z1.adserver problem

[derjusty]

Hopefully this will be a quick fix... I have been getting popups with the window title of z1.adserver. One of the apprentices who happens to be my roommate (Peebs85) checked my HJT log but couldn't find the root of the problem. Could someone please help?

Logfile of HijackThis v1.99.1
Scan saved at 7:25:13 PM, on 5/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\91m05yzo.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar_en_2.0.114-big.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.114-big.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar_en_2.0.114-big.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar_en_2.0.114-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar_en_2.0.114-big.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar_en_2.0.114-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar_en_2.0.114-big.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1095872279889
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - https://isupport4.hp.com/motivedocs/...er/MotUtil.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

Thank you!

[bry623]

Hello and Welcome to TSF!

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Reboot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click 'Kill process' for each one if they are still listed (they shouldn't be - but double check):

C:\Program Files\MessengerPlus! 3\MsgPlus.exe

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

MessengerPlus


Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"



Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\Program Files\MessengerPlus! 3


Reboot into Normal Mode run a new HijackThis scan. Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in your next reply.

[Peebs85]

Hello expert analysts!

As Justin has already pointed out, I have reviewed this log and have come up empty. Uninstalling Messenger Plus will have no effect because the sponser was not installed during the installation of the program (I made sure that he knew not to do that). Also, I have installed the same thing and don't get any popups at all, so I highly doubt that Plus is what's causing the problems.

I figured that a deeper look would need to be taken, but since I am only an apprentice I told him that for the best results he could post here and ask an expert to look at it (which is why he posted here).

He's prepared for taking a deeper look and won't have any problems following directions so feel free to give him some work to do. Best of luck figuring it out guys!

[bry623]

Let's use a program to scan for any trojans that may exist. Download TDS-3 http://tds.diamondcs.com.au/index.php?page=download. Learn how to use it at http://tds.diamondcs.com.au/index.php?page=easytouse. Make sure to update it after you installed it. You can get the manual updates at http://tds.diamondcs.com.au/index.php?page=update. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to 'System Testing' on the menu and choose 'Full System Scan'. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, it will be listed in the bottom window. Please copy and paste that here also if it applies. If you have problems copying the text, look (or search) for a file named scandump.txt and see if that has the alarms - post that here.

[Peebs85]

Sorry, but we used TDS a while ago so the program has expired.
-------------------------------------------------------------------------------------
Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool.

Download the Mwav virus checker at http://www.mwti.net/antivirus/mwav.asp (Use Link 3)

1. Save it to a folder.
2. Reboot into Safe Mode.
3. Double click the Mwav.exe file. This is a stand alone tool and NOT just a virus checker......so it won't install anything.
4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane......
Left click and highlight all the information in the Lower pane --- Use &CTRL C &on your keyboard to copy everything found in the lower pane and save it to a notepad file
*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything...but to ID the bad files.

Once you copy that to a Notepad file...highlight the text and copy it here.

[derjusty]

The downloaded mwav file does not run properly. A dos window opens briefly and closes. I tried downloading the file again in case it was corrupted, but I got the same result.

[jgvernonco]

Alright, let do this...

Download StartDreck http://www.greyknight17.com/spy/StartDreck.zip

Unzip to its own folder and start the program:
Press 'Config'
Press 'mark all'

Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post the log in this thread.

[derjusty]

StartDreck (build 2.1.7 public stable) - 2005-05-26 @ 10:04:48 (GMT -05:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 2)
Internet Explorer: 6.0.2900.2180
Logged in as Owner at MRCOMPY

»Registry
»Run Keys
»Current User
»Run
*ATI Launchpad=
*ctfmon.exe=C:\WINDOWS\system32\ctfmon.exe
»RunOnce
»Default User
»Run
*ctfmon.exe=C:\WINDOWS\System32\ctfmon.exe
»RunOnce
»Local Machine
»Run
*hpsysdrv=c:\windows\system\hpsysdrv.exe
*HotKeysCmds=C:\WINDOWS\System32\hkcmd.exe
*MoneyStartUp10.0="c:\Program Files\Microsoft Money\System\Activation.exe"
*WCOLOREAL="C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
*Recguard=C:\WINDOWS\SMINST\RECGUARD.EXE
*ATIModeChange=Ati2mdxx.exe
*LMPDPSRV=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
*IntelliPoint="C:\Program Files\Microsoft IntelliPoint\point32.exe"
*vptray=C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
*NeroFilterCheck=C:\WINDOWS\system32\NeroCheck.exe
*REGSHAVE=C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
*QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime
*iTunesHelper=C:\Program Files\iTunes\iTunesHelper.exe
*PC Alarm Clock Master=
*SunJavaUpdateSched=C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
*MessengerPlus3="C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
*gcasServ="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
+.htm
*FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1"
+.html
*FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1"
+.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
+Internet Explorer/>{26923b43-4d38-484f-9b9e-de460746276c}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
+Browser Customizations/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
*StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
+Outlook Express/>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
+Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
*StubPath=%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
+Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
+NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
+Internet Explorer/{4b218e3e-bc98-4770-93d3-2731b9329278}
*StubPath=%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
+Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
+Address Book 5/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
+Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340}
*StubPath=regsvr32.exe /s /n /i:U shell32.dll
+Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=%SystemRoot%\System32\ie4uinit.exe
+Fax/{8b15971b-5355-4c82-8c07-7e181ea07608}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser
+CRLUpdate/{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}
*StubPath=%SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl
»Browser Helper Objects (LM)
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
*SpywareGuardDLBLOCK.CBrowserHelper/{4A368E80-174F-4872-96B5-0B27DDD11DB2}
`InprocServer32=C:\Program Files\SpywareGuard\dlprotect.dll
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\PROGRA~1\SPYBOT~1\SDHelper.dll
*PCTools Site Guard/{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
`InprocServer32=C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
*Google Toolbar Helper/{AA58ED58-01DD-4d91-8333-CF10577473F7}
`InprocServer32=c:\program files\google\googletoolbar_en_2.0.114-big.dll
*PCTools Browser Monitor/{B56A7D7D-6927-48C8-A975-17DF180C71AC}
`InprocServer32=C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
*MoneySide.BrowserHelperObject.10/{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}
`InprocServer32=c:\Program Files\Microsoft Money\System\mnyviewer.dll
»Internet Explorer
»Current User
*Local Page=C:\WINDOWS\SYSTEM32\blank.htm
*Search Page=http://www.google.com
*Start Page=about:blank
+SearchUrl
*provider=gogl
»Default User
»Local Machine
*Default_Page_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
*Default_Search_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Local Page=C:\WINDOWS\SYSTEM32\blank.htm
*Search Bar=
*Search Page=http://www.google.com
*Start Page=about:blank
*CustomizeSearch=http://ie.search.msn.com
*SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
+SearchUrl
»ShellServiceObjectDelayLoad (LM)
*PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=%SystemRoot%\System32\webcheck.dll
*SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153}
`InprocServer32=C:\WINDOWS\System32\stobject.dll
»Special NT Values
»Current User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Default User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Local Machine
*AppInit_DLLs=
*SHELL=Explorer.exe
*Userinit=C:\WINDOWS\system32\userinit.exe,
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini
*C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Webshots.lnk
»Default User
*C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\boot.ini
`[boot loader]
`timeout=30
`default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
`[operating systems]
`multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
*C:\msdos.sys
*C:\config.sys
*C:\WINDOWS\system32\config.nt
`dos=high, umb
`device=%SystemRoot%\system32\himem.sys
`files=40
*C:\autoexec.bat
*C:\WINDOWS\system32\autoexec.nt
`@echo off
`lh %SystemRoot%\system32\mscdexnt.exe
`lh %SystemRoot%\system32\redir
`lh %SystemRoot%\system32\dosx
`SET BLASTER=A220 I5 D1 P330 T3
*C:\WINDOWS\wininit.ini
`[Rename]
`NUL=î�|8‘|ÿÿÿÿ2‘|«‘|ë‘|
*C:\WINDOWS\system32\drivers\etc\hosts
`127.0.0.1 localhost
»Program Files
*C:\ntldr
*C:\ntdetect.com
*C:\io.sys
*C:\WINDOWS\system32\win.com
*C:\WINDOWS\explorer.exe
»%PATH% Companion Files
+C:\WINDOWS\system32\atiiprxx.exe
*C:\Program Files\ATI Technologies\ATI Control Panel\atiiprxx.exe
+C:\WINDOWS\system32\hh.exe
*C:\WINDOWS\hh.exe
+C:\WINDOWS\system32\notepad.exe
*C:\WINDOWS\notepad.exe
+C:\WINDOWS\system32\slrundll.exe
*C:\WINDOWS\slrundll.exe
+C:\WINDOWS\system32\taskman.exe
*C:\WINDOWS\taskman.exe
+C:\WINDOWS\system32\winhlp32.exe
*C:\WINDOWS\winhlp32.exe
»System/Drivers
»Running Processes
+0=<idle>
+4=<system>
+400=\SystemRoot\System32\smss.exe
+448=\??\C:\WINDOWS\system32\csrss.exe
+472=\??\C:\WINDOWS\system32\winlogon.exe
+524=C:\WINDOWS\system32\services.exe
+536=C:\WINDOWS\system32\lsass.exe
+680=C:\WINDOWS\system32\svchost.exe
+744=C:\WINDOWS\system32\svchost.exe
+780=C:\WINDOWS\System32\svchost.exe
+824=C:\WINDOWS\System32\svchost.exe
+940=C:\WINDOWS\System32\svchost.exe
+1088=C:\WINDOWS\system32\LEXBCES.EXE
+1112=C:\WINDOWS\system32\spoolsv.exe
+1124=C:\WINDOWS\system32\LEXPPS.EXE
+1392=C:\WINDOWS\Explorer.EXE
+1480=C:\windows\system\hpsysdrv.exe
+1612=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
+1620=C:\Program Files\Microsoft IntelliPoint\point32.exe
+1632=C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
+1708=C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
+1716=C:\Program Files\MessengerPlus! 3\MsgPlus.exe
+1732=C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
+1764=C:\WINDOWS\system32\ctfmon.exe
+1788=C:\Program Files\Webshots\WebshotsTray.exe
+1828=C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
+1900=C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
+1932=C:\WINDOWS\system32\inetsrv\inetinfo.exe
+1964=C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
+256=C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
+420=C:\WINDOWS\System32\svchost.exe
+452=C:\WINDOWS\System32\wdfmgr.exe
+2164=C:\WINDOWS\System32\alg.exe
+2620=C:\Program Files\Mozilla Firefox\firefox.exe
+2712=C:\WINDOWS\system32\wuauclt.exe
+2780=C:\Program Files\MSN Messenger\msnmsgr.exe
+3024=C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
+3212=c:\Program Files\Microsoft Money\System\urlmap.exe
+3296=C:\Program Files\StartDreck\StartDreck.exe
»VMM32Files (LM)
»%System%\VMM32
»%System%\IOSUBSYS
»Application specific
»MS Office 97/8.0 STARTUP-PATH
»Current User
»Default User
»Local Machine
»ICQ NetDetect
»Current User
»Default User

[Peebs85]

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst. I will be back with a fix for your problem as soon as possible.

Please be patient with me during this time.

We also suggest that you Subscribe to this thread to be notified of fixes as soon as they are posted by our Team. You can do this simply by clicking the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread".

[Peebs85]

Hi Justin,

Other than the following entry in your Startdreck log, it's clean:

*C:\WINDOWS\wininit.ini
`[Rename]
`NUL=î�|8‘|ÿÿÿÿ2‘|«‘|ë‘|

Navigate to this file....C:\WINDOWS\wininit.ini and open it with wordpad.

Delete the entry in red above...and then save it...

Now we need to do a scan for any trojans that may exist. Click on http://www.emsisoft.com/en/software/free/ and download the free version. Post the results of the log.

Good Luck!

[derjusty]

a² Report
Filename Diagnosis
C:\hp\bin\Terminator.exe not-a-virus:RiskWare.Tool.KillApp
C:\Program Files\Netscape\Netscape\Plugins\npwthost.dll AdWare.WildTangent.b

[Peebs85]

Howdy,

Delete the following File indicated in RED if it still exists.

C:\Program Files\Netscape\Netscape\Plugins\npwthost.dll

Download ewido security suite from here… http://www.ewido.net/en/download/

Update it’s database from here.. http://www.ewido.net/en/download/updates/
Run a scan and let it clean the PC. When it's finished...save it's log and post it here.

Also, Open HijackThis>Config>Misc Tools then Click Generate Startup List log and post that here.

Do you have a popup blocker installed (other than the Google Toolbar)?

[derjusty]

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:19:28 PM, 5/29/2005
+ Report-Checksum: AA021CE4

+ Date of database: 5/29/2005
+ Version of scan engine: v3.0

+ Duration: 79 min
+ Scanned Files: 254685
+ Speed: 53.18 Files/Second
+ Infected files: 1
+ Removed files: 1
+ Files put in quarantine: 0
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\
H:\

+ Scan result:
C:\Documents and Settings\Owner\Cookies\owner@ar.atwola[1].txt -> Spyware.Tracking-Cookie -> Cleaned without backup


::Report End






StartupList report, 5/29/2005, 12:22:17 PM
StartupList version: 1.52.2
Started from : C:\Program Files\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

hpsysdrv = c:\windows\system\hpsysdrv.exe
HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
MoneyStartUp10.0 = "c:\Program Files\Microsoft Money\System\Activation.exe"
WCOLOREAL = "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
Recguard = C:\WINDOWS\SMINST\RECGUARD.EXE
ATIModeChange = Ati2mdxx.exe
LMPDPSRV = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
IntelliPoint = "C:\Program Files\Microsoft IntelliPoint\point32.exe"
vptray = C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
REGSHAVE = C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
iTunesHelper = C:\Program Files\iTunes\iTunesHelper.exe
PC Alarm Clock Master =
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
MessengerPlus3 = "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
gcasServ = "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ATI Launchpad =
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ssmypics.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
SpywareGuard Download Protection - C:\Program Files\SpywareGuard\dlprotect.dll - {4A368E80-174F-4872-96B5-0B27DDD11DB2}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
(no name) - c:\program files\google\googletoolbar_en_2.0.114-big.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll - {B56A7D7D-6927-48C8-A975-17DF180C71AC}
(no name) - c:\Program Files\Microsoft Money\System\mnyviewer.dll - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[PCPitstop Utility]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\PCPitstop.dll
CODEBASE = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\wuweb.dll
CODEBASE = http://v5.windowsupdate.microsoft.co...?1095872279889

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupdate.microsoft.co...8044.398587963

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/s...sh/swflash.cab

[Util Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\motutil.dll
CODEBASE = https://isupport4.hp.com/motivedocs/...er/MotUtil.cab

[AV Class]
InProcServer32 = C:\PROGRA~1\PCPITS~1\AV\Pav.dll
CODEBASE = http://www.pcpitstop.com/antivirus/PitPav.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\Program Files\ewido\security suite\lang.dll.update => C:\Program Files\ewido\security suite\lang.dll|||

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 7,332 bytes
Report generated in 0.750 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


No Peebs... I don't have a stand alone popup blocker...

Thanks

[Peebs85]

Hi Justy. You're still looking pretty clean. Let's try this:

Download and install CleanUp http://cleanup.stevengould.org/
Download KillBox http://www.atribune.org/downloads/KillBox.exe
Download rkfiles http://skads.org/special/rkfiles.zip and unzip the contents to a new folder on your desktop.

Download the remv3.zip at http://forums.skads.org/index.php?showtopic=80 (look for the attachment posted in that second reply). Make a new folder on the root drive C:\ and unzip remv3.zip files into it.

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also.

Run CleanUp program now and logoff.

REBOOT TO SAFE MODE. These tools MUST be run in safe mode!
Once in safe mode, double click rkfiles.bat file to run it. It will scan for a while, so please be patient. Wait until the DOS window closes. Open the C:\log.txt it created and rename it log1.txt.

Now open the folder where you saved remv3.zip files and double click the rem.bat file and let it run. It will delete the files and remove the infection and then make a log of the files it finds. The log file will be C:\log.txt and bad1.txt

**Note** Each tool uses log.txt as it’s output file so make sure you save the entries from one tools log before running the other as it will overwrite the file if you don’t.

Reboot back to normal mode and post the contents of both the log.txt and log1.txt in your next post.

[derjusty]

The batch is run from -- C:\remv3

Files Found.................
----------------------------------------

Files Not deleted.................
----------------------------------------

Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------


Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
Volume in drive C is PRESARIO
Volume Serial Number is D843-51D3

Directory of C:\WINDOWS\system32

msi.dll
Finished




C:\Documents and Settings\Owner\Desktop\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\DivXdec.ax: FSg!
C:\WINDOWS\system32\atl71.pdb: dwProvSpec2
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\mfc71.pdb: dwProvSpec2
C:\WINDOWS\system32\MFC71d.pdb: dwProvSpec2
C:\WINDOWS\system32\mfc71u.pdb: dwProvSpec2
C:\WINDOWS\system32\mfc71ud.pdb: dwProvSpec2
C:\WINDOWS\Ejoatzllzk.gzg: geocities.com/opspec22/index.html
C:\WINDOWS\Jknciglp.edp: geocities.com/opspec22/index.html
C:\WINDOWS\Nljgtct.vvo: geocities.com/opspec22/index.html
C:\WINDOWS\Nlwxicgipjv.lxi: geocities.com/opspec22/index.html

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\daemon.dll: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished
bye


thanks peebs

[MicroBell]

Ok..lets try this...

Download KillBox http://www.bleepingcomputer.com/file...re/KillBox.zip

Open IE..internet options..and delete temp internet files and your cookies.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Open add/remove programs and remove MessengerPlus! 3

Run hijackthis and fix the following....

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"

Run KILL box. Paste the following locations into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.

C:\WINDOWS\system32\mfc71.pdb
C:\WINDOWS\system32\MFC71d.pdb
C:\WINDOWS\system32\mfc71u.pdb
C:\WINDOWS\system32\mfc71ud.pdb
C:\WINDOWS\Ejoatzllzk.gzg
C:\WINDOWS\Jknciglp.edp
C:\WINDOWS\Nljgtct.vvo
C:\WINDOWS\Nlwxicgipjv
C:\WINDOWS\system32\atl71.pdb

Once rebooted..post the log from the following tool and let me know if your still getting those ads.

Please empty any Quarantine folder in your antivirus, empty your recycle bin and purge/delete all recovery items in the spybot program if you use it…BEFORE!!! running this tool.

Download this virus checker and tool from eScan Mwav.exe (Use Link 3)

1. Save it to a folder.
2. Reboot into safe mode
3. Double click the Mwav.exe file.(This is a stand alone tool and NOT just a virus checker......so it won't install anything)
4. Select all local drives, scan all files, press SCAN and when it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane (Bottom Window)
Left click and Highlight all the info in the Lower pane--- Use "CTRL C" on your Keyboard to copy all found in the lower pane and save it to a notepad file. DO NOT post the log from the “View Log” button as that log does NOT contain the info we are after.

*Note* If prompted that a Virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning.

We are not going to use this to remove anything..but to ID the bad guys.

Once you copy that to a notepad file...highlight the text and copy it here

[derjusty]

I had installed Messenger Plus without the sponsor programs... is it still possible that it would cause problems? I uninstalled it anyway, just in case.



Object "cmesys Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "Quicken Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\system32\mfc71ud.pdb". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\system32\atl71.pdb". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\system32\mfc71u.pdb". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\system32\mfc71.pdb". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\system32\MFC71d.pdb". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Chs.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Cht.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Deu.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Esp.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Fra.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Ita.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Kor.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Nld.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Ptg.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Jpn.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\system32\DIMM.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0BE35200-8F91-11CE-9DE3-00AA004BB851}" refers to invalid object "C:\PROGRA~1\321STU~1\GAMESX~1\mfc42.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0BE35201-8F91-11CE-9DE3-00AA004BB851}" refers to invalid object "C:\PROGRA~1\321STU~1\GAMESX~1\mfc42.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0BE35202-8F91-11CE-9DE3-00AA004BB851}" refers to invalid object "C:\PROGRA~1\321STU~1\GAMESX~1\mfc42.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}" refers to invalid object "C:\PROGRA~1\AWS\WEATHE~1\MINIBU~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{442D12A1-2641-11d2-90FB-006008A1F441}" refers to invalid object "a3d.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{92FA2C24-253C-11d2-90FB-006008A1F441}" refers to invalid object "a3dapi.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{94BF6C82-F075-11D4-AB95-000102B2D025}" refers to invalid object "F:\Installer\Core\MDMDptch.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B0693766-5278-4ec6-B9E1-3CE40560EF5A}" refers to invalid object "CaPlgin.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{d8f1eee0-f634-11cf-8700-00a0245d918b}" refers to invalid object "a3d.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{FD2280A8-51A4-11D2-A601-3078302C2030}" refers to invalid object "C". Action Taken: No Action Taken.
Entry "HKCR\SCRIBBLE.ScribbleCtrl.1" refers to invalid object "{C9460283-3EED-11D0-A647-00A0C91EF7B9}". Action Taken: No Action Taken.
Entry "HKCR\SharePoint.WebPartPage.Document" refers to invalid object "{388ED91D-7FD2-11D0-A60B-00A0C90A43FF}". Action Taken: No Action Taken.
Entry "HKCR\SharePoint.WebPartPage.Document.1.0" refers to invalid object "{388ED91D-7FD2-11D0-A60B-00A0C90A43FF}". Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Scrflagamenaudio\delete dvd.exe tagged as "not-a-virus:AdWare.Lop.p". Action Taken: No Action Taken.
File C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\javainstaller.jar-4514e5ea-36d79f78.zip infected by "Trojan-Downloader.Java.OpenStream.t" Virus! Action Taken: No Action Taken.
File C:\hp\bin\Terminator.exe tagged as not-a-virus:Tool.Win32.KillApp. No Action Taken.
File C:\hp\bin\win32all-146.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP268\A0033736.dll tagged as "not-a-virus:AdWare.WildTangent.b". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP273\A0033903.exe infected by "Trojan-Downloader.Win32.Centim.b" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP301\A0035000.exe infected by "Trojan-Downloader.Win32.Small.zh" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP301\A0035001.exe tagged as "not-a-virus:AdWare.WebRebates.g". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP313\A0035975.dll tagged as "not-a-virus:AdWare.WildTangent.b". Action Taken: No Action Taken.

I havn't had any popups recently, but the computer hasn't had a connection with the internet the whole time either, so it may be a little longer before I notice a definite change.

Thanks

[MicroBell]

Well...lets hope we got it. In the mean time...more cleanup items..

C:\Documents and Settings\All Users\Application Data\Scrflagamenaudio <--delete that folder unless you made it..and know whats in it. It looks like and has been tagged as the LOP infection.

C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\javainstaller.jar-4514e5ea-36d79f78.zip <--delete that file

I would also suggest you open your java console and clear the cache folder.

[derjusty]

I deleted the files and cleared the cache... I still had a popup afterwards when loading m-w.com

Sorry to be causing so much trouble.. I thought it would be an easy, simple fix...

Do you want me to run any more scans or post any logs?

Thanks

[MicroBell]

Yes...

Please post another RKFiles log...and the log from the following tool...

Download Silent runners.Vbs http://www.silentrunners.org/
1. Make sure you have any script blocking software disabled
2. Run the program. It will take a few minutes to complete.
3. Once complete it will produce a log named “StartupPrograms” with Your user and date in the filename. Open that txt file and posts it contents in your next post.