
Annoying Pop-ups.. Please Help!


10 replies to this topic

#1 jenim

jenim

  • Members
  • 46 posts
  • OFFLINE

Posted 02 July 2007 - 01:54 AM

Hi bleepingcomputer team -

Thanks for doing this great service for virus-infected computers like ours. I really hope you can help me out with the annoying pop-ups that I have been getting for the past two weeks.
When I first saw these pop-ups, I checked my Add/Remove Programs and found OuterInfo listed there. I clicked on Remove, and it showed a small pop-up to verify the serial code. When I did that, OuterInfo finally disappeared from the Add/Remove Programs list, but I don't know if it was completely removed or not.

In the Allowed pop-ups option in Internet Explorer, I also see Starsdoor.com, which I never added to the allowed pop-ups. I removed starsdoor from this option, but it didn't help. I don't know if OuterInfo and starsdoor are associated with each other.

I ran several spyware removal tools like Ad-Aware, Spy Sweeper, etc., and even ran the recommended "McAfee Avert Stinger"; I'm still getting the annoying pop-ups even as I'm typing this out.
Please help me get rid of these pop-ups. Thanks!

Below is the copy-paste of the HijackThis log:


#2 jenim

jenim
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE

Posted 02 July 2007 - 01:55 AM

Logfile of HijackThis v1.99.1
Scan saved at 2:34:24 AM, on 7/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
c:\winnt\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Altiris\AClient\AClient.exe
c:\Program Files\AppSense Technologies\Application Manager Agent\ASAgent.exe
c:\Program Files\AppSense Technologies\Auditing Agent\AUAgent.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
c:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
c:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\AppSense Technologies\Application Manager Agent\AMAgentAssist.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
c:\Program Files\Netdeploy\Launcher\ndserv.exe
c:\Program Files\Netdeploy\Schedule Agent\ndinit.exe
c:\Program Files\Netdeploy\Schedule Agent\ndtask.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINNT\system32\svchost.exe
c:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINNT\system32\mqsvc.exe
c:\Program Files\Softricity\SoftGrid for Windows Desktops\sftlist.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\WINNT\system32\mqtgsvc.exe
c:\Program Files\Citrix\ICA Client\ssonsvr.exe
c:\Program Files\Softricity\SoftGrid for Windows Desktops\sftdcc.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Netdeploy\Schedule Agent\ndtask.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\RightFax\FaxCtrl.exe
C:\Program Files\Altiris\AClient\AClntUsr.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\Canon\SCANGE~1\SGTBox.exe
C:\WINNT\system32\ntvdm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Netdeploy\Usage Agent\mgsusageag.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\rundll32.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,"c:\Program Files\Softricity\SoftGrid for Windows Desktops\sftdcc.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: LexLink IE ToolBar - {CBAA6F21-985C-11D4-A02B-00B0D073E889} - c:\Program Files\LexisNexis\CheckCite\llieobj.dll
O4 - HKLM\..\Run: [SchedulingAgent_nDG] "c:\Program Files\Netdeploy\Schedule Agent\ndschedag.exe" -o RunNDStartup=True -o Startup=True
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINNT\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINNT\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINNT\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINNT\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINNT\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\\FaxCtrl.exe
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [runner1] C:\WINNT\retadpu11.exe 61A847B5BBF72813338B2B27128065E9C084320161C4661227A755E9C2933154389A28452DA545E9B1894E754BE546321EBB44A793D76257339A26033AAC
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll (file missing)
O15 - Trusted Zone: *.debit
O15 - Trusted Zone: *.debit2
O15 - Trusted Zone: http://*.DesktopMgmt
O15 - Trusted Zone: *.nydebiis01
O15 - Trusted Zone: *.nyiis01
O15 - Trusted Zone: *.webiis
O15 - Trusted Zone: *.westlaw.com
O15 - Trusted Zone: *.debit (HKLM)
O15 - Trusted Zone: *.debit2 (HKLM)
O15 - Trusted Zone: http://*.DesktopMgmt (HKLM)
O15 - Trusted Zone: http://*.einvoice (HKLM)
O15 - Trusted Zone: *.nydebiis01 (HKLM)
O15 - Trusted Zone: *.nyiis01 (HKLM)
O15 - Trusted Zone: *.webiis (HKLM)
O15 - Trusted Zone: *.westlaw.com (HKLM)
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.kumudam.com/wfplayer/tdserver.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136389700814
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = deb.net
O17 - HKLM\Software\..\Telephony: DomainName = deb.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = deb.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = deb.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = deb.net
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - c:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: pcdocs - {EDC110E5-4CFB-4FEE-813A-BF796297030E} - c:\Program Files\DocsOpen\Progs396\perclnt2\PwDMoniker.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - c:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
O23 - Service: AppSense Application Manager Agent - AppSense Technologies - c:\Program Files\AppSense Technologies\Application Manager Agent\ASAgent.exe
O23 - Service: AppSense Auditing Agent - AppSense Technologies - c:\Program Files\AppSense Technologies\Auditing Agent\AUAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Insight Local Alerter (CPQALERT) - Hewlett-Packard Company - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - c:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINNT\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINNT\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBOID.EXE
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINNT\system32\IcdSptSv.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: ManageSoft installation agent (ndGlobalLauncher) - ManageSoft Corp - c:\Program Files\Netdeploy\Launcher\ndserv.exe
O23 - Service: ManageSoft managed device (ndinit) - ManageSoft Corp - c:\Program Files\Netdeploy\Schedule Agent\ndinit.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SoftGrid Client (sftlist) - Softricity, Inc. - c:\Program Files\Softricity\SoftGrid for Windows Desktops\sftlist.exe
O23 - Service: SoftGrid Virtual Services Manager (sftvsm) - Unknown owner - c:\Program Files\Softricity\SoftGrid for Windows Desktops\sftvsm.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - c:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
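As an added triage example (not part of this thread, and not HijackThis's own logic), the Python below reads HijackThis entries like the ones in the log above and flags the kinds of lines a helper would ask about: an autorun executable sitting directly in the Windows directory or carrying a long hexadecimal argument (like the `runner1` line), `(file missing)` orphans, wildcard Trusted Zone entries, and O16 ActiveX downloads from non-Microsoft hosts. The sample lines are constructed from the log above, and the heuristics are my own assumptions: hints for a human reviewer, not verdicts.

```python
"""Triage helper for HijackThis v1.99-style log lines.

Added example; the rules below are assumptions chosen to surface entries
worth a second look, not a detection engine.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a few lines copied from the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [runner1] C:\WINNT\retadpu11.exe 61A847B5BBF72813338B2B27128065E9C084320161C4661227A755E9C2933154389A28452DA545E9B1894E754BE546321EBB44A793D76257339A26033AAC
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll (file missing)
O15 - Trusted Zone: *.westlaw.com
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.kumudam.com/wfplayer/tdserver.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136389700814
"""

# "O4 - <body>", "R1 - <body>", "F2 - <body>" and so on.
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O4 Run-key entries: "HKLM\..\Run: [name] command".
RUN_RE = re.compile(r"^HK(LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# An executable directly under C:\WINNT or C:\WINDOWS (no subfolder).
WINROOT_EXE_RE = re.compile(r'^"?[A-Za-z]:\\(WINNT|WINDOWS)\\[^\\"]+\.exe"?', re.IGNORECASE)
# A run of 32+ hex digits passed as an argument.
HEX_ARG_RE = re.compile(r"\b[0-9A-Fa-f]{32,}\b")
# O16 entries: "DPF: {CLSID} (description) - url".
DPF_RE = re.compile(r"^DPF: \{[0-9A-F-]+\} \((?P<desc>[^)]*)\) - (?P<url>\S+)$", re.IGNORECASE)


@dataclass
class Finding:
    kind: str    # HijackThis section, e.g. "O4"
    reason: str  # why a human should look at it
    line: str    # the original log line


def triage_line(line: str) -> list[Finding]:
    """Return zero or more findings for a single HijackThis log line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []  # process list, header lines, blanks
    kind, body = m.group("kind"), m.group("body")
    findings: list[Finding] = []

    if "(file missing)" in body:
        findings.append(Finding(kind, "references a file that no longer exists (orphaned entry)", line))

    if kind == "O4":
        run = RUN_RE.match(body)
        if run:
            cmd = run.group("cmd")
            if WINROOT_EXE_RE.match(cmd):
                findings.append(Finding(kind, "autorun executable sits directly in the Windows directory", line))
            if HEX_ARG_RE.search(cmd):
                findings.append(Finding(kind, "autorun command carries a long hexadecimal argument", line))
    elif kind == "O15" and "*" in body:
        findings.append(Finding(kind, "wildcard Trusted Zone entry relaxes IE security for a whole domain; confirm it is intended", line))
    elif kind == "O16":
        dpf = DPF_RE.match(body)
        if dpf:
            host = urlparse(dpf.group("url")).hostname or ""
            if not (host == "microsoft.com" or host.endswith(".microsoft.com")):
                findings.append(Finding(kind, f"ActiveX control downloaded from {host}; confirm the source", line))
    return findings


def triage_log(text: str) -> list[Finding]:
    """Run triage_line over every line of a log and collect the findings."""
    findings: list[Finding] = []
    for line in text.splitlines():
        findings.extend(triage_line(line))
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line.strip()}")
```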

#3 sjpritch25

sjpritch25

  • Security Colleague
  • 891 posts
  • OFFLINE
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 02 July 2007 - 09:46 PM

Welcome to BC :thumbsup:

Download Combofix and save it to your desktop.
http://download.bleepingcomputer.com/sUBs/ComboFix.exe


Note: It is important that it is saved directly to your desktop

Close any open browsers.

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.

Post the ComboFix.txt and a fresh Hijackthis log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Microsoft MVP Consumer Security--2007-2010

#4 jenim

jenim
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE

Posted 03 July 2007 - 03:20 PM

Thanks for looking into my adware problem.

This is the log file after running ComboFix:
------------------------------------------------------------

"nat" - 2007-07-03 16:04:59 - ComboFix 07-07-03.9 - Service Pack 2


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\crosof~1.net
C:\Program Files\dobe~1
C:\Program Files\inetget2
C:\Program Files\racle~1
C:\temp\tn3
C:\WINNT\b122.exe
C:\WINNT\b136.exe
C:\WINNT\icroso~1
C:\WINNT\stem~1
C:\WINNT\system32\drivers\core.cache.dsk
C:\WINNT\system32\drivers\core.sys
C:\WINNT\system32\wintiit32.exe
C:\WINNT\system32\ymbols~1
C:\WINNT\uninstall_nmon.vbs
C:\WINNT\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_NETWORK_MONITOR
-------\core


((((((((((((((((((((((((( Files Created from 2007-06-03 to 2007-07-03 )))))))))))))))))))))))))))))))


2007-07-03 16:03 51,200 --a------ C:\WINNT\nircmd.exe
2007-06-30 12:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-30 11:55 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-30 11:51 <DIR> d-------- C:\Spyware Remover
2007-06-29 17:52 <DIR> d-------- C:\Program Files\Canon
2007-06-29 17:51 <DIR> d-------- C:\TEMP\ScanGearToolboxCSv223
2007-06-29 17:51 <DIR> d-------- C:\TEMP\~~adtmp~
2007-06-29 17:40 15,104 --a------ C:\WINNT\system32\drivers\usbscan.sys
2007-06-29 17:39 <DIR> d-------- C:\TEMP\CanoScanCSUv571a
2007-06-29 17:39 <DIR> d-------- C:\TEMP\2343.tmp
2007-06-29 17:39 <DIR> d-------- C:\CanoScan_N1220U_CSUv571a
2007-06-29 00:14 23,864 --a------ C:\WINNT\system32\drivers\sskbfd.sys
2007-06-29 00:14 21,816 --a------ C:\WINNT\system32\drivers\sshrmd.sys
2007-06-29 00:14 20,280 --a------ C:\WINNT\system32\drivers\SSFS0BB8.sys
2007-06-29 00:14 160,056 --a------ C:\WINNT\system32\drivers\ssidrv.sys
2007-06-29 00:13 1,520,952 --a------ C:\WINNT\WRSetup.dll
2007-06-29 00:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-06-28 23:37 <DIR> d-------- C:\Program Files\Webroot
2007-06-28 23:37 <DIR> d-------- C:\DOCUME~1\unataraj\APPLIC~1\Webroot
2007-06-28 22:35 57,344 --a------ C:\TEMP\InstHelp.dll
2007-06-28 22:35 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-28 22:35 <DIR> d-------- C:\DOCUME~1\unataraj\APPLIC~1\Lavasoft
2007-06-27 08:25 <DIR> d-------- C:\PerfLogs
2007-06-27 02:28 16,384 --a----t- C:\TEMP\Perflib_Perfdata_ddc.dat
2007-06-27 02:13 852,566 --a------ C:\TEMP\cmdinst.exe
2007-06-27 02:13 <DIR> d--hs---- C:\WINNT\RGViZXZvaXNlIFVzZXI
2007-06-26 02:34 <DIR> d-------- C:\DOCUME~1\unataraj\APPLIC~1\WinRAR
2007-06-25 14:25 <DIR> d-------- C:\Recipes
2007-06-25 03:52 <DIR> d-------- C:\WinFormC#
2007-06-25 03:47 <DIR> d-------- C:\TEMP\NERDA.tmp
2007-06-25 01:26 <DIR> d-------- C:\ux
2007-06-25 00:27 13,312 --a------ C:\TEMP\UnInstall.exe
2007-06-25 00:22 <DIR> d-------- C:\TEMP\Wram
2007-06-22 20:29 <DIR> d-------- C:\Prasanna's Home
2007-06-20 02:31 <DIR> d-------- C:\Program Files\Microsoft Visual SourceSafe
2007-06-20 00:00 45,056 --a------ C:\TEMP\GLF8.tmp.dll
2007-06-19 23:42 40,960 --a------ C:\TEMP\DispReadmeTop.exe
2007-06-19 23:41 81,920 --a------ C:\TEMP\IMS.dll
2007-06-19 23:41 49,152 --a------ C:\TEMP\EdRegAcd.dll
2007-06-19 23:41 45,056 --a------ C:\TEMP\ChkWmf9.dll
2007-06-19 23:41 39,048 --a------ C:\WINNT\system32\drivers\IcdUsb2.sys
2007-06-19 23:41 31,744 --a------ C:\WINNT\system32\drivers\ICDSX.sys
2007-06-19 23:41 26,409 --a------ C:\WINNT\system32\drivers\Icdusb.sys
2007-06-19 23:41 184,320 --a------ C:\TEMP\UnUsb.exe
2007-06-19 23:41 156,289 --a------ C:\TEMP\WSS.EXE
2007-06-19 23:41 <DIR> d-------- C:\TEMP\soniclauc
2007-06-19 23:41 <DIR> d-------- C:\Program Files\SONY
2007-06-19 23:40 94,208 --a------ C:\WINNT\system32\IcdYsys.dll
2007-06-19 23:40 90,112 --a------ C:\WINNT\system32\IcdSConv.dll
2007-06-19 23:40 86,016 --a------ C:\WINNT\system32\spicc.dll
2007-06-19 23:40 86,016 --a------ C:\WINNT\system32\IcdCdda.dll
2007-06-19 23:40 81,920 --a------ C:\WINNT\system32\dsp_trc.dll
2007-06-19 23:40 770,048 --a------ C:\WINNT\system32\CDDBUISony.dll
2007-06-19 23:40 77,824 --a------ C:\WINNT\system32\IcdMSCom.dll
2007-06-19 23:40 73,728 --a------ C:\WINNT\system32\CddbLinkSony.dll
2007-06-19 23:40 69,632 --a------ C:\WINNT\system32\IcdSptSv.exe
2007-06-19 23:40 655,360 --a------ C:\WINNT\system32\CDDBControlSony.dll
2007-06-19 23:40 65,536 --a------ C:\WINNT\system32\rcnv2.dll
2007-06-19 23:40 61,440 --a------ C:\WINNT\system32\ICDUSB2.dll
2007-06-19 23:40 61,440 --a------ C:\WINNT\system32\DSConv.dll
2007-06-19 23:40 573,440 --a------ C:\WINNT\system32\id3lib.dll
2007-06-19 23:40 57,344 --a------ C:\WINNT\system32\StrmOut.dll
2007-06-19 23:40 57,344 --a------ C:\WINNT\system32\ICDUSB.dll
2007-06-19 23:40 57,344 --a------ C:\WINNT\system32\IcdSpi.dll
2007-06-19 23:40 46,080 --------- C:\WINNT\system32\drivers\PxHelp20.sys
2007-06-19 23:40 348,160 --a------ C:\WINNT\system32\MP3Enc.dll
2007-06-19 23:40 323,584 --a------ C:\WINNT\system32\LPEC.dll
2007-06-19 23:40 317,440 --a------ C:\WINNT\system32\IcdXa.dll
2007-06-19 23:40 28,672 --a------ C:\WINNT\system32\spc.dll
2007-06-19 23:40 28,672 --a------ C:\WINNT\system32\IcdShare.dll
2007-06-19 23:40 28,160 --a------ C:\WINNT\system32\icdcomm.dll
2007-06-19 23:40 24,576 --a------ C:\WINNT\system32\IcdSptSvps.dll
2007-06-19 23:40 229,376 --a------ C:\WINNT\system32\IcdStor2.dll
2007-06-19 23:40 208,896 --a------ C:\WINNT\system32\ICDFConv.dll
2007-06-19 23:40 2,560 --------- C:\WINNT\system32\drivers\cdralw2k.sys
2007-06-19 23:40 2,432 --------- C:\WINNT\system32\drivers\cdr4_xp.sys
2007-06-19 23:40 176,128 --a------ C:\WINNT\system32\IcdShlex.dll
2007-06-19 23:40 157,352 --------- C:\WINNT\system32\pxwma.dll
2007-06-19 23:40 126,976 --a------ C:\WINNT\system32\icdcomm3.dll
2007-06-19 23:40 126,976 --a------ C:\WINNT\system32\icdcomm2.dll
2007-06-19 23:40 122,880 --a------ C:\WINNT\system32\trc.dll
2007-06-19 23:40 115,880 --------- C:\WINNT\system32\pxinsi64.exe
2007-06-19 23:40 114,856 --------- C:\WINNT\system32\pxcpyi64.exe
2007-06-19 23:40 1,681,056 --a------ C:\TEMP\pxengine3_00_48a.exe
2007-06-19 23:37 45,056 --a------ C:\TEMP\GLF7.tmp.dll
2007-06-19 23:37 45,056 --------- C:\TEMP\DveOsLang.dll
2007-06-19 23:37 <DIR> d-------- C:\SONY
2007-06-18 03:21 <DIR> d-------- C:\Visual Studio VB
2007-06-16 00:52 <DIR> d-------- C:\DOCUME~1\unataraj\APPLIC~1\InterVideo
2007-06-15 20:20 <DIR> d-------- C:\DOCUME~1\unataraj\APPLIC~1\CopyToDvd
2007-06-15 19:51 <DIR> d-------- C:\TEMP\NERF8.tmp
2007-06-15 19:48 9,600 --a------ C:\WINNT\system32\drivers\hidusb.sys
2007-06-15 19:48 31,616 --a------ C:\WINNT\system32\drivers\usbccgp.sys
2007-06-14 21:20 <DIR> d-------- C:\DOCUME~1\unataraj\APPLIC~1\vlc
2007-06-14 19:41 <DIR> d-------- C:\Movies
2007-06-10 22:59 <DIR> d-------- C:\From WNYMIS007596
2007-06-10 22:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\vsosdk
2007-06-09 00:28 302,648 --a------ C:\TEMP\ywc_update2.exe
2007-06-07 11:44 <DIR> d-------- C:\Resume
2007-06-06 12:27 <DIR> d-------- C:\Medical Insurance


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-03 20:10:22 -------- d-----w C:\Program Files\Symantec AntiVirus
2007-06-16 05:26:00 -------- d-----w C:\DOCUME~1\unataraj\APPLIC~1\Vso
2007-06-16 05:24:04 -------- d-----w C:\Program Files\VSO
2007-06-10 05:09:15 -------- d-----w C:\DOCUME~1\unataraj\APPLIC~1\Ahead
2007-06-02 23:43:14 -------- d-----w C:\Program Files\softwise
2007-05-30 18:22:38 -------- d-----w C:\Program Files\Nero
2007-05-30 18:05:36 -------- d-----w C:\Program Files\DVD Shrink
2007-05-30 18:04:10 87,608 ----a-w C:\DOCUME~1\unataraj\APPLIC~1\inst.exe
2007-05-30 18:04:10 47,360 ----a-w C:\WINNT\system32\drivers\pcouffin.sys
2007-05-30 18:04:10 47,360 ----a-w C:\DOCUME~1\unataraj\APPLIC~1\pcouffin.sys
2007-05-27 08:06:49 -------- d-----w C:\DOCUME~1\unataraj\APPLIC~1\ICAClient
2007-05-26 18:15:23 -------- d-----w C:\Program Files\Common Files\Merge Modules
2007-05-26 18:12:53 -------- d-----w C:\Program Files\Microsoft Visual Studio 8
2007-05-26 18:11:57 -------- d-----w C:\Program Files\CE Remote Tools
2007-05-19 04:06:22 -------- d-----w C:\Program Files\MSBuild
2007-05-19 04:00:13 -------- d-----w C:\Program Files\Common Files\Business Objects
2007-05-19 01:00:19 -------- d-----w C:\Program Files\Microsoft SQL Server
2007-05-19 00:58:50 -------- d-----w C:\Program Files\Microsoft.NET
2007-05-19 00:56:38 -------- d-----w C:\Program Files\Microsoft SQL Server 2005 Mobile Edition
2007-04-06 23:47:40 8,546 ----a-w C:\WINNT\system32\shortcut_ex.dat
2004-08-04 08:00:00 73,728 --sha-w C:\WINNT\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
2005-08-02 20:46:54 187,904 --sha-r C:\WINNT\RGViZXZvaXNlIFVzZXI\asappsrv.dll
2005-08-02 20:58:38 293,888 --sha-r C:\WINNT\RGViZXZvaXNlIFVzZXI\command.exe
2005-07-29 20:24:26 472 --sha-r C:\WINNT\RGViZXZvaXNlIFVzZXI\l3p2trtSurh5KIpWtrK.vbs


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2003-11-03 18:17 54248 --a------ c:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SchedulingAgent_nDG"="c:\Program Files\Netdeploy\Schedule Agent\ndschedag.exe" [2004-07-26 04:15]
"ChkAdmin"="C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE" [2004-07-19 17:12]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-10 19:02]
"vptray"="c:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-12-30 15:19]
"RightFAX Print-to-Fax Driver"="C:\Program Files\RightFax\\FaxCtrl.exe" [2005-03-11 11:47]
"AClntUsr"="C:\Program Files\Altiris\AClient\AClntUsr.EXE" [2007-07-03 16:09]
"Synchronization Manager"="%SystemRoot%\system32\mobsync.exe" []
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-11-08 18:00]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-05-09 12:04]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-06-21 18:57]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-27 15:22]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" [2007-06-21 18:57]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"=1 (0x1)
"ForceActiveDesktopOn"=1
"UseDesktopIniCache"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=1 (0x1)
"ForceClassicControlPanel"=1 (0x1)
"NoWindowsUpdate"=1 (0x1)
"ForceStartMenuLogOff"=1 (0x1)
"Intellimenus"=1 (0x1)
"NoRecentDocsNetHood"=1 (0x1)
"DisablePersonalDirChange"=1 (0x1)
"NoWelcomeScreen"=1 (0x1)
"NoBandCustomize"=1 (0x1)
"NoChangeStartMenu"=1 (0x1)
"NoHardwareTab"=1 (0x1)
"NoCommonGroups"=1 (0x1)
"DisallowRun"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\DisallowRun]
"1"=mscvb32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=admin.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\1]
"Script"=Serial2.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=LogLocalAdmin2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2720657771-3418192679-767377221-500\Scripts\Logoff\0\0]
"Script"=Logout.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-11256\Scripts\Logoff\0\0]
"Script"=Logout.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-11256\Scripts\Logoff\1\0]
"Script"=OutlookLogoff.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-11256\Scripts\Logoff\2\0]
"Script"=TempDelete.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-11256\Scripts\Logoff\3\0]
"Script"=DotSync.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-11256\Scripts\Logoff\4\0]
"Script"=DotSync.exe OFF

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-11256\Scripts\Logon\0\0]
"Script"=RandomProxy.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-11256\Scripts\Logon\1\0]
"Script"=DeleteOffice10Reg.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-11256\Scripts\Logon\1\1]
"Script"=OutlookLogon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-11256\Scripts\Logon\2\0]
"Script"=AcrobatRegistration.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-11256\Scripts\Logon\2\1]
"Script"=Lexis.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-11256\Scripts\Logon\2\2]
"Script"=VirusClean.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-11256\Scripts\Logon\2\3]
"Script"=Logons.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-11256\Scripts\Logon\3\0]
"Script"=Logons.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-21822\Scripts\Logoff\0\0]
"Script"=Logout.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-21822\Scripts\Logoff\1\0]
"Script"=TempDelete.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-21822\Scripts\Logon\0\0]
"Script"=RandomProxy.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-21822\Scripts\Logon\1\0]
"Script"=AcrobatRegistration.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-21822\Scripts\Logon\1\1]
"Script"=Lexis.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-21822\Scripts\Logon\1\2]
"Script"=VirusClean.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-21822\Scripts\Logon\1\3]
"Script"=Logons.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-27511\Scripts\Logoff\0\0]
"Script"=Logout.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-27511\Scripts\Logoff\1\0]
"Script"=OutlookLogoff.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-27511\Scripts\Logoff\2\0]
"Script"=TempDelete.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-27511\Scripts\Logoff\3\0]
"Script"=DotSync.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-27511\Scripts\Logoff\4\0]
"Script"=DotSync.exe OFF

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-27511\Scripts\Logon\0\0]
"Script"=RandomProxy.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-27511\Scripts\Logon\1\0]
"Script"=DeleteOffice10Reg.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-27511\Scripts\Logon\1\1]
"Script"=OutlookLogon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-27511\Scripts\Logon\2\0]
"Script"=AcrobatRegistration.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-27511\Scripts\Logon\2\1]
"Script"=Lexis.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-27511\Scripts\Logon\2\2]
"Script"=VirusClean.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-27511\Scripts\Logon\3\0]
"Script"=Logons.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-27734\Scripts\Logoff\0\0]
"Script"=Logout.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-27734\Scripts\Logon\0\0]
"Script"=RandomProxy.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-31451\Scripts\Logoff\0\0]
"Script"=Logout.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-31451\Scripts\Logoff\1\0]
"Script"=OutlookLogoff.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-31451\Scripts\Logoff\2\0]
"Script"=TempDelete.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-31451\Scripts\Logon\0\0]
"Script"=RandomProxy.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-31451\Scripts\Logon\1\0]
"Script"=DeleteOffice10Reg.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-31451\Scripts\Logon\1\1]
"Script"=OutlookLogon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-31451\Scripts\Logon\2\0]
"Script"=AcrobatRegistration.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-31451\Scripts\Logon\2\1]
"Script"=Lexis.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-31451\Scripts\Logon\2\2]
"Script"=VirusClean.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-31451\Scripts\Logon\2\3]
"Script"=Logons.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-31451\Scripts\Logon\3\0]
"Script"=Logons.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-31451\Scripts\Logon\3\1]
"Script"=RemoveBlackberry.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-34938\Scripts\Logoff\0\0]
"Script"=Logout.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-34938\Scripts\Logoff\1\0]
"Script"=OutlookLogoff.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-34938\Scripts\Logoff\2\0]
"Script"=TempDelete.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-34938\Scripts\Logoff\3\0]
"Script"=DotSync.exe OFF

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-34938\Scripts\Logon\0\0]
"Script"=RandomProxy.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-34938\Scripts\Logon\1\0]
"Script"=DeleteOffice10Reg.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-34938\Scripts\Logon\1\1]
"Script"=OutlookLogon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-34938\Scripts\Logon\2\0]
"Script"=AcrobatRegistration.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-34938\Scripts\Logon\2\1]
"Script"=Lexis.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-34938\Scripts\Logon\2\2]
"Script"=VirusClean.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-34938\Scripts\Logon\2\3]
"Script"=Logons.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-6859\Scripts\Logoff\0\0]
"Script"=Logout.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-6859\Scripts\Logoff\1\0]
"Script"=OutlookLogoff.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-6859\Scripts\Logoff\2\0]
"Script"=TempDelete.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-6859\Scripts\Logon\0\0]
"Script"=RandomProxy.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-6859\Scripts\Logon\1\0]
"Script"=DeleteOffice10Reg.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-6859\Scripts\Logon\1\1]
"Script"=OutlookLogon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-6859\Scripts\Logon\2\0]
"Script"=AcrobatRegistration.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-6859\Scripts\Logon\2\1]
"Script"=Lexis.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-6859\Scripts\Logon\2\2]
"Script"=VirusClean.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-6859\Scripts\Logon\2\3]
"Script"=Logons.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-6909\Scripts\Logoff\0\0]
"Script"=Logout.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-6909\Scripts\Logoff\1\0]
"Script"=OutlookLogoff.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-6909\Scripts\Logoff\2\0]
"Script"=TempDelete.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-6909\Scripts\Logon\0\0]
"Script"=RandomProxy.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-6909\Scripts\Logon\1\0]
"Script"=DeleteOffice10Reg.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-6909\Scripts\Logon\1\1]
"Script"=OutlookLogon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-6909\Scripts\Logon\2\0]
"Script"=AcrobatRegistration.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-6909\Scripts\Logon\2\1]
"Script"=Lexis.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-6909\Scripts\Logon\2\2]
"Script"=VirusClean.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-6909\Scripts\Logon\2\3]
"Script"=Logons.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-6909\Scripts\Logon\3\0]
"Script"=Logons.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-6909\Scripts\Logon\3\1]
"Script"=RemoveBlackberry.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-9126\Scripts\Logoff\0\0]
"Script"=Logout.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-9126\Scripts\Logoff\1\0]
"Script"=OutlookLogoff.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-9126\Scripts\Logoff\2\0]
"Script"=TempDelete.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-9126\Scripts\Logoff\3\0]
"Script"=DotSync.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-9126\Scripts\Logoff\4\0]
"Script"=DotSync.exe OFF

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-9126\Scripts\Logon\0\0]
"Script"=RandomProxy.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-9126\Scripts\Logon\1\0]
"Script"=DeleteOffice10Reg.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-9126\Scripts\Logon\1\1]
"Script"=OutlookLogon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-9126\Scripts\Logon\2\0]
"Script"=AcrobatRegistration.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-9126\Scripts\Logon\2\1]
"Script"=Lexis.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-9126\Scripts\Logon\2\2]
"Script"=VirusClean.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-9126\Scripts\Logon\2\3]
"Script"=Logons.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-9126\Scripts\Logon\3\0]
"Script"=Logons.vbs

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]


**************************************************************************

catchme 0.3.914 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-03 16:11:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-03 16:13:23 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-03 16:13

--- E O F ---

Edited by jenim, 03 July 2007 - 03:27 PM.
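The long run of "group policy\state" keys in the ComboFix dump above is Windows' own record, per user SID, of which Group Policy logon and logoff scripts the Group Policy client has applied on this domain-joined machine. Whatever is listed there ran in the user's session at logon or logoff, so on a suspected infection the list should be reconciled against the scripts the domain's GPOs are actually meant to deploy. The Python below is an added example for doing that first pass; it is not part of this thread and not ComboFix's own code. It parses a dump in the format shown, lists the distinct script commands per phase and pulls out entries that are not plain .vbs files (such as the DotSync.exe OFF entry) so an analyst can check each one. The sample dump embedded in it is constructed from a handful of entries shaped like the ones above.

```python
import re
from collections import defaultdict

# Constructed sample dump: a few keys in the same layout as the ComboFix
# "group policy\state" section above (per-SID Logon/Logoff script entries).
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-27734\Scripts\Logoff\0\0]
"Script"=Logout.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-27734\Scripts\Logon\0\0]
"Script"=RandomProxy.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-34938\Scripts\Logoff\3\0]
"Script"=DotSync.exe OFF

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-7431124-25503001-2015980265-34938\Scripts\Logon\0\0]
"Script"=RandomProxy.vbs

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]
"""

# Key path: ...\group policy\state\<SID>\Scripts\<Logon|Logoff>\<gpo index>\<script index>
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\"
    r"group policy\\state\\(?P<sid>S-1-5-21-[\d-]+)\\Scripts\\"
    r"(?P<phase>Logon|Logoff)\\(?P<gpo>\d+)\\(?P<idx>\d+)\]$",
    re.IGNORECASE,
)
VALUE_RE = re.compile(r'^"Script"=(?P<script>.+)$')


def parse_gp_scripts(dump):
    """Map each SID to {phase: [(gpo_index, script_index, script), ...]}.

    Keys outside the Group Policy state tree are skipped, so an unedited
    dump can be fed in as-is.
    """
    scripts = defaultdict(lambda: defaultdict(list))
    current = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = m.groupdict() if m else None
            continue
        m = VALUE_RE.match(line)
        if current is not None and m:
            scripts[current["sid"]][current["phase"]].append(
                (int(current["gpo"]), int(current["idx"]), m.group("script"))
            )
    return {sid: dict(phases) for sid, phases in scripts.items()}


def scripts_for_phase(parsed, phase):
    """Distinct script commands recorded for a phase across all users."""
    return {script for phases in parsed.values()
            for _, _, script in phases.get(phase, [])}


def non_vbs_entries(parsed):
    """Entries whose command is not a .vbs file (e.g. an .exe with arguments)."""
    found = []
    for sid, phases in parsed.items():
        for phase, entries in phases.items():
            for _, _, script in entries:
                if not script.split()[0].lower().endswith(".vbs"):
                    found.append((sid, phase, script))
    return found


if __name__ == "__main__":
    parsed = parse_gp_scripts(SAMPLE_DUMP)
    for phase in ("Logon", "Logoff"):
        print(phase, sorted(scripts_for_phase(parsed, phase)))
    for sid, phase, script in non_vbs_entries(parsed):
        print("review:", sid, phase, script)
```

Feed it the full dump from a ComboFix log and compare the output with the scripts the domain admins know about; a script name that nobody recognises is the thing to chase, whichever user it is attached to.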


#5 jenim

jenim
  • Topic Starter

  • Members
  • 46 posts
  • Local time:06:44 AM

Posted 03 July 2007 - 03:24 PM

And this is the HijackThis file log:

Logfile of HijackThis v1.99.1
Scan saved at 16:21, on 2007-07-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
c:\winnt\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Altiris\AClient\AClient.exe
c:\Program Files\AppSense Technologies\Application Manager Agent\ASAgent.exe
c:\Program Files\AppSense Technologies\Auditing Agent\AUAgent.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
c:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
c:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\AppSense Technologies\Application Manager Agent\AMAgentAssist.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
c:\Program Files\Netdeploy\Launcher\ndserv.exe
c:\Program Files\Netdeploy\Schedule Agent\ndinit.exe
c:\Program Files\Netdeploy\Schedule Agent\ndtask.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINNT\system32\svchost.exe
c:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Netdeploy\Usage Agent\mgsusageag.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINNT\system32\mqsvc.exe
c:\Program Files\Softricity\SoftGrid for Windows Desktops\sftlist.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\WINNT\system32\mqtgsvc.exe
c:\Program Files\Citrix\ICA Client\ssonsvr.exe
c:\Program Files\Softricity\SoftGrid for Windows Desktops\sftdcc.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Netdeploy\Schedule Agent\ndtask.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\RightFax\FaxCtrl.exe
C:\Program Files\Altiris\AClient\AClntUsr.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: LexLink IE ToolBar - {CBAA6F21-985C-11D4-A02B-00B0D073E889} - c:\Program Files\LexisNexis\CheckCite\llieobj.dll
O4 - HKLM\..\Run: [SchedulingAgent_nDG] "c:\Program Files\Netdeploy\Schedule Agent\ndschedag.exe" -o RunNDStartup=True -o Startup=True
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\\FaxCtrl.exe
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll (file missing)
O15 - Trusted Zone: *.debit
O15 - Trusted Zone: *.debit2
O15 - Trusted Zone: http://*.DesktopMgmt
O15 - Trusted Zone: *.nydebiis01
O15 - Trusted Zone: *.nyiis01
O15 - Trusted Zone: *.webiis
O15 - Trusted Zone: *.westlaw.com
O15 - Trusted Zone: *.debit (HKLM)
O15 - Trusted Zone: *.debit2 (HKLM)
O15 - Trusted Zone: http://*.DesktopMgmt (HKLM)
O15 - Trusted Zone: http://*.einvoice (HKLM)
O15 - Trusted Zone: *.nydebiis01 (HKLM)
O15 - Trusted Zone: *.nyiis01 (HKLM)
O15 - Trusted Zone: *.webiis (HKLM)
O15 - Trusted Zone: *.westlaw.com (HKLM)
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.kumudam.com/wfplayer/tdserver.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136389700814
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = deb.net
O17 - HKLM\Software\..\Telephony: DomainName = deb.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = deb.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = deb.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = deb.net
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - c:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: pcdocs - {EDC110E5-4CFB-4FEE-813A-BF796297030E} - c:\Program Files\DocsOpen\Progs396\perclnt2\PwDMoniker.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - c:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
O23 - Service: AppSense Application Manager Agent - AppSense Technologies - c:\Program Files\AppSense Technologies\Application Manager Agent\ASAgent.exe
O23 - Service: AppSense Auditing Agent - AppSense Technologies - c:\Program Files\AppSense Technologies\Auditing Agent\AUAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Insight Local Alerter (CPQALERT) - Hewlett-Packard Company - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - c:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINNT\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINNT\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBOID.EXE
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINNT\system32\IcdSptSv.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: ManageSoft installation agent (ndGlobalLauncher) - ManageSoft Corp - c:\Program Files\Netdeploy\Launcher\ndserv.exe
O23 - Service: ManageSoft managed device (ndinit) - ManageSoft Corp - c:\Program Files\Netdeploy\Schedule Agent\ndinit.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SoftGrid Client (sftlist) - Softricity, Inc. - c:\Program Files\Softricity\SoftGrid for Windows Desktops\sftlist.exe
O23 - Service: SoftGrid Virtual Services Manager (sftvsm) - Unknown owner - c:\Program Files\Softricity\SoftGrid for Windows Desktops\sftvsm.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - c:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
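A HijackThis log like the one above is a flat list of O-numbered entries, and the first pass a helper does by eye can be scripted. The Python below is an added example and is not part of this thread or HijackThis's own code; its sample lines are copied in shape from the log above, and the allowlist of hosts from which ActiveX controls may be downloaded is an assumption for the example. It flags entries marked "(file missing)" (registrations pointing at nothing, which are either leftovers or something that was removed), O16 ActiveX controls fetched from a host outside the allowlist or with no source URL at all, O15 Trusted Zone additions and O6 Internet Explorer policy entries. Flagged does not mean malicious: a corporate build legitimately adds intranet hosts to the Trusted Zone and sets IE policies, as the deb.net entries here suggest, so each item is a question to answer against what the machine is supposed to have.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.99.1 line format; every entry is copied
# in shape from the log above, so no new hosts or CLSIDs are introduced.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll (file missing)
O15 - Trusted Zone: *.westlaw.com (HKLM)
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.kumudam.com/wfplayer/tdserver.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136389700814
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = deb.net
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<code>O\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://\S+")

# Assumed allowlist of hosts from which ActiveX controls (O16 DPF) may be
# downloaded; a real environment extends this with its own vendors.
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com")


def parse_hjt(text):
    """Split a HijackThis log into (section code, body) pairs; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def dpf_host(body):
    """Hostname of the CAB download URL in an O16 body, or None when there is none."""
    m = URL_RE.search(body)
    return urlparse(m.group(0)).hostname if m else None


def is_trusted_host(host):
    """Exact or subdomain match against the allowlist (so 'evilmicrosoft.com' does not pass)."""
    return any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS)


def triage(entries):
    """Bucket entries that need a human decision, keyed by the reason they were flagged."""
    findings = defaultdict(list)
    for code, body in entries:
        if body.endswith("(file missing)"):
            findings["file_missing"].append((code, body))  # dangling registration
        if code == "O16":
            host = dpf_host(body)
            if host is None:
                findings["dpf_no_url"].append(body)         # control with no source URL
            elif not is_trusted_host(host):
                findings["dpf_untrusted_host"].append(host)
        elif code == "O15":
            findings["trusted_zone"].append(body)            # relaxed IE security zone
        elif code == "O6":
            findings["ie_policy"].append(body)               # IE restriction policy present
    return dict(findings)


if __name__ == "__main__":
    for reason, items in triage(parse_hjt(SAMPLE_HJT)).items():
        print(reason)
        for item in items:
            print("   ", item)
```

Run it over a whole log by replacing SAMPLE_HJT with the file contents; the buckets are a worklist, and each item is closed by either recognising it as part of the standard build or tracing the file, CLSID or host it names.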

#6 jenim

jenim
  • Topic Starter

  • Members
  • 46 posts
  • Local time:06:44 AM

Posted 03 July 2007 - 04:01 PM

Hi..
Thanks for helping me out..

I just noticed something after I ran the combofix.exe and it rebooted my machine.
The time display in the bottom right corner of my Windows XP has changed from displaying the time the regular way.
As I'm typing this, it is displaying the time as 17:01 instead of 5:01 PM as it did before.

I would like to know how to change it back to the way it was before.
I tried going to Control panel -> Date and Time. But it doesn't let me change the way the time displays with the AM and PM. The time itself is correct, it shows the EST, but it shows in the 17:00 hours format, instead of the 5:00 PM format.

Again, thanks for any input.

Edited by jenim, 03 July 2007 - 04:23 PM.


#7 jenim

jenim
  • Topic Starter

  • Members
  • 46 posts
  • Local time:06:44 AM

Posted 04 July 2007 - 12:14 AM

For my previous request regarding how to revert to the previous time/date set-up:
After some searching, I figured that out myself - it took me a while, but I'm sure for most of you Gurus, it's child's play ;-)
I had to do it via Control Panel -> Regional & Language Options - to change the way date and time displays in Windows.

Anyway, I'm waiting for someone to take a look at my "logs" to give me a final OK. Also, can someone tell me, after looking at my HJT logs, what malware or adware caused the annoying pop-ups to show all the time?
Thanks for helping.

#8 sjpritch25

sjpritch25

  • Security Colleague
  • 891 posts
  • Gender:Male
  • Location:West Coast of Florida, USA
  • Local time:06:44 AM

Posted 04 July 2007 - 11:01 PM

Glad that you got that last problem resolved!!!! :thumbsup: About the popups, you had a couple of adware programs that produce popups. However, one of them is pretty nasty and is hidden behind a rootkit.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 1.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windowsi586-p.exe to install the newest version.

=======================================

Now that your system is clean you should SET A NEW RESTORE POINT to prevent future reinfection from the old restore point AFTER cleaning your system of any malware infection. Any trojans or spyware you picked up could have been saved in System Restore and are waiting to re-infect you. Since System Restore is a protected directory, your tools can not access it to delete files, trapping viruses inside. Setting a new restore point should be done to prevent any future reinfection from the old restore point and enable your computer to "roll-back" in case there is a future problem.

To SET A NEW RESTORE POINT:
1. Go to Start > Programs > Accessories > System Tools and click "System Restore".
2. Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
3. Then go to Start > Run and type: Cleanmgr
4. Click "OK".
5. Click the "More Options" Tab.
6. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Graphics for doing this are in the following links if you need them.
How to Create a Restore Point.
How to use Cleanmgr.

======================================

Here is some useful information on keeping your computer clean:
  • Most important thing is to make sure Windows is kept up to date with the latest patches and updates from Windows Update.
  • If you don't have a Firewall installed, please choose from the following:
  • If you don't have a Anti-Virus installed, please download the following free program:
  • Here are two great Preventive programs:
    • SpywareBlaster protects you from malicious ActiveX controls and cookies. Make sure to check for updates twice a month.
    • IESpyads adds a long list of bad sites to your Restricted sites in Internet Explorer and protects against drive by downloads.
  • Surf Safe with McAfee's SiteAdvisor. SiteAdvisor will work with Internet Explorer and Mozilla Firefox. SiteAdvisor is a browser plugin that assigns a safety rating to domains listed in your search engine. SiteAdvisor uses the following color codes to indicate the safety level of each site.
    • Red for Warning
    • Yellow for Use Caution
    • Green for Safe
    • Grey for Unknown
    Here are the links to install SiteAdvisor in Internet Explorer and Firefox
  • Anti-Spyware Programs I Recommend:
  • For Even More Information On Securing Your Computer read Tony Klein's So How Did I Get Infected In The First Place

Microsoft MVP Consumer Security--2007-2010

#9 jenim

jenim
  • Topic Starter

  • Members
  • 46 posts
  • Local time:06:44 AM

Posted 06 July 2007 - 12:46 AM

Thank you.

I'm working on the last big section of your post on "how to keep the computer clean". It seems like I have to install a lot of stuff to make sure that my machine is not prone to spyware and such. I hope I can finish it in the next few days.

I do not see any more pop-ups, ever since I ran the ComboFix. Thank you!
Am I to assume that my computer is now clear of the things that you mentioned in the rootkit, after setting a new restore point and deleting the old one? Is there anything else that I need to do to completely get rid of the malware/spyware thingies?

I noticed in my C: drive there are a bunch of new folders after running ComboFix. Specifically, these:

C:\QooBox\Quarantine\C\WINNT\system32\drivers - In this folder I see these files:

core.cache.dsk.vir
core.sys.vir

wintiit32.exe.vir - in folder: C:\QooBox\Quarantine\C\WINNT\system32

In folder: C:\QooBox\Quarantine\C\WINNT, these files:
b122.exe.vir
b136.exe.vir
uninstall_nmon.vbs.vir
wr.txt.vir

The type of all these files is 'VIR'.
This causes a bit of a worry: are these the virus files? Are these still harmful, or could they become harmful at a later date?
Is it still safe to keep these in my C:\QooBox\Quarantine directory? Or should I be completely getting rid of these?

Someone please let me know. Thanks.

Edited by jenim, 06 July 2007 - 12:48 AM.


#10 jenim

jenim
  • Topic Starter

  • Members
  • 46 posts
  • Local time:06:44 AM

Posted 06 July 2007 - 12:53 AM

About the popups, you had a couple of adware programs that produce popups. However, one of them is pretty nasty and is hidden behind a rootkit.


Also, will you be able to tell me from my HJT and the other log that I posted which is the nasty adware program that is hidden behind the rootkit?
Did ComboFix actually get rid of the adware by itself!?

#11 sjpritch25

sjpritch25

  • Security Colleague
  • 891 posts
  • Gender:Male
  • Location:West Coast of Florida, USA
  • Local time:06:44 AM

Posted 06 July 2007 - 11:18 AM

Yes, it was all removed by ComboFix.

You can delete that folder C:\Qoobox
Microsoft MVP Consumer Security--2007-2010



