
Thread: Pop-ups, Ad-Aware, Failure

  1. #1

    Pop-ups, Ad-Aware, Failure

    I caught something or other that has been doing very annoying things to my web browsers. For a while, it would open up a new window in Firefox every now and then with three tabs. In the URL bar, it would try to open "key", "is", and some other word on the respective tabs. Later it would open up a different set of tabs as well in another new window. Eventually it started opening up Internet Explorer, which isn't my default browser.

    Additionally, the Google Maps and Google Calendar interfaces weren't working for me, or if they did they ran slowly. Web pages would not reload on the first try. I could not open "Add or Remove Programs".

    I ran scans with Malwarebytes and avast! to no avail. Ad-Aware wasn't working for some reason, so I downloaded the installer and ran it. At the end of the install, it asked to restart my computer and run a scan. I let it do this.

    Now my computer won't start up properly in Normal or Safe Mode. In Normal Mode, it logs into my account and shows my wallpaper but nothing else. I can open the Task Manager with Ctrl + Alt + Del, but that's it. In Safe Mode, it does the same thing but with a black screen instead of my wallpaper (which is just something Safe Mode does with wallpapers, as I recall).

    So... help?

  2. #2
    Never mind. I ran explorer.exe from the Task Manager and fixed all the viruses, etc.

  3. #3
    Join Date: Aug 2006 | Posts: 2,763
    You may want to post the requested logs to get a second opinion / be on the safe side, etc.

  4. #4
    Turns out that my attempt failed. I read up on the protocol, so here's what I've got for you:

    Pop-ups appear in both Internet Explorer and Firefox. The Internet Explorer pop-ups are single pages for dating sites, etc. The pop-ups in Firefox are multiple tabs that often open to nothing in particular. My Google results are rerouted most of the time when I click on them to pages about swine flu, bogus health information, etc. SecurityTool, a fake anti-virus application, appears on my computer and opens itself sometimes when I restart my computer. It restricts what I can open (Task Manager, Thunderbird, etc.), but I can get rid of it through Safe Mode for a while. Some web pages will not open at all, and some take refreshing or re-entry before they work.

    I went through the processes in the sticky that I missed:

    - No suspicious programs in Add/Remove programs
    - Could not run the Microsoft Windows Malicious Software Removal Tool. I executed the file, but nothing happened.
    - ATF-Cleaner ran fine
    - Malwarebytes installed but could not find mbam.exe and thus could not run

    The requested log files (minus the Malwarebytes one, of course) are attached.

  5. #5
    Thanks for the logs; glad you found the sticky, I forgot to mention it.
    I'm going to paste your logs into this post to make it easier for us to read through; that way nobody has to download potentially infected files.
    -----------
    ESETlog.txt
    -----------

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=7.00.6000.16762 (vista_gdr.081013-1507)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=744d72e8c34716418b4230c2be2fac71
    # end=stopped
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2009-10-28 05:13:34
    # local_time=2009-10-28 01:13:34 (-0500, Eastern Daylight Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=769 16775145 100 98 0 192073371 1785299 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=2235
    # found=0
    # cleaned=0
    # scan_time=198
    esets_scanner_update returned -1 esets_gle=53251
    # version=7
    # iexplore.exe=7.00.6000.16762 (vista_gdr.081013-1507)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=744d72e8c34716418b4230c2be2fac71
    # end=stopped
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2009-10-28 05:16:02
    # local_time=2009-10-28 01:16:02 (-0500, Eastern Daylight Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=769 16775145 100 98 0 192073682 1785610 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=2235
    # found=0
    # cleaned=0
    # scan_time=36
    esets_scanner_update returned -1 esets_gle=53251
    # version=7
    # iexplore.exe=7.00.6000.16762 (vista_gdr.081013-1507)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=744d72e8c34716418b4230c2be2fac71
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2009-10-28 05:49:30
    # local_time=2009-10-28 01:49:30 (-0500, Eastern Daylight Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=769 16775145 100 98 0 192073741 1785669 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=63742
    # found=15
    # cleaned=0
    # scan_time=1983
    C:\Documents and Settings\Garrett\Local Settings\Temp\n.exn a variant of Win32/Kryptik.AVX trojan 00000000000000000000000000000000 I
    C:\Documents and Settings\Garrett\Local Settings\Temp\y.exy a variant of Win32/Kryptik.AJB trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\bihawonu.exe Win32/Adware.SecurityTool application 00000000000000000000000000000000 I
    C:\WINDOWS\system32\dimisawo.dll a variant of Win32/Adware.SuperJuan.K application 00000000000000000000000000000000 I
    C:\WINDOWS\system32\gafuhelu.dll a variant of Win32/Kryptik.AVX trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\genilede.exe Win32/Adware.SecurityTool application 00000000000000000000000000000000 I
    C:\WINDOWS\system32\henebevi.dll a variant of Win32/Adware.SuperJuan.K application 00000000000000000000000000000000 I
    C:\WINDOWS\system32\jalopeya.exe Win32/Adware.SecurityTool application 00000000000000000000000000000000 I
    C:\WINDOWS\system32\jepiliwu.dll a variant of Win32/Adware.SuperJuan.K application 00000000000000000000000000000000 I
    C:\WINDOWS\system32\kofiraha.dll a variant of Win32/Adware.Virtumonde.NFY application 00000000000000000000000000000000 I
    C:\WINDOWS\system32\wakatuha.dll a variant of Win32/Adware.SuperJuan.K application 00000000000000000000000000000000 I
    C:\WINDOWS\system32\womovire.dll a variant of Win32/AntiAV.NDE trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\zebilemo.dll a variant of Win32/AntiAV.NDE trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts Win32/Qhost trojan 00000000000000000000000000000000 I
    ${Memory} multiple threats 00000000000000000000000000000000 I



    --------------------
    HIJACKTHIS LOG:
    --------------------
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:59:38 AM, on 10/28/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\S24EvMon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\WINDOWS\system32\RegSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\TpShocks.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    C:\IBMTOOLS\UTILS\ibmprc.exe
    C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
    C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    C:\Program Files\Logitech\QuickCam\Quickcam.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Garrett\Desktop\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O1 - Hosts: 82.98.231.89 url.adtrgt.com
    O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.32.0\gears.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
    O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
    O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
    O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
    O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [gifirarez] Rundll32.exe "c:\windows\system32\kofiraha.dll",a
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKUS\S-1-5-20\..\Run: [wajarazeje] Rundll32.exe "C:\WINDOWS\system32\sipuyoyo.dll",s (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.32.0\gears.dll
    O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.32.0\gears.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [JAVA_IBM] Java (IBM)
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos...ineScanner.cab
    O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...nt/swflash.cab
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: c:\windows\system32\dopezulu.dll henebevi.dll c:\windows\system32\wuduwezu.dll c:\windows\system32\kofiraha.dll
    O20 - Winlogon Notify: wvUkJcAT - wvUkJcAT.dll (file missing)
    O21 - SSODL: ralenemef - {f1a67b6e-f925-459f-8adf-fc75a0f83089} - c:\windows\system32\dopezulu.dll (file missing)
    O21 - SSODL: kamoteliw - {177c537a-837c-40a4-a4dd-b7bae8339608} - c:\windows\system32\wuduwezu.dll (file missing)
    O21 - SSODL: rawojehah - {69a2bfd6-2b01-4ba0-b0d7-3c36a7632863} - c:\windows\system32\kofiraha.dll
    O22 - SharedTaskScheduler: tokatiluy - {f1a67b6e-f925-459f-8adf-fc75a0f83089} - c:\windows\system32\dopezulu.dll (file missing)
    O22 - SharedTaskScheduler: tokatiluy - {177c537a-837c-40a4-a4dd-b7bae8339608} - c:\windows\system32\wuduwezu.dll (file missing)
    O22 - SharedTaskScheduler: tokatiluy - {69a2bfd6-2b01-4ba0-b0d7-3c36a7632863} - c:\windows\system32\kofiraha.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Update Service (gupdate1c99c9f4f87c110) (gupdate1c99c9f4f87c110) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
    O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
    O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
    O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 12591 bytes

    -------------------
    Uninstall list.txt
    -------------------

    7-Zip 4.64
    Access IBM
    Access IBM Message Center
    Ad-Aware
    Ad-Aware
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 7.0
    Adobe Shockwave Player 11.5
    AIM 6
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Audacity 1.3.6 (Unicode)
    avast! Antivirus
    Bonjour
    Celtx (2.0.2)
    Choice Guard
    DivX Web Player
    ESET Online Scanner v3
    Finale Reader 2009
    FrostWire 4.18.3
    Google Gears
    Google Update Helper
    HijackThis 2.0.2
    Hotfix for Windows XP (KB942288-v3)
    Hotfix for Windows XP (KB952287)
    IBM 32-bit Runtime Environment for Java 2, v1.4.1
    IBM Access Connections
    IBM Active Protection System
    IBM DLA
    IBM RecordNow!
    IBM Rescue and Recovery with Rapid Restore
    IBM Themes
    IBM ThinkPad Battery MaxiMiser and Power Management Features
    IBM ThinkPad Configuration
    IBM ThinkPad EasyEject Utility
    IBM ThinkPad Keyboard Customizer Utility
    IBM ThinkPad Presentation Director
    IBM ThinkPad UltraNav Wizard
    IBM TrackPoint Accessibility Features
    IBM Update Connector
    Intel(R) Extreme Graphics 2 Driver
    Intel(R) Network Connections Drivers
    Intel(R) Sebring API
    InterVideo WinDVD
    iTunes
    Java(TM) 6 Update 15
    Java(TM) 6 Update 7
    Logitech Desktop Messenger
    Logitech QuickCam
    Logitech QuickCam Driver Package
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 2.0
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft VC9 runtime libraries
    Microsoft Visual C++ 2005 Redistributable
    MobileMe Control Panel
    Mozilla Firefox (3.5.4)
    Mozilla Thunderbird (2.0.0.23)
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    OpenOffice.org 3.1
    PC-Doctor for Windows
    QuickTime
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB960714)
    Segoe UI
    Skype™ 3.8
    Sonic Update Manager
    ThinkPad FullScreen Magnifier
    ThinkPad Integrated 56K Modem
    ThinkPad Power Management Driver
    ThinkPad Software Installer
    ThinkPad UltraNav Driver
    Trillian
    Update for Windows XP (KB955839)
    Viewpoint Media Player
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    VLC media player 1.0.1
    Wallpapers
    Windows Installer Clean Up
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Essentials
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    Windows Media Format 11 runtime
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Media Player 11
    Windows XP Service Pack 3
    Yahoo! Messenger

  6. #6
    There are quite a few things that need attention in the list, and due to the nature of the baddies, it is very important that you follow up with the final logs for MBAM if we can get it to run. There are a couple of applications that need to be uninstalled before we can move on; mainly the application in your install list, FrostWire. This is considered "p2p" software; we don't provide support for computers that are filesharing, since filesharing can be the source of your infection and can lead to re-infection ("then we would just be spinning our wheels"). However, you may have just stumbled onto one of those malicious websites that automatically install their malware. We have no way of knowing what you use the p2p software for (the majority is for filesharing/unscrupulous downloads), but in any case we need you to uninstall the filesharing application, even if it is just temporary on your part.

    Uninstall MBAM as well, for now; then:

    If you can get your computer to boot into Safe Mode, log in as administrator, then find and delete the following files:

    C:\Documents and Settings\Garrett\Local Settings\Temp\n.exn
    C:\Documents and Settings\Garrett\Local Settings\Temp\y.exy
    C:\WINDOWS\system32\bihawonu.exe
    C:\WINDOWS\system32\dimisawo.dll
    C:\WINDOWS\system32\gafuhelu.dll
    C:\WINDOWS\system32\genilede.exe
    C:\WINDOWS\system32\henebevi.dll
    C:\WINDOWS\system32\jalopeya.exe ~ this is that dodgy SecurityTool, as per the ESET log
    C:\WINDOWS\system32\jepiliwu.dll
    C:\WINDOWS\system32\kofiraha.dll
    C:\WINDOWS\system32\wakatuha.dll
    C:\WINDOWS\system32\womovire.dll
    C:\WINDOWS\system32\zebilemo.dll

    I'm not sure how to deal with this one: C:\WINDOWS\system32\drivers\etc\hosts Win32/Qhost trojan 00000000000000000000000000000000 I

    Reboot your computer into Normal Mode, logged in as administrator; then open HijackThis and select "scan only". Prepare to re-install and update MBAM; you want to run a full scan and have it fix all, and we will need to see the MBAM log after it runs. But only attempt to re-install and run MBAM "very quickly" AFTER you perform the following! As soon as you click the FIX button in HijackThis, you should be attempting to install and run MBAM.


    Back to the HijackThis scan:

    Find and put a check next to the following:

    C:\Program Files\Viewpoint\Common\ViewpointService.exe ~ Edit: I don't think there's a check box for this entry, but it's listed under O23, so we've got it covered.

    O1 - Hosts: 82.98.231.89 url.adtrgt.com
    O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O4 - HKLM\..\Run: [gifirarez] Rundll32.exe "c:\windows\system32\kofiraha.dll",a
    O4 - HKUS\S-1-5-20\..\Run: [wajarazeje] Rundll32.exe "C:\WINDOWS\system32\sipuyoyo.dll",s (User 'NETWORK SERVICE')
    O20 - AppInit_DLLs: c:\windows\system32\dopezulu.dll henebevi.dll c:\windows\system32\wuduwezu.dll c:\windows\system32\kofiraha.dll
    O20 - Winlogon Notify: wvUkJcAT - wvUkJcAT.dll (file missing)
    O21 - SSODL: ralenemef - {f1a67b6e-f925-459f-8adf-fc75a0f83089} - c:\windows\system32\dopezulu.dll (file missing)
    O21 - SSODL: kamoteliw - {177c537a-837c-40a4-a4dd-b7bae8339608} - c:\windows\system32\wuduwezu.dll (file missing)
    O21 - SSODL: rawojehah - {69a2bfd6-2b01-4ba0-b0d7-3c36a7632863} - c:\windows\system32\kofiraha.dll
    O22 - SharedTaskScheduler: tokatiluy - {f1a67b6e-f925-459f-8adf-fc75a0f83089} - c:\windows\system32\dopezulu.dll (file missing)
    O22 - SharedTaskScheduler: tokatiluy - {177c537a-837c-40a4-a4dd-b7bae8339608} - c:\windows\system32\wuduwezu.dll (file missing)
    O22 - SharedTaskScheduler: tokatiluy - {69a2bfd6-2b01-4ba0-b0d7-3c36a7632863} - c:\windows\system32\kofiraha.dll
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    Once you have these items checked, select the Fix button and have HijackThis fix those issues; then immediately run the MBAM installer/updater, and once it's updated, start the scan with "fix all" according to the directions in the sticky. If you can get it to run, let it do its thing, then find and copy/paste the MBAM log into your next post. I'm afraid that this issue is going to try and restore/protect itself and that you may not get MBAM to run, but hopefully having HijackThis fix those issues will allow MBAM to install and run.


    The other thing is Viewpoint Media Player. This application is considered "foistware": it's usually included with some other application and installed without your consent, and may pose a security risk because it connects to the internet and searches for updates.

    It is suggested to uninstall this application; however, the application that installed it may stop working, or may try to re-install the viewpoint application/toolbar.

    To uninstall viewpoint media player; first open the task manager by right clicking on the clock in the system tray, then select task manager, click on the PROCESSES tab/button in the task manager window, then look for viewmgr.exe, if you find it, click on it then select "end task" then open the control panel, select add/remove programs, find and uninstall any of the following: "viewpoint manager" "viewpoint media player" "viewpoint toolbar"
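    The list of HijackThis entries above is, in effect, a manual triage of four persistence points: the O1 lines (the hosts file that ESET reported as Win32/Qhost, mapping two ad domains to 82.98.231.89 instead of loopback), the O4 Run values that start a DLL through Rundll32, the O20 AppInit_DLLs value, and the O21/O22 shell-extension registrations, several of which still point at files that are already gone. The script below is an added example written for this page, not code from HijackThis, ESET, Malwarebytes or anyone in the thread. It runs the same checks over a subset of the posted log and prints a reason for each flagged line. The rules are the editor's heuristics: the "eight letters alternating consonant/vowel" name test matches the Vundo/Virtumonde component names in this log (kofiraha, henebevi, dopezulu, sipuyoyo) but also a few legitimate names such as setupapi.dll, a hosts entry that points at a LAN address is legitimate, and a "(file missing)" service can simply be the leftover of an uninstall, so the output is a review list for a human, not a verdict.

```python
"""Triage a HijackThis-style log for the persistence entries this thread works through.

Added example written for this page; it is not code from HijackThis, ESET,
Malwarebytes or anyone in the thread. The sample lines are copied from the log
posted above, and the rules are the editor's heuristics: they produce review
hints for a human, not verdicts.
"""
import re
from dataclasses import dataclass, field

# Addresses a hosts file legitimately maps names to (ad-blocking hosts files use these).
BENIGN_HOSTS_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}

# Name pattern of the Vundo/Virtumonde components in this log: eight letters that
# strictly alternate consonant/vowel (kofiraha, henebevi, dopezulu, sipuyoyo, ...).
# Heuristic only: a few legitimate names, setupapi.dll for one, match it too.
RANDOM_NAME = re.compile(
    r"(?<![a-z0-9])(?:[b-df-hj-np-tv-z][aeiou]){4}\.(?:dll|exe)\b", re.I
)

# "O4 - HKLM\..\Run: [x] ..." -> section "O4", body "HKLM\..\Run: [x] ..."
ENTRY = re.compile(r"^(O\d+)\s+-\s+(.*)$")
HOSTS = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")


@dataclass
class Finding:
    section: str            # HijackThis section, e.g. "O21"
    line: str               # the log line as posted
    reasons: list = field(default_factory=list)


def random_names(text):
    """Vundo-style file names in one log line, in order of appearance."""
    return [m.group(0) for m in RANDOM_NAME.finditer(text)]


def triage(lines):
    """One Finding per O-section line that trips at least one rule."""
    findings = []
    for raw in lines:
        m = ENTRY.match(raw.strip())
        if not m:
            continue                                  # R-lines, process list, headers
        section, body = m.groups()
        reasons = []

        if section == "O1":                           # hosts-file override (Qhost)
            h = HOSTS.match(body)
            if h and h.group(1) not in BENIGN_HOSTS_TARGETS:
                reasons.append(f"hosts file sends {h.group(2)} to {h.group(1)}, not loopback")

        if section == "O20" and body.startswith("AppInit_DLLs:"):
            reasons.append("AppInit_DLLs populated: loaded into every process that maps user32.dll")

        if "(file missing)" in body or "(no file)" in body:
            reasons.append("registration survives but the file is gone (orphan, or a partly removed component)")

        names = random_names(body)
        if names:
            reasons.append("random-looking component name(s): " + ", ".join(names))

        if reasons:
            findings.append(Finding(section, raw.strip(), reasons))
    return findings


def summarize(findings):
    """Flagged lines per section, e.g. {'O1': 2, 'O21': 3}."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


# Constructed sample: a subset of the HijackThis log posted in this thread, with
# three benign lines left in so the rules have something to ignore.
SAMPLE_LOG = [
    r"O1 - Hosts: 82.98.231.89 url.adtrgt.com",
    r"O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net",
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)",
    r"O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe",
    r'O4 - HKLM\..\Run: [gifirarez] Rundll32.exe "c:\windows\system32\kofiraha.dll",a',
    r"""O4 - HKUS\S-1-5-20\..\Run: [wajarazeje] Rundll32.exe "C:\WINDOWS\system32\sipuyoyo.dll",s (User 'NETWORK SERVICE')""",
    r"O20 - AppInit_DLLs: c:\windows\system32\dopezulu.dll henebevi.dll c:\windows\system32\wuduwezu.dll c:\windows\system32\kofiraha.dll",
    r"O20 - Winlogon Notify: wvUkJcAT - wvUkJcAT.dll (file missing)",
    r"O21 - SSODL: ralenemef - {f1a67b6e-f925-459f-8adf-fc75a0f83089} - c:\windows\system32\dopezulu.dll (file missing)",
    r"O21 - SSODL: kamoteliw - {177c537a-837c-40a4-a4dd-b7bae8339608} - c:\windows\system32\wuduwezu.dll (file missing)",
    r"O21 - SSODL: rawojehah - {69a2bfd6-2b01-4ba0-b0d7-3c36a7632863} - c:\windows\system32\kofiraha.dll",
    r"O22 - SharedTaskScheduler: tokatiluy - {f1a67b6e-f925-459f-8adf-fc75a0f83089} - c:\windows\system32\dopezulu.dll (file missing)",
    r"O22 - SharedTaskScheduler: tokatiluy - {177c537a-837c-40a4-a4dd-b7bae8339608} - c:\windows\system32\wuduwezu.dll (file missing)",
    r"O22 - SharedTaskScheduler: tokatiluy - {69a2bfd6-2b01-4ba0-b0d7-3c36a7632863} - c:\windows\system32\kofiraha.dll",
    r"O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)",
    r"O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe",
]

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.section}] {f.line}")
        for r in f.reasons:
            print("      -", r)
    print(summarize(found))
```

    Run against the sample, the script flags 14 of the 17 lines and leaves the Acrobat BHO, the Synaptics Run entry and the Viewpoint service alone; Viewpoint is on the helper's list for policy reasons (foistware), not because of anything in the log line itself, which is exactly the kind of call a pattern check cannot make. The O1 rule is the answer to the Qhost question in the post above: the hosts file is only "infected" in that it contains those two lines, so removing them (which is what fixing the O1 entries does) is the whole fix.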

  7. #7
    Sorry about the attachment thing. The sticky said to do that. Maybe this should be addressed?

    I rebooted in Safe Mode and deleted the files save for two that it would not allow me to delete and one that wasn't there to begin with. When I rebooted in Normal Mode, the SecurityTool application launched, forcing me to reboot again. I rebooted in Safe Mode, ran msconfig, and turned off what I recognized as the SecurityTool files under the Startup menu.

    I uninstalled Frostwire and Viewpoint Media Player. I don't think the infection came from Frostwire. I'm fairly certain it was a malicious website, but I guess that's really beside the point right now.

    I ran HijackThis and checked and fixed the specified files (except for the Viewpoint file(s), which disappeared, I'm assuming, upon uninstallation).

    Malwarebytes didn't install properly, but I was prepared this time. I installed it on another computer and copied the .exe file onto this one. I put it in the proper place after installation, updated it, and ran the scan:

    Malwarebytes' Anti-Malware 1.41
    Database version: 3048
    Windows 5.1.2600 Service Pack 3

    10/28/2009 5:22:55 PM
    mbam-log-2009-10-28 (17-22-55).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 179181
    Time elapsed: 1 hour(s), 45 minute(s), 57 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 3
    Registry Keys Infected: 4
    Registry Values Infected: 3
    Registry Data Items Infected: 3
    Folders Infected: 0
    Files Infected: 5

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    c:\WINDOWS\system32\tokibete.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\henebevi.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\dimisawo.dll (Trojan.Vundo) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{60e54b62-ca6c-4ec6-87ea-affe8bc07690} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\seneka (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\seneka (Malware.Trace) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gifirarez (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{60e54b62-ca6c-4ec6-87ea-affe8bc07690} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\fehiwudow (Trojan.Vundo.H) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\tokibete.dll -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\tokibete.dll -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\WINDOWS\system32\tokibete.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\henebevi.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\dimisawo.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\tijezaze.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Garrett\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.

    When I rebooted, I got a TORRENT of error messages that were titled "[so-and-so].exe - Bad Image" with the body text "The application or DLL C:\WINDOWS\system32\[either 'henebevi' or 'tokibete'].dll is not a valid Windows image. Please check this against your installation diskette." Each of my start-up items (the .exe's in the warning box titles) had an error message for each of the malicious .dll files. There was a different error message toward the end, but I'm afraid I missed it.

    I've opened Firefox and played around a bit. Nothing seems to be going wrong now, and Ad-Aware has stopped yelling at me about malicious processes going on. I believe I owe you a drink, sir.

    If I missed anything, just let me know.

  8. #8
    Join Date
    Aug 2006
    Posts
    2,763
    COOL! I'm glad that you had the resources to inject MBAM.EXE

    It sounds like a useful process to add to the anti-malware arsenal..

    If you are booted in normal mode and logged in as administrator, go through and delete/clear out temporary files: C:\documents and settings\****\TEMP\ and delete/clear out temporary internet files. Some of the temporary internet files may be your cookies that are used to log into forums/mail etc.. Be sure you know your passwords so that you can log into mail/forums etc., as deleting the temporary internet files will also delete the login credentials for such sites.

    Turn off system restore, if you have not already done so.

    Once you have the temp files cleared out, you need to address the error regarding "bad image" as well as the error towards the end. If the files mentioned in the error are ones that have been cleaned by MBAM, it could just be residual registry entries that can be cleared up with hijackthis or another application called crapcleaner... Could be worse; the malware could have injected itself into the windows cab files, and will be ready to bring itself back to life at some random time..

    While still logged in as administrator, and having already cleared the temp files, run hijackthis again and post a new hijackthis log.

  9. #9
    I was able to delete all but one file from TEMP: thumbs.db. I got a warning that it was a system file, so I thought I'd better just leave it until I know any more about it.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:03:32 PM, on 10/28/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\S24EvMon.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\WINDOWS\system32\RegSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\TpShocks.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    C:\IBMTOOLS\UTILS\ibmprc.exe
    C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
    C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    C:\Program Files\Logitech\QuickCam\Quickcam.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Thunderbird\thunderbird.exe
    C:\Program Files\Trillian\trillian.exe
    C:\Program Files\iTunes\iTunes.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Documents and Settings\Garrett\My Documents\Virus Cleanup\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.32.0\gears.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
    O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
    O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
    O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
    O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Documents and Settings\Garrett\My Documents\Virus Cleanup\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.32.0\gears.dll
    O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.32.0\gears.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [JAVA_IBM] Java (IBM)
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos...ineScanner.cab
    O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...nt/swflash.cab
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: henebevi.dll
    O20 - Winlogon Notify: wvUkJcAT - wvUkJcAT.dll (file missing)
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Update Service (gupdate1c99c9f4f87c110) (gupdate1c99c9f4f87c110) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
    O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
    O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
    O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

    --
    End of file - 11487 bytes
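The two logs above illustrate the same point from both sides: the Malwarebytes log in post #7 marks three Vundo DLLs "Delete on reboot" and removes an AppInit_DLLs value pointing at one of them, the "Bad Image" errors at the next logon come from processes still being told to load a DLL that is gone, and the HijackThis log in post #9 still carries an O20 AppInit_DLLs entry for henebevi.dll plus several "(file missing)" entries. The following Python script is an added example (not code from the thread or from either tool) that triages a HijackThis log for exactly these residual autostart entries and cross-checks it against the MBAM "Delete on reboot" list. The log excerpts inside it are constructed from the entry formats seen in the thread, and the severity rules are my own heuristics, not anything either product documents.

```python
import re
from dataclasses import dataclass
from typing import Iterator

# Constructed excerpts in the formats of the two logs in the thread (not the full logs).
SAMPLE_HJT = r"""
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
O20 - AppInit_DLLs: henebevi.dll
O20 - Winlogon Notify: wvUkJcAT - wvUkJcAT.dll (file missing)
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

SAMPLE_MBAM = r"""
Memory Modules Infected:
c:\WINDOWS\system32\tokibete.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\henebevi.dll (Trojan.Vundo) -> Delete on reboot.
Files Infected:
C:\WINDOWS\system32\tijezaze.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. O20
    severity: str  # "high" or "medium" (heuristic, assumed for this example)
    reason: str
    line: str


HJT_LINE = re.compile(r"^(?P<sec>[RFOS]\d{1,2}) - (?P<body>.*)$")
FILE_MISSING = re.compile(r"\(file missing\)$")
ABS_PATH = re.compile(r"[A-Za-z]:\\")
MBAM_PENDING = re.compile(r"^(?P<path>[A-Za-z]:\\[^()]+?) \(.+\) -> Delete on reboot\.$", re.IGNORECASE)
# Run keys under the SYSTEM and Default-user hives: autostarts no interactive user configured.
SYSTEM_HIVES = ("HKUS\\S-1-5-18\\", "HKUS\\.DEFAULT\\")


def hjt_entries(text: str) -> Iterator[tuple[str, str, str]]:
    """Yield (section, body, full line) for every HijackThis entry line."""
    for raw in text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if m:
            yield m.group("sec"), m.group("body"), line


def triage(text: str) -> list[Finding]:
    """Flag autostart entries that commonly survive a partial clean-up."""
    findings: list[Finding] = []
    for sec, body, line in hjt_entries(text):
        if FILE_MISSING.search(body):
            findings.append(Finding(sec, "medium",
                "entry points at a file that no longer exists; residual registry data from a removed component", line))
            continue
        if sec == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = body.split(":", 1)[1].strip()
            if dlls:
                findings.append(Finding(sec, "high",
                    f"AppInit_DLLs loads {dlls} into every process that maps user32.dll; "
                    "once the DLL is deleted each of those processes raises a 'Bad Image' error", line))
        elif sec == "O20" and body.startswith("Winlogon Notify:"):
            findings.append(Finding(sec, "high", "Winlogon Notify package is loaded into winlogon.exe at logon", line))
        elif sec == "O4" and body.startswith(SYSTEM_HIVES):
            m = re.search(r"\] (?P<cmd>.+?) \(User ", body)
            cmd = m.group("cmd") if m else body
            if not ABS_PATH.search(cmd):
                findings.append(Finding(sec, "medium",
                    "Run entry in the SYSTEM or Default hive starts a bare file name resolved by path search", line))
    return findings


def pending_deletes(mbam_text: str) -> set[str]:
    """Base names of files MBAM could only schedule for removal ('Delete on reboot')."""
    names: set[str] = set()
    for raw in mbam_text.splitlines():
        m = MBAM_PENDING.match(raw.strip())
        if m:
            names.add(m.group("path").rsplit("\\", 1)[-1].lower())
    return names


def still_referenced(hjt_text: str, names: set[str]) -> list[tuple[str, str]]:
    """HijackThis entries that still name a file MBAM marked for deletion: the 'Bad Image' sources."""
    hits: list[tuple[str, str]] = []
    for _sec, body, line in hjt_entries(hjt_text):
        low = body.lower()
        for name in sorted(names):
            if name in low:
                hits.append((name, line))
    return hits


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"[{f.severity}] {f.section}: {f.reason}\n    {f.line}")
    for name, line in still_referenced(SAMPLE_HJT, pending_deletes(SAMPLE_MBAM)):
        print(f"still referenced after MBAM: {name} in {line}")
```

Run against the constructed excerpts, `still_referenced` returns the O20 AppInit_DLLs line for henebevi.dll, which is the entry a second pass with HijackThis (as post #8 suggests) would need to clear; the "(file missing)" findings are the orphaned entries that produce the remaining error pop-ups without loading any code.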

  10. #10
    Google search result redirection is happening again, and so are the Firefox pop-ups.

    The pop-ups are several tabs based on my recent Google searches.

    ~edit by admin/ links removed
    Last edited by cauzomb; 10-29-2009 at 02:11 PM. Reason: removing links
