Tech Support Forum > Security Center > HijackThis Log Help > Resolved HJT Threads
05-09-2007, 03:01 PM   #1
Registered User
 
Join Date: May 2007
Posts: 16
OS: XP


POP UP GALORE please help with log

Deckard's System Scanner v20070426.43
Run by Manager on 2007-05-09 at 16:57:58
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2007-05-09 20:58:12 UTC - RP1 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Manager.exe) ---------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 4:58:53 PM, on 5/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Manager\Desktop\dss.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\DOCUME~1\Manager\Desktop\MYDOWN~1\HIJACK~1\Manager.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xe.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {2742E11C-2070-4DBD-A6FC-61D6044B8F4B} - C:\WINDOWS\system32\jkhhf.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {CEE8B8FB-559B-4E75-8338-F51FCF0A4779} - C:\WINDOWS\system32\bhuhqjlu.dll (file missing)
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\vrnbqmqp.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\evklukgi.dll",realset
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - Startup: MediaShield.lnk = C:\WINDOWS\system32\NvRaidMan.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6BB890F0-D981-4354-895F-8AAC5F52FEDC} (WebCamX Control) - http://192.168.1.15/WebCamX.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\Manager\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: ddcyy - C:\WINDOWS\system32\ddcyy.dll (file missing)
O20 - Winlogon Notify: jkhhf - C:\WINDOWS\system32\jkhhf.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe


-- File Associations -----------------------------------------------------------

.ini - GetDiz.Document - DefaultIcon - unable to read value
.ini - GetDiz.Document - shell\open\command - "C:\Program Files\GetDiz\GetDiz.exe" "%1"
.txt - GetDiz.Document - DefaultIcon - unable to read value
.txt - GetDiz.Document - shell\open\command - "C:\Program Files\GetDiz\GetDiz.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>

S2 PfDetNT - c:\windows\system32\drivers\pfmodnt.sys (file missing)
S3 hamachi (Hamachi Network Interface) - c:\windows\system32\drivers\hamachi.sys <Not Verified; Applied Networking Inc.; Hamachi Virtual Network Interface Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Scheduled Tasks -------------------------------------------------------------

2006-08-19 14:09:22 304 --a------ C:\WINDOWS\Tasks\XoftSpy.job


-- Files created between 2007-04-09 and 2007-05-09 -----------------------------

2007-05-09 16:53:13 49204 --a------ C:\WINDOWS\system32\vrnbqmqp.dll
2007-05-09 16:50:22 132660 --a------ C:\WINDOWS\system32\evklukgi.dll
2007-05-08 17:52:30 0 d--hs---- C:\WINDOWS\CSC
2007-05-08 17:51:18 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-05-08 17:51:18 0 d--h----- C:\Documents and Settings\Administrator\Recent
2007-05-08 17:51:18 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-05-08 17:51:18 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-05-08 17:51:18 0 d-------- C:\Documents and Settings\Administrator\My Documents
2007-05-08 17:51:18 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-05-08 17:51:18 0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-05-08 17:51:18 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-05-08 17:51:18 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-05-08 17:51:18 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-05-08 17:51:18 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-05-08 17:51:17 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-05-08 17:51:17 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-05-08 17:51:17 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-05-08 15:04:59 894860 ---hs---- C:\WINDOWS\system32\fhhkj.bak2
2007-05-07 16:07:28 1156 --a------ C:\WINDOWS\mozver.dat
2007-05-07 1628 0 --a------ C:\WINDOWS\nsreg.dat
2007-05-07 1622 0 d-------- C:\Documents and Settings\Manager\Application Data\Mozilla
2007-05-07 15:37:01 0 d-------- C:\Program Files\PeerGuardian2
2007-05-07 1543 888757 ---hs---- C:\WINDOWS\system32\fhhkj.ini2
2007-05-07 15:04:47 886218 ---hs---- C:\WINDOWS\system32\fhhkj.bak1
2007-05-07 15:04:30 285268 ---hs---- C:\WINDOWS\system32\jkhhf.dll
2007-05-07 14:19:23 0 d-------- C:\Program Files\Spyware Doctor
2007-05-07 14:02:23 906067 ---hs---- C:\WINDOWS\system32\yycdd.ini2
2007-05-07 13:54:43 0 d-------- C:\Program Files\GetDiz
2007-05-07 13:51:37 278528 --a------ C:\WINDOWS\system32\livesnth.dll <Not Verified; LiveUpdate; LiveSynth>
2007-04-30 10:42:11 2034 --a------ C:\meresurfer_log
2007-04-30 10:42:09 153088 --a------ C:\UNWISE.EXE
2007-04-30 10:17:58 3136 --a------ C:\Documents and Settings\Manager\x_dtrace_log
2007-04-30 10:17:58 14 --a------ C:\Documents and Settings\Manager\getfile.dat
2007-04-28 12:25:48 3137 --a------ C:\WINDOWS\system32\x_dtrace_log
2007-04-28 12:25:48 14 --a------ C:\WINDOWS\system32\getfile.dat
2007-04-25 11:21:23 0 d-------- C:\Documents and Settings\All Users\Application Data\ErrorProtector Free
2007-04-16 10:21:40 0 d-------- C:\Program Files\Common Files\xing shared
2007-04-16 10:21:17 0 d-------- C:\Program Files\Common Files\Real
2007-04-16 10:21:16 0 d-------- C:\Program Files\Real
2007-04-16 10:20:55 0 d-------- C:\Documents and Settings\Manager\Application Data\Real
2007-04-16 10:16:39 0 d-------- C:\My Downloads


-- Find3M Report ---------------------------------------------------------------

2007-05-09 14:35:16 2560 --a------ C:\WINDOWS\system32\BitCometRes.dll <Not Verified; BitComet; BitComet BCTP Helper>
2007-05-09 13:34:48 0 d-------- C:\Documents and Settings\Manager\Application Data\Lavasoft
2007-05-07 14:59:26 0 d-------- C:\Program Files\Yahoo!
2007-05-07 14:03:40 0 d-------- C:\Program Files\Google
2007-05-07 10:13:27 0 d-------- C:\Program Files\MSN Messenger
2007-05-05 12:22:22 0 d-------- C:\Program Files\CASHFLOW
2007-05-05 12:22:09 0 d-------- C:\Program Files\CASHFLOW 202
2007-05-05 12:21:13 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-04-02 14:20:06 0 d-------- C:\Program Files\MSN Games
2007-04-02 14:19:51 0 d-------- C:\Program Files\CandleWorks
2007-03-29 16:04:54 4096 --a------ C:\WINDOWS\d3dx.dat
2007-03-23 15:00:12 0 d-------- C:\Documents and Settings\Manager\Application Data\funkitron


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{0A87E45F-537A-40B4-B812-E2544C21A09F} C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll [x]
{2742E11C-2070-4DBD-A6FC-61D6044B8F4B} C:\WINDOWS\system32\jkhhf.dll
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} C:\Program Files\Yahoo!\Common\yiesrvc.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
{7DB2D5A0-7241-4E79-B68D-6309F01C5231} C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6} C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
{CEE8B8FB-559B-4E75-8338-F51FCF0A4779} C:\WINDOWS\system32\bhuhqjlu.dll [x]
{D651AFF4-9590-424d-BD1E-8E33E090DFB3} C:\WINDOWS\system32\vrnbqmqp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"NVRaidService"="C:\\WINDOWS\\system32\\nvraidservice.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"C-Media Mixer"="Mixer.exe /startup"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ShStatEXE"="\"C:\\Program Files\\McAfee\\VirusScan Enterprise\\SHSTAT.EXE\" /STANDALONE"
"McAfeeUpdaterUI"="\"C:\\Program Files\\McAfee\\Common Framework\\UdaterUI.exe\" /StartedFromRunKey"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"PWRISOVM.EXE"="C:\\Program Files\\PowerISO\\PWRISOVM.EXE"
"SDTray"="C:\\Program Files\\Spyware Doctor\\SDTrayApp.exe"
"WindowsService"="rundll32.exe \"C:\\WINDOWS\\system32\\evklukgi.dll\",realset"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"PeerGuardian"="C:\\Program Files\\PeerGuardian2\\pg2.exe"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcyy
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkhhf

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=dword:00000002
"srservice"=dword:00000002
"Schedule"=dword:00000002
"ERSvc"=dword:00000002

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G]
Shell\AutoRun\command G:\InsertOtherCD.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\H]
Shell\AutoRun\command H:\Setup.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c0fa5f2e-15c4-11db-b5bf-00e0815c6630}]
Shell\AutoRun\command F:\setupSNK.exe


-- End of Deckard's System Scanner: finished at 2007-05-09 at 16:59:44 ---------
chan416 is offline  
05-09-2007, 03:02 PM   #2
Registered User
 
Join Date: May 2007
Posts: 16
OS: XP


Re: POP UP GALORE please help with log

Deckard's System Scanner v20070426.43
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Dual Core AMD Opteron(tm) Processor 165
CPU 1: Dual Core AMD Opteron(tm) Processor 165
Percentage of Memory in Use: 46%
Physical Memory (total/avail): 1022.37 MiB / 549.33 MiB
Pagefile Memory (total/avail): 2461.12 MiB / 1913.84 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1971.7 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 30 GiB total, 23.45 GiB free.
D: is Fixed (NTFS) - 202.88 GiB total, 202.37 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)


-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntivirusOverride is set.

AV: McAfee VirusScan Enterprise v8.5.0.781 (McAfee, Inc.)


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Manager\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SERVER
ComSpec=C:\WINDOWS\system32\cmd.exe
DEFLOGDIR=C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Manager
LOGONSERVER=\\SERVER
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 35 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2302
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Manager\LOCALS~1\Temp
TMP=C:\DOCUME~1\Manager\LOCALS~1\Temp
USERDOMAIN=SERVER
USERNAME=Manager
USERPROFILE=C:\Documents and Settings\Manager
VSEDEFLOGDIR=C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Manager (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 4.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.dll"
Adobe Flash Player 9 --> C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
BitComet 0.73 --> C:\Program Files\BitComet\uninst.exe
GetDiz 3.0 --> C:\PROGRA~1\GetDiz\UNINST~1\UNWISE.EXE C:\PROGRA~1\GetDiz\UNINST~1\install.log
Hamachi 0.9.9.9 --> C:\Program Files\Hamachi\uninstall.exe
HijackThis 1.99.1 --> C:\Documents and Settings\Manager\Desktop\My Download\hijackthis\HijackThis.exe /uninstall
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150070}
Magic DVD Player 1.2 --> "C:\Program Files\MagicDVD\unins000.exe"
McAfee VirusScan Enterprise --> MsiExec.exe /I{35C03C04-3F1F-42C2-A989-A757EE691F65}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 (Beta2) --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Mozilla Firefox (2.0.0.3) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
NVIDIA Drivers --> C:\WINDOWS\system32\NVUNINST.EXE UninstallGUI
PCI Audio Driver --> cmuninst.exe
PeerGuardian 2.0 --> "C:\Program Files\PeerGuardian2\unins000.exe"
PowerISO --> "C:\Program Files\PowerISO\uninstall.exe"
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Spyware Doctor 5.0 --> C:\Program Files\Spyware Doctor\unins000.exe
TransactionServer --> C:\WINDOWS\TransactionServer Uninstaller.exe
TransactionWindow --> C:\WINDOWS\TransactionWindow Uninstaller.exe
ViewSonic Monitor Drivers --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B4FEA924-630D-11D4-B78E-005004566E4D}\Setup.exe" -l0x9
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live OneCare safety scanner --> RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows Live Sign-in Assistant --> MsiExec.exe /I{F652D238-5F29-42D5-BAF3-0115EF977EC2}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Yahoo! Anti-Spy --> C:\PROGRA~1\Yahoo!\Common\unypsr.exe
Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\unyext.exe
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail --> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\YMMAPI~1.DLL
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG


-- End of Deckard's System Scanner: finished at 2007-05-09 at 16:59:44 ---------
chan416 is offline  
05-11-2007, 04:54 AM   #3
Analyst, Security Team; Assistant Rangemaster, TSF Academy
 
 
Join Date: Sep 2006
Posts: 1,302
OS: Windows XP SP2


Re: POP UP GALORE please help with log

Hi chan416,

Welcome to Tech Support Forum!

I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help.


Please download DAFT and save it to your desktop:
  • Double-click the daft.exe icon. Read the disclaimer and click OK.
  • Click on the Scan button.
  • Place a checkmark next to the following entries:

    .ini
    .ini
    .txt
    .txt


  • Click the Fix button.
  • Re-scan and save a logfile. By default, it will save as daft.txt.
  • Post the contents of that logfile with your next post.


NEXT:

Spyware Doctor's OnGuard protective functionality may interfere with certain fixes we need to make. Please follow these instructions to disable it.

To deactivate Spyware Doctor's OnGuard Tools:
  • From within Spyware Doctor, click the "OnGuard" button on the left side.
  • Uncheck "Activate OnGuard".


NEXT:

Please download ComboFix by sUBs:

NOTE: In the event you already have ComboFix, this is a new version that I need you to download.
  • Save it to your desktop.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT:

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {2742E11C-2070-4DBD-A6FC-61D6044B8F4B} - C:\WINDOWS\system32\jkhhf.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {CEE8B8FB-559B-4E75-8338-F51FCF0A4779} - C:\WINDOWS\system32\bhuhqjlu.dll (file missing)
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\vrnbqmqp.dll
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\evklukgi.dll",realset
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\Manager\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O20 - Winlogon Notify: ddcyy - C:\WINDOWS\system32\ddcyy.dll (file missing)
O20 - Winlogon Notify: jkhhf - C:\WINDOWS\system32\jkhhf.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)



Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

Then please exit HijackThis.


NEXT:

Go to Start -> Control Panel -> Add/Remove Programs and remove any of the following that are listed:

SpyCatcher
SpyCatcher 2006



NEXT:

Please download OTMoveIt by OldTimer:
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose "Copy"):

    C:\WINDOWS\system32\jkhhf.dll
    C:\WINDOWS\system32\vrnbqmqp.dll
    C:\WINDOWS\system32\evklukgi.dll
    C:\WINDOWS\system32\fhhkj.bak2
    C:\WINDOWS\system32\fhhkj.bak1
    C:\WINDOWS\system32\yycdd.ini2
    C:\Program Files\SpyCatcher 2006


  • Return to OTMoveIt, right-click on the "Paste List of Files/Folders to be Moved" window and choose "Paste".
  • Click the red "MoveIt!" button.
  • Close OTMoveIt.
  • Please post the log from OTMoveIt, located here:

    C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss is the date of the tool run.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose "Yes".


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:
  1. The log from DAFT.
  2. The log from the ComboFix scan.
  3. The log from OTMoveIt.
  4. A new HijackThis log.

How are things running now? Please let me know of any problems that still persist.
__________________

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum
Sempurna is offline  
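As an added example (not part of this thread and not one of the tools Sempurna names), here is a small Python triage script that applies the reasoning behind the fix list above: it parses HijackThis entries, cross-references them with the DSS "Files created" section, and flags the patterns visible in this log (orphaned entries, unnamed BHOs, rundll32 loading a system32 DLL, a DPF served from a local .chm in Temp, Winlogon Notify DLLs in system32, and loading points that reference recently created files). The sample lines are copied from the posted logs; the flag names and heuristics are my own and are a first-pass filter for a human reviewer, not a verdict.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample input: HijackThis lines copied from the log posted above.
HJT_LOG = r"""
O2 - BHO: (no name) - {2742E11C-2070-4DBD-A6FC-61D6044B8F4B} - C:\WINDOWS\system32\jkhhf.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {CEE8B8FB-559B-4E75-8338-F51FCF0A4779} - C:\WINDOWS\system32\bhuhqjlu.dll (file missing)
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\vrnbqmqp.dll
O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\evklukgi.dll",realset
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\Manager\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O20 - Winlogon Notify: ddcyy - C:\WINDOWS\system32\ddcyy.dll (file missing)
O20 - Winlogon Notify: jkhhf - C:\WINDOWS\system32\jkhhf.dll
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
"""

# Constructed sample input: "Files created" lines from the DSS log posted above.
DSS_RECENT = r"""
2007-05-09 16:53:13 49204 --a------ C:\WINDOWS\system32\vrnbqmqp.dll
2007-05-09 16:50:22 132660 --a------ C:\WINDOWS\system32\evklukgi.dll
2007-05-07 15:04:30 285268 ---hs---- C:\WINDOWS\system32\jkhhf.dll
2007-05-07 13:51:37 278528 --a------ C:\WINDOWS\system32\livesnth.dll <Not Verified; LiveUpdate; LiveSynth>
"""

HJT_LINE = re.compile(r"^([RO]\d+) - (.*)$")
# First drive-letter path on the line that ends in a loadable/installable extension.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"<,]*?\.(?:dll|exe|cab|chm))', re.IGNORECASE)
# DSS file line: date time size attributes path [<signature info>]
DSS_LINE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \d+ \S+ (.*?)(?: <.*)?$")
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass
class Entry:
    kind: str            # HijackThis section prefix, e.g. O2, O4, O20
    raw: str             # the full log line
    path: Optional[str]  # first file path found on the line, if any
    flags: List[str] = field(default_factory=list)


def recent_files(dss_text: str) -> Set[str]:
    """Lower-cased paths from the DSS 'Files created' section."""
    paths = set()
    for line in dss_text.splitlines():
        m = DSS_LINE.match(line.strip())
        if m:
            paths.add(m.group(1).strip().lower())
    return paths


def parse_hjt(hjt_text: str) -> List[Entry]:
    """Keep only R*/O* entries; headers, process list and blank lines are skipped."""
    entries = []
    for line in hjt_text.splitlines():
        line = line.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        pm = PATH_RE.search(line)
        entries.append(Entry(kind=m.group(1), raw=line, path=pm.group(1) if pm else None))
    return entries


def triage(entry: Entry, recent: Set[str]) -> List[str]:
    """Heuristics mirroring the patterns in this thread's fix list (flag names are mine)."""
    low = entry.raw.lower()
    path = (entry.path or "").lower()
    flags = []
    if "(file missing)" in low or "(no file)" in low:
        flags.append("orphan")                    # loading point with no file behind it
    if entry.kind == "O2" and "(no name)" in low:
        flags.append("unnamed-bho")               # BHO that registered no display name
    if entry.kind == "O4" and "rundll32" in low and path.startswith(SYSTEM32):
        flags.append("rundll32-system32-dll")     # Run key loading a bare DLL from system32
    if entry.kind == "O16" and ("mk:@msitstore" in low or "\\temp\\" in low):
        flags.append("dpf-local-temp")            # ActiveX "download" sourced from a local .chm/Temp
    if entry.kind == "O20" and path.startswith(SYSTEM32):
        flags.append("winlogon-notify-system32")  # DLL loaded into winlogon at logon
    if path and path in recent:
        flags.append("recently-created")          # file appeared in the DSS recent-files window
    return flags


def triage_log(hjt_text: str, dss_text: str) -> List[Entry]:
    recent = recent_files(dss_text)
    entries = parse_hjt(hjt_text)
    for e in entries:
        e.flags = triage(e, recent)
    return entries


def fix_candidates(entries: List[Entry]) -> List[str]:
    """Raw lines a reviewer should look at first."""
    return [e.raw for e in entries if e.flags]


if __name__ == "__main__":
    for e in triage_log(HJT_LOG, DSS_RECENT):
        print(("FLAG " + ",".join(e.flags)) if e.flags else "ok", e.raw)
```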
05-11-2007, 08:46 AM   #4
Registered User
 
Join Date: May 2007
Posts: 16
OS: XP


Re: POP UP GALORE please help with log

Alo! Thanks for the response! Here is the DAFT log

DAFT Log saved on 2007-05-11 10:43:33
-----------------------------------------------------------------------
All associations okay!
chan416 is offline  
05-11-2007, 08:50 AM   #5
Registered User
 
Join Date: May 2007
Posts: 16
OS: XP


Re: POP UP GALORE please help with log

Ok, looks like I got most of it cleaned up! Hopefully it's all gone...


"Manager" - 2007-05-11 11:05:01 Service Pack 2
ComboFix 07-05.09.V - Running from: "C:\Documents and Settings\Manager\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\xebigryu.dll
C:\WINDOWS\system32\uyrgibex.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-11 ))))))))))))))))))))))))))))))))))


2007-05-11 11:03 964,479 ---hs---- C:\WINDOWS\system32\fhhkj.bak2
2007-05-09 16:57 <DIR> d-------- C:\Deckard
2007-05-09 16:48 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-08 17:52 <DIR> d--hs---- C:\WINDOWS\CSC
2007-05-08 17:51 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-07 16:07 1,156 --a------ C:\WINDOWS\mozver.dat
2007-05-07 16:06 0 --a------ C:\WINDOWS\nsreg.dat
2007-05-07 15:37 <DIR> d-------- C:\Program Files\PeerGuardian2
2007-05-07 15:06 958,208 ---hs---- C:\WINDOWS\system32\fhhkj.ini2
2007-05-07 15:04 285,268 ---hs---- C:\WINDOWS\system32\jkhhf.dll
2007-05-07 14:19 83,536 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-05-07 14:19 59,984 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-05-07 14:19 52,304 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-05-07 14:19 39,248 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-05-07 14:19 26,064 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-05-07 14:19 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-05-07 13:54 <DIR> d-------- C:\Program Files\GetDiz
2007-05-07 13:51 278,528 --a------ C:\WINDOWS\system32\livesnth.dll
2007-05-07 13:28 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-04-30 10:42 153,088 --a------ C:\UNWISE.EXE
2007-04-30 10:17 14 --a------ C:\DOCUME~1\Manager\getfile.dat
2007-04-28 12:25 14 --a------ C:\WINDOWS\system32\getfile.dat
2007-04-25 11:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ErrorProtector Free
2007-04-16 10:21 <DIR> d-------- C:\Program Files\Real
2007-04-16 10:21 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-04-16 10:21 <DIR> d-------- C:\Program Files\Common Files\Real
2007-04-16 10:20 <DIR> d-------- C:\DOCUME~1\Manager\APPLIC~1\Real
2007-04-16 10:16 <DIR> d-------- C:\My Downloads


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-09 21:03:53 2,560 ----a-w C:\WINDOWS\system32\BitCometRes.dll
2007-05-09 17:34:48 -------- d-----w C:\DOCUME~1\Manager\APPLIC~1\Lavasoft
2007-05-07 18:59:26 -------- d-----w C:\Program Files\Yahoo!
2007-05-07 18:03:40 -------- d-----w C:\Program Files\Google
2007-05-07 14:13:27 -------- d-----w C:\Program Files\MSN Messenger
2007-05-05 16:22:22 -------- d-----w C:\Program Files\CASHFLOW
2007-05-05 16:22:09 -------- d-----w C:\Program Files\CASHFLOW 202
2007-05-05 16:21:13 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-02 18:20:06 -------- d-----w C:\Program Files\MSN Games
2007-04-02 18:19:51 -------- d-----w C:\Program Files\CandleWorks
2007-03-29 20:04:54 4,096 ----a-w C:\WINDOWS\d3dx.dat
2007-03-23 19:00:12 -------- d-----w C:\DOCUME~1\Manager\APPLIC~1\funkitron


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{0A87E45F-537A-40B4-B812-E2544C21A09F}"="C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll" [x]
"{26F238D1-1B80-4907-93CE-13D9D190C107}"="C:\WINDOWS\system32\jkhhf.dll"
"{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}"="C:\Program Files\Yahoo!\Common\yiesrvc.dll"
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"="C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll"
"{7DB2D5A0-7241-4E79-B68D-6309F01C5231}"="C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll"
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"="C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll"
"{CEE8B8FB-559B-4E75-8338-F51FCF0A4779}"="C:\WINDOWS\system32\bhuhqjlu.dll" [x]
"{E2EE5C44-C66D-499d-BEAE-A2A79189A63A}"="C:\WINDOWS\system32\pcoxvrsy.dll" [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"NVRaidService"="C:\\WINDOWS\\system32\\nvraidservice.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"C-Media Mixer"="Mixer.exe /startup"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ShStatEXE"="\"C:\\Program Files\\McAfee\\VirusScan Enterprise\\SHSTAT.EXE\" /STANDALONE"
"McAfeeUpdaterUI"="\"C:\\Program Files\\McAfee\\Common Framework\\UdaterUI.exe\" /StartedFromRunKey"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"PWRISOVM.EXE"="C:\\Program Files\\PowerISO\\PWRISOVM.EXE"
"SDTray"="C:\\Program Files\\Spyware Doctor\\SDTrayApp.exe"
"WindowsUpdate"="rundll32.exe \"C:\\WINDOWS\\system32\\xebigryu.dll\",realset"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcyy
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkhhf

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=dword:00000002
"srservice"=dword:00000002
"Schedule"=dword:00000002
"ERSvc"=dword:00000002

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
WudfServiceGroup WUDFSvc\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G]
Shell\AutoRun\command G:\InsertOtherCD.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\H]
Shell\AutoRun\command H:\Setup.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c0fa5f2e-15c4-11db-b5bf-00e0815c6630}]
Shell\AutoRun\command F:\setupSNK.exe


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\XoftSpy.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-11 1125
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-11 1128
C:\ComboFix-quarantined-files.txt ... 2007-05-11 11:06
C:\ComboFix2.txt ... 2007-05-11 10:48
C:\ComboFix3.txt ... 2007-05-09 16:48

Last edited by chan416 : 05-11-2007 at 09:06 AM.
chan416 is offline  
05-11-2007, 09:09 AM   #6
Registered User
 
Join Date: May 2007
Posts: 16
OS: XP


Re: POP UP GALORE please help with log

File/Folder C:\avenger.zip not found.
File/Folder C:\Avenger not found.
File/Folder C:\avenger.txt not found.
File/Folder C:\bfu.zip not found.
File/Folder C:\BFU not found.
C:\Documents and Settings\Manager\Desktop\combofix.exe moved successfully.
C:\QooBox\Quarantine\Registry_backups moved successfully.
Folder cleanup failed. C:\QooBox\Quarantine\C\WINDOWS\system32 scheduled to be deleted on reboot.
C:\QooBox\Quarantine\C\WINDOWS\DOWNLO~1 moved successfully.
Folder cleanup failed. C:\QooBox\Quarantine\C\WINDOWS scheduled to be deleted on reboot.
Folder cleanup failed. C:\QooBox\Quarantine\C scheduled to be deleted on reboot.
Folder cleanup failed. C:\QooBox\Quarantine scheduled to be deleted on reboot.
Folder cleanup failed. C:\QooBox scheduled to be deleted on reboot.
C:\ComboFix*.txt moved successfully.
C:\WINDOWS\catchme.exe moved successfully.
C:\WINDOWS\nircmd.exe moved successfully.
C:\WINDOWS\system32\swreg.exe moved successfully.
C:\WINDOWS\system32\Swxcacls.exe moved successfully.
C:\WINDOWS\system32\Swsc.exe moved successfully.
C:\Documents and Settings\Manager\Desktop\dss.exe moved successfully.
C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files moved successfully.
C:\Deckard\System Scanner\backup\WINDOWS moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\Manager\LOCALS~1\Temp\NAILogs moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\Manager\LOCALS~1\Temp moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\Manager\LOCALS~1 moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\Manager moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1 moved successfully.
C:\Deckard\System Scanner\backup moved successfully.
C:\Deckard\System Scanner moved successfully.
C:\Deckard moved successfully.
File/Folder C:\FindAWF.exe not found.
File/Folder C:\AWF.txt not found.
File/Folder C:\fixwareout.exe not found.
File/Folder C:\fixwareout not found.
File/Folder C:\fsbl.exe not found.
C:\fsbl*.log moved successfully.
C:\fsbl*.log moved successfully.
C:\Documents and Settings\Manager\Desktop\fsbl*.log moved successfully.
C:\WINDOWS\fsbl*.log moved successfully.
C:\WINDOWS\system32\fsbl*.log moved successfully.
C:\WINDOWS\system32\drivers\fsbl*.log moved successfully.
File/Folder C:\gmer.exe not found.
File/Folder C:\gmer.dll not found.
File/Folder C:\gmer.ini not found.
File/Folder C:\gmer.log not found.
File/Folder C:\gmer_uninstall.cmd not found.
File/Folder C:\gmer.sys not found.
Unable to delete service gmer.
File/Folder C:\haxfix.exe not found.
File/Folder C:\haxfix.txt not found.
File/Folder C:\killbox.exe not found.
File/Folder C:\!Killbox not found.
File move failed. C:\Documents and Settings\Manager\Desktop\OTMoveIt.exe scheduled to be moved on reboot.
C:\_OTMoveIt\MovedFiles\WINDOWS\system32 moved successfully.
C:\_OTMoveIt\MovedFiles\WINDOWS moved successfully.
C:\_OTMoveIt\MovedFiles moved successfully.
C:\_OTMoveIt moved successfully.
File/Folder C:\rustbfix.exe not found.
File/Folder C:\Rustbfix not found.
File/Folder C:\sdfix.exe not found.
File/Folder C:\SDFix not found.
File/Folder C:\SmitfraudFix.exe not found.
File/Folder C:\SmitfraudFix not found.
File/Folder C:\rapport.txt not found.
File/Folder C:\SysInsite not found.
File/Folder C:\VundoFix.exe not found.
File/Folder C:\VundoFix Backups not found.
File/Folder C:\vundofix.txt not found.
File/Folder C:\win32delfkil.exe not found.
File/Folder C:\_backupD not found.
File/Folder C:\windelf.txt not found.
File/Folder C:\winpfind.exe not found.
File/Folder C:\WinPfind not found.
File/Folder C:\winpfind3u.exe not found.
File/Folder C:\WinPFind3u not found.
C:\cleanup.txt moved successfully.
File move failed. C:\Documents and Settings\Manager\Desktop\OTMoveIt.exe scheduled to be moved on reboot.
chan416 is offline  
05-11-2007, 09:10 AM   #7
Registered User
 
Join Date: May 2007
Posts: 16
OS: XP


Re: POP UP GALORE please help with log

Looks good???


Logfile of HijackThis v1.99.1
Scan saved at 11:10:02 AM, on 5/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Manager\Desktop\My Download\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xe.com/
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\xebigryu.dll",realset
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Startup: MediaShield.lnk = C:\WINDOWS\system32\NvRaidMan.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
chan416 is offline  
05-11-2007, 09:48 AM   #8
Registered User
 
Join Date: May 2007
Posts: 16
OS: XP


Re: POP UP GALORE please help with log

Darn, still pop-ups... could it be the Vundo? I just noticed that my Internet Explorer privacy setting was set to low.

Last edited by chan416 : 05-11-2007 at 10:07 AM.
chan416 is offline  
05-11-2007, 10:51 AM   #9
Analyst, Security Team; Assistant Rangemaster, TSF Academy

Join Date: Sep 2006
Posts: 1,302
OS: Windows XP SP2


Re: POP UP GALORE please help with log

Hi chan416,

You’re most welcome, chan416.

Yes, it is Vundo and its cousins. It is still present because you hit the wrong button in OTMoveIt. You were supposed to press the red "MoveIt!" button, but you hit the green "CleanUp!" button instead. That’s what the OTMoveIt log is showing.

Take your time with the fix. The "CleanUp!" button will remove all our tools, and you might have to redownload the tools like OTMoveIt again. See if HijackThis and ComboFix are still present in your system.

OK, let’s begin again.

Spyware Doctor's OnGuard protective functionality may interfere with certain fixes we need to make. Please follow these instructions to disable it.

To deactivate Spyware Doctor's OnGuard Tools:
  • From within Spyware Doctor, click the "OnGuard" button on the left side.
  • Uncheck "Activate OnGuard".


NEXT:

If you still have ComboFix run it again and let me see the log that it generates. If you don’t have it, then please download a new copy and run it.


NEXT:

Please run HijackThis and fix this next entry:

O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\xebigryu.dll",realset


NEXT:

Please download OTMoveIt by OldTimer:
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose "Copy"):

    C:\WINDOWS\system32\fhhkj.bak2
    C:\WINDOWS\system32\fhhkj.ini2
    C:\WINDOWS\system32\jkhhf.dll
    C:\WINDOWS\system32\vrnbqmqp.dll
    C:\WINDOWS\system32\evklukgi.dll
    C:\WINDOWS\system32\fhhkj.bak1
    C:\WINDOWS\system32\yycdd.ini2
    C:\WINDOWS\system32\xebigryu.dll
    C:\Program Files\SpyCatcher 2006


  • Return to OTMoveIt, right-click on the "Paste List of Files/Folders to be Moved" window and choose "Paste".
  • Click the red "MoveIt!" button.
  • Close OTMoveIt.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose "Yes".

Please post the log from OTMoveIt, located here:

C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:
  1. The log from the new ComboFix scan.
  2. The log from OTMoveIt.
  3. A new HijackThis log.

How are things running now? Please let me know of any problems that still persist.
Sempurna is offline  
05-11-2007, 11:17 AM   #10
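The pattern Sempurna is pointing at in posts #7 and #9 (a Browser Helper Object, a Run value named "WindowsUpdate" that actually calls rundll32 on a random-named DLL in system32, and Winlogon Notify subkeys with the same random names) is mechanical enough to check for automatically. The following Python checker is an added example and is not part of this thread: it is neither chan416's logs nor Sempurna's instructions nor a HijackThis feature. The sample log embedded in it is constructed from the shape of entries in the logs above; the O20 lines are constructed from the Winlogon\Notify keys ComboFix listed (HijackThis reports those as O20 entries). The RANDOM_STEM heuristic, the function names and the benign control lines are my assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample in HijackThis 1.99.1 log format. The O2/O4 lines mirror
# entries from this thread; the O20 lines are constructed from the Winlogon
# Notify keys ComboFix reported. The Yahoo! and Java lines are benign controls.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {26F238D1-1B80-4907-93CE-13D9D190C107} - C:\WINDOWS\system32\jkhhf.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\xebigryu.dll",realset
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O20 - Winlogon Notify: jkhhf - C:\WINDOWS\system32\jkhhf.dll
O20 - Winlogon Notify: ddcyy - C:\WINDOWS\system32\ddcyy.dll
"""

# Heuristic (my assumption, not a HijackThis rule): a file stem of 5-8 lowercase
# letters with no digits, as in jkhhf / xebigryu / ddcyy. Many legitimate DLLs
# would match in isolation, so it is only applied at loading points where a
# freshly dropped system32 DLL has no business appearing.
RANDOM_STEM = re.compile(r"^[a-z]{5,8}$")
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\([^\\]+)$", re.IGNORECASE)

O2_RE = re.compile(r"^O2 - BHO: .* - \{[0-9A-Fa-f-]+\} - (.+)$")
O4_RE = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\Run: \[([^\]]+)\] (.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")
# rundll32.exe "C:\path\to\x.dll",Export  ->  (path, export)
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+)"?\s*,\s*(\w+)', re.IGNORECASE)


def random_system32_dll(path: str):
    """Return the file name if `path` is a random-looking .dll in system32, else None."""
    m = SYSTEM32.match(path.strip().strip('"'))
    if not m:
        return None
    name = m.group(1)
    stem, _, ext = name.rpartition(".")
    if ext.lower() != "dll" or not RANDOM_STEM.match(stem):
        return None
    return name


def scan(log_text: str) -> List[Tuple[str, str]]:
    """Walk a HijackThis log; return (dll path, reason) for each suspicious loading point."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := O2_RE.match(line)):
            # Browser Helper Objects load into every Internet Explorer process.
            path = m.group(1)
            name = random_system32_dll(path)
            if name:
                findings.append((path, f"BHO loads random-named system32 DLL {name}"))
        elif (m := O4_RE.match(line)):
            # Run values that go through rundll32 hide the real payload behind a
            # Microsoft-signed host process; the entry name is free text and
            # "WindowsUpdate" here is just camouflage.
            hive, entry, cmd = m.groups()
            r = RUNDLL_RE.match(cmd)
            if r:
                path, export = r.groups()
                name = random_system32_dll(path)
                if name:
                    findings.append(
                        (path, f"{hive} Run entry [{entry}] uses rundll32 to call {export} in {name}")
                    )
        elif (m := O20_RE.match(line)):
            # Winlogon Notify DLLs load inside winlogon.exe at logon, before the
            # user's shell, which is why these survive user-mode cleanup attempts.
            subkey, path = m.groups()
            name = random_system32_dll(path)
            if name:
                findings.append((path, f"Winlogon Notify subkey '{subkey}' loads random-named DLL {name}"))
    return findings


if __name__ == "__main__":
    for path, reason in scan(SAMPLE_LOG):
        print(f"{path}\n    {reason}")
```

Running it against the constructed sample reports jkhhf.dll twice (once as a BHO, once as a Winlogon Notify DLL), xebigryu.dll via the fake "WindowsUpdate" Run value, and ddcyy.dll, while the Yahoo! and Java entries pass. A hit on the same stem at two loading points, as with jkhhf here, is the thing to look for: it is how the Vundo-family droppers of this period kept one DLL resident in both the browser and winlogon.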
Registered User
 
Join Date: May 2007
Posts: 16
OS: XP


Re: POP UP GALORE please help with log

C:\WINDOWS\system32\fhhkj.bak2 moved successfully.
C:\WINDOWS\system32\fhhkj.ini2 moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\jkhhf.dll
C:\WINDOWS\system32\jkhhf.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\jkhhf.dll scheduled to be moved on reboot.
File/Folder C:\WINDOWS\system32\vrnbqmqp.dll not found.
File/Folder C:\WINDOWS\system32\evklukgi.dll not found.
File/Folder C:\WINDOWS\system32\fhhkj.bak1 not found.
File/Folder C:\WINDOWS\system32\yycdd.ini2 not found.
File/Folder C:\WINDOWS\system32\xebigryu.dll not found.
File/Folder C:\Program Files\SpyCatcher 2006 not found.

Created on 05/11/2007 13:12:31
chan416 is offline  