Several popups, issues running reports... please help

sonyaflower · 11-08-2008, 06:53 PM

I have been having problems with popups coming non-stop for the past three weeks. I ran the free version of Ad-Ware, but they still continue. I deleted Limewire, which I am certain was the cause of this issue (it was downloaded by my son). I downloaded both GMER.EXE and RSIT.EXE and began the steps to scan my computer.

While I am running GMER.EXE, the "blue screen of death" stating that a serious error occurs and gives me an error code of "PAGE_FAULT_IN_NONPAGED_AREA." I can't get past that. I am not sure what to do.

Can anyone please help me figure out what steps I need to do to get my issue fixed?

Thanks in advance!

Sonya

sonyaflower · 11-09-2008, 12:41 PM

I've continued working to try to this situation resolved, but still haven't been successful. I have managed to slow the rate I am receiving pop-ups, but they are still coming, and still annoying. I'm attaching a copy of my Hijack log... hope that is OK to do.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:37:18 PM, on 11/9/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\PROGRA~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe
C:\PROGRA~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HOTALBUMMyBOX\MediaChecker.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe
C:\Program Files\ppcbooster\ppcbooster.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_cu...spx?TbId=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by CenturyTel
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O1 - Hosts: 1.1.1.1 ftp.f-secure.com
O1 - Hosts: 1.1.1.1 ftp.sophos.com
O1 - Hosts: 1.1.1.1 support.microsoft.com
O1 - Hosts: 1.1.1.1 viruslist.com
O1 - Hosts: 1.1.1.1 free.grisoft.com
O1 - Hosts: 1.1.1.1 housecall.trendmicro.com
O1 - Hosts: 1.1.1.1 www.pandasoftware.com
O1 - Hosts: 1.1.1.1 usa.kaspersky.com
O1 - Hosts: 1.1.1.1 ewido.net
O1 - Hosts: 1.1.1.1 www.ewido.net
O1 - Hosts: 1.1.1.1 www.zonelabs.com
O1 - Hosts: 1.1.1.1 bitdefender.com
O1 - Hosts: 1.1.1.1 www.bitdefender.com
O1 - Hosts: 1.1.1.1 download.bitdefender.com
O1 - Hosts: 1.1.1.1 upgrade.bitdefender.com
O1 - Hosts: 1.1.1.1 spywareinfo.com
O1 - Hosts: 1.1.1.1 www.spywareinfo.com
O1 - Hosts: 1.1.1.1 www.merijn.org
O1 - Hosts: 1.1.1.1 sysinternals.com
O1 - Hosts: 1.1.1.1 www.sysinternals.com
O1 - Hosts: 1.1.1.1 onguardonline.gov
O1 - Hosts: 1.1.1.1 www.onguardonline.gov
O1 - Hosts: 1.1.1.1 avast.com
O1 - Hosts: 1.1.1.1 www.avast.com
O1 - Hosts: 1.1.1.1 safety.live.com
O1 - Hosts: 1.1.1.1 www.paretologic.com
O1 - Hosts: 1.1.1.1 paretologic.com
O1 - Hosts: 1.1.1.1 virusscan.jotti.org
O1 - Hosts: 1.1.1.1 services.google.com
O1 - Hosts: 1.1.1.1 www.webroot.com
O1 - Hosts: 1.1.1.1 webroot.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ymetray] "C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" -preload
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [MBBalloon] C:\Program Files\HOTALBUMMyBOX\MBBalloon.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: lsass.lnk = ?
O4 - Startup: ppcbooster.lnk = C:\Program Files\ppcbooster\ppcbooster.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: MediaChecker.lnk = C:\Program Files\HOTALBUMMyBOX\MediaChecker.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/BookWorm/Images/stg_drm.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/W...gPublisher.exe
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/BookWorm/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 14447 bytes

Ried · 11-10-2008, 07:30 AM

Hello sonyaflower,

The HijackThis is not telling us enough. Please download dds.scr and save it to your desktop.

Double click dds.scr to run the tool.

When done, DDS.txt will open.
Click Yes at the next prompt for Optional Scan.
Save both reports to your desktop.

-----------------------------------------------------

Please include the contents of the following in your next reply:

dds.txt

Attach the following report to your post by clicking the Manage Attachments button under Additonal Options>Attach Files on teh composition page. Browse to where you saved the file, and click Upload.

Attach.txt

sonyaflower · 11-10-2008, 06:36 PM

Hi Ried,

I attached the Attach.txt report. Here is the DDS.txt report:

DDS (Version 1.0) - NTFSx86
Run by Steve at 18:37:18.23 on Mon 11/10/2008
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.125 [GMT -6:00]

=============== Created Last 30 ================

2008-11-09 07:15 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-11-09 07:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-11-09 07:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2008-11-09 07:07 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-11-09 07:07 <DIR> --d----- c:\docume~1\steve\applic~1\SUPERAntiSpyware.com
2008-11-09 06:53 <DIR> --d----- c:\program files\Trend Micro
2008-11-08 10:38 250 a------- c:\windows\gmer.ini
2008-10-23 15:31 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-22 23:31 262,144 a------- C:\ntuser.dat
2008-10-22 23:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Yahoo! Companion
2008-10-20 17:07 <DIR> --d----- c:\docume~1\steve\applic~1\MxBoost
2008-10-20 17:05 <DIR> --d----- c:\program files\Maxthon2
2008-10-15 14:55 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-15 14:55 2,189,184 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-15 14:55 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-15 14:55 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-15 14:54 333,824 -------- c:\windows\system32\dllcache\srv.sys
2008-10-15 14:50 1,846,400 -------- c:\windows\system32\dllcache\win32k.sys
2008-10-13 20:24 <DIR> --d----- c:\docume~1\steve\applic~1\.wyzo
2008-10-13 20:17 70,603 a------- c:\windows\vntb9283.exe
2008-10-13 20:15 70,603 a------- c:\windows\dwtb2837.exe
2008-10-13 20:15 <DIR> --d----- c:\program files\ppcbooster
2008-10-13 20:15 77,913 a------- c:\windows\system32\qvvetjtfuikuh.exe

================== Find3M ==================

2008-11-10 12:14 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-11-09 19:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2008-11-09 12:56 <DIR> --d----- c:\program files\common files\Symantec Shared
2008-10-25 17:15 <DIR> --d----- c:\program files\LimeWire
2008-10-25 17:07 <DIR> --d----- c:\docume~1\steve\applic~1\LimeWire
2008-10-22 23:31 <DIR> --d----- c:\program files\Yahoo!
2008-10-15 20:22 <DIR> --d----- c:\program files\Hero Editor
2008-10-15 20:22 <DIR> --d----- c:\program files\PopCap Games
2008-10-05 08:25 <DIR> --d----- c:\program files\Messenger
2008-10-05 08:22 77,915 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-05 08:14 <DIR> --d----- c:\program files\Windows NT
2008-10-03 11:41 6,066,176 -------- c:\windows\system32\dllcache\ieframe.dll
2008-09-15 06:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-13 21:11 <DIR> --d----- c:\program files\HOTALBUMMyBOX
2008-09-01 21:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Lavasoft
2008-08-27 02:24 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-08-25 02:38 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-08-25 02:37 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-08-22 23:56 635,848 -------- c:\windows\system32\dllcache\iexplore.exe
2008-08-22 23:54 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-08-14 04:09 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2008-08-14 04:04 138,496 -------- c:\windows\system32\dllcache\afd.sys
2008-08-14 03:33 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2008-08-05 15:09 <DIR> --d----- c:\docume~1\steve\applic~1\W Photo Studio Viewer
2008-08-05 14:20 <DIR> --d----- c:\docume~1\steve\applic~1\Walgreens
2008-05-29 06:06 <DIR> --d----- c:\docume~1\steve\applic~1\Command & Conquer 3 Tiberium Wars
2008-05-29 06:02 <DIR> --d-hr-- c:\docume~1\steve\applic~1\SecuROM
2008-04-28 19:59 <DIR> --d----- c:\docume~1\steve\applic~1\SpinTop
2008-03-24 20:31 <DIR> --d----- c:\docume~1\steve\applic~1\AdobeAUM
2008-01-16 17:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AOL
2008-01-16 17:24 <DIR> --d----- c:\docume~1\steve\applic~1\AOL
2007-12-20 12:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SupportSoft
2007-12-18 22:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Dell
2007-12-06 21:13 <DIR> --d----- c:\docume~1\steve\applic~1\Symantec
2007-12-06 21:01 <DIR> --d----- c:\docume~1\steve\applic~1\Simple Star
2007-12-04 11:57 <DIR> --d----- c:\docume~1\steve\applic~1\SlipStream
2007-12-04 11:57 <DIR> --d----- c:\docume~1\steve\applic~1\Jasc Software Inc
2007-09-05 20:54 <DIR> --d----- c:\docume~1\steve\applic~1\MSNInstaller
2007-04-27 07:04 <DIR> --d----- c:\docume~1\steve\applic~1\Viewpoint
2007-04-27 06:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Viewpoint
2006-09-17 19:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ScanSoft
2006-08-06 14:09 <DIR> --d----- c:\docume~1\steve\applic~1\Ulead Systems
2006-07-20 19:20 <DIR> --d----- c:\docume~1\steve\applic~1\VideoEgg
2006-07-20 19:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\VideoEgg
2006-06-12 08:41 <DIR> --d----- c:\docume~1\steve\applic~1\Creative
2006-05-16 21:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Windows Genuine Advantage
2005-05-20 14:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Intuit
2005-05-20 13:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SBSI

============== Psuedo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://www.google.com/ie
uWindow Title = Microsoft Internet Explorer provided by CenturyTel
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/yme/*http://www.yahoo.com/ext/search/search.html
mWindow Title = Microsoft Internet Explorer provided by CenturyTel
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\common files\symantec shared\coshared\browser\2.0\coIEPlg.dll
BHO: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\program files\windows live toolbar\msntb.dll
BHO: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\common files\symantec shared\coshared\browser\2.0\CoIEPlg.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\program files\windows live toolbar\msntb.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\program files\windows live toolbar\msntb.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\common files\symantec shared\coshared\browser\2.0\CoIEPlg.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\walgre~1\walgre~1\data\xtras\mssysmgr.exe
uRun: [lsass]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [MMTray] c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ymetray] "c:\program files\yahoo!\yahoo! music engine\YahooMusicEngine.exe" -preload
mRun: [Ulead AutoDetector] c:\program files\ulead systems\ulead photo explorer 8.0 se basic\Monitor.exe
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [OneTouch Monitor] c:\program files\visioneer onetouch\OneTouchMon.exe
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [lsass]
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [MBBalloon] c:\program files\hotalbummybox\MBBalloon.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\steve\startm~1\programs\startup\lsass.lnk -
StartupFolder: c:\docume~1\steve\startm~1\programs\startup\ppcbooster.lnk - c:\program files\ppcbooster\ppcbooster.exe
uPolicies-system: NoAdminPage = 1
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: igfxcui -igfxsrvc.dll
SSODL: {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ==============

S2 Ca536av;DV 5100M(Video);c:\windows\system32\drivers\Ca536av.sys
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys
R3 GT680xNT;Visioneer OneTouch 7300 Driver;c:\windows\system32\drivers\gt680x.sys
R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys
S3 USBCamera;DV 5100M(Still);c:\windows\system32\drivers\Bulk536.sys
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;c:\windows\system32\drivers\usb8023.sys
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\ccSvcHst.exe

============= FINISH: 18:37:54.93 ===============

Ried · 11-10-2008, 09:44 PM

Thank you. : )

It will require more than one round to properly clean your system. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

***************************************************

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
Double click on combofix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

sonyaflower · 11-10-2008, 10:33 PM

Ried,

Again, so many thanks for your quick replies and help. Here is the ComboFix log...

ComboFix 08-11-10.01 - Steve 2008-11-10 23:14:31.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.112 [GMT -6:00]
Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\ppcbooster
c:\program files\ppcbooster\ppcbooster-uninst.exe
c:\program files\ppcbooster\ppcbooster.exe

.
((((((((((((((((((((((((( Files Created from 2008-10-11 to 2008-11-11 )))))))))))))))))))))))))))))))
.

2008-11-09 07:15 . 2008-11-10 12:17 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-09 07:15 . 2008-11-10 12:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-09 07:08 . 2008-11-09 07:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-09 07:07 . 2008-11-10 12:14 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-11-09 07:07 . 2008-11-10 12:14 <DIR> d-------- c:\documents and settings\Steve\Application Data\SUPERAntiSpyware.com
2008-11-09 06:53 . 2008-11-09 06:53 <DIR> d-------- c:\program files\Trend Micro
2008-11-08 10:38 . 2008-11-08 10:48 250 --a------ c:\windows\gmer.ini
2008-10-25 17:10 . 2008-10-25 17:11 <DIR> d-------- c:\documents and settings\Cody\Music
2008-10-23 15:31 . 2008-10-15 10:34 337,408 --------- c:\windows\SYSTEM32\DLLCACHE\netapi32.dll
2008-10-22 23:31 . 2008-10-22 23:31 262,144 --a------ C:\ntuser.dat
2008-10-22 23:30 . 2008-10-25 14:26 <DIR> d-------- c:\documents and settings\Steve\Application Data\Yahoo!
2008-10-22 23:30 . 2008-10-22 23:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-10-20 17:07 . 2008-10-21 12:42 <DIR> d-------- c:\documents and settings\Steve\Application Data\MxBoost
2008-10-20 17:05 . 2008-10-27 20:01 <DIR> d-------- c:\program files\Maxthon2
2008-10-15 14:55 . 2008-08-14 04:11 2,189,184 --------- c:\windows\SYSTEM32\DLLCACHE\ntoskrnl.exe
2008-10-15 14:55 . 2008-08-14 04:09 2,145,280 --------- c:\windows\SYSTEM32\DLLCACHE\ntkrnlmp.exe
2008-10-15 14:55 . 2008-08-14 03:33 2,066,048 --------- c:\windows\SYSTEM32\DLLCACHE\ntkrnlpa.exe
2008-10-15 14:55 . 2008-08-14 03:33 2,023,936 --------- c:\windows\SYSTEM32\DLLCACHE\ntkrpamp.exe
2008-10-15 14:54 . 2008-09-08 04:41 333,824 --------- c:\windows\SYSTEM32\DLLCACHE\srv.sys
2008-10-15 14:50 . 2008-09-15 06:12 1,846,400 --------- c:\windows\SYSTEM32\DLLCACHE\win32k.sys
2008-10-13 20:24 . 2008-10-13 20:24 <DIR> d-------- c:\documents and settings\Steve\Application Data\.wyzo
2008-10-13 20:17 . 2008-10-13 20:17 70,603 --a------ c:\windows\vntb9283.exe
2008-10-13 20:15 . 2008-11-03 21:22 77,913 --a------ c:\windows\SYSTEM32\qvvetjtfuikuh.exe
2008-10-13 20:15 . 2008-10-13 20:17 70,603 --a------ c:\windows\dwtb2837.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-11 05:19 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-11 04:27 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-11-10 18:14 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-30 16:47 25,182 ----a-w c:\documents and settings\Steve\Application Data\wklnhst.dat
2008-10-25 23:15 --------- d-----w c:\program files\LimeWire
2008-10-25 23:07 --------- d-----w c:\documents and settings\Steve\Application Data\LimeWire
2008-10-23 05:31 --------- d-----w c:\program files\Yahoo!
2008-10-16 02:22 --------- d-----w c:\program files\PopCap Games
2008-10-16 02:22 --------- d-----w c:\program files\Hero Editor
2008-09-14 03:11 --------- d-----w c:\program files\HOTALBUMMyBOX
2008-06-18 13:36 95,928 -c--a-w c:\documents and settings\Steve\Application Data\GDIPFONTCACHEV1.DAT
2007-07-20 02:57 1,012 -c--a-w c:\documents and settings\Cody\Application Data\wklnhst.dat
2006-12-20 05:51 142 -c--a-w c:\documents and settings\Ryan\Application Data\wklnhst.dat
2003-08-29 18:12 61,440 -c--a-w c:\windows\INF\i386\Viz7300.dll
2003-08-29 18:12 17,376 -c--a-w c:\windows\INF\i386\Gt680x.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
2008-07-28 04:46 160496 --a------ c:\program files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"PhotoShow Deluxe Media Manager"="c:\progra~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe" [2005-05-19 176128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-23 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2004-09-14 131072]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-05-20 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-05-20 98304]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ymetray"="c:\program files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" [2006-10-03 6104568]
"Ulead AutoDetector"="c:\program files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe" [2003-11-18 45056]
"PaperPort PTD"="c:\program files\Scansoft\PaperPort\pptd40nt.exe" [2002-09-23 45108]
"IndexSearch"="c:\program files\Scansoft\PaperPort\IndexSearch.exe" [2002-09-23 36864]
"OneTouch Monitor"="c:\program files\Visioneer OneTouch\OneTouchMon.exe" [2003-11-20 106496]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2006-10-31 20752]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2007-08-24 714608]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"MBBalloon"="c:\program files\HOTALBUMMyBOX\MBBalloon.exe" [2007-02-09 789120]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\SYSTEM32\narrator.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
MediaChecker.lnk - c:\program files\HOTALBUMMyBOX\MediaChecker.exe [2007-02-13 915096]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Ulead Photo Express 4.0 SE Calendar Checker .lnk - c:\program files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe [2005-07-19 69632]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Engine\ymetray.exe [2006-10-03 54776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

R0 PzWDM;PzWDM;c:\windows\system32\Drivers\PzWDM.sys [2008-03-03 15172]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
R3 GT680xNT;Visioneer OneTouch 7300 Driver;c:\windows\system32\drivers\gt680x.sys [2003-08-29 17376]
S2 Ca536av;DV 5100M(Video);c:\windows\system32\Drivers\Ca536av.sys [ ]
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;c:\windows\system32\DRIVERS\usb8023.sys [2008-04-13 12800]
S3 USBCamera;DV 5100M(Still);c:\windows\system32\Drivers\Bulk536.sys [ ]

*Newly Created Service* - COMHOST
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-11-11 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2008-10-28 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Steve.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-26 19:19]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\rwz6juxw.default\
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\VideoEgg\Loader\2364\npvideoegg-loader.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-10 23:20:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\BinHub\PopularSites.xml.bin 11054 bytes
c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\BinHub\Redirectors.xml.bin 88705 bytes
c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\BinHub\Resources.xml.bin 556 bytes
c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\BinHub\SafeList.xml.bin 709905 bytes
c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\BinHub\SearchServices.xml.bin 22840 bytes
c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\BinHub\Throttle.xml.bin 454 bytes
c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\BinHub\TrustedDomains.xml.bin 265388 bytes
c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\BinHub\URLAnalysis.xml.bin 985009 bytes
c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\BinHub\Identifiers.xml.bin 3427635 bytes
c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\BinHub\Indicators.xml.bin 77358 bytes

scan completed successfully
hidden files: 10

**************************************************************************
.
Completion time: 2008-11-10 23:27:42
ComboFix-quarantined-files.txt 2008-11-11 05:27:20

Pre-Run: 53,666,988,032 bytes free
Post-Run: 53,831,909,376 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

182 --- E O F --- 2008-10-24 03:50:47

Ried · 11-11-2008, 08:20 PM

You're welcome, sonyaflower. : )

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Quote:

http://www.techsupportforum.com/security-center/hijackthis-log-help/310886-several-popups-issues-running-reports-please-help-post1797013.html#post1797013

Collect::
c:\windows\vntb9283.exe
c:\windows\SYSTEM32\qvvetjtfuikuh.exe

File::
c:\windows\dwtb2837.exe

Folder::
c:\documents and settings\Steve\Application Data\.wyzo

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

Ensure you are connected to the internet and click OK on the message box.
A browser will open.
Simply follow the instructions to copy/paste/send the requested file.

---------------------------------------------------------------------

Please post the C:\ComboFix.txt along with an update on system behavior.

sonyaflower · 11-13-2008, 10:10 AM

Hey Ried,

I didn't want you to think I forgot about you. I had to go back to school, so I won't be able to get to the fixing until I go home in a couple weeks. I'll report back then - if that is OK.

Thanks,
Sonya

Ried · 11-13-2008, 08:15 PM

Thanks for letting me know. I'll remain subscribed.

Will anyone be using this computer while you're gone? Until you've at least carried out the last step, it's best to keep this computer off the internet.

sonyaflower · 11-28-2008, 07:29 PM

Hi Ried,

The computer was used very litter over this past dead time. I've been on the computer the last couple days and there have been ZERO pop-ups.

I had to install a new version of ComboFix, and I hope this gives us the right information we're looking for:

ComboFix 08-11-10.01 - Steve 2008-11-10 23:14:31.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.112 [GMT -6:00]
Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\ppcbooster
c:\program files\ppcbooster\ppcbooster-uninst.exe
c:\program files\ppcbooster\ppcbooster.exe

.
((((((((((((((((((((((((( Files Created from 2008-10-11 to 2008-11-11 )))))))))))))))))))))))))))))))
.

2008-11-09 07:15 . 2008-11-10 12:17 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-09 07:15 . 2008-11-10 12:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-09 07:08 . 2008-11-09 07:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-09 07:07 . 2008-11-10 12:14 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-11-09 07:07 . 2008-11-10 12:14 <DIR> d-------- c:\documents and settings\Steve\Application Data\SUPERAntiSpyware.com
2008-11-09 06:53 . 2008-11-09 06:53 <DIR> d-------- c:\program files\Trend Micro
2008-11-08 10:38 . 2008-11-08 10:48 250 --a------ c:\windows\gmer.ini
2008-10-25 17:10 . 2008-10-25 17:11 <DIR> d-------- c:\documents and settings\Cody\Music
2008-10-23 15:31 . 2008-10-15 10:34 337,408 --------- c:\windows\SYSTEM32\DLLCACHE\netapi32.dll
2008-10-22 23:31 . 2008-10-22 23:31 262,144 --a------ C:\ntuser.dat
2008-10-22 23:30 . 2008-10-25 14:26 <DIR> d-------- c:\documents and settings\Steve\Application Data\Yahoo!
2008-10-22 23:30 . 2008-10-22 23:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-10-20 17:07 . 2008-10-21 12:42 <DIR> d-------- c:\documents and settings\Steve\Application Data\MxBoost
2008-10-20 17:05 . 2008-10-27 20:01 <DIR> d-------- c:\program files\Maxthon2
2008-10-15 14:55 . 2008-08-14 04:11 2,189,184 --------- c:\windows\SYSTEM32\DLLCACHE\ntoskrnl.exe
2008-10-15 14:55 . 2008-08-14 04:09 2,145,280 --------- c:\windows\SYSTEM32\DLLCACHE\ntkrnlmp.exe
2008-10-15 14:55 . 2008-08-14 03:33 2,066,048 --------- c:\windows\SYSTEM32\DLLCACHE\ntkrnlpa.exe
2008-10-15 14:55 . 2008-08-14 03:33 2,023,936 --------- c:\windows\SYSTEM32\DLLCACHE\ntkrpamp.exe
2008-10-15 14:54 . 2008-09-08 04:41 333,824 --------- c:\windows\SYSTEM32\DLLCACHE\srv.sys
2008-10-15 14:50 . 2008-09-15 06:12 1,846,400 --------- c:\windows\SYSTEM32\DLLCACHE\win32k.sys
2008-10-13 20:24 . 2008-10-13 20:24 <DIR> d-------- c:\documents and settings\Steve\Application Data\.wyzo
2008-10-13 20:17 . 2008-10-13 20:17 70,603 --a------ c:\windows\vntb9283.exe
2008-10-13 20:15 . 2008-11-03 21:22 77,913 --a------ c:\windows\SYSTEM32\qvvetjtfuikuh.exe
2008-10-13 20:15 . 2008-10-13 20:17 70,603 --a------ c:\windows\dwtb2837.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-11 05:19 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-11 04:27 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-11-10 18:14 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-30 16:47 25,182 ----a-w c:\documents and settings\Steve\Application Data\wklnhst.dat
2008-10-25 23:15 --------- d-----w c:\program files\LimeWire
2008-10-25 23:07 --------- d-----w c:\documents and settings\Steve\Application Data\LimeWire
2008-10-23 05:31 --------- d-----w c:\program files\Yahoo!
2008-10-16 02:22 --------- d-----w c:\program files\PopCap Games
2008-10-16 02:22 --------- d-----w c:\program files\Hero Editor
2008-09-14 03:11 --------- d-----w c:\program files\HOTALBUMMyBOX
2008-06-18 13:36 95,928 -c--a-w c:\documents and settings\Steve\Application Data\GDIPFONTCACHEV1.DAT
2007-07-20 02:57 1,012 -c--a-w c:\documents and settings\Cody\Application Data\wklnhst.dat
2006-12-20 05:51 142 -c--a-w c:\documents and settings\Ryan\Application Data\wklnhst.dat
2003-08-29 18:12 61,440 -c--a-w c:\windows\INF\i386\Viz7300.dll
2003-08-29 18:12 17,376 -c--a-w c:\windows\INF\i386\Gt680x.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
2008-07-28 04:46 160496 --a------ c:\program files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"PhotoShow Deluxe Media Manager"="c:\progra~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe" [2005-05-19 176128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-23 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2004-09-14 131072]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-05-20 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-05-20 98304]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ymetray"="c:\program files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" [2006-10-03 6104568]
"Ulead AutoDetector"="c:\program files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe" [2003-11-18 45056]
"PaperPort PTD"="c:\program files\Scansoft\PaperPort\pptd40nt.exe" [2002-09-23 45108]
"IndexSearch"="c:\program files\Scansoft\PaperPort\IndexSearch.exe" [2002-09-23 36864]
"OneTouch Monitor"="c:\program files\Visioneer OneTouch\OneTouchMon.exe" [2003-11-20 106496]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2006-10-31 20752]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2007-08-24 714608]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"MBBalloon"="c:\program files\HOTALBUMMyBOX\MBBalloon.exe" [2007-02-09 789120]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\SYSTEM32\narrator.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
MediaChecker.lnk - c:\program files\HOTALBUMMyBOX\MediaChecker.exe [2007-02-13 915096]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Ulead Photo Express 4.0 SE Calendar Checker .lnk - c:\program files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe [2005-07-19 69632]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Engine\ymetray.exe [2006-10-03 54776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

R0 PzWDM;PzWDM;c:\windows\system32\Drivers\PzWDM.sys [2008-03-03 15172]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
R3 GT680xNT;Visioneer OneTouch 7300 Driver;c:\windows\system32\drivers\gt680x.sys [2003-08-29 17376]
S2 Ca536av;DV 5100M(Video);c:\windows\system32\Drivers\Ca536av.sys [ ]
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;c:\windows\system32\DRIVERS\usb8023.sys [2008-04-13 12800]
S3 USBCamera;DV 5100M(Still);c:\windows\system32\Drivers\Bulk536.sys [ ]

*Newly Created Service* - COMHOST
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-11-11 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2008-10-28 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Steve.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-26 19:19]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\rwz6juxw.default\
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\VideoEgg\Loader\2364\npvideoegg-loader.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-10 23:20:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\BinHub\PopularSites.xml.bin 11054 bytes
c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\BinHub\Redirectors.xml.bin 88705 bytes
c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\BinHub\Resources.xml.bin 556 bytes
c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\BinHub\SafeList.xml.bin 709905 bytes
c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\BinHub\SearchServices.xml.bin 22840 bytes
c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\BinHub\Throttle.xml.bin 454 bytes
c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\BinHub\TrustedDomains.xml.bin 265388 bytes
c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\BinHub\URLAnalysis.xml.bin 985009 bytes
c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\BinHub\Identifiers.xml.bin 3427635 bytes
c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\BinHub\Indicators.xml.bin 77358 bytes

scan completed successfully
hidden files: 10

**************************************************************************
.
Completion time: 2008-11-10 23:27:42
ComboFix-quarantined-files.txt 2008-11-11 05:27:20

Pre-Run: 53,666,988,032 bytes free
Post-Run: 53,831,909,376 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

182 --- E O F --- 2008-10-24 03:50:47

Ried · 11-28-2008, 08:12 PM

You did the correct thing in updating Combofix, and welcome back.

However...

I needed you to create and run a CFScript. Kindly refer back to Post #7 and follow those steps.

After ComboFix has completed, post the C:\ComboFix.txt in your next reply.

sonyaflower · 11-29-2008, 06:47 PM

Hi Ried,

Hope you had a good Thanksgiving. I followed the instructions in post #7, but no matter what I do, I am not gettting the end part where an internet browser opens. I am not sure what I am doing wrong. Regardless, here is a post of my ComboFix.txt log...

ComboFix 08-11-29.03 - Steve 2008-11-29 19:38:03.8 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.125 [GMT -6:00]
Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Steve\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\dwtb2837.exe
.

((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-30 )))))))))))))))))))))))))))))))
.

2008-11-17 19:12 . 2008-11-17 19:12 <DIR> d-------- c:\program files\Windows Media Connect 2
2008-11-13 21:51 . 2008-10-24 05:21 455,296 --------- c:\windows\SYSTEM32\DLLCACHE\mrxsmb.sys
2008-11-13 21:50 . 2008-09-04 11:15 1,106,944 --------- c:\windows\SYSTEM32\DLLCACHE\msxml3.dll
2008-11-09 07:15 . 2008-11-10 12:17 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-09 07:15 . 2008-11-10 12:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-09 07:08 . 2008-11-09 07:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-09 07:07 . 2008-11-10 12:14 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-11-09 07:07 . 2008-11-10 12:14 <DIR> d-------- c:\documents and settings\Steve\Application Data\SUPERAntiSpyware.com
2008-11-09 06:53 . 2008-11-09 06:53 <DIR> d-------- c:\program files\Trend Micro
2008-11-08 10:38 . 2008-11-08 10:48 250 --a------ c:\windows\gmer.ini
2008-10-25 17:10 . 2008-10-25 17:11 <DIR> d-------- c:\documents and settings\Cody\Music
2008-10-23 15:31 . 2008-10-15 10:34 337,408 --------- c:\windows\SYSTEM32\DLLCACHE\netapi32.dll
2008-10-22 23:31 . 2008-10-22 23:31 262,144 --a------ C:\ntuser.dat
2008-10-22 23:30 . 2008-10-25 14:26 <DIR> d-------- c:\documents and settings\Steve\Application Data\Yahoo!
2008-10-22 23:30 . 2008-10-22 23:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-10-20 17:07 . 2008-10-21 12:42 <DIR> d-------- c:\documents and settings\Steve\Application Data\MxBoost
2008-10-20 17:05 . 2008-10-27 20:01 <DIR> d-------- c:\program files\Maxthon2
2008-10-15 14:55 . 2008-08-14 04:11 2,189,184 --------- c:\windows\SYSTEM32\DLLCACHE\ntoskrnl.exe
2008-10-15 14:55 . 2008-08-14 04:09 2,145,280 --------- c:\windows\SYSTEM32\DLLCACHE\ntkrnlmp.exe
2008-10-15 14:55 . 2008-08-14 03:33 2,066,048 --------- c:\windows\SYSTEM32\DLLCACHE\ntkrnlpa.exe
2008-10-15 14:55 . 2008-08-14 03:33 2,023,936 --------- c:\windows\SYSTEM32\DLLCACHE\ntkrpamp.exe
2008-10-15 14:54 . 2008-09-08 04:41 333,824 --------- c:\windows\SYSTEM32\DLLCACHE\srv.sys
2008-10-15 14:50 . 2008-09-15 06:12 1,846,400 --------- c:\windows\SYSTEM32\DLLCACHE\win32k.sys
2008-10-07 20:32 . 2008-10-25 17:15 <DIR> d-------- c:\program files\LimeWire
2008-10-05 19:53 . 2008-10-05 19:53 <DIR> d-------- C:\Valve
2008-10-05 08:19 . 2008-10-05 08:19 <DIR> d-------- c:\windows\SYSTEM32\scripting
2008-10-05 08:19 . 2008-10-05 08:19 <DIR> d-------- c:\windows\SYSTEM32\en
2008-10-05 08:19 . 2008-10-05 08:19 <DIR> d-------- c:\windows\SYSTEM32\bits
2008-10-05 08:19 . 2008-10-05 08:19 <DIR> d-------- c:\windows\l2schemas
2008-10-05 08:15 . 2008-10-05 08:19 <DIR> d-------- c:\windows\ServicePackFiles
2008-10-05 08:03 . 2008-10-05 08:03 <DIR> d-------- c:\windows\EHome

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-30 00:33 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-11-21 04:18 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-19 00:54 25,502 ----a-w c:\documents and settings\Steve\Application Data\wklnhst.dat
2008-11-10 18:14 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-25 23:07 --------- d-----w c:\documents and settings\Steve\Application Data\LimeWire
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 05:31 --------- d-----w c:\program files\Yahoo!
2008-10-16 20:13 202,776 ----a-w c:\windows\SYSTEM32\wuweb.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\SYSTEM32\wuaueng.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\SYSTEM32\wuapi.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\SYSTEM32\wucltui.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\SYSTEM32\DLLCACHE\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\SYSTEM32\DLLCACHE\cdm.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\SYSTEM32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\SYSTEM32\wuauclt.exe
2008-10-16 20:09 51,224 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\SYSTEM32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\SYSTEM32\wups.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\SYSTEM32\DLLCACHE\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\SYSTEM32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\SYSTEM32\muweb.dll
2008-10-16 02:22 --------- d-----w c:\program files\PopCap Games
2008-10-16 02:22 --------- d-----w c:\program files\Hero Editor
2008-10-03 17:41 6,066,176 ------w c:\windows\SYSTEM32\DLLCACHE\ieframe.dll
2008-09-30 22:43 1,286,152 ----a-w c:\windows\SYSTEM32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\SYSTEM32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\SYSTEM32\msxml6.dll
2008-09-10 01:14 1,307,648 ------w c:\windows\SYSTEM32\DLLCACHE\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\SYSTEM32\msxml3.dll
2008-08-27 08:24 3,593,216 ------w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
2008-08-25 08:38 13,824 ------w c:\windows\SYSTEM32\DLLCACHE\ieudinit.exe
2008-08-25 08:37 70,656 ------w c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-08-23 05:56 635,848 ------w c:\windows\SYSTEM32\DLLCACHE\iexplore.exe
2008-08-23 05:54 161,792 ------w c:\windows\SYSTEM32\DLLCACHE\ieakui.dll
2008-08-14 10:09 2,145,280 ----a-w c:\windows\SYSTEM32\ntoskrnl.exe
2008-08-14 10:04 138,496 ------w c:\windows\SYSTEM32\DLLCACHE\afd.sys
2008-08-14 09:33 2,023,936 ----a-w c:\windows\SYSTEM32\ntkrnlpa.exe
2008-06-18 13:36 95,928 -c--a-w c:\documents and settings\Steve\Application Data\GDIPFONTCACHEV1.DAT
2007-07-20 02:57 1,012 -c--a-w c:\documents and settings\Cody\Application Data\wklnhst.dat
2006-12-20 05:51 142 -c--a-w c:\documents and settings\Ryan\Application Data\wklnhst.dat
2003-08-29 18:12 61,440 -c--a-w c:\windows\INF\i386\Viz7300.dll
2003-08-29 18:12 17,376 -c--a-w c:\windows\INF\i386\Gt680x.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
2008-07-28 04:46 160496 --a------ c:\program files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"PhotoShow Deluxe Media Manager"="c:\progra~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe" [2005-05-19 176128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-23 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2004-09-14 131072]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-05-20 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-05-20 98304]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ymetray"="c:\program files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" [2006-10-03 6104568]
"Ulead AutoDetector"="c:\program files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe" [2003-11-18 45056]
"PaperPort PTD"="c:\program files\Scansoft\PaperPort\pptd40nt.exe" [2002-09-23 45108]
"IndexSearch"="c:\program files\Scansoft\PaperPort\IndexSearch.exe" [2002-09-23 36864]
"OneTouch Monitor"="c:\program files\Visioneer OneTouch\OneTouchMon.exe" [2003-11-20 106496]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2006-10-31 20752]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2007-08-24 714608]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"MBBalloon"="c:\program files\HOTALBUMMyBOX\MBBalloon.exe" [2007-02-09 789120]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\SYSTEM32\narrator.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
MediaChecker.lnk - c:\program files\HOTALBUMMyBOX\MediaChecker.exe [2007-02-13 915096]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Ulead Photo Express 4.0 SE Calendar Checker .lnk - c:\program files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe [2005-07-19 69632]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Engine\ymetray.exe [2006-10-03 54776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

R0 PzWDM;PzWDM;c:\windows\system32\Drivers\PzWDM.sys [2008-03-03 15172]
R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [2007-08-24 149352]
R3 GT680xNT;Visioneer OneTouch 7300 Driver;c:\windows\system32\drivers\gt680x.sys [2006-09-17 17376]
S2 Ca536av;DV 5100M(Video);c:\windows\system32\Drivers\Ca536av.sys []
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys [2007-05-29 23888]
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;c:\windows\system32\DRIVERS\usb8023.sys [2004-08-04 12800]
S3 USBCamera;DV 5100M(Still);c:\windows\system32\Drivers\Bulk536.sys []

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2008-11-29 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2008-11-25 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Steve.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-26 19:19]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-29 19:40:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-29 19:41:51
ComboFix-quarantined-files.txt 2008-11-30 01:41:32
ComboFix2.txt 2008-11-30 01:31:20
ComboFix3.txt 2008-11-30 01:22:12
ComboFix4.txt 2008-11-30 01:14:21
ComboFix5.txt 2008-11-30 01:37:10

Pre-Run: 52,947,877,888 bytes free
Post-Run: 52,934,864,896 bytes free

194 --- E O F --- 2008-11-21 05:28:22

Ried · 11-29-2008, 06:51 PM

This is odd. The 2 files I wanted to collect were present in the ComboFix.txt you posted when you returned, but I do not see them in this latest run, nor in the deletions list.

Click Start>Run and copy/paste the following bolded text into the Run box and click OK:

C:\Qoobox\ComboFix-quarantined-files.txt

A report should pop open for you. Please post the contents of that report.

sonyaflower · 11-29-2008, 06:56 PM

Ried,

Per your instructions, here is the report:

2008-10-08 09:28:14 A------- 24,576 C:\Qoobox\Quarantine\C\Program Files\ppcbooster\ppcbooster.exe.vir
2008-10-13 20:15:34 A------- 77,913 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\qvvetjtfuikuh.exe.vir
2008-10-13 20:15:49 A------- 56,649 C:\Qoobox\Quarantine\C\Program Files\ppcbooster\ppcbooster-uninst.exe.vir
2008-10-13 20:15:49 A------- 70,603 C:\Qoobox\Quarantine\C\WINDOWS\dwtb2837.exe.vir
2008-10-13 20:15:50 A------- 990 C:\Qoobox\Quarantine\C\Documents and Settings\Steve\Start Menu\Programs\Startup\ppcbooster.lnk.vir
2008-10-13 20:17:23 A------- 70,603 C:\Qoobox\Quarantine\C\WINDOWS\vntb9283.exe.vir
2008-11-10 23:08:02 A------- 684 C:\Qoobox\Quarantine\catchme.log
2008-11-10 23:18:14 A------- 9,163 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2008-11-10 23:26:38 A------- 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-CFSServ.exe.reg.dat
2008-11-10 23:26:38 A------- 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NDSTray.exe.reg.dat
2008-11-10 23:26:38 A------- 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TFncKy.reg.dat
2008-11-28 18:34:37 A------- 136,427 C:\Qoobox\Quarantine\[4]-Submit_2008-11-28@18.34.zip
2008-11-29 18:42:15 A------- 1,040 C:\Qoobox\Quarantine\catchme.txt

Ried · 11-29-2008, 06:59 PM

Something was indeed collected.

Please visit this site and follow the instructions for uploading the C:\Qoobox\Quarantine\[4]-Submit_2008-11-28@18.34.zip . All you need do is copy/paste the text I bolded for you, into the 'Browse to file to submit' box, then click 'Send File'.

Please let me know once it's been uploaded.

sonyaflower · 11-29-2008, 07:03 PM

Ok, I uploaded it... I hope

Still so grateful for your help.

Ried · 11-29-2008, 07:07 PM

Upload received and files are within. Thank you, it's much appreciated.

Your system should be doing fine now, still, it's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run it's full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:

Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.

Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Click View scan report at the bottom.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

sonyaflower · 11-29-2008, 09:48 PM

Phew, that report was a long one. Here are the results...

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, November 29, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, November 30, 2008 00:29:43
Records in database: 1428286
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 83624
Threat name: 4
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 01:56:29

File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\15317EEE.exe Infected: IM-Worm.Win32.VB.dy 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\171F68B5.tmp Infected: Trojan-Downloader.Win32.IstBar.gen 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\172212B1.tmp Infected: Trojan-Downloader.Win32.Adload.jm 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\23EF5B23.tmp Infected: Trojan-Downloader.Win32.Adload.jm 1
C:\Documents and Settings\Cody\Incomplete\T-3545425-tonight will be the night i fall for you.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1

The selected area was scanned.

Ried · 11-29-2008, 09:59 PM

It is.

Delete this file: (which incidentally, is a source of the infection you sustained)

C:\Documents and Settings\Cody\Incomplete\T-3545425-tonight will be the night i fall for you.mp3

Please note: Even if you are using a "safe" P2P program, it is only the program itself that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares, thus, engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections.

Clear out Norton's Quarantine folder. If you're unsure on how to do it, you can use Symantec's guide.

--------------------------------------------------------

Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links:

The following procedure will clear out the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.

It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

IESpyAD Zoned Out to block access to malicious websites so you cannot be redirected to them from an infected site or email. This severely impairs attempts to infect your system as it basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.

Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.

In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?
Think Prevention

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.

**Kindly respond one more time and let me know if we may consider this thread resolved.

11-08-2008, 06:53 PM	#1 (permalink)
sonyaflower Registered User Join Date: Jan 2006 Location: Wisconsin Posts: 25 OS: Windows XP Home Edition	Several popups, issues running reports... please help I have been having problems with popups coming non-stop for the past three weeks. I ran the free version of Ad-Ware, but they still continue. I deleted Limewire, which I am certain was the cause of this issue (it was downloaded by my son). I downloaded both GMER.EXE and RSIT.EXE and began the steps to scan my computer. While I am running GMER.EXE, the "blue screen of death" stating that a serious error occurs and gives me an error code of "PAGE_FAULT_IN_NONPAGED_AREA." I can't get past that. I am not sure what to do. Can anyone please help me figure out what steps I need to do to get my issue fixed? Thanks in advance! Sonya

11-09-2008, 12:41 PM	#2 (permalink)
sonyaflower Registered User Join Date: Jan 2006 Location: Wisconsin Posts: 25 OS: Windows XP Home Edition	Re: Several popups, issues running reports... please help I've continued working to try to this situation resolved, but still haven't been successful. I have managed to slow the rate I am receiving pop-ups, but they are still coming, and still annoying. I'm attaching a copy of my Hijack log... hope that is OK to do. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 1:37:18 PM, on 11/9/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16735) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\fxssvc.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe C:\Program Files\Scansoft\PaperPort\pptd40nt.exe C:\Program Files\Visioneer OneTouch\OneTouchMon.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe C:\Program Files\DellSupport\DSAgnt.exe C:\PROGRA~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe C:\PROGRA~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\HOTALBUMMyBOX\MediaChecker.exe C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe C:\Program Files\ppcbooster\ppcbooster.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_cu...spx?TbId=60327 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by CenturyTel R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O1 - Hosts: 1.1.1.1 ftp.f-secure.com O1 - Hosts: 1.1.1.1 ftp.sophos.com O1 - Hosts: 1.1.1.1 support.microsoft.com O1 - Hosts: 1.1.1.1 viruslist.com O1 - Hosts: 1.1.1.1 free.grisoft.com O1 - Hosts: 1.1.1.1 housecall.trendmicro.com O1 - Hosts: 1.1.1.1 www.pandasoftware.com O1 - Hosts: 1.1.1.1 usa.kaspersky.com O1 - Hosts: 1.1.1.1 ewido.net O1 - Hosts: 1.1.1.1 www.ewido.net O1 - Hosts: 1.1.1.1 www.zonelabs.com O1 - Hosts: 1.1.1.1 bitdefender.com O1 - Hosts: 1.1.1.1 www.bitdefender.com O1 - Hosts: 1.1.1.1 download.bitdefender.com O1 - Hosts: 1.1.1.1 upgrade.bitdefender.com O1 - Hosts: 1.1.1.1 spywareinfo.com O1 - Hosts: 1.1.1.1 www.spywareinfo.com O1 - Hosts: 1.1.1.1 www.merijn.org O1 - Hosts: 1.1.1.1 sysinternals.com O1 - Hosts: 1.1.1.1 www.sysinternals.com O1 - Hosts: 1.1.1.1 onguardonline.gov O1 - Hosts: 1.1.1.1 www.onguardonline.gov O1 - Hosts: 1.1.1.1 avast.com O1 - Hosts: 1.1.1.1 www.avast.com O1 - Hosts: 1.1.1.1 safety.live.com O1 - Hosts: 1.1.1.1 www.paretologic.com O1 - Hosts: 1.1.1.1 paretologic.com O1 - Hosts: 1.1.1.1 virusscan.jotti.org O1 - Hosts: 1.1.1.1 services.google.com O1 - Hosts: 1.1.1.1 www.webroot.com O1 - Hosts: 1.1.1.1 webroot.com O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [ymetray] "C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" -preload O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe" O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe" O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" O4 - HKLM\..\Run: [MBBalloon] C:\Program Files\HOTALBUMMyBOX\MBBalloon.exe O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user') O4 - Startup: lsass.lnk = ? O4 - Startup: ppcbooster.lnk = C:\Program Files\ppcbooster\ppcbooster.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: MediaChecker.lnk = C:\Program Files\HOTALBUMMyBOX\MediaChecker.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/BookWorm/Images/stg_drm.ocx O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/W...gPublisher.exe O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/BookWorm/Images/armhelper.ocx O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- End of file - 14447 bytes

11-10-2008, 07:30 AM	#3 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,798 OS: WinXP and Vista	Re: Several popups, issues running reports... please help Hello sonyaflower, The HijackThis is not telling us enough. Please download dds.scr and save it to your desktop. Double click dds.scr to run the tool. When done, DDS.txt will open. Click Yes at the next prompt for Optional Scan. Save both reports to your desktop. ----------------------------------------------------- Please include the contents of the following in your next reply: dds.txt *Attach* the following report to your post by clicking the Manage Attachments button under Additonal Options>Attach Files on teh composition page. Browse to where you saved the file, and click Upload. Attach.txt __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul." Last edited by Ried; 11-10-2008 at 08:42 AM.

11-10-2008, 09:44 PM	#5 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,798 OS: WinXP and Vista	Re: Several popups, issues running reports... please help Thank you. : ) It will require more than one round to properly clean your system. Please stay with me until given the 'all clear' even if symptoms seemingly abate. Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions. ************************************************* Download ComboFix from one of these locations: Link 1 Link 2 Link 3** * IMPORTANT !!! Save ComboFix.exe to your Desktop Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools Double click on combofix.exe & follow the prompts. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware. When finished, it shall produce a log for you. Please include the C:\ComboFix.txt** in your next reply. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

11-10-2008, 10:33 PM	#6 (permalink)
sonyaflower Registered User Join Date: Jan 2006 Location: Wisconsin Posts: 25 OS: Windows XP Home Edition	Re: Several popups, issues running reports... please help Ried, Again, so many thanks for your quick replies and help. Here is the ComboFix log... ComboFix 08-11-10.01 - Steve 2008-11-10 23:14:31.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.112 [GMT -6:00] Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\program files\ppcbooster c:\program files\ppcbooster\ppcbooster-uninst.exe c:\program files\ppcbooster\ppcbooster.exe . ((((((((((((((((((((((((( Files Created from 2008-10-11 to 2008-11-11 ))))))))))))))))))))))))))))))) . 2008-11-09 07:15 . 2008-11-10 12:17 <DIR> d-------- c:\program files\Spybot - Search & Destroy 2008-11-09 07:15 . 2008-11-10 12:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2008-11-09 07:08 . 2008-11-09 07:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com 2008-11-09 07:07 . 2008-11-10 12:14 <DIR> d-------- c:\program files\SUPERAntiSpyware 2008-11-09 07:07 . 2008-11-10 12:14 <DIR> d-------- c:\documents and settings\Steve\Application Data\SUPERAntiSpyware.com 2008-11-09 06:53 . 2008-11-09 06:53 <DIR> d-------- c:\program files\Trend Micro 2008-11-08 10:38 . 2008-11-08 10:48 250 --a------ c:\windows\gmer.ini 2008-10-25 17:10 . 2008-10-25 17:11 <DIR> d-------- c:\documents and settings\Cody\Music 2008-10-23 15:31 . 2008-10-15 10:34 337,408 --------- c:\windows\SYSTEM32\DLLCACHE\netapi32.dll 2008-10-22 23:31 . 2008-10-22 23:31 262,144 --a------ C:\ntuser.dat 2008-10-22 23:30 . 2008-10-25 14:26 <DIR> d-------- c:\documents and settings\Steve\Application Data\Yahoo! 2008-10-22 23:30 . 2008-10-22 23:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion 2008-10-20 17:07 . 2008-10-21 12:42 <DIR> d-------- c:\documents and settings\Steve\Application Data\MxBoost 2008-10-20 17:05 . 2008-10-27 20:01 <DIR> d-------- c:\program files\Maxthon2 2008-10-15 14:55 . 2008-08-14 04:11 2,189,184 --------- c:\windows\SYSTEM32\DLLCACHE\ntoskrnl.exe 2008-10-15 14:55 . 2008-08-14 04:09 2,145,280 --------- c:\windows\SYSTEM32\DLLCACHE\ntkrnlmp.exe 2008-10-15 14:55 . 2008-08-14 03:33 2,066,048 --------- c:\windows\SYSTEM32\DLLCACHE\ntkrnlpa.exe 2008-10-15 14:55 . 2008-08-14 03:33 2,023,936 --------- c:\windows\SYSTEM32\DLLCACHE\ntkrpamp.exe 2008-10-15 14:54 . 2008-09-08 04:41 333,824 --------- c:\windows\SYSTEM32\DLLCACHE\srv.sys 2008-10-15 14:50 . 2008-09-15 06:12 1,846,400 --------- c:\windows\SYSTEM32\DLLCACHE\win32k.sys 2008-10-13 20:24 . 2008-10-13 20:24 <DIR> d-------- c:\documents and settings\Steve\Application Data\.wyzo 2008-10-13 20:17 . 2008-10-13 20:17 70,603 --a------ c:\windows\vntb9283.exe 2008-10-13 20:15 . 2008-11-03 21:22 77,913 --a------ c:\windows\SYSTEM32\qvvetjtfuikuh.exe 2008-10-13 20:15 . 2008-10-13 20:17 70,603 --a------ c:\windows\dwtb2837.exe . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-11-11 05:19 --------- d-----w c:\program files\Common Files\Symantec Shared 2008-11-11 04:27 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec 2008-11-10 18:14 --------- d-----w c:\program files\Common Files\Wise Installation Wizard 2008-10-30 16:47 25,182 ----a-w c:\documents and settings\Steve\Application Data\wklnhst.dat 2008-10-25 23:15 --------- d-----w c:\program files\LimeWire 2008-10-25 23:07 --------- d-----w c:\documents and settings\Steve\Application Data\LimeWire 2008-10-23 05:31 --------- d-----w c:\program files\Yahoo! 2008-10-16 02:22 --------- d-----w c:\program files\PopCap Games 2008-10-16 02:22 --------- d-----w c:\program files\Hero Editor 2008-09-14 03:11 --------- d-----w c:\program files\HOTALBUMMyBOX 2008-06-18 13:36 95,928 -c--a-w c:\documents and settings\Steve\Application Data\GDIPFONTCACHEV1.DAT 2007-07-20 02:57 1,012 -c--a-w c:\documents and settings\Cody\Application Data\wklnhst.dat 2006-12-20 05:51 142 -c--a-w c:\documents and settings\Ryan\Application Data\wklnhst.dat 2003-08-29 18:12 61,440 -c--a-w c:\windows\INF\i386\Viz7300.dll 2003-08-29 18:12 17,376 -c--a-w c:\windows\INF\i386\Gt680x.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}] 2008-07-28 04:46 160496 --a------ c:\program files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784] "PhotoShow Deluxe Media Manager"="c:\progra~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe" [2005-05-19 176128] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360] "Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856] "YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-23 155648] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976] "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928] "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784] "IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184] "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344] "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592] "MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2004-09-14 131072] "mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 53248] "RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-05-20 26112] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-05-20 98304] "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035] "ymetray"="c:\program files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" [2006-10-03 6104568] "Ulead AutoDetector"="c:\program files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe" [2003-11-18 45056] "PaperPort PTD"="c:\program files\Scansoft\PaperPort\pptd40nt.exe" [2002-09-23 45108] "IndexSearch"="c:\program files\Scansoft\PaperPort\IndexSearch.exe" [2002-09-23 36864] "OneTouch Monitor"="c:\program files\Visioneer OneTouch\OneTouchMon.exe" [2003-11-20 106496] "Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2006-10-31 20752] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048] "osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2007-08-24 714608] "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384] "MBBalloon"="c:\program files\HOTALBUMMyBOX\MBBalloon.exe" [2007-02-09 789120] "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344] "YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\SYSTEM32\narrator.exe] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696] MediaChecker.lnk - c:\program files\HOTALBUMMyBOX\MediaChecker.exe [2007-02-13 915096] Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360] Ulead Photo Express 4.0 SE Calendar Checker .lnk - c:\program files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe [2005-07-19 69632] ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Engine\ymetray.exe [2006-10-03 54776] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "VIDC.SP54"= SP5X_32.DLL "VIDC.SP55"= SP5X_32.DLL "VIDC.SP56"= SP5X_32.DLL "VIDC.SP57"= SP5X_32.DLL "VIDC.SP58"= SP5X_32.DLL [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= "c:\\Program Files\\LimeWire\\LimeWire.exe"= R0 PzWDM;PzWDM;c:\windows\system32\Drivers\PzWDM.sys [2008-03-03 15172] R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352] R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888] R3 GT680xNT;Visioneer OneTouch 7300 Driver;c:\windows\system32\drivers\gt680x.sys [2003-08-29 17376] S2 Ca536av;DV 5100M(Video);c:\windows\system32\Drivers\Ca536av.sys [ ] S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;c:\windows\system32\DRIVERS\usb8023.sys [2008-04-13 12800] S3 USBCamera;DV 5100M(Still);c:\windows\system32\Drivers\Bulk536.sys [ ] Newly Created Service - COMHOST Newly Created Service - PROCEXP90 . Contents of the 'Scheduled Tasks' folder 2008-11-11 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20] 2008-10-28 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Steve.job - c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-26 19:19] . . ------- Supplementary Scan ------- . FireFox -: Profile - c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\rwz6juxw.default\ FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll FF -: plugin - c:\program files\VideoEgg\Loader\2364\npvideoegg-loader.dll FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll . ************************************************************************ catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-11-10 23:20:29 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\BinHub\PopularSites.xml.bin 11054 bytes c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\BinHub\Redirectors.xml.bin 88705 bytes c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\BinHub\Resources.xml.bin 556 bytes c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\BinHub\SafeList.xml.bin 709905 bytes c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\BinHub\SearchServices.xml.bin 22840 bytes c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\BinHub\Throttle.xml.bin 454 bytes c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\BinHub\TrustedDomains.xml.bin 265388 bytes c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\BinHub\URLAnalysis.xml.bin 985009 bytes c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\BinHub\Identifiers.xml.bin 3427635 bytes c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\BinHub\Indicators.xml.bin 77358 bytes scan completed successfully hidden files: 10 ************************************************************************ . Completion time: 2008-11-10 23:27:42 ComboFix-quarantined-files.txt 2008-11-11 05:27:20 Pre-Run: 53,666,988,032 bytes free Post-Run: 53,831,909,376 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect 182 --- E O F --- 2008-10-24 03:50:47

11-13-2008, 10:10 AM	#8 (permalink)
sonyaflower Registered User Join Date: Jan 2006 Location: Wisconsin Posts: 25 OS: Windows XP Home Edition	Re: Several popups, issues running reports... please help Hey Ried, I didn't want you to think I forgot about you. I had to go back to school, so I won't be able to get to the fixing until I go home in a couple weeks. I'll report back then - if that is OK. Thanks, Sonya

11-13-2008, 08:15 PM	#9 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,798 OS: WinXP and Vista	Re: Several popups, issues running reports... please help Thanks for letting me know. I'll remain subscribed. Will anyone be using this computer while you're gone? Until you've at least carried out the last step, it's best to keep this computer off the internet. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

11-28-2008, 07:29 PM	#10 (permalink)
sonyaflower Registered User Join Date: Jan 2006 Location: Wisconsin Posts: 25 OS: Windows XP Home Edition	Re: Several popups, issues running reports... please help Hi Ried, The computer was used very litter over this past dead time. I've been on the computer the last couple days and there have been ZERO pop-ups. I had to install a new version of ComboFix, and I hope this gives us the right information we're looking for: ComboFix 08-11-10.01 - Steve 2008-11-10 23:14:31.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.112 [GMT -6:00] Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\program files\ppcbooster c:\program files\ppcbooster\ppcbooster-uninst.exe c:\program files\ppcbooster\ppcbooster.exe . ((((((((((((((((((((((((( Files Created from 2008-10-11 to 2008-11-11 ))))))))))))))))))))))))))))))) . 2008-11-09 07:15 . 2008-11-10 12:17 <DIR> d-------- c:\program files\Spybot - Search & Destroy 2008-11-09 07:15 . 2008-11-10 12:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2008-11-09 07:08 . 2008-11-09 07:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com 2008-11-09 07:07 . 2008-11-10 12:14 <DIR> d-------- c:\program files\SUPERAntiSpyware 2008-11-09 07:07 . 2008-11-10 12:14 <DIR> d-------- c:\documents and settings\Steve\Application Data\SUPERAntiSpyware.com 2008-11-09 06:53 . 2008-11-09 06:53 <DIR> d-------- c:\program files\Trend Micro 2008-11-08 10:38 . 2008-11-08 10:48 250 --a------ c:\windows\gmer.ini 2008-10-25 17:10 . 2008-10-25 17:11 <DIR> d-------- c:\documents and settings\Cody\Music 2008-10-23 15:31 . 2008-10-15 10:34 337,408 --------- c:\windows\SYSTEM32\DLLCACHE\netapi32.dll 2008-10-22 23:31 . 2008-10-22 23:31 262,144 --a------ C:\ntuser.dat 2008-10-22 23:30 . 2008-10-25 14:26 <DIR> d-------- c:\documents and settings\Steve\Application Data\Yahoo! 2008-10-22 23:30 . 2008-10-22 23:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion 2008-10-20 17:07 . 2008-10-21 12:42 <DIR> d-------- c:\documents and settings\Steve\Application Data\MxBoost 2008-10-20 17:05 . 2008-10-27 20:01 <DIR> d-------- c:\program files\Maxthon2 2008-10-15 14:55 . 2008-08-14 04:11 2,189,184 --------- c:\windows\SYSTEM32\DLLCACHE\ntoskrnl.exe 2008-10-15 14:55 . 2008-08-14 04:09 2,145,280 --------- c:\windows\SYSTEM32\DLLCACHE\ntkrnlmp.exe 2008-10-15 14:55 . 2008-08-14 03:33 2,066,048 --------- c:\windows\SYSTEM32\DLLCACHE\ntkrnlpa.exe 2008-10-15 14:55 . 2008-08-14 03:33 2,023,936 --------- c:\windows\SYSTEM32\DLLCACHE\ntkrpamp.exe 2008-10-15 14:54 . 2008-09-08 04:41 333,824 --------- c:\windows\SYSTEM32\DLLCACHE\srv.sys 2008-10-15 14:50 . 2008-09-15 06:12 1,846,400 --------- c:\windows\SYSTEM32\DLLCACHE\win32k.sys 2008-10-13 20:24 . 2008-10-13 20:24 <DIR> d-------- c:\documents and settings\Steve\Application Data\.wyzo 2008-10-13 20:17 . 2008-10-13 20:17 70,603 --a------ c:\windows\vntb9283.exe 2008-10-13 20:15 . 2008-11-03 21:22 77,913 --a------ c:\windows\SYSTEM32\qvvetjtfuikuh.exe 2008-10-13 20:15 . 2008-10-13 20:17 70,603 --a------ c:\windows\dwtb2837.exe . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-11-11 05:19 --------- d-----w c:\program files\Common Files\Symantec Shared 2008-11-11 04:27 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec 2008-11-10 18:14 --------- d-----w c:\program files\Common Files\Wise Installation Wizard 2008-10-30 16:47 25,182 ----a-w c:\documents and settings\Steve\Application Data\wklnhst.dat 2008-10-25 23:15 --------- d-----w c:\program files\LimeWire 2008-10-25 23:07 --------- d-----w c:\documents and settings\Steve\Application Data\LimeWire 2008-10-23 05:31 --------- d-----w c:\program files\Yahoo! 2008-10-16 02:22 --------- d-----w c:\program files\PopCap Games 2008-10-16 02:22 --------- d-----w c:\program files\Hero Editor 2008-09-14 03:11 --------- d-----w c:\program files\HOTALBUMMyBOX 2008-06-18 13:36 95,928 -c--a-w c:\documents and settings\Steve\Application Data\GDIPFONTCACHEV1.DAT 2007-07-20 02:57 1,012 -c--a-w c:\documents and settings\Cody\Application Data\wklnhst.dat 2006-12-20 05:51 142 -c--a-w c:\documents and settings\Ryan\Application Data\wklnhst.dat 2003-08-29 18:12 61,440 -c--a-w c:\windows\INF\i386\Viz7300.dll 2003-08-29 18:12 17,376 -c--a-w c:\windows\INF\i386\Gt680x.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}] 2008-07-28 04:46 160496 --a------ c:\program files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784] "PhotoShow Deluxe Media Manager"="c:\progra~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe" [2005-05-19 176128] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360] "Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856] "YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-23 155648] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976] "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928] "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784] "IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184] "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344] "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592] "MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2004-09-14 131072] "mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 53248] "RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-05-20 26112] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-05-20 98304] "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035] "ymetray"="c:\program files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" [2006-10-03 6104568] "Ulead AutoDetector"="c:\program files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe" [2003-11-18 45056] "PaperPort PTD"="c:\program files\Scansoft\PaperPort\pptd40nt.exe" [2002-09-23 45108] "IndexSearch"="c:\program files\Scansoft\PaperPort\IndexSearch.exe" [2002-09-23 36864] "OneTouch Monitor"="c:\program files\Visioneer OneTouch\OneTouchMon.exe" [2003-11-20 106496] "Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2006-10-31 20752] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048] "osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2007-08-24 714608] "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384] "MBBalloon"="c:\program files\HOTALBUMMyBOX\MBBalloon.exe" [2007-02-09 789120] "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344] "YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\SYSTEM32\narrator.exe] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696] MediaChecker.lnk - c:\program files\HOTALBUMMyBOX\MediaChecker.exe [2007-02-13 915096] Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360] Ulead Photo Express 4.0 SE Calendar Checker .lnk - c:\program files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe [2005-07-19 69632] ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Engine\ymetray.exe [2006-10-03 54776] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "VIDC.SP54"= SP5X_32.DLL "VIDC.SP55"= SP5X_32.DLL "VIDC.SP56"= SP5X_32.DLL "VIDC.SP57"= SP5X_32.DLL "VIDC.SP58"= SP5X_32.DLL [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= "c:\\Program Files\\LimeWire\\LimeWire.exe"= R0 PzWDM;PzWDM;c:\windows\system32\Drivers\PzWDM.sys [2008-03-03 15172] R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352] R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888] R3 GT680xNT;Visioneer OneTouch 7300 Driver;c:\windows\system32\drivers\gt680x.sys [2003-08-29 17376] S2 Ca536av;DV 5100M(Video);c:\windows\system32\Drivers\Ca536av.sys [ ] S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;c:\windows\system32\DRIVERS\usb8023.sys [2008-04-13 12800] S3 USBCamera;DV 5100M(Still);c:\windows\system32\Drivers\Bulk536.sys [ ] Newly Created Service - COMHOST Newly Created Service - PROCEXP90 . Contents of the 'Scheduled Tasks' folder 2008-11-11 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20] 2008-10-28 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Steve.job - c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-26 19:19] . . ------- Supplementary Scan ------- . FireFox -: Profile - c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\rwz6juxw.default\ FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll FF -: plugin - c:\program files\VideoEgg\Loader\2364\npvideoegg-loader.dll FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll . ************************************************************************ catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-11-10 23:20:29 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\BinHub\PopularSites.xml.bin 11054 bytes c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\BinHub\Redirectors.xml.bin 88705 bytes c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\BinHub\Resources.xml.bin 556 bytes c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\BinHub\SafeList.xml.bin 709905 bytes c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\BinHub\SearchServices.xml.bin 22840 bytes c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\BinHub\Throttle.xml.bin 454 bytes c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\BinHub\TrustedDomains.xml.bin 265388 bytes c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\BinHub\URLAnalysis.xml.bin 985009 bytes c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\BinHub\Identifiers.xml.bin 3427635 bytes c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\BinHub\Indicators.xml.bin 77358 bytes scan completed successfully hidden files: 10 ************************************************************************ . Completion time: 2008-11-10 23:27:42 ComboFix-quarantined-files.txt 2008-11-11 05:27:20 Pre-Run: 53,666,988,032 bytes free Post-Run: 53,831,909,376 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect 182 --- E O F --- 2008-10-24 03:50:47

11-28-2008, 08:12 PM	#11 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,798 OS: WinXP and Vista	Re: Several popups, issues running reports... please help You did the correct thing in updating Combofix, and welcome back. However... I needed you to create and run a CFScript. Kindly refer back to Post #7 and follow those steps. After ComboFix has completed, post the C:\ComboFix.txt in your next reply. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

11-29-2008, 06:47 PM	#12 (permalink)
sonyaflower Registered User Join Date: Jan 2006 Location: Wisconsin Posts: 25 OS: Windows XP Home Edition	Re: Several popups, issues running reports... please help Hi Ried, Hope you had a good Thanksgiving. I followed the instructions in post #7, but no matter what I do, I am not gettting the end part where an internet browser opens. I am not sure what I am doing wrong. Regardless, here is a post of my ComboFix.txt log... ComboFix 08-11-29.03 - Steve 2008-11-29 19:38:03.8 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.125 [GMT -6:00] Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Steve\Desktop\CFScript.txt * Created a new restore point FILE :: c:\windows\dwtb2837.exe . ((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-30 ))))))))))))))))))))))))))))))) . 2008-11-17 19:12 . 2008-11-17 19:12 <DIR> d-------- c:\program files\Windows Media Connect 2 2008-11-13 21:51 . 2008-10-24 05:21 455,296 --------- c:\windows\SYSTEM32\DLLCACHE\mrxsmb.sys 2008-11-13 21:50 . 2008-09-04 11:15 1,106,944 --------- c:\windows\SYSTEM32\DLLCACHE\msxml3.dll 2008-11-09 07:15 . 2008-11-10 12:17 <DIR> d-------- c:\program files\Spybot - Search & Destroy 2008-11-09 07:15 . 2008-11-10 12:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2008-11-09 07:08 . 2008-11-09 07:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com 2008-11-09 07:07 . 2008-11-10 12:14 <DIR> d-------- c:\program files\SUPERAntiSpyware 2008-11-09 07:07 . 2008-11-10 12:14 <DIR> d-------- c:\documents and settings\Steve\Application Data\SUPERAntiSpyware.com 2008-11-09 06:53 . 2008-11-09 06:53 <DIR> d-------- c:\program files\Trend Micro 2008-11-08 10:38 . 2008-11-08 10:48 250 --a------ c:\windows\gmer.ini 2008-10-25 17:10 . 2008-10-25 17:11 <DIR> d-------- c:\documents and settings\Cody\Music 2008-10-23 15:31 . 2008-10-15 10:34 337,408 --------- c:\windows\SYSTEM32\DLLCACHE\netapi32.dll 2008-10-22 23:31 . 2008-10-22 23:31 262,144 --a------ C:\ntuser.dat 2008-10-22 23:30 . 2008-10-25 14:26 <DIR> d-------- c:\documents and settings\Steve\Application Data\Yahoo! 2008-10-22 23:30 . 2008-10-22 23:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion 2008-10-20 17:07 . 2008-10-21 12:42 <DIR> d-------- c:\documents and settings\Steve\Application Data\MxBoost 2008-10-20 17:05 . 2008-10-27 20:01 <DIR> d-------- c:\program files\Maxthon2 2008-10-15 14:55 . 2008-08-14 04:11 2,189,184 --------- c:\windows\SYSTEM32\DLLCACHE\ntoskrnl.exe 2008-10-15 14:55 . 2008-08-14 04:09 2,145,280 --------- c:\windows\SYSTEM32\DLLCACHE\ntkrnlmp.exe 2008-10-15 14:55 . 2008-08-14 03:33 2,066,048 --------- c:\windows\SYSTEM32\DLLCACHE\ntkrnlpa.exe 2008-10-15 14:55 . 2008-08-14 03:33 2,023,936 --------- c:\windows\SYSTEM32\DLLCACHE\ntkrpamp.exe 2008-10-15 14:54 . 2008-09-08 04:41 333,824 --------- c:\windows\SYSTEM32\DLLCACHE\srv.sys 2008-10-15 14:50 . 2008-09-15 06:12 1,846,400 --------- c:\windows\SYSTEM32\DLLCACHE\win32k.sys 2008-10-07 20:32 . 2008-10-25 17:15 <DIR> d-------- c:\program files\LimeWire 2008-10-05 19:53 . 2008-10-05 19:53 <DIR> d-------- C:\Valve 2008-10-05 08:19 . 2008-10-05 08:19 <DIR> d-------- c:\windows\SYSTEM32\scripting 2008-10-05 08:19 . 2008-10-05 08:19 <DIR> d-------- c:\windows\SYSTEM32\en 2008-10-05 08:19 . 2008-10-05 08:19 <DIR> d-------- c:\windows\SYSTEM32\bits 2008-10-05 08:19 . 2008-10-05 08:19 <DIR> d-------- c:\windows\l2schemas 2008-10-05 08:15 . 2008-10-05 08:19 <DIR> d-------- c:\windows\ServicePackFiles 2008-10-05 08:03 . 2008-10-05 08:03 <DIR> d-------- c:\windows\EHome . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-11-30 00:33 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec 2008-11-21 04:18 --------- d-----w c:\program files\Common Files\Symantec Shared 2008-11-19 00:54 25,502 ----a-w c:\documents and settings\Steve\Application Data\wklnhst.dat 2008-11-10 18:14 --------- d-----w c:\program files\Common Files\Wise Installation Wizard 2008-10-25 23:07 --------- d-----w c:\documents and settings\Steve\Application Data\LimeWire 2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys 2008-10-23 05:31 --------- d-----w c:\program files\Yahoo! 2008-10-16 20:13 202,776 ----a-w c:\windows\SYSTEM32\wuweb.dll 2008-10-16 20:13 202,776 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuweb.dll 2008-10-16 20:13 1,809,944 ----a-w c:\windows\SYSTEM32\wuaueng.dll 2008-10-16 20:13 1,809,944 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuaueng.dll 2008-10-16 20:12 561,688 ----a-w c:\windows\SYSTEM32\wuapi.dll 2008-10-16 20:12 561,688 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuapi.dll 2008-10-16 20:12 323,608 ----a-w c:\windows\SYSTEM32\wucltui.dll 2008-10-16 20:12 323,608 ----a-w c:\windows\SYSTEM32\DLLCACHE\wucltui.dll 2008-10-16 20:09 92,696 ----a-w c:\windows\SYSTEM32\DLLCACHE\cdm.dll 2008-10-16 20:09 92,696 ----a-w c:\windows\SYSTEM32\cdm.dll 2008-10-16 20:09 51,224 ----a-w c:\windows\SYSTEM32\wuauclt.exe 2008-10-16 20:09 51,224 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuauclt.exe 2008-10-16 20:09 43,544 ----a-w c:\windows\SYSTEM32\wups2.dll 2008-10-16 20:08 34,328 ----a-w c:\windows\SYSTEM32\wups.dll 2008-10-16 20:08 34,328 ----a-w c:\windows\SYSTEM32\DLLCACHE\wups.dll 2008-10-16 20:06 268,648 ----a-w c:\windows\SYSTEM32\mucltui.dll 2008-10-16 20:06 208,744 ----a-w c:\windows\SYSTEM32\muweb.dll 2008-10-16 02:22 --------- d-----w c:\program files\PopCap Games 2008-10-16 02:22 --------- d-----w c:\program files\Hero Editor 2008-10-03 17:41 6,066,176 ------w c:\windows\SYSTEM32\DLLCACHE\ieframe.dll 2008-09-30 22:43 1,286,152 ----a-w c:\windows\SYSTEM32\msxml4.dll 2008-09-15 12:12 1,846,400 ----a-w c:\windows\SYSTEM32\win32k.sys 2008-09-10 01:14 1,307,648 ----a-w c:\windows\SYSTEM32\msxml6.dll 2008-09-10 01:14 1,307,648 ------w c:\windows\SYSTEM32\DLLCACHE\msxml6.dll 2008-09-04 17:15 1,106,944 ----a-w c:\windows\SYSTEM32\msxml3.dll 2008-08-27 08:24 3,593,216 ------w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll 2008-08-25 08:38 13,824 ------w c:\windows\SYSTEM32\DLLCACHE\ieudinit.exe 2008-08-25 08:37 70,656 ------w c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe 2008-08-23 05:56 635,848 ------w c:\windows\SYSTEM32\DLLCACHE\iexplore.exe 2008-08-23 05:54 161,792 ------w c:\windows\SYSTEM32\DLLCACHE\ieakui.dll 2008-08-14 10:09 2,145,280 ----a-w c:\windows\SYSTEM32\ntoskrnl.exe 2008-08-14 10:04 138,496 ------w c:\windows\SYSTEM32\DLLCACHE\afd.sys 2008-08-14 09:33 2,023,936 ----a-w c:\windows\SYSTEM32\ntkrnlpa.exe 2008-06-18 13:36 95,928 -c--a-w c:\documents and settings\Steve\Application Data\GDIPFONTCACHEV1.DAT 2007-07-20 02:57 1,012 -c--a-w c:\documents and settings\Cody\Application Data\wklnhst.dat 2006-12-20 05:51 142 -c--a-w c:\documents and settings\Ryan\Application Data\wklnhst.dat 2003-08-29 18:12 61,440 -c--a-w c:\windows\INF\i386\Viz7300.dll 2003-08-29 18:12 17,376 -c--a-w c:\windows\INF\i386\Gt680x.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}] 2008-07-28 04:46 160496 --a------ c:\program files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784] "PhotoShow Deluxe Media Manager"="c:\progra~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe" [2005-05-19 176128] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360] "Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856] "YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-23 155648] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976] "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928] "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784] "IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184] "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344] "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592] "MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2004-09-14 131072] "mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 53248] "RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-05-20 26112] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-05-20 98304] "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035] "ymetray"="c:\program files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" [2006-10-03 6104568] "Ulead AutoDetector"="c:\program files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe" [2003-11-18 45056] "PaperPort PTD"="c:\program files\Scansoft\PaperPort\pptd40nt.exe" [2002-09-23 45108] "IndexSearch"="c:\program files\Scansoft\PaperPort\IndexSearch.exe" [2002-09-23 36864] "OneTouch Monitor"="c:\program files\Visioneer OneTouch\OneTouchMon.exe" [2003-11-20 106496] "Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2006-10-31 20752] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048] "osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2007-08-24 714608] "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384] "MBBalloon"="c:\program files\HOTALBUMMyBOX\MBBalloon.exe" [2007-02-09 789120] "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344] "YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\SYSTEM32\narrator.exe] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696] MediaChecker.lnk - c:\program files\HOTALBUMMyBOX\MediaChecker.exe [2007-02-13 915096] Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360] Ulead Photo Express 4.0 SE Calendar Checker .lnk - c:\program files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe [2005-07-19 69632] ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Engine\ymetray.exe [2006-10-03 54776] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "VIDC.SP54"= SP5X_32.DLL "VIDC.SP55"= SP5X_32.DLL "VIDC.SP56"= SP5X_32.DLL "VIDC.SP57"= SP5X_32.DLL "VIDC.SP58"= SP5X_32.DLL [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= "c:\\Program Files\\LimeWire\\LimeWire.exe"= R0 PzWDM;PzWDM;c:\windows\system32\Drivers\PzWDM.sys [2008-03-03 15172] R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [2007-08-24 149352] R3 GT680xNT;Visioneer OneTouch 7300 Driver;c:\windows\system32\drivers\gt680x.sys [2006-09-17 17376] S2 Ca536av;DV 5100M(Video);c:\windows\system32\Drivers\Ca536av.sys [] S3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys [2007-05-29 23888] S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;c:\windows\system32\DRIVERS\usb8023.sys [2004-08-04 12800] S3 USBCamera;DV 5100M(Still);c:\windows\system32\Drivers\Bulk536.sys [] Newly Created Service - COMHOST . Contents of the 'Scheduled Tasks' folder 2008-11-29 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20] 2008-11-25 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Steve.job - c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-26 19:19] . ************************************************************************ catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-11-29 19:40:22 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . Completion time: 2008-11-29 19:41:51 ComboFix-quarantined-files.txt 2008-11-30 01:41:32 ComboFix2.txt 2008-11-30 01:31:20 ComboFix3.txt 2008-11-30 01:22:12 ComboFix4.txt 2008-11-30 01:14:21 ComboFix5.txt 2008-11-30 01:37:10 Pre-Run: 52,947,877,888 bytes free Post-Run: 52,934,864,896 bytes free 194 --- E O F --- 2008-11-21 05:28:22

11-29-2008, 06:51 PM	#13 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,798 OS: WinXP and Vista	Re: Several popups, issues running reports... please help This is odd. The 2 files I wanted to collect were present in the ComboFix.txt you posted when you returned, but I do not see them in this latest run, nor in the deletions list. Click Start>Run and copy/paste the following bolded text into the Run box and click OK: C:\Qoobox\ComboFix-quarantined-files.txt A report should pop open for you. Please post the contents of that report. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

11-29-2008, 06:56 PM	#14 (permalink)
sonyaflower Registered User Join Date: Jan 2006 Location: Wisconsin Posts: 25 OS: Windows XP Home Edition	Re: Several popups, issues running reports... please help Ried, Per your instructions, here is the report: 2008-10-08 09:28:14 A------- 24,576 C:\Qoobox\Quarantine\C\Program Files\ppcbooster\ppcbooster.exe.vir 2008-10-13 20:15:34 A------- 77,913 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\qvvetjtfuikuh.exe.vir 2008-10-13 20:15:49 A------- 56,649 C:\Qoobox\Quarantine\C\Program Files\ppcbooster\ppcbooster-uninst.exe.vir 2008-10-13 20:15:49 A------- 70,603 C:\Qoobox\Quarantine\C\WINDOWS\dwtb2837.exe.vir 2008-10-13 20:15:50 A------- 990 C:\Qoobox\Quarantine\C\Documents and Settings\Steve\Start Menu\Programs\Startup\ppcbooster.lnk.vir 2008-10-13 20:17:23 A------- 70,603 C:\Qoobox\Quarantine\C\WINDOWS\vntb9283.exe.vir 2008-11-10 23:08:02 A------- 684 C:\Qoobox\Quarantine\catchme.log 2008-11-10 23:18:14 A------- 9,163 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg 2008-11-10 23:26:38 A------- 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-CFSServ.exe.reg.dat 2008-11-10 23:26:38 A------- 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NDSTray.exe.reg.dat 2008-11-10 23:26:38 A------- 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TFncKy.reg.dat 2008-11-28 18:34:37 A------- 136,427 C:\Qoobox\Quarantine\[4]-Submit_2008-11-28@18.34.zip 2008-11-29 18:42:15 A------- 1,040 C:\Qoobox\Quarantine\catchme.txt

11-29-2008, 06:59 PM	#15 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,798 OS: WinXP and Vista	Re: Several popups, issues running reports... please help Something was indeed collected. Please visit this site and follow the instructions for uploading the C:\Qoobox\Quarantine\[4]-Submit_2008-11-28@18.34.zip . All you need do is copy/paste the text I bolded for you, into the 'Browse to file to submit' box, then click 'Send File'. Please let me know once it's been uploaded. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul." Last edited by Ried; 11-29-2008 at 07:03 PM.

11-29-2008, 07:03 PM	#16 (permalink)
sonyaflower Registered User Join Date: Jan 2006 Location: Wisconsin Posts: 25 OS: Windows XP Home Edition	Re: Several popups, issues running reports... please help Ok, I uploaded it... I hope Still so grateful for your help.

11-29-2008, 07:07 PM	#17 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,798 OS: WinXP and Vista	Re: Several popups, issues running reports... please help Upload received and files are within. Thank you, it's much appreciated. Your system should be doing fine now, still, it's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run it's full course: Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html 1. Click Accept, when prompted to download and install the program files and database of malware definitions. 2. To optimize scanning time and produce a more sensible report for review: Close any open programs Turn off the real time scanner of any existing antivirus program while performing the online scan 3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes. Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it. Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined. Click View scan report at the bottom. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

11-29-2008, 09:48 PM	#18 (permalink)
sonyaflower Registered User Join Date: Jan 2006 Location: Wisconsin Posts: 25 OS: Windows XP Home Edition	Re: Several popups, issues running reports... please help Phew, that report was a long one. Here are the results... -------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER 7 REPORT Saturday, November 29, 2008 Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600) Kaspersky Online Scanner 7 version: 7.0.25.0 Program database last update: Sunday, November 30, 2008 00:29:43 Records in database: 1428286 -------------------------------------------------------------------------------- Scan settings: Scan using the following database: extended Scan archives: yes Scan mail databases: yes Scan area - My Computer: C:\ D:\ Scan statistics: Files scanned: 83624 Threat name: 4 Infected objects: 5 Suspicious objects: 0 Duration of the scan: 01:56:29 File name / Threat name / Threats count C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\15317EEE.exe Infected: IM-Worm.Win32.VB.dy 1 C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\171F68B5.tmp Infected: Trojan-Downloader.Win32.IstBar.gen 1 C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\172212B1.tmp Infected: Trojan-Downloader.Win32.Adload.jm 1 C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\23EF5B23.tmp Infected: Trojan-Downloader.Win32.Adload.jm 1 C:\Documents and Settings\Cody\Incomplete\T-3545425-tonight will be the night i fall for you.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1 The selected area was scanned.

11-29-2008, 09:59 PM	#19 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,798 OS: WinXP and Vista	Re: Several popups, issues running reports... please help It is. Delete this file: (which incidentally, is a source of the infection you sustained) C:\Documents and Settings\Cody\Incomplete\T-3545425-tonight will be the night i fall for you.mp3 Please note: Even if you are using a "safe" P2P program, it is only the program itself that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares, thus, engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. Clear out Norton's Quarantine folder. If you're unsure on how to do it, you can use Symantec's guide. -------------------------------------------------------- Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links: The following procedure will clear out the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point. Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK: ComboFix /u -------------------------------------------------------------------- To help protect your computer in the future I recommend that you get the following free programs if you do not already have them: McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad. SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items. It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page. IESpyAD Zoned Out to block access to malicious websites so you cannot be redirected to them from an infected site or email. This severely impairs attempts to infect your system as it basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released. In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles: PC Safety and Security--What Do I Need? Think Prevention Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them. ----------------------------------------------------- Follow the list above and the potential for infection will reduce dramatically. Kindly respond one more time and let me know if we may consider this thread resolved. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."