Constant IE pop ups and an unremovable virus

Fallenxiii · 06-07-2008, 03:30 AM

Hi,
I accidently installed a program the other day, no idea what it was! Since i've been getting pop ups whenever i use internet explorer. I've tried various ways of stopping them but i've had no luck so far. Also my anti virus software(shield deluxe) keeps picking up a trojan called Rootkit.Win32.Agent.to and it's always located in a file called tunmpp.sys, and can never remove it.

Here's my hijackthis log, any help would be great :-)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:27:30, on 07/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\1205853596\ee\AOLSoftware.exe
C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\VDOTool\TBPanel.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PC Optimizer\trayicon.exe
C:\Program Files\AOL 9.0\aoltray.exe
c:\program files\common files\aol\1205853596\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1205853596\ee\aolsoftware.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RabioBHO - {1C2E5D27-A17C-4D89-85DD-3553C189380D} - (no file)
O2 - BHO: (no name) - {26B7FF6F-A62E-43D1-9A82-769AC394B3D8} - C:\Program Files\Common Files\vaxuzaj89104.dll
O2 - BHO: (no name) - {3055295A-CCDD-44B2-9F73-D8E8E626E5C1} - C:\WINDOWS\system32\iifefca.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B9C02ECE-F41A-4362-BB65-6B441807FF6A} - C:\WINDOWS\system32\pmnlk.dll (file missing)
O2 - BHO: (no name) - {E1BFB528-4CEF-4198-A5A6-29B3058F8DF5} - C:\WINDOWS\system32\gebya.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1205853596\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Gainward] C:\Program Files\VDOTool\TBPanel.exe /A
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Dialer] C:\Program Files\Common Files\AOL\ACS\AOlDial.exe
O4 - HKCU\..\Run: [PC_OPT] C:\Program Files\PC Optimizer\trayicon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\scieplugin.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/comput...up/qdiagcc.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/...ploader4_5.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O20 - Winlogon Notify: iifefca - iifefca.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: The Shield Deluxe 2008 (AVP) - PCSecurityShield - C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9837 bytes

and here's my DSS scan

Deckard's System Scanner v20071014.68
Run by Jack on 2008-06-07 10:44:38
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
47: 2008-06-07 09:44:42 UTC - RP47 - Deckard's System Scanner Restore Point
46: 2008-06-07 09:42:51 UTC - RP46 - Installed Windows XP KB892130.
45: 2008-06-07 09:42:09 UTC - RP45 - Software Distribution Service 3.0
44: 2008-06-06 14:39:58 UTC - RP44 - Software Distribution Service 3.0
43: 2008-06-05 15:29:43 UTC - RP43 - System Checkpoint

-- First Restore Point --
1: 2008-04-26 21:41:54 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Jack.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:45:12, on 07/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\1205853596\ee\AOLSoftware.exe
C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\VDOTool\TBPanel.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PC Optimizer\trayicon.exe
C:\Program Files\AOL 9.0\aoltray.exe
c:\program files\common files\aol\1205853596\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1205853596\ee\aolsoftware.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jack\Local Settings\Temporary Internet Files\Content.IE5\1CRUEN2F\dss[1].exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Jack.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RabioBHO - {1C2E5D27-A17C-4D89-85DD-3553C189380D} - (no file)
O2 - BHO: (no name) - {26B7FF6F-A62E-43D1-9A82-769AC394B3D8} - C:\Program Files\Common Files\vaxuzaj89104.dll
O2 - BHO: (no name) - {3055295A-CCDD-44B2-9F73-D8E8E626E5C1} - C:\WINDOWS\system32\iifefca.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B9C02ECE-F41A-4362-BB65-6B441807FF6A} - C:\WINDOWS\system32\pmnlk.dll (file missing)
O2 - BHO: (no name) - {E1BFB528-4CEF-4198-A5A6-29B3058F8DF5} - C:\WINDOWS\system32\gebya.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1205853596\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Gainward] C:\Program Files\VDOTool\TBPanel.exe /A
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Dialer] C:\Program Files\Common Files\AOL\ACS\AOlDial.exe
O4 - HKCU\..\Run: [PC_OPT] C:\Program Files\PC Optimizer\trayicon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\scieplugin.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/comput...up/qdiagcc.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/...ploader4_5.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O20 - Winlogon Notify: iifefca - iifefca.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: The Shield Deluxe 2008 (AVP) - PCSecurityShield - C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 10340 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 tunmpp - c:\windows\system32\drivers\tunmpp.sys
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R3 AR5211 (TP-LINK Wireless Network Adapter Service) - c:\windows\system32\drivers\ar5211.sys <Not Verified; Atheros Communications, Inc.; Atheros AR5001 Wireless Network Adapter>

S2 GF0012 (GASIA Filter Driver) - c:\windows\system32\drivers\gf0012.sys

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 ForceWare Intelligent Application Manager (IAM) - c:\program files\nvidia corporation\networkaccessmanager\bin\nsvcappflt.exe <Not Verified; ; app_filter Module>

S2 AOLService (AOL Spyware Protection Service) - c:\progra~1\common~1\aol\aolspy~1\\aolserv.exe (file missing)
S3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>

-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Audio Controller
Device ID: PCI\VEN_1102&DEV_0007&SUBSYS_10131102&REV_00\4&1A82106&0&3078
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_1102&DEV_0007&SUBSYS_10131102&REV_00\4&1A82106&0&3078
Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\12B8C7311D800
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\12B8C7311D800
Service: NIC1394

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: NVIDIA nForce Networking Controller
Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0373\4&2C129357&0&00
Manufacturer: NVIDIA
Name: NVIDIA nForce Networking Controller
PNP Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0373\4&2C129357&0&00
Service: NVENETFD

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: NVIDIA nForce Networking Controller
Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0373\4&D0990A6&0&00
Manufacturer: NVIDIA
Name: NVIDIA nForce Networking Controller #2
PNP Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0373\4&D0990A6&0&00
Service: NVENETFD

Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
Description: Nokia N95 8GB
Device ID: ROOT\WPD\0000
Manufacturer: Nokia
Name: Nokia N95 8GB
PNP Device ID: ROOT\WPD\0000
Service: WUDFRd

-- Scheduled Tasks -------------------------------------------------------------

2008-06-07 09:01:04 330 --ah---c- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-06-02 23:12:00 284 --a----c- C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

-- Files created between 2008-05-07 and 2008-06-07 -----------------------------

2008-06-07 10:35:15 0 d------c- C:\Program Files\Panda Security
2008-06-07 10:35:14 0 d------c- C:\WINDOWS\LastGood
2008-06-07 09:53:08 0 d------c- C:\Program Files\Trend Micro
2008-06-06 20:50:09 0 d------c- C:\Program Files\PC Optimizer
2008-06-06 20:41:59 0 d------c- C:\Documents and Settings\All Users.WINDOWS\Application Data\PCPitstop
2008-05-17 14:07:22 0 d------c- C:\Documents and Settings\All Users.WINDOWS\Application Data\Adobe
2008-05-17 14:07:15 0 d------c- C:\Program Files\Common Files\Adobe
2008-05-15 20:30:40 0 d------c- C:\WINDOWS\.jagex_cache_32
2008-05-14 21:45:11 43520 --a----c- C:\WINDOWS\system32\CmdLineExt03.dll
2008-05-14 21:26:46 0 d------c- C:\Program Files\THQ
2008-05-14 21:26:46 0 d------c- C:\Extras
2008-05-14 21:26:46 0 d------c- C:\Autorun

-- Find3M Report ---------------------------------------------------------------

2008-06-07 10:03:30 0 d------c- C:\Documents and Settings\Jack\Application Data\LimeWire
2008-06-06 20:59:51 0 d------c- C:\Program Files\AOL 9.0
2008-05-17 14:26:06 0 d------c- C:\Documents and Settings\Jack\Application Data\Neopets Toolbar
2008-05-17 14:25:02 0 d------c- C:\Program Files\PartyGaming
2008-05-17 14:10:21 0 d------c- C:\Documents and Settings\Jack\Application Data\Adobe
2008-05-17 14:07:15 0 d------c- C:\Program Files\Common Files
2008-05-02 18:47:11 0 d--h---c- C:\Program Files\InstallShield Installation Information
2008-04-28 14:49:23 0 d------c- C:\Program Files\VDOTool
2008-04-28 14:39:04 0 d------c- C:\Program Files\Common Files\InstallShield
2008-04-28 13:27:02 664 --a----c- C:\WINDOWS\system32\d3d9caps.dat
2008-04-28 12:39:19 0 d------c- C:\Program Files\Common Files\AOL
2008-04-27 15:58:04 0 d------c- C:\Program Files\AOL Companion
2008-04-27 15:57:01 0 d------c- C:\Program Files\Learn2.com
2008-04-27 15:56:57 0 d------c- C:\Program Files\Common Files\aolshare
2008-04-22 10:59:14 0 d------c- C:\Program Files\Apple Software Update
2008-04-21 21:51:15 0 d------c- C:\Program Files\DivX
2008-04-17 13:21:04 4107159 --a----c- C:\Documents and Settings\Jack\Application Data\NMM-MetaData.db
2008-04-14 15:39:17 0 d------c- C:\Program Files\PCSecurityShield
2008-04-14 15:19:04 0 d--h---c- C:\Documents and Settings\Jack\Application Data\GTek
2008-04-14 13:48:55 0 d------c- C:\Program Files\Windows Media Connect 2
2008-04-08 18:13:27 0 d------c- C:\Documents and Settings\Jack\Application Data\Sun
2008-04-08 12:35:22 0 d------c- C:\Program Files\iTunes
2008-04-08 12:35:16 0 d------c- C:\Program Files\iPod
2008-04-08 12:34:40 0 d------c- C:\Program Files\QuickTime
2008-03-31 22:25:48 823296 --a----c- C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-31 22:25:48 823296 --a----c- C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-31 22:25:46 802816 --a----c- C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-03-31 22:25:46 831488 --a----c- C:\WINDOWS\system32\divx_xx0a.dll
2008-03-31 22:25:46 682496 --a----c- C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-23 22:42:01 6530 --ahs--c- C:\WINDOWS\system32\klnmp.ini2
2008-03-23 19:00:58 147456 --a----c- C:\WINDOWS\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>
2008-03-23 18:57:31 0 --a----c- C:\WINDOWS\tk58.exe
2008-03-21 21:30:08 3596288 --a----c- C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 21:28:54 196608 --a----c- C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-03-21 21:28:54 81920 --a----c- C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-03-21 21:28:20 12288 --a----c- C:\WINDOWS\system32\DivXWMPExtType.dll
2008-03-17 15:30:32 335 --a----c- C:\WINDOWS\nsreg.dat
2008-03-11 21:58:02 0 -rahs--c- C:\MSDOS.SYS
2008-03-11 21:58:02 0 -rahs--c- C:\IO.SYS
2008-03-11 21:58:02 0 --a----c- C:\CONFIG.SYS
2008-03-11 21:58:02 0 --a----c- C:\AUTOEXEC.BAT
2008-03-11 21:56:02 21640 --a----c- C:\WINDOWS\system32\emptyregdb.dat
2008-03-11 21:43:02 62 --ahs---- C:\Documents and Settings\Jack\Application Data\desktop.ini

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C2E5D27-A17C-4D89-85DD-3553C189380D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26B7FF6F-A62E-43D1-9A82-769AC394B3D8}]
08/02/2008 02:07 0 --a--c--- C:\Program Files\Common Files\vaxuzaj89104.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3055295A-CCDD-44B2-9F73-D8E8E626E5C1}]
C:\WINDOWS\system32\iifefca.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9C02ECE-F41A-4362-BB65-6B441807FF6A}]
C:\WINDOWS\system32\pmnlk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E1BFB528-4CEF-4198-A5A6-29B3058F8DF5}]
C:\WINDOWS\system32\gebya.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [03/11/2006 20:20]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [13/07/2006 09:12]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [19/09/2006 09:07]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [17/03/2008 15:31]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [28/03/2008 23:37]
"nwiz"="nwiz.exe" [12/04/2007 16:44 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/04/2007 16:44]
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [02/08/2007 15:30]
"HostManager"="C:\Program Files\Common Files\AOL\1205853596\ee\AOLSoftware.exe" [26/09/2006 01:52]
"AVP"="C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe" [23/08/2007 14:16]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [07/12/2007 16:30]
"Gainward"="C:\Program Files\VDOTool\TBPanel.exe" [23/04/2007 19:19]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [12/04/2007 16:44]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 22:16]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [28/02/2006 13:00]
"AOL Dialer"="C:\Program Files\Common Files\AOL\ACS\AOlDial.exe" [07/12/2007 16:30]
"PC_OPT"="C:\Program Files\PC Optimizer\trayicon.exe" [17/06/2003 23:39]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
AOL 9.0 Tray Icon.lnk - C:\Program Files\AOL 9.0\aoltray.exe [27/04/2008 15:50:35]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{3055295A-CCDD-44B2-9F73-D8E8E626E5C1}"= C:\WINDOWS\system32\iifefca.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifefca]
iifefca.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmnlk.dll

*Newly Created Service* - RKPAVPROC

-- End of Deckard's System Scanner: finished at 2008-06-07 10:46:21 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Core(TM)2 Quad CPU @ 2.40GHz
CPU 1: Intel(R) Core(TM)2 Quad CPU @ 2.40GHz
CPU 2: Intel(R) Core(TM)2 Quad CPU @ 2.40GHz
CPU 3: Intel(R) Core(TM)2 Quad CPU @ 2.40GHz
Percentage of Memory in Use: 24%
Physical Memory (total/avail): 3070.48 MiB / 2325.13 MiB
Pagefile Memory (total/avail): 4446.23 MiB / 3720.95 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1942.07 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 232.88 GiB total, 214.4 GiB free.
D: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - WDC WD2500JS-55NCB1 - 232.88 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 232.88 GiB - C:

\\.\PHYSICALDRIVE1 - WDC WD800JD-75MSA3 - 74.5 GiB - 0 partitions

-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: The Shield Deluxe 2008 v6.0.2.621 () Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AOL 9.0\\waol.exe"="C:\\Program Files\\AOL 9.0\\waol.exe:*:Enabled:AOL"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Enabled:Delivery Manager Service"
"C:\\Program Files\\AOL 9.0\\waol.exe"="C:\\Program Files\\AOL 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\THQ\\Dawn Of War\\W40k.exe"="C:\\Program Files\\THQ\\Dawn Of War\\W40k.exe:*:Enabled:W40k"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users.WINDOWS
APPDATA=C:\Documents and Settings\Jack\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=JACK-DBB9342E56
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Jack
LOGONSERVER=\\JACK-DBB9342E56
NUMBER_OF_PROCESSORS=4
OS=Windows_NT
Path=C:\Program Files\PC Connectivity Solution\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f07
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Jack\LOCALS~1\Temp
TMP=C:\DOCUME~1\Jack\LOCALS~1\Temp
USERDOMAIN=JACK-DBB9342E56
USERNAME=Jack
USERPROFILE=C:\Documents and Settings\Jack
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------

Jack (admin)

-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
AOL Coach Version 1.0(Build:20040229.1 uk) --> "C:\Program Files\Common Files\aolshare\Coach\AolCInUn.exe" -lang="en-uk"
AOL UK (Choose which version to remove) --> C:\Program Files\Common Files\aolshare\Aolunins_uk.exe
AOL Uninstaller --> C:\Program Files\Common Files\AOL\uninstaller.exe
AOL You've Got Pictures Screensaver --> C:\Program Files\Common Files\AOL\Screensaver\uninst_ygpss.exe
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
BBC iPlayer Download Manager --> MsiExec.exe /I {D466F3D9-510C-4729-B7D4-2E70490E4CDF}
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Dawn Of War --> MsiExec.exe /X{83F12F73-D52E-40C0-93B1-463C311C4E17}
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Guitar Pro 5.2 --> "C:\Program Files\Guitar Pro 5\unins000.exe"
High Definition Audio Driver Package - KB888111 --> C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
iPod for Windows 2005-09-23 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{D4936AAF-FFD0-44A1-A7EA-A2DB41CEB5BC} /l1033
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Java(TM) 6 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160040}
Java(TM) 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
LimeWire PRO 4.16.6 --> "C:\Program Files\LimeWire\uninstall.exe"
Logic3 PC USB Game Pad --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E61DC783-7C30-4D38-BFB6-DBC9917AD88E}\setup.exe" -l0x9 -removeonly
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWudf01005$\spuninst\spuninst.exe"
Microsoft Works 7.0 --> MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
Nokia Connectivity Cable Driver --> MsiExec.exe /X{972B1D9B-0EAD-49E8-B7D6-3B83FD5665B1}
Nokia Lifeblog 2.5 --> MsiExec.exe /I{E94603CA-2996-4154-8EE2-A5FCD4BFB500}
Nokia NSeries Application Installer --> MsiExec.exe /I{FD349381-D79C-4E5C-8980-015DFFB962D5}
Nokia NSeries Content Copier --> MsiExec.exe /X{F779EC8D-6703-4C4A-817C-37B07898E647}
Nokia NSeries Multimedia Player --> MsiExec.exe /I{FA25FAF6-3097-43C9-BBB2-A77CE8AF1881}
Nokia NSeries Music Manager --> MsiExec.exe /I{F89E5AD8-AE47-49B5-B9F9-C498791E6255}
Nokia NSeries One Touch Access --> MsiExec.exe /I{F4EE8763-EAA8-4BC1-8594-8501F5F00414}
Nokia NSeries System Utilities --> MsiExec.exe /X{F1932E56-8A95-40E0-A15B-E06B45969845}
Nokia Nseries Video Manager --> MsiExec.exe /X{2D21ECE3-8EC1-4315-AE4E-1970FB3AF17A}
Nokia Software Launcher --> MsiExec.exe /I{B53F4598-B3D9-41DF-911E-523FA91EE464}
Nokia Software Updater --> MsiExec.exe /X{20BCD471-7897-481D-ACF2-CB9BABF6A6CF}
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
NVIDIA ForceWare Network Access Manager --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{1F6423DE-7959-4178-80E0-023C7EAA5347} /l1033
NVIDIA WDM Drivers --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B023185F-F1EF-4F97-B0BD-AE6D802226D1}\setup.exe"
Panda ActiveScan 2.0 --> C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
PC Connectivity Solution --> MsiExec.exe /I{6094AB91-4CC8-498E-9DFF-134CC0B159DE}
PC Optimizer (Shareware Version) --> "C:\Program Files\PC Optimizer\unins000.exe"
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe" -l0x9 -removeonly
The Shield Deluxe 2008 --> MsiExec.exe /I{75193929-9A52-4CA4-98DE-8C7296940920}
The Shield Deluxe 2008 --> MsiExec.exe /I{75193929-9A52-4CA4-98DE-8C7296940920}
VDOTool 5.1 --> "C:\Program Files\VDOTool\unins000.exe"
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Driver Package - Nokia (WUDFRd) WPD (03/19/2007 6.83.31.1) --> C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\pccswpddri_039E7E24575DBAE6A389611AF28F4EB97729D33E\pccswpddriver.inf
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe

-- Application Event Log -------------------------------------------------------

Event Record #/Type2055 / Success
Event Submitted/Written: 06/06/2008 09:58:35 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type2054 / Error
Event Submitted/Written: 06/06/2008 09:45:13 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application wmplayer.exe, version 11.0.5721.5145, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type2053 / Error
Event Submitted/Written: 06/06/2008 09:44:56 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application wmplayer.exe, version 11.0.5721.5145, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00018fea.
Processing media-specific event for [wmplayer.exe!ws!]

Event Record #/Type2044 / Success
Event Submitted/Written: 06/05/2008 03:46:37 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type2041 / Error
Event Submitted/Written: 06/04/2008 10:50:22 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application wmplayer.exe, version 11.0.5721.5145, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00018fea.
Processing media-specific event for [wmplayer.exe!ws!]

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type17262 / Warning
Event Submitted/Written: 06/07/2008 10:45:28 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%JACK-DBB9342E5627 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %JACK-DBB9342E5627 can't undo changes that you allow.

For more information please see the following:
%JACK-DBB9342E56275

Scan ID: {E953FFF2-22CD-4612-95AE-56F8516F193D}

User: JACK-DBB9342E56\Jack

Name: %JACK-DBB9342E56271

ID: %JACK-DBB9342E56272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %JACK-DBB9342E56276

Alert Type: %JACK-DBB9342E56278

Detection Type: 1.1.1593.02

Event Record #/Type17261 / Warning
Event Submitted/Written: 06/07/2008 10:45:28 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%JACK-DBB9342E5627 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %JACK-DBB9342E5627 can't undo changes that you allow.

For more information please see the following:
%JACK-DBB9342E56275

Scan ID: {E0E9EABB-CB4B-41CA-AF2A-B7ACD61F1289}

User: JACK-DBB9342E56\Jack

Name: %JACK-DBB9342E56271

ID: %JACK-DBB9342E56272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %JACK-DBB9342E56276

Alert Type: %JACK-DBB9342E56278

Detection Type: 1.1.1593.02

Event Record #/Type17260 / Warning
Event Submitted/Written: 06/07/2008 10:45:28 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%JACK-DBB9342E5627 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %JACK-DBB9342E5627 can't undo changes that you allow.

For more information please see the following:
%JACK-DBB9342E56275

Scan ID: {4CB66B16-BAD8-405E-961D-27AF25F9E6E5}

User: JACK-DBB9342E56\Jack

Name: %JACK-DBB9342E56271

ID: %JACK-DBB9342E56272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %JACK-DBB9342E56276

Alert Type: %JACK-DBB9342E56278

Detection Type: 1.1.1593.02

Event Record #/Type17259 / Warning
Event Submitted/Written: 06/07/2008 10:45:26 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%JACK-DBB9342E5627 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %JACK-DBB9342E5627 can't undo changes that you allow.

For more information please see the following:
%JACK-DBB9342E56275

Scan ID: {9326F0BC-037B-46B2-9E29-0EB44CDA2B20}

User: JACK-DBB9342E56\Jack

Name: %JACK-DBB9342E56271

ID: %JACK-DBB9342E56272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %JACK-DBB9342E56276

Alert Type: %JACK-DBB9342E56278

Detection Type: 1.1.1593.02

Event Record #/Type17258 / Warning
Event Submitted/Written: 06/07/2008 10:45:26 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%JACK-DBB9342E5627 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %JACK-DBB9342E5627 can't undo changes that you allow.

For more information please see the following:
%JACK-DBB9342E56275

Scan ID: {986772FB-D43F-44AC-96A8-D99181C7CF8E}

User: JACK-DBB9342E56\Jack

Name: %JACK-DBB9342E56271

ID: %JACK-DBB9342E56272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %JACK-DBB9342E56276

Alert Type: %JACK-DBB9342E56278

Detection Type: 1.1.1593.02

-- End of Deckard's System Scanner: finished at 2008-06-07 10:46:21 ------------

Fallenxiii · 06-09-2008, 06:01 AM

-Bump-

tetonbob · 06-09-2008, 06:43 PM

Hi -

The Shield Deluxe seems to have rogue affiliations. I would completely uninstall it, and let us provide you with a better, FREE antivirus.

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery mode if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

As part of installing the Recovery Console, ComboFix will begin to run. Follow the prompts to install the Recovery Console. Your desktop may disappear. This is normal. It will return.

Once the Recovery Console is installed using ComboFix, you should see a message that says:

The Recovery Console was successfully installed.

Please continue as follows:

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

If you have any questions along the way, STOP and ask them before proceeding.

Fallenxiii · 06-11-2008, 07:28 AM

Ok i've run ComboFix - here's the log.

ComboFix 08-06-10.3 - Jack 2008-06-11 14:08:15.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2430 [GMT 1:00]
Running from: C:\Documents and Settings\Jack\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-05-11 to 2008-06-11 )))))))))))))))))))))))))))))))
.

2008-06-07 20:39 . 2008-06-07 20:41 <DIR> d----c--- C:\Documents and Settings\All Users.WINDOWS\Application Data\AOL Downloads
2008-06-07 20:30 . 2008-06-07 20:30 <DIR> d----c--- C:\Program Files\Viewpoint
2008-06-07 20:30 . 2008-06-07 20:30 <DIR> d----c--- C:\Documents and Settings\All Users.WINDOWS\Application Data\Viewpoint
2008-06-07 13:11 . 2008-06-07 13:11 110 --a--c--- C:\WINDOWS\GMouse.ini
2008-06-07 11:41 . 2008-06-07 11:41 53 --a--c--- C:\WINDOWS\system32\drivers\SecdelList.bin
2008-06-07 10:44 . 2008-06-07 10:44 <DIR> d----c--- C:\Deckard
2008-06-07 10:35 . 2008-06-07 10:35 <DIR> d----c--- C:\Program Files\Panda Security
2008-06-07 09:53 . 2008-06-07 09:53 <DIR> d----c--- C:\Program Files\Trend Micro
2008-06-06 20:50 . 2008-06-07 11:12 <DIR> d----c--- C:\Program Files\PC Optimizer
2008-06-06 20:41 . 2008-06-06 20:41 <DIR> d----c--- C:\Documents and Settings\All Users.WINDOWS\Application Data\PCPitstop
2008-05-17 14:07 . 2008-05-17 14:07 <DIR> d----c--- C:\Program Files\Common Files\Adobe
2008-05-15 20:30 . 2008-05-21 00:30 <DIR> d----c--- C:\WINDOWS\.jagex_cache_32
2008-05-14 21:45 . 2008-05-14 22:02 43,520 --a--c--- C:\WINDOWS\system32\CmdLineExt03.dll
2008-05-14 21:26 . 2008-05-14 21:26 <DIR> d----c--- C:\Program Files\THQ

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-11 13:16 16,601,120 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-11 13:13 644,384 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-11 13:12 167,976 -c----w C:\WINDOWS\system32\drivers\core.cache.dsk
2008-06-11 13:10 61,412 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-06-11 13:10 223,340 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-11 12:58 --------- dc----w C:\Documents and Settings\All Users.WINDOWS\Application Data\PCSecurityShield
2008-06-08 17:05 --------- dc----w C:\Documents and Settings\Jack\Application Data\LimeWire
2008-06-07 10:14 --------- dc----w C:\Program Files\Windows Media Connect 2
2008-06-06 19:59 --------- dc----w C:\Program Files\AOL 9.0
2008-05-30 14:29 88,774 -c--a-w C:\WINDOWS\system32\drivers\klick.dat
2008-05-28 17:17 96,966 -c--a-w C:\WINDOWS\system32\drivers\klin.dat
2008-05-17 13:26 --------- dc----w C:\Documents and Settings\Jack\Application Data\Neopets Toolbar
2008-05-02 17:47 --------- dc-h--w C:\Program Files\InstallShield Installation Information
2008-04-28 13:49 --------- dc----w C:\Program Files\VDOTool
2008-04-28 13:39 --------- dc----w C:\Program Files\Common Files\InstallShield
2008-04-28 11:39 --------- dc----w C:\Program Files\Common Files\AOL
2008-04-27 14:58 --------- dc----w C:\Program Files\AOL Companion
2008-04-27 14:56 --------- dc----w C:\Program Files\Common Files\aolshare
2008-04-27 14:56 --------- dc----w C:\Documents and Settings\All Users.WINDOWS\Application Data\AOL
2008-04-22 09:59 --------- dc----w C:\Program Files\Apple Software Update
2008-04-21 20:51 --------- dc----w C:\Program Files\DivX
2008-04-17 12:12 --------- dc----w C:\Documents and Settings\All Users.WINDOWS\Application Data\PC Suite
2008-04-15 12:30 --------- dc----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Kontiki
2008-04-14 14:39 --------- dc----w C:\Program Files\PCSecurityShield
2008-03-31 21:25 831,488 -c--a-w C:\WINDOWS\system32\divx_xx0a.dll
2008-03-31 21:25 823,296 -c--a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-03-31 21:25 823,296 -c--a-w C:\WINDOWS\system32\divx_xx07.dll
2008-03-31 21:25 802,816 -c--a-w C:\WINDOWS\system32\divx_xx11.dll
2008-03-31 21:25 682,496 -c--a-w C:\WINDOWS\system32\DivX.dll
2008-03-31 21:25 161,096 -c--a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-03-27 08:12 151,583 -c--a-w C:\WINDOWS\system32\msjint40.dll
2008-03-23 18:00 147,456 -c--a-w C:\WINDOWS\system32\vbzip10.dll
2008-03-21 20:30 524,288 -c--a-w C:\WINDOWS\system32\DivXsm.exe
2008-03-21 20:30 3,596,288 -c--a-w C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 20:30 200,704 -c--a-w C:\WINDOWS\system32\ssldivx.dll
2008-03-21 20:30 129,784 -c----w C:\WINDOWS\system32\pxafs.dll
2008-03-21 20:30 1,044,480 -c--a-w C:\WINDOWS\system32\libdivx.dll
2008-03-21 20:28 81,920 -c--a-w C:\WINDOWS\system32\dpl100.dll
2008-03-21 20:28 593,920 -c--a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-03-21 20:28 57,344 -c--a-w C:\WINDOWS\system32\dpv11.dll
2008-03-21 20:28 53,248 -c--a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-03-21 20:28 344,064 -c--a-w C:\WINDOWS\system32\dpus11.dll
2008-03-21 20:28 294,912 -c--a-w C:\WINDOWS\system32\dpu11.dll
2008-03-21 20:28 294,912 -c--a-w C:\WINDOWS\system32\dpu10.dll
2008-03-21 20:28 196,608 -c--a-w C:\WINDOWS\system32\dtu100.dll
2008-03-21 20:28 12,288 -c--a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-02-08 01:07 0 -c--a-w C:\Program Files\Common Files\vaxuzaj89104.dll
2005-07-29 16:24 0 -csha-r C:\WINDOWS\SmFjayBIdXRjaGluc29u\mAI3uV1Kxrl3u35RwZ6R.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26B7FF6F-A62E-43D1-9A82-769AC394B3D8}]
2008-02-08 02:07 0 --a--c--- C:\Program Files\Common Files\vaxuzaj89104.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9C02ECE-F41A-4362-BB65-6B441807FF6A}]
C:\WINDOWS\system32\pmnlk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E1BFB528-4CEF-4198-A5A6-29B3058F8DF5}]
C:\WINDOWS\system32\gebya.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 13:00 15360]
"AOL Dialer"="C:\Program Files\Common Files\AOL\ACS\AOlDial.exe" [2007-12-07 16:30 71008]
"PC_OPT"="C:\Program Files\PC Optimizer\trayicon.exe" [2003-06-17 23:39 71168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2006-09-19 09:07 827392]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2008-03-17 15:31 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"nwiz"="nwiz.exe" [2007-04-12 16:44 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-12 16:44 8429568]
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2007-08-02 15:30 3096576]
"HostManager"="C:\Program Files\Common Files\AOL\1205853596\ee\AOLSoftware.exe" [2006-09-26 01:52 50736]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2007-12-07 16:30 71008]
"Gainward"="C:\Program Files\VDOTool\TBPanel.exe" [2007-04-23 19:19 2165536]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-12 16:44 81920]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"AVP"="C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe" [2007-08-23 14:16 200768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 13:00 15360]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
AOL 9.0 Tray Icon.lnk - C:\Program Files\AOL 9.0\aoltray.exe [2008-04-27 15:50:35 156784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifefca]
iifefca.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\AOL 9.0\\waol.exe"=
"C:\\Program Files\\THQ\\Dawn Of War\\W40k.exe"=
"C:\\Program Files\\PCSecurityShield\\The Shield Deluxe 2008\\avp.exe"=

R1 tunmpp;tunmpp;C:\WINDOWS\system32\drivers\tunmpp.sys [2008-03-23 18:57]
S2 GF0012;GASIA Filter Driver;C:\WINDOWS\system32\DRIVERS\GF0012.sys [2006-05-19 14:15]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-02 22:12:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-11 13:15:59 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-11 14:13:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\AOL\1205853596\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1205853596\ee\anotify.exe
.
**************************************************************************
.
Completion time: 2008-06-11 14:22:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-11 13:22:23

Pre-Run: 230,128,492,544 bytes free
Post-Run: 230,153,945,088 bytes free

165 --- E O F --- 2008-05-30 14:30:16

And here's the Hijack this log -

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:27:36, on 11/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\1205853596\ee\AOLSoftware.exe
C:\Program Files\VDOTool\TBPanel.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PC Optimizer\trayicon.exe
C:\Program Files\AOL 9.0\aoltray.exe
c:\program files\common files\aol\1205853596\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1205853596\ee\aolsoftware.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {26B7FF6F-A62E-43D1-9A82-769AC394B3D8} - C:\Program Files\Common Files\vaxuzaj89104.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B9C02ECE-F41A-4362-BB65-6B441807FF6A} - C:\WINDOWS\system32\pmnlk.dll (file missing)
O2 - BHO: (no name) - {E1BFB528-4CEF-4198-A5A6-29B3058F8DF5} - C:\WINDOWS\system32\gebya.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1205853596\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Gainward] C:\Program Files\VDOTool\TBPanel.exe /A
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Dialer] C:\Program Files\Common Files\AOL\ACS\AOlDial.exe
O4 - HKCU\..\Run: [PC_OPT] C:\Program Files\PC Optimizer\trayicon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\scieplugin.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aolsvc.aol.co.uk/comput...up/qdiagcc.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/...ploader4_5.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O20 - Winlogon Notify: iifefca - iifefca.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: The Shield Deluxe 2008 (AVP) - PCSecurityShield - C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8595 bytes

I am still getting pop ups, not sure if ComboFix was meant to fix that....?

tetonbob · 06-11-2008, 08:12 AM

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Quote:

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

This machine does not have the Windows XP Recovery Console installed.

The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

Please do this:

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System

For you, it's the file at this link:

http://www.microsoft.com/downloads/d...displaylang=en

Download the file & save it as it's originally named, next to ComboFix.exe.

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

As part of installing the Recovery Console, ComboFix will begin to run. Follow the prompts to install the Recovery Console. Your desktop may disappear. This is normal. It will return.

Once the Recovery Console is installed using ComboFix, you should see a message that says:

The Recovery Console was successfully installed.

Click on No.

When complete, a log named CF_RC.txt will open. Please post the contents of that log in your next reply, after following these next steps:

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.

Open notepad and copy/paste the text in the quotebox below into it:

Quote:

http://www.techsupportforum.com/security-center/hijackthis-log-help/257174-constant-ie-pop-ups-unremovable-virus.html

File::
C:\WINDOWS\system32\drivers\core.cache.dsk

Folder::
C:\WINDOWS\SmFjayBIdXRjaGluc29u

Driver::
tunmpp

Collect::
C:\WINDOWS\system32\drivers\tunmpp.sys
C:\Program Files\Common Files\vaxuzaj89104.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26B7FF6F-A62E-43D1-9A82-769AC394B3D8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9C02ECE-F41A-4362-BB65-6B441807FF6A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E1BFB528-4CEF-4198-A5A6-29B3058F8DF5}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifefca]

Save this as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis. Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file.
Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.

---------------------------------------------------------------------------------------------
Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Fallenxiii · 06-17-2008, 09:35 AM

Combofix log

ComboFix 08-06-10.3 - Jack 2008-06-17 16:30:02.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2568 [GMT 1:00]
Running from: C:\Documents and Settings\Jack\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jack\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\drivers\core.cache.dsk
.

((((((((((((((((((((((((( Files Created from 2008-05-17 to 2008-06-17 )))))))))))))))))))))))))))))))
.

2008-06-16 13:38 . 2008-04-14 12:01 272,128 -----c--- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-16 13:38 . 2008-04-14 12:01 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-07 20:39 . 2008-06-07 20:41 <DIR> d----c--- C:\Documents and Settings\All Users.WINDOWS\Application Data\AOL Downloads
2008-06-07 20:30 . 2008-06-07 20:30 <DIR> d----c--- C:\Program Files\Viewpoint
2008-06-07 20:30 . 2008-06-07 20:30 <DIR> d----c--- C:\Documents and Settings\All Users.WINDOWS\Application Data\Viewpoint
2008-06-07 13:11 . 2008-06-07 13:11 110 --a--c--- C:\WINDOWS\GMouse.ini
2008-06-07 11:41 . 2008-06-07 11:41 53 --a--c--- C:\WINDOWS\system32\drivers\SecdelList.bin
2008-06-07 10:44 . 2008-06-07 10:44 <DIR> d----c--- C:\Deckard
2008-06-07 10:35 . 2008-06-07 10:35 <DIR> d----c--- C:\Program Files\Panda Security
2008-06-07 09:53 . 2008-06-07 09:53 <DIR> d----c--- C:\Program Files\Trend Micro
2008-06-06 20:50 . 2008-06-07 11:12 <DIR> d----c--- C:\Program Files\PC Optimizer
2008-06-06 20:41 . 2008-06-06 20:41 <DIR> d----c--- C:\Documents and Settings\All Users.WINDOWS\Application Data\PCPitstop
2008-05-17 14:07 . 2008-05-17 14:07 <DIR> d----c--- C:\Program Files\Common Files\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-17 15:31 665,632 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-17 15:31 16,855,584 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-17 15:24 --------- dc----w C:\Documents and Settings\All Users.WINDOWS\Application Data\PCSecurityShield
2008-06-17 15:20 63,308 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-06-17 15:20 226,508 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-08 17:05 --------- dc----w C:\Documents and Settings\Jack\Application Data\LimeWire
2008-06-07 10:14 --------- dc----w C:\Program Files\Windows Media Connect 2
2008-06-06 19:59 --------- dc----w C:\Program Files\AOL 9.0
2008-05-30 14:29 88,774 -c--a-w C:\WINDOWS\system32\drivers\klick.dat
2008-05-28 17:17 96,966 -c--a-w C:\WINDOWS\system32\drivers\klin.dat
2008-05-17 13:26 --------- dc----w C:\Documents and Settings\Jack\Application Data\Neopets Toolbar
2008-05-14 21:02 43,520 -c--a-w C:\WINDOWS\system32\CmdLineExt03.dll
2008-05-14 20:26 --------- dc----w C:\Program Files\THQ
2008-05-08 12:28 202,752 -c--a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 -c--a-w C:\WINDOWS\system32\quartz.dll
2008-05-02 17:47 --------- dc-h--w C:\Program Files\InstallShield Installation Information
2008-04-28 13:49 --------- dc----w C:\Program Files\VDOTool
2008-04-28 13:39 --------- dc----w C:\Program Files\Common Files\InstallShield
2008-04-28 11:39 --------- dc----w C:\Program Files\Common Files\AOL
2008-04-27 14:58 --------- dc----w C:\Program Files\AOL Companion
2008-04-27 14:56 --------- dc----w C:\Program Files\Common Files\aolshare
2008-04-27 14:56 --------- dc----w C:\Documents and Settings\All Users.WINDOWS\Application Data\AOL
2008-04-23 04:16 826,368 -c--a-w C:\WINDOWS\system32\wininet.dll
2008-04-22 09:59 --------- dc----w C:\Program Files\Apple Software Update
2008-04-21 20:51 --------- dc----w C:\Program Files\DivX
2008-04-17 12:12 --------- dc----w C:\Documents and Settings\All Users.WINDOWS\Application Data\PC Suite
2008-03-31 21:25 831,488 -c--a-w C:\WINDOWS\system32\divx_xx0a.dll
2008-03-31 21:25 823,296 -c--a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-03-31 21:25 823,296 -c--a-w C:\WINDOWS\system32\divx_xx07.dll
2008-03-31 21:25 802,816 -c--a-w C:\WINDOWS\system32\divx_xx11.dll
2008-03-31 21:25 682,496 -c--a-w C:\WINDOWS\system32\DivX.dll
2008-03-31 21:25 161,096 -c--a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-03-27 08:12 151,583 -c--a-w C:\WINDOWS\system32\msjint40.dll
2008-03-23 18:00 147,456 -c--a-w C:\WINDOWS\system32\vbzip10.dll
2008-03-21 20:30 524,288 -c--a-w C:\WINDOWS\system32\DivXsm.exe
2008-03-21 20:30 3,596,288 -c--a-w C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 20:30 200,704 -c--a-w C:\WINDOWS\system32\ssldivx.dll
2008-03-21 20:30 129,784 -c----w C:\WINDOWS\system32\pxafs.dll
2008-03-21 20:30 1,044,480 -c--a-w C:\WINDOWS\system32\libdivx.dll
2008-03-21 20:28 81,920 -c--a-w C:\WINDOWS\system32\dpl100.dll
2008-03-21 20:28 593,920 -c--a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-03-21 20:28 57,344 -c--a-w C:\WINDOWS\system32\dpv11.dll
2008-03-21 20:28 53,248 -c--a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-03-21 20:28 344,064 -c--a-w C:\WINDOWS\system32\dpus11.dll
2008-03-21 20:28 294,912 -c--a-w C:\WINDOWS\system32\dpu11.dll
2008-03-21 20:28 294,912 -c--a-w C:\WINDOWS\system32\dpu10.dll
2008-03-21 20:28 196,608 -c--a-w C:\WINDOWS\system32\dtu100.dll
2008-03-21 20:28 12,288 -c--a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
.

((((((((((((((((((((((((((((( snapshot_2008-06-16_15.06.36.15 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-16 13:56:43 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-17 15:24:11 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 13:00 15360]
"AOL Dialer"="C:\Program Files\Common Files\AOL\ACS\AOlDial.exe" [2007-12-07 16:30 71008]
"PC_OPT"="C:\Program Files\PC Optimizer\trayicon.exe" [2003-06-17 23:39 71168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2006-09-19 09:07 827392]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2008-03-17 15:31 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"nwiz"="nwiz.exe" [2007-04-12 16:44 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-12 16:44 8429568]
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2007-08-02 15:30 3096576]
"HostManager"="C:\Program Files\Common Files\AOL\1205853596\ee\AOLSoftware.exe" [2006-09-26 01:52 50736]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2007-12-07 16:30 71008]
"Gainward"="C:\Program Files\VDOTool\TBPanel.exe" [2007-04-23 19:19 2165536]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-12 16:44 81920]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 13:00 15360]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
AOL 9.0 Tray Icon.lnk - C:\Program Files\AOL 9.0\aoltray.exe [2008-04-27 15:50:35 156784]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\AOL 9.0\\waol.exe"=
"C:\\Program Files\\THQ\\Dawn Of War\\W40k.exe"=
"C:\\Program Files\\PCSecurityShield\\The Shield Deluxe 2008\\avp.exe"=

S2 GF0012;GASIA Filter Driver;C:\WINDOWS\system32\DRIVERS\GF0012.sys [2006-05-19 14:15]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-02 22:12:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-17 15:27:16 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-17 16:31:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-17 16:32:37
ComboFix-quarantined-files.txt 2008-06-17 15:32:35
ComboFix2.txt 2008-06-16 16:01:47
ComboFix3.txt 2008-06-16 14:07:27
ComboFix4.txt 2008-06-16 13:01:33
ComboFix5.txt 2008-06-11 13:22:29

Pre-Run: 229,927,591,936 bytes free
Post-Run: 229,914,324,992 bytes free

144 --- E O F --- 2008-06-16 13:02:41

and the Hijack this log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:34:19, on 17/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\1205853596\ee\AOLSoftware.exe
C:\Program Files\VDOTool\TBPanel.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AOL 9.0\aoltray.exe
c:\program files\common files\aol\1205853596\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1205853596\ee\aolsoftware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1205853596\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Gainward] C:\Program Files\VDOTool\TBPanel.exe /A
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Dialer] C:\Program Files\Common Files\AOL\ACS\AOlDial.exe
O4 - HKCU\..\Run: [PC_OPT] C:\Program Files\PC Optimizer\trayicon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\scieplugin.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aolsvc.aol.co.uk/comput...up/qdiagcc.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/...ploader4_5.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: The Shield Deluxe 2008 (AVP) - PCSecurityShield - C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8169 bytes

Well the problem seems to have been solved

Thanks for the help

tetonbob · 06-17-2008, 09:43 AM

We will still have some steps to take care of, to ensure the infection is truly vanquished, and help ensure no remnants are present.

Did you have some trouble with ComboFix? I see it's been run several times.

Please post this log:

C:\Qoobox\ComboFix5.txt

Fallenxiii · 06-17-2008, 10:46 AM

Hi,
ComboFix didn't bring the logs up on a few occasions.

Here's the one you requested, but for some reason it says I don't have the recovery console installed although i definatly installed it.

ComboFix 08-06-10.3 - Jack 2008-06-11 14:08:15.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2430 [GMT 1:00]
Running from: C:\Documents and Settings\Jack\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-05-11 to 2008-06-11 )))))))))))))))))))))))))))))))
.

2008-06-07 20:39 . 2008-06-07 20:41 <DIR> d----c--- C:\Documents and Settings\All Users.WINDOWS\Application Data\AOL Downloads
2008-06-07 20:30 . 2008-06-07 20:30 <DIR> d----c--- C:\Program Files\Viewpoint
2008-06-07 20:30 . 2008-06-07 20:30 <DIR> d----c--- C:\Documents and Settings\All Users.WINDOWS\Application Data\Viewpoint
2008-06-07 13:11 . 2008-06-07 13:11 110 --a--c--- C:\WINDOWS\GMouse.ini
2008-06-07 11:41 . 2008-06-07 11:41 53 --a--c--- C:\WINDOWS\system32\drivers\SecdelList.bin
2008-06-07 10:44 . 2008-06-07 10:44 <DIR> d----c--- C:\Deckard
2008-06-07 10:35 . 2008-06-07 10:35 <DIR> d----c--- C:\Program Files\Panda Security
2008-06-07 09:53 . 2008-06-07 09:53 <DIR> d----c--- C:\Program Files\Trend Micro
2008-06-06 20:50 . 2008-06-07 11:12 <DIR> d----c--- C:\Program Files\PC Optimizer
2008-06-06 20:41 . 2008-06-06 20:41 <DIR> d----c--- C:\Documents and Settings\All Users.WINDOWS\Application Data\PCPitstop
2008-05-17 14:07 . 2008-05-17 14:07 <DIR> d----c--- C:\Program Files\Common Files\Adobe
2008-05-15 20:30 . 2008-05-21 00:30 <DIR> d----c--- C:\WINDOWS\.jagex_cache_32
2008-05-14 21:45 . 2008-05-14 22:02 43,520 --a--c--- C:\WINDOWS\system32\CmdLineExt03.dll
2008-05-14 21:26 . 2008-05-14 21:26 <DIR> d----c--- C:\Program Files\THQ

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-11 13:16 16,601,120 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-11 13:13 644,384 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-11 13:12 167,976 -c----w C:\WINDOWS\system32\drivers\core.cache.dsk
2008-06-11 13:10 61,412 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-06-11 13:10 223,340 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-11 12:58 --------- dc----w C:\Documents and Settings\All Users.WINDOWS\Application Data\PCSecurityShield
2008-06-08 17:05 --------- dc----w C:\Documents and Settings\Jack\Application Data\LimeWire
2008-06-07 10:14 --------- dc----w C:\Program Files\Windows Media Connect 2
2008-06-06 19:59 --------- dc----w C:\Program Files\AOL 9.0
2008-05-30 14:29 88,774 -c--a-w C:\WINDOWS\system32\drivers\klick.dat
2008-05-28 17:17 96,966 -c--a-w C:\WINDOWS\system32\drivers\klin.dat
2008-05-17 13:26 --------- dc----w C:\Documents and Settings\Jack\Application Data\Neopets Toolbar
2008-05-02 17:47 --------- dc-h--w C:\Program Files\InstallShield Installation Information
2008-04-28 13:49 --------- dc----w C:\Program Files\VDOTool
2008-04-28 13:39 --------- dc----w C:\Program Files\Common Files\InstallShield
2008-04-28 11:39 --------- dc----w C:\Program Files\Common Files\AOL
2008-04-27 14:58 --------- dc----w C:\Program Files\AOL Companion
2008-04-27 14:56 --------- dc----w C:\Program Files\Common Files\aolshare
2008-04-27 14:56 --------- dc----w C:\Documents and Settings\All Users.WINDOWS\Application Data\AOL
2008-04-22 09:59 --------- dc----w C:\Program Files\Apple Software Update
2008-04-21 20:51 --------- dc----w C:\Program Files\DivX
2008-04-17 12:12 --------- dc----w C:\Documents and Settings\All Users.WINDOWS\Application Data\PC Suite
2008-04-15 12:30 --------- dc----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Kontiki
2008-04-14 14:39 --------- dc----w C:\Program Files\PCSecurityShield
2008-03-31 21:25 831,488 -c--a-w C:\WINDOWS\system32\divx_xx0a.dll
2008-03-31 21:25 823,296 -c--a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-03-31 21:25 823,296 -c--a-w C:\WINDOWS\system32\divx_xx07.dll
2008-03-31 21:25 802,816 -c--a-w C:\WINDOWS\system32\divx_xx11.dll
2008-03-31 21:25 682,496 -c--a-w C:\WINDOWS\system32\DivX.dll
2008-03-31 21:25 161,096 -c--a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-03-27 08:12 151,583 -c--a-w C:\WINDOWS\system32\msjint40.dll
2008-03-23 18:00 147,456 -c--a-w C:\WINDOWS\system32\vbzip10.dll
2008-03-21 20:30 524,288 -c--a-w C:\WINDOWS\system32\DivXsm.exe
2008-03-21 20:30 3,596,288 -c--a-w C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 20:30 200,704 -c--a-w C:\WINDOWS\system32\ssldivx.dll
2008-03-21 20:30 129,784 -c----w C:\WINDOWS\system32\pxafs.dll
2008-03-21 20:30 1,044,480 -c--a-w C:\WINDOWS\system32\libdivx.dll
2008-03-21 20:28 81,920 -c--a-w C:\WINDOWS\system32\dpl100.dll
2008-03-21 20:28 593,920 -c--a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-03-21 20:28 57,344 -c--a-w C:\WINDOWS\system32\dpv11.dll
2008-03-21 20:28 53,248 -c--a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-03-21 20:28 344,064 -c--a-w C:\WINDOWS\system32\dpus11.dll
2008-03-21 20:28 294,912 -c--a-w C:\WINDOWS\system32\dpu11.dll
2008-03-21 20:28 294,912 -c--a-w C:\WINDOWS\system32\dpu10.dll
2008-03-21 20:28 196,608 -c--a-w C:\WINDOWS\system32\dtu100.dll
2008-03-21 20:28 12,288 -c--a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-02-08 01:07 0 -c--a-w C:\Program Files\Common Files\vaxuzaj89104.dll
2005-07-29 16:24 0 -csha-r C:\WINDOWS\SmFjayBIdXRjaGluc29u\mAI3uV1Kxrl3u35RwZ6R.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26B7FF6F-A62E-43D1-9A82-769AC394B3D8}]
2008-02-08 02:07 0 --a--c--- C:\Program Files\Common Files\vaxuzaj89104.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9C02ECE-F41A-4362-BB65-6B441807FF6A}]
C:\WINDOWS\system32\pmnlk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E1BFB528-4CEF-4198-A5A6-29B3058F8DF5}]
C:\WINDOWS\system32\gebya.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 13:00 15360]
"AOL Dialer"="C:\Program Files\Common Files\AOL\ACS\AOlDial.exe" [2007-12-07 16:30 71008]
"PC_OPT"="C:\Program Files\PC Optimizer\trayicon.exe" [2003-06-17 23:39 71168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2006-09-19 09:07 827392]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2008-03-17 15:31 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"nwiz"="nwiz.exe" [2007-04-12 16:44 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-12 16:44 8429568]
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2007-08-02 15:30 3096576]
"HostManager"="C:\Program Files\Common Files\AOL\1205853596\ee\AOLSoftware.exe" [2006-09-26 01:52 50736]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2007-12-07 16:30 71008]
"Gainward"="C:\Program Files\VDOTool\TBPanel.exe" [2007-04-23 19:19 2165536]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-12 16:44 81920]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"AVP"="C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe" [2007-08-23 14:16 200768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 13:00 15360]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
AOL 9.0 Tray Icon.lnk - C:\Program Files\AOL 9.0\aoltray.exe [2008-04-27 15:50:35 156784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifefca]
iifefca.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\AOL 9.0\\waol.exe"=
"C:\\Program Files\\THQ\\Dawn Of War\\W40k.exe"=
"C:\\Program Files\\PCSecurityShield\\The Shield Deluxe 2008\\avp.exe"=

R1 tunmpp;tunmpp;C:\WINDOWS\system32\drivers\tunmpp.sys [2008-03-23 18:57]
S2 GF0012;GASIA Filter Driver;C:\WINDOWS\system32\DRIVERS\GF0012.sys [2006-05-19 14:15]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-02 22:12:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-11 13:15:59 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-11 14:13:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\AOL\1205853596\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1205853596\ee\anotify.exe
.
**************************************************************************
.
Completion time: 2008-06-11 14:22:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-11 13:22:23

Pre-Run: 230,128,492,544 bytes free
Post-Run: 230,153,945,088 bytes free

165 --- E O F --- 2008-05-30 14:30:16

tetonbob · 06-17-2008, 12:20 PM

Ok, thanks...it does appear that the targeted files and service were removed one of those passes.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Download the latest version of Java Runtime Environment (JRE) 6 Update 6 and save it to your desktop.
Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 6. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the "Download" button to the right.
Select the Windows platform from the dropdown menu.
Read the License Agreement and then check the box that says: "Accept License Agreement". Click on Continue.The page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.

After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
- On the General tab, under Temporary Internet Files, click the Settings button.
- Next, click on the Delete Files button
- There are two options in the window to clear the cache - Leave BOTH Checked
  - Applications and Applets
    Trace and Log Files
- Click OK on Delete Temporary Files Window
  Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
- Click OK to leave the Temporary Files Window
- Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------

Go here to run an online scannner from ESET.

Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic, along with a new HijackThis log, and also let me know how things are now.

Fallenxiii · 06-17-2008, 02:44 PM

Ok, i've installed the new java version. Everything seems to be running great, no pop ups at all!

So can i uninstall Combofix and Hijack this now?

here's the online scan

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3195 (20080617)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=d1d3a7ec373094408efc7b6eb5900fee
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-06-17 08:39:55
# local_time=2008-06-17 09:39:55 (+0000, GMT Standard Time)
# country="United Kingdom"
# osver=5.1.2600 NT Service Pack 2
# scanned=158229
# found=0
# scan_time=1140

and here's the hijack this log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:43:24, on 17/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\1205853596\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\VDOTool\TBPanel.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PC Optimizer\trayicon.exe
C:\Program Files\AOL 9.0\aoltray.exe
c:\program files\common files\aol\1205853596\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1205853596\ee\aolsoftware.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Documents and Settings\Jack\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1205853596\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Gainward] C:\Program Files\VDOTool\TBPanel.exe /A
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Dialer] C:\Program Files\Common Files\AOL\ACS\AOlDial.exe
O4 - HKCU\..\Run: [PC_OPT] C:\Program Files\PC Optimizer\trayicon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\scieplugin.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aolsvc.aol.co.uk/comput...up/qdiagcc.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/...ploader4_5.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: The Shield Deluxe 2008 (AVP) - PCSecurityShield - C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8218 bytes

tetonbob · 06-17-2008, 04:24 PM

Your logs appear clean.You should be good to go. We still have a few items to address.

Yes, you can uninstall HijackThis. This next step will uninstall ComboFix and some associated files and folders.

Go to

-> Run -> copy/paste in the following single line command & click OK

combofix /u

This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and use the following free programs:

Microsoft Windows Update - http://www.windowsupdate.com
Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
SpywareBlaster to help prevent spyware from installing in the first place.
- Install & update SpywareBlaster with the latest definitions.
  After you have updated, click the button - enable protection for all unprotected items
Winpatrol

Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

You can get a free copy of Winpatrol or use the Plus version for more features.

You can read Winpatrol's FAQ if you run into problems.
MVPS HOST FILE
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
- Download Host.zip to your desktop.
- From your Desktop right-click (hosts.zip) and select:
  Extract All from the menu.
- Click Next, click Next, select the option:
  "Show Extracted files", click Finish
- This will open the newly created hosts folder on your Desktop.
- Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
- Once updated you should see another prompt that the task was completed.
ANTIVIRUS SOFTWARE
It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

Do not install more than one AntiVirus program because they will conflict with each other.
FIREWALL
Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here

Do not install more than one firewall program because they will conflict with each other.

Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

Here are some additional utilities that will further enhance your safety.

http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. While Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP//Vista. It's made up of two parts - ERUNT & NTREGOPT.

ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.

NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

Fallenxiii · 06-18-2008, 01:22 AM

Great stuff, all done! Thanks for all the help

tetonbob · 06-18-2008, 01:11 PM

You're quite welcome!

Surf Safely, and Think Prevention!

Since this issue is resolved, this topic will be archived.

06-07-2008, 03:30 AM	#1 (permalink)
Fallenxiii Registered User Join Date: Jun 2008 Posts: 7 OS: XP	Constant IE pop ups and an unremovable virus Hi, I accidently installed a program the other day, no idea what it was! Since i've been getting pop ups whenever i use internet explorer. I've tried various ways of stopping them but i've had no luck so far. Also my anti virus software(shield deluxe) keeps picking up a trojan called Rootkit.Win32.Agent.to and it's always located in a file called tunmpp.sys, and can never remove it. Here's my hijackthis log, any help would be great :-) Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:27:30, on 07/06/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\wanmpsvc.exe C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe C:\Program Files\Analog Devices\SoundMAX\Smax4.exe C:\WINDOWS\vsnpstd3.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\Program Files\Common Files\AOL\1205853596\ee\AOLSoftware.exe C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe C:\Program Files\Common Files\AOL\ACS\AOLDial.exe C:\Program Files\Common Files\AOL\Loader\aolload.exe C:\Program Files\VDOTool\TBPanel.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\WINDOWS\system32\ctfmon.exe C:\Program Files\PC Optimizer\trayicon.exe C:\Program Files\AOL 9.0\aoltray.exe c:\program files\common files\aol\1205853596\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe c:\program files\common files\aol\1205853596\ee\aolsoftware.exe C:\Program Files\iTunes\iTunes.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.co.uk/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: RabioBHO - {1C2E5D27-A17C-4D89-85DD-3553C189380D} - (no file) O2 - BHO: (no name) - {26B7FF6F-A62E-43D1-9A82-769AC394B3D8} - C:\Program Files\Common Files\vaxuzaj89104.dll O2 - BHO: (no name) - {3055295A-CCDD-44B2-9F73-D8E8E626E5C1} - C:\WINDOWS\system32\iifefca.dll (file missing) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: (no name) - {B9C02ECE-F41A-4362-BB65-6B441807FF6A} - C:\WINDOWS\system32\pmnlk.dll (file missing) O2 - BHO: (no name) - {E1BFB528-4CEF-4198-A5A6-29B3058F8DF5} - C:\WINDOWS\system32\gebya.dll (file missing) O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1205853596\ee\AOLSoftware.exe O4 - HKLM\..\Run: [AVP] "C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe" O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe O4 - HKLM\..\Run: [Gainward] C:\Program Files\VDOTool\TBPanel.exe /A O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [AOL Dialer] C:\Program Files\Common Files\AOL\ACS\AOlDial.exe O4 - HKCU\..\Run: [PC_OPT] C:\Program Files\PC Optimizer\trayicon.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\scieplugin.dll O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing) O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing) O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/comput...up/qdiagcc.cab O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/...ploader4_5.cab O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll O20 - Winlogon Notify: iifefca - iifefca.dll (file missing) O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing) O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: The Shield Deluxe 2008 (AVP) - PCSecurityShield - C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe -- End of file - 9837 bytes and here's my DSS scan Deckard's System Scanner v20071014.68 Run by Jack on 2008-06-07 10:44:38 Computer is in Normal Mode. -------------------------------------------------------------------------------- -- System Restore -------------------------------------------------------------- Successfully created a Deckard's System Scanner Restore Point. -- Last 5 Restore Point(s) -- 47: 2008-06-07 09:44:42 UTC - RP47 - Deckard's System Scanner Restore Point 46: 2008-06-07 09:42:51 UTC - RP46 - Installed Windows XP KB892130. 45: 2008-06-07 09:42:09 UTC - RP45 - Software Distribution Service 3.0 44: 2008-06-06 14:39:58 UTC - RP44 - Software Distribution Service 3.0 43: 2008-06-05 15:29:43 UTC - RP43 - System Checkpoint -- First Restore Point -- 1: 2008-04-26 21:41:54 UTC - RP1 - System Checkpoint Backed up registry hives. Performed disk cleanup. -- HijackThis (run as Jack.exe) ------------------------------------------------ Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:45:12, on 07/06/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\wanmpsvc.exe C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe C:\Program Files\Analog Devices\SoundMAX\Smax4.exe C:\WINDOWS\vsnpstd3.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\Program Files\Common Files\AOL\1205853596\ee\AOLSoftware.exe C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\Program Files\Common Files\AOL\ACS\AOLDial.exe C:\Program Files\Common Files\AOL\Loader\aolload.exe C:\Program Files\VDOTool\TBPanel.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\WINDOWS\system32\ctfmon.exe C:\Program Files\PC Optimizer\trayicon.exe C:\Program Files\AOL 9.0\aoltray.exe c:\program files\common files\aol\1205853596\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe c:\program files\common files\aol\1205853596\ee\aolsoftware.exe C:\WINDOWS\System32\alg.exe C:\Program Files\iTunes\iTunes.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\Jack\Local Settings\Temporary Internet Files\Content.IE5\1CRUEN2F\dss[1].exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\PROGRA~1\TRENDM~1\HIJACK~1\Jack.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.co.uk/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: RabioBHO - {1C2E5D27-A17C-4D89-85DD-3553C189380D} - (no file) O2 - BHO: (no name) - {26B7FF6F-A62E-43D1-9A82-769AC394B3D8} - C:\Program Files\Common Files\vaxuzaj89104.dll O2 - BHO: (no name) - {3055295A-CCDD-44B2-9F73-D8E8E626E5C1} - C:\WINDOWS\system32\iifefca.dll (file missing) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: (no name) - {B9C02ECE-F41A-4362-BB65-6B441807FF6A} - C:\WINDOWS\system32\pmnlk.dll (file missing) O2 - BHO: (no name) - {E1BFB528-4CEF-4198-A5A6-29B3058F8DF5} - C:\WINDOWS\system32\gebya.dll (file missing) O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1205853596\ee\AOLSoftware.exe O4 - HKLM\..\Run: [AVP] "C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe" O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe O4 - HKLM\..\Run: [Gainward] C:\Program Files\VDOTool\TBPanel.exe /A O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [AOL Dialer] C:\Program Files\Common Files\AOL\ACS\AOlDial.exe O4 - HKCU\..\Run: [PC_OPT] C:\Program Files\PC Optimizer\trayicon.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\scieplugin.dll O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing) O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing) O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/comput...up/qdiagcc.cab O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/...ploader4_5.cab O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll O20 - Winlogon Notify: iifefca - iifefca.dll (file missing) O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing) O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: The Shield Deluxe 2008 (AVP) - PCSecurityShield - C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe -- End of file - 10340 bytes -- File Associations ----------------------------------------------------------- All associations okay. -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------- R1 tunmpp - c:\windows\system32\drivers\tunmpp.sys R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver> R3 AR5211 (TP-LINK Wireless Network Adapter Service) - c:\windows\system32\drivers\ar5211.sys <Not Verified; Atheros Communications, Inc.; Atheros AR5001 Wireless Network Adapter> S2 GF0012 (GASIA Filter Driver) - c:\windows\system32\drivers\gf0012.sys -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled -------------------- R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service> R2 ForceWare Intelligent Application Manager (IAM) - c:\program files\nvidia corporation\networkaccessmanager\bin\nsvcappflt.exe <Not Verified; ; app_filter Module> S2 AOLService (AOL Spyware Protection Service) - c:\progra~1\common~1\aol\aolspy~1\\aolserv.exe (file missing) S3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution> -- Device Manager: Disabled ---------------------------------------------------- Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318} Description: Multimedia Audio Controller Device ID: PCI\VEN_1102&DEV_0007&SUBSYS_10131102&REV_00\4&1A82106&0&3078 Manufacturer: Name: Multimedia Audio Controller PNP Device ID: PCI\VEN_1102&DEV_0007&SUBSYS_10131102&REV_00\4&1A82106&0&3078 Service: Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318} Description: 1394 Net Adapter Device ID: V1394\NIC1394\12B8C7311D800 Manufacturer: Microsoft Name: 1394 Net Adapter PNP Device ID: V1394\NIC1394\12B8C7311D800 Service: NIC1394 Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318} Description: NVIDIA nForce Networking Controller Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0373\4&2C129357&0&00 Manufacturer: NVIDIA Name: NVIDIA nForce Networking Controller PNP Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0373\4&2C129357&0&00 Service: NVENETFD Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318} Description: NVIDIA nForce Networking Controller Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0373\4&D0990A6&0&00 Manufacturer: NVIDIA Name: NVIDIA nForce Networking Controller #2 PNP Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0373\4&D0990A6&0&00 Service: NVENETFD Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A} Description: Nokia N95 8GB Device ID: ROOT\WPD\0000 Manufacturer: Nokia Name: Nokia N95 8GB PNP Device ID: ROOT\WPD\0000 Service: WUDFRd -- Scheduled Tasks ------------------------------------------------------------- 2008-06-07 09:01:04 330 --ah---c- C:\WINDOWS\Tasks\MP Scheduled Scan.job 2008-06-02 23:12:00 284 --a----c- C:\WINDOWS\Tasks\AppleSoftwareUpdate.job -- Files created between 2008-05-07 and 2008-06-07 ----------------------------- 2008-06-07 10:35:15 0 d------c- C:\Program Files\Panda Security 2008-06-07 10:35:14 0 d------c- C:\WINDOWS\LastGood 2008-06-07 09:53:08 0 d------c- C:\Program Files\Trend Micro 2008-06-06 20:50:09 0 d------c- C:\Program Files\PC Optimizer 2008-06-06 20:41:59 0 d------c- C:\Documents and Settings\All Users.WINDOWS\Application Data\PCPitstop 2008-05-17 14:07:22 0 d------c- C:\Documents and Settings\All Users.WINDOWS\Application Data\Adobe 2008-05-17 14:07:15 0 d------c- C:\Program Files\Common Files\Adobe 2008-05-15 20:30:40 0 d------c- C:\WINDOWS\.jagex_cache_32 2008-05-14 21:45:11 43520 --a----c- C:\WINDOWS\system32\CmdLineExt03.dll 2008-05-14 21:26:46 0 d------c- C:\Program Files\THQ 2008-05-14 21:26:46 0 d------c- C:\Extras 2008-05-14 21:26:46 0 d------c- C:\Autorun -- Find3M Report --------------------------------------------------------------- 2008-06-07 10:03:30 0 d------c- C:\Documents and Settings\Jack\Application Data\LimeWire 2008-06-06 20:59:51 0 d------c- C:\Program Files\AOL 9.0 2008-05-17 14:26:06 0 d------c- C:\Documents and Settings\Jack\Application Data\Neopets Toolbar 2008-05-17 14:25:02 0 d------c- C:\Program Files\PartyGaming 2008-05-17 14:10:21 0 d------c- C:\Documents and Settings\Jack\Application Data\Adobe 2008-05-17 14:07:15 0 d------c- C:\Program Files\Common Files 2008-05-02 18:47:11 0 d--h---c- C:\Program Files\InstallShield Installation Information 2008-04-28 14:49:23 0 d------c- C:\Program Files\VDOTool 2008-04-28 14:39:04 0 d------c- C:\Program Files\Common Files\InstallShield 2008-04-28 13:27:02 664 --a----c- C:\WINDOWS\system32\d3d9caps.dat 2008-04-28 12:39:19 0 d------c- C:\Program Files\Common Files\AOL 2008-04-27 15:58:04 0 d------c- C:\Program Files\AOL Companion 2008-04-27 15:57:01 0 d------c- C:\Program Files\Learn2.com 2008-04-27 15:56:57 0 d------c- C:\Program Files\Common Files\aolshare 2008-04-22 10:59:14 0 d------c- C:\Program Files\Apple Software Update 2008-04-21 21:51:15 0 d------c- C:\Program Files\DivX 2008-04-17 13:21:04 4107159 --a----c- C:\Documents and Settings\Jack\Application Data\NMM-MetaData.db 2008-04-14 15:39:17 0 d------c- C:\Program Files\PCSecurityShield 2008-04-14 15:19:04 0 d--h---c- C:\Documents and Settings\Jack\Application Data\GTek 2008-04-14 13:48:55 0 d------c- C:\Program Files\Windows Media Connect 2 2008-04-08 18:13:27 0 d------c- C:\Documents and Settings\Jack\Application Data\Sun 2008-04-08 12:35:22 0 d------c- C:\Program Files\iTunes 2008-04-08 12:35:16 0 d------c- C:\Program Files\iPod 2008-04-08 12:34:40 0 d------c- C:\Program Files\QuickTime 2008-03-31 22:25:48 823296 --a----c- C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®> 2008-03-31 22:25:48 823296 --a----c- C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®> 2008-03-31 22:25:46 802816 --a----c- C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?> 2008-03-31 22:25:46 831488 --a----c- C:\WINDOWS\system32\divx_xx0a.dll 2008-03-31 22:25:46 682496 --a----c- C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®> 2008-03-23 22:42:01 6530 --ahs--c- C:\WINDOWS\system32\klnmp.ini2 2008-03-23 19:00:58 147456 --a----c- C:\WINDOWS\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ> 2008-03-23 18:57:31 0 --a----c- C:\WINDOWS\tk58.exe 2008-03-21 21:30:08 3596288 --a----c- C:\WINDOWS\system32\qt-dx331.dll 2008-03-21 21:28:54 196608 --a----c- C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100> 2008-03-21 21:28:54 81920 --a----c- C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100> 2008-03-21 21:28:20 12288 --a----c- C:\WINDOWS\system32\DivXWMPExtType.dll 2008-03-17 15:30:32 335 --a----c- C:\WINDOWS\nsreg.dat 2008-03-11 21:58:02 0 -rahs--c- C:\MSDOS.SYS 2008-03-11 21:58:02 0 -rahs--c- C:\IO.SYS 2008-03-11 21:58:02 0 --a----c- C:\CONFIG.SYS 2008-03-11 21:58:02 0 --a----c- C:\AUTOEXEC.BAT 2008-03-11 21:56:02 21640 --a----c- C:\WINDOWS\system32\emptyregdb.dat 2008-03-11 21:43:02 62 --ahs---- C:\Documents and Settings\Jack\Application Data\desktop.ini -- Registry Dump --------------------------------------------------------------- Note empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C2E5D27-A17C-4D89-85DD-3553C189380D}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26B7FF6F-A62E-43D1-9A82-769AC394B3D8}] 08/02/2008 02:07 0 --a--c--- C:\Program Files\Common Files\vaxuzaj89104.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3055295A-CCDD-44B2-9F73-D8E8E626E5C1}] C:\WINDOWS\system32\iifefca.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9C02ECE-F41A-4362-BB65-6B441807FF6A}] C:\WINDOWS\system32\pmnlk.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E1BFB528-4CEF-4198-A5A6-29B3058F8DF5}] C:\WINDOWS\system32\gebya.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [03/11/2006 20:20] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25] "SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [13/07/2006 09:12] "snpstd3"="C:\WINDOWS\vsnpstd3.exe" [19/09/2006 09:07] "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [17/03/2008 15:31] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [28/03/2008 23:37] "nwiz"="nwiz.exe" [12/04/2007 16:44 C:\WINDOWS\system32\nwiz.exe] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/04/2007 16:44] "NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [02/08/2007 15:30] "HostManager"="C:\Program Files\Common Files\AOL\1205853596\ee\AOLSoftware.exe" [26/09/2006 01:52] "AVP"="C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe" [23/08/2007 14:16] "AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [07/12/2007 16:30] "Gainward"="C:\Program Files\VDOTool\TBPanel.exe" [23/04/2007 19:19] "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [12/04/2007 16:44] "KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" [] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 22:16] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [28/02/2006 13:00] "AOL Dialer"="C:\Program Files\Common Files\AOL\ACS\AOlDial.exe" [07/12/2007 16:30] "PC_OPT"="C:\Program Files\PC Optimizer\trayicon.exe" [17/06/2003 23:39] C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\ AOL 9.0 Tray Icon.lnk - C:\Program Files\AOL 9.0\aoltray.exe [27/04/2008 15:50:35] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{3055295A-CCDD-44B2-9F73-D8E8E626E5C1}"= C:\WINDOWS\system32\iifefca.dll [ ] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifefca] iifefca.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] "Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmnlk.dll Newly Created Service - RKPAVPROC -- End of Deckard's System Scanner: finished at 2008-06-07 10:46:21 ------------ Deckard's System Scanner v20071014.68 Extra logfile - please post this as an attachment with your post. -------------------------------------------------------------------------------- -- System Information ---------------------------------------------------------- Microsoft Windows XP Home Edition (build 2600) SP 2.0 Architecture: X86; Language: English CPU 0: Intel(R) Core(TM)2 Quad CPU @ 2.40GHz CPU 1: Intel(R) Core(TM)2 Quad CPU @ 2.40GHz CPU 2: Intel(R) Core(TM)2 Quad CPU @ 2.40GHz CPU 3: Intel(R) Core(TM)2 Quad CPU @ 2.40GHz Percentage of Memory in Use: 24% Physical Memory (total/avail): 3070.48 MiB / 2325.13 MiB Pagefile Memory (total/avail): 4446.23 MiB / 3720.95 MiB Virtual Memory (total/avail): 2047.88 MiB / 1942.07 MiB A: is Removable (No Media) C: is Fixed (NTFS) - 232.88 GiB total, 214.4 GiB free. D: is CDROM (CDFS) \\.\PHYSICALDRIVE0 - WDC WD2500JS-55NCB1 - 232.88 GiB - 1 partition \PARTITION0 (bootable) - Installable File System - 232.88 GiB - C: \\.\PHYSICALDRIVE1 - WDC WD800JD-75MSA3 - 74.5 GiB - 0 partitions -- Security Center ------------------------------------------------------------- AUOptions is scheduled to auto-install. Windows Internal Firewall is enabled. FirstRunDisabled is set. AV: The Shield Deluxe 2008 v6.0.2.621 () Disabled [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\AOL 9.0\\waol.exe"="C:\\Program Files\\AOL 9.0\\waol.exe::Enabled:AOL" [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe::Disabled:@xpsp2res.dll,-22019" "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe::Enabled:iTunes" "C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe::Enabled:LimeWire" "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe::Enabled:Windows Live Messenger" "C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe::Enabled:Delivery Manager Service" "C:\\Program Files\\AOL 9.0\\waol.exe"="C:\\Program Files\\AOL 9.0\\waol.exe::Enabled:AOL" "C:\\Program Files\\THQ\\Dawn Of War\\W40k.exe"="C:\\Program Files\\THQ\\Dawn Of War\\W40k.exe::Enabled:W40k" -- Environment Variables ------------------------------------------------------- ALLUSERSPROFILE=C:\Documents and Settings\All Users.WINDOWS APPDATA=C:\Documents and Settings\Jack\Application Data CLASSPATH=.;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip CLIENTNAME=Console CommonProgramFiles=C:\Program Files\Common Files COMPUTERNAME=JACK-DBB9342E56 ComSpec=C:\WINDOWS\system32\cmd.exe FP_NO_HOST_CHECK=NO HOMEDRIVE=C: HOMEPATH=\Documents and Settings\Jack LOGONSERVER=\\JACK-DBB9342E56 NUMBER_OF_PROCESSORS=4 OS=Windows_NT Path=C:\Program Files\PC Connectivity Solution\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\ PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH PROCESSOR_ARCHITECTURE=x86 PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 7, GenuineIntel PROCESSOR_LEVEL=6 PROCESSOR_REVISION=0f07 ProgramFiles=C:\Program Files PROMPT=$P$G QTJAVA=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip SESSIONNAME=Console SystemDrive=C: SystemRoot=C:\WINDOWS TEMP=C:\DOCUME~1\Jack\LOCALS~1\Temp TMP=C:\DOCUME~1\Jack\LOCALS~1\Temp USERDOMAIN=JACK-DBB9342E56 USERNAME=Jack USERPROFILE=C:\Documents and Settings\Jack windir=C:\WINDOWS -- User Profiles --------------------------------------------------------------- Jack (admin)* -- Add/Remove Programs --------------------------------------------------------- --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003} Adobe Shockwave Player --> C:\WINDOWS\system32\Adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log AOL Coach Version 1.0(Build:20040229.1 uk) --> "C:\Program Files\Common Files\aolshare\Coach\AolCInUn.exe" -lang="en-uk" AOL UK (Choose which version to remove) --> C:\Program Files\Common Files\aolshare\Aolunins_uk.exe AOL Uninstaller --> C:\Program Files\Common Files\AOL\uninstaller.exe AOL You've Got Pictures Screensaver --> C:\Program Files\Common Files\AOL\Screensaver\uninst_ygpss.exe Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543} Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F} BBC iPlayer Download Manager --> MsiExec.exe /I {D466F3D9-510C-4729-B7D4-2E70490E4CDF} Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE} Dawn Of War --> MsiExec.exe /X{83F12F73-D52E-40C0-93B1-463C311C4E17} DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN Guitar Pro 5.2 --> "C:\Program Files\Guitar Pro 5\unins000.exe" High Definition Audio Driver Package - KB888111 --> C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe" iPod for Windows 2005-09-23 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{D4936AAF-FFD0-44A1-A7EA-A2DB41CEB5BC} /l1033 iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B} Java(TM) 6 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160040} Java(TM) 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050} Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe LimeWire PRO 4.16.6 --> "C:\Program Files\LimeWire\uninstall.exe" Logic3 PC USB Game Pad --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E61DC783-7C30-4D38-BFB6-DBC9917AD88E}\setup.exe" -l0x9 -removeonly Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe" Microsoft User-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWudf01005$\spuninst\spuninst.exe" Microsoft Works 7.0 --> MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84} Nokia Connectivity Cable Driver --> MsiExec.exe /X{972B1D9B-0EAD-49E8-B7D6-3B83FD5665B1} Nokia Lifeblog 2.5 --> MsiExec.exe /I{E94603CA-2996-4154-8EE2-A5FCD4BFB500} Nokia NSeries Application Installer --> MsiExec.exe /I{FD349381-D79C-4E5C-8980-015DFFB962D5} Nokia NSeries Content Copier --> MsiExec.exe /X{F779EC8D-6703-4C4A-817C-37B07898E647} Nokia NSeries Multimedia Player --> MsiExec.exe /I{FA25FAF6-3097-43C9-BBB2-A77CE8AF1881} Nokia NSeries Music Manager --> MsiExec.exe /I{F89E5AD8-AE47-49B5-B9F9-C498791E6255} Nokia NSeries One Touch Access --> MsiExec.exe /I{F4EE8763-EAA8-4BC1-8594-8501F5F00414} Nokia NSeries System Utilities --> MsiExec.exe /X{F1932E56-8A95-40E0-A15B-E06B45969845} Nokia Nseries Video Manager --> MsiExec.exe /X{2D21ECE3-8EC1-4315-AE4E-1970FB3AF17A} Nokia Software Launcher --> MsiExec.exe /I{B53F4598-B3D9-41DF-911E-523FA91EE464} Nokia Software Updater --> MsiExec.exe /X{20BCD471-7897-481D-ACF2-CB9BABF6A6CF} NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI NVIDIA ForceWare Network Access Manager --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{1F6423DE-7959-4178-80E0-023C7EAA5347} /l1033 NVIDIA WDM Drivers --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B023185F-F1EF-4F97-B0BD-AE6D802226D1}\setup.exe" Panda ActiveScan 2.0 --> C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe PC Connectivity Solution --> MsiExec.exe /I{6094AB91-4CC8-498E-9DFF-134CC0B159DE} PC Optimizer (Shareware Version) --> "C:\Program Files\PC Optimizer\unins000.exe" QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD} RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks\|RealPlayer\|6.0 SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe" -l0x9 -removeonly The Shield Deluxe 2008 --> MsiExec.exe /I{75193929-9A52-4CA4-98DE-8C7296940920} The Shield Deluxe 2008 --> MsiExec.exe /I{75193929-9A52-4CA4-98DE-8C7296940920} VDOTool 5.1 --> "C:\Program Files\VDOTool\unins000.exe" Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401} Windows Driver Package - Nokia (WUDFRd) WPD (03/19/2007 6.83.31.1) --> C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\pccswpddri_039E7E24575DBAE6A389611AF28F4EB97729D33E\pccswpddriver.inf Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320} Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0} Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986} Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe" WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe -- Application Event Log ------------------------------------------------------- Event Record #/Type2055 / Success Event Submitted/Written: 06/06/2008 09:58:35 PM Event ID/Source: 12001 / usnjsvc Event Description: The Messenger Sharing USN Journal Reader service started successfully. Event Record #/Type2054 / Error Event Submitted/Written: 06/06/2008 09:45:13 PM Event ID/Source: 1002 / Application Hang Event Description: Hanging application wmplayer.exe, version 11.0.5721.5145, hang module hungapp, version 0.0.0.0, hang address 0x00000000. Event Record #/Type2053 / Error Event Submitted/Written: 06/06/2008 09:44:56 PM Event ID/Source: 1000 / Application Error Event Description: Faulting application wmplayer.exe, version 11.0.5721.5145, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00018fea. Processing media-specific event for [wmplayer.exe!ws!] Event Record #/Type2044 / Success Event Submitted/Written: 06/05/2008 03:46:37 PM Event ID/Source: 12001 / usnjsvc Event Description: The Messenger Sharing USN Journal Reader service started successfully. Event Record #/Type2041 / Error Event Submitted/Written: 06/04/2008 10:50:22 PM Event ID/Source: 1000 / Application Error Event Description: Faulting application wmplayer.exe, version 11.0.5721.5145, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00018fea. Processing media-specific event for [wmplayer.exe!ws!] -- Security Event Log ---------------------------------------------------------- No Errors/Warnings found. -- System Event Log ------------------------------------------------------------ Event Record #/Type17262 / Warning Event Submitted/Written: 06/07/2008 10:45:28 AM Event ID/Source: 3004 / WinDefend Event Description: %JACK-DBB9342E5627 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %JACK-DBB9342E5627 can't undo changes that you allow. For more information please see the following: %JACK-DBB9342E56275 Scan ID: {E953FFF2-22CD-4612-95AE-56F8516F193D} User: JACK-DBB9342E56\Jack Name: %JACK-DBB9342E56271 ID: %JACK-DBB9342E56272 Severity: 1.1.1593.05 Category: 1.1.1593.06 Path Found: %JACK-DBB9342E56276 Alert Type: %JACK-DBB9342E56278 Detection Type: 1.1.1593.02 Event Record #/Type17261 / Warning Event Submitted/Written: 06/07/2008 10:45:28 AM Event ID/Source: 3004 / WinDefend Event Description: %JACK-DBB9342E5627 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %JACK-DBB9342E5627 can't undo changes that you allow. For more information please see the following: %JACK-DBB9342E56275 Scan ID: {E0E9EABB-CB4B-41CA-AF2A-B7ACD61F1289} User: JACK-DBB9342E56\Jack Name: %JACK-DBB9342E56271 ID: %JACK-DBB9342E56272 Severity: 1.1.1593.05 Category: 1.1.1593.06 Path Found: %JACK-DBB9342E56276 Alert Type: %JACK-DBB9342E56278 Detection Type: 1.1.1593.02 Event Record #/Type17260 / Warning Event Submitted/Written: 06/07/2008 10:45:28 AM Event ID/Source: 3004 / WinDefend Event Description: %JACK-DBB9342E5627 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %JACK-DBB9342E5627 can't undo changes that you allow. For more information please see the following: %JACK-DBB9342E56275 Scan ID: {4CB66B16-BAD8-405E-961D-27AF25F9E6E5} User: JACK-DBB9342E56\Jack Name: %JACK-DBB9342E56271 ID: %JACK-DBB9342E56272 Severity: 1.1.1593.05 Category: 1.1.1593.06 Path Found: %JACK-DBB9342E56276 Alert Type: %JACK-DBB9342E56278 Detection Type: 1.1.1593.02 Event Record #/Type17259 / Warning Event Submitted/Written: 06/07/2008 10:45:26 AM Event ID/Source: 3004 / WinDefend Event Description: %JACK-DBB9342E5627 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %JACK-DBB9342E5627 can't undo changes that you allow. For more information please see the following: %JACK-DBB9342E56275 Scan ID: {9326F0BC-037B-46B2-9E29-0EB44CDA2B20} User: JACK-DBB9342E56\Jack Name: %JACK-DBB9342E56271 ID: %JACK-DBB9342E56272 Severity: 1.1.1593.05 Category: 1.1.1593.06 Path Found: %JACK-DBB9342E56276 Alert Type: %JACK-DBB9342E56278 Detection Type: 1.1.1593.02 Event Record #/Type17258 / Warning Event Submitted/Written: 06/07/2008 10:45:26 AM Event ID/Source: 3004 / WinDefend Event Description: %JACK-DBB9342E5627 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %JACK-DBB9342E5627 can't undo changes that you allow. For more information please see the following: %JACK-DBB9342E56275 Scan ID: {986772FB-D43F-44AC-96A8-D99181C7CF8E} User: JACK-DBB9342E56\Jack Name: %JACK-DBB9342E56271 ID: %JACK-DBB9342E56272 Severity: 1.1.1593.05 Category: 1.1.1593.06 Path Found: %JACK-DBB9342E56276 Alert Type: %JACK-DBB9342E56278 Detection Type: 1.1.1593.02 -- End of Deckard's System Scanner: finished at 2008-06-07 10:46:21 ------------ Last edited by amateur; 06-07-2008 at 04:57 AM. Reason: posts merged to retain 0-reply status

06-09-2008, 06:01 AM	#2 (permalink)
Fallenxiii Registered User Join Date: Jun 2008 Posts: 7 OS: XP	Re: Constant IE pop ups and an unremovable virus -Bump-

06-09-2008, 06:43 PM	#3 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,444 OS: 2000 Pro; XP Pro; XP Home	Re: Constant IE pop ups and an unremovable virus Hi - The Shield Deluxe seems to have rogue affiliations. I would completely uninstall it, and let us provide you with a better, FREE antivirus. Please visit this webpage for instructions for downloading and running ComboFix: http://www.bleepingcomputer.com/comb...o-use-combofix Please ensure you read this guide carefully and install the Recovery Console first. The Windows Recovery Console will allow you to boot up into a special recovery mode if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time. As part of installing the Recovery Console, ComboFix will begin to run. Follow the prompts to install the Recovery Console. Your desktop may disappear. This is normal. It will return. Once the Recovery Console is installed using ComboFix, you should see a message that says: The Recovery Console was successfully installed. Please continue as follows: Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Click Yes to allow ComboFix to continue scanning for malware. When the tool is finished, it will produce a report for you. Post the log from ComboFix when you've accomplished that, along with a new HijackThis log. If you have any questions along the way, STOP and ask them before proceeding. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009 Last edited by tetonbob; 06-09-2008 at 06:48 PM.

06-11-2008, 07:28 AM	#4 (permalink)
Fallenxiii Registered User Join Date: Jun 2008 Posts: 7 OS: XP	Re: Constant IE pop ups and an unremovable virus Ok i've run ComboFix - here's the log. ComboFix 08-06-10.3 - Jack 2008-06-11 14:08:15.3 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2430 [GMT 1:00] Running from: C:\Documents and Settings\Jack\Desktop\ComboFix.exe * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete . ((((((((((((((((((((((((( Files Created from 2008-05-11 to 2008-06-11 ))))))))))))))))))))))))))))))) . 2008-06-07 20:39 . 2008-06-07 20:41 <DIR> d----c--- C:\Documents and Settings\All Users.WINDOWS\Application Data\AOL Downloads 2008-06-07 20:30 . 2008-06-07 20:30 <DIR> d----c--- C:\Program Files\Viewpoint 2008-06-07 20:30 . 2008-06-07 20:30 <DIR> d----c--- C:\Documents and Settings\All Users.WINDOWS\Application Data\Viewpoint 2008-06-07 13:11 . 2008-06-07 13:11 110 --a--c--- C:\WINDOWS\GMouse.ini 2008-06-07 11:41 . 2008-06-07 11:41 53 --a--c--- C:\WINDOWS\system32\drivers\SecdelList.bin 2008-06-07 10:44 . 2008-06-07 10:44 <DIR> d----c--- C:\Deckard 2008-06-07 10:35 . 2008-06-07 10:35 <DIR> d----c--- C:\Program Files\Panda Security 2008-06-07 09:53 . 2008-06-07 09:53 <DIR> d----c--- C:\Program Files\Trend Micro 2008-06-06 20:50 . 2008-06-07 11:12 <DIR> d----c--- C:\Program Files\PC Optimizer 2008-06-06 20:41 . 2008-06-06 20:41 <DIR> d----c--- C:\Documents and Settings\All Users.WINDOWS\Application Data\PCPitstop 2008-05-17 14:07 . 2008-05-17 14:07 <DIR> d----c--- C:\Program Files\Common Files\Adobe 2008-05-15 20:30 . 2008-05-21 00:30 <DIR> d----c--- C:\WINDOWS\.jagex_cache_32 2008-05-14 21:45 . 2008-05-14 22:02 43,520 --a--c--- C:\WINDOWS\system32\CmdLineExt03.dll 2008-05-14 21:26 . 2008-05-14 21:26 <DIR> d----c--- C:\Program Files\THQ . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-06-11 13:16 16,601,120 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat 2008-06-11 13:13 644,384 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat 2008-06-11 13:12 167,976 -c----w C:\WINDOWS\system32\drivers\core.cache.dsk 2008-06-11 13:10 61,412 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx 2008-06-11 13:10 223,340 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx 2008-06-11 12:58 --------- dc----w C:\Documents and Settings\All Users.WINDOWS\Application Data\PCSecurityShield 2008-06-08 17:05 --------- dc----w C:\Documents and Settings\Jack\Application Data\LimeWire 2008-06-07 10:14 --------- dc----w C:\Program Files\Windows Media Connect 2 2008-06-06 19:59 --------- dc----w C:\Program Files\AOL 9.0 2008-05-30 14:29 88,774 -c--a-w C:\WINDOWS\system32\drivers\klick.dat 2008-05-28 17:17 96,966 -c--a-w C:\WINDOWS\system32\drivers\klin.dat 2008-05-17 13:26 --------- dc----w C:\Documents and Settings\Jack\Application Data\Neopets Toolbar 2008-05-02 17:47 --------- dc-h--w C:\Program Files\InstallShield Installation Information 2008-04-28 13:49 --------- dc----w C:\Program Files\VDOTool 2008-04-28 13:39 --------- dc----w C:\Program Files\Common Files\InstallShield 2008-04-28 11:39 --------- dc----w C:\Program Files\Common Files\AOL 2008-04-27 14:58 --------- dc----w C:\Program Files\AOL Companion 2008-04-27 14:56 --------- dc----w C:\Program Files\Common Files\aolshare 2008-04-27 14:56 --------- dc----w C:\Documents and Settings\All Users.WINDOWS\Application Data\AOL 2008-04-22 09:59 --------- dc----w C:\Program Files\Apple Software Update 2008-04-21 20:51 --------- dc----w C:\Program Files\DivX 2008-04-17 12:12 --------- dc----w C:\Documents and Settings\All Users.WINDOWS\Application Data\PC Suite 2008-04-15 12:30 --------- dc----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Kontiki 2008-04-14 14:39 --------- dc----w C:\Program Files\PCSecurityShield 2008-03-31 21:25 831,488 -c--a-w C:\WINDOWS\system32\divx_xx0a.dll 2008-03-31 21:25 823,296 -c--a-w C:\WINDOWS\system32\divx_xx0c.dll 2008-03-31 21:25 823,296 -c--a-w C:\WINDOWS\system32\divx_xx07.dll 2008-03-31 21:25 802,816 -c--a-w C:\WINDOWS\system32\divx_xx11.dll 2008-03-31 21:25 682,496 -c--a-w C:\WINDOWS\system32\DivX.dll 2008-03-31 21:25 161,096 -c--a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe 2008-03-27 08:12 151,583 -c--a-w C:\WINDOWS\system32\msjint40.dll 2008-03-23 18:00 147,456 -c--a-w C:\WINDOWS\system32\vbzip10.dll 2008-03-21 20:30 524,288 -c--a-w C:\WINDOWS\system32\DivXsm.exe 2008-03-21 20:30 3,596,288 -c--a-w C:\WINDOWS\system32\qt-dx331.dll 2008-03-21 20:30 200,704 -c--a-w C:\WINDOWS\system32\ssldivx.dll 2008-03-21 20:30 129,784 -c----w C:\WINDOWS\system32\pxafs.dll 2008-03-21 20:30 1,044,480 -c--a-w C:\WINDOWS\system32\libdivx.dll 2008-03-21 20:28 81,920 -c--a-w C:\WINDOWS\system32\dpl100.dll 2008-03-21 20:28 593,920 -c--a-w C:\WINDOWS\system32\dpuGUI11.dll 2008-03-21 20:28 57,344 -c--a-w C:\WINDOWS\system32\dpv11.dll 2008-03-21 20:28 53,248 -c--a-w C:\WINDOWS\system32\dpuGUI10.dll 2008-03-21 20:28 344,064 -c--a-w C:\WINDOWS\system32\dpus11.dll 2008-03-21 20:28 294,912 -c--a-w C:\WINDOWS\system32\dpu11.dll 2008-03-21 20:28 294,912 -c--a-w C:\WINDOWS\system32\dpu10.dll 2008-03-21 20:28 196,608 -c--a-w C:\WINDOWS\system32\dtu100.dll 2008-03-21 20:28 12,288 -c--a-w C:\WINDOWS\system32\DivXWMPExtType.dll 2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys 2008-02-08 01:07 0 -c--a-w C:\Program Files\Common Files\vaxuzaj89104.dll 2005-07-29 16:24 0 -csha-r C:\WINDOWS\SmFjayBIdXRjaGluc29u\mAI3uV1Kxrl3u35RwZ6R.vbs . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26B7FF6F-A62E-43D1-9A82-769AC394B3D8}] 2008-02-08 02:07 0 --a--c--- C:\Program Files\Common Files\vaxuzaj89104.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9C02ECE-F41A-4362-BB65-6B441807FF6A}] C:\WINDOWS\system32\pmnlk.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E1BFB528-4CEF-4198-A5A6-29B3058F8DF5}] C:\WINDOWS\system32\gebya.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 13:00 15360] "AOL Dialer"="C:\Program Files\Common Files\AOL\ACS\AOlDial.exe" [2007-12-07 16:30 71008] "PC_OPT"="C:\Program Files\PC Optimizer\trayicon.exe" [2003-06-17 23:39 71168] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784] "snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2006-09-19 09:07 827392] "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2008-03-17 15:31 26112] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696] "nwiz"="nwiz.exe" [2007-04-12 16:44 1626112 C:\WINDOWS\system32\nwiz.exe] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-12 16:44 8429568] "NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2007-08-02 15:30 3096576] "HostManager"="C:\Program Files\Common Files\AOL\1205853596\ee\AOLSoftware.exe" [2006-09-26 01:52 50736] "AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2007-12-07 16:30 71008] "Gainward"="C:\Program Files\VDOTool\TBPanel.exe" [2007-04-23 19:19 2165536] "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-12 16:44 81920] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792] "AVP"="C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe" [2007-08-23 14:16 200768] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 13:00 15360] C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\ AOL 9.0 Tray Icon.lnk - C:\Program Files\AOL 9.0\aoltray.exe [2008-04-27 15:50:35 156784] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifefca] iifefca.dll [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "C:\\WINDOWS\\system32\\sessmgr.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"= "C:\\Program Files\\LimeWire\\LimeWire.exe"= "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "C:\\Program Files\\AOL 9.0\\waol.exe"= "C:\\Program Files\\THQ\\Dawn Of War\\W40k.exe"= "C:\\Program Files\\PCSecurityShield\\The Shield Deluxe 2008\\avp.exe"= R1 tunmpp;tunmpp;C:\WINDOWS\system32\drivers\tunmpp.sys [2008-03-23 18:57] S2 GF0012;GASIA Filter Driver;C:\WINDOWS\system32\DRIVERS\GF0012.sys [2006-05-19 14:15] . Contents of the 'Scheduled Tasks' folder "2008-06-02 22:12:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe "2008-06-11 13:15:59 C:\WINDOWS\Tasks\MP Scheduled Scan.job" - C:\Program Files\Windows Defender\MpCmdRun.exe . ************************************************************************ catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-06-11 14:13:16 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** . ------------------------ Other Running Processes ------------------------ . C:\Program Files\Windows Defender\MsMpEng.exe C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\wanmpsvc.exe C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Common Files\AOL\Loader\aolload.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Common Files\AOL\1205853596\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe C:\Program Files\Common Files\AOL\1205853596\ee\anotify.exe . ************************************************************************ . Completion time: 2008-06-11 14:22:28 - machine was rebooted ComboFix-quarantined-files.txt 2008-06-11 13:22:23 Pre-Run: 230,128,492,544 bytes free Post-Run: 230,153,945,088 bytes free 165 --- E O F --- 2008-05-30 14:30:16 And here's the Hijack this log - Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 14:27:36, on 11/06/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\wanmpsvc.exe C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe C:\WINDOWS\vsnpstd3.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\Program Files\Common Files\AOL\1205853596\ee\AOLSoftware.exe C:\Program Files\VDOTool\TBPanel.exe C:\Program Files\Common Files\AOL\Loader\aolload.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\WINDOWS\system32\ctfmon.exe C:\Program Files\PC Optimizer\trayicon.exe C:\Program Files\AOL 9.0\aoltray.exe c:\program files\common files\aol\1205853596\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe c:\program files\common files\aol\1205853596\ee\aolsoftware.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.co.uk/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {26B7FF6F-A62E-43D1-9A82-769AC394B3D8} - C:\Program Files\Common Files\vaxuzaj89104.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: (no name) - {B9C02ECE-F41A-4362-BB65-6B441807FF6A} - C:\WINDOWS\system32\pmnlk.dll (file missing) O2 - BHO: (no name) - {E1BFB528-4CEF-4198-A5A6-29B3058F8DF5} - C:\WINDOWS\system32\gebya.dll (file missing) O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1205853596\ee\AOLSoftware.exe O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe O4 - HKLM\..\Run: [Gainward] C:\Program Files\VDOTool\TBPanel.exe /A O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [AOL Dialer] C:\Program Files\Common Files\AOL\ACS\AOlDial.exe O4 - HKCU\..\Run: [PC_OPT] C:\Program Files\PC Optimizer\trayicon.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\scieplugin.dll O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing) O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing) O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aolsvc.aol.co.uk/comput...up/qdiagcc.cab O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/...ploader4_5.cab O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll O20 - Winlogon Notify: iifefca - iifefca.dll (file missing) O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing) O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: The Shield Deluxe 2008 (AVP) - PCSecurityShield - C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe -- End of file - 8595 bytes I am still getting pop ups, not sure if ComboFix was meant to fix that....?

06-17-2008, 09:35 AM	#6 (permalink)
Fallenxiii Registered User Join Date: Jun 2008 Posts: 7 OS: XP	Re: Constant IE pop ups and an unremovable virus Combofix log ComboFix 08-06-10.3 - Jack 2008-06-17 16:30:02.7 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2568 [GMT 1:00] Running from: C:\Documents and Settings\Jack\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Jack\Desktop\CFScript.txt * Created a new restore point FILE :: C:\WINDOWS\system32\drivers\core.cache.dsk . ((((((((((((((((((((((((( Files Created from 2008-05-17 to 2008-06-17 ))))))))))))))))))))))))))))))) . 2008-06-16 13:38 . 2008-04-14 12:01 272,128 -----c--- C:\WINDOWS\system32\drivers\bthport.sys 2008-06-16 13:38 . 2008-04-14 12:01 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys 2008-06-07 20:39 . 2008-06-07 20:41 <DIR> d----c--- C:\Documents and Settings\All Users.WINDOWS\Application Data\AOL Downloads 2008-06-07 20:30 . 2008-06-07 20:30 <DIR> d----c--- C:\Program Files\Viewpoint 2008-06-07 20:30 . 2008-06-07 20:30 <DIR> d----c--- C:\Documents and Settings\All Users.WINDOWS\Application Data\Viewpoint 2008-06-07 13:11 . 2008-06-07 13:11 110 --a--c--- C:\WINDOWS\GMouse.ini 2008-06-07 11:41 . 2008-06-07 11:41 53 --a--c--- C:\WINDOWS\system32\drivers\SecdelList.bin 2008-06-07 10:44 . 2008-06-07 10:44 <DIR> d----c--- C:\Deckard 2008-06-07 10:35 . 2008-06-07 10:35 <DIR> d----c--- C:\Program Files\Panda Security 2008-06-07 09:53 . 2008-06-07 09:53 <DIR> d----c--- C:\Program Files\Trend Micro 2008-06-06 20:50 . 2008-06-07 11:12 <DIR> d----c--- C:\Program Files\PC Optimizer 2008-06-06 20:41 . 2008-06-06 20:41 <DIR> d----c--- C:\Documents and Settings\All Users.WINDOWS\Application Data\PCPitstop 2008-05-17 14:07 . 2008-05-17 14:07 <DIR> d----c--- C:\Program Files\Common Files\Adobe . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-06-17 15:31 665,632 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat 2008-06-17 15:31 16,855,584 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat 2008-06-17 15:24 --------- dc----w C:\Documents and Settings\All Users.WINDOWS\Application Data\PCSecurityShield 2008-06-17 15:20 63,308 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx 2008-06-17 15:20 226,508 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx 2008-06-08 17:05 --------- dc----w C:\Documents and Settings\Jack\Application Data\LimeWire 2008-06-07 10:14 --------- dc----w C:\Program Files\Windows Media Connect 2 2008-06-06 19:59 --------- dc----w C:\Program Files\AOL 9.0 2008-05-30 14:29 88,774 -c--a-w C:\WINDOWS\system32\drivers\klick.dat 2008-05-28 17:17 96,966 -c--a-w C:\WINDOWS\system32\drivers\klin.dat 2008-05-17 13:26 --------- dc----w C:\Documents and Settings\Jack\Application Data\Neopets Toolbar 2008-05-14 21:02 43,520 -c--a-w C:\WINDOWS\system32\CmdLineExt03.dll 2008-05-14 20:26 --------- dc----w C:\Program Files\THQ 2008-05-08 12:28 202,752 -c--a-w C:\WINDOWS\system32\drivers\rmcast.sys 2008-05-07 05:18 1,287,680 -c--a-w C:\WINDOWS\system32\quartz.dll 2008-05-02 17:47 --------- dc-h--w C:\Program Files\InstallShield Installation Information 2008-04-28 13:49 --------- dc----w C:\Program Files\VDOTool 2008-04-28 13:39 --------- dc----w C:\Program Files\Common Files\InstallShield 2008-04-28 11:39 --------- dc----w C:\Program Files\Common Files\AOL 2008-04-27 14:58 --------- dc----w C:\Program Files\AOL Companion 2008-04-27 14:56 --------- dc----w C:\Program Files\Common Files\aolshare 2008-04-27 14:56 --------- dc----w C:\Documents and Settings\All Users.WINDOWS\Application Data\AOL 2008-04-23 04:16 826,368 -c--a-w C:\WINDOWS\system32\wininet.dll 2008-04-22 09:59 --------- dc----w C:\Program Files\Apple Software Update 2008-04-21 20:51 --------- dc----w C:\Program Files\DivX 2008-04-17 12:12 --------- dc----w C:\Documents and Settings\All Users.WINDOWS\Application Data\PC Suite 2008-03-31 21:25 831,488 -c--a-w C:\WINDOWS\system32\divx_xx0a.dll 2008-03-31 21:25 823,296 -c--a-w C:\WINDOWS\system32\divx_xx0c.dll 2008-03-31 21:25 823,296 -c--a-w C:\WINDOWS\system32\divx_xx07.dll 2008-03-31 21:25 802,816 -c--a-w C:\WINDOWS\system32\divx_xx11.dll 2008-03-31 21:25 682,496 -c--a-w C:\WINDOWS\system32\DivX.dll 2008-03-31 21:25 161,096 -c--a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe 2008-03-27 08:12 151,583 -c--a-w C:\WINDOWS\system32\msjint40.dll 2008-03-23 18:00 147,456 -c--a-w C:\WINDOWS\system32\vbzip10.dll 2008-03-21 20:30 524,288 -c--a-w C:\WINDOWS\system32\DivXsm.exe 2008-03-21 20:30 3,596,288 -c--a-w C:\WINDOWS\system32\qt-dx331.dll 2008-03-21 20:30 200,704 -c--a-w C:\WINDOWS\system32\ssldivx.dll 2008-03-21 20:30 129,784 -c----w C:\WINDOWS\system32\pxafs.dll 2008-03-21 20:30 1,044,480 -c--a-w C:\WINDOWS\system32\libdivx.dll 2008-03-21 20:28 81,920 -c--a-w C:\WINDOWS\system32\dpl100.dll 2008-03-21 20:28 593,920 -c--a-w C:\WINDOWS\system32\dpuGUI11.dll 2008-03-21 20:28 57,344 -c--a-w C:\WINDOWS\system32\dpv11.dll 2008-03-21 20:28 53,248 -c--a-w C:\WINDOWS\system32\dpuGUI10.dll 2008-03-21 20:28 344,064 -c--a-w C:\WINDOWS\system32\dpus11.dll 2008-03-21 20:28 294,912 -c--a-w C:\WINDOWS\system32\dpu11.dll 2008-03-21 20:28 294,912 -c--a-w C:\WINDOWS\system32\dpu10.dll 2008-03-21 20:28 196,608 -c--a-w C:\WINDOWS\system32\dtu100.dll 2008-03-21 20:28 12,288 -c--a-w C:\WINDOWS\system32\DivXWMPExtType.dll 2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys . ((((((((((((((((((((((((((((( snapshot_2008-06-16_15.06.36.15 ))))))))))))))))))))))))))))))))))))))))) . - 2008-06-16 13:56:43 2,048 --s-a-w C:\WINDOWS\bootstat.dat + 2008-06-17 15:24:11 2,048 --s-a-w C:\WINDOWS\bootstat.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 13:00 15360] "AOL Dialer"="C:\Program Files\Common Files\AOL\ACS\AOlDial.exe" [2007-12-07 16:30 71008] "PC_OPT"="C:\Program Files\PC Optimizer\trayicon.exe" [2003-06-17 23:39 71168] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784] "snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2006-09-19 09:07 827392] "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2008-03-17 15:31 26112] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696] "nwiz"="nwiz.exe" [2007-04-12 16:44 1626112 C:\WINDOWS\system32\nwiz.exe] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-12 16:44 8429568] "NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2007-08-02 15:30 3096576] "HostManager"="C:\Program Files\Common Files\AOL\1205853596\ee\AOLSoftware.exe" [2006-09-26 01:52 50736] "AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2007-12-07 16:30 71008] "Gainward"="C:\Program Files\VDOTool\TBPanel.exe" [2007-04-23 19:19 2165536] "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-12 16:44 81920] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 13:00 15360] C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\ AOL 9.0 Tray Icon.lnk - C:\Program Files\AOL 9.0\aoltray.exe [2008-04-27 15:50:35 156784] [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "C:\\WINDOWS\\system32\\sessmgr.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"= "C:\\Program Files\\LimeWire\\LimeWire.exe"= "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "C:\\Program Files\\AOL 9.0\\waol.exe"= "C:\\Program Files\\THQ\\Dawn Of War\\W40k.exe"= "C:\\Program Files\\PCSecurityShield\\The Shield Deluxe 2008\\avp.exe"= S2 GF0012;GASIA Filter Driver;C:\WINDOWS\system32\DRIVERS\GF0012.sys [2006-05-19 14:15] . Contents of the 'Scheduled Tasks' folder "2008-06-02 22:12:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe "2008-06-17 15:27:16 C:\WINDOWS\Tasks\MP Scheduled Scan.job" - C:\Program Files\Windows Defender\MpCmdRun.exe . ************************************************************************ catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-06-17 16:31:23 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . Completion time: 2008-06-17 16:32:37 ComboFix-quarantined-files.txt 2008-06-17 15:32:35 ComboFix2.txt 2008-06-16 16:01:47 ComboFix3.txt 2008-06-16 14:07:27 ComboFix4.txt 2008-06-16 13:01:33 ComboFix5.txt 2008-06-11 13:22:29 Pre-Run: 229,927,591,936 bytes free Post-Run: 229,914,324,992 bytes free 144 --- E O F --- 2008-06-16 13:02:41 and the Hijack this log Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 16:34:19, on 17/06/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\wanmpsvc.exe C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\Program Files\Common Files\AOL\1205853596\ee\AOLSoftware.exe C:\Program Files\VDOTool\TBPanel.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe C:\Program Files\Common Files\AOL\Loader\aolload.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\AOL 9.0\aoltray.exe c:\program files\common files\aol\1205853596\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe c:\program files\common files\aol\1205853596\ee\aolsoftware.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\explorer.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.co.uk/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1205853596\ee\AOLSoftware.exe O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe O4 - HKLM\..\Run: [Gainward] C:\Program Files\VDOTool\TBPanel.exe /A O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [AOL Dialer] C:\Program Files\Common Files\AOL\ACS\AOlDial.exe O4 - HKCU\..\Run: [PC_OPT] C:\Program Files\PC Optimizer\trayicon.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\scieplugin.dll O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing) O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing) O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aolsvc.aol.co.uk/comput...up/qdiagcc.cab O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/...ploader4_5.cab O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing) O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: The Shield Deluxe 2008 (AVP) - PCSecurityShield - C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe -- End of file - 8169 bytes Well the problem seems to have been solved Thanks for the help

06-17-2008, 09:43 AM	#7 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,444 OS: 2000 Pro; XP Pro; XP Home	Re: Constant IE pop ups and an unremovable virus We will still have some steps to take care of, to ensure the infection is truly vanquished, and help ensure no remnants are present. Did you have some trouble with ComboFix? I see it's been run several times. Please post this log: C:\Qoobox\ComboFix5.txt __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

06-17-2008, 10:46 AM	#8 (permalink)
Fallenxiii Registered User Join Date: Jun 2008 Posts: 7 OS: XP	Re: Constant IE pop ups and an unremovable virus Hi, ComboFix didn't bring the logs up on a few occasions. Here's the one you requested, but for some reason it says I don't have the recovery console installed although i definatly installed it. ComboFix 08-06-10.3 - Jack 2008-06-11 14:08:15.3 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2430 [GMT 1:00] Running from: C:\Documents and Settings\Jack\Desktop\ComboFix.exe * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete . ((((((((((((((((((((((((( Files Created from 2008-05-11 to 2008-06-11 ))))))))))))))))))))))))))))))) . 2008-06-07 20:39 . 2008-06-07 20:41 <DIR> d----c--- C:\Documents and Settings\All Users.WINDOWS\Application Data\AOL Downloads 2008-06-07 20:30 . 2008-06-07 20:30 <DIR> d----c--- C:\Program Files\Viewpoint 2008-06-07 20:30 . 2008-06-07 20:30 <DIR> d----c--- C:\Documents and Settings\All Users.WINDOWS\Application Data\Viewpoint 2008-06-07 13:11 . 2008-06-07 13:11 110 --a--c--- C:\WINDOWS\GMouse.ini 2008-06-07 11:41 . 2008-06-07 11:41 53 --a--c--- C:\WINDOWS\system32\drivers\SecdelList.bin 2008-06-07 10:44 . 2008-06-07 10:44 <DIR> d----c--- C:\Deckard 2008-06-07 10:35 . 2008-06-07 10:35 <DIR> d----c--- C:\Program Files\Panda Security 2008-06-07 09:53 . 2008-06-07 09:53 <DIR> d----c--- C:\Program Files\Trend Micro 2008-06-06 20:50 . 2008-06-07 11:12 <DIR> d----c--- C:\Program Files\PC Optimizer 2008-06-06 20:41 . 2008-06-06 20:41 <DIR> d----c--- C:\Documents and Settings\All Users.WINDOWS\Application Data\PCPitstop 2008-05-17 14:07 . 2008-05-17 14:07 <DIR> d----c--- C:\Program Files\Common Files\Adobe 2008-05-15 20:30 . 2008-05-21 00:30 <DIR> d----c--- C:\WINDOWS\.jagex_cache_32 2008-05-14 21:45 . 2008-05-14 22:02 43,520 --a--c--- C:\WINDOWS\system32\CmdLineExt03.dll 2008-05-14 21:26 . 2008-05-14 21:26 <DIR> d----c--- C:\Program Files\THQ . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-06-11 13:16 16,601,120 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat 2008-06-11 13:13 644,384 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat 2008-06-11 13:12 167,976 -c----w C:\WINDOWS\system32\drivers\core.cache.dsk 2008-06-11 13:10 61,412 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx 2008-06-11 13:10 223,340 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx 2008-06-11 12:58 --------- dc----w C:\Documents and Settings\All Users.WINDOWS\Application Data\PCSecurityShield 2008-06-08 17:05 --------- dc----w C:\Documents and Settings\Jack\Application Data\LimeWire 2008-06-07 10:14 --------- dc----w C:\Program Files\Windows Media Connect 2 2008-06-06 19:59 --------- dc----w C:\Program Files\AOL 9.0 2008-05-30 14:29 88,774 -c--a-w C:\WINDOWS\system32\drivers\klick.dat 2008-05-28 17:17 96,966 -c--a-w C:\WINDOWS\system32\drivers\klin.dat 2008-05-17 13:26 --------- dc----w C:\Documents and Settings\Jack\Application Data\Neopets Toolbar 2008-05-02 17:47 --------- dc-h--w C:\Program Files\InstallShield Installation Information 2008-04-28 13:49 --------- dc----w C:\Program Files\VDOTool 2008-04-28 13:39 --------- dc----w C:\Program Files\Common Files\InstallShield 2008-04-28 11:39 --------- dc----w C:\Program Files\Common Files\AOL 2008-04-27 14:58 --------- dc----w C:\Program Files\AOL Companion 2008-04-27 14:56 --------- dc----w C:\Program Files\Common Files\aolshare 2008-04-27 14:56 --------- dc----w C:\Documents and Settings\All Users.WINDOWS\Application Data\AOL 2008-04-22 09:59 --------- dc----w C:\Program Files\Apple Software Update 2008-04-21 20:51 --------- dc----w C:\Program Files\DivX 2008-04-17 12:12 --------- dc----w C:\Documents and Settings\All Users.WINDOWS\Application Data\PC Suite 2008-04-15 12:30 --------- dc----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Kontiki 2008-04-14 14:39 --------- dc----w C:\Program Files\PCSecurityShield 2008-03-31 21:25 831,488 -c--a-w C:\WINDOWS\system32\divx_xx0a.dll 2008-03-31 21:25 823,296 -c--a-w C:\WINDOWS\system32\divx_xx0c.dll 2008-03-31 21:25 823,296 -c--a-w C:\WINDOWS\system32\divx_xx07.dll 2008-03-31 21:25 802,816 -c--a-w C:\WINDOWS\system32\divx_xx11.dll 2008-03-31 21:25 682,496 -c--a-w C:\WINDOWS\system32\DivX.dll 2008-03-31 21:25 161,096 -c--a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe 2008-03-27 08:12 151,583 -c--a-w C:\WINDOWS\system32\msjint40.dll 2008-03-23 18:00 147,456 -c--a-w C:\WINDOWS\system32\vbzip10.dll 2008-03-21 20:30 524,288 -c--a-w C:\WINDOWS\system32\DivXsm.exe 2008-03-21 20:30 3,596,288 -c--a-w C:\WINDOWS\system32\qt-dx331.dll 2008-03-21 20:30 200,704 -c--a-w C:\WINDOWS\system32\ssldivx.dll 2008-03-21 20:30 129,784 -c----w C:\WINDOWS\system32\pxafs.dll 2008-03-21 20:30 1,044,480 -c--a-w C:\WINDOWS\system32\libdivx.dll 2008-03-21 20:28 81,920 -c--a-w C:\WINDOWS\system32\dpl100.dll 2008-03-21 20:28 593,920 -c--a-w C:\WINDOWS\system32\dpuGUI11.dll 2008-03-21 20:28 57,344 -c--a-w C:\WINDOWS\system32\dpv11.dll 2008-03-21 20:28 53,248 -c--a-w C:\WINDOWS\system32\dpuGUI10.dll 2008-03-21 20:28 344,064 -c--a-w C:\WINDOWS\system32\dpus11.dll 2008-03-21 20:28 294,912 -c--a-w C:\WINDOWS\system32\dpu11.dll 2008-03-21 20:28 294,912 -c--a-w C:\WINDOWS\system32\dpu10.dll 2008-03-21 20:28 196,608 -c--a-w C:\WINDOWS\system32\dtu100.dll 2008-03-21 20:28 12,288 -c--a-w C:\WINDOWS\system32\DivXWMPExtType.dll 2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys 2008-02-08 01:07 0 -c--a-w C:\Program Files\Common Files\vaxuzaj89104.dll 2005-07-29 16:24 0 -csha-r C:\WINDOWS\SmFjayBIdXRjaGluc29u\mAI3uV1Kxrl3u35RwZ6R.vbs . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26B7FF6F-A62E-43D1-9A82-769AC394B3D8}] 2008-02-08 02:07 0 --a--c--- C:\Program Files\Common Files\vaxuzaj89104.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9C02ECE-F41A-4362-BB65-6B441807FF6A}] C:\WINDOWS\system32\pmnlk.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E1BFB528-4CEF-4198-A5A6-29B3058F8DF5}] C:\WINDOWS\system32\gebya.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 13:00 15360] "AOL Dialer"="C:\Program Files\Common Files\AOL\ACS\AOlDial.exe" [2007-12-07 16:30 71008] "PC_OPT"="C:\Program Files\PC Optimizer\trayicon.exe" [2003-06-17 23:39 71168] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784] "snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2006-09-19 09:07 827392] "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2008-03-17 15:31 26112] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696] "nwiz"="nwiz.exe" [2007-04-12 16:44 1626112 C:\WINDOWS\system32\nwiz.exe] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-12 16:44 8429568] "NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2007-08-02 15:30 3096576] "HostManager"="C:\Program Files\Common Files\AOL\1205853596\ee\AOLSoftware.exe" [2006-09-26 01:52 50736] "AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2007-12-07 16:30 71008] "Gainward"="C:\Program Files\VDOTool\TBPanel.exe" [2007-04-23 19:19 2165536] "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-12 16:44 81920] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792] "AVP"="C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe" [2007-08-23 14:16 200768] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 13:00 15360] C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\ AOL 9.0 Tray Icon.lnk - C:\Program Files\AOL 9.0\aoltray.exe [2008-04-27 15:50:35 156784] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifefca] iifefca.dll [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "C:\\WINDOWS\\system32\\sessmgr.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"= "C:\\Program Files\\LimeWire\\LimeWire.exe"= "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "C:\\Program Files\\AOL 9.0\\waol.exe"= "C:\\Program Files\\THQ\\Dawn Of War\\W40k.exe"= "C:\\Program Files\\PCSecurityShield\\The Shield Deluxe 2008\\avp.exe"= R1 tunmpp;tunmpp;C:\WINDOWS\system32\drivers\tunmpp.sys [2008-03-23 18:57] S2 GF0012;GASIA Filter Driver;C:\WINDOWS\system32\DRIVERS\GF0012.sys [2006-05-19 14:15] . Contents of the 'Scheduled Tasks' folder "2008-06-02 22:12:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe "2008-06-11 13:15:59 C:\WINDOWS\Tasks\MP Scheduled Scan.job" - C:\Program Files\Windows Defender\MpCmdRun.exe . ************************************************************************ catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-06-11 14:13:16 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** . ------------------------ Other Running Processes ------------------------ . C:\Program Files\Windows Defender\MsMpEng.exe C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\wanmpsvc.exe C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Common Files\AOL\Loader\aolload.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Common Files\AOL\1205853596\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe C:\Program Files\Common Files\AOL\1205853596\ee\anotify.exe . ************************************************************************ . Completion time: 2008-06-11 14:22:28 - machine was rebooted ComboFix-quarantined-files.txt 2008-06-11 13:22:23 Pre-Run: 230,128,492,544 bytes free Post-Run: 230,153,945,088 bytes free 165 --- E O F --- 2008-05-30 14:30:16

06-17-2008, 12:20 PM	#9 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,444 OS: 2000 Pro; XP Pro; XP Home	Re: Constant IE pop ups and an unremovable virus Ok, thanks...it does appear that the targeted files and service were removed one of those passes. Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update. Download the latest version of Java Runtime Environment (JRE) 6 Update 6 and save it to your desktop. Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 6. The Java SE Runtime Environment (JRE) allows end-users to run Java applications." Click the "Download" button to the right. Select the Windows platform from the dropdown menu. Read the License Agreement and then check the box that says: "Accept License Agreement". Click on Continue.The page will refresh. Click on the link to download Windows Offline Installation and save the file to your desktop. Close any programs you may have running - especially your web browser. Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java. Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name. Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions. Reboot your computer once all Java components are removed. Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version. After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup) On the General tab, under Temporary Internet Files, click the Settings button. Next, click on the Delete Files button There are two options in the window to clear the cache - Leave BOTH Checked Applications and Applets Trace and Log Files Click OK on Delete Temporary Files Window Note: This deletes ALL the Downloaded Applications and Applets from the CACHE. Click OK to leave the Temporary Files Window Click OK to leave the Java Control Panel. --------------------------------------------------------------------------------------------- Go here to run an online scannner from ESET. Note: You will need to use Internet explorer for this scan Tick the box next to YES, I accept the Terms of Use. Click Start When asked, allow the activex control to install Click Start Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked Click Scan Wait for the scan to finish Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt Copy and paste that log as a reply to this topic, along with a new HijackThis log, and also let me know how things are now. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

06-17-2008, 02:44 PM	#10 (permalink)
Fallenxiii Registered User Join Date: Jun 2008 Posts: 7 OS: XP	Re: Constant IE pop ups and an unremovable virus Ok, i've installed the new java version. Everything seems to be running great, no pop ups at all! So can i uninstall Combofix and Hijack this now? here's the online scan # version=4 # OnlineScanner.ocx=1.0.0.56 # OnlineScannerDLLA.dll=1, 0, 0, 51 # OnlineScannerDLLW.dll=1, 0, 0, 51 # OnlineScannerUninstaller.exe=1, 0, 0, 49 # vers_standard_module=3195 (20080617) # vers_arch_module=1.064 (20080214) # vers_adv_heur_module=1.064 (20070717) # EOSSerial=d1d3a7ec373094408efc7b6eb5900fee # end=finished # remove_checked=false # unwanted_checked=true # utc_time=2008-06-17 08:39:55 # local_time=2008-06-17 09:39:55 (+0000, GMT Standard Time) # country="United Kingdom" # osver=5.1.2600 NT Service Pack 2 # scanned=158229 # found=0 # scan_time=1140 and here's the hijack this log Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 21:43:24, on 17/06/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\Explorer.EXE C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe C:\WINDOWS\vsnpstd3.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\Program Files\Common Files\AOL\1205853596\ee\AOLSoftware.exe C:\Program Files\Common Files\AOL\ACS\AOLDial.exe C:\Program Files\VDOTool\TBPanel.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe C:\Program Files\Common Files\AOL\Loader\aolload.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\PC Optimizer\trayicon.exe C:\Program Files\AOL 9.0\aoltray.exe c:\program files\common files\aol\1205853596\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe c:\program files\common files\aol\1205853596\ee\aolsoftware.exe C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Common Files\AOL\Loader\aolload.exe C:\Documents and Settings\Jack\Desktop\HiJackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.co.uk/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1205853596\ee\AOLSoftware.exe O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe O4 - HKLM\..\Run: [Gainward] C:\Program Files\VDOTool\TBPanel.exe /A O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [AVP] "C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [AOL Dialer] C:\Program Files\Common Files\AOL\ACS\AOlDial.exe O4 - HKCU\..\Run: [PC_OPT] C:\Program Files\PC Optimizer\trayicon.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\scieplugin.dll O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing) O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing) O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aolsvc.aol.co.uk/comput...up/qdiagcc.cab O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/...ploader4_5.cab O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing) O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: The Shield Deluxe 2008 (AVP) - PCSecurityShield - C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe -- End of file - 8218 bytes

06-17-2008, 04:24 PM	#11 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,444 OS: 2000 Pro; XP Pro; XP Home	Re: Constant IE pop ups and an unremovable virus Your logs appear clean.You should be good to go. We still have a few items to address. Yes, you can uninstall HijackThis. This next step will uninstall ComboFix and some associated files and folders. Go to -> Run -> copy/paste in the following single line command & click OK combofix /u This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points. Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and use the following free programs: Microsoft Windows Update - http://www.windowsupdate.com Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates. SpywareBlaster to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items Winpatrol Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here. You can get a free copy of Winpatrol or use the Plus version for more features. You can read Winpatrol's FAQ if you run into problems. MVPS HOST FILE The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Download Host.zip to your desktop. From your Desktop right-click (hosts.zip) and select: Extract All from the menu. Click Next, click Next, select the option: "Show Extracted files", click Finish This will open the newly created hosts folder on your Desktop. Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine. Once updated you should see another prompt that the task was completed. ANTIVIRUS SOFTWARE It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out. Do not install more than one AntiVirus program because they will conflict with each other. FIREWALL Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here Do not install more than one firewall program because they will conflict with each other. Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer Here are some additional utilities that will further enhance your safety. http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN) http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. While Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness. http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine. http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP//Vista. It's made up of two parts - ERUNT & NTREGOPT. ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry. NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster. In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles HOW DID I GET INFECTED IN THE FIRST PLACE? MAKING INTERNET EXPLORER SAFER If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it. Please respond to this thread one more time so we can mark this thread as resolved. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

06-18-2008, 01:22 AM	#12 (permalink)
Fallenxiii Registered User Join Date: Jun 2008 Posts: 7 OS: XP	Re: Constant IE pop ups and an unremovable virus Great stuff, all done! Thanks for all the help

06-18-2008, 01:11 PM	#13 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,444 OS: 2000 Pro; XP Pro; XP Home	Re: Constant IE pop ups and an unremovable virus You're quite welcome! Surf Safely, and Think Prevention! Since this issue is resolved, this topic will be archived. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009