Cid Pop Ups I Cannot Rid Of


7 replies to this topic

#1 arthur5221

arthur5221

  • Members
  • 7 posts

Posted 22 July 2007 - 11:35 PM

Okay, all I know that happened was I got sick and my computer sat idle for about 4 days. Not a soul touched it. I am the only person with the access passwords, which is how I know this, and I was not on the computer for a single moment while I was sick. Anyway, I come back to my computer when I feel better, and when I open the Firefox browser I get some pop-up titled "CiD", and I figured it was a fluke... then a few moments later I get another one... then another... then another, and so on. I have tried getting rid of it on my own, but I am not very good with getting rid of / preventing this stuff. A person from another web forum told me this was a great place if I wanted serious help from mature adults. So thanks for any help that can be provided. This is the whole document that HijackThis gave me. Hopefully all that needs to be there is. I followed the instructions on posting for help with these things. I hope I didn't somehow miss something. Thanks again to anyone who can help me.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:27:47 AM, on 7/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [Pure Team Open Exit] C:\Documents and Settings\All Users\Application Data\Option Camp Pure Team\obj audio.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Pinnacle Game Profiler] "C:\Program Files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle.exe" -atboottime
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5775 bytes



#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 23 July 2007 - 04:49 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum arthur5221 :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Click on Start>Control Panel>Add/Remove Programs.
Uninstall/remove any of the following programs if listed:
Netpumper
Bitroll
Bitgrabber
Bitdownload
Torrent101
CiD Help / CiD Manager
Download Plugin for Internet Explorer
Search Plugin
WinZix
Zone Media

This is because they are often bundled with the malware you are dealing with.
Don't worry if none of them are present.
If you removed any of them please restart your pc.

******************************

Download NoLop.exe to your desktop.

* First close any other programs you have running as this will require a reboot.
* Double click NoLop.exe to run it.
* Then click the button labelled "Search and Destroy".
* When scanning is finished you will be prompted to reboot only if infected; click 'OK'.
* Now click the "REBOOT" Button.
* A message should pop up from NoLop; if not, double-click the program again and it will finish.
Post the contents of C:\NoLop.log and a new Hijack This log into your next reply.

If you receive the error that mscomctl.ocx or one of its dependencies is not correctly registered, please download this file to your 'System32' folder and then rerun the program: http://www.boletrice.com/downloads/mscomctl.ocx

#3 arthur5221

arthur5221
  • Topic Starter

  • Members
  • 7 posts

Posted 23 July 2007 - 03:18 PM

::::::NOLOP LOG::::::

NoLop! Log by Skate_Punk_21

Please Note: any existing old logs will have now been renamed to NoLop!OLD.log

Fix running from: C:\Documents and Settings\Adam\Desktop
[7/23/2007]
[4:13:59 PM]

---Infection Files Found/Removed---
NO INFECTION FILES FOUND - Cleaning Aborted.

---Listing AppData sub directories---

C:\Documents and Settings\Adam\Application Data\Acccore
C:\Documents and Settings\Adam\Application Data\Adobe
C:\Documents and Settings\Adam\Application Data\Ahead
C:\Documents and Settings\Adam\Application Data\Ati
C:\Documents and Settings\Adam\Application Data\Creative
C:\Documents and Settings\Adam\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Adam\Application Data\Identities
C:\Documents and Settings\Adam\Application Data\Kalinkosoft
C:\Documents and Settings\Adam\Application Data\Macromedia
C:\Documents and Settings\Adam\Application Data\Media Player Classic
C:\Documents and Settings\Adam\Application Data\Microsoft
C:\Documents and Settings\Adam\Application Data\Mozilla
C:\Documents and Settings\Adam\Application Data\Securom
C:\Documents and Settings\Adam\Application Data\Smart Recorder
C:\Documents and Settings\Adam\Application Data\Sun
C:\Documents and Settings\Adam\Application Data\Utorrent
C:\Documents and Settings\Adam\Application Data\Ventrilo
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Adobe Systems
C:\Documents and Settings\All Users\Application Data\Aol
C:\Documents and Settings\All Users\Application Data\Aol Downloads
C:\Documents and Settings\All Users\Application Data\Aol Ocp
C:\Documents and Settings\All Users\Application Data\Lavasoft
C:\Documents and Settings\All Users\Application Data\Mcafee
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Option Camp Pure Team
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice\Application Data\Microsoft



:::::Hijack This Log:::::

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:18:07 PM, on 7/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [Pure Team Open Exit] C:\Documents and Settings\All Users\Application Data\Option Camp Pure Team\obj audio.exe
O4 - HKCU\..\Run: [Pinnacle Game Profiler] "C:\Program Files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle.exe" -atboottime
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5608 bytes

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 23 July 2007 - 04:00 PM

It appears you've no virus protection installed.
Download/install one of the following freeware options from the choice below.
Once installed update its definitions and then run a full system virus scan.

AVG7 Free Edition Antivirus:
http://free.grisoft.com/softw/70free/setup...ree_446a965.exe

Avast! 4 Home Edition:
http://files.avast.com/iavs4pro/setupeng.exe

Avira AntiVir Personal Edition Classic
http://www.free-av.com/

----------------------------------------

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6u2'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.

-----------------------------------------

Make sure all hidden files are showing:
* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

----------------------------------------

Download/install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Pure Team Open Exit] C:\Documents and Settings\All Users\Application Data\Option Camp Pure Team\obj audio.exe

Exit HijackThis, then find and delete:
C:\Documents and Settings\All Users\Application Data\Option Camp Pure Team
C:\Documents and Settings\All Users\Application Data\Viewpoint

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new HijackThis log and let me know how your PC is running now.

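To show how the O2/O4 triage in the fix list above can be checked mechanically, here is an added example written for this page (not code from BleepingComputer, HijackThis or the helper). It parses HijackThis O2 and O4 lines, flags a BHO whose DLL no longer exists and an autorun entry that launches from a user-profile data directory (the two patterns the fix list matched), and adds a lower-confidence "review" rule for bare file names that is this example's own assumption; the sample lines are a constructed subset of the log posted in this thread.

```python
"""Triage of HijackThis O2/O4 entries (example for this thread, not a HijackThis tool)."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the O2/O4 lines from the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Pure Team Open Exit] C:\Documents and Settings\All Users\Application Data\Option Camp Pure Team\obj audio.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
"""

# Line shapes as HijackThis prints them: "O2 - BHO: name - {CLSID} - path",
# "O4 - HIVE\..\Run: [value] command" and "O4 - Startup: file.lnk = command".
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+(?:\\[^\\]+)?)\\\.\.\\(?P<key>\w+): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
O4_LNK_RE = re.compile(r"^O4 - (?P<kind>(?:Global )?Startup): (?P<lnk>.+?) = (?P<cmd>.*)$")
# Unquoted paths may contain spaces, so cut the command at the first program extension.
EXE_RE = re.compile(r"^(?P<path>.*?\.(?:exe|dll|com|scr|bat|cmd|pif))(?=\s|$)", re.IGNORECASE)
# Directories from which an installed product's autorun entry rarely launches (assumption).
PROFILE_DIRS = ("\\application data\\", "\\local settings\\", "\\documents and settings\\", "\\temp\\")


@dataclass
class Finding:
    severity: str  # "fix": matches a pattern in the fix list; "review": needs a human look
    line: str
    reason: str


def executable_of(cmd: str) -> str:
    """Return the program part of an autorun command, dropping its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group("path") if m else cmd.split(" ", 1)[0]


def triage(log_text: str) -> list[Finding]:
    """Apply the O2/O4 rules to every line of a HijackThis log and collect findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            if m.group("path").lower() == "(no file)":
                findings.append(Finding("fix", line,
                    f"BHO {m.group('clsid')} is registered but its DLL is missing; orphaned entry"))
            continue
        m = O4_RUN_RE.match(line) or O4_LNK_RE.match(line)
        if not m:
            continue
        exe = executable_of(m.group("cmd"))
        if any(d in exe.lower() for d in PROFILE_DIRS):
            findings.append(Finding("fix", line,
                f"autorun launches {exe!r} from a user-profile data directory"))
        elif "\\" not in exe:
            findings.append(Finding("review", line,
                f"bare file name {exe!r}: the log does not show which copy on the search path is loaded"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

Run against the sample, the two "fix" findings are exactly the O2 and O4 "Pure Team" lines that the helper had HijackThis fix; the "review" finding for ALCMTR.EXE only says the log alone cannot tell which file is loaded.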

#5 arthur5221

arthur5221
  • Topic Starter

  • Members
  • 7 posts

Posted 23 July 2007 - 06:23 PM

Still getting the pop-ups :thumbsup:


:::::SUPERANTI SPY:::::

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/23/2007 at 06:20 PM

Application Version : 3.9.1008

Core Rules Database Version : 3272
Trace Rules Database Version: 1283

Scan type : Complete Scan
Total Scan Time : 00:26:42

Memory items scanned : 442
Memory threats detected : 0
Registry items scanned : 5051
Registry threats detected : 0
File items scanned : 37464
File threats detected : 14

Adware.Tracking Cookie
C:\Documents and Settings\Adam\Cookies\adam@login.tracking101[2].txt
C:\Documents and Settings\Adam\Cookies\adam@flixbanner.bearshare[1].txt
C:\Documents and Settings\Adam\Cookies\adam@adopt.euroclick[1].txt
C:\Documents and Settings\Adam\Cookies\adam@www.stopzilla[2].txt
C:\Documents and Settings\Adam\Cookies\adam@www.clash-media[2].txt
C:\Documents and Settings\Adam\Cookies\adam@revsci[2].txt
C:\Documents and Settings\Adam\Cookies\adam@adserver.softwareonline[2].txt
C:\Documents and Settings\Adam\Cookies\adam@tacoda[2].txt
C:\Documents and Settings\Adam\Cookies\adam@publishers.clickbooth[2].txt

BearShare File Sharing Client
C:\PROGRAM FILES\BEARSHARE\BEARSHARE.EXE
C:\DOCUMENTS AND SETTINGS\ADAM\MY DOCUMENTS\BEARSHARE.LNK
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\BEARSHARE.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3B518FA8-567B-4E1A-BA93-90B189229680}\RP45\A0004167.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3B518FA8-567B-4E1A-BA93-90B189229680}\RP45\A0004171.LNK


:::::Hijack:::::

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:23:04 PM, on 7/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Pinnacle Game Profiler] "C:\Program Files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle.exe" -atboottime
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6382 bytes

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 24 July 2007 - 04:39 AM

Please download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze/hang.


-------------------------------------------------------------

Download Deljob.exe and save it on your desktop.
Double click on Deljob.exe.
A log (logit.txt) should open afterwards.
This log will be present on your desktop.
Post the contents of the logfile into your next reply.

Edited by RichieUK, 24 July 2007 - 04:41 AM.


#7 arthur5221

arthur5221
  • Topic Starter

  • Members
  • 7 posts

Posted 24 July 2007 - 10:47 AM

:::::Combofix Log:::::

"Adam" - 2007-07-24 11:41:19 [GMT -4:00] - ComboFix 07-07-24.5 - Service Pack 2 NTFS
* Created a new restore point


((((((((((((((((((((((((( Files Created from 2007-06-24 to 2007-07-24 )))))))))))))))))))))))))))))))


2007-07-24 11:39 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-24 02:46 <DIR> d-------- C:\Program Files\THQ
2007-07-24 00:05 <DIR> d-------- C:\Program Files\Common Files\DirectX
2007-07-23 18:25 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-07-23 18:25 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-07-23 17:38 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-07-23 17:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-23 17:38 <DIR> d-------- C:\DOCUME~1\Adam\APPLIC~1\SUPERAntiSpyware.com
2007-07-23 16:13 318 --a------ C:\delete.bat
2007-07-23 00:27 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-22 23:38 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-07-22 01:50 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-22 01:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-20 16:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe Systems
2007-07-20 16:15 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-07-20 13:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-07-18 14:37 <DIR> d-------- C:\Program Files\WinZix
2007-07-18 14:34 <DIR> d-------- C:\DOCUME~1\Adam\Desktop28weeks
2007-07-17 13:07 131,584 --a------ C:\WINDOWS\system32\SpoonUninstall.exe
2007-07-12 22:23 36,864 --a------ C:\WINDOWS\system32\dxinputdll.dll
2007-07-12 22:23 <DIR> d-------- C:\DOCUME~1\Adam\APPLIC~1\KALiNKOsoft
2007-07-12 22:11 94,208 -r--s---- C:\WINDOWS\system32\msstkprp.dll
2007-07-12 22:11 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2007-07-12 22:11 57,344 --------- C:\WINDOWS\system32\ADsSecurity.dll
2007-07-12 22:11 53,248 --------- C:\WINDOWS\system32\zlib.dll
2007-07-12 22:11 40,960 --a------ C:\WINDOWS\system32\SSubTmr6.dll
2007-07-12 15:35 <DIR> d-------- C:\Program Files\Rockstar Games
2007-07-09 18:31 <DIR> d-------- C:\Program Files\MilkShape 3D 1.7.8
2007-07-07 12:45 <DIR> d-------- C:\Program Files\Project64 1.6
2007-07-06 04:34 <DIR> d-------- C:\DOCUME~1\Adam\APPLIC~1\Help
2007-07-03 18:25 <DIR> d-------- C:\Program Files\SNES
2007-06-30 23:19 <DIR> d-------- C:\Program Files\Blender Foundation
2007-06-30 12:40 <DIR> d-------- C:\Program Files\1964
2007-06-29 00:33 <DIR> d-------- C:\Program Files\Microsoft Xbox 360 Accessories
2007-06-28 23:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-28 22:52 <DIR> d-------- C:\DOCUME~1\Adam\.housecall6.6
2007-06-28 16:17 61,984 --a------ C:\WINDOWS\system32\drivers\xusb21.sys
2007-06-28 16:17 1,421,216 --a------ C:\WINDOWS\system32\WdfCoInstaller01001.dll
2007-06-24 14:00 <DIR> d--h----- C:\Program Files\illusion


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-24 15:36:32 -------- d-----w C:\DOCUME~1\Adam\APPLIC~1\uTorrent
2007-07-24 08:56:19 320 ----a-w C:\WINDOWS\system32\wacom.dat
2007-07-24 08:27:26 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-07-23 21:37:50 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-07-13 02:11:22 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-03 19:19:16 -------- d-----w C:\Program Files\Diablo II
2007-06-28 20:22:22 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_xusb21_01001.Wdf
2007-06-28 20:22:20 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01001_Coinstaller_Critical.Wdf
2007-06-18 01:21:58 -------- d-----w C:\Program Files\Tablet
2007-06-17 22:19:28 -------- d--h--r C:\DOCUME~1\Adam\APPLIC~1\SecuROM
2007-06-17 22:12:48 -------- d-----w C:\Program Files\CAPCOM
2007-06-17 22:08:07 -------- d-----w C:\Program Files\DAEMON Tools
2007-06-17 22:06:29 682,232 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-06-15 08:28:32 -------- d-----w C:\Program Files\Windows Journal Viewer
2007-06-15 08:12:35 -------- d-----w C:\DOCUME~1\Adam\APPLIC~1\Ventrilo
2007-06-15 03:30:04 -------- d-----w C:\Program Files\MSN Messenger
2007-06-12 05:41:10 -------- d-----w C:\DOCUME~1\Adam\APPLIC~1\Smart Recorder
2007-06-04 19:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 19:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 19:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-08 16:10:44 35,681 -c--a-w C:\WINDOWS\DIIUnin.dat
2007-05-08 16:09:50 21,840 -c--a-w C:\WINDOWS\system32\SIntfNT.dll
2007-05-08 16:09:50 17,212 -c--a-w C:\WINDOWS\system32\SIntf32.dll
2007-05-08 16:09:50 12,067 -c--a-w C:\WINDOWS\system32\SIntf16.dll
2007-05-07 23:06:50 94,208 ----a-w C:\WINDOWS\DIIUnin.exe
2007-05-07 23:06:50 2,829 -c--a-w C:\WINDOWS\DIIUnin.pif
2007-05-07 02:06:11 335 -c--a-w C:\WINDOWS\nsreg.dat
2007-05-06 22:30:19 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
2007-05-06 21:25:01 0 --sha-r C:\MSDOS.SYS
2007-05-06 21:25:01 0 --sha-r C:\IO.SYS
2007-05-06 21:25:01 0 ----a-w C:\CONFIG.SYS
2007-05-06 21:25:01 0 ----a-w C:\AUTOEXEC.BAT
2007-05-06 21:22:16 21,640 -c--a-w C:\WINDOWS\system32\emptyregdb.dat
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 11:12]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 16:10]
"P17Helper"="P17.dll" [2005-05-02 23:38 C:\WINDOWS\system32\P17.dll]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 04:56 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 06:04 C:\WINDOWS\SkyTel.exe]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 16:24]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2004-11-28 05:22]
"NWEReboot"="" []
"XboxStat"="c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-02-12 17:21]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 13:19]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-07-24 11:37]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"Pinnacle Game Profiler"="C:\Program Files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]

C:\Documents and Settings\Adam\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
TabUserW.exe.lnk - C:\WINDOWS\system32\Wtablet\TabUserW.exe [2003-05-29 09:33:34]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
"C:\Program Files\BearShare\BearShare.exe" /pause

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative MediaSource Go]
"C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe" /SCB

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XboxStat]
"c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun

R0 PenClass;Pen Class;C:\WINDOWS\system32\Drivers\penclass.sys
R1 SASDIFSV;SASDIFSV;\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
R1 SASKUTIL;SASKUTIL;\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
R3 FETNDISB;D-Link PCI Fast Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\dlkfet5b.sys
R3 P17;Sound Blaster Audigy;C:\WINDOWS\system32\drivers\P17.sys
R3 SASENUM;SASENUM;\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
R3 Wdf01000;Wdf01000;C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
R3 xusb21;Xbox 360 Wireless Receiver Driver Service 21;C:\WINDOWS\system32\DRIVERS\xusb21.sys


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-24 11:42:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-24 11:43:08

--- E O F ---



:::::DelJob Log:::::

--------------------------------------------------------
No LOP jobs found
--------------------------------------------------------
Files remaining after cleaning

--------------------------------------------------------
App data folders

Volume in drive C has no label.
Volume Serial Number is 449E-D032

Directory of C:\Documents and Settings\Adam\Application Data

07/23/2007 06:26 PM <DIR> .
07/23/2007 06:26 PM <DIR> ..
05/06/2007 10:07 PM <DIR> acccore
07/23/2007 08:35 PM <DIR> Adobe
05/11/2007 02:05 PM <DIR> Ahead
05/06/2007 05:47 PM <DIR> ATI
07/24/2007 08:00 AM <DIR> AVG7
05/07/2007 03:45 PM <DIR> Creative
07/06/2007 04:34 AM <DIR> Help
05/06/2007 05:31 PM <DIR> IDENTI~1 Identities
07/12/2007 10:23 PM <DIR> KALINK~1 KALiNKOsoft
05/06/2007 08:19 PM <DIR> MACROM~1 Macromedia
05/07/2007 03:02 PM <DIR> MEDIAP~1 Media Player Classic
07/23/2007 06:25 PM <DIR> MICROS~1 Microsoft
05/25/2007 08:16 PM <DIR> Mozilla
06/17/2007 06:19 PM <DIR> SecuROM
06/12/2007 01:41 AM <DIR> SMARTR~1 Smart Recorder
06/18/2007 01:19 AM <DIR> Sun
07/23/2007 05:38 PM <DIR> SUPERA~1.COM SUPERAntiSpyware.com
07/24/2007 11:36 AM <DIR> uTorrent
06/15/2007 04:12 AM <DIR> Ventrilo
0 File(s) 0 bytes
21 Dir(s) 112,486,170,624 bytes free
Volume in drive C has no label.
Volume Serial Number is 449E-D032

Directory of C:\Documents and Settings\All Users\Application Data

07/23/2007 06:25 PM <DIR> .
07/23/2007 06:25 PM <DIR> ..
07/20/2007 03:55 PM <DIR> Adobe
07/20/2007 04:16 PM <DIR> ADOBES~1 Adobe Systems
05/06/2007 10:06 PM <DIR> AOL
05/06/2007 10:06 PM <DIR> AOLDOW~1 AOL Downloads
05/06/2007 10:06 PM <DIR> AOLOCP~1 AOL OCP
07/24/2007 08:00 AM <DIR> avg7
07/23/2007 06:25 PM <DIR> Grisoft
07/22/2007 01:50 AM <DIR> Lavasoft
07/20/2007 01:46 PM <DIR> McAfee
06/14/2007 11:30 PM <DIR> MICROS~1 Microsoft
06/28/2007 11:30 PM <DIR> SPYBOT~1 Spybot - Search & Destroy
07/23/2007 05:38 PM <DIR> SUPERA~1.COM SUPERAntiSpyware.com
05/07/2007 06:12 PM <DIR> WINDOW~1 Windows Genuine Advantage
0 File(s) 0 bytes
15 Dir(s) 112,486,170,624 bytes free
--------------------------------------------------------

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 24 July 2007 - 11:04 AM

Click on Start/Control Panel/Add or Remove Programs and remove/uninstall WinZix if present.

Find and delete:
C:\Program Files\WinZix

Restart your PC, then post a new HijackThis log.
Let me know what's happening now.



