Popups, Weird Mouse Action


  • This topic is locked
11 replies to this topic

#1 fstroupe

    Member

  • Full Member
  • 5 posts

Posted 25 May 2007 - 08:59 PM

Picked up something pretty nasty. I've always been able to get rid of malware before, but need a little help with this one.

Getting popups in IE and Firefox. Disabled IE and started running Firefox after getting this bug. (still getting some popups in IE) Some of the popups are: Security Monitor, System Doctor, Zedo, WinAntiVirus Pro, Fling.com. At one point last night, I got a popup in IE with 11 tabs. Unfortunately, I didn't look at them.

Running XP Home, SP2, latest updates. Daily updates and full system scan with latest version of AVG. Running Spybot S&D every couple of weeks. Used to run AdAware, but I guess I just didn't reinstall it after last clean install. Have also been running AVG Anti-Spyware since getting this bug.

Ran Spybot S&D, ran latest version of AdAware with latest updates per your instructions 3 times, until it showed no more infections, then rebooted.


Logfile of HijackThis v1.99.1
Scan saved at 9:09:02 PM, on 5/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\MySurvey Messenger\MySurveyMessenger.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Frank Stroupe\Desktop\hijackthis(3)\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O4 - HKLM\..\Run: [amd_dc_opt] "C:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\kpiprgad.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: MySurvey Messenger.lnk = C:\Program Files\MySurvey Messenger\MySurveyMessenger.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1162667253562
O17 - HKLM\System\CCS\Services\Tcpip\..\{BEAF9FE6-71B0-4748-B67A-BEA2B441DC01}: NameServer = 192.168.1.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

Edited by fstroupe, 25 May 2007 - 09:47 PM.


#2 SWI Support Robot

    Helper robot

  • SWI Bot
  • 23,523 posts

Posted 28 May 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 miekiemoes

    Malware Expert

  • Global Moderator
  • 20,026 posts

Posted 29 May 2007 - 08:13 AM

Hello,

* Download Combofix to your desktop.
Double-click combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#4 fstroupe

    Member

  • Full Member
  • 5 posts

Posted 29 May 2007 - 07:17 PM

Hi Miekiemoes.

Actually, I ran combofix yesterday. It did help, but things aren't yet cured.

Ran it again:

"Frank Stroupe" - 2007-05-29 19:11:03 Service Pack 2
ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\Frank Stroupe\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-29 ))))))))))))))))))))))))))))))))))


2007-05-28 18:48 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-05-28 10:56 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-28 07:22 <DIR> d-------- C:\VundoFix Backups
2007-05-25 19:16 <DIR> d-------- C:\DOCUME~1\FRANKS~1\APPLIC~1\Lavasoft
2007-05-25 19:15 <DIR> d-------- C:\Program Files\Lavasoft
2007-05-21 07:08 1,156 --a------ C:\WINDOWS\mozver.dat
2007-05-19 07:01 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-18 21:08 <DIR> d-------- C:\Program Files\Sprint & FineReader 5.0 Office Try&Buy
2007-05-16 23:05 6,291,456 --a------ C:\Documents and Settings\FRANKS~1\ntuser.dat
2007-05-16 23:05 6,291,456 --a------ C:\DOCUME~1\FRANKS~1\ntuser.dat
2007-05-13 22:08 <DIR> d-------- C:\Program Files\Native Instruments
2007-05-08 18:12 <DIR> d-------- C:\Program Files\MP3 Player Utilities 3.68
2007-05-08 18:12 <DIR> d-------- C:\Program Files\MP3 Player Utilities 3.5.02
2007-05-07 00:00 <DIR> d-------- C:\Program Files\THQ
2007-05-05 10:52 311,808 --a------ C:\WINDOWS\system32\CAMSDKR.DLL
2007-05-05 10:52 11,776 --a------ C:\WINDOWS\system32\PMSBFN32.DLL
2007-05-05 10:52 <DIR> d-------- C:\WINDOWS\system32\color
2007-05-05 10:52 <DIR> d-------- C:\WINDOWS\NewSoft
2007-05-05 10:51 87,040 --a------ C:\WINDOWS\system32\wiafbdrv.dll
2007-05-05 10:51 45,056 -ra------ C:\WINDOWS\system32\Micdrv.dll
2007-05-05 10:51 32,768 -ra------ C:\WINDOWS\IPCSet.dll
2007-05-05 10:51 <DIR> d-------- C:\Program Files\OpticSlim M12
2007-05-05 10:51 <DIR> d-------- C:\My PageManager


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-19 02:12:58 -------- d-----w C:\DOCUME~1\FRANKS~1\APPLIC~1\Xfire
2007-05-13 19:10:28 153 ----a-w C:\WINDOWS\popcinfo.dat
2007-05-05 15:51:51 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-28 22:16:05 -------- d-----w C:\DOCUME~1\FRANKS~1\APPLIC~1\U3
2007-04-22 00:30:47 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-04-20 23:14:46 82,000 ----a-w C:\WINDOWS\system32\rockalldll.dll
2007-04-20 22:27:35 -------- d-----w C:\Program Files\RegCleaner
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-10 01:43:36 19,558 ----a-w C:\WINDOWS\hpoins01.dat
2007-04-09 15:45:46 34,066 ----a-w C:\WINDOWS\system32\FlashMenu.sys
2007-04-09 15:45:26 -------- d-----w C:\Program Files\ABIT
2007-04-09 11:55:31 -------- d-----w C:\Program Files\MSXML 4.0
2007-04-05 22:47:59 -------- d-----w C:\Program Files\microsoft frontpage
2007-04-02 12:50:35 664 ----a-w C:\WINDOWS\system32\d3d9caps.dat
2007-03-31 12:58:27 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2007-03-31 12:58:27 262,144 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2007-03-18 07:32:42 99,904 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-03-17 17:04:23 335 ----a-w C:\WINDOWS\nsreg.dat
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-16 01:20:13 63,040 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"amd_dc_opt"="C:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe" [2006-06-28 16:42]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-21 02:56]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2006-10-07 07:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 09:13]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
AutoRun\command- J:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5fb42737-ef91-11db-8f28-00508d81abde}]
AutoRun\command- J:\LaunchU3.exe -a


Contents of the 'Scheduled Tasks' folder
2007-05-29 01:44:00 C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1176169416.job
2007-05-30 00:10:00 C:\WINDOWS\tasks\User_Feed_Synchronization-{7FAD3B5B-B353-4726-BBB9-61A67DC100CF}.job

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-29 19:11:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-29 19:12:21
C:\ComboFix-quarantined-files.txt ... 2007-05-29 19:12
C:\ComboFix2.txt ... 2007-05-28 19:36
C:\ComboFix3.txt ... 2007-05-28 10:56

--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 7:13:59 PM, on 5/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\MySurvey Messenger\MySurveyMessenger.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [amd_dc_opt] "C:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: MySurvey Messenger.lnk = C:\Program Files\MySurvey Messenger\MySurveyMessenger.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1162667253562
O17 - HKLM\System\CCS\Services\Tcpip\..\{BEAF9FE6-71B0-4748-B67A-BEA2B441DC01}: NameServer = 192.168.1.1
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

#5 miekiemoes

    Malware Expert

  • Global Moderator
  • 20,026 posts

Posted 30 May 2007 - 03:43 AM

Hi,

Delete the following folders:

C:\VundoFix Backups
C:\Qoobox

Your logs look clean again. Can you tell me what exact problems you are still having now?
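The "logs look clean again" verdict above comes from comparing the two HijackThis logs posted in this thread. As an added example (not code from the thread, from HijackThis or from the helper), the Python below parses the O4 Run entries of both logs, reports which autostart entries disappeared after ComboFix, and flags rundll32-launched DLLs whose name is not on an allow-list; the O4 lines are copied from the two logs above, while the allow-list is an assumption constructed for this example.

```python
"""Compare O4 autostart entries from two HijackThis logs.

Added example; not part of the original thread or of HijackThis itself.
The O4 lines below are copied from the two logs posted in the thread; the
allow-list of expected rundll32 targets is an assumption made for this example.
"""
import re
from typing import Dict, List, Optional, Tuple

# O4 Run lines from the 25 May HijackThis log (before ComboFix), copied from the thread.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [amd_dc_opt] "C:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\kpiprgad.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# O4 Run lines from the 29 May HijackThis log (after ComboFix), copied from the thread.
LOG_AFTER = r"""
O4 - HKLM\..\Run: [amd_dc_opt] "C:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# "O4 - HKLM\..\Run: [name] command"
O4_RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
# rundll32[.exe] "<dll>",<export>   or   rundll32[.exe] <dll>,<export>
RUNDLL32_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,', re.IGNORECASE)

# Constructed allow-list (assumption): DLLs this example accepts as rundll32 targets.
KNOWN_RUNDLL32_TARGETS = {"nvcpl.dll"}


def parse_o4(log_text: str) -> Dict[str, str]:
    """Map 'HIVE/name' -> command line for every O4 Run entry in a HijackThis log."""
    entries: Dict[str, str] = {}
    for line in log_text.splitlines():
        m = O4_RUN_RE.match(line.strip())
        if m:
            hive, name, cmd = m.groups()
            entries[f"{hive}/{name}"] = cmd.strip()
    return entries


def rundll32_target(cmd: str) -> Optional[str]:
    """Return the DLL path a rundll32 entry loads, or None for any other launcher."""
    m = RUNDLL32_RE.match(cmd)
    return m.group(1) if m else None


def review(before: str, after: str) -> Dict[str, list]:
    """Diff the O4 Run entries of two logs and flag unexpected rundll32 targets."""
    b, a = parse_o4(before), parse_o4(after)
    removed = sorted(k for k in b if k not in a)
    added = sorted(k for k in a if k not in b)
    suspicious: List[Tuple[str, str]] = []
    for key, cmd in {**b, **a}.items():
        dll = rundll32_target(cmd)
        if dll and dll.rsplit("\\", 1)[-1].lower() not in KNOWN_RUNDLL32_TARGETS:
            suspicious.append((key, dll))
    return {"removed": removed, "added": added, "suspicious_rundll32": suspicious}


if __name__ == "__main__":
    result = review(LOG_BEFORE, LOG_AFTER)
    print("removed after ComboFix:", result["removed"])
    print("added after ComboFix:  ", result["added"])
    for key, dll in result["suspicious_rundll32"]:
        print(f"rundll32 target not on allow-list: {key} -> {dll}")
```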

#6 fstroupe

    Member

  • Full Member
  • 5 posts

Posted 30 May 2007 - 04:28 AM

Popups seem to have stopped. Only other symptom that remains is some lag. For example, while scrolling to the bottom of this page, at one point the screen "froze" for a second or so. Or when moving the mouse, the cursor occasionally "freezes". I never had this happen prior to the popups.

#7 miekiemoes

    Malware Expert

  • Global Moderator
  • 20,026 posts

Posted 30 May 2007 - 05:01 AM

Hi,

At SWI, it is a common thing that the screen freezes. I have it all the time.
The freezing mouse, which happens once in a while while you are moving it, could be because of PunkBuster. I have seen this before.

I don't see anything suspicious anymore here.

As a final check, first do the following:
* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click "Delete".
  • Click "Delete Files", "Delete cookies" and "Delete history"
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Then, please perform this online scan: Kaspersky Webscan
1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
3. Select "Install" to download the ActiveX controls that allow ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. When the download is complete it will say ready, click "Next"
6. Select a target to scan: Click on "My Computer"
7. When the scan is complete choose to save the results as "Save as Text"
8. Post the Kaspersky scan results in your next reply.

#8 fstroupe

    Member

  • Full Member
  • 5 posts

Posted 30 May 2007 - 10:26 PM

Definitely some stuff I need to get rid of.

Wednesday, May 30, 2007 10:25:04 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 31/05/2007
Kaspersky Anti-Virus database records: 313731
Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
Scan Statistics
Total number of scanned objects 98554
Number of viruses found 3
Number of infected objects 13
Number of suspicious objects 0
Duration of the scan process 01:18:02

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\Frank Stroupe\Application Data\Identities\{D606D57D-DDC4-4486-BD85-0F4EA68A092B}\Microsoft\Outlook Express\Inbox.dbx/[From "service@paypal.com"][Date Sun, 15 Oct 2006 14:42:48 -0400]/html Infected: Trojan-Spy.HTML.Paylap.je skipped
C:\Documents and Settings\Frank Stroupe\Application Data\Identities\{D606D57D-DDC4-4486-BD85-0F4EA68A092B}\Microsoft\Outlook Express\Inbox.dbx Mail MS Outlook 5: infected - 1 skipped
C:\Documents and Settings\Frank Stroupe\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
C:\Documents and Settings\Frank Stroupe\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Frank Stroupe\Desktop\As a final check.doc Object is locked skipped
C:\Documents and Settings\Frank Stroupe\Local Settings\Application Data\Identities\{D606D57D-DDC4-4486-BD85-0F4EA68A092B}\Microsoft\Outlook Express\Inbox.dbx/[From "service@paypal.com"][Date Sun, 15 Oct 2006 14:42:48 -0400]/html Infected: Trojan-Spy.HTML.Paylap.je skipped
C:\Documents and Settings\Frank Stroupe\Local Settings\Application Data\Identities\{D606D57D-DDC4-4486-BD85-0F4EA68A092B}\Microsoft\Outlook Express\Inbox.dbx Mail MS Outlook 5: infected - 1 skipped
C:\Documents and Settings\Frank Stroupe\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Frank Stroupe\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Frank Stroupe\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Frank Stroupe\Local Settings\History\History.IE5\MSHist012007053020070531\index.dat Object is locked skipped
C:\Documents and Settings\Frank Stroupe\Local Settings\Temp\~DF3E7C.tmp Object is locked skipped
C:\Documents and Settings\Frank Stroupe\Local Settings\Temp\~DF420C.tmp Object is locked skipped
C:\Documents and Settings\Frank Stroupe\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Frank Stroupe\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Frank Stroupe\ntuser.dat Object is locked skipped
C:\Documents and Settings\Frank Stroupe\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\RECYCLER\S-1-5-21-1482476501-1417001333-839522115-1004\De22.zip/BarGraphMDI.msi/Instal01.cab/_62B50A6F3175433497156F3688765E6B/Instal01.cab/_037532706A8547B6825E530FD938512A Infected: Virus.Win32.Parite.b skipped
E:\RECYCLER\S-1-5-21-1482476501-1417001333-839522115-1004\De22.zip/BarGraphMDI.msi/Instal01.cab/_62B50A6F3175433497156F3688765E6B/Instal01.cab Infected: Virus.Win32.Parite.b skipped
E:\RECYCLER\S-1-5-21-1482476501-1417001333-839522115-1004\De22.zip/BarGraphMDI.msi/Instal01.cab/_62B50A6F3175433497156F3688765E6B Infected: Virus.Win32.Parite.b skipped
E:\RECYCLER\S-1-5-21-1482476501-1417001333-839522115-1004\De22.zip/BarGraphMDI.msi/Instal01.cab Infected: Virus.Win32.Parite.b skipped
E:\RECYCLER\S-1-5-21-1482476501-1417001333-839522115-1004\De22.zip/BarGraphMDI.msi Infected: Virus.Win32.Parite.b skipped
E:\RECYCLER\S-1-5-21-1482476501-1417001333-839522115-1004\De22.zip ZIP: infected - 5 skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\reinstall\Identities\{D606D57D-DDC4-4486-BD85-0F4EA68A092B}\Microsoft\Outlook Express\Inbox.dbx/[From "service@paypal.com"][Date Sun, 15 Oct 2006 14:42:48 -0400]/html Infected: Trojan-Spy.HTML.Paylap.je skipped
F:\reinstall\Identities\{D606D57D-DDC4-4486-BD85-0F4EA68A092B}\Microsoft\Outlook Express\Inbox.dbx Mail MS Outlook 5: infected - 1 skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
I:\8fec8a469b22f5bcba1b65934a88c377\Steinberg.Nuendo.v2.2.0.33.incl.Surround.Edition-H2O=high-end digital audio workstation=FULL\Steinberg.Nuendo.v2.2.0.33.incl.Surround.Edition-H2O\file_id.diz Object is locked skipped
I:\8fec8a469b22f5bcba1b65934a88c377\Steinberg.Nuendo.v2.2.0.33.incl.Surround.Edition-H2O=high-end digital audio workstation=FULL\Steinberg.Nuendo.v2.2.0.33.incl.Surround.Edition-H2O\h2o.nfo Object is locked skipped
I:\8fec8a469b22f5bcba1b65934a88c377\Steinberg.Nuendo.v2.2.0.33.incl.Surround.Edition-H2O=high-end digital audio workstation=FULL\Steinberg.Nuendo.v2.2.0.33.incl.Surround.Edition-H2O\H2OB.nfo Object is locked skipped
I:\8fec8a469b22f5bcba1b65934a88c377\Steinberg.Nuendo.v2.2.0.33.incl.Surround.Edition-H2O=high-end digital audio workstation=FULL\Steinberg.Nuendo.v2.2.0.33.incl.Surround.Edition-H2O\setup.exe Object is locked skipped
I:\8fec8a469b22f5bcba1b65934a88c377\Steinberg.Nuendo.v2.2.0.33.incl.Surround.Edition-H2O=high-end digital audio workstation=FULL\Steinberg.Nuendo.v2.2.0.33.incl.Surround.Edition-H2O\TS.nfo Object is locked skipped
I:\Shared\(ALLiANCE) jason and the argonauts 1963 [release] (Rock).wma Infected: Trojan-Downloader.WMA.Wimad.d skipped
I:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Scan process completed.

#9 miekiemoes

    Malware Expert

  • Global Moderator
  • 20,026 posts

Posted 31 May 2007 - 12:20 AM

Hi,

It isn't that bad. They are just leftovers from an older infection, mainly on your other drives.

One is still present in your Outlook inbox. It's the mail:

From "service@paypal.com"][Date Sun, 15 Oct 2006 14:42:48 -0400]

So delete that mail, and delete it from your recycle bin in Outlook as well. Then right-click on every mailbox to compress them.

The other ones are a file present in the recycle bin on your E: drive and the same mail you deleted on your C:\, but a backup of it:

F:\reinstall\Identities\{D606D57D-DDC4-4486-BD85-0F4EA68A092B}\Microsoft\Outlook Express\Inbox.dbx/[From "service@paypal.com"][Date Sun, 15 Oct 2006 14:42:48 -0400]/html Infected: Trojan-Spy.HTML.Paylap.je skipped

So I suggest you delete the entire inbox backup there on your F:
F:\reinstall\Identities\{D606D57D-DDC4-4486-BD85-0F4EA68A092B}\Microsoft\Outlook Express\Inbox.dbx

Don't do this on your C:\, because all your mails will be gone.

And another one present on your I drive:

I:\Shared\(ALLiANCE) jason and the argonauts 1963 [release] (Rock).wma

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!
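The reply above triages the Kaspersky report by ignoring the "Object is locked" lines and tracing each nested hit (a message inside Inbox.dbx, a CAB inside an MSI inside a ZIP) back to the one file on disk that has to be dealt with, then grouping by drive. As an added example that is not code from the thread or from Kaspersky, the Python below performs that triage over a sample built from lines copied out of the report posted above.

```python
"""Triage a Kaspersky Online Scanner report: drop locked-file noise and map each
nested detection back to the on-disk container it lives in, grouped by drive.

Added example; not code from the thread or from Kaspersky. SAMPLE_REPORT is
constructed from lines copied out of the report posted in the thread.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Finding(NamedTuple):
    container: str  # file that actually exists on disk (mailbox, archive, media file)
    member: str     # nested object inside the container, '' if the file itself is the hit
    threat: str


INFECTED_RE = re.compile(r"^(?P<obj>.+?) Infected: (?P<threat>\S+) skipped$")
LOCKED_RE = re.compile(r"^(?P<obj>.+) Object is locked skipped$")
# Per-container roll-up lines such as "...\De22.zip ZIP: infected - 5 skipped".
SUMMARY_RE = re.compile(r": infected - \d+ skipped$")

SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\Frank Stroupe\Application Data\Identities\{D606D57D-DDC4-4486-BD85-0F4EA68A092B}\Microsoft\Outlook Express\Inbox.dbx/[From "service@paypal.com"][Date Sun, 15 Oct 2006 14:42:48 -0400]/html Infected: Trojan-Spy.HTML.Paylap.je skipped
C:\Documents and Settings\Frank Stroupe\Application Data\Identities\{D606D57D-DDC4-4486-BD85-0F4EA68A092B}\Microsoft\Outlook Express\Inbox.dbx Mail MS Outlook 5: infected - 1 skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
E:\RECYCLER\S-1-5-21-1482476501-1417001333-839522115-1004\De22.zip/BarGraphMDI.msi/Instal01.cab/_62B50A6F3175433497156F3688765E6B/Instal01.cab/_037532706A8547B6825E530FD938512A Infected: Virus.Win32.Parite.b skipped
E:\RECYCLER\S-1-5-21-1482476501-1417001333-839522115-1004\De22.zip/BarGraphMDI.msi Infected: Virus.Win32.Parite.b skipped
E:\RECYCLER\S-1-5-21-1482476501-1417001333-839522115-1004\De22.zip ZIP: infected - 5 skipped
F:\reinstall\Identities\{D606D57D-DDC4-4486-BD85-0F4EA68A092B}\Microsoft\Outlook Express\Inbox.dbx/[From "service@paypal.com"][Date Sun, 15 Oct 2006 14:42:48 -0400]/html Infected: Trojan-Spy.HTML.Paylap.je skipped
I:\Shared\(ALLiANCE) jason and the argonauts 1963 [release] (Rock).wma Infected: Trojan-Downloader.WMA.Wimad.d skipped
Scan process completed.
"""


def split_container(obj: str) -> Tuple[str, str]:
    """Kaspersky joins nested objects with '/', while Windows paths use '\\'."""
    container, _, member = obj.partition("/")
    return container, member


def drive_of(path: str) -> str:
    """Drive letter of a Windows path, or '?' when it has no drive prefix."""
    return path[0].upper() if len(path) > 1 and path[1] == ":" else "?"


def triage(report: str) -> Dict[str, object]:
    """Separate real detections from locked-file noise and roll-up lines."""
    findings: List[Finding] = []
    locked = summaries = 0
    for line in report.splitlines():
        line = line.strip()
        if not line:
            continue
        m = INFECTED_RE.match(line)
        if m:
            container, member = split_container(m.group("obj"))
            findings.append(Finding(container, member, m.group("threat")))
        elif LOCKED_RE.match(line):
            locked += 1          # open system/log files, not detections
        elif SUMMARY_RE.search(line):
            summaries += 1       # container totals, already covered by findings
    # One action item per on-disk file, grouped by drive letter.
    containers: Dict[str, List[str]] = defaultdict(list)
    for f in findings:
        bucket = containers[drive_of(f.container)]
        if f.container not in bucket:
            bucket.append(f.container)
    return {"locked": locked, "summaries": summaries,
            "findings": findings, "containers": dict(containers)}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(f"locked (ignored): {result['locked']}, detections: {len(result['findings'])}")
    for drive, files in sorted(result["containers"].items()):
        for path in files:
            print(f"{drive}: {path}")
```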

#10 fstroupe

    Member

  • Full Member
  • 5 posts

Posted 31 May 2007 - 04:20 AM

Thank you so much.

#11 miekiemoes

    Malware Expert

  • Global Moderator
  • 20,026 posts

Posted 31 May 2007 - 09:35 AM

You're most welcome.

:)

#12 miekiemoes

    Malware Expert

  • Global Moderator
  • 20,026 posts

Posted 02 June 2007 - 03:42 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please tell the moderating team by replying here.
This applies only to the original topic starter.

Everyone else please begin a New Topic.