
Ie Pop-up Problems


1 reply to this topic

#1 warrickgo


  • Members
  • 2 posts

Posted 02 April 2007 - 09:44 PM

I've been following this topic http://www.bleepingcomputer.com/forums/t/85915/infected-but-cant-find-a-n-obvious-cause/ because we seem to have the same problem.

I've tried running BlackLight.

Next I tried running ComboFix, and this is the log:

"wgo" - 07-04-03 10:19:44 Service Pack 2
ComboFix 07-03-27.4.2 - Running from: "C:\Documents and Settings\PC\Desktop"


((((((((((((((((((((((((((((((( Files Created from 2007-03-03 to 2007-04-03 ))))))))))))))))))))))))))))))))))


2007-03-27 22:02 1 --a------ C:\WINDOWS\system32\sav80231.sys
2007-03-27 21:58 85,960 --a------ C:\WINDOWS\system32\update.exe
2007-03-27 21:58 72,064 --a------ C:\WINDOWS\system32\drivers\core.sys
2007-03-27 21:58 291,776 --a------ C:\WINDOWS\system32\DealioKit97-stub-0.exe
2007-03-27 21:58 1 --a------ C:\WINDOWS\system32\sav87312.sys
2007-03-27 21:57 5,570,560 --a------ C:\WINDOWS\system32\3D Galaxy Journey.scr
2007-03-27 21:57 d-------- C:\Program Files\3Deep Space
2007-03-26 21:00 d-------- C:\Program Files\Real Alternative
2007-03-26 21:00 d-------- C:\Program Files\Media Player Classic
2007-03-26 21:00 d-------- C:\DOCUME~1\PC\APPLIC~1\Real
2007-03-26 21:00 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Real
2007-03-25 22:46 d-------- C:\Program Files\DietMP3
2007-03-22 19:49 d-------- C:\Program Files\Common Files\Adobe
2007-03-22 19:49 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe
2007-03-18 10:37 d-------- C:\WINDOWS\system32\drivers\umdf
2007-03-18 00:25 414,223 --a------ C:\WINDOWS\system32\vimc.exe
2007-03-18 00:22 d-------- C:\WINDOWS\system32\VITrans
2007-03-18 00:05 d-------- C:\WINDOWS\system32\VIRepair
2007-03-17 23:06 d-------- C:\DOCUME~1\PC\APPLIC~1\Styler
2007-03-17 22:56 8,439,808 --a------ C:\WINDOWS\system32\vistaui.exe
2007-03-17 22:56 d-------- C:\Program Files\VisualTooltip
2007-03-17 22:56 d-------- C:\Program Files\Styler
2007-03-17 22:56 d-------- C:\DOCUME~1\PC\APPLIC~1\Stardock
2007-03-17 22:53 81,920 --a------ C:\WINDOWS\system32\closeapp.exe
2007-03-17 22:53 8,636 --a------ C:\WINDOWS\system32\modifype.exe
2007-03-17 22:53 69,632 --a------ C:\WINDOWS\system32\moveex.exe
2007-03-17 22:53 19,968 --a------ C:\WINDOWS\system32\reico.exe
2007-03-17 22:53 111,104 --a------ C:\WINDOWS\system32\Uharc.exe
2007-03-17 22:53 d-------- C:\VTPFiles
2007-03-17 22:23 d-------- C:\WINDOWS\Vista 5308
2007-03-17 20:50 36,864 --------- C:\WINDOWS\system32\wbsys.dll
2007-03-17 20:50 20,480 --a------ C:\WINDOWS\system32\wbload.dll
2007-03-17 20:47 25,088 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-03-17 20:47 d-------- C:\Program Files\Stardock
2007-03-17 20:47 d-------- C:\Program Files\Common Files\stardock
2007-03-17 20:10 22,040 ---h----- C:\DOCUME~1\PC\APPLIC~1\addon.dat
2007-03-17 20:10 d--h----- C:\WINDOWS\Win32GI
2007-03-16 21:44 d-------- C:\Program Files\AC3Filter
2007-03-16 14:40 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia
2007-03-15 21:28 d-------- C:\Program Files\QuickSFV
2007-03-15 21:28 d-------- C:\Program Files\GetDiz
2007-03-11 16:34 8,464 --a------ C:\WINDOWS\system32\sporder.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-03 10:33 -------- d-------- C:\DOCUME~1\PC\APPLIC~1\utorrent
2007-04-03 09:12 -------- d-------- C:\Program Files\symantec antivirus
2007-04-03 00:03 -------- d-------- C:\Program Files\spywareblaster
2007-03-30 17:56 -------- d-------- C:\Program Files\yahoo!
2007-03-30 17:32 -------- d-------- C:\Program Files\warcraft iii
2007-03-18 09:55 -------- d--h----- C:\Program Files\installshield installation information
2007-03-16 14:39 -------- d-------- C:\Program Files\mystery case files huntsville
2007-03-16 10:28 -------- d-------- C:\Program Files\k-lite codec pack
2007-03-09 14:31 -------- d-------- C:\DOCUME~1\PC\APPLIC~1\limewire
2007-02-09 17:35 -------- d-------- C:\DOCUME~1\PC\APPLIC~1\tortoisesvn
2007-02-09 11:08 -------- d-------- C:\Program Files\tortoisesvn
2007-02-09 10:40 -------- d-------- C:\Program Files\ca
2007-01-26 11:37 31160 --a------ C:\DOCUME~1\PC\APPLIC~1\gdipfontcachev1.dat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"updateMgr"="C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe AcRdB7_0_9"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"IntelZeroConfig"="\"C:\\Program Files\\Intel\\Wireless\\bin\\ZCfgSvc.exe\""
"IntelWireless"="\"C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe\" /tf Intel PROSet/Wireless"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"DMXLauncher"="C:\\Program Files\\Dell\\Media Experience\\DMXLauncher.exe"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"MSKDetectorExe"="C:\\Program Files\\McAfee\\SpamKiller\\MSKDetct.exe /uninstall"
"SigmatelSysTrayApp"="stsystra.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"Dell QuickSet"="C:\\Program Files\\Dell\\QuickSet\\Quickset.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"VisualTooltip"="C:\\Program Files\\VisualTooltip\\VisualToolTip.exe"
"Styler"="C:\\Program Files\\Styler\\Styler.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="wbsys.dll"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"0aMCPClient"="{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1c0230b0-6dfa-11db-be7b-0015c5b47e5a}]
Shell\1\Command .\RECYCLER\RECYCLER\autorun.exe
Shell\2\Command .\RECYCLER\RECYCLER\autorun.exe
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1c0230b4-6dfa-11db-be7b-0015c5b47e5a}]
Shell\AutoRun\command New Document.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9c42a3cc-9678-11db-bef5-0015c5b47e5a}]
Shell\1\Command .\RECYCLER\RECYCLER\autorun.exe
Shell\2\Command .\RECYCLER\RECYCLER\autorun.exe
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-03 10:37:35


Please help, the pop-ups are getting annoying :D



#2 jurgenv


  • Members
  • 1,093 posts
  • Gender:Male
  • Location:Belgium

Posted 03 April 2007 - 12:50 PM

Could you please post a HijackThis log here? :thumbsup:
Greets, Jürgenv
