robhatesviruses
2009-11-12, 23:07
I'm having problems removing all of virtumonde. Below is my log. Every second website I type into browser comes up with fake warning wanting me to buy "anti-virus plus." I've scanned system with current spybot, symantic, windows malicious software removal tool, and symantic's virtumonde removal tool.
Below is my log:
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\TSSchBkpService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Timeslips\TSTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Antivirus Plus BHO - {C2B5AAB8-2183-4be7-81A6-F11493C45872} - C:\WINDOWS\system32\config\systemprofile\Application Data\AntiVirus Plus\AntiVirus Plus.70367200.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [TSTimer] "C:\Program Files\Timeslips\TSTimer.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - S-1-5-18 Startup: AntiVirus Plus.lnk = C:\WINDOWS\system32\ (User 'SYSTEM')
O4 - .DEFAULT Startup: AntiVirus Plus.lnk = C:\WINDOWS\system32\rundll32.exe (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .efp: C:\Program Files\Internet Explorer\Plugins\NPEFPrn.dll
O12 - Plugin for .efv: C:\Program Files\Internet Explorer\Plugins\NPEFV.dll
O12 - Plugin for .fmp: C:\Program Files\Internet Explorer\Plugins\NPFMP.dll
O12 - Plugin for .fmr: C:\Program Files\Internet Explorer\Plugins\NPFME.dll
O12 - Plugin for .ifx: C:\Program Files\Internet Explorer\Plugins\NPWebPrn.dll
O12 - Plugin for .lfx: C:\Program Files\Internet Explorer\Plugins\NPLaunch.dll
O12 - Plugin for .mwp: C:\Program Files\Internet Explorer\Plugins\NPMWPrn.dll
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\Plugins\NPTVP.dll
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://lawserver/ConnectComputer/nshelp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1258001085779
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1258010374937
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://lawserver/Remote/msrdp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = KellerGrover.com
O17 - HKLM\Software\..\Telephony: DomainName = KellerGrover.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = KellerGrover.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = KellerGrover.com
O20 - AppInit_DLLs: c:\windows\system32\ gofadadi.dll c:\windows\system32\yaturite.dll c:\windows\system32\refurepo.dll c:\windows\system32\ rujazeke.dll c:\windows\system32\fibanana.dll c:\windows\system32\ c:\windows\system32\zojitiyu.dll c:\windows\system32\ c:\windows\system32\tunayiri.dll c:\windows\system32\ c:\windows\system32\
O21 - SSODL: gajupinuz - {d8a674e6-2c9a-4db5-a470-40317fedf47f} - c:\windows\system32\yaturite.dll (file missing)
O21 - SSODL: yudiduneb - {4fba0202-e885-4019-be78-d5c25c1e6190} - c:\windows\system32\refurepo.dll (file missing)
O21 - SSODL: tahefifod - {728b1413-a35b-4f71-87a6-f9cf29d90b5d} - c:\windows\system32\fibanana.dll (file missing)
O21 - SSODL: sililosuw - {59051de2-4d45-4e4b-a107-886514f80e66} - c:\windows\system32\zojitiyu.dll (file missing)
O21 - SSODL: vewekugim - {1c673cec-9540-422c-be85-7592e69839e3} - c:\windows\system32\tunayiri.dll (file missing)
O21 - SSODL: dudopuvik - {bbdc905c-3cb5-4d4e-9644-5953f2ed6787} - c:\windows\system32\fehamito.dll (file missing)
O21 - SSODL: bagowuvut - {68a24f38-21cd-4fa8-960d-8f3f7c768314} - c:\windows\system32\nifisito.dll (file missing)
O22 - SharedTaskScheduler: tokatiluy - {d8a674e6-2c9a-4db5-a470-40317fedf47f} - c:\windows\system32\yaturite.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {4fba0202-e885-4019-be78-d5c25c1e6190} - c:\windows\system32\refurepo.dll (file missing)
O22 - SharedTaskScheduler: tokatiluy - {728b1413-a35b-4f71-87a6-f9cf29d90b5d} - c:\windows\system32\fibanana.dll (file missing)
O22 - SharedTaskScheduler: gahurihor - {59051de2-4d45-4e4b-a107-886514f80e66} - c:\windows\system32\zojitiyu.dll (file missing)
O22 - SharedTaskScheduler: mujuzedij - {1c673cec-9540-422c-be85-7592e69839e3} - c:\windows\system32\tunayiri.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {bbdc905c-3cb5-4d4e-9644-5953f2ed6787} - c:\windows\system32\fehamito.dll (file missing)
O22 - SharedTaskScheduler: tokatiluy - {68a24f38-21cd-4fa8-960d-8f3f7c768314} - c:\windows\system32\nifisito.dll (file missing)
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TimeslipsBackup (TSScheduleBackup) - Unknown owner - C:\WINDOWS\system32\TSSchBkpService.exe
--
End of file - 11536 bytes
I'm running Windows XP, SP3.
Below is what the hijacker places on my browser screen:
"Insecure Internet activity. Threat of virus attackDue to insecure Internet browsing your PC can easily get infected with viruses, worms and trojans without your knowledge, and that can lead to system slowdown, freezes and crashes.
Also insecure Internet activity can result in revealing your personal information.
To get full advanced real-time protection for PC and Internet activity, register Antivirus Plus.
We recommend you to protect your PC now and continue safe Internet browsing.
Click here to get full advanced real-time protection and continue browsing.
Continue to this website unprotected (not recommended). "
Below is my log:
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\TSSchBkpService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Timeslips\TSTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Antivirus Plus BHO - {C2B5AAB8-2183-4be7-81A6-F11493C45872} - C:\WINDOWS\system32\config\systemprofile\Application Data\AntiVirus Plus\AntiVirus Plus.70367200.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [TSTimer] "C:\Program Files\Timeslips\TSTimer.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - S-1-5-18 Startup: AntiVirus Plus.lnk = C:\WINDOWS\system32\ (User 'SYSTEM')
O4 - .DEFAULT Startup: AntiVirus Plus.lnk = C:\WINDOWS\system32\rundll32.exe (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .efp: C:\Program Files\Internet Explorer\Plugins\NPEFPrn.dll
O12 - Plugin for .efv: C:\Program Files\Internet Explorer\Plugins\NPEFV.dll
O12 - Plugin for .fmp: C:\Program Files\Internet Explorer\Plugins\NPFMP.dll
O12 - Plugin for .fmr: C:\Program Files\Internet Explorer\Plugins\NPFME.dll
O12 - Plugin for .ifx: C:\Program Files\Internet Explorer\Plugins\NPWebPrn.dll
O12 - Plugin for .lfx: C:\Program Files\Internet Explorer\Plugins\NPLaunch.dll
O12 - Plugin for .mwp: C:\Program Files\Internet Explorer\Plugins\NPMWPrn.dll
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\Plugins\NPTVP.dll
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://lawserver/ConnectComputer/nshelp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1258001085779
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1258010374937
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://lawserver/Remote/msrdp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = KellerGrover.com
O17 - HKLM\Software\..\Telephony: DomainName = KellerGrover.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = KellerGrover.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = KellerGrover.com
O20 - AppInit_DLLs: c:\windows\system32\ gofadadi.dll c:\windows\system32\yaturite.dll c:\windows\system32\refurepo.dll c:\windows\system32\ rujazeke.dll c:\windows\system32\fibanana.dll c:\windows\system32\ c:\windows\system32\zojitiyu.dll c:\windows\system32\ c:\windows\system32\tunayiri.dll c:\windows\system32\ c:\windows\system32\
O21 - SSODL: gajupinuz - {d8a674e6-2c9a-4db5-a470-40317fedf47f} - c:\windows\system32\yaturite.dll (file missing)
O21 - SSODL: yudiduneb - {4fba0202-e885-4019-be78-d5c25c1e6190} - c:\windows\system32\refurepo.dll (file missing)
O21 - SSODL: tahefifod - {728b1413-a35b-4f71-87a6-f9cf29d90b5d} - c:\windows\system32\fibanana.dll (file missing)
O21 - SSODL: sililosuw - {59051de2-4d45-4e4b-a107-886514f80e66} - c:\windows\system32\zojitiyu.dll (file missing)
O21 - SSODL: vewekugim - {1c673cec-9540-422c-be85-7592e69839e3} - c:\windows\system32\tunayiri.dll (file missing)
O21 - SSODL: dudopuvik - {bbdc905c-3cb5-4d4e-9644-5953f2ed6787} - c:\windows\system32\fehamito.dll (file missing)
O21 - SSODL: bagowuvut - {68a24f38-21cd-4fa8-960d-8f3f7c768314} - c:\windows\system32\nifisito.dll (file missing)
O22 - SharedTaskScheduler: tokatiluy - {d8a674e6-2c9a-4db5-a470-40317fedf47f} - c:\windows\system32\yaturite.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {4fba0202-e885-4019-be78-d5c25c1e6190} - c:\windows\system32\refurepo.dll (file missing)
O22 - SharedTaskScheduler: tokatiluy - {728b1413-a35b-4f71-87a6-f9cf29d90b5d} - c:\windows\system32\fibanana.dll (file missing)
O22 - SharedTaskScheduler: gahurihor - {59051de2-4d45-4e4b-a107-886514f80e66} - c:\windows\system32\zojitiyu.dll (file missing)
O22 - SharedTaskScheduler: mujuzedij - {1c673cec-9540-422c-be85-7592e69839e3} - c:\windows\system32\tunayiri.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {bbdc905c-3cb5-4d4e-9644-5953f2ed6787} - c:\windows\system32\fehamito.dll (file missing)
O22 - SharedTaskScheduler: tokatiluy - {68a24f38-21cd-4fa8-960d-8f3f7c768314} - c:\windows\system32\nifisito.dll (file missing)
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TimeslipsBackup (TSScheduleBackup) - Unknown owner - C:\WINDOWS\system32\TSSchBkpService.exe
--
End of file - 11536 bytes
I'm running Windows XP, SP3.
Below is what the hijacker places on my browser screen:
"Insecure Internet activity. Threat of virus attackDue to insecure Internet browsing your PC can easily get infected with viruses, worms and trojans without your knowledge, and that can lead to system slowdown, freezes and crashes.
Also insecure Internet activity can result in revealing your personal information.
To get full advanced real-time protection for PC and Internet activity, register Antivirus Plus.
We recommend you to protect your PC now and continue safe Internet browsing.
Click here to get full advanced real-time protection and continue browsing.
Continue to this website unprotected (not recommended). "