Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 


Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Reload this Page Random popups and bogged down computer
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read


Resolved HJT Threads Resolved spyware and popup issues.

 
 
LinkBack Thread Tools
Old 11-28-2008, 04:09 PM   #1 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 7
OS: XP Service Pack 3


Random popups and bogged down computer
Hey for the past few months I've randomly been getting popups that open in IE even though I only use firefox. It seems completely at random when this happens and sometimes I'll get no popups while surfing and other times I'll get up to 5 at a time. Rarely I even get them while idle for a few hours, which leads me to believe it's just completely random at when they happen. The pop ups all seem to go to generally the same sites although I never really payed attention to which since I just click out of them right away so I can't really tell you any, sorry. Lately I've also been getting some that try to install anti spyware and anti virus software but I know that it's really just installing spyware so I make IE have an error to stop it from installing them since it won't let me simply close them. Again I'm not all too sure which software they're installing or the sites, sorry. Since that has started my computer has seemed to be running a lot slower so I suspect the two are connected so I figured it's finally time to fix the problem. Until now it's been nothing but a minor nuisance. Also I have installed AVG anti virus, ad-aware, SUPERAntiSpyWare, and CCleaner, although none of these have been able to fix the problem.

Thanks in advance to any help you can provide me : )
-Rob


Here's the logs:

DDS (Version 1.0) - NTFSx86
Run by HP_Owner at 16:14:22.48 on Fri 11/28/2008
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1271.505 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Lexmark 3300 Series\lxccmon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\GE\97769 Dual Scroll Optical Mouse\Amoumain.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\lxcccoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
c:\program files\aim toolbar\aimtbServer.exe
C:\Documents and Settings\HP_Owner\Desktop\dds.scr

============== Psuedo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
dURLSearchHooks: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
TB: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {D0943516-5076-4020-A3B5-AEFAF26AB263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {61539ECD-CC67-4437-A03C-9AACCBD14326} - c:\program files\aim toolbar\aimtb.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [more mfcd] c:\docume~1\hp_owner\applic~1\progra~1\does acid.exe
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [HPHUPD06] c:\program files\hp\{aac4fc36-8f89-4587-8dd3-ebc57c83374d}\hphupd06.exe
mRun: [HPHmon06] c:\windows\system32\hphmon06.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [lxccmon.exe] "c:\program files\lexmark 3300 series\lxccmon.exe"
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [LXCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCCtime.dll,_RunDLLEntry@16
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Love default global mess] c:\documents and settings\all users\application data\great coal love default\Roam List.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: {F4D5774A-8936-4B25-BD01-57AE389BDF82} = 68.87.64.146,68.87.75.194
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxsrvc.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll schannel.dll digest.dll msnsspc.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-19 97928]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-10-19 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-10-19 76040]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe" [2007-10-25 24652]
R2 WUSB54Gv42SVC;WUSB54Gv42SVC;"c:\program files\linksys wireless-g usb wireless network monitor\WLService.exe" "WUSB54Gv42.exe" [2008-8-15 53307]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-10-19 875288]
S3 XDva002;XDva002;\??\c:\windows\system32\XDva002.sys []

=============== Created Last 30 ================

2008-11-28 15:46 250 a------- c:\windows\gmer.ini
2008-11-28 14:59 161,792 a------- c:\windows\SWREG.exe
2008-11-28 14:59 98,816 a------- c:\windows\sed.exe
2008-11-28 14:45 <DIR> --d----- c:\program files\trend micro
2008-11-28 13:28 36,864 a------- c:\windows\system32\ascbalon.dll
2008-11-28 13:28 45,056 a------- c:\windows\system32\CreateLog.dll
2008-11-28 13:28 20,480 a------- c:\windows\system32\SysRestore.dll
2008-11-28 13:28 208,896 a------- c:\windows\system32\ConTest.dll
2008-11-28 13:20 <DIR> --d----- c:\program files\RogueRemover FREE
2008-11-25 15:32 <DIR> --d----- c:\program files\iPod
2008-11-25 15:32 <DIR> --d----- c:\program files\iTunes
2008-11-25 15:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-25 15:21 <DIR> --d----- c:\program files\Bonjour
2008-11-22 10:48 <DIR> --d----- c:\program files\Program shim
2008-11-18 15:36 <DIR> --d----- c:\docume~1\hp_owner\applic~1\Omega Messenger
2008-11-18 15:09 <DIR> --d----- c:\docume~1\hp_owner\applic~1\Tencent
2008-11-18 15:07 <DIR> --d----- c:\program files\common files\Software Update Utility
2008-11-18 15:07 <DIR> --d----- c:\program files\AIM Toolbar
2008-11-18 15:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AIM Toolbar
2008-11-18 15:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\acccore
2008-11-12 15:20 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 15:15 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2008-11-04 10:30 90,112 a------- c:\windows\system32\QuickTimeVR.qtx
2008-11-04 10:30 57,344 a------- c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2008-11-22 10:49 <DIR> --d----- c:\docume~1\hp_owner\applic~1\Program shim
2008-11-22 10:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\great coal love default
2008-11-18 15:09 <DIR> --d----- c:\program files\AIM6
2008-11-18 15:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Viewpoint
2008-11-18 15:03 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-11-16 10:33 <DIR> --d----- c:\docume~1\hp_owner\applic~1\uTorrent
2008-11-08 21:27 <DIR> --d----- c:\program files\AIMTunes
2008-11-06 15:35 <DIR> --d----- c:\docume~1\hp_owner\applic~1\AVGTOOLBAR
2008-10-26 00:04 <DIR> --d----- c:\program files\Brainhouse Labs
2008-10-25 22:54 <DIR> --d----- c:\program files\Sun
2008-10-19 21:43 <DIR> --d----- c:\program files\GameSpy Arcade
2008-10-19 19:32 10,520 a------- c:\windows\system32\avgrsstx.dll
2008-10-19 19:32 <DIR> --d----- c:\program files\AVG
2008-10-19 19:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2008-10-19 10:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Grisoft
2008-10-19 10:43 <DIR> --d----- c:\program files\MSN Messenger
2008-10-19 10:23 <DIR> --d----- c:\program files\Messenger
2008-10-19 10:21 81,903 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-19 10:20 3,072 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\pavilion\xphwwbf4duet\plugin\bin\jsharpde\pchealthde.exe
2008-10-19 10:20 98,304 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\pavilion\xphwwbf4duet\plugin\bin\PluginCtrl.dll
2008-10-19 10:20 139,264 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\pavilion\xphwwbf4duet\plugin\bin\ContentUpdater.exe
2008-10-19 10:20 315,392 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\pavilion\xphwwbf4duet\plugin\bin\jsharpde\pchmsxml.dll
2008-10-19 10:20 213,089 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\pavilion\xphwwbf4duet\plugin\bin\jsharpde\motive.zip
2008-10-19 10:20 282,624 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\pavilion\xphwwbf4duet\plugin\bin\jsharpde\clientutil52.dll
2008-10-19 10:20 69,632 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\pavilion\xphwwbf4duet\plugin\bin\msxmlwrapper.dll
2008-10-19 10:20 5,632 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\pavilion\xphwwbf4duet\plugin\bin\jsharpde\GUI.dll
2008-10-19 10:10 <DIR> --d----- c:\program files\Windows NT
2008-10-18 16:19 <DIR> --d----- c:\docume~1\hp_owner\applic~1\QQ Games
2008-10-17 14:30 <DIR> --d----- c:\docume~1\hp_owner\applic~1\QQ Games Plugin
2008-10-17 14:29 <DIR> --d----- c:\program files\Tencent
2008-10-14 14:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Blizzard
2008-09-30 20:03 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-18 21:39 <DIR> --d----- c:\docume~1\hp_owner\applic~1\SystemRequirementsLab
2008-09-18 21:21 108,144 a------- c:\windows\system32\CmdLineExt.dll
2008-09-15 07:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-14 16:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NexonUS
2008-09-09 20:14 1,307,648 a------- c:\windows\system32\msxml6.dll
2008-09-04 12:15 1,106,944 a------- c:\windows\system32\msxml3.dll
2008-08-30 03:48 <DIR> --d----- c:\docume~1\hp_owner\applic~1\Malwarebytes
2008-08-30 03:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-08-29 21:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Lavasoft
2008-08-29 02:43 <DIR> --d----- c:\docume~1\hp_owner\applic~1\TVU Networks
2008-08-29 02:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\TVU Networks
2008-08-23 01:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{436FF568-C03A-41B5-B97A-23CADCB7E6C9}
2008-08-17 22:57 <DIR> --d----- c:\docume~1\hp_owner\applic~1\vlc
2008-07-16 12:16 <DIR> --d----- c:\docume~1\hp_owner\applic~1\mIRC
2008-05-02 22:12 <DIR> --d----- c:\docume~1\hp_owner\applic~1\LimeWire
2008-02-27 17:50 <DIR> --d----- c:\docume~1\hp_owner\applic~1\SUPERAntiSpyware.com
2008-01-24 23:10 <DIR> --d----- c:\docume~1\hp_owner\applic~1\Grisoft
2007-12-19 13:48 <DIR> --d----- c:\docume~1\hp_owner\applic~1\Xfire
2007-12-17 19:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2007-12-17 01:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2007-12-17 01:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2007-12-07 00:51 <DIR> --d----- c:\docume~1\hp_owner\applic~1\Azureus
2007-08-13 10:13 <DIR> --d----- c:\docume~1\hp_owner\applic~1\Viewpoint
2007-01-11 16:06 <DIR> --d----- c:\docume~1\hp_owner\applic~1\FaxCtr
2006-12-23 11:36 <DIR> --d----- c:\docume~1\hp_owner\applic~1\vexorian
2006-02-27 20:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Autodesk
2005-10-31 01:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kodak
2005-08-27 18:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\FaxCtr
2004-08-12 01:12 <DIR> --d----- c:\docume~1\hp_owner\applic~1\Symantec
2004-08-11 20:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SBSI
1999-07-06 19:00 6 -c-shr-- c:\windows\@desktop@.dat
2006-05-03 04:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-02-21 05:47 31,232 ---shr-- c:\windows\system32\msfDX.dll

============= FINISH: 16:15:25.42 ===============
Attached Files
File Type: txt Attach.txt (9.9 KB, 5 views)
File Type: txt gmer.txt (21.8 KB, 3 views)
Bezerkerz is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Important Information
Join the #1 Tech Support Forum Today - It's Totally Free!

TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free.

Join TechSupportforum.com Today - Click Here

Old 11-30-2008, 10:07 AM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,444
OS: 2000 Pro; XP Pro; XP Home


Re: Random popups and bogged down computer
Hello -

It seems you may have run ComboFix. If so, please post it's log, located at C:\ComboFix.txt
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 12-02-2008, 03:59 PM   #3 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 7
OS: XP Service Pack 3


Re: Random popups and bogged down computer
Yeah I did actually, I was looking around on the internet for a possible fix and came across combo fix and it sounded pretty good so I thought hey, why not give it a try. Seemed to get the virus at first but the popups came back anyway. At startup now it says that I'm missing molidano.dll and a different file I forget which but both are located in the systems32 folder... but everything seems to be working fine.

So anyway, here is the combofix log.

ComboFix 08-11-27.07 - HP_Owner 2008-11-28 15:03:01.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.663 [GMT -5:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\demojesa.dll
c:\windows\system32\molidano.dll
c:\windows\system32\pepimude.dll
c:\windows\system32\sikasiso.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV
-------\Service_TDSSserv


((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-28 )))))))))))))))))))))))))))))))
.

2008-11-28 14:45 . 2008-11-28 14:46 <DIR> d-------- C:\rsit
2008-11-28 14:45 . 2008-11-28 14:45 <DIR> d-------- c:\program files\trend micro
2008-11-28 13:28 . 2008-07-29 11:27 208,896 --a------ c:\windows\system32\ConTest.dll
2008-11-28 13:28 . 2008-08-20 17:44 45,056 --a------ c:\windows\system32\CreateLog.dll
2008-11-28 13:28 . 2007-07-03 11:48 36,864 --a------ c:\windows\system32\ascbalon.dll
2008-11-28 13:28 . 2007-07-03 11:48 20,480 --a------ c:\windows\system32\SysRestore.dll
2008-11-28 13:27 . 2008-11-28 13:27 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\InstallShield
2008-11-28 13:20 . 2008-11-28 14:40 <DIR> d-------- c:\program files\RogueRemover FREE
2008-11-25 15:32 . 2008-11-25 15:33 <DIR> d-------- c:\program files\iTunes
2008-11-25 15:32 . 2008-11-25 15:32 <DIR> d-------- c:\program files\iPod
2008-11-25 15:32 . 2008-11-25 15:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-25 15:21 . 2008-11-25 15:21 <DIR> d-------- c:\program files\Bonjour
2008-11-22 10:48 . 2008-11-22 10:48 <DIR> d-------- c:\program files\Program shim
2008-11-18 15:36 . 2008-11-18 15:36 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\Omega Messenger
2008-11-18 15:09 . 2008-11-18 15:09 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\Tencent
2008-11-18 15:07 . 2008-11-18 15:07 <DIR> d-------- c:\program files\Common Files\Software Update Utility
2008-11-18 15:07 . 2008-11-18 15:07 <DIR> d-------- c:\program files\AIM Toolbar
2008-11-18 15:07 . 2008-11-18 15:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\AIM Toolbar
2008-11-18 15:06 . 2008-11-18 15:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2008-11-12 15:20 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 15:15 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-04 10:30 . 2008-11-04 10:30 90,112 --a------ c:\windows\system32\QuickTimeVR.qtx
2008-11-04 10:30 . 2008-11-04 10:30 57,344 --a------ c:\windows\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-28 18:28 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-28 16:54 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-11-25 20:19 --------- d-----w c:\program files\QuickTime
2008-11-22 15:49 --------- d-----w c:\documents and settings\HP_Owner\Application Data\Program shim
2008-11-22 15:48 --------- d-----w c:\documents and settings\All Users\Application Data\great coal love default
2008-11-18 20:09 --------- d-----w c:\program files\AIM6
2008-11-18 20:06 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-18 20:04 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-18 20:03 --------- d-----w c:\program files\SUPERAntiSpyware
2008-11-16 15:33 --------- d-----w c:\documents and settings\HP_Owner\Application Data\uTorrent
2008-11-09 02:27 --------- d-----w c:\program files\AIMTunes
2008-11-07 04:48 --------- d-----w c:\program files\Warcraft III
2008-11-06 20:35 --------- d-----w c:\documents and settings\HP_Owner\Application Data\AVGTOOLBAR
2008-10-26 05:04 --------- d-----w c:\program files\Brainhouse Labs
2008-10-26 03:54 --------- d-----w c:\program files\Sun
2008-10-26 03:54 --------- d-----w c:\program files\Java
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-20 02:43 --------- d-----w c:\program files\GameSpy Arcade
2008-10-20 00:32 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys
2008-10-20 00:32 76,040 ----a-w c:\windows\system32\drivers\avgtdix.sys
2008-10-20 00:32 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2008-10-20 00:32 --------- d-----w c:\program files\AVG
2008-10-20 00:31 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-10-19 15:57 --------- d-----w c:\documents and settings\All Users\Application Data\Grisoft
2008-10-19 15:43 --------- d-----w c:\program files\MSN Messenger
2008-10-19 15:20 98,304 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\PluginCtrl.dll
2008-10-19 15:20 69,632 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\msxmlwrapper.dll
2008-10-19 15:20 5,632 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\jsharpde\GUI.dll
2008-10-19 15:20 315,392 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\jsharpde\pchmsxml.dll
2008-10-19 15:20 3,072 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\jsharpde\pchealthde.exe
2008-10-19 15:20 282,624 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\jsharpde\clientutil52.dll
2008-10-19 15:20 213,089 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\jsharpde\motive.zip
2008-10-19 15:20 139,264 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\ContentUpdater.exe
2008-10-18 21:19 --------- d-----w c:\documents and settings\HP_Owner\Application Data\QQ Games
2008-10-17 19:30 --------- d-----w c:\documents and settings\HP_Owner\Application Data\QQ Games Plugin
2008-10-17 19:29 --------- d-----w c:\program files\Tencent
2008-10-17 19:25 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-14 19:18 --------- d-----w c:\documents and settings\All Users\Application Data\Blizzard
2008-10-01 01:03 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-19 02:21 108,144 ----a-w c:\windows\system32\CmdLineExt.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-29 15:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 14:53 61,440 ----a-w c:\windows\system32\dnssd.dll
2006-02-23 04:04 1,352,439 -c--a-w c:\program files\secretofmana.zip
1999-07-07 00:00 6 -csh--r c:\windows\@desktop@.dat
2006-05-03 09:06 163,328 --sh--r c:\windows\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r c:\windows\system32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{03402f96-3dc7-4285-bc50-9e81fefafe43}"= "c:\program files\AIM Toolbar\aimtb.dll" [2008-10-07 1275176]

[HKEY_CLASSES_ROOT\clsid\{03402f96-3dc7-4285-bc50-9e81fefafe43}]
[HKEY_CLASSES_ROOT\AIMTb.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{f8ec99b3-c2ca-4a5f-9505-c049766dc883}]
[HKEY_CLASSES_ROOT\AIMTb.AOLTBSearch]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b0cda128-b425-4eef-a174-61a11ac5dbf8}]
2008-10-07 14:09 1275176 --a------ c:\program files\AIM Toolbar\aimtb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{61539ecd-cc67-4437-a03c-9aaccbd14326}"= "c:\program files\AIM Toolbar\aimtb.dll" [2008-10-07 1275176]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{61539ECD-CC67-4437-A03C-9AACCBD14326}"= "c:\program files\AIM Toolbar\aimtb.dll" [2008-10-07 1275176]

[HKEY_CLASSES_ROOT\clsid\{61539ecd-cc67-4437-a03c-9aaccbd14326}]
[HKEY_CLASSES_ROOT\AIMTb.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{f8ec99b3-c2ca-4a5f-9505-c049766dc883}]
[HKEY_CLASSES_ROOT\AIMTb.AOLToolBand]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-11-18 1805552]
"more mfcd"="c:\docume~1\HP_Owner\APPLIC~1\PROGRA~1\does acid.exe" [2008-11-22 823808]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 49152]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"lxccmon.exe"="c:\program files\Lexmark 3300 Series\lxccmon.exe" [2005-02-21 192512]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"LXCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll" [2005-01-10 69632]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-22 221184]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"Love default global mess"="c:\documents and settings\All Users\Application Data\great coal love default\Roam List.exe" [2008-11-28 4453376]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 c:\windows\AGRSMMSG.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 c:\windows\ALCXMNTR.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-21 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-08-27 11:14 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll schannel.dll digest.dll msnsspc.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" /s
"iTunesHelper"=c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware\\aawservice.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Warcraft III Battle.net

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-10-19 97928]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-19 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-10-19 76040]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-10-25 24652]
R2 WUSB54Gv42SVC;WUSB54Gv42SVC;"c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe" [2008-08-15 53307]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-10-19 875288]
S3 XDva002;XDva002;\??\c:\windows\system32\XDva002.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0ac6908-923c-11db-b384-806d6172696f}]
\Shell\AutoRun\command - E:\chooser.EXE
.
Contents of the 'Scheduled Tasks' folder

2008-11-28 c:\windows\Tasks\AC1444CA918BFB3E.job
- c:\docume~1\hp_owner\applic~1\progra~1\four upload axis.exe [2008-11-22 10:49]

2008-11-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-26 c:\windows\Tasks\Norton Security Scan.job
- c:\program files\Norton Security Scan\Nss.exe []
.
- - - - ORPHANS REMOVED - - - -

BHO-{c30d95c8-3883-4020-87ec-437d14ba4b0e} - c:\windows\system32\demojesa.dll
HKCU-Run-Performance Center - c:\program files\Ascentive\Performance Center\ApcMain.exe
HKCU-Run-PC SpeedScan Pro - c:\program files\Ascentive\PC SpeedScan Pro\PCSpeedScan.exe
HKCU-RunOnce-Shockwave Updater - c:\windows\system32\Adobe\SHOCKW~1\SWHELP~2.EXE -Update -1100465 -Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3
HKLM-Run-VTTimer - VTTimer.exe
HKLM-Run-WheelMouse - Amoumain.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\dldgtpez.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF -: plugin - c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF -: plugin - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\dldgtpez.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdnu.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-28 15:10:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(852)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\IME\IMJP8_1\Dicts\IMJPCD.DIC
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\GE\97769 Dual Scroll Optical Mouse\Amoumain.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\lxcccoms.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
.
**************************************************************************
.
Completion time: 2008-11-28 15:19:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-28 20:19:30

Pre-Run: 14,017,052,672 bytes free
Post-Run: 13,949,534,208 bytes free

288 --- E O F --- 2008-11-13 21:09:54
Bezerkerz is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 12-02-2008, 06:23 PM   #4 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,444
OS: 2000 Pro; XP Pro; XP Home


Re: Random popups and bogged down computer
Please read this post:

http://www.techsupportforum.com/secu...ml#post1830849

Quote:
Why we don't ask you to run ComboFix from the onset

As stated by the author of ComboFix:

ComboFix is a very powerful tool which when improperly used may render your machine to a doorstop.

We first need to verify if there's any rootkits present and how they could affect our tools. DDS & GMER are preliminary scans. We use their logs to map our strategy for attack.

With these logs we can determine the infections present & decide whether to deploy ComboFix.
Thanks for understanding.

Let's get to work on this...

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  2. Open notepad and copy/paste the text in the quotebox below into it:

    Quote:
    DDS::
    uRun: [more mfcd] c:\docume~1\hp_owner\applic~1\progra~1\does acid.exe
    mRun: [Love default global mess] c:\documents and settings\all users\application data\great coal love default\Roam List.exe

    Registry::
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

    Folder::
    c:\Program Files\Program shim
    c:\docume~1\hp_owner\Applic~1\Program shim
    c:\docume~1\alluse~1\Applic~1\great coal love default

    File::
    c:\windows\system32\ascbalon.dll
    c:\windows\system32\CreateLog.dll
    c:\windows\system32\SysRestore.dll
    c:\windows\system32\ConTest.dll
    Save this as CFScript.txt




    Referring to the picture above, drag CFScript.txt into ComboFix.exe

  3. ComboFix may request an update. Please allow it.
  4. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  5. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    ---------------------------------------------------------------------------------------------
  6. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.


    ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 12-02-2008, 08:36 PM   #5 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 7
OS: XP Service Pack 3


Re: Random popups and bogged down computer
Thank you so much! Everything seems to be running smoothly so far. The only thing that I'm not all too sure about is on startup just as before a window popped up saying a file was missing in the system32 folder but this time it was wufewoga.dll I don't know if this means anything or if it'll go away after another restart but yeah, just throwing that out there in case it's a problem.

And yeah, it was rather foolish of me to run combo fix without proper instruction hehe I guess I just got a little hastey and didn't feel like asking for help. But I did read that post already, just kind of ran combo fix before I did that and that was before I decided to actually ask for help haha... my bad

Anyways here's the log:

ComboFix 08-12-01.03 - HP_Owner 2008-12-02 22:13:53.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.820 [GMT -5:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\ascbalon.dll
c:\windows\system32\ConTest.dll
c:\windows\system32\CreateLog.dll
c:\windows\system32\SysRestore.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\alluse~1\Applic~1\great coal love default
c:\docume~1\alluse~1\Applic~1\great coal love default\Hide Style.exe
c:\docume~1\alluse~1\Applic~1\great coal love default\Roam List.exe
c:\docume~1\hp_owner\applic~1\progra~1\does acid.exe
c:\docume~1\hp_owner\Applic~1\Program shim
c:\docume~1\hp_owner\Applic~1\Program shim\0
c:\docume~1\hp_owner\Applic~1\Program shim\dacwxwfy.exe
c:\docume~1\hp_owner\Applic~1\Program shim\does acid.exe
c:\docume~1\hp_owner\Applic~1\Program shim\four upload axis.exe
c:\docume~1\hp_owner\Applic~1\Program shim\iidznstq.exe
c:\docume~1\hp_owner\Applic~1\Program shim\kbqwkwel.exe
c:\docume~1\hp_owner\Applic~1\Program shim\mjdypdtd.exe
c:\docume~1\hp_owner\Applic~1\Program shim\njtuatnz.exe
c:\docume~1\hp_owner\Applic~1\Program shim\ohgwhsph.exe
c:\docume~1\hp_owner\Applic~1\Program shim\pldzmbwg.exe
c:\docume~1\hp_owner\Applic~1\Program shim\psmdufob.exe
c:\docume~1\hp_owner\Applic~1\Program shim\tndmeriu.exe
c:\docume~1\hp_owner\Applic~1\Program shim\upytkybd.exe
c:\docume~1\hp_owner\Applic~1\Program shim\xmkgqmio.exe
c:\documents and settings\all users\application data\great coal love default\Roam List.exe
c:\program files\Program shim
c:\windows\system32\ascbalon.dll
c:\windows\system32\bivegedu.dll
c:\windows\system32\ConTest.dll
c:\windows\system32\CreateLog.dll
c:\windows\system32\igobozat.ini
c:\windows\system32\isutemab.ini
c:\windows\system32\luruwono.dll
c:\windows\system32\revulazo.dll
c:\windows\system32\SysRestore.dll
c:\windows\system32\udegevib.ini
c:\windows\system32\uyujozet.ini
c:\windows\system32\yapigifa.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-03 to 2008-12-03 )))))))))))))))))))))))))))))))
.

2008-11-28 15:46 . 2008-11-28 15:46 250 --a------ c:\windows\gmer.ini
2008-11-28 14:45 . 2008-11-28 14:46 <DIR> d-------- C:\rsit
2008-11-28 14:45 . 2008-11-28 14:45 <DIR> d-------- c:\program files\trend micro
2008-11-28 13:27 . 2008-11-28 13:27 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\InstallShield
2008-11-28 13:20 . 2008-11-28 14:40 <DIR> d-------- c:\program files\RogueRemover FREE
2008-11-25 15:32 . 2008-11-25 15:33 <DIR> d-------- c:\program files\iTunes
2008-11-25 15:32 . 2008-11-25 15:32 <DIR> d-------- c:\program files\iPod
2008-11-25 15:32 . 2008-11-25 15:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-25 15:21 . 2008-11-25 15:21 <DIR> d-------- c:\program files\Bonjour
2008-11-18 15:36 . 2008-11-18 15:36 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\Omega Messenger
2008-11-18 15:09 . 2008-11-18 15:09 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\Tencent
2008-11-18 15:07 . 2008-11-18 15:07 <DIR> d-------- c:\program files\Common Files\Software Update Utility
2008-11-18 15:07 . 2008-11-18 15:07 <DIR> d-------- c:\program files\AIM Toolbar
2008-11-18 15:07 . 2008-11-18 15:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\AIM Toolbar
2008-11-18 15:06 . 2008-11-18 15:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2008-11-12 15:20 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 15:15 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-04 10:30 . 2008-11-04 10:30 90,112 --a------ c:\windows\system32\QuickTimeVR.qtx
2008-11-04 10:30 . 2008-11-04 10:30 57,344 --a------ c:\windows\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-02 22:04 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-11-28 18:28 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-25 20:19 --------- d-----w c:\program files\QuickTime
2008-11-18 20:09 --------- d-----w c:\program files\AIM6
2008-11-18 20:06 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-18 20:04 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-18 20:03 --------- d-----w c:\program files\SUPERAntiSpyware
2008-11-16 15:33 --------- d-----w c:\documents and settings\HP_Owner\Application Data\uTorrent
2008-11-09 02:27 --------- d-----w c:\program files\AIMTunes
2008-11-07 04:48 --------- d-----w c:\program files\Warcraft III
2008-11-06 20:35 --------- d-----w c:\documents and settings\HP_Owner\Application Data\AVGTOOLBAR
2008-10-26 05:04 --------- d-----w c:\program files\Brainhouse Labs
2008-10-26 03:54 --------- d-----w c:\program files\Sun
2008-10-26 03:54 --------- d-----w c:\program files\Java
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-20 02:43 --------- d-----w c:\program files\GameSpy Arcade
2008-10-20 00:32 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys
2008-10-20 00:32 76,040 ----a-w c:\windows\system32\drivers\avgtdix.sys
2008-10-20 00:32 --------- d-----w c:\program files\AVG
2008-10-20 00:31 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-10-19 15:57 --------- d-----w c:\documents and settings\All Users\Application Data\Grisoft
2008-10-19 15:43 --------- d-----w c:\program files\MSN Messenger
2008-10-18 21:19 --------- d-----w c:\documents and settings\HP_Owner\Application Data\QQ Games
2008-10-17 19:30 --------- d-----w c:\documents and settings\HP_Owner\Application Data\QQ Games Plugin
2008-10-17 19:29 --------- d-----w c:\program files\Tencent
2008-10-17 19:25 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-10-14 19:18 --------- d-----w c:\documents and settings\All Users\Application Data\Blizzard
2006-02-23 04:04 1,352,439 -c--a-w c:\program files\secretofmana.zip
1999-07-07 00:00 6 -csh--r c:\windows\@desktop@.dat
2006-05-03 09:06 163,328 --sh--r c:\windows\system32\flvDX.dll
2008-09-02 21:52 65,076 --sha-w c:\windows\system32\mibevilo.dll
2007-02-21 10:47 31,232 --sh--r c:\windows\system32\msfDX.dll
2008-08-28 22:24 61,952 --sha-w c:\windows\system32\towozoha.dll
.

((((((((((((((((((((((((((((( snapshot@2008-11-28_15.18.52.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-28 20:46:33 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-18 02:13:02 811,008 ----a-w c:\windows\gmer.exe
+ 2008-11-28 20:46:33 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
+ 2008-12-02 21:51:19 65,076 --sha-w c:\windows\system32\wibotelo.dll
+ 2008-12-03 03:21:50 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_e0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{03402f96-3dc7-4285-bc50-9e81fefafe43}"= "c:\program files\AIM Toolbar\aimtb.dll" [2008-10-07 1275176]

[HKEY_CLASSES_ROOT\clsid\{03402f96-3dc7-4285-bc50-9e81fefafe43}]
[HKEY_CLASSES_ROOT\AIMTb.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{f8ec99b3-c2ca-4a5f-9505-c049766dc883}]
[HKEY_CLASSES_ROOT\AIMTb.AOLTBSearch]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b0cda128-b425-4eef-a174-61a11ac5dbf8}]
2008-10-07 14:09 1275176 --a------ c:\program files\AIM Toolbar\aimtb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c30d95c8-3883-4020-87ec-437d14ba4b0e}]
c:\windows\system32\revulazo.dll [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{61539ecd-cc67-4437-a03c-9aaccbd14326}"= "c:\program files\AIM Toolbar\aimtb.dll" [2008-10-07 1275176]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{61539ECD-CC67-4437-A03C-9AACCBD14326}"= "c:\program files\AIM Toolbar\aimtb.dll" [2008-10-07 1275176]

[HKEY_CLASSES_ROOT\clsid\{61539ecd-cc67-4437-a03c-9aaccbd14326}]
[HKEY_CLASSES_ROOT\AIMTb.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{f8ec99b3-c2ca-4a5f-9505-c049766dc883}]
[HKEY_CLASSES_ROOT\AIMTb.AOLToolBand]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-11-18 1805552]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 49152]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"lxccmon.exe"="c:\program files\Lexmark 3300 Series\lxccmon.exe" [2005-02-21 192512]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"LXCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll" [2005-01-10 69632]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 c:\windows\AGRSMMSG.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 c:\windows\ALCXMNTR.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-21 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-08-27 11:14 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" /s
"iTunesHelper"=c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware\\aawservice.exe"=
"c:\\Program Files\\Linksys Wireless-G USB Wireless Network Monitor\\WUSB54Gv42.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgtray.exe"=
"c:\\WINDOWS\\system32\\WgaTray.exe"=
"c:\\WINDOWS\\system32\\lxcccoms.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERANTISPYWARE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Warcraft III Battle.net

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-10-19 97928]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-02-26 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-02-26 55024]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-10-19 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-19 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-10-19 76040]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-10-25 24652]
R2 WUSB54Gv42SVC;WUSB54Gv42SVC;"c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe" [2008-08-15 53307]
R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
S3 XDva002;XDva002;\??\c:\windows\system32\XDva002.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0ac6908-923c-11db-b384-806d6172696f}]
\Shell\AutoRun\command - E:\chooser.EXE
.
Contents of the 'Scheduled Tasks' folder

2008-12-03 c:\windows\Tasks\AC1444CA918BFB3E.job
- c:\docume~1\hp_owner\applic~1\progra~1\four upload axis.exe []

2008-11-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-28 c:\windows\Tasks\Norton Security Scan.job
- c:\program files\Norton Security Scan\Nss.exe []
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-rapimijobe - c:\windows\system32\wufewoga.dll
MSConfigStartUp-CTFMON - (no file)



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-02 22:21:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(852)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\IME\IMJP8_1\Dicts\IMJPCD.DIC
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\lxcccoms.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2008-12-02 22:30:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-03 03:30:31
ComboFix2.txt 2008-11-28 20:19:46

Pre-Run: 12,256,067,584 bytes free
Post-Run: 12,230,008,832 bytes free

284 --- E O F --- 2008-11-13 21:09:54
Last edited by Bezerkerz; 12-02-2008 at 08:41 PM.
Bezerkerz is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 12-02-2008, 08:49 PM   #6 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,444
OS: 2000 Pro; XP Pro; XP Home


Re: Random popups and bogged down computer
Hi -

That error message should be a one time event. It refers to a file and registry entry which were removed.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  2. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add or Remove Programs) if they exist:

    CiD Help

    ---------------------------------------------------------------------------------------------
  3. Open notepad and copy/paste the text in the quotebox below into it:

    Quote:
    http://www.techsupportforum.com/security-center/hijackthis-log-help/317785-random-popups-bogged-down-computer-post1835509.html#post1835509

    File::
    c:\windows\Tasks\AC1444CA918BFB3E.job

    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c30d95c8-3883-4020-87ec-437d14ba4b0e}]

    Collect::
    c:\windows\system32\mibevilo.dll
    c:\windows\system32\towozoha.dll
    c:\windows\system32\wibotelo.dll
    Save this as CFScript.txt




    Referring to the picture above, drag CFScript.txt into ComboFix.exe


  4. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  5. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

    Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file.

    If a browser does not open, ComboFix has generated a zipped file at C:\Qoobox\Quarantine\[4]Submit@Date_Time.zip
    Before proceeding to the next step, please submit this file to http://www.bleepingcomputer.com/subm....php?channel=4, and include a link to this topic.

    ---------------------------------------------------------------------------------------------
  6. Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
    • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
    • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 11. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
    • Click the "Download" button to the right.
    • Select the Windows platform from the dropdown menu.
    • Read the License Agreement and then check the box that says: "Accept License Agreement". Click on Continue.The page will refresh.
    • Click on the link to download Windows Offline Installation and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java versions.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.
    • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
      • On the General tab, under Temporary Internet Files, click the Settings button.
      • Next, click on the Delete Files button
      • There are two options in the window to clear the cache - Leave BOTH Checked
        • Applications and Applets
          Trace and Log Files
      • Click OK on Delete Temporary Files Window
        Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
      • Click OK to leave the Temporary Files Window
      • Click OK to leave the Java Control Panel.

    ---------------------------------------------------------------------------------------------

  7. Please run this online scan to help look for remnants.

    First, Go to Start>Control Panel>Add/Remove Programs and remove Kaspersky online scanner if present prior to downloading the most up-to-date one.

    Next, establish an internet connection & perform an online scan using Internet Explorer at Kaspersky Online Scanner

    Answer Yes, when prompted to install an ActiveX component.
    • The program will then begin downloading the latest definition files.
    • Once the files have been downloaded click on NEXT
    • Locate the Scan Settings button & configure to:
      • Scan using the following Anti-Virus database:
        • Extended
      • Scan Options:
        • Scan Archives
        • Scan Mail Bases
    • Click OK & have it scan My Computer
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.

    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply


    **Note**

    To optimize scanning time and produce a more sensible report for review:
    • Close any open programs
    • Turn off the real time scanner of any existing antivirus program while performing the online scan. You may disconnect from the internet once you begin the scan.


    Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

    ---------------------------------------------------------------------------------------------
  8. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    How is the machine behaving?
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 12-06-2008, 12:19 PM   #7 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,444
OS: 2000 Pro; XP Pro; XP Home


Re: Random popups and bogged down computer
Still with me, Bezerkerz?

I generally unsubscribe from threads after 7 days of inactivity. If I don't receive a reply from you within 3 days of this post, this topic will be closed.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 12-06-2008, 06:34 PM   #8 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 7
OS: XP Service Pack 3


Re: Random popups and bogged down computer
Sorry, I'm still here just been very busy lately, actually just about to do the next step hehe.
Bezerkerz is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 12-06-2008, 07:38 PM   #9 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 7
OS: XP Service Pack 3


Re: Random popups and bogged down computer
Alright so I followed all the steps double checking everything along the way but had a few problems. Everything went well up until after combofix ran, the browser did not open up so I attempted to submit the zip file at that website but the zip file did not exist. I looked to see if there may have been a file just named slightly different by error but there is not. The only files in C:\Qoobox\Quarantine is two text files named catchme and a folder named C and another folder named Registry_backups. Could the correct file possibly be hidden for some reason?

Well I continued on and didn't have any problems with Java. Although I tried to run kaspersky but I had a 404 from your link, I attempted it a few times thinking maybe mozilla is just screwing up for some reason but still no go.

Other than that my computer's been running great, faster and haven't had a popup since the first run through of combofix that you had me do. I'm very pleased so far and grateful for your help : ), thanks.

Here's the log from combofix:

ComboFix 08-12-06.04 - HP_Owner 2008-12-06 20:45:54.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.776 [GMT -5:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\Tasks\AC1444CA918BFB3E.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Tasks\AC1444CA918BFB3E.job

.
((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-06 20:41 . 2008-12-06 20:41 0 --a------ C:\config.ini
2008-11-28 15:46 . 2008-11-28 15:46 250 --a------ c:\windows\gmer.ini
2008-11-28 14:45 . 2008-11-28 14:46 <DIR> d-------- C:\rsit
2008-11-28 14:45 . 2008-11-28 14:45 <DIR> d-------- c:\program files\trend micro
2008-11-28 13:27 . 2008-11-28 13:27 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\InstallShield
2008-11-28 13:20 . 2008-11-28 14:40 <DIR> d-------- c:\program files\RogueRemover FREE
2008-11-25 15:32 . 2008-11-25 15:33 <DIR> d-------- c:\program files\iTunes
2008-11-25 15:32 . 2008-11-25 15:32 <DIR> d-------- c:\program files\iPod
2008-11-25 15:32 . 2008-11-25 15:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-25 15:21 . 2008-11-25 15:21 <DIR> d-------- c:\program files\Bonjour
2008-11-18 15:36 . 2008-11-18 15:36 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\Omega Messenger
2008-11-18 15:09 . 2008-11-18 15:09 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\Tencent
2008-11-18 15:07 . 2008-11-18 15:07 <DIR> d-------- c:\program files\Common Files\Software Update Utility
2008-11-18 15:07 . 2008-11-18 15:07 <DIR> d-------- c:\program files\AIM Toolbar
2008-11-18 15:07 . 2008-11-18 15:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\AIM Toolbar
2008-11-18 15:06 . 2008-11-18 15:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2008-11-12 15:20 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 15:15 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-07 01:40 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-06 01:05 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-11-25 20:19 --------- d-----w c:\program files\QuickTime
2008-11-18 20:09 --------- d-----w c:\program files\AIM6
2008-11-18 20:06 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-18 20:04 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-18 20:03 --------- d-----w c:\program files\SUPERAntiSpyware
2008-11-16 15:33 --------- d-----w c:\documents and settings\HP_Owner\Application Data\uTorrent
2008-11-09 02:27 --------- d-----w c:\program files\AIMTunes
2008-11-07 04:48 --------- d-----w c:\program files\Warcraft III
2008-11-06 20:35 --------- d-----w c:\documents and settings\HP_Owner\Application Data\AVGTOOLBAR
2008-10-26 05:04 --------- d-----w c:\program files\Brainhouse Labs
2008-10-26 03:54 --------- d-----w c:\program files\Sun
2008-10-26 03:54 --------- d-----w c:\program files\Java
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-20 02:43 --------- d-----w c:\program files\GameSpy Arcade
2008-10-20 00:32 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys
2008-10-20 00:32 76,040 ----a-w c:\windows\system32\drivers\avgtdix.sys
2008-10-20 00:32 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2008-10-20 00:32 --------- d-----w c:\program files\AVG
2008-10-20 00:31 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-10-19 15:57 --------- d-----w c:\documents and settings\All Users\Application Data\Grisoft
2008-10-19 15:43 --------- d-----w c:\program files\MSN Messenger
2008-10-19 15:20 98,304 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\PluginCtrl.dll
2008-10-19 15:20 69,632 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\msxmlwrapper.dll
2008-10-19 15:20 5,632 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\jsharpde\GUI.dll
2008-10-19 15:20 315,392 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\jsharpde\pchmsxml.dll
2008-10-19 15:20 3,072 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\jsharpde\pchealthde.exe
2008-10-19 15:20 282,624 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\jsharpde\clientutil52.dll
2008-10-19 15:20 213,089 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\jsharpde\motive.zip
2008-10-19 15:20 139,264 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\ContentUpdater.exe
2008-10-17 19:30 --------- d-----w c:\documents and settings\HP_Owner\Application Data\QQ Games Plugin
2008-10-17 19:29 --------- d-----w c:\program files\Tencent
2008-10-17 19:25 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-14 19:18 --------- d-----w c:\documents and settings\All Users\Application Data\Blizzard
2008-10-01 01:03 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-19 02:21 108,144 ----a-w c:\windows\system32\CmdLineExt.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2006-02-23 04:04 1,352,439 -c--a-w c:\program files\secretofmana.zip
1999-07-07 00:00 6 -csh--r c:\windows\@desktop@.dat
2006-05-03 09:06 163,328 --sh--r c:\windows\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r c:\windows\system32\msfDX.dll
.

((((((((((((((((((((((((((((( snapshot@2008-11-28_15.18.52.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-28 20:46:33 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-18 02:13:02 811,008 ----a-w c:\windows\gmer.exe
+ 2008-11-28 20:46:33 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
+ 2008-12-05 11:40:10 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_4a4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{03402f96-3dc7-4285-bc50-9e81fefafe43}"= "c:\program files\AIM Toolbar\aimtb.dll" [2008-10-07 1275176]

[HKEY_CLASSES_ROOT\clsid\{03402f96-3dc7-4285-bc50-9e81fefafe43}]
[HKEY_CLASSES_ROOT\AIMTb.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{f8ec99b3-c2ca-4a5f-9505-c049766dc883}]
[HKEY_CLASSES_ROOT\AIMTb.AOLTBSearch]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b0cda128-b425-4eef-a174-61a11ac5dbf8}]
2008-10-07 14:09 1275176 --a------ c:\program files\AIM Toolbar\aimtb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{61539ecd-cc67-4437-a03c-9aaccbd14326}"= "c:\program files\AIM Toolbar\aimtb.dll" [2008-10-07 1275176]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{61539ECD-CC67-4437-A03C-9AACCBD14326}"= "c:\program files\AIM Toolbar\aimtb.dll" [2008-10-07 1275176]

[HKEY_CLASSES_ROOT\clsid\{61539ecd-cc67-4437-a03c-9aaccbd14326}]
[HKEY_CLASSES_ROOT\AIMTb.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{f8ec99b3-c2ca-4a5f-9505-c049766dc883}]
[HKEY_CLASSES_ROOT\AIMTb.AOLToolBand]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-11-18 1805552]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 49152]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"lxccmon.exe"="c:\program files\Lexmark 3300 Series\lxccmon.exe" [2005-02-21 192512]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"LXCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll" [2005-01-10 69632]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 c:\windows\AGRSMMSG.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 c:\windows\ALCXMNTR.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-21 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-08-27 11:14 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" /s
"iTunesHelper"=c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware\\aawservice.exe"=
"c:\\Program Files\\Linksys Wireless-G USB Wireless Network Monitor\\WUSB54Gv42.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgtray.exe"=
"c:\\WINDOWS\\system32\\WgaTray.exe"=
"c:\\WINDOWS\\system32\\lxcccoms.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERANTISPYWARE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Warcraft III Battle.net

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-10-19 97928]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-02-26 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-02-26 55024]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-10-19 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-19 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-10-19 76040]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-10-25 24652]
R2 WUSB54Gv42SVC;WUSB54Gv42SVC;"c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe" [2008-08-15 53307]
R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
S3 XDva002;XDva002;\??\c:\windows\system32\XDva002.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0ac6908-923c-11db-b384-806d6172696f}]
\Shell\AutoRun\command - E:\chooser.EXE

*Newly Created Service* - CATCHME
*Newly Created Service* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder

2008-11-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-05 c:\windows\Tasks\Norton Security Scan.job
- c:\program files\Norton Security Scan\Nss.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\AIM Toolbar\aimtb.dll
TCP: {F4D5774A-8936-4B25-BD01-57AE389BDF82} = 68.87.64.146,68.87.75.194

c:\windows\system32\mfc42.dll - c:\windows\system32\msvcrt.dll
c:\windows\system32\olepro32.dll
c:\windows\system32\GameleonGameControlBroker.exe.manifest
c:\windows\system32\GameleonGameControlBroker.exe
c:\windows\system32\Gameleon_logo.bmp
c:\windows\system32\GameleonGameControlJpn.ini
c:\windows\system32\GameleonGameControlEng.ini
c:\windows\system32\GameleonGameControl.ini
c:\windows\system32\GameleonGameControl.ocx
O16 -: {A049E723-858B-4EDB-BAF1-87286429FDA5}
hxxp://deco.gameleon.jp/component/GameleonGameControl.cab
c:\windows\Downloaded Program Files\GameleonGameControl.inf
FireFox -: Profile - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\dldgtpez.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF -: plugin - c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF -: plugin - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\dldgtpez.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdnu.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 20:50:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(848)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\IME\IMJP8_1\Dicts\IMJPCD.DIC
.
Completion time: 2008-12-06 20:52:32
ComboFix-quarantined-files.txt 2008-12-07 01:51:53
ComboFix2.txt 2008-12-03 03:30:44
ComboFix3.txt 2008-11-28 20:19:46

Pre-Run: 13,045,063,680 bytes free
Post-Run: 13,040,144,384 bytes free

268 --- E O F --- 2008-11-13 21:09:54
Bezerkerz is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 12-06-2008, 07:49 PM   #10 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,444
OS: 2000 Pro; XP Pro; XP Home


Re: Random popups and bogged down computer
First...

Please go to Start > Run and copy/paste the following, then press Enter:

C:\QooBox\ComboFix-quarantined-files.txt

Post the contents of the logfile which will open.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 12-06-2008, 10:25 PM   #11 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 7
OS: XP Service Pack 3


Re: Random popups and bogged down computer
2008-01-19 1111 A------- 823,808 C:\Qoobox\Quarantine\C\DOCUME~1\HP_Owner\APPLIC~1\PROGRA~1\does acid.exe.vir
2008-01-19 1128 A------- 325,120 C:\Qoobox\Quarantine\C\DOCUME~1\HP_Owner\APPLIC~1\Program shim\four upload axis.exe.vir
2008-05-07 18:00:16 A------- 477,696 C:\Qoobox\Quarantine\C\DOCUME~1\HP_Owner\APPLIC~1\Program shim\psmdufob.exe.vir
2008-05-27 1412 A------- 437,760 C:\Qoobox\Quarantine\C\DOCUME~1\HP_Owner\APPLIC~1\Program shim\tndmeriu.exe.vir
2008-06-21 08:23:38 A------- 552,448 C:\Qoobox\Quarantine\C\DOCUME~1\HP_Owner\APPLIC~1\Program shim\mjdypdtd.exe.vir
2008-07-22 19:09:23 A------- 696,832 C:\Qoobox\Quarantine\C\DOCUME~1\HP_Owner\APPLIC~1\Program shim\njtuatnz.exe.vir
2008-08-15 00:04:22 A------- 501,248 C:\Qoobox\Quarantine\C\DOCUME~1\HP_Owner\APPLIC~1\Program shim\iidznstq.exe.vir
2008-08-28 12:07:05 A------- 61,952 C:\Qoobox\Quarantine\C\WINDOWS\system32\demojesa.dll.vir
2008-08-28 12:07:05 A------- 61,952 C:\Qoobox\Quarantine\C\WINDOWS\system32\molidano.dll.vir
2008-08-28 12:07:05 A------- 61,952 C:\Qoobox\Quarantine\C\WINDOWS\system32\pepimude.dll.vir
2008-08-28 12:12:26 A------- 94,772 C:\Qoobox\Quarantine\C\WINDOWS\system32\sikasiso.dll.vir
2008-09-02 16:51:17 A------- 86,580 C:\Qoobox\Quarantine\C\WINDOWS\system32\bivegedu.dll.vir
2008-09-02 16:51:18 A------- 93,748 C:\Qoobox\Quarantine\C\WINDOWS\system32\luruwono.dll.vir
2008-09-02 16:52:33 A------- 65,076 C:\Qoobox\Quarantine\C\WINDOWS\system32\revulazo.dll.vir
2008-09-02 16:52:33 A------- 65,076 C:\Qoobox\Quarantine\C\WINDOWS\system32\yapigifa.dll.vir
2008-09-16 05:51:06 A------- 556,032 C:\Qoobox\Quarantine\C\DOCUME~1\HP_Owner\APPLIC~1\Program shim\xmkgqmio.exe.vir
2008-09-26 21:08:36 A------- 539,648 C:\Qoobox\Quarantine\C\DOCUME~1\HP_Owner\APPLIC~1\Program shim\pldzmbwg.exe.vir
2008-10-29 22:57:39 A------- 566,784 C:\Qoobox\Quarantine\C\DOCUME~1\HP_Owner\APPLIC~1\Program shim\upytkybd.exe.vir
2008-11-12 15:16:15 A------- 542,720 C:\Qoobox\Quarantine\C\DOCUME~1\HP_Owner\APPLIC~1\Program shim\dacwxwfy.exe.vir
2008-11-16 08:41:16 A------- 569,856 C:\Qoobox\Quarantine\C\DOCUME~1\HP_Owner\APPLIC~1\Program shim\ohgwhsph.exe.vir
2008-11-16 08:41:25 A------- 6,970,880 C:\Qoobox\Quarantine\C\DOCUME~1\ALLUSE~1\APPLIC~1\great coal love default\Hide Style.exe.vir
2008-11-22 10:48:35 A------- 561,664 C:\Qoobox\Quarantine\C\DOCUME~1\HP_Owner\APPLIC~1\Program shim\kbqwkwel.exe.vir
2008-11-22 10:48:45 A------- 4,568,576 C:\Qoobox\Quarantine\C\DOCUME~1\ALLUSE~1\APPLIC~1\great coal love default\Roam List.exe.vir
2008-11-22 10:49:23 A------- 280 C:\Qoobox\Quarantine\C\WINDOWS\Tasks\AC1444CA918BFB3E.job.vir
2008-11-22 10:49:23 A------- 1,060 C:\Qoobox\Quarantine\C\DOCUME~1\HP_Owner\APPLIC~1\Program shim\0.vir
2008-11-28 13:28:26 A------- 208,896 C:\Qoobox\Quarantine\C\WINDOWS\system32\ConTest.dll.vir
2008-11-28 13:28:27 A------- 20,480 C:\Qoobox\Quarantine\C\WINDOWS\system32\SysRestore.dll.vir
2008-11-28 13:28:27 A------- 45,056 C:\Qoobox\Quarantine\C\WINDOWS\system32\CreateLog.dll.vir
2008-11-28 13:28:30 A------- 36,864 C:\Qoobox\Quarantine\C\WINDOWS\system32\ascbalon.dll.vir
2008-11-28 14:59:45 A------- 290 C:\Qoobox\Quarantine\catchme.log
2008-11-28 15:07:14 A------- 7,586 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2008-11-28 15:07:26 A------- 1,044 C:\Qoobox\Quarantine\Registry_backups\Legacy_TDSSSERV.reg.dat
2008-11-28 15:07:27 A------- 1,268 C:\Qoobox\Quarantine\Registry_backups\Service_TDSSserv.reg.dat
2008-11-28 15:18:52 A------- 0 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-CFSServ.exe.reg.dat
2008-11-28 15:18:52 A------- 0 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NDSTray.exe.reg.dat
2008-11-28 15:18:52 A------- 0 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TFncKy.reg.dat
2008-11-28 15:18:54 A------- 374 C:\Qoobox\Quarantine\Registry_backups\BHO-{c30d95c8-3883-4020-87ec-437d14ba4b0e}.reg.dat
2008-11-28 15:18:57 A------- 168 C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-PC SpeedScan Pro.reg.dat
2008-11-28 15:18:57 A------- 168 C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Performance Center.reg.dat
2008-11-28 15:18:58 A------- 383 C:\Qoobox\Quarantine\Registry_backups\HKCU-RunOnce-Shockwave Updater.reg.dat
2008-11-28 15:19:00 A------- 105 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-VTTimer.reg.dat
2008-11-28 15:19:00 A------- 109 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-WheelMouse.reg.dat
2008-11-29 00:12:49 A------- 1,296,222 C:\Qoobox\Quarantine\C\WINDOWS\system32\uyujozet.ini.vir
2008-11-29 13:07:40 A------- 1,296,222 C:\Qoobox\Quarantine\C\WINDOWS\system32\isutemab.ini.vir
2008-11-30 0144 A------- 1,296,222 C:\Qoobox\Quarantine\C\WINDOWS\system32\igobozat.ini.vir
2008-12-02 16:51:58 A------- 1,355,509 C:\Qoobox\Quarantine\C\WINDOWS\system32\udegevib.ini.vir
2008-12-02 22:30:08 A------- 151 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-rapimijobe.reg.dat
2008-12-02 22:30:18 A------- 256 C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-CTFMON.reg.dat
2008-12-06 20:45:46 A------- 396 C:\Qoobox\Quarantine\catchme.txt
Bezerkerz is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 12-06-2008, 10:50 PM   #12 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,444
OS: 2000 Pro; XP Pro; XP Home


Re: Random popups and bogged down computer
Looks like something, perhaps your resident protection, removed those files. No worries, as long as they're gone, it's fine.

My apologies for the bad link. That's for an old kaspersky scan I keep hoping will return.

This one should work for you.

Please perform this online scan to help look for remnants

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on Settings. Uncheck Mail databases.
  • Next, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 12-09-2008, 05:27 AM   #13 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 7
OS: XP Service Pack 3


Re: Random popups and bogged down computer
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, December 9, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, December 08, 2008 20:42:14
Records in database: 1444573
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: no

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan statistics:
Files scanned: 104224
Threat name: 11
Infected objects: 31
Suspicious objects: 0
Duration of the scan: 02:47:47


File name / Threat name / Threats count
C:\Documents and Settings\HP_Owner\.housecall6.6\Quarantine\.tt1.tmp.vbs.bac_a03148 Infected: Backdoor.Win32.Frauder.eo 1
C:\Documents and Settings\HP_Owner\.housecall6.6\Quarantine\.tt2.tmp.vbs.bac_a03148 Infected: Backdoor.Win32.Frauder.eo 1
C:\Documents and Settings\HP_Owner\.housecall6.6\Quarantine\.tt3.tmp.vbs.bac_a03148 Infected: Backdoor.Win32.Frauder.eo 1
C:\Documents and Settings\HP_Owner\.housecall6.6\Quarantine\.tt9.tmp.exe.bac_a03148 Infected: not-a-virus:FraudTool.Win32.XPAntivirus.ra 1
C:\Documents and Settings\HP_Owner\.housecall6.6\Quarantine\.ttAE.tmp.vbs.bac_a03148 Infected: Backdoor.Win32.Frauder.eo 1
C:\Documents and Settings\HP_Owner\.housecall6.6\Quarantine\.ttB1.tmp.exe.bac_a03148 Infected: not-a-virus:FraudTool.Win32.XPAntivirus.ra 1
C:\Documents and Settings\HP_Owner\.housecall6.6\Quarantine\tdssadw.dl_.bac_a03148 Infected: Rootkit.Win32.Clbd.jg 1
C:\Documents and Settings\HP_Owner\.housecall6.6\Quarantine\tdssl.dl_.bac_a03148 Infected: Trojan-Downloader.Win32.Small.acpi 1
C:\Documents and Settings\HP_Owner\.housecall6.6\Quarantine\tdsslog.dl_.bac_a03148 Infected: Backdoor.Win32.UltimateDefender.gen 1
C:\Documents and Settings\HP_Owner\.housecall6.6\Quarantine\tdssmain.dl_.bac_a03148 Infected: Backdoor.Win32.UltimateDefender.gen 1
C:\Documents and Settings\HP_Owner\.housecall6.6\Quarantine\tdssserf.dl_.bac_a03148 Infected: Trojan-Downloader.Win32.FraudLoad.vbxt 1
C:\Documents and Settings\HP_Owner\.housecall6.6\Quarantine\tdssserv.sy_.bac_a03148 Infected: Backdoor.Win32.Agent.qmx 1
C:\Documents and Settings\HP_Owner\.housecall6.6\Quarantine\xasdhxgk.exe.bac_a03148 Infected: Trojan.Win32.Obfuscated.gen 1
C:\Program Files\Incomplete\T-5745425-final mission.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.632 1
C:\Qoobox\Quarantine\C\DOCUME~1\ALLUSE~1\APPLIC~1\great coal love default\Hide Style.exe.vir Infected: Trojan.Win32.Obfuscated.gen 1
C:\Qoobox\Quarantine\C\DOCUME~1\ALLUSE~1\APPLIC~1\great coal love default\Roam List.exe.vir Infected: Trojan.Win32.Obfuscated.gen 1
C:\Qoobox\Quarantine\C\DOCUME~1\HP_Owner\APPLIC~1\Program shim\dacwxwfy.exe.vir Infected: Trojan.Win32.Obfuscated.gen 1
C:\Qoobox\Quarantine\C\DOCUME~1\HP_Owner\APPLIC~1\Program shim\four upload axis.exe.vir Infected: Trojan.Win32.Obfuscated.gen 1
C:\Qoobox\Quarantine\C\DOCUME~1\HP_Owner\APPLIC~1\Program shim\iidznstq.exe.vir Infected: Trojan.Win32.Obfuscated.gen 1
C:\Qoobox\Quarantine\C\DOCUME~1\HP_Owner\APPLIC~1\Program shim\kbqwkwel.exe.vir Infected: Trojan.Win32.Obfuscated.gen 1
C:\Qoobox\Quarantine\C\DOCUME~1\HP_Owner\APPLIC~1\Program shim\mjdypdtd.exe.vir Infected: Trojan.Win32.Obfuscated.gen 1
C:\Qoobox\Quarantine\C\DOCUME~1\HP_Owner\APPLIC~1\Program shim\njtuatnz.exe.vir Infected: Trojan.Win32.Obfuscated.gen 1
C:\Qoobox\Quarantine\C\DOCUME~1\HP_Owner\APPLIC~1\Program shim\ohgwhsph.exe.vir Infected: Trojan.Win32.Obfuscated.gen 1
C:\Qoobox\Quarantine\C\DOCUME~1\HP_Owner\APPLIC~1\Program shim\pldzmbwg.exe.vir Infected: Trojan.Win32.Obfuscated.gen 1
C:\Qoobox\Quarantine\C\DOCUME~1\HP_Owner\APPLIC~1\Program shim\psmdufob.exe.vir Infected: Trojan.Win32.Obfuscated.gen 1
C:\Qoobox\Quarantine\C\DOCUME~1\HP_Owner\APPLIC~1\Program shim\tndmeriu.exe.vir Infected: Trojan.Win32.Obfuscated.gen 1
C:\Qoobox\Quarantine\C\DOCUME~1\HP_Owner\APPLIC~1\Program shim\upytkybd.exe.vir Infected: Trojan.Win32.Obfuscated.gen 1
C:\Qoobox\Quarantine\C\DOCUME~1\HP_Owner\APPLIC~1\Program shim\xmkgqmio.exe.vir Infected: Trojan.Win32.Obfuscated.gen 1
C:\Qoobox\Quarantine\C\DOCUME~1\HP_Owner\APPLIC~1\PROGRA~1\does acid.exe.vir Infected: Trojan.Win32.Obfuscated.gen 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\sikasiso.dll.vir Infected: Trojan-Spy.Win32.Agent.fdp 1

The selected area was scanned.
Bezerkerz is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 12-09-2008, 09:23 AM   #14 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,444
OS: 2000 Pro; XP Pro; XP Home


Re: Random popups and bogged down computer
Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.


Using Windows Explorer, or Windows Search, locate and delete the following file:

"C:\Program Files\Incomplete\T-5745425-final mission.mp3"

Delete the contents of this folder:

C:\Documents and Settings\HP_Owner\.housecall6.6\Quarantine

---------------------------------------------------------------------------------------------

The other items found are in ComboFix quarantine, and will be addressed by uninstalling ComboFix as instructed below

Other than that....

Your logs appear clean.You should be good to go. We still have a few items to address.

Go to -> Run -> copy/paste in the following single line command & click OK

combofix /u



This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:
  • Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • Winpatrol

    Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
    • Download Host.zip to your desktop.
    • From your Desktop right-click (hosts.zip) and select:
      Extract All from the menu.
    • Click Next, click Next, select the option:
      "Show Extracted files", click Finish
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

    Do not install more than one AntiVirus program because they will conflict with each other.

  • Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer
  • http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP//Vista. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles
If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 12-12-2008, 06:02 PM   #15 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,444
OS: 2000 Pro; XP Pro; XP Home


Re: Random popups and bogged down computer
Since this issue appears to be resolved, this topic will now be archived. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

http://www.techsupportforum.com/secu...oval-help.html
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
 

« Previous Thread | Next Thread »

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off



All times are GMT -7. The time now is 09:53 AM.

Contact Us - Tech Support Forum - Archive - Privacy Statement - Top


Copyright 2001 - 2009, Tech Support Forum
Home Tips Plus | Outdoor Basecamp | Automotive Support Forum

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85