Spyware Removal

This looks like a pretty fast and knowledgeable forum, so I am posting for help. I keep getting new browser pop-ups while online. Also, a spyware program automatically was installed on my PC. I removed the program (using Add/Remove Programs in the Control Panel) but I am still getting pop-ups. I used Ad-Aware and removed the infections, but when I rerun a scan they are still present. Any help on fixing these would be helpful. Thanks in advance. For time's sake, below is a HijackThis log if it helps.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:46:32 PM, on 01/12/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\UltraVNC\WinVNC.exe


C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe



C:\Program Files\Network Associates\VirusScan\Mcshield.exe



C:\Documents and Settings\xxxx\Desktop\Unused Desktop Shortcuts\Mozilla Firefox\firefox.exe

C:\Program Files\Network Associates\VirusScan\scan32.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [d4b3e524] rundll32.exe "C:\WINDOWS\system32\ybofuigp.dll",b

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll

O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by128fd.bay128.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} - http://radaol-prod-web-rr.streamops.aol.co...agi3.0.84.2.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xxx.INTERNAL

O17 - HKLM\Software\..\Telephony: DomainName = xxx.INTERNAL

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = xxx.INTERNAL

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = xxx.INTERNAL

O20 - AppInit_DLLs: kflynk.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe


End of file - 5112 bytes


  • I just removed some program that was also misc. got installed called shopping reports. But I am still getting the same 6 Virtumonde malware infections in my Ad-Aware scan. The problem still seems to have ceased... for now.

  • edited January 2009


    I have already answered your log somewhere else. It appears that you have started this same thread at a lot of different forums. This is confusing for the people who are helping you and actually a waste of time since many helpers will now analyze your log while someone else is already helping you.

    That's why it may be a good idea to post in the other forums that you are already receiving help. Thanks :)

    extra note...

    Also not sure why you have posted this in the Bitdefender forums since you don't even have Bitdefender installed.. :unsure:
