Jump to content

Random Popups - logs attached


Recommended Posts

Hello. I've had multiple pop ups. I ran malware and sometimes it shows items, sometimes no but the popups are still there. It appears that my mcafee is not functioning. It looks ok until I click on it or try to run a scan, the window is just blank. Nothing there. I did dowload Avira and found several viruses at the beginning of the month. Malwarebytes didn't find anything this time and Avira only found one virus. Sigh

Malwarebytes' Anti-Malware 1.33

Database version: 1659

Windows 5.1.2600 Service Pack 3

1/17/2009 12:02:54 AM

mbam-log-2009-01-17 (00-02-54).txt

Scan type: Quick Scan

Objects scanned: 63640

Time elapsed: 17 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

-------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:08:20 AM, on 1/17/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18241)

Boot mode: Normal

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe

C:\WINNT\system32\hkcmd.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

C:\WINNT\system32\ctfmon.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINNT\system32\CTsvcCDA.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\Program Files\McAfee\VirusScan\McShield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe

C:\Program Files\Windows Live\Messenger\usnsvc.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://*.mcafee.com

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zone.msn.com/binary/Upwords.cab31267.cab

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab

O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB

O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - http://offers.e-centives.com/cif/download/bin/actxcab.cab

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab

O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by101fd.bay101.hotmail.msn.com/activex/HMAtchmt.ocx

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab28578.cab

O20 - AppInit_DLLs: C:\WINNT\system32\karna.dat c:\winnt\system32\gakemojo.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 12153 bytes

Link to post
Share on other sites

Please download combofix from This Webpage...and read through the instructions there for running the tool.

***Important Note***

Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

If you have Windows Vista, you can skip the recovery console step...in Vista it's in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.

The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please post back the following on your next reply:

C:\ComboFix.txt

New HijackThis log.

Link to post
Share on other sites

Hi. So sorry for the delay. I've attached combofix log first and hijack second. Thanks for your help!!!

ComboFix 09-01-21.04 - Owner 2009-01-22 23:34:25.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1271.862 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\temp\1cb

c:\temp\1cb\syscheck.log

c:\temp\FT62

c:\temp\FT62\teTU.log

c:\winnt\IE4 Error Log.txt

c:\winnt\system32\amurihuj.ini

c:\winnt\system32\ap

c:\winnt\system32\cooyiuc.dat

c:\winnt\system32\cooyiuc.exe

c:\winnt\system32\cooyiuc_nav.dat

c:\winnt\system32\cooyiuc_navps.dat

c:\winnt\system32\dPI19

c:\winnt\system32\hmzirayx_navtmp.dat

c:\winnt\system32\hpowiax7.dll

c:\winnt\system32\ikutujah.ini

c:\winnt\system32\TDSSmtve.dat

c:\winnt\system32\tim

c:\winnt\system32\tmp.reg

c:\winnt\system32\vd2

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_TDSSSERV.SYS

-------\Service_TDSSserv.sys

((((((((((((((((((((((((( Files Created from 2008-12-23 to 2009-01-23 )))))))))))))))))))))))))))))))

.

2009-01-13 05:52 . 2009-01-13 05:52 <DIR> d-------- c:\program files\Avira

2009-01-13 05:52 . 2009-01-13 05:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira

2009-01-12 19:53 . 2009-01-12 19:53 <DIR> d-------- c:\program files\Trend Micro

2009-01-10 13:56 . 2009-01-14 05:41 <DIR> d-------- c:\program files\RogueRemover FREE

2009-01-10 13:45 . 2009-01-10 13:44 33,846 --a------ c:\winnt\system32\SpoonUninstall-dBpoweramp Real Audio (Helix) Encoder.bmp

2009-01-10 13:45 . 2009-01-10 13:45 11,473 --a------ c:\winnt\system32\SpoonUninstall-dBpoweramp Real Audio (Helix) Encoder.dat

2009-01-10 13:44 . 2009-01-10 13:44 33,846 --a------ c:\winnt\system32\SpoonUninstall-dBpoweramp WavPack Codec.bmp

2009-01-10 13:44 . 2009-01-10 13:44 33,846 --a------ c:\winnt\system32\SpoonUninstall-dBpoweramp Ogg Vorbis Codec.bmp

2009-01-10 13:44 . 2009-01-10 13:44 33,846 --a------ c:\winnt\system32\SpoonUninstall-dBpoweramp mp3 (Fraunhofer IIS) Codec.bmp

2009-01-10 13:44 . 2009-01-10 13:46 33,846 --a------ c:\winnt\system32\SpoonUninstall-dBpoweramp Monkeys Audio Codec.bmp

2009-01-10 13:44 . 2009-01-10 13:44 33,846 --a------ c:\winnt\system32\SpoonUninstall-dBpoweramp Dalet Codec.bmp

2009-01-10 13:44 . 2009-01-10 13:44 3,153 --a------ c:\winnt\system32\SpoonUninstall-dBpoweramp mp3 (Fraunhofer IIS) Codec.dat

2009-01-10 13:44 . 2009-01-10 13:46 3,107 --a------ c:\winnt\system32\SpoonUninstall-dBpoweramp Monkeys Audio Codec.dat

2009-01-10 13:44 . 2009-01-10 13:44 3,065 --a------ c:\winnt\system32\SpoonUninstall-dBpoweramp Ogg Vorbis Codec.dat

2009-01-10 13:44 . 2009-01-10 13:44 3,008 --a------ c:\winnt\system32\SpoonUninstall-dBpoweramp WavPack Codec.dat

2009-01-10 13:44 . 2009-01-10 13:44 1,206 --a------ c:\winnt\system32\SpoonUninstall-dBpoweramp Dalet Codec.dat

2009-01-10 13:43 . 2009-01-10 13:46 33,846 --a------ c:\winnt\system32\SpoonUninstall-dBpoweramp FLAC Codec.bmp

2009-01-10 13:43 . 2009-01-10 13:46 33,846 --a------ c:\winnt\system32\SpoonUninstall-dBpoweramp [Calculate Audio CRC] Codec.bmp

2009-01-10 13:43 . 2009-01-10 13:46 2,987 --a------ c:\winnt\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat

2009-01-10 13:43 . 2009-01-10 13:46 2,843 --a------ c:\winnt\system32\SpoonUninstall-dBpoweramp [Calculate Audio CRC] Codec.dat

2009-01-10 13:29 . 2009-01-10 13:28 27,958 --a------ c:\winnt\system32\SpoonUninstall-dBpowerAMP Music Converter.bmp

2009-01-10 13:29 . 2009-01-10 13:29 17,871 --a------ c:\winnt\system32\SpoonUninstall-dBpowerAMP Music Converter.dat

2009-01-10 13:28 . 2009-01-10 13:28 <DIR> d-------- c:\documents and settings\Owner\Application Data\AccurateRip

2009-01-10 11:51 . 2009-01-10 13:38 33,846 --a------ c:\winnt\system32\SpoonUninstall-dBpoweramp DSP Effects.bmp

2009-01-10 11:51 . 2009-01-10 13:38 10,210 --a------ c:\winnt\system32\SpoonUninstall-dBpoweramp DSP Effects.dat

2009-01-03 14:47 . 2009-01-03 14:47 <DIR> d-------- c:\program files\Lavasoft

2009-01-03 14:47 . 2009-01-03 14:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft

2009-01-03 14:45 . 2009-01-03 14:45 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

2009-01-02 23:13 . 2009-01-02 23:15 <DIR> d-------- c:\documents and settings\Owner\Application Data\ArcSoft

2009-01-02 22:50 . 2009-01-02 22:51 <DIR> d-------- c:\documents and settings\Owner\Application Data\Nikon

2009-01-02 22:47 . 2009-01-02 22:47 <DIR> d-------- c:\program files\Nikon

2009-01-02 22:47 . 2009-01-02 22:51 <DIR> d-------- c:\program files\Common Files\Nikon

2009-01-02 22:47 . 2009-01-02 22:47 <DIR> d-------- c:\program files\Common Files\muvee Technologies

2009-01-02 22:47 . 2009-01-02 22:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Nikon

2009-01-02 22:46 . 2009-01-02 22:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Ultima_T15

2009-01-02 22:46 . 2009-01-02 22:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\EnterNHelp

2009-01-02 22:46 . 2009-01-02 22:51 20 ---h----- c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT

2008-12-31 05:07 . 2008-12-31 05:12 1,488 --a------ c:\winnt\system32\BIN_STRSBW.SPT

2008-12-27 16:27 . 2008-12-27 17:24 <DIR> d-------- c:\documents and settings\Owner\Application Data\Media Player Classic

2008-12-26 06:29 . 2009-01-22 23:36 <DIR> d-------- c:\documents and settings\Owner\Application Data\HPAppData

2008-12-26 02:11 . 2008-12-26 02:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\WEBREG

2008-12-26 02:09 . 2008-12-26 20:00 <DIR> d-------- c:\documents and settings\Owner\Application Data\HP

2008-12-26 02:06 . 2008-12-26 02:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Hewlett-Packard

2008-12-26 02:06 . 2007-10-20 18:25 118,272 --a------ c:\winnt\system32\hpz3l5mu.dll

2008-12-26 02:01 . 2008-12-26 02:01 <DIR> d-------- c:\program files\Hewlett-Packard

2008-12-26 02:01 . 2008-12-26 02:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP Product Assistant

2008-12-26 02:01 . 2009-01-04 14:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP

2008-12-26 02:00 . 2008-12-26 02:00 <DIR> d-------- c:\program files\Common Files\HP

2008-12-26 02:00 . 2008-12-26 02:00 <DIR> d-------- c:\program files\Common Files\Hewlett-Packard

2008-12-26 01:59 . 2008-12-26 02:08 <DIR> d-------- c:\program files\HP

2008-12-26 01:59 . 2007-10-22 02:45 581,632 --a------ c:\winnt\system32\hpotscl6.dll

2008-12-26 01:59 . 2007-10-30 19:25 372,736 --a------ c:\winnt\system32\hppldcoi.dll

2008-12-26 01:59 . 2007-10-30 19:25 309,760 --a------ c:\winnt\system32\difxapi.dll

2008-12-26 01:59 . 2007-10-22 02:45 303,104 --a------ c:\winnt\system32\hpovst15.dll

2008-12-26 01:59 . 2007-11-09 01:56 271,704 --a------ c:\winnt\system32\hpzids01.dll

2008-12-26 01:59 . 2007-10-30 19:25 49,920 --a------ c:\winnt\system32\drivers\HPZid412.sys

2008-12-26 01:59 . 2007-10-30 19:25 21,568 --a------ c:\winnt\system32\drivers\HPZius12.sys

2008-12-26 01:59 . 2007-10-30 19:25 16,496 --a------ c:\winnt\system32\drivers\HPZipr12.sys

2008-12-26 01:56 . 2008-12-26 02:09 157,452 --a------ c:\winnt\hpoins28.dat

2008-12-26 01:56 . 2007-12-13 12:59 932 --------- c:\winnt\hpomdl28.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-23 04:28 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee

2009-01-17 04:41 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-01-14 21:11 38,496 ----a-w c:\winnt\system32\drivers\mbamswissarmy.sys

2009-01-14 21:11 15,504 ----a-w c:\winnt\system32\drivers\mbam.sys

2009-01-14 11:01 --------- d-----w c:\program files\Windows Live

2009-01-14 10:59 --------- d--h--w c:\program files\InstallShield Installation Information

2009-01-14 10:58 --------- d-----w c:\program files\Creative

2009-01-10 19:37 --------- d-----w c:\documents and settings\Owner\Application Data\FrostWire

2009-01-10 18:52 --------- d-----w c:\program files\Free Video Converter

2008-12-31 10:06 --------- d-----w c:\documents and settings\Owner\Application Data\McAfee

2008-12-31 06:30 --------- d-----w c:\program files\FrostWire

2008-12-20 09:35 --------- d-----w c:\program files\Common Files\Adobe

2008-12-20 05:03 --------- d-----w c:\program files\PHM

2008-12-11 10:57 333,952 ----a-w c:\winnt\system32\drivers\srv.sys

2008-12-06 21:38 --------- d-----w c:\program files\Java

2008-11-30 01:25 --------- d-----w c:\program files\ThemeGenerator

2008-11-29 21:01 --------- d-----w c:\program files\Audible

2008-11-29 10:32 --------- d-----w c:\program files\CA Yahoo! Anti-Spy

2008-11-29 10:32 --------- d-----w c:\program files\AIM

2008-11-27 04:57 --------- d-----w c:\program files\Microsoft ActiveSync

2008-11-27 03:44 --------- d-----w c:\documents and settings\Owner\Application Data\Astraware

2005-06-22 05:37 45,568 -csha-r c:\winnt\system32\cygz.dll

2008-08-03 17:33 32,768 -csha-w c:\winnt\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008080320080804\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2008-04-13 15360]

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-06 136600]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-03 116040]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-09 289064]

"CTCheck"="c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe" [2007-11-06 397312]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"IgfxTray"="c:\winnt\system32\igfxtray.exe" [2005-01-23 155648]

"HotKeysCmds"="c:\winnt\system32\hkcmd.exe" [2005-01-23 126976]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]

"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]

"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

"CHotkey"="mHotkey.exe" [2002-01-07 c:\winnt\mHotkey.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

--a------ 2005-01-23 11:31 126976 c:\winnt\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

--a------ 2005-01-23 11:36 155648 c:\winnt\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]

-ra--c--- 2001-07-09 05:50 155648 c:\winnt\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-05-27 09:50 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

--a------ 2008-04-01 13:49 36352 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINNT\\system32\\rtcshare.exe"=

"c:\\Program Files\\NetMeeting\\conf.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\FrostWire\\FrostWire.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare Software\\bin\\EasyShare.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-05-17 24652]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]

\Shell\AutoRun\command - E:\start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{66b415f0-7f86-11dd-a417-000cf18d549f}]

\Shell\AutoRun\command - E:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ee56afba-77ae-11dd-a412-000cf18d549f}]

\Shell\AutoRun\command - E:\start.exe

.

Contents of the 'Scheduled Tasks' folder

2009-01-23 c:\winnt\Tasks\AE674AD09110FBE8.job

- c:\docume~1\owner\applic~1\nurbpr~1\Antecampmp3.exe []

2004-02-01 c:\winnt\Tasks\ISP signup reminder 1.job

- c:\winnt\System32\OOBE\oobebaln.exe [2008-04-13 19:12]

2004-02-09 c:\winnt\Tasks\ISP signup reminder 2.job

- c:\winnt\System32\OOBE\oobebaln.exe [2008-04-13 19:12]

2004-02-14 c:\winnt\Tasks\ISP signup reminder 3.job

- c:\winnt\System32\OOBE\oobebaln.exe [2008-04-13 19:12]

.

- - - - ORPHANS REMOVED - - - -

BHO-{912df4e1-29cf-4b0d-896b-e3589c1bd7e6} - (no file)

BHO-{9F915C11-80B1-0D85-C24D-E561E204ECDD} - (no file)

HKCU-Run-Aim6 - (no file)

HKLM-Run-cooyiuc - c:\winnt\system32\cooyiuc.exe

MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe

MSConfigStartUp-Desktop Weather 3 - c:\progra~1\THEWEA~1\THEWEA~1.EXE

MSConfigStartUp-Excite Private Messenger Pipe - c:\program files\Excite\PrvtMsgr\bin\x8IMPipe.exe

MSConfigStartUp-Gateway Ink Monitor - c:\program files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe

MSConfigStartUp-kuekifyrdzmf - c:\winnt\System32\kaqstl.exe

MSConfigStartUp-Microsoft Works Update Detection - c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

MSConfigStartUp-msnmsgr - c:\program files\MSN Messenger\MsnMsgr.Exe

MSConfigStartUp-NAV CfgWiz - c:\program files\Common Files\Symantec Shared\CfgWiz.exe

MSConfigStartUp-WildTangent CDA - c:\program files\WildTangent\Apps\CDA\cdaEngine0400.dll

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = iexplore

Trusted Zone: internet

Trusted Zone: mcafee.com

DPF: {94B82441-A413-4E43-8422-D49930E69764} - hxxps://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\1laoj3oa.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-amo&p=

FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-amo&p=

FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----

FF - user.js: general.useragent.extra.zencast - Creative ZENcast v2.00.13 .

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://*.mcafee.com

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zone.msn.com/binary/Upwords.cab31267.cab

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab

O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab

O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by101fd.bay101.hotmail.msn.com/activex/HMAtchmt.ocx

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab28578.cab

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\Program Files\McAfee\VirusScan\McShield.exe (file missing)

O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 9755 bytes

Link to post
Share on other sites

Do you use netmeeting?

Please uninstall these:

ViewPoint View Manager

Viewpoint Media Player

FrostWire

Click start-->Control Panel-->Add/Remove Programs...scroll down the list and locate the program names. Click Remove for each...then reboot when finished uninstalling.

Please open a blank Notepad by clicking start-->run

Then, in the run box type Notepad.exe and click "OK".

Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

Combofix will run again automatically. Please post back the new log that will be generated along with a fresh HijackThis log. Thanks!

File::

c:\winnt\system32\cygz.dll

c:\winnt\Tasks\AE674AD09110FBE8.job

c:\docume~1\owner\applic~1\nurbpr~1\Antecampmp3.exe

Folder::

c:\documents and settings\Owner\Application Data\FrostWire

c:\program files\FrostWire

Registry::

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\Program Files\FrostWire\FrostWire.exe"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{66b415f0-7f86-11dd-a417-000cf18d549f}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ee56afba-77ae-11dd-a412-000cf18d549f}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{04079851-5845-4dea-848C-3ECD647AA554}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

Link to post
Share on other sites

No, I do not use net meeting, but I do use frostwire. Is that a bad thing? Also, if I uninstall, can I put it back on in the future?

Do you use netmeeting?

Please uninstall these:

ViewPoint View Manager

Viewpoint Media Player

FrostWire

Click start-->Control Panel-->Add/Remove Programs...scroll down the list and locate the program names. Click Remove for each...then reboot when finished uninstalling.

Please open a blank Notepad by clicking start-->run

Then, in the run box type Notepad.exe and click "OK".

Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

Combofix will run again automatically. Please post back the new log that will be generated along with a fresh HijackThis log. Thanks!

File::

c:\winnt\system32\cygz.dll

c:\winnt\Tasks\AE674AD09110FBE8.job

c:\docume~1\owner\applic~1\nurbpr~1\Antecampmp3.exe

Folder::

c:\documents and settings\Owner\Application Data\FrostWire

c:\program files\FrostWire

Registry::

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\Program Files\FrostWire\FrostWire.exe"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{66b415f0-7f86-11dd-a417-000cf18d549f}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ee56afba-77ae-11dd-a412-000cf18d549f}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{04079851-5845-4dea-848C-3ECD647AA554}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

Link to post
Share on other sites

Okie dokie. I just looked at the article. Yikes. I have not been home in a few days but will uninstall this evening and post the new logs. Luckily I'm not having any more issues but am aware that items can still lurk. Thanks so much and i'll have those logs to you a little later.

Link to post
Share on other sites

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.