| 123sqn |
| (new user) |
| Wed Feb 06 2008 02:20 PM |
Popup problems
|
I have been getting popups and search engines coming at me from all directions. Please check my highjackthis file and see if you can find the problem.
My thanks.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:48:02, on 06/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\ArcSoft\PhotoImpression 5\PI Monitor.exe
C:\WINDOWS\system32\ntvdm.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [EPSON Stylus C46 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P23 "EPSON Stylus C46 Series" /O6 "USB001" /M "Stylus C46"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: PI Monitor.lnk = C:\Program Files\ArcSoft\PhotoImpression 5\PI Monitor.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {15AC034D-14DF-4AF8-9D02-29E1F56A8235} (Virgin Digital MusicNet Class) - http://www.virgindigital.co.uk/activeX/VirginWMA.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F11B7CF3-1652-4ACC-A2C8-0FA76E36D76D}: NameServer = 195.92.195.95 195.92.195.94
O22 - SharedTaskScheduler: cured - {7265100a-17e1-41bf-bd08-63b95a25a9c3} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
--
End of file - 9851 bytes
| bricat |
| (HijackThis Helper) |
| Wed Feb 06 2008 04:16 PM |
|
Re: Popup problems
|
Welcome to the Webuser forum.
* Please visit this webpage for instructions for downloading and running ComboFix:
This includes installing the Windows XP Recovery Console in case you have not installed it yet.
Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
| 123sqn |
| (new user) |
| Thu Feb 07 2008 11:35 AM |
|
Re: Popup problems
|
Heres my ComboFix log
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
And heres my new highjackthis file
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:30:15, on 07/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\ArcSoft\PhotoImpression 5\PI Monitor.exe
C:\WINDOWS\system32\ntvdm.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [EPSON Stylus C46 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P23 "EPSON Stylus C46 Series" /O6 "USB001" /M "Stylus C46"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: PI Monitor.lnk = C:\Program Files\ArcSoft\PhotoImpression 5\PI Monitor.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {15AC034D-14DF-4AF8-9D02-29E1F56A8235} (Virgin Digital MusicNet Class) - http://www.virgindigital.co.uk/activeX/VirginWMA.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F11B7CF3-1652-4ACC-A2C8-0FA76E36D76D}: NameServer = 195.92.195.95 195.92.195.94
O22 - SharedTaskScheduler: cured - {7265100a-17e1-41bf-bd08-63b95a25a9c3} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
--
End of file - 9571 bytes
| bricat |
| (HijackThis Helper) |
| Thu Feb 07 2008 01:36 PM |
|
|
|
Re: Popup problems
|
Double click combofix.exe & follow the prompts.
* When finished, it shall produce a log for you. Post that log in your next reply
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
| 123sqn |
| (new user) |
| Fri Feb 08 2008 10:21 AM |
|
Re: Popup problems
|
Heres my combofix file..........
ComboFix 08-02.05.3 - Nash 2008-02-08 10:01:54.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.58 [GMT 0:00]
Running from: C:\Documents and Settings\Nash\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Nash\Application Data\FunWebProducts
C:\Documents and Settings\Nash\Application Data\FunWebProducts\Data\Nash\avatar.dat
C:\Program Files\Helper
C:\Program Files\Video Add-on
C:\Program Files\Video Add-on\uninst.exe
.
((((((((((((((((((((((((( Files Created from 2008-01-08 to 2008-02-08 )))))))))))))))))))))))))))))))
.
2008-02-07 11:09 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-02-06 14:37 . 2008-02-06 14:37 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-06 13:47 . 2008-02-06 13:47 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-04 22:34 . 2008-02-04 22:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-04 22:33 . 2008-02-04 22:33 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-04 21:37 . 2008-02-04 21:42 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-02-04 16:49 . 2008-02-04 20:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-02-04 16:48 . 2008-02-04 16:48 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-02-04 16:48 . 2008-02-04 21:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-01-24 19:15 . 2008-01-24 19:27 <DIR> d-------- C:\Program Files\MadMagic
2008-01-11 14:11 . 2008-01-11 14:11 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-11 14:11 . 2008-01-11 14:11 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-10 09:29 . 2008-01-10 09:29 <DIR> d-------- C:\Documents and Settings\All Users\SonicStage
2008-01-10 09:15 . 2001-09-13 02:15 90,112 --------- C:\WINDOWS\snymsico.dll
2008-01-10 09:15 . 2002-08-08 15:51 38,951 --------- C:\WINDOWS\system32\drivers\NETMDUSB.sys
2008-01-10 09:15 . 2005-10-31 10:46 36,679 --------- C:\WINDOWS\system32\drivers\NETMD052.sys
2008-01-10 09:15 . 2003-11-10 12:31 36,232 --------- C:\WINDOWS\system32\drivers\NETMD033.sys
2008-01-10 09:15 . 2003-04-01 18:55 35,319 --------- C:\WINDOWS\system32\drivers\NETMD031.sys
2008-01-10 09:13 . 2008-01-10 09:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony Corporation
2008-01-10 09:12 . 2008-01-10 09:15 <DIR> d-------- C:\Program Files\Sony
2008-01-10 09:11 . 2008-01-10 09:15 <DIR> d-------- C:\Program Files\Common Files\Sony Shared
2008-01-10 09:11 . 2008-01-10 09:29 <DIR> d-------- C:\Documents and Settings\Nash\Application Data\Sony Corporation
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-08 10:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-02-04 23:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-04 21:42 --------- d-----w C:\Program Files\Web Wipe
2008-01-30 09:53 13,312 --s-a-w C:\WINDOWS\system32\ofcpi.dll
2008-01-19 10:05 --------- d-----w C:\Program Files\iMesh Applications
2008-01-18 15:50 --------- d-----w C:\Program Files\Google
2008-01-05 09:23 --------- d-----w C:\Program Files\Kontiki
2007-12-23 11:19 --------- d-----w C:\Program Files\AMT
2007-12-14 11:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-06-04 10:20 1,581 ----a-w C:\Program Files\Remote Assistance.lnk
2006-08-12 10:08 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2005-09-21 20:49 792 ----a-w C:\Program Files\Windows Media Player.lnk
2005-03-04 13:21 1,615 ----a-w C:\Program Files\Wanadoo Help.lnk
2005-03-02 15:09 738 ----a-w C:\Program Files\Outlook Express.lnk
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77701e16-9bfe-4b63-a5b4-7bd156758a37}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
"MessengerPlus3"="C:\Program Files\MessengerPlus! 3\MsgPlus.exe" [2006-05-02 16:04 190024]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-11-27 11:58 1032376]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2004-01-15 12:33 49152 C:\WINDOWS\system32\VTTimer.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-01-08 18:54 65536 C:\WINDOWS\SOUNDMAN.EXE]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 11:38 866816]
"EPSON Stylus C46 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.exe" [2004-01-13 18:00 99840]
"MessengerPlus3"="C:\Program Files\MessengerPlus! 3\MsgPlus.exe" [2006-05-02 16:04 190024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-12-20 20:54 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-02-09 16:49 155648]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-02-02 09:49 185896]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 13:00 79224]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-02-07 17:30 1115728]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 12:00 15360]
C:\Documents and Settings\Nash\Start Menu\Programs\Startup\
Event Reminder.lnk - C:\pmw\PMREMIND.EXE [1998-01-07 17:25:40 253520]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 03:44:06 29696]
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-11-29 18:55:44 569405]
PI Monitor.lnk - C:\Program Files\ArcSoft\PhotoImpression 5\PI Monitor.exe [2005-03-28 18:05:48 86016]
Windows Desktop Search.lnk - C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe [2005-09-20 17:10:04 238080]
R2 Machnm32;Machnm32 Driver;C:\WINDOWS\system32\Machnm32.sys [2004-07-26 11:44]
S0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys []
S2 Ca533av;Polaroid Digital Cam Video;C:\WINDOWS\system32\Drivers\Ca533av.sys [2002-10-20 20:37]
S3 Fadpu16E;Fadpu16E;C:\DOCUME~1\Nash\LOCALS~1\Temp\Fadpu16E.sys []
S3 JL2005;JL2005A Toy Camera;C:\WINDOWS\system32\Drivers\toywdm.sys []
S3 USBCamera;Icatch(IV) Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk533.sys [2002-07-24 20:19]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{200394a2-f592-11db-9314-000e50129f5a}]
\Shell\AutoRun\command - E:\LaunchU3.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ab2d89dc-ef4e-11db-9313-000e50129f5a}]
\Shell\AutoRun\command - E:\LaunchU3.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3e6dc9a-b148-11dc-9373-000272c53c80}]
\Shell\AutoRun\command - E:\start.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-08 10:04:27
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-02-08 10:05:37
ComboFix-quarantined-files.txt 2008-02-08 10:05:28
.
2008-01-09 03:02:31 --- E O F ---
| bricat |
| (HijackThis Helper) |
| Fri Feb 08 2008 12:16 PM |
|
|
|
Re: Popup problems
|
Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.
It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open *notepad* and copy/paste the text in the quotebox below into it:
Quote:
Killall::
File::
C:\WINDOWS\system32\ofcpi.dll
Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.
Refering to the picture above, drag CFScript.txt into ComboFix.exe
Restart your computer.
When finished, it shall produce a log for you at C:\ComboFix.txt
Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply please and
let me know how it is running.
*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall*
| 123sqn |
| (new user) |
| Sat Feb 09 2008 04:08 PM |
|
Re: Popup problems
|
Heres my new ComboFix log.
ComboFix 08-02.05.3 - Nash 2008-02-09 15:42:06.2 - NTFSx86
Running from: C:\Documents and Settings\Nash\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2008-01-09 to 2008-02-09 )))))))))))))))))))))))))))))))
.
2008-02-08 17:27 . 2008-02-08 17:27 <DIR> d-------- C:\Program Files\Common Files\Borland Shared
2008-02-08 17:26 . 2008-02-08 17:27 <DIR> d-------- C:\Program Files\dETAIL tECHNOLOGIES
2008-02-08 17:22 . 2008-02-08 17:22 <DIR> d-------- C:\TEMP\Pass
2008-02-07 11:09 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-02-06 14:37 . 2008-02-06 14:37 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-06 13:47 . 2008-02-06 13:47 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-04 22:34 . 2008-02-04 22:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-04 22:33 . 2008-02-04 22:33 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-04 21:37 . 2008-02-04 21:42 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-02-04 16:49 . 2008-02-04 20:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-02-04 16:48 . 2008-02-04 16:48 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-02-04 16:48 . 2008-02-04 21:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-01-24 19:15 . 2008-01-24 19:27 <DIR> d-------- C:\Program Files\MadMagic
2008-01-10 09:29 . 2008-01-10 09:29 <DIR> d-------- C:\Documents and Settings\All Users\SonicStage
2008-01-10 09:15 . 2001-09-13 02:15 90,112 --------- C:\WINDOWS\snymsico.dll
2008-01-10 09:15 . 2002-08-08 15:51 38,951 --------- C:\WINDOWS\system32\drivers\NETMDUSB.sys
2008-01-10 09:15 . 2005-10-31 10:46 36,679 --------- C:\WINDOWS\system32\drivers\NETMD052.sys
2008-01-10 09:15 . 2003-11-10 12:31 36,232 --------- C:\WINDOWS\system32\drivers\NETMD033.sys
2008-01-10 09:15 . 2003-04-01 18:55 35,319 --------- C:\WINDOWS\system32\drivers\NETMD031.sys
2008-01-10 09:13 . 2008-01-10 09:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony Corporation
2008-01-10 09:12 . 2008-01-10 09:15 <DIR> d-------- C:\Program Files\Sony
2008-01-10 09:11 . 2008-01-10 09:15 <DIR> d-------- C:\Program Files\Common Files\Sony Shared
2008-01-10 09:11 . 2008-01-10 09:29 <DIR> d-------- C:\Documents and Settings\Nash\Application Data\Sony Corporation
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-09 15:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-02-04 23:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-04 21:42 --------- d-----w C:\Program Files\Web Wipe
2008-01-30 09:53 13,312 --s-a-w C:\WINDOWS\system32\ofcpi.dll
2008-01-19 10:05 --------- d-----w C:\Program Files\iMesh Applications
2008-01-18 15:50 --------- d-----w C:\Program Files\Google
2008-01-05 09:23 --------- d-----w C:\Program Files\Kontiki
2007-12-23 11:19 --------- d-----w C:\Program Files\AMT
2007-12-14 11:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-06-04 10:20 1,581 ----a-w C:\Program Files\Remote Assistance.lnk
2006-08-12 10:08 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2005-09-21 20:49 792 ----a-w C:\Program Files\Windows Media Player.lnk
2005-03-04 13:21 1,615 ----a-w C:\Program Files\Wanadoo Help.lnk
2005-03-02 15:09 738 ----a-w C:\Program Files\Outlook Express.lnk
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77701e16-9bfe-4b63-a5b4-7bd156758a37}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
"MessengerPlus3"="C:\Program Files\MessengerPlus! 3\MsgPlus.exe" [2006-05-02 16:04 190024]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-11-27 11:58 1032376]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2004-01-15 12:33 49152 C:\WINDOWS\system32\VTTimer.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-01-08 18:54 65536 C:\WINDOWS\SOUNDMAN.EXE]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 11:38 866816]
"EPSON Stylus C46 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.exe" [2004-01-13 18:00 99840]
"MessengerPlus3"="C:\Program Files\MessengerPlus! 3\MsgPlus.exe" [2006-05-02 16:04 190024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-12-20 20:54 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-02-09 16:49 155648]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-02-02 09:49 185896]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 13:00 79224]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-02-07 17:30 1115728]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 12:00 15360]
C:\Documents and Settings\Nash\Start Menu\Programs\Startup\
Event Reminder.lnk - C:\pmw\PMREMIND.EXE [1998-01-07 17:25:40 253520]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 03:44:06 29696]
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-11-29 18:55:44 569405]
PI Monitor.lnk - C:\Program Files\ArcSoft\PhotoImpression 5\PI Monitor.exe [2005-03-28 18:05:48 86016]
Windows Desktop Search.lnk - C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe [2005-09-20 17:10:04 238080]
R2 Machnm32;Machnm32 Driver;C:\WINDOWS\system32\Machnm32.sys [2004-07-26 11:44]
S0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys []
S2 Ca533av;Polaroid Digital Cam Video;C:\WINDOWS\system32\Drivers\Ca533av.sys [2002-10-20 20:37]
S3 Fadpu16E;Fadpu16E;C:\DOCUME~1\Nash\LOCALS~1\Temp\Fadpu16E.sys []
S3 JL2005;JL2005A Toy Camera;C:\WINDOWS\system32\Drivers\toywdm.sys []
S3 USBCamera;Icatch(IV) Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk533.sys [2002-07-24 20:19]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{200394a2-f592-11db-9314-000e50129f5a}]
\Shell\AutoRun\command - E:\LaunchU3.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ab2d89dc-ef4e-11db-9313-000e50129f5a}]
\Shell\AutoRun\command - E:\LaunchU3.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3e6dc9a-b148-11dc-9373-000272c53c80}]
\Shell\AutoRun\command - E:\start.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-09 15:45:19
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\Program Files\ArcSoft\PhotoImpression 5\share\pihook.dll
.
Completion time: 2008-02-09 15:46:47
ComboFix-quarantined-files.txt 2008-02-09 15:46:42
ComboFix2.txt 2008-02-08 10:05:38
.
2008-01-09 03:02:31 --- E O F ---
Heres the Highjackthis file
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:02:13, on 09/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\ArcSoft\PhotoImpression 5\PI Monitor.exe
C:\WINDOWS\system32\ntvdm.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [EPSON Stylus C46 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P23 "EPSON Stylus C46 Series" /O6 "USB001" /M "Stylus C46"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: PI Monitor.lnk = C:\Program Files\ArcSoft\PhotoImpression 5\PI Monitor.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {15AC034D-14DF-4AF8-9D02-29E1F56A8235} (Virgin Digital MusicNet Class) - http://www.virgindigital.co.uk/activeX/VirginWMA.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F11B7CF3-1652-4ACC-A2C8-0FA76E36D76D}: NameServer = 195.92.195.95 195.92.195.94
O22 - SharedTaskScheduler: cured - {7265100a-17e1-41bf-bd08-63b95a25a9c3} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
--
End of file - 9498 bytes
| bricat |
| (HijackThis Helper) |
| Sat Feb 09 2008 07:35 PM |
|
|
|
Re: Popup problems
|
Quote:
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
unfortunately something has stopped combofix from removing that file, can you try my last instructions again, making sure all of your security programs are disabled.
| 123sqn |
| (new user) |
| Mon Feb 11 2008 03:41 PM |
|
Re: Popup problems
|
I have taken over this task from my son as it is his PC but he does not have enough time on his hands to persue this problem. I have read through all the instructions from the begining so I am fully aware of what has been done.
I did as you have suggested but I am getting a box saying.......
Were you trying to run CFScript?
The name CFScript appears to be incorrectly spelt.
What am I doing wrong?
Thanks.... 'Dad'
| bricat |
| (HijackThis Helper) |
| Mon Feb 11 2008 04:06 PM |
|
|
|
Re: Popup problems
|
are you sure the notepad has been named CFScript.txt
check for any spelling errors.
| 123sqn |
| (new user) |
| Mon Feb 11 2008 05:20 PM |
|
Re: Popup problems
|
Done!!....File was named wrong.
Combofix log......
ComboFix 08-02.05.3 - Nash 2008-02-11 17:01:42.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.70 [GMT 0:00]
Running from: C:\Documents and Settings\Nash\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Nash\Desktop\CFScript.exe
* Created a new restore point
FILE
C:\WINDOWS\system32\ofcpi.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\ofcpi.dll
.
((((((((((((((((((((((((( Files Created from 2008-01-11 to 2008-02-11 )))))))))))))))))))))))))))))))
.
2008-02-11 16:44 . 2008-02-11 17:08 153,632 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-11 16:44 . 2008-02-11 17:05 2,732 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-11 16:41 . 2008-02-11 16:41 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-02-11 16:39 . 2008-02-11 16:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-02-11 16:39 . 2008-02-11 16:42 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-02-11 16:38 . 2008-02-11 16:38 <DIR> d-------- C:\Program Files\Zone Labs
2008-02-11 16:37 . 2008-02-11 17:08 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-02-11 16:13 . 2008-02-11 16:13 139,008 --a------ C:\WINDOWS\system32\guard32.dll
2008-02-11 16:13 . 2008-02-11 16:13 83,064 --a------ C:\WINDOWS\system32\drivers\cmdGuard.sys
2008-02-11 16:13 . 2008-02-11 16:13 23,800 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-02-09 18:29 . 2008-02-09 18:29 <DIR> d-------- C:\Documents and Settings\Nash\Application Data\Uniblue
2008-02-09 15:29 . 2004-08-04 12:00 388,608 --a------ C:\kmd.exe
2008-02-08 17:27 . 2008-02-08 17:27 <DIR> d-------- C:\Program Files\Common Files\Borland Shared
2008-02-08 17:26 . 2008-02-08 17:27 <DIR> d-------- C:\Program Files\dETAIL tECHNOLOGIES
2008-02-08 17:22 . 2008-02-08 17:22 <DIR> d-------- C:\TEMP\Pass
2008-02-07 11:09 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-02-06 14:37 . 2008-02-06 14:37 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-06 13:47 . 2008-02-06 13:47 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-04 22:34 . 2008-02-04 22:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-04 22:33 . 2008-02-04 22:33 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-04 21:37 . 2008-02-04 21:42 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-02-04 16:49 . 2008-02-04 20:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-02-04 16:48 . 2008-02-04 16:48 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-02-04 16:48 . 2008-02-04 21:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-01-24 19:15 . 2008-01-24 19:27 <DIR> d-------- C:\Program Files\MadMagic
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-11 17:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-02-11 16:13 --------- d-----w C:\Program Files\Comodo
2008-02-11 16:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Comodo
2008-02-04 23:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-04 21:42 --------- d-----w C:\Program Files\Web Wipe
2008-01-19 10:05 --------- d-----w C:\Program Files\iMesh Applications
2008-01-18 15:50 --------- d-----w C:\Program Files\Google
2008-01-10 09:29 --------- d-----w C:\Documents and Settings\Nash\Application Data\Sony Corporation
2008-01-10 09:15 --------- d-----w C:\Program Files\Sony
2008-01-10 09:15 --------- d-----w C:\Program Files\Common Files\Sony Shared
2008-01-10 09:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony Corporation
2008-01-05 09:23 --------- d-----w C:\Program Files\Kontiki
2007-12-23 11:19 --------- d-----w C:\Program Files\AMT
2007-11-14 16:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-06-04 10:20 1,581 ----a-w C:\Program Files\Remote Assistance.lnk
2006-08-12 10:08 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2005-09-21 20:49 792 ----a-w C:\Program Files\Windows Media Player.lnk
2005-03-04 13:21 1,615 ----a-w C:\Program Files\Wanadoo Help.lnk
2005-03-02 15:09 738 ----a-w C:\Program Files\Outlook Express.lnk
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-02-11 16:41 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{8B68564D-53FD-4293-B80C-993A9F3988EE}
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}
[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-02-11 16:41 262144]
[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
"MessengerPlus3"="C:\Program Files\MessengerPlus! 3\MsgPlus.exe" [2006-05-02 16:04 190024]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-11-27 11:58 1032376]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SWHelper"="C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe" [2008-02-11 13:14 53248]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2004-01-15 12:33 49152 C:\WINDOWS\system32\VTTimer.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-01-08 18:54 65536 C:\WINDOWS\SOUNDMAN.EXE]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 11:38 866816]
"EPSON Stylus C46 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.exe" [2004-01-13 18:00 99840]
"MessengerPlus3"="C:\Program Files\MessengerPlus! 3\MsgPlus.exe" [2006-05-02 16:04 190024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-12-20 20:54 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-02-09 16:49 155648]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-02-02 09:49 185896]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 13:00 79224]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 12:00 15360]
C:\Documents and Settings\Nash\Start Menu\Programs\Startup\
Event Reminder.lnk - C:\pmw\PMREMIND.EXE [1998-01-07 17:25:40 253520]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 03:44:06 29696]
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-11-29 18:55:44 569405]
PI Monitor.lnk - C:\Program Files\ArcSoft\PhotoImpression 5\PI Monitor.exe [2005-03-28 18:05:48 86016]
Windows Desktop Search.lnk - C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe [2005-09-20 17:10:04 238080]
R2 Machnm32;Machnm32 Driver;C:\WINDOWS\system32\Machnm32.sys [2004-07-26 11:44]
S0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys []
S2 Ca533av;Polaroid Digital Cam Video;C:\WINDOWS\system32\Drivers\Ca533av.sys [2002-10-20 20:37]
S3 Fadpu16E;Fadpu16E;C:\DOCUME~1\Nash\LOCALS~1\Temp\Fadpu16E.sys []
S3 JL2005;JL2005A Toy Camera;C:\WINDOWS\system32\Drivers\toywdm.sys []
S3 USBCamera;Icatch(IV) Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk533.sys [2002-07-24 20:19]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{200394a2-f592-11db-9314-000e50129f5a}]
\Shell\AutoRun\command - E:\LaunchU3.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ab2d89dc-ef4e-11db-9313-000e50129f5a}]
\Shell\AutoRun\command - E:\LaunchU3.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3e6dc9a-b148-11dc-9373-000272c53c80}]
\Shell\AutoRun\command - E:\start.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-11 17:08:27
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\Program Files\ArcSoft\PhotoImpression 5\share\pihook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ntvdm.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
.
**************************************************************************
.
Completion time: 2008-02-11 17:14:19 - machine was rebooted [Nash]
ComboFix-quarantined-files.txt 2008-02-11 17:14:11
ComboFix2.txt 2008-02-09 15:46:47
ComboFix3.txt 2008-02-08 10:05:38
.
2008-01-09 03:02:31 --- E O F ---
Highjackthis log.....
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:16:20, on 11/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\ArcSoft\PhotoImpression 5\PI Monitor.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [EPSON Stylus C46 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P23 "EPSON Stylus C46 Series" /O6 "USB001" /M "Stylus C46"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\RunOnce: [SWHelper] "C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe" 1014020
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: PI Monitor.lnk = C:\Program Files\ArcSoft\PhotoImpression 5\PI Monitor.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {15AC034D-14DF-4AF8-9D02-29E1F56A8235} (Virgin Digital MusicNet Class) - http://www.virgindigital.co.uk/activeX/VirginWMA.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F11B7CF3-1652-4ACC-A2C8-0FA76E36D76D}: NameServer = 195.92.195.95 195.92.195.94
O22 - SharedTaskScheduler: cured - {7265100a-17e1-41bf-bd08-63b95a25a9c3} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 9916 bytes
Thanks.
| bricat |
| (HijackThis Helper) |
| Mon Feb 11 2008 07:17 PM |
|
|
|
Re: Popup problems
|
that looks clean now.
DISABLE SYSTEM RESTORE
To flush out infected restore points.
Then restart your system restore.(same page).then create a new restore point :-
click START\ALL PROGRAMS\ACCESSORIES\SYSTEM TOOLS\SYSTEM RESTORE. click on "create new restore point"
click on NEXT and follow the prompts.
this is to ensure that if you have to do a system restore in the future that you don't get all the infections reinstalled again.
Then :-
Download and scan with CCleaner
- Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free or Slim versions instead of the Standard Build. - Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
Then select "Cookies"
Move any cookies you wish to retain, e.g. login cookies, in the left-hand window to the right-hand window by highlighting them and clicking the right arrow in the centre. - Then select the items you wish to clean up.
In the Windows Tab:
• Clean all entries in the "Internet Explorer" section.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.
In the Applications Tab:
• Clean all entries in the Mozilla Firefox Section.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose. - Click the "Run Cleaner" button.
- A pop up box will appear advising this process will permanently delete files from your system.
- Click "OK" and it will scan and clean your system.
- Click "exit" when done.
then DEFRAG your C:\ drive.
to help speed up your system.
then let us know how the computer is running.
HOW DID I GET INFECTED
| Evacuee |
| (regular) |
| Wed Feb 13 2008 04:27 PM |
|
Re: Popup problems
|
Hi Bricat....I see that my son has not been back to you.
All is okay now and thanks for your efforts.
I loaded CCleaner. Spybot and Firefox for him so perhaps he will not get so much trouble.
| bricat |
| (HijackThis Helper) |
| Wed Feb 13 2008 06:43 PM |
|
|
|
Re: Popup problems
|
Happy to help.