Removing Annoying Errorsafe Popups


  • This topic is locked
6 replies to this topic

#1 Slacky07

  • Members
  • 8 posts

Posted 07 August 2007 - 11:42 AM

Hi,

Recently these very annoying Errorsafe popups appear every time I open Internet Explorer, and both Ad-Aware and AVG seem not to be able to remove it, so I was wondering if someone here could help! Below is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:40:58, on 07/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Programs\AVGANT~1\avgcc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\Programs\AdAware\aawservice.exe
D:\Programs\AVGANT~1\avgamsvr.exe
D:\Programs\AVGANT~1\avgupsvc.exe
D:\Programs\AVGANT~1\avgemc.exe
D:\Programs\MOTHER~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
D:\Programs\MOTHER~1\NETWOR~1\bin\nSvcIp.exe
D:\Programs\MOTHER~1\NETWOR~1\bin\nSvcLog.exe
D:\Programs\MOTHER~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
D:\Programs\MOTHER~1\NETWOR~1\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Programs\AdobeReader\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
D:\Programs\Thunderbird\thunderbird.exe
D:\Downloads\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.skybroadband.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {496ba51f-bc13-456b-898b-283a119934a1} - C:\WINDOWS\system32\ati2dll.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\tmpD.tmp.dll
O4 - HKLM\..\Run: [nTrayFw] D:\Programs\MOTHER~1\NETWOR~1\bin\nTrayFw.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\Programs\AVGANT~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ms] C:\Program Files\Microsoft\svhost32.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Programs\AdobeReader\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\cbxwus.dll",forkonce
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [BitTorrent] "D:\Programs\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\Programs\AVGANT~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {D1EA8D3D-F511-4388-B754-4A0CC14A4778} (Aurigma Image Uploader 3.0 Control) - http://www.eurofoto.com/activex/ImageUploader3.cab
O20 - AppInit_DLLs: c:\windows\system32\sstqqpq.dll
O20 - Winlogon Notify: ati2dll - C:\WINDOWS\SYSTEM32\ati2dll.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Programs\AdAware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\Programs\AVGANT~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\Programs\AVGANT~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\Programs\AVGANT~1\avgemc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - D:\Programs\MOTHER~1\NETWOR~1\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - D:\Programs\MOTHER~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - D:\Programs\MOTHER~1\NETWOR~1\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - D:\Programs\MOTHER~1\NETWOR~1\bin\nSvcLog.exe

--
End of file - 6330 bytes


I hope you can help,
Thanks in Advance,
Richard


#2 Rawe

  • Members
  • 2,363 posts
  • Gender: Male
  • Location: Finland

Posted 07 August 2007 - 12:05 PM

Hello and welcome aboard Slacky07 :thumbsup:

Please download Combofix to your desktop:
  • Double-click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Hi there, stranger!

#3 Slacky07
  • Topic Starter

  • Members
  • 8 posts

Posted 07 August 2007 - 12:40 PM

Here is my Combofix log...


ComboFix 07-08-07.6 - "Richard" 2007-08-07 18:32:42.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.880 [GMT 1:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Richard\APPLIC~1\tmp3.tmp.exe
C:\DOCUME~1\Richard\APPLIC~1\tmp38.tmp.exe
C:\DOCUME~1\Richard\APPLIC~1\tmp3A.tmp.exe
C:\DOCUME~1\Richard\APPLIC~1\tmpA.tmp.exe
C:\DOCUME~1\Richard\APPLIC~1\tmpC.tmp.exe
C:\DOCUME~1\Richard\APPLIC~1\tmpD.tmp.exe
C:\WINDOWS\cbxwus.dll
C:\WINDOWS\cegijl.ini
C:\WINDOWS\ljigec.dll
C:\WINDOWS\suwxbc.ini
C:\WINDOWS\system32\ati2dll.dll
C:\WINDOWS\system32\dn94b73905.dat
C:\WINDOWS\system32\tmp3A.tmp.dll
C:\WINDOWS\system32\tmpC.tmp.dll
C:\WINDOWS\system32\tmpD.tmp.dll


((((((((((((((((((((((((( Files Created from 2007-07-07 to 2007-08-07 )))))))))))))))))))))))))))))))


2007-08-07 18:32 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-07 16:51 <DIR> d-------- C:\spoolerlogs
2007-08-05 15:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-05 15:10 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-05 10:23 25,664 --a------ C:\WINDOWS\system32\WuC07ga8.exe
2007-08-03 20:05 <DIR> d-------- C:\Program Files\Doom 3
2007-08-02 21:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-08-02 21:20 <DIR> d-------- C:\DOCUME~1\Richard\APPLIC~1\Talkback
2007-08-02 21:19 <DIR> d-------- C:\Program Files\DivX
2007-07-29 11:52 <DIR> d--hs---- C:\WINDOWS\CSC
2007-07-27 00:06 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-27 00:06 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-15 09:37 <DIR> d-------- C:\DOCUME~1\Richard\WINDOWS
2007-07-08 20:37 <DIR> d-------- C:\Memory Stick Backup


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-28 09:33 108144 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-06-28 09:25 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-06-24 18:24 --------- d-------- C:\Program Files\Sky Broadband
2007-05-08 15:55 70520 --a------ C:\DOCUME~1\Richard\APPLIC~1\GDIPFONTCACHEV1.DAT


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nTrayFw"="D:\Programs\MOTHER~1\NETWOR~1\bin\nTrayFw.exe" []
"AVG7_CC"="D:\Programs\AVGANT~1\avgcc.exe" [2007-04-24 12:17]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 05:42 C:\WINDOWS\soundman.exe]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 18:55]
"Adobe Reader Speed Launcher"="D:\Programs\AdobeReader\Reader\Reader_sl.exe" [2007-05-11 03:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:07]
"Steam"="" []
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]
"BitTorrent"="D:\Programs\BitTorrent\bittorrent.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"=D:\Programs\AVGANT~1\avgw.exe /RUNONCE

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\windows\system32\sstqqpq.dll

R0 speedfan;speedfan;C:\WINDOWS\system32\speedfan.sys
R2 ForceWare Intelligent Application Manager (IAM);ForceWare Intelligent Application Manager (IAM);D:\Programs\MOTHER~1\NETWOR~1\bin\nSvcAppFlt.exe
R3 ROOTMODEM;Microsoft Legacy Modem Driver;C:\WINDOWS\system32\Drivers\RootMdm.sys
S1 ATITool;ATITool Overclocking Utility;C:\WINDOWS\system32\DRIVERS\ATITool.sys
S3 RadProbe;Radeon Probe Driver;C:\WINDOWS\system32\DRIVERS\RadProbe.sys


Contents of the 'Scheduled Tasks' folder
2007-08-05 09:23:13 C:\WINDOWS\Tasks\At1.job - C:\WINDOWS\system32\WuC07ga8.exe
2007-08-05 09:23:13 C:\WINDOWS\Tasks\At10.job
2007-08-05 09:23:13 C:\WINDOWS\Tasks\At11.job - C:\WINDOWS\system32\WuC07ga8.exe
2007-08-05 10:01:00 C:\WINDOWS\Tasks\At12.job - C:\WINDOWS\system32\WuC07ga8.exe
2007-08-05 11:02:01 C:\WINDOWS\Tasks\At13.job
2007-08-05 09:23:13 C:\WINDOWS\Tasks\At14.job - C:\WINDOWS\system32\WuC07ga8.exe
2007-08-05 09:23:13 C:\WINDOWS\Tasks\At15.job - C:\WINDOWS\system32\WuC07ga8.exe
2007-08-05 14:01:56 C:\WINDOWS\Tasks\At16.job
2007-08-05 15:01:01 C:\WINDOWS\Tasks\At17.job - C:\WINDOWS\system32\WuC07ga8.exe
2007-08-07 16:02:01 C:\WINDOWS\Tasks\At18.job - C:\WINDOWS\system32\WuC07ga8.exe
2007-08-07 17:01:00 C:\WINDOWS\Tasks\At19.job - C:\WINDOWS\system32\WuC07ga8.exe
2007-08-05 09:23:13 C:\WINDOWS\Tasks\At2.job - C:\WINDOWS\system32\WuC07ga8.exe
2007-08-06 18:01:00 C:\WINDOWS\Tasks\At20.job - C:\WINDOWS\system32\WuC07ga8.exe
2007-08-06 19:01:00 C:\WINDOWS\Tasks\At21.job
2007-08-06 20:01:05 C:\WINDOWS\Tasks\At22.job - C:\WINDOWS\system32\WuC07ga8.exe
2007-08-06 21:01:00 C:\WINDOWS\Tasks\At23.job - C:\WINDOWS\system32\WuC07ga8.exe
2007-08-05 09:23:13 C:\WINDOWS\Tasks\At24.job - C:\WINDOWS\system32\WuC07ga8.exe
2007-08-05 09:23:13 C:\WINDOWS\Tasks\At3.job - C:\WINDOWS\system32\WuC07ga8.exe
2007-08-05 09:23:13 C:\WINDOWS\Tasks\At4.job - C:\WINDOWS\system32\WuC07ga8.exe
2007-08-05 09:23:13 C:\WINDOWS\Tasks\At5.job - C:\WINDOWS\system32\WuC07ga8.exe
2007-08-05 09:23:13 C:\WINDOWS\Tasks\At6.job - C:\WINDOWS\system32\WuC07ga8.exe
2007-08-05 09:23:13 C:\WINDOWS\Tasks\At7.job - C:\WINDOWS\system32\WuC07ga8.exe
2007-08-05 09:23:13 C:\WINDOWS\Tasks\At8.job - C:\WINDOWS\system32\WuC07ga8.exe
2007-08-05 09:23:13 C:\WINDOWS\Tasks\At9.job - C:\WINDOWS\system32\WuC07ga8.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-07 18:35:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-07 18:36:25 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-07 18:36

--- E O F ---

#4 Rawe

  • Members
  • 2,363 posts
  • Gender: Male
  • Location: Finland

Posted 07 August 2007 - 12:48 PM

Please open Notepad and copy/paste the text in the quote box into it.

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=""

File::
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\system32\WuC07ga8.exe
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job


Save it as CFScript.txt on your desktop.

[Image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
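The entries Rawe's CFScript targets (the AppInit_DLLs value, the At*.job tasks) are the kind of thing a helper picks out of the HijackThis log by eye. The script below is an added example for this thread, not code from the forum, from HijackThis or from ComboFix: it parses the O2 (BHO), O4 (Run) and O20 (AppInit_DLLs / Winlogon Notify) lines of a HijackThis log and flags the patterns visible in the log posted earlier in this thread: an AppInit_DLLs value, unnamed BHOs and tmp*.tmp.dll-style DLL names, an autorun binary whose name imitates a Windows system binary (svhost32.exe versus svchost.exe), a rundll32 autorun loading a DLL from outside system32, and one DLL (ati2dll.dll) wired into two unrelated load points at once. The sample lines are a subset copied from the posted log; the heuristics, the list of imitated system binaries and the edit-distance threshold are assumptions of this example, not rules from either tool.

```python
"""Flag the persistence entries in a HijackThis log (added example, see lead-in)."""
import re
from collections import defaultdict

# Sample lines copied from the HijackThis log posted earlier in this thread (a subset).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.skybroadband.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {496ba51f-bc13-456b-898b-283a119934a1} - C:\WINDOWS\system32\ati2dll.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\tmpD.tmp.dll
O4 - HKLM\..\Run: [AVG7_CC] D:\Programs\AVGANT~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ms] C:\Program Files\Microsoft\svhost32.exe
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\cbxwus.dll",forkonce
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: c:\windows\system32\sstqqpq.dll
O20 - Winlogon Notify: ati2dll - C:\WINDOWS\SYSTEM32\ati2dll.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\Programs\AVGANT~1\avgupsvc.exe
"""

# Core Windows binaries whose names malware likes to imitate (assumed list, not exhaustive).
SYSTEM_BINARIES = {"svchost", "lsass", "csrss", "winlogon", "services", "explorer", "smss", "spoolsv"}
HJT_LINE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe)", re.IGNORECASE)  # first drive path ending in .dll/.exe
TMP_DLL = re.compile(r"^tmp[0-9a-f]+\.tmp\.dll$", re.IGNORECASE)     # tmpD.tmp.dll-style names
SYSTEM32 = re.compile(r"^[A-Za-z]:\\windows\\system32\\[^\\]+$", re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; the strings here are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def lookalike(exe_name: str):
    """Return the system binary exe_name imitates (svhost32.exe -> 'svchost'), else None."""
    stem = re.sub(r"\d|\.exe$", "", exe_name.lower())  # drop digits and the extension
    if stem in SYSTEM_BINARIES:
        return None
    return next((legit for legit in sorted(SYSTEM_BINARIES) if levenshtein(stem, legit) <= 1), None)


def triage(log_text: str) -> list:
    """Return a list of {'code', 'reason', 'target'} findings for one HijackThis log."""
    findings = []
    load_points = defaultdict(set)  # DLL basename -> load-point kinds it is registered under

    def flag(code, reason, target):
        findings.append({"code": code, "reason": reason, "target": target})

    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "O2" and body.startswith("BHO:"):
            parts = body.split(" - ")
            name, path = parts[0][len("BHO:"):].strip(), parts[-1].strip()
            if path == "(no file)":
                continue  # dead registration, nothing is loaded
            load_points[basename(path)].add("BHO")
            if name == "(no name)":
                flag(code, "BHO with no name", path)
            if TMP_DLL.match(basename(path)):
                flag(code, "temp-style DLL name registered as BHO", path)
        elif code == "O4":
            cmd = body.split("] ", 1)[1].strip() if "] " in body else body
            path_m = PATH_RE.search(cmd)
            if cmd.lower().startswith("rundll32"):
                if path_m and not SYSTEM32.match(path_m.group(0)):
                    flag(code, "rundll32 autorun loads a DLL outside system32", path_m.group(0))
            else:
                target = path_m.group(0) if path_m else (cmd.split() or [""])[0]
                imitated = lookalike(basename(target))
                if imitated:
                    flag(code, f"autorun binary name imitates {imitated}.exe", target)
        elif code == "O20":
            kind, _, value = body.partition(":")
            value = value.strip()
            if kind == "AppInit_DLLs" and value:
                flag(code, "AppInit_DLLs set: DLL injected into every process that loads user32", value)
            elif kind == "Winlogon Notify":
                load_points[basename(value.split(" - ")[-1])].add("WinlogonNotify")

    # One DLL wired into two unrelated load points is a strong sign of deliberate persistence.
    for dll, kinds in load_points.items():
        if len(kinds) > 1:
            flag("O2/O20", "same DLL registered in " + " and ".join(sorted(kinds)), dll)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['code']:<6} {f['reason']}: {f['target']}")
```

Run against the sample it reports seven findings and stays silent on the AVG, ctfmon and Adobe entries; the cross-reference check is what singles out ati2dll.dll, which on its own looks like a plausibly named ATI component. A script like this only narrows the list for a human: it cannot tell a renamed driver helper from malware, so every hit still wants the file checked before anything is deleted.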

#5 Slacky07
  • Topic Starter

  • Members
  • 8 posts

Posted 07 August 2007 - 02:33 PM

Here is the new log!

ComboFix 07-08-07.6 - "Richard" 2007-08-07 20:29:50.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1115 [GMT 1:00]
Command switches used :: C:\Documents and Settings\Richard\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\system32\WuC07ga8.exe
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\WuC07ga8.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job


((((((((((((((((((((((((( Files Created from 2007-07-07 to 2007-08-07 )))))))))))))))))))))))))))))))


2007-08-07 18:32 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-07 16:51 <DIR> d-------- C:\spoolerlogs
2007-08-05 15:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-05 15:10 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-03 20:05 <DIR> d-------- C:\Program Files\Doom 3
2007-08-02 21:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-08-02 21:20 <DIR> d-------- C:\DOCUME~1\Richard\APPLIC~1\Talkback
2007-08-02 21:19 <DIR> d-------- C:\Program Files\DivX
2007-07-29 11:52 <DIR> d--hs---- C:\WINDOWS\CSC
2007-07-27 00:06 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-27 00:06 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-15 09:37 <DIR> d-------- C:\DOCUME~1\Richard\WINDOWS
2007-07-08 20:37 <DIR> d-------- C:\Memory Stick Backup


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-28 09:33 108144 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-06-28 09:25 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-06-24 18:24 --------- d-------- C:\Program Files\Sky Broadband
2007-05-08 15:55 70520 --a------ C:\DOCUME~1\Richard\APPLIC~1\GDIPFONTCACHEV1.DAT


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nTrayFw"="D:\Programs\MOTHER~1\NETWOR~1\bin\nTrayFw.exe" []
"AVG7_CC"="D:\Programs\AVGANT~1\avgcc.exe" [2007-04-24 12:17]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 05:42 C:\WINDOWS\soundman.exe]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 18:55]
"Adobe Reader Speed Launcher"="D:\Programs\AdobeReader\Reader\Reader_sl.exe" [2007-05-11 03:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:07]
"Steam"="" []
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]
"BitTorrent"="D:\Programs\BitTorrent\bittorrent.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"=D:\Programs\AVGANT~1\avgw.exe /RUNONCE

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

R0 speedfan;speedfan;C:\WINDOWS\system32\speedfan.sys
R2 ForceWare Intelligent Application Manager (IAM);ForceWare Intelligent Application Manager (IAM);D:\Programs\MOTHER~1\NETWOR~1\bin\nSvcAppFlt.exe
R3 ROOTMODEM;Microsoft Legacy Modem Driver;C:\WINDOWS\system32\Drivers\RootMdm.sys
S1 ATITool;ATITool Overclocking Utility;C:\WINDOWS\system32\DRIVERS\ATITool.sys
S3 RadProbe;Radeon Probe Driver;C:\WINDOWS\system32\DRIVERS\RadProbe.sys


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-07 20:30:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-07 20:30:59
C:\ComboFix-quarantined-files.txt ... 2007-08-07 20:30
C:\ComboFix2.txt ... 2007-08-07 18:36

--- E O F ---

#6 Rawe

  • Members
  • 2,363 posts
  • Gender: Male
  • Location: Finland

Posted 08 August 2007 - 12:16 AM

Please post a fresh HijackThis log. How's the system running? :thumbsup:

#7 Rawe

  • Members
  • 2,363 posts
  • Gender: Male
  • Location: Finland

Posted 20 August 2007 - 05:44 AM

Due to lack of feedback, this thread has been closed. If you're the original poster and need this Topic reopened, please PM a Staff member.