Ie Explorer Popups While Using Firefox


  • This topic is locked
13 replies to this topic

#1 jhomrighaus

  • Members
  • 7 posts

Posted 02 June 2008 - 07:07 PM

Hi,

Kind of at my wit's end with this one. Spy Sweeper finds nothing, killing processes does nothing, yet I'm still getting very irritating popups whenever browsing with Firefox. The popups are ALWAYS Internet Explorer, which I never use. Your help is appreciated. Here is the log file; I can run the other if needed.

Thanks, Jason


Deckard's System Scanner v20071014.68
Run by user on 2008-06-02 20:12:49
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as user.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:15:35 PM, on 6/2/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hidserv.exe
C:\WINDOWS\system32\ni_nic.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\New Folder\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\user.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] "mobsync.exe" /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [{82-28-84-45-DW}] C:\WINDOWS\system32\pinz1\cegmgr76.exe DWram
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Microsoft Windows Adapter 5.1.3214] C:\Documents and Settings\user\Application Data\pislu.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Launch Microsoft Outlook.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\Monitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1125440393453
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidctl_vsp..._downloader.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel Client Instrumentation for DMI and SNMP (ni_nic) - Intel® Corporation - C:\WINDOWS\system32\ni_nic.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/user/LOCALS~1/Temp/msoclip1/01/clip_image002.gif

--
End of file - 5011 bytes

-- File Associations -----------------------------------------------------------

.bat - batfile - DefaultIcon - C:\WINDOWS\system32\SHELL32.DLL,-153
.com - comfile - DefaultIcon - C:\WINDOWS\system32\SHELL32.DLL,2
.hlp - hlpfile - DefaultIcon - C:\WINDOWS\system32\migicons.exe,1
.ini - inifile - DefaultIcon - shell32.dll,-151
.js - JSFile - DefaultIcon - C:\WINDOWS\system32\WScript.exe,3
.js - JSFile - shell\open\command - C:\WINDOWS\system32\WScript.exe "%1" %*
.reg - regfile - DefaultIcon - C:\WINDOWS\system32\migicons.exe,16
.txt - txtfile - DefaultIcon - shell32.dll,-152
.vbs - VBSFile - DefaultIcon - C:\WINDOWS\system32\WScript.exe,2
.vbs - VBSFile - shell\open\command - C:\WINDOWS\system32\WScript.exe "%1" %*
.vbs - VBSFile - shell\edit\command - C:\WINDOWS\system32\Notepad.exe %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 mff - c:\windows\system32\drivers\mff.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 ni_nic (Intel Client Instrumentation for DMI and SNMP) - c:\windows\system32\ni_nic.exe <Not Verified; Intel® Corporation; Intel® DMI 2.0 Instrumenation loader for Windows NT>
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-07 23:00:00 502 --a------ C:\WINDOWS\Tasks\Tune-up Application Start.job


-- Files created between 2008-05-02 and 2008-06-02 -----------------------------

2008-06-02 19:16:49 0 d-------- C:\Program Files\Trend Micro
2008-06-01 22:28:57 0 --ahs---- C:\Documents and Settings\user\Application Data\0048435a82e59262258089556d1e4ad8dfa28a04f9.dat
2008-06-01 22:26:51 0 d-------- C:\Documents and Settings\user\Application Data\Zinaps7
2008-05-31 16:52:30 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-05-31 16:52:10 0 d-------- C:\Program Files\Security Task Manager
2008-05-28 20:07:49 0 d-------- C:\WINDOWS\winsxs


-- Find3M Report ---------------------------------------------------------------

2008-06-01 22:32:20 33 --a------ C:\Documents and Settings\user\Application Data\install.ini
2008-05-31 20:53:40 0 d-------- C:\Program Files\Java
2008-05-31 18:05:51 0 d-------- C:\Program Files\Google
2008-05-31 17:10:53 0 d-------- C:\Program Files\mqtbar2
2008-05-31 17:10:05 0 d-------- C:\Program Files\Common Files\DataViz
2008-05-31 16:57:46 0 d-------- C:\Program Files\Pocket TV Browser
2008-05-31 14:04:15 0 dra------ C:\Program Files\Common Files
2008-05-28 20:05:43 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-28 19:54:19 0 d-------- C:\Documents and Settings\user\Application Data\AdobeUM
2008-05-01 20:24:03 164 --a------ C:\install.dat
2008-04-29 18:24:35 16384 --a-----t C:\WINDOWS\system32\Perflib_Perfdata_5160.dat
2008-04-15 23:07:44 0 d-------- C:\Program Files\Lavasoft
2008-04-15 22:47:07 0 d-------- C:\Program Files\Webroot
2008-04-15 22:47:07 0 d-------- C:\Documents and Settings\user\Application Data\Webroot
2008-04-15 21:23:15 1285998 ---h----- C:\WINDOWS\ShellIconCache
2008-04-13 12:43:27 0 d-------- C:\Program Files\LimeWire
2008-04-04 20:29:36 0 d-------- C:\Program Files\Starcraft


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [07/14/03 08:00a C:\WINDOWS\SYSTEM32\mobsync.exe]
"AtiPTA"="atiptaxx.exe" [09/27/01 04:39a C:\WINDOWS\SYSTEM32\atiptaxx.exe]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [12/11/01 08:33p]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/08 04:25a]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [08/02/06 10:09p]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [06/14/06 04:24p]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [08/06/06 07:45p]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [08/16/07 03:10a]
"{82-28-84-45-DW}"="C:\WINDOWS\system32\pinz1\cegmgr76.exe" []
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [01/04/08 08:56p]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" []
"DW4"="" []
"Aim6"="" []
"Microsoft Windows Adapter 5.1.3214"="C:\Documents and Settings\user\Application Data\pislu.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [4/23/2008 3:38:16 AM]
HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [6/9/2004 5:16:08 PM]
Launch Microsoft Outlook.lnk - C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE [12/16/1998 5:09:20 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1/21/2000 4:15:54 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"




-- End of Deckard's System Scanner: finished at 2008-06-02 20:16:13 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows 2000 Professional (build 2195) SP 4.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 1.80GHz
Percentage of Memory in Use: 30%
Physical Memory (total/avail): 511.48 MiB / 353.36 MiB
Pagefile Memory (total/avail): 863.48 MiB / 712.2 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1955.93 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 19 GiB total, 4 GiB free.
D: is CDROM (No Media)
E: is Fixed (NTFS) - 232.88 GiB total, 81.79 GiB free.

\\.\PHYSICALDRIVE0 - ST320011A - 19 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 19 GiB - C:

\\.\PHYSICALDRIVE1 - ST325082 0A USB Device - 232.88 GiB - 1 partition
\PARTITION0 - Installable File System - 232.88 GiB - E:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\user\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=JASON
ComSpec=C:\WINDOWS\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\user
LOGONSERVER=\\JASON
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Os2LibPath=C:\WINDOWS\system32\os2\dll;
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;"C:\Program Files\Symantec\Norton Ghost 2003\";C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 1 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0102
ProgramFiles=C:\Program Files
PROMPT=$p$g
QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\user\LOCALS~1\Temp
TMP=C:\DOCUME~1\user\LOCALS~1\Temp
USERDOMAIN=JASON
USERNAME=user
USERPROFILE=C:\Documents and Settings\user
winbootdir=C:\WINDOWS
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

user (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /UNINSTALL /PROMPT
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
ACDSee 5.0 PowerPack --> MsiExec.exe /I{5058B085-AA79-41E5-A726-681B4C4B846E}
ACDSee 5.0 Standard Trial --> MsiExec.exe /I{A4C7096C-DB17-4B31-BBDB-E805513AA637}
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop Album 2.0 Starter Edition --> MsiExec.exe /I{11B569C2-4BF6-4ED0-9D17-A4273943CB24}
Adobe Reader 7.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A71000000002}
Adobe Reader for Palm OS, 3.05 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Adobe\Adobe Reader for Palm OS\AcroDesk.isu" -c"C:\Program Files\Adobe\Adobe Reader for Palm OS\unpdf.dll"
AIM 6 --> C:\Program Files\AIM6\uninst.exe
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Blender (remove only) --> "C:\Program Files\Blender Foundation\Blender\uninstall.exe"
Canon Camera Support Core Library --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{A1D0D14A-B776-4907-BC00-5149F2298086} /l1033
Canon Camera TWAIN Driver 6.6 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{E4E929CE-EF1D-407C-A14B-E1DDEDA8FA0E} /l1033
Canon Camera Window DC_DV 5 for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{A2EB8F2E-6D9B-4F8B-96EB-F976D33F416F}
Canon Camera Window DC_DV 6 for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{50E25180-3BDC-4B6D-80A2-3F1F0C9CF39D}
Canon Camera Window DSLR 5 for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{0A146245-DB79-4197-BF5D-FE1A699A2CC7}
Canon Camera Window MC 6 for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{6C3A75A6-9A90-44A3-A703-82AC1EA6A85D}
Canon MovieEdit Task for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{B147DC1B-49B3-4368-8A01-5AD9992CD58D}
Canon PhotoRecord --> MsiExec.exe /X{BBBC2B89-E193-4348-A83C-C8DD8210A4AC}
Canon RAW Image Task for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BAA43DA2-B6C5-46EC-B163-0E8EEAF975A4}
Canon Utilities PhotoStitch 3.1 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{874E44F3-B9A7-4AA1-B4BA-83E5684ED9C6}
Canon ZoomBrowser EX (E) --> MsiExec.exe /X{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}
CopyPod Suite (remove only) --> "C:\Program Files\WindSolutions\CopyPod Suite\uninstall.exe"
Desktop Weather by The Weather Channel --> C:\Program Files\The Weather Channel FW\Desktop Weather\TheWeatherChannelCustomUninstall.exe
DirectX 9 Hotfix - KB839643 --> C:\WINDOWS\$NtUninstallKB839643-DirectX9$\spuninst\spuninst.exe
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Documents To Go --> MsiExec.exe /X{D6FFC3B5-0CE1-4566-801D-3F9D8F000652}
DTCLookup --> C:\PROGRA~1\DTCLOO~1\UNWISE.EXE C:\PROGRA~1\DTCLOO~1\INSTALL.LOG
Express Scribe Uninstall --> C:\Program Files\NCH Swift Sound\Scribe\uninst.exe
Google Desktop --> C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Google SketchUp --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E1423608-F529-40A1-93CA-C7F396F30DF0}\setup.exe" -l0x9
Google Toolbar for Firefox --> MsiExec.exe /X{2CCBABCB-6427-4A55-B091-49864623C43F}
Handmark® Pocket Express® for Palm OS® --> C:\WINDOWS\unvise32.exe C:\Program Files\Handmark\Express for Palm OS\uninstal.log
Hi-Speed USB-to-IDE Win98 Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\ENGINE\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{64D88A3F-92E8-4C55-BC7F-2A577323BCF0}\SETUP.EXE" -l0x9
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
hp deskjet 930c series (Remove only) --> C:\Program Files\hp deskjet 930c series\hpfiui.exe -c -vdivid=HPF -vpnum=95 -vinstport=LPT1: -vproduct=930c -huninstall
Intel Client Instrumentation for DMI --> C:\WINDOWS\system32\SNMPINST.EXE Uninstall
Intel Client Instrumentation for DMI and SNMP --> C:\WINDOWS\system32\snmpinst.exe Uninstall
Intel Ultra ATA Storage Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\ENGINE\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9984DF60-1C5B-11D3-ACA1-908A4FC10801}\setup.exe" -INTELUNINST
Intel® PRO Ethernet Adapter and Software --> Prounstl.exe
Internet Explorer Q903235 --> C:\WINDOWS\ieuninst.exe C:\WINDOWS\INF\Q903235.inf
iTunes --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{54C0D94A-F467-4ABC-9D02-6E58748668D4} /l1033
J2SE Runtime Environment 5.0 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150040}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
JumpStart Kindergarten v2.4b --> C:\WINDOWS\uninst.exe -fC:\KA\KG\DeIsL1.isu
JumpStart PreSchool v1.4 --> C:\WINDOWS\IsUninst.exe -fC:\KA\PRSCHOOL\DeIsL3.isu
LimeWire 4.16.6 --> "C:\Program Files\LimeWire\uninstall.exe"
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VCSETUP.EXE /REMOVE
LiveUpdate 1.80 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Macromedia Flash Player 8 --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\swflash.inf,DefaultUninstall,5
Microsoft Money 2006 --> "C:\Program Files\Microsoft Money 2006\MNYCoreFiles\Setup\uninst.exe" /s:120
Microsoft Office 2000 Disc 2 --> MsiExec.exe /I{00040409-78E1-11D2-B60F-006097C998E7}
Microsoft Office 2000 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Mozilla Firefox (2.0.0.14) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
Norton Ghost --> MsiExec.exe /I{6975E810-C92F-45F0-0BFD-187B312F10E8}
palmOne --> MsiExec.exe /X{E434580A-2D4A-4433-A81E-4BCAE86AD148}
palmOne VersaMail™ --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{E3A64050-AB9D-486E-B7AA-6B52F53F4DD8} /l1033
PC Inspector File Recovery --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0DD140D3-9563-481E-AA75-BA457CBDAEF2}\Setup.exe" -l0x9
PocketMirror 3.1.10 (Professional XT Edition) --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Chapura\PocketMirror XT\DeIsL1.isu" -cC:\PROGRA~1\Chapura\POCKET~1\UninXTEx.dll
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{C21D5524-A970-42FA-AC8A-59B8C7CDCA31} /l1033
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
Security Task Manager 1.7f --> C:\Program Files\Security Task Manager\Uninstal.exe "C:\Documents and Settings\All Users\Start Menu\Programs\Security Task Manager"
Security Update for DirectX 9 (KB941568) --> "C:\WINDOWS\$NtUninstallKB941568_DX9$\spuninst\spuninst.exe"
Security Update for Windows 2000 (KB904706) --> "C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
Security Update for Windows 2000 (KB923689) --> "C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows 2000 (KB941569) --> "C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
SoundMAXWDM --> C:\Program Files\Analog Devices\SoundMAX\ADIOUT.BAT
SplashID --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9DBBC53C-AD7B-44ED-91A7-7568B51182F8}\setup.exe" -l0x9
SplashShopper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0681859-D086-4384-B204-386FA7D80A5B}\setup.exe" -l0x9
SpongeBob SquarePants Typing --> C:\WINDOWS\TLCUninstall.exe -f "C:\Program Files\The Learning Company\SpongeBob SquarePants Typing\Uninstall.xml"
Spy Sweeper --> "C:\Program Files\Webroot\Spy Sweeper\unins000.exe"
Starcraft --> C:\WINDOWS\SCunin.exe C:\WINDOWS\SCunin.dat
Ultrasoft Money --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B8F5B5D0-9620-11D3-BA0E-0000861DA578}\Setup.exe" -l0x9
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Weather Services --> C:\WINDOWS\System32\control.exe C:\WINDOWS\System32\wxfw.cpl,4
Windows Genuine Advantage v1.3.0254.0 --> MsiExec.exe /I{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}
Windows Media Player 9 Hotfix [See KB885492 for more information] --> C:\WINDOWS\$NtUninstallKB885492$\spuninst\spuninst.exe
Windows Media Player system update (9 Series) --> C:\PROGRA~1\WINDOW~1\setup_wm.exe /Uninstall
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall


-- Application Event Log -------------------------------------------------------

Event Record #/Type441 / Error
Event Submitted/Written: 05/31/2008 09:39:54 PM
Event ID/Source: 4097 / EventSystem
Event Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 800706B9 from line 42 of .\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

Event Record #/Type437 / Error
Event Submitted/Written: 05/31/2008 06:32:30 PM
Event ID/Source: 1000 / Userenv
Event Description:
Windows cannot unload your registry file. If you have a roaming profile, your settings are not replicated. Contact your administrator.

DETAIL - Access is denied. , Build number ((2195)).

Event Record #/Type435 / Error
Event Submitted/Written: 05/31/2008 02:03:04 PM
Event ID/Source: 1015 / Perflib
Event Description:
The timeout waiting for the performance data collection function "PerfProc"
in the "C:\WINDOWS\system32\perfproc.dll" Library to finish has expired. There may be a problem with
this extensible counter or the service it is collecting data from or the
system may have been very busy when this call was attempted.

Event Record #/Type431 / Error
Event Submitted/Written: 05/28/2008 07:59:29 PM
Event ID/Source: 1015 / Perflib
Event Description:
The timeout waiting for the performance data collection function "PerfProc"
in the "C:\WINDOWS\system32\perfproc.dll" Library to finish has expired. There may be a problem with
this extensible counter or the service it is collecting data from or the
system may have been very busy when this call was attempted.

Event Record #/Type430 / Error
Event Submitted/Written: 05/28/2008 07:58:47 PM
Event ID/Source: 1015 / Perflib
Event Description:
The timeout waiting for the performance data collection function "PerfProc"
in the "C:\WINDOWS\system32\perfproc.dll" Library to finish has expired. There may be a problem with
this extensible counter or the service it is collecting data from or the
system may have been very busy when this call was attempted.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type2582 / Error
Event Submitted/Written: 05/31/2008 09:41:30 PM
Event ID/Source: 20027 / Rasman
Event Description:
Remote Access Connection Manager failed to start because NDISWAN could not
be opened. Restart the computer. The system cannot find the file specified.

Event Record #/Type2581 / Error
Event Submitted/Written: 05/31/2008 09:41:07 PM
Event ID/Source: 5728 / Workstation
Event Description:
Could not load any transport.

Event Record #/Type2576 / Error
Event Submitted/Written: 05/31/2008 09:37:14 PM
Event ID/Source: 4 / E100B
Event Description:
Adapter Intel® PRO/100 VE Network Connection: Adapter Link Down

Event Record #/Type2574 / Error
Event Submitted/Written: 05/31/2008 09:26:40 PM / 05/31/2008 09:27:09 PM
Event ID/Source: 4 / E100B
Event Description:
Adapter Intel® PRO/100 VE Network Connection: Adapter Link Down

Event Record #/Type2569 / Error
Event Submitted/Written: 05/31/2008 09:15:24 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Viewpoint Manager Service service failed to start due to the following error:
%%2



-- End of Deckard's System Scanner: finished at 2008-06-02 20:16:13 ------------

Edited by jhomrighaus, 03 June 2008 - 02:48 PM.
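As an added illustration (not part of this thread, and not code from HijackThis or Deckard's System Scanner), the following Python script parses the O4 Run-key lines of a HijackThis log and flags the autostart entries that a helper would look at first: an executable launched from the user's profile, a freshly created subfolder under system32, a GUID-style value name, or a Microsoft-sounding name pointing outside the Windows and Program Files trees. The sample lines are copied from the log posted above; the heuristic rules and the KNOWN_SYSTEM32_SUBDIRS allowlist are the script's own assumptions, not anything the tools define.

```python
import re
from typing import List, Tuple

# Sample O4 (autostart) lines, copied from the HijackThis log posted in this
# thread. The parser and the heuristics below are an added illustration and
# are not part of HijackThis or Deckard's System Scanner.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [{82-28-84-45-DW}] C:\WINDOWS\system32\pinz1\cegmgr76.exe DWram
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Microsoft Windows Adapter 5.1.3214] C:\Documents and Settings\user\Application Data\pislu.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
"""

# Shape: "O4 - <hive>\..\Run: [<value name>] <command line>"
# (the "O4 - Global Startup:" lines have a different shape and are skipped)
O4_RUN = re.compile(r"^O4 - (?P<hive>HK\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# First token ending in .exe, with or without surrounding quotes
EXE_PATH = re.compile(r'^"?(?P<path>[^"]+?\.exe)"?', re.IGNORECASE)

# Assumed allowlist: system32 subfolders that legitimately hold autostart binaries
KNOWN_SYSTEM32_SUBDIRS = {"spool", "wbem", "drivers", "dllcache"}


def parse_run_entries(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (hive, value name, executable path) for every O4 Run-key line."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue
        p = EXE_PATH.match(m.group("cmd"))
        path = p.group("path") if p else m.group("cmd")
        entries.append((m.group("hive"), m.group("name"), path))
    return entries


def reasons_for(name: str, path: str) -> List[str]:
    """Heuristic indicators that an autostart entry deserves a closer look."""
    reasons = []
    lp = path.lower()
    # 1. Binary runs from the user profile instead of Program Files / Windows
    if "\\documents and settings\\" in lp or "\\application data\\" in lp:
        reasons.append("runs from the user profile")
    # 2. Binary sits in a subfolder of system32 that is not on the allowlist
    sub = re.search(r"\\system32\\([^\\]+)\\", lp)
    if sub and sub.group(1) not in KNOWN_SYSTEM32_SUBDIRS:
        reasons.append(f"unusual system32 subfolder '{sub.group(1)}'")
    # 3. Value name is a made-up GUID-like token rather than a product name
    if name.startswith("{") and name.endswith("}"):
        reasons.append("GUID-style value name")
    # 4. Name claims to be Microsoft but the binary lives elsewhere
    if name.lower().startswith("microsoft") and not (
        lp.startswith("c:\\windows\\") or lp.startswith("c:\\program files\\")
    ):
        reasons.append("Microsoft-sounding name, non-Microsoft location")
    return reasons


def triage(log_text: str) -> List[Tuple[str, str, List[str]]]:
    """Entries with at least one indicator, as (name, path, reasons)."""
    out = []
    for _hive, name, path in parse_run_entries(log_text):
        r = reasons_for(name, path)
        if r:
            out.append((name, path, r))
    return out


if __name__ == "__main__":
    for name, path, r in triage(SAMPLE_LOG):
        print(f"[{name}] {path}\n    " + "; ".join(r))
```

Run against the sample, the script flags exactly the two entries that the DSS registry dump also shows with empty `[]` file information: `{82-28-84-45-DW}` (GUID-style name, new `pinz1` subfolder under system32) and `Microsoft Windows Adapter 5.1.3214` (launched from Application Data under a Microsoft-sounding name). Entries such as `AtiPTA`, which give only a bare filename, are not flagged by these rules; the DSS dump resolves those to their on-disk location, which is the next thing to check.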



#2 Grinler

    Lawrence Abrams

  • Admin
  • 43,542 posts

Posted 03 June 2008 - 01:55 PM

Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

#3 jhomrighaus

  • Topic Starter
  • Members
  • 7 posts

Posted 03 June 2008 - 03:01 PM

Thanks for your help and for your attention to the other issue. I realize I misspelled the name of the product, which probably didn't help anything. I didn't intend to come off as strong as I did; it was late, I was tired and I have been warring with my computer for 4 days now, and it just tweaked my buttons a little and I snapped back, perhaps a little prematurely and stronger than was needed. I understand having some fun, so I hope no one gets in trouble for what happened.

As to your reply, I will execute these instructions as soon as I get home this evening (about 7:30 pm) and post the results as soon as I have them. Thank you so very much for your help. I've never had an issue like this that I couldn't figure out through normal means, and it has been very worrisome for me (I was afraid I was losing my mind).

#4 Grinler

    Lawrence Abrams

  • Admin
  • 43,542 posts

Posted 03 June 2008 - 04:07 PM

Understood, and no one is getting in trouble. The purpose of the word replacement was to make the spammers so irritated that they stopped spamming certain words. Unfortunately, our slap back at the spammers didn't work in this case as planned.

As for the problem, I know the infection well. We will get rid of it fairly easily.

#5 jhomrighaus

  • Topic Starter
  • Members
  • 7 posts

Posted 03 June 2008 - 07:30 PM

I had several more popups while drafting this response, FWIW. Malwarebytes asked for a restart and it was done immediately. After the restart, Outlook started automatically (normal). I opened Firefox to post this and had 3 popup windows; Spysweeper quarantined an attempted install at this point as well.

Here is the Spysweeper log if it is of any value.

8:18 PM: File System Shield: found: Virus: Troj/Tued-A, version
8:17 PM: Your virus definitions have been updated.
8:17 PM: Informational: Loaded AntiVirus Engine: 2.74.1; SDK Version: 4.30E; Virus Definitions: 6/3/2008 3:35:48 PM (GMT)
8:16 PM: IE Tracking Cookies Shield: Removed zedo cookie
8:16 PM: IE Tracking Cookies Shield: Removed zedo cookie
8:16 PM: Your spyware definitions have been updated.
8:16 PM: IE Tracking Cookies Shield: Removed zedo cookie
8:16 PM: IE Tracking Cookies Shield: Removed zedo cookie
8:15 PM: Firefox Tracking Cookies Shield: Removed mediaplex cookie
8:14 PM: Automated check for program update in progress.
Keylogger: Off
E-mail Attachment: On
8:14 PM: Firefox Tracking Cookies Shield: Removed mediaplex cookie
8:14 PM: Informational: ShieldEmail: Start monitoring port 25 for mail activities
8:14 PM: Informational: ShieldEmail: Start monitoring port 110 for mail activities
BHO Shield: On
IE Security Shield: On
8:14 PM: IE Tracking Cookies Shield: Removed zedo cookie
Alternate Data Stream (ADS) Execution Shield: On
8:14 PM: IE Tracking Cookies Shield: Removed tribalfusion cookie
Startup Shield: On
8:14 PM: IE Tracking Cookies Shield: Removed adbureau cookie
8:14 PM: IE Tracking Cookies Shield: Removed trafficmp cookie
8:14 PM: IE Tracking Cookies Shield: Removed statcounter cookie
8:14 PM: IE Tracking Cookies Shield: Removed dealtime cookie
Common Ad Sites: On
8:14 PM: IE Tracking Cookies Shield: Removed specificclick.com cookie
8:14 PM: IE Tracking Cookies Shield: Removed serving-sys cookie
8:14 PM: IE Tracking Cookies Shield: Removed search123 cookie
8:14 PM: IE Tracking Cookies Shield: Removed realmedia cookie
8:14 PM: IE Tracking Cookies Shield: Removed questionmarket cookie
8:14 PM: IE Tracking Cookies Shield: Removed overture cookie
8:14 PM: IE Tracking Cookies Shield: Removed mygeek cookie
8:14 PM: IE Tracking Cookies Shield: Removed mediaplex cookie
8:14 PM: IE Tracking Cookies Shield: Removed findwhat cookie
8:14 PM: IE Tracking Cookies Shield: Removed enhance cookie
8:14 PM: IE Tracking Cookies Shield: Removed directtrack cookie
8:14 PM: IE Tracking Cookies Shield: Removed dealtime cookie
Hosts File Shield: On
8:14 PM: IE Tracking Cookies Shield: Removed casalemedia cookie
8:14 PM: IE Tracking Cookies Shield: Removed bs.serving-sys cookie
Internet Communication Shield: On
8:14 PM: IE Tracking Cookies Shield: Removed bravenet cookie
8:14 PM: IE Tracking Cookies Shield: Removed atlas dmt cookie
8:14 PM: IE Tracking Cookies Shield: Removed directtrack cookie
8:14 PM: IE Tracking Cookies Shield: Removed advertising cookie
8:14 PM: IE Tracking Cookies Shield: Removed advertising cookie
8:14 PM: IE Tracking Cookies Shield: Removed adserver cookie
8:14 PM: IE Tracking Cookies Shield: Removed pointroll cookie
8:14 PM: IE Tracking Cookies Shield: Removed specificclick.com cookie
8:14 PM: IE Tracking Cookies Shield: Removed yieldmanager cookie
8:14 PM: IE Tracking Cookies Shield: Removed 2o7.net cookie
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
File System Shield: On
Execution Shield: On
System Services Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: On
8:14 PM: Shield States
8:14 PM: License Check Status (0): Success
8:14 PM: Spyware Definitions: 1217
8:14 PM: Informational: Loaded AntiVirus Engine: 2.73.0; SDK Version: 4.29E; Virus Definitions: 6/2/2008 6:58:50 PM (GMT)
8:12 PM: Spy Sweeper 5.5.7.124 started
8:12 PM: Spy Sweeper 5.5.7.124 started
8:12 PM: | Start of Session, Tuesday, June 03, 2008 |
Malwarebytes' Anti-Malware 1.14
Database version: 818

8:09:41 PM 6/3/2008
mbam-log-6-3-2008 (20-09-41).txt

Scan type: Quick Scan
Objects scanned: 40665
Time elapsed: 8 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{c95fe080-8f5d-11d2-a20b-00aa003c157a} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Adapter 5.1.3214 (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\user\Application Data\Zinaps7 (Rogue.Zinaps) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Start Menu\Programs\Zinaps7 (Rogue.Zinaps) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\user\Application Data\Zinaps7\settings.ini (Rogue.Zinaps) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Start Menu\Programs\Zinaps7\Uninstall Zinaps Anti-Spyware 7.0.lnk (Rogue.Zinaps) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Start Menu\Programs\Zinaps7\Zinaps Anti-Spyware 7.0.lnk (Rogue.Zinaps) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk (Malware.Trace) -> Delete on reboot.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:19:26 PM, on 6/3/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hidserv.exe
C:\WINDOWS\system32\ni_nic.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atiptaxx.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] "mobsync.exe" /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [{82-28-84-45-DW}] C:\WINDOWS\system32\pinz1\cegmgr76.exe DWram
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Launch Microsoft Outlook.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\Monitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1125440393453
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidctl_vsp..._downloader.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel Client Instrumentation for DMI and SNMP (ni_nic) - Intel® Corporation - C:\WINDOWS\system32\ni_nic.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/user/LOCALS~1/Temp/msoclip1/01/clip_image002.gif

--
End of file - 5189 bytes

#6 Grinler (Lawrence Abrams) - Admin

Posted 03 June 2008 - 10:15 PM

Please visit the following link and use the instructions there to post a ComboFix log as a reply to this topic:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

When following the instructions please install the Windows XP Recovery Console if you are using XP.

After running ComboFix, please post the ComboFix log as well as a brand new HijackThis as a reply to this topic.

#7 jhomrighaus - Topic Starter

Posted 03 June 2008 - 11:45 PM

ComboFix 08-06-03.1 - user 06/04/2008 0:25:11.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.350 [GMT -4:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\start.exe
C:\WINDOWS\system32\config\SAM.SAV
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\mff.sys
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\Web\default.htt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MFF
-------\Service_mff


((((((((((((((((((((((((( Files Created from 2008-05-04 to 2008-06-04 )))))))))))))))))))))))))))))))
.

2008-06-03 20:17 . 08-06-03 20:17 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-03 20:17 . 08-06-03 20:17 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-03 19:36 . 08-06-03 19:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-03 19:36 . 08-06-03 19:36 <DIR> d-------- C:\Documents and Settings\user\Application Data\Malwarebytes
2008-06-03 19:36 . 08-06-03 19:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-03 19:36 . 08-05-30 01:06 34,296 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-06-03 19:36 . 08-05-30 01:06 15,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-06-03 19:34 . 08-06-03 19:34 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-02 20:24 . 08-06-02 20:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-06-02 20:24 . 08-06-02 20:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-02 19:36 . 08-06-02 19:36 <DIR> d-------- C:\Deckard
2008-06-02 19:16 . 08-06-02 19:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-01 22:28 . 08-06-01 22:28 0 --ahs---- C:\Documents and Settings\user\Application Data\0048435a82e59262258089556d1e4ad8dfa28a04f9.dat
2008-05-31 20:54 . 08-02-22 02:33 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-05-31 16:52 . 08-05-31 17:00 <DIR> d-------- C:\Program Files\Security Task Manager
2008-05-31 16:52 . 08-06-03 23:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-05-28 20:07 . 08-05-28 20:07 <DIR> d-------- C:\WINDOWS\winsxs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-01 00:53 --------- d-----w C:\Program Files\Java
2008-05-31 22:05 --------- d-----w C:\Program Files\Google
2008-05-31 21:10 --------- d-----w C:\Program Files\mqtbar2
2008-05-31 21:10 --------- d-----w C:\Program Files\Common Files\DataViz
2008-05-31 20:57 --------- d-----w C:\Program Files\Pocket TV Browser
2008-05-31 18:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-29 04:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Webroot
2008-05-29 00:05 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-28 23:54 --------- d-----w C:\Documents and Settings\user\Application Data\AdobeUM
2008-05-02 00:24 164 ----a-w C:\install.dat
2008-05-02 00:18 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-16 03:07 --------- d-----w C:\Program Files\Lavasoft
2008-04-16 02:47 --------- d-----w C:\Program Files\Webroot
2008-04-16 02:47 --------- d-----w C:\Documents and Settings\user\Application Data\Webroot
2008-04-13 16:43 --------- d-----w C:\Program Files\LimeWire
2008-04-05 00:29 --------- d-----w C:\Program Files\Starcraft
2005-07-06 00:18 271 ---h--w C:\Program Files\desktop.ini
2005-07-06 00:18 21,952 ---h--w C:\Program Files\folder.htt
2007-08-15 22:33 479,232 ----a-w C:\Program Files\mozilla firefox\plugins\msvcm80.dll
2007-08-15 22:33 548,864 ----a-w C:\Program Files\mozilla firefox\plugins\msvcp80.dll
2007-08-15 22:33 626,688 ----a-w C:\Program Files\mozilla firefox\plugins\msvcr80.dll
.

------- Sigcheck -------


.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@={7D688A77-C613-11D0-999B-00C04FD655E1}

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [ ]
"DW4"="" []
"Aim6"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-07-14 08:00 111376 C:\WINDOWS\SYSTEM32\mobsync.exe]
"AtiPTA"="atiptaxx.exe" [01-09-27 04:39 245760 C:\WINDOWS\SYSTEM32\atiptaxx.exe]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [01-12-11 20:33 196608]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [08-02-22 04:25 144784]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [06-08-02 22:09 180269]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [06-06-14 16:24 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06-08-06 19:45 282624]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [07-08-16 03:10 1838592]
"{82-28-84-45-DW}"="C:\WINDOWS\system32\pinz1\cegmgr76.exe" [ ]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [08-01-04 20:56 5367664]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-07-14 08:00 186640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 17:16:08 471040]
Launch Microsoft Outlook.lnk - C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE [1998-12-16 17:09:20 57393]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 04:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"VIDC.VDOM"= vdowave.drv

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [07-01-04 17:38 ]
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [01-09-27 03:28 ]
R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINDOWS\system32\DRIVERS\openhci.sys [03-06-19 12:05 ]
R3 usbhub20;USB 2.0 Root Hub Support;C:\WINDOWS\system32\DRIVERS\usbhub20.sys [03-06-19 12:05 ]
S1 sglfb;sglfb;C:\WINDOWS\system32\drivers\sglfb.sys [03-07-14 08:00 ]

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
Contents of the 'Scheduled Tasks' folder
"2008-05-08 03:00:00 C:\WINDOWS\Tasks\Tune-up Application Start.job"
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-04 00:30:23
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-04 0:36:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-04 04:36:48

Pre-Run: 4,184,182,272 bytes free
Post-Run: 4,243,162,624 bytes free

126 --- E O F --- 2008-05-16 07:07:20
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:38:36 AM, on 6/4/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hidserv.exe
C:\WINDOWS\system32\ni_nic.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\stisvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [{82-28-84-45-DW}] C:\WINDOWS\system32\pinz1\cegmgr76.exe DWram
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Launch Microsoft Outlook.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\Monitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1125440393453
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidctl_vsp..._downloader.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel Client Instrumentation for DMI and SNMP (ni_nic) - Intel® Corporation - C:\WINDOWS\system32\ni_nic.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/user/LOCALS~1/Temp/msoclip1/01/clip_image002.gif

--
End of file - 5323 bytes

#8 Grinler (Lawrence Abrams) - Admin

Posted 04 June 2008 - 06:48 AM

* Open Notepad - don't use any text editor other than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

dirlook::
C:\Documents and Settings\All Users\Application Data\SecTaskMan

file::
C:\install.dat
C:\Program Files\folder.htt

registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{82-28-84-45-DW}"=-


Save this as the text file CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript dragged onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
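
The CFScript above removes the orphaned HKLM Run value that was left behind after Malwarebytes quarantined the pinz1 downloader: in the ComboFix log in post #7 that value is printed with an empty "[ ]" where entries whose file exists show a date and size. The Python script below is an added example, not part of this thread and not ComboFix's or HijackThis's own code. It parses ComboFix-style "Reg Loading Points" lines and HijackThis O4 lines (the samples are constructed to mirror the shape of the logs above), flags Run values that carry no file metadata or whose name imitates a CLSID without being one, and builds the same "registry::" deletion stanza. Reading an empty bracket as "target file not found" is an assumption taken from these logs, and the only CFScript syntax used is the directive form the post itself shows.

```python
"""Triage autorun entries from ComboFix 'Reg Loading Points' and HijackThis O4 lines,
then emit a CFScript 'registry::' stanza deleting the values a reviewer selects.
Sample inputs are constructed to mirror the shape of the logs in this thread."""
import re
from collections import OrderedDict

# Constructed sample in the format of ComboFix's Reg Loading Points section.
COMBOFIX_SAMPLE = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [ ]
"DW4"="" []
"Aim6"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-07-14 08:00 111376 C:\WINDOWS\SYSTEM32\mobsync.exe]
"{82-28-84-45-DW}"="C:\WINDOWS\system32\pinz1\cegmgr76.exe" [ ]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [08-01-04 20:56 5367664]
"""

# Constructed sample of HijackThis O4 lines for the same machine.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [{82-28-84-45-DW}] C:\WINDOWS\system32\pinz1\cegmgr76.exe DWram
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"([^"]*)"="([^"]*)"\s*\[(.*)\]\s*$')
HJT_O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
# A real CLSID is 8-4-4-4-12 hex digits; "{82-28-84-45-DW}" only looks like one.
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}


def parse_combofix_run(text):
    """Return [{key, name, value, meta}] for every value line under a [HKEY_...] key."""
    entries, key = [], None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name, value, meta = m.groups()
            entries.append({"key": key, "name": name, "value": value, "meta": meta.strip()})
    return entries


def parse_hjt_o4(text):
    """Map (hive, value name) -> command line for HijackThis O4 Run entries."""
    found = {}
    for line in text.splitlines():
        m = HJT_O4_RE.match(line)
        if m:
            hive, name, cmd = m.groups()
            found[(HIVES[hive], name)] = cmd
    return found


def is_orphan(entry):
    # Assumption drawn from the logs in this thread: ComboFix prints date/size (and path)
    # inside the brackets when it finds the target file and leaves them empty otherwise.
    return entry["meta"] == ""


def looks_like_fake_clsid(name):
    return name.startswith("{") and name.endswith("}") and not CLSID_RE.match(name)


def triage(combofix_text, hjt_text):
    """Return [(key, name, value, flags, hjt_command_or_None)] for entries worth a look."""
    hjt = parse_hjt_o4(hjt_text)
    report = []
    for e in parse_combofix_run(combofix_text):
        flags = []
        if is_orphan(e):
            flags.append("orphan")
        if looks_like_fake_clsid(e["name"]):
            flags.append("fake-clsid-name")
        if flags:
            hive = e["key"].split("\\")[0]
            report.append((e["key"], e["name"], e["value"], flags, hjt.get((hive, e["name"]))))
    return report


def build_cfscript(entries):
    """Emit a CFScript registry:: stanza; "Name"=- is REGEDIT4 syntax for deleting a value."""
    by_key = OrderedDict()
    for e in entries:
        by_key.setdefault(e["key"], []).append(e["name"])
    lines = ["registry::"]
    for key, names in by_key.items():
        lines.append("[%s]" % key)
        lines.extend('"%s"=-' % n for n in names)
        lines.append("")
    return "\n".join(lines).rstrip("\n") + "\n"


if __name__ == "__main__":
    for key, name, value, flags, cmd in triage(COMBOFIX_SAMPLE, HJT_SAMPLE):
        print("%-22s %-22s %s  HJT: %s" % (",".join(flags), name, value or "(empty)", cmd))
    # Only reviewer-selected entries go into the script, never every orphan blindly.
    selected = [e for e in parse_combofix_run(COMBOFIX_SAMPLE) if looks_like_fake_clsid(e["name"])]
    print(build_cfscript(selected))
```

The triage output is a list to review, not a kill list: an orphaned Run value for a legitimately uninstalled program (here MoneyAgent, DW4 and Aim6) is harmless clutter, whereas a value pointing into an unusual system32 subfolder with a made-up CLSID-style name is the kind of entry the helper's script targets. Build the stanza only from the entries you have actually decided to delete.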

#9 jhomrighaus - Topic Starter

Posted 04 June 2008 - 07:41 PM

ComboFix 08-06-03.1 - user 06/04/2008 20:20:42.2 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.321 [GMT -4:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\install.dat
C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\install.dat
C:\Program Files\folder.htt

.
((((((((((((((((((((((((( Files Created from 2008-05-05 to 2008-06-05 )))))))))))))))))))))))))))))))
.

2008-06-04 20:20 . 06/04/08 08:20p 16,384 --a----t- C:\WINDOWS\SYSTEM32\Perflib_Perfdata_314.dat
2008-06-03 19:36 . 06/03/08 07:36p <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-03 19:36 . 06/03/08 07:36p <DIR> d-------- C:\Documents and Settings\user\Application Data\Malwarebytes
2008-06-03 19:36 . 06/03/08 07:36p <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-03 19:36 . 05/30/08 01:06a 34,296 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-06-03 19:36 . 05/30/08 01:06a 15,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-06-03 19:34 . 06/03/08 07:34p <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-02 20:24 . 06/02/08 08:24p <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-06-02 20:24 . 06/02/08 08:24p <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-02 19:36 . 06/02/08 07:36p <DIR> d-------- C:\Deckard
2008-06-02 19:16 . 06/02/08 07:16p <DIR> d-------- C:\Program Files\Trend Micro
2008-06-01 22:28 . 06/01/08 10:28p 0 --ahs---- C:\Documents and Settings\user\Application Data\0048435a82e59262258089556d1e4ad8dfa28a04f9.dat
2008-05-31 20:54 . 02/22/08 02:33a 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-05-31 16:52 . 05/31/08 05:00p <DIR> d-------- C:\Program Files\Security Task Manager
2008-05-31 16:52 . 06/03/08 11:34p <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-05-28 20:07 . 05/28/08 08:07p <DIR> d-------- C:\WINDOWS\winsxs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-01 00:53 --------- d-----w C:\Program Files\Java
2008-05-31 22:05 --------- d-----w C:\Program Files\Google
2008-05-31 21:10 --------- d-----w C:\Program Files\mqtbar2
2008-05-31 21:10 --------- d-----w C:\Program Files\Common Files\DataViz
2008-05-31 20:57 --------- d-----w C:\Program Files\Pocket TV Browser
2008-05-31 18:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-29 04:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Webroot
2008-05-29 00:05 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-28 23:54 --------- d-----w C:\Documents and Settings\user\Application Data\AdobeUM
2008-05-02 00:18 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-16 03:07 --------- d-----w C:\Program Files\Lavasoft
2008-04-16 02:47 --------- d-----w C:\Program Files\Webroot
2008-04-16 02:47 --------- d-----w C:\Documents and Settings\user\Application Data\Webroot
2008-04-13 16:43 --------- d-----w C:\Program Files\LimeWire
2008-04-05 00:29 --------- d-----w C:\Program Files\Starcraft
2008-03-27 07:13 151,583 ----a-w C:\WINDOWS\SYSTEM32\msjint40.dll
2008-03-27 07:06 355,104 ----a-w C:\WINDOWS\SYSTEM32\msxbde40.dll
2008-03-27 07:05 838,432 ----a-w C:\WINDOWS\SYSTEM32\mswdat10.dll
2008-03-27 07:05 621,344 ----a-w C:\WINDOWS\SYSTEM32\mswstr10.dll
2008-03-27 07:05 264,992 ----a-w C:\WINDOWS\SYSTEM32\mstext40.dll
2008-03-27 07:04 559,904 ----a-w C:\WINDOWS\SYSTEM32\msrepl40.dll
2008-03-27 07:04 432,928 ----a-w C:\WINDOWS\SYSTEM32\msrd2x40.dll
2008-03-27 07:04 322,336 ----a-w C:\WINDOWS\SYSTEM32\msrd3x40.dll
2008-03-27 07:03 355,104 ----a-w C:\WINDOWS\SYSTEM32\mspbde40.dll
2008-03-27 07:03 248,608 ----a-w C:\WINDOWS\SYSTEM32\msjtes40.dll
2008-03-27 07:03 219,936 ----a-w C:\WINDOWS\SYSTEM32\msltus40.dll
2008-03-27 07:02 60,192 ----a-w C:\WINDOWS\SYSTEM32\msjter40.dll
2008-03-27 07:02 355,112 ----a-w C:\WINDOWS\SYSTEM32\msjetoledb40.dll
2008-03-27 07:01 1,516,568 ----a-w C:\WINDOWS\SYSTEM32\msjet40.dll
2008-03-27 07:00 518,944 ----a-w C:\WINDOWS\SYSTEM32\msexch40.dll
2008-03-27 07:00 326,432 ----a-w C:\WINDOWS\SYSTEM32\msexcl40.dll
2008-03-19 09:26 1,644,080 ----a-w C:\WINDOWS\SYSTEM32\WIN32K.SYS
2005-07-06 00:18 271 ---h--w C:\Program Files\desktop.ini
2003-07-14 12:00 32,528 ----a-w C:\WINDOWS\inf\wbfirdma.sys
2007-08-15 22:33 479,232 ----a-w C:\Program Files\mozilla firefox\plugins\msvcm80.dll
2007-08-15 22:33 548,864 ----a-w C:\Program Files\mozilla firefox\plugins\msvcp80.dll
2007-08-15 22:33 626,688 ----a-w C:\Program Files\mozilla firefox\plugins\msvcr80.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Documents and Settings\All Users\Application Data\SecTaskMan ----

08-06-01 22:43 50 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_Monitor311C0
08-06-01 22:43 50 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_cegmgr7617840
08-06-01 22:43 451 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\Zinaps7.exe.q_36FE0_q.ini
08-06-01 22:42 624 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_TaskMan2CA8B168
08-06-01 22:42 50 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_Zinaps7514C0
08-06-01 22:42 50 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_System 1210
08-06-01 22:42 13813 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_ExplorerBD8B713
08-06-01 22:33 4665 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_TCsf43793800
08-06-01 22:33 304 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\TCsf.exe.q_334D3800_q.ini
08-05-31 21:33 50 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_{7981494e-ceb3-c23e-f394-9976ad87e2b3}12AF0
08-05-31 21:25 50 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_ViewpointService3E270
08-05-31 21:25 50 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_ni_nicF7D0
08-05-31 21:25 50 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_mqtbar214670
08-05-31 21:25 50 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_googletoolbar31CD30
08-05-31 21:25 50 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_DvzIncMsgr34E50
08-05-31 21:25 50 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_AcroIEHelper321C0
08-05-31 21:24 50 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_ssv1A200
08-05-31 21:05 29366 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_ssv1A20C597
08-05-31 21:05 1121 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_MAPISP323C8A8000
08-05-31 21:05 10942 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_GoogleDesktopNetwork35E923802
08-05-31 21:04 8425 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_services14776B11
08-05-31 21:04 654 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_csrss12181510
08-05-31 21:04 6242 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_smss111AB310
08-05-31 21:04 50 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_System idle 2160
08-05-31 21:04 4352 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_OSA9233835
08-05-31 21:04 4318 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_spoolsv161BB910
08-05-31 21:04 3835 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_reader_sl272C7400
08-05-31 21:04 38008 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_Hotsync197F3007
08-05-31 21:04 32348 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_winlogon1557D912
08-05-31 21:04 1712 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_OUTLOOK3014E031
08-05-31 21:04 15895 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_qttask1AFE5004
08-05-31 21:04 12537 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_lsass114E8310
08-05-31 21:04 10722 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_atiptaxx1654C003
08-05-31 21:04 10540 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_msiexec12243401
08-05-31 21:03 9678 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_stisvc134DF110
08-05-31 21:03 6168 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_regsvc11C0B11
08-05-31 20:53 45748 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_jucheck1B6EB072
08-05-31 20:53 1526 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_zipper6FF45000
08-05-31 20:49 74 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_8A0F842331866D117AB7000B0D610005.dll
08-05-31 20:49 571 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_8A0F842331866D117AB7000B0D610005
08-05-31 18:28 343 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\MSTask.exe.q_804DD11_q.ini
08-05-31 18:19 372 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\AcroIEHelper.dll.q_182B0_q.ini
08-05-31 17:24 15495 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_WinMgmt1A0665
08-05-31 17:21 392 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\googletoolbar3.dll.q_905AC64_q.ini
08-05-31 17:14 12208 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_MSTask128BDD11
08-05-31 17:12 1663 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_svchost14F81F10
08-05-31 17:11 2518 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_iexplore2DC96401
08-05-31 17:11 1347 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_Rundll3212872710
08-05-31 17:10 607 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\DvzIncMsgr.exe.q_19807000_q.ini
08-05-31 17:10 355 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\mqtbar2.dll.q_9CBAA12_q.ini
08-05-31 17:09 2198 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_hidserv13344D10
08-05-31 17:06 84682 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_EXCEL2590209A
08-05-31 17:06 547065 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_SpySweeperUI3F99E7C1
08-05-31 17:05 388067 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_firefox2452E4E4
08-05-31 17:05 18522 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_iPodService1CADF004
08-05-31 16:59 86444 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_mqtbar21467AA12
08-05-31 16:58 6467 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_ssv1A20D069
08-05-31 16:58 4767 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_jusched1CCA906F
08-05-31 16:58 4155 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_ni_nicF7DE000
08-05-31 16:58 2040 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_DvzIncMsgr34E57000
08-05-31 16:58 1971 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_ViewpointService3E27604C
08-05-31 16:58 191463 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_googletoolbar31CD3AC64
08-05-31 16:58 13842 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_realsched3241C02F
08-05-31 16:58 10720 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_SSU2ABB4573
08-05-31 16:58 10423 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_iTunesHelper20754004
08-05-31 16:57 64293 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_PTVManager2F867005
08-05-31 16:56 83143 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_GoogleDesktop46CDE1C
08-05-31 16:56 246076 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_SpySweeper3A1383A6
08-05-31 16:54 3324 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_{7981494e-ceb3-c23e-f394-9976ad87e2b3}12AF9605
08-05-31 16:53 829 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_A085434EA4D233448AE1B4AC8EA61D84
08-05-31 16:53 666 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_05046A3ED9BAE6847BAAB6255FF3D48D
08-05-31 16:53 6398 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_A085434EA4D233448AE1B4AC8EA61D84.dll
08-05-31 16:53 634 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_A49D0C45764FCBA4D920E6854768864D
08-05-31 16:53 613 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_E2F8BE2AB9D6B8F469BE9F673DF314F6
08-05-31 16:53 610 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_C6907C4A71BD13B4BBBD8E5015A36A73
08-05-31 16:53 602 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_A7D67D1CBB3FAE747A64B5E1F2CFD12F
08-05-31 16:53 581 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_98B2CBBB391E84348AC38CDD28014ACA
08-05-31 16:53 569 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_A41D0D1A677B7094CB0015942F920868
08-05-31 16:53 55 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_9EC9653600AFC964FAC55E4D9DA3FC19.dll
08-05-31 16:53 536 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_BCBABCC2724655A40B19946864324CF3
08-05-31 16:53 522 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_EC929E4ED1FEC7041AB41EDDDE8AAFE0
08-05-31 16:53 522 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_C8D617F6F8933D11581E000540386890
08-05-31 16:53 522 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_B1CD741B3B948634A810A59D99C25DD8
08-05-31 16:53 522 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_9F13FFD239872294FA669C1ABEE4BB13
08-05-31 16:53 522 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_9EC9653600AFC964FAC55E4D9DA3FC19
08-05-31 16:53 4230 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_904040001E872D116BF00006799C897E.dll
08-05-31 16:53 41 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_A41D0D1A677B7094CB0015942F920868.dll
08-05-31 16:53 31 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_9F13FFD239872294FA669C1ABEE4BB13.dll
08-05-31 16:53 301 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_98B2CBBB391E84348AC38CDD28014ACA.dll
08-05-31 16:53 222 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_B1CD741B3B948634A810A59D99C25DD8.dll
08-05-31 16:53 2178 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_A7D67D1CBB3FAE747A64B5E1F2CFD12F.dll
08-05-31 16:53 212 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_E2F8BE2AB9D6B8F469BE9F673DF314F6.dll
08-05-31 16:53 1865 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_C6907C4A71BD13B4BBBD8E5015A36A73.dll
08-05-31 16:53 1843 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_A49D0C45764FCBA4D920E6854768864D.dll
08-05-31 16:53 1662 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_05046A3ED9BAE6847BAAB6255FF3D48D.dll
08-05-31 16:53 1298 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_904040001E872D116BF00006799C897E
08-05-31 16:53 108 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_C8D617F6F8933D11581E000540386890.dll
08-05-31 16:53 10 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_EC929E4ED1FEC7041AB41EDDDE8AAFE0.dll
08-05-31 16:53 10 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_BCBABCC2724655A40B19946864324CF3.dll
08-05-31 16:52 826 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_68AB67CA7DA73301B7447A0100000020.dll
08-05-31 16:52 763 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_542641A097BD7914FBD5EFA196A9C27C.dll
08-05-31 16:52 671 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_5B3CFF6D1EC0665408D1F3D9F8006025
08-05-31 16:52 655 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_08152E05CDB3D6B4082AF3F1C0C93FD9
08-05-31 16:52 654 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_542641A097BD7914FBD5EFA196A9C27C
08-05-31 16:52 639 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_4255D12C079AAF24CAA8958B7CDCAC13
08-05-31 16:52 626 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_580B850597AA5E147A6286B1C4B448E6
08-05-31 16:52 621 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_68AB67CA7DA73301B7447A0100000020
08-05-31 16:52 602 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_2C965B116FB40DE4D9714A729334BC42
08-05-31 16:52 593 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_6A57A3C609A93A447A3028CAE16A8AD5
08-05-31 16:52 585 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_3F44E4787A9B1AA44BAB385E86E49D6C
08-05-31 16:52 571 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_8A0F842331866D117AB7000B0D510006
08-05-31 16:52 571 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_8A0F842331866D117AB7000B0D510004
08-05-31 16:52 539 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_2AD34AAB5C6BCE641B36E0E8AE9F574A
08-05-31 16:52 42 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_8A0F842331866D117AB7000B0D510006.dll
08-05-31 16:52 42 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_8A0F842331866D117AB7000B0D510004.dll
08-05-31 16:52 399 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_2AD34AAB5C6BCE641B36E0E8AE9F574A.dll
08-05-31 16:52 3098 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_4255D12C079AAF24CAA8958B7CDCAC13.dll
08-05-31 16:52 302 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_6A57A3C609A93A447A3028CAE16A8AD5.dll
08-05-31 16:52 2880 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_904010001E872D116BF00006799C897E
08-05-31 16:52 2567 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_580B850597AA5E147A6286B1C4B448E6.dll
08-05-31 16:52 191 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_2C965B116FB40DE4D9714A729334BC42.dll
08-05-31 16:52 151 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_08152E05CDB3D6B4082AF3F1C0C93FD9.dll
08-05-31 16:52 1349 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_5B3CFF6D1EC0665408D1F3D9F8006025.dll
08-05-31 16:52 10585 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_904010001E872D116BF00006799C897E.dll
08-05-31 16:52 10 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_3F44E4787A9B1AA44BAB385E86E49D6C.dll
07-11-24 21:20 697 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\DvzIncMsgr.exe.q_19807000_q.start
05-07-06 21:38 28672 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\DvzIncMsgr.exe.q_19807000_q
05-06-03 00:54 483600 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_enviewlist.dll
05-04-21 01:08 401168 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_entreelist.dll
05-04-19 17:08 1223168 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\mqtbar2.dll.q_9CBAA12_q
04-09-07 08:59 122128 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\MSTask.exe.q_804DD11_q


------- Sigcheck -------


.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@={7D688A77-C613-11D0-999B-00C04FD655E1}

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [ ]
"DW4"="" []
"Aim6"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [07/14/03 08:00a 111376 C:\WINDOWS\SYSTEM32\mobsync.exe]
"AtiPTA"="atiptaxx.exe" [09/27/01 04:39a 245760 C:\WINDOWS\SYSTEM32\atiptaxx.exe]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [12/11/01 08:33p 196608]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/08 04:25a 144784]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [08/02/06 10:09p 180269]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [06/14/06 04:24p 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [08/06/06 07:45p 282624]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [08/16/07 03:10a 1838592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [07/14/03 08:00a 186640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 17:16:08 471040]
Launch Microsoft Outlook.lnk - C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE [1998-12-16 17:09:20 57393]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 04:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"VIDC.VDOM"= vdowave.drv

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [01/04/07 05:38p]
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [09/27/01 03:28a]
R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINDOWS\system32\DRIVERS\openhci.sys [06/19/03 12:05p]
R3 usbhub20;USB 2.0 Root Hub Support;C:\WINDOWS\system32\DRIVERS\usbhub20.sys [06/19/03 12:05p]
S1 sglfb;sglfb;C:\WINDOWS\system32\drivers\sglfb.sys [07/14/03 08:00a]

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
Contents of the 'Scheduled Tasks' folder
"2008-05-08 03:00:00 C:\WINDOWS\Tasks\Tune-up Application Start.job"
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-04 20:22:59
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 06/04/2008 20:24:44
ComboFix-quarantined-files.txt 2008-06-05 00:24:16
ComboFix2.txt 2008-06-04 04:37:00

Pre-Run: 4,211,112,448 bytes free
Post-Run: 4,205,562,880 bytes free

269 --- E O F --- 2008-05-16 07:07:20




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:35:21 PM, on 6/4/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hidserv.exe
C:\WINDOWS\system32\ni_nic.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\stisvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Launch Microsoft Outlook.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\Monitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1125440393453
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidctl_vsp..._downloader.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel Client Instrumentation for DMI and SNMP (ni_nic) - Intel® Corporation - C:\WINDOWS\system32\ni_nic.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/user/LOCALS~1/Temp/msoclip1/01/clip_image002.gif

--
End of file - 5074 bytes

#10 Grinler (Lawrence Abrams)

  • Admin
  • 43,542 posts
  • Gender:Male
  • Location:USA

Posted 05 June 2008 - 09:02 AM

Download this program:

Suspicious files packer

Highlight the files listed below in bold, then right-click and select Copy.


C:\WINDOWS\SYSTEM32\javacpl.cpl


Then start the file packer program, right-click in the white box and select Paste to paste the copied file names into the field.

Then press the Continue button.

It will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.

Rename this file to yourmembername.cab (for example grinler.cab).

Then go here and fill in the required fields and browse to this file on your desktop. Finally click on the Send File button.

#11 jhomrighaus

  • Topic Starter
  • Members
  • 7 posts

Posted 05 June 2008 - 10:17 PM

File Submitted.

#12 Grinler (Lawrence Abrams)

  • Admin
  • 43,542 posts
  • Gender:Male
  • Location:USA

Posted 06 June 2008 - 07:36 AM

Looks clean. How is the computer operating now?

#13 jhomrighaus

  • Topic Starter
  • Members
  • 7 posts

Posted 06 June 2008 - 09:10 AM

No more popups, seems a little faster I guess, but the pop-ups are gone and that is a huge relief.

Thanks a ton for your help. Hopefully I won't be needing it again in the future :thumbsup:

Best of luck and keep up the service, it's great to know there is someone to come to when things get crazy.

#14 Grinler (Lawrence Abrams)

  • Admin
  • 43,542 posts
  • Gender:Male
  • Location:USA

Posted 06 June 2008 - 09:46 AM

Now that you're clean:

Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable System Restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable System Restore here for your particular Windows version:

Managing Windows Millennium System Restore

or

Windows XP System Restore Guide

or

Windows Vista System Restore Guide


Re-enable System Restore with the instructions from the tutorial above.


Next,

This process will clean out your Temp files and your Temporary Internet Files. Please do both steps:

Step 1: Delete Temp Files
To clean out your temp files, click on Start and then Run, type %temp% and press the OK button.

This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.

Step 2: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


I am closing this topic. Please message a moderator if you need it reopened.

Glad I was able to help, and if there are any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!

