Tech Support Forum - View Single Post

kouye · 10-08-2007, 10:32 AM

Hi,
I've been having pop-up windows showing up regularly in Internet Explorer 6 and Firefox 2, on a Windows XP Home SP2 system, over the past few days. Most of these pop-ups advertise what really looks like rogue antispyware and other junk.
I have run the five steps.
Any idea how to get back on my feet ?
Thanks guys.

Deckard's System Scanner v20070905.67
Run by kouye on 2007-10-08 18:08:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
32: 2007-10-08 16:09:01 UTC - RP32 - Deckard's System Scanner Restore Point
31: 2007-10-08 16:00:27 UTC - RP31 - Supprimé Ma-Config.com plugin
30: 2007-10-07 20:51:44 UTC - RP30 - Software Distribution Service 3.0
29: 2007-10-07 17:57:58 UTC - RP29 - Point de vérification système
28: 2007-10-06 17:57:34 UTC - RP28 - Point de vérification système

-- First Restore Point --
1: 2007-07-23 21:18:02 UTC - RP1 - Point de vérification système

Backed up registry hives.
Performed disk cleanup.

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-10-08 18:10:13
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\sugarcrm-4.5.1e\apache2\bin\Apache.exe
C:\Program Files\sugarcrm-4.5.1e\mysql\bin\mysqld.exe
C:\Program Files\sugarcrm-4.5.1e\apache2\bin\Apache.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTTrayp.exe
C:\WINDOWS\soundman.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\kouye\Bureau\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKEY_LOCAL_MACHINE\..\Run: [VTTimer] VTTimer.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://webscanner.kaspersky.fr/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - "C:\Program Files\Fichiers communs\InstallShield\Driver\1150\Intel 32\IDriverT.exe"
O23 - Service: sugarApache - Apache Software Foundation - "C:\PROGRA~1\SUGARC~1.1E\apache2\bin\Apache.exe" -k runservice
O23 - Service: sugarMysql - Unknown owner - C:\PROGRA~1\SUGARC~1.1E\mysql\bin\mysqld.exe --defaults-file=C:\PROGRA~1\SUGARC~1.1E\mysql\my.ini sugarMysql

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 GMSIPCI - d:\install\gmsipci.sys (file missing)
S3 TVICHW32 - c:\windows\system32\drivers\tvichw32.sys <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>
S3 USBIO (USBIO Driver (usbio.sys)) - c:\windows\system32\drivers\usbio.sys <Not Verified; Thesycon GmbH, Germany; Universal USB Device Driver>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 sugarApache - "c:\progra~1\sugarc~1.1e\apache2\bin\apache.exe" -k runservice <Not Verified; Apache Software Foundation; Apache HTTP Server>
R2 sugarMysql - c:\progra~1\sugarc~1.1e\mysql\bin\mysqld.exe --defaults-file=c:\progra~1\sugarc~1.1e\mysql\my.ini sugarmysql

-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Contrôleur d'interruptions systèmes
Device ID: PCI\VEN_1106&DEV_5327&SUBSYS_53271849&REV_00\3&267A616A&0&05
Manufacturer:
Name: Contrôleur d'interruptions systèmes
PNP Device ID: PCI\VEN_1106&DEV_5327&SUBSYS_53271849&REV_00\3&267A616A&0&05
Service:

-- Scheduled Tasks -------------------------------------------------------------

2007-10-03 16:32:05 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

-- Files created between 2007-09-08 and 2007-10-08 -----------------------------

2007-10-05 22:40:42 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-10-05 20:53:34 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-05 20:51:48 0 d---s---- C:\Documents and Settings\kouye\UserData
2007-10-03 17:28:58 0 d-------- C:\Program Files\Lavasoft
2007-10-03 17:28:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-03 17:27:27 0 d-------- C:\Program Files\Fichiers communs\Wise Installation Wizard
2007-10-03 17:05:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-03 16:30:29 0 d-------- C:\Program Files\sugarcrm-4.5.1e
2007-10-03 16:01:13 72192 --a------ C:\WINDOWS\system32\taskkill.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-10-02 23:14:17 0 d--hs---- C:\$RECYCLE.BIN
2007-10-02 22:27:18 438840 -rahs---- C:\bootmgr
2007-10-02 22:27:17 0 d--hs---- C:\Boot

-- Find3M Report ---------------------------------------------------------------

2007-10-08 18:03:08 0 d-------- C:\Program Files\SpywareBlaster
2007-10-08 18:00:32 0 d-------- C:\Documents and Settings\kouye\Application Data\ma-config.com
2007-10-07 22:56:24 458230 --a------ C:\WINDOWS\system32\perfh00C.dat
2007-10-07 22:56:24 71248 --a------ C:\WINDOWS\system32\perfc00C.dat
2007-10-03 17:27:27 0 d-------- C:\Program Files\Fichiers communs
2007-08-26 18:37:37 339968 --a------ C:\WINDOWS\system32\chotdkcbs.exe
2007-08-26 12:14:24 336896 --a------ C:\WINDOWS\system32\wxyvcxot.exe
2007-08-26 11:52:53 323584 --a------ C:\WINDOWS\system32\idsgnwv.exe
2007-08-25 17:05:09 0 d-------- C:\Program Files\QuickTime
2007-08-25 17:04:26 0 d-------- C:\Program Files\Apple Software Update
2007-08-25 16:51:53 337408 --a------ C:\WINDOWS\system32\riligssxuk.exe
2007-08-25 13:33:48 336384 --a------ C:\WINDOWS\system32\spwbsg.exe
2007-08-25 10:46:56 340480 --a------ C:\WINDOWS\system32\rqiwsgjab.exe
2007-08-24 19

38 341504 --a------ C:\WINDOWS\system32\mtnvkjn.exe
2007-08-24 15:24:45 327680 --a------ C:\WINDOWS\system32\gdndsltoq.exe
2007-08-24 11:16:41 331776 --a------ C:\WINDOWS\system32\cohnlnyqg.exe
2007-08-23 22:38:34 334848 --a------ C:\WINDOWS\system32\mficltwjq.exe
2007-08-23 19:35:49 0 d-------- C:\Program Files\Mindscape
2007-08-23 19:32:10 0 d-------- C:\Program Files\Aventures sur l'Ile LEGO
2007-08-23 19:05:26 0 d-------- C:\Program Files\InterActual
2007-08-23 14:54:26 0 d-------- C:\Program Files\MSXML 4.0
2007-08-23 14:53:29 0 d-------- C:\Program Files\Datel
2007-07-30 12:44:03 2745 --a------ C:\WINDOWS\mozver.dat
2007-07-24 10:26:24 0 --a------ C:\WINDOWS\nsreg.dat
2007-07-24 01:02:22 62 --ahs---- C:\Documents and Settings\kouye\Application Data\desktop.ini
2007-07-23 23:12:30 0 -rahs---- C:\MSDOS.SYS
2007-07-23 23:12:30 0 -rahs---- C:\IO.SYS
2007-07-23 23:12:30 0 --a------ C:\CONFIG.SYS
2007-07-23 23:12:30 0 --a------ C:\AUTOEXEC.BAT
2007-07-23 23:09:48 21892 --a------ C:\WINDOWS\system32\emptyregdb.dat

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [07/03/2005 21:33 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [10/07/2006 20:33 C:\WINDOWS\system32\VTTrayp.exe]
"SoundMan"="SOUNDMAN.EXE" [02/03/2006 01:22 C:\WINDOWS\soundman.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [06/09/2007 12:06]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/05/2007 03:06]
"xizdvfpbsu"="c:\windows\system32\xizdvfpbsu.exe" [23/08/2007 22:36]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [29/06/2007 06:24]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [19/08/2004 16:09]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

*Newly Created Service* - APPMGMT

-- End of Deckard's System Scanner: finished at 2007-10-08 18:12:43 ------------

Panda online scan report :

Incident Status Location

Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\atwl8r92.default\cookies.txt[.xiti.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\atwl8r92.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\atwl8r92.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Smartadserver Not disinfected C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\atwl8r92.default\cookies.txt[.smartadserver.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\atwl8r92.default\cookies.txt[.overture.com/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\atwl8r92.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\atwl8r92.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\atwl8r92.default\cookies.txt[.adtech.de/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\atwl8r92.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/Weborama Not disinfected C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\atwl8r92.default\cookies.txt[.weborama.fr/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\atwl8r92.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\atwl8r92.default\cookies.txt[.2o7.net/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\atwl8r92.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\atwl8r92.default\cookies.txt[.247realmedia.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Johan\Cookies\johan@xiti[1].txt
Spyware:Cookie/Weborama Not disinfected C:\Documents and Settings\kouye\Application Data\Mozilla\Firefox\Profiles\ewg6v4od.default\cookies.txt[.weborama.fr/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\kouye\Application Data\Mozilla\Firefox\Profiles\ewg6v4od.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\kouye\Application Data\Mozilla\Firefox\Profiles\ewg6v4od.default\cookies.txt[.adtech.de/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\kouye\Application Data\Mozilla\Firefox\Profiles\ewg6v4od.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\kouye\Application Data\Mozilla\Firefox\Profiles\ewg6v4od.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\kouye\Application Data\Mozilla\Firefox\Profiles\ewg6v4od.default\cookies.txt[.xiti.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\kouye\Cookies\kouye@xiti[1].txt
Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\system32\cohnlnyqg.exe
Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\system32\gdndsltoq.exe
Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\system32\idsgnwv.exe
Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\system32\mficltwjq.exe
Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\system32\mtnvkjn.exe
Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\system32\riligssxuk.exe
Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\system32\rqiwsgjab.exe
Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\system32\spwbsg.exe
Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\system32\wxyvcxot.exe
Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\system32\xizdvfpbsu.exe
Spyware:Cookie/2o7 Not disinfected F:\Users\Edward\AppData\Roaming\Microsoft\Windows\Cookies\Low\edward@2o7[2].txt
Spyware:Cookie/Bluestreak Not disinfected F:\Users\Edward\AppData\Roaming\Microsoft\Windows\Cookies\Low\edward@bluestreak[1].txt
Spyware:Cookie/Serving-sys Not disinfected F:\Users\Edward\AppData\Roaming\Microsoft\Windows\Cookies\Low\edward@bs.serving-sys[1].txt
Spyware:Cookie/Doubleclick Not disinfected F:\Users\Edward\AppData\Roaming\Microsoft\Windows\Cookies\Low\edward@doubleclick[1].txt
Spyware:Cookie/Serving-sys Not disinfected F:\Users\Edward\AppData\Roaming\Microsoft\Windows\Cookies\Low\edward@serving-sys[1].txt
Spyware:Cookie/Smartadserver Not disinfected F:\Users\Edward\AppData\Roaming\Microsoft\Windows\Cookies\Low\edward@smartadserver[1].txt
Spyware:Cookie/Toplist Not disinfected F:\Users\Edward\AppData\Roaming\Microsoft\Windows\Cookies\Low\edward@toplist[1].txt