Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Gamefly audio pop ups- 1st Hijackthis log posted for help

Re: Gamefly audio pop ups- 1st Hijackthis log posted for help

Post by magerac » January 28th, 2009, 11:02 pm

Sharagoz, I let SUPERAntiSpyware do a full scan again before I left for work. When I came back it had found 119 (!) tracking cookies and a remnant of the Vundo virus. Below is the log and also a new HJT log.

I don't recognize these lines in the HJT log:
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe

I did not delete DDS or do the System Restore steps yet in case we are not done. I don't detect any noticeable problems on the PC; all appears to be good. It just worries me a bit that SAS still found all this crap left over. I have not done any browser surfing other than on Yahoo and this forum in about a week. Firefox is set to clear private data when it closes, and I use CCleaner once in a while too to clear old temp files. Thanks again buddy, magerac

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/28/2009 at 01:53 AM

Application Version : 4.25.1012

Core Rules Database Version : 3732
Trace Rules Database Version: 1702

Scan type : Quick Scan
Total Scan Time : 03:03:00

Memory items scanned : 676
Memory threats detected : 0
Registry items scanned : 499
Registry threats detected : 0
File items scanned : 333656
File threats detected : 120

Adware.Tracking Cookie
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@247realmedia[1].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@247realmedia[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@a.websponsors[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@a.websponsors[3].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@affiliates.commissionaccount[1].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@airtrafficcontrolequipment[1].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@airtrafficcontrolequipment[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@apmebf[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@apmebf[3].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@at.atwola[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@at.atwola[3].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@atdmt[1].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@atdmt[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@atwola[1].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@atwola[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@azjmp[1].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@bravenet[1].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@bs.serving-sys[1].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@bs.serving-sys[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@burstnet[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@burstnet[3].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@c5.zedo[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@cache.trafficmp[1].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@cache.trafficmp[3].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@casalemedia[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@casalemedia[3].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@chitika[1].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@chitika[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@clickarrows[1].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@clickbooth[1].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@clickbooth[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@collective-media[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@content.yieldmanager.edgesuite[1].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@content.yieldmanager.edgesuite[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@content.yieldmanager[1].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@content.yieldmanager[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@content.yieldmanager[3].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@content.yieldmanager[5].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@crackle[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@d3.zedo[1].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@date.ventivmedia[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@discounthotelny[1].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@discounthotelny[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@doubleclick[1].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@eas.apm.emediate[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@enhance[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@enhance[3].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@exitexchange[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@exitexchange[3].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@exoclick[1].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@exoclick[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@fastclick[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@fastclick[3].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@hornymatches[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@imediablast[1].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@imediablast[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@indextools[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@insightexpressai[1].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@insightexpressai[3].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@interclick[1].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@interclick[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@linkstattrack[1].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@media6degrees[1].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@media6degrees[3].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@mediaplex[1].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@mediaplex[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@myroitracking[1].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@myroitracking[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@nacromedia[1].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@partner.finditquick[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@partner.finditquick[3].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@precisionclick[1].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@primetrafficsite[1].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@pro-market[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@questionmarket[1].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@questionmarket[3].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@realmedia[1].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@realmedia[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@redirect.clickshield[1].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@redirect.clickshield[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@revenue[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@revenue[3].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@revsci[1].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@revsci[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@sales.liveperson[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@sales.liveperson[3].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@searchfeed[1].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@searchfeed[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@serving-sys[1].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@serving-sys[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@serving-sys[3].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@serw.clicksor[1].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@serw.clicksor[3].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@specificclick[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@specificclick[3].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@specificmedia[1].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@specificmedia[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@statcounter[1].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@statcounter[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@tacoda[1].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@tacoda[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@teen[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@trafficmp[1].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@trafficmp[3].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@trafficmp[4].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@tribalfusion[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@tribalfusion[3].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@www.burstbeacon[1].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@www.burstbeacon[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@www.burstnet[1].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@www.burstnet[3].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@www.clickxchange[1].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@www.clickxchange[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@www.icityfind[1].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@www.icityfind[2].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@yieldmanager[1].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@yieldmanager[3].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@zedo[1].txt
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@zedo[3].txt

Adware.Vundo Variant
D:\I386\APPS\APP000058\SYSTEM32\USP10.DLL

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:53:14 PM, on 1/28/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\RtHDVCpl.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\ModPS2Key.exe
C:\Program Files\BigFix\bigfix.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.html ... P&M=GM5472
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html ... P&M=GM5472
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html ... P&M=GM5472
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html ... P&M=GM5472
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html ... P&M=GM5472
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\google\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [ModPS2] ModPS2Key.exe
O4 - HKLM\..\Run: [BigFix] c:\program files\Bigfix\bigfix.exe /atstartup
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Universal Installer] "C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe" /fromrun /starthidden
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O18 - Protocol hijack: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5021}
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

--
End of file - 7564 bytes
magerac

Re: Gamefly audio pop ups- 1st Hijackthis log posted for help

Post by Sharagoz » January 29th, 2009, 5:02 pm

I don't recognize these lines in the HJT
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe

These are legitimate.
The first two belong to NVIDIA.
The third belongs to Realtek High Definition Audio.

it had found 119! tracking cookies

119 tracking cookies sounds grotesque, but it is actually nothing to worry about.
Let me quote something written by Chaslang of MajorGeeks to help ease your mind.
The True Story About Cookies
First let's get right to the point. Cookies are not problems that you need to be concerned with. Too many antispyware programs flag cookies and make them sound like they are high risk items. The truth is that they are not high risk problems and in most cases are actually very useful to you.

This subject has long been debated on the internet and obviously there are many opinions about cookies. Cookies are not executable programs. They are simple text files stored on your PC to help websites (and you) track useful user settings and non-personal information, like which advertisement you last saw (which prevents you from seeing the same ad over and over again).

Yes, some cookies are often referred to as tracking cookies, but tracking is more complicated than just having a cookie. Every website you visit would have to have knowledge of the particular cookie so that they could use it to add tracking info to it and to make use of it. You will see many antispyware programs indicating various cookies as tracking cookies, and this can artificially make detection counts look very high. It is also a sore point when doing comparisons between antispyware programs. If one program detects cookies and another does not, it can make the one that does not detect them look like it is doing a bad job.

Similarly it makes the one detecting them look like a great product since it picks up things the other missed. Thus most (not all) programs will detect cookies to avoid this hazard. Don't be fooled by cookie counting. If cookies are the only thing showing up, you are in good shape. They are not harmful and you can just ignore them or if so desired, you can easily clean them using your browser or other tools like CCleaner.


The Vundo file found on your computer is a false positive.
See this discussion on the SUPERAntiSpyware forums for more info.
This slip is fixed in the latest database version.

You should restore this file from quarantine, as it is a legitimate file.
  • Launch SUPERAntiSpyware
  • Click Manage Quarantine and restore the USP10.DLL from there

So all in all there was no real malware in the latest logs you posted.
If you're still worried about there being infected files, I'll provide you with a very thorough scan you can do (see below).
If you choose to run it and anything is found, post the log here so I can have a look.

Run Kaspersky online scanner
With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed.
Note:
This is a very thorough scan that takes longer than most other scanners to complete. It will often take 2-6 hrs depending on the number of files on your computer and how powerful the computer is.
It is recommended to disable the onboard antivirus program and antispyware programs while performing the scan to speed up scan time and to make sure there are no conflicts.
If you disable your resident protection, do not go surfing until it's enabled again. It's a good idea to simply disconnect the computer from the internet after the scan has started and not connect again until the scan is finished and the resident protection is enabled again.
Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.


Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky, Click Yes.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    o Scan using the following Anti-Virus database:
    + Extended (If available, otherwise use standard)
    o Scan Options:
    + Scan Archives
    + Scan Mail Bases
  • Click OK
  • Under select a target to scan, select My Computer
  • The scan will take a while so be patient and let it run
  • Do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
  • If anything is found, do the below steps to retrieve the log so I can have a look
    • Click the Save Report As...
    • In the Save as... prompt, select Desktop
    • In the File name box, name the file KasScan-ddmmyy (or similar)
    • In the Save as type prompt, select Text file
    • Include the report in your next post.

Enable antivirus and antispyware programs if you disabled them before the scan.
Sharagoz
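As an added example (this is not code from the thread, from HijackThis or from SUPERAntiSpyware), here is a small Python script that does mechanically what Sharagoz did by eye for the O4 lines: it parses each Run-key entry, separates the program from its arguments the way CreateProcess would, and, for rundll32 hosts, pulls out the DLL and export that actually run (the "Running processes" list above only shows C:\WINDOWS\System32\rundll32.exe, so the O4 line is the only place that tells you which DLL it loaded). It flags entries a human should look at: bare file names with no directory (resolved through the search path, so the line alone does not pin down which file runs), unquoted paths containing spaces, and programs living under a user-writable directory. The sample lines are copied from the posted log, except the last O4 line, which is constructed so that the user-writable check has something to hit; the list of "user-writable" directory fragments is a heuristic assumption, not a Windows rule.

```python
"""Triage the O4 (Run-key autostart) lines of a HijackThis log.

Added example for this thread; it is not HijackThis code and not the
forum's own tooling.  SAMPLE_LOG is copied from the log posted above,
plus one constructed line (marked) so every check has something to hit.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# O4 - <hive>\..\<Run|RunOnce>: [<value name>] <command>   [ (User '<name>')]
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\S-[\d-]+)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
PROGRAM_EXT = (".exe", ".com", ".bat", ".cmd", ".scr")
# Heuristic (assumption): path fragments that mean "an unprivileged user can write here".
USER_WRITABLE = ("\\appdata\\", "\\temp\\")
REVIEW_FLAGS = {"unqualified-path", "unquoted-path", "user-writable-dir"}


@dataclass
class O4Entry:
    hive: str
    key: str
    name: str
    command: str
    exe: str                 # program exactly as written in the registry value
    exe_kind: str            # absolute | envvar | bare | relative
    user: Optional[str] = None
    rundll_target: Optional[str] = None   # "<dll>,<export>" when hosted by rundll32
    flags: List[str] = field(default_factory=list)


def split_command(cmd: str) -> Tuple[str, str, bool]:
    """Return (program, arguments, was_quoted).

    Quoted programs are taken verbatim.  For unquoted ones mimic
    CreateProcess, which tries successively longer space-delimited
    prefixes until one names a program (the root of the classic
    unquoted-path problem)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip(), True
    tokens = cmd.split()
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if candidate.lower().endswith(PROGRAM_EXT):
            return candidate, " ".join(tokens[i:]), False
    return (tokens[0] if tokens else ""), " ".join(tokens[1:]), False


def classify_path(path: str) -> str:
    if path.startswith("%"):
        return "envvar"            # expanded at logon
    if re.match(r"^[A-Za-z]:\\", path):
        return "absolute"
    if "\\" not in path:
        return "bare"              # resolved through the loader's search path
    return "relative"


def parse_o4(line: str) -> Optional[O4Entry]:
    m = O4_RE.match(line.strip())
    if not m:
        return None
    exe, args, quoted = split_command(m.group("cmd"))
    e = O4Entry(m.group("hive"), m.group("key"), m.group("name"),
                m.group("cmd"), exe, classify_path(exe), m.group("user"))
    if not quoted and " " in exe:
        e.flags.append("unquoted-path")
    if e.exe_kind == "bare":
        e.flags.append("unqualified-path")
    paths = [exe]
    if exe.lower().rsplit("\\", 1)[-1] == "rundll32.exe":
        # The process list only shows rundll32.exe; the DLL and export that
        # really run are the first argument, written as <dll>,<export>.
        target, _, _ = split_command(args)
        if target:
            e.rundll_target = target
            e.flags.append("rundll32-host")
            dll = target.split(",", 1)[0]
            paths.append(dll)
            if classify_path(dll) == "bare" and "unqualified-path" not in e.flags:
                e.flags.append("unqualified-path")
    if any(w in p.lower() for p in paths for w in USER_WRITABLE):
        e.flags.append("user-writable-dir")
    return e


def parse_log(text: str) -> List[O4Entry]:
    return [e for e in map(parse_o4, text.splitlines()) if e is not None]


def needs_review(entries: List[O4Entry]) -> List[O4Entry]:
    return [e for e in entries if REVIEW_FLAGS & set(e.flags)]


# All lines but the last O4 are from the posted log; the last O4 line is constructed.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O4 - HKCU\..\Run: [Example Updater] "C:\Users\example\AppData\Local\Temp\example.exe" /quiet
"""

if __name__ == "__main__":
    for e in needs_review(parse_log(SAMPLE_LOG)):
        print(f"{e.hive}\\{e.key} [{e.name}] -> {e.exe} ({e.exe_kind}) "
              f"{e.rundll_target or ''} {e.flags}")
```

Note that the script does not decide what is malicious; it only narrows the list to what a person has to verify on disk (which file a bare name like RtHDVCpl.exe actually resolves to, and which DLL a rundll32 line loads), which is exactly the step Sharagoz did by hand for the three lines magerac asked about.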

Re: Gamefly audio pop ups- 1st Hijackthis log posted for help

Post by magerac » January 30th, 2009, 9:14 pm

OK, no issues, computer running smoothly. Thanks Sharagoz and MWR, keep up the fight!!! -magerac
magerac

Re: Gamefly audio pop ups- 1st Hijackthis log posted for help

Post by NonSuch » February 4th, 2009, 7:22 pm

As this issue appears to be resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
NonSuch
Administrator
