fstroupe

Popups, Weird Mouse Action

12 posts in this topic

Picked up something pretty nasty. I've always been able to get rid of malware before, but need a little help with this one.

 

Getting popups in IE and Firefox. Disabled IE and started running Firefox after getting this bug. (still getting some popups in IE) Some of the popups are: Security Monitor, System Doctor, Zedo, WinAntiVirus Pro, Fling.com. At one point last night, I got a popup in IE with 11 tabs. Unfortunately, I didn't look at them.

 

Running XP Home, SP2, latest updates. Daily updates and full system scan with latest version of AVG. Running Spybot S&D every couple of weeks. Used to run AdAware, but I guess I just didn't reinstall it after last clean install. Have also been running AVG Anti-Spyware since getting this bug.

 

Ran Spybot S&D, ran latest version of AdAware with latest updates per your instructions 3 times, until it showed no more infections, then rebooted.

 

 

Logfile of HijackThis v1.99.1

Scan saved at 9:09:02 PM, on 5/25/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16441)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\MySurvey Messenger\MySurveyMessenger.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Frank Stroupe\Desktop\hijackthis(3)\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O4 - HKLM\..\Run: [amd_dc_opt] "C:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe"

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\kpiprgad.dll",realset

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: MySurvey Messenger.lnk = C:\Program Files\MySurvey Messenger\MySurveyMessenger.exe

O4 - Global Startup: hp psc 1000 series.lnk = ?

O4 - Global Startup: hpoddt01.exe.lnk = ?

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1162667253562

O17 - HKLM\System\CCS\Services\Tcpip\..\{BEAF9FE6-71B0-4748-B67A-BEA2B441DC01}: NameServer = 192.168.1.1

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe


Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

 

Thank you for your patience.

 

[this is an automated reply]


Hello,

 

* Download Combofix to your desktop.

Double-click combofix.exe

Follow the prompts.

Don't click on the window while the fix is running, because that will cause your system to hang.

 

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.

Post this log in your next reply together with a new HijackThis log.

Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.


Hi Miekiemoes.

 

Actually, I ran combofix yesterday. It did help, but things aren't yet cured.

 

Ran it again:

 

"Frank Stroupe" - 2007-05-29 19:11:03 Service Pack 2

ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\Frank Stroupe\Desktop\"

 

 

((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-29 ))))))))))))))))))))))))))))))))))

 

 

2007-05-28 18:48 <DIR> d-------- C:\Program Files\SpywareBlaster

2007-05-28 10:56 49,152 --a------ C:\WINDOWS\nircmd.exe

2007-05-28 07:22 <DIR> d-------- C:\VundoFix Backups

2007-05-25 19:16 <DIR> d-------- C:\DOCUME~1\FRANKS~1\APPLIC~1\Lavasoft

2007-05-25 19:15 <DIR> d-------- C:\Program Files\Lavasoft

2007-05-21 07:08 1,156 --a------ C:\WINDOWS\mozver.dat

2007-05-19 07:01 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

2007-05-18 21:08 <DIR> d-------- C:\Program Files\Sprint & FineReader 5.0 Office Try&Buy

2007-05-16 23:05 6,291,456 --a------ C:\Documents and Settings\FRANKS~1\ntuser.dat

2007-05-16 23:05 6,291,456 --a------ C:\DOCUME~1\FRANKS~1\ntuser.dat

2007-05-13 22:08 <DIR> d-------- C:\Program Files\Native Instruments

2007-05-08 18:12 <DIR> d-------- C:\Program Files\MP3 Player Utilities 3.68

2007-05-08 18:12 <DIR> d-------- C:\Program Files\MP3 Player Utilities 3.5.02

2007-05-07 00:00 <DIR> d-------- C:\Program Files\THQ

2007-05-05 10:52 311,808 --a------ C:\WINDOWS\system32\CAMSDKR.DLL

2007-05-05 10:52 11,776 --a------ C:\WINDOWS\system32\PMSBFN32.DLL

2007-05-05 10:52 <DIR> d-------- C:\WINDOWS\system32\color

2007-05-05 10:52 <DIR> d-------- C:\WINDOWS\NewSoft

2007-05-05 10:51 87,040 --a------ C:\WINDOWS\system32\wiafbdrv.dll

2007-05-05 10:51 45,056 -ra------ C:\WINDOWS\system32\Micdrv.dll

2007-05-05 10:51 32,768 -ra------ C:\WINDOWS\IPCSet.dll

2007-05-05 10:51 <DIR> d-------- C:\Program Files\OpticSlim M12

2007-05-05 10:51 <DIR> d-------- C:\My PageManager

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-05-19 02:12:58 -------- d-----w C:\DOCUME~1\FRANKS~1\APPLIC~1\Xfire

2007-05-13 19:10:28 153 ----a-w C:\WINDOWS\popcinfo.dat

2007-05-05 15:51:51 -------- d--h--w C:\Program Files\InstallShield Installation Information

2007-04-28 22:16:05 -------- d-----w C:\DOCUME~1\FRANKS~1\APPLIC~1\U3

2007-04-22 00:30:47 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll

2007-04-20 23:14:46 82,000 ----a-w C:\WINDOWS\system32\rockalldll.dll

2007-04-20 22:27:35 -------- d-----w C:\Program Files\RegCleaner

2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll

2007-04-10 01:43:36 19,558 ----a-w C:\WINDOWS\hpoins01.dat

2007-04-09 15:45:46 34,066 ----a-w C:\WINDOWS\system32\FlashMenu.sys

2007-04-09 15:45:26 -------- d-----w C:\Program Files\ABIT

2007-04-09 11:55:31 -------- d-----w C:\Program Files\MSXML 4.0

2007-04-05 22:47:59 -------- d-----w C:\Program Files\microsoft frontpage

2007-04-02 12:50:35 664 ----a-w C:\WINDOWS\system32\d3d9caps.dat

2007-03-31 12:58:27 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll

2007-03-31 12:58:27 262,144 ----a-w C:\WINDOWS\system32\wrap_oal.dll

2007-03-18 07:32:42 99,904 ----a-w C:\WINDOWS\system32\PnkBstrB.exe

2007-03-17 17:04:23 335 ----a-w C:\WINDOWS\nsreg.dat

2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll

2007-03-16 01:20:13 63,040 ----a-w C:\WINDOWS\system32\PnkBstrA.exe

2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll

2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll

2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll

2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"amd_dc_opt"="C:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe" [2006-06-28 16:42]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-21 02:56]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22]

"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]

"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2006-10-07 07:20]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 09:13]

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]

AutoRun\command- J:\LaunchU3.exe -a

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5fb42737-ef91-11db-8f28-00508d81abde}]

AutoRun\command- J:\LaunchU3.exe -a

 

 

Contents of the 'Scheduled Tasks' folder

2007-05-29 01:44:00 C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1176169416.job

2007-05-30 00:10:00 C:\WINDOWS\tasks\User_Feed_Synchronization-{7FAD3B5B-B353-4726-BBB9-61A67DC100CF}.job

 

********************************************************************

 

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-05-29 19:11:51

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

 

********************************************************************

 

Completion time: 2007-05-29 19:12:21

C:\ComboFix-quarantined-files.txt ... 2007-05-29 19:12

C:\ComboFix2.txt ... 2007-05-28 19:36

C:\ComboFix3.txt ... 2007-05-28 10:56

 

--- E O F ---

 

Logfile of HijackThis v1.99.1

Scan saved at 7:13:59 PM, on 5/29/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16441)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\MySurvey Messenger\MySurveyMessenger.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

C:\WINDOWS\explorer.exe

C:\Program Files\HijackThis\scanner.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O4 - HKLM\..\Run: [amd_dc_opt] "C:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe"

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: MySurvey Messenger.lnk = C:\Program Files\MySurvey Messenger\MySurveyMessenger.exe

O4 - Global Startup: hp psc 1000 series.lnk = ?

O4 - Global Startup: hpoddt01.exe.lnk = ?

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1162667253562

O17 - HKLM\System\CCS\Services\Tcpip\..\{BEAF9FE6-71B0-4748-B67A-BEA2B441DC01}: NameServer = 192.168.1.1

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

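To make the before/after comparison concrete, here is an added Python script (written for this edit, not part of the thread or of HijackThis) that parses the autostart lines from the two HijackThis logs posted above and reports what changed between the 5/25 and 5/29 scans; it also lists which Run entries start a DLL through rundll32, the pattern the vanished [setup] entry used. The embedded log lines are a subset copied from the logs above.

```python
import re

# Autostart-relevant lines copied from the two HijackThis logs in this thread
# (scan of 5/25/2007 before ComboFix, scan of 5/29/2007 after it). Constructed
# sample input: only the O2/O4/O20 lines are reproduced here.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [amd_dc_opt] "C:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\kpiprgad.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: MySurvey Messenger.lnk = C:\Program Files\MySurvey Messenger\MySurveyMessenger.exe
"""

LOG_AFTER = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [amd_dc_opt] "C:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: MySurvey Messenger.lnk = C:\Program Files\MySurvey Messenger\MySurveyMessenger.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# "O4 - ..." / "R1 - ..." line; section prefix plus the rest of the line.
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# Registry Run entry: HKLM\..\Run: [name] command
RUN_ENTRY = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<command>.*)$")
# rundll32[.exe] <dll>,<export>  (the DLL path may or may not be quoted)
RUNDLL32 = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,', re.IGNORECASE)


def parse_hjt(text):
    """Return {line: section} for every scan-result line in a HijackThis log."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if m:
            entries[line] = m.group("section")
    return entries


def diff_hjt(before, after):
    """Lines that vanished and lines that appeared between two scans."""
    b, a = parse_hjt(before), parse_hjt(after)
    removed = sorted(l for l in b if l not in a)
    added = sorted(l for l in a if l not in b)
    return removed, added


def rundll32_dll(command):
    """DLL path a Run command loads via rundll32, or None if it does not use rundll32."""
    m = RUNDLL32.search(command)
    return m.group("dll") if m else None


def run_entries(text):
    """(hive, name, command) for each O4 registry Run entry in the log."""
    out = []
    for line, section in parse_hjt(text).items():
        if section != "O4":
            continue
        m = RUN_ENTRY.match(line[len("O4 - "):])
        if m:
            out.append((m.group("hive"), m.group("name"), m.group("command")))
    return out


def rundll32_loaders(text):
    """Run entries that start a DLL through rundll32. Worth a second look because the
    DLL, not rundll32.exe itself, is the code that actually runs at logon."""
    return [(name, rundll32_dll(cmd)) for _, name, cmd in run_entries(text) if rundll32_dll(cmd)]


if __name__ == "__main__":
    removed, added = diff_hjt(LOG_BEFORE, LOG_AFTER)
    print("Gone after ComboFix:")
    for l in removed:
        print("  -", l)
    print("New in the second log:")
    for l in added:
        print("  +", l)
    print("Run entries loading a DLL via rundll32 (first log):", rundll32_loaders(LOG_BEFORE))
```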

Hi,

 

Delete the following folders:

 

C:\VundoFix Backups

C:\Qoobox

 

Your logs look clean again. Can you tell me what exact problems you are still having now?


Popups seem to have stopped. Only other symptom that remains is some lag. For example, while scrolling to the bottom of this page, at one point the screen "froze" for a second or so. Or when moving the mouse, the cursor occasionally "freezes". I never had this happen prior to the popups.


Hi,

 

At SWI, it is a common thing that the screen freezes. I have it all the time.

The freezing mouse, which happens once in a while while you are moving it, could be because of Punkbuster. I have seen this before.

 

I don't see anything suspicious anymore here.

 

As a final check, first do the following:

* Clean your Cache and Cookies in IE:

  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click "Delete".
  • Click "Delete Files", "Delete cookies" and "Delete history"
  • Click Close below.

* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):

  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window.

* Clean other Temporary files + Recycle bin

  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.

Then, Please perform this online scan: Kaspersky Webscan

1. Read the Requirements and Privacy statement, then select "Accept"

2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab

3. Select "Install" to download the ActiveX controls that allow ActiveScan to run.

4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"

5. When the download is complete it will say ready, click "Next"

6. Select a target to scan: Click on "My Computer"

7. When the scan is complete choose to save the results as "Save as Text"

8. Post the Kaspersky scan results in your next reply.


Definitely some stuff I need to get rid of.

 

Wednesday, May 30, 2007 10:25:04 PM

Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)

Kaspersky Online Scanner version: 5.0.93.0

Kaspersky Anti-Virus database last update: 31/05/2007

Kaspersky Anti-Virus database records: 313731

Scan Settings

Scan using the following antivirus database standard

Scan Archives true

Scan Mail Bases true

Scan Target My Computer

A:\

C:\

D:\

E:\

F:\

G:\

H:\

I:\

Scan Statistics

Total number of scanned objects 98554

Number of viruses found 3

Number of infected objects 13

Number of suspicious objects 0

Duration of the scan process 01:18:02

 

Infected Object Name Virus Name Last Action

C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\Frank Stroupe\Application Data\Identities\{D606D57D-DDC4-4486-BD85-0F4EA68A092B}\Microsoft\Outlook Express\Inbox.dbx/[From "service@paypal.com"][Date Sun, 15 Oct 2006 14:42:48 -0400]/html Infected: Trojan-Spy.HTML.Paylap.je skipped

C:\Documents and Settings\Frank Stroupe\Application Data\Identities\{D606D57D-DDC4-4486-BD85-0F4EA68A092B}\Microsoft\Outlook Express\Inbox.dbx Mail MS Outlook 5: infected - 1 skipped

C:\Documents and Settings\Frank Stroupe\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped

C:\Documents and Settings\Frank Stroupe\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Frank Stroupe\Desktop\As a final check.doc Object is locked skipped

C:\Documents and Settings\Frank Stroupe\Local Settings\Application Data\Identities\{D606D57D-DDC4-4486-BD85-0F4EA68A092B}\Microsoft\Outlook Express\Inbox.dbx/[From "service@paypal.com"][Date Sun, 15 Oct 2006 14:42:48 -0400]/html Infected: Trojan-Spy.HTML.Paylap.je skipped

C:\Documents and Settings\Frank Stroupe\Local Settings\Application Data\Identities\{D606D57D-DDC4-4486-BD85-0F4EA68A092B}\Microsoft\Outlook Express\Inbox.dbx Mail MS Outlook 5: infected - 1 skipped

C:\Documents and Settings\Frank Stroupe\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Frank Stroupe\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Frank Stroupe\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Frank Stroupe\Local Settings\History\History.IE5\MSHist012007053020070531\index.dat Object is locked skipped

C:\Documents and Settings\Frank Stroupe\Local Settings\Temp\~DF3E7C.tmp Object is locked skipped

C:\Documents and Settings\Frank Stroupe\Local Settings\Temp\~DF420C.tmp Object is locked skipped

C:\Documents and Settings\Frank Stroupe\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\Frank Stroupe\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Frank Stroupe\ntuser.dat Object is locked skipped

C:\Documents and Settings\Frank Stroupe\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

E:\RECYCLER\S-1-5-21-1482476501-1417001333-839522115-1004\De22.zip/BarGraphMDI.msi/Instal01.cab/_62B50A6F3175433497156F3688765E6B/Instal01.cab/_037532706A8547B6825E530FD938512A Infected: Virus.Win32.Parite.b skipped

E:\RECYCLER\S-1-5-21-1482476501-1417001333-839522115-1004\De22.zip/BarGraphMDI.msi/Instal01.cab/_62B50A6F3175433497156F3688765E6B/Instal01.cab Infected: Virus.Win32.Parite.b skipped

E:\RECYCLER\S-1-5-21-1482476501-1417001333-839522115-1004\De22.zip/BarGraphMDI.msi/Instal01.cab/_62B50A6F3175433497156F3688765E6B Infected: Virus.Win32.Parite.b skipped

E:\RECYCLER\S-1-5-21-1482476501-1417001333-839522115-1004\De22.zip/BarGraphMDI.msi/Instal01.cab Infected: Virus.Win32.Parite.b skipped

E:\RECYCLER\S-1-5-21-1482476501-1417001333-839522115-1004\De22.zip/BarGraphMDI.msi Infected: Virus.Win32.Parite.b skipped

E:\RECYCLER\S-1-5-21-1482476501-1417001333-839522115-1004\De22.zip ZIP: infected - 5 skipped

E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

F:\reinstall\Identities\{D606D57D-DDC4-4486-BD85-0F4EA68A092B}\Microsoft\Outlook Express\Inbox.dbx/[From "service@paypal.com"][Date Sun, 15 Oct 2006 14:42:48 -0400]/html Infected: Trojan-Spy.HTML.Paylap.je skipped

F:\reinstall\Identities\{D606D57D-DDC4-4486-BD85-0F4EA68A092B}\Microsoft\Outlook Express\Inbox.dbx Mail MS Outlook 5: infected - 1 skipped

F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

I:\8fec8a469b22f5bcba1b65934a88c377\Steinberg.Nuendo.v2.2.0.33.incl.Surround.Edition-H2O=high-end digital audio workstation=FULL\Steinberg.Nuendo.v2.2.0.33.incl.Surround.Edition-H2O\file_id.diz Object is locked skipped

I:\8fec8a469b22f5bcba1b65934a88c377\Steinberg.Nuendo.v2.2.0.33.incl.Surround.Edition-H2O=high-end digital audio workstation=FULL\Steinberg.Nuendo.v2.2.0.33.incl.Surround.Edition-H2O\h2o.nfo Object is locked skipped

I:\8fec8a469b22f5bcba1b65934a88c377\Steinberg.Nuendo.v2.2.0.33.incl.Surround.Edition-H2O=high-end digital audio workstation=FULL\Steinberg.Nuendo.v2.2.0.33.incl.Surround.Edition-H2O\H2OB.nfo Object is locked skipped

I:\8fec8a469b22f5bcba1b65934a88c377\Steinberg.Nuendo.v2.2.0.33.incl.Surround.Edition-H2O=high-end digital audio workstation=FULL\Steinberg.Nuendo.v2.2.0.33.incl.Surround.Edition-H2O\setup.exe Object is locked skipped

I:\8fec8a469b22f5bcba1b65934a88c377\Steinberg.Nuendo.v2.2.0.33.incl.Surround.Edition-H2O=high-end digital audio workstation=FULL\Steinberg.Nuendo.v2.2.0.33.incl.Surround.Edition-H2O\TS.nfo Object is locked skipped

I:\Shared\(ALLiANCE) jason and the argonauts 1963 [release] (Rock).wma Infected: Trojan-Downloader.WMA.Wimad.d skipped

I:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.


Hi,

 

It isn't that bad.

They are just leftovers from an older infection, mainly on your other drives.

 

One is still present in your Outlook inbox. It's the mail:

 

[From "service@paypal.com"][Date Sun, 15 Oct 2006 14:42:48 -0400]

 

So delete that mail, and delete it from your recycle bin box in Outlook as well. Then right-click on every mailbox to compress them.

 

The other ones are a file present in your recycle bin on your E: drive, and the same mail you deleted on your C:\, but a backup of it:

 

F:\reinstall\Identities\{D606D57D-DDC4-4486-BD85-0F4EA68A092B}\Microsoft\Outlook Express\Inbox.dbx/[From "service@paypal.com"][Date Sun, 15 Oct 2006 14:42:48 -0400]/html Infected: Trojan-Spy.HTML.Paylap.je skipped

 

So I suggest you delete the entire inbox backup there on your F:

F:\reinstall\Identities\{D606D57D-DDC4-4486-BD85-0F4EA68A092B}\Microsoft\Outlook Express\Inbox.dbx

 

Don't do this on your C:\, because all your mails will be gone.

 

And another one present on your I drive:

 

I:\Shared\(ALLiANCE) jason and the argonauts 1963 [release] (Rock).wma

 

Please read my Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

 

Happy Surfing again!

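The helper's reading of the Kaspersky report, as an added Python example (written for this edit, not part of the thread or of the scanner): it separates locked-object noise from real detections, maps each nested detection back to the file that actually exists on disk, and groups the results by drive. The embedded lines are a constructed subset copied from the report above.

```python
import re

# Lines copied from the Kaspersky Online Scanner report above (a constructed subset
# of the full report: one locked object plus every detection the helper acted on).
SCAN_LINES = r"""
C:\Documents and Settings\Frank Stroupe\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Frank Stroupe\Application Data\Identities\{D606D57D-DDC4-4486-BD85-0F4EA68A092B}\Microsoft\Outlook Express\Inbox.dbx/[From "service@paypal.com"][Date Sun, 15 Oct 2006 14:42:48 -0400]/html Infected: Trojan-Spy.HTML.Paylap.je skipped
C:\Documents and Settings\Frank Stroupe\Application Data\Identities\{D606D57D-DDC4-4486-BD85-0F4EA68A092B}\Microsoft\Outlook Express\Inbox.dbx Mail MS Outlook 5: infected - 1 skipped
E:\RECYCLER\S-1-5-21-1482476501-1417001333-839522115-1004\De22.zip/BarGraphMDI.msi/Instal01.cab Infected: Virus.Win32.Parite.b skipped
E:\RECYCLER\S-1-5-21-1482476501-1417001333-839522115-1004\De22.zip ZIP: infected - 5 skipped
F:\reinstall\Identities\{D606D57D-DDC4-4486-BD85-0F4EA68A092B}\Microsoft\Outlook Express\Inbox.dbx/[From "service@paypal.com"][Date Sun, 15 Oct 2006 14:42:48 -0400]/html Infected: Trojan-Spy.HTML.Paylap.je skipped
F:\reinstall\Identities\{D606D57D-DDC4-4486-BD85-0F4EA68A092B}\Microsoft\Outlook Express\Inbox.dbx Mail MS Outlook 5: infected - 1 skipped
I:\Shared\(ALLiANCE) jason and the argonauts 1963 [release] (Rock).wma Infected: Trojan-Downloader.WMA.Wimad.d skipped
"""

# One result line = <object path> <status>. The path is matched lazily because it
# may contain spaces; the three status forms are anchored at end of line.
RESULT = re.compile(
    r"^(?P<path>.+?) (?:(?P<locked>Object is locked skipped)"
    r"|Infected: (?P<threat>\S+) skipped"
    r"|(?P<container>[A-Za-z][A-Za-z0-9 ]*): infected - (?P<count>\d+) skipped)$"
)


def disk_object(path):
    """The file that actually exists on disk. The scanner appends archive or mailbox
    members with '/', and Windows paths never contain '/', so cut at the first one."""
    return path.split("/", 1)[0]


def triage(report):
    """Group detections by on-disk file; return (findings, number of locked objects)."""
    findings, locked = {}, 0
    for raw in report.splitlines():
        m = RESULT.match(raw.strip())
        if not m:
            continue
        if m.group("locked"):
            locked += 1          # in-use system files, not detections
            continue
        path = m.group("path")
        obj = disk_object(path)
        f = findings.setdefault(obj, {
            "drive": obj[:2],
            "kind": "mailbox" if obj.lower().endswith(".dbx") else "file",
            "threats": set(),
            "member_count": 0,
            "recycle_bin": "\\recycler\\" in obj.lower(),
        })
        if m.group("threat"):
            f["threats"].add(m.group("threat"))
            if "/" in path and f["kind"] == "file":
                f["kind"] = "archive"   # the detection sits inside a container file
        else:
            f["member_count"] = int(m.group("count"))  # container summary line
    return findings, locked


def advice(f):
    """Plain-language action for one finding, mirroring how the helper read the report."""
    if f["kind"] == "mailbox":
        return ("delete the flagged message inside the mailbox and compact it; "
                "delete the whole .dbx only if it is a backup copy")
    if f["recycle_bin"]:
        return "already in the Recycle Bin on this drive; empty it"
    return "delete the file" if f["kind"] == "file" else "delete the whole archive"


if __name__ == "__main__":
    findings, locked = triage(SCAN_LINES)
    print(f"{locked} locked object(s) skipped (normal for in-use files)")
    for obj, f in sorted(findings.items()):
        print(f"[{f['drive']}] {f['kind']:<7} {', '.join(sorted(f['threats']))}")
        print(f"      {obj}")
        print(f"      -> {advice(f)}")
```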

You're most welcome.

 

:)


Since this issue appears resolved ... this Topic is closed.

 

If you need this topic reopened for continuations of existing problems, please tell the moderating team by replying here.

This applies only to the original topic starter.

 

Everyone else please begin a New Topic.
