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\msnav32.ax (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\~.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\tisisiga.dll (Trojan.Vundo) -> Delete on reboot.
  • edited December 2008
    Hi, DarthMom

    Try SDFix again and let me know if it works or doesn't work.
  • edited December 2008
    Thanks again DeFe. SDFix worked. Here are the logs for the three programs you had me run.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:12:30 PM, on 12/3/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\McAfee\MBK\MBackMonitor.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\Program Files\McAfee\VirusScan\McShield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\nvraidservice.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
    C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
    C:\Program Files\Dell Video Chat\DellVideoChat.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080826
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080826
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: (no name) - {76C29276-6653-4A6C-BB13-3E4800844367} - C:\WINDOWS\system32\opnkiiGy.dll (file missing)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Cooxie - {DC99E960-6594-45e3-9D5D-141D825B8096} - C:\Program Files\Diodia Software\Cooxie Toolbar\Cooxie.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
    O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
    O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
    O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
    O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
    O4 - HKCU\..\Run: [NVIDIA nTune] C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe resetprofile
    O4 - HKCU\..\Run: [SightSpeed] "C:\Program Files\Dell Video Chat\DellVideoChat.exe" -bootmode
    O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [manedigiko] Rundll32.exe "C:\WINDOWS\system32\nojelawo.dll",s (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [manedigiko] Rundll32.exe "C:\WINDOWS\system32\nojelawo.dll",s (User 'NETWORK SERVICE')
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

    --
    End of file - 8408 bytes


    SDFix: Version 1.240
    Run by Administrator on Tue 12/02/2008 at 06:47 PM

    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\SDFix

    Checking Services :


    Restoring Default Security Values
    Restoring Default Hosts File

    Rebooting


    Checking Files :

    No Trojan Files Found

    Removing Temp Files

    ADS Check :

    Final Check :

    catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-02 18:53:42
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    scanning hidden files ...

    C:\WINDOWS\LastGood
    C:\WINDOWS\LastGood\system32
    C:\WINDOWS\LastGood\system32\wuweb.dll 205000 bytes executable

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 3


    Remaining Services :

    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"="C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX"
    "C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"="C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
    "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
    "C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Explorer"
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
    "C:\\Program Files\\Dell Video Chat\\DellVideoChat.exe"="C:\\Program Files\\Dell Video Chat\\DellVideoChat.exe:*:Enabled:SightSpeed"
    "C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
    "C:\\WINDOWS\\system32\\logonui.exe"="C:\\WINDOWS\\system32\\logonui.exe:*:Enabled:logonui"
    "C:\\WINDOWS\\system32\\winlogon.exe"="C:\\WINDOWS\\system32\\winlogon.exe:*:Enabled:winlogon"
    "C:\\WINDOWS\\system32\\lsass.exe"="C:\\WINDOWS\\system32\\lsass.exe:*:Enabled:lsass"
    "C:\\Program Files\\McAfee\\MSC\\mcmscsvc.exe"="C:\\Program Files\\McAfee\\MSC\\mcmscsvc.exe:*:Enabled:mcmscsvc"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"="C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX"
    "C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"="C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    Remaining Files :

    Files with Hidden Attributes :

    Mon 1 Dec 2008 65,076 A.SH. --- "C:\WINDOWS\system32\kasituva.dll"
    Sat 29 Nov 2008 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
    Sat 29 Nov 2008 265 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
    Sat 27 Sep 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
    Sat 8 Nov 2008 30,208 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL0004.tmp"
    Sun 5 Oct 2008 19,968 A..H. --- "C:\Documents and Settings\Mike\My Documents\Traction Files\Walkin Blues 2\~WRL0260.tmp"
    Sat 12 Jul 2008 27,648 ...H. --- "C:\Documents and Settings\Mike\My Documents\My Music\Music Stuff\Words_Chords\~WRL0002.tmp"
    Sun 9 Nov 2008 26,112 ...H. --- "C:\Documents and Settings\Mike\My Documents\My Music\Music Stuff\Words_Chords\~WRL0230.tmp"
    Sun 9 Nov 2008 25,600 ...H. --- "C:\Documents and Settings\Mike\My Documents\My Music\Music Stuff\Words_Chords\~WRL0267.tmp"
    Sun 9 Nov 2008 24,576 ...H. --- "C:\Documents and Settings\Mike\My Documents\My Music\Music Stuff\Words_Chords\~WRL1501.tmp"
    Sun 9 Nov 2008 27,648 ...H. --- "C:\Documents and Settings\Mike\My Documents\My Music\Music Stuff\Words_Chords\~WRL2299.tmp"
    Sun 9 Nov 2008 65,536 ...H. --- "C:\Documents and Settings\Mike\My Documents\My Music\Music Stuff\Words_Chords\~WRL2689.tmp"
    Sun 9 Nov 2008 87,552 ...H. --- "C:\Documents and Settings\Mike\My Documents\My Music\Music Stuff\Words_Chords\~WRL3069.tmp"
    Sun 9 Nov 2008 26,112 ...H. --- "C:\Documents and Settings\Mike\My Documents\My Music\Music Stuff\Words_Chords\~WRL3454.tmp"
    Sun 17 Aug 2008 67,584 ...H. --- "C:\Documents and Settings\Mike\My Documents\My Music\Music Stuff\Words_Chords\~WRL3620.tmp"

    Finished!

    Malwarebytes' Anti-Malware 1.30
    Database version: 1450
    Windows 5.1.2600 Service Pack 3

    12/2/2008 6:42:07 PM
    mbam-log-2008-12-02 (18-42-07).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 116302
    Time elapsed: 21 minute(s), 56 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    ===============================

    All is working as it seems it should. Are we clean?

    Thank you very much,

    DarthMom
  • edited December 2008
    Hi, DarthMom

    Almost clean ;)

    Start HijackThis, press Do system scan only and mark these lines.

    O2 - BHO: (no name) - {76C29276-6653-4A6C-BB13-3E4800844367} - C:\WINDOWS\system32\opnkiiGy.dll (file missing)
    O4 - HKUS\S-1-5-19\..\Run: [manedigiko] Rundll32.exe "C:\WINDOWS\system32\nojelawo.dll",s (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [manedigiko] Rundll32.exe "C:\WINDOWS\system32\nojelawo.dll",s (User 'NETWORK SERVICE')


    After marking the lines, click Fix checked.

    CCleaner
    Please download CCleaner (slim version) from Piriform and save it to your desktop. A CCleaner guide can be found here, if needed.


    To Install CCleaner:
    1. Click the ccsetup???_slim.exe icon on your desktop (??? = version numbers).
    2. Press "Run" at the security prompt. Select a language and press "OK".
    3. Click "Next" on the Welcome screen. Click "I Agree" on the License Agreement.
    4. Click "Next" for the default install location.
      The default is C:\Program Files\CCleaner. Unless you want it installed elsewhere, just leave it.
    5. Check the "Install Options" you want.
    6. Click "Install". Click "Finish" when prompted.


    To Run CCleaner:
    1. Click the CCleaner desktop icon or Start Menu item (depending on install options).
    2. Before first use, go to Options, Advanced, and UNCHECK "Only delete files in Windows Temp folder older than 48 hours".
    3. A pop-up box will appear advising that this process will permanently delete files from your system.
    4. Select the items to clean up.
      • In the Windows Tab:
      • Clean all entries in the "Internet Explorer".
        Note: if the "Cookies" box is checked, you will have to re-enter user names and passwords on your next visit to sites that require you to log in.
      • Clean all the entries in the "Windows Explorer" section.
      • Clean all entries in the "System" section...except "Start Menu Shortcuts" and "Desktop Shortcuts" uncheck these 2 items.
      • *Uncheck* the "Advanced" section.


      • In the Applications Tab:
      • Clean all in the "Firefox/Mozilla" section. (if you use it)
        Firefox caution: if the "Saved Form Information" box is checked, all your saved passwords will be removed, if you use that feature.
      • Clean all in the "Opera" section. (if you use it)
      • Clean all in the "Applications" section.
      • Clean all in the "Internet" Section.
      • Clean all in the "Multimedia" section. (if you use them)
      • Clean all in the "Utilities" section. (if you use them)
      • Clean all in the "Windows" section.
    5. Then click the "Run Cleaner" button and it will scan and clean your system.
    6. Close CCleaner when finished.

    FYI...You may see some files "marked" for deletion when Windows restarts...this is because they are "in use" by the system and can't be removed until restart.
    CAUTION: Please do NOT use the "Issues" button in the left pane.
    This is a built-in registry cleaner. Removing certain entries can render your computer inoperable!

    Please do a scan with Kaspersky Online Scanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.
    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded on the left side of the page in the Scan section select My Computer
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run.
    • Once the scan is complete, click on View scan report
    • Now, click on the Save Report as button.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.
    Send a new HijackThis log too.
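Added example, not part of this thread and not code from HijackThis or SDFix: a small Python triage script that encodes the reasoning behind the three lines marked in the reply above. It flags an O2 BHO entry whose DLL is reported as "(file missing)" (the CLSID registration outlives the file and IE still tries to load it at start-up, which is why the entry is still fixed) and any O4 Run entry under the S-1-5-19 (LOCAL SERVICE) or S-1-5-20 (NETWORK SERVICE) hives, which are built-in service accounts with no interactive session and no need for Run keys. As a third, purely heuristic check (an assumption of this example, not something the reply states), it parses SDFix's "Files with Hidden Attributes" section and flags a DLL or EXE in system32 carrying both the Hidden and System attributes; on the SDFix output above that picks out kasituva.dll as worth a hash lookup or a second scanner before the machine is called clean. The sample lines are copied from the logs posted in this thread; the function and rule names are mine.

```python
import re

# Constructed sample input for this example: a few entries copied from the
# HijackThis and SDFix logs posted in this thread. The rest of the logs is
# benign noise as far as these heuristics are concerned.
SAMPLE_HJT = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {76C29276-6653-4A6C-BB13-3E4800844367} - C:\WINDOWS\system32\opnkiiGy.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [manedigiko] Rundll32.exe "C:\WINDOWS\system32\nojelawo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [manedigiko] Rundll32.exe "C:\WINDOWS\system32\nojelawo.dll",s (User 'NETWORK SERVICE')
"""

SAMPLE_SDFIX = r"""
Mon 1 Dec 2008 65,076 A.SH. --- "C:\WINDOWS\system32\kasituva.dll"
Sat 29 Nov 2008 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Sat 8 Nov 2008 30,208 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL0004.tmp"
"""

# Heuristic 1: a BHO whose DLL HijackThis reports as "(file missing)" is a
# registration left behind by an earlier cleanup. The CLSID entry is still
# read at browser start, so the entry is fixed even though the file is gone.
FILE_MISSING = re.compile(r"^O2 - BHO: .*\(file missing\)$")

# Heuristic 2: S-1-5-19 (LOCAL SERVICE) and S-1-5-20 (NETWORK SERVICE) are
# built-in service accounts with no interactive session, so a Run key under
# their hives is almost never created by legitimate software.
SERVICE_ACCOUNT_RUN = re.compile(r"^O4 - HKUS\\S-1-5-(?:19|20)\\")

# SDFix "Files with Hidden Attributes" line layout:
#   <Day> <d> <Mon> <yyyy> <size> <attrs> --- "<path>"
SDFIX_LINE = re.compile(
    r'^\w{3} \d{1,2} \w{3} \d{4} [\d,]+ (?P<attrs>[A-Z.]{5}) --- "(?P<path>.+)"$'
)
SYSTEM32 = "c:\\windows\\system32\\"  # lower-cased prefix, trailing backslash


def triage_hjt(text):
    """Return (reason, line) pairs for HijackThis entries worth fixing."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if FILE_MISSING.match(line):
            findings.append(("orphaned BHO registration (file missing)", line))
        elif SERVICE_ACCOUNT_RUN.match(line):
            findings.append(("Run key under a service-account hive", line))
    return findings


def hjt_fix_list(text):
    """The lines to tick in HijackThis before pressing 'Fix checked'."""
    return [line for _reason, line in triage_hjt(text)]


def triage_sdfix(text):
    """Flag hidden+system executables in system32 for manual verification.

    Heuristic 3 (an assumption of this example, not a verdict): a DLL, EXE
    or SYS file in system32 carrying both the Hidden and System attributes
    deserves a hash lookup or a second scanner before the box is called clean.
    """
    findings = []
    for line in text.splitlines():
        m = SDFIX_LINE.match(line.strip())
        if not m:
            continue
        attrs, path = m.group("attrs"), m.group("path")
        low = path.lower()
        if ("S" in attrs and "H" in attrs and low.startswith(SYSTEM32)
                and low.endswith((".dll", ".exe", ".sys"))):
            findings.append(("hidden+system executable in system32", path))
    return findings


if __name__ == "__main__":
    for reason, item in triage_hjt(SAMPLE_HJT) + triage_sdfix(SAMPLE_SDFIX):
        print(f"[{reason}] {item}")
```

Run on the sample, hjt_fix_list() returns exactly the three lines the reply asks to mark, and triage_sdfix() returns kasituva.dll alone; the McAfee .bak files share the S and H attributes but live outside system32, and the ~WRL*.tmp Word scratch files are merely hidden, so neither is reported.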
  • Trogan London, UK
    edited December 2008
    This topic is now closed due to inactivity. If you wish to reopen your topic, please send a Private Message (PM) to Trogan with a link to your thread.

    If it has been 7 days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, this topic will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread in your new topic.

    If you are not the user who started this thread, you must start your own thread instead (grin)