
Massive Popups

4 replies to this topic

#1 TheLightedPath


Posted 08 August 2006 - 07:09 PM

I have tried resolving this by myself, but so far I can't seem to get rid of it; I can do just enough to slow it down. Any help would be appreciated, thank you.
~TLP

Logfile of HijackThis v1.99.1
Scan saved at 8:18:29 PM, on 8/8/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Philips\PSA2\skin\QveCplSk.EXE
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\desk95.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\{DCDE575C-0321-1033-0608-010202180001}\Update.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\COMMON~1\MCROSO~1.NET\spool32.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
C:\WINNT\FSScrCtl.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Makins1\Desktop\hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QveCtl2Tray] C:\Program Files\Philips\PSA2\skin\QveCplSk.EXE C:\Program Files\Philips\PSA2\skin
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk95.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [MSN Messenger] C:\WINNT\System32\msmsgs.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Drts] "C:\PROGRA~1\COMMON~1\MCROSO~1.NET\spool32.exe" -vt yazr
O4 - HKCU\..\Run: [Exfmxb] C:\Documents and Settings\Makins1\Application Data\T?sks\w?crtupd.exe
O4 - HKCU\..\Run: [ntdll.dll] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - Startup: Screen Saver Control.lnk = C:\WINNT\FSScrCtl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MiniMavis.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - https://password.bellsouth.net/sdccommon/do...oad/tgctlsr.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{89CAAD56-A157-4F15-A3DE-0B62626E978E}: NameServer = 192.168.0.1,4.2.2.3
O20 - Winlogon Notify: H323TSP - C:\WINNT\system32\gp8sl3l71.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

#2 Shaba


Posted 09 August 2006 - 03:49 AM

Hi TheLightedPath

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running; that may cause it to stall.

Look in your Control Panel's Add/Remove Programs for PuritySCAN By OIN, OuterInfo, OIN or similar, click on it and click Remove.
Reboot and delete this folder if found:
C:\Program Files\PurityScan

If not listed, download and run this uninstaller:
Uninstaller

Tutorial for the uninstaller if needed

Reboot when done and delete this folder if found:
C:\Program Files\PurityScan


Send:

- a fresh HijackThis log
- combofix log
Microsoft MVP Consumer Security

#3 TheLightedPath


Posted 12 August 2006 - 03:13 PM

Here are the two logs. Sorry it took me so long to reply.


Start Time= Sat 08/12/2006 15:37:15.94
Running from: C:\Documents and Settings\Makins1\Desktop

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cscdll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sclgntfy
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SensLogn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wzcnotif


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{2F16D0AC-1CA4-4B24-ADE5-96105745002A}]
@=""

[HKEY_CLASSES_ROOT\clsid\{2F16D0AC-1CA4-4B24-ADE5-96105745002A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{2F16D0AC-1CA4-4B24-ADE5-96105745002A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{2F16D0AC-1CA4-4B24-ADE5-96105745002A}\InprocServer32]
@="C:\\WINNT\\system32\\lnica13n.dll"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

C:\WINNT\SYSTEM32\FY10.dll
C:\WINNT\SYSTEM32\irlol5331.dll
C:\WINNT\SYSTEM32\lgani13n.dll
C:\WINNT\SYSTEM32\lnica13n.dll
C:\WINNT\SYSTEM32\lv8q09l5e.dll
C:\WINNT\SYSTEM32\lvjs0917e.dll
C:\WINNT\SYSTEM32\lvp8097ue.dll


Granting sedebugprivilege to Administrators ... successful


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Makins1\Local Settings\Temp\drsmartload180a.exe
C:\Documents and Settings\Makins1\My Documents\Temporary Internet Files\Content.IE5\0SHX45I7\drsmartload849a[1].exe
C:\Documents and Settings\Makins1\My Documents\Temporary Internet Files\Content.IE5\0SHX45I7\drsmartload[1].exe
C:\WINNT\uninstall_nmon.vbs
C:\Documents and Settings\Default User\Application Data\NetMon


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-12 14:52:40 ( .D... ) "C:\Program Files\Mozilla Firefox"
2006-08-05 21:12:52 ( AD... ) "C:\Program Files\Common Files"
2006-08-04 10:54:24 1167 ( A.... ) "C:\WINNT\system32\ftc910f7.sys"
2006-08-04 10:54:24 1167 ( A.... ) "C:\WINNT\system32\ftc910f7.sys"
2006-08-04 10:51:56 2560 ( A.... ) "C:\WINNT\_MSRSTRT.EXE"
2006-08-04 10:42:16 155136 ( A.... ) "C:\WINNT\system32\oins.exe"
2006-08-04 10:42:16 39424 ( A.... ) "C:\WINNT\mtuninst.exe"
2006-08-04 10:37:30 61952 ( A.... ) "C:\WINNT\system32\ftc910f7.dll"
2006-08-04 10:37:06 29696 ( A.... ) "C:\WINNT\system32\w3906acc.dll"
2006-08-04 10:36:58 221184 ( A.... ) "C:\WINNT\system32\vm7cmapox.dll"
2006-08-04 10:36:58 45056 ( A.... ) "C:\WINNT\system32zkdmg.exe"
2006-08-04 10:36:58 36864 ( A.... ) "C:\WINNT\system32uvzgi.exe"
2006-08-04 10:36:58 28672 ( A.... ) "C:\WINNT\system32tpsd.exe"
2006-08-04 10:36:58 28672 ( A.... ) "C:\WINNT\system32\poznfsqy.exe"
2006-08-04 10:36:56 36864 ( A.... ) "C:\WINNT\system32\uvzgi.exe"
2006-08-04 10:36:56 32768 ( A.... ) "C:\WINNT\unstall.exe"
2006-08-04 10:36:56 28672 ( A.... ) "C:\WINNT\system32\tpsd.exe"
2006-08-04 10:36:54 53120 ( A.... ) "C:\WINNT\optimize.exe"
2006-08-04 10:36:54 45056 ( A.... ) "C:\WINNT\system32\zkdmg.exe"
2006-08-04 10:36:48 57344 ( A.... ) "C:\WINNT\cs2m6f.exe"
2006-08-04 10:36:40 380928 ( A.... ) "C:\WINNT\system32\WinNB58.dll"
2006-08-04 10:36:40 ( .D... ) "C:\Program Files\Common Files\{DCDE575C-0321-1033-0608-010202180001}"
2006-08-04 10:36:36 139264 ( A.... ) "C:\WINNT\MirarSetup_876075.exe"
2006-07-31 20:29:06 ( .D... ) "C:\Program Files\Support.com"
2006-07-31 16:03:08 1163264 ( A.... ) "C:\WINNT\system32\riwzkn.exe"
2006-07-31 16:02:56 36864 ( A.... ) "C:\WINNT\system32\hauc.exe"
2006-07-31 16:01:30 159744 ( A.... ) "C:\WINNT\system32\ekuxpv3.exe"
2006-07-25 09:25:24 278528 ( A.... ) "C:\WINNT\system32\livesnth.dll"
2006-07-21 00:17:42 ( .D... ) "C:\Documents and Settings\Makins1\Application Data\çasks"
2006-07-15 22:13:14 ( .D... ) "C:\Documents and Settings\Makins1\Application Data\T?sks"
2006-07-15 22:12:24 ( .D... ) "C:\Program Files\Common Files\M?crosoft.NET"
2006-07-15 22:11:20 1697 ( A.... ) "C:\WINNT\bl4ck.com"
2006-07-15 22:11:20 1697 ( A.... ) "C:\WINNT\a58c8a4a.exe"
2006-07-01 15:39:26 ( .D... ) "C:\Program Files\Yahoo!"
2006-07-01 15:33:18 ( .D.H. ) "C:\Program Files\InstallShield Installation Information"
2006-07-01 15:33:08 ( .D... ) "C:\Documents and Settings\Makins1\Application Data\Apple Computer"
2006-07-01 15:32:46 ( .D... ) "C:\Program Files\QuickTime"
2006-07-01 15:31:34 ( .D... ) "C:\Program Files\iTunes"
2006-07-01 15:31:30 ( .D... ) "C:\Program Files\iPod"
2006-06-24 09:37:42 ( .D... ) "C:\Program Files\LittleFighter2"
2006-06-22 20:04:50 ( .D... ) "C:\Program Files\Common Files\xing shared"
2006-06-22 20:04:44 176167 ( A.... ) "C:\WINNT\system32\rmoc3260.dll"
2006-06-22 20:04:36 6656 ( A.... ) "C:\WINNT\system32\pndx5016.dll"
2006-06-22 20:04:36 5632 ( A.... ) "C:\WINNT\system32\pndx5032.dll"
2006-06-22 20:04:34 278528 ( A.... ) "C:\WINNT\system32\pncrt.dll"
2006-06-22 20:03:22 ( .D... ) "C:\Documents and Settings\Makins1\Application Data\Real"
2006-06-20 20:55:02 ( .D... ) "C:\Program Files\KalOnline"
2006-06-18 19:37:36 ( .D... ) "C:\Documents and Settings\Makins1\Application Data\Sun"
2006-06-18 19:36:58 ( .D... ) "C:\Program Files\Java"
2006-06-18 19:35:46 ( .D... ) "C:\Program Files\Common Files\Java"
2006-06-17 10:36:14 ( .D... ) "C:\Program Files\Windows Media Player"
2006-06-17 10:36:12 57344 ( A.... ) "C:\WINNT\uneng.exe"
2006-06-17 10:36:12 49152 ( A.... ) "C:\WINNT\system32\cdrtc.dll"
2006-06-17 10:36:12 45056 ( A.... ) "C:\WINNT\system32\cdral.dll"
2006-06-17 10:36:12 ( .D... ) "C:\Program Files\Common Files\Adaptec Shared"
2006-06-15 20:58:48 ( .D... ) "C:\Program Files\Viewpoint"
2006-06-15 18:07:52 ( .D... ) "C:\Program Files\Lavasoft"
2006-06-14 21:01:04 ( .D... ) "C:\Documents and Settings\Makins1\Application Data\Google"
2006-06-14 20:48:52 ( .D... ) "C:\Documents and Settings\Makins1\Application Data\Aim"
2006-06-14 20:48:14 ( .D... ) "C:\Program Files\AIM"
2006-06-14 20:42:14 ( .D... ) "C:\Documents and Settings\Makins1\Application Data\Mozilla"
2006-06-14 19:00:10 ( AD... ) "C:\Program Files\Common Files\Motive"
2006-05-29 19:29:06 29184 ( A.... ) "C:\WINNT\system32\sstunst2.exe"
2006-05-29 19:29:02 499200 ( A.... ) "C:\WINNT\system32\Civil War Days .scr"
2006-05-29 19:29:02 249344 ( A.... ) "C:\WINNT\FSScrCtl.exe"
2006-05-29 19:29:02 25600 ( A.... ) "C:\WINNT\QStart.exe"
2006-05-29 19:00:28 1520040 ( A.... ) "C:\WINNT\Civilwar.exe"
2006-05-29 19:00:26 372960 ( A.... ) "C:\WINNT\Civilwar.scr"
2006-05-29 19:00:26 30208 ( A.... ) "C:\WINNT\mickey32.dll"
2004-08-29 14:07:58 271 ( ...H. ) "C:\Program Files\desktop.ini"
2004-08-29 14:07:56 21952 ( ...H. ) "C:\Program Files\folder.htt"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-08-04 10:51 2,560 C:\WINNT\_MSRSTRT.EXE
2006-08-04 10:41 39,424 C:\WINNT\mtuninst.exe
2006-08-04 10:41 155,136 C:\WINNT\system32\oins.exe
2006-08-04 10:37 61,952 C:\WINNT\system32\ftc910f7.dll
2006-08-04 10:37 29,696 C:\WINNT\system32\w3906acc.dll
2006-08-04 10:37 1,167 C:\WINNT\system32\ftc910f7.sys
2006-08-04 10:36 57,344 C:\WINNT\cs2m6f.exe
2006-08-04 10:36 53,120 C:\WINNT\optimize.exe
2006-08-04 10:36 45,056 C:\WINNT\system32zkdmg.exe
2006-08-04 10:36 45,056 C:\WINNT\system32\zkdmg.exe
2006-08-04 10:36 380,928 C:\WINNT\system32\WinNB58.dll
2006-08-04 10:36 36,864 C:\WINNT\system32uvzgi.exe
2006-08-04 10:36 36,864 C:\WINNT\system32\uvzgi.exe
2006-08-04 10:36 36,864 C:\WINNT\system32\hauc.exe
2006-08-04 10:36 32,768 C:\WINNT\unstall.exe
2006-08-04 10:36 28,672 C:\WINNT\system32tpsd.exe
2006-08-04 10:36 28,672 C:\WINNT\system32\tpsd.exe
2006-08-04 10:36 28,672 C:\WINNT\system32\poznfsqy.exe
2006-08-04 10:36 221,184 C:\WINNT\system32\vm7cmapox.dll
2006-08-04 10:36 159,744 C:\WINNT\system32\ekuxpv3.exe
2006-08-04 10:36 139,264 C:\WINNT\MirarSetup_876075.exe
2006-08-04 10:36 1,163,264 C:\WINNT\system32\riwzkn.exe
2006-07-25 09:25 278,528 C:\WINNT\system32\livesnth.dll
2006-07-15 22:12 1,697 C:\WINNT\bl4ck.com
2006-07-15 22:12 1,697 C:\WINNT\a58c8a4a.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"QveCtl2Tray"="C:\\Program Files\\Philips\\PSA2\\skin\\QveCplSk.EXE C:\\Program Files\\Philips\\PSA2\\skin"
"AtiPTA"="atiptaxx.exe"
"HydraVisionDesktopManager"="desk95.exe"
"InCD"="C:\\Program Files\\ahead\\InCD\\InCD.exe"
"MediaFace Integration"="C:\\Program Files\\Fellowes\\MediaFACE 4.0\\SetHook.exe"
"LWBMOUSE"="C:\\Program Files\\Browser Mouse\\Browser Mouse\\1.0\\lwbwheel.exe"
"MSN Messenger"="C:\\WINNT\\System32\\msmsgs.exe"
"OM_Monitor"="C:\\Program Files\\OLYMPUS\\OLYMPUS Master\\FirstStart.exe"
"NeroFilterCheck"="C:\\WINNT\\system32\\NeroCheck.exe"
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"tgcmd"="\"C:\\Program Files\\Support.com\\BellSouth\\hcenter.exe\" /starthidden /tgcmdwrapper"
"ntdll.dll"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"PPWebCap"="C:\\PROGRA~1\\ScanSoft\\PAPERP~1\\PPWebCap.exe"
"ATI Launchpad"="\"C:\\Program Files\\ATI Multimedia\\main\\launchpd.exe\""
"Yahoo! Pager"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"OM_Monitor"="C:\\Program Files\\OLYMPUS\\OLYMPUS Master\\Monitor.exe"
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"ntdll.dll"="C:\\Program Files\\OLYMPUS\\OLYMPUS Master\\Monitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{DCDE575C-0321-1033-0608-010202180001}"="\"C:\\Program Files\\Common Files\\{DCDE575C-0321-1033-0608-010202180001}\\Update.exe\" mc-110-12-0000103"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3c,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:c0000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,1f,00,00,00,80,00,00,00,76,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system



Contents of the 'Scheduled Tasks' folder

Completion time: Sat 08/12/2006 15:41:45.78
ComboFix ver 06.07.15/30 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-08-09.172619.txt
ComboFix.2006-08-09.173101.txt
ComboFix.2006-08-09.175524.txt
ComboFix.2006-08-12.153715.txt


Logfile of HijackThis v1.99.1
Scan saved at 4:23:19 PM, on 8/12/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Philips\PSA2\skin\QveCplSk.EXE
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\desk95.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\{DCDE575C-0321-1033-0608-010202180001}\Update.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
C:\WINNT\FSScrCtl.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Makins1\Desktop\hijackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QveCtl2Tray] C:\Program Files\Philips\PSA2\skin\QveCplSk.EXE C:\Program Files\Philips\PSA2\skin
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk95.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [MSN Messenger] C:\WINNT\System32\msmsgs.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ntdll.dll] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - Startup: Screen Saver Control.lnk = C:\WINNT\FSScrCtl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MiniMavis.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - https://password.bellsouth.net/sdccommon/do...oad/tgctlsr.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{89CAAD56-A157-4F15-A3DE-0B62626E978E}: NameServer = 192.168.0.1,4.2.2.3
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

#4 Shaba


Posted 13 August 2006 - 05:01 AM

Hi

Open HijackThis, click do a system scan only and checkmark these:

O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ntdll.dll] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe


Close all windows including the browser and press Fix checked.

First we'll need to back up the registry:

Start -> Run -> regedit -> ok. Then File -> Export. Give it a name and press Save.

Save the text below as fix.reg in Notepad (save it as All Files (*.*) on the Desktop):

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{DCDE575C-0321-1033-0608-010202180001}"=-

Double-click fix.reg, press Yes and OK.

Please download the Killbox.
Unzip it to the desktop.

Please run Killbox.

Select "Delete on Reboot" and "All files"

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINNT\system32\ftc910f7.sys
C:\WINNT\_MSRSTRT.EXE
C:\WINNT\system32\oins.exe
C:\WINNT\mtuninst.exe
C:\WINNT\system32\ftc910f7.dll
C:\WINNT\system32\w3906acc.dll
C:\WINNT\system32\vm7cmapox.dll
C:\WINNT\system32zkdmg.exe
C:\WINNT\system32uvzgi.exe
C:\WINNT\system32tpsd.exe
C:\WINNT\system32\poznfsqy.exe
C:\WINNT\system32\uvzgi.exe
C:\WINNT\unstall.exe
C:\WINNT\system32\tpsd.exe
C:\WINNT\optimize.exe
C:\WINNT\system32\zkdmg.exe
C:\WINNT\cs2m6f.exe
C:\WINNT\system32\WinNB58.dll
C:\WINNT\system32\riwzkn.exe
C:\WINNT\system32\hauc.exe
C:\WINNT\system32\ekuxpv3.exe
C:\WINNT\system32\livesnth.dll
C:\WINNT\MirarSetup_876075.exe
C:\WINNT\bl4ck.com
C:\WINNT\a58c8a4a.exe
C:\WINNT\cs2m6f.exe
C:\WINNT\optimize.exe

Go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

If your computer does not restart automatically, please restart it manually.

Boot in safe mode -> http://www.pchell.com/support/safemode.shtml

Delete these:

C:\Program Files\Common Files\{DCDE575C-0321-1033-0608-010202180001}
C:\Documents and Settings\Makins1\Application Data\Tasks
C:\Program Files\Common Files\Microsoft.NET

Reboot

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:

    o Scan using the following Anti-Virus database:

    + Extended (If available otherwise Standard)

    o Scan Options:

    + Scan Archives
    + Scan Mail Bases

  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Re-run combofix

Send:

- a fresh HijackThis log
- combofix report
- kaspersky report
Microsoft MVP Consumer Security
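The two O4 lines Shaba has the poster fix (a Run value named ntdll.dll that simply re-launches another entry's program) and the look-alike folder in the first log (T?sks) are patterns that can be checked mechanically. The following Python audit of HijackThis O4 lines is an added example, not part of the thread or of HijackThis itself; the sample lines are excerpted from the first log above and the name/path heuristics are my own.

```python
"""Audit the O4 (autostart) entries of a HijackThis v1.99 log.

Flags three patterns seen in this thread: a Run-key value named after a
Windows system file, two values launching the same executable, and a path
containing a character the log could not render (shown as '?').
"""
import re
from collections import defaultdict

# O4 Run-key line: "O4 - HKLM\..\Run: [name] command"
O4_RUN = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# First path-like token ending in an executable extension, quoted or not.
EXE_PATH = re.compile(r'^"?(?P<path>.+?\.(?:exe|com|scr|bat|cmd|pif))(?:"|\s|$)', re.I)

# Heuristic list (my assumption): names that should never be a Run value name.
SYSTEM_FILE_NAMES = {"ntdll.dll", "kernel32.dll", "userinit.exe", "explorer.exe",
                     "svchost.exe", "winlogon.exe", "lsass.exe"}

# Sample input excerpted from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [Exfmxb] C:\Documents and Settings\Makins1\Application Data\T?sks\w?crtupd.exe
O4 - HKCU\..\Run: [ntdll.dll] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - Startup: Screen Saver Control.lnk = C:\WINNT\FSScrCtl.exe
"""


def parse_o4(line):
    """Return {'hive','key','name','cmd','path'} for a Run-key O4 line, else None."""
    m = O4_RUN.match(line.strip())
    if not m:
        return None  # Startup-folder O4 lines and other sections are ignored
    entry = m.groupdict()
    p = EXE_PATH.match(entry["cmd"])
    entry["path"] = p.group("path") if p else entry["cmd"]
    return entry


def unrenderable_chars(path):
    """Characters that cannot occur in a real Windows path.

    '?' is not a legal filename character, so a '?' in a logged path means the
    log writer substituted it for a byte it could not display (a look-alike
    letter in a folder name, as in 'T?sks'). Non-ASCII bytes are flagged too.
    """
    return [c for c in path if c == "?" or ord(c) > 126]


def audit_hjt_log(text):
    """Return a list of (entry name, executable path, reason) findings."""
    entries = [e for e in (parse_o4(l) for l in text.splitlines()) if e]
    by_path = defaultdict(list)
    for e in entries:
        by_path[e["path"].lower()].append(e["name"])
    findings = []
    for e in entries:
        if e["name"].lower() in SYSTEM_FILE_NAMES:
            findings.append((e["name"], e["path"], "value named after a Windows system file"))
        bad = unrenderable_chars(e["path"])
        if bad:
            findings.append((e["name"], e["path"], f"path contains unrenderable char(s) {bad}"))
        others = [n for n in by_path[e["path"].lower()] if n != e["name"]]
        if others:
            findings.append((e["name"], e["path"], f"same target also registered as {others}"))
    return findings


if __name__ == "__main__":
    for name, path, reason in audit_hjt_log(SAMPLE_LOG):
        print(f"[{name}] {path}\n    -> {reason}")
```

Running it on the sample reports both ntdll.dll values (twice each: impersonated name and duplicate target), their legitimate twins as duplicates, and the Exfmxb entry for its unrenderable folder name, while the Yahoo! Pager line passes clean.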
#5 Shaba


Posted 20 August 2006 - 03:54 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Microsoft MVP Consumer Security