Numerous Pop-ups And Can't Get Rid Of Them


4 replies to this topic

#1 khunkao

  • Members
  • 33 posts

Posted 12 June 2007 - 08:20 PM

I am running a Windows XP SP2 system. I also run eTrust Antivirus 7 and ZoneAlarm Pro. A little while ago I started getting tons of pop-ups and ads appearing, even while in Firefox. Scanning the system showed a Smitfraud-C.Toolbar888 infection. Even though it said it was deleted, it would return after reboot. I even used the Smitfraud removal utility from S!ri. Didn't work. Finally I looked into my registry and found something called ApachInc that kept loading a dqxx(whatever).dll at startup. I managed to delete it. The Smitfraud seemed to have disappeared but I still get pop-ups and annoying ads. A number of scans and reboots with Ad-Aware 2007 and Spybot S&D 1.4 as well as others didn't do much. They would fix the problem temporarily but it would return after reboot. A number of things appeared during startup, mostly Spybot allowing registry changes. I finally ran HJT. Here is the log so far:

Logfile of HijackThis v1.99.1
Scan saved at 9:16:37 PM, on 6/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\AIM\AIM Pro\aimpro.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\steam\steam.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\iTunes\iTunes.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\HijackThis.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Steam] "d:\steam\steam.exe" -silent
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: Shortcut to YzDock.lnk = C:\yzdock\YzDock.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_12\bin\npjpi142_12.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_12\bin\npjpi142_12.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7E0FDFBB-87D4-43A1-9AD4-41F0EA8AFF7B} (Net6Launcher Class) - https://go.caducidxct.com/net6helper.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3164515-7C55-454A-9D06-07B3D50347DB}: Domain = caduceus_ny001
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3164515-7C55-454A-9D06-07B3D50347DB}: NameServer = 10.11.12.10
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe


Any suggestions?
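When reading a HijackThis log like the one above, the entries worth checking first are the ones that run code early or in every process: AppInit_DLLs and Winlogon Notify DLLs (O20), ActiveX downloads (O16), DNS and domain overrides (O17), services with no publisher string (O23), and Run or Startup items whose target sits outside the usual program directories or could not be resolved (O4). The script below is an added example written for this page; it is not HijackThis code and was not posted in the thread. It parses the line shapes seen in this log and flags those entries. The vendor-host list and trusted-directory list are assumptions chosen for illustration, and the sample lines are copied from the log above. A flag is a prompt to identify the file, not a verdict: on this machine the flagged items include a DLL under the Google program directory, a Check Point logon DLL, and a 10.x DNS server, all of which should be matched against the software the log shows is installed before anything is removed.

```python
"""Triage helper for HijackThis 1.x log lines (added example, not HJT code)."""
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed lists for illustration: hosts that commonly appear in benign O16
# entries, and directories where legitimate O4 targets normally live.
KNOWN_DPF_HOSTS = ("microsoft.com", "msn.com", "windowsupdate.com", "java.com", "adobe.com")
TRUSTED_DIRS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")

LINE_RE = re.compile(r"^(O\d+)\s+-\s+(.*\S)\s*$")
# Run target: either a quoted path or an unquoted path up to the first executable extension
TARGET_RE = re.compile(r'"([^"]+)"|(\S.*?\.(?:exe|dll|com|bat|scr|pif))', re.IGNORECASE)
DPF_RE = re.compile(r"DPF:\s+\{[^}]+\}\s+\(([^)]*)\)\s+-\s+(\S+)")
O17_RE = re.compile(r"(Domain|NameServer)\s*=\s*(\S.*)$")


@dataclass
class Entry:
    kind: str                     # "O4", "O20", ...
    text: str                     # everything after "O4 - "
    flags: list = field(default_factory=list)


def _known_host(host):
    return any(host == d or host.endswith("." + d) for d in KNOWN_DPF_HOSTS)


def _run_target(text):
    """'[name] target args' -> target path, quoted or not."""
    body = text.split("] ", 1)[1] if "] " in text else text
    m = TARGET_RE.match(body)
    return (m.group(1) or m.group(2)) if m else body


def _check_o2(e):
    if e.text.startswith("BHO: (no name)"):
        e.flags.append("BHO with no name: identify the DLL before deciding")


def _check_o4(e):
    if "Startup:" in e.text:                      # Startup / Global Startup shortcuts
        target = e.text.split(" = ", 1)[1] if " = " in e.text else ""
        if target == "?":
            e.flags.append("startup shortcut target not resolved by HJT")
            return
    else:                                         # HKLM/HKCU Run values
        target = _run_target(e.text)
    low = target.lower()
    if "\\" not in low:
        e.flags.append("unqualified filename: verify which file on the search path actually loads")
    elif not low.startswith(TRUSTED_DIRS):
        e.flags.append(f"runs from outside program directories: {target}")


def _check_o16(e):
    m = DPF_RE.search(e.text)
    if m:
        host = urlparse(m.group(2)).hostname or ""
        if not _known_host(host):
            e.flags.append(f"ActiveX download from non-vendor host {host}")


def _check_o17(e):
    m = O17_RE.search(e.text)
    if not m:
        return
    key, value = m.groups()
    if key != "NameServer":
        e.flags.append(f"connection-specific DNS domain {value!r}: confirm it belongs to your network")
        return
    for ip in value.replace(",", " ").split():
        try:
            scope = "private (RFC 1918)" if ipaddress.ip_address(ip).is_private else "public"
        except ValueError:
            e.flags.append(f"unparseable NameServer value {ip!r}")
            continue
        e.flags.append(f"DNS server override {ip} ({scope}): confirm it belongs to your network")


def _check_o20(e):
    if e.text.startswith("AppInit_DLLs:"):
        e.flags.append("AppInit_DLLs loads this DLL into every user32 process: identify the publisher")
    elif e.text.startswith("Winlogon Notify:"):
        e.flags.append("Winlogon Notify DLL runs inside winlogon.exe at logon: identify the publisher")


def _check_o23(e):
    parts = e.text.split(" - ")               # "Service: name - owner - path"
    if len(parts) >= 3 and parts[-2].strip().lower() == "unknown owner":
        e.flags.append(f"service with no publisher string: {parts[-1].strip()}")


CHECKS = {"O2": _check_o2, "O4": _check_o4, "O16": _check_o16,
          "O17": _check_o17, "O20": _check_o20, "O23": _check_o23}


def parse(log_text):
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(log_text):
    """Return only the entries that picked up at least one flag."""
    entries = parse(log_text)
    for e in entries:
        check = CHECKS.get(e.kind)
        if check:
            check(e)
    return [e for e in entries if e.flags]


# Sample input: lines copied from the HijackThis logs in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKCU\..\Run: [Steam] "d:\steam\steam.exe" -silent
O4 - Startup: Shortcut to YzDock.lnk = C:\yzdock\YzDock.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O16 - DPF: {7E0FDFBB-87D4-43A1-9AD4-41F0EA8AFF7B} (Net6Launcher Class) - https://go.caducidxct.com/net6helper.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3164515-7C55-454A-9D06-07B3D50347DB}: NameServer = 10.11.12.10
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\SYSTEM32\ckpNotify.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(entry.kind, entry.text)
        for flag in entry.flags:
            print("   ->", flag)
```

Entries with a well-known publisher in a normal location (the Dell, CA and Zone Labs items) produce no output; everything else is listed with the reason, so the analyst's next step is to identify each flagged file, not to delete it.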


#2 RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 13 June 2007 - 06:28 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum khunkao :thumbsup:

Please move HijackThis.exe to its own permanent folder on the hard drive such as C:\HJT
Create a new folder and place your HijackThis.exe inside that folder so that the backups of log changes it creates are saved in the same folder and can be used to reverse the line entry deletion if found to be necessary.

How to create a new folder named HJT
1. Click Start/My Computer. In the 'My Computer' window, open the window in which you want to create the new folder: click on Local Disk C:
2. From the 'File' menu choose 'New'.
3. From the 'New' menu choose 'Folder'.
4. Type the folder name: HJT
5. Then press Enter.

******************************

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer; click "OK".
Post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

******************************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.


******************************

Now go to:
C:\HJT\HijackThis.exe
Right click on Hijackthis.exe and select 'Rename', rename it to abc.bat
Double click on abc.bat (which is still HijackThis.exe) and post that log into your next reply please.

#3 khunkao

  • Topic Starter

  • Members
  • 33 posts

Posted 16 June 2007 - 06:43 AM

Hi Rich, I posted my outcome results last time for KillBox and SUPERAntiSpyware... I don't seem to see them here anymore. Did you see them?

#4 RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 17 June 2007 - 04:59 AM

Could you please follow my instructions above again.
The site recently changed over to a new server, but had problems and some topic replies were lost :thumbsup:

#5 khunkao

  • Topic Starter

  • Members
  • 33 posts

Posted 19 June 2007 - 07:05 PM

output from Vundo:

VundoFix V6.5.0

Checking Java version...

Scan started at 20:01:11 2007-06-19

Listing files found while scanning....

No infected files were found.

------------------------------------

output of ComboFix:

ComboFix 07-06-13.7 - C:\Documents and Settings\jmah\Desktop\ComboFix.exe
"jmah" - 2007-06-19 19:55:40 - Service Pack 2 NTFS


((((((((((((((((((((((((( Files Created from 2007-05-19 to 2007-06-19 )))))))))))))))))))))))))))))))


2007-06-16 20:40 <DIR> d-------- C:\Program Files\iTunes
2007-06-16 20:40 <DIR> d-------- C:\Program Files\iPod
2007-06-16 17:07 98,304 --a------ C:\WINDOWS\system32\LVComS.exe
2007-06-16 17:07 69,632 --a------ C:\WINDOWS\system32\LVUI2RC.dll
2007-06-16 17:07 59,904 --a------ C:\WINDOWS\system32\drivers\lvcam2.dll
2007-06-16 17:07 57,344 --a------ C:\WINDOWS\system32\LVComC.dll
2007-06-16 17:07 44,032 --a------ C:\WINDOWS\system32\drivers\lvce.sys
2007-06-16 17:07 412,672 --a------ C:\WINDOWS\system32\drivers\lvcodek2.dll
2007-06-16 17:07 33,280 --a------ C:\WINDOWS\system32\drivers\LVSound2.sys
2007-06-16 17:07 200,704 --a------ C:\WINDOWS\system32\LVUI2.dll
2007-06-16 17:07 172,032 --a------ C:\WINDOWS\system32\lvcodec2.dll
2007-06-16 17:07 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-06-16 17:07 <DIR> d-------- C:\Program Files\Windows Media Components
2007-06-16 17:07 <DIR> d-------- C:\Program Files\Common Files\Logitech
2007-06-16 17:06 <DIR> d-------- C:\Program Files\Logitech
2007-06-16 17:05 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2007-06-16 17:05 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2007-06-16 17:05 25,216 --a------ C:\WINDOWS\system32\drivers\OVSound2.sys
2007-06-16 17:05 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2007-06-16 17:05 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2007-06-16 17:05 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2007-06-16 17:05 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2007-06-16 17:05 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2007-06-16 17:04 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-06-16 17:04 48,000 --a------ C:\WINDOWS\system32\drivers\OVCam2.sys
2007-06-16 17:04 44,544 --a------ C:\WINDOWS\system32\OVUI2.dll
2007-06-16 17:04 41,984 --a------ C:\WINDOWS\system32\OVUI2RC.dll
2007-06-16 17:04 39,424 --a------ C:\WINDOWS\system32\OVComS.exe
2007-06-16 17:04 351,616 --a------ C:\WINDOWS\system32\drivers\OVCodek2.sys
2007-06-16 17:04 31,872 --a------ C:\WINDOWS\system32\drivers\OVCE.sys
2007-06-16 17:04 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-06-16 17:04 20,480 --a------ C:\WINDOWS\system32\OVComC.dll
2007-06-16 17:04 116,736 --a------ C:\WINDOWS\system32\OVCodec2.dll
2007-06-13 20:02 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-06-13 20:02 <DIR> d-------- C:\DOCUME~1\jmah\APPLIC~1\SUPERAntiSpyware.com
2007-06-13 20:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-06-13 19:55 <DIR> d-------- C:\!KillBox
2007-06-13 15:38 <DIR> d-------- C:\HJT
2007-06-13 15:27 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-13 15:08 <DIR> d-------- C:\VundoFix Backups
2007-06-13 02:19 <DIR> d-------- C:\DOCUME~1\jmah\.housecall6.6
2007-06-12 21:16 218,112 --a------ C:\HijackThis.exe
2007-06-12 19:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-12 19:43 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-12 07:48 <DIR> d-------- C:\Program Files\Western Digital Technologies
2007-06-10 19:38 <DIR> d-------- C:\DOCUME~1\jmah\APPLIC~1\dvdcss
2007-06-10 19:27 <DIR> d-------- C:\DOCUME~1\jmah\APPLIC~1\vlc
2007-06-10 19:24 <DIR> d-------- C:\Program Files\VideoLAN
2007-06-10 07:35 719,872 --a------ C:\WINDOWS\system32\devil.dll
2007-06-10 07:35 70,656 --a------ C:\WINDOWS\system32\yv12vfw.dll
2007-06-10 07:35 70,656 --a------ C:\WINDOWS\system32\i420vfw.dll
2007-06-10 07:35 66,560 --a------ C:\WINDOWS\MOTA113.exe
2007-06-10 07:35 502,784 --a------ C:\WINDOWS\x2.64.exe
2007-06-10 07:35 471,552 --a------ C:\WINDOWS\system32\Smab.dll
2007-06-10 07:35 31,232 -r-hs---- C:\WINDOWS\system32\msfDX.dll
2007-06-10 07:35 306,688 --a------ C:\WINDOWS\system32\avisynth.dll
2007-06-10 07:35 27,648 --a------ C:\WINDOWS\system32\AVSredirect.dll
2007-06-10 07:35 240,128 --a------ C:\WINDOWS\system32\x.264.exe
2007-06-10 07:35 217,073 --a------ C:\WINDOWS\meta4.exe
2007-06-10 07:35 163,328 -r-hs---- C:\WINDOWS\system32\flvDX.dll
2007-06-10 07:35 <DIR> d-------- C:\Program Files\eRightSoft
2007-06-10 07:35 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-06-07 08:19 <DIR> d-------- C:\DOCUME~1\jmah\APPLIC~1\ImgBurn
2007-06-07 02:30 <DIR> d-------- C:\Program Files\DVDFab Platinum 3
2007-06-07 02:13 87,608 --a------ C:\DOCUME~1\jmah\APPLIC~1\inst.exe
2007-06-07 02:13 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-06-07 02:13 47,360 --a------ C:\DOCUME~1\jmah\APPLIC~1\pcouffin.sys
2007-06-07 02:13 <DIR> d-------- C:\DOCUME~1\jmah\APPLIC~1\Vso
2007-06-06 23:06 <DIR> d-------- C:\Program Files\DVD Decrypter
2007-06-06 22:47 <DIR> d-------- C:\vobblanker
2007-06-06 22:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SlySoft
2007-06-04 15:18 9,344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 15:17 8,320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 15:14 6,272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-05-24 23:04 <DIR> d-------- C:\DOCUME~1\jmah\APPLIC~1\SlySoft
2007-05-24 23:03 <DIR> d-------- C:\Program Files\SlySoft
2007-05-24 20:53 <DIR> d-------- C:\Program Files\Red Kawa
2007-05-24 20:47 395,776 --a------ C:\WINDOWS\system32\libmplayer.dll
2007-05-24 20:47 34,820 --a------ C:\WINDOWS\system32\ffdshow.reg
2007-05-24 20:47 262,144 --a------ C:\WINDOWS\system32\TomsMoComp_ff.dll
2007-05-24 20:47 2,255,360 --a------ C:\WINDOWS\system32\libavcodec.dll
2007-05-24 20:47 112,640 --a------ C:\WINDOWS\system32\libmpeg2_ff.dll
2007-05-24 20:47 <DIR> d-------- C:\Program Files\Cucusoft
2007-05-24 20:47 <DIR> d-------- C:\ConverterOutput
2007-05-24 20:30 <DIR> d-------- C:\Program Files\QuickTime


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-17 00:38:05 -------- d-----w C:\Program Files\Apple Software Update
2007-06-12 23:44:13 -------- d-----w C:\Program Files\Lavasoft
2007-06-11 01:51:12 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-06-10 11:37:55 -------- d-----w C:\Program Files\K-Lite Codec Pack
2007-06-10 11:02:17 -------- d-----w C:\Program Files\Dell
2007-06-07 10:25:14 -------- d-----w C:\Program Files\DVD Shrink
2007-06-07 06:29:47 -------- d-----w C:\Program Files\PeerGuardian2
2007-06-07 05:58:22 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-03 18:31:28 10,752 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2007-05-31 12:44:56 740,442 ----a-w C:\WINDOWS\system32\divx.dll
2007-05-25 00:31:28 -------- d-----w C:\DOCUME~1\jmah\APPLIC~1\Apple Computer
2007-04-28 18:54:36 593,920 ----a-w C:\WINDOWS\system32\xvidcore.dll
2007-04-26 04:53:28 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
2007-04-25 00:25:22 -------- d-----w C:\Program Files\DameWare Development
2007-04-23 06:15:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-04-23 06:02:36 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-04-13 19:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
2006-07-02 01:22:50 88 -csh--r C:\WINDOWS\system32\F550F326E1.sys
2006-07-02 01:22:50 3,766 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 15:17]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 02:04]
{5CA3D70E-1895-11CF-8E15-001234567890}=C:\WINDOWS\system32\dla\tfswshx.dll [2004-12-06 02:05]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-04-06 15:58]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 12:48]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 21:15]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 21:29]
"Realtime Monitor"="C:\PROGRA~1\CA\ETRUST~1\realmon.exe" [2003-02-13 10:25]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 09:28]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 09:28]
"AtiPTA"="atiptaxx.exe" [2006-02-21 21:05 C:\WINDOWS\system32\atiptaxx.exe]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 17:30 C:\WINDOWS\stsystra.exe]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-09-24 09:39]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 03:24]
"Steam"="d:\steam\steam.exe" [2007-05-31 19:44]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-10-24 17:10]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-05-23 10:12]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d4b8fa24-8f05-11db-a6e6-0015c52103f8}]
AutoRun\command- G:\podcastready.exe


Contents of the 'Scheduled Tasks' folder
2007-06-17 00:37:02 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-19 19:58:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-19 19:58:59
C:\ComboFix-quarantined-files.txt ... 2007-06-19 19:58
C:\ComboFix2.txt ... 2007-06-13 15:36

--- E O F ---


------------------------------------

output of HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 20:00, on 2007-06-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\iTunes\iTunesHelper.exe
D:\steam\steam.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM\AIM Pro\aimpro.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\abc.bat.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [Steam] "d:\steam\steam.exe" -silent
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Shortcut to YzDock.lnk = C:\yzdock\YzDock.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_12\bin\npjpi142_12.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_12\bin\npjpi142_12.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by111fd.bay111.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3164515-7C55-454A-9D06-07B3D50347DB}: Domain = caduceus_ny001
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3164515-7C55-454A-9D06-07B3D50347DB}: NameServer = 10.11.12.10
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
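The ComboFix output above is where the rest of the picture is: its "Files Created" and "Find3M" sections list every file touched in the last month with a timestamp and attribute letters. Two things an analyst does with that listing are (1) pull out files with the hidden+system attribute combination, executables dropped straight into C:\WINDOWS, and executables sitting in a user profile, and (2) look at what else was created in the same minute, because the directories created alongside a file usually name the installer that put it there. The script below is an added example written for this page, not ComboFix code and not something posted in the thread. It parses the two row layouts exactly as they appear in this log; the attribute letters are checked only for the presence of 'h' and 's', and the profile-directory markers are an assumption. The sample rows are copied from the ComboFix log above. On this machine the C:\WINDOWS executables and the hidden system32 DLLs share a timestamp with the eRightSoft and AviSynth 2.5 program directories, which is the kind of context a flag should be read against before any file is deleted.

```python
"""Triage helper for ComboFix 'Files Created' / 'Find3M' rows (added example, not ComboFix code)."""
import re
from dataclasses import dataclass

# Row shape as it appears in this log:
#   2007-06-10 07:35 31,232 -r-hs---- C:\WINDOWS\system32\msfDX.dll
#   2007-06-17 00:38:05 -------- d-----w C:\Program Files\Apple Software Update   (Find3M, with seconds)
ROW_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?)\s+"   # timestamp, optional seconds
    r"(<DIR>|[\d,]+|-+)\s+"                             # size, <DIR>, or dashes
    r"([a-z-]{7,9})\s+"                                  # attribute letters
    r"(\S.*?)\s*$"                                       # path
)
EXEC_EXT = (".exe", ".dll", ".sys", ".com", ".scr", ".pif", ".bat")
# Assumed markers for "inside a user profile" on XP-era paths.
PROFILE_MARKERS = ("\\applic~1\\", "\\application data\\", "\\local settings\\")


@dataclass
class Row:
    ts: str
    size: str
    attrs: str
    path: str

    @property
    def is_dir(self):
        return self.size == "<DIR>" or self.attrs.startswith("d")


def parse(log_text):
    rows = []
    for line in log_text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(Row(*m.groups()))
    return rows


def reasons(row):
    """Why this row deserves a look; empty list means nothing stood out."""
    out = []
    if row.is_dir:
        return out
    low = row.path.lower()
    if {"h", "s"} <= set(row.attrs):
        out.append("hidden+system attributes")
    if low.endswith(EXEC_EXT):
        if low.rsplit("\\", 1)[0] == "c:\\windows":
            out.append("executable placed directly in C:\\WINDOWS")
        if any(mk in low for mk in PROFILE_MARKERS):
            out.append("executable inside a user profile directory")
    return out


def dirs_created_same_minute(rows, ts):
    """Directories whose creation minute matches ts; Find3M rows carry seconds, so trim to the minute."""
    minute = ts[:16]
    return sorted(r.path for r in rows if r.is_dir and r.ts[:16] == minute)


def triage(log_text):
    rows = parse(log_text)
    report = []
    for r in rows:
        why = reasons(r)
        if why:
            report.append({"path": r.path, "reasons": why,
                           "dirs_same_minute": dirs_created_same_minute(rows, r.ts)})
    return report


# Sample input: rows copied from the ComboFix log in this thread.
SAMPLE_LOG = r"""
2007-06-10 07:35 <DIR> d-------- C:\Program Files\eRightSoft
2007-06-10 07:35 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-06-10 07:35 66,560 --a------ C:\WINDOWS\MOTA113.exe
2007-06-10 07:35 31,232 -r-hs---- C:\WINDOWS\system32\msfDX.dll
2007-06-10 07:35 306,688 --a------ C:\WINDOWS\system32\avisynth.dll
2007-06-07 02:13 <DIR> d-------- C:\DOCUME~1\jmah\APPLIC~1\Vso
2007-06-07 02:13 87,608 --a------ C:\DOCUME~1\jmah\APPLIC~1\inst.exe
2007-06-07 02:30 <DIR> d-------- C:\Program Files\DVDFab Platinum 3
2007-06-16 20:40 <DIR> d-------- C:\Program Files\iTunes
2006-07-02 01:22:50 88 -csh--r C:\WINDOWS\system32\F550F326E1.sys
2007-06-17 00:38:05 -------- d-----w C:\Program Files\Apple Software Update
"""

if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print(item["path"])
        for why in item["reasons"]:
            print("   ->", why)
        print("   created alongside:", item["dirs_same_minute"] or "(nothing in that minute)")
```

A file with no directory created in the same minute (the 2006 .sys row here) is not thereby suspicious; it just has to be identified by other means, such as its publisher or the software that references it.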



