Tech Support Forum > Security Center > HijackThis Log Help

Old 04-14-2008, 03:58 PM   #1 (permalink)
Registered User
 
Join Date: Apr 2008
Posts: 3
OS: xp


Malware and pop-up ads

Hi,

One of my computers keeps popping up ads and asking me to install malware to remove spyware in my system. Please help me with this problem. THX a lot.

Here is my scan:

Deckard's System Scanner v20071014.68
Run by Kelly on 2008-04-14 18:45:24
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
30: 2008-04-14 22:45:32 UTC - RP36 - Deckard's System Scanner Restore Point
29: 2008-04-13 16:29:40 UTC - RP35 - Software Distribution Service 3.0
28: 2008-04-13 12:40:03 UTC - RP34 - Software Distribution Service 3.0
27: 2008-04-13 12:36:23 UTC - RP33 - Last known good configuration
26: 2008-04-13 12:36:16 UTC - RP32 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-04-13 12:36:13 UTC - RP7 - Installed Realtek High Definition Audio Driver


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Kelly.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:50:41 PM, on 14/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\WINDOWS\system32\svchost.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\PROGRA~1\YAHOO!\YOP\yop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rogers\SelfHealing\rogersagent.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\PROGRA~1\YAHOO!\YOP\SSDK02.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Kelly\My Documents\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Kelly.exe

R3 - URLSearchHook: Yahoo! €uš?|C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {01A33D85-4706-452A-B71A-99510ADA8C0C} - C:\WINDOWS\system32\geBtUkjj.dll (file missing)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {29A61B58-CE5F-484B-A9FF-ED09B06455BA} - C:\WINDOWS\system32\byXNfCsp.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: {5450a4eb-2625-1f49-1c94-fe4dad4823e4} - {4e3284da-d4ef-49c1-94f1-5262be4a0545} - C:\WINDOWS\system32\hqroaypf.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! €uš?|C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Boot] C:\Acer\Empowering Technology\ePower\Boot.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [BM59482e98] Rundll32.exe "C:\WINDOWS\system32\ypdvjytd.dll",s
O4 - HKLM\..\Run: [5a7b1d04] rundll32.exe "C:\WINDOWS\system32\hbrxkxeg.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RogersAgent] c:\Program Files\Rogers\SelfHealing\rogersagent.exe
O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acer Empowering Technology.lnk = C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48FE89A0-486C-48DF-9DEC-BED22BDC6057} (XIsOro Control) - http://duiyi.sina.com.cn/download/OroCheck.cab
O20 - Winlogon Notify: geBtUkjj - geBtUkjj.dll (file missing)
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 11509 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 UBHelper - c:\windows\system32\drivers\ubhelper.sys
R2 DritekPortIO (Dritek General Port I/O) - c:\program files\launch manager\dportio.sys <Not Verified; Dritek System Inc.; DPortIO>
R2 int15 - c:\windows\system32\drivers\int15.sys
R2 tvicport - c:\windows\system32\drivers\tvicport.sys <Not Verified; EnTech Taiwan; TVicPort Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>
R2 zntport - c:\windows\system32\drivers\zntport.sys <Not Verified; Zeal SoftStudio; NTPort Library>
R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >

S2 eLock2BurnerLockDriver - c:\windows\system32\elock2burnerlockdriver.sys (file missing)
S2 eLock2FSCTLDriver - c:\windows\system32\elock2fsctldriver.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AcerMemUsageCheckService (Memory Check Service) - c:\acer\empowering technology\eperformance\memcheck.exe <Not Verified; Acer Inc.; >
R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>

S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S3 YPCService - c:\windows\system32\ypcser~1.exe <Not Verified; Yahoo! Inc.; YPCService Module>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-04-12 18:00:20 442 --a------ C:\WINDOWS\Tasks\ParetoLogic Registration.job
2008-04-11 19:08:24 576 --a------ C:\WINDOWS\Tasks\Norton Security Online - Run Full System Scan - Kelly.job


-- Files created between 2008-03-14 and 2008-04-14 -----------------------------

2008-04-14 18:50:06 0 d-------- C:\Program Files\Trend Micro
2008-04-14 12:45:18 92224 --a------ C:\WINDOWS\system32\hqroaypf.dll
2008-04-14 12:42:24 85056 --a------ C:\WINDOWS\system32\hbrxkxeg.dll
2008-04-14 12:33:17 96320 --a------ C:\WINDOWS\system32\ypdvjytd.dll
2008-04-14 12:31:10 96320 --a------ C:\WINDOWS\system32\tvqdjwfq.dll
2008-04-13 11:18:10 85568 -----n--- C:\WINDOWS\system32\capvxpnj.dll
2008-04-13 11:18:03 92736 --a------ C:\WINDOWS\system32\vqlvalto.dll
2008-04-13 11:15:03 95296 --a------ C:\WINDOWS\system32\jtcvyafv.dll
2008-04-12 20:23:39 0 d-------- C:\WINDOWS\network diagnostic
2008-04-12 20:17:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-04-12 18:03:18 0 d-------- C:\Program Files\MSXML 4.0
2008-04-12 17:16:06 1160 --a------ C:\WINDOWS\mozver.dat
2008-04-12 16:34:31 0 d-------- C:\Program Files\Common Files\Scanner
2008-04-12 16:34:26 0 d-------- C:\Program Files\CA Yahoo! Anti-Spy
2008-04-12 16:33:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-04-12 13:02:37 0 d-------- C:\WINDOWS\system32\LogFiles
2008-04-12 13:01:16 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-12 13:01:02 0 d-------- C:\Documents and Settings\Kelly\Application Data\Mozilla
2008-04-12 12:47:24 0 d-------- C:\Documents and Settings\Kelly\Application Data\Google
2008-04-12 12:43:06 0 d-------- C:\Program Files\Common Files\xing shared
2008-04-12 12:41:49 0 d-------- C:\Program Files\Real
2008-04-12 12:41:28 0 d-------- C:\Program Files\Common Files\Real
2008-04-12 12:41:22 0 d-------- C:\Documents and Settings\Kelly\Application Data\Real
2008-04-12 12:39:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-04-12 12:39:09 0 d-------- C:\Program Files\Google
2008-04-12 12:27:49 0 d-------- C:\Program Files\SogouInput
2008-04-12 12:27:49 0 d-------- C:\Documents and Settings\Kelly\Application Data\SogouPY.users
2008-04-12 12:27:44 0 d-------- C:\Documents and Settings\Kelly\Application Data\SogouPY
2008-04-12 12:15:13 1415680 --a------ C:\WINDOWS\system32\WMV9VCM.dll <Not Verified; Microsoft Corporation; Windows Media Video 9 VCM>
2008-04-12 12:15:13 539968 --a------ C:\WINDOWS\system32\Voctool.dll <Not Verified; Kingsoft, Co.; VocTool>
2008-04-12 12:15:13 525824 --a------ C:\WINDOWS\system32\VOCTL32.DLL <Not Verified; Voxware, Inc.; ToolVox>
2008-04-12 12:15:13 0 d-------- C:\WINDOWS\system32\Redist
2008-04-12 12:15:13 19760 --a------ C:\WINDOWS\system32\Ractdnet.dll <Not Verified; Progressive Networks, Inc.; RealAudio(tm) Shared Component (32-bit)>
2008-04-12 12:15:13 53568 --a------ C:\WINDOWS\system32\Ract14_4.dll <Not Verified; Progressive Networks, Inc.; 14.4 Audio Codec for RealAudio(tm) (16-bit) Version 3.0>
2008-04-12 12:15:13 14848 --a------ C:\WINDOWS\system32\Ra32dnet.dll <Not Verified; Progressive Networks, Inc.; RealAudio(tm) Shared Component (32-bit)>
2008-04-12 12:15:13 72704 --a------ C:\WINDOWS\system32\Ra3228_8.dll <Not Verified; Progressive Networks, Inc.; 28.8 Audio Codec for RealAudio(tm) (32-bit) Version 3.0>
2008-04-12 12:15:12 81920 --a------ C:\WINDOWS\system32\Ra3214_4.dll <Not Verified; Progressive Networks, Inc.; 14.4 Audio Codec for RealAudio(tm) (32-bit) Version 3.0>
2008-04-12 12:15:12 189952 --a------ C:\WINDOWS\system32\Pnui3230.dll <Not Verified; Progressive Networks, Inc.; High-level Support Library for RealAudio® (32-bit) Version 3.0>
2008-04-12 12:15:12 27024 --a------ C:\WINDOWS\system32\Pnloader.dll <Not Verified; Progressive Networks, Inc.; Dynamic Load and Bind Support for RealAudio® (16-bit) Version 3.0>
2008-04-12 12:15:12 163328 --a------ C:\WINDOWS\system32\Pnen3230.dll <Not Verified; Progressive Networks, Inc.; Core Support Library for RealAudio® (32-bit) Version 3.0>
2008-04-12 12:15:12 61440 --a------ C:\WINDOWS\system32\Decdnet.dll <Not Verified; Progressive Networks, Inc.; RealAudio(tm) Shared Component (32-bit)>
2008-04-12 12:13:29 1712128 --a------ C:\WINDOWS\system32\GdiPlus.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-12 12:13:29 0 d-------- C:\Program Files\Common Files\Kingsoft
2008-04-12 12:04:30 0 d-------- C:\Documents and Settings\Kelly\Application Data\Kingsoft
2008-04-12 12:02:19 82432 --a------ C:\WINDOWS\system32\msxml4r.dll <Not Verified; Microsoft Corporation; Microsoft(R) MSXML 4.0 SP1>
2008-04-12 12:02:19 44544 --a------ C:\WINDOWS\system32\msxml4a.dll <Not Verified; Microsoft Corporation; Microsoft(R) MSXML 4.0 SP1>
2008-04-12 11:22:08 92736 --a------ C:\WINDOWS\system32\resncwqi.dll
2008-04-12 11:21:39 0 d-------- C:\Program Files\Kingsoft
2008-04-12 11:16:09 94272 --a------ C:\WINDOWS\system32\yywtlnkt.dll
2008-04-12 10:46:27 0 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-04-12 10:42:46 0 d-------- C:\WINDOWS\pss
2008-04-12 10:22:15 0 d-------- C:\Program Files\Bonjour
2008-04-12 10:05:21 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-04-12 09:48:00 0 d-------- C:\WINDOWS\system32\Viewers
2008-04-12 09:45:00 0 d-------- C:\WINDOWS\ShellNew
2008-04-12 09:43:45 0 d-------- C:\Program Files\Snapshot Viewer
2008-04-12 09:41:24 0 d-------- C:\Documents and Settings\Kelly\Application Data\Microsoft Web Folders
2008-04-12 09:41:23 0 d-------- C:\WINDOWS\Twain32
2008-04-12 08:58:28 50 --a------ C:\WINDOWS\system32\BRIDF04A.dat
2008-04-12 08:57:43 65536 --a------ C:\WINDOWS\system32\Brmfrmps.exe <Not Verified; Brother Industries, Ltd.; Brother MFL Pro>
2008-04-12 08:57:43 51200 -----n--- C:\WINDOWS\system32\brinsstr.dll <Not Verified; Brother Industries,Ltd.; Brother MFL Pro>
2008-04-12 08:57:26 81920 -----n--- C:\WINDOWS\system32\BrWebIns.dll <Not Verified; brother; brother BrWebIns>
2008-04-12 08:57:25 176128 -----n--- C:\WINDOWS\system32\Pdrvinst.dll <Not Verified; brother; installer>
2008-04-12 08:57:25 65536 -----n--- C:\WINDOWS\system32\Brwebup.exe <Not Verified; brother; brother brwebup>
2008-04-12 08:57:17 0 d-------- C:\Brother
2008-04-12 08:57:07 126976 -----n--- C:\WINDOWS\system32\BrfxD04a.dll <Not Verified; Brother Industries,LTD; Brother PC-FAX DIAL Dynamic Link Library>
2008-04-12 08:57:07 0 -----n--- C:\WINDOWS\brdfxspd.dat
2008-04-12 08:57:06 147456 -----n--- C:\WINDOWS\brunin03.dll <Not Verified; Brother Industries,Ltd.; Brother MFL-Pro>
2008-04-12 08:57:06 0 d-------- C:\Program Files\Brother
2008-04-12 08:48:10 0 d-------- C:\Program Files\Common Files\ScanSoft Shared
2008-04-12 08:48:02 0 d-------- C:\Program Files\ScanSoft
2008-04-12 08:48:01 0 d-------- C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-04-12 08:46:49 0 d-------- C:\Documents and Settings\All Users\Application Data\Brother
2008-04-11 2337 266896 --a------ C:\WINDOWS\system32\cbXPFXnk.dll
2008-04-11 19:12:10 0 d-------- C:\Documents and Settings\Kelly\Application Data\Yahoo!
2008-04-11 18:57:51 0 d-------- C:\Program Files\Symantec
2008-04-11 18:57:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-11 18:57:15 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-11 18:56:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-04-11 18:56:00 86016 --a------ C:\WINDOWS\system32\YPcservice.exe <Not Verified; Yahoo! Inc.; YPCService Module>
2008-04-11 18:56:00 131072 --a------ C:\WINDOWS\system32\ypclsp.dll <Not Verified; Yahoo! Inc.; Yahoo! YPCLSP>
2008-04-11 18:55:01 65536 --a------ C:\WINDOWS\system32\YCRWin32.dll <Not Verified; ; YCRWin32 Module>
2008-04-11 18:54:56 84992 --a------ C:\WINDOWS\system32\ATL70.DLL <Not Verified; Microsoft Corporation; Microsoft® Visual Studio .NET>
2008-04-11 18:53:53 0 d-------- C:\Program Files\Rogers
2008-04-11 18:44:34 0 d-------- C:\Program Files\Yahoo!
2008-04-11 17:53:37 0 d--h----- C:\recovery
2008-04-11 11:15:24 90176 --a------ C:\WINDOWS\system32\fojtnvri.dll
2008-04-10 09:33:02 0 d-------- C:\Documents and Settings\Kelly\Application Data\vlc
2008-04-10 09:31:01 0 d-------- C:\Program Files\VideoLAN
2008-04-10 08:10:23 0 d-------- C:\WINDOWS\system32\PreInstall
2008-04-09 23:23:42 0 d-------- C:\Program Files\******
2008-04-09 23:07:57 0 d-------- C:\Documents and Settings\Kelly\Application Data\Thinstall
2008-04-09 23:05:39 188027 --ahs---- C:\WINDOWS\system32\psCfNXyb.ini2
2008-04-09 23:05:35 270336 --a------ C:\WINDOWS\system32\byXNfCsp.dll
2008-04-09 23:02:46 0 d-------- C:\WINDOWS\system32\appmgmt
2008-04-09 23:01:02 0 d-------- C:\Documents and Settings\Kelly\Application Data\WinRAR
2008-04-09 22:42:52 2560 --a------ C:\WINDOWS\system32\bitcometres.dll <Not Verified; BitComet; BitComet BCTP Helper>
2008-04-09 22:42:52 0 d-------- C:\Downloads
2008-04-09 22:42:31 0 d-------- C:\Program Files\BitComet
2008-04-09 22:02:55 0 d-------- C:\Documents and Settings\Kelly\Application Data\Macromedia
2008-04-09 22:02:54 0 d-------- C:\WINDOWS\Acer
2008-04-09 22:02:21 0 d--h----- C:\Documents and Settings\Kelly\Templates
2008-04-09 22:02:21 0 dr------- C:\Documents and Settings\Kelly\Start Menu
2008-04-09 22:02:21 0 dr-h----- C:\Documents and Settings\Kelly\SendTo
2008-04-09 22:02:21 0 dr-h----- C:\Documents and Settings\Kelly\Recent
2008-04-09 22:02:21 0 d--h----- C:\Documents and Settings\Kelly\PrintHood
2008-04-09 22:02:21 0 d--h----- C:\Documents and Settings\Kelly\NetHood
2008-04-09 22:02:21 0 dr------- C:\Documents and Settings\Kelly\My Documents
2008-04-09 22:02:21 0 d--h----- C:\Documents and Settings\Kelly\Local Settings
2008-04-09 22:02:21 0 dr------- C:\Documents and Settings\Kelly\Favorites
2008-04-09 22:02:21 0 d-------- C:\Documents and Settings\Kelly\Desktop
2008-04-09 22:02:21 0 d--hs---- C:\Documents and Settings\Kelly\Cookies
2008-04-09 22:02:21 0 dr-h----- C:\Documents and Settings\Kelly\Application Data
2008-04-09 22:02:21 0 d-------- C:\Documents and Settings\Kelly\Application Data\Identities
2008-04-09 22:02:21 0 d-------- C:\Documents and Settings\Kelly\Application Data\ATI
2008-04-09 22:02:20 3145728 --ah----- C:\Documents and Settings\Kelly\NTUSER.DAT
2008-04-09 22:00:15 262144 --a------ C:\Documents and Settings\All Users\NTUSER.DAT
2008-04-09 20:31:57 0 d-------- C:\Documents and Settings\Kelly\Application Data\Adobe
2008-04-09 20:31:26 0 d--hs---- C:\Recycled
2008-04-09 20:26:51 0 d--hs---- C:\Documents and Settings\Kelly\UserData
2008-04-09 19:28:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-04-09 19:25:26 258048 --a------ C:\WINDOWS\system32\Uninstall_eRecovery.exe <Not Verified; Acer Inc.; Uninstall_eRecovery.exe>
2008-04-09 19:25:26 1168896 --a------ C:\WINDOWS\system32\ERUpdateHidden.EXE <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-09 19:25:26 159744 --a------ C:\WINDOWS\system32\CloseProcessWindow.dll <Not Verified; acer inc.; CloseProcessWindow.dll>
2008-04-09 19:25:26 16384 --a------ C:\WINDOWS\system32\ClearEvent.exe
2008-04-09 19:25:26 258048 --a------ C:\WINDOWS\system32\CheckD2DSystem.exe <Not Verified; Acer Inc.; CheckD2DSystem.exe>
2008-04-09 19:24:26 0 d-------- C:\WINDOWS\Options
2008-04-09 19:21:37 0 d-------- C:\Program Files\Launch Manager
2008-04-09 19:20:55 0 d-------- C:\Program Files\Synaptics
2008-04-09 19:16:50 45056 --a------ C:\WINDOWS\system32\Epm-Po.dll <Not Verified; Acer Labs USA; EPM-PO Dynamic Link Library>
2008-04-09 19:16:50 53248 --a------ C:\WINDOWS\system32\acpimof.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-09 19:05:17 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-04-09 19:00:11 0 d-------- C:\Documents and Settings\Default User\Application Data\Identities
2008-04-09 19:00:11 0 d-------- C:\Documents and Settings\Default User\Application Data\ATI
2008-04-09 18:54:54 0 d-------- C:\WINDOWS\BisonCam
2008-04-09 18:52:51 159821 --a------ C:\WINDOWS\EMEAPAGE.EXE
2008-04-09 18:52:51 180224 --a------ C:\WINDOWS\ADDITEM.EXE <Not Verified; Acer Inc.; AddItem.exe>
2008-04-09 18:52:50 633446 --a------ C:\WINDOWS\GVista.exe
2008-04-09 18:52:50 589824 --a------ C:\WINDOWS\AntiV.EXE
2008-04-09 18:52:50 163840 --a------ C:\WINDOWS\AExec.exe <Not Verified; Acer Inc.; Acer Tool>
2008-04-09 18:52:38 147456 --a------ C:\WINDOWS\UNINST32.EXE <Not Verified; Dritek System Inc.; Dritek System Inc. Uninstall Application>
2008-04-09 18:52:27 253952 --a------ C:\WINDOWS\AArrange.exe <Not Verified; Acer Inc.; DesktopAutoArrange.exe>
2008-04-09 18:52:25 0 d--hs---- C:\system volume information


-- Find3M Report ---------------------------------------------------------------

2008-04-09 18:52:52 903 --a------ C:\WINDOWS\HotFix.bat
2008-04-09 18:52:52 991 --a------ C:\WINDOWS\CLEANUP.CMD


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01A33D85-4706-452A-B71A-99510ADA8C0C}]
C:\WINDOWS\system32\geBtUkjj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{29A61B58-CE5F-484B-A9FF-ED09B06455BA}]
09/04/2008 11:05 PM 270336 --a------ C:\WINDOWS\system32\byXNfCsp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e3284da-d4ef-49c1-94f1-5262be4a0545}]
14/04/2008 12:45 PM 92224 --a------ C:\WINDOWS\system32\hqroaypf.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [05/08/2005 01:56 PM]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [14/04/2006 10:35 PM]
"ntiMUI"="C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [11/05/2005 05:15 PM]
"Acer ePresentation HPD"="C:\Acer\Empowering Technology\ePresentation\ePresentation.exe" [31/03/2006 04:39 PM]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [10/08/2004 08:00 PM]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [10/08/2004 08:00 PM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [10/08/2004 08:00 PM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [10/08/2004 08:00 PM]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [10/05/2006 11:12 AM]
"ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [30/05/2006 12:11 PM]
"Boot"="C:\Acer\Empowering Technology\ePower\Boot.exe" [15/03/2006 10:12 PM]
"RTHDCPL"="RTHDCPL.EXE" [27/06/2006 11:54 PM C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [16/05/2006 03:04 AM C:\WINDOWS\SkyTel.exe]
"Alcmtr"="ALCMTR.EXE" [03/05/2005 03:43 AM C:\WINDOWS\Alcmtr.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [03/03/2006 01:07 PM]
"LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [23/06/2006 06:59 AM]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\eRAgent.exe" [01/06/2006 02:40 PM]
"YOP"="C:\PROGRA~1\YAHOO!\YOP\yop.exe" [26/10/2007 03:42 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [10/01/2007 01:59 AM]
"osCheck"="C:\PROGRA~1\Symantec\osCheck.exe" [14/01/2007 03:11 AM]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [14/10/2003 10:22 AM]
"BM59482e98"="C:\WINDOWS\system32\ypdvjytd.dll" [14/04/2008 12:33 PM]
"5a7b1d04"="C:\WINDOWS\system32\hbrxkxeg.dll" [14/04/2008 12:42 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [10/08/2004 08:00 PM]
"RogersAgent"="c:\Program Files\Rogers\SelfHealing\rogersagent.exe" [23/04/2007 04:51 PM]
"SHS"="C:\Program Files\Rogers\SelfHealing\SHS.exe" [12/10/2007 04:30 PM]
"Update Manager"="C:\Program Files\Rogers\Update Manager\UpdateManager.exe" [12/10/2007 04:30 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [12/04/2008 12:39 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [13/10/2004 12:24 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [27/03/2006 11:37:58 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{01A33D85-4706-452A-B71A-99510ADA8C0C}"= C:\WINDOWS\system32\geBtUkjj.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBtUkjj]
geBtUkjj.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\byXNfCsp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Status Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Status Monitor.lnk
backup=C:\WINDOWS\pss\Status Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Symantec Fax Starter Edition Port.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk
backup=C:\WINDOWS\pss\Symantec Fax Starter Edition Port.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
"C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM59482e98]
Rundll32.exe "C:\WINDOWS\system32\yywtlnkt.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2008-04-14 18:51:46 ------------
Attached file: extra.txt (17.5 KB)
mikeshi88 is offline  
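The autostart section of the log above is where this infection shows itself: two HKLM Run entries load DLLs from system32 with random-looking names (ypdvjytd.dll, hbrxkxeg.dll) whose file times fall on the day of the scan; a ShellExecuteHooks entry and a Winlogon Notify entry both load geBtUkjj.dll; an extra module (byXNfCsp) has been appended to the LSA "Authentication Packages" value next to the default msv1_0; and an msconfig startupreg entry shows Rundll32 being used to load yet another such DLL (yywtlnkt.dll). The script below is an added example, not part of the original post and not code from Deckard's System Scanner: it parses those lines and flags the modules an analyst would pull first. The scan time is taken from the log's "finished at" line; the seven-day "recent" window, the vowel-count name heuristic and the assumption that Winlogon Notify DLLs resolve from system32 are my own.

```python
"""Triage the autostart entries in a Deckard's System Scanner (DSS) excerpt.

Added example for this thread; not part of DSS or of the original post. The
heuristics and thresholds below are this example's assumptions, not DSS logic.
"""
import re
from datetime import datetime, timedelta

# Autostart lines reproduced from the log above, grouped under their registry keys.
DSS_EXCERPT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [10/01/2007 01:59 AM]
"BM59482e98"="C:\WINDOWS\system32\ypdvjytd.dll" [14/04/2008 12:33 PM]
"5a7b1d04"="C:\WINDOWS\system32\hbrxkxeg.dll" [14/04/2008 12:42 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [10/08/2004 08:00 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{01A33D85-4706-452A-B71A-99510ADA8C0C}"= C:\WINDOWS\system32\geBtUkjj.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBtUkjj]
geBtUkjj.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\byXNfCsp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM59482e98]
Rundll32.exe "C:\WINDOWS\system32\yywtlnkt.dll",s
'''

SCAN_TIME = datetime(2008, 4, 14, 18, 51)   # from the log: "finished at 2008-04-14 18:51:46"
RECENT_WINDOW = timedelta(days=7)           # assumption: a file this new is "freshly dropped"
DEFAULT_LSA_PACKAGES = {"msv1_0"}           # the only Authentication Package on a stock XP box
SYSTEM32 = "\\windows\\system32\\"

PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\],]+')                    # a full Windows path
TS_RE = re.compile(r'\[(\d{2}/\d{2}/\d{4} \d{2}:\d{2} [AP]M)\]')   # DSS file time, dd/mm/yyyy


def looks_random(basename):
    """Heuristic: an 8-letter stem with at most two vowels (ypdvjytd, geBtUkjj, ...).
    Legitimate system binaries of that length normally have pronounceable names."""
    stem = basename.rsplit(".", 1)[0]
    if not re.fullmatch(r"[A-Za-z]{8}", stem):
        return False
    return sum(c in "aeiou" for c in stem.lower()) <= 2


def triage(excerpt, scan_time=SCAN_TIME):
    """Walk the excerpt key by key and return one finding per suspicious module."""
    findings = []
    key = ""
    for raw in excerpt.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # a registry key header such as [HKEY_LOCAL_MACHINE\...]
            continue

        line_reasons = []
        ts = TS_RE.search(line)
        if ts:
            when = datetime.strptime(ts.group(1), "%d/%m/%Y %I:%M %p")
            if scan_time - when <= RECENT_WINDOW:
                line_reasons.append("file time %s is within %d days of the scan"
                                    % (when.date(), RECENT_WINDOW.days))

        paths = [p.strip() for p in PATH_RE.findall(line)]
        if not paths and line.lower().endswith(".dll"):
            # Winlogon\Notify lists only the DLL name; assume it resolves from system32.
            paths = ["C:\\WINDOWS\\system32\\" + line]

        if key.lower().endswith("\\lsa") and line.lower().startswith('"authentication packages"'):
            # Anything beyond msv1_0 here is loaded into lsass.exe at boot with SYSTEM rights.
            for token in line.split("=", 1)[1].split():
                if token.rsplit("\\", 1)[-1].lower() not in DEFAULT_LSA_PACKAGES:
                    line_reasons.append("non-default LSA authentication package")

        for path in paths:
            basename = path.rsplit("\\", 1)[-1]
            reasons = list(line_reasons)
            if SYSTEM32 in path.lower() and looks_random(basename):
                reasons.append("random-looking module name in system32")
            if reasons:
                findings.append({"key": key, "module": basename, "path": path, "reasons": reasons})
    return findings


def suspicious_modules(excerpt, scan_time=SCAN_TIME):
    """Sorted, de-duplicated module names worth submitting for analysis."""
    return sorted({f["module"] for f in triage(excerpt, scan_time)})


if __name__ == "__main__":
    for f in triage(DSS_EXCERPT):
        print("%-16s %s" % (f["module"], f["key"]))
        for r in f["reasons"]:
            print("    - " + r)
```

Run against the excerpt, the script leaves ccApp.exe and ctfmon.exe alone and reports the five random-named modules, with geBtUkjj.dll appearing twice (once per load point) and byXNfCsp carrying the LSA reason. The name heuristic is deliberately narrow; it is a way to rank what to look at first, not a verdict, and the correct next step is what the analyst asks for below: a dedicated scanner, then a fresh log.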
Old 04-16-2008, 09:27 AM   #2 (permalink)
Analyst, Security Team
 
sjb007's Avatar
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 586
OS: Mandriva 2008.1


Re: Malware and popping up AD

Howdy mikeshi88

Thank you for your patience. I will be helping you deal with the issues raised in your log from this point onwards.

Before we start jumping into things, here is a quick basic note which I mention to everyone. The fix which I have provided for you is for this computer only; it should not be used on any other computer. Each fix is tailor-made for the specific task in hand. If for some reason you have System Restore disabled, then please re-enable it before proceeding; an infected restore is better than none. Please read through the fix first and set enough time aside to complete the task in one session. If there is anything you feel needs clarification then please ask - do not guess! Thanks.

If this is a computer from a work place then please advise your IT department of the concerning issues before commencing past this point.

Please follow these directions in the order they are set out for you.

Please download Malwarebytes Anti-Malware (MBAM) and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application. (If using Windows Vista, be sure to "Run As Administrator")
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Next...

Please scan with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure that ComboFix is saved to (and run from) your desktop.

When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

Post back with the results from MBAM and ComboFix in your next reply.
__________________
Patience is a Virtue
Proud Member of ASAP & UNITE
If we have helped you then please consider donating
Please note that we are all volunteers here, our charge is Zero
All donations that are received go towards maintaining the forums
sjb007 is offline  
Old 04-16-2008, 05:24 PM   #3 (permalink)
Registered User
 
Join Date: Apr 2008
Posts: 3
OS: xp


Re: Malware and popping up AD

Thanks for your help. I have re-installed my system and Norton. The pop-up ads don't appear anymore. Thanks again.

mikeshi88 is offline  
Old 04-16-2008, 09:30 PM   #4 (permalink)
Analyst, Security Team
 
sjb007's Avatar
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 586
OS: Mandriva 2008.1


Re: Malware and popping up AD

Hi there

Thanks for letting me know your current situation.

I have included my all-clear speech for you to read, to help prevent future infections.

Update Windows on a regular basis - If you do not have automatic updates enabled, then visit Microsoft's Update Page and update your computer from there.

Update your virus checker on a regular basis - It is no use having a virus checker with out-of-date definitions.

Keep an eye on your firewall - Check what it wants to allow; do not simply allow everything. If there are any processes that you are unsure of, then don't be afraid to ask for advice. For more information on firewalls, read this article here.

Make your Internet Explorer more secure - This can be done by following these simple instructions:

Open Internet Explorer, click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.

Change "Download signed ActiveX controls" to Prompt
Change "Download unsigned ActiveX controls" to Disable
Change "Initialise and script ActiveX controls not marked as safe" to Disable
Change "Installation of desktop items" to Prompt
Change "Launching programs and files in an IFRAME" to Prompt
Change "Navigate sub-frames across different domains" to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

Safer Browsing
Use software such as Trendprotect or Sitehound to help you stay away from unsuspecting sites that have malicious purposes.
Use Spywareblaster to help prevent the installation of unwanted BHO's (Browser Helper Objects)

Use an alternative browser
Other browsers tend to be more secure than IE as they do not make use of ActiveX objects; ActiveX objects can be used by spyware as an infection point on your computer. Safer non-ActiveX browsers include the Opera browser and, more recently, the Firefox browser.

Computer Maintenance
Malware can breed in temporary locations. Use a program such as CCleaner Slim to clear out the temporary files on your computer on a regular basis.

Scan your computer regularly for malware
Scan on a regular basis to keep your computer clean. Free software such as Spybot Search & Destroy and Ad-Aware 2007 Free by Lavasoft can help you keep clear. These two products can be installed together without any complications.

Other alternative software that runs under licence and monitors your computer continuously in the background for malware is SUPERAntiSpyware or AVG Anti-Spyware. Please note that these products can also be run free without a licence, but the background protection will not be active.

I have included some security-related articles that I advise you to read through in your own time. These articles will give you tips and advice on preventing malware, and on how to stay safe whilst browsing the internet.

-> So How Did I Get Infected In First Place - By TonyKlein
-> How to prevent Malware - By miekiemoes
-> I'm not pulling your leg, honest - By Sandi Hardmeier

Good luck and happy surfing.

Regards
sjb007 is offline  
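The six Custom Level changes in the post above are stored as DWORD values under the current user's Internet zone key, so they can be audited and applied without clicking through the dialog. The following is an added example and not part of the original post. The value names (1001, 1004, 1201, 1800, 1804, 1607) and the Enable/Prompt/Disable encoding (0/1/3) are Microsoft's documented URL action values for Internet Explorer security zones; the target values are the ones the post asks for; `SAMPLE_SNAPSHOT` is constructed sample data, not a reading from the poster's machine; and the registry read and write paths only work on Windows, while the audit itself runs anywhere.

```python
"""Audit and apply the Internet-zone settings recommended in the post above.

Added example for this thread, not part of the original post. Action IDs and the
0/1/3 encoding follow Microsoft's documented Internet Explorer URL actions
(KB182569); the wanted values are the ones the post asks for.
"""
try:
    import winreg            # standard library, Windows only
except ImportError:          # elsewhere we can still audit a snapshot dict
    winreg = None

ENABLE, PROMPT, DISABLE = 0, 1, 3
LABEL = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# Zone 3 is the Internet zone. Per-user settings live under HKCU; if the
# Security_HKLM_only policy is set, the HKLM copy of this key is used instead.
INTERNET_ZONE = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# URL action ID -> (name as shown in the Custom Level dialog, value the post asks for)
BASELINE = {
    0x1001: ("Download signed ActiveX controls", PROMPT),
    0x1004: ("Download unsigned ActiveX controls", DISABLE),
    0x1201: ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    0x1800: ("Installation of desktop items", PROMPT),
    0x1804: ("Launching programs and files in an IFRAME", PROMPT),
    0x1607: ("Navigate sub-frames across different domains", PROMPT),
}


def value_name(action_id):
    """Registry value names are the hex action ID written as text, e.g. '1201'."""
    return "%04X" % action_id


def audit(snapshot):
    """Return {action_id: (setting, current, wanted)} for every setting that differs
    from the baseline. A missing value counts as a deviation: it means the zone
    template default applies, which is exactly what we want to stop relying on."""
    deviations = {}
    for action_id, (setting, wanted) in BASELINE.items():
        current = snapshot.get(action_id)
        if current != wanted:
            deviations[action_id] = (setting, current, wanted)
    return deviations


def read_zone():
    """Snapshot the current user's Internet-zone values for the baseline actions (Windows only)."""
    if winreg is None:
        raise RuntimeError("registry access requires Windows")
    snapshot = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_ZONE, 0, winreg.KEY_READ) as key:
        for action_id in BASELINE:
            try:
                value, _kind = winreg.QueryValueEx(key, value_name(action_id))
                snapshot[action_id] = value
            except FileNotFoundError:
                pass                 # value absent: template default in effect
    return snapshot


def apply_baseline(deviations):
    """Write the wanted value for each deviating action (Windows only)."""
    if winreg is None:
        raise RuntimeError("registry access requires Windows")
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_ZONE, 0, winreg.KEY_SET_VALUE) as key:
        for action_id, (_setting, _current, wanted) in deviations.items():
            winreg.SetValueEx(key, value_name(action_id), 0, winreg.REG_DWORD, wanted)


# Constructed sample snapshot (not from the poster's machine): signed and unsigned
# ActiveX downloads both enabled, cross-domain sub-frame navigation enabled.
SAMPLE_SNAPSHOT = {0x1001: ENABLE, 0x1004: ENABLE, 0x1201: DISABLE,
                   0x1800: PROMPT, 0x1804: PROMPT, 0x1607: ENABLE}

if __name__ == "__main__":
    snapshot = read_zone() if winreg else SAMPLE_SNAPSHOT
    for action_id, (setting, current, wanted) in sorted(audit(snapshot).items()):
        print("%s  %-62s %-7s -> %s" % (value_name(action_id), setting,
                                         LABEL.get(current, "unset"), LABEL[wanted]))
```

On Windows, run it once to see the deviations, then call `apply_baseline(audit(read_zone()))` to write them; on any other platform it prints the audit of the constructed snapshot. If the machine is domain-joined and the values come back read-only, check whether Security_HKLM_only is set before assuming the write failed for another reason.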
Copyright 2001 - 2008, Tech Support Forum
