
Hijackthis Log Analysis - Errorsafe, Winantivirus Popups


  • This topic is locked
24 replies to this topic

#1 teabie

teabie

  • Members
  • 26 posts
  • OFFLINE
  • Gender:Female
  • Local time:05:45 PM

Posted 23 August 2006 - 05:07 AM

Okay, so I keep getting these popups sometimes when I am surfing the internet. I also realised my computer's performance is starting to slow down, and shutting down takes quite some time too.

I've just run Vundo Fix and VirtumundoBegone, but neither detected anything. My McAfee Spyware scan and AdAware (all updated definitions) had caught nothing either.

I'll be really grateful if someone can tell me what's really going on! :thumbsup:


Logfile of HijackThis v1.99.1
Scan saved at 6:03:30 PM, on 8/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\slrundll.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\progra~1\mcafee\MCAFEE~1\masalert.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [McAfee QuickClean Imonitor] C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0713E8A2-850A-101B-AFC0-4210102A8DA7} (Microsoft TreeView Control, version 5.0 (SP2)) - http://download.mcafee.com/molbin/shared/C...22/ComCtl32.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200601...meInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120659984770
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

Edited by teabie, 23 August 2006 - 05:22 AM.




#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:45 AM

Posted 23 August 2006 - 06:46 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:
Your log doesn't show me much, so let's get a more detailed log.


Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 teabie

teabie
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Gender:Female
  • Local time:05:45 PM

Posted 23 August 2006 - 09:12 AM

Hi Sam,

Thanks for replying!

I've installed ComboFix and left it running for half an hour, and I did not click on its window, nor was I fiddling with my PC. I rebooted and tried again three times, but nothing happened. It just stayed at "Please wait..." for half an hour each time. Is the duration actually longer, or was I too impatient?

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:45 AM

Posted 23 August 2006 - 11:34 AM

Check here to see if a log was created and it just didn't open.

C:\ComboFix.txt


If not, delete the copy you downloaded and download it again. The tool is updated frequently.

Reboot right before you run it.


========================================================

#5 teabie

teabie
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Gender:Female
  • Local time:05:45 PM

Posted 23 August 2006 - 09:55 PM

Thanks for the reply!

I've tried again and it now works, but I hope it's complete because my McAfee popped a notification saying it was a suspicious script and it ended the activity. Hmm.

Can I delete the other files that arose from the scanning (i.e. handle, nircmd, NTP, Ntrights, RestartIt!, sc, sid2user, swreg)?


Stephanie - 06-08-24 10:47:57.32
ComboFix 06.08.24 - Running from: C:\Documents and Settings\Stephanie.STEPHANIE\Desktop

((((((((((((((((((((((((((((((( Files Created from 2006-07-24 to 2006-08-24 ))))))))))))))))))))))))))))))))))


No new files created in this timespan


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-24 10:45 -------- d----c--- C:\Program Files\PeerGuardian2
2006-08-23 18:13 -------- d----c--- C:\Program Files\Winamp
2006-08-23 18:03 -------- d----c--- C:\Program Files\HijackThis
2006-08-23 16:25 -------- d----c--- C:\Documents and Settings\Stephanie.STEPHANIE\Application Data\Skype
2006-08-23 15:58 -------- d----c--- C:\Program Files\Common Files\Personal
2006-08-10 11:19 -------- d----c--- C:\Program Files\Internet Explorer
2006-07-27 21:24 679424 --a--c--- C:\WINDOWS\SYSTEM32\inetcomm.dll
2006-07-23 14:53 -------- d----c--- C:\Program Files\MSN Messenger
2006-07-23 14:53 -------- d----c--- C:\Program Files\Messenger Plus! Live
2006-07-21 16:24 72704 --a--c--- C:\WINDOWS\SYSTEM32\hlink.dll
2006-07-14 11:03 -------- d----c--- C:\Program Files\BitComet
2006-07-04 23:34 -------- d----c--- C:\Documents and Settings\Stephanie.STEPHANIE\Application Data\Image Zone Express
2006-07-02 11:29 -------- d----c--- C:\Program Files\Common Files\Microsoft Shared
2006-06-16 14:34 48936 --a--c--- C:\WINDOWS\SYSTEM32\sirenacm.dll
2006-05-01 14:32 2190 --a--c--- C:\Documents and Settings\Stephanie.STEPHANIE\Application Data\HPSU_48BitScanUpdate.log
2006-05-01 14:28 5489 --a--c--- C:\Documents and Settings\Stephanie.STEPHANIE\Application Data\GdiplusUpgrade_MSIApproach_Wrapper.log


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"DataLayer"="C:\\PROGRA~1\\COMMON~1\\PCSuite\\DATALA~1\\DATALA~1.EXE"
"PCSuiteTrayApplication"="C:\\PROGRA~1\\Nokia\\NOKIAP~1\\TRAYAP~1.EXE"
"LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"
"LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe "
"LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"D-Link AirPlus G"="C:\\Program Files\\D-Link\\AirPlus G\\AirGCFG.exe"
"ANIWZCS2Service"="C:\\Program Files\\ANI\\ANIWZCS2 Service\\WZCSLDR2.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"_AntiSpyware"="c:\\progra~1\\mcafee\\MCAFEE~1\\masalert.exe"
"OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\BackWeb-8876480.exe"
"LogitechSoftwareUpdate"="\"C:\\Program Files\\Logitech\\Video\\ManifestEngine.exe\" boot"
"Sonic RecordNow!"=""
"PeerGuardian"="C:\\Program Files\\PeerGuardian2\\pg2.exe"
"McAfee QuickClean Imonitor"="C:\\Program Files\\McAfee\\McAfee QuickClean\\Plguni.exe /START"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ea,00,00,00,00,00,00,00,16,03,00,00,e2,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,ea,00,00,00,00,00,00,00,16,03,00,00,e2,02,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\mcafee antispyware.job

Completion time: Thu 24/08/2006 10:49:42.10
ComboFix.txt

Edited by teabie, 23 August 2006 - 09:59 PM.


#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:45 AM

Posted 24 August 2006 - 07:21 AM

Where are those files located that you mentioned?

Download GMER from here:
http://www.gmer.net/files.php

Unzip it to the desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has run, click Copy and paste the results (if any) into this thread.


========================================================

#7 teabie

teabie
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Gender:Female
  • Local time:05:45 PM

Posted 25 August 2006 - 02:17 AM

Hello again,

Okay, I've done as instructed, and this is the result I got.

Just today, I received the silly WinAntiVirus popup again! ARGH.



GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-08-25 15:15:19
Windows 5.1.2600 Service Pack 2


---- Devices - GMER 1.0.10 ----

Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE AE81CC8A

---- EOF - GMER 1.0.10 ----

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:45 AM

Posted 25 August 2006 - 08:14 AM

That log doesn't help either. Let's try another one.

Please download Rootkit Revealer (link is at the very bottom of the page)
  • Unzip it to your desktop.
  • Open the RootkitRevealer folder and double-click RootkitRevealer.exe
  • Click the Scan button (bottom right)
  • It may take a while to scan (don't do anything while it's running)
  • When it's done, go to File > Save. Choose to save the log to your desktop.
  • Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here
Please don't surf or do anything else during the scan with RootkitRevealer, or it may interfere with the results and show legitimate entries.


========================================================
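RootkitRevealer reports every file or registry entry where the Windows API view, the NTFS MFT view and the on-disk directory index disagree. As Sam warns above, activity during the scan (browser cache writes, temp files) produces legitimate discrepancies, so the log needs triage before any line is treated as a rootkit finding. The following helper is an added example, not a tool from this thread or from Sysinternals: it parses lines in the RootkitRevealer text format, treats discrepancies under the volatile `Local Settings\Temp` and `Temporary Internet Files` folders as likely scan-time noise, and flags entries that are hidden from the Windows API elsewhere as the ones worth examining. The sample log lines are constructed for this example and the verdict thresholds are this example's own assumption.

```python
"""Triage helper for RootkitRevealer output (added example, not a thread or Sysinternals tool).

RootkitRevealer compares three views of the system: the Windows API, the NTFS
Master File Table (MFT) and the directory index on disk. An object the API
cannot see but the MFT or registry hive does is the classic rootkit signature.
Objects that are visible to the API but missing from the MFT or index are
usually files created or deleted while the scan ran, which is why the helper
asks the user not to browse during the scan.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# One log line: <path> <YY-MM-DD> <HH:MM> <size> <discrepancy description>
# Paths may contain spaces, so the path group is non-greedy and anchored by the date.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<date>\d{2}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d.]+ (?:bytes|KB|MB))\s+"
    r"(?P<desc>.+)$"
)

# Folders that churn constantly on a live XP box; discrepancies here are
# almost always scan-time noise rather than hiding (assumption of this example).
VOLATILE_DIRS = (
    "\\local settings\\temp\\",
    "\\local settings\\temporary internet files\\",
)


@dataclass
class Entry:
    path: str
    timestamp: str
    size: str
    desc: str
    verdict: str  # "noise", "review" or "suspicious"


def classify(path: str, desc: str) -> str:
    """Map a discrepancy to a triage verdict (thresholds are this example's assumption)."""
    hidden_from_api = "hidden from windows api" in desc.lower()
    volatile = any(v in path.lower() for v in VOLATILE_DIRS)
    if hidden_from_api and not volatile:
        return "suspicious"  # API hides what MFT/hive shows: classic rootkit hook
    if hidden_from_api:
        return "review"      # cache churn can cause this, but still look
    if volatile:
        return "noise"       # created/deleted mid-scan in a temp folder
    return "review"          # MFT/index-only views outside temp folders


def parse_line(line: str) -> Optional[Entry]:
    """Parse one RootkitRevealer line; returns None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(
        path=m["path"],
        timestamp=f"{m['date']} {m['time']}",
        size=m["size"],
        desc=m["desc"],
        verdict=classify(m["path"], m["desc"]),
    )


def triage(log_text: str) -> List[Entry]:
    """Parse every recognisable line of a pasted RootkitRevealer log."""
    entries = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return [e for e in entries if e is not None]


def summarize(entries: List[Entry]) -> dict:
    """Count entries per verdict so the helper can see at a glance what needs attention."""
    return dict(Counter(e.verdict for e in entries))


# Constructed sample log lines in RootkitRevealer's format (not from the thread).
SAMPLE_LOG = r"""
C:\Documents and Settings\User\Local Settings\Temp\~DF75A9.tmp 06-08-26 21:05 400.00 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\mail[5] 06-08-27 00:14 155 bytes Hidden from Windows API.
C:\WINDOWS\system32\drivers\example.sys 06-08-27 00:20 12.50 KB Hidden from Windows API.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Example 06-08-27 00:20 0 bytes Hidden from Windows API.
C:\Program Files\SomeApp\data.dat 06-08-26 23:00 1.00 KB Visible in directory index, but not Windows API or MFT.
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for e in results:
        print(f"[{e.verdict:10}] {e.size:>10}  {e.path}")
    print(summarize(results))
```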

#9 teabie

teabie
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Gender:Female
  • Local time:05:45 PM

Posted 26 August 2006 - 11:25 AM

Hi Sam!

Okay, here are the results from the RootKit Scan.


C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temp\~DF75A9.tmp 06-08-26 21:05 400.00 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temp\~DF75D6.tmp 06-08-26 21:05 512 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temp\~DFB8B4.tmp 06-08-26 21:07 400.00 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temp\~DFB8C3.tmp 06-08-26 21:07 512 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\4J2TSJ03\0000057243_000000000000000205295[1].gif 06-08-26 23:29 9.20 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\4J2TSJ03\20060822-9[1].jpg 06-08-26 23:36 4.89 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\4J2TSJ03\20060824-5[1].jpg 06-08-26 23:35 44.77 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\4J2TSJ03\bannerlink[1].gif 06-08-26 23:35 360 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\4J2TSJ03\bg_feed[1].gif 06-08-26 23:34 299 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\4J2TSJ03\bind[1].htm 06-08-27 00:15 8.48 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\4J2TSJ03\blank[1].htm 06-08-26 23:34 213 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\4J2TSJ03\box-bg[1].gif 06-08-26 23:32 111 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\4J2TSJ03\box-butt-left[1].gif 06-08-26 23:32 169 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\4J2TSJ03\box-head-right[1].gif 06-08-26 23:32 3.52 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\4J2TSJ03\browse-happy[1].gif 06-08-26 23:30 4.29 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\4J2TSJ03\bullet_go[1].gif 06-08-26 23:34 301 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\4J2TSJ03\card_left2[1].gif 06-08-26 23:31 126 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\4J2TSJ03\checkmark[1].gif 06-08-26 23:31 843 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\4J2TSJ03\cleardot[1].gif 06-08-27 00:15 43 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\4J2TSJ03\custom-fields[1].js 06-08-26 23:31 1.38 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\4J2TSJ03\fbapix[1].gif 06-08-26 23:35 314 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\4J2TSJ03\flashlib[1].js 06-08-26 23:32 610 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\4J2TSJ03\getmod[1].htm 06-08-26 23:36 3 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\4J2TSJ03\inline-uploading[1].htm 06-08-26 23:32 8.82 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\4J2TSJ03\mail[3] 06-08-27 00:05 24.97 KB Visible in Windows API, MFT, but not in directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\4J2TSJ03\mail[5] 06-08-27 00:14 155 bytes Hidden from Windows API.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\4J2TSJ03\mail[6] 06-08-26 23:34 25.00 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\4J2TSJ03\numlist[1].gif 06-08-26 23:34 111 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\4J2TSJ03\offline_white1[1].gif 06-08-27 00:04 891 bytes Hidden from Windows API.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\4J2TSJ03\post[1].htm 06-08-26 23:31 17.39 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\4J2TSJ03\slider[1].js 06-08-26 23:30 10.54 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\4J2TSJ03\smlnopresence[1].gif 06-08-27 00:05 49 bytes Hidden from Windows API.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\4J2TSJ03\tagboard[1].htm 06-08-26 23:35 4.55 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\4J2TSJ03\test[1].htm 06-08-27 00:14 515 bytes Hidden from Windows API.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\4J2TSJ03\tiny_mce_config[1].htm 06-08-26 23:31 1.44 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\4J2TSJ03\tiny_mce_gzip[2].php 06-08-26 23:31 3.31 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\4J2TSJ03\wp-admin[1].css 06-08-26 23:29 16.57 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\4J2TSJ03\xml-podcast[1].gif 06-08-26 23:35 624 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\N8YLP8SW\0000001564_000000000000000332806[1].swf 06-08-26 23:36 10.06 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\N8YLP8SW\20060822-1[1].jpg 06-08-26 23:35 18.17 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\N8YLP8SW\20060822-7[1].jpg 06-08-26 23:35 31.95 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\N8YLP8SW\bg-malaysiaflag[1].gif 06-08-26 23:35 1.73 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\N8YLP8SW\bg_5[1].jpg 06-08-26 23:34 34.63 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\N8YLP8SW\bind[1].htm 06-08-26 23:38 776 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\N8YLP8SW\box-bg-left[1].gif 06-08-26 23:32 37 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\N8YLP8SW\box-head[1].gif 06-08-26 23:32 879 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\N8YLP8SW\builder[1].js 06-08-26 23:29 3.28 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\N8YLP8SW\card_bl[1].gif 06-08-26 23:31 198 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\N8YLP8SW\card_top[1].gif 06-08-26 23:31 55 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\N8YLP8SW\editor_ui[1].css 06-08-26 23:32 6.78 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\N8YLP8SW\fat[1].js 06-08-26 23:29 2.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\N8YLP8SW\firefox_80x15[1].png 06-08-26 23:35 1.04 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\N8YLP8SW\hello-world[1].htm 06-08-26 23:32 13.44 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\N8YLP8SW\mail[6] 06-08-27 00:10 155 bytes Hidden from Windows API.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\N8YLP8SW\paperclip[1].gif 06-08-26 23:35 976 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\N8YLP8SW\smile[1].gif 06-08-26 23:35 185 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\N8YLP8SW\star_off_sm_2[1].gif 06-08-26 23:31 126 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\N8YLP8SW\star_on_sm_2[1].gif 06-08-26 23:31 161 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\N8YLP8SW\strikethrough[1].gif 06-08-26 23:34 83 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\N8YLP8SW\style[1].css 06-08-26 23:32 10.29 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\N8YLP8SW\tearoff_icon[1].gif 06-08-26 23:31 98 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\N8YLP8SW\toggle[1].gif 06-08-26 23:32 216 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\N8YLP8SW\wordpress-logo[1].png 06-08-26 23:30 2.29 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\N8YLP8SW\wp-login[1].htm 06-08-26 23:34 1.49 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\N8YLP8SW\wpcombar_bkg[1].png 06-08-26 23:34 2.42 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\UKF799RU\0000001564_000000000000000334832[1].swf 06-08-26 23:32 9.86 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\UKF799RU\20060822-3[1].jpg 06-08-26 23:36 68.78 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\UKF799RU\20060822-4[1].jpg 06-08-26 23:36 34.05 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\UKF799RU\banner-malaysiaflag[1].jpg 06-08-26 23:35 20.26 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\UKF799RU\bind[1].htm 06-08-26 23:41 632 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\UKF799RU\bold[1].gif 06-08-26 23:34 76 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\UKF799RU\box-bg-right[1].gif 06-08-26 23:32 151 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\UKF799RU\box-butt[1].gif 06-08-26 23:32 347 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\UKF799RU\bullet_arrow_down[1].gif 06-08-26 23:34 176 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\UKF799RU\bullist[1].gif 06-08-26 23:34 108 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\UKF799RU\card_bot[1].gif 06-08-26 23:31 92 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\UKF799RU\card_tl[1].gif 06-08-26 23:31 292 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\UKF799RU\card_tr[1].gif 06-08-26 23:31 175 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\UKF799RU\chat_bubble_nav[1].gif 06-08-27 00:05 334 bytes Hidden from Windows API.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\UKF799RU\cleardot[2].gif 06-08-27 00:04 43 bytes Hidden from Windows API.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\UKF799RU\dbx[1].js 06-08-26 23:31 18.54 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\UKF799RU\dragdrop[1].js 06-08-26 23:30 28.92 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\UKF799RU\effects[1].js 06-08-26 23:29 32.14 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\UKF799RU\mail[5] 06-08-26 23:36 155 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\UKF799RU\mail[6] 06-08-26 23:40 155 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\UKF799RU\my[1].htm 06-08-26 23:35 8.28 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\UKF799RU\paperclip[1].gif 06-08-27 00:05 976 bytes Hidden from Windows API.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\UKF799RU\print_icon[1].gif 06-08-26 23:31 94 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\UKF799RU\prototype[1].js 06-08-26 23:29 53.89 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\UKF799RU\quicktags[1].js 06-08-26 23:32 9.34 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\UKF799RU\star_on_sm_2[1].gif 06-08-27 00:04 161 bytes Hidden from Windows API.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\UKF799RU\stat[1].gif 06-08-26 23:36 401 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\UKF799RU\styles-site[1].css 06-08-26 23:35 6.87 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\UKF799RU\switch[1].css 06-08-26 23:32 2.08 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\UKF799RU\teabie.wordpress[1].css 06-08-26 23:34 62 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\UKF799RU\wp-admin[1].css 06-08-26 23:34 16.57 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\UKF799RU\wp-admin[1].htm 06-08-26 23:29 14.32 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\UKF799RU\wpcom[1].js 06-08-26 23:32 1.24 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\WMPCFWIE\20060822-5[1].jpg 06-08-26 23:36 18.17 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\WMPCFWIE\bg_1[1].jpg 06-08-26 23:34 33.28 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\WMPCFWIE\bg_body[1].gif 06-08-26 23:34 709 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\WMPCFWIE\box-butt-right[1].gif 06-08-26 23:32 960 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\WMPCFWIE\box-head-left[1].gif 06-08-26 23:32 334 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\WMPCFWIE\card_br[1].gif 06-08-26 23:31 193 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\WMPCFWIE\card_left[1].gif 06-08-26 23:31 89 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\WMPCFWIE\chat_bubble_nav[1].gif 06-08-26 23:31 334 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\WMPCFWIE\cleardot[1].gif 06-08-27 00:14 43 bytes Hidden from Windows API.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\WMPCFWIE\controls[1].js 06-08-26 23:30 27.38 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\WMPCFWIE\fade-butt[1].png 06-08-26 23:30 785 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\WMPCFWIE\getmod[1].htm 06-08-26 23:35 3 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\WMPCFWIE\getmod[2].htm 06-08-26 23:36 3 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\WMPCFWIE\h[1].gif 06-08-26 23:32 50 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\WMPCFWIE\italic[1].gif 06-08-26 23:34 79 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\WMPCFWIE\login-bkg-bottom[1].gif 06-08-26 23:34 704 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\WMPCFWIE\login-bkg-tile[1].gif 06-08-26 23:34 18.83 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\WMPCFWIE\mail[3] 06-08-26 23:38 155 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\WMPCFWIE\mod[1].htm 06-08-26 23:35 673 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\WMPCFWIE\scriptaculous[1].js 06-08-26 23:29 2.19 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\WMPCFWIE\separator[1].gif 06-08-26 23:34 57 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\WMPCFWIE\side-menu-art[1].jpg 06-08-26 23:35 10.14 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\WMPCFWIE\sound[1].swf 06-08-26 23:31 6.94 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\WMPCFWIE\tiny_mce_gzip[1].php 06-08-26 23:32 259.67 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\WMPCFWIE\tw-sack[1].js 06-08-26 23:31 4.85 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Local Settings\Temporary Internet Files\Content.IE5\WMPCFWIE\urchin[2].js 06-08-26 23:32 17.69 KB Visible in Windows API, but not in MFT or directory index.
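As an added example, not code from any post in this thread or from the scanner itself, here is a small Python triage script for discrepancy lines in the format above (the wording is the one Sysinternals RootkitRevealer emits). It separates "Hidden from Windows API" entries outside browser cache folders, the ones a helper would actually want to look at, from the cache churn that Internet Explorer produces while a scan is running. The sample log lines and the driver path in them are constructed for the example.

```python
"""Triage helper for RootkitRevealer-style discrepancy output.

Added example for this thread; not part of any post or of the tool.
Each input line is assumed to look like the ones posted above:
    <path> <yy-mm-dd> <hh:mm> <size> <bytes|KB|MB> <discrepancy text>
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<date>\d{2}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>\d+(?:\.\d+)?) (?P<unit>bytes|KB|MB) (?P<desc>.+)$"
)

HIDDEN = "Hidden from Windows API."
TRANSIENT = "Visible in Windows API, but not in MFT or directory index."

# Locations a browser rewrites constantly; a discrepancy here usually means
# the file changed between the scanner's API pass and its on-disk pass.
CHURN_DIRS = ("\\temporary internet files\\", "\\temp\\", "\\history\\")

UNIT = {"bytes": 1, "KB": 1024, "MB": 1024 * 1024}


def parse_line(line):
    """Return a dict for one discrepancy line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["size_bytes"] = int(round(float(d["size"]) * UNIT[d["unit"]]))
    return d


def classify(entry):
    """Bucket one entry; 'review' is the only bucket worth a human's time."""
    in_churn = any(marker in entry["path"].lower() for marker in CHURN_DIRS)
    if entry["desc"] == HIDDEN and not in_churn:
        return "review"           # hidden outside a cache: classic rootkit sign
    if entry["desc"] == HIDDEN:
        return "hidden_in_cache"  # likely written after the API enumeration
    if entry["desc"] == TRANSIENT:
        return "transient"        # created during the scan; benign on its own
    return "other"


def triage(text):
    """Group every line of a log by bucket; unparsable lines go to 'unparsed'."""
    buckets = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            buckets["unparsed"].append(line)
            continue
        buckets[classify(entry)].append(entry["path"])
    return dict(buckets)


# Constructed sample: two cache lines in the style of the log above plus one
# hypothetical hidden driver outside any cache folder (the path is made up).
SAMPLE_LOG = r"""
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\style[1].css 06-08-26 23:32 10.29 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\mail[6] 06-08-27 00:10 155 bytes Hidden from Windows API.
C:\WINDOWS\system32\drivers\hypothetical.sys 06-08-27 00:11 12.5 KB Hidden from Windows API.
this line is not a discrepancy record
"""

if __name__ == "__main__":
    for bucket, paths in sorted(triage(SAMPLE_LOG).items()):
        print(f"{bucket}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

Run against a full log, the "review" bucket is the short list to hand to a helper; a log made up only of "transient" cache entries, like the one above, is consistent with nothing more than the browser writing files during the scan.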

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:45 AM

Posted 26 August 2006 - 06:55 PM

Well I'm afraid that doesn't help us either.

Download WinPFind

Extract WinPFind.zip to your c:\ folder.

Reboot your computer into Safe Mode
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
* if you have trouble getting into Safe mode go here for more info.


Then open c:\WinPFind and double-click on WinPFind.exe.
When the program is open, click on the Start Scan button to start scanning your computer. Be patient as this scan may take a while.
When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 teabie

teabie
  • Topic Starter

  • Members
  • 26 posts
  • Gender:Female
  • Local time:05:45 PM

Posted 27 August 2006 - 02:51 AM

This is strange. After switching on the PC, I would sometimes visit my own blog site to check for comments. And it seems the popups appear then. It doesn't appear when I'm googling or visiting online newspapers. But after I CTL-ALT-DEL the explorer away and subsequently visit my blog site again, the popup will not appear until my next bootup. It happens sometimes when I'm also visiting other blogs. But my blog is hosted by my ISP, whereas theirs are by BlogSpot.com, so I can't figure that out. Is there an underlying connection?


****


Anyhow, I've performed the scan as instructed.

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 17/07/2003 4:26:44 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PECompact2 3/08/2006 9:22:50 AM 8255912 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 3/08/2006 9:22:50 AM 8255912 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 4/08/2004 12:56:38 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 4/08/2004 12:56:46 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 17/07/2003 4:50:38 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 3/08/2004 10:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\ETC\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
27/08/2006 3:19:42 PM S 2048 C:\WINDOWS\bootstat.dat
27/08/2006 3:23:14 PM HS 7168 C:\WINDOWS\Thumbs.db
5/07/2006 8:21:58 PM S 10925 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB917422.cat
28/07/2006 8:16:08 PM S 23751 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918899.cat
27/07/2006 10:00:28 PM S 10337 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB920214.cat
21/07/2006 5:03:14 PM S 10925 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB920670.cat
13/07/2006 10:24:46 PM S 13050 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB921398.cat
15/07/2006 12:13:00 AM S 10925 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB921883.cat
14/07/2006 11:53:20 PM S 10925 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB922616.cat
27/08/2006 3:19:22 PM H 8192 C:\WINDOWS\SYSTEM32\CONFIG\default.LOG
27/08/2006 3:21:24 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
27/08/2006 3:19:46 PM H 12288 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
27/08/2006 3:21:28 PM H 53248 C:\WINDOWS\SYSTEM32\CONFIG\software.LOG
27/08/2006 3:19:56 PM H 962560 C:\WINDOWS\SYSTEM32\CONFIG\system.LOG
10/08/2006 11:18:08 AM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\ntuser.dat.LOG
2/07/2006 11:28:36 AM S 341 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\303572DF538EDD8B1D606185F1D559B8
2/07/2006 11:28:38 AM S 413 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\79841F8EF00FBA86D33CC5A47696F165
2/07/2006 11:28:36 AM S 574 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\904590238400AD963F77FAAAADC9BAB5
2/07/2006 11:28:36 AM S 126 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\303572DF538EDD8B1D606185F1D559B8
2/07/2006 11:28:38 AM S 98 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\79841F8EF00FBA86D33CC5A47696F165
2/07/2006 11:28:36 AM S 136 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\904590238400AD963F77FAAAADC9BAB5
3/07/2006 1:21:50 AM HS 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\f145323f-7c37-4243-84a2-a61c9b2c444e
3/07/2006 1:21:50 AM HS 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
27/08/2006 3:18:38 PM H 6 C:\WINDOWS\Tasks\SA.DAT
24/08/2006 4:43:42 PM HS 113 C:\WINDOWS\Temp\History\History.IE5\desktop.ini
24/08/2006 4:43:42 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini
24/08/2006 4:43:42 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\0HIZ49EN\desktop.ini
24/08/2006 4:43:42 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\GXUBSDQF\desktop.ini
24/08/2006 4:43:42 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\IQPUA1QG\desktop.ini
24/08/2006 4:43:42 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\S12NG1I7\desktop.ini

Checking for CPL files...
Microsoft Corporation 4/08/2004 12:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 4/08/2004 12:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 4/08/2004 12:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Logitech Inc. 18/01/2005 5:36:14 PM 282624 C:\WINDOWS\SYSTEM32\camcpl.cpl
Microsoft Corporation 4/08/2004 12:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 4/08/2004 12:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 4/08/2004 12:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 4/08/2004 12:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 4/08/2004 12:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 4/08/2004 12:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 4/08/2004 12:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 10/11/2005 1:03:50 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 17/07/2003 4:32:24 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 4/08/2004 12:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 17/07/2003 4:37:20 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 4/08/2004 12:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 4/08/2004 12:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 4/08/2004 12:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 4/08/2004 12:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 4/08/2004 12:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 17/07/2003 4:47:58 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 4/08/2004 12:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 4/08/2004 12:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 26/05/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 17/07/2003 4:32:24 AM 187904 C:\WINDOWS\SYSTEM32\DLLCACHE\main.cpl
Microsoft Corporation 17/07/2003 4:37:20 AM 35840 C:\WINDOWS\SYSTEM32\DLLCACHE\ncpa.cpl
Microsoft Corporation 17/07/2003 4:47:58 AM 28160 C:\WINDOWS\SYSTEM32\DLLCACHE\telephon.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
8/07/2005 5:55:12 PM 986 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
16/07/2005 12:08:22 AM 1757 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
6/07/2005 9:43:38 PM HS 84 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\desktop.ini
28/02/2006 5:04:08 PM 1808 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
16/01/2006 5:57:06 PM 1885 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
9/03/2006 10:58:18 PM 305 C:\Documents and Settings\All Users.WINDOWS\Application Data\addr_file.html
7/07/2005 5:33:08 AM HS 62 C:\Documents and Settings\All Users.WINDOWS\Application Data\desktop.ini
17/08/2006 1:37:10 AM 1744 C:\Documents and Settings\All Users.WINDOWS\Application Data\hpzinstall.log
17/07/2006 10:36:58 AM 1767 C:\Documents and Settings\All Users.WINDOWS\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...
6/07/2005 9:43:38 PM HS 84 C:\Documents and Settings\Stephanie Chia.STEPHANIE\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
16/07/2005 12:06:56 AM 877 C:\Documents and Settings\Stephanie Chia.STEPHANIE\Application Data\AdobeDLM.log
7/07/2005 5:33:08 AM HS 62 C:\Documents and Settings\Stephanie Chia.STEPHANIE\Application Data\desktop.ini
16/07/2005 12:06:56 AM 0 C:\Documents and Settings\Stephanie Chia.STEPHANIE\Application Data\dm.ini
1/05/2006 2:28:36 PM 5489 C:\Documents and Settings\Stephanie Chia.STEPHANIE\Application Data\GdiplusUpgrade_MSIApproach_Wrapper.log
1/05/2006 2:32:10 PM 2190 C:\Documents and Settings\Stephanie Chia.STEPHANIE\Application Data\HPSU_48BitScanUpdate.log
1/04/2006 2:29:14 AM 34178 C:\Documents and Settings\Stephanie Chia.STEPHANIE\Application Data\Update_HP_RedboxHprblog_HPSU.log

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
= c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
= c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}
Windows Live Sign-in Helper = C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{BA52B914-B692-46c4-B683-905236F6F655} = McAfee VirusScan : c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
IMJPMIG8.1 "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
MSPY2002 C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
PHIME2002ASync C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
DataLayer C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
PCSuiteTrayApplication C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
LVCOMSX C:\WINDOWS\system32\LVCOMSX.EXE
LogitechVideoRepair C:\Program Files\Logitech\Video\ISStart.exe
LogitechVideoTray C:\Program Files\Logitech\Video\LogiTray.exe
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
HP Software Update C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D-Link AirPlus G C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
ANIWZCS2Service C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
MCAgentExe c:\PROGRA~1\mcafee.com\agent\mcagent.exe
MCUpdateExe C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
VSOCheckTask "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
VirusScan Online C:\Program Files\McAfee.com\VSO\mcvsshld.exe
_AntiSpyware c:\progra~1\mcafee\MCAFEE~1\masalert.exe
OASClnt C:\Program Files\McAfee.com\VSO\oasclnt.exe
MPFExe C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
LDM C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
LogitechSoftwareUpdate "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
Sonic RecordNow!
PeerGuardian C:\Program Files\PeerGuardian2\pg2.exe
McAfee QuickClean Imonitor C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 27/08/2006 3:30:29 PM

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:45 AM

Posted 27 August 2006 - 03:46 AM

That popup definitely has malicious intent and I can't imagine those sites serving that junk to you. It's got to be on your computer somewhere, but everything is coming up clean. Let's keep looking.


* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
=============



Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Double-click sspsetup1.exe to install it.
  • Before installation it may ask you to check for program updates. Click YES.
    Then finish installation leaving all the default options.
  • Once the program is installed, it will ask if you wish to reboot now choose YES.
  • After reboot, open SpySweeper, by double-clicking the icon on your desktop.
  • Click Options on the left side.
  • Click the Sweep tab.
  • Under Items to Sweep make sure the following are checked:
    • Windows registry
    • Memory objects
    • Cookies
    • Compressed Files
    • System Restore Folder
  • Under Other Options make sure the following are checked:
    • Sweep all user accounts
    • Enable Direct Disk Sweeping
    • Sweep for rootkits
  • Click the Sweep button on the left side.
  • Click the Start Sweep button.
  • When it's done scanning, make sure everything has a check next to it, then click the Quarantine Selected button.
  • It will quarantine all of the items found.
  • Click View Session Log in the right corner above the box where the items are listed.
  • Click Save to File and save it on your desktop.
  • Exit SpySweeper.
  • Paste the contents of the session log you saved into your next reply (Spy Sweeper Session Log.txt).
  • NOTE: you can get to the log by clicking Options on the left. Then, View Session Log will be listed under Other Options.
Also post a new hijackthis log.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#13 teabie

teabie
  • Topic Starter

  • Members
  • 26 posts
  • Gender:Female
  • Local time:05:45 PM

Posted 28 August 2006 - 01:08 PM

Thanks so much for trying to help!!

Here are the scan results. I'm sorry I did not get rid of the cookies prior to scanning. I'll do so now.


Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
2:01 AM: Shield States
2:01 AM: Spyware Definitions: 749
2:01 AM: Spy Sweeper 5.0.5.1286 started
1:18 AM: | End of Session, Tuesday, 29 August 2006 |
1:13 AM: Your spyware definitions have been updated.
Operation: File Access
Target:
Source: C:\PROGRA~1\MCAFEE.COM\VSO\MCSHIELD.EXE
1:13 AM: Tamper Detection
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
1:05 AM: Shield States
1:05 AM: Spyware Definitions: 691
1:05 AM: Spy Sweeper 5.0.5.1286 started
1:05 AM: Spy Sweeper 5.0.5.1286 started
1:05 AM: | Start of Session, Tuesday, 29 August 2006 |
********
1:59 AM: Removal process completed. Elapsed time 00:03:11
1:59 AM: Preparing to restart your computer. Please wait...
1:57 AM: Quarantining All Traces: yadro cookie
1:57 AM: Quarantining All Traces: myaffiliateprogram.com cookie
1:57 AM: Quarantining All Traces: mp3s hits cookie
1:57 AM: Quarantining All Traces: clixgalore cookie
1:57 AM: Quarantining All Traces: videodome cookie
1:57 AM: Quarantining All Traces: webtrendslive cookie
1:57 AM: Quarantining All Traces: statcounter cookie
1:57 AM: Quarantining All Traces: onestat.com cookie
1:57 AM: Quarantining All Traces: servlet cookie
1:57 AM: Quarantining All Traces: serving-sys cookie
1:57 AM: Quarantining All Traces: partypoker cookie
1:57 AM: Quarantining All Traces: nextag cookie
1:57 AM: Quarantining All Traces: webtrends cookie
1:57 AM: Quarantining All Traces: fastclick cookie
1:57 AM: Quarantining All Traces: overture cookie
1:57 AM: Quarantining All Traces: directtrack cookie
1:57 AM: Quarantining All Traces: cassava cookie
1:57 AM: Quarantining All Traces: casalemedia cookie
1:57 AM: Quarantining All Traces: burstnet cookie
1:57 AM: Quarantining All Traces: bs.serving-sys cookie
1:57 AM: Quarantining All Traces: banner cookie
1:57 AM: Quarantining All Traces: atwola cookie
1:57 AM: Quarantining All Traces: atlas dmt cookie
1:57 AM: Quarantining All Traces: ask cookie
1:57 AM: Quarantining All Traces: tacoda cookie
1:57 AM: Quarantining All Traces: revenue.net cookie
1:57 AM: Quarantining All Traces: specificclick.com cookie
1:57 AM: Quarantining All Traces: hbmediapro cookie
1:57 AM: Quarantining All Traces: yieldmanager cookie
1:57 AM: Quarantining All Traces: about cookie
1:57 AM: Quarantining All Traces: 888 cookie
1:57 AM: Quarantining All Traces: 2o7.net cookie
1:57 AM: c:\documents and settings\stephanie chia.stephanie\my documents\mp3 songs\background music\tsubasa ~ reservoir chronicles~\oukyuu no matinee chapter 1 ~suijou toshi coral~\tsubasa chronicle drama & character album - oukyuu no matinee chapter.1 ~suijou toshi coral~.m3u is in use. It will be removed on reboot.
1:57 AM: c:\documents and settings\stephanie chia.stephanie\my documents\mp3 songs\background music\tsubasa ~ reservoir chronicles~\oukyuu no matinee chapter 1 ~suijou toshi coral~\tsubasa chronicle drama & character album - oukyuu no matinee chapter.1 ~suijou toshi coral~.txt is in use. It will be removed on reboot.
1:57 AM: potentially rootkit-masked files is in use. It will be removed on reboot.
1:57 AM: Quarantining All Traces: potentially rootkit-masked files
1:55 AM: Removal process initiated
1:55 AM: Traces Found: 63
1:55 AM: Full Sweep has completed. Elapsed time 00:36:35
1:55 AM: File Sweep Complete, Elapsed Time: 00:34:13
1:51 AM: c:\documents and settings\stephanie chia.stephanie\my documents\mp3 songs\background music\tsubasa ~ reservoir chronicles~\oukyuu no matinee chapter 1 ~suijou toshi coral~\tsubasa chronicle drama & character album - oukyuu no matinee chapter.1 ~suijou toshi coral~.m3u (ID = 0)
1:51 AM: c:\documents and settings\stephanie chia.stephanie\my documents\mp3 songs\background music\tsubasa ~ reservoir chronicles~\oukyuu no matinee chapter 1 ~suijou toshi coral~\tsubasa chronicle drama & character album - oukyuu no matinee chapter.1 ~suijou toshi coral~.txt (ID = 0)
1:51 AM: Found System Monitor: potentially rootkit-masked files
1:51 AM: Warning: Failed to access drive E:
1:51 AM: Warning: Failed to access drive D:
1:50 AM: Warning: Failed to open file "c:\program files\logitech\desktop messenger\8876480\users\stephanie chia\data\d0000000.fcs". The operation completed successfully
1:49 AM: Warning: Failed to open file "c:\windows\temp\sqlite_s8tvfpejpovulbh". The operation completed successfully
1:49 AM: Warning: Failed to open file "c:\windows\temp\sqlite_j6iks1kbbwuqxft". The operation completed successfully
1:49 AM: Warning: Failed to open file "c:\windows\temp\sqlite_xauajysb7lfk0lz". The operation completed successfully
1:20 AM: Starting File Sweep
1:20 AM: Cookie Sweep Complete, Elapsed Time: 00:00:03
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@yadro[2].txt (ID = 3743)
1:20 AM: Found Spy Cookie: yadro cookie
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@www.myaffiliateprogram[1].txt (ID = 3032)
1:20 AM: Found Spy Cookie: myaffiliateprogram.com cookie
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@www.mp3bleeps[1].txt (ID = 3019)
1:20 AM: Found Spy Cookie: mp3s hits cookie
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@www.clixgalore[1].txt (ID = 2417)
1:20 AM: Found Spy Cookie: clixgalore cookie
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@www.burstnet[1].txt (ID = 2337)
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@virginmobile.122.2o7[1].txt (ID = 1958)
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@videodome[1].txt (ID = 3638)
1:20 AM: Found Spy Cookie: videodome cookie
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@ulta.122.2o7[1].txt (ID = 1958)
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@thomsoneducationdirect.122.2o7[1].txt (ID = 1958)
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@tcompany.122.2o7[1].txt (ID = 1958)
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@tacoda[1].txt (ID = 6444)
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@statse.webtrendslive[2].txt (ID = 3667)
1:20 AM: Found Spy Cookie: webtrendslive cookie
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@statcounter[1].txt (ID = 3447)
1:20 AM: Found Spy Cookie: statcounter cookie
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@stat.onestat[2].txt (ID = 3098)
1:20 AM: Found Spy Cookie: onestat.com cookie
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@servlet[1].txt (ID = 3345)
1:20 AM: Found Spy Cookie: servlet cookie
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@serving-sys[2].txt (ID = 3343)
1:20 AM: Found Spy Cookie: serving-sys cookie
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@sento.122.2o7[1].txt (ID = 1958)
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@secure.directtrack[1].txt (ID = 2528)
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@paypal.112.2o7[1].txt (ID = 1958)
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@partypoker[1].txt (ID = 3111)
1:20 AM: Found Spy Cookie: partypoker cookie
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@partygaming.122.2o7[1].txt (ID = 1958)
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@nextag[1].txt (ID = 5014)
1:20 AM: Found Spy Cookie: nextag cookie
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@newsinteractive.112.2o7[1].txt (ID = 1958)
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@nbcuniversal.122.2o7[1].txt (ID = 1958)
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@msnportal.112.2o7[1].txt (ID = 1958)
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@msninvite.112.2o7[1].txt (ID = 1958)
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@microsoftwlspacesmkt.112.2o7[1].txt (ID = 1958)
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@microsoftwlmessengermkt.112.2o7[1].txt (ID = 1958)
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@meetupcom.122.2o7[1].txt (ID = 1958)
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@m.webtrends[2].txt (ID = 3669)
1:20 AM: Found Spy Cookie: webtrends cookie
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@itimenetwork.directtrack[2].txt (ID = 2528)
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@homeschooling.about[1].txt (ID = 2038)
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@fastclick[2].txt (ID = 2651)
1:20 AM: Found Spy Cookie: fastclick cookie
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@directtrack[1].txt (ID = 2527)
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@digitalhomediscountptyltd.122.2o7[1].txt (ID = 1958)
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@desktoppub.about[2].txt (ID = 2038)
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@data2.perf.overture[1].txt (ID = 3106)
1:20 AM: Found Spy Cookie: overture cookie
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@commissionxchange.directtrack[2].txt (ID = 2528)
1:20 AM: Found Spy Cookie: directtrack cookie
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@cnetaustralia.122.2o7[1].txt (ID = 1958)
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@cnetasiapacific.122.2o7[1].txt (ID = 1958)
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@cassava[1].txt (ID = 2362)
1:20 AM: Found Spy Cookie: cassava cookie
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@casalemedia[2].txt (ID = 2354)
1:20 AM: Found Spy Cookie: casalemedia cookie
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@burstnet[2].txt (ID = 2336)
1:20 AM: Found Spy Cookie: burstnet cookie
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@bs.serving-sys[2].txt (ID = 2330)
1:20 AM: Found Spy Cookie: bs.serving-sys cookie
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@bidzcom.112.2o7[1].txt (ID = 1958)
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@banner[1].txt (ID = 2276)
1:20 AM: Found Spy Cookie: banner cookie
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@atwola[2].txt (ID = 2255)
1:20 AM: Found Spy Cookie: atwola cookie
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@atdmt[2].txt (ID = 2253)
1:20 AM: Found Spy Cookie: atlas dmt cookie
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@ask[1].txt (ID = 2245)
1:20 AM: Found Spy Cookie: ask cookie
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@anad.tacoda[1].txt (ID = 6445)
1:20 AM: Found Spy Cookie: tacoda cookie
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@ads1.revenue[1].txt (ID = 3258)
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@ads0.revenue[1].txt (ID = 3258)
1:20 AM: Found Spy Cookie: revenue.net cookie
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@adopt.specificclick[2].txt (ID = 3400)
1:20 AM: Found Spy Cookie: specificclick.com cookie
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@adopt.hbmediapro[2].txt (ID = 2768)
1:20 AM: Found Spy Cookie: hbmediapro cookie
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@ad.yieldmanager[1].txt (ID = 3751)
1:20 AM: Found Spy Cookie: yieldmanager cookie
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@about[2].txt (ID = 2037)
1:20 AM: Found Spy Cookie: about cookie
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@888[2].txt (ID = 2019)
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@888[1].txt (ID = 2019)
1:20 AM: Found Spy Cookie: 888 cookie
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@2o7[2].txt (ID = 1957)
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@122.2o7[2].txt (ID = 1958)
1:20 AM: c:\documents and settings\stephanie chia.stephanie\cookies\stephanie chia@112.2o7[1].txt (ID = 1958)
1:20 AM: Found Spy Cookie: 2o7.net cookie
1:20 AM: Starting Cookie Sweep
1:20 AM: Registry Sweep Complete, Elapsed Time:00:00:18
1:20 AM: Starting Registry Sweep
1:20 AM: Memory Sweep Complete, Elapsed Time: 00:01:42
1:18 AM: Starting Memory Sweep
1:18 AM: Sweep initiated using definitions version 749
1:18 AM: Spy Sweeper 5.0.5.1286 started
1:18 AM: | Start of Session, Tuesday, 29 August 2006 |
********

Edited by teabie, 28 August 2006 - 01:22 PM.


#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:45 AM

Posted 28 August 2006 - 07:35 PM

Spysweeper picked up on the rootkit, but it's unclear if it was removed.

Please post a new hijackthis log and a log from Combofix.
Are you still getting popups?


========================================================
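The Spy Sweeper session log posted above is written newest entry first and mixes cookie hits, the "potentially rootkit-masked files" detection, removals deferred to reboot and the final completion line, which is why it is hard to tell at a glance whether the serious item was actually removed. The script below is an added example, not from this thread and not Webroot's own tooling: it parses such a log and reports what was found, what was quarantined, what was deferred to reboot, and whether the removal run finished. The sample lines are a constructed, trimmed copy of the log above with the user path replaced, and the line patterns are assumptions derived from that log only.

```python
"""Triage a Webroot Spy Sweeper session log (added example, assumed formats)."""
import re
from collections import Counter

# Constructed sample: a trimmed copy of the session log posted in this thread
# (newest entry first, as Spy Sweeper writes it), with the user path replaced.
SAMPLE_LOG = """\
1:59 AM: Removal process completed. Elapsed time 00:03:11
1:59 AM: Preparing to restart your computer. Please wait...
1:57 AM: Quarantining All Traces: yadro cookie
1:57 AM: Quarantining All Traces: 2o7.net cookie
1:57 AM: c:\\documents and settings\\user\\my documents\\music\\playlist.m3u is in use. It will be removed on reboot.
1:57 AM: potentially rootkit-masked files is in use. It will be removed on reboot.
1:57 AM: Quarantining All Traces: potentially rootkit-masked files
1:55 AM: Removal process initiated
1:55 AM: Traces Found: 63
1:55 AM: Full Sweep has completed. Elapsed time 00:36:35
1:51 AM: Found System Monitor: potentially rootkit-masked files
1:51 AM: Warning: Failed to access drive E:
1:20 AM: Found Spy Cookie: yadro cookie
1:20 AM: Found Spy Cookie: 2o7.net cookie
1:18 AM: Sweep initiated using definitions version 749
1:18 AM: | Start of Session, Tuesday, 29 August 2006 |
"""

# Line shapes are assumptions taken from the posted log, not a Webroot spec.
LINE_RE = re.compile(r"^(?P<time>\d{1,2}:\d{2} [AP]M): (?P<msg>.*)$")
FOUND_RE = re.compile(r"^Found (?P<category>[^:]+): (?P<name>.+)$")
QUAR_RE = re.compile(r"^Quarantining All Traces: (?P<name>.+)$")
REBOOT_RE = re.compile(r"^(?P<item>.+) is in use\. It will be removed on reboot\.$")
TRACES_RE = re.compile(r"^Traces Found: (?P<n>\d+)$")


def parse_session(text):
    """Summarise one session log. Order of lines does not matter."""
    found = {}            # detection name -> category ("Spy Cookie", "System Monitor", ...)
    quarantined = set()
    deferred = []         # items Spy Sweeper could not remove until reboot
    warnings = []
    traces = None
    removal_started = removal_done = False

    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue            # banners, blank lines, continuation text
        msg = m.group("msg")
        if (f := FOUND_RE.match(msg)):
            found[f.group("name")] = f.group("category")
        elif (q := QUAR_RE.match(msg)):
            quarantined.add(q.group("name"))
        elif (r := REBOOT_RE.match(msg)):
            deferred.append(r.group("item"))
        elif (t := TRACES_RE.match(msg)):
            traces = int(t.group("n"))
        elif msg.startswith("Warning:"):
            warnings.append(msg)
        elif msg.startswith("Removal process initiated"):
            removal_started = True
        elif msg.startswith("Removal process completed"):
            removal_done = True

    # Anything that is not a tracking cookie deserves a second look.
    serious = {n: c for n, c in found.items() if c != "Spy Cookie"}
    return {
        "traces_reported": traces,
        "by_category": dict(Counter(found.values())),
        "serious": serious,
        "quarantined": sorted(quarantined),
        "not_quarantined": sorted(set(found) - quarantined),
        "deferred_to_reboot": deferred,
        "warnings": warnings,
        "removal_completed": removal_started and removal_done,
    }


def needs_followup(summary):
    """Serious detections whose removal this log alone cannot confirm:
    either never quarantined, or only scheduled for removal at reboot."""
    return sorted(
        name for name in summary["serious"]
        if name in summary["deferred_to_reboot"] or name in summary["not_quarantined"]
    )


if __name__ == "__main__":
    s = parse_session(SAMPLE_LOG)
    for key, value in s.items():
        print(f"{key}: {value}")
    print("needs follow-up:", needs_followup(s))
```

On the constructed sample the script reports 63 traces, two cookie hits plus one "System Monitor" detection, a completed removal run, and flags "potentially rootkit-masked files" for follow-up because its removal was deferred to reboot; that is the same conclusion the helper reaches, so a fresh scan after the reboot is the right next step.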

#15 teabie

teabie
  • Topic Starter

  • Members
  • 26 posts
  • Gender:Female
  • Local time:05:45 PM

Posted 29 August 2006 - 10:37 AM

Hello,

So far, there have been no popups. But my computer's performance has become pretty sluggish, and Internet Explorer sometimes stops responding.

Btw, should I keep the trial version of Spy Sweeper on or can I uninstall it now?



Okay, this is the new HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 11:33:11 PM, on 29/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\progra~1\mcafee\MCAFEE~1\masalert.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\fxssvc.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\slrundll.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Stephanie Chia.STEPHANIE\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] "C:\Program Files\Logitech\Video\ISStart.exe"
O4 - HKLM\..\Run: [LogitechVideoTray] "C:\Program Files\Logitech\Video\LogiTray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [D-Link AirPlus G] "C:\Program Files\D-Link\AirPlus G\AirGCFG.exe"
O4 - HKLM\..\Run: [ANIWZCS2Service] "C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\Program Files\McAfee.com\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKLM\..\Run: [OASClnt] "C:\Program Files\McAfee.com\VSO\oasclnt.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [LDM] "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [PeerGuardian] "C:\Program Files\PeerGuardian2\pg2.exe"
O4 - HKCU\..\Run: [McAfee QuickClean Imonitor] "C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe" /START
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0713E8A2-850A-101B-AFC0-4210102A8DA7} (Microsoft TreeView Control, version 5.0 (SP2)) - http://download.mcafee.com/molbin/shared/C...22/ComCtl32.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200601...meInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120659984770
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe



And this is the new ComboFix log.

Stephanie Chia - 06-08-29 23:30:24.12
ComboFix 06.08.27BT - Running from: C:\Documents and Settings\Stephanie Chia.STEPHANIE\Desktop

((((((((((((((((((((((((((((((( Files Created from 2006-07-29 to 2006-08-29 ))))))))))))))))))))))))))))))))))


No new files created in this timespan


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-29 12:08 -------- d----c--- C:\Program Files\PeerGuardian2
2006-08-29 01:02 -------- d----c--- C:\Program Files\Webroot
2006-08-29 01:02 -------- d----c--- C:\Documents and Settings\Stephanie Chia.STEPHANIE\Application Data\Webroot
2006-08-27 15:23 6144 --ahsc--- C:\Program Files\Thumbs.db
2006-08-27 14:54 -------- d----c--- C:\Documents and Settings\Stephanie Chia.STEPHANIE\Application Data\Skype
2006-08-23 18:13 -------- d----c--- C:\Program Files\Winamp
2006-08-23 18:03 -------- d----c--- C:\Program Files\HijackThis
2006-08-23 15:58 -------- d----c--- C:\Program Files\Common Files\Personal
2006-08-10 11:19 -------- d----c--- C:\Program Files\Internet Explorer
2006-07-27 21:24 679424 --a--c--- C:\WINDOWS\SYSTEM32\inetcomm.dll
2006-07-23 14:53 -------- d----c--- C:\Program Files\MSN Messenger
2006-07-23 14:53 -------- d----c--- C:\Program Files\Messenger Plus! Live
2006-07-21 16:24 72704 --a--c--- C:\WINDOWS\SYSTEM32\hlink.dll
2006-07-14 11:03 -------- d----c--- C:\Program Files\BitComet
2006-07-07 16:41 15360 --a--c--- C:\WINDOWS\SYSTEM32\DRIVERS\sshrmd.sys
2006-07-07 16:41 14848 --a--c--- C:\WINDOWS\SYSTEM32\DRIVERS\sskbfd.sys
2006-07-07 16:41 13824 --a--c--- C:\WINDOWS\SYSTEM32\DRIVERS\SSFS041A.sys
2006-07-07 16:41 117248 --a--c--- C:\WINDOWS\SYSTEM32\DRIVERS\ssidrv.sys
2006-07-04 23:34 -------- d----c--- C:\Documents and Settings\Stephanie Chia.STEPHANIE\Application Data\Image Zone Express
2006-07-02 11:29 -------- d----c--- C:\Program Files\Common Files\Microsoft Shared
2006-06-16 14:34 48936 --a--c--- C:\WINDOWS\SYSTEM32\sirenacm.dll
2006-05-01 14:32 2190 --a--c--- C:\Documents and Settings\Stephanie Chia.STEPHANIE\Application Data\HPSU_48BitScanUpdate.log
2006-05-01 14:28 5489 --a--c--- C:\Documents and Settings\Stephanie Chia.STEPHANIE\Application Data\GdiplusUpgrade_MSIApproach_Wrapper.log


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="\"RUNDLL32.EXE\" C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"MSPY2002"="\"C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe\" /SYNC"
"PHIME2002ASync"="\"C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE\" /SYNC"
"PHIME2002A"="\"C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE\" /IMEName"
"DataLayer"="C:\\PROGRA~1\\COMMON~1\\PCSuite\\DATALA~1\\DATALA~1.EXE"
"PCSuiteTrayApplication"="C:\\PROGRA~1\\Nokia\\NOKIAP~1\\TRAYAP~1.EXE"
"LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"
"LogitechVideoRepair"="\"C:\\Program Files\\Logitech\\Video\\ISStart.exe\" "
"LogitechVideoTray"="\"C:\\Program Files\\Logitech\\Video\\LogiTray.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"D-Link AirPlus G"="\"C:\\Program Files\\D-Link\\AirPlus G\\AirGCFG.exe\""
"ANIWZCS2Service"="\"C:\\Program Files\\ANI\\ANIWZCS2 Service\\WZCSLDR2.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="\"C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe\""
"_AntiSpyware"="c:\\progra~1\\mcafee\\MCAFEE~1\\masalert.exe"
"OASClnt"="\"C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe\""
"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe\" /startintray"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="\"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\BackWeb-8876480.exe\""
"LogitechSoftwareUpdate"="\"C:\\Program Files\\Logitech\\Video\\ManifestEngine.exe\" boot"
"Sonic RecordNow!"=""
"PeerGuardian"="\"C:\\Program Files\\PeerGuardian2\\pg2.exe\""
"McAfee QuickClean Imonitor"="\"C:\\Program Files\\McAfee\\McAfee QuickClean\\Plguni.exe\" /START"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ea,00,00,00,00,00,00,00,16,03,00,00,e2,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,ea,00,00,00,00,00,00,00,16,03,00,00,e2,02,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\mcafee antispyware.job

Completion time: Tue 29/08/2006 23:32:21.79
ComboFix.txt



