HELP, FAST!!!! SYSTEM HIJACKED!!!!

[RebelMan]

My Internet Explorer(which I never use, whatsoever) has been hijacked!!!! Need to know how to disable or delete from Windows Vista Home so it can't access the web anymore. Tried deleteing but says it can't delete because program is busy.

Whatever it is keeps popping up those fake security warnings & posting 2 Web Links on my desktop.

Ran a virus/malware/spyware scan & that can't get rid of it either.

Need help fast, in getting it off my system or in getting a program to get rid of it off my system.

This is what keeps running through IE \/

Code:

http://scanner.vav-x-scanner.com/27/?advid=0000004683&KJSBDHBHVBSDGVBSDD+df

[teenhollywood]

Quote:

Originally Posted by RebelMan

My Internet Explorer(which I never use, whatsoever) has been hijacked!!!! Need to know how to disable or delete from Windows Vista Home so it can't access the web anymore. Tried deleteing but says it can't delete because program is busy.

Can't delete or disable IE in Vista - it is built in to the core system, I believe.

Your best bet is to install a virus scanner and then start windows in safe mode (press and hold the F8 key as your computer is booting, it will give you a menu which includes "Safe Mode"). Then run the virus scanner once you're booted into safe mode.

[FireBird]

RebelMan,

I hope you have all your important files backed up (it's good practice to do that once a week) because it seems that you might have to re-install your operating system.

But, before you do anything drastic, here's a couple of things I would suggest you do:

1) Just to satisfy my curiosity, tell me step-by-step what happens when you interact with Internet Explorer. Does this fake anti-virus message come up randomly, or does this pop up immediately after you open IE?

1.a) It is possible that it changed your homepage settings in IE? You know how in the properties you can set the homepage URL to go to some place when you start IE?

(by the way, you can't get rid of IE, as it's part of OS.)

2) Does this problem arise only when you try to browse the web, or just immediately after login into your computer? If its only when you are using your browser, it may be isolated. If its when immediately after login into your computer, it might have set something up like a starup file somewhere. I'm not familiar with Vista, but I don't think they've gotten rid of that feature.

3) Make a HouseCall. It's free, and it will scan your whole system and delete every threat it finds.


mced,

Is it possible for malware to inject a URL into the registry to fire up when the browser is activated? That might be a stretch, but Windows really is that weak of a OS to be manipulated in such way.

4) I'm not sure if Vista has this, but in XP there's a "System Restore" feature that keeps a copy of your registry. Perhaps restoring it to the earliest time might help? That is, of course, if its a registry issue.

5) Ad-aware.

5.a) Adblock and Adblock Filterset.G Updater for FireFox. Although it will block all ads from FH, I think its better to block all ads at the price of avoiding things like this altogether.

6) When all else fails, I would re-install. That would be the last resort if none of the things that I or mced works. Wait until mced has something to say. Then plan out your attack and see if anything results in eliminating this issue.

Stay frosty.

[mced]

Firebird's tips are right: follow them. Anyway, before reinstalling, you can ask me to clean your registry, using a excellent tool called Hijackthis.

And yes, a malware can inject an URL into the registry. And since many IE libraries are loaded even before running the browser, annoying ads can appear even if we don't use IE.

[RebelMan]

Sorry, I forgot to mention that I mainly use my laptop as my main comp & that is the one that's having all this trouble right now.

And as of right now I am on a backup desktop comp that has Windows XP on it & works perfectly fine.

Quote:

Originally Posted by FireBird

1) Just to satisfy my curiosity, tell me step-by-step what happens when you interact with Internet Explorer. Does this fake anti-virus message come up randomly, or does this pop up immediately after you open IE?

I don't interact with IE I only use FireFox. It just keeps popping up those fake security warnings randomly & everytime I delete those 2 URLs on my desktop they keep coming back randomly too & a blank window from IE that has nothing in it at all keeps popping up randomly too.

Quote:

Originally Posted by FireBird

(by the way, you can't get rid of IE, as it's part of OS.)

When something like this happened to me before in Windows XP, I completely deleted IE from the system & it stopped happening. It just won't let me do the same thing in Windows Vista Home Edition.

Quote:

Originally Posted by FireBird

2) Does this problem arise only when you try to browse the web, or just immediately after login into your computer? If its only when you are using your browser, it may be isolated. If its when immediately after login into your computer, it might have set something up like a starup file somewhere. I'm not familiar with Vista, but I don't think they've gotten rid of that feature.

Starts happening right when I log into my computer to start using it.

Quote:

Originally Posted by FireBird

3) Make a HouseCall. It's free, and it will scan your whole system and delete every threat it finds.

Won't let me use it. When I start the scan my comp completely locks up.

[Plastic Flute]

Quote:

Originally Posted by RebelMan

My Internet Explorer(which I never use, whatsoever) has been hijacked!!!! Need to know how to disable or delete from Windows Vista Home so it can't access the web anymore. Tried deleteing but says it can't delete because program is busy.

Whatever it is keeps popping up those fake security warnings & posting 2 Web Links on my desktop.

Ran a virus/malware/spyware scan & that can't get rid of it either.

Need help fast, in getting it off my system or in getting a program to get rid of it off my system.

This is what keeps running through IE \/

Code:

http://scanner.vav-x-scanner.com/27/?advid=0000004683&KJSBDHBHVBSDGVBSDD+df

Same thing happened to my son.
He fixed it ..but the new Comp game SPORE has given us the Blue screen of Death.
it scrolls. The comp is Dell and not even 2 yrs old. im so mad

[RebelMan]

Quote:

Originally Posted by Plastic Flute

Same thing happened to my son. He fixed it.

How did he fix it Flute?

[Plastic Flute]

"Tried deleteing but says it can't delete because program is busy."

If you know where the program, if a program, is, but get the "Unable to delete these files, the process is in use." End the process by using the "Task Manager" (Control+Alt+Delete), going to the processes tab, and ending the process, although, if your not good at telling the names of processes in this tab, you can use a website "http://www.processlibrary.com/", but only use this method if you are sure what you are disabling, as ending the wrong process can lead to un-wanted results.

If you do not wish to use this method, try looking at what programs are in your start-up menu. I'm not sure what method is used in Vista, but this works in XP.
1. Press the Start Button/Vista Logo
2. Use the run command
3. Type in "msconfig"
4. Go to the start-up tab
5. End any processes that are not needed, or at least disable the program that gives you the faulty links.
6. Reboot, and try deleting the program again, it should not tell you "The process is currently in use."
Although this should work, it will not help if you do not know what programs you are enabling/disabling, and should only be used if you know or feel comfortable doing.

Another possible solution, if you know where this program is, is to boot in "Safe-Mode." This will only boot the computer with the needed programs to run Windows safely.
1. Turn On/Restart the computer to go to the boot screen
2. While on the boot screen, look at what the command is for boot types (Should be F12 by default)
3. While on the boot selection, choose "Safe-Mode"
4. Now that the program should not be running, you can delete it without the "The process is currently in use."

If you need help with some of these items, try using programs such as "Ccleaner" or "TuneUp Utilities." They are both good, Ccleaner can be aggresive though if you do not know what you are doing, and "TuneUp Utilities" is not free-ware, unlike Ccleaner.


****Reb my son wrote this for you hope it helps.GL

[RebelMan]

Thanks Flute's son & everyone else for helping me out.

Will be giving all this a try a little later tonight. Again, MAJOR Thanks for the Help.

[Plastic Flute]

YQW Luv

[Captain Beefheart]

Or you could:

Format and reinstall. It's not the pretentiously correct way to fix the problem, but it's something that most users can accomplish with some effort. Cleaning it up correctly takes a lot of knowledge (and maybe a bit of skill).

When you reinstall, do this to avoid reinfection:
Install FireFox and use that.
Set up a second user account.
Give it a "User" role.
Whenever possible, use that account.
Try to only use the Administrator account to install programs and make other system changes.

Don't use "pirated" software. Buy your **** or find free alternatives. OpenOffice.org is a million times better than a copy of Microsoft Office downloaded from a torrent site.

If you have Photoshop and you just use it to clean up photos then there's free software to do the same work easier. I have Photoshop available to me at all times but I use Picasa to manage my photo collection. You don't need a jackhammer to crush an ant.

You can keep your porn habit, but you should use a different player than Windows Media Player. WMP allows, stupidly, embedded COM objects in certain file types. I believe WMV, WMA, and AVI. If you lock down your Internet Explorer security settings (stupid, right?) then you can protect yourself from this. The easier solution is to just use another media player or not view content downloaded from an unknown source.

But take Ham's son advice.

[RebelMan]

I got rid of most of the problems using a combination of suggestions here & from a computer expert from my mom's work, I HOPE, but now I have a trojan located in this area:

C://Users/My Name/AppData/Local/

My programs were unsuccessful in getting rid of it, but says I can go in that location & delete it out. So, how do I get in there to delete it?

[FireBird]

Quote:

Originally Posted by RebelMan

I got rid of most of the problems using a combination of suggestions here & from a computer expert from my mom's work, I HOPE, but now I have a trojan located in this area:

C://Users/My Name/AppData/Local/

My programs were unsuccessful in getting rid of it, but says I can go in that location & delete it out. So, how do I get in there to delete it?

That may be a folder that is hidden. For Vista to show hidden folders, do the following:

1) Open any Explorer window (e.g. Go into the Start menu and choose Computer).

2) Click on the Organize button choose Folder and Search Options.

3) In the Folder Options window you'll see Hidden files and folders, change the radio button to select show hidden files and folders and uncheck hide protected operating system files.

4) You'll get a pop-up warning asking if you're sure you want to do this, say Yes.




I believe the problem lies deeper, my friend. I've done some search on this problem and any connection with the registry. Seems like my suspicions were right: your registry was injected with information from the malware.

Here's the real scary part:
The ones responsible for this are a Russian team of hackers who are not only tricking people into paying for this fake anti-virus scanner, they're also releasing false information on how to get rid of it. They have a whole gimmick of fake domains and fake programme names that its not possible to distinguish who's real and who's not.

I found this page: http://www.computing.net/answers/sec...ked/23128.html

Of a person who apparently had similar problems in August. I'm not too sure if "jabuck" can be trusted. Maybe mced can look over his method of ridding this malware and see if it's a good fit for you. I don't know anything about "Malwarebytes" being it was only released "Date: 2008-09-10", suspicious if anything.

By the way, the connection I see with this malware and the windows registry is this:

Code:

HKEY_CLASSES_ROOT\CLSID\{7545D8C8-F53C-4E2F-8FA0-D248EF4A6E61}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7545D8C8-F53C-4E2F-8FA0-D248EF4A6E61}

There could be more injected keys that I have not discovered.

To get rid of this completely, it will be a great mess to clean up. I would suggest if you could, restore you system to the most earliest date you can. That should restore you system file and registry to what it was before this happened. If that fails, you may have no choice but re-installing.

But one thing's for sure. If/when you get your computer back in good health, following my method in the previous post will help you stay safe 98% of the time. Since I download torrents and games, a few trojans sneak in here and there, but not once has my system been hijacked so severely like yours.

Good luck.

[mced]

This is the help I can give you:

http://www.whatthetech.com/hijackthis/

Read the Hijackthis Quickstart section and follow its instructions. Just one point:

Highlight the entire contents. Copy and paste the contents into your post. DO NOT fix anything. Wait for help.

As "the contents" are usually very large, please paste them between 'code' tags:

Code:

contents

Or paste them, select them and press the icon.

[RebelMan]

Here you go mced:

Code:

Logfile of HijackThis v1.99.1
Scan saved at 5:05:59 PM, on 9/18/2008
Platform: Unknown Windows (WinNT 6.00.1905 SP1)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\OEM02Mon.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\explorer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: fqbewlna - {A3AC6E80-6FAE-4B5C-9901-488A75685383} - C:\Windows\fqbewlna.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\urqpNGVp.dll,#1
O4 - HKLM\..\Run: [\YURB9E.exe] C:\Windows\system32\YURB9E.exe
O4 - HKLM\..\Run: [\YURCB7.exe] C:\Windows\system32\YURCB7.exe
O4 - HKLM\..\Run: [\YUR109D.exe] C:\Windows\system32\YUR109D.exe
O4 - HKLM\..\Run: [\YUR1399.exe] C:\Windows\system32\YUR1399.exe
O4 - HKLM\..\Run: [\YUR92D7.exe] C:\Windows\system32\YUR92D7.exe
O4 - HKLM\..\Run: [\YUR494D.exe] C:\Windows\system32\YUR494D.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [\YURB9E.exe] C:\Windows\system32\YURB9E.exe
O4 - HKCU\..\Run: [\YURCB7.exe] C:\Windows\system32\YURCB7.exe
O4 - HKCU\..\Run: [\YUR109D.exe] C:\Windows\system32\YUR109D.exe
O4 - HKCU\..\Run: [\YUR1399.exe] C:\Windows\system32\YUR1399.exe
O4 - HKCU\..\Run: [\YUR92D7.exe] C:\Windows\system32\YUR92D7.exe
O4 - HKCU\..\Run: [\YUR494D.exe] C:\Windows\system32\YUR494D.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Stephen\AppData\Local\Temp\ddcCRIXn.dll,#1
O4 - HKCU\..\Run: [\YUR512B.exe] C:\Windows\system32\YUR512B.exe
O4 - HKCU\..\Run: [\YUR5215.exe] C:\Windows\system32\YUR5215.exe
O4 - HKCU\..\Run: [\YUR5A9D.exe] C:\Windows\system32\YUR5A9D.exe
O4 - HKCU\..\Run: [\YUR710A.exe] C:\Windows\system32\YUR710A.exe
O4 - HKCU\..\Run: [\YURCF40.exe] C:\Windows\system32\YURCF40.exe
O4 - HKCU\..\Run: [\YUR4FC7.exe] C:\Windows\system32\YUR4FC7.exe
O4 - HKCU\..\Run: [\YUR981.exe] C:\Windows\system32\YUR981.exe
O4 - HKCU\..\Run: [\YUR7AD.exe] C:\Windows\system32\YUR7AD.exe
O4 - HKCU\..\Run: [\YUR7BD.exe] C:\Windows\system32\YUR7BD.exe
O4 - HKCU\..\Run: [\YUR11FA.exe] C:\Windows\system32\YUR11FA.exe
O4 - HKCU\..\Run: [\YUR6CB6.exe] C:\Windows\system32\YUR6CB6.exe
O4 - HKCU\..\Run: [\YUR80F1.exe] C:\Windows\system32\YUR80F1.exe
O4 - HKCU\..\Run: [\YUR9433.exe] C:\Windows\system32\YUR9433.exe
O4 - HKCU\..\Run: [\YUR8111.exe] C:\Windows\system32\YUR8111.exe
O4 - HKCU\..\Run: [\YUR95F7.exe] C:\Windows\system32\YUR95F7.exe
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Stephen\AppData\Local\Temp\iiFyXnkH.dll,c
O4 - HKCU\..\Run: [\YURD632.exe] C:\Windows\system32\YURD632.exe
O4 - HKCU\..\Run: [\YUR5B39.exe] C:\Windows\system32\YUR5B39.exe
O4 - HKCU\..\Run: [\YUR779F.exe] C:\Windows\system32\YUR779F.exe
O4 - HKCU\..\Run: [\YUR139F.exe] C:\Windows\system32\YUR139F.exe
O4 - HKCU\..\Run: [\YUR1592.exe] C:\Windows\system32\YUR1592.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix: 
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,avgrsstx.dll
O21 - SSODL: mgxfebsq - {A966EA17-01A8-4DEA-9E04-9E46B572E10C} - C:\Windows\mgxfebsq.dll
O21 - SSODL: dtseqrxk - {85D1C6F5-0FD1-42B7-8AE6-CC86ADBCCF44} - C:\Windows\dtseqrxk.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlbt_device -   - C:\Windows\system32\dlbtcoms.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

And those 2 Desktop URLs are still showing up on my comp. The only way to stop them is by doing the Task Manager Process Stop suggested by Flute's Son.

Those 2 Desktop URLs are 2 of the ones listed below, but I can't remember which ones they are when they are listed in the Task Manager Process Section:

Code:

C:\Windows\system32\YURB9E.exe
C:\Windows\system32\YURCB7.exe
C:\Windows\system32\YUR494D.exe
C:\Windows\system32\jJDwUOE.dll
C:\Windows\system32\nnnmlJBR.dll
C:\Windows\system32\YUR92D7.exe

And since I don't really have much on my laptop, I made a backup copy of the stuff that I really wanted to save from it just incase I have to do a full system restore like some of you have suggested already.

[mced]

Wow. It's been centuries since I watched a Hijackthis log, but yours is full of crap!

I won't be able to deeply analyze it until 17:00 Spanish time (that's 8:00 Pacific time, I guess), but you could start to erase the obvious ones:

EDITED: See next message.

[mced]

I'm back. It seems you haven't read my last message, so I'm gonna make a deep scan.

1. Run Hijackthis again
2. Do a "system scan only"
3. Check the following entries:

Code:

O3 - Toolbar: fqbewlna - {A3AC6E80-6FAE-4B5C-9901-488A75685383} - C:\Windows\fqbewlna.dll
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\urqpNGVp.dll,#1
O4 - HKLM\..\Run: [\YURB9E.exe] C:\Windows\system32\YURB9E.exe
O4 - HKLM\..\Run: [\YURCB7.exe] C:\Windows\system32\YURCB7.exe
O4 - HKLM\..\Run: [\YUR109D.exe] C:\Windows\system32\YUR109D.exe
O4 - HKLM\..\Run: [\YUR1399.exe] C:\Windows\system32\YUR1399.exe
O4 - HKLM\..\Run: [\YUR92D7.exe] C:\Windows\system32\YUR92D7.exe
O4 - HKLM\..\Run: [\YUR494D.exe] C:\Windows\system32\YUR494D.exe
O4 - HKCU\..\Run: [\YURB9E.exe] C:\Windows\system32\YURB9E.exe
O4 - HKCU\..\Run: [\YURCB7.exe] C:\Windows\system32\YURCB7.exe
O4 - HKCU\..\Run: [\YUR109D.exe] C:\Windows\system32\YUR109D.exe
O4 - HKCU\..\Run: [\YUR1399.exe] C:\Windows\system32\YUR1399.exe
O4 - HKCU\..\Run: [\YUR92D7.exe] C:\Windows\system32\YUR92D7.exe
O4 - HKCU\..\Run: [\YUR494D.exe] C:\Windows\system32\YUR494D.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Stephen\AppData\Local\Temp\ddcCRIXn.dll,#1
O4 - HKCU\..\Run: [\YUR512B.exe] C:\Windows\system32\YUR512B.exe
O4 - HKCU\..\Run: [\YUR5215.exe] C:\Windows\system32\YUR5215.exe
O4 - HKCU\..\Run: [\YUR5A9D.exe] C:\Windows\system32\YUR5A9D.exe
O4 - HKCU\..\Run: [\YUR710A.exe] C:\Windows\system32\YUR710A.exe
O4 - HKCU\..\Run: [\YURCF40.exe] C:\Windows\system32\YURCF40.exe
O4 - HKCU\..\Run: [\YUR4FC7.exe] C:\Windows\system32\YUR4FC7.exe
O4 - HKCU\..\Run: [\YUR981.exe] C:\Windows\system32\YUR981.exe
O4 - HKCU\..\Run: [\YUR7AD.exe] C:\Windows\system32\YUR7AD.exe
O4 - HKCU\..\Run: [\YUR7BD.exe] C:\Windows\system32\YUR7BD.exe
O4 - HKCU\..\Run: [\YUR11FA.exe] C:\Windows\system32\YUR11FA.exe
O4 - HKCU\..\Run: [\YUR6CB6.exe] C:\Windows\system32\YUR6CB6.exe
O4 - HKCU\..\Run: [\YUR80F1.exe] C:\Windows\system32\YUR80F1.exe
O4 - HKCU\..\Run: [\YUR9433.exe] C:\Windows\system32\YUR9433.exe
O4 - HKCU\..\Run: [\YUR8111.exe] C:\Windows\system32\YUR8111.exe
O4 - HKCU\..\Run: [\YUR95F7.exe] C:\Windows\system32\YUR95F7.exe
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Stephen\AppData\Local\Temp\iiFyXnkH.dll,c
O4 - HKCU\..\Run: [\YURD632.exe] C:\Windows\system32\YURD632.exe
O4 - HKCU\..\Run: [\YUR5B39.exe] C:\Windows\system32\YUR5B39.exe
O4 - HKCU\..\Run: [\YUR779F.exe] C:\Windows\system32\YUR779F.exe
O4 - HKCU\..\Run: [\YUR139F.exe] C:\Windows\system32\YUR139F.exe
O4 - HKCU\..\Run: [\YUR1592.exe] C:\Windows\system32\YUR1592.exe
O21 - SSODL: mgxfebsq - {A966EA17-01A8-4DEA-9E04-9E46B572E10C} - C:\Windows\mgxfebsq.dll
O21 - SSODL: dtseqrxk - {85D1C6F5-0FD1-42B7-8AE6-CC86ADBCCF44} - C:\Windows\dtseqrxk.dll

4. Click the "Fix Checked" button
5. Reboot your system

That's a fifteen minutes cleaning. Let's hope it kills all the bastards.

[RebelMan]

MAJOR THANX to everyone in helping me regain control of my system.