#1 (permalink)
Registered User
Join Date: Mar 2008
Location: Northern USA
Posts: 13
OS: Windows XP
Windows XP Playing Random Audio Files/Popups
Hello,
I am working on the Windows XP OS, and recently had to fight off a couple of Downloader virus infections. Since then, my computer keeps playing random audio files that I have never downloaded onto my computer, mostly ads for something, and at one point, the beginning of a baseball game. CPU activity spikes when the files are played, but there is no way to stop them, and no visible reason they'd be playing (I won't even have a browser up when they play). I've tried using msconfig to keep things I don't recognize from starting up, but that doesn't appear to be the problem. Google searches for the same problem haven't turned up anything helpful, and now my computer is also turning up a lot of popups, even when my browser is not open (yes, I do have cable Internet). I think it's a virus, but I've run several virus and malware/spyware programs (PC Doctor, Spybot, several antivirus programs, including Norton), and nothing is catching it. Any ideas on what this is and how to fix it? I've gone through the five steps and posted my Panda ActiveScan and Deckard/HijackThis logs below. Thanks for any help you can give me!!
Extra.txt is attached to the post.
#3 (permalink)
Registered User
Join Date: Mar 2008
Location: Northern USA
Posts: 13
OS: Windows XP
Re: Windows XP Playing Random Audio Files/Popups
Bumping again after 72 hours.
Also, more info: after I completed the five steps, it stopped playing random audio files and popups; however, my computer is super slow opening programs and booting up. From the HijackThis log I see that I have the Downloader Trojan; I simply need to know how to remove it. I can post an updated log if needed.
Last edited by Penance : 04-06-2008 at 01:30 PM.