
Need assistance getting rid of pop-ups

Discussion in 'Virus & Other Malware Removal' started by jgrenie, Nov 2, 2009.

  1. jgrenie

    jgrenie Thread Starter

    Joined:
    Mar 10, 2008
    Messages:
    72
    Computer recently started having pop-ups. It is a Windows XP computer and the users use Mozilla as a web browser, not IE. However, IE is still installed on the computer.

    Recently, I have been getting pop-ups randomly, even when all applications are closed. I have downloaded the latest Ad-Aware program, run the scan several times and told the program to "Remove All". Pop-ups still are there. The program finds Win32.Adware.BHO along with some MyWebSearch and Cookie results.

    I have tried to uninstall the My Web Search Assist from Control Panel -> Add / Remove programs, but the uninstall fails.

    I downloaded and ran the HijackThis program and have the results of the log below:

    ===============================================================
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:23:39 PM, on 11/2/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16915)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Grenie's\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\WINDOWS\msa.exe
    C:\DOCUME~1\Grenie's\LOCALS~1\Temp\i.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
    O3 - Toolbar: Web Application - {81705D67-3F73-4983-859B-97D0922E5ABE} - C:\Program Files\NetProject\wamdl.dll (file missing)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
    O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [NI.UWA6P_0001_N822M1605] "C:\Documents and Settings\Grenie's\Local Settings\Temporary Internet Files\Content.IE5\C9O9ER4P\WinAntiVirusPro2006FreeInstall[1].exe" -nag
    O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
    O4 - HKLM\..\Run: [SNM] "C:\Program Files\SpyNoMore\SNM.exe" /startup
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MSKAGENTEXE] c:\PROGRA~1\mcafee\SPAMKI~1\mskagent.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Grenie's\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [PopRock] C:\DOCUME~1\Grenie's\LOCALS~1\Temp\i.exe
    O4 - HKCU\..\Run: [NordBull] C:\WINDOWS\msa.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZU
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
    O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll (file missing)
    O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.explorertool.net/redirect.php (file missing)
    O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.explorertool.net/redirect.php (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
    O22 - SharedTaskScheduler: armillifer - {e1adb94e-0dc6-487c-b274-981bee6301a1} - (no file)
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: getPlus(R) Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Inkjet Printer/Scanner Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    --
    End of file - 9733 bytes

    =========================================================

    Any help / recommendations would be appreciated.

    Thanks.
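A first-pass triage over HijackThis-style lines like the ones in the log above, written as an added example (it is not code from the thread, from HijackThis or from any tool mentioned here). It assumes only the line format shown in the log and a small, assumed allowlist of executables that legitimately live in the Windows folder; the sample lines are copied from the log posted above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a handful of lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NI.UWA6P_0001_N822M1605] "C:\Documents and Settings\Grenie's\Local Settings\Temporary Internet Files\Content.IE5\C9O9ER4P\WinAntiVirusPro2006FreeInstall[1].exe" -nag
O4 - HKCU\..\Run: [PopRock] C:\DOCUME~1\Grenie's\LOCALS~1\Temp\i.exe
O4 - HKCU\..\Run: [NordBull] C:\WINDOWS\msa.exe
O3 - Toolbar: Web Application - {81705D67-3F73-4983-859B-97D0922E5ABE} - C:\Program Files\NetProject\wamdl.dll (file missing)
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
O22 - SharedTaskScheduler: armillifer - {e1adb94e-0dc6-487c-b274-981bee6301a1} - (no file)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Every HijackThis line starts with a section code (O4, R3, O23, ...) followed by " - ".
LINE_RE = re.compile(r'^\s*(?P<sec>[A-Z]\d{1,2})\s+-\s+(?P<rest>.+?)\s*$')
# First Windows path in the line, quoted or not, ending in a binary-ish extension.
PATH_RE = re.compile(
    r'"?(?P<path>[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|pif|lnk|cab))(?=["\s]|$)', re.I)
# Assumed allowlist: executables that legitimately sit directly in %WINDIR% on XP.
KNOWN_WINDIR_EXES = {"explorer.exe", "notepad.exe", "regedit.exe"}


@dataclass
class Finding:
    section: str
    name: str
    path: Optional[str]
    orphan: bool                      # "(file missing)" / "(no file)" in the line
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Finding]:
    """Split one log line into section, display name, path and orphan flag."""
    m = LINE_RE.match(line)
    if not m:
        return None
    sec, rest = m.group("sec"), m.group("rest")
    bracket = re.search(r'\[([^\]]+)\]', rest) if sec == "O4" else None
    if bracket:
        name = bracket.group(1)                 # O4 lines carry the Run value name in [...]
    else:
        head = rest.split(" - ")[0]             # e.g. "Toolbar: Web Application"
        name = head.split(":", 1)[-1].strip()
    pm = PATH_RE.search(rest)
    path = pm.group("path") if pm else None
    orphan = "(file missing)" in rest or "(no file)" in rest
    return Finding(sec, name, path, orphan)


def assess(f: Finding) -> Finding:
    """Attach the traits a reviewer looks for first; an empty list means nothing stood out."""
    if f.orphan:
        f.reasons.append("registered component whose file is gone (leftover registration)")
    if f.path:
        p = f.path.lower()
        base = p.rsplit("\\", 1)[-1]
        if re.search(r'\\(temp|temporary internet files|content\.ie5)\\', p):
            f.reasons.append("launched from a temp or browser-cache folder")
        if re.fullmatch(r'[a-z]:\\windows\\[^\\]+\.exe', p) and base not in KNOWN_WINDIR_EXES:
            f.reasons.append("executable sits directly in the Windows folder, not system32")
        if re.fullmatch(r'[a-z0-9]\.exe', base):
            f.reasons.append("single-character executable name")
    return f


def triage(log_text: str) -> List[Finding]:
    """Return only the entries that earned at least one reason."""
    out: List[Finding] = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is not None and assess(f).reasons:
            out.append(f)
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.name:<28}{f.path or '-'}")
        for r in f.reasons:
            print(f"        -> {r}")
```

Entries with no reasons (the Java updater, the Symantec service) drop out; what remains is a shortlist to check, not a verdict.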
     
  2. sjpritch25

    sjpritch25 Malware Specialist

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Welcome to TSG :)

    Please download Malwarebytes' Anti-Malware from Here.

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy & Paste the entire report in your next reply.

    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    ====================================================


    We need to see some additional information about what is happening in your machine.
    Please perform the following scan:
    • Download DDS by sUBs from one of the following links. Save it to your desktop.
    • Double click on the DDS icon, allow it to run.
    • A small box will open, with an explanation about the tool.
    • When done, DDS will open two (2) logs
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop.
    • The instructions here ask you to attach the Attach.txt.
    • Instead of attaching, please copy/paste both logs into your next reply.
    • Close the program window, and delete the program from your desktop.
    Please note: You may have to disable any script protection running if the scan fails to run.
    After downloading the tool, disconnect from the internet and disable all antivirus protection.
    Run the scan, enable your A/V and reconnect to the internet.
    Information on A/V control HERE
     
  3. jgrenie

    jgrenie Thread Starter

    Joined:
    Mar 10, 2008
    Messages:
    72
    I downloaded and ran Malwarebytes' Anti-Malware. The log is pasted below:

    Malwarebytes' Anti-Malware 1.41
    Database version: 3143
    Windows 5.1.2600 Service Pack 3

    11/10/2009 6:48:48 PM
    mbam-log-2009-11-10 (18-48-48).txt

    Scan type: Quick Scan
    Objects scanned: 135607
    Time elapsed: 33 minute(s), 0 second(s)

    Memory Processes Infected: 2
    Memory Modules Infected: 0
    Registry Keys Infected: 25
    Registry Values Infected: 9
    Registry Data Items Infected: 0
    Folders Infected: 2
    Files Infected: 21

    Memory Processes Infected:
    C:\WINDOWS\msa.exe (Trojan.Downloader) -> Unloaded process successfully.
    C:\Documents and Settings\Grenie's\Local Settings\Temp\i.exe (Trojan.Downloader) -> Unloaded process successfully.

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\Interface\{2763e333-b168-41a0-a112-d35f96f410c0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{7473d292-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{81705d67-3f73-4983-859b-97d0922e5abe} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijacker) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{23ed2206-856d-461a-bbcf-1c2466ac5ae3} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{81705d67-3f73-4983-859b-97d0922e5abe} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8bd4438c-2511-4b93-ad34-2bdcd0ff78d2} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2eff3cf7-99c1-4c29-bc2b-68e057e22340} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\video add-on setup (Trojan.Zlob) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-f3embed (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\multimediaControls.chl (Trojan.Zlob) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.TryMedia) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Service (Trojan.Zlob) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MultiMedia Software (Trojan.Zlob) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Secure Browsing (Trojan.Zlob) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Web Application (Trojan.Zlob) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\poprock (Trojan.Downloader) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nordbull (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{81705d67-3f73-4983-859b-97d0922e5abe} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{81705d67-3f73-4983-859b-97d0922e5abe} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{e1adb94e-0dc6-487c-b274-981bee6301a1} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ADP (Rogue.Multiple) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\poprock (Trojan.Downloader) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Program Files\Online Add-on (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Program Files\Video Add-on Setup (Trojan.Zlob) -> Quarantined and deleted successfully.

    Files Infected:
    C:\WINDOWS\msa.exe (Trojan.Downloader) -> Delete on reboot.
    C:\Documents and Settings\Grenie's\Local Settings\Temp\i.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Grenie's\Local Settings\Temp\a.exe (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Grenie's\Local Settings\Temp\e.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Grenie's\Local Settings\Temp\0.9583258894483817.exe (Malware.Packer) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Grenie's\Local Settings\Temp\g.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Grenie's\Local Settings\Temp\c.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Grenie's\Local Settings\Temp\jar_cache58026.tmp (Malware.Packer) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Grenie's\Local Settings\Temporary Internet Files\Content.IE5\1OM4V9SH\Inst_305s5[1].exe (Rogue.AlphaAV) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Grenie's\Local Settings\Temporary Internet Files\Content.IE5\1ZON2P0J\Inst_305s5[1].exe (Rogue.AlphaAV) -> Quarantined and deleted successfully.
    C:\Program Files\Online Add-on\ot.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Program Files\Online Add-on\Thumbs.db (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Program Files\Online Add-on\ts.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Program Files\Video Add-on Setup\ot.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Program Files\Video Add-on Setup\Thumbs.db (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Program Files\Video Add-on Setup\ts.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Program Files\Video Add-on Setup\uninst.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Grenie's\Favorites\Online Security Test.url (Rogue.Link) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Grenie's\Local Settings\Temp\laf1.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

    ================================================

    I then downloaded and ran the DDS. The logs are pasted below:

    DDS.txt

    DDS (Ver_09-10-26.01) - NTFSx86
    Run by Grenie's at 20:45:33.14 on Tue 11/10/2009
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_15
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.100 [GMT -6:00]

    AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Grenie's\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    G:\Mom & Dad\dds.pif

    ============== Pseudo HJT Report ===============

    uStart Page = about:blank
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = iexplore
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
    EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [MSKAGENTEXE] c:\progra~1\mcafee\spamki~1\mskagent.exe
    uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    uRun: [Google Update] "c:\documents and settings\grenie's\local settings\application data\google\update\GoogleUpdate.exe" /c
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [IntelMeM] "c:\program files\intel\modem event monitor\IntelMEM.exe"
    mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
    mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
    mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"
    mRun: [RealTray] "c:\program files\real\realplayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
    mRun: [igfxtray] c:\windows\system32\igfxtray.exe
    mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
    mRun: [igfxpers] c:\windows\system32\igfxpers.exe
    mRun: [NI.UWA6P_0001_N822M1605] "c:\documents and settings\grenie's\local settings\temporary internet files\content.ie5\c9o9er4p\WinAntiVirusPro2006FreeInstall[1].exe" -nag
    mRun: [mmtask] "c:\program files\musicmatch\musicmatch jukebox\mmtask.exe"
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
    mRun: [Microsoft Works Update Detection] "c:\program files\common files\microsoft shared\works shared\WkUFind.exe"
    mRun: [SNM] "c:\program files\spynomore\SNM.exe" /startup
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
    mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
    mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    StartupFolder: c:\documents and settings\grenie's\start menu\programs\startup\PowerReg Scheduler V3.exe
    StartupFolder: c:\documents and settings\grenie's\start menu\programs\startup\PowerReg Scheduler.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
    uPolicies-explorer: NoThemesTab = 0 (0x0)
    IE: &Search
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
    IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {F4430FE8-2638-42e5-B849-800749B94EED} - c:\program files\partygaming.net\partypokernet\RunPF.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
    DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Notify: igfxcui - igfxdev.dll
    Notify: NavLogon - c:\windows\system32\NavLogon.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: CShellExecuteHookImpl Object: {57b86673-276a-48b2-bae7-c6dbb3020eb8} - c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll
    SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\grenie's\applic~1\mozilla\firefox\profiles\gnqhh4js.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Search
    FF - prefs.js: browser.startup.homepage - hxxp://host.madison.com/
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    ============= SERVICES / DRIVERS ===============

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-2 64288]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-10-20 102448]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1179232]
    S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\nos\bin\getplus_helpersvc.exe --> c:\program files\nos\bin\getPlus_HelperSvc.exe [?]
    S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-10-24 116416]

    =============== Created Last 30 ================

    2009-11-11 00:14:22 0 d-----w- c:\docume~1\grenie's\applic~1\Malwarebytes
    2009-11-11 00:14:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-11-11 00:14:09 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-11-11 00:14:09 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-11-11 00:14:08 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-11-05 15:33:25 54156 ---ha-w- c:\windows\QTFont.qfn
    2009-11-05 15:33:25 1409 ----a-w- c:\windows\QTFont.for
    2009-11-02 21:23:10 0 d-----w- c:\program files\Trend Micro
    2009-11-02 17:52:43 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2009-11-02 16:38:10 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2009-11-02 16:37:21 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2009-11-02 16:29:30 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
    2009-10-26 10:30:59 0 d-sh--w- C:\found.000
    2009-10-24 16:17:25 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-10-19 19:47:37 63 ----a-w- c:\windows\STRINGS.INI
    2009-10-19 19:47:09 345600 ----a-r- c:\windows\system\QTIM32.DLL
    2009-10-19 19:46:52 678 ----a-w- c:\windows\WININI.QTW
    2009-10-19 19:46:52 306 ----a-w- c:\windows\QTW.INI
    2009-10-19 19:46:52 231 ----a-w- c:\windows\SYSINI.QTW
    2009-10-19 19:46:05 30 ----a-w- c:\windows\RESULT.QTW
    2009-10-19 19:45:40 43800 ----a-w- c:\windows\system32\BAUEFUIB.TTF
    2009-10-19 19:45:40 1409 ----a-w- c:\windows\system32\BAUEFUIB.FOT
    2009-10-19 19:45:37 0 ----a-w- c:\windows\MADCCS.INI
    2009-10-19 19:45:37 0 ----a-w- c:\windows\MADCCF.INI
    2009-10-19 19:45:27 0 d-----w- C:\CWONDERS

    ==================== Find3M ====================

    2009-10-29 17:22:30 41150 ----a-w- c:\docume~1\grenie's\applic~1\wklnhst.dat
    2009-10-21 04:08:54 3598336 ------w- c:\windows\system32\dllcache\mshtml.dll
    2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
    2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
    2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
    2009-08-28 10:28:59 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
    2009-08-28 10:28:59 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
    2009-08-27 05:18:44 634648 ------w- c:\windows\system32\dllcache\iexplore.exe
    2009-08-27 05:18:41 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
    2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
    2009-08-26 08:00:21 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
    2009-08-13 15:16:05 512000 ------w- c:\windows\system32\dllcache\jscript.dll
    2008-06-11 20:24:04 0 ----a-w- c:\program files\temp01
    2008-10-28 11:53:39 16384 --sha-w- c:\windows\system32\config\systemprofile\cookies\index.dat
    2008-10-28 11:53:32 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102820081029\index.dat
    2008-10-28 11:53:39 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

    ============= FINISH: 20:46:07.75 ===============

    Attach.txt will be second post ... too long for one reply!
     
  4. jgrenie (Thread Starter)
    Attach.txt below:


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-10-26.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 3/12/2005 5:45:28 PM
    System Uptime: 11/10/2009 6:50:59 PM (2 hours ago)

    Motherboard: Dell Inc. | | 0M3918
    Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Microprocessor | 2793/800mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 70 GiB total, 48.228 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    F: is CDROM (CDFS)
    G: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP1555: 7/24/2009 11:37:30 AM - System Checkpoint
    RP1556: 7/25/2009 11:38:34 AM - System Checkpoint
    RP1557: 7/26/2009 1:00:14 PM - System Checkpoint
    RP1558: 7/27/2009 1:38:32 PM - System Checkpoint
    RP1559: 7/31/2009 3:38:24 PM - System Checkpoint
    RP1560: 8/1/2009 3:00:19 AM - Software Distribution Service 3.0
    RP1561: 8/2/2009 3:11:45 AM - System Checkpoint
    RP1562: 8/3/2009 4:11:44 AM - System Checkpoint
    RP1563: 8/4/2009 5:11:45 AM - System Checkpoint
    RP1564: 8/5/2009 6:39:38 AM - System Checkpoint
    RP1565: 8/6/2009 7:12:47 AM - System Checkpoint
    RP1566: 8/7/2009 8:44:09 AM - System Checkpoint
    RP1567: 8/7/2009 1:50:17 PM - Installed RollerCoaster Tycoon 2
    RP1568: 8/7/2009 1:59:09 PM - Installed RollerCoaster Tycoon 2
    RP1569: 8/8/2009 3:04:02 PM - System Checkpoint
    RP1570: 8/9/2009 3:44:38 PM - System Checkpoint
    RP1571: 8/10/2009 4:43:35 PM - System Checkpoint
    RP1572: 8/11/2009 5:28:08 PM - System Checkpoint
    RP1573: 8/12/2009 6:04:14 PM - System Checkpoint
    RP1574: 8/13/2009 7:04:12 PM - System Checkpoint
    RP1575: 8/14/2009 3:00:17 AM - Software Distribution Service 3.0
    RP1576: 8/15/2009 3:13:54 AM - System Checkpoint
    RP1577: 8/16/2009 4:13:54 AM - System Checkpoint
    RP1578: 8/17/2009 5:13:55 AM - System Checkpoint
    RP1579: 8/18/2009 5:25:54 AM - System Checkpoint
    RP1580: 8/19/2009 7:13:55 AM - System Checkpoint
    RP1581: 8/20/2009 7:22:49 AM - System Checkpoint
    RP1582: 8/21/2009 9:25:55 AM - System Checkpoint
    RP1583: 8/22/2009 9:32:55 AM - System Checkpoint
    RP1584: 8/23/2009 11:34:43 AM - System Checkpoint
    RP1585: 8/24/2009 12:14:46 PM - System Checkpoint
    RP1586: 8/25/2009 2:05:24 PM - System Checkpoint
    RP1587: 8/26/2009 3:25:43 PM - System Checkpoint
    RP1588: 8/27/2009 3:00:19 AM - Software Distribution Service 3.0
    RP1589: 8/28/2009 4:49:42 AM - System Checkpoint
    RP1590: 8/29/2009 5:13:26 AM - System Checkpoint
    RP1591: 8/30/2009 6:13:27 AM - System Checkpoint
    RP1592: 8/31/2009 8:01:28 AM - System Checkpoint
    RP1593: 9/1/2009 8:22:02 AM - System Checkpoint
    RP1594: 9/2/2009 8:37:27 AM - System Checkpoint
    RP1595: 9/3/2009 10:25:28 AM - System Checkpoint
    RP1596: 9/4/2009 10:37:29 AM - System Checkpoint
    RP1597: 9/5/2009 11:01:12 AM - System Checkpoint
    RP1598: 9/6/2009 1:57:23 PM - System Checkpoint
    RP1599: 9/7/2009 2:12:27 PM - System Checkpoint
    RP1600: 9/8/2009 3:48:14 PM - System Checkpoint
    RP1601: 9/9/2009 4:36:38 PM - System Checkpoint
    RP1602: 9/10/2009 3:00:16 AM - Software Distribution Service 3.0
    RP1603: 9/11/2009 4:08:55 AM - System Checkpoint
    RP1604: 9/12/2009 4:32:40 AM - System Checkpoint
    RP1605: 9/13/2009 5:32:41 AM - System Checkpoint
    RP1606: 9/14/2009 5:41:52 AM - System Checkpoint
    RP1607: 9/15/2009 7:08:47 AM - System Checkpoint
    RP1608: 9/16/2009 7:52:51 AM - System Checkpoint
    RP1609: 9/17/2009 8:49:09 AM - System Checkpoint
    RP1610: 9/18/2009 10:05:53 AM - System Checkpoint
    RP1611: 9/19/2009 10:53:48 AM - System Checkpoint
    RP1612: 9/21/2009 8:37:40 AM - System Checkpoint
    RP1613: 9/22/2009 9:16:25 AM - System Checkpoint
    RP1614: 9/23/2009 9:18:58 AM - System Checkpoint
    RP1615: 9/24/2009 9:23:35 AM - System Checkpoint
    RP1616: 9/25/2009 11:16:26 AM - System Checkpoint
    RP1617: 9/26/2009 11:17:31 AM - System Checkpoint
    RP1618: 9/27/2009 12:16:25 PM - System Checkpoint
    RP1619: 9/28/2009 12:49:31 PM - System Checkpoint
    RP1620: 9/29/2009 2:13:32 PM - System Checkpoint
    RP1621: 9/30/2009 3:13:31 PM - System Checkpoint
    RP1622: 10/1/2009 3:14:36 PM - System Checkpoint
    RP1623: 10/2/2009 4:19:47 PM - System Checkpoint
    RP1624: 10/3/2009 4:22:07 PM - System Checkpoint
    RP1625: 10/4/2009 6:25:31 PM - System Checkpoint
    RP1626: 10/5/2009 7:49:00 PM - System Checkpoint
    RP1627: 10/6/2009 9:13:00 PM - System Checkpoint
    RP1628: 10/7/2009 9:22:01 PM - System Checkpoint
    RP1629: 10/8/2009 9:49:01 PM - System Checkpoint
    RP1630: 10/9/2009 10:49:01 PM - System Checkpoint
    RP1631: 10/17/2009 8:52:06 PM - System Checkpoint
    RP1632: 10/18/2009 3:00:17 AM - Software Distribution Service 3.0
    RP1633: 10/19/2009 3:14:42 AM - System Checkpoint
    RP1634: 10/20/2009 4:50:44 AM - System Checkpoint
    RP1635: 10/21/2009 5:50:43 AM - System Checkpoint
    RP1636: 10/24/2009 11:16:09 AM - Installed Java(TM) 6 Update 15
    RP1637: 10/24/2009 11:18:20 AM - Installed Java Runtime Environment
    RP1638: 10/25/2009 5:47:02 AM - Removed Kodak EasyShare printer dock
    RP1639: 10/25/2009 5:52:41 AM - Removed Musicmatch for Windows Media Player
    RP1640: 11/4/2009 4:00:30 AM - Software Distribution Service 3.0

    ==== Installed Programs ======================

    Acrobat.com
    Ad-Aware
    Adobe Acrobat Reader 3.01
    Adobe AIR
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.1.3
    AVG Anti-Spyware 7.5
    Ballistik
    Banctec Service Agreement
    Bejeweled 2 Deluxe 1.0
    Canon Camera Access Library
    Canon Camera Support Core Library
    Canon Camera WIA Driver
    Canon Camera Window DC_DV 5 for ZoomBrowser EX
    Canon Camera Window DC_DV 6 for ZoomBrowser EX
    Canon Camera Window MC 6 for ZoomBrowser EX
    Canon EOS Kiss REBEL 300D WIA Driver
    Canon G.726 WMP-Decoder
    Canon IJ Network Scan Utility
    Canon IJ Network Tool
    Canon MovieEdit Task for ZoomBrowser EX
    Canon MP Navigator EX 2.0
    Canon MP620 series MP Drivers
    Canon MP620 series User Registration
    Canon RAW Image Task for ZoomBrowser EX
    Canon RemoteCapture Task for ZoomBrowser EX
    Canon Utilities Easy-PhotoPrint EX
    Canon Utilities EOS Utility
    Canon Utilities My Printer
    Canon Utilities PhotoStitch
    Canon Utilities Solution Menu
    Canon Utilities ZoomBrowser EX
    Capture-A-ScreenShot
    Compatibility Pack for the 2007 Office system
    Cook'n Recipe Organizer
    Critical Update for Windows Media Player 11 (KB959772)
    Dell Digital Jukebox Driver
    Dell Driver Reset Tool
    Dell Media Experience
    Dell Media Experience Update
    Dell System Restore
    DellSupport
    Fisher-Price 1-2-3's
    getPlus(R) for Adobe
    Google Chrome
    HijackThis 2.0.2
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB970653-v3)
    Hoyle Classic Games
    IBM & Crayola Magic Princess
    Inkjet Printer/Scanner Extended Survey Program
    Intel(R) 537EP V9x DF PCI Modem
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PRO Network Adapters and Drivers
    Intel(R) PROSet for Wired Connections
    Internet Explorer Default Page
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 2
    J2SE Runtime Environment 5.0 Update 4
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Jasc Paint Shop Photo Album
    Jasc Paint Shop Pro 8 Dell Edition
    Java 2 Runtime Environment, SE v1.4.2_03
    Java(TM) 6 Update 15
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Java(TM) SE Runtime Environment 6 Update 1
    LiveUpdate 3.1 (Symantec Corporation)
    Macromedia Flash Player
    Macromedia Flash Player 8
    Macromedia Shockwave Player
    Madeline Rainy Day Activities
    Malwarebytes' Anti-Malware
    Microsoft Encarta Encyclopedia Standard 2004
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Money 2004
    Microsoft Money 2004 System Pack
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Professional Edition 2003
    Microsoft Picture It! Photo Premium 9
    Microsoft Plus! Digital Media Edition Installer
    Microsoft Plus! Photo Story 2 LE
    Microsoft Streets and Trips 2004
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Works
    Microsoft Works 2004 Setup Launcher
    Microsoft Works Suite Add-in for Microsoft Word
    Milton Bradley Classic Board Games
    Modem Event Monitor
    Modem Helper
    Modem On Hold
    Mozilla Firefox (3.0.15)
    MSN
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    Musicmatch® Jukebox
    My Way Search Assistant
    OpenOffice.org Installer 1.0
    Photo Click
    Poker Superstars
    PokerStars
    PowerDVD 5.3
    Public Messenger ver 2.03
    QuickBooks Simple Start Special Edition
    QuickTime
    QuickTime 3.0
    Reader Rabbit's Preschool
    Reader Rabbit's Toddler
    RealPlayer Basic
    Roll
    Security Toolbar
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 7 (KB974455)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Shockwave
    Sierra Utilities
    Sonic DLA
    Sonic Update Manager
    Symantec AntiVirus
    Update for Windows Internet Explorer 7 (KB976749)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB973815)
    Viewpoint Media Player
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Media Format 11 runtime
    Windows Media Player 10
    Windows Media Player 11
    Windows XP Service Pack 3
    Yahtzee

    ==== End Of File ===========================

    Please review and advise of the next steps.
    Thanks.
     
  5. sjpritch25 (Malware Specialist)
    Please download the OTM.exe by OldTimer.
    • Save it to your desktop.
    • Please double-click OTM.exe to run it.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :files
      C:\WINDOWS\system32\zwebauth.dll
      c:\documents and settings\grenie's\local settings\temporary internet files\content.ie5
      c:\documents and settings\grenie's\start menu\programs\startup\PowerReg Scheduler V3.exe
      c:\documents and settings\grenie's\start menu\programs\startup\PowerReg Scheduler.exe
      :reg
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "NI.UWA6P_0001_N822M1605"=-
      [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
      "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
      :commands
      [emptytemp]
    • Return to OTMoveIt3, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Click Ok to allow OTM to reboot your machine.
    • After reboot, a log file will appear. Copy the contents to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
    • Close OTM
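
The :reg section of the script above rewrites the SecurityProviders value, and it is worth understanding why that line matters more than the file deletions. Every DLL named in HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders is loaded into lsass.exe at boot as a security support provider, so the extra zwebauth.dll seen in the DDS log runs inside the process that handles logons and can see credentials. The following is an added example from the editor, not part of the thread and not OTM's code: it parses the value, reports anything outside the baseline, and shows what the cleaned value would be. The baseline is the four-DLL list the script restores, which is the Windows XP default; treat it as an assumption on any other Windows version, where the default list differs. The on-disk check assumes the standard system32 location.

```python
r"""Flag DLLs in the LSA SecurityProviders list that are not in a known baseline.

Added example, not part of the original thread. Every DLL named in
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders is
loaded into lsass.exe at boot as a security support provider, so an extra
entry (zwebauth.dll in the log above) runs inside the logon process. The
baseline is the list the OTM fix restores; it matches the Windows XP default
and is an assumption for any other Windows version.
"""
import os
import sys

XP_DEFAULT_PROVIDERS = ("msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll")
REG_KEY = r"SYSTEM\CurrentControlSet\Control\SecurityProviders"
REG_VALUE = "SecurityProviders"


def parse_providers(value):
    """Split the comma-separated REG_SZ value into lower-cased DLL names, dropping blanks."""
    return [p.strip().lower() for p in value.split(",") if p.strip()]


def find_unexpected(value, baseline=XP_DEFAULT_PROVIDERS):
    """Entries present in `value` but not in the baseline, in registry order."""
    known = {b.lower() for b in baseline}
    return [p for p in parse_providers(value) if p not in known]


def cleaned_value(value, baseline=XP_DEFAULT_PROVIDERS):
    """The value with unexpected entries removed, formatted the way the registry stores it."""
    known = {b.lower() for b in baseline}
    return ", ".join(p for p in parse_providers(value) if p in known)


def resolve(dlls, system32):
    """Which of the listed DLLs exist in the directory lsass.exe would load them from.
    An entry that exists on disk is live; one that does not is a dangling reference."""
    return {d: os.path.isfile(os.path.join(system32, d)) for d in dlls}


def read_live_value():
    """Read the current value from the registry on Windows; None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REG_KEY) as key:
        value, _ = winreg.QueryValueEx(key, REG_VALUE)
    return value


if __name__ == "__main__":
    # Sample input, taken from the DDS log in this thread, used when not on Windows.
    sample = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll"
    value = read_live_value() or sample
    extras = find_unexpected(value)
    if not extras:
        print("SecurityProviders matches the baseline.")
    else:
        system32 = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), "system32")
        for dll, present in resolve(extras, system32).items():
            state = "present on disk" if present else "not on disk"
            print("unexpected provider %s (%s)" % (dll, state))
        print("cleaned value:", cleaned_value(value))
```

Run it on the machine itself (it reads the live value on Windows and falls back to the logged value elsewhere). An unexpected DLL that is present on disk is the one to capture before deleting; an entry with no file behind it is a leftover that still deserves removal, because lsass.exe will try to load it on every boot. Rewriting the value is the same thing the OTM script does; after the reboot, re-run the check to confirm the value stayed clean.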
     
  6. jgrenie (Thread Starter)
    Had some issues with the computer where Windows wouldn't boot up. Had to repair Windows. I am starting over with a HijackThis log as the popups are still an issue.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:54:28 PM, on 12/22/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\msb.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\DOCUME~1\Grenie's\LOCALS~1\Temp\b.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
    O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [NI.UWA6P_0001_N822M1605] "C:\Documents and Settings\Grenie's\Local Settings\Temporary Internet Files\Content.IE5\C9O9ER4P\WinAntiVirusPro2006FreeInstall[1].exe" -nag
    O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
    O4 - HKLM\..\Run: [SNM] "C:\Program Files\SpyNoMore\SNM.exe" /startup
    O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [ctfmon] RUNDLL32.EXE C:\WINDOWS\system32\fgjk4wvb.dll,w
    O4 - HKLM\..\Run: [Ffozu] rundll32.exe "C:\WINDOWS\udunuhog.dll",Startup
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MSKAGENTEXE] c:\PROGRA~1\mcafee\SPAMKI~1\mskagent.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - HKCU\..\Run: [MailBlocker] C:\DOCUME~1\Grenie's\LOCALS~1\Temp\b.exe
    O4 - HKCU\..\Run: [Minisoft] C:\DOCUME~1\Grenie's\LOCALS~1\Temp\c.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
    O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: getPlus(R) Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Inkjet Printer/Scanner Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    --
    End of file - 8753 bytes
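
The log above carries the indicators a reviewer looks for first: a Run entry named ctfmon that actually has rundll32 load fgjk4wvb.dll, another rundll32 entry loading udunuhog.dll straight out of C:\WINDOWS, b.exe and c.exe launched from the user's Temp directory (and b.exe already running), msb.exe in the Windows root, and a leftover WinAntiVirusPro installer run from the IE cache. The script below is an added example from the editor, not part of the thread or of HijackThis: it walks a log and flags process paths and O4 Run entries on exactly those heuristics. SAMPLE_LOG is a constructed excerpt of the log posted above; the "genuine" path for ctfmon and the short allowlist of binaries that legitimately live in C:\WINDOWS are assumptions about a default XP install and should be extended for a real triage.

```python
r"""Triage the startup (O4 Run) entries and process list of a HijackThis log.

Added example, not part of the original thread. The checks are heuristics
picked from what this log shows: binaries launched from Temp or the IE cache,
a loader sitting directly in C:\WINDOWS, and a Run value that borrows the
name of a Windows component (ctfmon) while making rundll32 load a different
DLL. SAMPLE_LOG is a constructed excerpt of the log posted above; the
"genuine" paths and the Windows-root allowlist are assumptions about a
default XP install.
"""
import re

SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\msb.exe
C:\DOCUME~1\Grenie's\LOCALS~1\Temp\b.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NI.UWA6P_0001_N822M1605] "C:\Documents and Settings\Grenie's\Local Settings\Temporary Internet Files\Content.IE5\C9O9ER4P\WinAntiVirusPro2006FreeInstall[1].exe" -nag
O4 - HKLM\..\Run: [ctfmon] RUNDLL32.EXE C:\WINDOWS\system32\fgjk4wvb.dll,w
O4 - HKLM\..\Run: [Ffozu] rundll32.exe "C:\WINDOWS\udunuhog.dll",Startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MailBlocker] C:\DOCUME~1\Grenie's\LOCALS~1\Temp\b.exe
O4 - HKCU\..\Run: [Minisoft] C:\DOCUME~1\Grenie's\LOCALS~1\Temp\c.exe
"""

O4_RUN = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\", "\\content.ie5\\")
WINDOWS_ROOT = re.compile(r"^c:\\windows\\([^\\]+\.(?:exe|dll))$")
# Binaries that legitimately live in C:\WINDOWS itself on XP (assumption; extend as needed).
WINDOWS_ROOT_OK = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "winhlp32.exe"}
# Run value names that belong to Windows components, and the binary they should launch.
GENUINE = {"ctfmon": "\\windows\\system32\\ctfmon.exe"}


def target_of(cmd):
    """Best-effort: the file a Run command executes, or the DLL it has rundll32 load."""
    low = cmd.strip().lower()
    m = re.search(r'rundll32(?:\.exe)?\s+"?([^",]+?\.dll)', low)
    if m:
        return m.group(1)
    m = re.match(r'"([^"]+)"', low)
    if m:
        return m.group(1)
    m = re.match(r'(\S+?\.(?:exe|dll))', low)
    return m.group(1) if m else low


def path_reasons(path):
    """Why a file path deserves a look, whatever section of the log it came from."""
    low = path.lower()
    reasons = []
    if any(marker in low for marker in TEMP_MARKERS):
        reasons.append("runs from a temporary or browser-cache directory")
    m = WINDOWS_ROOT.match(low)
    if m and m.group(1) not in WINDOWS_ROOT_OK:
        reasons.append("sits directly in the Windows directory root")
    return reasons


def triage_run_line(line):
    """(name, target, reasons) for an O4 Run line; None if the line is not one."""
    m = O4_RUN.match(line.strip())
    if not m:
        return None
    name, target = m.group("name"), target_of(m.group("cmd"))
    reasons = path_reasons(target)
    key = re.sub(r"\.exe$", "", name.lower())
    if key in GENUINE and not target.endswith(GENUINE[key]):
        reasons.append("named like %s but runs %s" % (GENUINE[key], target))
    return name, target, reasons


def triage_log(text):
    """Walk the log once: process paths first, then O4 Run entries. Returns flagged items."""
    flagged, in_procs = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:  # a blank line closes the process list
                in_procs = False
                continue
            reasons = path_reasons(line)
            if reasons:
                flagged.append(("process", line, reasons))
            continue
        hit = triage_run_line(line)
        if hit and hit[2]:
            flagged.append(("run:" + hit[0], hit[1], hit[2]))
    return flagged


if __name__ == "__main__":
    for kind, what, reasons in triage_log(SAMPLE_LOG):
        print("%-30s %s" % (kind, what))
        for r in reasons:
            print("    - " + r)
```

On the sample it flags the two processes and five of the seven Run entries and leaves jusched.exe and the genuine HKCU ctfmon.exe alone. The name-borrowing check is the one worth keeping even if the path rules are tuned: a value called ctfmon that does not launch ctfmon.exe is wrong regardless of where the DLL lives.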
     
  7. sjpritch25 (Malware Specialist)
    Well, you're certainly still infected.


    Download Combofix from this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    **Note: It is important that it is saved directly to your desktop**

    --------------------------------------------------------------------

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


    --------------------------------------------------------------------

    Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     
  8. jgrenie (Thread Starter)
    I attempted twice to download combofix.exe and run it on the infected computer. Each time I got the following message and ComboFix would not run:

    !! ALERT !! It is NOT SAFE to continue!

    The contents of the ComboFix package has been compromised. Please download a fresh copy from:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Note: You may be infected with a file patching virus 'Virut'

    Please let me know the next steps to try.

    Thanks.
     
  9. sjpritch25

    sjpritch25 Malware Specialist

    Joined:
    Sep 8, 2005
    Messages:
    9,113
  10. jgrenie

    jgrenie Thread Starter

    Joined:
    Mar 10, 2008
    Messages:
    72
    Bummer. I read that blog and it doesn't sound too promising. I really don't want to have to attempt to wipe the Hard drive and reinstall everything. Do you know if I can do a Dell restore back to factory install and if that would work?

    I think I am going to attempt the suggestion in the blog of running Dr. Web's CureIt followed by the Norman Malware Cleaner.

    I would appreciate any other scripts/fixer programs you would send as well.

    Thanks.
     
  11. sjpritch25

    sjpritch25 Malware Specialist

    Joined:
    Sep 8, 2005
    Messages:
    9,113
  12. sjpritch25

    sjpritch25 Malware Specialist

    Joined:
    Sep 8, 2005
    Messages:
    9,113
  13. sjpritch25

    sjpritch25 Malware Specialist

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    When you do the Dell restore, you will lose all your installed programs except the ones that first came with the PC.
     
  14. jgrenie

    jgrenie Thread Starter

    Joined:
    Mar 10, 2008
    Messages:
    72
    I am aware that if I do the restore I will lose everything. I am just wondering if this will eliminate the viruses/trojans that exist on the computer or if I will still deal with them after that?

    Also, can you tell me how I can go about burning an .iso image onto a CD/DVD to run as a boot scanner as you suggested?

    Thanks for your assistance.
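    The two questions above (why a downloaded package gets refused as "compromised", and how to trust an .iso before burning it as a boot scanner) both come down to the same defender habit: compare the file you have on disk against the checksum the vendor published. The script below is an added example written for this thread, not ComboFix's own code and not the method ComboFix actually uses; the file name `rescue.iso`, the sample bytes and the single-byte "patch" are constructed for the demonstration. It streams the file through SHA-256, compares the result with a published hash, and shows that a single patched byte (the kind of in-place change a file-patching infector makes without altering file size) is enough to make the check fail.

```python
"""Added example: verifying that a downloaded tool or ISO image is intact.

Not ComboFix's own code; the file names, sample bytes and patch offset are
constructed for the demonstration.
"""
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a large ISO never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path, expected_sha256):
    """Return (ok, actual_hex); ok is True only if the file matches the published hash.

    The published hex string is normalised to lower case because vendors print
    it in either case, and compare_digest is used so the comparison does not
    leak timing information.
    """
    actual = sha256_of_file(path)
    ok = hmac.compare_digest(actual, expected_sha256.strip().lower())
    return ok, actual


def simulate_file_patch(path, offset=0x40, patch=b"\x90"):
    """Constructed helper: overwrite one byte in place, leaving the size unchanged.

    This stands in for what a file-patching infector does to an executable;
    it is only used here on our own throw-away sample file.
    """
    with open(path, "r+b") as fh:
        fh.seek(offset)
        fh.write(patch)


def demo():
    """Write a constructed 'download', record its hash, patch it, re-check.

    Returns (clean_ok, patched_ok): True for the pristine copy, False after the patch.
    """
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "rescue.iso")  # constructed file name
    with open(path, "wb") as fh:
        fh.write(b"MZ" + bytes(range(256)) * 8)  # constructed stand-in for a real image
    published = sha256_of_file(path)  # what the vendor's download page would list
    clean_ok, _ = verify_download(path, published.upper())  # upper case still matches
    simulate_file_patch(path)  # one byte changed, same size, same name
    patched_ok, _ = verify_download(path, published)
    os.remove(path)
    os.rmdir(tmpdir)
    return clean_ok, patched_ok


if __name__ == "__main__":
    clean, patched = demo()
    print("clean copy verifies:", clean)      # True
    print("patched copy verifies:", patched)  # False
```

    In practice you would call `verify_download("rescue.iso", "<hash from the vendor's page>")` on the downloaded image and only burn it when the result is True; if it is False, re-download from the vendor's site on a machine you trust rather than the infected one, since a file-patching virus can modify the copy after it lands on disk.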
     
  15. sjpritch25

    sjpritch25 Malware Specialist

    Joined:
    Sep 8, 2005
    Messages:
    9,113
Short URL to this thread: https://techguy.org/873917