|
|
|
|
|||||
|
|
|
|
|
|
|||
| Welcome
to Tech Support Forum home to more then 136,000 problems solved. Issues
have included: Spyware, Malware, Virus Issues, Windows, Microsoft,
Linux, Networking, Security, Hardware, and Gaming Getting your
problem solved is as easy as: 1. Registering for a free account 2. Asking your question 3. Receiving an answer Registered members: * See fewer ads. * And much more..
|
| Want to know how to post a question? click here | Having problems with spyware and pop-ups? First Steps |
|
|||||||
| Resolved HJT Threads Resolved spyware and popup issues. |
|
|
LinkBack | Thread Tools |
07-25-2007, 07:11 AM
|
#1 (permalink) |
|
Registered User
Join Date: Jul 2007
Posts: 86
OS: WinXP
|
Popup ads starting to show on my laptop
I'm afraid my computer is infected with some pretty bad spyware. I ran spybot, but it was unable to remove all of the problems on my computer. I still get frequent popups while I am online.
The following is my DSS log: Deckard's System Scanner v20070711.54 Run by husko on 2007-07-25 at 08:53:03 Computer is in Normal Mode. -------------------------------------------------------------------------------- -- System Restore -------------------------------------------------------------- Successfully created a Deckard's System Scanner Restore Point. -- Last 5 Restore Point(s) -- 87: 2007-07-25 12:53:23 UTC - RP521 - Deckard's System Scanner Restore Point 86: 2007-07-25 06:45:58 UTC - RP520 - System Checkpoint 85: 2007-07-24 06:21:35 UTC - RP519 - System Checkpoint 84: 2007-07-23 06:13:35 UTC - RP518 - System Checkpoint 83: 2007-07-22 00:37:08 UTC - RP517 - System Checkpoint -- First Restore Point -- 1: 2007-04-27 05:58:33 UTC - RP435 - System Checkpoint Backed up registry hives. Performed disk cleanup. -- HijackThis Clone ------------------------------------------------------------ Emulating logfile of HijackThis v1.99.1 Scan saved at 2007-07-25 08:54:56 Platform: Windows XP Service Pack 2 (5.01.2600) MSIE: Internet Explorer (6.00.2900.2180) Running processes: C:\WINDOWS\system32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\WLTRYSVC.EXE C:\WINDOWS\system32\BCMWLTRY.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\BAsfIpM.exe C:\Program Files\Bradford Networks\Client Security Agent\bnpagent.exe C:\Program Files\Bluetooth\Bluetooth Software\bin\btwdins.exe C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\system32\ati2evxx.exe C:\WINDOWS\explorer.exe C:\Program Files\Apoint\Apoint.exe C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Java\j2re1.4.2_03\bin\jucheck.exe C:\WINDOWS\system32\WLTRAY.EXE C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\VPTray.exe C:\Program Files\Apoint\ApntEx.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\AIM\aim.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\??stem\services.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\WINDOWS\??stem32\fast.exe C:\Program Files\Bluetooth\Bluetooth Software\BTTray.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Documents and Settings\Husko\Desktop\dss.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/ R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://aimtoday.aol.com/segmentation...97&service=AIM R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {333A13A9-8369-889A-4B66-8B8DB126D3CA} - C:\WINDOWS\system32\rxlv.dll O2 - BHO: (no name) - {7D53A523-15A2-44F4-8F33-45AB380E8559} - C:\WINDOWS\system32\vturs.dll O2 - BHO: (no name) - {A0DCD109-AF10-4CC9-BE40-E00739555DF6} - C:\Program Files\Internet Explorer\sademoxu83122.dll O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - C:\WINDOWS\system32\yayvvuv.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [Tair] "C:\PROGRA~1\COMMON~1\STEM~1\services.exe" -vt yazb O4 - HKCU\..\Run: [Nnxszate] C:\WINDOWS\??stem32\fast.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Bluetooth.lnk = C:\Program Files\Bluetooth\Bluetooth Software\BTTray.exe O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Bluetooth\Bluetooth Software\btsendto_ie_ctx.htm O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra 'Tools' menuitem: (no name) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Send To Bluetooth - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Bluetooth\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: Send To &Bluetooth - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Bluetooth\Bluetooth Software\btsendto_ie.htm O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab O17 - HKLM\Software\..\Telephony: DomainName = susqu.edu O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: Domain = susqu.edu O17 - HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: Domain = susqu.edu O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: Domain = susqu.edu O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll O20 - Winlogon Notify: vturs - C:\WINDOWS\system32\vturs.dll O20 - Winlogon Notify: yayvvuv - C:\WINDOWS\system32\yayvvuv.dll O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\BAsfIpM.exe O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Bluetooth\Bluetooth Software\bin\btwdins.exe O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - "C:\Program Files\iPod\bin\iPodService.exe" O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe %SystemRoot%\System32\bcmwltry.exe -- File Associations ----------------------------------------------------------- All associations okay. -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------- R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Inc; OMCI Driver> R1 SbcpHid - c:\windows\system32\drivers\sbcphid.sys R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3> R2 BTSERIAL (Bluetooth Serial Driver) - c:\windows\system32\drivers\btserial.sys <Not Verified; Broadcom Corporation.; Bluetooth Software 4.0.1.2900> R2 BTSLBCSP (Bluetooth Port Client Driver) - c:\windows\system32\drivers\btslbcsp.sys <Not Verified; Broadcom Corporation.; Bluetooth Software 4.0.1.2900> R3 Appdrv - c:\program files\dell\nicconfigsvc\appdrv.sys <Not Verified; Dell Inc; Application Driver> R3 Pcouffin (Low level access layer for CD devices) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine> S3 TnIDriver - c:\docume~1\husko\locals~1\temp\tni284.tmp (file missing) -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled -------------------- R2 BAsfIpM (Broadcom ASF IP monitoring service v6.0.4) - c:\windows\system32\basfipm.exe <Not Verified; Broadcom Corp.; Broadcom ASF IP monitoring service> R2 NICCONFIGSVC - c:\program files\dell\nicconfigsvc\nicconfigsvc.exe <Not Verified; Dell Inc.; NicConfigSvc> -- Scheduled Tasks ------------------------------------------------------------- 2007-07-25 00:40:32 406 --a------ C:\WINDOWS\Tasks\Pareto UNS.job -- Files created between 2007-06-25 and 2007-07-25 ----------------------------- 2007-07-25 01:24:27 8576 --a------ C:\WINDOWS\system32\drivers\fkskekiimsws.sys <Not Verified; Panda Software International; RKPavProc Driver> 2007-07-25 01:15:29 0 d-------- C:\WINDOWS\system32\ActiveScan 2007-07-25 01:15:26 0 d-------- C:\WINDOWS\LastGood 2007-07-25 00:40:24 0 d-------- C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Spyware 2007-07-25 00:40:11 0 d-------- C:\Program Files\ParetoLogic 2007-07-25 00:23:27 0 d-------- C:\Program Files\Enigma Software Group 2007-07-24 21:34:10 6466 ---hs---- C:\WINDOWS\system32\srutv.bak1 2007-07-24 21:33:30 228960 --a------ C:\WINDOWS\system32\vturs.dll 2007-07-24 21:30:36 2 --a------ C:\WINDOWS\system32\wnstssv32.exe 2007-07-24 21:30:06 0 d-------- C:\Program Files\Outerinfo 2007-07-24 21:30:05 0 d-------- C:\WINDOWS\??stem32 2007-07-24 21:29:54 60928 --a------ C:\WINDOWS\system32\rxlv.dll 2007-07-24 21:28:36 0 d-------- C:\WINDOWS\system32\T7 2007-07-24 21:28:36 0 d-------- C:\WINDOWS\system32\T11 2007-07-24 21:28:35 0 d-------- C:\WINDOWS\system32\T5 2007-07-24 21:28:35 0 d-------- C:\WINDOWS\system32\T3 2007-07-24 21:28:34 0 d-------- C:\WINDOWS\system32\win 2007-07-24 21:28:34 0 d-------- C:\WINDOWS\system32\T1 2007-07-24 21:28:31 0 d-------- C:\Program Files\Common Files\??stem 2007-07-24 21:28:30 39424 --a------ C:\WINDOWS\retadpu572.exe 2007-07-24 21:27:59 0 d-------- C:\WINDOWS\system32\b02FdUe 2007-07-24 21:27:58 31254 -----n--- C:\WINDOWS\system32\yayvvuv.dll 2007-07-05 20:15:58 0 d-------- C:\CloneDVDTemp 2007-07-05 20:11:33 0 d-------- C:\Documents and Settings\Husko\Application Data\SlySoft 2007-07-05 20:11:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Elaborate Bytes 2007-07-05 20  52 0 d-------- C:\Documents and Settings\All Users\Application Data\SlySoft2007-07-05 20 37 0 d-------- C:\Program Files\CloneDVD22007-07-05 17:59:32 0 d-------- C:\Program Files\AnyDVD 2007-07-05 17:30:25 0 d-------- C:\Documents and Settings\Husko\Application Data\Elaborate Bytes 2007-07-05 16:51:43 0 d-------- C:\DVDburner -- Find3M Report --------------------------------------------------------------- 2007-07-25 02:08:47 0 d-------- C:\Program Files\Microsoft AntiSpyware 2007-07-25 02:08:18 0 d-------- C:\Program Files\iTunes 2007-07-25 02:07:22 0 d-------- C:\Program Files\Common Files\??stem 2007-07-25 02:04:28 0 d-------- C:\Program Files\Apoint 2007-07-25 02:04:24 0 d-------- C:\Program Files\AIM 2007-07-25 01:11:38 0 d-------- C:\Program Files\Viewpoint 2007-07-24 21:29:55 0 d-------- C:\Program Files\Online Services 2007-06-27 17:31:45 0 d-------- C:\Program Files\Starcraft 2007-06-08 01:20:35 0 d-------- C:\Program Files\LimeWire -- Registry Dump --------------------------------------------------------------- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll {333A13A9-8369-889A-4B66-8B8DB126D3CA} C:\WINDOWS\system32\rxlv.dll {7D53A523-15A2-44F4-8F33-45AB380E8559} C:\WINDOWS\system32\vturs.dll {A0DCD109-AF10-4CC9-BE40-E00739555DF6} C:\Program Files\Internet Explorer\sademoxu83122.dll {DCD53738-C4F9-414A-A03C-C7405A4AC844} C:\WINDOWS\system32\yayvvuv.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "Apoint"="C:\\Program Files\\Apoint\\Apoint.exe" "SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe" "ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe" "Dell Wireless Manager UI"="C:\\WINDOWS\\system32\\WLTRAY" "DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\"" "dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe" "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\"" "vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe" "gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\"" "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] "AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl" "Tair"="\"C:\\PROGRA~1\\COMMON~1\\STEM~1\\services.exe\" -vt yazb" "Nnxszate"="C:\\WINDOWS\\??stem32\\fast.exe" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{9EF34FF2-3396-4527-9D27-04C8C1C67806}"="Microsoft AntiSpyware Service Hook" "{DCD53738-C4F9-414A-A03C-C7405A4AC844}"="" HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vturs HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayvvuv HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa Authentication Packages REG_MULTI_SZ msv1_0\0\0 Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0 Notification Packages REG_MULTI_SZ scecli\0\0 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 *newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_FKSKEKIIMSWS *newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_RKPAVPROC *newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_SDTHOOK Any help with this problem would be greatly appreciated. Thank you. Last edited by Husko; 07-25-2007 at 07:13 AM. |
|
     |
| Important Information |
|
Join the #1 Tech Support Forum Today - It's Totally Free!
TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free. Join TechSupportforum.com Today - Click Here |
|
07-25-2007, 05:21 PM
|
#2 (permalink) |
|
Security Team (ret.)
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,404
OS: XP Pro SP3
|
Re: Popup ads starting to show on my laptop
Hi and welcome...
Lets start with this...... Please download VundoFix.exe to your desktop.
Follow that by doing this..... Download this file : http://www.techsupportforum.com/sect...s/ComboFix.exe Double click combofix.exe & follow the prompts. When finished, it shall produce a log for you. Post that log and a HiJack log in your next reply Note: Do not mouseclick combofix's window while its running. That may cause it to stall
__________________
Eddy Last edited by Pancake; 07-25-2007 at 05:32 PM. |
|
|
|
|
07-25-2007, 05:58 PM
|
#3 (permalink) |
|
Registered User
Join Date: Jul 2007
Posts: 86
OS: WinXP
|
Re: Popup ads starting to show on my laptop
I would just like to say I greatly appreciate all help with the situation. Vundofix had to restart and run again in order to delete two of the files, but it seemed to have no problem on the restart as evidenced by the log at the end of the post. Here are my logs.
Combofix: "husko" - 2007-07-25 19:38:45 [GMT -4:00] - ComboFix 07-07-24 - Service Pack 2 NTFS ADS removed - system32: deleted 5392 bytes in 1 streams. (((((((((((((((((((((((((((((((((((((((((((( V Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\system32\yayvvuv.dll C:\WINDOWS\system32\yayvvuv.dll * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\Program Files\Common Files\stem~1 C:\Program Files\Common Files\stem~1\services.exe C:\Program Files\Internet Explorer\sademoxu83122.dll C:\Program Files\outerinfo C:\Program Files\outerinfo\Terms.rtf C:\WINDOWS\retadpu572.exe C:\WINDOWS\stem32~1 C:\WINDOWS\stem32~1\fast.exe C:\WINDOWS\system32\b02FdUe C:\WINDOWS\system32\b02FdUe\b02FdUe1065.exe C:\WINDOWS\system32\drivers\fad.sys C:\WINDOWS\system32\rxlv.dll C:\WINDOWS\system32\T1 C:\WINDOWS\system32\T1\kmhp83122.exe C:\WINDOWS\system32\T11 C:\WINDOWS\system32\T3 C:\WINDOWS\system32\T5 C:\WINDOWS\system32\T7 C:\WINDOWS\system32\win C:\WINDOWS\system32\wnstssv32.exe C:\WINDOWS\system32\wviikids.exe C:\WINDOWS\wr.txt ((((((((((((((((((((((((( Files Created from 2007-06-25 to 2007-07-25 ))))))))))))))))))))))))))))))) 2007-07-25 19:40 6,506 --ahs---- C:\WINDOWS\system32\rqtwa.bak1 2007-07-25 19:40 228,960 --a------ C:\WINDOWS\system32\awtqr.dll 2007-07-25 19:37 51,200 --a------ C:\WINDOWS\nircmd.exe 2007-07-25 19:26 <DIR> d-------- C:\VundoFix Backups 2007-07-25 09:36 126,016 --a------ C:\WINDOWS\system32\rhgekies.dll 2007-07-25 08:52 <DIR> d-------- C:\Deckard 2007-07-25 01:24 8,576 --a------ C:\WINDOWS\system32\drivers\fkskekiimsws.sys 2007-07-25 01:15 <DIR> d-------- C:\WINDOWS\system32\ActiveScan 2007-07-25 00:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ParetoLogic Anti-Spyware 2007-07-25 00:23 <DIR> d-------- C:\Program Files\Enigma Software Group 2007-07-24 21:28 <DIR> d-------- C:\temp\0c2 2007-07-24 21:27 <DIR> d-------- C:\temp\brr 2007-07-05 20:15 <DIR> d-------- C:\CloneDVDTemp 2007-07-05 20:11 <DIR> d-------- C:\DOCUME~1\Husko\APPLIC~1\SlySoft 2007-07-05 20:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Elaborate Bytes 2007-07-05 20:06 <DIR> d-------- C:\Program Files\CloneDVD2 2007-07-05 20:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SlySoft 2007-07-05 17:59 <DIR> d-------- C:\Program Files\AnyDVD 2007-07-05 17:30 <DIR> d-------- C:\DOCUME~1\Husko\APPLIC~1\Elaborate Bytes 2007-07-05 16:58 <DIR> d-------- C:\temp\dvdbackup 2007-07-05 16:51 <DIR> d-------- C:\DVDburner (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-07-25 23:48:20 -------- d-----w C:\Program Files\Microsoft AntiSpyware 2007-07-25 23:36:08 -------- d-----w C:\Program Files\Online Services 2007-07-25 06:08:18 -------- d-----w C:\Program Files\iTunes 2007-07-25 06:04:28 -------- d-----w C:\Program Files\Apoint 2007-07-25 06:04:24 -------- d-----w C:\Program Files\AIM 2007-07-25 05:11:38 -------- d-----w C:\Program Files\Viewpoint 2007-06-27 21:31:45 -------- d-----w C:\Program Files\Starcraft 2007-06-22 13:54:49 99,904 ----a-w C:\WINDOWS\system32\drivers\AnyDVD.sys 2007-06-20 21:08:56 93,128 ----a-w C:\WINDOWS\system32\ElbyCDIO.dll 2007-06-08 05:20:35 -------- d-----w C:\Program Files\LimeWire 2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll 2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24BC6AF5-EA3F-451D-8D9B-5BE27D30ED09}] 2007-07-25 19:40 228960 --a------ C:\WINDOWS\system32\awtqr.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7D53A523-15A2-44F4-8F33-45AB380E8559}] C:\WINDOWS\system32\vturs.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 17:33] "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 18:48] "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-01-11 13:45] "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 09:04] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-05-04 18:21] "vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 02:21] "gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2005-07-12 16:35] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-06 01:42] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 15:35] "Tair"="C:\PROGRA~1\COMMON~1\STEM~1\services.exe" [] "Nnxszate"="C:\WINDOWS\??stem32\fast.exe" [] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06] Bluetooth.lnk - C:\Program Files\Bluetooth\Bluetooth Software\BTTray.exe [2005-09-19 17:02:54] EPSON Status Monitor 3 Environment Check.lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE [2000-09-17 22:04:00] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqr] C:\WINDOWS\system32\awtqr.dll 2007-07-25 19:40 228960 C:\WINDOWS\system32\awtqr.dll R1 ElbyCDIO;ElbyCDIO Driver;C:\WINDOWS\system32\Drivers\ElbyCDIO.sys R1 SbcpHid;SbcpHid;\??\C:\WINDOWS\system32\Drivers\SbcpHid.sys R1 sscdbhk5;sscdbhk5;C:\WINDOWS\system32\drivers\sscdbhk5.sys R1 ssrtln;ssrtln;C:\WINDOWS\system32\drivers\ssrtln.sys R2 BASFND;BASFND;\??\C:\WINDOWS\system32\Drivers\BASFND.sys R2 BNPagent;Client Security Agent;"C:\Program Files\Bradford Networks\Client Security Agent\bnpagent.exe" R2 BTSERIAL;Bluetooth Serial Driver;\??\C:\WINDOWS\system32\drivers\btserial.sys R2 BTSLBCSP;Bluetooth Port Client Driver;\??\C:\WINDOWS\system32\drivers\btslbcsp.sys R2 drvnddm;drvnddm;C:\WINDOWS\system32\drivers\drvnddm.sys R2 NAVAPEL;NAVAPEL;\??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS R2 tfsnboio;tfsnboio;C:\WINDOWS\system32\dla\tfsnboio.sys R2 tfsncofs;tfsncofs;C:\WINDOWS\system32\dla\tfsncofs.sys R2 tfsndrct;tfsndrct;C:\WINDOWS\system32\dla\tfsndrct.sys R2 tfsndres;tfsndres;C:\WINDOWS\system32\dla\tfsndres.sys R2 tfsnifs;tfsnifs;C:\WINDOWS\system32\dla\tfsnifs.sys R2 tfsnopio;tfsnopio;C:\WINDOWS\system32\dla\tfsnopio.sys R2 tfsnpool;tfsnpool;C:\WINDOWS\system32\dla\tfsnpool.sys R2 tfsnudf;tfsnudf;C:\WINDOWS\system32\dla\tfsnudf.sys R2 tfsnudfa;tfsnudfa;C:\WINDOWS\system32\dla\tfsnudfa.sys R3 AnyDVD;AnyDVD;C:\WINDOWS\system32\Drivers\AnyDVD.sys R3 Appdrv;Appdrv;\??\C:\Program Files\Dell\NICCONFIGSVC\Appdrv.sys R3 ElbyDelay;ElbyDelay;C:\WINDOWS\system32\Drivers\ElbyDelay.sys R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys R3 HSFHWICH;HSFHWICH;C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys R3 NAVAP;NAVAP;\??\C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAP.sys R3 Pcouffin;Low level access layer for CD devices;C:\WINDOWS\system32\Drivers\Pcouffin.sys S2 Fax;Fax;C:\WINDOWS\system32\fxssvc.exe S3 BTWDNDIS;Bluetooth LAN Access Server;C:\WINDOWS\system32\DRIVERS\btwdndis.sys S3 E100B;Intel(R) PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys S3 TnIDriver;TnIDriver;\??\C:\DOCUME~1\Husko\LOCALS~1\Temp\tni284.tmp S4 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys Contents of the 'Scheduled Tasks' folder 2007-07-25 04:40:32 C:\WINDOWS\tasks\Pareto UNS.job ************************************************************************** catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-07-25 19:47:37 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden registry entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-07-25 19:51:06 - machine was rebooted C:\ComboFix-quarantined-files.txt ... 2007-07-25 19:50 --- E O F --- My Hijackthis log: Deckard's System Scanner v20070711.54 Run by husko on 2007-07-25 at 19:53:53 Computer is in Normal Mode. -------------------------------------------------------------------------------- -- HijackThis (run as husko.exe) ----------------------------------------------- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 19:54, on 2007-07-25 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\basfipm.exe C:\Program Files\Bradford Networks\Client Security Agent\bnpagent.exe C:\Program Files\Bluetooth\Bluetooth Software\bin\btwdins.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Apoint\Apoint.exe C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe C:\Program Files\Java\j2re1.4.2_03\bin\jucheck.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\Program Files\iTunes\iTunesHelper.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\Program Files\Apoint\Apntex.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\AIM\aim.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Bluetooth\Bluetooth Software\BTTray.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINDOWS\system32\notepad.exe C:\Documents and Settings\Husko\Desktop\dss.exe C:\PROGRA~1\TRENDM~1\HIJACK~1\husko.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://aimtoday.aol.com/segmentation...97&service=AIM O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {24BC6AF5-EA3F-451D-8D9B-5BE27D30ED09} - C:\WINDOWS\system32\awtqr.dll O2 - BHO: (no name) - {7D53A523-15A2-44F4-8F33-45AB380E8559} - C:\WINDOWS\system32\vturs.dll (file missing) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [Tair] "C:\PROGRA~1\COMMON~1\STEM~1\services.exe" -vt yazb O4 - HKCU\..\Run: [Nnxszate] C:\WINDOWS\??stem32\fast.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Bluetooth.lnk = ? O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Bluetooth\Bluetooth Software\btsendto_ie_ctx.htm O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Bluetooth\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Bluetooth\Bluetooth Software\btsendto_ie.htm O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = susqu.edu O17 - HKLM\Software\..\Telephony: DomainName = susqu.edu O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = susqu.edu O20 - Winlogon Notify: awtqr - C:\WINDOWS\system32\awtqr.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe O23 - Service: Client Security Agent (BNPagent) - Bradford Networks - C:\Program Files\Bradford Networks\Client Security Agent\bnpagent.exe O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Bluetooth\Bluetooth Software\bin\btwdins.exe O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe -- End of file - 5795 bytes -- Files created between 2007-06-25 and 2007-07-25 ----------------------------- 2007-07-25 19:54:13 0 d-------- C:\Program Files\Trend Micro 2007-07-25 19:40:22 6506 --ahs---- C:\WINDOWS\system32\rqtwa.bak1 2007-07-25 19:40:10 228960 --a------ C:\WINDOWS\system32\awtqr.dll 2007-07-25 19:26:13 0 d-------- C:\VundoFix Backups 2007-07-25 09:36:45 126016 --a------ C:\WINDOWS\system32\rhgekies.dll 2007-07-25 01:24:27 8576 --a------ C:\WINDOWS\system32\drivers\fkskekiimsws.sys <Not Verified; Panda Software International; RKPavProc Driver> 2007-07-25 01:15:29 0 d-------- C:\WINDOWS\system32\ActiveScan 2007-07-25 00:40:24 0 d-------- C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Spyware 2007-07-25 00:23:27 0 d-------- C:\Program Files\Enigma Software Group 2007-07-05 20:15:58 0 d-------- C:\CloneDVDTemp 2007-07-05 20:11:33 0 d-------- C:\Documents and Settings\Husko\Application Data\SlySoft 2007-07-05 20:11:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Elaborate Bytes 2007-07-05 20 52 0 d-------- C:\Documents and Settings\All Users\Application Data\SlySoft2007-07-05 20 37 0 d-------- C:\Program Files\CloneDVD22007-07-05 17:59:32 0 d-------- C:\Program Files\AnyDVD 2007-07-05 17:30:25 0 d-------- C:\Documents and Settings\Husko\Application Data\Elaborate Bytes 2007-07-05 16:51:43 0 d-------- C:\DVDburner -- Find3M Report --------------------------------------------------------------- 2007-07-25 19:48:20 0 d-------- C:\Program Files\Microsoft AntiSpyware 2007-07-25 19:36:08 0 d-------- C:\Program Files\Online Services 2007-07-25 02:08:18 0 d-------- C:\Program Files\iTunes 2007-07-25 02:04:28 0 d-------- C:\Program Files\Apoint 2007-07-25 02:04:24 0 d-------- C:\Program Files\AIM 2007-07-25 01:11:38 0 d-------- C:\Program Files\Viewpoint 2007-06-27 17:31:45 0 d-------- C:\Program Files\Starcraft 2007-06-08 01:20:35 0 d-------- C:\Program Files\LimeWire -- Registry Dump --------------------------------------------------------------- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll {24BC6AF5-EA3F-451D-8D9B-5BE27D30ED09} C:\WINDOWS\system32\awtqr.dll {7D53A523-15A2-44F4-8F33-45AB380E8559} C:\WINDOWS\system32\vturs.dll [x] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "Apoint"="C:\\Program Files\\Apoint\\Apoint.exe" "SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe" "ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe" "DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\"" "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\"" "vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe" "gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\"" "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] "AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl" "Tair"="\"C:\\PROGRA~1\\COMMON~1\\STEM~1\\services.exe\" -vt yazb" "Nnxszate"="C:\\WINDOWS\\??stem32\\fast.exe" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{9EF34FF2-3396-4527-9D27-04C8C1C67806}"="Microsoft AntiSpyware Service Hook" HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqr HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa Authentication Packages REG_MULTI_SZ msv1_0\0\0 Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0 Notification Packages REG_MULTI_SZ scecli\0\0 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 *newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_CATCHME -- End of Deckard's System Scanner: finished at 2007-07-25 at 19:55:26 --------- And finally my vundofix text: VundoFix V6.5.6 Checking Java version... Java version is 1.4.2.3 Old versions of java are exploitable and should be removed. Scan started at 7:26:13 PM 7/25/2007 Listing files found while scanning.... C:\windows\system32\hwaqenej.exe C:\windows\system32\owqqtowa.dll C:\WINDOWS\system32\srutv.bak1 C:\WINDOWS\system32\srutv.bak2 C:\WINDOWS\system32\srutv.ini C:\WINDOWS\system32\vturs.dll C:\windows\system32\xjaibldo.exe Beginning removal... Attempting to delete C:\windows\system32\hwaqenej.exe C:\windows\system32\hwaqenej.exe Could not be deleted. Attempting to delete C:\windows\system32\owqqtowa.dll C:\windows\system32\owqqtowa.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\srutv.bak1 C:\WINDOWS\system32\srutv.bak1 Has been deleted! Attempting to delete C:\WINDOWS\system32\srutv.bak2 C:\WINDOWS\system32\srutv.bak2 Has been deleted! Attempting to delete C:\WINDOWS\system32\srutv.ini C:\WINDOWS\system32\srutv.ini Has been deleted! Attempting to delete C:\WINDOWS\system32\vturs.dll C:\WINDOWS\system32\vturs.dll Has been deleted! Attempting to delete C:\windows\system32\xjaibldo.exe C:\windows\system32\xjaibldo.exe Could not be deleted. Performing Repairs to the registry. Done! Beginning removal... Attempting to delete C:\windows\system32\hwaqenej.exe C:\windows\system32\hwaqenej.exe Has been deleted! Attempting to delete C:\windows\system32\xjaibldo.exe C:\windows\system32\xjaibldo.exe Has been deleted! Performing Repairs to the registry. Done! Once again I thank you for your help in this matter. Last edited by Husko; 07-25-2007 at 06:03 PM. |
|
|
|
|
07-25-2007, 06:23 PM
|
#4 (permalink) |
|
Security Team (ret.)
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,404
OS: XP Pro SP3
|
Re: Popup ads starting to show on my laptop
Run HJT and remove these entries from the log then reboot..
O2 - BHO: (no name) - {24BC6AF5-EA3F-451D-8D9B-5BE27D30ED09} - C:\WINDOWS\system32\awtqr.dll O2 - BHO: (no name) - {7D53A523-15A2-44F4-8F33-45AB380E8559} - C:\WINDOWS\system32\vturs.dll (file missing) O4 - HKCU\..\Run: [Tair] "C:\PROGRA~1\COMMON~1\STEM~1\services.exe" -vt yazb O4 - HKCU\..\Run: [Nnxszate] C:\WINDOWS\??stem32\fast.exe O20 - Winlogon Notify: awtqr - C:\WINDOWS\system32\awtqr.dll It is very important to keep Sun Java up to date to help avoid exploitation by malware . The current version is Java Runtime Environment (JRE) 6.0 Download the latest version of Java Runtime Environment (JRE) 6.0 . Remove all prior versions using Add/Remove Programs, and delete the Java folder in Program Files. Click the link to download the Windows (Offline Installation) package: Save it, do not run it. When the download is complete, close the browser. Proceed with reinstalling Java. Reboot. Post a new log when done and that should finish it..... 
__________________
Eddy |
|
|
|
|
07-25-2007, 06:36 PM
|
#5 (permalink) |
|
Registered User
Join Date: Jul 2007
Posts: 86
OS: WinXP
|
Re: Popup ads starting to show on my laptop
O2 - BHO: (no name) - {24BC6AF5-EA3F-451D-8D9B-5BE27D30ED09} - C:\WINDOWS\system32\awtqr.dll
O2 - BHO: (no name) - {7D53A523-15A2-44F4-8F33-45AB380E8559} - C:\WINDOWS\system32\vturs.dll (file missing) O20 - Winlogon Notify: awtqr - C:\WINDOWS\system32\awtqr.dll Those did not show up in my Hijackthis log. Should I still proceed removing the other files? |
|
|
|
|
07-25-2007, 08:26 PM
|
#7 (permalink) |
|
Security Team (ret.)
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,404
OS: XP Pro SP3
|
Re: Popup ads starting to show on my laptop
Just to make sure the other files are gone....
Download http://download.bleepingcomputer.com...a/ComboFix.exe and save it to your desktop. **Note: It is important that it is saved directly to your desktop** -------------------------------------------------------------------- Close any open browsers. -------------------------------------------------------------------- Double click on combofix.exe & follow the prompts. When finished, it will produce a report for you. Please include the C:\ComboFix.txt in your next reply. Note: Do not mouseclick combofix's window while it's running. That may cause it to stall
__________________
Eddy |
|
|
|
|
07-25-2007, 08:56 PM
|
#8 (permalink) |
|
Registered User
Join Date: Jul 2007
Posts: 86
OS: WinXP
|
Re: Popup ads starting to show on my laptop
I'm afraid I'm still getting popups for WinAntivirus every now and then in IE. It redirects me to a new site. Combofix also did not reset my clock back to normal. Also, every time I open a new IE window, the toolbar at the bottom disappears momentarily. I'm not sure if any of that is relevant as of now. I'm just trying to give as much information as possible.
Thank you for your continued help. Deckard's System Scanner v20070711.54 Run by husko on 2007-07-25 at 22:52:21 Computer is in Normal Mode. -------------------------------------------------------------------------------- -- HijackThis (run as husko.exe) ----------------------------------------------- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 22:52, on 2007-07-25 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\basfipm.exe C:\Program Files\Bradford Networks\Client Security Agent\bnpagent.exe C:\Program Files\Bluetooth\Bluetooth Software\bin\btwdins.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Apoint\Apoint.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\Program Files\iTunes\iTunesHelper.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe C:\Program Files\AIM\aim.exe C:\Program Files\Apoint\Apntex.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\Program Files\Bluetooth\Bluetooth Software\BTTray.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINDOWS\system32\vmyfwrkk.exe C:\WINDOWS\system32\tvqqgjgj.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Documents and Settings\Husko\Desktop\dss.exe C:\PROGRA~1\TRENDM~1\HIJACK~1\husko.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://aimtoday.aol.com/segmentation...97&service=AIM O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {36F29252-D3DE-4259-A742-9E4FF16803A5} - C:\WINDOWS\system32\awtqr.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O2 - BHO: (no name) - {7D53A523-15A2-44F4-8F33-45AB380E8559} - C:\WINDOWS\system32\vturs.dll (file missing) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Bluetooth.lnk = ? O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Bluetooth\Bluetooth Software\btsendto_ie_ctx.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Bluetooth\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Bluetooth\Bluetooth Software\btsendto_ie.htm O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = susqu.edu O17 - HKLM\Software\..\Telephony: DomainName = susqu.edu O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = susqu.edu O20 - Winlogon Notify: awtqr - C:\WINDOWS\system32\awtqr.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe O23 - Service: Client Security Agent (BNPagent) - Bradford Networks - C:\Program Files\Bradford Networks\Client Security Agent\bnpagent.exe O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Bluetooth\Bluetooth Software\bin\btwdins.exe O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe -- End of file - 6059 bytes -- Files created between 2007-06-25 and 2007-07-25 ----------------------------- 2007-07-25 22:50:47 4672 --a------ C:\WINDOWS\system32\tvqqgjgj.exe 2007-07-25 22:50:46 4672 --a------ C:\WINDOWS\system32\vmyfwrkk.exe 2007-07-25 22:47:46 66112 --a------ C:\WINDOWS\system32\lsievahk.exe 2007-07-25 20:58:35 126016 --a------ C:\WINDOWS\system32\wiobkoqo.dll 2007-07-25 19:54:13 0 d-------- C:\Program Files\Trend Micro 2007-07-25 19:40:10 228960 --a------ C:\WINDOWS\system32\awtqr.dll 2007-07-25 19:26:13 0 d-------- C:\VundoFix Backups 2007-07-25 09:36:45 126016 --a------ C:\WINDOWS\system32\rhgekies.dll 2007-07-25 01:24:27 8576 --a------ C:\WINDOWS\system32\drivers\fkskekiimsws.sys <Not Verified; Panda Software International; RKPavProc Driver> 2007-07-25 01:15:29 0 d-------- C:\WINDOWS\system32\ActiveScan 2007-07-25 00:40:24 0 d-------- C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Spyware 2007-07-25 00:23:27 0 d-------- C:\Program Files\Enigma Software Group 2007-07-05 20:15:58 0 d-------- C:\CloneDVDTemp 2007-07-05 20:11:33 0 d-------- C:\Documents and Settings\Husko\Application Data\SlySoft 2007-07-05 20:11:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Elaborate Bytes 2007-07-05 20 52 0 d-------- C:\Documents and Settings\All Users\Application Data\SlySoft2007-07-05 20 37 0 d-------- C:\Program Files\CloneDVD22007-07-05 17:59:32 0 d-------- C:\Program Files\AnyDVD 2007-07-05 17:30:25 0 d-------- C:\Documents and Settings\Husko\Application Data\Elaborate Bytes 2007-07-05 16:51:43 0 d-------- C:\DVDburner -- Find3M Report --------------------------------------------------------------- 2007-07-25 22:46:10 0 d-------- C:\Program Files\Microsoft AntiSpyware 2007-07-25 22:27:33 0 d-------- C:\Program Files\Java 2007-07-25 19:36:08 0 d-------- C:\Program Files\Online Services 2007-07-25 02:08:18 0 d-------- C:\Program Files\iTunes 2007-07-25 02:04:28 0 d-------- C:\Program Files\Apoint 2007-07-25 02:04:24 0 d-------- C:\Program Files\AIM 2007-07-25 01:11:38 0 d-------- C:\Program Files\Viewpoint 2007-06-27 17:31:45 0 d-------- C:\Program Files\Starcraft -- Registry Dump --------------------------------------------------------------- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll {36F29252-D3DE-4259-A742-9E4FF16803A5} C:\WINDOWS\system32\awtqr.dll {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll {7D53A523-15A2-44F4-8F33-45AB380E8559} C:\WINDOWS\system32\vturs.dll [x] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "Apoint"="C:\\Program Files\\Apoint\\Apoint.exe" "ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe" "DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\"" "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\"" "vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe" "gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\"" "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.6.0_02\\bin\\jusched.exe" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] "AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{9EF34FF2-3396-4527-9D27-04C8C1C67806}"="Microsoft AntiSpyware Service Hook" HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqr HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa Authentication Packages REG_MULTI_SZ msv1_0\0\0 Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0 Notification Packages REG_MULTI_SZ scecli\0\0 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 -- End of Deckard's System Scanner: finished at 2007-07-25 at 22:53:13 --------- "husko" - 2007-07-25 22:38:29 [GMT -4:00] - ComboFix 07-07-24.5 - Service Pack 2 NTFS * Created a new restore point (((((((((((((((((((((((((((((((((((((((((((( V Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\system32\enpigrrn.exe C:\WINDOWS\system32\hfepdrbw.exe C:\WINDOWS\system32\kvugygls.exe C:\WINDOWS\system32\maghlnfo.exe C:\WINDOWS\system32\nadaafft.exe C:\WINDOWS\system32\sqxuewor.exe C:\WINDOWS\system32\xlyprhcu.exe C:\WINDOWS\system32\ralveddc.dll C:\WINDOWS\system32\wxyccgvt.dll C:\WINDOWS\system32\rqtwa.bak1 C:\WINDOWS\system32\rqtwa.bak2 C:\WINDOWS\system32\rqtwa.ini C:\WINDOWS\system32\rqtwa.ini2 C:\WINDOWS\system32\rqtwa.tmp * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\system32\bcdgbyfo.exe C:\WINDOWS\system32\bsiafggg.exe C:\WINDOWS\system32\dhdmhbuy.exe C:\WINDOWS\system32\eundlmmd.exe C:\WINDOWS\system32\evjtwmmp.exe C:\WINDOWS\system32\ggbafvuv.exe C:\WINDOWS\system32\hrwcpyqd.exe C:\WINDOWS\system32\jbnldiiv.exe C:\WINDOWS\system32\jcjlfxht.exe C:\WINDOWS\system32\klbibcsg.exe C:\WINDOWS\system32\koapomng.exe C:\WINDOWS\system32\lxfsumau.exe C:\WINDOWS\system32\unhwmwhw.exe C:\WINDOWS\system32\utirncdr.exe C:\WINDOWS\system32\uyiyurxq.exe C:\WINDOWS\system32\vtgdgvtw.exe ((((((((((((((((((((((((( Files Created from 2007-06-26 to 2007-07-26 ))))))))))))))))))))))))))))))) 2007-07-25 20:58 126,016 --a------ C:\WINDOWS\system32\wiobkoqo.dll 2007-07-25 19:54 <DIR> d-------- C:\Program Files\Trend Micro 2007-07-25 19:40 228,960 --a------ C:\WINDOWS\system32\awtqr.dll 2007-07-25 19:37 51,200 --a------ C:\WINDOWS\nircmd.exe 2007-07-25 19:26 <DIR> d-------- C:\VundoFix Backups 2007-07-25 09:36 126,016 --a------ C:\WINDOWS\system32\rhgekies.dll 2007-07-25 08:52 <DIR> d-------- C:\Deckard 2007-07-25 01:24 8,576 --a------ C:\WINDOWS\system32\drivers\fkskekiimsws.sys 2007-07-25 01:15 <DIR> d-------- C:\WINDOWS\system32\ActiveScan 2007-07-25 00:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ParetoLogic Anti-Spyware 2007-07-25 00:23 <DIR> d-------- C:\Program Files\Enigma Software Group 2007-07-24 21:28 <DIR> d-------- C:\temp\0c2 2007-07-24 21:27 <DIR> d-------- C:\temp\brr 2007-07-05 20:15 <DIR> d-------- C:\CloneDVDTemp 2007-07-05 20:11 <DIR> d-------- C:\DOCUME~1\Husko\APPLIC~1\SlySoft 2007-07-05 20:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Elaborate Bytes 2007-07-05 20:06 <DIR> d-------- C:\Program Files\CloneDVD2 2007-07-05 20:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SlySoft 2007-07-05 17:59 <DIR> d-------- C:\Program Files\AnyDVD 2007-07-05 17:30 <DIR> d-------- C:\DOCUME~1\Husko\APPLIC~1\Elaborate Bytes 2007-07-05 16:58 <DIR> d-------- C:\temp\dvdbackup 2007-07-05 16:51 <DIR> d-------- C:\DVDburner (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-07-26 02:46:10 -------- d-----w C:\Program Files\Microsoft AntiSpyware 2007-07-25 23:36:08 -------- d-----w C:\Program Files\Online Services 2007-07-25 06:08:18 -------- d-----w C:\Program Files\iTunes 2007-07-25 06:04:28 -------- d-----w C:\Program Files\Apoint 2007-07-25 06:04:24 -------- d-----w C:\Program Files\AIM 2007-07-25 05:11:38 -------- d-----w C:\Program Files\Viewpoint 2007-06-27 21:31:45 -------- d-----w C:\Program Files\Starcraft 2007-06-22 13:54:49 99,904 ----a-w C:\WINDOWS\system32\drivers\AnyDVD.sys 2007-06-20 21:08:56 93,128 ----a-w C:\WINDOWS\system32\ElbyCDIO.dll 2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{36F29252-D3DE-4259-A742-9E4FF16803A5}] 2007-07-25 19:40 228960 --a------ C:\WINDOWS\system32\awtqr.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7D53A523-15A2-44F4-8F33-45AB380E8559}] C:\WINDOWS\system32\vturs.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 17:33] "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-01-11 13:45] "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 09:04] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-05-04 18:21] "vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 02:21] "gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2005-07-12 16:35] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-06 01:42] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 15:35] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06] Bluetooth.lnk - C:\Program Files\Bluetooth\Bluetooth Software\BTTray.exe [2005-09-19 17:02:54] EPSON Status Monitor 3 Environment Check.lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE [2000-09-17 22:04:00] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqr] C:\WINDOWS\system32\awtqr.dll 2007-07-25 19:40 228960 C:\WINDOWS\system32\awtqr.dll R1 ElbyCDIO;ElbyCDIO Driver;C:\WINDOWS\system32\Drivers\ElbyCDIO.sys R1 SbcpHid;SbcpHid;\??\C:\WINDOWS\system32\Drivers\SbcpHid.sys R1 sscdbhk5;sscdbhk5;C:\WINDOWS\system32\drivers\sscdbhk5.sys R1 ssrtln;ssrtln;C:\WINDOWS\system32\drivers\ssrtln.sys R2 BASFND;BASFND;\??\C:\WINDOWS\system32\Drivers\BASFND.sys R2 BNPagent;Client Security Agent;"C:\Program Files\Bradford Networks\Client Security Agent\bnpagent.exe" R2 BTSERIAL;Bluetooth Serial Driver;\??\C:\WINDOWS\system32\drivers\btserial.sys R2 BTSLBCSP;Bluetooth Port Client Driver;\??\C:\WINDOWS\system32\drivers\btslbcsp.sys R2 drvnddm;drvnddm;C:\WINDOWS\system32\drivers\drvnddm.sys R2 NAVAPEL;NAVAPEL;\??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS R2 tfsnboio;tfsnboio;C:\WINDOWS\system32\dla\tfsnboio.sys R2 tfsncofs;tfsncofs;C:\WINDOWS\system32\dla\tfsncofs.sys R2 tfsndrct;tfsndrct;C:\WINDOWS\system32\dla\tfsndrct.sys R2 tfsndres;tfsndres;C:\WINDOWS\system32\dla\tfsndres.sys R2 tfsnifs;tfsnifs;C:\WINDOWS\system32\dla\tfsnifs.sys R2 tfsnopio;tfsnopio;C:\WINDOWS\system32\dla\tfsnopio.sys R2 tfsnpool;tfsnpool;C:\WINDOWS\system32\dla\tfsnpool.sys R2 tfsnudf;tfsnudf;C:\WINDOWS\system32\dla\tfsnudf.sys R2 tfsnudfa;tfsnudfa;C:\WINDOWS\system32\dla\tfsnudfa.sys R3 AnyDVD;AnyDVD;C:\WINDOWS\system32\Drivers\AnyDVD.sys R3 Appdrv;Appdrv;\??\C:\Program Files\Dell\NICCONFIGSVC\Appdrv.sys R3 ElbyDelay;ElbyDelay;C:\WINDOWS\system32\Drivers\ElbyDelay.sys R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys R3 HSFHWICH;HSFHWICH;C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys R3 NAVAP;NAVAP;\??\C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAP.sys R3 Pcouffin;Low level access layer for CD devices;C:\WINDOWS\system32\Drivers\Pcouffin.sys S2 Fax;Fax;C:\WINDOWS\system32\fxssvc.exe S3 BTWDNDIS;Bluetooth LAN Access Server;C:\WINDOWS\system32\DRIVERS\btwdndis.sys S3 E100B;Intel(R) PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys S3 TnIDriver;TnIDriver;\??\C:\DOCUME~1\Husko\LOCALS~1\Temp\tni284.tmp S4 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys Contents of the 'Scheduled Tasks' folder 2007-07-25 04:40:32 C:\WINDOWS\tasks\Pareto UNS.job ************************************************************************** catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-07-25 22:45:08 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden registry entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-07-25 22:49:25 - machine was rebooted C:\ComboFix-quarantined-files.txt ... 2007-07-25 22:49 C:\ComboFix2.txt ... 2007-07-25 19:51 --- E O F --- Last edited by Husko; 07-25-2007 at 09:16 PM. |
|
|
|
|
07-25-2007, 09:37 PM
|
#10 (permalink) | |
|
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,208
OS: 2000 Pro; XP Pro; XP Home
|
Re: Popup ads starting to show on my laptop
Hello Husko -
Pancake has asked me to drop in... Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. --------------------------------------------------------------------------------------------- Open notepad and copy/paste the text in the quotebox below into it: Quote:
 Refering to the picture above, drag CFScript.txt into ComboFix.exe When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply. Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis. Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file. --------------------------------------------------------------------------------------------- Next, please run a scan with HijackThis (not DSS!) and post it's log.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you.  Microsoft MVP - Consumer Security 2009
Last edited by tetonbob; 07-25-2007 at 09:39 PM. |
|
|
|
|
|
07-25-2007, 09:58 PM
|
#11 (permalink) |
|
Registered User
Join Date: Jul 2007
Posts: 86
OS: WinXP
|
Re: Popup ads starting to show on my laptop
As I will continue to reiterate, I greatly appreciate all the help and the expedient replies to my problems. I have submitted the requested file. Here are the logs.
"husko" - 2007-07-25 23:43:23 [GMT -4:00] - ComboFix 07-07-24.5 - Service Pack 2 NTFS Command switches used :: C:\Documents and Settings\Husko\Desktop\CFScript.txt * Created a new restore point (((((((((((((((((((((((((((((((((((((((((((( V Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\system32\tvqqgjgj.exe C:\WINDOWS\system32\vmyfwrkk.exe C:\WINDOWS\system32\shjytatu.dll * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\Program Files\Enigma Software Group C:\Program Files\Enigma Software Group\SpyHunter\support.log C:\temp\0c2 C:\temp\0c2\tmpFF.log C:\temp\brr C:\temp\brr\tmpZTF.log C:\WINDOWS\system32\awtqr.dll C:\WINDOWS\system32\lsievahk.exe C:\WINDOWS\system32\rhgekies.dll C:\WINDOWS\system32\tvqqgjgj.exe C:\WINDOWS\system32\vmyfwrkk.exe C:\WINDOWS\system32\wiobkoqo.dll ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) -------\LEGACY_TNIDRIVER -------\TnIDriver ((((((((((((((((((((((((( Files Created from 2007-06-26 to 2007-07-26 ))))))))))))))))))))))))))))))) 2007-07-25 22:53 126,016 --a------ C:\WINDOWS\system32\epplqtrm.dll 2007-07-25 19:54 <DIR> d-------- C:\Program Files\Trend Micro 2007-07-25 19:37 51,200 --a------ C:\WINDOWS\nircmd.exe 2007-07-25 19:26 <DIR> d-------- C:\VundoFix Backups 2007-07-25 08:52 <DIR> d-------- C:\Deckard 2007-07-25 01:24 8,576 --a------ C:\WINDOWS\system32\drivers\fkskekiimsws.sys 2007-07-25 01:15 <DIR> d-------- C:\WINDOWS\system32\ActiveScan 2007-07-25 00:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ParetoLogic Anti-Spyware 2007-07-05 20:15 <DIR> d-------- C:\CloneDVDTemp 2007-07-05 20:11 <DIR> d-------- C:\DOCUME~1\Husko\APPLIC~1\SlySoft 2007-07-05 20:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Elaborate Bytes 2007-07-05 20:06 <DIR> d-------- C:\Program Files\CloneDVD2 2007-07-05 20:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SlySoft 2007-07-05 17:59 <DIR> d-------- C:\Program Files\AnyDVD 2007-07-05 17:30 <DIR> d-------- C:\DOCUME~1\Husko\APPLIC~1\Elaborate Bytes 2007-07-05 16:58 <DIR> d-------- C:\temp\dvdbackup 2007-07-05 16:51 <DIR> d-------- C:\DVDburner (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-07-26 03:50:21 -------- d-----w C:\Program Files\Microsoft AntiSpyware 2007-07-25 23:36:08 -------- d-----w C:\Program Files\Online Services 2007-07-25 06:08:18 -------- d-----w C:\Program Files\iTunes 2007-07-25 06:04:28 -------- d-----w C:\Program Files\Apoint 2007-07-25 06:04:24 -------- d-----w C:\Program Files\AIM 2007-07-25 05:11:38 -------- d-----w C:\Program Files\Viewpoint 2007-06-27 21:31:45 -------- d-----w C:\Program Files\Starcraft 2007-06-22 13:54:49 99,904 ----a-w C:\WINDOWS\system32\drivers\AnyDVD.sys 2007-06-20 21:08:56 93,128 ----a-w C:\WINDOWS\system32\ElbyCDIO.dll 2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{36F29252-D3DE-4259-A742-9E4FF16803A5}] C:\WINDOWS\system32\awtqr.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 17:33] "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-01-11 13:45] "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 09:04] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-05-04 18:21] "vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 02:21] "gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2005-07-12 16:35] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-06 01:42] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 15:35] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06] Bluetooth.lnk - C:\Program Files\Bluetooth\Bluetooth Software\BTTray.exe [2005-09-19 17:02:54] EPSON Status Monitor 3 Environment Check.lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE [2000-09-17 22:04:00] R1 ElbyCDIO;ElbyCDIO Driver;C:\WINDOWS\system32\Drivers\ElbyCDIO.sys R1 SbcpHid;SbcpHid;\??\C:\WINDOWS\system32\Drivers\SbcpHid.sys R1 sscdbhk5;sscdbhk5;C:\WINDOWS\system32\drivers\sscdbhk5.sys R1 ssrtln;ssrtln;C:\WINDOWS\system32\drivers\ssrtln.sys R2 BASFND;BASFND;\??\C:\WINDOWS\system32\Drivers\BASFND.sys R2 BNPagent;Client Security Agent;"C:\Program Files\Bradford Networks\Client Security Agent\bnpagent.exe" R2 BTSERIAL;Bluetooth Serial Driver;\??\C:\WINDOWS\system32\drivers\btserial.sys R2 BTSLBCSP;Bluetooth Port Client Driver;\??\C:\WINDOWS\system32\drivers\btslbcsp.sys R2 drvnddm;drvnddm;C:\WINDOWS\system32\drivers\drvnddm.sys R2 NAVAPEL;NAVAPEL;\??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS R2 tfsnboio;tfsnboio;C:\WINDOWS\system32\dla\tfsnboio.sys R2 tfsncofs;tfsncofs;C:\WINDOWS\system32\dla\tfsncofs.sys R2 tfsndrct;tfsndrct;C:\WINDOWS\system32\dla\tfsndrct.sys R2 tfsndres;tfsndres;C:\WINDOWS\system32\dla\tfsndres.sys R2 tfsnifs;tfsnifs;C:\WINDOWS\system32\dla\tfsnifs.sys R2 tfsnopio;tfsnopio;C:\WINDOWS\system32\dla\tfsnopio.sys R2 tfsnpool;tfsnpool;C:\WINDOWS\system32\dla\tfsnpool.sys R2 tfsnudf;tfsnudf;C:\WINDOWS\system32\dla\tfsnudf.sys R2 tfsnudfa;tfsnudfa;C:\WINDOWS\system32\dla\tfsnudfa.sys R3 AnyDVD;AnyDVD;C:\WINDOWS\system32\Drivers\AnyDVD.sys R3 Appdrv;Appdrv;\??\C:\Program Files\Dell\NICCONFIGSVC\Appdrv.sys R3 ElbyDelay;ElbyDelay;C:\WINDOWS\system32\Drivers\ElbyDelay.sys R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys R3 HSFHWICH;HSFHWICH;C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys R3 NAVAP;NAVAP;\??\C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAP.sys R3 Pcouffin;Low level access layer for CD devices;C:\WINDOWS\system32\Drivers\Pcouffin.sys S2 Fax;Fax;C:\WINDOWS\system32\fxssvc.exe S3 BTWDNDIS;Bluetooth LAN Access Server;C:\WINDOWS\system32\DRIVERS\btwdndis.sys S3 E100B;Intel(R) PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys S4 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys Contents of the 'Scheduled Tasks' folder 2007-07-25 04:40:32 C:\WINDOWS\tasks\Pareto UNS.job ************************************************************************** catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-07-25 23:50:15 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden registry entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-07-25 23:51:29 - machine was rebooted C:\ComboFix-quarantined-files.txt ... 2007-07-25 23:51 C:\ComboFix2.txt ... 2007-07-25 22:49 C:\ComboFix3.txt ... 2007-07-25 19:51 --- E O F --- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 23:56, on 2007-07-25 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\basfipm.exe C:\Program Files\Bradford Networks\Client Security Agent\bnpagent.exe C:\Program Files\Bluetooth\Bluetooth Software\bin\btwdins.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Apoint\Apoint.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\Program Files\iTunes\iTunesHelper.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\Program Files\Apoint\Apntex.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe C:\Program Files\AIM\aim.exe C:\Program Files\Bluetooth\Bluetooth Software\BTTray.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://aimtoday.aol.com/segmentation...97&service=AIM O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {36F29252-D3DE-4259-A742-9E4FF16803A5} - C:\WINDOWS\system32\awtqr.dll (file missing) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Bluetooth.lnk = ? O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Bluetooth\Bluetooth Software\btsendto_ie_ctx.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Bluetooth\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Bluetooth\Bluetooth Software\btsendto_ie.htm O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = susqu.edu O17 - HKLM\Software\..\Telephony: DomainName = susqu.edu O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = susqu.edu O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe O23 - Service: Client Security Agent (BNPagent) - Bradford Networks - C:\Program Files\Bradford Networks\Client Security Agent\bnpagent.exe O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Bluetooth\Bluetooth Software\bin\btwdins.exe O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe -- End of file - 5752 bytes |
|
|
|
|
07-25-2007, 10:03 PM
|
#12 (permalink) | |
|
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,208
OS: 2000 Pro; XP Pro; XP Home
|
Re: Popup ads starting to show on my laptop
Thanks for the upload....let's do one more, please, we have it on the run now.
Open notepad and copy/paste the text in the quotebox below into it: Quote:
Refering to the picture above, drag CFScript.txt into ComboFix.exe When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply. Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis. Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file. --------------------------------------------------------------------------------------------- Post a new HijackThis log.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
|
|
|
|
|
|
07-25-2007, 10:12 PM
|
#13 (permalink) |
|
Registered User
Join Date: Jul 2007
Posts: 86
OS: WinXP
|
Re: Popup ads starting to show on my laptop
I can feel we it on the run just by the computer is running currently.
"husko" - 2007-07-26 0:05:00 [GMT -4:00] - ComboFix 07-07-24.5 - Service Pack 2 NTFS Command switches used :: C:\Documents and Settings\Husko\Desktop\CFScript.txt * Created a new restore point ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\system32\epplqtrm.dll ((((((((((((((((((((((((( Files Created from 2007-06-26 to 2007-07-26 ))))))))))))))))))))))))))))))) 2007-07-25 19:54 <DIR> d-------- C:\Program Files\Trend Micro 2007-07-25 19:37 51,200 --a------ C:\WINDOWS\nircmd.exe 2007-07-25 19:26 <DIR> d-------- C:\VundoFix Backups 2007-07-25 08:52 <DIR> d-------- C:\Deckard 2007-07-25 01:24 8,576 --a------ C:\WINDOWS\system32\drivers\fkskekiimsws.sys 2007-07-25 01:15 <DIR> d-------- C:\WINDOWS\system32\ActiveScan 2007-07-25 00:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ParetoLogic Anti-Spyware 2007-07-05 20:15 <DIR> d-------- C:\CloneDVDTemp 2007-07-05 20:11 <DIR> d-------- C:\DOCUME~1\Husko\APPLIC~1\SlySoft 2007-07-05 20:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Elaborate Bytes 2007-07-05 20:06 <DIR> d-------- C:\Program Files\CloneDVD2 2007-07-05 20:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SlySoft 2007-07-05 17:59 <DIR> d-------- C:\Program Files\AnyDVD 2007-07-05 17:30 <DIR> d-------- C:\DOCUME~1\Husko\APPLIC~1\Elaborate Bytes 2007-07-05 16:58 <DIR> d-------- C:\temp\dvdbackup 2007-07-05 16:51 <DIR> d-------- C:\DVDburner (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-07-26 03:50:21 -------- d-----w C:\Program Files\Microsoft AntiSpyware 2007-07-25 23:36:08 -------- d-----w C:\Program Files\Online Services 2007-07-25 06:08:18 -------- d-----w C:\Program Files\iTunes 2007-07-25 06:04:28 -------- d-----w C:\Program Files\Apoint 2007-07-25 06:04:24 -------- d-----w C:\Program Files\AIM 2007-07-25 05:11:38 -------- d-----w C:\Program Files\Viewpoint 2007-06-27 21:31:45 -------- d-----w C:\Program Files\Starcraft 2007-06-22 13:54:49 99,904 ----a-w C:\WINDOWS\system32\drivers\AnyDVD.sys 2007-06-20 21:08:56 93,128 ----a-w C:\WINDOWS\system32\ElbyCDIO.dll 2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 17:33] "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-01-11 13:45] "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 09:04] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-05-04 18:21] "vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 02:21] "gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2005-07-12 16:35] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-06 01:42] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 15:35] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06] Bluetooth.lnk - C:\Program Files\Bluetooth\Bluetooth Software\BTTray.exe [2005-09-19 17:02:54] EPSON Status Monitor 3 Environment Check.lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE [2000-09-17 22:04:00] R1 ElbyCDIO;ElbyCDIO Driver;C:\WINDOWS\system32\Drivers\ElbyCDIO.sys R1 SbcpHid;SbcpHid;\??\C:\WINDOWS\system32\Drivers\SbcpHid.sys R1 sscdbhk5;sscdbhk5;C:\WINDOWS\system32\drivers\sscdbhk5.sys R1 ssrtln;ssrtln;C:\WINDOWS\system32\drivers\ssrtln.sys R2 BASFND;BASFND;\??\C:\WINDOWS\system32\Drivers\BASFND.sys R2 BNPagent;Client Security Agent;"C:\Program Files\Bradford Networks\Client Security Agent\bnpagent.exe" R2 BTSERIAL;Bluetooth Serial Driver;\??\C:\WINDOWS\system32\drivers\btserial.sys R2 BTSLBCSP;Bluetooth Port Client Driver;\??\C:\WINDOWS\system32\drivers\btslbcsp.sys R2 drvnddm;drvnddm;C:\WINDOWS\system32\drivers\drvnddm.sys R2 NAVAPEL;NAVAPEL;\??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS R2 tfsnboio;tfsnboio;C:\WINDOWS\system32\dla\tfsnboio.sys R2 tfsncofs;tfsncofs;C:\WINDOWS\system32\dla\tfsncofs.sys R2 tfsndrct;tfsndrct;C:\WINDOWS\system32\dla\tfsndrct.sys R2 tfsndres;tfsndres;C:\WINDOWS\system32\dla\tfsndres.sys R2 tfsnifs;tfsnifs;C:\WINDOWS\system32\dla\tfsnifs.sys R2 tfsnopio;tfsnopio;C:\WINDOWS\system32\dla\tfsnopio.sys R2 tfsnpool;tfsnpool;C:\WINDOWS\system32\dla\tfsnpool.sys R2 tfsnudf;tfsnudf;C:\WINDOWS\system32\dla\tfsnudf.sys R2 tfsnudfa;tfsnudfa;C:\WINDOWS\system32\dla\tfsnudfa.sys R3 AnyDVD;AnyDVD;C:\WINDOWS\system32\Drivers\AnyDVD.sys R3 Appdrv;Appdrv;\??\C:\Program Files\Dell\NICCONFIGSVC\Appdrv.sys R3 ElbyDelay;ElbyDelay;C:\WINDOWS\system32\Drivers\ElbyDelay.sys R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys R3 HSFHWICH;HSFHWICH;C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys R3 NAVAP;NAVAP;\??\C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAP.sys R3 Pcouffin;Low level access layer for CD devices;C:\WINDOWS\system32\Drivers\Pcouffin.sys S2 Fax;Fax;C:\WINDOWS\system32\fxssvc.exe S3 BTWDNDIS;Bluetooth LAN Access Server;C:\WINDOWS\system32\DRIVERS\btwdndis.sys S3 E100B;Intel(R) PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys S4 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys Contents of the 'Scheduled Tasks' folder 2007-07-25 04:40:32 C:\WINDOWS\tasks\Pareto UNS.job ************************************************************************** catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-07-26 00 28Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden registry entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-07-26 0:07:08 C:\ComboFix-quarantined-files.txt ... 2007-07-26 00:06 C:\ComboFix2.txt ... 2007-07-25 23:51 C:\ComboFix3.txt ... 2007-07-25 22:49 --- E O F --- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 00:09, on 2007-07-26 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\basfipm.exe C:\Program Files\Bradford Networks\Client Security Agent\bnpagent.exe C:\Program Files\Bluetooth\Bluetooth Software\bin\btwdins.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Apoint\Apoint.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\Program Files\iTunes\iTunesHelper.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\Program Files\Apoint\Apntex.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe C:\Program Files\AIM\aim.exe C:\Program Files\Bluetooth\Bluetooth Software\BTTray.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\WINDOWS\explorer.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://aimtoday.aol.com/segmentation...97&service=AIM O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Bluetooth.lnk = ? O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Bluetooth\Bluetooth Software\btsendto_ie_ctx.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Bluetooth\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Bluetooth\Bluetooth Software\btsendto_ie.htm O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = susqu.edu O17 - HKLM\Software\..\Telephony: DomainName = susqu.edu O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = susqu.edu O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe O23 - Service: Client Security Agent (BNPagent) - Bradford Networks - C:\Program Files\Bradford Networks\Client Security Agent\bnpagent.exe O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Bluetooth\Bluetooth Software\bin\btwdins.exe O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe -- End of file - 5643 bytes |
|
|
|
|
07-25-2007, 10:17 PM
|
#14 (permalink) |
|
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,208
OS: 2000 Pro; XP Pro; XP Home
|
Re: Popup ads starting to show on my laptop
Hi Husko -
Thanks for that submission, more Conhook/Vundo Please let me know if the popups have abated, from your current logs, it looks like they should be. I think we've chased it down now...let's use this online scanner to look for remnants (this will take a while, please don't use your machine for anything else while the scan is running): Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner Answer Yes, when prompted to install an ActiveX component.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%. ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
|
|
|
|
|
07-25-2007, 11:34 PM
|
#16 (permalink) |
|
Registered User
Join Date: Jul 2007
Posts: 86
OS: WinXP
|
Re: Popup ads starting to show on my laptop
The scan is finally complete. Here are the results:
------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER REPORT 2007-07-26 01:30 Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600) Kaspersky Online Scanner version: 5.0.93.0 Kaspersky Anti-Virus database last update: 26/07/2007 Kaspersky Anti-Virus database records: 367888 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: false Scan Target - My Computer: C:\ D:\ Scan Statistics: Total number of scanned objects: 40380 Number of viruses found: 14 Number of infected objects: 84 Number of suspicious objects: 0 Duration of the scan process: 00:56:34 Infected Object Name / Virus Name / Last Action C:\Deckard\System Scanner\20070725195352\backup\DOCUME~1\Husko\LOCALS~1\Temp\yazzlesnet.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped C:\Deckard\System Scanner\20070725195352\backup\DOCUME~1\Husko\LOCALS~1\Temp\yazzlesnet.exe NSIS: infected - 1 skipped C:\Deckard\System Scanner\20070725195352\backup\WINDOWS\Downloaded Program Files\UWA7P_0001_N91M0809NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped C:\Documents and Settings\Husko\Application Data\Aim\tvpehlpa\saturnine2272\cert8.db Object is locked skipped C:\Documents and Settings\Husko\Application Data\Aim\tvpehlpa\saturnine2272\key3.db Object is locked skipped C:\Documents and Settings\Husko\Cookies\index.dat Object is locked skipped C:\Documents and Settings\Husko\Desktop\[4]-Submit_2007-07-25_234301.15.zip/lsievahk.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped C:\Documents and Settings\Husko\Desktop\[4]-Submit_2007-07-25_234301.15.zip ZIP: infected - 1 skipped C:\Documents and Settings\Husko\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\Husko\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\Husko\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\Husko\Local Settings\History\History.IE5\MSHist012007072620070727\index.dat Object is locked skipped C:\Documents and Settings\Husko\Local Settings\Temp\~DF5739.tmp Object is locked skipped C:\Documents and Settings\Husko\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\Husko\NTUSER.DAT Object is locked skipped C:\Documents and Settings\Husko\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\QooBox\Quarantine\C\Program Files\Internet Explorer\sademoxu83122.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.b skipped C:\QooBox\Quarantine\C\WINDOWS\retadpu572.exe.vir Infected: Trojan-Downloader.Win32.Agent.bls skipped C:\QooBox\Quarantine\C\WINDOWS\STEM32~1\fast.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped C:\QooBox\Quarantine\C\WINDOWS\system32\b02FdUe\b02FdUe1065.exe.vir Infected: Trojan-Downloader.Win32.VB.awj skipped C:\QooBox\Quarantine\C\WINDOWS\system32\bcdgbyfo.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped C:\QooBox\Quarantine\C\WINDOWS\system32\bsiafggg.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped C:\QooBox\Quarantine\C\WINDOWS\system32\dhdmhbuy.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped C:\QooBox\Quarantine\C\WINDOWS\system32\enpigrrn.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped C:\QooBox\Quarantine\C\WINDOWS\system32\eundlmmd.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped C:\QooBox\Quarantine\C\WINDOWS\system32\evjtwmmp.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped C:\QooBox\Quarantine\C\WINDOWS\system32\ggbafvuv.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped C:\QooBox\Quarantine\C\WINDOWS\system32\hfepdrbw.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped C:\QooBox\Quarantine\C\WINDOWS\system32\hrwcpyqd.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped C:\QooBox\Quarantine\C\WINDOWS\system32\jbnldiiv.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped C:\QooBox\Quarantine\C\WINDOWS\system32\jcjlfxht.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped C:\QooBox\Quarantine\C\WINDOWS\system32\klbibcsg.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped C:\QooBox\Quarantine\C\WINDOWS\system32\koapomng.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped C:\QooBox\Quarantine\C\WINDOWS\system32\kvugygls.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped C:\QooBox\Quarantine\C\WINDOWS\system32\lsievahk.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped C:\QooBox\Quarantine\C\WINDOWS\system32\lxfsumau.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped C:\QooBox\Quarantine\C\WINDOWS\system32\maghlnfo.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped C:\QooBox\Quarantine\C\WINDOWS\system32\nadaafft.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped C:\QooBox\Quarantine\C\WINDOWS\system32\ralveddc.dll.vir Infected: Trojan.Win32.BHO.bd skipped C:\QooBox\Quarantine\C\WINDOWS\system32\rxlv.dll.vir Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped C:\QooBox\Quarantine\C\WINDOWS\system32\shjytatu.dll.vir Infected: Trojan.Win32.BHO.bd skipped C:\QooBox\Quarantine\C\WINDOWS\system32\sqxuewor.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped C:\QooBox\Quarantine\C\WINDOWS\system32\T1\kmhp83122.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.TTC.b skipped C:\QooBox\Quarantine\C\WINDOWS\system32\T1\kmhp83122.exe.vir NSIS: infected - 1 skipped C:\QooBox\Quarantine\C\WINDOWS\system32\unhwmwhw.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped C:\QooBox\Quarantine\C\WINDOWS\system32\utirncdr.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped C:\QooBox\Quarantine\C\WINDOWS\system32\uyiyurxq.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped C:\QooBox\Quarantine\C\WINDOWS\system32\vtgdgvtw.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped C:\QooBox\Quarantine\C\WINDOWS\system32\wviikids.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped C:\QooBox\Quarantine\C\WINDOWS\system32\wxyccgvt.dll.vir Infected: Trojan.Win32.BHO.bd skipped C:\QooBox\Quarantine\C\WINDOWS\system32\xlyprhcu.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped C:\QooBox\Quarantine\C\WINDOWS\system32\yayvvuv.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP519\A0025399.exe Infected: Trojan-Downloader.Win32.Small.eqn skipped C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP519\A0025400.exe Infected: Trojan-Dropper.Win32.Agent.bfr skipped C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP521\A0025427.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP521\A0025428.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP521\A0025440.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP521\A0025442.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP521\A0025443.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP521\A0025444.dll Infected: not-a-virus:AdWare.Win32.TTC.b skipped C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP521\A0025446.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP521\A0025447.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.b skipped C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP521\A0025447.exe NSIS: infected - 1 skipped C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP521\A0025448.exe Infected: Trojan-Downloader.Win32.VB.awj skipped C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP521\A0025451.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP524\A0025740.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP524\A0025741.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP524\A0025742.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP524\A0025743.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP524\A0025744.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP524\A0025745.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP524\A0025746.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP524\A0025747.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP524\A0025748.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP524\A0025749.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP524\A0025750.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP524\A0025751.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP524\A0025752.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP524\A0025753.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP524\A0025754.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP524\A0025755.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP524\A0025756.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP524\A0025757.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP524\A0025758.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP524\A0025759.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP524\A0025760.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP524\A0025761.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP524\A0025762.dll Infected: Trojan.Win32.BHO.bd skipped C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP524\A0025763.dll Infected: Trojan.Win32.BHO.bd skipped C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP525\A0025866.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP525\A0025871.dll Infected: Trojan.Win32.BHO.bd skipped C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP525\A0025880.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kx skipped C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP526\change.log Object is locked skipped C:\VundoFix Backups\hwaqenej.exe.bad Infected: Trojan-Downloader.Win32.Tiny.id skipped C:\VundoFix Backups\owqqtowa.dll.bad Infected: Trojan.Win32.BHO.bd skipped C:\VundoFix Backups\xjaibldo.exe.bad Infected: Trojan-Downloader.Win32.Tiny.id skipped C:\WINDOWS\CSC\00000001 Object is locked skipped C:\WINDOWS\Debug\Netlogon.log Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\DEFAULT Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SYSTEM Object is locked skipped C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped Scan process completed. |
|
|
|
|
07-25-2007, 11:37 PM
|
#17 (permalink) |
|
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,208
OS: 2000 Pro; XP Pro; XP Home
|
Re: Popup ads starting to show on my laptop
Whilst I review this....
Popups?
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
|
|
|
|
|
07-25-2007, 11:42 PM
|
#19 (permalink) |
|
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,208
OS: 2000 Pro; XP Pro; XP Home
|
Re: Popup ads starting to show on my laptop
Excellent news. Great work.
Well done. Your logs appear clean.You should be good to go. We still have a few items to address. C:\QooBox\ is ComboFix's quarantine folder. You can safely delete it Please also delete ComboFix.exe, C:\Deckard, VundoFix.exe, and C:\VundoFix Backups C:\System Volume Information\ is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, we shall be reseting/clearing the cache in a little while. Reset hidden/system files and folders
Clear & Reset System Restore's Cache
Enable Windows Auto Update
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs if you don't have them already:
In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it. Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
|
|
|
|
|
07-25-2007, 11:46 PM
|
#20 (permalink) |
|
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,208
OS: 2000 Pro; XP Pro; XP Home
|
Re: Popup ads starting to show on my laptop
Hi Husko -
I forgot to add these files to the final deletion list: C:\Documents and Settings\Husko\Desktop\[4]-Submit_2007-07-25_234301.15.zip I don't see the other one we created....in Kaspersky log, but if it's on your system, delete it also. Once done, empty recycle bin.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
|
|
|
|
| Thread Tools | |
|
|
well done.
