
Cid And Ist Detected!


  • This topic is locked
10 replies to this topic

#1 cuppachin

cuppachin

  • Members
  • 9 posts
  • OFFLINE
  • Local time:05:47 AM

Posted 08 October 2007 - 09:37 PM

I used PestPatrol (trial) to scan my PC. It found the following:
207.net
CiD Help
DoubleClick
ISTbar
netflame.cc
webtrends
I used Spybot Search and Destroy to remove what it found. However, adware and other infections come back every time I reboot my computer.
Here is my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37:08 AM, on 10/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
c:\windows\system\hpsysdrv.exe
C:\Documents and Settings\Stealth_mode\Local Settings\Application Data\Trend Micro\HCMS\checkup\en-US\checkup.exe
C:\Documents and Settings\Stealth_mode\Local Settings\Application Data\Trend Micro\HCMS\checkup\en-US\checkupsvc.exe
C:\WINDOWS\system32\msiexec.exe
C:\DOCUME~1\STEALT~1\LOCALS~1\Temp\RoboForm\RoboTaskBarIcon.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\pestpatrol5.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=77392
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\RunOnce: [eISS_licreg] "C:\Program Files\CA\eTrust Internet Security Suite\licreg.exe" /s
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.my-etrust.com/Extern/RoadRunner...an/pestscan.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 11458 bytes


I hope you could help me. Thank you.

Edited by cuppachin, 08 October 2007 - 09:38 PM.
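To triage a HijackThis log like the one above without reading it entry by entry, here is an added Python example (not from this thread and not Trend Micro's code) that parses the R/O sections into records and flags a few entries a responder would want to look at first: a BHO registered with no display name, an autorun launched from a Temp or profile directory, and a service with an unknown owner. The sample lines are constructed in the same format as the log; the "Updater" Temp-directory entry is made up for the demonstration.

```python
"""Parse HijackThis-style log lines and flag entries worth a second look.

Added example: the log format mirrors the thread's log, but SAMPLE_LOG is
constructed for this demonstration (the 'Updater' entry is invented).
"""
import re
from collections import Counter

SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&pf=desktop
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Run: [Updater] C:\DOCUME~1\USER~1\LOCALS~1\Temp\updater.exe -silent
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Every HijackThis entry starts with a section code (R0, R1, O2, O4, O23, ...).
LINE_RE = re.compile(r'^(?P<section>[RFO]\d+) - (?P<body>.*)$')
# O2: "BHO: <name> - {CLSID} - <dll path>"
O2_RE = re.compile(r'^BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$')
# O4: "HKLM\..\Run: [<value name>] <command line>"  (also RunOnce etc.)
O4_RE = re.compile(r'^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<command>.*)$')
# O23: "Service: <display name> - <owner> - <image path>"
O23_RE = re.compile(r'^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$')

# Lower-cased path fragments that mark a user-writable scratch location.
TEMP_MARKERS = ('\\temp\\', '\\local settings\\', '\\locals~1\\', '\\application data\\')


def first_executable(command):
    """Return the program part of an autorun command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(' ', 1)[0]


def parse_line(line):
    """Turn one log line into a dict, or None if it is not a HijackThis entry."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {'section': m.group('section'), 'raw': line, 'body': m.group('body')}
    body = m.group('body')
    if rec['section'] == 'O2':
        d = O2_RE.match(body)
        if d:
            rec.update(d.groupdict())
    elif rec['section'] == 'O4':
        d = O4_RE.match(body)
        if d:
            rec.update(d.groupdict())
            rec['executable'] = first_executable(d.group('command'))
    elif rec['section'] == 'O23':
        d = O23_RE.match(body)
        if d:
            rec.update(d.groupdict())
    return rec


def parse_log(text):
    """Parse a whole log; non-entry lines (headers, process list) are skipped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def section_counts(records):
    """How many entries of each section code the log contains."""
    return dict(Counter(r['section'] for r in records))


def review_flags(records):
    """Heuristics a responder applies before deciding what to fix."""
    flags = []
    for r in records:
        if r['section'] == 'O2' and r.get('name') == '(no name)':
            flags.append((r['raw'], 'BHO has no display name; verify the DLL by CLSID and path'))
        if r['section'] == 'O4':
            exe = r.get('executable', '').lower()
            if any(marker in exe for marker in TEMP_MARKERS):
                flags.append((r['raw'], 'autorun launches from a temp/profile directory'))
        if r['section'] == 'O23' and r.get('owner') == 'Unknown owner':
            flags.append((r['raw'], 'service has no recorded owner; confirm the image file is signed'))
    return flags


if __name__ == '__main__':
    recs = parse_log(SAMPLE_LOG)
    print(section_counts(recs))
    for raw, why in review_flags(recs):
        print(f'{why}:\n    {raw}')
```

Flagged entries are starting points for verification (publisher, file path, CLSID), not a verdict; the legitimate Symantec BHO in the thread's log has no display name either.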


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:04:47 PM

Posted 08 October 2007 - 10:09 PM

Hello cuppachin,

Welcome to Bleeping Computer :thumbsup:

Could I please see an uninstall list?

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Are you getting popups or anything?

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 cuppachin

cuppachin
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:05:47 AM

Posted 08 October 2007 - 10:26 PM

Thanks for the response. Here it is:

A Series of Unfortunate Events
Ad-Aware 2007
Adobe Flash Player 9 ActiveX
Adobe Photoshop 7.0
Adobe Reader 7.0
Agere Systems PCI-SV92PP Soft Modem
Alien Shooter
AppCore
AV
Ballistik
Bejeweled 2 Deluxe
Belkin Bluetooth Software
BeTrapped!
Bookworm Deluxe
Bricks of Egypt
CA eTrust PestPatrol Anti-Spyware
ccCommon
Chainz
Chinese Star 2006
Chuzzle
Compaq Connections (remove only)
Compaq Multimedia Keyboard Software
Counter-Strike
Cubis Gold 2
Customer Experience Enhancement
DH Driver Cleaner Professional Edition
DivX Web Player
Easy Internet Sign-up
EPSON PhotoQuicker3.2
EPSON Printer Software
ESC61 Problem Solver
Feeding Frenzy
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
HouseCall 6.6
HP Boot Optimizer
HP Software Update
Insaniquarium Deluxe
Inspector-Parker
InterVideo WinDVD Player
J2SE Runtime Environment 5.0 Update 5
Java™ 6 Update 2
Jewel Quest
Jigsaw 365
Kaspersky Online Scanner
Links® Course Challenge – Chateau Whistler
LiveUpdate 3.2 (Symantec Corporation)
Luxor
Magic Ball 2
Magic Inlay
Mah Jong Medley
Mah Jong Quest
MapleStory
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft MPEG-4 VKI Video Codec V1/V2/V3
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (2.0.0.7)
MSRedist
MSXML 6.0 Parser (KB933579)
Norton AntiVirus
Norton Confidential Browser Component
Norton Confidential Web Protection Component
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
NVIDIA Drivers
PC-Doctor 5 for Windows
Poker Superstars
PS2
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
RealPlayer
Ricochet Lost Worlds
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Shape Solitaire
Slingo
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sony Media Manager 2.2
Sony Vegas Pro 8.0
SPBBC 32bit
Spin & Win
Spybot - Search & Destroy
Spyware Doctor 5.1
SpywareBlaster v3.5.1
Steam
SWAT 4
SymNet
System Requirements Lab
Tradewinds 2
Tumblebugs
Unlocker 1.8.5
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
WindowBlinds
Windows Communication Foundation
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Media Format Runtime
Windows Media Player 10
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892050
Windows XP Hotfix - KB893066
WinRAR archiver
Wonderland - Secret Worlds
XviD MPEG-4 Video Codec
Yahoo! Install Manager
ZD Soft Screen Video Decoder
Zuma Deluxe

I get popups quite often. And a few keep saying "Congratulations! You've won!"

Edited by cuppachin, 08 October 2007 - 10:27 PM.


#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:04:47 PM

Posted 08 October 2007 - 10:35 PM

Hello,

Please download AVG Anti-Spyware Free Edition and save that file to your desktop.

This is a 30-day trial of the program -- This means that after 30 days the "background guard" protection will be de-activated. However, this version can continue to be manually updated and used as an on-demand scanner forever.
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the setup program.
  • Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  • On the top of the main screen select the "Update" icon, then under the "Manual update" section click the "Start update" button.
  • The update will start and a progress bar will show the updates being installed.
  • Once the update has completed (the progress bar will display "Update successful!") select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the "Settings" screen:
    • Click on "Recommended actions" -> select "Quarantine".
    • Under "Reports:" -> select "Do not automatically generate reports".
  • Close AVG Anti-Spyware. Please do NOT run a scan yet!
Next, please reboot your computer into Safe Mode by doing the following:
  • Reboot your computer.
  • After hearing your computer beep once during startup, but just before the Windows icon appears, begin tapping the F8 key on your keyboard. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, reboot the computer and try again.
  • Instead of Windows loading as normal, a menu should appear.
  • Using the arrow keys on the keyboard, scroll to and select the "Safe Mode" menu item, and then press "Enter".
Then please run a scan with AVG Anti-Spyware:

IMPORTANT: Do NOT open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process.
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab. Click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
  • Once the scan is complete do the following:
    • If you have any infections you will be prompted; then select the "Apply all actions" button, and AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
    • Next select the "Save Report" button at the bottom.
    • Then select the "Save report as" button in the lower left hand corner of the screen and save it as a text file on your system (make sure to remember where you saved that file, this is important!).
  • Close AVG Anti-Spyware and reboot your system normally into Windows. Please post the contents of the AVG Anti-Spyware report in your next reply.
Thanks,
tea

#5 cuppachin

cuppachin
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:05:47 AM

Posted 09 October 2007 - 12:00 AM

Here is the log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:55:54 PM 10/9/2007

+ Scan result:



:mozilla.101:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.103:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.104:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.105:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.136:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.163:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.325:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.369:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.370:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Stealth_mode\Cookies\stealth_mode@2o7[2].txt -> TrackingCookie.2o7 : No action taken.
:mozilla.10:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.11:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.12:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.131:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.132:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.136:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.139:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.13:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.141:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.142:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.143:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.198:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.6:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.7:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.8:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.9:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.228:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Adengage : No action taken.
:mozilla.366:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.367:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.164:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.
:mozilla.356:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.
:mozilla.454:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.455:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.456:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.457:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.210:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.211:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.212:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.213:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.214:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.215:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.216:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.329:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.330:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.331:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.332:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.347:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.78:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.467:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Cqcounter : No action taken.
:mozilla.258:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
:mozilla.324:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\Stealth_mode\Cookies\stealth_mode@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
:mozilla.118:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
:mozilla.119:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
:mozilla.120:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
:mozilla.261:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
:mozilla.262:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
:mozilla.206:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.207:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.208:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.209:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.333:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.334:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.335:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.336:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.337:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.338:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.172:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.289:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.240:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.241:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.242:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.243:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.244:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.Hitslink : No action taken.
:mozilla.166:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Imrworldwide : No action taken.
:mozilla.167:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Imrworldwide : No action taken.
:mozilla.257:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Live : No action taken.
:mozilla.258:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Live : No action taken.
:mozilla.259:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Live : No action taken.
:mozilla.259:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.Mediaplex : No action taken.
:mozilla.193:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.Netflame : No action taken.
:mozilla.7:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Netflame : No action taken.
:mozilla.8:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Netflame : No action taken.
C:\Documents and Settings\Stealth_mode\Cookies\stealth_mode@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : No action taken.
:mozilla.106:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.Overture : No action taken.
:mozilla.98:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Paypal : No action taken.
C:\Documents and Settings\Stealth_mode\Cookies\stealth_mode@www.paypal[1].txt -> TrackingCookie.Paypal : No action taken.
:mozilla.202:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Revsci : No action taken.
:mozilla.72:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Revsci : No action taken.
:mozilla.73:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Revsci : No action taken.
:mozilla.74:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Revsci : No action taken.
:mozilla.75:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Revsci : No action taken.
:mozilla.76:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Revsci : No action taken.
:mozilla.77:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Revsci : No action taken.
:mozilla.78:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Revsci : No action taken.
:mozilla.79:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.Revsci : No action taken.
:mozilla.80:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.Revsci : No action taken.
:mozilla.81:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.Revsci : No action taken.
:mozilla.82:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.Revsci : No action taken.
:mozilla.79:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.80:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.81:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.82:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.83:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.84:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.190:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.191:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.192:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.193:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.223:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.205:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.206:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.207:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.208:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.209:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.319:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.309:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Trafic : No action taken.
:mozilla.339:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.48:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.580:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Webtrends : No action taken.
C:\Documents and Settings\Stealth_mode\Cookies\stealth_mode@m.webtrends[2].txt -> TrackingCookie.Webtrends : No action taken.
:mozilla.245:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.Webtrendslive : No action taken.
:mozilla.368:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Webtrendslive : No action taken.
:mozilla.700:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Yadro : No action taken.
:mozilla.701:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Yadro : No action taken.
:mozilla.115:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.39:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.40:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.41:C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nomtecqq.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.213:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
:mozilla.214:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
:mozilla.215:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
:mozilla.216:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
:mozilla.217:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
:mozilla.218:C:\Documents and Settings\Stealth_mode\Application Data\Mozilla\Firefox\Profiles\g5bule6n.default\cookies.txt -> TrackingCookie.Zedo : No action taken.


::Report end

#6 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 09 October 2007 - 12:35 AM

Hello,

I'm not seeing any sign of anything besides cookies here. But you shouldn't be getting popups, so let's keep looking. :thumbsup:

Download and Save blacklight to your desktop.
F-Secure Blacklight: https://europe.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe, then accept the agreement.
Click > scan, then > next.
You'll see a list of all items found.
Don't choose rename yet! I want to see the log first, because legit items can also be present there...
There must also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).
Post the contents of the log in your next reply.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#7 cuppachin
  • Topic Starter
  • Members
  • 9 posts

Posted 09 October 2007 - 01:25 AM

I am unable to install it as it says "Evaluation period for this version has expired."

#8 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 09 October 2007 - 10:29 AM

Argh....okay....more than one way to do things.

Download Silent Runners.zip and extract it to a new folder on your Desktop.
  • Run the Silent Runners.vbs file.
  • You will receive a prompt: "Do you want to skip supplementary searches?" - click "NO."
  • If your antivirus has a script blocker, you will get a warning asking if you want to allow Silent Runners.vbs to run.
  • This script is not malicious so please allow it.
  • A text file will appear in the folder - it's not done, let it run. (It won't appear to be doing anything!)
  • Once the "All Done!" prompt flashes up, open the text file, and copy & paste it in your next reply.
Thanks,
tea
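As an added example, not code from this thread or from the Silent Runners script itself, here is a small Python triage helper for the report that step produces: it parses the layout used in the log posted in the next reply (section titles underlined with dashes, registry key lines, one `"name" = "value" [publisher]` line per load point), flags the lines Silent Runners marks with `<<!>>` and the load points whose file is missing or carries no publisher information, and orders them for review. The embedded report is a constructed sample in that format, not a complete log.

```python
"""Triage helper for a Silent Runners report (added example, not part of Silent Runners).

Parses the layout (section title underlined with dashes, a registry key line, then
one "name" = "value" [publisher] line per load point) and ranks the entries a helper
reads first: lines Silent Runners marks <<!>>, and files with no publisher ([null
data]) or none on disk ([file not found]).  A hit is a reading aid, not a verdict.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the report format; not a complete log.
SAMPLE_REPORT = r'''
"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"PCDrProfiler" = "(empty string)" [file not found]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\
<<!>> "AppInit_DLLs" = "wbsys.dll" ["Stardock.Net, Inc"]

HKLM\System\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ad-Aware 2007 Service, aawservice, ""C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe"" ["Lavasoft AB"]
'''

MARK = "<<!>>"
SIGNER_RE = re.compile(r"\s\[([^\[\]]*)\]\s*$")   # trailing [MS], ["Company"], [null data], ...
HIVES = ("HKLM\\", "HKCU\\", "HKU\\", "HKCR\\")


@dataclass
class Entry:
    section: str           # report section the line belongs to
    key: str               # registry key line above it ("" in key-less sections)
    text: str              # the line with the <<!>> marker removed
    marked: bool           # Silent Runners prefixed it with <<!>>
    signer: Optional[str]  # content of the trailing [...] annotation, if any


def is_key_line(line: str) -> bool:
    return line.startswith(HIVES) and " = " not in line


def parse_report(report: str) -> List[Entry]:
    """Walk the report line by line, tracking the current section and key."""
    lines = report.splitlines()
    entries: List[Entry] = []
    section = key = ""
    for i, raw in enumerate(lines):
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if nxt and set(nxt) == {"-"}:   # a title is followed by a dashed underline
            section, key = line.rstrip(":"), ""
            continue
        if not section:                  # preamble before the first section
            continue
        if is_key_line(line):
            key = line.replace("{++}", "").strip()
            continue
        marked = line.startswith(MARK)
        body = line[len(MARK):].strip() if marked else line
        m = SIGNER_RE.search(body)
        entries.append(Entry(section, key, body, marked, m.group(1) if m else None))
    return entries


def signer_status(signer: Optional[str]) -> str:
    """'publisher' for [MS] or a quoted company name, 'review' for anything else."""
    if signer is None:
        return "unknown"
    if signer == "MS" or (len(signer) >= 2 and signer[0] == signer[-1] == '"'):
        return "publisher"
    return "review"   # [null data], [file not found], [empty string], ...


def score(entry: Entry) -> int:
    """Higher means look sooner: <<!>> lines first, then missing or anonymous files."""
    return (2 if entry.marked else 0) + (0 if signer_status(entry.signer) == "publisher" else 1)


def triage(entries: List[Entry]) -> List[Entry]:
    """Entries worth a second look, most notable first (stable within a score)."""
    return sorted((e for e in entries if score(e) > 0), key=lambda e: -score(e))


if __name__ == "__main__":
    for e in triage(parse_report(SAMPLE_REPORT)):
        print(f"{MARK if e.marked else '     ':5} [{signer_status(e.signer)}] {e.key}\n      {e.text}")
```

On the sample the ranking comes out BootExecute, AppInit_DLLs, PCDrProfiler; all three are legitimate on this machine (Ad-Aware's lsdelete, WindowBlinds, a stale HP entry), which is exactly why the helper asks to see the log before anything is renamed.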

#9 cuppachin
  • Topic Starter
  • Members
  • 9 posts

Posted 09 October 2007 - 09:30 PM

Here's the text file.

"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"swg" = "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" ["Google Inc."]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"IMJPMIG8.1" = ""C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32" [MS]
"MSPY2002" = "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC" [null data]
"PHIME2002ASync" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC" [MS]
"PHIME2002A" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName" [MS]
"PCDrProfiler" = "(empty string)" [file not found]
"HPBootOp" = ""C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run" ["Hewlett-Packard Company"]
"HP Software Update" = "C:\Program Files\HP\HP Software Update\HPwuSchd2.exe"
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"osCheck" = ""C:\Program Files\Norton Internet Security\osCheck.exe"" ["Symantec Corporation"]
"ISUSPM Startup" = "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup" ["InstallShield Software Corporation"]
"ISUSScheduler" = ""C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start" ["InstallShield Software Corporation"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"!AVG Anti-Spyware" = ""C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["GRISOFT s.r.o."]
"SDTray" = ""C:\Program Files\Spyware Doctor\SDTrayApp.exe"" ["PC Tools"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{1E8A6170-7264-4D0F-BEAE-D42A53123C75}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll" ["Symantec Corporation"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Sign-in Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Notifier BHO"
\InProcServer32\(Default) = "C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "ShellViewRTF"
-> {HKLM...CLSID} = "ShellViewRTF"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "My Sharing Folders"
\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll" [MS]
"{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places"
-> {HKLM...CLSID} = "My Bluetooth Places"
\InProcServer32\(Default) = "C:\WINDOWS\system32\btneighborhood.dll" ["Broadcom Corporation."]
"{2F5AC606-70CF-461C-BFE1-734234536262}" = "WindowBlinds CPL Extension"
-> {HKLM...CLSID} = "DisplayCplExt Class"
\InProcServer32\(Default) = "C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbui.dll" ["Stardock.Net, Inc"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension"
-> {HKLM...CLSID} = "UnlockerShellExtension"
\InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["GRISOFT s.r.o."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\
<<!>> "AppInit_DLLs" = "wbsys.dll" ["Stardock.Net, Inc"]

HKLM\System\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> WBSrv\DLLName = "C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll" ["Stardock Corporation"]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\PROGRA~1\NORTON~1\NORTON~1\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\PROGRA~1\NORTON~1\NORTON~1\NavShExt.dll" ["Symantec Corporation"]
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
-> {HKLM...CLSID} = "UnlockerShellExtension"
\InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
-> {HKLM...CLSID} = "UnlockerShellExtension"
\InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{Prevent access to registry editing tools}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Bliss.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Bliss.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


DESKTOP.INI DLL launch in local fixed drive directories:
--------------------------------------------------------

D:\cmdcons\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]

D:\MiniNT\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]

D:\PRELOAD\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]

D:\I386\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]

D:\Tools\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]

D:\hp\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]


Startup items in "Stealth_mode" & "All Users" startup folders:
--------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Bluetooth" -> shortcut to: "C:\Program Files\Belkin\Bluetooth Software\BTTray.exe" ["Broadcom Corporation."]


Enabled Scheduled Tasks:
------------------------

"Norton Internet Security - Run Full System Scan - Compaq_Owner" -> launches: "C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe /TASK:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
"{90222687-F593-4738-B738-FBEE9C7B26DF}" = "NCO Toolbar"
-> {HKLM...CLSID} = "Show Norton Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll" ["Symantec Corporation"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_02"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_02"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll" ["Sun Microsystems, Inc."]

{CCA281CA-C863-46EF-9331-5C8D4460577F}\
"ButtonText" = "@btrez.dll,-4015"
"MenuText" = "@btrez.dll,-4017"
"Script" = "C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm" [null data]

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search & Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{E2D4D26B-0180-43A4-B05F-462D6D54C789}\
"ButtonText" = "Connection Help"
"MenuText" = "Connection Help"
"Script" = "C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm" [null data]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ad-Aware 2007 Service, aawservice, ""C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe"" ["Lavasoft AB"]
Automatic LiveUpdate Scheduler, Automatic LiveUpdate Scheduler, ""C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"" ["Symantec Corporation"]
AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["GRISOFT s.r.o."]
Bluetooth Service, btwdins, "C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe" ["Broadcom Corporation."]
EPSON Printer Status Agent2, EPSONStatusAgent2, "C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe" ["SEIKO EPSON CORPORATION"]
LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Program Files\Common Files\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"]
LiveUpdate, LiveUpdate, ""C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE"" ["Symantec Corporation"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
PC Tools Auxiliary Service, sdAuxService, "C:\Program Files\Spyware Doctor\svcntaux.exe" ["PC Tools"]
PC Tools Security Service, sdCoreService, "C:\Program Files\Spyware Doctor\swdsvc.exe" ["PC Tools"]
Symantec AppCore Service, SymAppCore, ""C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe"" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, ""C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
Symantec Lic NetConnect service, CLTNetCnService, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Bluetooth Printer Port\Driver = "bthcrp.dll" ["Broadcom Corporation."]
EPSON V5 2KMonitor\Driver = "EBPMON2.DLL" ["SEIKO EPSON CORPORATION"]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


---------- (launch time: 2007-10-10 10:25:09)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 117 seconds.
---------- (total run time: 192 seconds)


Oh, and I just scanned my PC with Spyware Doctor and it found Dialer .J. I'm not using a modem, but am I at risk?

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:04:47 PM

Posted 11 October 2007 - 10:58 AM

Hello,

Are these what you are reportedly finding in System Restore? Because all I'm seeing are cookies. Let's set a new restore point and see if this stops:

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point, then click Next. Name it (something you'll remember) and click Create. When the confirmation screen shows the restore point has been created, click Close.

Next go to Start Menu > Run > type

cleanmgr

Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up in the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.

Let me know how you come out, please.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
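The same "create one fresh restore point, then discard the older ones" step from the post above, as an added example that is not part of this thread. It assumes an elevated PowerShell prompt on Windows 7 or later (these cmdlets do not exist on the XP machine discussed here), and the drive letter and description label are placeholders you can change.

```powershell
# Added example, not from the thread: scripted equivalent of
# rstrui.exe (create a point) followed by Disk Cleanup > More Options >
# System Restore > Clean up (remove all points but the newest).
# Assumes Windows 7 or later and an elevated prompt.
#Requires -RunAsAdministrator

$Drive       = 'C:\'                                    # system drive (assumed)
$Description = 'Clean baseline after malware removal'   # any label you will recognise

# Make sure System Restore is enabled for the system drive.
Enable-ComputerRestore -Drive $Drive

# Record the restore points that exist before we add ours.
$before = @(Get-ComputerRestorePoint | Select-Object -ExpandProperty SequenceNumber)

# Create the new baseline point. Caveat: on Windows 8 and later,
# Checkpoint-Computer creates at most one point per 24 hours unless
# HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\
# SystemRestorePointCreationFrequency is 0; it only warns, so verify below.
Checkpoint-Computer -Description $Description -RestorePointType MODIFY_SETTINGS

$points = @(Get-ComputerRestorePoint)
$new    = $points | Where-Object { $before -notcontains $_.SequenceNumber }
if (-not $new) {
    throw 'No new restore point was created; refusing to delete the older ones.'
}

# List what exists, converting the WMI timestamp to a readable date.
$points | ForEach-Object {
    '{0,5}  {1:yyyy-MM-dd HH:mm}  {2}' -f $_.SequenceNumber,
        $_.ConvertToDateTime($_.CreationTime), $_.Description
}

# Remove every restore point except the one just created, so an infected
# snapshot cannot be restored by accident later.
$points | Where-Object { $_.SequenceNumber -ne $new.SequenceNumber } |
    ForEach-Object { Delete-ComputerRestorePoint -RestorePoint $_ -Confirm:$false }
```

Run it with `-WhatIf` on the final `Delete-ComputerRestorePoint` first if you want to see which points would go before anything is removed.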

#11 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:04:47 PM

Posted 19 October 2007 - 02:00 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

Good luck in your training at SWI. :thumbsup:

Regards,
tea
