Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Slow Computer With Adware Popups


  • This topic is locked This topic is locked
8 replies to this topic

#1 wazza08

wazza08

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:09 PM

Posted 28 May 2008 - 10:18 AM

I keep getting the CiD adwarepoups as well as there being several internet explorer processes when I am not even using IE. I have run NoLop but the popups keep appearing. Here are the logs. Thanks in advance.

Deckard's System Scanner v20071014.68
Run by Owner on 2008-05-28 15:59:41
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 3 Restore Point(s) --
3: 2008-05-28 14:59:58 UTC - RP3 - Deckard's System Scanner Restore Point
2: 2008-05-28 11:13:06 UTC - RP2 - ComboFix created restore point
1: 2008-05-28 11:12:01 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 224 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:01:13, on 28/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\SM1BG.EXE
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Lexmark\Lexmark Photo Center\MemoryCardManager.exe
C:\PROGRA~1\Lexmark\PHOTOC~1\LXBLKsk.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.pcservicecall.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [Reminder] C:\Windows\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Part browse safe hold] C:\Documents and Settings\All Users\Application Data\Audio 4 part browse\Settings send.exe
O4 - HKLM\..\Run: [MemoryCardManager] C:\Program Files\Lexmark\Lexmark Photo Center\MemoryCardManager.exe -startup
O4 - HKLM\..\Run: [LXBLKsk] C:\PROGRA~1\Lexmark\PHOTOC~1\LXBLKsk.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKCU\..\Run: [Regs Soft] C:\DOCUME~1\Owner\APPLIC~1\PLATFO~1\Purehtm.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.pcservicecall.co.uk
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: ,avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6388 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >
R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>

S3 catchme - c:\combofix\catchme.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-28 15:11:11 254 --a------ C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job


-- Files created between 2008-04-28 and 2008-05-28 -----------------------------

2008-05-28 15:54:37 106 --a------ C:\delete.bat
2008-05-28 15:39:15 0 d-------- C:\Program Files\Trend Micro
2008-05-28 15:27:38 0 d-------- C:\NoLopBackups
2008-05-28 12:11:36 68096 --a------ C:\WINDOWS\zip.exe
2008-05-28 12:11:36 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-28 12:11:36 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-28 12:11:36 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-28 12:11:36 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-28 12:11:36 98816 --a------ C:\WINDOWS\sed.exe
2008-05-28 12:11:36 80412 --a------ C:\WINDOWS\grep.exe
2008-05-28 12:11:36 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-28 10:53:11 0 d-------- C:\Documents and Settings\Owner\Application Data\SiteAdvisor
2008-05-28 10:53:11 0 d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-05-28 10:53:11 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-19 13:35:09 0 d-------- C:\Documents and Settings\Owner\Application Data\Sony Ericsson
2008-05-19 13:33:17 0 d-------- C:\Documents and Settings\Owner\Application Data\Teleca
2008-05-19 13:17:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2008-05-19 13:17:35 0 d-------- C:\Program Files\Common Files\Teleca Shared
2008-05-19 13:17:32 0 d-------- C:\Program Files\Sony Ericsson
2008-05-19 13:17:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Teleca
2008-05-19 13:10:48 0 d-------- C:\WINDOWS\Downloaded Installations
2008-05-15 12:08:51 0 d--h----- C:\$AVG8.VAULT$
2008-05-15 11:58:43 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-15 00:40:57 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-14 11:14:02 0 d-------- C:\WINDOWS\pss
2008-05-12 14:05:36 0 d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-05-10 17:03:00 0 d-------- C:\Documents and Settings\Owner\Application Data\Help
2008-05-08 21:56:54 155648 --a------ C:\WINDOWS\system32\flashshl.dll
2008-05-08 21:56:53 208896 --a------ C:\WINDOWS\system32\smshell.dll <Not Verified; OnSpec Electronic Inc.,; Digital Media Format Shell Extension>
2008-05-08 21:56:53 274432 --a------ C:\WINDOWS\system32\lxblf2k.dll <Not Verified; OnSpec Electronic, Inc.; Digital Media Format DLL>
2008-05-08 21:56:49 21504 --a------ C:\WINDOWS\LXBLSET.EXE
2008-05-08 21:56:49 4608 --a------ C:\WINDOWS\DelShell.exe
2008-05-08 21:56:49 0 d-------- C:\Program Files\Lexmark
2008-05-08 21:53:14 0 d-------- C:\Program Files\Lexmark Z700-P700 Series
2008-05-08 21:53:03 299520 --a------ C:\WINDOWS\uninst.exe <Not Verified; InstallShield Corporation, Inc.; InstallShield unInstaller>
2008-05-07 11:51:05 0 d-------- C:\Program Files\Lavasoft
2008-05-07 11:51:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-07 11:50:29 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-07 11:40:47 0 d-------- C:\Documents and Settings\Owner\Application Data\AVGTOOLBAR
2008-05-07 11:40:01 0 d-------- C:\Program Files\AVG
2008-05-06 23:58:56 0 d-------- C:\Program Files\MSXML 4.0
2008-05-06 19:58:58 1160 --a------ C:\WINDOWS\mozver.dat
2008-05-06 16:57:31 0 d-------- C:\Documents and Settings\Owner\Application Data\Template
2008-05-06 16:57:29 996 --a------ C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-05-06 16:13:07 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-06 16:12:50 0 d-------- C:\Documents and Settings\Owner\Application Data\Mozilla
2008-05-06 16:05:43 11073568 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-06 14:14:13 0 d-------- C:\Program Files\ZoneAlarmSB
2008-05-06 14:04:22 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-05-06 14:04:09 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-05-06 14:03:40 11264 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
2008-05-06 14:01:51 0 d-------- C:\WINDOWS\system32\ZoneLabs
2008-05-06 13:58:08 0 d-------- C:\WINDOWS\Internet Logs
2008-05-06 13:32:44 0 d-------- C:\WINDOWS\system32\PreInstall
2008-05-06 12:35:58 0 d-------- C:\Documents and Settings\Owner\Contacts
2008-05-06 12:29:35 0 d-------- C:\Program Files\Windows Live Toolbar
2008-05-06 12:29:27 0 d-------- C:\Program Files\Windows Live Favorites
2008-05-06 12:28:12 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-05-06 12:04:08 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-06 12:03:14 0 d-------- C:\Program Files\Windows Live
2008-05-06 12:03:02 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-05-06 12:02:22 0 d---s---- C:\Documents and Settings\Owner\UserData
2008-05-06 12:02:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Audio 4 part browse
2008-05-06 12:01:56 0 d-------- C:\Program Files\platformtool
2008-05-06 12:01:56 0 d-------- C:\Documents and Settings\Owner\Application Data\platformtool
2008-05-06 11:20:05 0 d-------- C:\Documents and Settings\Owner\Application Data\Macromedia
2008-05-06 11:17:41 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-05-02 05:22:36 0 d-------- C:\WINDOWS\I386
2008-05-02 05:11:40 0 dr------- C:\Program Files
2008-05-02 05:11:40 0 dr------- C:\Documents and Settings\Owner\Start Menu
2008-05-02 05:11:40 0 dr-h----- C:\Documents and Settings\Owner\SendTo
2008-05-02 05:11:40 0 dr-h----- C:\Documents and Settings\Owner\Recent
2008-05-02 05:11:40 0 dr------- C:\Documents and Settings\Owner\My Documents
2008-05-02 05:11:40 0 dr------- C:\Documents and Settings\Owner\Favorites
2008-05-02 05:11:39 0 dr-h----- C:\Documents and Settings\Owner\Application Data
2008-05-02 05:11:39 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-05-02 05:11:39 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-05-02 05:11:39 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-05-02 05:11:39 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-05-02 05:11:38 0 dr------- C:\Documents and Settings\All Users\Start Menu
2008-05-02 05:11:37 0 dr------- C:\Documents and Settings\All Users\Documents
2008-05-02 05:11:37 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-05-02 05:10:56 0 dr------- C:\WINDOWS\Offline Web Pages
2008-05-02 05:10:05 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2008-05-02 05:09:49 0 --a------ C:\SMINST
2008-05-01 21:26:19 0 d--hs---- C:\System Volume Information


-- Find3M Report ---------------------------------------------------------------

2008-05-19 13:17:35 0 d-------- C:\Program Files\Common Files
2008-05-12 14:13:37 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-05-08 21:58:22 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-02 05:25:00 60 --a------ C:\WINDOWS\system32\SYSDRV.DAT


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
15/05/2008 11:58 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
06/05/2008 14:14 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [15/05/2008 11:58 2050816]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [06/05/2008 14:14 262144]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [15/05/2008 11:56]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [02/04/2008 21:07]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [01/08/2005 14:53]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [01/08/2005 14:53]
"SoundMan"="SOUNDMAN.EXE" [01/08/2005 14:55 C:\WINDOWS\SOUNDMAN.EXE]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [28/08/2003 05:20]
"SiSPower"="SiSPower.dll" [01/08/2005 14:52 C:\WINDOWS\system32\SiSPower.dll]
"SiS Windows KeyHook"="C:\WINDOWS\system32\keyhook.exe" [22/04/2005 22:44]
"Reminder"="C:\Windows\Creator\Remind_XP.exe" [28/08/2004 01:50]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [14/09/2002 05:42]
"Part browse safe hold"="C:\Documents and Settings\All Users\Application Data\Audio 4 part browse\Settings send.exe" [28/05/2008 15:06]
"MemoryCardManager"="C:\Program Files\Lexmark\Lexmark Photo Center\MemoryCardManager.exe" [28/04/2003 17:29]
"LXBLKsk"="C:\PROGRA~1\Lexmark\PHOTOC~1\LXBLKsk.exe" [26/03/2003 10:10]
"AGRSMMSG"="AGRSMMSG.exe" [01/08/2005 14:55 C:\WINDOWS\AGRSMMSG.exe]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [26/10/2005 17:17]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Regs Soft"="C:\DOCUME~1\Owner\APPLIC~1\PLATFO~1\Purehtm.exe" [06/05/2008 12:01]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [14/12/2004 19:44:06]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [07/09/2005 01:04:23]
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [07/09/2005 00:58:42]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=,avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"



[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ace9dc1-dec9-11d9-821f-806d6172696f}]
AutoRun\command- E:\Launch.exe




-- End of Deckard's System Scanner: finished at 2008-05-28 16:08:26 ------------

Attached Files



BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:02:09 PM

Posted 29 May 2008 - 07:52 AM

Hi,

Please uninstall ZoneAlarm Spy Blocker via software > add / remove programs since this one is not recommended.

Then,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O4 - HKLM\..\Run: [Part browse safe hold] C:\Documents and Settings\All Users\Application Data\Audio 4 part browse\Settings send.exe
O4 - HKCU\..\Run: [Regs Soft] C:\DOCUME~1\Owner\APPLIC~1\PLATFO~1\Purehtm.exe


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Please hide your hidden files and folders afterwards again, when we are done with this thread and your problems are solved, because above instructions to set your system to show all files, unhide legit files and folders as well.
And I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.


Navigate to and delete the following folders:

C:\Documents and Settings\All Users\Application Data\Audio 4 part browse
C:\Program Files\platformtool
C:\Documents and Settings\Owner\Application Data\platformtool

If you're having problems with deleting them, delete them from Windows Safe mode.
°To get into the Windows Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times.
Choose Safe Mode from the menu that will appear and press Enter.

Reboot and post a new HijackThislog in your next reply
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:02:09 PM

Posted 09 June 2008 - 07:17 AM

Due to the lack of feedback, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:02:09 PM

Posted 29 June 2008 - 01:14 PM

Reopened. Please perform the steps I asked.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 wazza08

wazza08
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:09 PM

Posted 29 June 2008 - 02:38 PM

Here is the log. Thanks for the help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:36:22, on 29/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\SM1BG.EXE
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Lexmark\Lexmark Photo Center\MemoryCardManager.exe
C:\PROGRA~1\Lexmark\PHOTOC~1\LXBLKsk.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [Reminder] C:\Windows\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [MemoryCardManager] C:\Program Files\Lexmark\Lexmark Photo Center\MemoryCardManager.exe -startup
O4 - HKLM\..\Run: [LXBLKsk] C:\PROGRA~1\Lexmark\PHOTOC~1\LXBLKsk.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.pcservicecall.co.uk
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: ,avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6227 bytes

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:02:09 PM

Posted 30 June 2008 - 12:07 AM

Hi,

This looks OK again.

Popups gone now?
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 wazza08

wazza08
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:09 PM

Posted 30 June 2008 - 10:01 AM

yeh looks like it. thanks for your help. appreciate it. :thumbsup:

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:02:09 PM

Posted 30 June 2008 - 10:08 AM

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:02:09 PM

Posted 04 July 2008 - 07:29 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users