First, I want to apologize in advance for the length of my post. I am really distraught and want to see if I can get help, from the forum tech people. If I am posting this in the wrong column or topic, please just point me in the right direction and I will post it there. THANKS IN ADVANCE FOR ANY HELP!!
I am listing all the things I found, did, and sequence of events, if that might possibly help someone give me assistance. I am so upset because I have never had any virus/trojan/malware problems (as far back as Win95, Win98, Win2000, WinXP – sounds like I’m 100, but not). Anyway, NEVER a problem! I always used McAfee, kept it up to date every day, didn’t download from strangers, don’t open email from unknowns, always scan, yadda yadda. About 3 years ago, I was concerned about spyware, so even installed Spybot and LavaSoft's Adaware and ran them on about a monthly basis. Only found a bit of tracking junk here and there.
Now, I'm on a 7 mo-old new out of box HP laptop running Windows Vista 32 home ed, and never had problems with it either, although I switched to Norton 360 for AV, because it seemed like a good price (and trial version came preloaded). I keep it running all the time the computer is on and it is automatically updated every day. Norton never told me there was any problem at all. I also have Windows updates automatically every day – emergency/critical/ you name it, I get it.
Then on Wednesday, 4/2/08 in the evening, I was on the web doing research for some cosmetic (personal) surgery I am considering, (and I don’t want to post what it is here), but all of a sudden I started getting PORN SITES come up, when I was NOT clicking on going to them!! There was stuff popping up all over and I was hitting the X (exit) and trying to go back page STOP Loading, (even tried to close the tabs!). I usually try to remember to run Mozilla's Firefox and didn't, unfortunately I was on IE. :-(
But I had to finally CAD and restart because I could not get the pages to close! They HUNG on to my computer!
But, when Windows came back, all of a sudden, I started receiving strange popups:
** A couple appeared as though they were Windows Security alerts - a RED border and "Security System Warning" c:\windows\wml.exe Abebot - click here to visit PC-Antispyware web site."
(lots of other words), but I had a feeling it was NOT really Windows, or Norton. So, I just closed it and ran a full NORTON scan and it said I had "Trojan.Vunda" - and had to fix it manually. However, the Norton will NOT FIX it (I even logged on as administrator) and it would not fix the vundo item.
As I got to Norton’s web site to look up what to do – next strange thing:
** I noticed I had a "new" toolbar with 3 or 4 new little buttons. That was not right! So, I viewed toolbars and it showed a "stfngdvw" toolbar. Had no idea what that was so I unchecked it and the buttons went away, but it is still listed there. I couldn’t find info on Norton’s site, except for web chat/email with them, but then the next strange thing happened:
** Started getting a popup that shows: "Possible spyware infection detected - Threat Name TrojanDownloader.xs"
** Next even stranger things began to happen: my formerly smooth-running, predictable laptop was acting nuts - I would lose the desktop-- lose everything! Icons, status bar, systray, MOUSE, touch pad. Also, I couldn't open programs, couldn't even shut down!
Had to do HARD crash shutdowns, just to turn it off, several times.
I ran Windows Defender and it found 3 items:
** SideStep (the travel finder side bar, which I rarely use)
** Atomic Clock Sync (from Software Bundler--have had for about 3 years on diff machines and never a problem), and one called
** "ADWARE.WIN32/VAPSUP" The ADWARE ...VAPSUP showed as C:\windows\svpekgonwdn.dll and also as c:\windows\dwltqnmx.exe
So, I indicated for windows to remove all, because I didn’t care. And, the result was that all were removed.
Since I work all day and this is my home personal computer, I have only been able to work on trying to fix this Thursday and Friday nights, and I spent over 15 hours yesterday and all morning today just trying to fix things.
My problems have not stopped, so I did some researching on web and downloaded newest Spybot and ran it and it said the items were fixed - don't even think they were the same items, but I did not make a note of them. BTW, had tried to run Spybot and Lavasoft when I first got Vista and Vista would not let them work.
Again, the computer problems did not stop. NEXT, I called Norton 360 because I had just paid $79 for the full 360 service which includes “a year of online/chat support.” And, guess what? AFTER 1 hour on the phone with the tech--they wanted to "escalate my problem" to a phone call with one of their removal experts and charge me $99! It did not matter that I had copies of their web site that shows they DEFEND AGAINST and PROVIDE SUPPORT for spyware/adware/malware/virus/trojan. I am definitely going back to McAfee. (sorry for the rant about Norton, I am sure some people like it, but I am not happy with them right now)
I researched what else I could do. And, this was not easy because no matter whether I used Firefox or IE, I kept getting complete computer freezes and/or the mean "warning" garbage popups all over the desktop. I was afraid to even go to "tech support" places online because I thought somehow things might get worse and didn’t know who to trust.
I was able to locate another file called "penytybw.exe" which was listed as "c:\Program Data\xgnifkjw\penytybw.exe." It was dated at the same time as when I first had the web site latching on to me and not letting go (4/2/08 pm). So, I disabled it from starting up.
I found instructions somewhere and logged on again as administrator and found this:
(user name)>DesktopVirii> (that was the ACTUAL NAME OF THE FOLDER!)
Within that folder were 5 items - all started out with:
Trojan-Downloader.Win32.Agent. (and then each one had a different extension and exe.)
Agent.bl.exe
Agent.p.exe
Agent.r.exe
Agent.t.exe
Agent.v.exe
I deleted the folder and all of them - they all had the date and time when I first started having problems.
Then I searched and deleted EVERYTHING that had the same date/time as those – there were 8 of these files:
DesktopEditor FKWP1.5.exe
DesktopEditorFKWP2.0.exe
Desktopfilemanagerclient.exe
Desktopfkwp1.5.exe
Desktopfkwp2.0.exe
Desktopfwebd.exe
DesktopFWebEditor.exe
DesktopTrojan.Win32.BlackBird.exe
I restarted and seemed like things were coming along, but THEN, I STILL started getting the popups. Oh - and I forgot to say before, but I *DID* disable the system restore before starting all this.
When I searched more on my computer – by DATE, I found 56 (FIFTY SIX!) files with the exact same date and time as those before: They were all in c:\windows. They were just all strange names and I am actually too worn out to write them down, so I just left them.
I found one of the 56 files titled "rs.txt" - so I copied it to desktop, scanned with Norton (I don't know why, though!) and renamed it trash.doc and opened it. After the first 3 lines that showed:
redirect-settings
version:4
SAVE-dt:1075828488
Then, there were 648 lines of domain names with pornographic addresses!!
Domain
porn name.com)
(Ditto...648 different lines of different bad web sites!)
I have to say I feel helpless. I have no idea how to fix this and am feeling that I probably will have to just trash my laptop. Since I sort of trusted Spybot, I am here and found the post about hijack this. I went to the trend micro site. I figured at this point - what the heck is ONE MORE infection or trojan or whatever! Hijack this log follows. Again, I am so sorry for the LONG post/rant. If there is anyone that could possibly help me I would be forever grateful – and I sincerely mean that! THANKS FOR ANY HELP!
Here’s the hijack this log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:05:28 PM, on 4/6/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal
Running processes:
c:\Program Files\Bioscrypt\VeriSoft\Bin\AsGHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Windows\system32\DllHost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: (no name) - {4ACCAF8C-0320-4321-9BE4-7B5B759CC66C} - C:\Windows\system32\wVpPGXnL.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: VeriSoft Access Manager - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - c:\Program Files\Bioscrypt\VeriSoft\Bin\ItIEAddIn.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O3 - Toolbar: stfngdvw - {505968FB-8A4C-4CAB-8EA1-A8D9C0B91DCA} - C:\Windows\stfngdvw.dll
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe c:\PROGRA~1\BIOSCR~1\VeriSoft\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [75f30f81] rundll32.exe "C:\Windows\system32\qkbpprnt.dll",b
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O20 - AppInit_DLLs: APSHook.dll
O21 - SSODL: fkdnrwsv - {4CD0B89C-F7B0-4D52-9DFB-CB8C4A34CF4B} - C:\Windows\fkdnrwsv.dll
O21 - SSODL: sxfnewqb - {D1F866DA-259A-4349-9609-951FF42D1283} - C:\Windows\sxfnewqb.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: ccEvtMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ccSetMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NeatReceipts Database Controller - Digital Business Processes - C:\Program Files\Common Files\NeatReceipts\DB Controller\NeatReceiptsDBController.exe
O23 - Service: PREVXAgent - Prevx - C:\Program Files\Prevx2\PXAgent.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe
--
End of file - 10348 bytes
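A triage sketch for the HijackThis log above, added here as an example and not part of the original post: it flags load-point entries (O2, O3, O4, O21) whose file sits directly in C:\Windows or system32 and has a vowel-poor, random-looking name. The vowel-ratio threshold and all function names are assumptions of this example, and a hit is a lead for manual review, not a verdict.

```python
import ntpath
import re
from collections import namedtuple

# Excerpt of the HijackThis log posted above (lines copied from the post).
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {4ACCAF8C-0320-4321-9BE4-7B5B759CC66C} - C:\Windows\system32\wVpPGXnL.dll
O3 - Toolbar: stfngdvw - {505968FB-8A4C-4CAB-8EA1-A8D9C0B91DCA} - C:\Windows\stfngdvw.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [75f30f81] rundll32.exe "C:\Windows\system32\qkbpprnt.dll",b
O21 - SSODL: fkdnrwsv - {4CD0B89C-F7B0-4D52-9DFB-CB8C4A34CF4B} - C:\Windows\fkdnrwsv.dll
O21 - SSODL: sxfnewqb - {D1F866DA-259A-4349-9609-951FF42D1283} - C:\Windows\sxfnewqb.dll
"""

# HijackThis sections that describe code loaded automatically at logon or by IE.
LOAD_POINTS = {"O2": "BHO", "O3": "IE toolbar", "O4": "Run key", "O21": "SSODL"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:dll|exe)\b', re.IGNORECASE)
HEX_VALUE_RE = re.compile(r"\[[0-9a-fA-F]{8}\]")

Finding = namedtuple("Finding", "section load_point path reasons")


def looks_random(stem, min_len=8, max_vowel_ratio=0.2):
    """Assumed heuristic: long, letters-only names with very few vowels."""
    s = stem.lower()
    if len(s) < min_len or not s.isalpha():
        return False
    vowels = sum(ch in "aeiou" for ch in s)
    return vowels / len(s) < max_vowel_ratio


def triage(log_text):
    """Return a Finding for each load-point entry worth a manual look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m or m.group(1) not in LOAD_POINTS:
            continue  # header, process list, or a section not triaged here
        section, rest = m.groups()
        for path in PATH_RE.findall(rest):
            folder, filename = ntpath.split(path)
            stem = ntpath.splitext(filename)[0]
            if folder.lower() not in SYSTEM_DIRS or not looks_random(stem):
                continue
            reasons = ["random-looking file name directly under " + folder]
            if "(no name)" in rest:
                reasons.append("entry has no display name")
            if section == "O4" and HEX_VALUE_RE.search(rest):
                reasons.append("Run value name is 8 hex digits")
            findings.append(
                Finding(section, LOAD_POINTS[section], path, tuple(reasons))
            )
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.load_point:<11}{f.path}")
        for reason in f.reasons:
            print(f"      - {reason}")
```

Entries without a full path, such as `RtHDVCpl.exe`, are skipped rather than guessed at, and driver helpers with short or vowel-bearing names (`igfxtray.exe`) fall outside the heuristic.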