Old 02-21-2009, 11:25 AM   #1 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 34
OS: XP


Dozens of Pop-ups and slow computer

Hello,

I hope you can help me. This morning when I woke up, my McAfee Security was open saying that something wanted to change the registry. I clicked "block" for about 10 requests, then McAfee showed a message saying it successfully removed a virus (the message box closed too quickly for me to see the Virus name). Apparently it didn't remove it, because when I tried to open IE it was running very slow, IE closed down unexpectedly and a pop-up came up. Now the situation is worse and dozens of pop-ups keep opening up at the same time and I can't even close them all. Most don't open to a website, because I think Spyware blaster doesn't allow them to open. Needless to say the computer is really slow and getting on the internet is nearly impossible without all the pop-ups.

My thoughts on where the virus came from: I did get an email from my husband's coworker about Restaurant dot com and when I went there it didn't open, but the computer seemed slower after I followed that link.

Please help. Here is my DDS Log below, and I have attached Attach.txt and ark.txt (zipped into 1 file) as well.

Thank you so much!
Jenny
-----------------------

DDS (Ver_09-02-01.01) - NTFSx86
Run by HP_Administrator at 12:58:05.07 on Sat 02/21/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1355 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
FW: McAfee Personal Firewall *enabled*
FW: COMODO Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\afisicx.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\mabidwe.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\soxpeca.exe
svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Playskool\MADE FOR ME Software\HbDetect.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://cm.my.yahoo.com/
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {5069d240-aec6-4f95-b742-8601258760fd} - c:\windows\system32\hasomola.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [HbDetect.exe] c:\program files\playskool\made for me software\HbDetect.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [DMAScheduler] "c:\program files\hp digitalmedia archive\DMAScheduler.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Motive SmartBridge] c:\progra~1\sbclig~1\smartb~1\MotiveSB.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 6.0\apdproxy.exe"
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [CPM690b6d03] Rundll32.exe "c:\windows\system32\batufuke.dll",a
mRun: [bagasuwuwe] Rundll32.exe "c:\windows\system32\pipibuju.dll",s
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\windows\installer\{00000409-78e1-11d2-b60f-006097c998e7}\outicon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
Trusted Zone: trymedia.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper20073151.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {42C9E5EE-DA49-49B4-8ECC-1CAB1C51A2AB} - hxxp://www.kodakgallery.com/downloads/hmpr/HMPR_WIN_IE_1/axhomepr.cab
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.winkflash.com/photo/loaders/ImageUploader5.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - hxxp://www.winkflash.com/photo/loaders/ImageUploader4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
AppInit_DLLs: c:\windows\system32\hoyolajo.dll hrhwsl.dll c:\windows\system32\batufuke.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\batufuke.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\batufuke.dll
LSA: Notification Packages = scecli c:\windows\system32\hoyolajo.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-12-13 201320]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\adobe\photoshop elements 6.0\PhotoshopElementsFileAgent.exe [2007-10-2 124832]
R2 afisicx;afisicx Service;c:\windows\system32\afisicx.exe [2004-8-9 184320]
R2 defaultlib;Service AntiVir;c:\windows\system32\svchost.exe -k netsvcs [2004-8-9 14336]
R2 eq2soft;Service Eset;c:\windows\system32\svchost.exe -k netsvcs [2004-8-9 14336]
R2 mabidwe;mabidwe Service;c:\windows\system32\mabidwe.exe [2004-8-9 47104]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-12-13 203280]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-12-13 359248]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-12-13 144704]
R2 netmantow;Network Connections.;c:\windows\system32\svchost.exe -k netsvcs [2004-8-9 14336]
R2 soxpeca;soxpeca Service;c:\windows\system32\soxpeca.exe [2004-8-9 47616]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-12-13 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-12-13 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-12-13 35240]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-12-13 33832]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-12-13 40488]
S2 softyinforwow1;Sysmtens;c:\windows\system32\svchost.exe -k netsvcs [2004-8-9 14336]
S2 Symantec Core LC;Symantec Core LC;"c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe" --> c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [?]

============== File Associations ===============

txtfile="c:\windows\system32\nxtepad.exe" "%1"

=============== Created Last 30 ================

2009-02-21 12:38 86,016 a------- c:\windows\system32\u122196841.dll
2009-02-21 12:38 77,824 a------- c:\windows\system32\u122154640.dll
2009-02-21 12:38 90,112 a------- c:\windows\system32\200923835.dll
2009-02-21 12:38 59,904 a------- c:\windows\system32\atlsystem62119.exe
2009-02-21 12:38 59,904 a------- c:\windows\system32\atlsystem849649.exe
2009-02-21 08:28 59,904 a------- c:\windows\system32\atlsystem699632.exe
2009-02-21 05:45 129,024 a--sh--- c:\windows\system32\hrhwsl.dll
2009-02-20 18:56 90,112 a------- c:\windows\system32\200925654.dll
2009-02-20 18:56 86,016 a------- c:\windows\system32\u182092155.dll
2009-02-20 18:56 77,824 a------- c:\windows\system32\u182085954.dll
2009-02-20 18:56 65,536 a------- c:\windows\system32\der9449803.dll
2009-02-20 09:08 90,112 a------- c:\windows\system32\20092820.dll
2009-02-20 09:08 86,016 a------- c:\windows\system32\u92015624.dll
2009-02-20 09:08 77,824 a------- c:\windows\system32\u92064024.dll
2009-02-20 09:08 122,880 a------- c:\windows\system32\atlsystem585712.exe
2009-02-19 13:44 77,824 a------- c:\windows\system32\u131935922.dll
2009-02-19 13:44 90,112 a------- c:\windows\system32\200924421.dll
2009-02-19 13:44 65,536 a------- c:\windows\system32\der3339170.dll

==================== Find3M ====================

2009-02-21 05:45 84,992 a--sh--- c:\windows\system32\batufuke.dll
2009-02-21 05:45 129,024 a--sh--- c:\windows\system32\hugeloko.dll
2009-02-21 05:45 79,872 a--sh--- c:\windows\system32\bofuwike.dll
2009-01-05 16:53 102,218 a------- c:\windows\hpoins05.dat
2008-12-13 01:32 578,560 a------- c:\windows\system32\dllcache\user32.dll
2008-12-12 12:01 3,067,904 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2007-01-18 20:21 150 a------- c:\docume~1\hp_adm~1\applic~1\wklnhst.dat
0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\hasomola.dll
0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\hoyolajo.dll
0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\pipibuju.dll

============= FINISH: 12:58:52.89 ===============
Attached Files
File Type: zip Attach.zip (4.5 KB, 1 views)
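Read from a defender's side, the DDS log above already contains the evidence an analyst looks for before any tool is run: an unnamed BHO, Run entries that load a system32 DLL through rundll32 with a one-letter export, three DLLs in AppInit_DLLs, a second LSA notification package beside scecli, services with vendor-sounding display names hosted in svchost -k netsvcs, the txtfile association redirected away from notepad, and hidden+system DLLs in system32 with zeroed timestamps. The script below is an added example (my own, not code from this thread, from DDS, or from TSF) that runs those checks as simple heuristics over a handful of lines copied from the posted log. The rules, rule names and the allowlists (scecli, notepad.exe) are my assumptions, and the line formats it parses are inferred from the log as posted, not from a DDS specification; it is a triage aid for reading a log, not a removal tool.

```python
import re
from dataclasses import dataclass

# Lines copied from the DDS log posted above (a constructed subset, so the
# example runs offline; the full log is in the thread).
SAMPLE_DDS = [
    r'BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll',
    r'BHO: {5069d240-aec6-4f95-b742-8601258760fd} - c:\windows\system32\hasomola.dll',
    r'mRun: [ehTray] c:\windows\ehome\ehtray.exe',
    r'mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup',
    r'mRun: [CPM690b6d03] Rundll32.exe "c:\windows\system32\batufuke.dll",a',
    r'AppInit_DLLs: c:\windows\system32\hoyolajo.dll hrhwsl.dll c:\windows\system32\batufuke.dll',
    r'LSA: Notification Packages = scecli c:\windows\system32\hoyolajo.dll',
    r'R2 defaultlib;Service AntiVir;c:\windows\system32\svchost.exe -k netsvcs [2004-8-9 14336]',
    r'R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-12-13 144704]',
    r'txtfile="c:\windows\system32\nxtepad.exe" "%1"',
    r'2009-02-21 05:45 129,024 a--sh--- c:\windows\system32\hrhwsl.dll',
    r'2009-01-05 16:53 102,218 a------- c:\windows\hpoins05.dat',
    r'0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\hasomola.dll',
]


@dataclass
class Finding:
    rule: str    # heuristic name (my own naming, not DDS terminology)
    detail: str  # the item the rule fired on
    line: str    # the original log line, for the report


GUID = r"\{[0-9a-f-]{36}\}"
# rundll32 loading a DLL from system32 by a named export, as in the mRun lines.
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\\system32\\[^",]+\.dll)"?,(\S+)', re.I)
# "Created Last 30" / "Find3M" entries: date time size attributes path.
FILE_ENTRY = re.compile(r"(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}\s+[\d,]+\s+(\S{8})\s+(.+)$")


def check_line(line):
    """Apply each heuristic to one DDS line and return the findings (possibly none)."""
    found = []
    low = line.lower()
    if re.match(rf"BHO: {GUID} - ", line, re.I):
        # DDS prints "BHO: <name>: {guid} - <path>"; an entry with no name at all is unusual.
        found.append(Finding("unnamed-bho", line.split(" - ", 1)[1], line))
    elif re.match(r"[um]Run: \[", line, re.I):
        m = RUNDLL.search(line)
        # Heuristic: legitimate entries name a real export (NvStartup); a single letter is odd.
        if m and len(m.group(2)) == 1:
            found.append(Finding("rundll32-single-letter-export", f"{m.group(1)},{m.group(2)}", line))
    elif low.startswith("appinit_dlls:"):
        # The value is normally empty on XP; each listed DLL is loaded into every
        # process that links user32, so every entry deserves a look.
        found += [Finding("appinit-dll", d, line) for d in line.split(":", 1)[1].split()]
    elif low.startswith("lsa: notification packages ="):
        # scecli is the stock package; anything else is a password-filter style hook.
        found += [Finding("lsa-notification-package", p, line)
                  for p in line.split("=", 1)[1].split() if p.lower() != "scecli"]
    elif re.match(r"[RS]\d [^;]+;[^;]+;", line) and "svchost.exe -k netsvcs" in low:
        # The image path is just the generic host; the ServiceDll it loads is what to verify.
        found.append(Finding("netsvcs-hosted-service", line.split(";")[0], line))
    elif low.startswith("txtfile="):
        m = re.match(r'txtfile="?([^"]+)"?', line, re.I)
        if m and not m.group(1).lower().endswith("notepad.exe"):
            found.append(Finding("txtfile-association", m.group(1), line))
    else:
        m = FILE_ENTRY.match(line)
        if m:
            stamp, attrs, path = m.groups()
            reasons = []
            if "\\system32\\" in path.lower() and "s" in attrs and "h" in attrs:
                reasons.append("hidden+system attributes in system32")
            if stamp == "0000-00-00":
                reasons.append("zeroed timestamp")
            if reasons:
                found.append(Finding("suspicious-file", f"{path} ({'; '.join(reasons)})", line))
    return found


def triage(lines):
    """Run check_line over every non-empty line of a DDS log."""
    return [f for raw in lines if raw.strip() for f in check_line(raw.strip())]


def summarize(findings):
    """Count findings per rule, e.g. {'appinit-dll': 3, ...}."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_DDS)
    for f in results:
        print(f"[{f.rule}] {f.detail}")
    print(summarize(results))
```

Run it with the full DDS.txt split into lines instead of the sample and it prints one line per hit; on the sample above it reports ten hits, three of them the AppInit_DLLs entries. The AppInit and LSA rules fire on presence alone because those keys are empty or scecli-only on a stock XP install, while the rundll32 and netsvcs rules are only prompts to verify the DLL behind the entry, since legitimate software uses both mechanisms.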
Old 02-22-2009, 03:08 PM   #2 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,641
OS: XP SP3


Re: Dozens of Pop-ups and slow computer

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

This is the third time you have brought an infected machine to this forum in as many months. As you read in our:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

Also be advised:

It is not our intent to repeatedly remove malware from the same member's machines. The intent of this free service performed by volunteers is to help remove malware from your machine, educate you on how it may have happened, and how to prevent that from happening again. To this end, we provide links to articles and tools which should make your visit to the Virus/Trojan/Spyware Help section of TSF a one time event. Please do enjoy the rest of Tech Support Forum as many times as you like!

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Please post the C:\ComboFix.txt in your next reply for further review.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
Old 02-22-2009, 05:42 PM   #3 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 34
OS: XP


Re: Dozens of Pop-ups and slow computer

Hello,

I am sorry about posting too many times. I did almost everything suggested about prevention except to avoid using IE, which I will absolutely do now. I wish I could pinpoint the time my computer was infected, but I am still not sure. I really thank you so much for all your help and I am truly sorry for bothering you again!

Another thing is that I noticed the logs showed that I have Comodo Firewall, but I uninstalled that once I started using McAfee (which has its own firewall). I cannot see Comodo on the Add/Remove programs either, so I am unsure how to get rid of it.

Thanks again,
Jenny
-------------------------

ComboFix 09-02-21.01 - HP_Administrator 2009-02-22 19:05:29.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1447 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: COMODO Firewall *enabled*
FW: McAfee Personal Firewall *disabled*
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Install.txt
c:\windows\system32\200922626.dll
c:\windows\system32\200923835.dll
c:\windows\system32\200924421.dll
c:\windows\system32\200925654.dll
c:\windows\system32\20092820.dll
c:\windows\system32\afisicx.exe
c:\windows\system32\comsa32.sys
c:\windows\system32\hoyolajo.dll
c:\windows\system32\ihagogog.ini
c:\windows\system32\mabidwe.exe
c:\windows\system32\soxpeca.exe
c:\windows\system32\tpszxyd.sys
c:\windows\system32\udxfytw.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AFISICX
-------\Legacy_DEFAULTLIB
-------\Legacy_MABIDWE
-------\Legacy_SOXPECA
-------\Service_afisicx
-------\Service_defaultlib
-------\Service_mabidwe
-------\Service_soxpeca


((((((((((((((((((((((((( Files Created from 2009-01-23 to 2009-02-23 )))))))))))))))))))))))))))))))
.

2009-02-22 19:10 . 2009-02-22 19:11 1,608,251 ---hs---- c:\windows\system32\ihagogog.ini
2009-02-22 17:46 . 2009-02-22 17:46 129,024 --ahs---- c:\windows\system32\mjwgmr.dll
2009-02-22 12:26 . 2009-02-22 12:26 86,016 --a------ c:\windows\system32\u122221831.dll
2009-02-22 12:26 . 2009-02-22 12:26 77,824 --a------ c:\windows\system32\u122218730.dll
2009-02-22 12:26 . 2009-02-22 12:26 59,392 --a------ c:\windows\system32\atlsystem285497.exe
2009-02-22 12:26 . 2009-02-22 12:26 58,880 --a------ c:\windows\system32\atlsystem257367.exe
2009-02-22 12:26 . 2009-02-22 12:26 58,880 --a------ c:\windows\system32\atlsystem155149.exe
2009-02-22 12:26 . 2009-02-22 12:26 58,880 --a------ c:\windows\system32\atlsystem136313.exe
2009-02-22 05:46 . 2009-02-22 05:46 129,024 --ahs---- c:\windows\system32\dvdniq.dll
2009-02-21 17:46 . 2009-02-21 17:46 129,024 --ahs---- c:\windows\system32\mhcdbu.dll
2009-02-21 12:38 . 2009-02-21 12:38 86,016 --a------ c:\windows\system32\u122196841.dll
2009-02-21 12:38 . 2009-02-21 12:38 77,824 --a------ c:\windows\system32\u122154640.dll
2009-02-21 12:38 . 2009-02-21 12:38 59,904 --a------ c:\windows\system32\atlsystem849649.exe
2009-02-21 12:38 . 2009-02-21 12:38 59,904 --a------ c:\windows\system32\atlsystem62119.exe
2009-02-21 08:28 . 2009-02-21 08:28 59,904 --a------ c:\windows\system32\atlsystem699632.exe
2009-02-21 05:45 . 2009-02-21 05:45 129,024 --ahs---- c:\windows\system32\hrhwsl.dll
2009-02-20 18:56 . 2009-02-20 18:56 86,016 --a------ c:\windows\system32\u182092155.dll
2009-02-20 18:56 . 2009-02-20 18:56 77,824 --a------ c:\windows\system32\u182085954.dll
2009-02-20 18:56 . 2009-02-20 18:56 65,536 --a------ c:\windows\system32\der9449803.dll
2009-02-20 09:08 . 2009-02-20 09:08 122,880 --a------ c:\windows\system32\atlsystem585712.exe
2009-02-20 09:08 . 2009-02-20 09:08 86,016 --a------ c:\windows\system32\u92015624.dll
2009-02-20 09:08 . 2009-02-20 09:08 77,824 --a------ c:\windows\system32\u92064024.dll
2009-02-19 13:44 . 2009-02-19 13:44 77,824 --a------ c:\windows\system32\u131935922.dll
2009-02-19 13:44 . 2009-02-19 13:44 65,536 --a------ c:\windows\system32\der3339170.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-22 03:18 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Move Networks
2009-02-22 03:17 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-02-22 00:34 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-02-21 17:48 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-21 17:47 --------- d-----w c:\program files\SpywareBlaster
2009-01-30 01:30 --------- d-----w c:\program files\McAfee
2009-01-25 14:18 --------- d-----w c:\program files\Google
2009-01-09 00:26 --------- d-----w c:\program files\JumpStart
2009-01-06 16:20 --------- d-----w c:\program files\QuickTime
2009-01-06 16:20 --------- d-----w c:\documents and settings\All Users\Application Data\QuickTime
2009-01-06 16:19 --------- d-----w c:\program files\Common Files\Knowledge Adventure
2009-01-06 16:19 --------- d-----w c:\documents and settings\All Users\Application Data\Knowledge Adventure
2009-01-06 00:28 --------- d-----w c:\program files\Common Files\JumpStart
2009-01-06 00:28 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\InstallShield
2007-01-19 01:21 150 ----a-w c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
1601-01-01 00:12 47,616 --sha-w c:\windows\system32\hasomola.dll
1601-01-01 00:12 47,616 --sha-w c:\windows\system32\pipibuju.dll
.

((((((((((((((((((((((((((((( snapshot@2008-12-15_22.18.40.79 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-11 12:33:59 333,952 ----a-w c:\windows\$hf_mig$\KB958687\SP3QFE\srv.sys
+ 2007-11-30 12:39:22 17,272 ----a-w c:\windows\$hf_mig$\KB958687\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w c:\windows\$hf_mig$\KB958687\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w c:\windows\$hf_mig$\KB958687\update\spcustom.dll
+ 2007-11-30 11:18:51 755,576 ----a-w c:\windows\$hf_mig$\KB958687\update\update.exe
+ 2007-11-30 11:18:51 382,840 ----a-w c:\windows\$hf_mig$\KB958687\update\updspapi.dll
+ 2008-12-12 17:14:50 3,067,904 ----a-w c:\windows\$hf_mig$\KB960714\SP3QFE\mshtml.dll
+ 2007-11-30 12:39:22 17,272 ----a-w c:\windows\$hf_mig$\KB960714\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w c:\windows\$hf_mig$\KB960714\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w c:\windows\$hf_mig$\KB960714\update\spcustom.dll
+ 2008-07-09 07:38:29 755,576 ----a-w c:\windows\$hf_mig$\KB960714\update\update.exe
+ 2007-11-30 11:18:51 382,840 ----a-w c:\windows\$hf_mig$\KB960714\update\updspapi.dll
+ 2007-11-30 12:39:22 231,288 -c----w c:\windows\$NtUninstallKB958687$\spuninst\spuninst.exe
+ 2007-11-30 11:18:51 382,840 -c----w c:\windows\$NtUninstallKB958687$\spuninst\updspapi.dll
+ 2008-09-08 10:41:42 333,824 -c----w c:\windows\$NtUninstallKB958687$\srv.sys
+ 2008-10-16 01:00:11 3,067,904 -c----w c:\windows\$NtUninstallKB960714$\mshtml.dll
+ 2007-11-30 12:39:22 231,288 -c----w c:\windows\$NtUninstallKB960714$\spuninst\spuninst.exe
+ 2007-11-30 11:18:51 382,840 -c----w c:\windows\$NtUninstallKB960714$\spuninst\updspapi.dll
+ 2009-01-27 21:57:27 160,488 ----a-w c:\windows\Downloaded Program Files\contactx.dll
+ 2007-07-01 00:09:06 175,968 ----a-w c:\windows\Downloaded Program Files\IEAWSDC.DLL
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\1-15-2009\ERDNT.EXE
+ 2009-01-15 14:17:42 4,816,896 ----a-w c:\windows\ERDNT\AutoBackup\1-15-2009\Users\00000001\NTUSER.DAT
+ 2009-01-15 14:17:43 192,512 ----a-w c:\windows\ERDNT\AutoBackup\1-15-2009\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\1-19-2009\ERDNT.EXE
+ 2009-01-20 02:24:55 4,816,896 ----a-w c:\windows\ERDNT\AutoBackup\1-19-2009\Users\00000001\NTUSER.DAT
+ 2009-01-20 02:24:56 192,512 ----a-w c:\windows\ERDNT\AutoBackup\1-19-2009\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\1-20-2009\ERDNT.EXE
+ 2009-01-20 18:08:02 4,796,416 ----a-w c:\windows\ERDNT\AutoBackup\1-20-2009\Users\00000001\NTUSER.DAT
+ 2009-01-20 18:08:03 192,512 ----a-w c:\windows\ERDNT\AutoBackup\1-20-2009\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\1-22-2009\ERDNT.EXE
+ 2009-01-22 17:13:06 4,812,800 ----a-w c:\windows\ERDNT\AutoBackup\1-22-2009\Users\00000001\NTUSER.DAT
+ 2009-01-22 17:13:06 192,512 ----a-w c:\windows\ERDNT\AutoBackup\1-22-2009\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\1-23-2009\ERDNT.EXE
+ 2009-01-23 14:01:32 4,820,992 ----a-w c:\windows\ERDNT\AutoBackup\1-23-2009\Users\00000001\NTUSER.DAT
+ 2009-01-23 14:01:32 192,512 ----a-w c:\windows\ERDNT\AutoBackup\1-23-2009\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\1-24-2009\ERDNT.EXE
+ 2009-01-24 13:58:29 4,820,992 ----a-w c:\windows\ERDNT\AutoBackup\1-24-2009\Users\00000001\NTUSER.DAT
+ 2009-01-24 13:58:29 192,512 ----a-w c:\windows\ERDNT\AutoBackup\1-24-2009\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\1-26-2009\ERDNT.EXE
+ 2009-01-26 14:07:08 4,825,088 ----a-w c:\windows\ERDNT\AutoBackup\1-26-2009\Users\00000001\NTUSER.DAT
+ 2009-01-26 14:07:08 192,512 ----a-w c:\windows\ERDNT\AutoBackup\1-26-2009\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\1-27-2009\ERDNT.EXE
+ 2009-01-27 13:41:53 4,829,184 ----a-w c:\windows\ERDNT\AutoBackup\1-27-2009\Users\00000001\NTUSER.DAT
+ 2009-01-27 13:41:53 192,512 ----a-w c:\windows\ERDNT\AutoBackup\1-27-2009\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\1-28-2009\ERDNT.EXE
+ 2009-01-28 13:59:45 4,829,184 ----a-w c:\windows\ERDNT\AutoBackup\1-28-2009\Users\00000001\NTUSER.DAT
+ 2009-01-28 13:59:46 192,512 ----a-w c:\windows\ERDNT\AutoBackup\1-28-2009\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\1-29-2009\ERDNT.EXE
+ 2009-01-29 16:22:43 4,829,184 ----a-w c:\windows\ERDNT\AutoBackup\1-29-2009\Users\00000001\NTUSER.DAT
+ 2009-01-29 16:22:43 192,512 ----a-w c:\windows\ERDNT\AutoBackup\1-29-2009\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\1-30-2009\ERDNT.EXE
+ 2009-01-30 14:14:10 4,829,184 ----a-w c:\windows\ERDNT\AutoBackup\1-30-2009\Users\00000001\NTUSER.DAT
+ 2009-01-30 14:14:11 192,512 ----a-w c:\windows\ERDNT\AutoBackup\1-30-2009\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\1-31-2009\ERDNT.EXE
+ 2009-01-31 14:23:42 4,849,664 ----a-w c:\windows\ERDNT\AutoBackup\1-31-2009\Users\00000001\NTUSER.DAT
+ 2009-01-31 14:23:42 192,512 ----a-w c:\windows\ERDNT\AutoBackup\1-31-2009\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\2-1-2009\ERDNT.EXE
+ 2009-02-01 13:56:30 4,849,664 ----a-w c:\windows\ERDNT\AutoBackup\2-1-2009\Users\00000001\NTUSER.DAT
+ 2009-02-01 13:56:31 192,512 ----a-w c:\windows\ERDNT\AutoBackup\2-1-2009\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\2-10-2009\ERDNT.EXE
+ 2009-02-10 10:35:37 4,861,952 ----a-w c:\windows\ERDNT\AutoBackup\2-10-2009\Users\00000001\NTUSER.DAT
+ 2009-02-10 10:35:38 192,512 ----a-w c:\windows\ERDNT\AutoBackup\2-10-2009\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\2-11-2009\ERDNT.EXE
+ 2009-02-11 14:22:20 4,931,584 ----a-w c:\windows\ERDNT\AutoBackup\2-11-2009\Users\00000001\NTUSER.DAT
+ 2009-02-11 14:22:20 192,512 ----a-w c:\windows\ERDNT\AutoBackup\2-11-2009\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\2-12-2009\ERDNT.EXE
+ 2009-02-12 14:34:54 4,943,872 ----a-w c:\windows\ERDNT\AutoBackup\2-12-2009\Users\00000001\NTUSER.DAT
+ 2009-02-12 14:34:54 192,512 ----a-w c:\windows\ERDNT\AutoBackup\2-12-2009\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\2-13-2009\ERDNT.EXE
+ 2009-02-13 14:34:32 4,956,160 ----a-w c:\windows\ERDNT\AutoBackup\2-13-2009\Users\00000001\NTUSER.DAT
+ 2009-02-13 14:34:32 192,512 ----a-w c:\windows\ERDNT\AutoBackup\2-13-2009\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\2-14-2009\ERDNT.EXE
+ 2009-02-14 13:25:19 4,956,160 ----a-w c:\windows\ERDNT\AutoBackup\2-14-2009\Users\00000001\NTUSER.DAT
+ 2009-02-14 13:25:19 192,512 ----a-w c:\windows\ERDNT\AutoBackup\2-14-2009\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\2-16-2009\ERDNT.EXE
+ 2009-02-16 14:00:26 4,956,160 ----a-w c:\windows\ERDNT\AutoBackup\2-16-2009\Users\00000001\NTUSER.DAT
+ 2009-02-16 14:00:27 192,512 ----a-w c:\windows\ERDNT\AutoBackup\2-16-2009\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\2-17-2009\ERDNT.EXE
+ 2009-02-17 16:28:18 4,976,640 ----a-w c:\windows\ERDNT\AutoBackup\2-17-2009\Users\00000001\NTUSER.DAT
+ 2009-02-17 16:28:19 192,512 ----a-w c:\windows\ERDNT\AutoBackup\2-17-2009\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\2-18-2009\ERDNT.EXE
+ 2009-02-18 12:58:06 5,025,792 ----a-w c:\windows\ERDNT\AutoBackup\2-18-2009\Users\00000001\NTUSER.DAT
+ 2009-02-18 12:58:06 192,512 ----a-w c:\windows\ERDNT\AutoBackup\2-18-2009\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\2-20-2009\ERDNT.EXE
+ 2009-02-20 1454 5,042,176 ----a-w c:\windows\ERDNT\AutoBackup\2-20-2009\Users\00000001\NTUSER.DAT
+ 2009-02-20 1454 192,512 ----a-w c:\windows\ERDNT\AutoBackup\2-20-2009\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\2-21-2009\ERDNT.EXE
+ 2009-02-21 17:37:43 5,042,176 ----a-w c:\windows\ERDNT\AutoBackup\2-21-2009\Users\00000001\NTUSER.DAT
+ 2009-02-21 17:37:43 192,512 ----a-w c:\windows\ERDNT\AutoBackup\2-21-2009\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\2-22-2009\ERDNT.EXE
+ 2009-02-22 17:25:35 5,042,176 ----a-w c:\windows\ERDNT\AutoBackup\2-22-2009\Users\00000001\NTUSER.DAT
+ 2009-02-22 17:25:36 192,512 ----a-w c:\windows\ERDNT\AutoBackup\2-22-2009\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\2-3-2009\ERDNT.EXE
+ 2009-02-03 14:45:36 4,841,472 ----a-w c:\windows\ERDNT\AutoBackup\2-3-2009\Users\00000001\NTUSER.DAT
+ 2009-02-03 14:45:37 192,512 ----a-w c:\windows\ERDNT\AutoBackup\2-3-2009\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\2-5-2009\ERDNT.EXE
+ 2009-02-05 12:28:14 4,841,472 ----a-w c:\windows\ERDNT\AutoBackup\2-5-2009\Users\00000001\NTUSER.DAT
+ 2009-02-05 12:28:14 192,512 ----a-w c:\windows\ERDNT\AutoBackup\2-5-2009\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\2-6-2009\ERDNT.EXE
+ 2009-02-06 14:42:19 4,861,952 ----a-w c:\windows\ERDNT\AutoBackup\2-6-2009\Users\00000001\NTUSER.DAT
+ 2009-02-06 14:42:20 192,512 ----a-w c:\windows\ERDNT\AutoBackup\2-6-2009\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\2-7-2009\ERDNT.EXE
+ 2009-02-07 22:59:23 4,861,952 ----a-w c:\windows\ERDNT\AutoBackup\2-7-2009\Users\00000001\NTUSER.DAT
+ 2009-02-07 22:59:23 192,512 ----a-w c:\windows\ERDNT\AutoBackup\2-7-2009\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\2-8-2009\ERDNT.EXE
+ 2009-02-08 13:59:36 4,870,144 ----a-w c:\windows\ERDNT\AutoBackup\2-8-2009\Users\00000001\NTUSER.DAT
+ 2009-02-08 13:59:36 192,512 ----a-w c:\windows\ERDNT\AutoBackup\2-8-2009\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\2-9-2009\ERDNT.EXE
+ 2009-02-09 14:09:19 4,861,952 ----a-w c:\windows\ERDNT\AutoBackup\2-9-2009\Users\00000001\NTUSER.DAT
+ 2009-02-09 14:09:19 192,512 ----a-w c:\windows\ERDNT\AutoBackup\2-9-2009\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\2009-02-22\ERDNT.EXE
+ 2009-02-23 00:10:22 5,042,176 ----a-w c:\windows\ERDNT\AutoBackup\2009-02-22\Users\00000001\NTUSER.DAT
+ 2009-02-23 00:10:22 192,512 ----a-w c:\windows\ERDNT\AutoBackup\2009-02-22\Users\00000002\UsrClass.dat
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2008-04-18 02:13:00 811,008 ----a-w c:\windows\gmer.exe
+ 2008-04-18 02:13:02 811,008 ----a-r c:\windows\gmer.exe
+ 2009-01-05 21:53:15 102,218 ----a-w c:\windows\hpoins05.dat
+ 2005-12-17 05:56:02 17,505 ------w c:\windows\hpomdl07.dat
- 2000-08-31 13:00:00 28,672 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 13:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
+ 2009-02-23 00:11:48 90,112 ----a-w c:\windows\system32\200921146.dll
+ 2009-02-23 00:11:54 58,880 ----a-w c:\windows\system32\atlsystem213489.exe
+ 2009-02-23 00:11:51 58,880 ----a-w c:\windows\system32\atlsystem469190.exe
+ 2009-02-23 00:11:57 59,392 ----a-w c:\windows\system32\atlsystem53261.exe
+ 2009-02-23 00:11:52 58,880 ----a-w c:\windows\system32\atlsystem97272.exe
+ 2009-02-21 10:45:57 84,992 --sha-w c:\windows\system32\batufuke.dll
+ 2009-02-21 10:45:56 79,872 --sha-w c:\windows\system32\bofuwike.dll
- 2008-12-16 03:04:03 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-22 22:16:48 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-16 03:04:03 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-22 22:16:48 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-22 22:16:48 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-10-16 01:00:11 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
+ 2008-12-12 17:01:00 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
- 2008-09-08 10:41:42 333,824 ------w c:\windows\system32\dllcache\srv.sys
+ 2008-12-11 10:57:09 333,952 ------w c:\windows\system32\dllcache\srv.sys
+ 2008-04-13 19:45:40 32,128 ----a-w c:\windows\system32\dllcache\usbccgp.sys
+ 2005-03-08 04:43:25 51,120 ----a-r c:\windows\system32\drivers\HPZid412.sys
+ 2005-03-08 04:43:26 16,496 ----a-r c:\windows\system32\drivers\HPZipr12.sys
+ 2005-03-08 04:43:27 21,744 ----a-r c:\windows\system32\drivers\HPZius12.sys
- 2008-09-08 10:41:42 333,824 ------w c:\windows\system32\drivers\srv.sys
+ 2008-12-11 10:57:09 333,952 ------w c:\windows\system32\drivers\srv.sys
+ 2008-04-13 19:45:40 32,128 ----a-w c:\windows\system32\drivers\usbccgp.sys
+ 2009-02-22 10:46:39 129,024 --sha-w c:\windows\system32\famujize.dll
+ 2009-02-21 22:46:12 79,872 --sha-w c:\windows\system32\gelazuvi.dll
+ 2009-02-22 22:46:41 79,872 --sha-w c:\windows\system32\gogogahi.dll
+ 2009-02-21 22:46:12 84,992 --sha-w c:\windows\system32\gomukamu.dll
+ 2005-04-08 01:51:15 278,528 ----a-r c:\windows\system32\hpgwiamd.dll
+ 2005-04-08 01:51:07 606,208 ----a-r c:\windows\system32\hpotscl.dll
+ 2005-04-08 01:51:10 258,122 ----a-r c:\windows\system32\hpovst08.dll
+ 2005-03-08 04:39:43 274,432 ----a-r c:\windows\system32\HPZc3212.dll
+ 2005-03-08 04:41:42 196,608 ----a-w c:\windows\system32\hpzcoi12.dll
+ 2005-03-08 04:41:47 393,216 ----a-w c:\windows\system32\hpzcon12.dll
+ 2005-12-17 05:56:21 98,304 ----a-w c:\windows\system32\hpzjsn01.dll
+ 2005-03-08 04:41:42 139,345 ----a-w c:\windows\system32\hpzlnt12.dll
+ 2009-02-21 10:45:56 129,024 --sha-w c:\windows\system32\hugeloko.dll
+ 2008-10-05 03:16:26 235,936 ----a-r c:\windows\system32\Macromed\Flash\FlashUtil10a.exe
+ 2009-01-20 18:43:26 88,590 ----a-w c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
- 2008-10-16 01:00:11 3,067,904 ----a-w c:\windows\system32\mshtml.dll
+ 2008-12-12 17:01:00 3,067,904 ----a-w c:\windows\system32\mshtml.dll
+ 2004-08-09 21:00:00 240,640 ----a-w c:\windows\system32\msrstart.exe
+ 2004-08-09 21:00:00 240,640 ----a-w c:\windows\system32\nxtepad.exe
+ 2009-02-21 22:46:13 129,024 --sha-w c:\windows\system32\puyinohe.dll
+ 2001-06-19 19:28:31 69,632 ----a-w c:\windows\system32\QuickTime\QTUninst.dll
+ 2001-06-20 21:34:42 49,664 ----a-w c:\windows\system32\QuickTime\QuickTimeUpdateHelper.exe
- 2007-11-30 12:39:22 17,272 ------w c:\windows\system32\spmsg.dll
+ 2008-07-09 07:38:24 17,272 ------w c:\windows\system32\spmsg.dll
+ 2005-04-12 12:50:48 179,931 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpop1512.dat
+ 2005-03-08 04:41:41 212,992 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpz2ku12.dll
+ 2005-03-08 04:41:46 299,008 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzcfg12.exe
+ 2005-03-08 04:41:42 196,608 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzcoi12.dll
+ 2005-03-08 04:41:47 393,216 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzcon12.dll
+ 2005-03-08 04:41:48 659,456 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzeng12.exe
+ 2005-03-08 04:41:49 69,632 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzflt12.dll
+ 2005-03-08 04:41:51 1,597,440 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzimc12.dll
+ 2005-03-08 04:41:54 352,256 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzime12.dll
+ 2005-03-08 04:41:57 2,150,400 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzims12.dll
+ 2005-03-08 04:42:01 225,280 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzjui12.dll
+ 2005-03-08 04:41:42 139,345 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzlnt12.dll
+ 2005-03-08 04:42:02 143,360 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzpcl12.dll
+ 2005-03-08 04:41:43 507,904 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzpm312.dll
+ 2005-03-08 04:42:03 331,776 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzpre12.exe
+ 2005-03-08 04:44:24 3,203,072 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzr3212.dll
+ 2005-03-08 04:42:04 372,736 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzres12.dll
+ 2005-03-08 04:44:26 1,761,280 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzrm312.dll
+ 2005-03-08 04:42:05 679,936 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzslk12.dll
+ 2005-03-18 03:32:53 180,315 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzsnt12.dll
+ 2005-03-08 04:42:06 401,408 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzstc12.exe
+ 2005-03-08 04:42:07 180,224 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzstw12.exe
+ 2005-03-08 04:42:08 61,440 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpztbi12.dll
+ 2005-03-08 04:42:09 176,128 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpztbu12.exe
+ 2005-03-08 04:42:10 7,348,224 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpztbx12.exe
+ 2005-03-08 04:42:17 176,188 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzvip12.dll
+ 2005-04-12 12:50:48 179,931 ----a-r c:\windows\system32\spool\drivers\w32x86\hppsc_1500_series2609\hpop1512.dat
+ 2005-03-08 04:41:41 212,992 ----a-w c:\windows\system32\spool\drivers\w32x86\hppsc_1500_series2609\hpz2ku12.dll
+ 2005-03-08 04:41:46 299,008 ----a-w c:\windows\system32\spool\drivers\w32x86\hppsc_1500_series2609\hpzcfg12.exe
+ 2005-03-08 04:41:42 196,608 ----a-w c:\windows\system32\spool\drivers\w32x86\hppsc_1500_series2609\hpzcoi12.dll
+ 2005-03-08 04:41:47 393,216 ----a-w c:\windows\system32\spool\drivers\w32x86\hppsc_1500_series2609\hpzcon12.dll
+ 2005-03-08 04:41:48 659,456 ----a-w c:\windows\system32\spool\drivers\w32x86\hppsc_1500_series2609\hpzeng12.exe
+ 2005-03-08 04:41:49 69,632 ----a-w c:\windows\system32\spool\drivers\w32x86\hppsc_1500_series2609\hpzflt12.dll
+ 2005-03-08 04:41:51 1,597,440 ----a-w c:\windows\system32\spool\drivers\w32x86\hppsc_1500_series2609\hpzimc12.dll
+ 2005-03-08 04:41:54 352,256 ----a-w c:\windows\system32\spool\drivers\w32x86\hppsc_1500_series2609\hpzime12.dll
+ 2005-03-08 04:41:57 2,150,400 ----a-w c:\windows\system32\spool\drivers\w32x86\hppsc_1500_series2609\hpzims12.dll
+ 2005-03-08 04:42:01 225,280 ----a-w c:\windows\system32\spool\drivers\w32x86\hppsc_1500_series2609\hpzjui12.dll
+ 2005-03-08 04:41:42 139,345 ----a-w c:\windows\system32\spool\drivers\w32x86\hppsc_1500_series2609\hpzlnt12.dll
+ 2005-03-08 04:42:02 143,360 ----a-w c:\windows\system32\spool\drivers\w32x86\hppsc_1500_series2609\hpzpcl12.dll
+ 2005-03-08 04:41:43 507,904 ----a-w c:\windows\system32\spool\drivers\w32x86\hppsc_1500_series2609\hpzpm312.dll
+ 2005-03-08 04:42:03 331,776 ----a-w c:\windows\system32\spool\drivers\w32x86\hppsc_1500_series2609\hpzpre12.exe
+ 2005-03-08 04:44:24 3,203,072 ----a-w c:\windows\system32\spool\drivers\w32x86\hppsc_1500_series2609\hpzr3212.dll
+ 2005-03-08 04:42:04 372,736 ----a-w c:\windows\system32\spool\drivers\w32x86\hppsc_1500_series2609\hpzres12.dll
+ 2005-03-08 04:44:26 1,761,280 ----a-w c:\windows\system32\spool\drivers\w32x86\hppsc_1500_series2609\hpzrm312.dll
+ 2005-03-08 04:42:05 679,936 ----a-w c:\windows\system32\spool\drivers\w32x86\hppsc_1500_series2609\hpzslk12.dll
+ 2005-03-18 03:32:53 180,315 ----a-w c:\windows\system32\spool\drivers\w32x86\hppsc_1500_series2609\hpzsnt12.dll
+ 2005-03-08 04:42:06 401,408 ----a-w c:\windows\system32\spool\drivers\w32x86\hppsc_1500_series2609\hpzstc12.exe
+ 2005-03-08 04:42:07 180,224 ----a-w c:\windows\system32\spool\drivers\w32x86\hppsc_1500_series2609\hpzstw12.exe
+ 2005-03-08 04:42:08 61,440 ----a-w c:\windows\system32\spool\drivers\w32x86\hppsc_1500_series2609\hpztbi12.dll
+ 2005-03-08 04:42:09 176,128 ----a-w c:\windows\system32\spool\drivers\w32x86\hppsc_1500_series2609\hpztbu12.exe
+ 2005-03-08 04:42:10 7,348,224 ----a-w c:\windows\system32\spool\drivers\w32x86\hppsc_1500_series2609\hpztbx12.exe
+ 2005-03-08 04:42:17 176,188 ----a-w c:\windows\system32\spool\drivers\w32x86\hppsc_1500_series2609\hpzvip12.dll
+ 2009-02-22 10:46:38 84,992 --sha-w c:\windows\system32\tunayiri.dll
+ 2009-02-23 00:11:50 77,824 ----a-w c:\windows\system32\u19227849.dll
+ 2009-02-23 00:11:56 86,016 ----a-w c:\windows\system32\u192284353.dll
+ 2004-08-09 21:00:00 32,768 ----a-w c:\windows\system32\umtcdtw.sys
+ 2009-02-22 22:46:41 129,024 --sha-w c:\windows\system32\wibakihi.dll
+ 2009-02-22 22:46:42 84,992 --sha-w c:\windows\system32\yorupota.dll
+ 2009-02-23 00:10:50 16,384 ----a-w c:\windows\temp\Cookies\index.dat
+ 2009-02-23 00:10:50 16,384 ----a-w c:\windows\temp\History\History.IE5\index.dat
+ 2009-02-23 00:10:50 32,768 ----a-w c:\windows\temp\Temporary Internet Files\Content.IE5\index.dat
+ 1999-11-10 16:05:00 86,016 ----a-w c:\windows\unvise32qt.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5069d240-aec6-4f95-b742-8601258760fd}]
47616 --ahs---- c:\windows\system32\hasomola.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b31802d4-1547-45ca-a756-4215dcea50da}]
2009-02-21 17:46 129024 --ahs---- c:\windows\system32\mhcdbu.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-13 68856]
"HbDetect.exe"="c:\program files\Playskool\MADE FOR ME Software\HbDetect.exe" [2006-10-26 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-08-24 180269]
"Motive SmartBridge"="c:\progra~1\SBCLIG~1\SMARTB~1\MotiveSB.exe" [2003-12-10 380928]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-10-02 67488]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2007-11-30 1164576]
"bagasuwuwe"="c:\windows\system32\pipibuju.dll" [ 47616]
"CPM690b6d03"="c:\windows\system32\yorupota.dll" [2009-02-22 84992]
"6a385e9f"="c:\windows\system32\gogogahi.dll" [2009-02-22 79872]
"Explorer"="c:\windows\system32\msrstart.exe" [2004-08-09 240640]
"ftutil2"="ftutil2.dll" [2004-06-07 c:\windows\system32\ftutil2.dll]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 c:\windows\RTHDCPL.EXE]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 c:\windows\arpwrmsg.exe]
"nwiz"="nwiz.exe" [2006-05-09 c:\windows\system32\nwiz.exe]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Outlook.lnk - c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\outicon.exe [2007-09-13 104960]
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-08-24 36903]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"= "c:\windows\system32\yorupota.dll" [2009-02-22 84992]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yorupota.dll [2009-02-22 84992]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\yorupota.dll,c:\windows\system32\hoyolajo.dll
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\windows\system32\hoyolajo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 6.0\\AdobePhotoshopElementsMediaServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\WINDOWS\\explorer.exe"=

R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-10-02 124832]
R2 defaultlib;Service AntiVir;c:\windows\System32\svchost.exe -k netsvcs [2004-08-09 14336]
R2 eq2soft;Service Eset;c:\windows\System32\svchost.exe -k netsvcs [2004-08-09 14336]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-12-13 203280]
R2 netmantow;Network Connections.;c:\windows\System32\svchost.exe -k netsvcs [2004-08-09 14336]
R2 softyinforwow1;Sysmtens;c:\windows\System32\svchost.exe -k netsvcs [2004-08-09 14336]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - DEFAULTLIB

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
netmantow
softyinforwow1
eq2soft
.
Contents of the 'Scheduled Tasks' folder

2009-02-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-02-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://cm.my.yahoo.com/
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
Trusted Zone: trymedia.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
.
.
------- File Associations -------
.
txtfile="c:\windows\system32\nxtepad.exe" "%1"
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-22 19:10:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\tpszxyd.sys 240640 bytes executable
c:\windows\system32\u19227849.dll 77824 bytes executable
c:\windows\system32\u192284353.dll 86016 bytes executable
c:\windows\system32\atlsystem469190.exe 58880 bytes executable

scan completed successfully
hidden files: 4

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\afisicx]
"ImagePath"="c:\windows\system32\afisicx.exe"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\arservice.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\CTSVCCDA.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\nvsvc32.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Internet Explorer\iexplore.exe
c:\progra~1\Yahoo!\browser\ycommon.exe
c:\windows\system32\atlsystem469190.exe
c:\windows\system32\tpszxyd.sys
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
c:\windows\system32\umtcdtw.sys
c:\windows\system32\mabidwe.exe
c:\windows\system32\soxpeca.exe
.
**************************************************************************
.
Completion time: 2009-02-22 19:14:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-23 00:13:56
ComboFix2.txt 2008-12-16 03:19:42

Pre-Run: 200,807,825,408 bytes free
Post-Run: 200,830,435,328 bytes free

485 --- E O F --- 2009-02-11 14:44:04
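The "Reg Loading Points" section of the log above is where this infection shows itself: hidden+system DLLs registered as Browser Helper Objects and Run entries, a populated AppInit_DLLs list, a second LSA Notification Package next to scecli, Security Center and firewall switched off, vaguely named services hiding in svchost -k netsvcs, and the .txt handler pointing at nxtepad.exe. The script below is an added example for triaging such a section offline; it is not part of the original thread, of ComboFix or of DDS. The excerpt it runs over is constructed from log lines posted above, and the consonant/vowel name test is a heuristic for the Vundo-style random names seen here, not a definitive indicator.

```python
"""Triage a ComboFix/DDS 'Reg Loading Points' excerpt for persistence.

Added example, not part of the original thread or of ComboFix/DDS.
It flags the autostart patterns visible in the log above:
  - hidden+system (--ahs / --sha) modules under system32,
  - a populated AppInit_DLLs list,
  - LSA Notification Packages other than scecli,
  - Security Center notifications or the firewall switched off,
  - svchost -k netsvcs services that ComboFix did not hide as defaults,
  - the txtfile association pointing away from notepad.exe,
  - 8-letter names alternating consonant/vowel (a heuristic, not proof).
"""
import re

# Excerpt constructed from the log lines posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b31802d4-1547-45ca-a756-4215dcea50da}]
2009-02-21 17:46 129024 --ahs---- c:\windows\system32\mhcdbu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"bagasuwuwe"="c:\windows\system32\pipibuju.dll" [ 47616]
"CPM690b6d03"="c:\windows\system32\yorupota.dll" [2009-02-22 84992]
"Explorer"="c:\windows\system32\msrstart.exe" [2004-08-09 240640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\yorupota.dll,c:\windows\system32\hoyolajo.dll
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\windows\system32\hoyolajo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R2 eq2soft;Service Eset;c:\windows\System32\svchost.exe -k netsvcs [2004-08-09 14336]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-12-13 203280]

txtfile="c:\windows\system32\nxtepad.exe" "%1"
"""

VOWELS = set("aeiou")
SYSTEM32_MODULE = re.compile(r"c:\\windows\\system32\\([a-z0-9]+)\.(?:dll|exe|sys)", re.I)
SC_DISABLED = re.compile(r'"(?:antivirusdisablenotify|updatesdisablenotify|disablemonitoring)"=dword:00000001')


def looks_generated(name):
    """Heuristic: exactly 8 lowercase letters, strictly alternating
    consonant/vowel (batufuke, yorupota, pipibuju). msrstart does not fit."""
    if not re.fullmatch(r"[a-z]{8}", name):
        return False
    is_vowel = [c in VOWELS for c in name]
    return all(is_vowel[i] != is_vowel[i + 1] for i in range(7))


def triage(log_text):
    """Return a list of (reason, line) findings; one line can yield several."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        low = line.lower()
        if not line:
            continue
        if re.search(r"--(?:ahs|sha)", low) and "system32" in low:
            findings.append(("hidden+system autostart module", line))
        if low.startswith('"appinit_dlls"=') and low.split("=", 1)[1].strip():
            findings.append(("AppInit_DLLs populated", line))
        if low.startswith("notification packages"):
            # scecli is the only default LSA notification package on XP.
            pkgs = line.split("REG_MULTI_SZ", 1)[1].split()
            extra = [p for p in pkgs if p.lower() != "scecli"]
            if extra:
                findings.append(("extra LSA notification package: " + ", ".join(extra), line))
        if SC_DISABLED.search(low):
            findings.append(("Security Center notification disabled", line))
        if low.startswith('"enablefirewall"=') and "0 (0x0)" in low:
            findings.append(("Windows Firewall disabled", line))
        if low.startswith("r2 ") and "svchost.exe -k netsvcs" in low:
            # ComboFix hides known-default services, so a leftover netsvcs
            # entry with a vague display name deserves a look.
            findings.append(("netsvcs service in svchost: " + line.split(";", 1)[0][3:], line))
        if low.startswith("txtfile=") and "notepad.exe" not in low:
            findings.append(("txtfile association hijacked", line))
        for m in SYSTEM32_MODULE.finditer(low):
            if looks_generated(m.group(1)):
                findings.append(("generated-looking name: " + m.group(1), line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print("%-45s %s" % (reason, line))
```

On the excerpt this produces 12 findings. Note what it misses: the Run value named "Explorer" that launches msrstart.exe is not caught, because msrstart does not fit the name heuristic and the file carries the same 2004-08-09 timestamp as the genuine system files. The script narrows the list for a human; it does not clear anything.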
02-22-2009, 07:06 PM   #4
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,641
OS: XP SP3


Re: Dozens of Pop-ups and slow computer

Hello scoricha.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

This machine is heavily infected and will take several rounds, so please stay with me until the end. We'll take care of the firewall problem later.

------------------------------------------------------

Please uninstall the following via the Add or Remove Programs section of your Control Panel if they still exist:

Symantec KB-DocID:2003093015493306

------------------------------------------------------

Close any open browsers.

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the codebox below into Notepad:

Code:
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/348564-dozens-pop-ups-slow-computer.html#post1984718

Collect::
c:\windows\system32\ihagogog.ini
c:\windows\system32\mjwgmr.dll
c:\windows\system32\u122221831.dll
c:\windows\system32\u122218730.dll
c:\windows\system32\atlsystem285497.exe
c:\windows\system32\atlsystem257367.exe
c:\windows\system32\atlsystem155149.exe
c:\windows\system32\atlsystem136313.exe
c:\windows\system32\dvdniq.dll
c:\windows\system32\mhcdbu.dll
c:\windows\system32\u122196841.dll
c:\windows\system32\u122154640.dll
c:\windows\system32\atlsystem849649.exe
c:\windows\system32\atlsystem62119.exe
c:\windows\system32\atlsystem699632.exe
c:\windows\system32\hrhwsl.dll
c:\windows\system32\u182092155.dll
c:\windows\system32\u182085954.dll
c:\windows\system32\der9449803.dll
c:\windows\system32\atlsystem585712.exe
c:\windows\system32\u92015624.dll
c:\windows\system32\u92064024.dll
c:\windows\system32\u131935922.dll
c:\windows\system32\der3339170.dll
c:\windows\system32\hasomola.dll
c:\windows\system32\pipibuju.dll
c:\windows\system32\200921146.dll
c:\windows\system32\atlsystem213489.exe
c:\windows\system32\atlsystem469190.exe
c:\windows\system32\atlsystem53261.exe
c:\windows\system32\atlsystem97272.exe
c:\windows\system32\batufuke.dll
c:\windows\system32\bofuwike.dll
c:\windows\system32\famujize.dll
c:\windows\system32\gelazuvi.dll
c:\windows\system32\gogogahi.dll
c:\windows\system32\gomukamu.dll
c:\windows\system32\hugeloko.dll
c:\windows\system32\msrstart.exe
c:\windows\system32\nxtepad.exe
c:\windows\system32\puyinohe.dll
c:\windows\system32\tunayiri.dll
c:\windows\system32\u19227849.dll
c:\windows\system32\u192284353.dll
c:\windows\system32\umtcdtw.sys
c:\windows\system32\wibakihi.dll
c:\windows\system32\yorupota.dll

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

Driver::
defaultlib
eq2soft
Save this Notepad file as CFScript.txt to your Desktop and then close the file.





Referring to the picture above, drag CFScript onto ComboFix

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, ComboFix.txt in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
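The Registry:: section of the CFScript above writes the LSA "Notification Packages" value as `hex(7):73,63,65,63,6c,69,00,00`, which is the REG_MULTI_SZ list containing only scecli, so hoyolajo.dll is dropped from the list the log showed. Before running a fix script that rewrites a security-sensitive value like this one, it is worth decoding the bytes and confirming they say what you expect. The helper below is an added example, not part of the thread or of ComboFix: it decodes and builds `hex(7)` values and derives the corrected value from the log line. It assumes the REGEDIT4 (ANSI) form that the log's own loading-points section is labelled with; a `Windows Registry Editor Version 5.00` file would encode the same list as UTF-16LE, which the `regedit4=False` path handles.

```python
"""Decode and build REG_MULTI_SZ values in .reg 'hex(7):' notation.

Added example, not part of the original thread or of ComboFix. It checks
what the Registry:: section of the CFScript above actually writes: the
bytes 73,63,65,63,6c,69,00,00 must decode to exactly ['scecli'], i.e. the
LSA Notification Packages list with hoyolajo.dll removed. REGEDIT4 files
encode hex(7) as ANSI bytes; 'Windows Registry Editor Version 5.00' files
use UTF-16LE, so the header decides the codec (assumption: cp1252 ANSI).
"""
import re


def hex7_to_multi_sz(value, regedit4=True):
    """'hex(7):73,63,...' -> list of strings. Empty entries produced by the
    double-NUL terminator are dropped."""
    m = re.fullmatch(r"\s*hex\(7\):\s*([0-9a-fA-F,\s\\]*)", value)
    if not m:
        raise ValueError("not a hex(7) value: %r" % value)
    raw = bytes(int(b, 16) for b in re.findall(r"[0-9a-fA-F]{2}", m.group(1)))
    text = raw.decode("cp1252" if regedit4 else "utf-16-le")
    return [s for s in text.split("\0") if s]


def multi_sz_to_hex7(items, regedit4=True):
    """list of strings -> 'hex(7):..' including the double-NUL terminator."""
    text = "\0".join(items) + "\0\0"
    raw = text.encode("cp1252" if regedit4 else "utf-16-le")
    return "hex(7):" + ",".join("%02x" % b for b in raw)


def clean_notification_packages(log_line, allowed=("scecli",)):
    """Take the 'Notification Packages REG_MULTI_SZ ...' line from a ComboFix
    log and return (kept, dropped, reg_value), where reg_value is the hex(7)
    string a REGEDIT4-style fix script should write."""
    _, _, rest = log_line.partition("REG_MULTI_SZ")
    entries = rest.split()
    kept = [e for e in entries if e.lower() in allowed]
    dropped = [e for e in entries if e.lower() not in allowed]
    return kept, dropped, multi_sz_to_hex7(kept)


# Line excerpted from the log posted above.
LOG_LINE = r"Notification Packages REG_MULTI_SZ scecli c:\windows\system32\hoyolajo.dll"
# Value taken from the CFScript above.
SCRIPT_VALUE = "hex(7):73,63,65,63,6c,69,00,00"

if __name__ == "__main__":
    kept, dropped, fix = clean_notification_packages(LOG_LINE)
    print("keep    :", kept)
    print("drop    :", dropped)
    print("to write:", fix)
    print("script decodes to:", hex7_to_multi_sz(SCRIPT_VALUE))
    print("script matches   :", fix == SCRIPT_VALUE)
```

The same list encoded for a Version 5.00 file comes out twice as long (`73,00,63,00,...,00,00,00,00`); pasting an ANSI `hex(7)` into a Unicode .reg file, or the reverse, yields a value that decodes to garbage or to an empty list, which on this key would leave LSA with no notification packages at all.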
02-22-2009, 08:40 PM   #5
Registered User
 
Join Date: Nov 2008
Posts: 34
OS: XP


Re: Dozens of Pop-ups and slow computer

Hello,

I cannot find Symantec KB-DocID:2003093015493306 in the Add/Remove Programs. Is it okay to proceed with the rest of your instructions? Also, I had had trouble in the past with the "drag and drop" of the notepad document into Combofix. I have never been able to do that on this computer. If I cannot do this is there another method?

Thanks again for your help,
Jenny
02-22-2009, 08:56 PM   #6
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,641
OS: XP SP3


Re: Dozens of Pop-ups and slow computer

Yes, just skip that step.

If drag and drop doesn't work, do the following:

Go to Start > Run and copy/paste the following into the Run box and click OK:

"%userprofile%\desktop\combofix.exe" "%userprofile%\desktop\cfscript.txt"

------------------------------------------------------
02-23-2009, 06:11 AM   #7
Registered User
 
Join Date: Nov 2008
Posts: 34
OS: XP


Re: Dozens of Pop-ups and slow computer

Hello,

I had a little difficulty after running Combofix - it stalled on "attempting to create a restore point". I let it run all night, assuming it would run eventually, but when I woke up this morning it was at the same point. I rebooted the computer and re-ran. At first it said I had McAfee Virus-Scan on, which I had just turned off seconds before running Combofix. I went back into McAfee to double-check and it wasn't on, but I also turned off the Firewall too. Then I ran Combofix and it ran without any hangups. Also, I have been noticing some pop-ups after running, which weren't happening since I ran Combofix the previous time.

Here is the Combofix log, below:

Thank you!
Jenny
--------------------------------------
ComboFix 09-02-21.01 - HP_Administrator 2009-02-23 7:55:10.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1539 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\desktop\combofix.exe
Command switches used :: c:\documents and settings\HP_Administrator\desktop\cfscript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: COMODO Firewall *enabled*
FW: McAfee Personal Firewall *disabled*
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Install.txt
c:\windows\system32\200921146.dll
c:\windows\system32\200924939.dll
c:\windows\system32\afisicx.exe
c:\windows\system32\atlsystem136313.exe
c:\windows\system32\atlsystem155149.exe
c:\windows\system32\atlsystem257367.exe
c:\windows\system32\atlsystem285497.exe
c:\windows\system32\atlsystem585712.exe
c:\windows\system32\atlsystem62119.exe
c:\windows\system32\atlsystem699632.exe
c:\windows\system32\atlsystem849649.exe
c:\windows\system32\batufuke.dll
c:\windows\system32\bofuwike.dll
c:\windows\system32\comsa32.sys
c:\windows\system32\der3339170.dll
c:\windows\system32\der9449803.dll
c:\windows\system32\dvdniq.dll
c:\windows\system32\famujize.dll
c:\windows\system32\gelazuvi.dll
c:\windows\system32\gogogahi.dll
c:\windows\system32\gomukamu.dll
c:\windows\system32\hasomola.dll
c:\windows\system32\hrhwsl.dll
c:\windows\system32\hugeloko.dll
c:\windows\system32\ihagogog.ini
c:\windows\system32\mabidwe.exe
c:\windows\system32\mhcdbu.dll
c:\windows\system32\mjwgmr.dll
c:\windows\system32\msrstart.exe
c:\windows\system32\nxtepad.exe
c:\windows\system32\oweludak.ini
c:\windows\system32\pipibuju.dll
c:\windows\system32\puyinohe.dll
c:\windows\system32\soxpeca.exe
c:\windows\system32\tpszxyd.sys
c:\windows\system32\tunayiri.dll
c:\windows\system32\u122154640.dll
c:\windows\system32\u122196841.dll
c:\windows\system32\u122218730.dll
c:\windows\system32\u122221831.dll
c:\windows\system32\u131935922.dll
c:\windows\system32\u182085954.dll
c:\windows\system32\u182092155.dll
c:\windows\system32\u19227849.dll
c:\windows\system32\u192284353.dll
c:\windows\system32\u92015624.dll
c:\windows\system32\u92064024.dll
c:\windows\system32\umtcdtw.sys
c:\windows\system32\wibakihi.dll
c:\windows\system32\yorupota.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AFISICX
-------\Legacy_DEFAULTLIB
-------\Legacy_EQ2SOFT
-------\Legacy_MABIDWE
-------\Legacy_SOXPECA
-------\Service_afisicx
-------\Service_defaultlib
-------\Service_eq2soft
-------\Service_mabidwe
-------\Service_soxpeca


((((((((((((((((((((((((( Files Created from 2009-01-23 to 2009-02-23 )))))))))))))))))))))))))))))))
.

2009-02-23 07:49 . 2009-02-23 07:49 86,016 --a------ c:\windows\system32\u72356244.dll
2009-02-23 07:49 . 2009-02-23 07:49 77,824 --a------ c:\windows\system32\u72351540.dll
2009-02-23 07:49 . 2009-02-23 07:49 59,904 --a------ c:\windows\system32\atlsystem635150.exe
2009-02-23 07:49 . 2009-02-23 07:49 59,904 --a------ c:\windows\system32\atlsystem513704.exe
2009-02-23 07:49 . 2009-02-23 07:49 59,904 --a------ c:\windows\system32\atlsystem325641.exe
2009-02-23 07:49 . 2009-02-23 07:49 59,904 --a------ c:\windows\system32\atlsystem267764.exe
2009-02-23 05:46 . 2009-02-23 05:46 129,024 --ahs---- c:\windows\system32\zidrrf.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-23 01:34 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-02-22 03:18 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Move Networks
2009-02-22 03:17 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-02-21 17:48 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-21 17:47 --------- d-----w c:\program files\SpywareBlaster
2009-01-30 01:30 --------- d-----w c:\program files\McAfee
2009-01-25 14:18 --------- d-----w c:\program files\Google
2009-01-09 00:26 --------- d-----w c:\program files\JumpStart
2009-01-06 16:20 --------- d-----w c:\program files\QuickTime
2009-01-06 16:20 --------- d-----w c:\documents and settings\All Users\Application Data\QuickTime
2009-01-06 16:19 --------- d-----w c:\program files\Common Files\Knowledge Adventure
2009-01-06 16:19 --------- d-----w c:\documents and settings\All Users\Application Data\Knowledge Adventure
2009-01-06 00:28 --------- d-----w c:\program files\Common Files\JumpStart
2009-01-06 00:28 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\InstallShield
2007-01-19 01:21 150 ----a-w c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((( SnapShot_2009-02-22_19.13.08.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\2009-02-23\ERDNT.EXE
+ 2009-02-23 12:42:19 5,042,176 ----a-w c:\windows\ERDNT\AutoBackup\2009-02-23\Users\00000001\NTUSER.DAT
+ 2009-02-23 12:42:19 196,608 ----a-w c:\windows\ERDNT\AutoBackup\2009-02-23\Users\00000002\UsrClass.dat
- 2009-02-22 22:16:48 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-23 11:35:18 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-22 22:16:48 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-23 11:35:18 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-02-22 22:16:48 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-23 11:35:18 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-23 10:46:52 84,992 --sha-w c:\windows\system32\jekehafe.dll
+ 2009-02-23 10:46:52 79,872 --sha-w c:\windows\system32\kadulewo.dll
+ 2009-02-23 10:46:54 129,024 --sha-w c:\windows\system32\liwibaju.dll
+ 2009-02-23 12:58:47 16,384 ----atw c:\windows\temp\Perflib_Perfdata_46c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{635cd97f-5024-4a8e-ada4-699033109c8d}]
2009-02-23 05:46 129024 --ahs---- c:\windows\system32\zidrrf.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-13 68856]
"HbDetect.exe"="c:\program files\Playskool\MADE FOR ME Software\HbDetect.exe" [2006-10-26 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-08-24 180269]
"Motive SmartBridge"="c:\progra~1\SBCLIG~1\SMARTB~1\MotiveSB.exe" [2003-12-10 380928]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-10-02 67488]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2007-11-30 1164576]
"CPM690b6d03"="c:\windows\system32\jekehafe.dll" [2009-02-23 84992]
"ftutil2"="ftutil2.dll" [2004-06-07 c:\windows\system32\ftutil2.dll]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 c:\windows\RTHDCPL.EXE]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 c:\windows\arpwrmsg.exe]
"nwiz"="nwiz.exe" [2006-05-09 c:\windows\system32\nwiz.exe]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Outlook.lnk - c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\outicon.exe [2007-09-13 104960]
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-08-24 36903]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"= "c:\windows\system32\jekehafe.dll" [2009-02-23 84992]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\jekehafe.dll [2009-02-23 84992]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 6.0\\AdobePhotoshopElementsMediaServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Playskool\\MADE FOR ME Software\\HbDetect.exe"=

R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-10-02 124832]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-12-13 203280]
S2 netmantow;Network Connections.;c:\windows\System32\svchost.exe -k netsvcs [2004-08-09 14336]
S2 softyinforwow1;Sysmtens;c:\windows\System32\svchost.exe -k netsvcs [2004-08-09 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
netmantow
softyinforwow1
.
Contents of the 'Scheduled Tasks' folder

2009-02-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-02-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
- - - - ORPHANS REMOVED - - - -

BHO-{5069d240-aec6-4f95-b742-8601258760fd} - c:\windows\system32\hasomola.dll
HKLM-Run-bagasuwuwe - c:\windows\system32\pipibuju.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://cm.my.yahoo.com/
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
Trusted Zone: trymedia.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-23 07:59:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\arservice.exe
c:\windows\system32\CTSVCCDA.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\nvsvc32.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-02-23 8:02:18 - machine was rebooted [HP_Administrator]
ComboFix-quarantined-files.txt 2009-02-23 13:02:16
ComboFix2.txt 2009-02-23 00:14:14
ComboFix3.txt 2008-12-16 03:19:42

Pre-Run: 200,705,953,792 bytes free
Post-Run: 200,716,017,664 bytes free

258 --- E O F --- 2009-02-11 14:44:04
scoricha is offline  
Old 02-23-2009, 06:59 AM   #8 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,641
OS: XP SP3


Re: Dozens of Pop-ups and slow computer

Hello again, scoricha.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

It appears you didn't submit the file for analysis. If you didn't, please do the following:

There should be a file named [4]-Submit_date@time.zip located here:

C:\QooBox\Quarantine\[4]-Submit_Date@Time.zip

Please submit it to this site ==> http://www.bleepingcomputer.com/subm....php?channel=4

and include this link in the message:

http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/348564-dozens-pop-ups-slow-computer.html#post1984718


Please let me know if you successfully submitted the file. We'll have to submit another shortly. Thanks.

------------------------------------------------------

Close any open browsers.

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the codebox below into Notepad:

Code:
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/348564-dozens-pop-ups-slow-computer.html#post1985502

Collect::
c:\windows\system32\u72356244.dll
c:\windows\system32\u72351540.dll
c:\windows\system32\atlsystem635150.exe
c:\windows\system32\atlsystem513704.exe
c:\windows\system32\atlsystem325641.exe
c:\windows\system32\atlsystem267764.exe
c:\windows\system32\zidrrf.dll
c:\windows\system32\jekehafe.dll
c:\windows\system32\kadulewo.dll
c:\windows\system32\liwibaju.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000

DDS::
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html

NetSvc::
netmantow
softyinforwow1

Driver::
netmantow
softyinforwow1

Save this Notepad file as CFScript.txt to your Desktop and then close the file.





Referring to the picture above, drag CFScript onto ComboFix

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, ComboFix.txt in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
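The entries the helper pulled into the Collect:: and NetSvc:: sections of the CFScript above (freshly dropped DLLs with random-looking names in system32, files carrying hidden+system attributes, and the two bogus "svchost.exe -k netsvcs" services netmantow and softyinforwow1) follow recognisable patterns. The script below is an added example, not part of the thread and not ComboFix's own logic, that runs those heuristics over a handful of lines copied from the log in the previous post (embedded as constructed sample input) and prints what a first triage pass would flag. The name patterns, the seven-day recency window and the partial list of stock XP netsvcs members are assumptions; extend the list from a known-clean machine before relying on it.

```powershell
# Added example, not part of the thread: a first-pass triage over ComboFix log lines.
# Heuristics (assumed, not ComboFix's own):
#   1. file under c:\windows\system32 whose stem looks machine-generated (6-8 lowercase
#      letters, or a short prefix plus 5+ digits) AND created within $RecentDays of the log
#   2. file with both hidden (h) and system (s) attributes
#   3. service hosted by "svchost.exe -k netsvcs" whose name is not a stock XP netsvcs member

# Stock XP SP3 netsvcs members (partial, assumed; extend from a clean machine)
$StockNetSvcs = @('6to4','AppMgmt','AudioSrv','Browser','CryptSvc','DMServer','DHCP','ERSvc',
    'EventSystem','FastUserSwitchingCompatibility','HidServ','Ias','Iprip','Irmon','LanmanServer',
    'LanmanWorkstation','Messenger','Netman','Nla','Ntmssvc','NWCWorkstation','Nwsapagent',
    'Rasauto','Rasman','Remoteaccess','Schedule','Seclogon','SENS','Sharedaccess','SRService',
    'Tapisrv','Themes','TrkWks','W32Time','WZCSVC','Wmi','WmdmPmSp','winmgmt','wscsvc','xmlprov',
    'BITS','wuauserv','ShellHWDetection','helpsvc','uploadmgr','napagent','hkmsvc')

function Test-RandomStem {
    param([string]$Stem)
    # -cmatch is case-sensitive, so mixed-case vendor names such as NvCpl never match
    return ($Stem -cmatch '^[a-z]{6,8}$') -or ($Stem -cmatch '^[a-z]{1,9}\d{5,}$')
}

function Invoke-ComboFixTriage {
    param(
        [string]$LogText,
        [datetime]$LogDate,        # date the log was produced
        [int]$RecentDays = 7
    )
    # "Files Created" lines: 2009-02-23 07:49 . 2009-02-23 07:49 86,016 --a------ c:\...\x.dll
    # "SnapShot" lines:      + 2009-02-23 10:46:52 84,992 --sha-w c:\...\y.dll
    $fileRx = '^\+?\s*(?<created>\d{4}-\d{2}-\d{2})\s[\d:]+(?:\s\.\s\d{4}-\d{2}-\d{2}\s[\d:]+)?\s+(?<size>[\d,]+)\s+(?<attr>[-a-z]+)\s+(?<path>[a-z]:\\.+)$'
    # Service lines:         S2 name;Display Name;c:\windows\System32\svchost.exe -k netsvcs [2004-08-09 14336]
    $svcRx  = '^[RS]\d\s+(?<name>[^;]+);(?<display>[^;]*);(?<image>.+?)\s+\['
    $findings = @()
    foreach ($line in ($LogText -split "`r?`n")) {
        if ($line -match $fileRx) {
            $m = $Matches                      # copy: later -match calls replace $Matches
            $path = $m['path']
            $stem = [System.IO.Path]::GetFileNameWithoutExtension($path)
            $created = [datetime]::ParseExact($m['created'], 'yyyy-MM-dd', $null)
            $recent = ($LogDate - $created).TotalDays -le $RecentDays
            $oddName = ($path -like 'c:\windows\system32\*') -and (Test-RandomStem $stem)
            $hiddenSys = ($m['attr'] -match 'h') -and ($m['attr'] -match 's')
            $reasons = @()
            if ($oddName -and $recent) { $reasons += "random-looking name, created within $RecentDays days of the log" }
            if ($hiddenSys)            { $reasons += 'hidden+system attributes' }
            if ($reasons.Count -gt 0) {
                $findings += New-Object PSObject -Property @{ Item = $path; Reason = ($reasons -join '; ') }
            }
        }
        elseif ($line -match $svcRx) {
            $m = $Matches
            $name = $m['name'].Trim()
            if (($m['image'] -match 'svchost\.exe\s+-k\s+netsvcs') -and ($StockNetSvcs -notcontains $name)) {
                $findings += New-Object PSObject -Property @{ Item = "service $name"; Reason = 'svchost netsvcs member not in the stock XP list' }
            }
        }
    }
    return $findings
}

# Constructed sample: line shapes taken from the log in the previous post (NvCpl line added as a benign control)
$SampleLog = @'
2009-02-23 07:49 . 2009-02-23 07:49 86,016 --a------ c:\windows\system32\u72356244.dll
2009-02-23 07:49 . 2009-02-23 07:49 59,904 --a------ c:\windows\system32\atlsystem635150.exe
2009-02-23 05:46 . 2009-02-23 05:46 129,024 --ahs---- c:\windows\system32\zidrrf.dll
+ 2009-02-23 10:46:52 84,992 --sha-w c:\windows\system32\jekehafe.dll
+ 2009-02-23 10:46:54 129,024 --sha-w c:\windows\system32\liwibaju.dll
2006-05-09 12:00 . 2006-05-09 12:00 7,311,360 --a------ c:\windows\system32\NvCpl.dll
S2 netmantow;Network Connections.;c:\windows\System32\svchost.exe -k netsvcs [2004-08-09 14336]
S2 softyinforwow1;Sysmtens;c:\windows\System32\svchost.exe -k netsvcs [2004-08-09 14336]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-12-13 203280]
'@

Invoke-ComboFixTriage -LogText $SampleLog -LogDate ([datetime]'2009-02-23') | Format-Table Item, Reason -AutoSize
```

Run against the sample, it flags the five dropped files and the two fake services and leaves NvCpl.dll and the McAfee service alone. Paste a whole ComboFix log into $LogText to triage a real one; treat the output as a list of things to look at, not a verdict, since an eight-letter lowercase stem is also what some legitimate system files look like.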
Old 02-23-2009, 11:33 AM   #9 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 34
OS: XP


Re: Dozens of Pop-ups and slow computer

Hello,

I successfully submitted the file for analysis from the previous Combofix run. Here is the log from this run, below. I am not sure if the files were submitted or not, because I didn't see any prompt to send them.

Thank you,
scoricha

--------------------------------------

ComboFix 09-02-21.01 - HP_Administrator 2009-02-23 13:03:24.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1484 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\desktop\combofix.exe
Command switches used :: c:\documents and settings\HP_Administrator\desktop\cfscript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: COMODO Firewall *enabled*
FW: McAfee Personal Firewall *enabled*
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\atlsystem267764.exe
c:\windows\system32\atlsystem325641.exe
c:\windows\system32\atlsystem513704.exe
c:\windows\system32\atlsystem635150.exe
c:\windows\system32\jekehafe.dll
c:\windows\system32\kadulewo.dll
c:\windows\system32\liwibaju.dll
c:\windows\system32\u72351540.dll
c:\windows\system32\u72356244.dll
c:\windows\system32\zidrrf.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NETMANTOW
-------\Legacy_SOFTYINFORWOW1
-------\Service_netmantow
-------\Service_softyinforwow1


((((((((((((((((((((((((( Files Created from 2009-01-23 to 2009-02-23 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-23 01:34 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-02-22 03:18 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Move Networks
2009-02-22 03:17 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-02-21 17:48 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-21 17:47 --------- d-----w c:\program files\SpywareBlaster
2009-01-30 01:30 --------- d-----w c:\program files\McAfee
2009-01-25 14:18 --------- d-----w c:\program files\Google
2009-01-09 00:26 --------- d-----w c:\program files\JumpStart
2009-01-06 16:20 --------- d-----w c:\program files\QuickTime
2009-01-06 16:20 --------- d-----w c:\documents and settings\All Users\Application Data\QuickTime
2009-01-06 16:19 --------- d-----w c:\program files\Common Files\Knowledge Adventure
2009-01-06 16:19 --------- d-----w c:\documents and settings\All Users\Application Data\Knowledge Adventure
2009-01-06 00:28 --------- d-----w c:\program files\Common Files\JumpStart
2009-01-06 00:28 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\InstallShield
2007-01-19 01:21 150 ----a-w c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((( SnapShot_2009-02-22_19.13.08.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\2009-02-23\ERDNT.EXE
+ 2009-02-23 12:42:19 5,042,176 ----a-w c:\windows\ERDNT\AutoBackup\2009-02-23\Users\00000001\NTUSER.DAT
+ 2009-02-23 12:42:19 196,608 ----a-w c:\windows\ERDNT\AutoBackup\2009-02-23\Users\00000002\UsrClass.dat
- 2009-02-22 22:16:48 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-23 15:54:20 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-22 22:16:48 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-23 15:54:20 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-02-22 22:16:48 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-23 15:54:20 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-23 18:07:38 16,384 ----atw c:\windows\temp\Perflib_Perfdata_758.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-13 68856]
"HbDetect.exe"="c:\program files\Playskool\MADE FOR ME Software\HbDetect.exe" [2006-10-26 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-08-24 180269]
"Motive SmartBridge"="c:\progra~1\SBCLIG~1\SMARTB~1\MotiveSB.exe" [2003-12-10 380928]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-10-02 67488]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2007-11-30 1164576]
"ftutil2"="ftutil2.dll" [2004-06-07 c:\windows\system32\ftutil2.dll]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 c:\windows\RTHDCPL.EXE]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 c:\windows\arpwrmsg.exe]
"nwiz"="nwiz.exe" [2006-05-09 c:\windows\system32\nwiz.exe]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Outlook.lnk - c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\outicon.exe [2007-09-13 104960]
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-08-24 36903]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 6.0\\AdobePhotoshopElementsMediaServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Playskool\\MADE FOR ME Software\\HbDetect.exe"=

R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-10-02 124832]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-12-13 203280]
.
Contents of the 'Scheduled Tasks' folder

2009-02-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-02-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
- - - - ORPHANS REMOVED - - - -

BHO-{635cd97f-5024-4a8e-ada4-699033109c8d} - c:\windows\system32\zidrrf.dll
HKLM-Run-CPM690b6d03 - c:\windows\system32\jekehafe.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://cm.my.yahoo.com/
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
Trusted Zone: trymedia.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-23 13:08:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Office\Office\OUTLOOK.EXE
c:\windows\arservice.exe
c:\windows\system32\CTSVCCDA.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\nvsvc32.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-02-23 13:10:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-23 18:10:22
ComboFix2.txt 2009-02-23 13:02:19
ComboFix3.txt 2009-02-23 00:14:14
ComboFix4.txt 2008-12-16 03:19:42

Pre-Run: 200,785,002,496 bytes free
Post-Run: 200,774,647,808 bytes free

190 --- E O F --- 2009-02-11 14:44:04
scoricha is offline  
Old 02-23-2009, 01:28 PM   #10 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,641
OS: XP SP3


Re: Dozens of Pop-ups and slow computer

Hello again, scoricha. Thanks for submitting the file. Please tell us how your system is behaving.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

There should be a file named [4]-Submit_date@time.zip located here:

C:\QooBox\Quarantine\[4]-Submit_Date@Time.zip

Please select the later one, since you already submitted the earlier one.

Please submit it to this site ==> http://www.bleepingcomputer.com/subm....php?channel=4

and include this link in the message:

http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/348564-dozens-pop-ups-slow-computer.html#post1985502


Please let me know if you successfully submitted the file. Thanks.

------------------------------------------------------

Let's take care of those firewalls.

I am puzzled that Comodo shows enabled, while McAfee is disabled?

Quote:
FW: COMODO Firewall *enabled*
FW: McAfee Personal Firewall *disabled*
FW: Norton Internet Worm Protection *disabled*
It also shows Norton firewall as installed, though it's not listed in your installed programs. Is that a previous install also? You should only have one firewall installed and running at a time.

Please do the following to de-register any firewall product not installed on your machine:

**Note: Make sure you only delete Comodo and/or Norton products.
  • Go to Start > Run and copy/paste wbemtest into the Run box and click 'OK'.
  • Click 'Connect'.
  • Copy/paste root/securitycenter into the box and click 'Connect'.
  • Click 'Query'.
  • Copy/paste SELECT * FROM FirewallProduct under 'Enter Query' and click 'Apply'.
  • If there is more than one result, it means there is more than one Firewall program registered.
  • Double-click on each result to view the properties for that Firewall product.
  • Identify the product(s) registered by scrolling down to 'companyName' then click 'Close'.
  • In the 'Query Result' window, click 'Delete' for any Firewall software that is no longer installed.
  • Click 'Close', then 'Exit'.
------------------------------------------------------

Open Notepad and copy/paste the entire contents of the codebox below into Notepad (don't forget to copy and paste REGEDIT4):

Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Search Bar"=-

Save the file as fix.reg and choose to Save as type: - All Files then close the Notepad file.
It should look like this:

Double-click on fix.reg and choose Yes to merge/add it to the registry. Please delete the file afterwards.

------------------------------------------------------

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and Save it to your Desktop.
  • Scroll down to where it says Java Runtime Environment (JRE) 6 Update 12: The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the Download button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement
  • Click Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and Save the file to your Desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start(or My Computer) > Control Panel and double-click on Add or Remove Programs and remove all older versions of Java.
  • Click (highlight) any item with Java Runtime Environment (JRE, J2SE, Java(TM) SE or Java(TM) 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version.
  • After the install is complete, go back to your Control Panel (using Classic View) and click the Java icon (looks like a coffee cup).
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window.
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
    • Click OK to leave the Temporary Files Window.
    • Click OK to leave the Java Control Panel.
    • Delete jre-6u12-windows-i586-p.exe from your desktop.
------------------------------------------------------

Please download ATF-Cleaner by Atribune and Save it to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

------------------------------------------------------

Please run this online scan to help look for remnants.

Establish an internet connection & perform an online scan at Kaspersky Online Scanner

Ensure your external and/or USB drives are inserted during the scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at any Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected.
  • It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

------------------------------------------------------

Please post the following in your next reply:

Kaspersky report
report on system behavior
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
Old 02-23-2009, 07:10 PM   #11 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 34
OS: XP


Re: Dozens of Pop-ups and slow computer

Hello,

Okay, I was able to get through all of your instructions, except running the Kaspersky online scan. Every time I try to run the scan, I get an error message: "Program has failed to start. Program has failed to start. Close the Kaspersky Online Scanner 7.0 window and open it again to install the program. [ERROR: java.lang.NullPointerException]."

I am guessing this is a Java Error? I am also getting REAL message pop-ups, which are new... Just one more thing that I notice is always slowing down my computer is the "Updates from HP Agent" that seem to Always be running in the background. I tried to change the settings so that I am prompted for any new downloads, but the updates seem to be running constantly. If I "Ctrl-Alt-Del" and End Program, I can get them to stop. Could this be a symptom of the viruses? Other than these issues, my computer seems to be running a TON better - I cannot thank you enough already!

One more thing, I submitted the last ComboFix report for analysis too.

Thank you so much!
Jenny
Old 02-23-2009, 07:36 PM   #12 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,641
OS: XP SP3


Re: Dozens of Pop-ups and slow computer

Thanks for submitting the file.

Try this one:

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install.
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked.
  • Click Scan
  • Wait for the scan to finish.
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.
------------------------------------------------------

Quote:
I am also getting REAL message pop-ups, which are new
What do they say? If you couldn't get a report from ESET, run dds again and post DDS.txt in your next reply.

------------------------------------------------------

Quote:
"Updates from HP Agent"
Go to Start > Run and copy/paste the following into the Run box and click OK:

cmd /c rd /s/q "c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates From HP.lnk"

A DOS window will open and close again, this is normal.

------------------------------------------------------
Old 02-23-2009, 08:00 PM   #13 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 34
OS: XP


Re: Dozens of Pop-ups and slow computer

Hello Chemist,

The ESET scan didn't work either. I even temporarily changed security settings so that it would be allowed to run, but it would not. The Kaspersky scan not working puzzles me, because I was always able to run that one in the past. I hope I didn't screw up when downloading Java. I even re-downloaded the latest version to make sure. I just downloaded Firefox (but I know you said I have to use IE for running that one).

The Real Message Player alerts just show Hollywood gossip and happenings.

Here is the DDS.txt report, below:

Thanks,
Jenny
-------------------

DDS (Ver_09-02-01.01) - NTFSx86
Run by HP_Administrator at 21:52:06.06 on Mon 02/23/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1492 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Playskool\MADE FOR ME Software\HbDetect.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://cm.my.yahoo.com/
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [HbDetect.exe] c:\program files\playskool\made for me software\HbDetect.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [DMAScheduler] "c:\program files\hp digitalmedia archive\DMAScheduler.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Motive SmartBridge] c:\progra~1\sbclig~1\smartb~1\MotiveSB.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 6.0\apdproxy.exe"
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\windows\installer\{00000409-78e1-11d2-b60f-006097c998e7}\outicon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
Trusted Zone: trymedia.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper20073151.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {42C9E5EE-DA49-49B4-8ECC-1CAB1C51A2AB} - hxxp://www.kodakgallery.com/downloads/hmpr/HMPR_WIN_IE_1/axhomepr.cab
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.winkflash.com/photo/loaders/ImageUploader5.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - hxxp://www.winkflash.com/photo/loaders/ImageUploader4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\knc1utqc.default\
FF - prefs.js: browser.startup.homepage - hxxp://cm.my.yahoo.com/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-12-13 201320]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\adobe\photoshop elements 6.0\PhotoshopElementsFileAgent.exe [2007-10-2 124832]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-12-13 203280]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-12-13 359248]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\Mcshield.exe [2008-12-13 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-12-13 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-12-13 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-12-13 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-12-13 40488]
S2 Symantec Core LC;Symantec Core LC;"c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe" --> c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-12-13 33832]

============== File Associations ===============

txtfile="c:\windows\system32\nxtepad.exe" "%1"

=============== Created Last 30 ================

2009-02-23 20:57 73,728 a------- c:\windows\system32\javacpl.cpl

==================== Find3M ====================

2009-02-23 20:56 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-05 16:53 102,218 a------- c:\windows\hpoins05.dat
2008-12-13 01:32 578,560 a------- c:\windows\system32\dllcache\user32.dll
2008-12-12 12:01 3,067,904 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2007-01-18 20:21 150 a------- c:\docume~1\hp_adm~1\applic~1\wklnhst.dat

============= FINISH: 21:52:34.92 ===============
Old 02-23-2009, 08:35 PM   #14 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,641
OS: XP SP3


Re: Dozens of Pop-ups and slow computer

Hello again, scoricha.

Quote:
I just download Firefox
Kaspersky runs with FF. Maybe try it again?

------------------------------------------------------

Or try this one:

Perform an online scan with Panda ActiveScan
  • Click on Scan Your PC Now
  • A "pop up" window will appear, or a new tab will open.
  • Click on Register
  • Choose the option you like most, but we recommend the Free Registration.
  • Click on Register
  • Enter your e-mail address, and create a password.
  • Select "I do not want to receive any type of information" (unless you want to receive such information)
  • Click on Send
  • Confirm registration, and continue by entering your user name and password, then click on Enter
  • Select Full Scan, then Click on Scan Now
  • Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
  • If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
  • Please ignore the offer to buy the program. Click on Export to
  • Export the log and Save it to your Desktop.
  • Please post the contents of that log in your next reply.
**Note**
To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
------------------------------------------------------
  • Download TXT File Association Fix and Save it to your Desktop.
  • Extract the reg file and double-click xp_txt_fix.reg
  • Answer 'Yes' to merge/add it to the registry.
  • X out of the windows.
------------------------------------------------------
  • Download Registry Search Tool (RegSrch.vbs) from here and Save it to your Desktop.
  • (Scroll down the page to Registry Search Tool and click the green download arrow)
  • The RegSrch.zip file should open up on your desktop.
  • Click 'Extract all files' and follow the prompts. Use the 'Browse' button to Save it to your Desktop.
  • Double-click RegSrch.vbs
  • Copy/paste real into the Search bar and click 'OK'.
  • Wait for it to complete the search and click 'OK' at the prompt.
  • Then when wordpad opens, copy/paste the text as a reply into this thread.
------------------------------------------------------
Old 02-24-2009, 06:22 AM   #15 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 34
OS: XP


Re: Dozens of Pop-ups and slow computer

Hello Chemist,

I was unable to run the Kaspersky scan using the Firefox browser either. I received the same error message. I was able to run the Panda Scan. Please see the results below. The "real" search report was too large to post in the reply, so I compressed and attached it.

Thank you,
Jenny

Panda Scan Results
----------------

;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-02-24 07:42:33
PROTECTIONS: 1
MALWARE: 16
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
McAfee VirusScan No Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00145807 Cookie/Linksynergy TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1A8B.tmp
00145807 Cookie/Linksynergy TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq36A.tmp
00145881 Cookie/NewMedia TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq18.tmp
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1D.tmp
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@com[1].txt
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1A9A.tmp
00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD2.tmp
00187950 Cookie/bravenetA TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1B.tmp
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@go[1].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq19.tmp
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1A85.tmp
00377802 Spyware/PeoplePC Spyware No 0 Yes No C:\Program Files\Online Services\PeoplePC\ISP5900\Dll\RAS.DLL
00487624 Trj/Banker.LNO Virus/Trojan No 1 Yes Yes C:\hp\recovery\wizard\SWR_Wizard.exe
00530924 Trj/Autoit.AJ Virus/Trojan No 1 Yes Yes C:\Program Files\SBC LightSpeed Self Support Tool\bin\closeAll.exe
00593436 W32/Autorun.AQG.worm Virus/Worm No 1 No No C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe[32788R22FWJFW\List.bat]
00593436 W32/Autorun.AQG.worm Virus/Worm No 1 Yes No C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP81\A0021955.bat
00593436 W32/Autorun.AQG.worm Virus/Worm No 1 Yes No C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP79\A0021774.bat
00593436 W32/Autorun.AQG.worm Virus/Worm No 1 Yes No C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP80\A0021804.bat
00593436 W32/Autorun.AQG.worm Virus/Worm No 1 Yes No C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP78\A0020598.bat
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP80\A0021896.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP81\A0022001.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP78\A0020649.EXE
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes Yes C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP80\A0021870.sys
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes Yes C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP81\A0021978.sys
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes Yes C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP78\A0020623.sys
05029772 Trj/Downloader.MDW Virus/Trojan No 0 Yes Yes C:\Qoobox\Quarantine\C\WINDOWS\system32\200924421.dll.vir
05034594 Trj/Downloader.MDW Virus/Trojan No 0 Yes Yes C:\Qoobox\Quarantine\C\WINDOWS\system32\200923835.dll.vir
05034594 Trj/Downloader.MDW Virus/Trojan No 0 Yes Yes C:\Qoobox\Quarantine\C\WINDOWS\system32\200924939.dll.vir
05034594 Trj/Downloader.MDW Virus/Trojan No 0 Yes Yes C:\Qoobox\Quarantine\C\WINDOWS\system32\200925654.dll.vir
05034594 Trj/Downloader.MDW Virus/Trojan No 0 Yes Yes C:\Qoobox\Quarantine\C\WINDOWS\system32\20092820.dll.vir
05034594 Trj/Downloader.MDW Virus/Trojan No 0 Yes Yes C:\Qoobox\Quarantine\C\WINDOWS\system32\200922626.dll.vir
;===================================================================================================================================================================================
SUSPECTS
Sent Location T
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description T
;===================================================================================================================================================================================
;===================================================================================================================================================================================
Attached Files
File Type: zip Real.zip (91.5 KB, 1 views)
Old 02-24-2009, 06:30 AM   #16 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 34
OS: XP


Re: Dozens of Pop-ups and slow computer

Hello Chemist,

I also received an email from Auctiva, which stated that malware was detected on their site last Thursday, Feb. 19th. I have attached a copy of the email I just received from them (I copied it and pasted it into Notepad). This might be where I got the viruses.

This was around the time when the problems started.

Just a thought....

Thanks again,
Jenny
Attached Files
File Type: zip Auctive Email.zip (1.3 KB, 1 views)
Old 02-24-2009, 07:40 AM   #17 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,641
OS: XP SP3


Re: Dozens of Pop-ups and slow computer

Hello again, Jenny. Looks like you figured out where you got it.

Nothing in the Panda scan report really needs attention. You can delete those cookies and empty Yahoo's quarantine folder.

System Volume Information is where Windows keeps System Restore Points. You have several that are infected, but as long as you don't restore to those points, they can do no harm. Several files have been quarantined in Qoobox, which is ComboFix's quarantine folder. All of these will get deleted when we uninstall ComboFix.

The two entries labeled Trj/Banker and Trj/Autoit are false positives and are harmless.

------------------------------------------------------

Go to Start > Run and copy/paste the following into the Run box and click OK:

cmd /c del /a/f/q "C:\Program Files\Online Services\PeoplePC\ISP5900\Dll\RAS.DLL"

A DOS window will open and close again, this is normal.

------------------------------------------------------

Is Real Player a must have? Please read this:

http://www.computing.net/answers/sec...all/11967.html

Winamp might be a better alternative:

http://www.winamp.com/

If you wish to keep Real Player, you should be able to disable the Message Center via right-click on its system tray icon.

Let me know and I will give you some final instructions.

------------------------------------------------------
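Chemist's triage of the Panda report above (files inside System Restore points and quarantine folders are inert, tracking cookies are junk, only live files outside any quarantine need a second look) can be applied mechanically. The following Python script is an added example, not code from the thread or from Panda: it parses lines in the layout of the report's MALWARE table (the sample lines are copied from the report posted above) and sorts each finding by where it lives on disk.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the layout of the Panda ActiveScan MALWARE table:
# Id Description Type Active Severity Disinfectable Disinfected Location
# The rows are taken from the report posted in the thread.
SAMPLE_REPORT = r"""
;===================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
00145807 Cookie/Linksynergy TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1A8B.tmp
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@com[1].txt
00377802 Spyware/PeoplePC Spyware No 0 Yes No C:\Program Files\Online Services\PeoplePC\ISP5900\Dll\RAS.DLL
00487624 Trj/Banker.LNO Virus/Trojan No 1 Yes Yes C:\hp\recovery\wizard\SWR_Wizard.exe
00593436 W32/Autorun.AQG.worm Virus/Worm No 1 Yes No C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP81\A0021955.bat
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP80\A0021896.EXE
05029772 Trj/Downloader.MDW Virus/Trojan No 0 Yes Yes C:\Qoobox\Quarantine\C\WINDOWS\system32\200924421.dll.vir
"""

# System Restore keeps copies under \System Volume Information\_restore{GUID}\RPnn\
RESTORE_POINT_RE = re.compile(
    r"\\system volume information\\_restore\{[0-9a-f-]+\}\\rp\d+\\", re.I
)

# What each location class means for the person cleaning the machine.
ACTIONS = {
    "restore-point": "inert: inside a System Restore point; harmless unless you "
                     "restore to it, and gone once old restore points are purged",
    "combofix-quarantine": "inert: already quarantined by ComboFix (Qoobox); "
                           "deleted when ComboFix is uninstalled",
    "yahoo-quarantine": "inert: already quarantined by Yahoo! YPSR; empty that folder",
    "cookie": "low: tracking cookie; delete it",
    "on-disk": "review: live file outside any quarantine; confirm whether it is "
               "malicious or a false positive before deleting",
}


@dataclass
class Finding:
    ident: str
    description: str
    kind: str
    active: bool
    severity: int
    disinfectable: bool
    disinfected: bool
    location: str
    category: str


def classify_location(path):
    """Bucket a reported path by whether the file can still run from there."""
    p = path.lower()
    if RESTORE_POINT_RE.search(p):
        return "restore-point"
    if p.startswith("c:\\qoobox\\quarantine\\"):
        return "combofix-quarantine"
    if "\\ypsr\\quarantine\\" in p:
        return "yahoo-quarantine"
    if "\\cookies\\" in p:
        return "cookie"
    return "on-disk"


def parse_malware_table(text):
    """Parse rows of the MALWARE table; comment, header and blank lines are skipped."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or not line[:8].isdigit():
            continue
        parts = line.split(None, 7)  # location is the 8th field and may contain spaces
        if len(parts) < 8:
            continue
        ident, desc, kind, active, sev, dis, disd, loc = parts
        findings.append(Finding(ident, desc, kind, active == "Yes", int(sev),
                                dis == "Yes", disd == "Yes", loc,
                                classify_location(loc)))
    return findings


def summarize(findings):
    """Count findings per location class."""
    return Counter(f.category for f in findings)


def needs_attention(findings):
    """Only live files outside quarantine and restore points merit a human look."""
    return [f for f in findings if f.category == "on-disk"]


if __name__ == "__main__":
    found = parse_malware_table(SAMPLE_REPORT)
    for cat, n in sorted(summarize(found).items()):
        print(f"{n:2d} x {cat:20s} {ACTIONS[cat]}")
    for f in needs_attention(found):
        print("REVIEW:", f.description, "->", f.location)
```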
Old 02-24-2009, 08:18 AM   #18 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 34
OS: XP


Re: Dozens of Pop-ups and slow computer

Hello Chemist,

Well that is great news! I thought I still had a ton of viruses... I emptied the Yahoo Quarantine folder and deleted the cookies. I cannot find System Volume information folder, but would like to delete those restore points as well. I am afraid I would somehow restore to one of them. Do you know where I can access this folder to delete those items?

I do not need Real Player and would like to get rid of it after reading the article. Should I uninstall and then download Winamp after? Also, now that I am using Firefox, should I uninstall IE or keep it in case I need to use it? Also, I have an older version of MS Outlook that I use to access my Gmail account. Is this a weakness for malware? If so, I will just use Firefox to check email. Just one more question: do you know why I cannot run those online scans? Do you think it is a Java issue? I am just curious, because they always worked before all these viruses.

Thank you so much for all your help! I am going to work to prevent any more viruses by keeping my software up to date (I just updated everything last night). I also have SpywareBlaster and check for updates a couple of times a week.

Thanks again,
Jenny
Old 02-24-2009, 08:52 AM   #19 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,641
OS: XP SP3


Re: Dozens of Pop-ups and slow computer

Hello again, Jenny.

Quote:
I cannot find System Volume information folder, but would like to delete those restore points as well.
Don't worry about those. They will automatically be deleted when we uninstall ComboFix.

Quote:
Should I uninstall and then download Winamp after?
Yes.

Quote:
should I uninstall IE or keep it in case I need to use it?
Keep it.

Quote:
Is this a weakness for malware?
I don't think so.

Quote:
do you know why I cannot run those online scans? Do you think it is a Java issue?
I honestly don't know. I've never encountered that error before. Tried to research it online, but it is over my head.

I suggest you seek expert advice in our Windows XP Support Forum.

------------------------------------------------------

Congratulations. Well done! Your logs appear clean. You should be good to go.

Please disable McAfee before uninstalling ComboFix and then re-enable it after doing so.

Go to Start >> Run and Copy/Paste the following single-line command into the Run box and click OK:

combofix /u

This will uninstall ComboFix and delete ComboFix's quarantine folder. It will also implement some cleanup procedures, remove old System Restore Points which contain previous infections, and create a fresh, clean System Restore Point.

Please re-enable your antivirus program and any other antispyware programs disabled earlier if you haven't already.

You can safely delete any tools downloaded or any logs, files, and any shortcuts on your desktop that were created during this fix.

------------------------------------------------------

MICROSOFT UPDATES
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

SPYWARE PREVENTION
This is a good time to set up protection against further attacks. In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read these well-written articles. To help protect your computer in the future, I recommend that you get the following free programs if you do not already have them:
  • SpywareBlaster prevents the installation of ActiveX-based malware, blocks cookies, and restricts the actions of "bad" sites in Internet Explorer. See tutorial here
  • IE-Spyad is another excellent program that places over 5000 dubious websites and domains in the IE Restricted list, which will help prevent attempts to infect your system. It basically prevents any downloads from the sites listed, although you will still be able to connect to the site. See tutorial here
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows Vista here
Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
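The MVPS HOSTS file described in the post above works by pointing ad and malware domains at 127.0.0.1 (or 0.0.0.0) so the machine never connects to them. The following is an added example, not code from the thread or from the MVPS project: it parses a HOSTS file in that style and answers two questions a practitioner cares about after a cleanup: is a given hostname blocked, and does the file contain any entry that redirects a name to a routable address instead of a blackhole (malware commonly rewrites HOSTS to send antivirus update sites somewhere else). The sample HOSTS text and the domain names in it are constructed for illustration; the address 203.0.113.5 is a documentation-range address, not a real server.

```python
"""Audit a Windows HOSTS file written in the MVPS blocklist style.

Added example for this thread, not code from the forum or the MVPS project.
The SAMPLE_HOSTS text below is constructed; none of the domains are real.
"""
import ipaddress

# Constructed sample: the stock localhost line, three MVPS-style blocking
# entries (one with a trailing comment), and two entries that a cleanup
# check should flag because they send names to a routable address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# Start of MVPS-style entries
0.0.0.0  ad.doubleclick.example
127.0.0.1 adserver.example  # ad network
0.0.0.0  tracker.example
203.0.113.5 update.antivirus.example
203.0.113.5 www.antivirus.example
"""

# Addresses a blocklist legitimately points names at: nothing listens there.
BLACKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return a list of (ip, hostname) pairs from HOSTS text.

    Comments ('#' to end of line) and blank lines are ignored, a line may
    list several hostnames for one address, and lines whose first field is
    not a valid IP address are skipped, as Windows itself skips them.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def blocked_hosts(entries):
    """Hostnames the file blackholes (localhost is the OS's own entry)."""
    return {name for ip, name in entries if ip in BLACKHOLE and name != "localhost"}


def is_blocked(hostname, entries):
    """True if connections to hostname would be sent to a blackhole address."""
    return hostname.lower() in blocked_hosts(entries)


def suspicious_redirects(entries):
    """Entries that map a name to a routable address rather than a blackhole.

    The MVPS file only ever uses 127.0.0.1 / 0.0.0.0, so any other address in
    the file is either an admin's own addition or a tampered entry; classic
    malware pointed antivirus update domains at attacker-controlled hosts.
    """
    return [(ip, name) for ip, name in entries if ip not in BLACKHOLE]


if __name__ == "__main__":
    found = parse_hosts(SAMPLE_HOSTS)
    print("blocked:", sorted(blocked_hosts(found)))
    for ip, name in suspicious_redirects(entries=found):
        print("CHECK: %s -> %s is not a blackhole address" % (name, ip))
```

On a real machine the file to read is %SystemRoot%\system32\drivers\etc\hosts. One caveat from the MVPS guide itself: on Windows XP a very large HOSTS file can slow the machine while the DNS Client service caches it, which is why the guide recommends disabling that service after installing the list.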
Old 02-24-2009, 10:56 AM   #20 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 34
OS: XP


Re: Dozens of Pop-ups and slow computer

Hi Chemist,

You are never going to get rid of me! Just kidding - I have just one more question. I re-ran the Panda Scan (results posted below) and it shows those restore points again. I have already uninstalled ComboFix. Is this something I can ignore?

Also just wanted to let you know that I took all your suggestions as well.

Thanks so much again for all your help,
Jenny

;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-02-24 12:51:53
PROTECTIONS: 1
MALWARE: 3
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
McAfee VirusScan Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00377802 Spyware/PeoplePC Spyware No 0 Yes No C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP88\A0023067.DLL
00593436 W32/Autorun.AQG.worm Virus/Worm No 1 Yes No C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP78\A0020598.bat
00593436 W32/Autorun.AQG.worm Virus/Worm No 1 Yes No C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP81\A0021955.bat
00593436 W32/Autorun.AQG.worm Virus/Worm No 1 Yes No C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP79\A0021774.bat
00593436 W32/Autorun.AQG.worm Virus/Worm No 1 Yes No C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP80\A0021804.bat
00593436 W32/Autorun.AQG.worm Virus/Worm No 1 No No C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe[32788R22FWJFW\List.bat]
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP81\A0022001.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP78\A0020649.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP80\A0021896.EXE
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================
scoricha is offline  
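Every hit in the Panda report above sits either inside a System Restore snapshot (a path under System Volume Information\_restore{...}\RP<n>\) or inside ComboFix's own embedded tool archive, and none is marked Active. The following is an added example, not code from the thread or from Panda: it parses report lines in that layout and sorts detections into restore-point copies, files inside an archive, and files on the live file system, which is the triage a helper does before deciding whether anything still needs cleaning. The sample lines are taken from the report posted in the thread; the parser assumes the whitespace-separated column order shown there, with no spaces inside the Description or Type columns.

```python
"""Triage a Panda ActiveScan-style report by where each detection lives.

Added example for this thread, not code from the forum or from Panda.
The SAMPLE_REPORT lines are the ones posted above (header lines included so
the parser is seen to skip them); the column layout is assumed from them.
"""
import re

SAMPLE_REPORT = r"""
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================
00377802 Spyware/PeoplePC Spyware No 0 Yes No C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP88\A0023067.DLL
00593436 W32/Autorun.AQG.worm Virus/Worm No 1 Yes No C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP78\A0020598.bat
00593436 W32/Autorun.AQG.worm Virus/Worm No 1 No No C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe[32788R22FWJFW\List.bat]
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP81\A0022001.EXE
;===================================================================
""".strip()

# One detection line: id, description, type, Active, severity, Disinfectable,
# Disinfected, then the location (which may itself contain spaces).
LINE_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<desc>\S+)\s+(?P<type>\S+)\s+(?P<active>Yes|No)\s+"
    r"(?P<severity>\d+)\s+(?P<disinfectable>Yes|No)\s+(?P<disinfected>Yes|No)\s+"
    r"(?P<location>.+)$"
)
# A file held in a System Restore snapshot: ...\_restore{GUID}\RPnn\...
RESTORE_RE = re.compile(
    r"^[A-Za-z]:\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(?P<rp>\d+)\\",
    re.IGNORECASE,
)
# Panda reports a file inside an archive as outer.ext[inner\path]
ARCHIVE_RE = re.compile(r"\[[^\]]+\]$")


def parse_report(text):
    """Return the detection lines as dicts; header and separator lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["active"] = rec["active"] == "Yes"
        rec["severity"] = int(rec["severity"])
        records.append(rec)
    return records


def classify(location):
    """Return ('restore_point', rp_number), ('archive', None) or ('live', None)."""
    m = RESTORE_RE.match(location)
    if m:
        return "restore_point", int(m.group("rp"))
    if ARCHIVE_RE.search(location):
        return "archive", None
    return "live", None


def triage(records):
    """Bucket detections by location kind; 'live' is the bucket that matters."""
    buckets = {"restore_point": [], "archive": [], "live": []}
    for rec in records:
        kind, _ = classify(rec["location"])
        buckets[kind].append(rec)
    return buckets


def restore_points_involved(records):
    """Sorted restore-point numbers that still hold a detected file."""
    rps = set()
    for rec in records:
        kind, rp = classify(rec["location"])
        if kind == "restore_point":
            rps.add(rp)
    return sorted(rps)


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    for kind, items in triage(recs).items():
        print("%-13s %d" % (kind, len(items)))
    print("restore points holding detections:", restore_points_involved(recs))
```

Restore-point copies are inert until someone restores to that point, and a hit inside ComboFix's embedded archive is the tool's own component, so on this report only an empty "live" bucket would have been a surprise. Clearing the old restore points (which the `combofix /u` step above does, or disabling and re-enabling System Restore) is what makes these entries disappear from the next scan.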
Copyright 2001 - 2009, Tech Support Forum