Read this topic before posting a log.
DO NOT post a ComboFix log unless requested to.
Only members of the HijackThis Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.
When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.
Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
May 13 2008, 01:58 PM, Post #1
New Member (Group: Members, Posts: 6, Joined: 13-May 08, Member No.: 208,745)
Hope someone can help. I have been invaded by pop-ups in the last 2 days... none before... probably something I unzipped from LimeWire. Dumb, I know. I've run Spybot and Ad-Aware to no avail. Here is my HijackThis log file from today. Thanks, Mark
Attached File(s)
May 14 2008, 01:29 AM, Post #2
Malware Killer Dog (Group: HJT Team, Posts: 15,009, Joined: 18-February 05, From: Belgium, Member No.: 12,408)
Hi,

I understand that you need help in order to get rid of the malware that is present on your system, but you need to help us first. I notice that you never scanned with an antivirus before starting this thread, because you don't even have an antivirus installed! This is somewhat suicidal in today's digital world. That's why I want you to install one first!!

* Please install Avira Antivirus: http://www.free-av.com/
This is a free antivirus. Perform a full scan with Avira and let it delete everything it is finding. Then reboot.
After reboot, open your Avira and select "Reports". There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.

Then we'll start from there, because it really makes no sense otherwise that we clean this up manually if an antivirus scanner is not present which should be able to deal with most of it and prevent further reinfection.

Also, please do not attach your logs, but copy and paste them in the thread instead.

--------------------
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here! Asking for help via Private Message or Mail will be ignored - So if you need help, post your problem in the forum.
May 17 2008, 11:28 AM, Post #3
New Member (Group: Members, Posts: 6, Joined: 13-May 08, Member No.: 208,745)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:24:52 AM, on 5/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\1142528435\ee\aolsoftware.exe
C:\Program Files\Common Files\AOL\1142528435\ee\aolsoftware.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\MARK\STARTM~1\Programs\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [windowmess] C:\DOCUME~1\MARK\APPLIC~1\REMOTE~1\DupePileCdrom.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll (file missing)
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1127163068921
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O24 - Desktop Component 0: (no name) - http://fantasygames.mlb.com/images/crs/spl...b_teamlogos.gif

--
End of file - 9011 bytes

I tried to post the AntiVir log but it was way too long, with lots of detections that were quarantined. Ran the scan again the next day with no detections, but still getting pop-ups. Thanks, Mark

This post has been edited by REINOMARK: May 17 2008, 11:32 AM
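The O4 lines in the log above are the autorun entries a helper reads first. The following is an added example, not code from this thread or from HijackThis: a small Python triage pass that parses O4 Run lines and applies two heuristics of my own (a core Windows binary name such as svchost.exe running from outside C:\WINDOWS\system32, and an autorun target under a user's Application Data folder). The sample lines are copied from the log above; the heuristics are assumptions, not a signature for any particular malware.

```python
"""Triage of HijackThis O4 (autorun) lines.

Added example for this thread, not part of the original posts or of HijackThis.
Two heuristics (both assumptions of this example, not a malware signature):
  1. an executable named like a core Windows binary (svchost.exe, lsass.exe, ...)
     whose directory is not the Windows system directory;
  2. an autorun whose target lives under a user's Application Data folder.
"""
import re

# Entries copied from the first HijackThis log in this thread: a few ordinary
# lines plus the two a helper would single out.
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe",
    r"O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe",
    r'O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min',
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKCU\..\Run: [windowmess] C:\DOCUME~1\MARK\APPLIC~1\REMOTE~1\DupePileCdrom.exe",
    r"O4 - Global Startup: Microsoft Office.lnk = C:\Office10\OSA.EXE",
]

# Windows binaries that have no business starting from anywhere but system32.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "smss.exe", "spoolsv.exe"}
SYSTEM_DIR = r"c:\windows\system32"

O4_RUN = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First token ending in .exe, quoted or not; HijackThis prints the value as stored,
# so unquoted paths with spaces (see smax4pnp.exe above) are common.
EXE_PATH = re.compile(r'^"?(?P<path>.*?\.exe)', re.IGNORECASE)


def executable_path(cmd):
    """Return the executable part of a Run command line, without quotes or arguments."""
    m = EXE_PATH.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def parse_o4(line):
    """Return (hive, entry name, command) for an O4 Run line, or None for other O4 forms."""
    m = O4_RUN.match(line)
    return (m.group("hive"), m.group("name"), m.group("cmd")) if m else None


def reasons_for(path):
    """List the heuristic findings for one autorun target path (empty list = clean)."""
    p = path.lower()
    directory, _, base = p.rpartition("\\")
    found = []
    if base in SYSTEM_BINARIES and directory != SYSTEM_DIR:
        found.append("system binary name outside %s" % SYSTEM_DIR)
    # Long and 8.3 spellings of the per-user profile folder.
    if "\\application data\\" in directory or "\\applic~1\\" in directory:
        found.append("autorun target under a user profile's Application Data")
    return found


def triage(lines):
    """Return [(entry name, path, reasons)] for O4 Run lines that trip a heuristic."""
    hits = []
    for line in lines:
        parsed = parse_o4(line)
        if not parsed:
            continue
        _, name, cmd = parsed
        path = executable_path(cmd)
        reasons = reasons_for(path)
        if reasons:
            hits.append((name, path, reasons))
    return hits


if __name__ == "__main__":
    for name, path, reasons in triage(SAMPLE_O4_LINES):
        print("[%s] %s\n    %s" % (name, path, "; ".join(reasons)))
```

Run against the sample lines it flags exactly two entries: [Host Process] C:\WINDOWS\Fonts\svchost.exe (a system binary name in the Fonts folder) and [windowmess] ...\DupePileCdrom.exe (an autorun out of the user's Application Data, which is the file the helper's uninstall command in the next reply targets). Everything else in the log passes both checks, which is the point of a triage pass: narrow a long log to the lines worth a human's attention, not decide on its own.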
May 17 2008, 11:47 AM, Post #4
Malware Killer Dog (Group: HJT Team, Posts: 15,009, Joined: 18-February 05, From: Belgium, Member No.: 12,408)
Hello,

QUOTE: I tried to post the AntiVir log but it was way too long, with lots of detections that were quarantined. Ran the scan again the next day with no detections, but still getting pop-ups.

Please upload the logfile from Avira here: http://www.bleepingcomputer.com/submit-malware.php?channel=8

Then, go to Start > Control Panel > Software > Add/Remove Programs and look if you have one or more of the next programs installed, and uninstall them:

Messenger Plus! Live & Sponsor (CiD)
DivoCodec
Bitroll
Bitgrabber
Bitdownload
Get-Torrent
CiD Help / CiD Manager
Download Plugin for Internet Explorer
Netpumper
Search Plugin
Torrent101
WinZix
W3player
Zone Media

This is because they are bundled with the malware you are dealing with (Swizzor, aka Lop). This will uninstall the malware application.
In case, during uninstall, you are asked for the uninstall verification, please enter the numbers that will appear in the window.
In case it says that the file was not found, double-check again if you entered the exact command. If still the same, proceed with the next steps.

In case you can't find them,
* Go to Start > Run and copy and paste the next command below in the field (please make sure you copy and paste it exactly as you'll find below):
"C:\DOCUME~1\MARK\APPLIC~1\REMOTE~1\DupePileCdrom.exe" -uninstall
Hit Enter.

Then reboot.

Important! After reboot,
* Download Deljob.exe and save it on your desktop.
Double-click Deljob.exe. A log (logit.txt) should open afterwards. This log will be present on your desktop.
Post the contents of the logfile in your next reply together with a new HijackThis log.
May 17 2008, 08:16 PM, Post #5
New Member (Group: Members, Posts: 6, Joined: 13-May 08, Member No.: 208,745)
OK, I think that did it. Found the CiD Help program and deleted it. Here are the other logs you requested.
Thanks so much, Mark

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:11:20 PM, on 5/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Common Files\AOL\1142528435\ee\aolsoftware.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Common Files\AOL\1142528435\ee\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\MARK\STARTM~1\Programs\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll (file missing)
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1127163068921
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O24 - Desktop Component 0: (no name) - http://fantasygames.mlb.com/images/crs/spl...b_teamlogos.gif

--
End of file - 8898 bytes

--------------------------------------------------------
No LOP job-files found
--------------------------------------------------------
Files in Windows Tasks folder
AppleSoftwareUpdate.job
McAfee.com Scan for Viruses - My Computer (MAIN-MARK).job
--------------------------------------------------------
Export App Data folders
--------------------------------------------------------
Volume in drive C has no label.
Volume Serial Number is 9CA3-D5A4

Directory of C:\Documents and Settings\MARK\Application Data

05/17/2008 05:38 PM <DIR> .
05/17/2008 05:38 PM <DIR> ..
03/07/2006 10:35 AM <DIR> BITTOR~1 .bittorrent
01/07/2008 05:52 PM <DIR> Adobe
02/22/2007 01:04 AM <DIR> AdobeUM
08/09/2006 09:22 AM <DIR> AOL
10/13/2006 07:53 AM <DIR> APPLEC~1 Apple Computer
02/22/2007 01:03 AM <DIR> ArcSoft
01/03/2008 11:17 PM <DIR> Corel
05/21/2006 03:29 PM <DIR> Creative
01/11/2006 12:01 AM <DIR> DIMAGE
09/23/2005 09:34 PM <DIR> EuroTalk
09/23/2006 04:32 PM <DIR> Google
03/02/2008 05:47 PM <DIR> GTek
10/22/2005 12:33 PM <DIR> Help
03/08/2007 09:11 AM <DIR> ICACLI~1 ICAClient
03/10/2005 06:48 AM <DIR> IDENTI~1 Identities
10/27/2007 01:26 AM <DIR> IMAGEZ~1 Image Zone Express
03/10/2005 07:20 AM <DIR> JASCSO~1 Jasc Software Inc
05/22/2005 10:08 PM <DIR> LEADER~1 Leadertech
07/10/2005 05:08 PM <DIR> MACROM~1 Macromedia
12/06/2007 07:34 PM <DIR> MAGIX
04/17/2005 11:29 PM <DIR> MCAFEE~1.COM McAfee.com Personal Firewall
01/26/2007 06:46 PM <DIR> MICROS~1 Microsoft
01/21/2008 08:29 PM <DIR> MOVENE~1 Move Networks
10/27/2005 10:07 AM <DIR> Mozilla
11/15/2007 07:27 AM <DIR> Real
06/12/2006 01:47 AM <DIR> REGIST~1 Registry Booster
12/01/2007 09:45 PM <DIR> Snapfish
05/22/2005 10:10 PM <DIR> Sonic
03/10/2005 07:16 AM <DIR> Sun
10/27/2005 10:07 AM <DIR> Talkback
03/13/2008 01:45 PM <DIR> TaxCut
10/27/2005 10:08 AM <DIR> THUNDE~1 Thunderbird
01/07/2008 11:53 AM <DIR> ULEADS~1 Ulead Systems
01/19/2007 05:56 PM <DIR> VIEWPO~1 Viewpoint
04/30/2006 10:33 AM <DIR> YOU'VE~1 You've Got Pictures Screensaver
0 File(s) 0 bytes
37 Dir(s) 46,028,079,104 bytes free

Volume in drive C has no label.
Volume Serial Number is 9CA3-D5A4

Directory of C:\Documents and Settings\All Users\Application Data

05/14/2008 12:18 AM <DIR> .
05/14/2008 12:18 AM <DIR> ..
10/24/2006 06:37 PM <DIR> AOL
09/15/2007 09:21 PM <DIR> AOLDOW~1 AOL Downloads
09/15/2007 09:21 PM <DIR> AOLOCP~1 AOL OCP
02/24/2008 02:45 PM <DIR> Apple
10/05/2006 08:55 PM <DIR> APPLEC~1 Apple Computer
05/14/2008 12:18 AM <DIR> Avira
01/03/2008 11:04 PM <DIR> Corel
10/17/2006 02:55 PM <DIR> Google
05/17/2008 05:38 PM <DIR> GREATC~1 great coal love default
03/02/2008 05:48 PM <DIR> GTek
08/14/2007 11:05 AM <DIR> HP
03/10/2005 07:20 AM <DIR> INSTAL~1 InstallShield
03/10/2005 07:25 AM <DIR> Intuit
11/03/2007 10:11 AM <DIR> McAfee.com
06/06/2005 10:04 AM <DIR> MCAFEE~1.COM McAfee.com Personal Firewall
11/15/2007 08:13 AM <DIR> MICROS~1 Microsoft
03/23/2007 07:24 PM <DIR> pdf995
03/02/2008 10:29 AM <DIR> PURENE~1 Pure Networks
04/18/2005 01:12 AM <DIR> QUICKT~1 QuickTime
03/10/2005 06:48 AM <DIR> SBSI
06/13/2006 07:00 AM <DIR> SPYBOT~1 Spybot - Search & Destroy
03/13/2008 01:43 PM <DIR> TaxCut
05/15/2008 08:49 AM <DIR> TEMP
01/31/2008 06:59 PM <DIR> ULEADS~1 Ulead Systems
02/22/2007 01:01 AM <DIR> VIEWPO~1 Viewpoint
09/19/2005 01:53 PM <DIR> WINDOW~1 Windows Genuine Advantage
0 File(s) 0 bytes
28 Dir(s) 46,028,075,008 bytes free
--------------------------------------------------------
All User Accounts
--------------------------------------------------------
All Users
CASEY
JULIE
MARK
MAX
--------------------------------------------------------
May 18 2008, 01:00 AM, Post #6
Malware Killer Dog (Group: HJT Team, Posts: 15,009, Joined: 18-February 05, From: Belgium, Member No.: 12,408)
Hi,

Did you read this?

QUOTE: Please upload the logfile from Avira here: http://www.bleepingcomputer.com/submit-malware.php?channel=8

Also, since other malware is present in your log, most probably leftovers, I want to make sure that this infection is gone as well, so..

* Please visit this webpage for instructions for downloading and running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
May 22 2008, 11:54 PM, Post #7
New Member (Group: Members, Posts: 6, Joined: 13-May 08, Member No.: 208,745)
Thanks miekiemoes,
I posted the two new logs on the link you provided.
Mark
May 23 2008, 12:00 AM, Post #8
Malware Killer Dog (Group: HJT Team, Posts: 15,009, Joined: 18-February 05, From: Belgium, Member No.: 12,408)
Hi,

You uploaded your HijackThis log. So please reread my instructions again. You had to upload the log from Avira and perform a scan with ComboFix, and copy and paste the ComboFix log in your next reply.
May 23 2008, 01:12 AM, Post #9
New Member (Group: Members, Posts: 6, Joined: 13-May 08, Member No.: 208,745)
Sorry, thought I copied both...
Here's the ComboFix log.
Thx, Mark

ComboFix 08-05-21.3 - MARK 2008-05-22 14:15:31.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.228 [GMT -7:00]
Running from: C:\Documents and Settings\MARK\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\MARK\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
 * Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Mozilla Firefox\plugins\npclntax.dll
C:\Program Files\winupdates
C:\WINDOWS\Fonts\'
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\tracert.com
.
((((((((((((((((((((((((( Files Created from 2008-04-22 to 2008-05-22 )))))))))))))))))))))))))))))))
.
2008-05-22 08:23 . 2008-05-22 08:23 40 --a------ C:\WINDOWS\webica.ini
2008-05-17 09:24 . 2008-05-17 09:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-14 00:18 . 2008-05-14 00:18 <DIR> d-------- C:\Program Files\Avira
2008-05-14 00:18 . 2008-05-14 00:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-05-13 13:36 . 2008-05-13 13:36 <DIR> d-------- C:\Program Files\InterMute
2008-05-13 09:03 . 2008-05-13 23:53 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-13 09:03 . 2008-05-22 14:07 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-11 09:07 . 2008-05-11 09:07 147,456 --a------ C:\WINDOWS\SYSTEM32\vbzip10.dll
2008-05-11 09:05 . 2008-05-17 17:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\great coal love default
2008-05-11 09:04 . 2008-05-11 09:19 <DIR> d-------- C:\Program Files\BitDownload
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-18 17:30 119,496 ----a-w C:\Documents and Settings\MARK\Application Data\GDIPFONTCACHEV1.DAT
2008-05-17 06:29 --------- d-----w C:\Program Files\Dell
2008-05-17 06:26 --------- d--h--w C:\Documents and Settings\MARK\Application Data\Move Networks
2008-05-14 07:31 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-01 05:31 9,728 -csha-w C:\Program Files\Thumbs.db
2008-04-29 16:32 --------- d-----w C:\Program Files\America Online 9.0a
2008-04-11 23:17 --------- d-----w C:\Documents and Settings\MAX\Application Data\Gtek
2008-04-01 18:24 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-26 12:31 --------- d-----w C:\Documents and Settings\JULIE\Application Data\Gtek
2007-09-25 07:22 35,704 ----a-w C:\Documents and Settings\MARK\Application Data\wklnhst.dat
2007-05-29 05:04 545,752 -c--a-w C:\Program Files\sgc10_rdr80_DLM_en_US.exe
2007-05-04 03:36 559,856 -c--a-w C:\Program Files\WindowsXP-KB906569-v2-x86-ENU.exe
2006-08-19 05:35 534,112 -c--a-w C:\Program Files\psa30se_ytb612_a708_DLM_en_us.exe
2006-08-01 06:08 100,288 ----a-w C:\Documents and Settings\MAX\Application Data\GDIPFONTCACHEV1.DAT
2006-06-05 02:27 11,078 ----a-w C:\Documents and Settings\JULIE\Application Data\wklnhst.dat
2006-06-04 04:13 2,126 -c--a-w C:\Documents and Settings\CASEY\Application Data\wklnhst.dat
2006-06-04 04:10 99,504 -c--a-w C:\Documents and Settings\CASEY\Application Data\GDIPFONTCACHEV1.DAT
2006-06-02 02:16 2,990 ----a-w C:\Documents and Settings\MAX\Application Data\wklnhst.dat
2006-05-30 01:02 99,504 ----a-w C:\Documents and Settings\JULIE\Application Data\GDIPFONTCACHEV1.DAT
2005-12-02 20:53 20,921,040 -c--a-w C:\Program Files\AdbeRdr705_enu_full.exe
2005-10-27 17:05 4,878,136 -c--a-w C:\Program Files\Firefox Setup 1.0.7.exe
2005-10-27 17:04 6,034,480 -c--a-w C:\Program Files\Thunderbird Setup 1.0.7.exe
2005-10-04 15:17 353,298 -c--a-w C:\Program Files\LimeWireWin.exe
2005-09-01 17:09 10,420,936 -c--a-w C:\Program Files\xlviewer.exe
2005-06-02 00:42 7,170,500 -c--a-w C:\Program Files\atlas.rcf
2005-06-02 00:12 4,914 -c--a-w C:\Program Files\DeIsL1.isu
2005-04-09 06:37 4,985,856 -c--a-w C:\Program Files\DellPSPA521Patch_English.exe
2000-02-23 10:38 14,483 -c--a-w C:\Program Files\readme.txt
1998-08-20 16:50 804,352 -c--a-w C:\Program Files\roadie32.dll
1998-06-24 14:43 46,080 -c--a-w C:\Program Files\teaser.exe
1997-06-03 03:31 108,032 -c--a-w C:\Program Files\sh32w32.dll
1997-05-07 15:41 666,112 -c--a-w C:\Program Files\rwmath32.exe
1997-05-07 15:39 54,272 -c--a-w C:\Program Files\atmsg32.dll
1997-05-05 18:23 42,496 -c--a-w C:\Program Files\cport32.dll
1997-05-05 12:59 436,224 -c--a-w C:\Program Files\atres32.dll
1997-04-24 14:36 85,504 -c--a-w C:\Program Files\atsnd32.dll
1997-04-21 12:24 766 -c--a-w C:\Program Files\Website.ico
1997-04-10 09:23 316 -c--a-w C:\Program Files\teaser.ini
1997-04-08 17:25 83,968 -c--a-w C:\Program Files\atfio32.dll
1997-02-28 16:05 99,478 -c--a-w C:\Program Files\teaser.bmp
1997-02-26 14:30 766 -c--a-w C:\Program Files\UNRWM.ico
1997-02-26 14:14 766 -c--a-w C:\Program Files\RWM.ico
1997-01-09 18:51 54,784 -c--a-w C:\Program Files\atmidi32.dll
1996-06-17 16:14 266,240 -c--a-w C:\Program Files\msvcrt.dll
1996-06-14 21:20 74,752 -c--a-w C:\Program Files\msvcirt.dll
2008-01-04 06:17 848 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 06:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-17 13:18 68856]
"FreeRAM XP"="C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-23 01:13 1591808]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 18:16 454784]
"AOL Fast Start"="C:\Program Files\America Online 9.0a\AOL.exe" [2005-07-25 22:30 50776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42 1404928]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 01:05 122939]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 02:50 204800]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]
"Corel Photo Downloader"="C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2007-08-16 13:00 531272]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 20:50:52 53248]
Microsoft Office.lnk - C:\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe
Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager] --a------ 2006-09-25 17:52 50736 C:\Program Files\Common Files\AOL\1142528435\ee\AOLSoftware.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update] --a------ 2004-09-13 16:49 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] --a------ 2008-02-19 14:10 267048 C:\Program Files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoUpdate] --a------ 2006-11-16 13:42 183367 C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] --a------ 2007-09-25 02:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] --a------ 2007-06-17 13:18 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\WINDOWS\\SYSTEM32\\USMT\\MIGWIZ.EXE"= "C:\\Program Files\\America Online 9.0\\waol.exe"= "C:\\StubInstaller.exe"= "C:\\Program Files\\LimeWire\\LimeWire 4.0.4\\LimeWire.exe"= "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"= "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"= "C:\\Program Files\\America Online 9.0a\\waol.exe"= "C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"= "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "C:\\Program Files\\Common Files\\AOL\\1142528435\\ee\\aolsoftware.exe"= "C:\\Program Files\\Common Files\\AOL\\1142528435\\ee\\aim6.exe"= "C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"= "C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"= "C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"= "C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"= "C:\\WINDOWS\\SYSTEM32\\DPVSETUP.EXE"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"= "C:\\Program Files\\Common Files\\AOL\\1142528435\\ee\\AOLOpenRide.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009 "67:UDP"= 67:UDP:DHCP Discovery Service S3 RIOUNIV;Rio universal USB driver;C:\WINDOWS\system32\Drivers\RIOUNIV.sys [2005-07-04 16:38] S3 RmAx;RMAXUSB;C:\WINDOWS\system32\Drivers\RmAx.sys [2005-09-04 18:42] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D] \Shell\AutoRun\command - D:\setup.exe . 
Contents of the 'Scheduled Tasks' folder "2008-05-18 06:53:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe "2008-05-17 01:30:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (MAIN-MARK).job" - c:\program files\mcafee.com\vso\mcmnhdlr.exe . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-05-22 14:25:20 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . ------------------------ Other Running Processes ------------------------ . C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe C:\WINDOWS\SYSTEM32\FXSSVC.EXE C:\Program Files\America Online 9.0a\waol.exe C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe C:\Program Files\America Online 9.0a\shellmon.exe . 
************************************************************************** Completion time: 2008-05-22 14:41:13 - machine was rebooted [MARK] ComboFix-quarantined-files.txt 2008-05-22 21:41:09 Pre-Run: 45,872,287,744 bytes free Post-Run: 46,482,305,024 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptOut C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons 207 --- E O F --- 2008-05-16 00:44:47 |
May 23 2008, 06:27 PM, Post #10
Malware Killer Dog (Group: HJT Team, Posts: 15,009, Joined: 18-February 05, From: Belgium, Member No.: 12,408)
Hi,
What problems are you currently still having?