Rico Tetrazini

Red desktop & phony spyware adware

4 posts in this topic

Please help! This nasty bug is resistant to Ad-Aware, Spybot, & Ewido/AVG. It turns the desktop red, puts up phony alert balloons on the status bar, and hijacks IE, sometimes pointing you to their site (via "pt.htm" buried locally) to buy their disinfectant, sometimes just blanking out the IE window.

---------------------------------------------------------

AVG Anti-Spyware - Scan Report

---------------------------------------------------------

+ Created at: 11:22:58 AM 5/31/2007

+ Scan result:

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} -> Adware.Generic : Cleaned with backup (quarantined).

HKU\S-1-5-21-845982908-1996580397-4253646710-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929CD6E-2062-44A4-B2C5-2C7E78FBAB38} -> Adware.Generic : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP310\A0024965.exe -> Backdoor.Small.os : Cleaned with backup (quarantined).

C:\WINDOWS\system32\perfc000.dat -> Backdoor.Small.os : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP315\A0029065.exe -> Downloader.Delf.bld : Cleaned with backup (quarantined).

C:\WINDOWS\zzzx.exe -> Downloader.Delf.bld : Cleaned with backup (quarantined).

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SLMZ8PMR\setup[1].exe -> Downloader.VB.att : Cleaned with backup (quarantined).

C:\WINDOWS\axnes.exe -> Downloader.VB.att : Cleaned with backup (quarantined).

C:\WINDOWS\system32\tmrsrv32.exe -> Downloader.VB.avl : Cleaned with backup (quarantined).

C:\WINDOWS\system32\msorcl32.exe -> Not-A-Virus.Hoax.Win32.Renos.fn : Cleaned with backup (quarantined).

C:\WINDOWS\system32\PLSRemote.exe -> Not-A-Virus.RemoteAdmin.Win32.PLSRemot : Cleaned with backup (quarantined).

C:\Documents and Settings\Administrator\Cookies\administrator@ads.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.

C:\Documents and Settings\Administrator\Cookies\administrator@adtech[1].txt -> TrackingCookie.Adtech : Cleaned.

C:\Documents and Settings\Administrator\Cookies\administrator@cz4.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned.

C:\Documents and Settings\Administrator\Cookies\administrator@ads.cnn[2].txt -> TrackingCookie.Cnn : Cleaned.

C:\Documents and Settings\Administrator\Cookies\administrator@realguide.real[1].txt -> TrackingCookie.Real : Cleaned.

C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@anad.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.

C:\WINDOWS\sysrlb32.exe -> Trojan.Small : Cleaned with backup (quarantined).

::Report end

=============

Hijackthis output to follow.


Logfile of HijackThis v1.99.1

Scan saved at 11:30:48 AM, on 5/31/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\ibmpmsvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\System32\svchost.exe

c:\program files\lenovo\system update\suservice.exe

C:\WINDOWS\system32\TpKmpSVC.exe

C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe

C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\rundll32.exe

C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE

C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe

C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe

C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\NPDTray.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\system32\tp4serv.exe

C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\system32\RunDll32.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Messenger\MSMSGS.EXE

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\NETGEAR\WAG511 Configuration Utility\wlancfg3.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\PawPrint.net\WorldTime\worldtime.exe

C:\Program Files\Internet Explorer\iexplore.exe

c:\zipitpro\zipitfast.exe

C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Administrator/My%20Documents/Stasis%20Oasis.htm

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: msdn_lib.msdn_hlp - {38847C4B-1AB1-4A47-9026-9A6CF7B43D31} - C:\WINDOWS\system32\msdn_lib.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: H - {943CBD6C-F4DE-40e4-AA43-7B964FAE81F1} - C:\WINDOWS\system32\comi.dll (file missing)

O4 - HKLM\..\Run: [s3TRAY2] S3Tray2.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE

O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe

O4 - HKLM\..\Run: [TP4EX] tp4ex.exe

O4 - HKLM\..\Run: [NPDTray] C:\PROGRA~1\ThinkPad\UTILIT~1\NPDTray.exe

O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe

O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

O4 - HKLM\..\Run: [bMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE

O4 - HKLM\..\Run: [bMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor

O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe

O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [bMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor

O4 - HKLM\..\Run: [install.exe] C:\WINDOWS\svchost.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

O4 - Startup: WorldTime.lnk = C:\Program Files\PawPrint.net\WorldTime\worldtime.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: NETGEAR WAG511 Smart Wizard.lnk = ?

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {40F8967E-34A6-474A-837A-CEC1E7DAC54C} - https://accounting.quickbooks.com/c7/v15.585/qboax9.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1128446784720

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1179244072552

O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab

O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c7/v16.607/qboax10.cab

O16 - DPF: {8CE3BAE6-AB66-40B6-9019-41E5282FF1E2} - https://accounting.quickbooks.com/c1/v15.269/qboax8.cab

O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat

O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)

O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll

O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe (file missing)

O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe

O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe

O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

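As an added triage aid (this is example code written for this page, not part of the poster's log and not a HijackThis feature), the script below parses HijackThis-style O2/O4/O20/O23 lines and flags the three patterns that stand out in the log above: an entry marked "(file missing)", an AppInit_DLLs value (here a .dat file, which the AVG report identified as Backdoor.Small.os), and a Run key launching a system-binary name such as svchost.exe from outside system32. The line format, the severity labels and the C:\WINDOWS\system32 location are assumptions of the example; the sample lines are copied from the log above.

```python
r"""Triage heuristics for HijackThis-style log lines.

Added example: not part of the forum post and not HijackThis code.
Assumptions (labelled): the O2/O4/O20/O23 line formats mirror the log
above; the rules and severities are this example's own; system32 is
assumed to live at C:\WINDOWS\system32 as on the poster's XP machine.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the HijackThis log in the post above,
# mixing the suspicious entries with benign ones from the same log.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: H - {943CBD6C-F4DE-40e4-AA43-7B964FAE81F1} - C:\WINDOWS\system32\comi.dll (file missing)
O4 - HKLM\..\Run: [install.exe] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe (file missing)
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
"""

# Windows binaries that malware commonly names itself after; on XP they all
# live in system32, so a Run entry starting one from elsewhere deserves a look.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "smss.exe"}
SYSTEM32_DIR = r"c:\windows\system32"  # assumption: default XP install path

ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
# First drive-letter path up to a known binary extension; tolerates spaces in
# "Program Files" paths and stops before trailing arguments or "(file missing)".
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll|dat|cpl|ocx))\b", re.IGNORECASE)

Finding = Tuple[str, str, str]  # (severity, HijackThis section, reason)


def extract_path(body: str) -> Optional[str]:
    """Return the first file path in an entry body, or None if it has no drive-letter path."""
    m = PATH_RE.search(body)
    return m.group(1) if m else None


def triage_line(line: str) -> List[Finding]:
    """Apply the three heuristics to one log line and return any findings."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    code, body = m.groups()
    findings: List[Finding] = []
    path = extract_path(body)

    # Rule 1: the registry still references a file that is gone. Often a leftover
    # of a partial cleanup, but also how a removed loader or service shows up.
    if body.endswith("(file missing)"):
        findings.append(("medium", code, "entry points at a file that no longer exists"))

    # Rule 2: AppInit_DLLs is loaded into every process that loads user32.dll,
    # so any value is worth review; a non-DLL extension such as .dat is worse.
    if code == "O20" and body.startswith("AppInit_DLLs:"):
        severity = "high" if path is None or not path.lower().endswith(".dll") else "medium"
        findings.append((severity, code, f"AppInit_DLLs loads {path or body}"))

    # Rule 3: a Run key launching a system-binary name from outside system32.
    if code == "O4" and path is not None:
        parent, _, name = path.lower().rpartition("\\")
        if name in SYSTEM_BINARIES and parent != SYSTEM32_DIR:
            findings.append(("high", code, f"{name} launched from {parent} instead of system32"))
    return findings


def triage_log(text: str) -> List[Finding]:
    """Run every line through triage_line and collect findings in log order."""
    findings: List[Finding] = []
    for line in text.splitlines():
        findings.extend(triage_line(line))
    return findings


if __name__ == "__main__":
    for severity, code, reason in triage_log(SAMPLE_LOG):
        print(f"[{severity:6}] {code}: {reason}")
```

Run against the sample, it reports the comi.dll BHO and the PLSRemote service as medium (missing files), and the svchost.exe Run entry and the perfc000.dat AppInit_DLLs value as high. The rules are prompts for review rather than verdicts: a stale "(file missing)" entry can be harmless, and the system32 check keys on a fixed path, so confirm each hit against the scan report before acting on it.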

Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
