Tech Support Forum - Resolved HJT Threads (Resolved spyware and popup issues)
#1
Registered User
Join Date: Jan 2008
Posts: 12
OS: xp sp2
Internet Explorer opening popup ads at random
For the past couple days IE has been opening ads at random intervals while I surf.
I've updated windows and run the following scans/cleaners:
Spybot S&D
Ad-aware
ATF Cleaner
CCleaner
AVG antivirus
AVG antispyware
Vundofix
Combofix
Superantispyware
Pandascan
After all of those and about 500 removed cookies/programs/viruses I still get random IE windows. Any help would be greatly appreciated.

Hijackthis log -

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:50:07 PM, on 1/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Kizlan\Desktop\Kizlan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemonsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-21-3699079700-3893557144-322250815-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-3699079700-3893557144-322250815-1006\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User '?')
O4 - HKUS\S-1-5-21-3699079700-3893557144-322250815-1006\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" (User '?')
O4 - HKUS\S-1-5-21-3699079700-3893557144-322250815-1006\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S (User '?')
O4 - HKUS\S-1-5-21-3699079700-3893557144-322250815-1006\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://forums.worldofwarcraft.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1200089204515
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 8535 bytes
#2
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,232
OS: Vista
Re: Internet Explorer opening popup ads at random
Hi, if you still need help, please post a fresh HijackThis log.
__________________
UNITE and ASAP since 2006
If we have helped you, please consider donating.
The past won't be able to hurt you unless you keep on looking back at it.
#3
Registered User
Join Date: Jan 2008
Posts: 12
OS: xp sp2
Re: Internet Explorer opening popup ads at random
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:22:20 PM, on 1/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Kizlan\Desktop\Kizlan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemonsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-21-3699079700-3893557144-322250815-1006\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User '?')
O4 - HKUS\S-1-5-21-3699079700-3893557144-322250815-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://forums.worldofwarcraft.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1200089204515
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{227B7B06-981F-40E2-8E59-E61C95BB4D04}: NameServer = 207.69.188.187 207.69.188.186
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7615 bytes
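Helpers in threads like this one read a HijackThis log by eye, line type by line type. As an added example (written for this page, not code from the forum or from Trend Micro's tool), the Python script below parses the R*/O* entry format and flags the lines a helper looks at first: IE start/search pages pointed away from Microsoft's defaults, BHOs whose DLL is gone, Trusted Zone additions, a NameServer override, and Run entries that give a bare file name instead of a full path. The sample log is a constructed excerpt modelled on the entries posted above, and the default-host allowlist is an assumption you would replace with your own baseline.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in HijackThis v2 format, modelled on entries quoted in
# this thread. It is a short excerpt, not the full log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemonsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O15 - Trusted Zone: http://forums.worldofwarcraft.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{227B7B06-981F-40E2-8E59-E61C95BB4D04}: NameServer = 207.69.188.187 207.69.188.186
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# Hosts that Internet Explorer 7's stock start/search pages point at.
# This allowlist is an assumption for the example; extend it with your baseline.
DEFAULT_IE_HOSTS = {"go.microsoft.com", "www.microsoft.com"}

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_entries(log_text):
    """Yield (kind, body) for every R*/O* line; header and process lines are skipped."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("kind"), m.group("body")


def triage(log_text, default_hosts=DEFAULT_IE_HOSTS):
    """Return a list of (kind, category, detail) findings that deserve a human look.

    The rules mirror what a helper scans for by eye; a finding is a prompt to
    verify the entry, not a verdict that it is malicious.
    """
    findings = []
    for kind, body in parse_entries(log_text):
        if kind in ("R0", "R1"):
            # "HKCU\...\Main,Start Page = http://host/" -> compare the host to the baseline
            setting, _, value = body.partition(" = ")
            host = urlsplit(value.strip()).hostname if value.strip() else None
            if host and host not in default_hosts:
                findings.append((kind, "ie-page-changed",
                                 f"{setting.rsplit(',', 1)[-1]} -> {host}"))
        elif kind == "O2" and body.endswith("(no file)"):
            # A BHO whose DLL no longer exists: leftover registration, safe to clean
            guid = GUID_RE.search(body)
            findings.append((kind, "orphaned-bho", guid.group(0) if guid else body))
        elif kind == "O4":
            # "[Name] command" -- a bare file name is resolved via the search path,
            # so it is worth confirming which file actually runs
            _, _, command = body.partition("] ")
            exe = command.split(" /")[0].strip('"')
            if exe and "\\" not in exe:
                findings.append((kind, "run-entry-no-path", exe))
        elif kind == "O15":
            # Trusted Zone sites get relaxed IE security; confirm the user added it
            findings.append((kind, "trusted-zone", body.partition(": ")[2]))
        elif kind == "O17":
            # DNS override: check the resolvers belong to the user's ISP
            findings.append((kind, "dns-override", " ".join(IPV4_RE.findall(body))))
    return findings


if __name__ == "__main__":
    for kind, category, detail in triage(SAMPLE_LOG):
        print(f"{kind:4} {category:20} {detail}")
```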
#4
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,232
OS: Vista
Re: Internet Explorer opening popup ads at random
Hi,
Download Deckard's System Scanner to your Desktop.
Note: You must be logged onto an account with administrator privileges.
1. Close all applications and windows.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When the scan is complete, a text file will open - main.txt.txt <<this one will be maximized and extra.txt <<this one will be minimized.
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt.txt in your next reply.
6. Please copy and paste the contents of main.txt and extra.txt to your post.

Download this tool to your desktop: http://www.uploads.ejvindh.net/rootchk.exe
Run the program. After a short time a logfile will turn up. Copy the contents of the log into the thread.
If you already have "rootchk" please delete that one & grab the above one. It is updated often.
Notice: Some security programs prevent the creation of dummy drivers with certain names. This may cause false positives. If the log of rootchk contains a lot of hidden drivers, you may want to turn off your security programs while rootchk is scanning (you should then unhook your network connection as well).
__________________
UNITE and ASAP since 2006
If we have helped you, please consider donating.
The past won't be able to hurt you unless you keep on looking back at it.
#5
Registered User
Join Date: Jan 2008
Posts: 12
OS: xp sp2
Re: Internet Explorer opening popup ads at random
Thank you so much for taking the time to help me. I had posted this problem on several boards, but didn't get a response on them.
Main.txt
--------

Deckard's System Scanner v20071014.68
Run by Kizlan on 2008-01-20 13:23:21
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Unable to create WMI object; The operation completed successfully.

Backed up registry hives.
Performed disk cleanup.

System Drive C: has 9.38 GiB (less than 15%) free.

-- HijackThis (run as Kizlan.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:24:52 PM, on 1/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Kizlan\Desktop\dss.exe
C:\DOCUME~1\Kizlan\Desktop\Kizlan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemonsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-21-3699079700-3893557144-322250815-1006\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User '?')
O4 - HKUS\S-1-5-21-3699079700-3893557144-322250815-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://forums.worldofwarcraft.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1200089204515
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7480 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

1 avg7coree - c:\windows\system32\drivers\avg7coree.sys
3 BW2NDIS5 - system32\drivers\bw2ndis5.sys (file missing)
3 catchme - c:\docume~1\kizlan\locals~1\temp\catchme.sys (file missing)
3 ElbyCDFL - c:\windows\system32\drivers\elbycdfl.sys <Not Verified; SlySoft, Inc.; CloneCD>
2 ElbyCDIO (ElbyCDIO Driver) - c:\windows\system32\drivers\elbycdio.sys <Not Verified; Elaborate Bytes AG; CDRTools>
3 keurhjbavoio - c:\windows\system32\drivers\keurhjbavoio.sys <Not Verified; Panda Software International; RKPavProc Driver>
1 NPPTNT2 - c:\windows\system32\npptnt2.sys <Not Verified; INCA Internet Co., Ltd.; nProtect NPSC Kernel Mode Driver for NT>
1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
3 Pcouffin (Low level access layer for CD devices) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
3 SDTHOOK - c:\windows\system32\drivers\sdthook.sys <Not Verified; Panda Software; Panda® Antivirus>
3 SetupSys (Conexant Setup API) - c:\windows\system32\drivers\setupsys.sys <Not Verified; Conexant; Diagnostic Interface>
3 SWMX00 (Sierra Wireless USB MUX Driver (#00)) - system32\drivers\swmx00.sys (file missing)
3 SWNC5E00 (Sierra Wireless MUX NDIS Driver (#00)) - system32\drivers\swnc5e00.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

3 MHN - c:\windows\system32\svchost.exe
3 NMIndexingService - c:\program files\common files\ahead\lib\nmindexingservice.exe
3 usprserv (User Privilege Service) - c:\windows\system32\svchost.exe

-- Device Manager: Disabled ----------------------------------------------------

Unable to create WMI object.

-- Scheduled Tasks -------------------------------------------------------------

2008-01-20 12:54:01 344 --a------ C:\WINDOWS\Tasks\HP Usg Daily.job
2006-06-12 08:30:00 256 --a------ C:\WINDOWS\Tasks\abc.job

-- Files created between 2007-12-20 and 2008-01-20 -----------------------------

2008-01-17 13:00:58 0 d-------- C:\Documents and Settings\Rifter\Application Data\Grisoft
2008-01-16 03:02:00 0 d-------- C:\WINDOWS\LastGood
2008-01-14 13:18:18 0 d-------- C:\Documents and Settings\NetworkService\Application Data\AVG7
2008-01-13 15:04:18 0 dr-h----- C:\Documents and Settings\Kizlan\Recent
2008-01-12 12:15:38 0 d-------- C:\Documents and Settings\Kizlan\Application Data\Grisoft
2008-01-12 11 20 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-12 11 11 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-01-12 11 11 0 d-------- C:\Documents and Settings\Kizlan\Application Data\SUPERAntiSpyware.com
2008-01-11 22:55:23 0 d-------- C:\Program Files\SpywareBlaster
2008-01-11 20:13:15 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2008-01-11 20:07:58 8576 --a------ C:\WINDOWS\system32\drivers\keurhjbavoio.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-01-11 19:52:37 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-01-11 19:25:51 0 d-------- C:\Documents and Settings\Kizlan\Application Data\Uniblue
2008-01-11 19 26 0 d-------- C:\Documents and Settings\Kizlan\.housecall6.6
2008-01-11 15:54:26 0 d-------- C:\VundoFix Backups
2008-01-11 15:49:16 495616 --a------ C:\WINDOWS\system32\hphmon05.exe <Not Verified; Hewlett-Packard; HP Photosmart>
2008-01-11 12:52:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-11 10:30:24 86016 --a------ C:\WINDOWS\system32\drivers\avg7coree.sys
2007-12-30 02:13:41 0 d-------- C:\Program Files\Rosetta Stone
2007-12-29 14:04:17 0 d-------- C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir

-- Find3M Report ---------------------------------------------------------------

2008-01-16 17:12:03 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-01-15 20:35:08 0 d-------- C:\Program Files\GetRight
2008-01-14 15:04:07 0 d-------- C:\Documents and Settings\Kizlan\Application Data\Canon
2008-01-12 11:05:56 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-11 22:07:34 0 d-------- C:\Program Files\MagicISO
2008-01-11 21:55:53 0 d-------- C:\Program Files\7-Zip
2008-01-11 17:02:06 0 d-------- C:\Program Files\Common Files
2007-12-30 02:14:51 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-13 11:25:35 0 d-------- C:\Program Files\WoW UI Designer
2007-12-12 21:42:09 1208 --a------ C:\drmHeader.bin
2007-12-08 15:47:38 0 d-------- C:\Program Files\Hero Editor
2007-12-08 15:47:03 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2007-12-06 16:49:07 31223 --a------ C:\WINDOWS\DIIUnin.dat
2007-12-01 06:25:45 0 d-------- C:\Documents and Settings\Kizlan\Application Data\Macromedia
2007-12-01 06:24:21 6421 --a------ C:\WINDOWS\mozver.dat
2007-11-21 22:39:40 0 d-------- C:\Program Files\DAEMON Tools

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [03/22/2005 10:20 PM C:\WINDOWS\stsystra.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [01/11/2008 04:45 PM]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 03:25 AM]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/05/2005 12:56 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [01/11/2008 04:45 PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/27/2007 11:39 AM]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [01/11/2008 04:45 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 02/27/2007 11:39 AM 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PlexTools Professional.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Plextor!\PlexTools Professional.lnk
backup=C:\WINDOWS\pss\PlexTools Professional.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
"C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
"C:\Program Files\D-Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
C:\WINDOWS\system32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetscapeClient]

[HKEY_LOCAL_MACHINE\software\microsoft\shared
tools\msconfig\startupreg\QBReminderFlash] "C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "AOL ACS"=2 (0x2) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ba2eef52-2005-11db-ab27-00038a000015}] AutoRun\command- G:\setupSNK.exe -- End of Deckard's System Scanner: finished at 2008-01-20 13:25:32 ------------ Extra.txt------------ Deckard's System Scanner v20071014.68 Extra logfile - please post this as an attachment with your post. -------------------------------------------------------------------------------- -- System Information ---------------------------------------------------------- Unable to create WMI object. Architecture: X86; Language: English Percentage of Memory in Use: 45% Physical Memory (total/avail): 1022.09 MiB / 556.41 MiB Pagefile Memory (total/avail): 2458.03 MiB / 1993.09 MiB Virtual Memory (total/avail): 2047.88 MiB / 1938.01 MiB C: is Fixed (NTFS) - 144.31 GiB total, 9.38 GiB free. 
D: is CDROM (CDFS) E: is CDROM (No Media) F: is Removable (No Media) -- Security Center ------------------------------------------------------------- AUOptions is scheduled to auto-install. Windows Internal Firewall is enabled. FirstRunDisabled is set. Unable to create WMI object. -- Environment Variables ------------------------------------------------------- ALLUSERSPROFILE=C:\Documents and Settings\All Users APPDATA=C:\Documents and Settings\Kizlan\Application Data CommonProgramFiles=C:\Program Files\Common Files COMPUTERNAME=MECHAGODZILLA ComSpec=C:\WINDOWS\system32\cmd.exe FP_NO_HOST_CHECK=NO HOMEDRIVE=C: HOMEPATH=\Documents and Settings\Kizlan LOGONSERVER=\\MECHAGODZILLA NUMBER_OF_PROCESSORS=2 OS=Windows_NT Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared;C:\Program Files\Intel\DMIX;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\Common Files\Ahead\Lib\ PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH PROCESSOR_ARCHITECTURE=x86 PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 4, GenuineIntel PROCESSOR_LEVEL=15 PROCESSOR_REVISION=0404 ProgramFiles=C:\Program Files PROMPT=$P$G SESSIONNAME=Console SystemDrive=C: SystemRoot=C:\WINDOWS TEMP=C:\DOCUME~1\Kizlan\LOCALS~1\Temp TMP=C:\DOCUME~1\Kizlan\LOCALS~1\Temp USERDOMAIN=MECHAGODZILLA USERNAME=Kizlan USERPROFILE=C:\Documents and Settings\Kizlan windir=C:\WINDOWS __COMPAT_LAYER=EnableNXShowUI -- User Profiles --------------------------------------------------------------- Kizlan (admin) Rifter (admin) Mom (admin) Administrator (admin) -- Add/Remove Programs --------------------------------------------------------- --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER --> C:\Program Files\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu --> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL --> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL --> C:\WINDOWS\UNNeroShowTime.exe 
/UNINSTALL --> C:\WINDOWS\UNNeroVision.exe /UNINSTALL --> C:\WINDOWS\UNRecode.exe /UNINSTALL --> MsiExec.exe /I{F543B12A-13F5-487E-9314-F7D25E1BBE3E} --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf #1 Video Converter 3.8.9 --> "C:\Program Files\NO1 Video Converter\unins000.exe" 7-Zip 4.26 beta --> "C:\Program Files\7-Zip\Uninstall.exe" ABC (remove only) --> C:\Program Files\ABC\Uninstall.exe ACDSee 8 --> MsiExec.exe /I{AE80641A-0C8D-4670-A518-B4EC154B1027} Adobe Flash Player 9 ActiveX --> MsiExec.exe /X{786547F9-59BB-4FA3-B2D8-327FF1F14870} Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002} Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log America Online (Choose which version to remove) --> C:\Program Files\Common Files\aolshare\Aolunins_us.exe AOLIcon --> MsiExec.exe /I{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C} ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe ATI Catalyst Control Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x0 ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean AutoREALM Version 2.2 --> "C:\Dragonstone Archives\RPG Stuff\AutoRealm\unins000.exe" AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe AVG Free Edition --> C:\Program Files\Grisoft\AVG Free\setup.exe /UNINSTALL Baldur's Gate(TM) II - Shadows of Amn(TM) Bonus CD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation 
Information\{014585C8-7557-11D4-9ABA-006067325E47}\setup.exe" Bejeweled 2 Deluxe 1.0 --> C:\Program Files\PopCap Games\Bejeweled 2 Deluxe\PopUninstall.exe "C:\Program Files\PopCap Games\Bejeweled 2 Deluxe\Install.log" BitComet 0.93 --> C:\Program Files\BitComet\uninst.exe BitTorrent 4.0.4 --> "C:\Program Files\BitTorrent\uninstall.exe" Black and White --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E51B4CD9-A0A6-4324-B26A-31B3F2DE26CE}\setup.exe" CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe" CloneCD --> "C:\Program Files\SlySoft\CloneCD\ccd-uninst.exe" /D="C:\Program Files\SlySoft\CloneCD" CloneDVD 3.6 --> "C:\Program Files\CloneDVD\unins000.exe" Combined Community Codec Pack 2006-07-28 (Remove Only) --> C:\Program Files\Combined Community Codec Pack\Uninstall.exe Conexant D850 56K V.9x DFVc Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE -U -Idel200fk.inf Dell Driver Reset Tool --> MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76} Dell Picture Studio v3.0 --> MsiExec.exe /I{AF06CAE4-C134-44B1-B699-14FBDB63BD37} Dell Support 3.1 --> MsiExec.exe /X{548EEA8E-8299-497F-8057-811D2D7097DC} Diablo II --> C:\WINDOWS\DIIUnin.exe C:\WINDOWS\DIIUnin.dat Diner Dash --> C:\Games\GAMEHO~1\DINERD~1\UNWISE.EXE /U C:\Games\GAMEHO~1\DINERD~1\INSTALL.LOG Direct Show Ogg Vorbis Filter (remove only) --> "C:\WINDOWS\system32\OggDSuninst.exe" DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN DVD Decrypter (Remove Only) --> "C:\Program Files\DVD Decrypter\uninstall.exe" DVD Shrink 3.2 --> "C:\Program 
Files\DVD Shrink\unins000.exe" Express WebPictures 1.85 --> "C:\Program Files\Express WebPictures\unins000.exe" Fallout2 --> C:\WINDOWS\ipuninst.exe -fC:\Games\BlackIsle\Fallout2\uninst.log Flash Player Pro V3.2 --> "C:\Program Files\Flash Player Pro\unins000.exe" FLV Player 1.3.3 --> "C:\Program Files\FLVPlayer\uninstall.exe" Game Elements Game Controller --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0700\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FC4036AB-B5B9-4DE8-90F9-FE5E17A42EAA}\setup.exe" -l0x9 GameGuard --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9280CD93-B2D6-4D02-B53B-8FC5CF3B6D78}\Setup.exe" -l0x9 GemMaster Mystic --> "C:\Program Files\GemMaster\uninstallgemmaster.exe" GetRight --> C:\Program Files\GetRight\GETRIGHT.EXE /UNINSTALL Hero Editor V0.96 --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\Hero Editor\ST6UNST.LOG" High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe HijackThis 2.0.2 --> "C:\Documents and Settings\Kizlan\Desktop\HijackThis.exe" /uninstall Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe" Hotfix for Windows Media Format SDK (KB902344) --> "C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe" HP Memories Disc --> MsiExec.exe /X{B376402D-58EA-45EA-BD50-DD924EB67A70} HP Software Update --> MsiExec.exe /X{DDA2B32F-EB16-4C96-A130-4E4A4C1E6B12} ILLUSION Sexy???3 --> MsiExec.exe /X{6E7F60B4-F1E9-473F-A6BA-1C1C73A63592} Intel Matrix Storage Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}\setup.exe" -l0409 -INTELUNINST Intel(R) PRO Network Connections 11.2.0.69 --> MsiExec.exe /i{2222B364-0854-4265-B32E-A142DB9DC7BB} ARPREMOVE=1 
Intel(R) PROSafe for Wired Connections --> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095} Internet Explorer Default Page --> MsiExec.exe /I{35BDEFF1-A610-4956-A00D-15453C116395} Jasc Paint Shop Photo Album 5 --> MsiExec.exe /I{4192EAC0-6B36-4723-B216-D0E86E7757AC} Jasc Paint Shop Pro Studio, Dell Editon --> MsiExec.exe /I{78C496B9-5A6B-4692-8C2E-AFFFC34E4961} Jasc Paint Shop Pro Studio.01 , Dell Edition 1.0.1.1 Patch --> C:\Program Files\Jasc Software Inc\Paint Shop Pro Studio\Unwise.exe /R /U C:\PROGRA~1\JASCSO~1\PAINTS~1\INSTALL.LOG Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030} Jigs@w Puzzle 2 --> C:\Program Files\Tibo Software\Jigs@w Puzzle 2\uninstall.exe Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe Macromedia Flash Player --> MsiExec.exe /X{0456ebd7-5f67-4ab6-852e-63781e3f389c} Magic ISO Maker v5.3 (build 0225) --> C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG Mahjongg Master 5 --> C:\PROGRA~1\eGames\MAHJON~1\UNWISE.EXE C:\PROGRA~1\eGames\MAHJON~1\INSTALL.LOG Matroska Pack - Lazy Man's MKV 0.9.7 --> "C:\Program Files\LD-Anime\unins000.exe" Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe" Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe" Microsoft Office Basic Edition 2003 --> MsiExec.exe /I{91130409-6000-11D3-8CFE-0150048383C9} Microsoft Plus! Digital Media Edition Installer --> MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7} Microsoft Plus! 
Photo Story 2 LE --> MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B} Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe" mIRC --> "C:\Program Files\mIRC\mirc.exe" -uninstall Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel Mozilla Firefox (2.0.0.7) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe Musicmatch® Jukebox --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8EF1122E-E90C-4EE9-AB0C-7FDE2BA42C26}\setup.exe" -l0x9 -uninst Nero 7 Premium --> MsiExec.exe /X{26D3E377-1DCA-4043-9410-B4A9BACF1033} neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B} Netscape Browser (remove only) --> "C:\Program Files\Netscape\Netscape Browser\NSUninst.exe" NetWaiting --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText Oblivion --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{35CB6715-41F8-4F99-8881-6FC75BF054B0}\setup.exe" -l0x9 -removeonly Oblivion - BTmod 2.20 --> C:\Games\Bethesda Softworks\Oblivion\Data\BTmod-Uninstall.exe Oblivion - Horse Armor Pack --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3ABEBD00-299D-4DCA-967F-B912163AB5EA}\setup.exe" -l0x9 -removeonly Oblivion - Knights of the Nine --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation 
Information\{14C87AA7-08E6-419F-A165-998EBE5023D7}\setup.exe" -l0x9 -removeonly Oblivion - Mehrunes Razor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EF295F5C-7B57-47AA-8889-6B3E8E214E89}\setup.exe" -l0x9 -removeonly Oblivion - Orrery --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EC425CFC-EE78-4A91-AA25-3BFA65B75364}\setup.exe" -l0x9 -removeonly Oblivion - Spell Tomes --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{16D919E6-F019-4E15-BFBE-4A85EF19DA57}\setup.exe" -l0x9 -removeonly Oblivion - Thieves Den --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FFFFFD17-B460-41EB-93F1-C48ABAD63828}\setup.exe" -l0x9 -removeonly Oblivion - Vile Lair --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{520F4B09-3A51-47A2-82B0-9FF1DC2D20FA}\setup.exe" -l0x9 -removeonly Oblivion - Wizard's Tower --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2F2E3D62-8B8C-448F-8900-451325E50948}\setup.exe" -l0x9 -removeonly Oblivion mod manager 0.9.23 --> "C:\Games\Bethesda Softworks\Oblivion\obmm\uninstall\unins000.exe" Otto --> "C:\Program Files\EnglishOtto\uninstallotto.exe" Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan Photosmart 140,240,7200,7600,7700,7900 Series --> C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\setup\hpzscr01.exe -datfile hphscr01.dat PlexTools Professional V2.35 --> MsiExec.exe 
/X{410D4391-66A5-48E4-AD3A-D13E0648C425} PowerDVD 5.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall QuickBooks Simple Start Special Edition --> msiexec.exe /I {F543B12A-13F5-487E-9314-F7D25E1BBE3E} UNIQUE_NAME="atomlimited" QBFULLNAME="QuickBooks Simple Start Special Edition" ADDREMOVE=1 Quicken 2007 --> MsiExec.exe /X{0D2E80C8-0875-43EB-9623-47118E2DFBCA} QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log Rapidshare Unlimited 2.0 --> C:\Program Files\Rapidshare Unlimited\Uninstall.exe Real Alternative 1.49 --> "C:\Program Files\Real Alternative\unins000.exe" Reg Organizer 4.20 beta 1 --> "C:\Program Files\Reg Organizer\unins000.exe" Rosetta Stone 2.2.0.0A --> "C:\Program Files\InstallShield Installation Information\{6ABA3523-4F11-4787-8839-C249BBF0B8D1}\setup.exe" -runfromtemp -l0x0409 -removeonly Rosetta Stone 2.2.0.0A --> MsiExec.exe /X{6ABA3523-4F11-4787-8839-C249BBF0B8D1} Security Task Manager 1.6f --> C:\Program Files\Security Task Manager\Uninstal.exe "C:\Documents and Settings\All Users\Start Menu\Programs\Security Task Manager" Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe" Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe" Sid Meier's Alpha Centauri --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Firaxis Games\Sid Meier's Alpha Centauri\Uninst.isu" Skype 3.0 --> "C:\Program Files\Skype\Phone\unins000.exe" Skype Plugin Manager --> MsiExec.exe /I{3D5E5C0A-5B36-4F98-99A7-287F7DBDCE03} Sonic Encoders --> MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011} Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe" SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe" 
Starcraft --> C:\WINDOWS\SCunin.exe C:\WINDOWS\SCunin.dat StepMania (remove only) --> "C:\Program Files\StepMania\uninstall.exe" SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA} Swiff Player 1.1 --> "C:\Program Files\GlobFX Technologies\Swiff Player\unins000.exe" TeamSpeak 2 RC2 --> "C:\Program Files\Teamspeak2_RC2\unins000.exe" TES Construction Set --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Games\Morrowind\CSUninstall\Setup.exe" -l0x9 The Sims 2 --> C:\Games\The Sims 2\EAUninstall.exe Total Video Converter 2.603 --> "C:\Program Files\Total Video Converter\unins000.exe" TotalAccess Smart Installer --> C:\Program Files\EarthLink\TotalAccess Smart Installer\UnSMI.exe Trillian --> C:\Program Files\Trillian\trillian.exe /uninstall TubeHunter Ultra --> MsiExec.exe /I{3A4BEF94-179B-43DC-8380-76EEC6DB5EF4} TurboTax ItsDeductible 2006 --> MsiExec.exe /X{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F} TurboTax Premier Investments 2006 --> C:\Program Files\TurboTax\Premier 2006\TaxUnst.EXE "C:\Program Files\TurboTax\Premier 2006\Uninstall.log" -NoGui TurboTools PE --> C:\WINDOWS\unvise32.exe C:\Program Files\TurboTools PE\uninstal.log Update Rollup 2 for Windows XP Media Center Edition 2005 --> C:\WINDOWS\$NtUninstallKB900325$\spuninst\spuninst.exe Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F} Warcraft II BNE --> C:\WINDOWS\W2BNEUnin.exe C:\WINDOWS\W2BNEUnin.dat Warcraft III: All Products --> C:\WINDOWS\War3Unin.exe C:\WINDOWS\War3Unin.dat WebCyberCoach 3.2 Dell --> "C:\Program Files\WebCyberCoach\b_Dell\WCC_Wipe.exe" "WebCyberCoach ext\wtrb" /inf "engine.inf,RealUninstallSection,,4" /infcfg "enginecf.inf,RealUninstallSection,,4" WexTech AnswerWorks --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}\SETUP.EXE" -l0x9 -eliminate WildBlue 
Optimizer Ver 2006-10-30 --> "C:\Program Files\WildBlue\unins000.exe" Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe" Windows Media Connect --> "C:\WINDOWS\$NtUninstallWMCSetup$\spuninst\spuninst.exe" Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe" Windows XP Media Center Edition 2005 KB925766 --> "C:\WINDOWS\$NtUninstallKB925766$\spuninst\spuninst.exe" WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe World of Warcraft --> C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe X-Change 3 --> C:\WINDOWS\unvise32.exe C:\Games\X-Change 3\uninstal.log XviD 1.1 final uninstall --> "C:\Program Files\XviD\unins001.exe" -- Application Event Log ------------------------------------------------------- Event Record #/Type5893 / Error Event Submitted/Written: 01/20/2008 01:25:15 PM Event ID/Source: 11 / crypt32 Event Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. Event Record #/Type5891 / Warning Event Submitted/Written: 01/20/2008 01:22:53 PM Event ID/Source: 1001 / MsiInstaller Event Description: Detection of product '{91130409-6000-11D3-8CFE-0150048383C9}', feature 'HandWritingFiles' failed during request for component '{E6BFD503-3A35-4B78-BAB5-9570EDDEF81C}' Event Record #/Type5890 / Warning Event Submitted/Written: 01/20/2008 01:22:53 PM Event ID/Source: 1004 / MsiInstaller Event Description: Detection of product '{91130409-6000-11D3-8CFE-0150048383C9}', feature 'CiceroFiles', component '{D3146E44-B39F-4D61-93CD-07241D982881}' failed. The resource 'C:\WINDOWS\system32\CTFMON.EXE' does not exist. 
Event Record #/Type5888 / Warning Event Submitted/Written: 01/20/2008 01:22:53 PM Event ID/Source: 1001 / MsiInstaller Event Description: Detection of product '{91130409-6000-11D3-8CFE-0150048383C9}', feature 'HandWritingFiles' failed during request for component '{E6BFD503-3A35-4B78-BAB5-9570EDDEF81C}' Event Record #/Type5887 / Warning Event Submitted/Written: 01/20/2008 01:22:53 PM Event ID/Source: 1004 / MsiInstaller Event Description: Detection of product '{91130409-6000-11D3-8CFE-0150048383C9}', feature 'CiceroFiles', component '{D3146E44-B39F-4D61-93CD-07241D982881}' failed. The resource 'C:\WINDOWS\system32\CTFMON.EXE' does not exist. -- Security Event Log ---------------------------------------------------------- No Errors/Warnings found. -- System Event Log ------------------------------------------------------------ Event Record #/Type66492 / Error Event Submitted/Written: 01/19/2008 10:10:28 PM Event ID/Source: 10010 / DCOM Event Description: The server {0002DF01-0000-0000-C000-000000000046} did not register with DCOM within the required timeout. Event Record #/Type66491 / Error Event Submitted/Written: 01/19/2008 10:08:28 PM Event ID/Source: 10010 / DCOM Event Description: The server {0002DF01-0000-0000-C000-000000000046} did not register with DCOM within the required timeout. Event Record #/Type66490 / Error Event Submitted/Written: 01/19/2008 09:59:32 PM Event ID/Source: 10010 / DCOM Event Description: The server {0002DF01-0000-0000-C000-000000000046} did not register with DCOM within the required timeout. Event Record #/Type66489 / Error Event Submitted/Written: 01/19/2008 09:26:00 PM Event ID/Source: 10010 / DCOM Event Description: The server {0002DF01-0000-0000-C000-000000000046} did not register with DCOM within the required timeout. 
Event Record #/Type66488 / Error Event Submitted/Written: 01/19/2008 09:11:14 PM Event ID/Source: 10010 / DCOM Event Description: The server {0002DF01-0000-0000-C000-000000000046} did not register with DCOM within the required timeout. -- End of Deckard's System Scanner: finished at 2008-01-20 13:25:32 ------------ Rootlog.txt--------- ********************************* ROOTCHK-(28-12-07)-LOG, by ejvindh Sun 01/20/2008 13:29:37.28 The rootkits that are detected by this tool were not found. ********************************* ROOTCHK-LOG-end catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-01-20 13:29:38 Windows 5.1.2600 Service Pack 2 scanning hidden processes ... scanning hidden services & system hive ... [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] "p0"="C:\Program Files\DAEMON Tools\" "h0"=dword:00000000 "khjeh"=hex:22,37,d7,2e,18,18,44,77,1f,1f,d1,cc,a2,f1,a1,59,19,bc,1b,24,e7,.. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001] "a0"=hex:20,01,00,00,de,0a,a4,d1,d7,c6,d3,34,0a,ca,2d,79,9e,ee,8e,eb,10,.. "khjeh"=hex:d0,da,57,05,e6,d0,c7,6c,b8,d0,5e,10,db,f7,41,0b,7c,cc,fd,06,8f,.. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40] "khjeh"=hex:05,f5,d1,ec,bc,31,18,94,bd,78,2c,61,cb,1a,62,6f,74,03,d4,10,77,.. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg] "s1"=dword:2df9c43f "s2"=dword:110480d0 "h0"=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] "p0"="C:\Program Files\DAEMON Tools\" "h0"=dword:00000000 "khjeh"=hex:22,37,d7,2e,18,18,44,77,1f,1f,d1,cc,a2,f1,a1,59,19,bc,1b,24,e7,.. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001] "a0"=hex:20,01,00,00,de,0a,a4,d1,d7,c6,d3,34,0a,ca,2d,79,9e,ee,8e,eb,10,.. 
"khjeh"=hex:d0,da,57,05,e6,d0,c7,6c,b8,d0,5e,10,db,f7,41,0b,7c,cc,fd,06,8f,.. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40] "khjeh"=hex:05,f5,d1,ec,bc,31,18,94,bd,78,2c,61,cb,1a,62,6f,74,03,d4,10,77,.. scanning hidden registry entries ... scanning hidden files ... hidden processes: 0 hidden services: 0 hidden files: 0 |
#6
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,232
OS: Vista
Re: Internet Explorer opening popup ads at random
Hi,
Before we continue, I want to check on what dll loads that suspicious service in your machine.. Download RegSearch Tool by Bobbi Flekman. Unzip it to your desktop. In the search box, enter the keywords below one by one & click "Ok".
usprserv
User Privilege Service
Notepad will open with some text in it (the file will also be saved in the program's folder as well). Post this text in your next reply.
__________________
UNITE and ASAP since 2006
If we have helped you, please consider donating.
The past won't be able to hurt you unless you keep on looking back at it.
#7
Registered User
Join Date: Jan 2008
Posts: 12
OS: xp sp2
Re: Internet Explorer opening popup ads at random
Windows Registry Editor Version 5.00
; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0
; Results at 1/21/2008 11:29:30 AM for strings:
; 'usprserv'
; 'user privilege service'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\usprserv]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\usprserv]
"DisplayName"="User Privilege Service"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\usprserv\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\usprserv]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\usprserv]
"DisplayName"="User Privilege Service"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\usprserv\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usprserv]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usprserv]
"DisplayName"="User Privilege Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usprserv\Security]
; End Of The Log...
#8
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,232
OS: Vista
Re: Internet Explorer opening popup ads at random
Hi,
I forgot to tell you earlier.. Before we proceed further, I want you to post to the other threads that you created in other forums stating that you are now receiving help so that you will not waste other helpers' time. Post back when that's done.
#10 (permalink) |
|
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,232
OS: Vista
|
Re: Internet Explorer opening popup ads at random
Hi,

Thanks for doing that. One more thing I need to check before we continue..

* Click Start > Run > copy and paste:

reg query "HKLM\SYSTEM\CurrentControlSet\Services\usprserv\Parameters" /v ServiceDll >"%userprofile%\desktop\check.txt"

A file named check.txt will be created on your desktop; if no file is created, let me know. Please post the contents of check.txt if it was created.

* I would like you to scan a file for me. Please go HERE. Copy and paste the following file path into the box.

c:\windows\system32\svchost.exe

Then click Submit. Please post the results in your next reply. If Jotti is too busy, you can go HERE and do the same as above.
Last edited by Angelfire777; 01-21-2008 at 05:03 AM.
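The check above, together with the Registry Search export in post #7, boils down to a question you can answer from a plain registry export: for each key under Services, what does the service control manager actually run, and if ImagePath is svchost.exe, which DLL does Parameters\ServiceDll name? The script below is an added example for this thread, not a tool the helper used or posted. It parses the .reg text format that Registry Search and `reg export HKLM\SYSTEM\CurrentControlSet\Services` both write (including regedit's hex(2) encoding and backslash-continued lines) and flags services with no ImagePath, svchost-hosted services with no ServiceDll, and ServiceDll values outside %SystemRoot%\system32. The sample export is constructed: the usprserv key mirrors what the Registry Search output showed, Schedule and Avg7UpdSvc stand in for normal services, and dropped_svc with its helper.dll is invented to show the bad case. It assumes %SystemRoot% is C:\WINDOWS, as on the poster's machine.

```python
"""Triage a regedit-style export of HKLM\SYSTEM\...\Services (added example)."""
import re
from typing import Dict, List, Union

RegValue = Union[str, int, bytes]

# Service keys sit exactly one level below ...\Services (keys are stored lower-cased).
SERVICE_KEY = re.compile(
    r"^hkey_local_machine\\system\\(controlset\d{3}|currentcontrolset)\\services\\([^\\]+)$")
SYSTEM_ROOT = r"c:\windows"          # assumption: matches the logs in this thread


def decode_data(data: str) -> RegValue:
    """Decode the right-hand side of a '"name"=data' line from a .reg file."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    m = re.match(r"^hex(?:\((\d+)\))?:(.*)$", data)
    if m:
        kind = int(m.group(1) or "3")                       # bare 'hex:' is REG_BINARY
        blob = bytes(int(h, 16) for h in m.group(2).split(",") if h)
        if kind in (1, 2, 7):                               # REG_SZ / REG_EXPAND_SZ / REG_MULTI_SZ
            return blob.decode("utf-16-le").rstrip("\0")
        return blob
    return data


def parse_reg(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Return {key path (lower-case): {value name (lower-case): data}}."""
    keys: Dict[str, Dict[str, RegValue]] = {}
    current = None
    carry = ""                                              # hex data continued with a trailing '\'
    for raw in text.splitlines():
        line = carry + raw.strip()
        carry = ""
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if line.endswith("\\"):
            carry = line[:-1]
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1).lower()] = decode_data(m.group(2))
    return keys


def triage_services(keys: Dict[str, Dict[str, RegValue]]) -> Dict[str, List[str]]:
    """Flag services with nothing to run, or svchost-hosted ones whose ServiceDll is missing or odd."""
    findings: Dict[str, List[str]] = {}
    for key, values in keys.items():
        m = SERVICE_KEY.match(key)
        if not m:
            continue
        label = f"{m.group(1)}\\{m.group(2)}"
        image = str(values.get("imagepath", "")).lower()
        dll = str(keys.get(key + "\\parameters", {}).get("servicedll", ""))
        notes: List[str] = []
        if not image:
            notes.append("no ImagePath: nothing for the SCM to start, or the value was not exported")
        elif "svchost.exe" in image and not dll:
            notes.append("hosted by svchost.exe but Parameters\\ServiceDll is missing")
        if dll and not dll.lower().replace("%systemroot%", SYSTEM_ROOT).startswith(SYSTEM_ROOT + "\\system32\\"):
            notes.append(f"ServiceDll outside %SystemRoot%\\system32: {dll}")
        if notes:
            findings[label] = notes
    return findings


def reg_hex2(s: str) -> str:
    """Encode a string the way regedit exports REG_EXPAND_SZ: hex(2) over NUL-terminated UTF-16LE, wrapped."""
    hexes = [f"{b:02x}" for b in (s + "\0").encode("utf-16-le")]
    chunks = [",".join(hexes[i:i + 25]) for i in range(0, len(hexes), 25)]
    return "hex(2):" + ",\\\n  ".join(chunks)


# Constructed sample export (not the poster's registry). usprserv mirrors the Registry Search
# output in this thread; Schedule/Avg7UpdSvc are normal; dropped_svc is made up for the bad case.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usprserv]",
    '"DisplayName"="User Privilege Service"',
    '"Start"=dword:00000002',
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usprserv\Security]",
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]",
    '"DisplayName"="Task Scheduler"',
    '"ImagePath"=' + reg_hex2(r"%SystemRoot%\System32\svchost.exe -k netsvcs"),
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Parameters]",
    '"ServiceDll"=' + reg_hex2(r"%SystemRoot%\system32\schedsvc.dll"),
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Avg7UpdSvc]",
    '"DisplayName"="AVG7 Update Service"',
    r'"ImagePath"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgupsvc.exe"',
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dropped_svc]",
    '"DisplayName"="Windows Helper"',
    '"ImagePath"=' + reg_hex2(r"%SystemRoot%\System32\svchost.exe -k netsvcs"),
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dropped_svc\Parameters]",
    r'"ServiceDll"="C:\\Documents and Settings\\All Users\\Application Data\\helper.dll"',
])

if __name__ == "__main__":
    for svc, notes in triage_services(parse_reg(SAMPLE_REG)).items():
        print(svc)
        for note in notes:
            print("   ", note)
```

Registry Search only writes the keys and values that matched its search strings, which is why the export in post #7 shows nothing but DisplayName; feed the script a full `reg export` of the Services key when you want the ImagePath and ServiceDll answers rather than guessing from a partial listing.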
#11
Registered User
Join Date: Jan 2008
Posts: 12
OS: xp sp2
Re: Internet Explorer opening popup ads at random
No text file was created.

Results from Jotti's:

File: svchost.exe
Status: OK (Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 8f078ae4ed187aaabc0a305146de6716
Packers detected: -
Bit9 reports: No threat detected (more info)

All scanners in the lower section found nothing.
#12
Moderator/Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,232
OS: Vista
Re: Internet Explorer opening popup ads at random
Hi,

* A few optionals that I would recommend be uninstalled:

BitComet 0.93
BitTorrent 4.0.4

Even when a program like this is not infected itself, it will still bring malware into your system because more than half of all files available for download from peer-to-peer networks have been deliberately infected with some form of malware. I recommend that you remove this program from your system. If you decide to remove them, click Start > Control Panel > Add or Remove Programs and uninstall the items I listed in bold if found.

_______

Open HijackThis > choose Scan Only > place a checkmark in the boxes beside these entries in bold:

O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

If you or your system admin didn't set this entry, please fix it:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.

________

I would like you to scan a file for me. Please go HERE. Copy and paste the following file path into the box.

C:\WINDOWS\system32\OggDSuninst.exe

Then click Submit. Please post the results in your next reply. If Jotti is too busy, you can go HERE and do the same as above.

________

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components.

________

* Click Start > Run > copy and paste:

rundll32 wbemupgd, UpgradeRepository

* Open Notepad. Copy and paste the text inside the Code box below into Notepad. Choose File > Save As and under "Save as type", choose "All Files". Type WMI.bat in the File name box and save it to your desktop.

Code:
@echo off
REM Remove the leftover VundoFix backup folder
rd /s /q "C:\VundoFix Backups"
REM Re-register every WMI component in the WBEM folder
cd /d %windir%\system32\wbem
for %%i in (*.dll) do RegSvr32 -s %%i
for %%i in (*.exe) do %%i /RegServer
REM Open the WMI setup log so it can be posted back
notepad %windir%\system32\wbem\logs\setup.log
exit

_______

I'll try to disable that weird service running on your system. Please observe if something will not work after doing this.

Click Start > Run > copy and paste:

sc config usprserv start= disabled

Reboot your system. On your next reply, please include a
Last edited by Angelfire777; 01-22-2008 at 06:53 AM.
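The HijackThis entries ticked above follow a handful of rules that a log reader applies by eye. The script below is an added example for this thread, not HijackThis itself or anything the helper posted. It runs those rules over HJT-format lines and returns each hit with the reason, plus the subset that can go straight to "Fix checked". The rules are this example's own choices, not HijackThis's built-in logic: orphaned "(no file)" CLSID entries, O6 policy restrictions, O15 Trusted Zone additions, O4 Run entries given as a bare file name (resolved through the search path, so a same-named file earlier on the path wins), O23 services with no publisher, and an R0 start page that is not the Microsoft default. The sample log is constructed from the shapes of entries seen in this thread.

```python
"""Rule-based triage of HijackThis log lines (added example, not HijackThis code)."""
import re
from typing import List, Tuple

HJT_LINE = re.compile(r"^(R\d|O\d+)\s+-\s+(.*)$")
MS_FWLINK = re.compile(r"https?://go\.microsoft\.com/fwlink/", re.I)
# First token of a Run command: optionally quoted path ending in an executable extension.
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|com|bat|cmd|scr|dll))"?(?:\s|$)', re.I)


def run_target(rest: str) -> str:
    """'HKLM\\..\\Run: [Name] "C:\\x.exe" /arg' -> 'C:\\x.exe' (quotes stripped, arguments dropped)."""
    cmd = rest.partition("] ")[2].strip()
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd


def triage_hjt(log: str) -> List[Tuple[str, str]]:
    """Return (line, reason) for every entry a helper would want to look at or fix."""
    hits: List[Tuple[str, str]] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue                                   # headers, process list, blank lines
        section, rest = m.groups()
        if rest.endswith("- (no file)"):
            hits.append((line, "orphaned CLSID entry: registered, but the file is gone; safe to fix"))
        elif section in ("R0", "R1") and "Start Page" in rest and not MS_FWLINK.search(rest):
            hits.append((line, "IE start page is not the Microsoft default; ask whether the user set it"))
        elif section == "O4" and "\\" not in run_target(rest):
            hits.append((line, f"Run entry '{run_target(rest)}' has no path; it resolves through the "
                               "search path, so verify which file actually runs"))
        elif section == "O6":
            hits.append((line, "IE policy restriction present; fix it unless you or an admin set it"))
        elif section == "O15":
            hits.append((line, "site added to the Trusted Zone; confirm the user added it"))
        elif section == "O23" and "- Unknown owner -" in rest:
            hits.append((line, "service binary has no publisher; check the file (hash / online scan)"))
    return hits


def lines_to_fix(hits: List[Tuple[str, str]]) -> List[str]:
    """The subset a helper would tell the user to tick and 'Fix checked' without further questions."""
    return [line for line, reason in hits if reason.startswith("orphaned")]


# Constructed sample, shaped like the entries in this thread (not a complete log).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:38:43 PM, on 1/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemonsearch.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: http://forums.worldofwarcraft.com
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

if __name__ == "__main__":
    found = triage_hjt(SAMPLE_LOG)
    for line, reason in found:
        print(f"{line}\n    -> {reason}")
    print("\nTick and Fix checked:")
    for line in lines_to_fix(found):
        print("   ", line)
```

The "no file" rule is the only one that is safe to automate; everything else is a question to put to the user, which is exactly how the post above treats the O6 entry.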
#13
Registered User
Join Date: Jan 2008
Posts: 12
OS: xp sp2
Re: Internet Explorer opening popup ads at random
As far as I can tell there hasn't been any change. The programs I usually run still run and the popups still happen, although it's functioning normally a noticeable amount faster.
Fresh DSS log:

Deckard's System Scanner v20071014.68
Run by Kizlan on 2008-01-23 20:38:34
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 8.82 GiB (less than 15%) free.

-- HijackThis (run as Kizlan.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:38:43 PM, on 1/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\MsiExec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\Documents and Settings\Kizlan\Desktop\dss.exe
C:\DOCUME~1\Kizlan\Desktop\Kizlan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemonsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://forums.worldofwarcraft.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1200089204515
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7283 bytes

-- Files created between 2007-12-23 and 2008-01-23 -----------------------------

2008-01-23 20:08:14 0 d-------- C:\Program Files\Java
2008-01-23 20:08:10 0 d-------- C:\Program Files\Common Files\Java
2008-01-17 13:00:58 0 d-------- C:\Documents and Settings\Rifter\Application Data\Grisoft
2008-01-14 13:18:18 0 d-------- C:\Documents and Settings\NetworkService\Application Data\AVG7
2008-01-13 15:04:18 0 dr-h----- C:\Documents and Settings\Kizlan\Recent
2008-01-12 12:15:38 0 d-------- C:\Documents and Settings\Kizlan\Application Data\Grisoft
2008-01-12 11 20 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-12 11 11 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-01-12 11 11 0 d-------- C:\Documents and Settings\Kizlan\Application Data\SUPERAntiSpyware.com
2008-01-11 22:55:23 0 d-------- C:\Program Files\SpywareBlaster
2008-01-11 20:13:15 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2008-01-11 20:07:58 8576 --a------ C:\WINDOWS\system32\drivers\keurhjbavoio.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-01-11 19:52:37 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-01-11 19:25:51 0 d-------- C:\Documents and Settings\Kizlan\Application Data\Uniblue
2008-01-11 19 26 0 d-------- C:\Documents and Settings\Kizlan\.housecall6.6
2008-01-11 15:49:16 495616 --a------ C:\WINDOWS\system32\hphmon05.exe <Not Verified; Hewlett-Packard; HP Photosmart>
2008-01-11 12:52:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-11 10:30:24 86016 --a------ C:\WINDOWS\system32\drivers\avg7coree.sys
2007-12-30 02:13:41 0 d-------- C:\Program Files\Rosetta Stone
2007-12-29 14:04:17 0 d-------- C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir

-- Find3M Report ---------------------------------------------------------------

2008-01-23 20:08:10 0 d-------- C:\Program Files\Common Files
2008-01-20 23:57:14 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-01-15 20:35:08 0 d-------- C:\Program Files\GetRight
2008-01-14 15:04:07 0 d-------- C:\Documents and Settings\Kizlan\Application Data\Canon
2008-01-12 11:05:56 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-11 22:07:34 0 d-------- C:\Program Files\MagicISO
2008-01-11 21:55:53 0 d-------- C:\Program Files\7-Zip
2007-12-30 02:14:51 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-13 11:25:35 0 d-------- C:\Program Files\WoW UI Designer
2007-12-12 21:42:09 1208 --a------ C:\drmHeader.bin
2007-12-08 15:47:38 0 d-------- C:\Program Files\Hero Editor
2007-12-08 15:47:03 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2007-12-06 16:49:07 31223 --a------ C:\WINDOWS\DIIUnin.dat
2007-12-01 06:25:45 0 d-------- C:\Documents and Settings\Kizlan\Application Data\Macromedia
2007-12-01 06:24:21 6421 --a------ C:\WINDOWS\mozver.dat

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [03/22/2005 10:20 PM C:\WINDOWS\stsystra.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [01/11/2008 04:45 PM]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 03:25 AM]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/05/2005 12:56 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [12/14/2007 03:42 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [01/11/2008 04:45 PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/27/2007 11:39 AM]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [01/11/2008 04:45 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 02/27/2007 11:39 AM 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PlexTools Professional.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Plextor!\PlexTools Professional.lnk
backup=C:\WINDOWS\pss\PlexTools Professional.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
"C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
"C:\Program Files\D-Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
C:\WINDOWS\system32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetscapeClient]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]
"C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ba2eef52-2005-11db-ab27-00038a000015}]
AutoRun\command- G:\setupSNK.exe

-- End of Deckard's System Scanner: finished at 2008-01-23 20:39:16 ------------

Jotti's result:

File: OggDSuninst.exe
Status: OK (Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: c51f878b37c7e66d3782bed018f4f515
Packers detected: -
Bit9 reports: No threat detected (more info)

Notepad (setup.log):

(Wed Jan 23 20:23:49 2008): ================================================================================
(Wed Jan 23 20:23:49 2008): Beginning WBEM Service Pack Installation
(Wed Jan 23 20:23:49 2008): Current build of wbemupgd.dll is 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
(Wed Jan 23 20:23:49 2008): Current build of wbemcore.dll is 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
(Wed Jan 23 20:23:49 2008): Failing Connecting to Namespace [root\default] with result [80041014]
(Wed Jan 23 20:23:49 2008): One or more core modules is not registered; registering.
(Wed Jan 23 20:23:51 2008): Failing Connecting to Namespace [root\default] with result [80041014]
(Wed Jan 23 20:23:51 2008): Failing Connecting to Namespace [root\default] with result [80041014]
(Wed Jan 23 20:23:51 2008): Failing Connecting to Namespace [root\default] with result [80041014]
(Wed Jan 23 20:23:51 2008): Inconsistent repository detected; it will be recreated
(Wed Jan 23 20:23:51 2008): ERROR: wbemupgd.dll: The WMI repository has failed to upgrade. The repository has been backed up to C:\WINDOWS\system32\WBEM\Repository.001 and a new one created.
(Wed Jan 23 20:23:51 2008): Beginning MOF load
(Wed Jan 23 20:23:51 2008): Processing C:\WINDOWS\system32\WBEM\cimwin32.mof
(Wed Jan 23 20:23:55 2008): Processing C:\WINDOWS\system32\WBEM\cimwin32.mfl
(Wed Jan 23 20:23:57 2008): Processing C:\WINDOWS\system32\WBEM\system.mof
(Wed Jan 23 20:23:58 2008): Processing C:\WINDOWS\system32\WBEM\wmipcima.mof
(Wed Jan 23 20:23:58 2008): Processing C:\WINDOWS\system32\WBEM\wmipcima.mfl
(Wed Jan 23 20:23:58 2008): Processing C:\WINDOWS\system32\WBEM\regevent.mof
(Wed Jan 23 20:23:58 2008): Processing C:\WINDOWS\system32\WBEM\regevent.mfl
(Wed Jan 23 20:23:58 2008): Processing C:\WINDOWS\system32\WBEM\ntevt.mof
(Wed Jan 23 20:23:59 2008): Processing C:\WINDOWS\system32\WBEM\ntevt.mfl
(Wed Jan 23 20:23:59 2008): Processing C:\WINDOWS\system32\WBEM\secrcw32.mof
(Wed Jan 23 20:23:59 2008): Processing C:\WINDOWS\system32\WBEM\secrcw32.mfl
(Wed Jan 23 20:23:59 2008): Processing C:\WINDOWS\system32\WBEM\dsprov.mof
(Wed Jan 23 20:24:00 2008): Processing C:\WINDOWS\system32\WBEM\dsprov.mfl
(Wed Jan 23 20:24:00 2008): Processing C:\WINDOWS\system32\WBEM\msi.mof
(Wed Jan 23 20:24:00 2008): Processing C:\WINDOWS\system32\WBEM\msi.mfl
(Wed Jan 23 20:24:00 2008): Processing C:\WINDOWS\system32\WBEM\policman.mof
(Wed Jan 23 20:24:00 2008): Processing C:\WINDOWS\system32\WBEM\policman.mfl
(Wed Jan 23 20:24:00 2008): Processing C:\WINDOWS\system32\WBEM\subscrpt.mof
(Wed Jan 23 20:24:01 2008): Processing C:\WINDOWS\system32\WBEM\wmi.mof
(Wed Jan 23 20:24:02 2008): Processing C:\WINDOWS\system32\WBEM\wmi.mfl
(Wed Jan 23 20:24:02 2008): Processing C:\WINDOWS\system32\WBEM\scm.mof
(Wed Jan 23 20:24:02 2008): Processing C:\WINDOWS\system32\WBEM\fevprov.mof
(Wed Jan 23 20:24:02 2008): Processing C:\WINDOWS\system32\WBEM\fevprov.mfl
(Wed Jan 23 20:24:02 2008): Processing C:\WINDOWS\system32\WBEM\wmitimep.mof
(Wed Jan 23 20:24:02 2008): Processing C:\WINDOWS\system32\WBEM\wmitimep.mfl
(Wed Jan 23 20:24:02 2008): Processing C:\WINDOWS\system32\WBEM\wmipdskq.mof
(Wed Jan 23 20:24:02 2008): Processing C:\WINDOWS\system32\WBEM\wmipdskq.mfl
(Wed Jan 23 20:24:02 2008): Processing C:\WINDOWS\system32\WBEM\wmipicmp.mof
(Wed Jan 23 20:24:03 2008): Processing C:\WINDOWS\system32\WBEM\wmipicmp.mfl
(Wed Jan 23 20:24:03 2008): Processing C:\WINDOWS\system32\WBEM\wmipiprt.mof
(Wed Jan 23 20:24:03 2008): Processing C:\WINDOWS\system32\WBEM\wmipiprt.mfl
(Wed Jan 23 20:24:03 2008): Processing C:\WINDOWS\system32\WBEM\wmipjobj.mof
(Wed Jan 23 20:24:03 2008): Processing C:\WINDOWS\system32\WBEM\wmipjobj.mfl
(Wed Jan 23 20:24:03 2008): Processing C:\WINDOWS\system32\WBEM\wmipsess.mof
(Wed Jan 23 20:24:03 2008): Processing C:\WINDOWS\system32\WBEM\wmipsess.mfl
(Wed Jan 23 20:24:03 2008): Processing C:\WINDOWS\system32\WBEM\krnlprov.mof
(Wed Jan 23 20:24:04 2008): Processing C:\WINDOWS\system32\WBEM\krnlprov.mfl
(Wed Jan 23 20:24:04 2008): Processing C:\WINDOWS\system32\WBEM\cli.mof
(Wed Jan 23 20:24:04 2008): Processing C:\WINDOWS\system32\WBEM\tscfgwmi.mof
(Wed Jan 23 20:24:05 2008): Processing C:\WINDOWS\system32\WBEM\tscfgwmi.mfl
(Wed Jan 23 20:24:05 2008): Processing C:\WINDOWS\system32\WBEM\licwmi.mof
(Wed Jan 23 20:24:05 2008): Processing C:\WINDOWS\system32\WBEM\licwmi.mfl
(Wed Jan 23 20:24:06 2008): Processing C:\WINDOWS\system32\WBEM\evntrprv.mof
(Wed Jan 23 20:24:06 2008): Processing C:\WINDOWS\system32\WBEM\hnetcfg.mof
(Wed Jan 23 20:24:07 2008): Processing C:\WINDOWS\system32\WBEM\sr.mof
(Wed Jan 23 20:24:07 2008): Processing C:\WINDOWS\system32\WBEM\CmdEvTgProv.mof
(Wed Jan 23 20:24:07 2008): Processing C:\WINDOWS\system32\WBEM\dgnet.mof
(Wed Jan 23 20:24:08 2008): Processing C:\WINDOWS\system32\WBEM\whqlprov.mof
(Wed Jan 23 20:24:08 2008): Processing C:\WINDOWS\system32\WBEM\ieinfo5.mof
(Wed Jan 23 20:24:08 2008): MOF load completed.
(Wed Jan 23 20:24:08 2008): Beginning MOF load
(Wed Jan 23 20:24:08 2008): Processing C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\netfxcfgprovm.mof
(Wed Jan 23 20:24:11 2008): Processing C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\netfxcfgprov.mfl
(Wed Jan 23 20:24:11 2008): Processing C:\WINDOWS\SYSTEM32\WBEM\RSOP.MOF
(Wed Jan 23 20:24:12 2008): Processing C:\WINDOWS\SYSTEM32\WBEM\RSOP.MFL
(Wed Jan 23 20:24:12 2008): Processing C:\WINDOWS\SYSTEM32\WBEM\SCERSOP.MOF
(Wed Jan 23 20:24:12 2008): Processing C:\WINDOWS\SYSTEM32\WBEM\WSCENTER.MOF
(Wed Jan 23 20:24:12 2008): Processing C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V1.1.4322\ASPNET.MOF
(Wed Jan 23 20:24:12 2008): ERROR: An error occurred while compiling the following MOF file: C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V1.1.4322\ASPNET.MOF Please refer to C:\WINDOWS\system32\WBEM\Logs\mofcomp.log for more detailed information.
(Wed Jan 23 20:24:12 2008): Processing C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\MSINFO\OINFOP11.MOF
(Wed Jan 23 20:24:13 2008): Processing C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\OINFOP11.MOF
(Wed Jan 23 20:24:13 2008): Processing C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\ASPNET.MOF
(Wed Jan 23 20:24:13 2008): ERROR: An error occurred while compiling the following MOF file: C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\ASPNET.MOF Please refer to C:\WINDOWS\system32\WBEM\Logs\mofcomp.log for more detailed information.
(Wed Jan 23 20:24:13 2008): MOF load completed.
(Wed Jan 23 20:24:13 2008): ERROR: The following External MOF file(s) failed to load:
(Wed Jan 23 20:24:13 2008): ERROR: C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V1.1.4322\ASPNET.MOF
(Wed Jan 23 20:24:13 2008): ERROR: C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\ASPNET.MOF
(Wed Jan 23 20:24:13 2008): Wbemupgd.dll Service Security upgrade succeeded (XP SP update).
(Wed Jan 23 20:24:13 2008): WBEM Service Pack Installation completed.
(Wed Jan 23 20:24:13 2008): ================================================================================
(Wed Jan 23 20:26:45 2008): ================================================================================
(Wed Jan 23 20:26:45 2008): Beginning Wbemupgd.dll Registration
(Wed Jan 23 20:26:45 2008): Current build of wbemupgd.dll is 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
(Wed Jan 23 20:26:45 2008): Beginning Core Upgrade
(Wed Jan 23 20:26:45 2008): Beginning MOF load
(Wed Jan 23 20:26:45 2008): Processing C:\WINDOWS\system32\WBEM\cimwin32.mof
(Wed Jan 23 20:26:48 2008): Processing C:\WINDOWS\system32\WBEM\cimwin32.mfl
(Wed Jan 23 20:26:50 2008): Processing C:\WINDOWS\system32\WBEM\system.mof
(Wed Jan 23 20:26:50 2008): Processing C:\WINDOWS\system32\WBEM\wmipcima.mof
(Wed Jan 23 20:26:50 2008): Processing C:\WINDOWS\system32\WBEM\wmipcima.mfl
(Wed Jan 23 20:26:50 2008): Processing C:\WINDOWS\system32\WBEM\regevent.mof
(Wed Jan 23 20:26:51 2008): Processing C:\WINDOWS\system32\WBEM\regevent.mfl
(Wed Jan 23 20:26:51 2008): Processing C:\WINDOWS\system32\WBEM\ntevt.mof
(Wed Jan 23 20:26:51 2008): Processing C:\WINDOWS\system32\WBEM\ntevt.mfl
(Wed Jan 23 20:26:51 2008): Processing C:\WINDOWS\system32\WBEM\secrcw32.mof
(Wed Jan 23 20:26:51 2008): Processing C:\WINDOWS\system32\WBEM\secrcw32.mfl
(Wed Jan 23 20:26:51 2008): Processing C:\WINDOWS\system32\WBEM\dsprov.mof
(Wed Jan 23 20:26:51 2008): Processing C:\WINDOWS\system32\WBEM\dsprov.mfl
(Wed Jan 23 20:26:51 2008): Processing C:\WINDOWS\system32\WBEM\msi.mof
(Wed Jan 23 20:26:51 2008): Processing C:\WINDOWS\system32\WBEM\msi.mfl
(Wed Jan 23 20:26:52 2008): Processing C:\WINDOWS\system32\WBEM\policman.mof
(Wed Jan 23 20:26:52 2008): Processing C:\WINDOWS\system32\WBEM\policman.mfl
(Wed Jan 23 20:26:52 2008): Processing C:\WINDOWS\system32\WBEM\subscrpt.mof
(Wed Jan 23 20:26:52 2008): Processing C:\WINDOWS\system32\WBEM\wmi.mof
(Wed Jan 23 20:26:58 2008): Processing C:\WINDOWS\system32\WBEM\wmi.mfl
(Wed Jan 23 20:26:58 2008): Processing C:\WINDOWS\system32\WBEM\scm.mof
(Wed Jan 23 20:26:59 2008): Processing C:\WINDOWS\system32\WBEM\fevprov.mof
(Wed Jan 23 20:26:59 2008): Processing C:\WINDOWS\system32\WBEM\fevprov.mfl
(Wed Jan 23 20:26:59 2008): Processing C:\WINDOWS\system32\WBEM\wmitimep.mof
(Wed Jan 23 20:26:59 2008): Processing C:\WINDOWS\system32\WBEM\wmitimep.mfl
(Wed Jan 23 20:26:59 2008): Processing C:\WINDOWS\system32\WBEM\wmipdskq.mof
(Wed Jan 23 20:26:59 2008): Processing C:\WINDOWS\system32\WBEM\wmipdskq.mfl
(Wed Jan 23 20:26:59 2008): Processing C:\WINDOWS\system32\WBEM\wmipicmp.mof
(Wed Jan 23 20:26:59 2008): Processing C:\WINDOWS\system32\WBEM\wmipicmp.mfl
(Wed Jan 23 20:26:59 2008): Processing C:\WINDOWS\system32\WBEM\wmipiprt.mof
(Wed Jan 23 20:26:59 2008): Processing C:\WINDOWS\system32\WBEM\wmipiprt.mfl
(Wed Jan 23 20:26:59 2008): Processing C:\WINDOWS\system32\WBEM\wmipjobj.mof
(Wed Jan 23 20:27:00 2008): Processing C:\WINDOWS\system32\WBEM\wmipjobj.mfl
(Wed Jan 23 20:27:00 2008): Processing C:\WINDOWS\system32\WBEM\wmipsess.mof
(Wed Jan 23 20:27:00 2008): Processing C:\WINDOWS\system32\WBEM\wmipsess.mfl
(Wed Jan 23 20:27:00 2008): Processing C:\WINDOWS\system32\WBEM\krnlprov.mof
(Wed Jan 23 20:27:00 2008): Processing C:\WINDOWS\system32\WBEM\krnlprov.mfl
(Wed Jan 23 20:27:00 2008): Processing C:\WINDOWS\system32\WBEM\cli.mof
(Wed Jan 23 20:27:00 2008): Processing C:\WINDOWS\system32\WBEM\tscfgwmi.mof
(Wed Jan 23 20:27:01 2008): Processing C:\WINDOWS\system32\WBEM\tscfgwmi.mfl
(Wed Jan 23 20:27:01 2008): Processing C:\WINDOWS\system32\WBEM\licwmi.mof
(Wed Jan 23 20:27:01 2008): Processing C:\WINDOWS\system32\WBEM\licwmi.mfl
(Wed Jan 23 20:27:01 2008): Processing C:\WINDOWS\system32\WBEM\evntrprv.mof
(Wed Jan 23 20:27:01 2008): Processing C:\WINDOWS\system32\WBEM\hnetcfg.mof
(Wed Jan 23 20:27:01 2008): Processing C:\WINDOWS\system32\WBEM\sr.mof
(Wed Jan 23 20:27:01 2008): Processing C:\WINDOWS\system32\WBEM\CmdEvTgProv.mof
(Wed Jan 23 20:27:01 2008): Processing C:\WINDOWS\system32\WBEM\dgnet.mof
(Wed Jan 23 20:27:01 2008): Processing C:\WINDOWS\system32\WBEM\whqlprov.mof
(Wed Jan 23 20:27:01 2008): Processing C:\WINDOWS\system32\WBEM\ieinfo5.mof
(Wed Jan 23 20:27:01 2008): MOF load completed.
(Wed Jan 23 20:27:01 2008): Beginning MOF load
(Wed Jan 23 20:27:01 2008): Processing C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\netfxcfgprovm.mof
(Wed Jan 23 20:27:03 2008): Processing C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\netfxcfgprov.mfl
(Wed Jan 23 20:27:04 2008): Processing C:\WINDOWS\SYSTEM32\WBEM\RSOP.MOF
(Wed Jan 23 20:27:04 2008): Processing C:\WINDOWS\SYSTEM32\WBEM\RSOP.MFL
(Wed Jan 23 20:27:05 2008): Processing C:\WINDOWS\SYSTEM32\WBEM\SCERSOP.MOF
(Wed Jan 23 20:27:05 2008): Processing C:\WINDOWS\SYSTEM32\WBEM\WSCENTER.MOF
(Wed Jan 23 20:27:05 2008): Processing C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V1.1.4322\ASPNET.MOF
(Wed Jan 23 20:27:05 2008): Processing C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\MSINFO\OINFOP11.MOF
(Wed Jan 23 20:27:05 2008): Processing C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\OINFOP11.MOF
(Wed Jan 23 20:27:06 2008): Processing C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\ASPNET.MOF
(Wed Jan 23 20:27:06 2008): MOF load completed.
(Wed Jan 23 20:27:06 2008): Core Upgrade completed.
(Wed Jan 23 20:27:06 2008): Wbemupgd.dll Service Security upgrade succeeded.
(Wed Jan 23 20:27:06 2008): Beginning WMI(WDM) Namespace Init
(Wed Jan 23 20:27:06 2008): WMI(WDM) Namespace Init Completed
(Wed Jan 23 20:27:06 2008): ESS enabled
(Wed Jan 23 20:27:06 2008): ODBC Driver <system32>\wbemdr32.dll not present
(Wed Jan 23 20:27:06 2008): Successfully verified WBEM OBDC adapter (incompatible version removed if it was detected).
(Wed Jan 23 20:27:06 2008): Wbemupgd.dll Registration completed.
(Wed Jan 23 20:27:06 2008): ================================================================================
#14
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,232
OS: Vista
Re: Internet Explorer opening popup ads at random
Hi,
Download combofix.exe
__________________
UNITE and ASAP since 2006. If we have helped you, please consider donating. The past won't be able to hurt you unless you keep on looking back at it.
#15
Registered User
Join Date: Jan 2008
Posts: 12
OS: xp sp2
Re: Internet Explorer opening popup ads at random
Combofix log
ComboFix 08-01-23.2 - Kizlan 2008-01-25 4:08:24.5 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.654 [GMT -6:00] Running from: C:\Documents and Settings\Kizlan\Desktop\ComboFix.exe * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\temp\tn3 C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete . ((((((((((((((((((((((((( Files Created from 2007-12-25 to 2008-01-25 ))))))))))))))))))))))))))))))) . 2008-01-25 04:19 . 2008-01-25 04:19 <DIR> d-------- C:\Temp\tn3 2008-01-23 20:08 . 2008-01-23 20:08 <DIR> d-------- C:\Program Files\Java 2008-01-23 20:08 . 2008-01-23 20:08 <DIR> d-------- C:\Program Files\Common Files\Java 2008-01-23 20:08 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl 2008-01-20 13:23 . 2008-01-20 13:23 <DIR> d-------- C:\Deckard 2008-01-14 12:42 . 2008-01-25 04:22 932 --------- C:\WINDOWS\system32\drivers\core.cache.dsk 2008-01-13 15:58 . 2008-01-15 18:56 4,566 --a------ C:\WINDOWS\imsins.BAK 2008-01-13 15:55 . 2007-07-09 07:16 582,656 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll 2008-01-12 14:28 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe 2008-01-12 12:15 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2008-01-12 11:06 . 2008-01-14 13:39 <DIR> d-------- C:\Program Files\SUPERAntiSpyware 2008-01-11 22:55 . 2008-01-11 22:59 <DIR> d-------- C:\Program Files\SpywareBlaster 2008-01-11 20:13 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS 2008-01-11 20:07 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\keurhjbavoio.sys 2008-01-11 19:52 . 2008-01-11 22:30 <DIR> d-------- C:\WINDOWS\system32\ActiveScan 2008-01-11 19:52 . 2008-01-11 19:52 30,590 --a------ C:\WINDOWS\system32\pavas.ico 2008-01-11 19:52 . 
2008-01-11 19:52 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico 2008-01-11 19:52 . 2008-01-11 19:52 1,406 --a------ C:\WINDOWS\system32\Help.ico 2008-01-11 15:49 . 2008-01-11 15:51 495,616 --a------ C:\WINDOWS\system32\hphmon05 .exe 2008-01-11 10:30 . 2008-01-11 10:30 86,016 --a------ C:\WINDOWS\system32\drivers\avg7coree.sys 2007-12-30 02:13 . 2007-12-30 02:13 <DIR> d-------- C:\Program Files\Rosetta Stone . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-01-16 02:35 --------- d-----w C:\Program Files\GetRight 2008-01-12 17:05 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2008-01-12 04:07 --------- d-----w C:\Program Files\MagicISO 2008-01-12 03:55 --------- d-----w C:\Program Files\7-Zip 2007-12-30 08:14 --------- d--h--w C:\Program Files\InstallShield Installation Information 2007-12-13 17:25 --------- d-----w C:\Program Files\WoW UI Designer 2007-12-13 03:42 1,208 ----a-w C:\drmHeader.bin 2007-12-08 21:47 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE 2007-12-08 21:47 249,856 ------w C:\WINDOWS\Setup1.exe 2007-12-08 21:47 --------- d-----w C:\Program Files\Hero Editor 2005-10-11 11:12 251 ----a-w C:\Program Files\wt3d.ini 2001-10-20 06:23 135,168 ----a-w C:\Program Files\POREdit_1_9.exe . Code:
<pre> ----a-w 495,616 2008-01-11 21:51:59 C:\WINDOWS\system32\hphmon05 .exe ----a-w 176,128 2008-01-11 21:51:58 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09 .exe </pre> ((((((((((((((((((((((((((((( snapshot_2008-01-14_12.28.16.65 ))))))))))))))))))))))))))))))))))))))))) . - 2008-01-12 20:28:22 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT + 2008-01-25 10:07:57 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT - 2008-01-12 20:28:22 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat + 2008-01-25 10:07:57 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat - 2008-01-12 20:28:22 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat + 2008-01-25 10:07:57 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat - 2008-01-12 20:28:22 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat + 2008-01-25 10:07:57 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat - 2008-01-12 20:28:22 14,213,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat + 2008-01-25 10:07:58 14,422,016 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat - 2008-01-12 20:28:23 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat + 2008-01-25 10:07:58 151,552 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat - 2006-11-08 03:01:06 66,048 -c--a-w C:\WINDOWS\ie7\spuninst\ieResetIcons.exe + 2007-08-14 00:52:06 66,048 -c--a-w C:\WINDOWS\ie7\spuninst\ieResetIcons.exe - 2006-11-07 09:26:44 71,680 ----a-w C:\WINDOWS\system32\admparse.dll + 2007-08-14 00:39:20 71,680 ----a-w C:\WINDOWS\system32\admparse.dll - 2008-01-10 23:51:09 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll + 2008-01-21 05:57:14 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll - 2006-11-07 09:26:44 71,680 ------w C:\WINDOWS\system32\dllcache\admparse.dll + 2007-08-14 00:39:20 71,680 ----a-w 
C:\WINDOWS\system32\dllcache\admparse.dll - 2006-11-08 03:03:36 33,792 ----a-w C:\WINDOWS\system32\dllcache\custsat.dll + 2007-08-14 00:54:10 33,792 ----a-w C:\WINDOWS\system32\dllcache\custsat.dll - 2006-10-17 17:58:06 346,624 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll + 2007-08-14 00:35:46 346,624 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll - 2006-10-17 17:44:36 60,416 ------w C:\WINDOWS\system32\dllcache\hmmapi.dll + 2007-08-14 00:18:02 60,416 ----a-w C:\WINDOWS\system32\dllcache\hmmapi.dll - 2006-10-17 18:04:50 69,120 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe + 2007-08-14 00:44:02 69,120 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe - 2006-10-17 18 00 78,336 ------w C:\WINDOWS\system32\dllcache\ieencode.dll+ 2007-08-14 00:45:18 78,336 ----a-w C:\WINDOWS\system32\dllcache\ieencode.dll - 2006-11-08 03:03:36 191,488 ----a-w C:\WINDOWS\system32\dllcache\iepeers.dll + 2007-08-14 00:54:10 191,488 ----a-w C:\WINDOWS\system32\dllcache\iepeers.dll - 2006-11-07 09:26:42 55,296 ------w C:\WINDOWS\system32\dllcache\iesetup.dll + 2007-08-14 00:39:12 55,296 ----a-w C:\WINDOWS\system32\dllcache\iesetup.dll - 2006-10-17 17:57:58 36,352 ------w C:\WINDOWS\system32\dllcache\imgutil.dll + 2007-08-14 00:36:06 36,352 ----a-w C:\WINDOWS\system32\dllcache\imgutil.dll - 2006-11-07 09:26:24 92,672 ----a-w C:\WINDOWS\system32\dllcache\inseng.dll + 2007-08-14 00:39:02 92,672 ----a-w C:\WINDOWS\system32\dllcache\inseng.dll - 2006-10-17 18:00:00 491,520 ----a-w C:\WINDOWS\system32\dllcache\jscript.dll + 2007-08-14 00:38:04 491,520 ----a-w C:\WINDOWS\system32\dllcache\jscript.dll - 2006-10-17 18:05:10 40,960 ------w C:\WINDOWS\system32\dllcache\licmgr10.dll + 2007-08-14 00:44:18 40,960 ----a-w C:\WINDOWS\system32\dllcache\licmgr10.dll - 2006-10-17 17:56:10 45,568 ------w C:\WINDOWS\system32\dllcache\mshta.exe + 2007-08-14 00:32:30 45,568 ----a-w C:\WINDOWS\system32\dllcache\mshta.exe - 2006-10-17 17:28:56 48,128 ------w C:\WINDOWS\system32\dllcache\mshtmler.dll + 2007-08-14 
00:01:12 48,128 ----a-w C:\WINDOWS\system32\dllcache\mshtmler.dll - 2006-11-08 03:03:36 156,160 ------w C:\WINDOWS\system32\dllcache\msls31.dll + 2007-08-14 00:54:10 156,160 ----a-w C:\WINDOWS\system32\dllcache\msls31.dll - 2006-10-17 17:58:08 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll + 2007-08-14 00:36:12 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll - 2006-11-08 03:03:36 413,696 ------w C:\WINDOWS\system32\dllcache\vbscript.dll + 2007-08-14 00:54:10 413,696 ----a-w C:\WINDOWS\system32\dllcache\vbscript.dll - 2006-10-17 17:58:06 346,624 ----a-w C:\WINDOWS\system32\dxtmsft.dll + 2007-08-14 00:35:46 346,624 ----a-w C:\WINDOWS\system32\dxtmsft.dll - 2006-10-17 18 00 78,336 ----a-w C:\WINDOWS\system32\ieencode.dll+ 2007-08-14 00:45:18 78,336 ----a-w C:\WINDOWS\system32\ieencode.dll - 2006-11-08 03:03:36 191,488 ----a-w C:\WINDOWS\system32\iepeers.dll + 2007-08-14 00:54:10 191,488 ----a-w C:\WINDOWS\system32\iepeers.dll - 2006-11-07 09:26:42 55,296 ----a-w C:\WINDOWS\system32\iesetup.dll + 2007-08-14 00:39:12 55,296 ----a-w C:\WINDOWS\system32\iesetup.dll - 2006-11-08 03:03:36 180,736 ------w C:\WINDOWS\system32\ieui.dll + 2007-08-14 00:54:10 180,736 ----a-w C:\WINDOWS\system32\ieui.dll - 2006-10-17 17:57:58 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll + 2007-08-14 00:36:06 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll - 2006-11-07 09:26:24 92,672 ----a-w C:\WINDOWS\system32\inseng.dll + 2007-08-14 00:39:02 92,672 ----a-w C:\WINDOWS\system32\inseng.dll - 2003-11-19 21:36:26 24,681 ----a-w C:\WINDOWS\system32\java.exe + 2007-12-14 06:57:22 135,168 ----a-w C:\WINDOWS\system32\java.exe - 2003-11-19 21:36:30 28,779 ----a-w C:\WINDOWS\system32\javaw.exe + 2007-12-14 06:57:24 135,168 ----a-w C:\WINDOWS\system32\javaw.exe + 2007-12-14 07:59:16 139,264 ----a-w C:\WINDOWS\system32\javaws.exe - 2006-10-17 18:00:00 491,520 ----a-w C:\WINDOWS\system32\jscript.dll + 2007-08-14 00:38:04 491,520 ----a-w C:\WINDOWS\system32\jscript.dll - 2006-10-17 18:05:10 
40,960 ----a-w C:\WINDOWS\system32\licmgr10.dll + 2007-08-14 00:44:18 40,960 ----a-w C:\WINDOWS\system32\licmgr10.dll - 2006-10-17 17:58:32 12,288 ------w C:\WINDOWS\system32\msfeedssync.exe + 2007-08-14 00:36:40 12,288 ----a-w C:\WINDOWS\system32\msfeedssync.exe - 2006-10-17 17:56:10 45,568 ----a-w C:\WINDOWS\system32\mshta.exe + 2007-08-14 00:32:30 45,568 ----a-w C:\WINDOWS\system32\mshta.exe - 2006-10-17 17:28:56 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll + 2007-08-14 00:01:12 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll - 2006-11-08 03:03:36 156,160 ----a-w C:\WINDOWS\system32\msls31.dll + 2007-08-14 00:54:10 156,160 ----a-w C:\WINDOWS\system32\msls31.dll - 2008-01-14 09:03:10 63,860 ----a-w C:\WINDOWS\system32\perfc009.dat + 2008-01-24 02:37:24 63,860 ----a-w C:\WINDOWS\system32\perfc009.dat - 2008-01-14 09:03:10 405,310 ----a-w C:\WINDOWS\system32\perfh009.dat + 2008-01-24 02:37:24 405,310 ----a-w C:\WINDOWS\system32\perfh009.dat - 2006-10-17 17:58:08 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll + 2007-08-14 00:36:12 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll - 2006-11-08 03:03:36 413,696 ----a-w C:\WINDOWS\system32\vbscript.dll + 2007-08-14 00:54:10 413,696 ----a-w C:\WINDOWS\system32\vbscript.dll - 2006-10-17 18:05:58 206,336 ------w C:\WINDOWS\system32\WinFXDocObj.exe + 2007-08-14 00:45:16 206,336 ----a-w C:\WINDOWS\system32\WinFXDocObj.exe . -- Snapshot reset to current date -- . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-11 16:45 204288] "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720] "StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-11 16:45 90112] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [ ] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 22:20 339968 C:\WINDOWS\stsystra.exe] "IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-01-11 16:45 139264] "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [ ] "AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [ ] "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25 6731312] "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 12:56 64512] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-25 02:11 219136] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableRegistryTools"= 0 (0x0) [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program 
Files\SUPERAntiSpyware\SASWINLO.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PlexTools Professional.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Plextor!\PlexTools Professional.lnk backup=C:\WINDOWS\pss\PlexTools Professional.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] --a------ 2008-01-11 16:45 152872 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray] --a------ 2005-05-19 07:47 57344 C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools] --a------ 2007-11-17 05:53 171464 C:\Program Files\DAEMON Tools\daemon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033] --a------ 2004-08-22 16:05 81920 C:\Program Files\D-Tools\daemon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher] --------- 2005-02-23 15:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05] C:\WINDOWS\system32\hphmon05.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask] --a------ 2004-09-14 07:50 53248 C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] --a------ 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] --a------ 2007-03-01 14:57 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetscapeClient] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash] --a------ 2004-11-11 09:26 26112 C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer] --a------ 2005-05-31 00:04 1415824 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr] --a------ 2008-01-11 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "AOL ACS"=2 (0x2) R1 avg7coree;avg7coree;C:\WINDOWS\system32\drivers\avg7coree.sys [2008-01-11 10:30] R3 SetupSys;Conexant Setup API;C:\WINDOWS\system32\drivers\SetupSys.sys [2001-01-09 08:58] S3 BW2NDIS5;BW2NDIS5;C:\WINDOWS\system32\Drivers\BW2NDIS5.sys [] S3 SWMX00;Sierra Wireless USB MUX Driver (#00);C:\WINDOWS\system32\DRIVERS\swmx00.sys [] S3 SWNC5E00;Sierra Wireless MUX NDIS Driver (#00);C:\WINDOWS\system32\DRIVERS\SWNC5E00.sys [] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ba2eef52-2005-11db-ab27-00038a000015}] \Shell\AutoRun\command - G:\setupSNK.exe 
. Contents of the 'Scheduled Tasks' folder "2006-06-12 14:30:00 C:\WINDOWS\Tasks\abc.job" - C:\Program Files\ABC\abc.exe "2008-01-25 06:54:02 C:\WINDOWS\Tasks\HP Usg Daily.job" - C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\pexpress\hphped05.exe . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-01-25 04:23:57 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Hijackthis log-- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 04:41, on 2008-01-25 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16574) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\WINDOWS\system32\Ati2evxx.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\MsPMSPSv.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\stsystra.exe C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\WINDOWS\ehome\ehtray.exe C:\Program 
Files\Java\jre1.6.0_04\bin\jusched.exe C:\WINDOWS\eHome\ehmsas.exe C:\Program Files\Windows Media Player\WMPNSCFG.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\msiexec.exe C:\Documents and Settings\Kizlan\Desktop\Kizlan.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemonsearch.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media 
Player\WMPNSCFG.exe O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user') O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' 
menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: http://forums.worldofwarcraft.com O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1200089204515 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe -- End of file - 7190 bytes |
#16
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,232
OS: Vista
Re: Internet Explorer opening popup ads at random
Hi,
Combofix Deletions
Code:
Killall::

File::
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\avg7coree.sys

Folder::
C:\Temp\tn3

RENV::
----a-w 495,616 2008-01-11 21:51:59 C:\WINDOWS\system32\hphmon05 .exe
----a-w 176,128 2008-01-11 21:51:58 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09 .exe

Driver::
avg7coree
usprserv
Please do an online scan with Kaspersky WebScanner.
Warning: If you had Kaspersky Online Scanner installed before 10-5-2007, please uninstall it, as Kaspersky released a new version. The previous version had a serious flaw which could result in a buffer overflow.
You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
On your next reply, please include a
#17
Registered User
Join Date: Jan 2008
Posts: 12
OS: xp sp2
Re: Internet Explorer opening popup ads at random
The popups stopped after running Combofix! Thank you so much!
![]() I'll post the logs anyway in case there's something else I should do. Thank you so much for all the help. Combofix--- ComboFix 08-01-23.2 - Kizlan 2008-01-26 5:36:45.6 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.627 [GMT -6:00] Running from: C:\Documents and Settings\Kizlan\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Kizlan\Desktop\CFscript.txt * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! FILE C:\WINDOWS\system32\drivers\avg7coree.sys C:\WINDOWS\system32\drivers\core.cache.dsk . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\temp\tn3 C:\WINDOWS\system32\drivers\avg7coree.sys C:\WINDOWS\system32\drivers\core.cache.dsk . ---- Previous Run ------- . C:\temp\tn3 C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\LEGACY_AVG7COREE -------\avg7coree -------\usprserv ((((((((((((((((((((((((( Files Created from 2007-12-26 to 2008-01-26 ))))))))))))))))))))))))))))))) . 2008-01-23 20:08 . 2008-01-23 20:08 <DIR> d-------- C:\Program Files\Java 2008-01-23 20:08 . 2008-01-23 20:08 <DIR> d-------- C:\Program Files\Common Files\Java 2008-01-23 20:08 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl 2008-01-20 13:23 . 2008-01-20 13:23 <DIR> d-------- C:\Deckard 2008-01-13 15:58 . 2008-01-15 18:56 4,566 --a------ C:\WINDOWS\imsins.BAK 2008-01-13 15:55 . 2007-07-09 07:16 582,656 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll 2008-01-12 14:28 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe 2008-01-12 12:15 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2008-01-12 11:06 . 2008-01-14 13:39 <DIR> d-------- C:\Program Files\SUPERAntiSpyware 2008-01-11 22:55 . 
2008-01-11 22:59 <DIR> d-------- C:\Program Files\SpywareBlaster 2008-01-11 20:13 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS 2008-01-11 20:07 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\keurhjbavoio.sys 2008-01-11 19:52 . 2008-01-11 22:30 <DIR> d-------- C:\WINDOWS\system32\ActiveScan 2008-01-11 19:52 . 2008-01-11 19:52 30,590 --a------ C:\WINDOWS\system32\pavas.ico 2008-01-11 19:52 . 2008-01-11 19:52 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico 2008-01-11 19:52 . 2008-01-11 19:52 1,406 --a------ C:\WINDOWS\system32\Help.ico 2008-01-11 15:49 . 2008-01-11 15:51 495,616 --a------ C:\WINDOWS\system32\hphmon05.exe 2007-12-30 02:13 . 2007-12-30 02:13 <DIR> d-------- C:\Program Files\Rosetta Stone . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-01-16 02:35 --------- d-----w C:\Program Files\GetRight 2008-01-12 17:05 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2008-01-12 04:07 --------- d-----w C:\Program Files\MagicISO 2008-01-12 03:55 --------- d-----w C:\Program Files\7-Zip 2007-12-30 08:14 --------- d--h--w C:\Program Files\InstallShield Installation Information 2007-12-13 17:25 --------- d-----w C:\Program Files\WoW UI Designer 2007-12-13 03:42 1,208 ----a-w C:\drmHeader.bin 2007-12-08 21:47 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE 2007-12-08 21:47 249,856 ------w C:\WINDOWS\Setup1.exe 2007-12-08 21:47 --------- d-----w C:\Program Files\Hero Editor 2005-10-11 11:12 251 ----a-w C:\Program Files\wt3d.ini 2001-10-20 06:23 135,168 ----a-w C:\Program Files\POREdit_1_9.exe . ((((((((((((((((((((((((((((( snapshot_2008-01-25_ 4.34.35.12 ))))))))))))))))))))))))))))))))))))))))) . 
- 2008-01-25 10:07:57 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-26 11:36:03 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-25 10:07:57 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-26 11:36:03 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-25 10:07:57 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
+ 2008-01-26 11:36:03 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
- 2008-01-25 10:07:57 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-26 11:36:03 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-25 10:07:58 14,422,016 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-26 11:36:04 14,422,016 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-25 10:07:58 151,552 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-26 11:36:04 151,552 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-11 21:51:58 176,128 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-11 16:45 204288]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-11 16:45 90112]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 22:20 339968 C:\WINDOWS\stsystra.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-01-11 16:45 139264]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2008-01-11 15:51 176128]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [ ]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25 6731312]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 12:56 64512]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-25 02:11 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PlexTools Professional.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Plextor!\PlexTools Professional.lnk
backup=C:\WINDOWS\pss\PlexTools Professional.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2008-01-11 16:45 152872 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
--a------ 2005-05-19 07:47 57344 C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-11-17 05:53 171464 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 2004-08-22 16:05 81920 C:\Program Files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 15:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
--a------ 2008-01-11 15:51 495616 C:\WINDOWS\system32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2004-09-14 07:50 53248 C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 14:57 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetscapeClient]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]
--a------ 2004-11-11 09:26 26112 C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a------ 2005-05-31 00:04 1415824 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a------ 2008-01-11 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)

R3 SetupSys;Conexant Setup API;C:\WINDOWS\system32\drivers\SetupSys.sys [2001-01-09 08:58]
S3 BW2NDIS5;BW2NDIS5;C:\WINDOWS\system32\Drivers\BW2NDIS5.sys []
S3 SWMX00;Sierra Wireless USB MUX Driver (#00);C:\WINDOWS\system32\DRIVERS\swmx00.sys []
S3 SWNC5E00;Sierra Wireless MUX NDIS Driver (#00);C:\WINDOWS\system32\DRIVERS\SWNC5E00.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ba2eef52-2005-11db-ab27-00038a000015}]
\Shell\AutoRun\command - G:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder
"2006-06-12 14:30:00 C:\WINDOWS\Tasks\abc.job" - C:\Program Files\ABC\abc.exe
"2008-01-26 10:54:01 C:\WINDOWS\Tasks\HP Usg Daily.job" - C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\pexpress\hphped05.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-26 05:50:01
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.

Hijackthis----
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:21, on 2008-01-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Kizlan\Desktop\Kizlan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemonsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://forums.worldofwarcraft.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1200089204515
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7327 bytes

Kaspersky----
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2008-01-27 13:19
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 26/01/2008
Kaspersky Anti-Virus database records: 533283
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 209156
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 04 53

Infected Object Name / Virus Name / Last Action
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped

Scan process completed.
#18
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,232
OS: Vista
Re: Internet Explorer opening popup ads at random
Hi,
Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.
Download the file & save it as it's originally named, next to ComboFix.exe.
Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it.
Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
When complete, a log named CF_RC.txt will open. Please post the contents of that log.
Please do not reboot your machine until we have reviewed the log.
__________________
UNITE and ASAP since 2006
If we have helped you, please consider donating.
The past won't be able to hurt you unless you keep on looking back at it.
Last edited by Angelfire777; 01-26-2008 at 03:53 PM.
#19
Registered User
Join Date: Jan 2008
Posts: 12
OS: xp sp2
Re: Internet Explorer opening popup ads at random
Sorry for the delay on this one. I wanted to be sure I did this when I was sure I wouldn't need to restart the system.
CF-RC.txt ----
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
#20
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,232
OS: Vista
Re: Internet Explorer opening popup ads at random
Looks good. Please post a fresh HijackThis log.
__________________
UNITE and ASAP since 2006
If we have helped you, please consider donating.
The past won't be able to hurt you unless you keep on looking back at it.