OK, here it goes.
Deckard's System Scanner v20071014.68
Run by Hank on 2007-12-03 17:47:52
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.
-- Last 5 Restore Point(s) --
89: 2007-12-03 22:47:59 UTC - RP1413 - Deckard's System Scanner Restore Point
88: 2007-12-03 15:02:21 UTC - RP1412 - System Checkpoint
87: 2007-12-02 14:57:32 UTC - RP1411 - Last known good configuration
86: 2007-12-02 04:26:14 UTC - RP1410 - Last known good configuration
85: 2007-12-02 04:15:06 UTC - RP1409 - Last known good configuration
-- First Restore Point --
1: 2007-09-20 15:15:44 UTC - RP1325 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
-- HijackThis (run as Hank.exe) ------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:59:36 PM, on 12/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpyNoMore\SNM.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\explorer.exe
C:\Palm\HOTSYNC.EXE
C:\Documents and Settings\Hank\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Hank.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4574ECBE-7799-48C7-A514-C499EAB88AD8} - C:\WINDOWS\system32\sstqp.dll (file missing)
O2 - BHO: (no name) - {4F42E612-4210-4896-BEEF-D2E484659561} - (no file)
O2 - BHO: (no name) - {50A3D411-02D2-4AA8-9EF8-953C513AF631} - (no file)
O2 - BHO: Browser protection - {FB9FFB4B-9680-4256-8178-5ECDB2C19B23} - C:\PROGRA~1\SPYNOM~1\SNMIEG~1.DLL
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Palm\Hotsync.exe
O20 - Winlogon Notify: wineak32 - wineak32.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Opera\rteme.html
--
End of file - 3472 bytes
-- File Associations -----------------------------------------------------------
.js - JSFile - DefaultIcon - unable to read value
.js - JSFile - shell\open\command - unable to read value
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R0 iomdisk (Iomega Devices Disk Filter Services) - c:\windows\system32\drivers\iomdisk.sys <Not Verified; Iomega Corporation; Microsoft(R) Windows NT(R) Operating System>
R0 TPkd - c:\windows\system32\drivers\tpkd.sys <Not Verified; PACE Anti-Piracy, Inc.; InterLok(R)>
R1 core - c:\windows\system32\drivers\core.sys
R1 PQNTDrv - c:\windows\system32\drivers\pqntdrv.sys <Not Verified; PowerQuest Corporation; PowerQuest product>
R1 UBHelper - c:\windows\system32\drivers\ubhelper.sys
R2 AVFilter - c:\windows\system32\drivers\avfilter.sys <Not Verified; PC Tools Research Pty Ltd; AVFilter Device Driver>
R2 MCSTRM - c:\windows\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>
R3 ASAPIW2k - c:\windows\system32\drivers\asapiw2k.sys <Not Verified; Pinnacle Systems GmbH; asapi>
R3 AVHook - c:\windows\system32\drivers\avhook.sys <Not Verified; PC Tools Research Pty Ltd.; PC Tools AntiVirus>
R3 AVRec - c:\windows\system32\drivers\avrec.sys <Not Verified; PC Tools Research Pty Ltd; PC Tools AntiVirus>
R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >
R3 pfc (PADUS ASPI SHELL) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
R3 SQTECH930B (Motion Track Webcam) - c:\windows\system32\drivers\capt930b.sys
S1 AEC671X - c:\windows\system32\drivers\aec671x.sys <Not Verified; Acard Technology Corp.; Acard® AEC-671X PCI Ultra/W SCSC-3 Controller>
S1 DMX3191 - c:\windows\system32\drivers\dmx3191.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>
S2 UDNT - c:\windows\system32\drivers\udnt.sys
S3 Eplpdx02 - c:\windows\system32\drivers\eplpdx02.sys <Not Verified; MK Systems CO., LTD.; MK Systems LPT I/O Driver for Windows2000>
S3 nuvaud2 (Pinnacle LINX 2 Audio) - c:\windows\system32\drivers\nuvaud2.sys <Not Verified; Zoran Ltd.; USBVision>
S3 NUVision (Pinnacle LINX) - c:\windows\system32\drivers\nuvision.sys <Not Verified; Nogatech Ltd.; USBVision>
S3 nuvvid2 (Pinnacle LINX 2 Video) - c:\windows\system32\drivers\nuvvid2.sys <Not Verified; Zoran Ltd.; USBVision>
S3 SQTECH9080 (MegaCam(PID_9080_00)) - c:\windows\system32\drivers\capt9080.sys <Not Verified; Service & Quality Technology.; SQ908>
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 EPSONStatusAgent2 (EPSON Printer Status Agent2) - c:\program files\common files\epson\ebapi\sagent2.exe <Not Verified; SEIKO EPSON CORPORATION; EPSON Bidirectional Printer>
S? Sfloscont -
S4 Iomega Activity Disk2 - ""
S4 Iomega App Services - "c:\progra~1\iomega\system32\appservices.exe" <Not Verified; Iomega Corporation; Iomega App Services>
-- Device Manager: Disabled ----------------------------------------------------
Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: Pinnacle LINX
Device ID: ROOT\MEDIA\0000
Manufacturer: Pinnacle Systems
Name: Pinnacle LINX
PNP Device ID: ROOT\MEDIA\0000
Service: NUVision
Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: Pinnacle LINX 2 Video
Device ID: ROOT\MEDIA\0001
Manufacturer: Pinnacle Systems
Name: Pinnacle LINX 2 Video
PNP Device ID: ROOT\MEDIA\0001
Service: nuvvid2
Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: Pinnacle LINX 2 Audio
Device ID: ROOT\MEDIA\0002
Manufacturer: Pinnacle Systems
Name: Pinnacle LINX 2 Audio
PNP Device ID: ROOT\MEDIA\0002
Service: nuvaud2
-- Scheduled Tasks -------------------------------------------------------------
2007-12-03 03:00:01 494 --a------ C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job
-- Files created between 2007-11-03 and 2007-12-03 -----------------------------
2007-12-02 14:00:02 0 d-------- C:\Program Files\Trend Micro
2007-12-02 12:56:17 0 d-------- C:\VundoFix Backups
2007-12-02 00:22:01 1152 --a------ C:\WINDOWS\system32\windrv.sys
2007-12-02 00:21:22 0 d-------- C:\Program Files\SpyNoMore
2007-12-02 00:20:42 0 d-------- C:\Program Files\Common Files\Download Manager
2007-12-01 21:49:33 0 d-------- C:\Documents and Settings\Hank\Application Data\AdwareAlert
2007-12-01 21:49:28 0 d-------- C:\Program Files\AdwareAlert
2007-12-01 13:57:45 78400 --a------ C:\WINDOWS\system32\hpnftbua.dll
2007-12-01 13:55:37 85056 --a------ C:\WINDOWS\system32\hblcddcb.dll
2007-12-01 13:55:32 71232 --a------ C:\WINDOWS\system32\uujofwtx.exe <Not Verified; ; DDC>
2007-11-20 12:05:33 84544 --a------ C:\WINDOWS\system32\wrycgywn.dll
2007-11-19 17:31:47 0 dr------- C:\Documents and Settings\LocalService\Favorites
2007-11-19 17:30:09 0 d-------- C:\Documents and Settings\LocalService\Application Data\Mozilla
2007-11-19 17:28:57 0 d-------- C:\Program Files\E404 Helper
2007-11-19 17:23:55 0 d-------- C:\WINDOWS\system32\fibagbia
2007-11-19 17:23:53 114688 --a------ C:\Documents and Settings\All Users\Application Data\xcrkrubg.dll
2007-11-19 17:23:50 0 d-------- C:\Program Files\Tfbbwtah
2007-11-19 17:23:27 37376 --a------ C:\WINDOWS\system32\opnmkjj.dll
2007-11-19 17:23:26 1147424 --a------ C:\Install
2007-11-19 17:23:22 0 d-------- C:\Program Files\rcxcdsxg
2007-11-19 17:22:54 0 d-------- C:\Documents and Settings\Hank\Application Data\SpyGuardPro
2007-11-19 17

50 2 --a------ C:\WINDOWS\system32\wapiiit.exe
2007-11-19 17

31 41723 ---hs---- C:\Program Files\Common Files\Yazzle1549OinUninstaller.exe
2007-11-19 17

29 0 d-------- C:\Program Files\?ppPatch
2007-11-19 17:05:38 0 d-------- C:\Documents and Settings\LocalService\Application Data\NetMon
2007-11-19 17:05:35 0 d--hs---- C:\WINDOWS\SGFuaw
2007-11-19 17:05:31 80640 -----n--- C:\WINDOWS\system32\drivers\core.sys
2007-11-19 17:05:29 0 d-------- C:\WINDOWS\system32\n8
2007-11-19 17:05:29 0 d-------- C:\WINDOWS\system32\i2
2007-11-19 17:05:29 0 d-------- C:\WINDOWS\system32\g2
2007-11-19 17:05:29 0 d-------- C:\WINDOWS\system32\e1
2007-11-19 17:05:29 0 d-------- C:\WINDOWS\system32\a1
2007-11-19 17:05:25 0 d-------- C:\WINDOWS\system32\rMa02yy
-- Find3M Report ---------------------------------------------------------------
2007-12-02 16:58:35 0 d-------- C:\Documents and Settings\Hank\Application Data\Adobe
2007-12-02 00:53:12 0 d-------- C:\Program Files\Common Files
2007-12-01 15:34:08 0 d-------- C:\Program Files\Opera
2007-12-01 13:53:59 0 d-------- C:\Program Files\PC Tools AntiVirus
2007-11-19 17

30 0 d-------- C:\Program Files\?ppPatch
2007-10-14 22:10:29 139432 --a------ C:\Documents and Settings\Hank\Application Data\GDIPFONTCACHEV1.DAT
2007-09-21 14:21:14 146432 ---hs---- C:\Program Files\Common Files\Yazzle1549OinAdmin.exe
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4574ECBE-7799-48C7-A514-C499EAB88AD8}]
C:\WINDOWS\system32\sstqp.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4F42E612-4210-4896-BEEF-D2E484659561}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{50A3D411-02D2-4AA8-9EF8-953C513AF631}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [12/17/2003 08:50 AM C:\WINDOWS\LOGI_MWX.EXE]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [05/20/2005 01:46 PM C:\WINDOWS\KHALMNPR.Exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06 AM]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" [12/02/2007 12:22 AM]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check 2.lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [5/29/2006 12:41:29 PM]
HOTSYNCSHORTCUTNAME.lnk - C:\Palm\Hotsync.exe [6/9/2004 2:27:34 PM]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"Wallpaper"=
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=1 (0x1)
"ForceActiveDesktopOn"=1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Opera\rteme.html
FriendlyName=
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [08/17/2006 02:57 PM 86016]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wineak32]
wineak32.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\sstqp.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
backup=C:\WINDOWS\pss\Event Reminder.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LimeWire 4.0.8.lnk]
backup=C:\WINDOWS\pss\LimeWire 4.0.8.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PhotoCAL Startup.lnk]
backup=C:\WINDOWS\pss\PhotoCAL Startup.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Hank^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Hank^Start Menu^Programs^Startup^PowerReg SchedulerV2.exe]
backup=C:\WINDOWS\pss\PowerReg SchedulerV2.exeStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Hank^Start Menu^Programs^Startup^Virtual Bouncer.lnk]
backup=C:\WINDOWS\pss\Virtual Bouncer.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\antiware]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Open Site]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpStopperFreeEdition]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyKiller]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Macromedia Licensing Service"=3 (0x3)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53de9c33-01c0-11dc-8070-0040ca587ccf}]
AutoRun\command- G:\system\viewer\FlipVideoforPC.exe
Flip Video for PC\command- G:\system\viewer\FlipVideoforPC.exe
-- End of Deckard's System Scanner: finished at 2007-12-03 18:00:25 ------------