
Unstoppable Pop Up


This topic is locked. 9 replies to this topic.

#1 mike4764 (Members, 5 posts)

Posted 02 March 2008 - 11:17 PM

Can't find any evidence of this virus (whatever it is); even my tech friend can't help me. Seems only to be pop-ups.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:16:30 PM, on 3/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Dell Printers\paperport\pptd40nt.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\Dell Printers\paperport\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\Dell Printers\paperport\IndexSearch.exe"
O4 - HKLM\..\Run: [DLPSP] "C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

--



#2 teacup61, Bleepin' Texan! (Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 03 March 2008 - 02:47 PM

Hello mike4764,

Welcome to Bleeping Computer :blink:

Your Java is way out of date, which leaves your computer vulnerable.

Updating Java
  • Download the latest version of Java Runtime Environment (JRE) 6u4.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use the Firefox browser: click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser: click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please download AVG Anti-Spyware Free Edition and save that file to your desktop.

This is a 30-day trial of the program -- This means that after 30 days the "background guard" protection will be de-activated. However, this version can continue to be manually updated and used as an on-demand scanner forever.
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the setup program.
  • Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  • On the top of the main screen select the "Update" icon, then under the "Manual update" section click the "Start update" button.
  • The update will start and a progress bar will show the updates being installed.
  • Once the update has completed (the progress bar will display "Update successful!") select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the "Settings" screen:
    • Click on "Recommended actions" -> select "Quarantine".
    • Under "Reports:" -> select "Do not automatically generate reports".
  • Close AVG Anti-Spyware. Please do NOT run a scan yet!
Next, please reboot your computer into Safe Mode by doing the following:
  • Reboot your computer.
  • After hearing your computer beep once during startup, but just before the Windows icon appears, begin tapping the F8 key on your keyboard. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, reboot the computer and try again.
  • Instead of Windows loading as normal, a menu should appear.
  • Using the arrow keys on the keyboard, scroll to and select the "Safe Mode" menu item, and then press "Enter".
Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL

Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Then please run a scan with AVG Anti-Spyware:

IMPORTANT: Do NOT open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process.
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab. Click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
  • Once the scan is complete do the following:
    • If you have any infections you will be prompted; then select the "Apply all actions" button, and AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
    • Next select the "Save Report" button at the bottom.
    • Then select the "Save report as" button in the lower left hand corner of the screen and save it as a text file on your system (make sure to remember where you saved that file, this is important!).
  • Close AVG Anti-Spyware and reboot your system normally into Windows. Please post the contents of the AVG Anti-Spyware report in your next reply, along with a new HijackThis log.
How is it running now please? :thumbsup:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
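The triage tea does above (picking out the one O8 entry whose handler lives on a remote host, while leaving the res:// handlers and the rest of the log alone) is mechanical enough to script. The block below is an added example for this thread, not part of HijackThis, BleepingComputer's tools, or anyone's post. The sample lines are copied from the first log in the thread; the three checks it applies (O8/O16 targets on an http(s) host, O4 Run values with no full path, O23 services whose binary reports "Unknown owner") are this example's own assumptions about what a responder reads first, and a hit is a prompt to look, not a verdict on the entry.

```python
"""Triage pass over a HijackThis 2.0 log.

Added example for this thread; not part of HijackThis or the forum's tools.
The sample lines below are copied from the first log in the thread, and the
three checks are this example's own assumptions about what a responder
reads first, not a verdict on any particular entry.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample: a handful of entry lines copied from the thread's first log.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
"""

# Every HijackThis entry line starts with its section code (R0, O4, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.+)$")
# O4 body: "<hive>\..\Run: [ValueName] command line"
RUN_VALUE_RE = re.compile(r"^.*?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# A command that starts with an (optionally quoted) drive letter carries a full path.
DRIVE_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')


@dataclass
class Entry:
    section: str  # e.g. "O8"
    body: str     # everything after "O8 - "


@dataclass
class Finding:
    section: str
    reason: str
    body: str


def parse_hjt(text: str) -> List[Entry]:
    """Keep only the numbered entry lines; header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def last_field(body: str) -> str:
    """HijackThis separates name / CLSID / owner / target with ' - ';
    the file path or URL is always the final field."""
    return body.rsplit(" - ", 1)[-1].strip()


def check_entry(e: Entry) -> Optional[Finding]:
    """Apply this example's three heuristics to one entry; None means nothing to flag."""
    if e.section in ("O8", "O16"):
        url = urlparse(last_field(e.body))
        # res:// handlers are resources inside a local DLL; http(s) ones come from a host.
        if url.scheme in ("http", "https"):
            what = "context-menu handler" if e.section == "O8" else "ActiveX control (DPF)"
            return Finding(e.section, f"{what} loaded from remote host {url.hostname}", e.body)
    elif e.section == "O4":
        m = RUN_VALUE_RE.match(e.body)
        if m and not DRIVE_PATH_RE.match(m.group("cmd")):
            return Finding(e.section,
                           f"Run value [{m.group('name')}] has no full path; "
                           "the binary is resolved through the search path", e.body)
    elif e.section == "O23":
        fields = [f.strip() for f in e.body.split(" - ")]
        if len(fields) >= 3 and fields[-2] == "Unknown owner":
            return Finding(e.section, "service binary has no publisher in its version info", e.body)
    return None


def triage(entries: List[Entry]) -> List[Finding]:
    """Return the entries worth a second look, in log order."""
    return [f for f in (check_entry(e) for e in entries) if f is not None]


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{f.section:<4} {f.reason}\n     {f.body}")
```

Run against the sample it flags the need2find.com O8 entry, the TPSMain Run value, the Symantec DPF control and the ACS service, and nothing else; on a full log, paste the whole file into `SAMPLE_LOG` or read it with `open(path, encoding="utf-8", errors="replace")`. The O8 rule is the one that reproduces the call made in this thread; the other two produce noise on an ordinary OEM laptop (every vendor startup entry without a path, every driver service lacking version info), which is exactly why they are review prompts rather than fix lists.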

#3 mike4764, Topic Starter (Members, 5 posts)

Posted 03 March 2008 - 07:05 PM

I did everything you said but still get IE pop-ups. If it helps, this virus came from a LimeWire download.
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:51:17 PM 3/3/2008

+ Scan result:



C:\Documents and Settings\STROBELIGHT\Local Settings\Temp\Temporary Directory 1 for tournament scheduler pro.zip\BitDownload-setup.exe -> Adware.Lop : Cleaned.
C:\System Volume Information\_restore{3E630DE7-5F3B-4F5C-851B-9E351BAD557E}\RP6\A0000233.exe -> Downloader.VB.ceh : Cleaned.
:mozilla.10:C:\Documents and Settings\STROBELIGHT\Application Data\Mozilla\Firefox\Profiles\lwrsromm.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.15:C:\Documents and Settings\STROBELIGHT\Application Data\Mozilla\Firefox\Profiles\lwrsromm.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.16:C:\Documents and Settings\STROBELIGHT\Application Data\Mozilla\Firefox\Profiles\lwrsromm.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.17:C:\Documents and Settings\STROBELIGHT\Application Data\Mozilla\Firefox\Profiles\lwrsromm.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.54:C:\Documents and Settings\STROBELIGHT\Application Data\Mozilla\Firefox\Profiles\lwrsromm.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.25:C:\Documents and Settings\STROBELIGHT\Application Data\Mozilla\Firefox\Profiles\lwrsromm.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.26:C:\Documents and Settings\STROBELIGHT\Application Data\Mozilla\Firefox\Profiles\lwrsromm.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.27:C:\Documents and Settings\STROBELIGHT\Application Data\Mozilla\Firefox\Profiles\lwrsromm.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.28:C:\Documents and Settings\STROBELIGHT\Application Data\Mozilla\Firefox\Profiles\lwrsromm.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.29:C:\Documents and Settings\STROBELIGHT\Application Data\Mozilla\Firefox\Profiles\lwrsromm.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.30:C:\Documents and Settings\STROBELIGHT\Application Data\Mozilla\Firefox\Profiles\lwrsromm.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.31:C:\Documents and Settings\STROBELIGHT\Application Data\Mozilla\Firefox\Profiles\lwrsromm.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.32:C:\Documents and Settings\STROBELIGHT\Application Data\Mozilla\Firefox\Profiles\lwrsromm.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.36:C:\Documents and Settings\STROBELIGHT\Application Data\Mozilla\Firefox\Profiles\lwrsromm.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.37:C:\Documents and Settings\STROBELIGHT\Application Data\Mozilla\Firefox\Profiles\lwrsromm.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.40:C:\Documents and Settings\STROBELIGHT\Application Data\Mozilla\Firefox\Profiles\lwrsromm.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.23:C:\Documents and Settings\STROBELIGHT\Application Data\Mozilla\Firefox\Profiles\lwrsromm.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.24:C:\Documents and Settings\STROBELIGHT\Application Data\Mozilla\Firefox\Profiles\lwrsromm.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.33:C:\Documents and Settings\STROBELIGHT\Application Data\Mozilla\Firefox\Profiles\lwrsromm.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.34:C:\Documents and Settings\STROBELIGHT\Application Data\Mozilla\Firefox\Profiles\lwrsromm.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.35:C:\Documents and Settings\STROBELIGHT\Application Data\Mozilla\Firefox\Profiles\lwrsromm.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.38:C:\Documents and Settings\STROBELIGHT\Application Data\Mozilla\Firefox\Profiles\lwrsromm.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.39:C:\Documents and Settings\STROBELIGHT\Application Data\Mozilla\Firefox\Profiles\lwrsromm.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.41:C:\Documents and Settings\STROBELIGHT\Application Data\Mozilla\Firefox\Profiles\lwrsromm.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.


::Report end

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:05:46 PM, on 3/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell Printers\paperport\pptd40nt.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\Dell Printers\paperport\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\Dell Printers\paperport\IndexSearch.exe"
O4 - HKLM\..\Run: [DLPSP] "C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

--
End of file - 6960 bytes

#4 teacup61, Bleepin' Texan! (Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 03 March 2008 - 07:22 PM

Hello,

Then let's use something more powerful :

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea

Edited by teacup61, 03 March 2008 - 07:22 PM.


#5 mike4764, Topic Starter (Members, 5 posts)

Posted 03 March 2008 - 10:45 PM

I think it may have worked; no pop-ups, but a lot of clicking when I go online. Here are the logs.
ComboFix 08-03-03.17 - STROBELIGHT 2008-03-03 22:13:56.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.115 [GMT -5:00]
Running from: C:\Documents and Settings\STROBELIGHT\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-04 to 2008-03-04 )))))))))))))))))))))))))))))))
.

2008-03-03 16:38 . 2008-03-03 16:38 <DIR> d-------- C:\Documents and Settings\STROBELIGHT\Application Data\Grisoft
2008-03-03 16:38 . 2008-03-03 16:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-03 16:38 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-03 16:25 . 2008-03-03 16:25 <DIR> d-------- C:\Program Files\Sun
2008-03-03 16:25 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-03 12:30 . 2008-03-03 12:30 100 --a------ C:\WINDOWS\system32\ikhcore.cfg
2008-03-03 09:13 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-03-02 14:51 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\hgprpchjwhvh.sys
2008-03-02 14:33 . 2008-03-02 17:35 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-02 14:33 . 2008-03-02 14:49 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-02 14:33 . 2008-03-02 14:49 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-02 14:33 . 2008-03-02 14:49 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-01 01:07 . 2008-03-02 15:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-29 21:44 . 2008-02-29 21:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-29 21:43 . 2008-03-02 15:53 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-29 21:43 . 2008-02-29 21:43 <DIR> d-------- C:\Documents and Settings\STROBELIGHT\Application Data\SUPERAntiSpyware.com
2008-02-29 21:42 . 2008-02-29 21:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-29 21:02 . 2008-02-29 21:02 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-02-29 19:16 . 2008-02-29 21:02 <DIR> d-------- C:\VundoFix Backups
2008-02-29 18:11 . 2008-03-02 16:21 <DIR> d-------- C:\WINDOWS\system32\iDlo18_temp
2008-02-26 16:37 . 2008-02-26 16:37 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-02-26 16:27 . 2008-02-26 16:27 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-02-25 22:49 . 2008-02-25 22:49 272 --a------ C:\WINDOWS\_delis32.ini
2008-02-25 16:23 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-02-25 16:23 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-02-21 01:13 . 2008-02-21 01:19 <DIR> d-------- C:\Program Files\Microsoft Small Business
2008-02-14 18:11 . 2008-02-14 18:11 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-02-14 18:10 . 2008-02-14 18:10 <DIR> d-------- C:\Program Files\Intuit
2008-02-14 18:10 . 1999-05-09 23:00 1,694,992 --a------ C:\WINDOWS\system32\vba6.dll
2008-02-14 18:10 . 2000-11-15 12:46 999,424 --a------ C:\WINDOWS\system32\SPR32X30.ocx
2008-02-14 18:10 . 2002-01-05 03:48 974,848 --a------ C:\WINDOWS\system32\mfc70.dll
2008-02-14 18:10 . 2000-11-15 12:46 737,280 --a------ C:\WINDOWS\system32\spr32d30.dll
2008-02-14 18:10 . 2002-09-20 07:45 339,968 --a------ C:\WINDOWS\system32\cdintf.dll
2008-02-14 17:53 . 2008-02-14 17:53 <DIR> d-------- C:\WINDOWS\Intuit
2008-02-14 16:17 . 2008-02-14 16:17 74,464 --a------ C:\Documents and Settings\STROBELIGHT\Application Data\GDIPFONTCACHEV1.DAT
2008-02-11 15:28 . 2008-02-11 15:34 <DIR> d-------- C:\EASYBEE
2008-02-11 15:27 . 2008-02-11 15:27 <DIR> d-------- C:\WINDOWS\EBdownload
2008-02-08 22:19 . 2007-11-07 11:37 319,488 --------- C:\WINDOWS\system32\fppmon3.dll
2008-02-08 22:19 . 2007-11-05 10:25 126,976 --------- C:\WINDOWS\system32\fppr332.dll
2008-02-07 21:08 . 2008-02-07 21:08 <DIR> d-------- C:\Documents and Settings\STROBELIGHT\Application Data\ScanSoft
2008-02-07 20:44 . 2006-12-07 16:50 144,280 --a------ C:\WINDOWS\system32\dlsrm.dll
2008-02-07 20:44 . 2005-03-01 16:32 28,787 --a------ C:\WINDOWS\maxlink.ini
2008-02-07 20:44 . 2008-02-07 20:44 33 --a------ C:\WINDOWS\BiMonitor.ini
2008-02-07 20:43 . 2008-02-07 20:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-02-07 20:42 . 2008-02-07 20:42 <DIR> d-------- C:\Program Files\Common Files\Scansoft Shared
2008-02-07 20:42 . 2008-02-07 20:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-02-07 20:40 . 2008-02-23 21:32 <DIR> d-------- C:\Program Files\Dell Printers
2008-02-07 20:39 . 2008-02-14 18:12 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-02-07 20:38 . 2006-10-24 19:38 536,576 -ra------ C:\WINDOWS\system32\dlsbairs.dll
2008-02-07 20:38 . 2006-11-21 10:00 118,784 --a------ C:\WINDOWS\system32\dlxbazil.dll
2008-02-07 20:38 . 2006-12-12 20:45 48,128 -ra------ C:\WINDOWS\system32\dlsbaisc.dll
2008-02-05 23:24 . 2008-02-05 23:24 <DIR> d-------- C:\Program Files\Trancite
2008-02-05 23:24 . 1998-05-11 19:01 40,960 --a------ C:\WINDOWS\regsvr32.exe
2008-02-05 23:24 . 2008-02-08 22:20 2,112 --a------ C:\WINDOWS\sscene.ini
2008-02-04 23:24 . 2008-02-04 23:24 <DIR> d-------- C:\WINDOWS\PrimoPDF
2008-02-04 23:24 . 2008-02-04 23:24 <DIR> d-------- C:\Program Files\activePDF
2008-02-04 23:24 . 2006-12-11 15:12 176,235 --a------ C:\WINDOWS\system32\Primomonnt.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-03 21:25 --------- d-----w C:\Program Files\Java
2008-03-03 20:51 --------- d-----w C:\Program Files\Google
2008-03-03 17:39 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-02 20:34 --------- d-----w C:\Program Files\Common Files\Command Software
2008-03-02 20:31 --------- d-----w C:\Program Files\Apoint2K
2008-03-01 14:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-26 21:37 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-02-26 04:27 --------- d-----w C:\Program Files\Microsoft.NET
2008-02-26 03:50 --------- d-----w C:\Program Files\Common Files\Logitech
2008-02-26 03:46 --------- d-----w C:\Program Files\AvailSuite
2008-02-20 17:14 --------- d-----w C:\Program Files\LimeWire
2008-02-14 23:12 --------- d-----w C:\Program Files\Common Files\Intuit
2008-02-09 04:18 1,392,671 ----a-w C:\WINDOWS\system32\msvbvm60.dll
2008-02-08 01:42 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-22 13:31 --------- d-----w C:\Program Files\iTunes
2008-01-22 13:30 --------- d-----w C:\Program Files\iPod
2008-01-22 13:28 --------- d-----w C:\Program Files\QuickTime
2008-01-22 13:18 --------- d-----w C:\Documents and Settings\STROBELIGHT\Application Data\WinPatrol
2008-01-22 10:51 --------- d-----w C:\Program Files\Kids Cam Sticker Factory
2008-01-22 10:02 --------- d-----w C:\Program Files\ACW
2008-01-22 07:55 --------- d-----w C:\Program Files\Ontrack
2008-01-22 07:55 --------- d-----w C:\Documents and Settings\STROBELIGHT\Application Data\Ontrack
2008-01-12 20:01 --------- d-----w C:\Program Files\Security Task Manager
2008-01-12 19:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-01-08 04:15 --------- d-----w C:\Program Files\ATI Technologies
2008-01-07 19:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-07 02:51 --------- d-----w C:\Program Files\Enigma Software Group
2008-01-07 00:28 60,968 ----a-w C:\Documents and Settings\STROBELIGHT\GoToAssistDownloadHelper.exe
2008-01-05 04:43 --------- d-----w C:\Documents and Settings\STROBELIGHT\Application Data\UpManager
2008-01-05 04:33 --------- d-----w C:\Program Files\Trend Micro
2008-01-05 03:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\drvaimdebugfunk
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\oleaut32.dll
2006-01-26 04:35 524,300 ----a-w C:\Documents and Settings\STROBELIGHT\Application Data\position.bin
2005-02-26 02:00 573,440 ----a-w C:\Documents and Settings\STROBELIGHT\Application Data\arasan.exe
2005-02-26 01:21 1,179,648 ----a-w C:\Documents and Settings\STROBELIGHT\Application Data\book.bin
2005-02-26 01:14 1,118,208 ----a-w C:\Documents and Settings\STROBELIGHT\Application Data\arasanx.exe
2003-08-27 21:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-10-26 11:06 292152]
"TPSMain"="TPSMain.exe" [2004-06-01 22:43 278528 C:\WINDOWS\system32\TPSMain.exe]
"Pinger"="C:\TOSHIBA\IVP\ISM\pinger.exe" [2005-03-17 18:37 151552]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-30 18:46 192512]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22 155648]
"PaperPort PTD"="C:\Program Files\Dell Printers\paperport\pptd40nt.exe" [2006-06-30 18:08 36864]
"IndexSearch"="C:\Program Files\Dell Printers\paperport\IndexSearch.exe" [2006-06-30 18:08 40960]
"DLPSP"="C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE" [2006-12-07 16:52 340888]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 15:45 36040]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL TopSpeedMonitor"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

R0 TCtrlIO;TOSHIBA Controls Driver;C:\WINDOWS\system32\drivers\TCtrlIO.sys [2004-08-02 16:32]
R0 TPwSav;Toshiba Power Saver Driver;C:\WINDOWS\system32\DRIVERS\TPwSav.sys [2004-08-20 11:30]
R1 SerTVOutCtlr;TOSHIBA Controls Driver -EPIOMngr;C:\WINDOWS\system32\drivers\EPIOMngr.sys [2004-07-30 17:05]
R2 DLSDB;Dell Printer Status Database;C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE [2006-12-07 16:52]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ []
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
S3 JL2005C;Dual Mode Camera;C:\WINDOWS\system32\Drivers\jl2005c.sys [2007-02-14 20:03]
S3 PID_0920;Logitech QuickCam Express(PID_0920);C:\WINDOWS\system32\DRIVERS\LV532AV.SYS []
S3 WLAN;IEEE 802.11b WLAN network adaptor Driver;C:\WINDOWS\system32\DRIVERS\WLANNDS.sys [2003-10-17 15:40]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-26 21:47:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-03 22:17:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\Program Files\ArcSoft\Software Suite\PhotoImpression\share\pihook.dll
.
Completion time: 2008-03-03 22:19:19
ComboFix-quarantined-files.txt 2008-03-04 03:19:03
ComboFix2.txt 2008-03-04 02:54:25
.
2008-03-02 13:08:33 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:46:08 PM, on 3/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Dell Printers\paperport\pptd40nt.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\Dell Printers\paperport\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\Dell Printers\paperport\IndexSearch.exe"
O4 - HKLM\..\Run: [DLPSP] "C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

--
End of file - 6848 bytes

#6 teacup61 (Malware Response Team, Wills Point, Texas)

Posted 04 March 2008 - 11:25 AM

Hello,

* Open Notepad - don't use any text editor other than Notepad, or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
C:\WINDOWS\system32\drivers\hgprpchjwhvh.sys
C:\WINDOWS\system32\Help.ico
C:\WINDOWS\system32\pavas.ico
C:\WINDOWS\system32\Uninstall.ico
C:\WINDOWS\system32\iDlo18_temp
C:\WINDOWS\_delis32.ini
C:\Documents and Settings\All Users\Application Data\drvaimdebugfunk

Driver::
hgprpchjwhvh


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: dragging CFScript onto ComboFix.exe; image not reproduced]

This will start ComboFix again.

After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. How is it running?

Thanks,
tea
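As an added example (not code from this thread, from BleepingComputer or from ComboFix): the script layout above is a 'File::' block of full paths followed by a 'Driver::' block of service names, and ComboFix reports what it actually removed under its parenthesised 'Other Deletions' and 'Drivers/Services' headers. The Python below builds that CFScript text from the two lists and then cross-checks the report ComboFix returns, so that any requested path or driver the report does not confirm as removed is listed for follow-up instead of being assumed gone. The report excerpt embedded in the code is constructed in ComboFix's layout from the log posted later in this thread; the function and dataclass names are this example's own, not ComboFix's.

```python
# Added example: build a ComboFix CFScript and cross-check the report it
# produces. Not code from the thread or from ComboFix. Assumed layout: a
# 'File::' block of paths, a 'Driver::' block of service names, and report
# headers such as '((( Other Deletions )))' and '((( Drivers/Services )))'.
from __future__ import annotations

import re
from dataclasses import dataclass


def build_cfscript(files: list[str], drivers: list[str]) -> str:
    """Emit the File::/Driver:: text to save as CFScript.txt."""
    return "\n".join(["File::", *files, "", "Driver::", *drivers, ""])


def parse_cfscript(text: str) -> dict[str, list[str]]:
    """Map each 'Name::' section of a CFScript to its non-blank entries."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


# ComboFix section headers look like "((((( Other Deletions )))))".
_HEADER = re.compile(r"^\(+\s*(.+?)\s*\)+$")


def parse_combofix(report: str) -> dict[str, list[str]]:
    """Map each parenthesised ComboFix header to the lines listed beneath it."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in report.splitlines():
        line = raw.strip()
        m = _HEADER.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current and line and line != ".":
            sections[current].append(line)
    return sections


@dataclass
class Verification:
    confirmed_files: list[str]
    unconfirmed_files: list[str]
    confirmed_drivers: list[str]
    unconfirmed_drivers: list[str]


def verify(cfscript: str, report: str) -> Verification:
    """Which requested files and drivers does the report confirm as removed?"""
    wanted = parse_cfscript(cfscript)
    done = parse_combofix(report)
    # Windows paths and service names are case-insensitive: compare lowercased.
    deleted = {p.lower() for p in done.get("Other Deletions", [])}
    # Driver/service lines read "-------\name" and "-------\LEGACY_NAME".
    removed = {e.rsplit("\\", 1)[-1].lower() for e in done.get("Drivers/Services", [])}
    files, drivers = wanted.get("File", []), wanted.get("Driver", [])
    return Verification(
        confirmed_files=[f for f in files if f.lower() in deleted],
        unconfirmed_files=[f for f in files if f.lower() not in deleted],
        confirmed_drivers=[d for d in drivers if d.lower() in removed],
        unconfirmed_drivers=[d for d in drivers if d.lower() not in removed],
    )


# The script from the post above, as text.
SCRIPT = build_cfscript(
    [
        r"C:\WINDOWS\system32\drivers\hgprpchjwhvh.sys",
        r"C:\WINDOWS\system32\Help.ico",
        r"C:\WINDOWS\system32\pavas.ico",
        r"C:\WINDOWS\system32\Uninstall.ico",
        r"C:\WINDOWS\system32\iDlo18_temp",
        r"C:\WINDOWS\_delis32.ini",
        r"C:\Documents and Settings\All Users\Application Data\drvaimdebugfunk",
    ],
    ["hgprpchjwhvh"],
)

# Constructed excerpt in ComboFix's report layout, modelled on this thread's log.
REPORT = r"""
((((((((((((((( Other Deletions )))))))))))))))
.
C:\WINDOWS\_delis32.ini
C:\WINDOWS\system32\drivers\hgprpchjwhvh.sys
C:\WINDOWS\system32\Help.ico
C:\WINDOWS\system32\pavas.ico
C:\WINDOWS\system32\Uninstall.ico
.
((((((((((((((( Drivers/Services )))))))))))))))
.
-------\LEGACY_HGPRPCHJWHVH
-------\hgprpchjwhvh

((((((((((((((( Files Created from 2008-02-04 to 2008-03-04 )))))))))))))))
.
2008-02-29 18:11 . 2008-03-02 16:21 <DIR> d-------- C:\WINDOWS\system32\iDlo18_temp
"""
```

Calling verify(SCRIPT, REPORT) on the thread's own script and report confirms the five files and the driver, and lists the two directory entries (iDlo18_temp and drvaimdebugfunk) as not confirmed deleted, which is why the Files Created and Find3M sections of the next log deserve a second look. The report is ComboFix's word, not the disk's: after the reboot the on-box follow-up is to check that each requested path really no longer exists.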

#7 mike4764 (Topic Starter)

Posted 04 March 2008 - 12:42 PM

No popups yet, so I think you fixed it. Here are the logs you requested:
ComboFix 08-03-03.17 - STROBELIGHT 2008-03-04 12:19:49.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.162 [GMT -5:00]
Running from: C:\Documents and Settings\STROBELIGHT\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\STROBELIGHT\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\All Users\Application Data\drvaimdebugfunk
C:\WINDOWS\_delis32.ini
C:\WINDOWS\system32\drivers\hgprpchjwhvh.sys
C:\WINDOWS\system32\Help.ico
C:\WINDOWS\system32\iDlo18_temp
C:\WINDOWS\system32\pavas.ico
C:\WINDOWS\system32\Uninstall.ico
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\_delis32.ini
C:\WINDOWS\system32\drivers\hgprpchjwhvh.sys
C:\WINDOWS\system32\Help.ico
C:\WINDOWS\system32\pavas.ico
C:\WINDOWS\system32\Uninstall.ico

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_HGPRPCHJWHVH
-------\hgprpchjwhvh


((((((((((((((((((((((((( Files Created from 2008-02-04 to 2008-03-04 )))))))))))))))))))))))))))))))
.

2008-03-03 16:38 . 2008-03-03 16:38 <DIR> d-------- C:\Documents and Settings\STROBELIGHT\Application Data\Grisoft
2008-03-03 16:38 . 2008-03-03 16:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-03 16:38 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-03 16:25 . 2008-03-03 16:25 <DIR> d-------- C:\Program Files\Sun
2008-03-03 16:25 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-03 12:30 . 2008-03-03 12:30 100 --a------ C:\WINDOWS\system32\ikhcore.cfg
2008-03-03 09:13 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-03-02 14:33 . 2008-03-02 17:35 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-01 01:07 . 2008-03-02 15:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-29 21:44 . 2008-02-29 21:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-29 21:43 . 2008-03-02 15:53 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-29 21:43 . 2008-02-29 21:43 <DIR> d-------- C:\Documents and Settings\STROBELIGHT\Application Data\SUPERAntiSpyware.com
2008-02-29 21:42 . 2008-02-29 21:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-29 21:02 . 2008-02-29 21:02 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-02-29 19:16 . 2008-02-29 21:02 <DIR> d-------- C:\VundoFix Backups
2008-02-29 18:11 . 2008-03-02 16:21 <DIR> d-------- C:\WINDOWS\system32\iDlo18_temp
2008-02-26 16:37 . 2008-02-26 16:37 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-02-26 16:27 . 2008-02-26 16:27 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-02-25 16:23 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-02-25 16:23 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-02-21 01:13 . 2008-02-21 01:19 <DIR> d-------- C:\Program Files\Microsoft Small Business
2008-02-14 18:11 . 2008-02-14 18:11 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-02-14 18:10 . 2008-02-14 18:10 <DIR> d-------- C:\Program Files\Intuit
2008-02-14 18:10 . 1999-05-09 23:00 1,694,992 --a------ C:\WINDOWS\system32\vba6.dll
2008-02-14 18:10 . 2000-11-15 12:46 999,424 --a------ C:\WINDOWS\system32\SPR32X30.ocx
2008-02-14 18:10 . 2002-01-05 03:48 974,848 --a------ C:\WINDOWS\system32\mfc70.dll
2008-02-14 18:10 . 2000-11-15 12:46 737,280 --a------ C:\WINDOWS\system32\spr32d30.dll
2008-02-14 18:10 . 2002-09-20 07:45 339,968 --a------ C:\WINDOWS\system32\cdintf.dll
2008-02-14 17:53 . 2008-02-14 17:53 <DIR> d-------- C:\WINDOWS\Intuit
2008-02-14 16:17 . 2008-02-14 16:17 74,464 --a------ C:\Documents and Settings\STROBELIGHT\Application Data\GDIPFONTCACHEV1.DAT
2008-02-11 15:28 . 2008-02-11 15:34 <DIR> d-------- C:\EASYBEE
2008-02-11 15:27 . 2008-02-11 15:27 <DIR> d-------- C:\WINDOWS\EBdownload
2008-02-08 22:19 . 2007-11-07 11:37 319,488 --------- C:\WINDOWS\system32\fppmon3.dll
2008-02-08 22:19 . 2007-11-05 10:25 126,976 --------- C:\WINDOWS\system32\fppr332.dll
2008-02-07 21:08 . 2008-02-07 21:08 <DIR> d-------- C:\Documents and Settings\STROBELIGHT\Application Data\ScanSoft
2008-02-07 20:44 . 2006-12-07 16:50 144,280 --a------ C:\WINDOWS\system32\dlsrm.dll
2008-02-07 20:44 . 2005-03-01 16:32 28,787 --a------ C:\WINDOWS\maxlink.ini
2008-02-07 20:44 . 2008-02-07 20:44 33 --a------ C:\WINDOWS\BiMonitor.ini
2008-02-07 20:43 . 2008-02-07 20:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-02-07 20:42 . 2008-02-07 20:42 <DIR> d-------- C:\Program Files\Common Files\Scansoft Shared
2008-02-07 20:42 . 2008-02-07 20:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-02-07 20:40 . 2008-02-23 21:32 <DIR> d-------- C:\Program Files\Dell Printers
2008-02-07 20:39 . 2008-02-14 18:12 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-02-07 20:38 . 2006-10-24 19:38 536,576 -ra------ C:\WINDOWS\system32\dlsbairs.dll
2008-02-07 20:38 . 2006-11-21 10:00 118,784 --a------ C:\WINDOWS\system32\dlxbazil.dll
2008-02-07 20:38 . 2006-12-12 20:45 48,128 -ra------ C:\WINDOWS\system32\dlsbaisc.dll
2008-02-05 23:24 . 2008-02-05 23:24 <DIR> d-------- C:\Program Files\Trancite
2008-02-05 23:24 . 1998-05-11 19:01 40,960 --a------ C:\WINDOWS\regsvr32.exe
2008-02-05 23:24 . 2008-02-08 22:20 2,112 --a------ C:\WINDOWS\sscene.ini
2008-02-04 23:24 . 2008-02-04 23:24 <DIR> d-------- C:\WINDOWS\PrimoPDF
2008-02-04 23:24 . 2008-02-04 23:24 <DIR> d-------- C:\Program Files\activePDF
2008-02-04 23:24 . 2006-12-11 15:12 176,235 --a------ C:\WINDOWS\system32\Primomonnt.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-03 21:25 --------- d-----w C:\Program Files\Java
2008-03-03 20:51 --------- d-----w C:\Program Files\Google
2008-03-03 17:39 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-02 20:34 --------- d-----w C:\Program Files\Common Files\Command Software
2008-03-02 20:31 --------- d-----w C:\Program Files\Apoint2K
2008-03-01 14:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-26 21:37 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-02-26 04:27 --------- d-----w C:\Program Files\Microsoft.NET
2008-02-26 03:50 --------- d-----w C:\Program Files\Common Files\Logitech
2008-02-26 03:46 --------- d-----w C:\Program Files\AvailSuite
2008-02-20 17:14 --------- d-----w C:\Program Files\LimeWire
2008-02-14 23:12 --------- d-----w C:\Program Files\Common Files\Intuit
2008-02-08 01:42 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-22 13:31 --------- d-----w C:\Program Files\iTunes
2008-01-22 13:30 --------- d-----w C:\Program Files\iPod
2008-01-22 13:28 --------- d-----w C:\Program Files\QuickTime
2008-01-22 13:18 --------- d-----w C:\Documents and Settings\STROBELIGHT\Application Data\WinPatrol
2008-01-22 10:51 --------- d-----w C:\Program Files\Kids Cam Sticker Factory
2008-01-22 10:02 --------- d-----w C:\Program Files\ACW
2008-01-22 07:55 --------- d-----w C:\Program Files\Ontrack
2008-01-22 07:55 --------- d-----w C:\Documents and Settings\STROBELIGHT\Application Data\Ontrack
2008-01-12 20:01 --------- d-----w C:\Program Files\Security Task Manager
2008-01-12 19:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-01-08 04:15 --------- d-----w C:\Program Files\ATI Technologies
2008-01-07 19:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-07 02:51 --------- d-----w C:\Program Files\Enigma Software Group
2008-01-07 00:28 60,968 ----a-w C:\Documents and Settings\STROBELIGHT\GoToAssistDownloadHelper.exe
2008-01-05 04:43 --------- d-----w C:\Documents and Settings\STROBELIGHT\Application Data\UpManager
2008-01-05 04:33 --------- d-----w C:\Program Files\Trend Micro
2008-01-05 03:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\drvaimdebugfunk
2006-01-26 04:35 524,300 ----a-w C:\Documents and Settings\STROBELIGHT\Application Data\position.bin
2005-02-26 02:00 573,440 ----a-w C:\Documents and Settings\STROBELIGHT\Application Data\arasan.exe
2005-02-26 01:21 1,179,648 ----a-w C:\Documents and Settings\STROBELIGHT\Application Data\book.bin
2005-02-26 01:14 1,118,208 ----a-w C:\Documents and Settings\STROBELIGHT\Application Data\arasanx.exe
2003-08-27 21:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-10-26 11:06 292152]
"TPSMain"="TPSMain.exe" [2004-06-01 22:43 278528 C:\WINDOWS\system32\TPSMain.exe]
"Pinger"="C:\TOSHIBA\IVP\ISM\pinger.exe" [2005-03-17 18:37 151552]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-30 18:46 192512]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22 155648]
"PaperPort PTD"="C:\Program Files\Dell Printers\paperport\pptd40nt.exe" [2006-06-30 18:08 36864]
"IndexSearch"="C:\Program Files\Dell Printers\paperport\IndexSearch.exe" [2006-06-30 18:08 40960]
"DLPSP"="C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE" [2006-12-07 16:52 340888]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 15:45 36040]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL TopSpeedMonitor"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

R0 TCtrlIO;TOSHIBA Controls Driver;C:\WINDOWS\system32\drivers\TCtrlIO.sys [2004-08-02 16:32]
R0 TPwSav;Toshiba Power Saver Driver;C:\WINDOWS\system32\DRIVERS\TPwSav.sys [2004-08-20 11:30]
R1 SerTVOutCtlr;TOSHIBA Controls Driver -EPIOMngr;C:\WINDOWS\system32\drivers\EPIOMngr.sys [2004-07-30 17:05]
R2 DLSDB;Dell Printer Status Database;C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE [2006-12-07 16:52]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ []
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
S3 JL2005C;Dual Mode Camera;C:\WINDOWS\system32\Drivers\jl2005c.sys [2007-02-14 20:03]
S3 PID_0920;Logitech QuickCam Express(PID_0920);C:\WINDOWS\system32\DRIVERS\LV532AV.SYS []
S3 WLAN;IEEE 802.11b WLAN network adaptor Driver;C:\WINDOWS\system32\DRIVERS\WLANNDS.sys [2003-10-17 15:40]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-26 21:47:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-04 12:28:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\Program Files\ArcSoft\Software Suite\PhotoImpression\share\pihook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
.
**************************************************************************
.
Completion time: 2008-03-04 12:31:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-04 17:31:54
ComboFix2.txt 2008-03-04 03:19:20
ComboFix3.txt 2008-03-04 02:54:25
.
2008-03-02 13:08:33 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:42:32 PM, on 3/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\Dell Printers\paperport\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\Dell Printers\paperport\IndexSearch.exe"
O4 - HKLM\..\Run: [DLPSP] "C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

--
End of file - 6573 bytes
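
The log above is the kind of thing a helper reads by eye, section by section. As an added example (not code from the original thread, BleepingComputer or the HijackThis project), here is a small Python triage script that parses the O4, O16, O20 and O23 line formats used in that log and returns the entries an analyst would look at first: Run values that name a bare executable with no path, services whose binary carries no vendor information ("Unknown owner"), autostarts outside Program Files and WINDOWS, web-downloaded ActiveX controls, and Winlogon notification DLLs. The sample input is a constructed subset of the lines from the log above; every flag is a review hint, not a verdict, and all of these entries belong to legitimate software on the poster's machine.

```python
"""Triage helper for HijackThis (HJT) log lines.

Parses O4 (autostart), O16 (ActiveX/DPF), O20 (Winlogon Notify) and O23
(service) entries and returns the ones an analyst would inspect first.
The flags are review hints, not verdicts.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of entries copied from the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
"""


@dataclass
class Finding:
    section: str  # HJT section, e.g. "O4" or "O23"
    name: str     # Run value name, service display name, CLSID, ...
    path: str     # executable, DLL or URL the entry points at
    reason: str   # why an analyst should look at it


# Directories where a stock XP install and ordinary installers put binaries
# (assumption for this example; adjust for the machine being reviewed).
EXPECTED_DIRS = (r"c:\program files", r"c:\progra~1", r"c:\windows")

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_GS_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<desc>[^)]*)\) - (?P<url>\S+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|dll|lnk|cab))"?', re.IGNORECASE)
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)$")


def executable_of(cmd: str) -> str:
    """Return the program an O4 command line launches, without quotes or arguments."""
    cmd = USER_SUFFIX_RE.sub("", cmd.strip())
    m = EXE_RE.match(cmd)
    return m.group("exe") if m else cmd.split()[0]


def is_unqualified(exe: str) -> bool:
    """True when the entry names a bare file with no directory component."""
    return "\\" not in exe and "/" not in exe


def in_expected_dir(path: str) -> bool:
    return path.strip('"').lower().startswith(EXPECTED_DIRS)


def _o4_finding(name: str, cmd: str) -> Optional[Finding]:
    exe = executable_of(cmd)
    if is_unqualified(exe):
        return Finding("O4", name, exe,
                       "bare file name: resolved through the search path at logon, "
                       "so a same-named file found earlier in that path would run instead")
    if not in_expected_dir(exe):
        return Finding("O4", name, exe, "autostart outside Program Files / WINDOWS")
    return None


def triage(log_text: str) -> List[Finding]:
    """Parse HJT lines and return the entries worth a closer look, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := (O4_RE.match(line) or O4_GS_RE.match(line)):
            f = _o4_finding(m.group("name"), m.group("cmd"))
            if f:
                findings.append(f)
        elif m := O16_RE.match(line):
            findings.append(Finding("O16", m.group("clsid"), m.group("url"),
                                    f"ActiveX control downloaded from the web ({m.group('desc')}); "
                                    "confirm the hosting domain"))
        elif m := O20_RE.match(line):
            findings.append(Finding("O20", m.group("name"), m.group("path"),
                                    "Winlogon notification DLL: loaded into winlogon.exe as SYSTEM"))
        elif m := O23_RE.match(line):
            if m.group("owner") == "Unknown owner":
                findings.append(Finding("O23", m.group("name"), m.group("path"),
                                        "service binary carries no vendor information; "
                                        "check its digital signature or hash"))
            elif not in_expected_dir(m.group("path")):
                findings.append(Finding("O23", m.group("name"), m.group("path"),
                                        "service outside Program Files / WINDOWS"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.name:<40} {f.path}\n     -> {f.reason}")
```

Run it against a full HijackThis log (`triage(open("hijackthis.log").read())`) and it shortens the review to the handful of lines that need a hash lookup or a signature check; lines it does not flag still deserve a glance, since a well-named binary in Program Files is exactly what malware imitates.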

#8 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Location:Wills Point, Texas

Posted 04 March 2008 - 02:33 PM

Hello,

Glad to know it. :thumbsup: Is the clicking gone as well?
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#9 mike4764
  • Topic Starter
  • Members
  • 5 posts

Posted 04 March 2008 - 09:03 PM

The clicking is there only when I first open IE. Other than that it works fine, thank you.

#10 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Location:Wills Point, Texas

Posted 19 March 2008 - 01:54 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.