Old 04-24-2009, 10:34 AM   #1 (permalink)
Registered User
 
Join Date: Sep 2008
Posts: 14
OS: XP


Popup infection

Hello and thank you for taking the time to read my post. In my aimless wander around the internet I clicked on some things that I shouldn't have and ended up getting some trojans. I did not knowingly install any .exe files. The popups are all business related. I have also noticed a severe decrease in speed. So if you notice any ways to make the computer more efficient, please let me know! When conducting the GMER I received a notice that a rootkit has altered something. My only option was to click ok.

Here are some examples caught by AVG Free:

"C:\Program Files\Mozilla Firefox\firefox.exe (5116)";"Trojan horse Generic13.ACLK";"Reboot is required to finish the action"

"C:\WINDOWS\system32\salisawo.dll";"Trojan horse Generic13.ACLK";"Reboot is required to finish the action"

Here is the DDS file. I tried to follow the sticky, and hope everything is in order.

DDS (Ver_09-03-16.01) - NTFSx86
Run by Lincoln Bartlett at 12:09:35.97 on Fri 04/24/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.1918 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\dlcdcoms.exe
C:\Linc\iPod\bin\iPodSrv.exe
C:\Games\nVidia\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Games\nVidia\System Update\UpdateCenterService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\AVG\avgemc.exe
C:\PROGRA~1\AVG\avgtray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Downloads\SpeedUpMyPC 3.5 Cracked+Serial-maz\Crack To this one\SpeedUpMyPC 3\SpeedUpMyPC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\avgrsx.exe
C:\Program Files\AVG\avgcsrvx.exe
C:\Program Files\iTunes\iTunes.exe
C:\Linc\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\avgnsx.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\AVG\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Downloads\SpyEraser\SpyEraser.exe
C:\Program Files\AVG\avgui.exe
C:\Program Files\AVG\avgcsrvx.exe
C:\Documents and Settings\Lincoln Bartlett\Desktop\TSF\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.alienware.com/Mothership?Comp=AWC&SysCode=PC-AREA51-5500-R1&ai=636E3D33313933343526706F3D504F2D33333634343241
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.accoona.com/search?q=%s
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avgssie.dll
BHO: {63e8d804-9602-4d3e-a68f-12bb22422f8b} - c:\windows\system32\buvovaye.dll
TB: {147D6308-0614-4112-89B1-31402F9B82C4} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [Uniblue SpeedUpMyPC] c:\downloads\speedupmypc 3.5 cracked+serial-maz\crack to this one\speedupmypc 3\SpeedUpMyPC.exe -s
uRun: [NVIDIA nTune] c:\games\nvidia\ntune\nTuneCmd.exe resetprofile
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [igndlm.exe] c:\linc\programs\fileplanet\download manager\dlm.exe /windowsstart /startifwork
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [EVGAPrecision] "c:\program files\evga precision\EVGAPrecision.exe" /s
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avgtray.exe
mRun: [DLCDCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCDtime.dll,_RunDLLEntry@16
mRun: [LXCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCCtime.dll,_RunDLLEntry@16
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [tukalubolu] Rundll32.exe "c:\windows\system32\muhutote.dll",s
mRun: [dcb0219f] rundll32.exe "c:\windows\system32\wezujita.dll",b
mRun: [CPMdf831203] Rundll32.exe "c:\windows\system32\tukebiya.dll",a
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {13C1DBF6-7535-495c-91F6-8C13714ED485} - c:\documents and settings\lincoln bartlett\start menu\programs\absolute poker\Absolute Poker.lnk
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\games\partygaming\partypoker\RunApp.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_05\bin\npjpi150_05.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217647541078
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: WB - c:\program files\alienguise\fastload.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\tukebiya.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\tukebiya.dll
LSA: Notification Packages = scecli c:\windows\system32\beyawohe.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\lincol~1\applic~1\mozilla\firefox\profiles\fvr9e4wo.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\avg\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\lincoln bartlett\application data\mozilla\firefox\profiles\fvr9e4wo.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\games\geforce 8800gt\divx\divx content uploader\npUpload.dll
FF - plugin: c:\games\geforce 8800gt\divx\divx player\npDivxPlayerPlugin.dll
FF - plugin: c:\games\geforce 8800gt\divx\divx web player\npdivx32.dll
FF - plugin: c:\linc\programs\fileplanet\download manager\npfpdlm.dll
FF - plugin: c:\program files\acrobat 6.0\reader\browser\nppdf32.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJPI150_05.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npstrlnk.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - plugin: c:\program files\realplayer\netscape6\nppl3260.dll
FF - plugin: c:\program files\realplayer\netscape6\nprjplug.dll
FF - plugin: c:\program files\realplayer\netscape6\nprpjplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-10-3 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-29 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-9-29 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-9-29 107272]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avgemc.exe [2008-9-29 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avgwdsvc.exe [2008-9-29 298264]
R2 dlcd_device;dlcd_device;c:\windows\system32\dlcdcoms.exe -service --> c:\windows\system32\dlcdcoms.exe -service [?]
S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2005-6-29 26488]

=============== Created Last 30 ================


==================== Find3M ====================

2009-04-24 10:28 80,896 a--sh--- c:\windows\system32\wezujita.dll
2009-04-24 10:28 89,600 a--sh--- c:\windows\system32\tukebiya.dll
2009-04-24 10:28 46,592 a--sh--- c:\windows\system32\zipodina.exe
2009-04-23 22:28 46,080 a--sh--- c:\windows\system32\sazosoma.exe
2009-04-23 22:28 89,600 a--sh--- c:\windows\system32\valimuvu.dll
2009-04-23 10:28 89,088 a--sh--- c:\windows\system32\defumave.dll
2009-04-23 10:28 47,616 a--sh--- c:\windows\system32\jejimidu.exe
2009-04-22 22:29 88,576 a--sh--- c:\windows\system32\jenonipe.dll
2009-04-22 22:29 80,384 -------- c:\windows\system32\bayaruja.dll
2009-04-22 10:29 49,664 a--sh--- c:\windows\system32\difinizo.dll
2009-04-22 10:29 88,576 a--sh--- c:\windows\system32\kopilare.dll
2009-04-21 22:25 81,408 -------- c:\windows\system32\gojunasu.dll
2009-04-21 22:25 88,576 a--sh--- c:\windows\system32\fuzikosi.dll
2009-04-21 22:25 47,616 a--sh--- c:\windows\system32\ripawawo.exe
2009-04-06 20:47 138,584 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-04-06 20:47 189,672 a------- c:\windows\system32\PnkBstrB.exe
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-02-20 04:10 666,112 a------- c:\windows\system32\wininet.dll
2009-02-20 04:10 81,920 a------- c:\windows\system32\ieencode.dll
2009-02-11 16:31 70,968 a------- c:\windows\system32\PnkBstrA.exe
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 06:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-03 15:59 56,832 a------- c:\windows\system32\secur32.dll
2009-02-01 10:33 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-28 01:49 87,040 a------- c:\windows\system32\P2BDAO.DLL
2009-01-28 01:49 1,846,784 a------- c:\windows\system32\CRPE32.DLL
2008-12-17 01:31 31,136 ac------ c:\docume~1\lincol~1\applic~1\GDIPFONTCACHEV1.DAT
2008-11-11 18:02 22,328 ac------ c:\docume~1\lincol~1\applic~1\PnkBstrK.sys
2008-05-25 20:06 47,360 ac------ c:\docume~1\lincol~1\applic~1\pcouffin.sys
2008-04-07 00:01 0 ac------ c:\program files\temp01
2008-04-04 18:24 774,144 a------- c:\program files\RngInterstitial.dll
2005-07-28 00:38 513,648 a------- c:\program files\msgr6suite.exe
2009-01-22 10:29 49,664 a--sh--- c:\windows\system32\beyawohe.dll
2009-01-22 10:29 49,664 a--sh--- c:\windows\system32\buvovaye.dll
2009-01-22 10:29 49,664 a--sh--- c:\windows\system32\muhutote.dll

============= FINISH: 12:10:03.32 ===============
Attached Files
File Type: zip Attach.zip (6.7 KB, 3 views)
Old 04-25-2009, 12:53 AM   #2 (permalink)
Analyst, Security Team
 
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,286
OS: Windows 7 Premium x64


Re: Popup infection

Howdy there lrb190, and welcome to TSF Forums.

I'm Steve and I will be helping you throughout this fix.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step. Please perform everything in the correct order/sequence.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days from this initial posting then the thread will be closed.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
Old 04-26-2009, 10:29 AM   #3 (permalink)
Registered User
 
Join Date: Sep 2008
Posts: 14
OS: XP


Re: Popup infection

ComboFix 09-04-25.A3 - Lincoln Bartlett 04/26/2009 12:22.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2430 [GMT -4:00]
Running from: c:\documents and settings\Lincoln Bartlett\Desktop\desktop2\TSF\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Lincoln Bartlett\eula.txt
c:\program files\Antispyware
c:\program files\Antispyware\Antispyware.url
c:\program files\Antispyware\DataBase.ref
c:\program files\Antispyware\TCL.dll
c:\program files\Antispyware\vistaCPtasks.xml
c:\program files\Antispyware\zlib.dll
c:\windows\system32\ajurayab.ini
c:\windows\system32\atuduwof.ini
c:\windows\system32\defumave.dll
c:\windows\system32\ebapovod.ini
c:\windows\system32\fuzikosi.dll
c:\windows\system32\jenonipe.dll
c:\windows\system32\kopilare.dll
c:\windows\system32\owasilas.ini
c:\windows\system32\sifumobu.exe
c:\windows\system32\valimuvu.dll

----- BITS: Possible infected sites -----

hxxp://216.12.168.130
.
((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-4-26 )))))))))))))))))))))))))))))))
.

2009-04-24 18:42 . 2009-04-24 18:42 -------- d-----w C:\VundoFix Backups
2009-04-24 18:29 . 2009-04-24 18:29 -------- d-----w c:\documents and settings\Lincoln Bartlett\Application Data\Malwarebytes
2009-04-24 18:29 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-24 18:29 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-24 18:29 . 2009-04-24 18:29 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-24 18:08 . 2009-04-24 18:09 -------- d-----w c:\documents and settings\Lincoln Bartlett\Application Data\Antispyware
2009-04-15 09:35 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 09:35 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 09:35 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 09:35 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 09:35 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 09:35 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 09:35 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 09:35 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 09:35 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 09:35 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 09:35 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 09:35 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-08 04:14 . 2009-04-08 04:15 -------- d-----w C:\DEATH_RACE
2009-04-01 03:00 . 2009-04-01 03:00 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-30 03:40 . 2009-03-30 03:40 -------- d-----w c:\program files\iTunes
2009-03-30 03:40 . 2009-03-30 03:40 -------- d-----w c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-26 15:41 . 2009-01-29 02:56 -------- d-----w c:\program files\dl_Cats
2009-04-26 15:39 . 2005-06-27 19:08 -------- d-----w c:\documents and settings\Lincoln Bartlett\Application Data\AdobeUM
2009-04-24 19:01 . 2009-04-24 18:42 136 ----a-w C:\VundoFix.txt
2009-04-24 16:38 . 2008-09-30 02:41 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-24 16:38 . 2005-06-26 16:41 -------- d-----w c:\program files\Lx_cats
2009-04-23 19:54 . 2008-12-31 02:17 -------- d-----w c:\program files\UltimateBet
2009-04-22 07:30 . 2008-09-30 02:41 -------- d-----w c:\program files\AVG
2009-04-22 02:25 . 2009-01-22 02:25 47616 --sha-w c:\windows\system32\ripawawo.exe
2009-04-20 03:26 . 2005-11-08 02:22 -------- d-----w c:\documents and settings\Lincoln Bartlett\Application Data\Azureus
2009-04-08 04:13 . 2005-07-16 16:40 -------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2009-04-07 00:47 . 2008-03-07 21:36 138584 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-04-07 00:47 . 2008-03-07 21:36 189672 ----a-w c:\windows\system32\PnkBstrB.exe
2009-04-02 18:19 . 2005-06-27 15:32 11343 ----a-w C:\lxcc.log
2009-04-01 00:04 . 2005-08-28 21:57 -------- d-----w c:\program files\Common Files\AOL
2009-04-01 00:04 . 2005-08-28 22:16 -------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-03-30 03:40 . 2007-10-27 18:59 -------- d-----w c:\program files\Common Files\Apple
2009-03-26 13:45 . 2005-08-28 22:17 -------- d-----w c:\documents and settings\Lincoln Bartlett\Application Data\AOL
2009-03-16 02:48 . 2006-01-04 21:07 58106 ----a-w C:\log.txt
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 03:04 . 2009-03-06 03:04 -------- d-----w c:\program files\PDFTK Builder
2009-03-06 03:01 . 2009-03-06 03:01 -------- d-----w c:\program files\FoxIt
2009-03-06 02:49 . 2009-03-06 02:49 -------- d-----w c:\program files\GPLGS
2009-03-06 02:48 . 2009-03-06 02:48 -------- d-----w c:\program files\Acro Software
2009-03-05 15:23 . 2009-03-05 15:23 -------- d-----w c:\program files\PDF to Word
2009-03-02 01:53 . 2008-05-26 00:06 -------- d-----w c:\documents and settings\Lincoln Bartlett\Application Data\Vso
2009-03-01 22:33 . 2009-03-01 22:32 -------- d-----w c:\program files\Website Copier
2009-02-20 08:10 . 2004-08-04 12:00 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2004-08-04 12:00 81920 ----a-w c:\windows\system32\ieencode.dll
2009-02-11 20:31 . 2008-03-07 21:36 70968 ----a-w c:\windows\system32\PnkBstrA.exe
2009-02-09 12:10 . 2004-08-04 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2004-08-04 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2004-08-04 12:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2004-08-04 12:00 56832 ----a-w c:\windows\system32\secur32.dll
2009-02-01 14:33 . 2008-09-30 02:41 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-01-28 22:38 . 2005-07-28 06:17 19042 ----a-w C:\lxccscan.log
2009-01-28 05:49 . 2009-01-28 05:49 87040 ----a-w c:\windows\system32\P2BDAO.DLL
2009-01-28 05:49 . 2009-01-28 05:49 1846784 ----a-w c:\windows\system32\CRPE32.DLL
2008-12-17 05:31 . 2006-10-13 17:14 31136 -c--a-w c:\documents and settings\Lincoln Bartlett\Application Data\GDIPFONTCACHEV1.DAT
2008-12-11 06:20 . 2005-06-23 18:25 31136 -c--a-w c:\documents and settings\Lincoln Bartlett\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-12-11 01:59 . 2008-12-11 01:59 127216 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2008-11-11 22:02 . 2008-06-20 02:54 22328 -c--a-w c:\documents and settings\Lincoln Bartlett\Application Data\PnkBstrK.sys
2008-05-26 00:06 . 2008-05-26 00:06 47360 -c--a-w c:\documents and settings\Lincoln Bartlett\Application Data\pcouffin.sys
2008-04-07 04:01 . 2008-04-07 04:01 0 -c--a-w c:\program files\temp01
2008-04-04 22:24 . 2008-04-04 22:24 774144 ----a-w c:\program files\RngInterstitial.dll
2005-09-16 17:16 . 2005-09-16 17:16 139 -c--a-w c:\documents and settings\Lincoln Bartlett\Local Settings\Application Data\fusioncache.dat
2005-07-28 04:38 . 2005-07-28 04:38 513648 ----a-w c:\program files\msgr6suite.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue SpeedUpMyPC"="c:\downloads\SpeedUpMyPC 3.5 Cracked+Serial-maz\Crack To this one\SpeedUpMyPC 3\SpeedUpMyPC.exe" [2007-05-16 8975904]
"NVIDIA nTune"="c:\games\nVidia\nTune\nTuneCmd.exe" [2008-04-11 110592]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"igndlm.exe"="c:\linc\Programs\FilePlanet\Download Manager\dlm.exe" [2008-08-01 1103216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"EVGAPrecision"="c:\program files\EVGA Precision\EVGAPrecision.exe" [2008-10-27 240656]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-06 177472]
"AVG8_TRAY"="c:\progra~1\AVG\avgtray.exe" [2009-02-01 1601304]
"DLCDCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll" [2006-02-24 73728]
"LXCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll" [2005-01-10 69632]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-01-15 1657376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 05:34 24576 ----a-w c:\program files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-01 14:33 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=c:\windows\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Lincoln Bartlett^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E06AXLRD_266765
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E06AXLRD_8949390
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Transponder
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"StarWindService"=2 (0x2)
"InCDsrv"=2 (0x2)
"StyleXPService"=2 (0x2)
"SavRoam"=3 (0x3)
"MDM"=2 (0x2)
"IDriverT"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)
"AdobeActiveFileMonitor4.0"=2 (0x2)
"TapiSrv"=2 (0x2)
"SamSs"=2 (0x2)
"seclogon"=2 (0x2)
"mnmsrvc"=3 (0x3)
"helpsvc"=2 (0x2)
"HTTPFilter"=3 (0x3)
"ERSvc"=2 (0x2)
"wuauserv"=2 (0x2)
"aspnet_state"=3 (0x3)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"lxcc_device"=3 (0x3)
"LexBceS"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"WMP54GSSVC"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Games\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Games\\Gears of War\\New Folder\\Gears of War\\Binaries\\WarGame-G4WLive.exe"=
"c:\\Games\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Games\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\Games\\Assassins Creed\\AssassinsCreed_Dx9.exe"=
"c:\\Games\\Assassins Creed\\AssassinsCreed_Dx10.exe"=
"c:\\Games\\Assassins Creed\\AssassinsCreed_Launcher.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\avgemc.exe"=
"c:\\Program Files\\AVG\\avgupd.exe"=
"c:\\Linc\\uTorrent\\uTorrent.exe"=
"c:\\Games\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Games\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Games\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\Games\\Chess Master\\game.exe"=
"c:\\WINDOWS\\system32\\dlcdcoms.exe"=
"c:\\Games\\Mirror's Edge\\Binaries\\MirrorsEdge.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Games\\Activision\\World at War\\CoDWaW.exe"=
"c:\\Games\\Activision\\World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"28960:TCP"= 28960:TCP:COD4 Port
"28960:UDP"= 28960:UDP:COD4
"20656:TCP"= 20656:TCP:BitCometBeta 20656 TCP
"20656:UDP"= 20656:UDP:BitCometBeta 20656 UDP

R2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2008-07-09 26488]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-02-01 325128]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-02-01 107272]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\avgemc.exe [2009-02-01 903960]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\avgwdsvc.exe [2009-02-01 298264]
S2 dlcd_device;dlcd_device;c:\windows\system32\dlcdcoms.exe [2007-01-17 538096]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c6259276-fd5f-11dc-a578-0012179dc057}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-04-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-04-20 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- c:\games\SpeedUpMyPC 3\SpeedUpMyPC.exe [2008-03-06 14:46]

2008-03-06 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
- c:\games\SpeedUpMyPC 3\SpeedUpMyPC.exe [2008-03-06 14:46]

2008-03-14 c:\windows\Tasks\Uniblue SpyEraser.job
- c:\downloads\SpyEraser\SpyEraser.exe [2008-03-14 14:14]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.alienware.com/Mothership?Comp=AWC&SysCode=PC-AREA51-5500-R1&ai=636E3D33313933343526706F3D504F2D33333634343241
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.accoona.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Lincoln Bartlett\Application Data\Mozilla\Firefox\Profiles\fvr9e4wo.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\AVG\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Lincoln Bartlett\Application Data\Mozilla\Firefox\Profiles\fvr9e4wo.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\games\GeForce 8800GT\DivX\DivX Content Uploader\npUpload.dll
FF - plugin: c:\games\GeForce 8800GT\DivX\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: c:\games\GeForce 8800GT\DivX\DivX Web Player\npdivx32.dll
FF - plugin: c:\linc\Programs\FilePlanet\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Acrobat 6.0\Reader\browser\nppdf32.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJPI150_05.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npstrlnk.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: c:\program files\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: c:\program files\RealPlayer\Netscape6\nprpjplug.dll
.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCDCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
LXCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3530250525-1830962744-1483249069-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
@SACL=

[HKEY_USERS\S-1-5-21-3530250525-1830962744-1483249069-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:f3,4c,ad,d2,1d,5c,bd,fd,35,de,36,20,12,e7,14,74,54,73,f3,41,31,2d,93,
7a,4e,39,77,68,4d,c6,7d,d6,6f,78,5f,24,84,de,60,5a,99,1c,60,8b,d4,2e,37,09,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-3530250525-1830962744-1483249069-1005\Software\SecuROM\License information*]
"datasecu"=hex:d1,3c,86,ab,be,63,c3,bc,5a,5f,f0,ab,cf,33,fa,de,62,3a,32,e3,c9,
ae,6f,f5,08,f1,85,00,fd,5c,0b,e5,13,2c,d7,65,c6,43,38,77,44,02,72,ee,11,b3,\
"rkeysecu"=hex:ff,93,25,b3,a9,97,52,be,12,02,5a,06,5a,07,f9,66

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):2b,24,11,2e,81,c5,2f,97,41,4d,2e,ab,80,92,74,9d,bc,cf,2e,0e,4d,
fb,ef,df,ed,66,0b,d7,1a,4a,17,1d,40,d2,63,aa,b4,f3,82,90,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{739e5cdc-f47d-440c-81f5-2505a5e476ec}]
@Denied: (Full) (Everyone)
"Model"=dword:000000bf
"Therad"=dword:0000001f
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(816)
c:\program files\AlienGUIse\fastload.dll
.
Completion time: 2009-04-26 12:25
ComboFix-quarantined-files.txt 2009-04-26 16:25
ComboFix2.txt 2008-10-14 00:00

Pre-Run: 14,441,836,544 bytes free
Post-Run: 14,501,183,488 bytes free

319 --- E O F --- 2009-04-16 07:04
Attached Files
File Type: txt log.txt (20.6 KB, 0 views)
Old 04-26-2009, 01:10 PM   #4 (permalink)
Analyst, Security Team
 
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,286
OS: Windows 7 Premium x64


Re: Popup infection

Hi lrb190

I notice that this is not your first visit to this forum for help with malware. Your last visit was abandoned by yourself; if this thread goes 3 days without a reply then I will have no hesitation in closing the topic. I do see that you still have not learned your lesson about using cracked software and that you have not heeded the advice given to you by chemist regarding the use of reg cleaners. I also see that you are still using P2P software such as Azureus. We cannot educate those who do not want to be educated, and we are not here to repeatedly clean machines from malware. If your desire is to run an infected machine 24/7 then you are on the right track. At the moment I have a feeling that cleaning this machine is almost pointless as no lessons have been learned from your previous visit, and the advice recommended to you in your previous post has not been followed. I hope you are willing to prove me wrong. The files caught by AVG are at rootkit level and cannot be dealt with without the use of the special tools that we use. One, not surprisingly, is this one which is in a folder containing cracks - C:\Downloads\SpeedUpMyPC 3.5 Cracked+Serial-maz\Crack To this one\SpeedUpMyPC 3\SpeedUpMyPC.exe. This is a prime example of the reasons for my harsh speech.


Open Notepad and copy and paste the following in the Code box into Notepad.

Code:
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/370005-popup-infection.html

Collect::
C:\WINDOWS\system32\zamogiso.dll
C:\WINDOWS\system32\kefegase.dll
C:\WINDOWS\system32\nevuwutu.dll
c:\windows\system32\ripawawo.exe
speh.sys

File::
c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
c:\windows\Tasks\Uniblue SpyEraser.job

Folder::
c:\downloads\SpeedUpMyPC 3.5 Cracked+Serial-maz

Driver::
speh

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue SpeedUpMyPC"=-

RegLockDel::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{739e5cdc-f47d-440c-81f5-2505a5e476ec}]
[HKEY_USERS\S-1-5-21-3530250525-1830962744-1483249069-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]

Click on File > Save As....

In the File Name field, copy and paste in CFScript.txt. Do not change the file name.

Click Save.

Referring to the picture below, drag CFScript into Combofix.



Combofix will start running. When done, a log will be produced. Please post this log in your next reply.

In addition, it will prompt you to submit some files for analyzing.



Click OK.

Combofix will then upload the files automatically. Please do not close Combofix's window.

Do not mouse click on Combofix while it is running. That may cause it to stall.

===============================

Next download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

===============================

I want you to run an online scan at kaspersky. It can take some time, so please be patient and allow it to run its full course:

**Vista users - right click IE/Firefox icon and run as administrator

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.


  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

Post back with:
The new combofix log
The results from Kaspersky

Update me on how things are running....
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
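To make a script like the one above easier to review before it is dragged onto ComboFix, here is an added example (our own code, not from sjb007's post and not ComboFix itself) that splits a CFScript into its directives and prints a dry-run plan of what each section asks the tool to do. The directive meanings are the commonly documented ComboFix script semantics and are an assumption of this example; the embedded script text is the one posted above, and the reader touches nothing on the system.

```python
"""Dry-run reader for a ComboFix CFScript.
Added illustration, not ComboFix code: it expands a script like the one above
into the list of actions each directive requests, without touching the system.
"""
import re
from collections import OrderedDict

# Meanings of the directives used above, as commonly documented for ComboFix
# scripts. They are an assumption of this example, not an API the tool exposes.
DIRECTIVES = {
    "Collect": "quarantine and upload file for analysis",
    "File": "delete file",
    "Folder": "delete folder",
    "Driver": "stop and remove driver service",
    "RegLockDel": "take ownership of and delete locked registry key",
}

# The CFScript from the post above. The first line is the thread URL, which
# ComboFix echoes into its log; it is not a directive.
SAMPLE_SCRIPT = r"""
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/370005-popup-infection.html
Collect::
C:\WINDOWS\system32\zamogiso.dll
C:\WINDOWS\system32\kefegase.dll
C:\WINDOWS\system32\nevuwutu.dll
c:\windows\system32\ripawawo.exe
speh.sys
File::
c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
c:\windows\Tasks\Uniblue SpyEraser.job
Folder::
c:\downloads\SpeedUpMyPC 3.5 Cracked+Serial-maz
Driver::
speh
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue SpeedUpMyPC"=-
RegLockDel::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{739e5cdc-f47d-440c-81f5-2505a5e476ec}]
[HKEY_USERS\S-1-5-21-3530250525-1830962744-1483249069-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
"""

DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)::$")   # e.g. "Collect::"
VALUE_RE = re.compile(r'^"(.*)"=(.*)$')          # REGEDIT4 value line

def parse_cfscript(text):
    """Map directive -> non-empty lines; text before the first directive
    (here the thread URL) is kept under '_header'."""
    sections = OrderedDict([("_header", [])])
    current = "_header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections

def plan_registry(lines):
    """Expand a Registry:: fragment: '[key]' selects a key, '"name"=-'
    deletes that value, any other '"name"=data' line sets it."""
    actions, key = [], None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name, data = m.groups()
            action = "delete registry value" if data == "-" else "set registry value"
            actions.append((action, key + "\\" + name))
    return actions

def dry_run(text):
    """Return (action, target) tuples for the whole script; changes nothing."""
    plan = []
    for directive, lines in parse_cfscript(text).items():
        if directive == "_header":
            continue
        if directive == "Registry":
            plan.extend(plan_registry(lines))
        elif directive == "RegLockDel":
            plan.extend((DIRECTIVES[directive], line.strip("[]")) for line in lines)
        elif directive in DIRECTIVES:
            plan.extend((DIRECTIVES[directive], line) for line in lines)
        else:  # unknown directive: surface it instead of guessing what it does
            plan.append(("UNKNOWN directive " + directive, "; ".join(lines)))
    return plan

if __name__ == "__main__":
    for action, target in dry_run(SAMPLE_SCRIPT):
        print(f"{action:50s} {target}")
```

Running the block prints one line per requested action (thirteen for the script above). Unknown directives are reported rather than silently skipped, which is the check worth having before handing any removal script to a tool that runs with full privileges.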
Old 04-26-2009, 08:04 PM   #5 (permalink)
Registered User
 
Join Date: Sep 2008
Posts: 14
OS: XP


Re: Popup infection

Dear sjb007,

I dearly apologize for any resentment derived from my past posts. All I can say is I was distracted by other priorities and did not finish the cleansing process. I have already seen great improvement from your recommendations. The original problem of popups has been solved. I would still like to complete the cleansing process in order to ensure the safety of my machine. Thank you for your time and dedication.

ComboFix 09-04-25.A3 - Lincoln Bartlett 04/26/2009 15:56:01.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2328 [GMT -4:00]
Running from: C:\Documents and Settings\Lincoln Bartlett\Desktop\desktop2\TSF\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lincoln Bartlett\Desktop\desktop2\TSF\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
c:\windows\Tasks\Uniblue SpyEraser.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\downloads\SpeedUpMyPC 3.5 Cracked+Serial-maz
c:\downloads\SpeedUpMyPC 3.5 Cracked+Serial-maz\Another version!\Serial.txt
c:\downloads\SpeedUpMyPC 3.5 Cracked+Serial-maz\Another version!\speedupmypc3.exe
c:\downloads\SpeedUpMyPC 3.5 Cracked+Serial-maz\Crack To this one\avoid.nfo
c:\downloads\SpeedUpMyPC 3.5 Cracked+Serial-maz\Crack To this one\SpeedUpMyPC 3\Defrag.dll
c:\downloads\SpeedUpMyPC 3.5 Cracked+Serial-maz\Crack To this one\SpeedUpMyPC 3\lang\english.ini
c:\downloads\SpeedUpMyPC 3.5 Cracked+Serial-maz\Crack To this one\SpeedUpMyPC 3\lang\lang.lng
c:\downloads\SpeedUpMyPC 3.5 Cracked+Serial-maz\Crack To this one\SpeedUpMyPC 3\SpeedUpMyPC.exe
c:\downloads\SpeedUpMyPC 3.5 Cracked+Serial-maz\Crack To this one\SpeedUpMyPC 3\st.dat
c:\downloads\SpeedUpMyPC 3.5 Cracked+Serial-maz\Crack To this one\SpeedUpMyPC 3\StartSUMP.exe
c:\downloads\SpeedUpMyPC 3.5 Cracked+Serial-maz\Crack To this one\SpeedUpMyPC 3\StartSUMP2.exe
c:\downloads\SpeedUpMyPC 3.5 Cracked+Serial-maz\Crack To this one\SpeedUpMyPC 3\sump.chm
c:\downloads\SpeedUpMyPC 3.5 Cracked+Serial-maz\Crack To this one\SpeedUpMyPC 3\UBVarSM.dll
c:\downloads\SpeedUpMyPC 3.5 Cracked+Serial-maz\Crack To this one\SpeedUpMyPC 3\UBVarSM2.dll
c:\downloads\SpeedUpMyPC 3.5 Cracked+Serial-maz\Crack To this one\SpeedUpMyPC 3\unins000.dat
c:\downloads\SpeedUpMyPC 3.5 Cracked+Serial-maz\Crack To this one\SpeedUpMyPC 3\unins000.exe
c:\downloads\SpeedUpMyPC 3.5 Cracked+Serial-maz\Crack To this one\SpeedUpMyPC 3\UpdateSUMP.dll
c:\downloads\SpeedUpMyPC 3.5 Cracked+Serial-maz\Crack To this one\ubvarsm.dll
c:\downloads\SpeedUpMyPC 3.5 Cracked+Serial-maz\Crack To this one\ubvarsm2.dll
c:\downloads\SpeedUpMyPC 3.5 Cracked+Serial-maz\info.txt
c:\downloads\SpeedUpMyPC 3.5 Cracked+Serial-maz\speedupmypc3.exe
c:\windows\system32\ripawawo.exe
c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
c:\windows\Tasks\Uniblue SpyEraser.job

.
((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-4-26 )))))))))))))))))))))))))))))))
.

2009-04-24 18:42:54 . 2009-04-24 18:42:54 0 d-----w C:\VundoFix Backups
2009-04-24 18:29:56 . 2009-04-24 18:29:56 0 d-----w C:\Documents and Settings\Lincoln Bartlett\Application Data\Malwarebytes
2009-04-24 18:29:52 . 2009-04-06 19:32:46 15504 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2009-04-24 18:29:49 . 2009-04-06 19:32:54 38496 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2009-04-24 18:29:48 . 2009-04-24 18:29:48 0 d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-04-24 18:08:54 . 2009-04-24 18:09:20 0 d-----w C:\Documents and Settings\Lincoln Bartlett\Application Data\Antispyware
2009-04-15 09:35:33 . 2009-03-06 14:22:18 284160 -c----w C:\WINDOWS\system32\dllcache\pdh.dll
2009-04-15 09:35:33 . 2009-02-09 12:10:48 473600 -c----w C:\WINDOWS\system32\dllcache\fastprox.dll
2009-04-15 09:35:33 . 2009-02-09 12:10:48 401408 -c----w C:\WINDOWS\system32\dllcache\rpcss.dll
2009-04-15 09:35:33 . 2009-02-06 11:11:05 110592 -c----w C:\WINDOWS\system32\dllcache\services.exe
2009-04-15 09:35:33 . 2009-02-06 10:10:02 227840 -c----w C:\WINDOWS\system32\dllcache\wmiprvse.exe
2009-04-15 09:35:32 . 2009-02-09 12:10:49 729088 -c----w C:\WINDOWS\system32\dllcache\lsasrv.dll
2009-04-15 09:35:32 . 2009-02-09 12:10:48 714752 -c----w C:\WINDOWS\system32\dllcache\ntdll.dll
2009-04-15 09:35:32 . 2009-02-09 12:10:48 617472 -c----w C:\WINDOWS\system32\dllcache\advapi32.dll
2009-04-15 09:35:32 . 2009-02-09 12:10:48 453120 -c----w C:\WINDOWS\system32\dllcache\wmiprvsd.dll
2009-04-15 09:35:24 . 2009-03-27 06:58:38 1203922 -c----w C:\WINDOWS\system32\dllcache\sysmain.sdb
2009-04-15 09:35:24 . 2008-05-03 11:55:36 2560 ------w C:\WINDOWS\system32\xpsp4res.dll
2009-04-15 09:35:24 . 2008-04-21 12:08:15 215552 -c----w C:\WINDOWS\system32\dllcache\wordpad.exe
2009-04-08 04:14:15 . 2009-04-08 04:15:19 0 d-----w C:\DEATH_RACE
2009-04-01 03:00:58 . 2009-04-01 03:00:58 0 d-----w C:\Program Files\Microsoft Silverlight
2009-03-30 03:40:20 . 2009-03-30 03:40:39 0 d-----w C:\Program Files\iTunes
2009-03-30 03:40:20 . 2009-03-30 03:40:39 0 d-----w C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-26 15:41:19 . 2009-01-29 02:56:22 0 d-----w C:\Program Files\dl_Cats
2009-04-26 15:39:29 . 2005-06-27 19:08:54 0 d-----w C:\Documents and Settings\Lincoln Bartlett\Application Data\AdobeUM
2009-04-24 19:01:09 . 2009-04-24 18:42:54 136 ----a-w C:\VundoFix.txt
2009-04-24 16:38:26 . 2008-09-30 02:41:02 0 d-----w C:\Documents and Settings\All Users\Application Data\avg8
2009-04-24 16:38:17 . 2005-06-26 16:41:34 0 d-----w C:\Program Files\Lx_cats
2009-04-23 19:54:41 . 2008-12-31 02:17:07 0 d-----w C:\Program Files\UltimateBet
2009-04-22 07:30:34 . 2008-09-30 02:41:02 0 d-----w C:\Program Files\AVG
2009-04-20 03:26:05 . 2005-11-08 02:22:53 0 d-----w C:\Documents and Settings\Lincoln Bartlett\Application Data\Azureus
2009-04-08 04:13:47 . 2005-07-16 16:40:01 0 d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2009-04-07 00:47:20 . 2008-03-07 21:36:35 138584 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2009-04-07 00:47:09 . 2008-03-07 21:36:31 189672 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2009-04-02 18:19:34 . 2005-06-27 15:32:12 11343 ----a-w C:\lxcc.log
2009-04-01 00:04:36 . 2005-08-28 21:57:36 0 d-----w C:\Program Files\Common Files\AOL
2009-04-01 00:04:27 . 2005-08-28 22:16:21 0 d-----w C:\Documents and Settings\All Users\Application Data\AOL
2009-03-30 03:40:16 . 2007-10-27 18:59:56 0 d-----w C:\Program Files\Common Files\Apple
2009-03-26 13:45:35 . 2005-08-28 22:17:47 0 d-----w C:\Documents and Settings\Lincoln Bartlett\Application Data\AOL
2009-03-16 02:48:55 . 2006-01-04 21:07:31 58106 ----a-w C:\log.txt
2009-03-06 14:22:18 . 2004-08-04 12:00:00 284160 ----a-w C:\WINDOWS\system32\pdh.dll
2009-03-06 03:04:28 . 2009-03-06 03:04:27 0 d-----w C:\Program Files\PDFTK Builder
2009-03-06 03:01:06 . 2009-03-06 03:01:04 0 d-----w C:\Program Files\FoxIt
2009-03-06 02:49:22 . 2009-03-06 02:49:22 0 d-----w C:\Program Files\GPLGS
2009-03-06 02:48:44 . 2009-03-06 02:48:44 0 d-----w C:\Program Files\Acro Software
2009-03-05 15:23:34 . 2009-03-05 15:23:34 0 d-----w C:\Program Files\PDF to Word
2009-03-02 01:53:15 . 2008-05-26 0001 0 d-----w C:\Documents and Settings\Lincoln Bartlett\Application Data\Vso
2009-03-01 22:33:02 . 2009-03-01 22:32:10 0 d-----w C:\Program Files\Website Copier
2009-02-20 08:10:59 . 2004-08-04 12:00:00 666112 ----a-w C:\WINDOWS\system32\wininet.dll
2009-02-20 08:10:57 . 2004-08-04 12:00:00 81920 ----a-w C:\WINDOWS\system32\ieencode.dll
2009-02-11 20:31:03 . 2008-03-07 21:36:23 70968 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2009-02-09 12:10:49 . 2004-08-04 12:00:00 729088 ----a-w C:\WINDOWS\system32\lsasrv.dll
2009-02-09 12:10:48 . 2004-08-04 12:00:00 714752 ----a-w C:\WINDOWS\system32\ntdll.dll
2009-02-09 12:10:48 . 2004-08-04 12:00:00 617472 ----a-w C:\WINDOWS\system32\advapi32.dll
2009-02-09 12:10:48 . 2004-08-04 12:00:00 401408 ----a-w C:\WINDOWS\system32\rpcss.dll
2009-02-09 11:13:27 . 2004-08-04 12:00:00 1846784 ----a-w C:\WINDOWS\system32\win32k.sys
2009-02-06 11:11:05 . 2004-08-04 12:00:00 110592 ----a-w C:\WINDOWS\system32\services.exe
2009-02-06 1141 . 2004-08-04 12:00:00 2145280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2009-02-06 10:39:08 . 2004-08-04 12:00:00 35328 ----a-w C:\WINDOWS\system32\sc.exe
2009-02-06 10:32:56 . 2004-08-03 22:59:02 2023936 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2009-02-03 19:59:07 . 2004-08-04 12:00:00 56832 ----a-w C:\WINDOWS\system32\secur32.dll
2009-02-01 14:33:14 . 2008-09-30 02:41:19 10520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
2009-01-28 22:38:25 . 2005-07-28 06:17:28 19042 ----a-w C:\lxccscan.log
2009-01-28 05:49:24 . 2009-01-28 05:49:24 87040 ----a-w C:\WINDOWS\system32\P2BDAO.DLL
2009-01-28 05:49:22 . 2009-01-28 05:49:22 1846784 ----a-w C:\WINDOWS\system32\CRPE32.DLL
2008-12-17 05:31:06 . 2006-10-13 17:14:46 31136 -c--a-w C:\Documents and Settings\Lincoln Bartlett\Application Data\GDIPFONTCACHEV1.DAT
2008-12-11 06:20:36 . 2005-06-23 18:25:20 31136 -c--a-w C:\Documents and Settings\Lincoln Bartlett\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-12-11 01:59:16 . 2008-12-11 01:59:16 127216 ----a-w C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2008-11-11 22:02:34 . 2008-06-20 02:54:59 22328 -c--a-w C:\Documents and Settings\Lincoln Bartlett\Application Data\PnkBstrK.sys
2008-05-26 0001 . 2008-05-26 0001 47360 -c--a-w C:\Documents and Settings\Lincoln Bartlett\Application Data\pcouffin.sys
2008-04-07 04:01:43 . 2008-04-07 04:01:43 0 -c--a-w C:\Program Files\temp01
2008-04-04 22:24:46 . 2008-04-04 22:24:59 774144 ----a-w C:\Program Files\RngInterstitial.dll
2005-09-16 17:16:52 . 2005-09-16 17:16:52 139 -c--a-w C:\Documents and Settings\Lincoln Bartlett\Local Settings\Application Data\fusioncache.dat
2005-07-28 04:38:39 . 2005-07-28 04:38:27 513648 ----a-w C:\Program Files\msgr6suite.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="C:\Games\nVidia\nTune\nTuneCmd.exe" [2008-04-11 13:44:22 110592]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 00:12:16 15360]
"igndlm.exe"="C:\Linc\Programs\FilePlanet\Download Manager\dlm.exe" [2008-08-01 18:36:32 1103216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2009-01-15 13:19:00 13680640]
"EVGAPrecision"="C:\Program Files\EVGA Precision\EVGAPrecision.exe" [2008-10-27 16:28:24 240656]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-06 04:50:30 177472]
"AVG8_TRAY"="C:\PROGRA~1\AVG\avgtray.exe" [2009-02-01 14:33:06 1601304]
"DLCDCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll" [2006-02-24 21:12:44 73728]
"LXCCCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll" [2005-01-10 09:21:54 69632]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2009-01-05 21:18:48 413696]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2009-01-15 13:19:00 86016]
"nwiz"="nwiz.exe" - C:\WINDOWS\system32\nwiz.exe [2009-01-15 13:19:00 1657376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 05:34:52 24576 ----a-w C:\Program Files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-01 14:33:14 10520 ----a-w C:\WINDOWS\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Lincoln Bartlett^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"StarWindService"=2 (0x2)
"InCDsrv"=2 (0x2)
"StyleXPService"=2 (0x2)
"SavRoam"=3 (0x3)
"MDM"=2 (0x2)
"IDriverT"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)
"AdobeActiveFileMonitor4.0"=2 (0x2)
"TapiSrv"=2 (0x2)
"SamSs"=2 (0x2)
"seclogon"=2 (0x2)
"mnmsrvc"=3 (0x3)
"helpsvc"=2 (0x2)
"HTTPFilter"=3 (0x3)
"ERSvc"=2 (0x2)
"wuauserv"=2 (0x2)
"aspnet_state"=3 (0x3)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"lxcc_device"=3 (0x3)
"LexBceS"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"WMP54GSSVC"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Games\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Games\\Gears of War\\New Folder\\Gears of War\\Binaries\\WarGame-G4WLive.exe"=
"C:\\Games\\Crysis\\Bin32\\Crysis.exe"=
"C:\\Games\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"C:\\Games\\Assassins Creed\\AssassinsCreed_Dx9.exe"=
"C:\\Games\\Assassins Creed\\AssassinsCreed_Dx10.exe"=
"C:\\Games\\Assassins Creed\\AssassinsCreed_Launcher.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AVG\\avgemc.exe"=
"C:\\Program Files\\AVG\\avgupd.exe"=
"C:\\Linc\\uTorrent\\uTorrent.exe"=
"C:\\Games\\Far Cry 2\\bin\\FarCry2.exe"=
"C:\\Games\\Far Cry 2\\bin\\FC2Launcher.exe"=
"C:\\Games\\Far Cry 2\\bin\\FC2Editor.exe"=
"C:\\Games\\Chess Master\\game.exe"=
"C:\\WINDOWS\\system32\\dlcdcoms.exe"=
"C:\\Games\\Mirror's Edge\\Binaries\\MirrorsEdge.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Games\\Activision\\World at War\\CoDWaW.exe"=
"C:\\Games\\Activision\\World at War\\CoDWaWmp.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"28960:TCP"= 28960:TCP:COD4 Port
"28960:UDP"= 28960:UDP:COD4
"20656:TCP"= 20656:TCP:BitCometBeta 20656 TCP
"20656:UDP"= 20656:UDP:BitCometBeta 20656 UDP

R2 spupdsvc;Windows Service Pack Installer update service;C:\WINDOWS\system32\spupdsvc.exe [2008-07-09 07:38:27 26488]
S0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 21:24:30 28544]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-02-01 14:33:14 325128]
S1 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-02-01 14:33:14 107272]
S2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\avgemc.exe [2009-02-01 14:33:12 903960]
S2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\avgwdsvc.exe [2009-02-01 14:33:10 298264]
S2 dlcd_device;dlcd_device;C:\WINDOWS\system32\dlcdcoms.exe [2007-01-17 04:34:36 538096]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c6259276-fd5f-11dc-a578-0012179dc057}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-04-25 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34:12 . 2008-07-30 16:34:12]

2008-03-06 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job
- C:\Games\SpeedUpMyPC 3\SpeedUpMyPC.exe [2008-03-06 18:11:32 . 2008-01-29 14:46:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.alienware.com/Mothership?Comp=AWC&SysCode=PC-AREA51-5500-R1&ai=636E3D33313933343526706F3D504F2D33333634343241
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.accoona.com/search?q=%s
IE: &AOL Toolbar search - C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - C:\Documents and Settings\Lincoln Bartlett\Application Data\Mozilla\Firefox\Profiles\fvr9e4wo.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: C:\Program Files\AVG\Firefox\components\avgssff.dll
FF - plugin: C:\Documents and Settings\Lincoln Bartlett\Application Data\Mozilla\Firefox\Profiles\fvr9e4wo.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: C:\Games\GeForce 8800GT\DivX\DivX Content Uploader\npUpload.dll
FF - plugin: C:\Games\GeForce 8800GT\DivX\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: C:\Games\GeForce 8800GT\DivX\DivX Web Player\npdivx32.dll
FF - plugin: C:\Linc\Programs\FilePlanet\Download Manager\npfpdlm.dll
FF - plugin: C:\Program Files\Acrobat 6.0\Reader\browser\nppdf32.dll
FF - plugin: C:\Program Files\Java\jre1.5.0_05\bin\NPJava11.dll
FF - plugin: C:\Program Files\Java\jre1.5.0_05\bin\NPJava12.dll
FF - plugin: C:\Program Files\Java\jre1.5.0_05\bin\NPJava13.dll
FF - plugin: C:\Program Files\Java\jre1.5.0_05\bin\NPJava14.dll
FF - plugin: C:\Program Files\Java\jre1.5.0_05\bin\NPJava32.dll
FF - plugin: C:\Program Files\Java\jre1.5.0_05\bin\NPJPI150_05.dll
FF - plugin: C:\Program Files\Java\jre1.5.0_05\bin\NPOJI610.dll
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\npgcplug.dll
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\npstrlnk.dll
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: C:\Program Files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: C:\Program Files\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: C:\Program Files\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: C:\Program Files\RealPlayer\Netscape6\nprpjplug.dll
.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCDCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
LXCCCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3530250525-1830962744-1483249069-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:f3,4c,ad,d2,1d,5c,bd,fd,35,de,36,20,12,e7,14,74,54,73,f3,41,31,2d,93,
7a,4e,39,77,68,4d,c6,7d,d6,6f,78,5f,24,84,de,60,5a,99,1c,60,8b,d4,2e,37,09,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-3530250525-1830962744-1483249069-1005\Software\SecuROM\License information*]
"datasecu"=hex:d1,3c,86,ab,be,63,c3,bc,5a,5f,f0,ab,cf,33,fa,de,62,3a,32,e3,c9,
ae,6f,f5,08,f1,85,00,fd,5c,0b,e5,13,2c,d7,65,c6,43,38,77,44,02,72,ee,11,b3,\
"rkeysecu"=hex:ff,93,25,b3,a9,97,52,be,12,02,5a,06,5a,07,f9,66
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(816)
C:\Program Files\AlienGUIse\fastload.dll
.
Completion time: 2009-04-26 15:58:40
ComboFix-quarantined-files.txt 2009-04-26 19:58:38
ComboFix2.txt 2009-04-26 16:25:52
ComboFix3.txt 2008-10-14 00:00:11

Pre-Run: 14,501,228,544 bytes free
Post-Run: 14,453,882,880 bytes free

298 --- E O F --- 2009-04-16 07:04:19
Attached Files
File Type: txt Kaspersky.txt (1.6 KB, 2 views)
File Type: txt ComboFix.txt (20.3 KB, 1 views)
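As an added example that is not part of the original post and not ComboFix code, the following script pulls executable paths out of the 'Reg Loading Points', firewall AuthorizedApplications and Scheduled Tasks sections of a ComboFix log like the one above and flags entries that start from outside the Windows or Program Files trees, or whose names match the P2P and cracked-software indicators the analyst called out. The trusted-location list and watch words are assumptions of this example; the embedded log excerpt is a selection of lines from the log above.

```python
"""Triage of autostart and firewall entries from a ComboFix log.
Added illustration, not ComboFix code: it pulls executable paths out of the
'Reg Loading Points', firewall AuthorizedApplications and Scheduled Tasks
sections and flags the ones worth a second look.
"""
import re

# Excerpt of the ComboFix log in the post above (the selection is ours).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="C:\Games\nVidia\nTune\nTuneCmd.exe" [2008-04-11 13:44:22 110592]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 00:12:16 15360]
"igndlm.exe"="C:\Linc\Programs\FilePlanet\Download Manager\dlm.exe" [2008-08-01 18:36:32 1103216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\avgtray.exe" [2009-02-01 14:33:06 1601304]
"nwiz"="nwiz.exe" - C:\WINDOWS\system32\nwiz.exe [2009-01-15 13:19:00 1657376]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Linc\\uTorrent\\uTorrent.exe"=

Contents of the 'Scheduled Tasks' folder
2008-03-06 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job
- C:\Games\SpeedUpMyPC 3\SpeedUpMyPC.exe [2008-03-06 18:11:32 . 2008-01-29 14:46:08]
"""

# A drive-letter or %windir% path ending in an executable/driver extension.
# Lines are matched one at a time so a path never runs across a line break.
PATH_RE = re.compile(r'((?:[A-Za-z]:|%windir%)[^"\[\]]*?\.(?:exe|dll|sys))', re.IGNORECASE)

# Locations from which autostart entries are expected on a stock XP box.
# Assumption of this example; tune it for the machine under review.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

# Name fragments the analyst above singles out: P2P clients and cracked software.
WATCH_WORDS = ("torrent", "azureus", "limewire", "crack", "serial")

def extract_paths(log):
    """Return executable paths; doubled backslashes in firewall entries are collapsed."""
    paths = []
    for line in log.splitlines():
        m = PATH_RE.search(line)
        if m:
            paths.append(m.group(1).replace("\\\\", "\\"))
    return paths

def is_trusted_location(path):
    """True when the path sits under one of TRUSTED_PREFIXES (%windir% expanded)."""
    p = path.lower().replace("%windir%", "c:\\windows")
    return p.startswith(TRUSTED_PREFIXES)

def triage(log):
    """Return (path, reason) for every entry that deserves a closer look."""
    findings = []
    for path in extract_paths(log):
        reasons = []
        if not is_trusted_location(path):
            reasons.append("runs from outside Windows/Program Files")
        if any(w in path.lower() for w in WATCH_WORDS):
            reasons.append("P2P or crack-related name")
        if reasons:
            findings.append((path, "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG):
        print(f"{path}\n    -> {reason}")
```

A location check like this is a prioritisation aid, not a verdict: a vendor tool installed under C:\Games is legitimate, and malware can sit under Program Files. What it does is put the entries an analyst would ask about first (the download-manager and P2P clients here) at the top of the list.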
Old 04-27-2009, 01:00 AM   #6 (permalink)
Analyst, Security Team
 
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,286
OS: Windows 7 Premium x64


Re: Popup infection

Hi there

Things are looking much better this time around. Still a little bit of work to do though....

Your Adobe Acrobat Reader is out of date. Older versions have vulnerabilities that malware can use to infect your system.
There is a newer version of Adobe Acrobat Reader available.
  • Please go to this link Adobe Acrobat Reader Download Link
  • Click Download
  • On the right Untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
  • Click the Continue button
  • Click Run, and click Run again
  • Next click the Install Now button and follow the on screen prompts

When the installation is complete go to Add/Remove Programs and uninstall all previous versions.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "JRE 6 Update 13."
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove the following versions of Java.

    J2SE Runtime Environment 5.0 Update 4
    J2SE Runtime Environment 5.0 Update 5

    Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

================================================

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote:
File::
C:\Documents and Settings\Lincoln Bartlett\My Documents\Downloads\Programs\fileutil.exe
C:\Documents and Settings\Lincoln Bartlett\Desktop\desktop2\TSF\programs\setupxv.exe

Folder::
C:\VundoFix Backups

Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^Lincoln Bartlett^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

================================================

I notice that you have Malwarebytes Antimalware (MBAM) installed. I want you to run a scan for me.
First I want you to update MBAM so we have the latest definitions onboard:
  • Please open Malwarebytes Antimalware.
  • Now click on the Update tab.
  • Next, click on the Check for updates button.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
================================================

Please post back with:
The log from MBAM
The log from combofix

Also update me on how things are running now....
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
sjb007 is offline  
04-27-2009, 01:27 PM   #7
lrb190, Registered User
Join Date: Sep 2008
Posts: 14
OS: XP

Re: Popup infection

I have installed the new Adobe, uninstalled the old Java and installed the new one, and attached the two logs. Thank you for the continued help.


ComboFix 09-04-27.02 - Lincoln Bartlett 04/27/2009 14:44.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2512 [GMT -4:00]
Running from: c:\documents and settings\Lincoln Bartlett\Desktop\desktop2\TSF\ComboFix.exe
Command switches used :: c:\documents and settings\Lincoln Bartlett\Desktop\desktop2\TSF\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point

FILE ::
c:\documents and settings\Lincoln Bartlett\Desktop\desktop2\TSF\programs\setupxv.exe
c:\documents and settings\Lincoln Bartlett\My Documents\Downloads\Programs\fileutil.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Lincoln Bartlett\My Documents\Downloads\Programs\fileutil.exe
C:\VundoFix Backups

.
((((((((((((((((((((((((( Files Created from 2009-05-27 to 2009-4-27 )))))))))))))))))))))))))))))))
.

2009-04-27 18:39 . 2009-04-27 18:38 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-27 13:06 . 2009-04-27 13:06 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-27 12:59 . 2009-04-27 12:59 -------- d-----w c:\documents and settings\Lincoln Bartlett\Local Settings\Application Data\NOS
2009-04-27 12:58 . 2009-04-27 13:05 -------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-04-27 12:58 . 2009-04-27 12:58 -------- d-----w c:\program files\NOS
2009-04-24 18:29 . 2009-04-24 18:29 -------- d-----w c:\documents and settings\Lincoln Bartlett\Application Data\Malwarebytes
2009-04-24 18:29 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-24 18:29 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-24 18:29 . 2009-04-24 18:29 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-24 18:08 . 2009-04-24 18:09 -------- d-----w c:\documents and settings\Lincoln Bartlett\Application Data\Antispyware
2009-04-15 09:35 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 09:35 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 09:35 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 09:35 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 09:35 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 09:35 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 09:35 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 09:35 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 09:35 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 09:35 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 09:35 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-01 03:00 . 2009-04-01 03:00 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-30 03:40 . 2009-03-30 03:40 -------- d-----w c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-30 03:40 . 2009-03-30 03:40 -------- d-----w c:\program files\iTunes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-27 18:38 . 2005-06-30 19:28 -------- d-----w c:\program files\Java
2009-04-27 13:51 . 2009-01-29 02:56 -------- d-----w c:\program files\dl_Cats
2009-04-27 13:06 . 2005-02-01 07:46 -------- d-----w c:\program files\Common Files\Adobe
2009-04-27 13:05 . 2005-06-25 02:02 -------- d-----w c:\program files\Acrobat 6.0
2009-04-24 16:38 . 2005-06-26 16:41 -------- d-----w c:\program files\Lx_cats
2009-04-23 19:54 . 2008-12-31 02:17 -------- d-----w c:\program files\UltimateBet
2009-04-22 07:30 . 2008-09-30 02:41 -------- d-----w c:\program files\AVG
2009-04-07 00:47 . 2008-03-07 21:36 138584 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-04-07 00:47 . 2008-03-07 21:36 189672 ----a-w c:\windows\system32\PnkBstrB.exe
2009-04-01 00:04 . 2005-08-28 21:57 -------- d-----w c:\program files\Common Files\AOL
2009-03-30 03:40 . 2007-10-27 18:59 -------- d-----w c:\program files\Common Files\Apple
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 03:04 . 2009-03-06 03:04 -------- d-----w c:\program files\PDFTK Builder
2009-03-06 03:01 . 2009-03-06 03:01 -------- d-----w c:\program files\FoxIt
2009-03-06 02:49 . 2009-03-06 02:49 -------- d-----w c:\program files\GPLGS
2009-03-06 02:48 . 2009-03-06 02:48 -------- d-----w c:\program files\Acro Software
2009-03-05 15:23 . 2009-03-05 15:23 -------- d-----w c:\program files\PDF to Word
2009-03-01 22:33 . 2009-03-01 22:32 -------- d-----w c:\program files\Website Copier
2009-02-20 08:10 . 2004-08-04 12:00 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2004-08-04 12:00 81920 ----a-w c:\windows\system32\ieencode.dll
2009-02-11 20:31 . 2008-03-07 21:36 70968 ----a-w c:\windows\system32\PnkBstrA.exe
2009-02-09 12:10 . 2004-08-04 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2004-08-04 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2004-08-04 12:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2004-08-04 12:00 56832 ----a-w c:\windows\system32\secur32.dll
2009-02-01 14:33 . 2008-09-30 02:41 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-02-01 14:33 . 2008-09-30 02:41 107272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-02-01 14:33 . 2008-09-30 02:41 325128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-01-28 05:49 . 2009-01-28 05:49 87040 ----a-w c:\windows\system32\P2BDAO.DLL
2009-01-28 05:49 . 2009-01-28 05:49 1846784 ----a-w c:\windows\system32\CRPE32.DLL
2008-04-07 04:01 . 2008-04-07 04:01 0 -c--a-w c:\program files\temp01
2008-04-04 22:24 . 2008-04-04 22:24 774144 ----a-w c:\program files\RngInterstitial.dll
2005-07-28 04:38 . 2005-07-28 04:38 513648 ----a-w c:\program files\msgr6suite.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-04-26_16.24.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-27 18:25 . 2009-04-27 18:25 16384 c:\windows\temp\Perflib_Perfdata_678.dat
+ 2009-04-27 18:39 . 2009-04-27 18:39 16384 c:\windows\temp\Perflib_Perfdata_4f4.dat
+ 2009-04-27 18:39 . 2009-04-27 18:38 148888 c:\windows\system32\javaws.exe
+ 2009-04-27 18:39 . 2009-04-27 18:38 144792 c:\windows\system32\javaw.exe
+ 2009-04-27 18:39 . 2009-04-27 18:38 144792 c:\windows\system32\java.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\games\nVidia\nTune\nTuneCmd.exe" [2008-04-11 110592]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"igndlm.exe"="c:\linc\Programs\FilePlanet\Download Manager\dlm.exe" [2008-08-01 1103216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"EVGAPrecision"="c:\program files\EVGA Precision\EVGAPrecision.exe" [2008-10-27 240656]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-06 177472]
"AVG8_TRAY"="c:\progra~1\AVG\avgtray.exe" [2009-02-01 1601304]
"DLCDCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll" [2006-02-24 73728]
"LXCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll" [2005-01-10 69632]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-27 148888]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-01-15 1657376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 05:34 24576 ----a-w c:\program files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-01 14:33 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=c:\windows\pss\Kodak software updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"StarWindService"=2 (0x2)
"InCDsrv"=2 (0x2)
"StyleXPService"=2 (0x2)
"SavRoam"=3 (0x3)
"MDM"=2 (0x2)
"IDriverT"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)
"AdobeActiveFileMonitor4.0"=2 (0x2)
"TapiSrv"=2 (0x2)
"SamSs"=2 (0x2)
"seclogon"=2 (0x2)
"mnmsrvc"=3 (0x3)
"helpsvc"=2 (0x2)
"HTTPFilter"=3 (0x3)
"ERSvc"=2 (0x2)
"wuauserv"=2 (0x2)
"aspnet_state"=3 (0x3)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"lxcc_device"=3 (0x3)
"LexBceS"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"WMP54GSSVC"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Games\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Games\\Gears of War\\New Folder\\Gears of War\\Binaries\\WarGame-G4WLive.exe"=
"c:\\Games\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Games\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\Games\\Assassins Creed\\AssassinsCreed_Dx9.exe"=
"c:\\Games\\Assassins Creed\\AssassinsCreed_Dx10.exe"=
"c:\\Games\\Assassins Creed\\AssassinsCreed_Launcher.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\avgemc.exe"=
"c:\\Program Files\\AVG\\avgupd.exe"=
"c:\\Linc\\uTorrent\\uTorrent.exe"=
"c:\\Games\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Games\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Games\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\Games\\Chess Master\\game.exe"=
"c:\\WINDOWS\\system32\\dlcdcoms.exe"=
"c:\\Games\\Mirror's Edge\\Binaries\\MirrorsEdge.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Games\\Activision\\World at War\\CoDWaW.exe"=
"c:\\Games\\Activision\\World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"28960:TCP"= 28960:TCP:COD4 Port
"28960:UDP"= 28960:UDP:COD4
"20656:TCP"= 20656:TCP:BitCometBeta 20656 TCP
"20656:UDP"= 20656:UDP:BitCometBeta 20656 UDP

R2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2008-07-09 26488]
R3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-03-03 33176]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-02-01 325128]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-02-01 107272]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\avgemc.exe [2009-02-01 903960]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\avgwdsvc.exe [2009-02-01 298264]
S2 dlcd_device;dlcd_device;c:\windows\system32\dlcdcoms.exe [2007-01-17 538096]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - JAVAQUICKSTARTERSERVICE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c6259276-fd5f-11dc-a578-0012179dc057}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-04-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2008-03-06 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
- c:\games\SpeedUpMyPC 3\SpeedUpMyPC.exe [2008-03-06 14:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.alienware.com/Mothership?Comp=AWC&SysCode=PC-AREA51-5500-R1&ai=636E3D33313933343526706F3D504F2D33333634343241
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.accoona.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Lincoln Bartlett\Application Data\Mozilla\Firefox\Profiles\fvr9e4wo.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\AVG\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Lincoln Bartlett\Application Data\Mozilla\Firefox\Profiles\fvr9e4wo.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\games\GeForce 8800GT\DivX\DivX Content Uploader\npUpload.dll
FF - plugin: c:\games\GeForce 8800GT\DivX\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: c:\games\GeForce 8800GT\DivX\DivX Web Player\npdivx32.dll
FF - plugin: c:\linc\Programs\FilePlanet\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npstrlnk.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: c:\program files\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: c:\program files\RealPlayer\Netscape6\nprpjplug.dll
.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCDCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
LXCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3530250525-1830962744-1483249069-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:f3,4c,ad,d2,1d,5c,bd,fd,35,de,36,20,12,e7,14,74,54,73,f3,41,31,2d,93,
7a,4e,39,77,68,4d,c6,7d,d6,6f,78,5f,24,84,de,60,5a,99,1c,60,8b,d4,2e,37,09,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-3530250525-1830962744-1483249069-1005\Software\SecuROM\License information*]
"datasecu"=hex:d1,3c,86,ab,be,63,c3,bc,5a,5f,f0,ab,cf,33,fa,de,62,3a,32,e3,c9,
ae,6f,f5,08,f1,85,00,fd,5c,0b,e5,13,2c,d7,65,c6,43,38,77,44,02,72,ee,11,b3,\
"rkeysecu"=hex:ff,93,25,b3,a9,97,52,be,12,02,5a,06,5a,07,f9,66
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(808)
c:\program files\AlienGUIse\fastload.dll
.
Completion time: 2009-04-27 14:47
ComboFix-quarantined-files.txt 2009-04-27 18:47
ComboFix2.txt 2009-04-26 19:58
ComboFix3.txt 2009-04-26 16:25
ComboFix4.txt 2008-10-14 00:00

Pre-Run: 14,593,863,680 bytes free
Post-Run: 14,651,711,488 bytes free

270 --- E O F --- 2009-04-16 07:04
Attached Files
File Type: txt log.txt (17.3 KB, 2 views)
File Type: txt mbam-log-2009-04-27 (15-26-01).txt (1.7 KB, 2 views)
lrb190 is offline  
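The analyst checks a ComboFix run by reading the "Other Deletions" section of the returned log against the CFScript he posted in #6. The following is an added Python example (not part of this thread and not ComboFix's own code) that does that comparison; it assumes only the CFScript section layout and the log banners visible in posts #6 and #7, and its sample script and log are constructed from those two posts.

```python
"""Cross-check a ComboFix CFScript against the post-fix ComboFix.txt log.

Added example, not part of this thread and not ComboFix's own code. It relies
only on the two formats visible in the thread: CFScript sections such as
"File::", "Folder::" and "Registry::" with one entry per line, and a ComboFix
log whose "Other Deletions" section lists what the tool actually removed.
"""
import re

# A CFScript section header is a bare word followed by "::" (File::, Folder::, ...)
SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")
# ComboFix wraps its section titles in long runs of parentheses
BANNER_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")

# Constructed sample script, taken from the CFScript the analyst posted in #6.
SAMPLE_CFSCRIPT = r"""
File::
C:\Documents and Settings\Lincoln Bartlett\My Documents\Downloads\Programs\fileutil.exe
C:\Documents and Settings\Lincoln Bartlett\Desktop\desktop2\TSF\programs\setupxv.exe

Folder::
C:\VundoFix Backups

Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^Lincoln Bartlett^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
"""

# Constructed sample log, abridged from the ComboFix.txt the user posted in #7.
SAMPLE_LOG = r"""
ComboFix 09-04-27.02 - Lincoln Bartlett 04/27/2009 14:44.4 - NTFSx86
Command switches used :: c:\documents and settings\Lincoln Bartlett\Desktop\desktop2\TSF\CFScript.txt

FILE ::
c:\documents and settings\Lincoln Bartlett\Desktop\desktop2\TSF\programs\setupxv.exe
c:\documents and settings\Lincoln Bartlett\My Documents\Downloads\Programs\fileutil.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Lincoln Bartlett\My Documents\Downloads\Programs\fileutil.exe
C:\VundoFix Backups

.
((((((((((((((((((((((((( Files Created from 2009-05-27 to 2009-4-27 )))))))))))))))))))))))))))))))
.

2009-04-27 18:39 . 2009-04-27 18:38 410984 ----a-w c:\windows\system32\deploytk.dll
"""


def parse_cfscript(text):
    """Return {section: [entries]} for a CFScript; section names are lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1).lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_combofix_log(text):
    """Return {banner title: [lines]} for a ComboFix log, skipping blank and "." filler lines."""
    sections, current = {"preamble": []}, "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        match = BANNER_RE.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, [])
        elif line and line != ".":
            sections[current].append(line)
    return sections


def normalize(path):
    """ComboFix echoes paths in lower case; compare case-insensitively, ignoring a trailing backslash."""
    return path.strip().rstrip("\\").lower()


def verify_fix(cfscript_text, log_text):
    """Split the script's File::/Folder:: targets into (confirmed, unconfirmed).

    Confirmed targets appear under the log's "Other Deletions". An unconfirmed
    target is not automatically a failure: as with setupxv.exe in the thread,
    it may simply no longer have existed when ComboFix ran, so it deserves a
    second look rather than a blind re-run of the same script.
    """
    script = parse_cfscript(cfscript_text)
    deleted = {normalize(p) for p in parse_combofix_log(log_text).get("Other Deletions", [])}
    confirmed, unconfirmed = [], []
    for section in ("file", "folder"):
        for target in script.get(section, []):
            (confirmed if normalize(target) in deleted else unconfirmed).append(target)
    return confirmed, unconfirmed


if __name__ == "__main__":
    done, pending = verify_fix(SAMPLE_CFSCRIPT, SAMPLE_LOG)
    for target in done:
        print("deleted    :", target)
    for target in pending:
        print("not listed :", target)
```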
04-27-2009, 02:29 PM   #8
lrb190, Registered User
Join Date: Sep 2008
Posts: 14
OS: XP

Re: Popup infection

I did a full Malwarebytes' scan and found a rogue installer. See attachment.
Attached Files
File Type: txt mbam-log-2009-04-27 (16-27-46).txt (966 Bytes, 4 views)
lrb190 is offline  
04-27-2009, 02:39 PM   #9
lrb190, Registered User
Join Date: Sep 2008
Posts: 14
OS: XP

Re: Popup infection

Additionally, I have a "Removable Disk (H:)" in My Computer that I am not sure what it is. I cannot eject it, and when I double-click it, it says "please insert a disk into Drive H:".

I also have two DVD drives: "DVD Drive (D:)" and "DVD-RW Drive (E:)" even though I only have one physical drive. I believe this one is normal, but just checking.
lrb190 is offline  
04-27-2009, 04:50 PM   #10
sjb007, Analyst, Security Team
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,286
OS: Windows 7 Premium x64

Re: Popup infection

Hi there

What MBAM found in the second log was in the System Restore, and this would have been flushed out at the end of the fix, so it would not have presented a problem. Regarding the removable disk, do you have a card reader? Also, some programs, such as disc replication/copy programs, are capable of creating a virtual disc, which can also show as a removable drive. This could also tally up with why you have two DVD drives showing.

Just one entry to take care of...

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote:
Skipfix::

File::
uSearchURL,(Default) = hxxp://www.accoona.com/search?q=%s
Folder::
Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

How are things running now? Any more problems to report.......
sjb007 is offline  
04-27-2009, 10:26 PM   #11
lrb190, Registered User
Join Date: Sep 2008
Posts: 14
OS: XP

Re: Popup infection

I have attached the new combofix log. Things are running much smoother and I have no signs of infections, malware, or foul-play! Thank you so much for your help, I would never have solved this alone. Finally, I am hoping to optimize some of my services and disable unnecessary ones. Is it possible to receive that help on this forum or elsewhere? I read the sticky about 'System Running Slow?' but could not get definite answers on which services I could get rid of.
Attached Files
File Type: txt log.txt (18.6 KB, 2 views)
lrb190 is offline  
04-28-2009, 12:51 AM   #12
sjb007, Analyst, Security Team
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,286
OS: Windows 7 Premium x64

Re: Popup infection

Hi there

Regarding the disabling of system services - try running through Black Viper's guide here: Black Viper's Windows XP x86 (32-bit) Service Pack 3 Service Configurations. It has the options of safe/tweaked/bare bones configurations along with the defaults, should you choose to reset them.

Just one reg entry that has decided to make an appearance to take care of with combofix...

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote:
RegLock::
[HKEY_USERS\S-1-5-21-3530250525-1830962744-1483249069-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

Apart from that just a spot of updating to do....

Your Adobe Acrobat Reader is out of date. Older versions have vulnerabilities that malware can use to infect your system.
There is a newer version of Adobe Acrobat Reader available.
  • Please go to this link Adobe Acrobat Reader Download Link
  • Click Download
  • On the right Untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
  • Click the Continue button
  • Click Run, and click Run again
  • Next click the Install Now button and follow the on screen prompts

When the installation is complete go to Add/Remove Programs and uninstall all previous versions.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "JRE 6 Update 13."
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove the following versions of Java.

    J2SE Runtime Environment 5.0 Update 4
    J2SE Runtime Environment 5.0 Update 5

    Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

IMPORTANT
Let's tidy up after ourselves

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

Now that you appear to be free from malware lets help you stay that way!

Update Windows on a regular basis - If you do not have automatic updates enabled, then visit Microsoft's Update Page and update your computer from there.
Update your virus checker on a regular basis - It is no use having a virus checker with out-of-date definitions.
Keep an eye on your firewall. Check what it wants to allow; do not simply allow everything. If there are any processes that you are unsure of, then don't be afraid to ask for advice. For more information on firewalls read this article here

Make your Internet Explorer more secure - This can be done by following these simple instructions:

Open Internet Explorer, click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

Safer Browsing
Use software such as Trendprotect or Sitehound to help you stay away from unsuspecting sites that have malicious purposes.
Use Spywareblaster to help prevent the installation of unwanted BHOs (Browser Helper Objects)

Use an alternative browser
Other browsers tend to be more secure than IE as they do not make use of ActiveX objects; ActiveX objects can be used by spyware as an infection point on your computer. Safer non-ActiveX browsers include Opera browser and, more recently, Firefox browser.

Computer Maintenance
Malware can breed in temporary locations. Use a program such as ccleaner slim to clear out temporary files on your computer on a regular basis.

Scan your computer regularly for malware
Scan on a regular basis to keep your computer clean; free software such as Spybot's Search & Destroy and Adaware 2007 Free by Lavasoft can help you keep clear. These products are scan-on-demand and do not have active background scanning. These two products can be installed together without any complications.

Other alternative software that runs under licence and monitors your computer continuously in the background for malware is Malwarebytes Anti-Malware (MBAM). Please note that this product can also be run free without a licence, but the background protection will not be active.

Secure your router
Change your router's default username and password; do not leave it at the factory preset, as doing so makes it easy for unauthorised access.

Encrypt your network. Set your wireless network encryption to a minimum level of WPA-PSK [TKIP]. This will help prevent any unauthorised users "piggybacking" onto your network and stealing your bandwidth, which you have rightly paid for.

I have included some security-related articles that I advise you to read through in your own time. These articles will give you tips and advice on preventing malware, and on how to stay safe whilst browsing the internet.

-> So How Did I Get Infected In First Place - By TonyKlein
-> How to prevent Malware - By miekiemoes
-> I'm not pulling your leg, honest - By Sandi Hardmeier

**Kindly respond one more time and let me know if we may consider this thread resolved.
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
sjb007 is offline  
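The Internet Explorer "Custom Level" steps in the post above are stored as per-user registry values, so they can be audited without clicking through the dialog. The script below is an added example, not code from sjb007's post or from the forum. It assumes the numeric value names (1001, 1004, 1201, 1800, 1804, 1607) that Microsoft documents for Internet Explorer security-zone settings, that zone 3 is the Internet zone, and that the DWORD values 0, 1 and 3 correspond to the Enable, Prompt and Disable radio buttons; the function names are my own.

```powershell
# Added example (not from the thread): audit the six Internet-zone settings
# recommended in the post by reading the per-user registry values behind
# IE's Custom Level dialog. Assumptions: zone 3 = Internet zone, and the
# value-name-to-setting mapping below follows Microsoft's documentation of
# IE security-zone registry entries.

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Registry value name -> dialog label and the state the post recommends
$Recommended = @(
    @{ Name = '1001'; Label = 'Download signed ActiveX controls';                         Want = 'Prompt'  },
    @{ Name = '1004'; Label = 'Download unsigned ActiveX controls';                       Want = 'Disable' },
    @{ Name = '1201'; Label = 'Initialise and script ActiveX controls not marked as safe'; Want = 'Disable' },
    @{ Name = '1800'; Label = 'Installation of desktop items';                            Want = 'Prompt'  },
    @{ Name = '1804'; Label = 'Launching programs and files in an IFRAME';                Want = 'Prompt'  },
    @{ Name = '1607'; Label = 'Navigate sub-frames across different domains';             Want = 'Prompt'  }
)

# The dialog's three radio buttons map to these DWORD values
$StateByValue = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$ValueByState = @{ 'Enable' = 0; 'Prompt' = 1; 'Disable' = 3 }

function Get-IeZoneSetting {
    # Returns the DWORD for one zone value, or $null if the value is absent
    param([string]$Name)
    $item = Get-ItemProperty -Path $ZonePath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-IeInternetZone {
    # Without -Apply this only reports; with -Apply it sets non-compliant
    # values to the recommended state (same effect as the Custom Level dialog).
    param([switch]$Apply)
    foreach ($s in $Recommended) {
        $current = Get-IeZoneSetting -Name $s.Name
        $state   = if ($null -eq $current) { 'not set' } else { $StateByValue[$current] }
        if ($null -eq $state) { $state = "unknown ($current)" }
        $ok = ($state -eq $s.Want)

        [pscustomobject]@{
            Setting     = $s.Label
            Current     = $state
            Recommended = $s.Want
            Compliant   = $ok
        }

        if ($Apply -and -not $ok) {
            Set-ItemProperty -Path $ZonePath -Name $s.Name -Value $ValueByState[$s.Want] -Type DWord
        }
    }
}

# Report only; run in the session of the user whose IE profile is being checked:
Test-IeInternetZone | Format-Table -AutoSize
# To change non-compliant values to the post's recommendations:  Test-IeInternetZone -Apply
```

Two caveats when reading the report: the values live under HKCU, so the script has to run as the user whose profile is in question, and a machine-wide policy under HKLM (Group Policy) can override a per-user value, so a "Compliant" row shows what the dialog would display for that user, not necessarily what is enforced.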
Old 05-02-2009, 04:23 PM   #13
Registered User
 
Join Date: Sep 2008
Posts: 14
OS: XP


Re: Popup infection

I attached the last combofix log (not sure if you wanted to see it). The system is running incredibly better, and I cannot thank you enough for your hard work, help and dedication. I may have been forced to purchase a new system if I didn't have your assistance. I will work hard to avoid this problem in the future!

Thank you!
Attached Files
File Type: txt log.txt (16.2 KB, 3 views)
lrb190 is offline  
Copyright 2001 - 2009, Tech Support Forum