Spyware Pc Cleaner Pop Up


This topic is locked
4 replies to this topic

#1 Greg Williams
Posted 21 April 2008 - 03:08 PM

I have a pop-up for PC Cleaner and other stuff.

Here are my logs.

Thanks for the help.

Kaspersky

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, April 21, 2008 2:02:38 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/04/2008
Kaspersky Anti-Virus database records: 718029
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 40515
Number of viruses found: 6
Number of infected objects: 16
Number of suspicious objects: 0
Duration of the scan process: 01:12:36

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\LISAPH~1\LOCALS~1\Temp\rsyncini.exe Infected: Trojan.Win32.Shutdowner.em skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Lisa Phillips\Application Data\Sun\Java\Deployment\cache\6.0\29\3c8283dd-7211b4a9/HiPointInstallShieldRT.class Infected: Trojan-Downloader.Java.OpenConnection.ap skipped
C:\Documents and Settings\Lisa Phillips\Application Data\Sun\Java\Deployment\cache\6.0\29\3c8283dd-7211b4a9 ZIP: infected - 1 skipped
C:\Documents and Settings\Lisa Phillips\Application Data\Sun\Java\Deployment\cache\6.0\37\63380ea5-43613df0/HiPointInstallShieldRT.class Infected: Trojan-Downloader.Java.OpenConnection.ap skipped
C:\Documents and Settings\Lisa Phillips\Application Data\Sun\Java\Deployment\cache\6.0\37\63380ea5-43613df0 ZIP: infected - 1 skipped
C:\Documents and Settings\Lisa Phillips\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\eRT.jar-4b6298a9-724cc4ae.zip/HiPointInstallShieldRT.class Infected: Trojan-Downloader.Java.OpenConnection.ap skipped
C:\Documents and Settings\Lisa Phillips\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\eRT.jar-4b6298a9-724cc4ae.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Lisa Phillips\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\nRT.jar-50316a3b-2fc7d47c.zip/HiPointInstallShieldRT.class Infected: Trojan-Downloader.Java.OpenConnection.ap skipped
C:\Documents and Settings\Lisa Phillips\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\nRT.jar-50316a3b-2fc7d47c.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Lisa Phillips\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Lisa Phillips\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Lisa Phillips\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Lisa Phillips\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Lisa Phillips\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Lisa Phillips\Local Settings\Temp\~DF95A1.tmp Object is locked skipped
C:\Documents and Settings\Lisa Phillips\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Lisa Phillips\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Lisa Phillips\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Lisa Phillips\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temp\lqsyqasl.exe Infected: Trojan-Downloader.Win32.Agent.mxd skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CHUB09AR\count[1].php Infected: Trojan-Downloader.Win32.Agent.mxd skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\moved\pwrcsmwp.exe Infected: Trojan-Downloader.Win32.Agent.mxd skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{CD190668-2DFD-4585-ACD3-A79AC65FCE3B}\RP295\A0446264.exe Infected: Trojan.Win32.Patched.aa skipped
C:\System Volume Information\_restore{CD190668-2DFD-4585-ACD3-A79AC65FCE3B}\RP296\A0449268.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.hu skipped
C:\System Volume Information\_restore{CD190668-2DFD-4585-ACD3-A79AC65FCE3B}\RP301\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\V3LJ75YF\count[1].php Infected: Trojan-Downloader.Win32.Agent.mxd skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_7f4.dat Object is locked skipped
C:\WINDOWS\Web\def.htm Infected: not-virus:Hoax.HTML.Secureinvites.c skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Deckard

Deckard's System Scanner v20071014.68
Run by Lisa Phillips on 2008-04-20 21:10:56
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
43: 2008-04-21 03:11:07 UTC - RP301 - Deckard's System Scanner Restore Point
42: 2008-04-21 01:10:51 UTC - RP300 - Update to an unsigned driver
41: 2008-04-21 01:06:46 UTC - RP299 - Software Distribution Service 3.0
40: 2008-04-21 01:04:15 UTC - RP298 - Unsigned driver install
39: 2008-04-21 00:59:12 UTC - RP297 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-01-31 17:37:29 UTC - RP259 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 1.81 GiB (less than 15%) free.


-- HijackThis (run as Lisa Phillips.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:29:44 PM, on 4/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\xmnstcps\vgvipgjg.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\sstray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ryfspyxg.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\Documents and Settings\Lisa Phillips\Local Settings\Temporary Internet Files\Content.IE5\MUW28MTC\dss[1].exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Lisa Phillips.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ocbwpldu] C:\WINDOWS\system32\ryfspyxg.exe
O4 - HKLM\..\Policies\Explorer\Run: [Rfd71llkll] C:\Documents and Settings\All Users\Application Data\xmnstcps\vgvipgjg.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F243D65-0B39-4BC8-A0DD-E5A4A529531B}: NameServer = 192.168.7.1,205.171.3.65
O21 - SSODL: HGddAHANBd - {50A091B5-FA0A-3B1F-61E8-F07A71E64BAC} - C:\WINDOWS\System32\glpq.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5653 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 W8335XP (802.11g/b Driver for Windows XP ) - c:\windows\system32\drivers\mrvw125.sys <Not Verified; Marvell Semiconductor, Inc; Device driver for Marvell 802.11 NIC>

S3 RimUsb (BlackBerry Device) - c:\windows\system32\drivers\rimusb.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\1A9E4DE01800
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\1A9E4DE01800
Service: NIC1394


-- Scheduled Tasks -------------------------------------------------------------

2008-03-17 06:17:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-03-20 and 2008-04-20 -----------------------------

2008-04-20 21:29:26 0 d-------- C:\Program Files\Trend Micro
2008-04-18 10:37:20 0 d-------- C:\Program Files\PC-Cleaner
2008-04-14 19:29:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-03-25 20:31:29 4096 --a------ C:\WINDOWS\userconfig9x.dll
2008-03-25 20:31:29 4096 --a------ C:\WINDOWS\system32winlogonpc.exe
2008-03-25 20:31:29 4096 --a------ C:\WINDOWS\system32temp#01.exe
2008-03-25 20:31:29 4096 --a------ C:\WINDOWS\system32taack.exe
2008-03-25 20:31:29 4096 --a------ C:\WINDOWS\system32taack.dat
2008-03-25 20:31:29 4096 --a------ C:\WINDOWS\system32ssvchost.exe
2008-03-25 20:31:29 4096 --a------ C:\WINDOWS\system32ssvchost.com
2008-03-25 20:31:29 4096 --a------ C:\WINDOWS\system32ssurf022.dll
2008-03-25 20:31:29 4096 --a------ C:\WINDOWS\system32sncntr.exe
2008-03-25 20:31:29 0 d-------- C:\WINDOWS\system32smp
2008-03-25 20:31:29 4096 --a------ C:\WINDOWS\system32regm64.dll
2008-03-25 20:31:29 4096 --a------ C:\WINDOWS\system32regc64.dll
2008-03-25 20:31:29 4096 --a------ C:\WINDOWS\system32psoft1.exe
2008-03-25 20:31:29 4096 --a------ C:\WINDOWS\system32psof1.exe
2008-03-25 20:31:29 4096 --a------ C:\WINDOWS\system32ps1.exe
2008-03-25 20:31:29 4096 --a------ C:\WINDOWS\system32netode.exe
2008-03-25 20:31:29 4096 --a------ C:\WINDOWS\system32mwin32.exe
2008-03-25 20:31:29 4096 --a------ C:\WINDOWS\system32mtr2.exe
2008-03-25 20:31:29 4096 --a------ C:\WINDOWS\system32msvchost.exe
2008-03-25 20:31:29 4096 --a------ C:\WINDOWS\system32msnbho.dll
2008-03-25 20:31:29 4096 --a------ C:\WINDOWS\system32msgp.exe
2008-03-25 20:31:29 4096 --a------ C:\WINDOWS\system32medup020.dll
2008-03-25 20:31:29 4096 --a------ C:\WINDOWS\system32medup012.dll
2008-03-25 20:31:29 4096 --a------ C:\WINDOWS\system32hxiwlgpm.exe
2008-03-25 20:31:29 4096 --a------ C:\WINDOWS\system32hxiwlgpm.dat
2008-03-25 20:31:29 4096 --a------ C:\WINDOWS\system32hoproxy.dll
2008-03-25 20:31:29 4096 --a------ C:\WINDOWS\system32h@tkeysh@@k.dll
2008-03-25 20:31:29 4096 --a------ C:\WINDOWS\system32dpcproxy.exe
2008-03-25 20:31:29 4096 --a------ C:\WINDOWS\system32bsva-egihsg52.exe
2008-03-25 20:31:29 4096 --a------ C:\WINDOWS\iTunesMusic.exe
2008-03-25 20:31:29 4096 --a------ C:\WINDOWS\FVProtect.exe
2008-03-25 20:31:29 4096 --a------ C:\WINDOWS\a.bat
2008-03-25 20:31:29 0 d-------- C:\Program Files\Inet Delivery
2008-03-25 20:31:29 0 d-------- C:\Documents and Settings\Lisa Phillips\Desktopvirii
2008-03-25 20:31:29 4096 --a------ C:\Documents and Settings\Lisa Phillips\Desktopfilemanagerclient.exe
2008-03-25 20:31:28 4096 --a------ C:\WINDOWS\winsystem.exe
2008-03-25 20:31:28 4096 --a------ C:\WINDOWS\system32WINWGPX.EXE
2008-03-25 20:31:28 4096 --a------ C:\WINDOWS\system32winsystem.exe
2008-03-25 20:31:28 4096 --a------ C:\WINDOWS\system32vcatchpi.dll
2008-03-25 20:31:28 4096 --a------ C:\WINDOWS\system32vbsys2.dll
2008-03-25 20:31:28 4096 --a------ C:\WINDOWS\system32thun32.dll
2008-03-25 20:31:28 4096 --a------ C:\WINDOWS\system32thun.dll
2008-03-25 20:31:28 4096 --a------ C:\WINDOWS\system32sysreq.exe
2008-03-25 20:31:28 4096 --a------ C:\WINDOWS\system32Rundl1.exe
2008-03-25 20:31:28 4096 --a------ C:\WINDOWS\system32newsd32.exe
2008-03-25 20:31:28 4096 --a------ C:\WINDOWS\system32mssecu.exe
2008-03-25 20:31:28 4096 --a------ C:\WINDOWS\system32emesx.dll
2008-03-25 20:31:28 4096 --a------ C:\WINDOWS\system32bdn.com
2008-03-25 20:31:28 4096 --a------ C:\WINDOWS\system32awtoolb.dll
2008-03-25 20:31:28 4096 --a------ C:\WINDOWS\system32anticipator.dll
2008-03-25 20:31:28 4096 --a------ C:\WINDOWS\system32akttzn.exe
2008-03-25 20:31:28 4096 --a------ C:\WINDOWS\mssecu.exe
2008-03-25 20:31:28 0 d-------- C:\WINDOWS\mslagent
2008-03-25 20:31:28 4096 --a------ C:\WINDOWS\bdn.com
2008-03-25 20:31:28 0 d-------- C:\Program Files\akl
2008-03-25 20:31:28 4096 --a------ C:\Documents and Settings\Lisa Phillips\DesktopFWebdEditor.exe
2008-03-25 20:31:28 4096 --a------ C:\Documents and Settings\Lisa Phillips\Desktopfwebd.exe
2008-03-25 20:31:06 0 d-------- C:\Documents and Settings\All Users\Application Data\xmnstcps
2008-03-25 20:31:05 98304 --a------ C:\WINDOWS\system32\ryfspyxg.exe
2008-03-25 20:30:27 1 --a------ C:\WINDOWS\system32\kr_done1


-- Find3M Report ---------------------------------------------------------------

2008-04-20 18:49:48 0 d-------- C:\Documents and Settings\Lisa Phillips\Application Data\MSN6
2008-04-18 09:56:07 0 d-------- C:\Program Files\Google
2008-04-14 19:36:38 0 d-------- C:\Documents and Settings\Lisa Phillips\Application Data\Google
2008-03-19 20:14:57 0 d-------- C:\Documents and Settings\Lisa Phillips\Application Data\MSNInstaller
2008-03-09 16:50:36 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-09 16:49:58 0 d-------- C:\Program Files\Qwest
2008-03-09 16:49:49 0 d-------- C:\Program Files\Common Files
2008-03-09 16:49:49 0 d-------- C:\Program Files\Common Files\supportsoft
2008-03-09 16:49:02 0 d-------- C:\Program Files\2Wire
2008-03-09 16:48:33 0 d-------- C:\Program Files\Actiontec
2008-03-09 16:37:27 0 d-------- C:\Documents and Settings\Lisa Phillips\Application Data\InstallShield
2008-03-09 16:26:32 0 d-------- C:\Documents and Settings\Lisa Phillips\Application Data\Talkback
2008-03-09 16:26:18 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-09 16:26:11 0 d-------- C:\Documents and Settings\Lisa Phillips\Application Data\Mozilla
2008-03-09 15:57:27 0 d-------- C:\Documents and Settings\Lisa Phillips\Application Data\Adobe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus C88 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.exe" [01/27/2005 05:00 AM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [03/29/2008 12:37 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM]
"nForce Tray Options"="sstray.exe" [11/13/2002 01:34 AM C:\WINDOWS\system32\sstray.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [02/16/2007 10:54 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/02/2007 03:24 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/22/2007 02:07 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"ocbwpldu"="C:\WINDOWS\system32\ryfspyxg.exe" [03/25/2008 08:31 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [4/14/2008 7:29:52 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"Rfd71llkll"=C:\Documents and Settings\All Users\Application Data\xmnstcps\vgvipgjg.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"HGddAHANBd"= {50A091B5-FA0A-3B1F-61E8-F07A71E64BAC} - C:\WINDOWS\System32\glpq.dll [04/16/2007 09:52 AM 32768]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-04-20 21:30:25 ------------

Extra

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ XP 1800+
Percentage of Memory in Use: 32%
Physical Memory (total/avail): 767.48 MiB / 514.78 MiB
Pagefile Memory (total/avail): 1206.16 MiB / 972.05 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1925.5 MiB

A: is Removable (Unformatted)
C: is Fixed (NTFS) - 13.98 GiB total, 1.81 GiB free.
D: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - QUANTUM FIREBALLlct15 15 - 13.99 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 13.98 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: avast! antivirus 4.8.1169 [VPS 080421-0] v4.8.1169 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Lisa Phillips\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_10\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=LISA
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Lisa Phillips
LOGONSERVER=\\LISA
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0801
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_10\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\LISAPH~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\LISAPH~1\LOCALS~1\Temp
USERDOMAIN=LISA
USERNAME=Lisa Phillips
USERPROFILE=C:\Documents and Settings\Lisa Phillips
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Lisa Phillips (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Actiontec Gateway --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9692FD03-6662-4E62-B08C-30DFF51651E1}\setup.exe" -l0x9
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe -q
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Apple Software Update --> MsiExec.exe /I{A260B422-70E1-41E2-957D-F76FA21266D5}
avast! Antivirus --> C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
Google Updater --> "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
iTunes --> MsiExec.exe /I{01B51908-02EF-453B-87A9-815182E8C2F2}
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 8 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150080}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
LimeWire 4.12.6 --> "C:\Program Files\LimeWire\uninstall.exe"
MathPlayer --> C:\Program Files\Design Science\MathPlayer\Setup.exe -u
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Mozilla Firefox (2.0) --> C:\Program Files\Mozilla Firefox\uninstall\uninst.exe
MSN --> C:\Program Files\MSN\MsnInstaller\msniadm.exe /Action:ARP
MSN Messenger 7.0 --> MsiExec.exe /I{ABEB838C-A1A7-4C5D-B7E1-8B4314600816}
Nero 6 Ultra Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NVIDIA Drivers --> C:\WINDOWS\system32\nvuaudio.exe UninstallGUI
NVIDIA nForce Utilities --> C:\WINDOWS\system32\rundll32.exe setupapi,InstallHinfSection Remove_SSUtilsNT 132 C:\WINDOWS\INF\nvautlml.inf
NVIDIA Windows 2000/XP nForce Drivers --> rundll32.exe C:\WINDOWS\system32\NVNFINST.DLL,NvUninstallCrush
QuickConnect --> C:\Program Files\InstallShield Installation Information\{4998FF95-709A-430A-B104-92A009ABB848}\setup.exe -runfromtemp -l0x0009 -removeonly
QuickTime --> MsiExec.exe /I{5E863175-E85D-44A6-8968-82507D34AE7F}


-- Application Event Log -------------------------------------------------------

Event Record #/Type2015 / Error
Event Submitted/Written: 04/13/2008 04:43:01 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16574, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type2014 / Error
Event Submitted/Written: 04/13/2008 04:40:45 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16574, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type2013 / Error
Event Submitted/Written: 04/13/2008 04:40:45 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16574, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type2012 / Error
Event Submitted/Written: 04/13/2008 04:40:40 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16574, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type2011 / Error
Event Submitted/Written: 04/13/2008 04:40:40 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16574, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type876 / Warning
Event Submitted/Written: 04/20/2008 09:04:46 PM
Event ID/Source: 1007 / Dhcp
Event Description:
Your computer has automatically configured the IP address for the Network
Card with network address 0810170402A9. The IP address being used is 169.254.177.33.

Event Record #/Type875 / Warning
Event Submitted/Written: 04/20/2008 09:04:37 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0810170402A9. The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type680 / Error
Event Submitted/Written: 04/20/2008 10:14:20 AM
Event ID/Source: 16 / Windows Update Agent
Event Description:
Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

Event Record #/Type679 / Warning
Event Submitted/Written: 04/20/2008 08:08:32 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type644 / Error
Event Submitted/Written: 04/18/2008 10:14:19 AM
Event ID/Source: 16 / Windows Update Agent
Event Description:
Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.



-- End of Deckard's System Scanner: finished at 2008-04-20 21:30:25 ------------
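
The Application and System Event Log sections above are the part of a Deckard's System Scanner report a helper reads for collateral symptoms (a browser that keeps hanging, Automatic Updates that cannot reach its service). The Python below is an added example, not part of the original post or of Deckard's tool: it parses event records in exactly the "Event Record #/Type ... / Event Submitted/Written / Event ID/Source / Event Description" layout shown, tallies them per (log, source, event id) and flags a small watch list of source/id pairs, reporting how many times each fired and over what time span. SAMPLE_LOG is a constructed, shortened copy of the posted sections; the WATCHLIST contents are this example's own assumption.

```python
# Added triage helper for the Event Log sections of a Deckard's System Scanner report.
# Not part of the posted log or of Deckard's tool. SAMPLE_LOG is a constructed, shortened
# copy of the sections posted above; WATCHLIST (which source/id pairs get called out) is an assumption.
import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime

SAMPLE_LOG = """\
-- Application Event Log -------------------------------------------------------

Event Record #/Type2015 / Error
Event Submitted/Written: 04/13/2008 04:43:01 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16574, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type2014 / Error
Event Submitted/Written: 04/13/2008 04:40:45 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16574, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

-- System Event Log ------------------------------------------------------------

Event Record #/Type680 / Error
Event Submitted/Written: 04/20/2008 10:14:20 AM
Event ID/Source: 16 / Windows Update Agent
Event Description:
Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

Event Record #/Type644 / Error
Event Submitted/Written: 04/18/2008 10:14:19 AM
Event ID/Source: 16 / Windows Update Agent
Event Description:
Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

-- End of Deckard's System Scanner: finished at 2008-04-20 21:30:25 ------------
"""

SECTION_RE = re.compile(r"^-- (.+?) Event Log -+$")
RECORD_RE = re.compile(r"^Event Record #/Type(\d+) / (\w+)$")
WHEN_RE = re.compile(r"^Event Submitted/Written: (.+)$")
IDSRC_RE = re.compile(r"^Event ID/Source: (\d+) / (.+)$")
WATCHLIST = {  # assumption: what a helper reading this log wants flagged
    ("Windows Update Agent", 16): "automatic updates cannot reach the update service",
    ("Application Hang", 1002): "repeated application hangs",
}

@dataclass
class Event:
    log: str                      # "Application", "Security" or "System"
    record: int
    level: str                    # Error / Warning
    when: datetime = datetime.min
    event_id: int = 0
    source: str = ""
    description: list = field(default_factory=list)

def parse_events(text):
    """Turn the Deckard event sections into Event objects, one per record."""
    events, section, cur, in_desc = [], "", None, False
    for line in text.splitlines():
        line = line.rstrip()
        if m := SECTION_RE.match(line):
            section, cur, in_desc = m.group(1), None, False
        elif m := RECORD_RE.match(line):
            cur = Event(section, int(m.group(1)), m.group(2))
            events.append(cur)
        elif cur is None:         # text between records (footer, "No Errors/Warnings found.")
            continue
        elif in_desc:
            if line:              # a description runs until the first blank line
                cur.description.append(line)
            else:
                cur, in_desc = None, False
        elif m := WHEN_RE.match(line):
            cur.when = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
        elif m := IDSRC_RE.match(line):
            cur.event_id, cur.source = int(m.group(1)), m.group(2)
        elif line == "Event Description:":
            in_desc = True
    return events

def triage(events):
    """Watch-list findings as 'log: source id xN over <time span> - note'."""
    counts = Counter((e.log, e.source, e.event_id) for e in events)
    findings = []
    for (log, source, eid), n in sorted(counts.items()):
        if note := WATCHLIST.get((source, eid)):
            times = [e.when for e in events if (e.log, e.source, e.event_id) == (log, source, eid)]
            findings.append(f"{log}: {source} {eid} x{n} over {max(times) - min(times)} - {note}")
    return findings

def hung_apps(events):
    """Executables named by Application Hang (1002) records, with counts."""
    apps = Counter()
    for e in events:
        if e.event_id == 1002 and (m := re.match(r"Hanging application (\S+),", " ".join(e.description))):
            apps[m.group(1)] += 1
    return apps
```

Run against the posted sections, `triage` reports two iexplore.exe hangs within about two minutes and two Windows Update Agent 16 errors two days apart; `hung_apps` names the executable. Event 16 only says the update service could not be reached, so treat it as a prompt to check connectivity from that machine, not as a verdict on its own.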


#2 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 26 April 2008 - 12:40 PM

Hello Greg Williams,

Welcome back to Bleeping Computer :thumbsup:


This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

***If it gives you problems running, then go offline and disable your Avast! and try to run it.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 Greg Williams
  • Topic Starter
  • Members
  • 16 posts

Posted 28 April 2008 - 11:34 AM

I did not receive a reply for 4 days, so I just reinstalled the operating system and started from scratch. Thank you for your help though.

#4 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 28 April 2008 - 12:50 PM

Thank you so much for letting me know. :thumbsup:

Regards,
tea

#5 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 08 May 2008 - 12:34 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



