ComboFix 07-08-09.4 - "Bry-Un" 2007-08-10 6:07:57.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.687 [GMT -4:00]
Command switches used :: /killall
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\Bry-Un\Desktop.\Spyware&Malware Protection.url
C:\DOCUME~1\Bry-Un\Desktop\Error Cleaner.url
C:\DOCUME~1\Bry-Un\Desktop\Privacy Protector.url
C:\DOCUME~1\Bry-Un\FAVORI~1.\Error Cleaner.url
C:\DOCUME~1\Bry-Un\FAVORI~1.\Privacy Protector.url
C:\DOCUME~1\Bry-Un\FAVORI~1.\Spyware&Malware Protection.url
C:\WINDOWS\dat.txt
C:\WINDOWS\privacy_danger
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\privacy_danger\index.htm
((((((((((((((((((((((((( Files Created from 2007-07-10 to 2007-08-10 )))))))))))))))))))))))))))))))
2007-08-09 18:50 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-08-09 18:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-08 22:19 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-08 21:21 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-08 21:15 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-08-08 21:11 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-08-08 21:11 <DIR> d-------- C:\DOCUME~1\Bry-Un\APPLIC~1\SUPERAntiSpyware.com
2007-08-08 21:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-08 21:09 <DIR> d-------- C:\Program Files\CCleaner
2007-08-08 01:13 221,184 --a------ C:\WINDOWS\wmpconf.dll
2007-08-08 01:13 188,416 --a------ C:\WINDOWS\wmpenv.dll
2007-08-08 01:13 188,416 --a------ C:\WINDOWS\duocore.dll
2007-08-06 18:29 2,424 --a------ C:\WINDOWS\system32\tmp.reg
2007-08-06 01:38 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-28 04:43 <DIR> d-------- C:\DOCUME~1\Other\APPLIC~1\Apple Computer
2007-07-28 03:42 <DIR> d-------- C:\DOCUME~1\Other\APPLIC~1\Real
2007-07-25 22:23 <DIR> d-------- C:\WinCD
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-10 05:48 --------- d-------- C:\Program Files\Steam
2007-08-09 21:37 --------- d-------- C:\Program Files\Viewpoint
2007-08-08 21:11 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-03 17:21 --------- d-------- C:\Program Files\World of Warcraft
2007-07-31 17:44 --------- d---s---- C:\Program Files\Xfire
2007-07-31 09:08 --------- d-------- C:\DOCUME~1\Bry-Un\APPLIC~1\Xfire
2007-07-29 01:01 --------- d-------- C:\DOCUME~1\Bry-Un\APPLIC~1\LimeWire
2007-07-16 19:07 --------- d-------- C:\Program Files\speedDIAL
2007-07-07 20:57 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-07-07 20:47 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-07 20:47 --------- d-------- C:\Program Files\THQ
2007-07-07 20:46 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-06-18 22:27 --------- d-------- C:\Program Files\Winamp
2007-05-16 11:12 86528 -----c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 11:12 85504 -----c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 11:12 683520 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 11:12 510976 -----c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 11:12 1314816 -----c--- C:\WINDOWS\system32\dllcache\msoe.dll
2007-04-07 13:28 6718976 --a------ C:\Program Files\winamp533_full_emusic-7plus.exe
2007-03-14 07:25 37844544 --a------ C:\Program Files\iTunesSetup.exe
2007-02-27 01:59 197596 --a------ C:\Program Files\klhthreatmeter-19-8-bugfixes.zip
2007-02-19 00:37 422821 --a------ C:\Program Files\titan-panel-3-0-5.zip
2006-12-15 01:33 14285021 --a------ C:\Program Files\speedDIALInstall.exe
2006-12-01 01:30 7313592 --a------ C:\Program Files\iMeshV7.exe
2006-11-15 00:52 2027528 --a------ C:\Program Files\16X3DVD9-8X_FW_v1F3.exe
2006-09-25 00:28 12288 --ahs---- C:\Program Files\Thumbs.db
2006-06-27 17:45 6206440 --a------ C:\Program Files\winamp524_full_emusic-7plus.exe
2006-05-31 06:56 4243060 --a------ C:\Program Files\sabrina_trailer.wmv
2006-05-22 00:13 15557928 --a------ C:\Program Files\DivXPlay.exe
2006-05-21 23:56 12754672 --a------ C:\Program Files\MP10Setup.exe
2006-05-07 20:35 5616888 --a------ C:\Program Files\winamp521_full_emusic-7plus.exe
2006-05-05 20:04 35935472 --a------ C:\Program Files\6-4_xp-2k_dd_ccc_wdm_enu_31959.exe
2006-05-05 19:59 23510720 --a------ C:\Program Files\dotnetfx.exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7AF59C20-A1D8-4C1C-927A-99DD9F2A9E0B}]
2007-08-07 13:43 188416 --a------ C:\WINDOWS\duocore.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-07-17 21:10]
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [2004-06-15 22:17]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 15:07]
"HostManager"="C:\Program Files\Common Files\AOL\1146789630\ee\AOLSoftware.exe" [2006-05-09 20:24]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 12:59]
"SoundMan"="SOUNDMAN.EXE" [2005-09-21 10:24 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-09-21 15:32 C:\WINDOWS\ALCWZRD.EXE]
"Alcmtr"="ALCMTR.EXE" [2005-05-03 18:43 C:\WINDOWS\ALCMTR.EXE]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-12-16 14:41]
"Launch LGDCore"="C:\Program Files\Logitech\G-series Software\LGDCore.exe" [2006-03-06 11:31]
"Launch LCDMon"="C:\Program Files\Logitech\G-series Software\LCDMon.exe" [2006-03-06 11:14]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-02 15:24]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 18:22]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 15:10 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\launchpd.exe" [2004-06-15 22:22]
"ATI Remote Control"="C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" [2004-08-26 23:51]
"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" [2006-05-09 20:24]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"Steam"="C:\Program Files\Steam\Steam.exe" [2007-07-01 02:26]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"wmpconf"= {2063F75E-CF83-4941-AD4E-46DBF2C99221} - C:\WINDOWS\wmpconf.dll [2007-08-07 13:43 221184]
"wmpenv"= {80B31C18-6200-4551-8ED1-779938A12499} - C:\WINDOWS\wmpenv.dll [2007-08-07 13:43 188416]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
R1 SASDIFSV;SASDIFSV;\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
R1 SASKUTIL;SASKUTIL;\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
R3 ATI Remote Wonder II;ATI Remote Wonder II;C:\WINDOWS\system32\drivers\ATIRWVD.SYS
R3 SASENUM;SASENUM;\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
R3 SMBios;Intel (R) System Management BIOS Service;C:\WINDOWS\system32\DRIVERS\SMBios.sys
S3 ndiscm;Motorola SURFboard USB Cable Modem Windows Driver;C:\WINDOWS\system32\DRIVERS\NetMotCM.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\EISetup.exe
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2007-08-10 06:08:20
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-10 6:08:45
C:\ComboFix-quarantined-files.txt ... 2007-08-10 06:08
C:\ComboFix2.txt ... 2007-08-10 05:59
C:\ComboFix3.txt ... 2007-08-10 05:54
--- E O F ---
Logfile of HijackThis v1.99.1
Scan saved at 6:09:16 AM, on 8/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: MSVPS System - {7AF59C20-A1D8-4C1C-927A-99DD9F2A9E0B} - C:\WINDOWS\duocore.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ATI DeviceDetect] "C:\Program Files\ATI Multimedia\main\ATIDtct.EXE"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1146789630\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] "C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -
http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -
http://by128fd.bay128.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) -
http://by128fd.bay128.hotmail.msn.co...x/HMAtchmt.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: wmpconf - {2063F75E-CF83-4941-AD4E-46DBF2C99221} - C:\WINDOWS\wmpconf.dll
O21 - SSODL: wmpenv - {80B31C18-6200-4551-8ED1-779938A12499} - C:\WINDOWS\wmpenv.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
OK, it seems the files came right back. After repeating this process a couple of times I noticed that the entries flagged by the HijackThis scan reappear within a few seconds of clicking "Fix checked". That matches the log above: C:\WINDOWS\wmpconf.dll, wmpenv.dll and duocore.dll are still on disk and are still registered as ShellServiceObjectDelayLoad entries (O21) and a BHO (O2), so they are presumably loaded into explorer.exe/IE and re-create the registry entries as soon as HijackThis deletes them; removing the registry keys without also removing or unregistering the DLLs themselves is unlikely to hold.