BlinnSatt

Can't Stop the Pop Ups

14 posts in this topic

Hi. I've read the SWI FAQ and already run (several times) up-to-date versions of Spybot and Ad-Aware. I also followed the tutorial on your website by Acsell about "Analyzing your own HiJackThis log", and removed three pieces of spy/malware that were identified.

 

Nothing has helped. I continue to have the same problem, which is each time I try accessing a webpage on the internet (using IE or Firefox), I will get the website I want, but I will also get (about 2-3 times out of 5) a pop-up (in an IE window) of some seemingly random website. (Not always entirely random. For example, if I intentionally go to a hotel website, I might get a pop up for a travel-related website.) Typical websites that have popped up include: setthetrend.com, brandarama.com, smashits.com, ad.netcrefer.net, wallst.net, iwon.com, true.com, netcrefer.net, trafficadmin.net, and many, many others.

 

I have tried using Vundofix, SDfix and CWShredder, but they apparently did not find anything. So I've run out of self-help options, and hope that one of the specialists on this forum can help me.

 

I downloaded the most current version of HiJackThis from TrendMicro, and have generated the following HiJackThis log. I'd really appreciate it if someone could help me fix this.

 

 

HIJACKTHIS LOG

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:10:08 PM, on 1/22/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\fxssvc.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft Location Finder\LocationFinder.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe

C:\Program Files\Dell Support Center\bin\sprtcmd.exe

C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\HJT\HiJackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\PAUL\Application Data\Mozilla\Profiles\default\zr0zyzql.slt\prefs.js)

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O2 - BHO: (no name) - {89051EFA-65F4-445C-B651-AFADDBB794C7} - C:\Program Files\Internet Explorer\hokevowagC:\WINDOWS\system32\t8\tycodllz83122.exe.dll (file missing)

O2 - BHO: (no name) - {9357a224-b4e7-4f88-917e-b5a807d31173} - C:\WINDOWS\system32\arrddcgv.dll (file missing)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\ppe.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"

O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')

O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: BMCViewerPackage - https://omaha.bmcgroup.com/BMCViewer.CAB

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144373316734

O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab

O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamem...GameManager.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...399/mcfscan.cab

O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab

O20 - Winlogon Notify: gyointqv - gyointqv.dll (file missing)

O20 - Winlogon Notify: ssqpq - C:\WINDOWS\system32\ssqpq.dll (file missing)

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

 

--

End of file - 9122 bytes

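The log above is what a helper reads by eye: O2 BHOs and O20 Winlogon Notify packages whose DLL is "(file missing)" or "(no file)", entries with "(no name)", and module names that look machine-generated. As an added example (not part of the original post, not HijackThis code, and not the SWI helper's procedure), the Python script below applies those same checks to a handful of lines copied from the posted log. The point weights, the FIX threshold of 3 and the consonant-cluster heuristic for "random-looking" names are this script's own assumptions, chosen so that a weak signal on its own never recommends removal.

```python
"""
Score the load points in a HijackThis 2.x log the way a helper does by eye:
a BHO, toolbar, Run key, Winlogon Notify package or service whose file is
gone, has no name, or has a machine-generated name.

Added example for this thread; not part of HijackThis or of the SWI helper's
procedure. The sample lines are copied from the log posted above; the
weights, the FIX threshold and the random-name heuristic are this script's
own assumptions.
"""
import re
from typing import Dict, List, Optional

# HijackThis sections that are code load points for IE or winlogon.
WATCHED = {"O2", "O3", "O4", "O20", "O23"}

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
MISSING_RE = re.compile(r"\((?:file missing|no file)\)")
DRIVE_RE = re.compile(r"[A-Za-z]:\\")
# Stem of every foo.dll / foo.exe token; brackets and backslashes end a token.
MODULE_RE = re.compile(r"([^\\\s\[\]]+)\.(?:dll|exe)\b", re.IGNORECASE)

# Constructed sample: entries copied from the first log in the thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {89051EFA-65F4-445C-B651-AFADDBB794C7} - C:\Program Files\Internet Explorer\hokevowagC:\WINDOWS\system32\t8\tycodllz83122.exe.dll (file missing)
O2 - BHO: (no name) - {9357a224-b4e7-4f88-917e-b5a807d31173} - C:\WINDOWS\system32\arrddcgv.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: gyointqv - gyointqv.dll (file missing)
O20 - Winlogon Notify: ssqpq - C:\WINDOWS\system32\ssqpq.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


def max_consonant_run(stem: str) -> int:
    run = best = 0
    for ch in stem:
        if ch in "aeiouy":
            run = 0
        else:
            run += 1
            best = max(best, run)
    return best


def looks_random(stem: str) -> bool:
    """Weak signal: 5+ letters with a 4+ consonant cluster (arrddcgv, ssqpq).
    Legitimate modules trip it too (tfswshx.dll, avgcc.exe), so it is worth
    one point and can never reach the FIX threshold by itself."""
    stem = stem.lower()
    return re.fullmatch(r"[a-z]{5,}", stem) is not None and max_consonant_run(stem) >= 4


def triage_line(line: str) -> Optional[Dict]:
    """Return a verdict for one log line, or None for sections not watched."""
    m = LINE_RE.match(line.strip())
    if not m or m.group(1) not in WATCHED:
        return None
    section, body = m.groups()
    score, reasons = 0, []
    if MISSING_RE.search(body):            # strong: registry value outlived its DLL
        score += 3
        reasons.append("load point refers to a file that is no longer on disk")
    if section in ("O2", "O3") and "(no name)" in body:
        score += 1                         # weak: Spybot's SDHelper has no name either
        reasons.append("registered without a friendly name")
    if len(DRIVE_RE.findall(body)) > 1:    # two paths fused into one value
        score += 2
        reasons.append("two drive paths concatenated in one value")
    for stem in MODULE_RE.findall(body):
        if looks_random(stem):
            score += 1
            reasons.append(f"module name {stem!r} looks machine-generated")
    verdict = "FIX" if score >= 3 else ("REVIEW" if score else "ok")
    return {"section": section, "line": line.strip(), "score": score,
            "verdict": verdict, "reasons": reasons}


def triage_log(text: str) -> List[Dict]:
    return [r for r in (triage_line(l) for l in text.splitlines()) if r]


def lines_with_verdict(text: str, verdict: str) -> List[str]:
    return [r["line"] for r in triage_log(text) if r["verdict"] == verdict]


if __name__ == "__main__":
    for r in triage_log(SAMPLE_LOG):
        if r["verdict"] != "ok":
            print(f"{r['verdict']:6} {r['section']:3} score={r['score']}  {r['line'][:70]}")
            for why in r["reasons"]:
                print(f"{'':13}- {why}")
```

On the sample, the five FIX verdicts are exactly the five entries the helper later asks the poster to check in HijackThis (the three "(no name)" BHOs with missing files and the two Winlogon Notify packages). The three REVIEW hits (Spybot's SDHelper, the Sonic DriveLetterAccess BHO and AVG's avgcc.exe) show why "(no name)" and an odd-looking filename are not grounds for removal on their own; the missing file is the signal that matters.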

Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

 

Thank you for your patience.

 

[this is an automated reply]


Hi BlinnSatt, and Welcome to SWI

 

Sorry it has taken so long to get to you, but the board has been very busy lately, and all the Helpers here are volunteers.

 

I suggest printing out each set of instructions and reading the entire post before proceeding. It will make following them easier.

 

Please disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.

 

Open Windows Defender.

Click on Tools, General Settings.

Scroll down and uncheck Turn on real-time protection (recommended).

After you uncheck this, click on the Save button and close Windows Defender.

After all of the fixes are complete it is very important that you enable Real-time Protection again.

 

Please download VundoFix.exe

to your desktop.

  • Double-click *VundoFix.exe* to run it.
  • Click the *Scan for Vundo* button.
  • Once it's done scanning, click the *Remove Vundo* button.
  • You will receive a prompt asking if you want to remove the files, click *YES*
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click *OK*.
  • Please post the contents of C:\vundofix.txt in your next reply.

Note: It is possible that VundoFix encountered a file it could not remove.

In this case, VundoFix will run on reboot, simply follow the above

instructions starting from "Click the *Scan for Vundo* button." when

VundoFix appears at reboot.

 

Clean your Cache and Cookies in IE:

  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK

Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):

  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.

Clean other Temporary files + Recycle bin

  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.

Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entries (if they are still there):

 

O2 - BHO: (no name) - {89051EFA-65F4-445C-B651-AFADDBB794C7} - C:\Program Files\Internet Explorer\hokevowagC:\WINDOWS\system32\t8\tycodllz83122.exe.dll (file missing)

O2 - BHO: (no name) - {9357a224-b4e7-4f88-917e-b5a807d31173} - C:\WINDOWS\system32\arrddcgv.dll (file missing)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O20 - Winlogon Notify: gyointqv - gyointqv.dll (file missing)

O20 - Winlogon Notify: ssqpq - C:\WINDOWS\system32\ssqpq.dll (file missing)

 

Now close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.

 

Using Windows Explorer, delete the following folder (if still there):

C:\WINDOWS\system32\t8

 

Download ComboFix© by sUBs from one of these links:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

http://www.forospyware.com/sUBs/ComboFix.exe

http://subs.geekstogo.com/ComboFix.exe

Save the file to your Desktop.

Double click combofix.exe & follow the prompts.

Don't click on the ComboFix window while it's running; that could cause it to stall.

When finished, and after reboot, it should open a log, combofix.txt.

Post that log in your next reply.

 

Please post a new HijackThis log, the log from VundoFix (C:\vundofix.txt), and in a second reply (due to length) the log from ComboFix (combofix.txt), and note any errors encountered.

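The "Fix Checked" step above removes the O2 and O20 entries from the registry, but a new HijackThis log is the only confirmation the thread asks for. As an added example (not part of the helper's post, not HijackThis or ComboFix code), the script below reads the two registry locations those lines come from, the IE Browser Helper Objects key and the Winlogon Notify key, and reports every load point whose DLL is not on disk, which is what an orphaned "(file missing)" entry is. The winreg reader only works on Windows and assumes a Python 3 interpreter on the machine being checked; the core check is a pure function, so it is exercised here on constructed sample data mirroring the posted log, with one stock XP Notify package (crypt32chain) added as a control that must not be reported.

```python
"""
After HijackThis "Fix Checked" and the reboot, confirm that the O2 and O20
load points are really gone by reading the two registry locations behind
them and reporting every entry whose DLL is not on disk.

Added example for this thread; not part of HijackThis or ComboFix. The
registry paths are the standard IE BHO and Winlogon Notify locations; the
sample data is constructed from entries in the posted log, with one stock
XP Notify package (crypt32chain) as a control that must not be reported.
"""
import os
from typing import Callable, Dict, List, Tuple

try:
    import winreg            # Windows only; the core logic below runs anywhere
except ImportError:
    winreg = None

BHO_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
NOTIFY_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"


def resolve_dll(path: str, system32: str) -> str:
    """A bare DLLName in a Notify subkey is loaded from system32; a full
    path may carry %SystemRoot%-style variables (expanded on Windows)."""
    path = os.path.expandvars(path.strip().strip('"'))
    if ":" not in path:
        path = system32.rstrip("\\") + "\\" + path
    return path


def find_orphans(bhos: Dict[str, str], notify: Dict[str, str],
                 exists: Callable[[str], bool],
                 system32: str = r"C:\WINDOWS\system32") -> List[Tuple[str, str, str]]:
    """(kind, name, dll) for each load point whose DLL is absent or unset.
    bhos maps CLSID -> InprocServer32 path; notify maps subkey -> DLLName."""
    orphans = []
    for clsid, dll in bhos.items():
        if not dll or not exists(resolve_dll(dll, system32)):
            orphans.append(("BHO", clsid, dll))
    for name, dll in notify.items():
        if not dll or not exists(resolve_dll(dll, system32)):
            orphans.append(("WinlogonNotify", name, dll))
    return orphans


def read_live_registry() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Windows only: BHO CLSIDs with their InprocServer32 default value and
    Winlogon Notify packages with their DLLName value."""
    bhos, notify = {}, {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, BHO_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[0]):
            clsid = winreg.EnumKey(key, i)
            try:
                bhos[clsid] = winreg.QueryValue(
                    winreg.HKEY_CLASSES_ROOT, "CLSID\\" + clsid + "\\InprocServer32")
            except OSError:
                bhos[clsid] = ""          # HijackThis shows this as "(no file)"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, NOTIFY_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[0]):
            name = winreg.EnumKey(key, i)
            with winreg.OpenKey(key, name) as sub:
                try:
                    notify[name] = winreg.QueryValueEx(sub, "DLLName")[0]
                except OSError:
                    notify[name] = ""
    return bhos, notify


# Constructed sample mirroring the posted log (plus one control entry).
SAMPLE_BHOS = {
    "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}": r"C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    "{9357a224-b4e7-4f88-917e-b5a807d31173}": r"C:\WINDOWS\system32\arrddcgv.dll",
    "{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}": "",
}
SAMPLE_NOTIFY = {
    "ssqpq": r"C:\WINDOWS\system32\ssqpq.dll",
    "gyointqv": "gyointqv.dll",
    "crypt32chain": "crypt32.dll",     # stock XP package, present on disk
}
SAMPLE_DISK = {
    r"C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"C:\WINDOWS\system32\crypt32.dll",
}
_DISK_LOWER = {p.lower() for p in SAMPLE_DISK}


def sample_exists(path: str) -> bool:
    return path.lower() in _DISK_LOWER


if __name__ == "__main__":
    if winreg is None:
        bhos, notify, exists, sys32 = SAMPLE_BHOS, SAMPLE_NOTIFY, sample_exists, r"C:\WINDOWS\system32"
    else:
        bhos, notify = read_live_registry()
        exists = os.path.exists
        sys32 = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), "system32")
    for kind, name, dll in find_orphans(bhos, notify, exists, sys32):
        print(f"{kind:15} {name:40} -> {dll or '(no file)'}")
```

Run it once before "Fix Checked" to see the four orphans, and again after the reboot, when the output should be empty. It reports only load points; it does not look for leftover hidden files, so note that the Find3M section of the ComboFix log later in this thread still lists hidden qpqss.* and rtstv.* files in system32, and that "qpqss" is the removed Notify package "ssqpq" spelled backwards, which is worth pointing out to the helper.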

Hi, TheJoker. What a relief to get your reply.

 

Later tonight, when I return home, I will do everything you've suggested in your post, and then show you my results.

 

In the meantime, I have one question. Should I first restore the three pieces of malware that I earlier "fixed" with HiJackThis before I posted my original HiJackThis Log to SWI? I ask, just in case seeing that malware would help you somehow.

 

For your information, the suspected malware I previously removed from my computer were the following three:

 

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O20 - Winlogon Notify: htproc - htproc32.dll (file missing)

 

Of course, removing them did not help my pop up problem, which is why I came to the SWI Forum for help.

 

Thanks.


The first is an empty registry entry that should be "fixed" simply for good housekeeping. The last one is malware related and shouldn't be restored. The second one is not malicious, but doesn't necessarily need to be restored; it's related to Windows Messenger. If you don't use Windows Messenger, you can go to Windows Messenger > Tools > Options > Preferences and uncheck "Run this program when Windows starts".


I performed the various tasks you suggested. Pasted below are a newly run HiJackThis log, VundoFix text and the Combofix log.

 

(NOTE: VundoFix did not give me a prompt to "remove files"; I guess it didn't find any files. ComboFix did not give me any error readings, though I have bolded the parts of the log file that mention "failed to delete" in case that is what you were looking for.)

 

 

 

HIJACK THIS LOG FROM JAN 29, 2008

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:17:32 PM, on 1/29/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\fxssvc.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Dell Support Center\bin\sprtcmd.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\PAUL\Application Data\Mozilla\Profiles\default\zr0zyzql.slt\prefs.js)

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144373316734

O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab

O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamem...GameManager.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...399/mcfscan.cab

O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

 

--

End of file - 7262 bytes

 

 

VUNDOFIX TEXT -- Which appears to have recorded a previous VundoFix I ran last week, plus the one I ran tonight, Jan 29

 

 

VundoFix V6.7.7

 

Checking Java version...

 

Scan started at 2:47:57 PM 1/20/2008

 

Listing files found while scanning....

 

No infected files were found.

 

 

Beginning removal...

 

VundoFix V6.7.7

 

Checking Java version...

 

Scan started at 6:34:01 PM 1/20/2008

 

Listing files found while scanning....

 

No infected files were found.

 

 

VundoFix V6.7.7

 

Checking Java version...

 

Scan started at 7:41:50 PM 1/29/2008

 

Listing files found while scanning....

 

No infected files were found.

 

 

Beginning removal...

 

 

END OF VUNDOFIX TEXT

 

 

See my next post for my ComboFix log ...


... and here is my ComboFix log.

 

COMBOFIX LOG FROM JAN 29, 2008

 

ComboFix 08-01-30.1 - Paul 2008-01-29 20:57:36.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.586 [GMT -5:00]

Running from: C:\Documents and Settings\Paul\Desktop\ComboFix.exe

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\temp\tn3

C:\WINDOWS\Downloaded Program Files\t1fonts

C:\WINDOWS\Downloaded Program Files\t1fonts\d050000l.pfb

C:\WINDOWS\Downloaded Program Files\t1fonts\n019003l.pfb

C:\WINDOWS\Downloaded Program Files\t1fonts\n019004l.pfb

C:\WINDOWS\Downloaded Program Files\t1fonts\n019023l.pfb

C:\WINDOWS\Downloaded Program Files\t1fonts\n019024l.pfb

C:\WINDOWS\Downloaded Program Files\t1fonts\n021003l.pfb

C:\WINDOWS\Downloaded Program Files\t1fonts\n021004l.pfb

C:\WINDOWS\Downloaded Program Files\t1fonts\n021023l.pfb

C:\WINDOWS\Downloaded Program Files\t1fonts\n021024l.pfb

C:\WINDOWS\Downloaded Program Files\t1fonts\n022003l.pfb

C:\WINDOWS\Downloaded Program Files\t1fonts\n022004l.pfb

C:\WINDOWS\Downloaded Program Files\t1fonts\n022023l.pfb

C:\WINDOWS\Downloaded Program Files\t1fonts\n022024l.pfb

C:\WINDOWS\Downloaded Program Files\t1fonts\s050000l.pfb

C:\WINDOWS\system32\b3

C:\WINDOWS\system32\drivers\core.cache(2).dsk

C:\WINDOWS\system32\drivers\core.cache(3).dsk

C:\WINDOWS\system32\drivers\core.cache(4).dsk

C:\WINDOWS\system32\drivers\core.cache(5).dsk

C:\WINDOWS\system32\drivers\core.cache(6).dsk

C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

C:\WINDOWS\system32\e9

C:\WINDOWS\system32\e9\farstadcom2.exe

C:\WINDOWS\system32\mcrh.tmp

C:\WINDOWS\system32\oitpxfdj.dll

C:\WINDOWS\system32\p2

C:\WINDOWS\system32\ummaxemo.dll

C:\WINDOWS\system32\z4

C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

 

.

-------\nm

 

 

((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 )))))))))))))))))))))))))))))))

.

 

2008-01-29 21:02 . 2008-01-29 21:02 <DIR> d-------- C:\Temp\tn3

2008-01-22 20:55 . 2008-01-26 17:36 <DIR> d-------- C:\HJT

2008-01-21 21:05 . 2008-01-21 21:05 <DIR> d-------- C:\Program Files\Trend Micro

2008-01-20 19:12 . 2008-01-20 19:12 167,545 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk

2008-01-20 18:34 . 2008-01-20 18:34 <DIR> d-------- C:\VundoFix Backups

2008-01-20 15:29 . 2008-01-20 15:30 <DIR> d-------- C:\WINDOWS\ERUNT

2008-01-20 15:16 . 2008-01-20 15:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2008-01-20 15:15 . 2008-01-20 15:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7

2008-01-20 11:18 . 2008-01-20 15:18 <DIR> d-------- C:\Program Files\Windows Defender

2008-01-19 15:34 . 2008-01-22 22:03 <DIR> d-------- C:\Program Files\SpywareBlaster

2008-01-19 13:05 . 2008-01-19 13:05 <DIR> d-------- C:\Program Files\Lavasoft

2008-01-19 13:05 . 2008-01-19 13:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

2008-01-19 11:18 . 2008-01-20 15:15 <DIR> d-------- C:\Program Files\Common Files\Java

2008-01-19 11:18 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl

2008-01-19 09:11 . 2008-01-19 09:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft

2008-01-14 11:48 . 2008-01-14 11:52 <DIR> d-------- C:\WINDOWS\SYSTEM32\edcA01

2008-01-13 07:50 . 2008-01-14 14:03 <DIR> d-------- C:\WINDOWS\SYSTEM32\edcA17

2008-01-13 07:50 . 2008-01-13 07:50 <DIR> d-------- C:\Temp\Ryuan1

2008-01-13 07:50 . 2008-01-13 07:50 86,016 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\netbtt.sys

2008-01-09 04:20 . 2008-01-09 04:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\ardCo01

2008-01-09 04:20 . 2008-01-09 04:20 <DIR> d-------- C:\Temp\cEeer12

2008-01-09 04:20 . 2008-01-29 21:02 <DIR> d-------- C:\Temp

2008-01-09 02:34 . 2008-01-09 02:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Muzzy Lane Software

2008-01-09 02:30 . 2008-01-09 02:30 <DIR> d-------- C:\Program Files\Strategy First

2007-12-28 22:21 . 2007-12-28 22:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft

2007-12-28 22:20 . 2007-12-28 22:21 <DIR> d-------- C:\Program Files\Dell Support Center

2007-12-28 22:20 . 2007-12-28 22:20 <DIR> d-------- C:\Program Files\Common Files\supportsoft

2007-12-24 08:16 . 2007-12-24 08:16 552 --a------ C:\WINDOWS\SYSTEM32\d3d8caps.dat

2007-12-17 06:29 . 2007-12-17 06:30 <DIR> d-------- C:\Program Files\iTunes

2007-12-17 06:29 . 2007-12-17 06:29 <DIR> d-------- C:\Program Files\iPod

2007-12-14 11:32 . 2007-12-14 11:32 12,632 --a------ C:\WINDOWS\SYSTEM32\lsdelete.exe

2007-12-11 10:57 . 2007-12-11 10:57 65,536 --a------ C:\WINDOWS\SYSTEM32\QuickTimeVR.qtx

2007-12-11 10:57 . 2007-12-11 10:57 49,152 --a------ C:\WINDOWS\SYSTEM32\QuickTime.qts

2007-12-04 22:50 . 2008-01-29 20:54 7,168 --ahs---- C:\WINDOWS\SYSTEM32\Thumbs.db

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-01-27 01:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVG7

2008-01-20 20:16 --------- d-----w C:\Documents and Settings\Paul\Application Data\Lavasoft

2008-01-19 17:38 --------- d-----w C:\Documents and Settings\Paul\Application Data\MSN6

2008-01-19 16:18 --------- d-----w C:\Program Files\Java

2007-12-29 03:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell

2007-12-17 11:23 --------- d-----w C:\Program Files\QuickTime

2007-12-17 11:21 --------- d-----w C:\Program Files\Apple Software Update

2007-11-24 20:04 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT

2007-11-24 20:04 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLds.DAT

2006-03-23 23:58 713,205 --sh--w C:\WINDOWS\SYSTEM32\qpqss.bak1

2006-04-01 16:01 661,476 --sh--w C:\WINDOWS\SYSTEM32\qpqss.bak2

2006-04-01 18:05 319,476 --sh--w C:\WINDOWS\SYSTEM32\qpqss.ini2

2005-09-20 15:08 420,852 --sha-w C:\WINDOWS\SYSTEM32\rtstv.bak1

2005-09-23 21:55 423,533 --sha-w C:\WINDOWS\SYSTEM32\rtstv.bak2

2005-09-24 17:01 423,984 --sha-w C:\WINDOWS\SYSTEM32\rtstv.ini2

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]

"Sonic RecordNow!"="" []

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 09:23 202544]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 09:54 579072]

"nwiz"="nwiz.exe" [2005-12-10 02:06 1519616 C:\WINDOWS\SYSTEM32\nwiz.exe]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]

"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 09:24 16384]

"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 10:56 286720]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-25 08:17 219136]

"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 19:29 39264]

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk

backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

--------- 2004-08-04 02:56 15360 C:\WINDOWS\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Desktop Weather 3]

C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]

--a------ 2004-03-15 01:04 122933 C:\WINDOWS\system32\dla\tfswctrl.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]

--a------ 2003-08-13 10:27 28672 C:\WINDOWS\System32\DSentry.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWHeartbeatMonitor]

C:\PROGRA~1\THEWEA~1\DWHeartbeatMonitor.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]

--a------ 2003-12-22 07:38 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

--a------ 2003-08-04 16:28 49152 C:\Program Files\HP\HP Software Update\HPWuSchd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]

--a------ 2003-09-03 20:12 221184 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]

c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]

--a------ 2005-03-12 06:25 110592 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]

--a------ 2003-06-18 12:00 200704 C:\Program Files\Microsoft Money\System\mnyexpr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--a------ 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

--a------ 2005-12-10 02:06 7311360 C:\WINDOWS\System32\NvCpl.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]

--------- 2003-08-26 19:47 204800 C:\Program Files\Dell\Media Experience\PCMService.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2007-12-11 10:56 286720 C:\Program Files\QuickTime\qttask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]

--a------ 2004-06-30 18:04 95344 C:\PROGRA~1\SYMNET~1\SNDMon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

--a------ 2006-07-01 12:14 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]

--a------ 2003-08-19 01:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]

C:\Program Files\Norton Internet Security\UrlLstCk.exe

 

R1 netbtt;netbtt;C:\WINDOWS\system32\drivers\netbtt.sys [2008-01-13 07:50]

R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service []

S3 NUVision;Pinnacle DVC 80 Video;C:\WINDOWS\system32\DRIVERS\nuvvid2.sys [2001-12-03 11:55]

 

.

Contents of the 'Scheduled Tasks' folder

"2008-01-25 04:03:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

"2007-12-01 22:08:16 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#hp psc 2400 series#1088283945.job"

- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe0/#Hewlett-Packard#hp psc 2400 series#1088283945

"2008-01-30 02:05:21 C:\WINDOWS\Tasks\MP Scheduled Scan.job"

- C:\Program Files\Windows Defender\MpCmdRun.exe

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-29 21:03:38

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\Program Files\Windows Defender\MsMpEng.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\system32\fxssvc.exe

C:\WINDOWS\system32\msiexec.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\Program Files\Dell Support Center\bin\sprtcmd.exe

C:\Program Files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2008-01-29 21:10:16 - machine was rebooted

ComboFix-quarantined-files.txt 2008-01-30 02:10:13

.

2008-01-29 23:43:23 --- E O F ---

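The "Reg Loading Points" section of the ComboFix log above has a regular shape: a bracketed registry key, then one `"name"="value" [timestamp size]` line per autostart value, with an empty bracket when ComboFix found no file behind the value (the `"Sonic RecordNow!"="" []` line is one such orphan, and it is exactly the kind of entry a helper later removes with a `Registry::` block). The following Python is an added example, not part of this thread and not ComboFix's or the helper's code; the sample text is copied from the log above and the function and class names are mine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: lines copied from the ComboFix "Reg Loading Points" section above.
SAMPLE = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]
"Sonic RecordNow!"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 09:54 579072]
"nwiz"="nwiz.exe" [2005-12-10 02:06 1519616 C:\WINDOWS\SYSTEM32\nwiz.exe]
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# "name"="value" [timestamp size [resolved path]]; the bracket is empty when ComboFix found no file
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')


@dataclass
class AutorunEntry:
    key: str
    name: str
    value: str          # the registry data, usually a path or a bare file name
    stamp: str          # "YYYY-MM-DD HH:MM" ComboFix recorded for the file, "" if none
    size: Optional[int]
    resolved: str       # full path ComboFix resolved for a bare file name, "" otherwise

    @property
    def orphaned(self) -> bool:
        """True when the value is empty or ComboFix could not find a file behind it."""
        return self.value == "" or self.stamp == ""


def parse_reg_loading_points(text: str) -> List[AutorunEntry]:
    """Parse the REGEDIT4-style autostart listing into one AutorunEntry per value."""
    entries: List[AutorunEntry] = []
    key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = ENTRY_RE.match(line)
        if not m or key is None:
            continue
        parts = m.group("meta").split(None, 3)      # date, time, size, optional resolved path
        stamp = " ".join(parts[:2]) if len(parts) >= 2 else ""
        size = int(parts[2]) if len(parts) >= 3 and parts[2].isdigit() else None
        resolved = parts[3] if len(parts) == 4 else ""
        entries.append(AutorunEntry(key, m.group("name"), m.group("value"), stamp, size, resolved))
    return entries


def cfscript_registry_section(entries: List[AutorunEntry]) -> str:
    """Render a ComboFix 'Registry::' block that deletes the orphaned values ("name"=- syntax)."""
    by_key: Dict[str, List[str]] = {}
    for e in entries:
        if e.orphaned:
            by_key.setdefault(e.key, []).append(e.name)
    lines = ["Registry::"]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_reg_loading_points(SAMPLE)
    for e in parsed:
        flag = "ORPHANED" if e.orphaned else "ok"
        print(f"{flag:8} {e.name:20} {e.value or '(empty)'}  {e.resolved}")
    print(cfscript_registry_section(parsed))
```

Run against the sample, the only orphan is `Sonic RecordNow!`, and the rendered `Registry::` block matches the one the helper posts later in this thread. Bare file names such as `nwiz.exe` keep the path ComboFix resolved for them, so a reviewer can see which directory actually satisfied the lookup.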

First, you need to update your copy of ComboFix before doing the below action.

Delete the copy of ComboFix.exe you currently have.

Download ComboFix© by sUBs from one of these links:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

http://www.forospyware.com/sUBs/ComboFix.exe

http://subs.geekstogo.com/ComboFix.exe

Save the file to your Desktop.

 

For this next step, please ensure that ComboFix.exe is on your desktop:

 

Please open Notepad *Do Not Use Wordpad!* (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:

Save this as "CFScript.txt" and change the "Save as type" to "All Files" and place it on your desktop.

 

Killall::

 

File::

C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk

C:\WINDOWS\SYSTEM32\DRIVERS\netbtt.sys

C:\WINDOWS\SYSTEM32\qpqss.bak1

C:\WINDOWS\SYSTEM32\qpqss.bak2

C:\WINDOWS\SYSTEM32\qpqss.ini2

C:\WINDOWS\SYSTEM32\rtstv.bak1

C:\WINDOWS\SYSTEM32\rtstv.bak2

C:\WINDOWS\SYSTEM32\rtstv.ini2

 

Folder::

C:\Temp\tn3

C:\WINDOWS\SYSTEM32\edcA01

C:\WINDOWS\SYSTEM32\edcA17

C:\Temp\Ryuan1

C:\WINDOWS\SYSTEM32\ardCo01

C:\Temp\cEeer12

 

Registry::

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sonic RecordNow!"=-

[Screenshot: CFScript-createdbyMiekiemoes.gif]

 

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.

ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

 

Please run a free online scan with Kaspersky AntiVirus (works only with MS Internet Explorer 5.0 or higher).

First, please close all other open programs, including any non-essential programs running in your System Tray (do NOT close your antivirus or firewall).

Go to http://www.kaspersky.co.uk/virusscanner and click the "Kaspersky Online Scanner" button (NOT "Kaspersky File Scanner").

  • In the new window that opens, click the "Accept" button to accept the user agreement, install the ActiveX control, and download the program.
  • When you get the Windows dialog asking if you want to install this software, click the "Install" button.
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button lights up with a green arrow, click it.
  • Click on the "Scan Settings" button, and in the next window select the "extended" database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.

When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window, and post the text in kavscan.txt in your next reply.

 

Please post a new HijackThis log, the log from Kaspersky's online scanner, and in a second reply (due to length) the log from ComboFix (combofix.txt), and note any errors encountered.


Here are the three new logs you've requested:

 

HIJACK THIS LOG -- JAN 30 2008

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:35:19 PM, on 1/30/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\fxssvc.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Dell Support Center\bin\sprtcmd.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\PAUL\Application Data\Mozilla\Profiles\default\zr0zyzql.slt\prefs.js)

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144373316734

O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab

O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamem...GameManager.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...399/mcfscan.cab

O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

 

--

End of file - 7400 bytes

 

 

 

KASPERSKY ONLINE SCANNER LOG

 

 

-------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER REPORT

Wednesday, January 30, 2008 9:33:59 PM

Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)

Kaspersky Online Scanner version: 5.0.98.0

Kaspersky Anti-Virus database last update: 30/01/2008

Kaspersky Anti-Virus database records: 538921

-------------------------------------------------------------------------------

 

Scan Settings:

Scan using the following antivirus database: extended

Scan Archives: true

Scan Mail Bases: true

 

Scan Target - My Computer:

A:\

C:\

D:\

E:\

 

Scan Statistics:

Total number of scanned objects: 109200

Number of viruses found: 5

Number of infected objects: 20

Number of suspicious objects: 0

Duration of the scan process: 01:21:09

 

Infected Object Name / Virus Name / Last Action

C:\Documents and Settings\All Users\Application Data\AVG7\Log\emc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\59c95a4d7f7e8aef27d13eb9f20cefeb_9192d17a-9a72-4204-823a-85ab53b53cd0 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b9359a290e84dc28add6a11bb0d8df04_9192d17a-9a72-4204-823a-85ab53b53cd0 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d953eda3e26304d35e06e3f99844845b_9192d17a-9a72-4204-823a-85ab53b53cd0 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-01202008-111851.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\InboxLOG.txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\OutboxLOG.txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\SupportSoft\DellSupportCenter\SYSTEM\state\logs\sprtcmd.log Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Paul\Cookies\INDEX.DAT Object is locked skipped

C:\Documents and Settings\Paul\Local Settings\Application Data\Identities\{68C8549C-B54C-49C8-AE06-8BBD06069FA8}\Microsoft\Outlook Express\Deleted Items.dbx/[From new_account@jtsa.edu][Date Wed, 08 Dec 2004 05:12:21 GMT]/UNNAMED/jtsa3167.eml.zip/message_text.txt .pif Infected: Email-Worm.Win32.Sober.i skipped

C:\Documents and Settings\Paul\Local Settings\Application Data\Identities\{68C8549C-B54C-49C8-AE06-8BBD06069FA8}\Microsoft\Outlook Express\Deleted Items.dbx/[From new_account@jtsa.edu][Date Wed, 08 Dec 2004 05:12:21 GMT]/UNNAMED/jtsa3167.eml.zip Infected: Email-Worm.Win32.Sober.i skipped

C:\Documents and Settings\Paul\Local Settings\Application Data\Identities\{68C8549C-B54C-49C8-AE06-8BBD06069FA8}\Microsoft\Outlook Express\Deleted Items.dbx/[From new_account@jtsa.edu][Date Wed, 08 Dec 2004 05:12:21 GMT]/UNNAMED Infected: Email-Worm.Win32.Sober.i skipped

C:\Documents and Settings\Paul\Local Settings\Application Data\Identities\{68C8549C-B54C-49C8-AE06-8BBD06069FA8}\Microsoft\Outlook Express\Deleted Items.dbx Mail MS Outlook 5: infected - 3 skipped

C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{66605DC2-2CD3-40A1-A856-33814C50BB65} Object is locked skipped

C:\Documents and Settings\Paul\Local Settings\Application Data\SupportSoft\DellSupportCenter\Paul\state\logs\sprtcmd.log Object is locked skipped

C:\Documents and Settings\Paul\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped

C:\Documents and Settings\Paul\Local Settings\History\History.IE5\MSHist012008013020080131\index.dat Object is locked skipped

C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\tepU2314.exe/data0006 Infected: Trojan-Downloader.Win32.VB.ceh skipped

C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\tepU2314.exe NSIS: infected - 1 skipped

C:\Documents and Settings\Paul\ntuser.dat Object is locked skipped

C:\Documents and Settings\Paul\ntuser.dat.LOG Object is locked skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\oitpxfdj.dll.vir Infected: Trojan.Win32.Crypt.o skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ummaxemo.dll.vir Infected: Trojan.Win32.Crypt.o skipped

C:\QooBox\Quarantine\catchme2008-01-30_192544.82.zip/netbtt.sys Infected: Rootkit.Win32.Agent.to skipped

C:\QooBox\Quarantine\catchme2008-01-30_192544.82.zip ZIP: infected - 1 skipped

C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1082\A0227332.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped

C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1082\A0227332.exe NSIS: infected - 1 skipped

C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1085\A0229444.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped

C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1085\A0229444.exe NSIS: infected - 1 skipped

C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1098\A0235097.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped

C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1098\A0235097.exe NSIS: infected - 1 skipped

C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1099\A0236088.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped

C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1099\A0236088.exe NSIS: infected - 1 skipped

C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1111\A0239552.dll Infected: Trojan.Win32.Crypt.o skipped

C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1111\A0239553.dll Infected: Trojan.Win32.Crypt.o skipped

C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1113\change.log Object is locked skipped

C:\WINDOWS\$NtUninstallKB839645$\fldrclnr.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB839645$\shell32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB839645$\shlwapi.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB839645$\sxs.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB839645$\xpsp2res.dll Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{ED17FF9A-A5BB-4F19-896F-7253DD2110F3}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\WIADEBUG.LOG Object is locked skipped

C:\WINDOWS\WIASERVC.LOG Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

 

Scan process completed.

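The Kaspersky report above lists every hit in the same layout, a path followed by a verdict (`Infected: <name>`, an archive or mailbox summary such as `NSIS: infected - 1`, or `Object is locked`) and the action taken. For clean-up, where a hit lives matters as much as its name: the `C:\QooBox\Quarantine` copies were already moved aside by ComboFix, the `System Volume Information\_restore` copies are old System Restore snapshots, and the `.dbx` hit is a message inside an Outlook Express mailbox rather than a file that runs. The following Python is an added triage example, not part of this thread and not Kaspersky's or the helper's code; the sample lines are constructed from the report above with the long GUIDs shortened, and the bucket names are mine.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the shape of the Kaspersky report posted above (paths shortened;
# <SID> and <RP> stand in for the long GUIDs). Columns are whitespace-separated.
SAMPLE_REPORT = r'''
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\AVG7\Log\emc.log Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Identities\<SID>\Microsoft\Outlook Express\Deleted Items.dbx/[From new_account@jtsa.edu][Date Wed, 08 Dec 2004 05:12:21 GMT]/UNNAMED/jtsa3167.eml.zip/message_text.txt .pif Infected: Email-Worm.Win32.Sober.i skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Identities\<SID>\Microsoft\Outlook Express\Deleted Items.dbx Mail MS Outlook 5: infected - 3 skipped
C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\tepU2314.exe/data0006 Infected: Trojan-Downloader.Win32.VB.ceh skipped
C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\tepU2314.exe NSIS: infected - 1 skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\oitpxfdj.dll.vir Infected: Trojan.Win32.Crypt.o skipped
C:\QooBox\Quarantine\catchme2008-01-30_192544.82.zip/netbtt.sys Infected: Rootkit.Win32.Agent.to skipped
C:\System Volume Information\_restore{<RP>}\RP1082\A0227332.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
Scan process completed.
'''

# path, then one of three verdict shapes, then the action ("skipped" in an online scan)
LINE_RE = re.compile(
    r'^(?P<path>.+?)\s+'
    r'(?:Infected: (?P<name>\S+)'
    r'|(?P<container>[\w ]+): infected - (?P<count>\d+)'
    r'|(?P<locked>Object is locked))'
    r'\s+skipped$'
)


@dataclass
class Finding:
    path: str
    detection: str       # e.g. "Trojan.Win32.Crypt.o"
    category: str        # where the object lives; see classify()


def classify(path: str) -> str:
    """Bucket a hit by location, which decides the clean-up step rather than the severity."""
    p = path.lower()
    if p.startswith('c:\\qoobox\\quarantine\\'):
        return 'quarantine'      # already moved aside by ComboFix, not active
    if '\\system volume information\\_restore' in p:
        return 'restore-point'   # old System Restore copy; goes away when restore points are purged
    if '\\temporary internet files\\' in p:
        return 'browser-cache'   # a download in the IE cache; clear the cache, then check what ran
    if '.dbx' in p:
        return 'mail-store'      # a message inside an Outlook Express mailbox, not a file that runs
    return 'on-disk'             # anything else needs a closer look


def parse_report(text: str) -> List[Finding]:
    """One Finding per 'Infected:' line; container summaries and locked objects are not findings."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m and m.group('name'):
            findings.append(Finding(m.group('path'), m.group('name'), classify(m.group('path'))))
    return findings


def tally(text: str) -> Counter:
    """Count report lines by kind: 'infected', 'container' (archive/mailbox summary), 'locked'."""
    kinds: Counter = Counter()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kinds['infected' if m.group('name') else 'container' if m.group('container') else 'locked'] += 1
    return kinds


def summarize(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Group findings by category so each bucket can be handled with its own clean-up step."""
    by_cat: Dict[str, List[Finding]] = {}
    for f in findings:
        by_cat.setdefault(f.category, []).append(f)
    return by_cat


if __name__ == "__main__":
    hits = parse_report(SAMPLE_REPORT)
    print("line kinds:", dict(tally(SAMPLE_REPORT)))
    for category, items in summarize(hits).items():
        print(f"\n[{category}]")
        for f in items:
            print(f"  {f.detection:45} {f.path}")
```

On the sample, `tally` reports five `Infected:` lines, two container summaries and two locked objects, and `summarize` puts the two ComboFix quarantine hits and the restore-point hit into buckets that need no file-level action, leaving the browser-cache download and the mailbox item as the ones worth reading the rest of the thread for. Locked-object lines are deliberately not findings: a scanner reporting that it could not open the SAM hive is normal, not a detection.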

... and here is the ComboFix log. (As you requested, I downloaded ComboFix all over again, this time from the forospyware site.)

 

COMBOFIX LOG

 

 

ComboFix 08-01-31.1 - Paul 2008-01-30 19:18:02.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.666 [GMT -5:00]

Running from: C:\Documents and Settings\Paul\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Paul\Desktop\CFScript.txt

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

 

FILE

C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk

C:\WINDOWS\SYSTEM32\DRIVERS\netbtt.sys

C:\WINDOWS\SYSTEM32\qpqss.bak1

C:\WINDOWS\SYSTEM32\qpqss.bak2

C:\WINDOWS\SYSTEM32\qpqss.ini2

C:\WINDOWS\SYSTEM32\rtstv.bak1

C:\WINDOWS\SYSTEM32\rtstv.bak2

C:\WINDOWS\SYSTEM32\rtstv.ini2

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk

C:\WINDOWS\SYSTEM32\DRIVERS\netbtt.sys

C:\Temp\cEeer12

C:\Temp\Ryuan1

C:\Temp\Ryuan1\tepU.log

C:\temp\tn3

C:\WINDOWS\SYSTEM32\ardCo01

C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk

C:\WINDOWS\SYSTEM32\DRIVERS\netbtt.sys

C:\WINDOWS\SYSTEM32\edcA01

C:\WINDOWS\SYSTEM32\edcA17

C:\WINDOWS\SYSTEM32\qpqss.bak1

C:\WINDOWS\SYSTEM32\qpqss.bak2

C:\WINDOWS\SYSTEM32\qpqss.ini2

C:\WINDOWS\SYSTEM32\rtstv.bak1

C:\WINDOWS\SYSTEM32\rtstv.bak2

C:\WINDOWS\SYSTEM32\rtstv.ini2

 

.

((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-31 )))))))))))))))))))))))))))))))

.

 

2008-01-30 05:19 . 2008-01-30 05:19 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles

2008-01-29 21:11 . 2008-01-29 21:16 <DIR> d-------- C:\ComboFix Folder

2008-01-22 20:55 . 2008-01-26 17:36 <DIR> d-------- C:\HJT

2008-01-21 21:05 . 2008-01-21 21:05 <DIR> d-------- C:\Program Files\Trend Micro

2008-01-20 18:34 . 2008-01-20 18:34 <DIR> d-------- C:\VundoFix Backups

2008-01-20 15:29 . 2008-01-20 15:30 <DIR> d-------- C:\WINDOWS\ERUNT

2008-01-20 15:16 . 2008-01-20 15:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2008-01-20 15:15 . 2008-01-20 15:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7

2008-01-20 11:18 . 2008-01-20 15:18 <DIR> d-------- C:\Program Files\Windows Defender

2008-01-19 15:34 . 2008-01-22 22:03 <DIR> d-------- C:\Program Files\SpywareBlaster

2008-01-19 13:05 . 2008-01-19 13:05 <DIR> d-------- C:\Program Files\Lavasoft

2008-01-19 13:05 . 2008-01-19 13:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

2008-01-19 11:18 . 2008-01-20 15:15 <DIR> d-------- C:\Program Files\Common Files\Java

2008-01-19 11:18 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl

2008-01-19 09:11 . 2008-01-19 09:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft

2008-01-09 04:20 . 2008-01-30 19:22 <DIR> d-------- C:\Temp

2008-01-09 02:34 . 2008-01-09 02:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Muzzy Lane Software

2008-01-09 02:30 . 2008-01-09 02:30 <DIR> d-------- C:\Program Files\Strategy First

2007-12-28 22:21 . 2007-12-28 22:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft

2007-12-28 22:20 . 2007-12-28 22:21 <DIR> d-------- C:\Program Files\Dell Support Center

2007-12-28 22:20 . 2007-12-28 22:20 <DIR> d-------- C:\Program Files\Common Files\supportsoft

2007-12-24 08:16 . 2007-12-24 08:16 552 --a------ C:\WINDOWS\SYSTEM32\d3d8caps.dat

2007-12-17 06:29 . 2007-12-17 06:30 <DIR> d-------- C:\Program Files\iTunes

2007-12-17 06:29 . 2007-12-17 06:29 <DIR> d-------- C:\Program Files\iPod

2007-12-14 11:32 . 2007-12-14 11:32 12,632 --a------ C:\WINDOWS\SYSTEM32\lsdelete.exe

2007-12-11 10:57 . 2007-12-11 10:57 65,536 --a------ C:\WINDOWS\SYSTEM32\QuickTimeVR.qtx

2007-12-11 10:57 . 2007-12-11 10:57 49,152 --a------ C:\WINDOWS\SYSTEM32\QuickTime.qts

2007-12-04 22:50 . 2008-01-29 20:54 7,168 --ahs---- C:\WINDOWS\SYSTEM32\Thumbs.db

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-01-27 01:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVG7

2008-01-20 20:16 --------- d-----w C:\Documents and Settings\Paul\Application Data\Lavasoft

2008-01-19 17:38 --------- d-----w C:\Documents and Settings\Paul\Application Data\MSN6

2008-01-19 16:18 --------- d-----w C:\Program Files\Java

2007-12-29 03:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell

2007-12-17 11:23 --------- d-----w C:\Program Files\QuickTime

2007-12-17 11:21 --------- d-----w C:\Program Files\Apple Software Update

2007-11-24 20:04 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT

2007-11-24 20:04 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLds.DAT

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 09:23 202544]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 09:54 579072]

"nwiz"="nwiz.exe" [2005-12-10 02:06 1519616 C:\WINDOWS\SYSTEM32\nwiz.exe]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]

"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 09:24 16384]

"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 10:56 286720]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-25 08:17 219136]

"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 19:29 39264]

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk

backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

--------- 2004-08-04 02:56 15360 C:\WINDOWS\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Desktop Weather 3]

C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]

--a------ 2004-03-15 01:04 122933 C:\WINDOWS\system32\dla\tfswctrl.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]

--a------ 2003-08-13 10:27 28672 C:\WINDOWS\System32\DSentry.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWHeartbeatMonitor]

C:\PROGRA~1\THEWEA~1\DWHeartbeatMonitor.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]

--a------ 2003-12-22 07:38 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

--a------ 2003-08-04 16:28 49152 C:\Program Files\HP\HP Software Update\HPWuSchd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]

--a------ 2003-09-03 20:12 221184 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]

c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]

--a------ 2005-03-12 06:25 110592 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]

--a------ 2003-06-18 12:00 200704 C:\Program Files\Microsoft Money\System\mnyexpr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--a------ 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

--a------ 2005-12-10 02:06 7311360 C:\WINDOWS\System32\NvCpl.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]

--------- 2003-08-26 19:47 204800 C:\Program Files\Dell\Media Experience\PCMService.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2007-12-11 10:56 286720 C:\Program Files\QuickTime\qttask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]

--a------ 2004-06-30 18:04 95344 C:\PROGRA~1\SYMNET~1\SNDMon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

--a------ 2006-07-01 12:14 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]

--a------ 2003-08-19 01:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]

C:\Program Files\Norton Internet Security\UrlLstCk.exe

 

R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service []

S1 netbtt;netbtt;C:\WINDOWS\system32\drivers\netbtt.sys []

S3 NUVision;Pinnacle DVC 80 Video;C:\WINDOWS\system32\DRIVERS\nuvvid2.sys [2001-12-03 11:55]

 

.

Contents of the 'Scheduled Tasks' folder

"2008-01-25 04:03:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

"2007-12-01 22:08:16 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#hp psc 2400 series#1088283945.job"

- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe0/#Hewlett-Packard#hp psc 2400 series#1088283945

"2008-01-31 00:27:18 C:\WINDOWS\Tasks\MP Scheduled Scan.job"

- C:\Program Files\Windows Defender\MpCmdRun.exe

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-30 19:25:56

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\Program Files\Windows Defender\MsMpEng.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\system32\fxssvc.exe

C:\WINDOWS\system32\msiexec.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\Program Files\Dell Support Center\bin\sprtcmd.exe

C:\Program Files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2008-01-30 19:32:02 - machine was rebooted

ComboFix-quarantined-files.txt 2008-01-31 00:32:00

ComboFix2.txt 2008-01-30 02:10:17

.

2008-01-29 23:43:23 --- E O F ---


For this next step, please ensure that ComboFix.exe is on your desktop:

 

Please open Notepad *Do Not Use Wordpad!* (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:

Save this as "CFScript.txt" and change the "Save as type" to "All Files" and place it on your desktop.

 

Driver::

netbtt

 

File::

C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\tepU2314.exe

[Screenshot: CFScript-createdbyMiekiemoes.gif]

 

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.

ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

 

After ComboFix is through running, and after the system restarts (if necessary):

Go to Start > Run and copy and paste the next command in the field:

ComboFix /u

 

Make sure there's a space between Combofix and /

Then hit enter.

 

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

 

Create a Restore Point (XP Only)

  • Go to Start > Programs > Accessories > System Tools > System Restore
  • Select Create a Restore Point and then Next.
  • In the box for "Restore point description", enter a descriptive name and press Create
  • When the "Restore Point Created" window appears, click Close

Run Disk Cleanup

  • Go to Start > Run and type the below line:
    cleanmgr
  • Click OK
    • If you have more than one drive, select the drive Windows is installed on
    • Click OK
  • When Disk Cleanup opens, select the More Options tab
  • In the System Restore section (bottom of window), click Cleanup
    • In the confirmation window that opens, click Yes
  • Now click on the Disk Cleanup tab and select the following items:
    • Downloaded Program Files
    • Temporary Internet Files
    • Recycle Bin
    • Temporary Files
  • Click OK
  • In the confirmation window, select Yes (Disk Cleanup will close).

Please post a new HijackThis log, and the log from ComboFix (combofix.txt).

How is the system running now?


Hi. Sorry for the delay. I performed your suggestions a couple of days ago, but it appeared the SWI site was down for a while.

 

Knock on wood, but, yes, you seem to have fixed my pop up problem! I cannot thank you enough, so instead I will figure out how to donate to SWI Forum. (My computer is slower on start up ... by about a minute or so; is that to be expected? Even so, I much prefer that to my pop up problem.)

 

Thanks a million, TheJoker.

 

Here are the two logs you asked me to post.

 

HIJACKTHIS LOG

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:39:46 PM, on 1/31/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\Explorer.EXE

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\fxssvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Dell Support Center\bin\sprtcmd.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\PAUL\Application Data\Mozilla\Profiles\default\zr0zyzql.slt\prefs.js)

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144373316734

O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab

O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamem...GameManager.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...399/mcfscan.cab

O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

 

--

End of file - 7478 bytes

 

 

COMBOFIX LOG

 

 

ComboFix 08-01-31.1 - Paul 2008-01-31 19:12:22.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.620 [GMT -5:00]

Running from: C:\Documents and Settings\Paul\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Paul\Desktop\CFScript.txt

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

 

FILE

C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\tepU2314.exe

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\tepU2314.exe

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

 

.

-------\LEGACY_NETBTT

-------\netbtt

 

 

((((((((((((((((((((((((( Files Created from 2008-01-01 to 2008-02-01 )))))))))))))))))))))))))))))))

.

 

2008-01-30 19:39 . 2008-01-30 19:39 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab

2008-01-30 19:39 . 2008-01-30 19:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

2008-01-30 05:19 . 2008-01-30 05:19 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles

2008-01-29 21:11 . 2008-01-29 21:16 <DIR> d-------- C:\ComboFix Folder

2008-01-22 20:55 . 2008-01-26 17:36 <DIR> d-------- C:\HJT

2008-01-21 21:05 . 2008-01-21 21:05 <DIR> d-------- C:\Program Files\Trend Micro

2008-01-20 18:34 . 2008-01-20 18:34 <DIR> d-------- C:\VundoFix Backups

2008-01-20 15:29 . 2008-01-20 15:30 <DIR> d-------- C:\WINDOWS\ERUNT

2008-01-20 15:16 . 2008-01-20 15:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2008-01-20 15:15 . 2008-01-20 15:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7

2008-01-20 11:18 . 2008-01-20 15:18 <DIR> d-------- C:\Program Files\Windows Defender

2008-01-19 15:34 . 2008-01-22 22:03 <DIR> d-------- C:\Program Files\SpywareBlaster

2008-01-19 13:05 . 2008-01-19 13:05 <DIR> d-------- C:\Program Files\Lavasoft

2008-01-19 13:05 . 2008-01-19 13:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

2008-01-19 11:18 . 2008-01-20 15:15 <DIR> d-------- C:\Program Files\Common Files\Java

2008-01-19 11:18 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl

2008-01-19 09:11 . 2008-01-19 09:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft

2008-01-09 04:20 . 2008-01-30 19:22 <DIR> d-------- C:\Temp

2008-01-09 02:34 . 2008-01-09 02:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Muzzy Lane Software

2008-01-09 02:30 . 2008-01-09 02:30 <DIR> d-------- C:\Program Files\Strategy First

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-01-27 01:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVG7

2008-01-20 20:16 --------- d-----w C:\Documents and Settings\Paul\Application Data\Lavasoft

2008-01-19 17:38 --------- d-----w C:\Documents and Settings\Paul\Application Data\MSN6

2008-01-19 16:18 --------- d-----w C:\Program Files\Java

2007-12-29 03:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell

2007-12-29 03:21 --------- d-----w C:\Program Files\Dell Support Center

2007-12-29 03:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\SupportSoft

2007-12-29 03:20 --------- d-----w C:\Program Files\Common Files\supportsoft

2007-12-17 11:30 --------- d-----w C:\Program Files\iTunes

2007-12-17 11:29 --------- d-----w C:\Program Files\iPod

2007-12-17 11:23 --------- d-----w C:\Program Files\QuickTime

2007-12-17 11:21 --------- d-----w C:\Program Files\Apple Software Update

2007-11-24 20:04 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT

2007-11-24 20:04 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLds.DAT

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 09:23 202544]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 09:54 579072]

"nwiz"="nwiz.exe" [2005-12-10 02:06 1519616 C:\WINDOWS\SYSTEM32\nwiz.exe]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]

"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 09:24 16384]

"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 10:56 286720]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-25 08:17 219136]

"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 19:29 39264]

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk

backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

--------- 2004-08-04 02:56 15360 C:\WINDOWS\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Desktop Weather 3]

C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]

--a------ 2004-03-15 01:04 122933 C:\WINDOWS\system32\dla\tfswctrl.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]

--a------ 2003-08-13 10:27 28672 C:\WINDOWS\System32\DSentry.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWHeartbeatMonitor]

C:\PROGRA~1\THEWEA~1\DWHeartbeatMonitor.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]

--a------ 2003-12-22 07:38 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

--a------ 2003-08-04 16:28 49152 C:\Program Files\HP\HP Software Update\HPWuSchd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]

--a------ 2003-09-03 20:12 221184 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]

c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]

--a------ 2005-03-12 06:25 110592 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]

--a------ 2003-06-18 12:00 200704 C:\Program Files\Microsoft Money\System\mnyexpr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--a------ 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

--a------ 2005-12-10 02:06 7311360 C:\WINDOWS\System32\NvCpl.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]

--------- 2003-08-26 19:47 204800 C:\Program Files\Dell\Media Experience\PCMService.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2007-12-11 10:56 286720 C:\Program Files\QuickTime\qttask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]

--a------ 2004-06-30 18:04 95344 C:\PROGRA~1\SYMNET~1\SNDMon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

--a------ 2006-07-01 12:14 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]

--a------ 2003-08-19 01:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]

C:\Program Files\Norton Internet Security\UrlLstCk.exe

 

R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service []

S3 NUVision;Pinnacle DVC 80 Video;C:\WINDOWS\system32\DRIVERS\nuvvid2.sys [2001-12-03 11:55]

 

.

Contents of the 'Scheduled Tasks' folder

"2008-01-25 04:03:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

"2007-12-01 22:08:16 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#hp psc 2400 series#1088283945.job"

- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe0/#Hewlett-Packard#hp psc 2400 series#1088283945

"2008-02-01 00:22:07 C:\WINDOWS\Tasks\MP Scheduled Scan.job"

- C:\Program Files\Windows Defender\MpCmdRun.exe

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-31 19:19:44

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\Program Files\Windows Defender\MsMpEng.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\system32\fxssvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\Program Files\Dell Support Center\bin\sprtcmd.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\msiexec.exe

.

**************************************************************************

.

Completion time: 2008-01-31 19:26:41 - machine was rebooted

ComboFix-quarantined-files.txt 2008-02-01 00:26:38

ComboFix2.txt 2008-01-31 00:32:03

ComboFix3.txt 2008-01-30 02:10:17

.

2008-01-29 23:43:23 --- E O F ---

I performed your suggestions a couple of days ago, but it appeared the SWI site was down for a while.

Yes, the forum software was being updated.

 

Knock on wood, but, yes, you seemed to have fixed my pop up problem!

Excellent! :)

 

I cannot thank you enough, so instead I will figure out how to donate to SWI Forum.

And we thank you greatly for that, for helping us continue the fight. :D

You can do that here:

http://www.flyinghamster.com/support-us/

 

(My computer is slower on start up ... by about a minute or so; is that to be expected? Even so, I much prefer that to my pop up problem.)

You might want to take a look at this page created by miekiemoes, one of the Global Moderators here, on slow systems, and some things you can try to do to try to improve it:

Help! My computer is slow!

 

Next, go to Start > Run and copy and paste the next command in the field:

ComboFix /u

 

Make sure there's a space between Combofix and /

Then hit enter.

 

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

 

Next, if you do not already have it, please download Spybot Search & Destroy v1.5.2 from here:

http://www.safer-networking.org/en/download/index.html

Install Spybot-S&D and run it. Select "Search for updates", choose a download location nearest to you, click "Continue", and then select all available updates and click "Download". When all updates have downloaded, click "Exit" to close the updater, and close Spybot-S&D.

If you do have Spybot Search & Destroy, skip the download and install, and just check for updates.

After installing any updates, exit Spybot Search & Destroy.

 

Spybot Full Scan

Next, please restart Spybot Search & Destroy.

Click on "Check for problems". When the scan has finished, select any entries listed in red and click "Fix selected problems".

 

Was anything found?

How is the system running now?


Since the issue appears to be resolved this Topic is closed.

 

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

 

Everyone else please begin a New Topic.
