Pop Up From Adultfriendfinder

This topic is locked
18 replies to this topic

#1 sandyy

Posted 21 August 2006 - 08:26 AM

All of a sudden I've started getting one pop up from adultfriendfinder... in IE & FF.

My HJT log,

Logfile of HijackThis v1.99.1
Scan saved at 6:51:29 AM, on 8/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Broadband Pacenet\Pacenet Dialer\PaceDial.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1F39E40-DB11-404D-9941-C64FCD647C7D}: NameServer = 203.115.71.66 203.115.81.38
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
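The helpers in this thread read the HijackThis log by eye. As an added example that is not part of this thread, here is a small Python parser for HijackThis v1.99.1 lines of the kind posted above, running the checks a reviewer makes while reading: O4 autostarts with no matching running process, entries marked "(file missing)", O17 NameServer addresses to compare against the ISP's known resolvers, and load paths outside the Windows and Program Files trees. The sample log is a constructed subset of the first log above; the check names and path heuristics are assumptions of mine, not HijackThis's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Entry:
    code: str              # HijackThis section, e.g. "O4", "O17"
    raw: str               # the full log line
    name: str = ""         # Run value name, BHO name, button text, service name
    path: str = ""         # executable / DLL path where the line carries one
    file_missing: bool = False


# Constructed sample: a subset of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 6:51:29 AM, on 8/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1F39E40-DB11-404D-9941-C64FCD647C7D}: NameServer = 203.115.71.66 203.115.81.38
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
"""

ENTRY_RE = re.compile(r'^(?P<code>[RFO]\d+) - (?P<body>.*)$')
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
PATH_RE = re.compile(r'[A-Za-z]:\\')
# Heuristic (assumption): anything loaded from outside these roots deserves a look.
KNOWN_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def _exe_from_command(cmd: str) -> str:
    """Pull the executable out of a Run-key command. Quoted paths are taken
    verbatim; unquoted ones (which may contain spaces) run up to the first
    ' /' switch or the end of the line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return re.split(r'\s+/', cmd, maxsplit=1)[0]


def parse_log(text: str) -> Dict[str, list]:
    """Split a HijackThis log into the running-process list and typed entries."""
    processes: List[str] = []
    entries: List[Entry] = []
    in_procs = False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:                      # block ends at the first blank line
            if not line:
                in_procs = False
            else:
                processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        e = Entry(code=m.group("code"), raw=line)
        body = m.group("body")
        if e.code == "O4":
            m4 = O4_RE.match(line)
            if m4:
                e.name = m4.group("name")
                e.path = _exe_from_command(m4.group("cmd"))
        elif e.code in ("O2", "O9", "O20", "O23"):
            # 'Label: Name - {CLSID} - path': name follows the first ': ',
            # the path is the last ' - ' separated field.
            e.file_missing = body.endswith("(file missing)")
            body = body.replace(" (file missing)", "")
            fields = body.split(" - ")
            e.name = fields[0].split(": ", 1)[-1]
            if PATH_RE.match(fields[-1]):
                e.path = fields[-1]
        elif e.code == "O17":
            e.name = "NameServer"
            e.path = body.split("NameServer = ", 1)[-1]
        entries.append(e)
    return {"processes": processes, "entries": entries}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def autostarts_not_running(parsed: Dict[str, list]) -> List[str]:
    """O4 Run entries whose executable is absent from 'Running processes'.
    Normal for programs that run once and exit, otherwise worth a second look."""
    running = {_basename(p) for p in parsed["processes"]}
    return [e.name for e in parsed["entries"]
            if e.code == "O4" and e.path and _basename(e.path) not in running]


def missing_files(parsed: Dict[str, list]) -> List[str]:
    """Entries HijackThis tagged '(file missing)': stale pointers to remove."""
    return [f"{e.code} {e.name}" for e in parsed["entries"] if e.file_missing]


def nameservers(parsed: Dict[str, list]) -> List[str]:
    """DNS servers from O17 lines, to be checked against the ISP's resolvers."""
    out: List[str] = []
    for e in parsed["entries"]:
        if e.code == "O17":
            out.extend(e.path.split())
    return out


def paths_outside_known_roots(parsed: Dict[str, list]) -> List[str]:
    """Modules or autostarts living outside the Windows / Program Files trees."""
    return [e.path for e in parsed["entries"]
            if e.path and e.code != "O17"
            and not e.path.lower().startswith(KNOWN_ROOTS)]
```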

#2 Buckeye_Sam
Malware Expert

Posted 22 August 2006 - 09:14 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:



Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 sandyy

Posted 22 August 2006 - 10:25 AM

Buckeye_Sam, thanks for your help :thumbsup:

I've scanned with Vundo, but no infected files were found.

VundoFix V6.1.2

Checking Java version...

Java version is 1.4.2.4

Java version is 1.5.0.3

Scan started at 7:49:59 AM 8/22/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...

Logfile of HijackThis v1.99.1
Scan saved at 8:45:26 AM, on 8/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Broadband Pacenet\Pacenet Dialer\PaceDial.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1F39E40-DB11-404D-9941-C64FCD647C7D}: NameServer = 203.115.71.66 203.115.81.38
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

#4 Buckeye_Sam
Malware Expert

Posted 22 August 2006 - 07:13 PM

I guess I lost that round. :thumbsup:

Your HijackThis log is not showing any signs of malware, so let's get a look at a more detailed log.


Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

#5 sandyy

Posted 23 August 2006 - 09:50 AM

michael - 06-08-23 20:11:46.12
ComboFix 06.08.18 - Running from: C:\Documents and Settings\michael\Desktop

((((((((((((((((((((((((((((((( Files Created from 2006-07-23 to 2006-08-23 ))))))))))))))))))))))))))))))))))


2006-08-02 20:29 22,752 C:\WINDOWS\system32\spupdsvc.exe
2006-07-30 23:07 221,184 C:\WINDOWS\system32\wmpns.dll
2006-07-29 14:37 2,019,328 C:\WINDOWS\NuNinst.exe
2006-07-29 14:17 476,320 C:\WINDOWS\system32\ImagXpr7.dll
2006-07-29 14:17 471,040 C:\WINDOWS\system32\ImagXRA7.dll
2006-07-29 14:17 262,144 C:\WINDOWS\system32\ImagXR7.dll
2006-07-29 14:17 155,648 C:\WINDOWS\system32\NeroCheck.exe
2006-07-29 14:17 106,496 C:\WINDOWS\system32\TwnLib20.dll
2006-07-29 14:17 1,568,768 C:\WINDOWS\system32\ImagX7.dll
2006-07-29 13:44 8,828 C:\WINDOWS\pppoe.dll
2006-07-29 13:44 69,632 C:\WINDOWS\pppoecfg.exe
2006-07-29 13:41 89,360 C:\WINDOWS\system32\VB5DB.DLL
2006-07-29 13:28 720,896 C:\WINDOWS\system32\Audio3D.dll
2006-07-29 13:28 720,896 C:\WINDOWS\system32\a3d.dll
2006-07-29 13:28 53,248 C:\WINDOWS\SOUNDMAN.EXE
2006-07-29 13:28 208,896 C:\WINDOWS\alcupd.exe
2006-07-29 13:28 155,648 C:\WINDOWS\system32\igfxres.dll
2006-07-29 13:28 135,168 C:\WINDOWS\alcrmv.exe
2006-07-29 13:27 90,112 C:\WINDOWS\system32\igfxext.exe
2006-07-29 13:27 73,728 C:\WINDOWS\system32\ialmrem.dll
2006-07-29 13:27 65,536 C:\WINDOWS\system32\iAlmCoIn_v13.dll
2006-07-29 13:27 32,768 C:\WINDOWS\system32\igfxexps.dll
2006-07-29 13:27 188,416 C:\WINDOWS\system32\ialmgdev.dll
2006-07-29 13:27 1,859,584 C:\WINDOWS\system32\ialmgicd.dll
2006-07-29 13:26 86,016 C:\WINDOWS\system32\igfxdo.dll
2006-07-29 13:26 503,808 C:\WINDOWS\system32\igfxress.dll
2006-07-29 13:26 487,424 C:\WINDOWS\system32\igfxcfg.exe
2006-07-29 13:26 460,866 C:\WINDOWS\system32\ialmdd5.dll
2006-07-29 13:26 45,056 C:\WINDOWS\system32\igfxdgps.dll
2006-07-29 13:26 33,792 C:\WINDOWS\system32\ialmrnt5.dll
2006-07-29 13:26 315,392 C:\WINDOWS\system32\igfxsrvc.dll
2006-07-29 13:26 221,184 C:\WINDOWS\system32\igfxeud.dll
2006-07-29 13:26 204,800 C:\WINDOWS\system32\igfxpph.dll
2006-07-29 13:26 194,427 C:\WINDOWS\system32\ialmdev5.dll
2006-07-29 13:26 155,648 C:\WINDOWS\system32\igfxtray.exe
2006-07-29 13:26 151,552 C:\WINDOWS\system32\igfxdiag.exe
2006-07-29 13:26 147,456 C:\WINDOWS\system32\igfxdev.dll
2006-07-29 13:26 118,784 C:\WINDOWS\system32\igfxhk.dll
2006-07-29 13:26 118,784 C:\WINDOWS\system32\hccutils.dll
2006-07-29 13:26 114,748 C:\WINDOWS\system32\ialmdnt5.dll
2006-07-29 13:26 114,688 C:\WINDOWS\system32\hkcmd.exe
2006-07-29 13:15 112,128 C:\WINDOWS\system32\mapi32.dll
2006-07-29 13:15 0 C:\MSDOS.SYS
2006-07-29 13:15 0 C:\IO.SYS
2006-07-29 13:15 0 C:\CONFIG.SYS
2006-07-29 13:15 0 C:\AUTOEXEC.BAT
2006-07-29 13:12 81,920 C:\WINDOWS\system32\isign32.dll
2006-07-29 13:12 81,920 C:\WINDOWS\system32\ils.dll
2006-07-29 13:12 8,192 C:\WINDOWS\system32\bitsprx2.dll
2006-07-29 13:12 73,728 C:\WINDOWS\system32\icwdial.dll
2006-07-29 13:12 7,168 C:\WINDOWS\system32\bitsprx3.dll
2006-07-29 13:12 69,632 C:\WINDOWS\system32\msconf.dll
2006-07-29 13:12 678,400 C:\WINDOWS\system32\inetcomm.dll
2006-07-29 13:12 67,584 C:\WINDOWS\system32\srclient.dll
2006-07-29 13:12 65,536 C:\WINDOWS\system32\icwphbk.dll
2006-07-29 13:12 64,512 C:\WINDOWS\system32\acctres.dll
2006-07-29 13:12 6,656 C:\WINDOWS\system32\wuauserv.dll
2006-07-29 13:12 48,128 C:\WINDOWS\system32\inetres.dll
2006-07-29 13:12 465,176 C:\WINDOWS\system32\wuapi.dll
2006-07-29 13:12 45,568 C:\WINDOWS\system32\safrslv.dll
2006-07-29 13:12 43,520 C:\WINDOWS\system32\safrcdlg.dll
2006-07-29 13:12 43,520 C:\WINDOWS\system32\racpldlg.dll
2006-07-29 13:12 41,240 C:\WINDOWS\system32\wups.dll
2006-07-29 13:12 382,464 C:\WINDOWS\system32\qmgr.dll
2006-07-29 13:12 34,560 C:\WINDOWS\system32\mnmdd.dll
2006-07-29 13:12 32,768 C:\WINDOWS\system32\mnmsrvc.exe
2006-07-29 13:12 32,768 C:\WINDOWS\system32\isrdbg32.dll
2006-07-29 13:12 29,696 C:\WINDOWS\system32\safrdm.dll
2006-07-29 13:12 28,672 C:\WINDOWS\system32\nmmkcert.dll
2006-07-29 13:12 274,944 C:\WINDOWS\system32\mstask.dll
2006-07-29 13:12 274,432 C:\WINDOWS\system32\inetcfg.dll
2006-07-29 13:12 252,928 C:\WINDOWS\system32\msoeacct.dll
2006-07-29 13:12 239,104 C:\WINDOWS\system32\srrstr.dll
2006-07-29 13:12 22,528 C:\WINDOWS\system32\fltMc.exe
2006-07-29 13:12 194,328 C:\WINDOWS\system32\wuaueng1.dll
2006-07-29 13:12 190,976 C:\WINDOWS\system32\schedsvc.dll
2006-07-29 13:12 18,944 C:\WINDOWS\system32\qmgrprxy.dll
2006-07-29 13:12 173,536 C:\WINDOWS\system32\wuweb.dll
2006-07-29 13:12 172,312 C:\WINDOWS\system32\wuauclt1.exe
2006-07-29 13:12 170,496 C:\WINDOWS\system32\srsvc.dll
2006-07-29 13:12 16,896 C:\WINDOWS\system32\fltlib.dll
2006-07-29 13:12 16,384 C:\WINDOWS\system32\icfgnt5.dll
2006-07-29 13:12 127,256 C:\WINDOWS\system32\wucltui.dll
2006-07-29 13:12 124,184 C:\WINDOWS\system32\wuauclt.exe
2006-07-29 13:12 12,288 C:\WINDOWS\system32\nmevtmsg.dll
2006-07-29 13:12 12,288 C:\WINDOWS\system32\mstinit.exe
2006-07-29 13:12 11,264 C:\WINDOWS\system32\atrace.dll
2006-07-29 13:12 105,984 C:\WINDOWS\system32\msoert2.dll
2006-07-29 13:12 1,343,768 C:\WINDOWS\system32\wuaueng.dll
2006-07-29 13:10 93,696 C:\WINDOWS\system32\tscfgwmi.dll
2006-07-29 13:10 90,112 C:\WINDOWS\system32\mtxoci.dll
2006-07-29 13:10 9,728 C:\WINDOWS\system32\reset.exe
2006-07-29 13:10 87,176 C:\WINDOWS\system32\rdpwsx.dll
2006-07-29 13:10 82,432 C:\WINDOWS\system32\comrepl.dll
2006-07-29 13:10 80,384 C:\WINDOWS\system32\charmap.exe
2006-07-29 13:10 73,216 C:\WINDOWS\system32\avwav.dll
2006-07-29 13:10 67,072 C:\WINDOWS\system32\rdshost.exe
2006-07-29 13:10 655,360 C:\WINDOWS\system32\mstscax.dll
2006-07-29 13:10 62,464 C:\WINDOWS\system32\rdpclip.exe
2006-07-29 13:10 605,696 C:\WINDOWS\system32\getuname.dll
2006-07-29 13:10 60,416 C:\WINDOWS\system32\remotepg.dll
2006-07-29 13:10 56,832 C:\WINDOWS\system32\sol.exe
2006-07-29 13:10 55,296 C:\WINDOWS\system32\freecell.exe
2006-07-29 13:10 54,272 C:\WINDOWS\system32\stclient.dll
2006-07-29 13:10 538,624 C:\WINDOWS\system32\spider.exe
2006-07-29 13:10 5,632 C:\WINDOWS\system32\write.exe
2006-07-29 13:10 5,120 C:\WINDOWS\system32\dcomcnfg.exe
2006-07-29 13:10 44,544 C:\WINDOWS\system32\tscupgrd.exe
2006-07-29 13:10 44,544 C:\WINDOWS\system32\hticons.dll
2006-07-29 13:10 407,552 C:\WINDOWS\system32\mstsc.exe
2006-07-29 13:10 4,096 C:\WINDOWS\system32\rdpcfgex.dll
2006-07-29 13:10 4,096 C:\WINDOWS\system32\mtxex.dll
2006-07-29 13:10 38,912 C:\WINDOWS\system32\cfgbkend.dll
2006-07-29 13:10 35,328 C:\WINDOWS\system32\winchat.exe
2006-07-29 13:10 345,088 C:\WINDOWS\system32\hypertrm.dll
2006-07-29 13:10 343,040 C:\WINDOWS\system32\mspaint.exe
2006-07-29 13:10 33,792 C:\WINDOWS\system32\regini.exe
2006-07-29 13:10 295,424 C:\WINDOWS\system32\termsrv.dll
2006-07-29 13:10 25,600 C:\WINDOWS\system32\comaddin.dll
2006-07-29 13:10 25,088 C:\WINDOWS\system32\mtxlegih.dll
2006-07-29 13:10 227,840 C:\WINDOWS\system32\avtapi.dll
2006-07-29 13:10 22,016 C:\WINDOWS\system32\qwinsta.exe
2006-07-29 13:10 20,992 C:\WINDOWS\system32\msg.exe
2006-07-29 13:10 20,480 C:\WINDOWS\system32\qprocess.exe
2006-07-29 13:10 20,480 C:\WINDOWS\system32\mtxdm.dll
2006-07-29 13:10 19,968 C:\WINDOWS\system32\rdpsnd.dll
2006-07-29 13:10 183,808 C:\WINDOWS\system32\accwiz.exe
2006-07-29 13:10 161,280 C:\WINDOWS\system32\msdtcuiu.dll
2006-07-29 13:10 16,896 C:\WINDOWS\system32\tsshutdn.exe
2006-07-29 13:10 16,896 C:\WINDOWS\system32\qappsrv.exe
2006-07-29 13:10 16,384 C:\WINDOWS\system32\tskill.exe
2006-07-29 13:10 16,384 C:\WINDOWS\system32\avmeter.dll
2006-07-29 13:10 15,872 C:\WINDOWS\system32\rwinsta.exe
2006-07-29 13:10 15,872 C:\WINDOWS\system32\cdmodem.dll
2006-07-29 13:10 15,360 C:\WINDOWS\system32\logoff.exe
2006-07-29 13:10 147,968 C:\WINDOWS\system32\rdchost.dll
2006-07-29 13:10 147,456 C:\WINDOWS\system32\comsnap.dll
2006-07-29 13:10 140,800 C:\WINDOWS\system32\sessmgr.exe
2006-07-29 13:10 14,848 C:\WINDOWS\system32\tsdiscon.exe
2006-07-29 13:10 14,848 C:\WINDOWS\system32\tscon.exe
2006-07-29 13:10 14,848 C:\WINDOWS\system32\shadow.exe
2006-07-29 13:10 138,752 C:\WINDOWS\system32\sndvol32.exe
2006-07-29 13:10 131,584 C:\WINDOWS\system32\sndrec32.exe
2006-07-29 13:10 13,824 C:\WINDOWS\system32\rdsaddin.exe
2006-07-29 13:10 126,976 C:\WINDOWS\system32\mshearts.exe
2006-07-29 13:10 123,392 C:\WINDOWS\system32\mplay32.exe
2006-07-29 13:10 119,808 C:\WINDOWS\system32\winmine.exe
2006-07-29 13:10 114,688 C:\WINDOWS\system32\calc.exe
2006-07-29 13:10 11,264 C:\WINDOWS\system32\icaapi.dll
2006-07-29 13:10 102,912 C:\WINDOWS\system32\clipbrd.exe
2006-07-29 13:10 1,161 C:\WINDOWS\system32\usrlogon.cmd
2006-07-29 13:09 949,248 C:\WINDOWS\system32\msdtctm.dll
2006-07-29 13:09 85,504 C:\WINDOWS\system32\catsrvps.dll
2006-07-29 13:09 628,224 C:\WINDOWS\system32\catsrvut.dll
2006-07-29 13:09 628,224 C:\WINDOWS\system32\catsrvut(2).dll
2006-07-29 13:09 62,464 C:\WINDOWS\system32\colbact.DLL
2006-07-29 13:09 62,464 C:\WINDOWS\system32\colbact(2).DLL
2006-07-29 13:09 6,144 C:\WINDOWS\system32\msdtc.exe
2006-07-29 13:09 58,880 C:\WINDOWS\system32\msdtclog.dll
2006-07-29 13:09 58,880 C:\WINDOWS\system32\licwmi.dll
2006-07-29 13:09 56,320 C:\WINDOWS\system32\servdeps.dll
2006-07-29 13:09 540,160 C:\WINDOWS\system32\comuid.dll
2006-07-29 13:09 501,248 C:\WINDOWS\system32\CLBCATQ.DLL
2006-07-29 13:09 501,248 C:\WINDOWS\system32\CLBCATQ(2).DLL
2006-07-29 13:09 425,472 C:\WINDOWS\system32\msdtcprx.dll
2006-07-29 13:09 229,888 C:\WINDOWS\system32\catsrv.dll
2006-07-29 13:09 229,888 C:\WINDOWS\system32\catsrv(2).dll
2006-07-29 13:09 185,344 C:\WINDOWS\system32\cmprops.dll
2006-07-29 13:09 17,408 C:\WINDOWS\system32\mmfutil.dll
2006-07-29 13:09 110,080 C:\WINDOWS\system32\clbcatex.dll
2006-07-29 13:09 11,776 C:\WINDOWS\system32\xolehlp.dll
2006-07-29 13:09 1,251,840 C:\WINDOWS\system32\comsvcs.dll
2006-07-29 13:09 1,251,840 C:\WINDOWS\system32\comsvcs(2).dll
2006-07-29 13:04 86,016 C:\WINDOWS\system32\mdmxsdk.dll
2006-07-29 13:04 74,240 C:\WINDOWS\system32\usbui.dll
2006-07-29 13:04 4,096 C:\WINDOWS\system32\ksuser.dll
2006-07-29 13:04 32,285 C:\WINDOWS\system32\HSFCISP2.dll
2006-07-29 13:03 85,020 C:\WINDOWS\system32\dgsetup.dll
2006-07-29 13:03 8,192 C:\WINDOWS\system32\kbdhept.dll
2006-07-29 13:03 7,168 C:\WINDOWS\system32\kbdcz.dll
2006-07-29 13:03 6,656 C:\WINDOWS\system32\kbdycl.dll
2006-07-29 13:03 6,656 C:\WINDOWS\system32\kbdsl1.dll
2006-07-29 13:03 6,656 C:\WINDOWS\system32\kbdsl.dll
2006-07-29 13:03 6,656 C:\WINDOWS\system32\kbdpl.dll
2006-07-29 13:03 6,656 C:\WINDOWS\system32\kbdhu.dll
2006-07-29 13:03 6,656 C:\WINDOWS\system32\kbdhela3.dll
2006-07-29 13:03 6,656 C:\WINDOWS\system32\kbdcz2.dll
2006-07-29 13:03 6,656 C:\WINDOWS\system32\kbdcz1.dll
2006-07-29 13:03 6,656 C:\WINDOWS\system32\kbdcr.dll
2006-07-29 13:03 6,656 C:\WINDOWS\system32\KBDAL.DLL
2006-07-29 13:03 6,144 C:\WINDOWS\system32\kbdtuq.dll
2006-07-29 13:03 6,144 C:\WINDOWS\system32\kbdtuf.dll
2006-07-29 13:03 6,144 C:\WINDOWS\system32\kbdlv1.dll
2006-07-29 13:03 6,144 C:\WINDOWS\system32\kbdlv.dll
2006-07-29 13:03 6,144 C:\WINDOWS\system32\kbdhela2.dll
2006-07-29 13:03 6,144 C:\WINDOWS\system32\kbdgkl.dll
2006-07-29 13:03 6,144 C:\WINDOWS\system32\kbdest.dll
2006-07-29 13:03 5,632 C:\WINDOWS\system32\kbdycc.dll
2006-07-29 13:03 5,632 C:\WINDOWS\system32\kbduzb.dll
2006-07-29 13:03 5,632 C:\WINDOWS\system32\kbdur.dll
2006-07-29 13:03 5,632 C:\WINDOWS\system32\kbdtat.dll
2006-07-29 13:03 5,632 C:\WINDOWS\system32\kbdru1.dll
2006-07-29 13:03 5,632 C:\WINDOWS\system32\kbdru.dll
2006-07-29 13:03 5,632 C:\WINDOWS\system32\kbdro.dll
2006-07-29 13:03 5,632 C:\WINDOWS\system32\kbdpl1.dll
2006-07-29 13:03 5,632 C:\WINDOWS\system32\kbdmon.dll
2006-07-29 13:03 5,632 C:\WINDOWS\system32\kbdlt1.dll
2006-07-29 13:03 5,632 C:\WINDOWS\system32\kbdlt.dll
2006-07-29 13:03 5,632 C:\WINDOWS\system32\kbdkyr.dll
2006-07-29 13:03 5,632 C:\WINDOWS\system32\kbdkaz.dll
2006-07-29 13:03 5,632 C:\WINDOWS\system32\kbdhu1.dll
2006-07-29 13:03 5,632 C:\WINDOWS\system32\kbdhe319.dll
2006-07-29 13:03 5,632 C:\WINDOWS\system32\kbdhe220.dll
2006-07-29 13:03 5,632 C:\WINDOWS\system32\kbdhe.dll
2006-07-29 13:03 5,632 C:\WINDOWS\system32\kbdbu.dll
2006-07-29 13:03 5,632 C:\WINDOWS\system32\kbdblr.dll
2006-07-29 13:03 5,632 C:\WINDOWS\system32\kbdazel.dll
2006-07-29 13:03 5,632 C:\WINDOWS\system32\kbdaze.dll
2006-07-29 13:03 176,157 C:\WINDOWS\system32\dgrpsetu.dll
2006-07-29 13:03 13,312 C:\WINDOWS\system32\irclass.dll
2006-07-29 13:02 8,704 C:\WINDOWS\system32\batt.dll
2006-07-29 13:02 74,752 C:\WINDOWS\system32\storprop.dll
2006-07-29 13:02 69,120 C:\WINDOWS\NOTEPAD.EXE
2006-07-29 13:02 24,661 C:\WINDOWS\system32\spxcoins.dll
2006-07-29 13:02 15,360 C:\WINDOWS\TASKMAN.EXE
2006-07-29 13:02 103,424 C:\WINDOWS\system32\EqnClass.Dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-17 21:01 -------- d-------- C:\Program Files\FrostWire
2006-08-17 21:01 -------- d-------- C:\Documents and Settings\michael\Application Data\FrostWire
2006-08-12 21:37 -------- d-------- C:\Program Files\Java
2006-08-12 21:37 -------- d-------- C:\Program Files\Common Files\Java
2006-08-11 19:30 -------- d-------- C:\Program Files\Network Associates
2006-08-11 19:30 -------- d-------- C:\Program Files\Common Files\Network Associates
2006-08-09 23:27 -------- d-------- C:\Program Files\Lavasoft
2006-08-09 23:27 -------- d-------- C:\Documents and Settings\michael\Application Data\Lavasoft
2006-08-09 22:09 -------- d-------- C:\Program Files\SpywareBlaster
2006-07-31 16:49 -------- d-------- C:\Program Files\YahELite
2006-07-31 10:36 -------- d-------- C:\Documents and Settings\michael\Application Data\AdobeUM
2006-07-31 10:36 -------- d-------- C:\Documents and Settings\michael\Application Data\Adobe
2006-07-30 22:59 -------- d-------- C:\Documents and Settings\michael\Application Data\Macromedia
2006-07-29 21:35 -------- d-------- C:\Documents and Settings\michael\Application Data\Sun
2006-07-29 21:13 -------- d-------- C:\Program Files\LimeWire
2006-07-29 15:18 -------- d-------- C:\Documents and Settings\michael\Application Data\ZipGenius
2006-07-29 14:46 -------- d-------- C:\Program Files\Mozilla Firefox
2006-07-29 14:46 -------- d-------- C:\Documents and Settings\michael\Application Data\Mozilla
2006-07-29 14:39 -------- d-------- C:\Documents and Settings\michael\Application Data\Identities
2006-07-29 14:31 -------- d-------- C:\Program Files\ZipGenius 6
2006-07-29 14:23 -------- d-------- C:\Program Files\Yahoo!
2006-07-29 14:19 -------- d-------- C:\Program Files\Common Files\Nero
2006-07-29 14:16 -------- d-------- C:\Program Files\Common Files\Ahead
2006-07-29 14:16 -------- d-------- C:\Program Files\Ahead
2006-07-29 14:14 -------- d-------- C:\Program Files\Common Files\Adobe
2006-07-29 14:14 -------- d-------- C:\Program Files\Adobe
2006-07-29 14:06 -------- d-------- C:\Program Files\Microsoft ActiveSync
2006-07-29 14:05 -------- d-------- C:\Program Files\Microsoft Visual Studio
2006-07-29 14:05 -------- d-------- C:\Program Files\Common Files\Designer
2006-07-29 14:04 -------- d-------- C:\Program Files\Microsoft Office
2006-07-29 13:41 -------- d-------- C:\Program Files\Broadband Pacenet
2006-07-29 13:37 -------- d-------- C:\Program Files\Common Files\Cisco Systems
2006-07-29 13:29 -------- d-------- C:\Program Files\Realtek Sound Manager
2006-07-29 13:28 -------- d-------- C:\Program Files\AvRack
2006-07-29 13:26 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-07-29 13:26 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-07-29 13:24 -------- d--h----- C:\Program Files\Uninstall Information
2006-07-29 13:16 -------- d-------- C:\Program Files\xerox
2006-07-29 13:16 -------- d-------- C:\Program Files\microsoft frontpage
2006-07-29 13:15 0 -rahs---- C:\MSDOS.SYS
2006-07-29 13:15 0 -rahs---- C:\IO.SYS
2006-07-29 13:15 0 --a------ C:\CONFIG.SYS
2006-07-29 13:15 0 --a------ C:\AUTOEXEC.BAT
2006-07-29 13:13 -------- d--h----- C:\Program Files\WindowsUpdate
2006-07-29 13:12 -------- d-------- C:\Program Files\Outlook Express
2006-07-29 13:12 -------- d-------- C:\Program Files\NetMeeting
2006-07-29 13:12 -------- d-------- C:\Program Files\Movie Maker
2006-07-29 13:12 -------- d-------- C:\Program Files\Internet Explorer
2006-07-29 13:12 -------- d-------- C:\Program Files\Common Files\System
2006-07-29 13:12 -------- d-------- C:\Program Files\Common Files\Services
2006-07-29 13:12 -------- d-------- C:\Program Files\Common Files\MSSoap
2006-07-29 13:11 -------- d-------- C:\Program Files\ComPlus Applications
2006-07-29 13:10 -------- d-------- C:\Program Files\Windows NT
2006-07-29 13:10 -------- d-------- C:\Program Files\Windows Media Player
2006-07-29 13:10 -------- d-------- C:\Program Files\Online Services
2006-07-29 13:10 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-07-29 13:10 -------- d-------- C:\Program Files\MSN
2006-07-29 13:03 -------- d-------- C:\Program Files\Common Files\SpeechEngines
2006-07-29 13:03 -------- d-------- C:\Program Files\Common Files\ODBC
2006-07-29 13:03 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-07-29 13:03 -------- d-------- C:\Program Files\Common Files
2006-07-29 13:02 62 --ahs---- C:\Documents and Settings\michael\Application Data\desktop.ini
2006-07-29 13:02 -------- d---s---- C:\Documents and Settings\michael\Application Data\Microsoft


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"Network Associates Error Reporting Service"="\"C:\\Program Files\\Common Files\\Network Associates\\TalkBack\\TBMon.exe\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\SoundMan]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SOUNDMAN"
"hkey"="HKLM"
"command"="SOUNDMAN.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypager"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe\" -quiet"
"inimapping"="0"



Completion time: 06-08-23 20:12:31.37
ComboFix2.txt
ComboFix.txt

#6 Buckeye_Sam

    Malware Expert

Posted 23 August 2006 - 11:30 AM

When did you first notice the popups?

Download GMER from here:
http://www.gmer.net/files.php

Unzip it to the desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has run, click Copy and paste the results (if any) into this thread.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 sandyy

  • Topic Starter

Posted 25 August 2006 - 10:48 AM

I started getting these pop ups 2 weeks ago. I also get pop ups for the latest computers and laptops too :whistle: I did scan with gmer; no results appeared after the scan.

#8 Buckeye_Sam

    Malware Expert

Posted 25 August 2006 - 09:20 PM

All of your logs are coming up clean, which means that there's got to be a rootkit hiding everything from us. We just have to find it.

Let's try another tool.

Please download Rootkit Revealer (link is at the very bottom of the page)
  • Unzip it to your desktop.
  • Open the RootkitRevealer folder and double-click RootkitRevealer.exe
  • Click the Scan button (bottom right)
  • It may take a while to scan (don't do anything while it's running)
  • When it's done, go to File > Save. Choose to save the log to your desktop.
  • Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here
Please don't surf or do anything else during the scan with RootkitRevealer, or it may interfere with the results and show legitimate entries.

#9 sandyy

  • Topic Starter

Posted 27 August 2006 - 09:42 AM

HKLM\SOFTWARE\Network Associates\TVD\Shared Components\On Access Scanner\McShield\dwFilesScanned 06-08-26 19:26 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Network Associates\TVD\Shared Components\On Access Scanner\McShield\szLastScanned 06-08-26 19:26 128 bytes Windows API length not consistent with raw hive data.
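A small triage script for discrepancy lines in the format pasted above, added here as an example and not part of the thread or of RootkitRevealer itself. It separates the expected kind of mismatch (a live on-access scanner rewriting its own counters while the scan runs, which is why Buckeye_Sam asked for no activity during the scan) from entries reported as hidden from the Windows API, which is what a rootkit actually produces. The allowlisted prefix is the McShield key from the thread; the two extra sample lines, their paths and sizes are constructed placeholders.

```python
"""Triage RootkitRevealer-style discrepancy lines (added example, not RKR code).

RootkitRevealer lists every place where the Windows API view of the registry
or file system disagrees with a raw read of the hive or volume.  A live AV
on-access scanner updates its own counters during the scan, so a mismatch
under its keys is noise; an entry hidden from the API is worth escalating.
"""
import re
from dataclasses import dataclass

# Line shape as pasted in the thread:
#   <path> <yy-mm-dd> <hh:mm> <size> bytes|KB|MB <description>
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<stamp>\d{2}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+(?:\.\d+)?\s*(?:bytes|KB|MB))\s+"
    r"(?P<desc>.+?)\s*$"
)

# Registry subtrees a running on-access scanner rewrites continuously.
# The McShield key comes from the thread; an analyst extends this list for
# whatever AV/EDR product is installed on the machine being examined.
VOLATILE_PREFIXES = (
    r"HKLM\SOFTWARE\Network Associates\TVD\Shared Components\On Access Scanner",
)

# Wording RootkitRevealer uses for API-vs-raw value disagreements.
DISCREPANCY_WORDS = ("mismatch", "not consistent")


@dataclass
class Finding:
    path: str
    stamp: str
    size: str
    desc: str
    verdict: str  # "suspicious", "review" or "expected-volatile"


def classify(path: str, desc: str) -> str:
    """Apply the thread's reasoning: hidden objects are the real signal,
    value mismatches under a live scanner's own keys are expected."""
    d = desc.lower()
    if d.startswith("hidden from windows api"):
        return "suspicious"
    if any(w in d for w in DISCREPANCY_WORDS):
        if any(path.lower().startswith(p.lower()) for p in VOLATILE_PREFIXES):
            return "expected-volatile"
    return "review"


def parse_line(line: str):
    """Return a Finding for one report line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Finding(m["path"], m["stamp"], m["size"], m["desc"],
                   classify(m["path"], m["desc"]))


def triage(text: str):
    """Parse a whole pasted report; return (findings, counts per verdict)."""
    findings = [f for f in (parse_line(l) for l in text.splitlines()) if f]
    summary = {"suspicious": 0, "review": 0, "expected-volatile": 0}
    for f in findings:
        summary[f.verdict] += 1
    return findings, summary


# First two lines are the ones posted in the thread; the last two are
# constructed placeholders (not real indicators) to exercise the other paths.
SAMPLE_LOG = r"""
HKLM\SOFTWARE\Network Associates\TVD\Shared Components\On Access Scanner\McShield\dwFilesScanned 06-08-26 19:26 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Network Associates\TVD\Shared Components\On Access Scanner\McShield\szLastScanned 06-08-26 19:26 128 bytes Windows API length not consistent with raw hive data.
HKLM\SOFTWARE\PlaceholderVendor\Counter 06-08-26 19:27 4 bytes Data mismatch between Windows API and raw hive data.
C:\WINDOWS\system32\drivers\placeholder-hidden.sys 06-08-26 19:30 12.00 KB Hidden from Windows API.
"""

if __name__ == "__main__":
    found, counts = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.verdict:17}] {f.path}  ({f.desc})")
    print(counts)
```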

#10 Buckeye_Sam

    Malware Expert

Posted 27 August 2006 - 10:11 AM

Update Java:
  • Click Start -> Control Panel -> Add/Remove Programs
  • Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )

    It should have the Java icon next to it.
    Select it and click Remove.
  • The current version of Java can be downloaded from http://java.sun.com/javase/downloads/index.jsp Scroll down the page to 'Java Runtime Environment (JRE) 5.0 Update 8' and press the 'Download' button. On the new web page, click the 'Accept License Agreement' button. Then select 'Windows Offline Installation, Multi-language' in the Windows Platform area just below the Accept button.
Go back into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - Leave ALL 3 Checked
    • Downloaded Applets
    • Downloaded Applications
    • Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.
=============



Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
=============



Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Double-click sspsetup1.exe to install it.
  • Before installation it may ask you to check for program updates. Click YES.
    Then finish installation leaving all the default options.
  • Once the program is installed, it will ask if you wish to reboot now choose YES.
  • After reboot, open SpySweeper, by double-clicking the icon on your desktop.
  • Click Options on the left side.
  • Click the Sweep tab.
  • Under Items to Sweep make sure the following are checked:
    • Windows registry
    • Memory objects
    • Cookies
    • Compressed Files
    • System Restore Folder
  • Under Other Options make sure the following are checked:
    • Sweep all user accounts
    • Enable Direct Disk Sweeping
    • Sweep for rootkits
  • Click the Sweep button on the left side.
  • Click the Start Sweep button.
  • When it's done scanning, make sure everything has a check next to it, then click the Quarantine Selected button.
  • It will quarantine all of the items found.
  • Click View Session Log in the right corner above the box where the items are listed.
  • Click Save to File and save it on your desktop.
  • Exit SpySweeper.
  • Paste the contents of the session log you saved into your next reply (Spy Sweeper Session Log.txt).
  • NOTE: you can get to the log by clicking Options on the left. Then, View Session Log will be listed under Other Options.
Also please post a new hijackthis log.

#11 sandyy

  • Topic Starter

Posted 28 August 2006 - 09:05 AM

I've followed your instructions, and have posted both the logs requested by you.
Spy Sweeper Session Log.txt:

11:53: None
11:53: Traces Found: 0
11:53: Full Sweep has completed. Elapsed time 00:26:45
11:53: File Sweep Complete, Elapsed Time: 00:23:07
11:52: Warning: Access violation at address 00401D58 in module 'SpySweeper.exe'. Read of address 7E8E000C
11:52: Warning: Access violation at address 0058BE6A in module 'SpySweeper.exe'. Read of address 0000038C
11:52: Warning: Access violation at address 0058BE6A in module 'SpySweeper.exe'. Read of address 0000038C
11:52: Warning: Access violation at address 0058BE6A in module 'SpySweeper.exe'. Read of address 0000038C
11:52: Warning: Access violation at address 0058BE6A in module 'SpySweeper.exe'. Read of address 0000038C
11:51: Warning: Access violation at address 0058BE6A in module 'SpySweeper.exe'. Read of address 0000038C
11:51: Warning: Access violation at address 0058BE6A in module 'SpySweeper.exe'. Read of address 0000038C
11:51: Warning: Access violation at address 0058BE6A in module 'SpySweeper.exe'. Read of address 0000038C
11:51: Warning: Access violation at address 0058BE6A in module 'SpySweeper.exe'. Read of address 0000038C


11:48: Warning: Failed to access drive E:
Operation: File Access
Target:
Source: C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\MCSHIELD.EXE
11:39: Tamper Detection
11:36: Warning: Failed to open file "c:\documents and settings\michael\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
11:36: Warning: Failed to open file "c:\documents and settings\michael\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
11:36: Warning: Failed to open file "c:\documents and settings\michael\ntuser.dat". The process cannot access the file because it is being used by another process
11:36: Warning: Failed to open file "c:\documents and settings\michael\ntuser.dat.log". The process cannot access the file because it is being used by another process
11:35: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\data\settings.dat". The process cannot access the file because it is being used by another process
11:35: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
11:35: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
11:35: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat". The process cannot access the file because it is being used by another process
11:35: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
11:35: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
11:35: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
11:35: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat". The process cannot access the file because it is being used by another process
11:35: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
11:35: Warning: Failed to open file "c:\documents and settings\all users\application data\network associates\bopdata\_date-20060828_time-112414531_enterceptexceptions.dat". The process cannot access the file because it is being used by another process
11:35: Warning: Failed to open file "c:\documents and settings\all users\application data\network associates\bopdata\_date-20060828_time-112414531_enterceptrules.dat". The process cannot access the file because it is being used by another process
11:33: Warning: Failed to open file "c:\windows\softwaredistribution\eventcache\{e6710e4d-e53a-4255-8f53-d86c5409c90c}.bin". The process cannot access the file because it is being used by another process
11:31: Warning: Failed to open file "c:\windows\system32\config\sam". The process cannot access the file because it is being used by another process
11:31: Warning: Failed to open file "c:\windows\system32\config\system". The process cannot access the file because it is being used by another process
11:31: Warning: Failed to open file "c:\windows\system32\config\software". The process cannot access the file because it is being used by another process
11:31: Warning: Failed to open file "c:\windows\system32\config\security". The process cannot access the file because it is being used by another process
11:31: Warning: Failed to open file "c:\windows\system32\config\default". The process cannot access the file because it is being used by another process
11:31: Warning: Failed to open file "c:\windows\system32\config\security.log". The process cannot access the file because it is being used by another process
11:31: Warning: Failed to open file "c:\windows\system32\config\sam.log". The process cannot access the file because it is being used by another process
11:31: Warning: Failed to open file "c:\windows\system32\config\default.log". The process cannot access the file because it is being used by another process
11:31: Warning: Failed to open file "c:\windows\system32\config\software.log". The process cannot access the file because it is being used by another process
11:31: Warning: Failed to open file "c:\windows\system32\config\system.log". The process cannot access the file because it is being used by another process
11:30: Warning: Failed to open file "c:\pagefile.sys". Access is denied
11:30: Starting File Sweep
11:30: Warning: Failed to access drive A:
11:30: Cookie Sweep Complete, Elapsed Time: 00:00:00
11:30: Starting Cookie Sweep
11:30: Registry Sweep Complete, Elapsed Time:00:00:41
11:29: Starting Registry Sweep
11:29: Memory Sweep Complete, Elapsed Time: 00:02:42
11:26: Starting Memory Sweep
11:26: Sweep initiated using definitions version 691
11:26: Spy Sweeper 5.0.5.1286 started
11:26: | Start of Session, 06-08-27 |
********
11:26: | End of Session, 06-08-27 |
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
11:24: Shield States
11:24: Spyware Definitions: 691
11:23: Spy Sweeper 5.0.5.1286 started
11:23: Spy Sweeper 5.0.5.1286 started
11:23: | Start of Session, 06-08-27 |
********



Logfile of HijackThis v1.99.1
Scan saved at 17:14, on 06-08-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Broadband Pacenet\Pacenet Dialer\PaceDial.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] "C:\Program Files\Ahead\InCD\InCD.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1F39E40-DB11-404D-9941-C64FCD647C7D}: NameServer = 203.115.71.66 203.115.81.38
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

#12 Buckeye_Sam

    Malware Expert

Posted 28 August 2006 - 07:05 PM

Are you still getting popups?
If so, tell me about them. When do you get them? What are they for? How often do they occur?

#13 Buckeye_Sam

    Malware Expert

Posted 13 September 2006 - 05:17 PM

Unfortunately there has been no response, and this thread will now be closed. :thumbsup:

If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.

#14 Buckeye_Sam

    Malware Expert

Posted 17 September 2006 - 05:12 PM

Thread reopened. :thumbsup:

#15 sandyy

  • Topic Starter

Posted 18 September 2006 - 09:04 AM

Thanks for reopening my thread :thumbsup: Yes, I still get these pop up ads (Adobe Flash Player 9), only on websites which have the word Indian or India in the URL, from my bookmarks. For example, if I visit http://www.zdnetindia.com I'm taken to this link http://www.zdnetindia.com/Ads/2006/IBM/ibm.... zdnetindia.com won't open; I'm stuck with viewing ads for IBM, Philips etc. :flowers:

Edited by sandyy, 18 September 2006 - 09:05 AM.
