Getting popups

[GerryRay]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:20:42 PM, on 12/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MESSEN~1\msmsgs.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\oI6sL4EX.exe
C:\WINDOWS\TEMP\2F7.tmp
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy-server:8080;https=proxy-server:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ams-server*;;localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [MSFox] C:\DOCUME~1\Gerry\LOCALS~1\Temp\yyy20293.exe
O4 - HKUS\S-1-5-18\..\Run: [Cognac] C:\WINDOWS\TEMP\2F7.tmp.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Cognac] C:\WINDOWS\TEMP\2F7.tmp.exe (User 'Default user')
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1202462704484
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7962 bytes

[tetonbob]

Hello and Welcome.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

We want all our members to perform the steps outlined in the link I'll give you below, before posting for assistance. There's a sticky at the top of this forum, and a

Quote:

Having problems with spyware and pop-ups? First Steps

link at the top of each page.

---------------------------------------------------------------------------------------------

Please follow our pre-posting process outlined here:

http://www.techsupportforum.com/secu...oval-help.html

After running through all the steps, you shall have a proper set of logs. Please post them.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

[GerryRay]

I am getting pop-ups and my anti virus said I had a trojan horse, I use AVG. it tried to get rid of it but all the files didn't go away. i ran spybot sd and deleted some stuff tracking things but that didn't fix it. spybot is blocking the urls as they come up but they are still coming. i am getting ads come up every once in awhile though even if my browser isn't open. there was so random sound file playing yesterday and i had to end it in task manager.. it sounded like an infomercial. pretty sure it's a trojan horse.

I ran the gmer.exe twice and both times it crashed and did not work, therefore i didn't add a ark.txt file to the zip file.. is there anything else you would like me to scan with? i have hijack this.





DDS (Version 1.0) - NTFSx86
Run by Gerry at 14:34:59.87 on Mon 12/08/2008
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.461 [GMT -6:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MESSEN~1\msmsgs.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\oI6sL4EX.exe
C:\Documents and Settings\Gerry\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyServer = http=proxy-server:8080;https=proxy-server:8080
uInternet Settings,ProxyOverride = ams-server*;;localhost
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg8\avgssie.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\progra~1\messen~1\msmsgs.exe" /background
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-8 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-2-8 26824]
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-7-7 611664]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-8 875288]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-8 231704]
R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-8 76040]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-23 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-23 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2008-8-23 42112]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2008-8-23 23680]

=============== Created Last 30 ================

2008-12-07 13:38 <DIR> --d----- C:\Temp
2008-12-07 13:22 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-07 13:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-12-07 13:20 <DIR> --d----- c:\program files\Trend Micro
2008-12-07 09:34 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-07 09:25 77,824 a------- c:\windows\system32\oI6sL4EX.exe
2008-12-07 09:25 0 a------- c:\windows\system32\oI6sL4EX.exe.a_a
2008-12-07 09:25 139,268 a------- c:\windows\system32\msxml71.dll
2008-11-21 15:47 524,288 a------- c:\windows\system32\DivXsm.exe
2008-11-21 15:47 4,816 a------- c:\windows\system32\divxsm.tlb
2008-11-21 15:47 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2008-11-21 15:46 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-21 15:46 200,704 a------- c:\windows\system32\ssldivx.dll
2008-11-21 15:44 161,096 a------- c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 15:44 12,288 a------- c:\windows\system32\DivXWMPExtType.dll
2008-11-12 22:57 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 22:57 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2008-11-10 12:23 243,840 a------- c:\windows\system32\ZuneWlanCfgSvc.exe
2008-11-10 12:23 60,032 a------- c:\windows\system32\ZuneBusEnum.exe

==================== Find3M ====================

2008-11-10 12:09 73,728 a------- c:\windows\system32\ZuneUsbTransport.dll
2008-11-10 12:09 18,944 a------- c:\windows\system32\ZuneTcp2Udp.dll
2008-11-10 12:09 57,344 a------- c:\windows\system32\ZuneRegUtil.dll
2008-11-10 12:09 12,800 a------- c:\windows\system32\ZunePTDNS.dll
2008-11-10 12:09 310,272 a------- c:\windows\system32\ZuneNetProxy.dll
2008-11-10 12:09 145,920 a------- c:\windows\system32\ZuneMTPZ.dll
2008-10-24 05:21 455,296 a------- c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-15 06:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-09 19:14 1,307,648 a------- c:\windows\system32\msxml6.dll
2008-09-04 11:32 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090420080905\index.dat

============= FINISH: 14:35:55.67 ===============

[tetonbob]

Please try to run the gmer scan in safe mode.

Restart your computer and boot into Safe Mode by tapping the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

---------------------------------------------------------------------------------------------

Attach the log you save to your next reply. If still no joy, let me know.

[GerryRay]

Here is the Ark.txt in a zip file. The other File in in the previous zip post..

[tetonbob]

Please visit this webpage for download links, and instructions for running combofix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

[GerryRay]

these instructions might as well be in japanese cause they are way too confusing. i created a recovery console and tried to boot from it and got to C: then it just sat there i have no idea what i'm doing from there on. i saw the list of commands but what am i supposed to do with commands i don't know how to use?


also is this going to delete all my files on my computer? it doesn't say that anywhere.

[tetonbob]

You "created a recovery console" how? Recovery Console is only for "what if", and only under direction of a trained tech. You should not be booting into it.

If you've installed Recovery Console from your Windows XP CD, now all you need to do is download ComboFix, and double click on it to run it,

[GerryRay]

i went to "how to use recovery console" and it showed me to restart my pc and load from it... but since it's installed i'll just run combofix

[GerryRay]

ok that worked here's the file

ComboFix 08-12-07.04 - Gerry 2008-12-08 20:29:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.479 [GMT -6:00]
Running from: c:\documents and settings\Gerry\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\msxml71.dll
c:\windows\system32\oI6sL4EX.exe.a_a

----- BITS: Possible infected sites -----

hxxp://resources.zune.net
.
((((((((((((((((((((((((( Files Created from 2008-11-09 to 2008-12-09 )))))))))))))))))))))))))))))))
.

2008-12-08 14:57 . 2008-12-08 14:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\WinZip
2008-12-08 14:37 . 2008-12-08 15:07 250 --a------ c:\windows\gmer.ini
2008-12-07 13:38 . 2008-12-07 16:07 <DIR> d-------- C:\Temp
2008-12-07 13:22 . 2008-12-07 16:22 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-07 13:22 . 2008-12-07 18:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-07 13:20 . 2008-12-07 13:20 <DIR> d-------- c:\program files\Trend Micro
2008-12-07 09:34 . 2008-12-07 09:34 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-07 09:25 . 2008-12-07 09:45 77,824 --a------ c:\windows\system32\oI6sL4EX.exe
2008-11-21 15:47 . 2008-11-21 15:47 3,596,288 --a------ c:\windows\system32\qt-dx331.dll
2008-11-21 15:47 . 2008-11-21 15:47 524,288 --a------ c:\windows\system32\DivXsm.exe
2008-11-21 15:47 . 2008-11-21 15:47 4,816 --a------ c:\windows\system32\divxsm.tlb
2008-11-21 15:46 . 2008-11-21 15:46 1,044,480 --a------ c:\windows\system32\libdivx.dll
2008-11-21 15:46 . 2008-11-21 15:46 200,704 --a------ c:\windows\system32\ssldivx.dll
2008-11-21 15:44 . 2008-11-21 15:44 161,096 --a------ c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 15:44 . 2008-11-21 15:44 12,288 --a------ c:\windows\system32\DivXWMPExtType.dll
2008-11-12 22:57 . 2008-09-04 11:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 22:57 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-10 12:23 . 2008-11-10 12:23 243,840 --a------ c:\windows\system32\ZuneWlanCfgSvc.exe
2008-11-10 12:23 . 2008-11-10 12:23 60,032 --a------ c:\windows\system32\ZuneBusEnum.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-08 23:24 --------- d-----w c:\documents and settings\Gerry\Application Data\LimeWire
2008-12-08 23:09 --------- d-----w c:\documents and settings\Gerry\Application Data\uTorrent
2008-12-08 20:39 --------- d-----w c:\program files\dvdSanta
2008-12-07 17:02 --------- d-----w c:\program files\PeerGuardian2
2008-12-07 15:34 --------- d-----w c:\program files\Lavasoft
2008-12-07 15:32 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-07 14:54 --------- d-----w c:\program files\DivX
2008-11-30 00:24 --------- d-----w c:\documents and settings\Gerry\Application Data\dvdcss
2008-11-24 23:56 --------- d-----w c:\program files\Zune
2008-11-10 18:09 73,728 ----a-w c:\windows\system32\ZuneUsbTransport.dll
2008-11-10 18:09 57,344 ----a-w c:\windows\system32\ZuneRegUtil.dll
2008-11-10 18:09 310,272 ----a-w c:\windows\system32\ZuneNetProxy.dll
2008-11-10 18:09 18,944 ----a-w c:\windows\system32\ZuneTcp2Udp.dll
2008-11-10 18:09 145,920 ----a-w c:\windows\system32\ZuneMTPZ.dll
2008-11-10 18:09 12,800 ----a-w c:\windows\system32\ZunePTDNS.dll
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-04 17:32 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090420080905\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\progra~1\MESSEN~1\msmsgs.exe" [2008-04-13 1695232]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2003-06-30 188416]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.enc"= ITIG726.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
Domestic Security Version 4.87

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
--a------ 2008-02-25 16:46 16384 c:\program files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
--a------ 2003-06-30 21:00 65536 c:\program files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
--a------ 2008-11-10 12:23 157312 c:\program files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TapiSrv"=3 (0x3)
"Spooler"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Motorola\\Software Update\\msu.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-06-08 97928]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-08 875288]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-08 231704]
R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-06-08 76040]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2008-08-23 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2008-08-23 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [2008-08-23 42112]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys [2008-08-23 23680]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-12-08 c:\windows\Tasks\At1.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]

2008-12-08 c:\windows\Tasks\At10.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]

2008-12-08 c:\windows\Tasks\At11.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]

2008-12-08 c:\windows\Tasks\At12.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]

2008-12-08 c:\windows\Tasks\At13.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]

2008-12-08 c:\windows\Tasks\At14.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]

2008-12-08 c:\windows\Tasks\At15.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]

2008-12-08 c:\windows\Tasks\At16.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]

2008-12-07 c:\windows\Tasks\At17.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]

2008-12-08 c:\windows\Tasks\At18.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]

2008-12-09 c:\windows\Tasks\At19.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]

2008-12-08 c:\windows\Tasks\At2.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]

2008-12-09 c:\windows\Tasks\At20.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]

2008-12-09 c:\windows\Tasks\At21.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]

2008-12-08 c:\windows\Tasks\At22.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]

2008-12-08 c:\windows\Tasks\At23.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]

2008-12-08 c:\windows\Tasks\At24.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]

2008-12-08 c:\windows\Tasks\At25.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]

2008-12-08 c:\windows\Tasks\At26.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]

2008-12-08 c:\windows\Tasks\At27.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]

2008-12-08 c:\windows\Tasks\At28.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]

2008-12-08 c:\windows\Tasks\At29.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]

2008-12-08 c:\windows\Tasks\At3.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]

2008-12-08 c:\windows\Tasks\At30.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]

2008-12-08 c:\windows\Tasks\At31.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]

2008-12-08 c:\windows\Tasks\At32.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]

2008-12-08 c:\windows\Tasks\At33.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]

2008-12-08 c:\windows\Tasks\At34.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]

2008-12-08 c:\windows\Tasks\At35.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]

2008-12-08 c:\windows\Tasks\At36.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]

2008-12-08 c:\windows\Tasks\At37.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]

2008-12-08 c:\windows\Tasks\At38.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]

2008-12-08 c:\windows\Tasks\At39.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]

2008-12-08 c:\windows\Tasks\At4.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]

2008-12-08 c:\windows\Tasks\At40.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]

2008-12-07 c:\windows\Tasks\At41.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]

2008-12-08 c:\windows\Tasks\At42.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]

2008-12-09 c:\windows\Tasks\At43.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]

2008-12-09 c:\windows\Tasks\At44.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]

2008-12-09 c:\windows\Tasks\At45.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]

2008-12-08 c:\windows\Tasks\At46.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]

2008-12-08 c:\windows\Tasks\At47.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]

2008-12-08 c:\windows\Tasks\At48.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]

2008-12-08 c:\windows\Tasks\At5.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]

2008-12-08 c:\windows\Tasks\At6.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]

2008-12-08 c:\windows\Tasks\At7.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]

2008-12-08 c:\windows\Tasks\At8.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]

2008-12-08 c:\windows\Tasks\At9.job
- c:\windows\system32\oI6sL4EX.exe [2008-12-07 09:45]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Cognac - c:\docume~1\Gerry\LOCALS~1\Temp\~tmpb.exe
MSConfigStartUp-MSFox - c:\docume~1\Gerry\LOCALS~1\Temp\yyy20293.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyServer = http=proxy-server:8080;https=proxy-server:8080
uInternet Settings,ProxyOverride = ams-server*;;localhost
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FireFox -: Profile - c:\documents and settings\Gerry\Application Data\Mozilla\Firefox\Profiles\wul86m5c.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-08 20:34:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\windows\system32\avgrsstx.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(828)
c:\windows\system32\avgrsstx.dll
.
Completion time: 2008-12-08 20:35:29
ComboFix-quarantined-files.txt 2008-12-09 02:35:14

Pre-Run: 41,209,339,904 bytes free
Post-Run: 41,613,832,192 bytes free

275 --- E O F --- 2008-11-13 22:08:51

[tetonbob]

Good work.

Next....

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
   
2. Open notepad and copy/paste the text in the quotebox below into it:
   
   
   Quote:

   http://www.techsupportforum.com/security-center/hijackthis-log-help/321168-getting-popups.html#post1846494
   
   File::
   c:\windows\Tasks\At1.job
   c:\windows\Tasks\At10.job
   c:\windows\Tasks\At11.job
   c:\windows\Tasks\At12.job
   c:\windows\Tasks\At13.job
   c:\windows\Tasks\At14.job
   c:\windows\Tasks\At15.job
   c:\windows\Tasks\At16.job
   c:\windows\Tasks\At17.job
   c:\windows\Tasks\At18.job
   c:\windows\Tasks\At19.job
   c:\windows\Tasks\At2.job
   c:\windows\Tasks\At20.job
   c:\windows\Tasks\At21.job
   c:\windows\Tasks\At22.job
   c:\windows\Tasks\At23.job
   c:\windows\Tasks\At24.job
   c:\windows\Tasks\At25.job
   c:\windows\Tasks\At26.job
   c:\windows\Tasks\At27.job
   c:\windows\Tasks\At28.job
   c:\windows\Tasks\At29.job
   c:\windows\Tasks\At3.job
   c:\windows\Tasks\At30.job
   c:\windows\Tasks\At31.job
   c:\windows\Tasks\At32.job
   c:\windows\Tasks\At33.job
   c:\windows\Tasks\At34.job
   c:\windows\Tasks\At35.job
   c:\windows\Tasks\At36.job
   c:\windows\Tasks\At37.job
   c:\windows\Tasks\At38.job
   c:\windows\Tasks\At39.job
   c:\windows\Tasks\At4.job
   c:\windows\Tasks\At40.job
   c:\windows\Tasks\At41.job
   c:\windows\Tasks\At42.job
   c:\windows\Tasks\At43.job
   c:\windows\Tasks\At44.job
   c:\windows\Tasks\At45.job
   c:\windows\Tasks\At46.job
   c:\windows\Tasks\At47.job
   c:\windows\Tasks\At48.job
   c:\windows\Tasks\At5.job
   c:\windows\Tasks\At6.job
   c:\windows\Tasks\At7.job
   c:\windows\Tasks\At8.job
   c:\windows\Tasks\At9.job
   
   Collect::
   c:\windows\system32\oI6sL4EX.exe
   
   
   

   Save this as CFScript.txt
   
   
   
   
   Referring to the picture above, drag CFScript.txt into ComboFix.exe
   
   
   
3. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
   
4. When finished, it shall produce a log for you. Post that log in your next reply
   
   Note:
   Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
   
   When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.
   
   Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file.
   
   If a browser does not open, ComboFix has generated a zipped file at C:\Qoobox\Quarantine\[4]Submit@Date_Time.zip
   Before proceeding to the next step, please submit this file to http://www.bleepingcomputer.com/subm....php?channel=4, and include a link to this topic.
   
5. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.
   
   ---------------------------------------------------------------------------------------------
   
6. P2P - I see you have P2P software ( Limewire ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.
   
   Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
   
   Please see this topic for more information:
   
   http://www.techsupportforum.com/secu...e-sharing.html
   
   I would strongly recommend that you uninstall this. You can do so via Control Panel >> Add or Remove Programs.
   
   ---------------------------------------------------------------------------------------------
   
7. Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
   • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
   • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 11. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
   • Click the "Download" button to the right.
   • Select the Windows platform from the dropdown menu.
   • Read the License Agreement and then check the box that says: " I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh.
   • Click on the link to download Windows Offline Installation and save the file to your desktop.
   • Close any programs you may have running - especially your web browser.
   • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
   • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
   • Click the Remove or Change/Remove button.
   • Repeat as many times as necessary to remove each Java versions.
   • Reboot your computer once all Java components are removed.
   • Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.
   • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
     • On the General tab, under Temporary Internet Files, click the Settings button.
     • Next, click on the Delete Files button
     • There are two options in the window to clear the cache - Leave BOTH Checked
       • Applications and Applets
         Trace and Log Files
     • Click OK on Delete Temporary Files Window
       Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
     • Click OK to leave the Temporary Files Window
     • Click OK to leave the Java Control Panel.
   
   ---------------------------------------------------------------------------------------------
   
8. Please perform this online scan to help look for remnants
   
   Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner
   
   **Note**
   
   To optimize scanning time and produce a more sensible report for review:
   • Close any open programs
   • Turn off the real time scanner of any existing antivirus program while performing the online scan.
   
   Click Accept, when prompted to download and install the program files and database of malware definitions.
   • Click Run at the Security prompt.
   • The program will then begin downloading and installing and will also update the database.
   • Please be patient as this can take several minutes.
   • Once the update is complete, click on Settings. Uncheck Mail databases.
   • Next, click on My Computer under the green Scan bar to the left to start the scan.
   • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
   • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
   • Click View scan report at the bottom.
   • Click the Save Report As... button.
   • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
   
   ---------------------------------------------------------------------------------------------
   
   How is the machine behaving?
   
   ---------------------------------------------------------------------------------------------

[GerryRay]

I attached the ComboFix and Kasp logs. I think the computer is running ok. I deleted the file from my computer that was in the Kasp log.

[tetonbob]

Looks good.

If you've already deleted the kasperksy finds....

Your logs appear clean.You should be good to go. We still have a few items to address.

Go to -> Run -> copy/paste in the following single line command & click OK

combofix /u

This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:

• Microsoft Windows Update - http://www.windowsupdate.com
  Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  
  
• SpywareBlaster to help prevent spyware from installing in the first place.
  • Install & update SpywareBlaster with the latest definitions.
    After you have updated, click the button - enable protection for all unprotected items
• Winpatrol
  
  Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.
  
  You can get a free copy of Winpatrol or use the Plus version for more features.
  
  You can read Winpatrol's FAQ if you run into problems.
  
  
• MVPS HOST FILE
  The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
  • Download Host.zip to your desktop.
  • From your Desktop right-click (hosts.zip) and select:
    Extract All from the menu.
    
  • Click Next, click Next, select the option:
    "Show Extracted files", click Finish
    
  • This will open the newly created hosts folder on your Desktop.
    
  • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    
  • Once updated you should see another prompt that the task was completed.
• ANTIVIRUS SOFTWARE
  It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.
  
  Do not install more than one AntiVirus program because they will conflict with each other.
  
  
• Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer
  
• http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  
  
• http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP//Vista. It's made up of two parts - ERUNT & NTREGOPT.
  
  ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.
  
  NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

• How did I get infected in the first place?
• PC Safety and Security--What Do I Need?

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

[GerryRay]

Alright I installed all that stuff.. does spyblaster run automatically or do i need to start it every time i turn my computer on?

[tetonbob]

Hi

SpywareBlaster is a preventative program. It sets flags in the registry to prevent the running of a specific list of bad spyware related ActiveX controls. This includes general spyware and malicious dialers. It also blocks a list of known spyware related cookies in IE. SpywareBlaster should be run periodically, say once a week, to check for updates to its database. Other than that it doesn't need to be running to provide protection, so there are no processes run either at startup or in the background.

[tetonbob]

Surf Safely, and Think Prevention!

Since this issue is resolved, this topic will be archived.