09-09-2007, 07:53 PM
Registered User
Join Date: Sep 2007
Posts: 16
OS: XP
Re: Ad windows keep popping up
Thanks. Here are the logs:
Quote:
ComboFix 07-09-10.2 - "MM" 2007-09-09 20:31:35.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.674 [GMT -5:00]
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\DOCUME~1\MICHAE~1\APPLIC~1\WNSXS~1
C:\DOCUME~1\MICHAE~1\Desktop\internet.lnk
C:\DOCUME~1\MICHAE~1\MYDOCU~1\RACLE~1
C:\DOCUME~1\MICHAE~1\MYDOCU~1\YSTEM3~1
C:\Program Files\Common Files\sks~1
C:\Program Files\inetget2
C:\Program Files\inetget2\install.exe
C:\Program Files\ISM
C:\Program Files\mbols~1
C:\Program Files\network monitor
C:\Program Files\network monitor\netmon.exe
C:\Program Files\smante~1
C:\temp\tn3
C:\WINDOWS\b104.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\b128.exe
C:\WINDOWS\b136.exe
C:\WINDOWS\b138.exe
C:\WINDOWS\retadpu11.exe
C:\WINDOWS\retadpu72.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\regscan.exe
C:\WINDOWS\system32\sks~1
C:\WINDOWS\system32\smante~1
C:\WINDOWS\system32\tmp39.tmp
C:\WINDOWS\system32\wcpisvsu.exe
C:\WINDOWS\tsks~1
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\wr.txt
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\core
((((((((((((((((((((((((( Files Created from 2007-08-10 to 2007-09-10 )))))))))))))))))))))))))))))))
.
2007-09-09 20:31 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-09 19:00 <DIR> d-------- C:\The 4400 Season3 (XviD asd) EnglishV+NapisyPL
2007-09-08 21:56 <DIR> d-------- C:\Program Files\Maxis
2007-09-07 22:03 <DIR> d-------- C:\Heroes - Season One [Complete]
2007-09-06 23:06 <DIR> d-------- C:\[KAA]_Ghost_in_the_Shell_SAC_01-26.DVD(AC3_5.1)(Complete)
2007-09-06 19:23 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-09-06 15:25 <DIR> d-------- C:\Program Files\Common Files\Authentium
2007-09-06 15:25 <DIR> d-------- C:\Program Files\Common Files\Aluria
2007-09-06 15:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Authentium
2007-09-05 07:09 <DIR> d-------- C:\WiC
2007-09-05 07:09 <DIR> d-------- C:\Program Files\Sierra Entertainment
2007-09-03 13:34 <DIR> d-------- C:\Program Files\CENEGA
2007-08-25 11:28 <DIR> d-------- C:\Matrix Games
2007-08-24 23:38 <DIR> d-------- C:\The Operational Art Of War III [PCCD][English][www.newpct.com]
2007-08-16 22:31 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2007-08-16 22:31 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-08-16 22:31 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-08-16 19:39 <DIR> d-------- C:\Program Files\America's Army
2007-08-16 16:05 33,824 --a------ C:\WINDOWS\system32\drivers\oreans32.sys
2007-08-09 15:28 <DIR> d-------- C:\DOCUME~1\MICHAE~1\APPLIC~1\InstallShield
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-09 16:24 --------- d-------- C:\Program Files\eMule
2007-09-09 13:04 --------- d-------- C:\Program Files\PeerGuardian2
2007-09-09 09:57 --------- d-------- C:\Program Files\MagicISO
2007-09-06 20:12 --------- d-------- C:\Program Files\PokerStars
2007-09-06 15:24 --------- d--h----- C:\Program Files\Common Files\Authentium Shared
2007-09-05 15:33 --------- d-------- C:\Program Files\Save
2007-09-05 10:34 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-05 10:34 --------- d-------- C:\Program Files\Electronic Arts
2007-09-04 17:44 --------- d-------- C:\Program Files\BitComet
2007-08-20 20:36 --------- d-------- C:\Program Files\EA GAMES
2007-08-09 18:51 --------- d-------- C:\Program Files\Stardock
2007-07-10 14:13 --------- d---s---- C:\Program Files\Xfire
2007-07-10 11:36 197108 --a------ C:\WINDOWS\system32\drivers\core.cache(4).dsk
2007-07-10 11:36 197108 --a------ C:\WINDOWS\system32\drivers\core.cache(3).dsk
2007-07-10 11:36 164787 --a------ C:\WINDOWS\system32\drivers\core.cache(2).dsk
2007-07-10 11:26 --------- d-------- C:\DOCUME~1\NETWOR~1.NTA\APPLIC~1\NetMon
2007-06-13 05:23 1033216 --a------ C:\WINDOWS\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2004-03-19 03:33 C:\WINDOWS\system32\CTHELPER.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-05 20:58]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-10-02 14:18]
"ESP"="c:\Program Files\Cox\Applications\app\start.exe" [2007-05-09 13:40]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-10-08 07:01]
C:\DOCUME~1\ALLUSE~1.WIN\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 07:44:06]
C:\DOCUME~1\MICHAE~1\STARTM~1\Programs\Startup\
PowerReg Scheduler V3.exe [2006-08-17 17:00:47]
R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
.
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-09 20:36:51
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-09-09 20:39:12 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-09 20:39
.
--- E O F ---
Quote:
Logfile of HijackThis v1.99.1
Scan saved at 8:54:04 PM, on 9/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Cox\Applications\App\syssvcnt.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\MM\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://slashdot.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.5.19.dll
O2 - BHO: AuthPopupBHO01.cBHO - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - c:\Program Files\Cox\Applications\App\popupbho01.dll
O3 - Toolbar: Cox Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - c:\Program Files\Cox\Applications\App\popupbho01.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ESP] c:\Program Files\Cox\Applications\app\start.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://chat.goarmy.com:8563/Java/cfs40320.cab
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_2.2.2.89.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Cox High Speed Internet Security Suite System Service (AuthSysSvc) - Authentium, Inc. - c:\Program Files\Cox\Applications\App\syssvcnt.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: WMP54GSSVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe" "WMP54GSv1_1.exe (file missing)
Last edited by CamwynF; 09-09-2007 at 07:55 PM.