Spyware 201

Blacken

Robespierre in a Cape
SoSH Member
Jul 24, 2007
12,152
QUOTE (OregonSoxFan @ Feb 10 2010, 03:28 PM)
Okay, last week one of my office computers got hit with a Vundo infection. At the time, I was still running AVG, have since switched to Microsoft Security Essentials and sought their phone support yesterday to clean up the mess, all to no avail. Despite finding and removing 4 Vundo files during last night's scan, I'm still getting pop-ups and it also disables MSE's update service.

Is my only solution to back up data and do a fresh install?
MBAM should get it. Or, as Harry pointed out, there are

That said, I'd do a fresh install anyway. Rule of thumb is, once you're owned, you don't have any assurances that you haven't been owned somewhere you can't detect.

Are you an IT guy? Or is this a small business?
 

OregonSoxFan

New Member
Jul 14, 2005
17
QUOTE (Blacken @ Feb 11 2010, 10:31 AM)
Are you an IT guy? Or is this a small business?

Sort of yes to both. Solo lawyer and semi geek who tries to take care of most issues myself. My IT guy calls me his "most geeky" client.

MBAM installed as suggested by Harry appears to have done the trick, although MSE in its daily scan last night did detect and remove one more instance of the infection. Haven't had any further problems so far today.
 

Blacken

Robespierre in a Cape
SoSH Member
Jul 24, 2007
12,152
Ahh, gotcha.

If you have multiple computers that are mostly similar, I might look into a disk imaging solution. Build a computer once, image it (creating a file you can store on an external drive or something) - if a computer gets trashed, just re-image it. Don't know if you want to spend that much time, but it makes dealing with this shit a lot easier. (Doing it for one of my clients right now, just sitting here waiting for the copy to finish.)
 

DrBlinky

Member
SoSH Member
Jun 18, 2002
825
Cranston, RI
QUOTE (The Four Peters @ Feb 9 2010, 07:59 PM)
Ok, found a hidden McAfee Folder in C:\ProgramData that has a few things in it that are pretty unrecognizable. Yet nothing regarding McAfee comes up in Add/Remove programs or the CC Cleaner Uninstall window. I'm guessing just straight deleting the folder probably isn't the way to go, right?

Check out the McAfee Consumer Products Removal tool (MCPR.exe) found here. It might be able to find and clean up the McAfee installation.
 

OregonSoxFan

New Member
Jul 14, 2005
17
QUOTE (Blacken @ Feb 11 2010, 11:45 AM)
If you have multiple computers that are mostly similar, I might look into a disk imaging solution. Build a computer once, image it (creating a file you can store on an external drive or something) - if a computer gets trashed, just re-image it.


What imaging software would you recommend? I'm currently using SyncToy to back up my data to an external drive.
 

Blacken

Robespierre in a Cape
SoSH Member
Jul 24, 2007
12,152
Well, I'm a nerd and I'm poor, so I just use Linux and the dd command. We use Norton Ghost at work, though, and it's pretty easy to get along with.
 

NomoMrNiceGuy

Member
SoSH Member
Oct 18, 2007
188
NYC
QUOTE (OregonSoxFan @ Feb 10 2010, 03:28 PM)
Okay, last week one of my office computers got hit with a Vundo infection. At the time, I was still running AVG, have since switched to Microsoft Security Essentials and sought their phone support yesterday to clean up the mess, all to no avail. Despite finding and removing 4 Vundo files during last night's scan, I'm still getting pop-ups and it also disables MSE's update service.

Is my only solution to back up data and do a fresh install?


Echoing some other comments on removal, I would ensure that you've disabled System Restore, then run this Vundo Fix from Safe Mode - http://www.atribune.org/ccount/click.php?id=4

We'd need to see the vundo.txt file if it's unsuccessful.

If that doesn't fix it, use VirtumondoBeGone - http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

It's probably a good idea to use something like Process Explorer to help map what's running to its executable.
http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx

Going forward, imaging software is certainly the best option...assuming you have similar hardware. In cases like this, it's a time issue and you're often better served to return to a safe image than to work with removal tools.
 

TFP

Moderator
SoSH Member
Dec 10, 2007
20,380
QUOTE (DrBlinky @ Feb 12 2010, 12:52 AM)
Check out the McAfee Consumer Products Removal tool (MCPR.exe) found here. It might be able to find and clean up the McAfee installation.

Gene Tenace to the plate. Annnnnd whammy.

This got it. Thanks.
 

Oil Can Dan

Well-Known Member
Lifetime Member
SoSH Member
Jul 31, 2003
8,014
0-3 to 4-3
So I got nailed with this Antispyware 2010 virus. Nasty stuff. This happened on my work laptop, and after reading all 11 pages of this thread I'm thinking the best thing for me to do is to have IT reformat the whole thing tomorrow morning. So, before I do that I thought I'd ask a couple questions:

1. Will taking documents and pictures off the laptop via thumb drive cause any potential danger to the reformatted computer?
2. How do I get my iTunes music library off the work computer and onto another? I am obviously a total idiot because I'm not finding an easy answer anywhere. Also, I should de-authorize the computer as I have apparently used up all 5 of my freebies so far.

I can't seem to do jack on the laptop as things stand. I'm prevented from opening the Task Folder, so I'm a slave to the various popups. Awful, frustrating shit. My own fault though - I'm pretty sure I know where I got the virus from.

Any help is appreciated!
 

kneemoe

Member
SoSH Member
Dec 19, 2006
2,436
Glens Falls, NY
QUOTE (Oil Can Dan @ Feb 15 2010, 03:01 PM)
So I got nailed with this Antispyware 2010 virus. Nasty stuff. This happened on my work laptop, and after reading all 11 pages of this thread I'm thinking the best thing for me to do is to have IT reformat the whole thing tomorrow morning. So, before I do that I thought I'd ask a couple questions:

1. Will taking documents and pictures off the laptop via thumb drive cause any potential danger to the reformatted computer?
2. How do I get my iTunes music library off the work computer and onto another? I am obviously a total idiot because I'm not finding an easy answer anywhere. Also, I should de-authorize the computer as I have apparently used up all 5 of my freebies so far.

I can't seem to do jack on the laptop as things stand. I'm prevented from opening the Task Folder, so I'm a slave to the various popups. Awful, frustrating shit. My own fault though - I'm pretty sure I know where I got the virus from.

Any help is appreciated!


That's actually a pretty easy one to get rid of, usually. It'll reside in your Docs & Settings/User (replace with your username)/Local Settings/Temp folder and be some randomly named (gibberish) .exe; it'll get called in the registry under the 'local user/software/microsoft/windows/current version/run' key, and you can just delete that entry (sometimes you need to hack out the infection first, as it will often make regedit not run).
You can usually find it easiest by date-sorting that folder.
After you do that, update Flash and Adobe Reader, and any security updates IE might need. Don't know which fix does it, but those updates usually make it so I don't have to revisit the same machine (whereas when I don't update those....)
 

Oil Can Dan

Well-Known Member
Lifetime Member
SoSH Member
Jul 31, 2003
8,014
0-3 to 4-3
All I know is that I had upwards of 15 different trojans and everything was pretty messed up to the point that I wowed the head of my IT department. We reformatted everything and started from scratch. All appears good now, except I'm not sure about my iTunes Battlestar Galactica purchases. :)
 

IpswichSox

Member
SoSH Member
Jul 14, 2005
2,792
Suburbs of Washington, DC
My wife's computer has Vista Antivirus 2010. She also had this previously (2009 version?), and I think then I removed it with Malwarebytes. But a quick and full Malwarebytes scan didn't detect the 2010 version (I updated Malwarebytes before doing the scans). There are a lot of Antivirus 2010 removal tools and techniques posted online -- is there one that's preferred or one that I should use? Thanks.
 

sittingstill

Well-Known Member
Lifetime Member
SoSH Member
Jul 17, 2005
1,585
Bay State Road
QUOTE (IpswichSox @ Feb 24 2010, 03:18 PM)
My wife's computer has Vista Antivirus 2010. She also had this previously (2009 version?), and I think then I removed it with Malwarebytes. But a quick and full Malwarebytes scan didn't detect the 2010 version (I updated Malwarebytes before doing the scans). There are a lot of Antivirus 2010 removal tools and techniques posted online -- is there one that's preferred or one that I should use? Thanks.

My brother just called and has some version of Vista Antivirus--not sure if it's 2009 or 2010. Trying to research it online, I found this page, which seems to suggest that you need an extra step--that you can't download Malwarebytes to the infected machine itself but need to download it on a clean one and transfer it via a drive. Seems like the report from IpswichSox might bear this out. Thoughts?
 

PortlandSoxFan

Father of Idontgiveafuckism
Lifetime Member
SoSH Member
Guy at work has the XP Antivirus 2010...he already had Malwarebytes, so I booted into safe mode, updated, scanned...it found a couple of things and I thought it was gone.

However, THIS tricky little bugger does not completely disable Malwarebytes...it lets it update, but to a file older than what detects it (I didn't look at the date; I was just happy it let me update). I then installed the Microsoft product, as well as running a boot-time scan with Avast (I've found Security Essentials and Avast work fine hand in hand). Thought it was all set...until he restarted and logged in...there it was again.

http://forums.malwarebytes.org/index.php?showtopic=38629

I did all the fixes as Administrator, not as him, so that may have been an issue. I'm logged in as him in safe mode now, and this bugger is still active and 'warning' me. Malwarebytes updated to a

Evidently there is an extra step; you need to rename mbam.exe to mbam.com...then run it and update it and scan, and it will work properly and remove the annoying bugger.
 

sfip

directly related to Marilyn Monroe
Lifetime Member
SoSH Member
Apr 19, 2003
7,838
Philadelphia suburb
Any tips on how to stop these popups?
linksadoor.com
theinternetsurvey.com
thewebsitesurvey.com

I have ZoneAlarm (no I'm not replacing that), Firefox and Adblock Plus. I added all 3 sites with an asterisk after it to my Adblock Plus Preferences. I did the right-click>>Adblock Plus: block image on every image I could try on those 3 sites, but I still get popups from all 3.
 

bosox4283

Well-Known Member
Gold Supporter
SoSH Member
Mar 2, 2004
4,673
Philadelphia
I just ran a HijackThis scan, and as instructed, I am posting the scan results here:




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:44:22 AM, on 3/28/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\MSN Toolbar\Platform\4.0.0346.1\mswinext.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Kevin Brown\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Kevin Brown\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\Kevin Brown\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/accounts/ServiceLogi...mp;ltmplcache=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MSN Toolbar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\4.0.0346.1\npwinext.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: MSN Toolbar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\4.0.0346.1\npwinext.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [TalkAndWrite] C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\1163D2B46CC742E5A3CC9E4157887751\TalkAndWrite.exe /run
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [MSN Toolbar] "C:\Program Files\MSN Toolbar\Platform\4.0.0346.1\mswinext.exe"
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Kevin Brown\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [VoipBuster] "C:\Program Files\VoipBuster.com\VoipBuster\VoipBuster.exe" -nosplash -minimized
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://pinkemc.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://pinkemc.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D6E0B119-DCF2-4CD6-8DFB-7CFF1B70F7FF} (TeamOn Import Object) - https://bis.na.blackberry.com/html/web/clie...ls/TOImport.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://juniper.net/dana-cached/sc/JuniperSetupClient.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe


Thanks for all your help. This topic has been incredibly informative and useful.
 

OCST

Sunny von Bulow
SoSH Member
Jan 10, 2004
24,483
The 718
Just want to thank everyone in this thread, especially the original poster. My laptop caught something nasty and I had to reformat it. It wasn't nearly as hard as I thought it would be. I'm fine now and running Malwarebytes and Microsoft Security Essentials.

Thanks again.
 

IpswichSox

Member
SoSH Member
Jul 14, 2005
2,792
Suburbs of Washington, DC
Is Microsoft Security Essentials better than McAfee or another fee-based AV?

I have a McAfee subscription expiring next month, and I need to make a decision. For me, it's not a question of financially needing to go with a free AV option, but I'm not interested in throwing cash away either. Thoughts?
 

Blacken

Robespierre in a Cape
SoSH Member
Jul 24, 2007
12,152
QUOTE (IpswichSox @ Apr 15 2010, 11:15 AM)
Is Microsoft Security Essentials better than McAfee or another fee-based AV?

I have a McAfee subscription expiring next month, and I need to make a decision. For me, it's not a question of financially needing to go with a free AV option, but I'm not interested in throwing cash away either. Thoughts?
There are good for-pay AVs. Nothing made by McAfee qualifies, and the difference between the "best" and the "worst" AVs is pretty small. MSE is somewhere between "good enough" and "good", and it's pretty light on system resources.
 

Dogman

Yukon Cornelius
Moderator
SoSH Member
Mar 19, 2004
15,180
Missoula, MT
Blacken,

Something is attacking my machine. The virus has popped up as XP Defender in the tool bar. My firewall has been disabled and I cannot turn it back on. I have the latest Avast and have run 2 boot scans and nothing comes up. I downloaded Windows Defender and ran that scan and nothing comes up. I downloaded Malwarebytes but for some reason the program will not run.

I think the virus came from Maalox's post about Russian Cheerleaders in the things learned recently thread.

What's next?
 

DrBlinky

Member
SoSH Member
Jun 18, 2002
825
Cranston, RI
QUOTE (Dogman2 @ Apr 19 2010, 01:23 PM)
Blacken,

Something is attacking my machine. The virus has popped up as XP Defender in the tool bar. My firewall has been disabled and I cannot turn it back on. I have the latest Avast and have run 2 boot scans and nothing comes up. I downloaded Windows Defender and ran that scan and nothing comes up. I downloaded Malwarebytes but for some reason the program will not run.

I think the virus came from Maalox's post about Russian Cheerleaders in the things learned recently thread.

What's next?

I recently took care of a relative's machine that had been infected with a 'rogue antivirus' malware. I downloaded and then tried to install Malwarebytes, but the malware prevented its installation.

Booting in safe mode, however, allowed me to install Malwarebytes and run it. It took care of the rogue AV problem.

If you haven't yet tried installing Malwarebytes in safe mode, I'd give that a try.
 

Dogman

Yukon Cornelius
Moderator
SoSH Member
Mar 19, 2004
15,180
Missoula, MT
QUOTE (DrBlinky @ Apr 19 2010, 11:56 AM)
I recently took care of a relative's machine that had been infected with a 'rogue antivirus' malware. I downloaded and then tried to install Malwarebytes, but the malware prevented its installation.

Booting in safe mode, however, allowed me to install Malwarebytes and run it. It took care of the rogue AV problem.

If you haven't yet tried installing Malwarebytes in safe mode, I'd give that a try.



How do I go about doing that?
 

DrBlinky

Member
SoSH Member
Jun 18, 2002
825
Cranston, RI
QUOTE (Dogman2 @ Apr 19 2010, 02:07 PM)
How do I go about doing that?

As the machine boots, press F8 a couple of times. You'll get a menu with a variety of different boot options. Usually I would say to choose simply 'Safe Mode'. However, since Malwarebytes isn't yet installed, you'll want to select 'Safe Mode with Networking' so that you can pull down the latest Malwarebytes definition file following its installation. (I had to deal with the same issue regarding downloading the updates to Malwarebytes.)

Note: Since you're not loading all your drivers when starting in safe mode, your display is probably going to look different. Your desktop will probably display in a lower resolution, such as 800x600. When you go back to running in 'normal' mode, it will go back to your prior resolution.
 

Dogman

Yukon Cornelius
Moderator
SoSH Member
Mar 19, 2004
15,180
Missoula, MT
Thanks for the help folks.

New member Ean611 was of major assistance in the great purge. Kudos to him as my system is running better than before.
 

Rod Becks Mullet

Member
SoSH Member
Aug 9, 2001
2,095
NYC
I appear to have a virus that keeps popping up "Desktop Security 2010" windows. From what I've read it's not incredibly harmful, just more annoying than anything else. However, I can't seem to get rid of it. I've got Microsoft Security, but after I run a clean, it still shows a potential threat. Also it's somehow blocked from downloading updates. So I downloaded Malwarebytes (which I've read is supposed to work well on removing it), but for some reason, it won't open. I'm assuming the virus may have something to do with this. Any thoughts?


If it helps, I ran hijack this, and here's my log



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:35:33 AM, on 5/7/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MpCmdRun.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.cbs.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [eBook Library Launcher] C:\Program Files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe
O4 - HKLM\..\Run: [SetupConnectivity] C:\DOCUME~1\Bill\LOCALS~1\Temp\TjAI.exe
O4 - HKLM\..\Run: [mlihffsys] rundll32.exe "yabcde.dll",DllRegisterServer
O4 - HKLM\..\Run: [dddbcddrv] rundll32.exe "jkkhhi.dll",s
O4 - HKLM\..\Run: [vttspndrv] rundll32.exe "wvwtrr.dll",s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ServiceLibrary] c:\docume~1\bill\locals~1\temp\tjai.exe
O4 - HKLM\..\Run: [ErrorReporting] c:\program files\common files\microsoft shared\dw\3082\microsofterror.exe
O4 - HKLM\..\Run: [RICHINKActiveSync] c:\program files\microsoft activesync\richinkmicrosoft.exe
O4 - HKLM\..\Run: [Data32CdrMmc32] C:\program files\real\realplayer\cdburning\realnetworkspdnodewrapper25081.exe
O4 - HKLM\..\Run: [ReportingDWIntl20] c:\program files\common files\microsoft shared\dw\3082\microsofterror.exe
O4 - HKLM\..\RunServices: [AcsInstallSetup] C:\DOCUME~1\Bill\LOCALS~1\Temp\TjAI.exe
O4 - HKLM\..\RunServices: [SonyLibrary9961] c:\docume~1\bill\locals~1\temp\tjai.exe
O4 - HKLM\..\RunServices: [psecuedummycomponent00psecuedummycomponent00] c:\program files\hp\digital imaging\plugins\imagingpsecuedummycomponent00.exe
O4 - HKLM\..\RunServices: [iTunesiPodServiceLocalized] c:\program files\ipod\bin\ipodservice.resources\ko.lproj\ipodservicelocalizeditunes9.0.0.53.exe
O4 - HKLM\..\RunServices: [DataEx32RealNetworks25081] c:\program files\real\realplayer\cdburning\realnetworkspdnodewrapper25081.exe
O4 - HKLM\..\RunServices: [QuickTimeResourcesQuickTime7.6.4] c:\program files\quicktime\qtsystem\quicktimeinternetextras.resources\pl.lproj\quicktimeresourcesquicktime.exe
O4 - HKLM\..\RunServices: [RealNetworksProducts] C:\program files\real\realplayer\cdburning\realnetworkspdnodewrapper25081.exe
O4 - HKLM\..\RunServices: [ReportingError] c:\program files\common files\microsoft shared\dw\3082\microsofterror.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [fmacweuwuok6] C:\Documents and Settings\Bill\Local Settings\Temp\m.282.tmp.exe
O4 - HKCU\..\Run: [vtuturdrv] rundll32.exe "jkkhhi.dll",s
O4 - HKCU\..\Run: [SecurityCenter] C:\Documents and Settings\Bill\Application Data\Desktop Security 2010\securitycenter.exe
O4 - HKCU\..\Run: [opmjkldrv] rundll32.exe "wvwtrr.dll",s
O4 - HKUS\S-1-5-18\..\Run: [tusqomsys] rundll32.exe "yabcde.dll",DllRegisterServer (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [awwxuudrv] rundll32.exe "jkkhhi.dll",s (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [byywxxdrv] rundll32.exe "wvwtrr.dll",s (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [tusqomsys] rundll32.exe "yabcde.dll",DllRegisterServer (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173313210734
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747} - http://pak05.pictures.aol.com/ygp/aol/plug...US.9.1.6.18.cab
O18 - Filter: video/x-flv - {08C72DD4-19AD-49f1-83DA-8542B4D302C5} - C:\DOCUME~1\Bill\LOCALS~1\Temp\F.tmp
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe (file missing)
O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 8675 bytes
 

The_Powa_of_Seiji_Ozawa

Member
SoSH Member
Sep 9, 2006
7,874
SS Botany Bay
QUOTE (Rod Becks Mullet @ May 7 2010, 08:42 AM) index.php?act=findpost&pid=2952189
I appear to have a virus that keeps popping up "Desktop Security 2010" windows. From what I've read it's not incredibly harmful, just more annoying than anything else. However, I can't seem to get rid of it. I've got Microsoft Security, but after I run a clean, it still shows a potential threat. Also it's somehow blocked from downloading updates. So I downloaded Malwarebytes (which I've read is supposed to work well on removing it), but for some reason, it won't open. I'm assuming the virus may have something to do with this. Any thoughts?


If it helps, I ran hijack this, and here's my log



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:35:33 AM, on 5/7/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MpCmdRun.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.cbs.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [eBook Library Launcher] C:\Program Files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe
O4 - HKLM\..\Run: [SetupConnectivity] C:\DOCUME~1\Bill\LOCALS~1\Temp\TjAI.exe
O4 - HKLM\..\Run: [mlihffsys] rundll32.exe "yabcde.dll",DllRegisterServer
O4 - HKLM\..\Run: [dddbcddrv] rundll32.exe "jkkhhi.dll",s
O4 - HKLM\..\Run: [vttspndrv] rundll32.exe "wvwtrr.dll",s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ServiceLibrary] c:\docume~1\bill\locals~1\temp\tjai.exe
O4 - HKLM\..\Run: [ErrorReporting] c:\program files\common files\microsoft shared\dw\3082\microsofterror.exe
O4 - HKLM\..\Run: [RICHINKActiveSync] c:\program files\microsoft activesync\richinkmicrosoft.exe
O4 - HKLM\..\Run: [Data32CdrMmc32] C:\program files\real\realplayer\cdburning\realnetworkspdnodewrapper25081.exe
O4 - HKLM\..\Run: [ReportingDWIntl20] c:\program files\common files\microsoft shared\dw\3082\microsofterror.exe
O4 - HKLM\..\RunServices: [AcsInstallSetup] C:\DOCUME~1\Bill\LOCALS~1\Temp\TjAI.exe
O4 - HKLM\..\RunServices: [SonyLibrary9961] c:\docume~1\bill\locals~1\temp\tjai.exe
O4 - HKLM\..\RunServices: [psecuedummycomponent00psecuedummycomponent00] c:\program files\hp\digital imaging\plugins\imagingpsecuedummycomponent00.exe
O4 - HKLM\..\RunServices: [iTunesiPodServiceLocalized] c:\program files\ipod\bin\ipodservice.resources\ko.lproj\ipodservicelocalizeditunes9.0.0.53.exe
O4 - HKLM\..\RunServices: [DataEx32RealNetworks25081] c:\program files\real\realplayer\cdburning\realnetworkspdnodewrapper25081.exe
O4 - HKLM\..\RunServices: [QuickTimeResourcesQuickTime7.6.4] c:\program files\quicktime\qtsystem\quicktimeinternetextras.resources\pl.lproj\quicktimeresourcesquicktime.exe
O4 - HKLM\..\RunServices: [RealNetworksProducts] C:\program files\real\realplayer\cdburning\realnetworkspdnodewrapper25081.exe
O4 - HKLM\..\RunServices: [ReportingError] c:\program files\common files\microsoft shared\dw\3082\microsofterror.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [fmacweuwuok6] C:\Documents and Settings\Bill\Local Settings\Temp\m.282.tmp.exe
O4 - HKCU\..\Run: [vtuturdrv] rundll32.exe "jkkhhi.dll",s
O4 - HKCU\..\Run: [SecurityCenter] C:\Documents and Settings\Bill\Application Data\Desktop Security 2010\securitycenter.exe
O4 - HKCU\..\Run: [opmjkldrv] rundll32.exe "wvwtrr.dll",s
O4 - HKUS\S-1-5-18\..\Run: [tusqomsys] rundll32.exe "yabcde.dll",DllRegisterServer (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [awwxuudrv] rundll32.exe "jkkhhi.dll",s (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [byywxxdrv] rundll32.exe "wvwtrr.dll",s (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [tusqomsys] rundll32.exe "yabcde.dll",DllRegisterServer (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173313210734
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747} - http://pak05.pictures.aol.com/ygp/aol/plug...US.9.1.6.18.cab
O18 - Filter: video/x-flv - {08C72DD4-19AD-49f1-83DA-8542B4D302C5} - C:\DOCUME~1\Bill\LOCALS~1\Temp\F.tmp
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe (file missing)
O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 8675 bytes

I had a similar problem on one of my older machines and it turns out the trigger for this thing was buried in the Windows backup/System restore files. Some antivirus/antimalware programs don't always do a thorough job of digging that deep. I've had good results with the new Symantec/Norton Endpoint (the previous AV version was horrible, bloated and ineffective).
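As a worked example of reading a HijackThis log like the one quoted above, here is a small Python triage script. It is added here and is not part of this thread or of HijackThis; the sample lines are a subset copied from the posted log, while the heuristics (autostart entries running from a Temp folder, rundll32 loading a DLL by bare name, entries in the legacy RunServices key, paths naming the rogue "Desktop Security 2010" product, and a MIME filter backed by a .tmp file) are my own assumptions about what a defender would flag for review, not verdicts from the tool.

```python
import re

# Constructed sample: a subset of the O4/O18/O23 lines from the log quoted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [SetupConnectivity] C:\DOCUME~1\Bill\LOCALS~1\Temp\TjAI.exe
O4 - HKLM\..\Run: [mlihffsys] rundll32.exe "yabcde.dll",DllRegisterServer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [ReportingError] c:\program files\common files\microsoft shared\dw\3082\microsofterror.exe
O4 - HKCU\..\Run: [SecurityCenter] C:\Documents and Settings\Bill\Application Data\Desktop Security 2010\securitycenter.exe
O4 - HKUS\S-1-5-18\..\Run: [awwxuudrv] rundll32.exe "jkkhhi.dll",s (User 'SYSTEM')
O18 - Filter: video/x-flv - {08C72DD4-19AD-49f1-83DA-8542B4D302C5} - C:\DOCUME~1\Bill\LOCALS~1\Temp\F.tmp
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# O4 line: "O4 - <hive>\..\<key>: [<name>] <command> (User '<who>')?"
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '[^']*'\))?$"
)
# O18 line: "O18 - Filter: <mime> - {CLSID} - <handler path>"
O18_RE = re.compile(r"^O18 - Filter: (?P<mime>\S+) - \{[^}]+\} - (?P<path>.*)$")
# Any path component named Temp (covers LOCALS~1\Temp and Local Settings\Temp).
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# rundll32 given a DLL by bare file name (no directory): the loader resolves it via
# the DLL search path, which legitimate installers almost never rely on.
BARE_DLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^"\\\s,]+\.dll)"?', re.IGNORECASE)
# Rogue "security" products named in this thread (placeholder list; extend as needed).
ROGUE_NAMES = ("desktop security 2010",)


def _reasons_for_o4(key, cmd):
    """Heuristic reasons an O4 autostart entry deserves a closer look."""
    reasons = []
    if TEMP_DIR_RE.search(cmd):
        reasons.append("autostart runs from a Temp directory")
    if BARE_DLL_RE.search(cmd):
        reasons.append("rundll32 loads a DLL by bare name")
    if key == "RunServices":
        # Legacy Windows 9x key; modern installers have no reason to write there.
        reasons.append("legacy RunServices key")
    if any(r in cmd.lower() for r in ROGUE_NAMES):
        reasons.append("path names a known rogue security product")
    return reasons


def triage(log_text):
    """Return [(entry_name, [reasons...])] for each line that trips a heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            reasons = _reasons_for_o4(m["key"], m["cmd"])
            if reasons:
                findings.append((m["name"], reasons))
            continue
        m = O18_RE.match(line)
        if m and (TEMP_DIR_RE.search(m["path"]) or m["path"].lower().endswith(".tmp")):
            findings.append((m["mime"], ["MIME filter handled by a temp file"]))
    return findings


def flagged_names(log_text):
    """Just the names of the flagged entries, in log order."""
    return [name for name, _ in triage(log_text)]


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG):
        print(f"[{name}] " + "; ".join(reasons))
```

Run against the sample, the script leaves the MSE and QuickTime entries alone and flags the Temp-folder executables, the three-letter-salad rundll32 entries, the RunServices entry and the "Desktop Security 2010" path, which matches what the thread identifies as the infection; a flag is a prompt to verify the file, not proof of malware on its own.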
 

DrBlinky

Member
SoSH Member
Jun 18, 2002
825
Cranston, RI
QUOTE (Rod Becks Mullet @ May 7 2010, 08:42 AM) index.php?act=findpost&pid=2952189
I appear to have a virus that keeps popping up "Desktop Security 2010" windows. From what I've read it's not incredibly harmful, just more annoying than anything else. However, I can't seem to get rid of it. I've got Microsoft Security, but after I run a clean, it still shows a potential threat. Also it's somehow blocked from downloading updates. So I downloaded Malwarebytes (which I've read is supposed to work well on removing it), but for some reason, it won't open. I'm assuming the virus may have something to do with this. Any thoughts?

Regarding the installation of Malwarebytes, see my post here. I had a similar situation but was able to install it in safe mode.
 

Harry Hooper

Well-Known Member
Lifetime Member
SoSH Member
Jan 4, 2002
34,368
RBM, did you try the bolded suggestion?

QUOTE (Alcohol&Overcalls @ Apr 19 2010, 06:20 PM) index.php?act=findpost&pid=2910572
Also try turning on file extensions, and changing the mbam.EXE to mbam.COM and running the program that way - should not affect performance, and seems to get around many of the infections.
 

Rod Becks Mullet

Member
SoSH Member
Aug 9, 2001
2,095
NYC
Ah, missed that step. Changing the exe extension seemed to work. Somewhat related question: I had AVG Anti-Virus on my computer, should I uninstall that since I loaded up Malwarebytes? Will that affect how quickly my computer boots and loads, or is it okay to have both?
 

Blacken

Robespierre in a Cape
SoSH Member
Jul 24, 2007
12,152
Malwarebytes and AVG are tools designed to address different issues. Having both is fine.
 

John Marzano Olympic Hero

has fancy plans, and pants to match
Dope
SoSH Member
Apr 12, 2001
24,537
I think that I may have the same problem that some of you guys have had. Basically I am getting a million pop-ups for Antispywaresoft or something similar. In addition, I keep getting notices saying that certain programs are being compromised and that I need to DL this software to stop it.

It's more of a pain in the ass than anything else, it seems to me that the proper course of action is to DL malwarebytes, power down my computer, boot it up in safe mode and install it. Do I have that correct?

Thanks.
 

mascho

Kane is Able
SoSH Member
Nov 30, 2007
14,952
Silver Spring, Maryland
Yeah, my office computer got hit with that Antispyware Soft program as well. Was annoying for 20 minutes, and took about as long to get rid of it. First step was to download Process Explorer so I could actually run a Task Manager-type window, stop all the related applications/processes, and then blow everything away.
 

loshjott

Member
SoSH Member
Dec 30, 2004
14,943
Silver Spring, MD
I'm getting a new Win 7 desktop and I want to install some protective defenses. It will be wired to my Verizon-supplied modem (I have FiOS). From reading this thread and having some general knowledge, this is my plan:

Firewall: rely on Windows firewall that comes with Win 7
Anti-Virus: Avast
Anti-Spyware: Malwarebytes
Browsing: Firefox or Chrome only

Any thoughts on Verizon's security apparatus?

Or other things to install?

Thanks in advance.
 

John Marzano Olympic Hero

has fancy plans, and pants to match
Dope
SoSH Member
Apr 12, 2001
24,537
My father-in-law got a virus--he received an email with a link, clicked on it and the rest is history. Silly mistake. I'm not sure exactly what it is, I thought that it was the one that I got a few weeks ago (the one that we all seem to be getting) but I ran Malware and it did not find anything during the scan. However, his computer is only able to run in safe mode. When we start it in regular mode, nothing works. I can't get into any programs, if we can get into a program, it takes forever to run.

Any ideas?
 

Mystic Merlin

Member
SoSH Member
Sep 21, 2007
46,767
Hartford, CT
Ok, so, I'm having a problem with this anti-virus spyware.

I attempted to install Malwarebytes, but I cannot access certain websites. I cannot access google or other random sites, but I can access some (espn, this one, etc.). How the hell can I get around this?

EDIT - Would transferring the file via flash drive work?
 

Alcohol&Overcalls

Member
SoSH Member
QUOTE (Mystic Merlin @ Jun 10 2010, 01:30 AM) index.php?act=findpost&pid=3015981
Ok, so, I'm having a problem with this anti-virus spyware.

I attempted to install Malwarebytes, but I cannot access certain websites. I cannot access google or other random sites, but I can access some (espn, this one, etc.). How the hell can I get around this?

EDIT - Would transferring the file via flash drive work?


Generally, yes, it would. The virus is redirecting your web traffic, so using a jump drive should work well.

Just a note, often the same virus will make you unable to open mbam.exe (the Malwarebytes file), which can be avoided using the workaround noted above: change the file extension to .com rather than .exe.
 

Bongorific

Thinks he’s clever
SoSH Member
Jul 16, 2005
8,433
Balboa Towers
AVG picked up a threat today while surfing. File name: tmp49221929.exe. Threat name: Trojan horse Generic18.pln

I have the free version of AVG. I can either move the file to the vault, ignore, or view the folder the file is in (local temp). Should I open the temp folder and delete the exe, or is there a better way to do this? It looks like I need the upgraded version of AVG to remove the threat.
 

Jnai

is not worried about sex with goats
SoSH Member
Sep 15, 2007
16,123
I have an odd google redirect that seems to happen once in a while, usually to sites like bargainmatch.com.

MalwareBytes is not picking up anything.

Any suggestions for the next step?
 

Catcher Block

Member
SoSH Member
Mar 7, 2006
5,825
St. Louis
QUOTE (Jnai @ Jul 10 2010, 09:55 AM) index.php?act=findpost&pid=3069009
I have an odd google redirect that seems to happen once in a while, usually to sites like bargainmatch.com.

MalwareBytes is not picking up anything.

Any suggestions for the next step?


I had this problem at work. IT managed to clear the initial infection, but as soon as I rebooted IE and clicked on any links as a result of a google search, I was redirected to similar sites. Like you, Malwarebytes (or SpyBot S&D, for that matter) didn't pick up anything on my machine.

I did a little research and ended up downloading Hitman Pro and ran a scan during the day. Haven't had a problem since.

Hitman Pro Download (via CNET)
 

Nite Vizhun UV

proctological researcher
SoSH Member
Aug 30, 2002
4,646
Shakedown Street
I had been using the Comcast free Norton Antivirus on my 6 year old laptop (XP Pro 2002 SP3) for the past few months (I was using Comcast's free McAfee before that, until they switched to Norton). Ever since installing Norton, whenever I right-clicked on any folder, I would get an error and explorer.exe would crash, closing my task bar briefly before it restarted. I was a fool before, and now I've seen the light. I'm running Microsoft Security Essentials and all is right with the world once again.

I also downloaded and ran Malwarebytes. I think, based on everything I read in this thread, that MSE and Malwarebytes are the only 2 things I need (along with my Windows Firewall of course) for the best protection.



Question regarding the results of my Malwarebytes scan: I wound up with 2 items considered "malicious software". Both are registry items, but their item names give me pause:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify

Are these really "malicious"? Should I go ahead and have Malwarebytes remove them?
 

kneemoe

Member
SoSH Member
Dec 19, 2006
2,436
Glens Falls, NY
QUOTE (Nite Vizhun UV)
I had been using the Comcast free Norton Antivirus on my 6 year old laptop (XP Pro 2002 SP3) for the past few months (I was using Comcast's free McAfee before that, until they switched to Norton). Ever since installing Norton, whenever I right-clicked on any folder, I would get an error and explorer.exe would crash, closing my task bar briefly before it restarted. I was a fool before, and now I've seen the light. I'm running Microsoft Security Essentials and all is right with the world once again.

I also downloaded and ran Malwarebytes. I think, based on everything I read in this thread, that MSE and Malwarebytes are the only 2 things I need (along with my Windows Firewall of course) for the best protection.



Question regarding the results of my Malwarebytes scan: I wound up with 2 items considered "malicious software". Both are registry items, but their item names give me pause:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify

Are these really "malicious"? Should I go ahead and have Malwarebytes remove them?

It's just notifying you that you (or possibly a program) disabled Windows' notification/alerts that would remind you that the firewall/antivirus is not running or up to date. You can safely have Malwarebytes change these, but then you'll get the bubble notification that you've disabled your firewall or whenever your AV isn't perfectly up to date. Frankly I find those annoying and have them disabled too.
 

wibi

Member
SoSH Member
Jul 15, 2005
11,835
QUOTE (Catcher Block)
QUOTE (Jnai @ Jul 10 2010, 09:55 AM) index.php?act=findpost&pid=3069009
I have an odd google redirect that seems to happen once in a while, usually to sites like bargainmatch.com.

MalwareBytes is not picking up anything.

Any suggestions for the next step?

I had this problem at work. IT managed to clear the initial infection, but as soon as I rebooted IE and clicked on any links as a result of a google search, I was redirected to similar sites. Like you, Malwarebytes (or SpyBot S&D, for that matter) didn't pick up anything on my machine.

I did a little research and ended up downloading Hitman Pro and ran a scan during the day. Haven't had a problem since.

Hitman Pro Download (via CNET): http://download.cnet.com/Hitman-Pro-3/3000-2239_4-10895604.html

My SIL just picked this up and Hitman Pro worked like a charm to fix it.