1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Solved: WinAntiVirus 2007 got me again!

Discussion in 'Virus & Other Malware Removal' started by FireFoxy, Jul 27, 2007.

Thread Status:
Not open for further replies.
Advertisement
  1. FireFoxy

    FireFoxy Thread Starter

    Joined:
    Apr 27, 2007
    Messages:
    12
    Hi - I got another pop-up virus running on my PC where an ad pops in every 5-10 minutes. Below is my HijackThis log - any help is very much appreciated!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:53:48 AM, on 7/27/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    c:\program files\logitech\nulooq navigator\nulooqcore.exe
    C:\Program Files\Softex\OmniPass\Omniserv.exe
    C:\Program Files\Smith Micro\StuffIt11\ArcNameService.exe
    C:\WINNT\system32\Tablet.exe
    C:\Program Files\Softex\OmniPass\OPXPApp.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Softex\OmniPass\scureapp.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Logitech\NuLOOQ navigator\NuLOOQHelper.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Softex\OmniPass\Help.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Web Buying\v1.8.0\webbuying.exe
    C:\WINNT\system32\WTablet\TabUserW.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wnba.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O3 - Toolbar: File Print FedEx Kinko's - {9566395f-43d2-4c64-b525-b501ffa276e2} - mscoree.dll (file missing)
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [OmniPass] C:\Program Files\Softex\OmniPass\scureapp.exe
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [NuLOOQ Tray Helper] C:\Program Files\Logitech\NuLOOQ navigator\NuLOOQHelper.exe
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
    O4 - HKLM\..\Run: [{ZN}] C:\WINNT\TISKY009.exe SKY009
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\RunOnce: [RemoveInstallPath] cmd.exe C:\WINNT\system32\cmd.exe /c rmdir /S /Q "C:\PROGRA~1\WinPop" > nul
    O4 - Startup: TA_Start.lnk = C:\WINNT\TISKY009.exe
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINNT\system32\WTablet\TabUserW.exe
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://courtside.nba.com/qp2.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134946136281
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134946124562
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NuLOOQ Driver Core Module (NuLooqCore) - Logitech, Inc. - c:\program files\logitech\nulooq navigator\nulooqcore.exe
    O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Stuffit Archive Name Service - Smith Micro Software, Inc. - C:\Program Files\Smith Micro\StuffIt11\ArcNameService.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\system32\Tablet.exe

    --
    End of file - 8292 bytes
     
  2. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    NOTE: If you have downloaded ComboFix previously please delete that version and download it again!

    Download this file :

    http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
    or
    http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe

    Double click combofix.exe & follow the prompts.
    When finished, it shall produce a log for you. Post that log and a HiJack log in your next reply

    Note:
    Do not mouseclick combofix's window while its running. That may cause it to stall

    ====================
    Download Superantispyware (SAS) free home version

    http://www.superantispyware.com/superantispywarefreevspro.html

    Install it and double-click the icon on your desktop to run it.
    · It will ask if you want to update the program definitions, click Yes.
    · Under Configuration and Preferences, click the Preferences button.
    · Click the Scanning Control tab.
    · Under Scanner Options make sure the following are checked:
    o Close browsers before scanning
    o Scan for tracking cookies
    o Terminate memory threats before quarantining.
    o Please leave the others unchecked.
    o Click the Close button to leave the control center screen.
    · On the main screen, under Scan for Harmful Software click Scan your computer.
    · On the left check C:\Fixed Drive.
    · On the right, under Complete Scan, choose Perform Complete Scan.
    · Click Next to start the scan. Please be patient while it scans your computer.
    · After the scan is complete a summary box will appear. Click OK.
    · Make sure everything in the white box has a check next to it, then click Next.
    · It will quarantine what it found and if it asks if you want to reboot, click Yes.
    · To retrieve the removal information for me please do the following:
    o After reboot, double-click the SUPERAntispyware icon on your desktop.
    o Click Preferences. Click the Statistics/Logs tab.
    o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    o It will open in your default text editor (such as Notepad/Wordpad).
    o Please highlight everything in the notepad, then right-click and choose copy.
    · Click close and close again to exit the program.
    · Please paste that information here for me with a new HijackThis log.

    This will take some time!!!!!!!!
     
  3. FireFoxy

    FireFoxy Thread Starter

    Joined:
    Apr 27, 2007
    Messages:
    12
    Here's all the info - thanks for your help!

    "Administrator" - 2007-07-27 19:34:35 [GMT -7:00] - ComboFix 07-07-24 - Service Pack 2 NTFS


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
    C:\Program Files\Common Files\winantispyware 2007
    C:\Program Files\Common Files\winantispyware 2007\err.log
    C:\Program Files\Common Files\winantispyware 2007\uwas7cw.exe
    C:\Program Files\Common Files\winantispyware 2007\WAS7Mon.exe
    C:\Program Files\inetget2
    C:\Program Files\inetget2\popinstall.exe
    C:\Program Files\web buying
    C:\Program Files\web buying\v1.8.0\wbuninst.exe
    C:\Program Files\web buying\v1.8.0\webbuying.exe
    C:\WINNT\b122.exe
    C:\WINNT\dls0523pmw.exe
    C:\WINNT\offun.exe
    C:\WINNT\system32\b02FdUe
    C:\WINNT\system32\b02FdUe\b02FdUe1065.exe
    C:\WINNT\system32\drivers\fopn.sys
    C:\WINNT\system32\G1
    C:\WINNT\system32\G1\kmhp83122.exe
    C:\WINNT\system32\G11
    C:\WINNT\system32\G11\z553.exe
    C:\WINNT\system32\G3
    C:\WINNT\system32\G3\wr725.exe
    C:\WINNT\system32\G5
    C:\WINNT\system32\G5\tns2.exe
    C:\WINNT\system32\G7
    C:\WINNT\system32\G9
    C:\WINNT\system32\G9\wb720.exe
    C:\WINNT\system32\win
    C:\WINNT\TISKY009.exe
    C:\WINNT\wr.txt


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_FOPN


    ((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-28 )))))))))))))))))))))))))))))))


    2007-07-27 19:33 51,200 --a------ C:\WINNT\nircmd.exe
    2007-07-27 08:53 <DIR> d-------- C:\Program Files\Trend Micro
    2007-07-26 22:43 69,184 --a------ C:\WINNT\system32\fkirxles.dll
    2007-07-26 22:40 126,016 --a------ C:\WINNT\system32\afdgcgnt.dll
    2007-07-26 21:39 1,760,705 ---hs---- C:\WINNT\system32\xybeg.bak2
    2007-07-26 09:51 43,176 --a------ C:\WINNT\system32\drivers\aswTdi.sys
    2007-07-26 09:51 23,416 --a------ C:\WINNT\system32\drivers\aswRdr.sys
    2007-07-26 09:50 95,872 --a------ C:\WINNT\system32\AvastSS.scr
    2007-07-26 09:50 94,552 --a------ C:\WINNT\system32\drivers\aswmon2.sys
    2007-07-26 09:50 85,952 --a------ C:\WINNT\system32\drivers\aswmon.sys
    2007-07-26 09:50 745,600 --a------ C:\WINNT\system32\aswBoot.exe
    2007-07-26 09:50 26,888 --a------ C:\WINNT\system32\drivers\aavmker4.sys
    2007-07-26 09:50 <DIR> d-------- C:\Program Files\Alwil Software
    2007-07-26 09:39 6,467 ---hs---- C:\WINNT\system32\xybeg.bak1
    2007-07-26 09:39 228,960 --a------ C:\WINNT\system32\gebyx.dll
    2007-07-26 09:38 31,254 --a------ C:\WINNT\system32\ddcywtr.dll
    2007-07-26 09:34 31,254 --a------ C:\WINNT\system32\tuvvsrp.dll
    2007-07-26 09:34 31,254 --a------ C:\WINNT\system32\cbxxyaa.dll
    2007-07-26 09:34 171,520 --a------ C:\WINNT\system32\bmbvknv.dll
    2007-07-26 09:34 <DIR> d-------- C:\temp\brr
    2007-07-26 09:34 <DIR> d-------- C:\temp\0c2
    2007-07-18 16:42 <DIR> d-------- C:\Program Files\Smith Micro


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-07-28 02:41:59 17,383 ----a-w C:\WINNT\system32\tablet.dat
    2007-07-26 16:58:35 -------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-07-26 16:56:47 -------- d-----w C:\Program Files\Norton AntiVirus
    2007-07-20 20:25:50 -------- d-----w C:\Program Files\Mozilla Thunderbird
    2007-06-18 15:26:33 -------- d--h--w C:\Program Files\WindowsUpdate
    2007-05-28 01:09:18 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Thunderbird
    2007-05-16 15:12:02 683,520 ----a-w C:\WINNT\system32\inetcomm.dll
    2007-05-11 18:44:27 6,820 ----a-w C:\WINNT\system32\d3d9caps.dat


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3964D8D6-86D0-493A-B460-A805B5401114}]
    2007-07-26 09:34 31254 --a------ C:\WINNT\system32\tuvvsrp.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3970C9FB-864D-4F3A-9D7F-92995349CFBA}]
    2007-07-26 09:39 228960 --a------ C:\WINNT\system32\gebyx.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B00F157E-DB33-4108-94FE-BF5705207DC8}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{baefb5f7-81ea-4131-bd42-27fe61fe5511}]
    2007-07-26 09:34 171520 --a------ C:\WINNT\system32\bmbvknv.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF46BFB3-2ACC-441b-B82B-36B9562C7FF1}]
    2007-07-26 22:43 69184 --a------ C:\WINNT\system32\fkirxles.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "OmniPass"="C:\Program Files\Softex\OmniPass\scureapp.exe" [2004-08-20 19:24]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 06:03]
    "NuLOOQ Tray Helper"="C:\Program Files\Logitech\NuLOOQ navigator\NuLOOQHelper.exe" [2006-11-16 18:18]
    "Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46]
    "@"="" []
    "Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 17:40]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 08:42]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    TabUserW.exe.lnk - C:\WINNT\system32\WTablet\TabUserW.exe [2006-01-04 12:27:48]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{3964D8D6-86D0-493A-B460-A805B5401114}"= C:\WINNT\system32\tuvvsrp.dll [2007-07-26 09:34 31254]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebyx]
    C:\WINNT\system32\gebyx.dll 2007-07-26 09:39 228960 C:\WINNT\system32\gebyx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
    C:\Program Files\Softex\OmniPass\opxpgina.dll 2004-08-20 19:19 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvvsrp]
    tuvvsrp.dll 2007-07-26 09:34 31254 C:\WINNT\system32\tuvvsrp.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^HotSync Manager.lnk]
    path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\HotSync Manager.lnk
    backup=C:\WINNT\pss\HotSync Manager.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
    backup=C:\WINNT\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
    backup=C:\WINNT\pss\Adobe Gamma.lnkCommon Startup


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
    "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]
    C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
    Ati2mdxx.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    %systemroot%\system32\dumprep 0 -k

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryManager]
    rundll32.exe "C:\WINNT\system32\afdgcgnt.dll",forkonce

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\MSMSGS.EXE" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    C:\WINNT\System32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
    C:\WINNT\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]
    "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
    C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    "C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
    C:\Program Files\Web Buying\v1.8.0\webbuying.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebLink]
    C:\Program Files\Softex\Weblink\WebLink.exe /boot

    R0 iaStor;Intel Integrated RAID;C:\WINNT\system32\DRIVERS\iaStor.sys
    R0 PenClass;Pen Class;C:\WINNT\system32\drivers\PenClass.sys
    R1 Kbdclass;Keyboard Class Driver;C:\WINNT\system32\DRIVERS\kbdclass.sys
    R1 Mouclass;Mouse Class Driver;C:\WINNT\system32\DRIVERS\mouclass.sys
    R2 NuLooqCore;NuLOOQ Driver Core Module;"c:\program files\logitech\nulooq navigator\nulooqcore.exe"
    R2 Stuffit Archive Name Service;Stuffit Archive Name Service;"C:\Program Files\Smith Micro\StuffIt11\ArcNameService.exe"
    R3 E1000;Intel(R) PRO/1000 Adapter Driver;C:\WINNT\system32\DRIVERS\e1000325.sys
    R3 FLMCKUSB;AuthenTec TruePrint USB Driver (AES3400, AES3500, AES4000);C:\WINNT\system32\Drivers\FLMckUSB.sys
    R3 Gpc;Generic Packet Classifier;C:\WINNT\system32\DRIVERS\msgpc.sys
    R3 HidUsb;Microsoft HID Class Driver;C:\WINNT\system32\DRIVERS\hidusb.sys
    R3 sbpci;Sound Blaster AudioPCI 128D Driver (WDM);C:\WINNT\system32\drivers\sbpci.sys
    S3 E100B;Intel(R) PRO Adapter Driver;C:\WINNT\system32\DRIVERS\e100b325.sys
    S3 Ipsapsnsta;Ipsapsnsta;C:\WINNT\system32\asr_ldm.exe
    S3 PalmUSBD;PalmUSBD;C:\WINNT\system32\drivers\PalmUSBD.sys
    S3 SQLAgent$MICROSOFTBCM;SQLAgent$MICROSOFTBCM;C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE -i MICROSOFTBCM
    S3 TnIDriver;TnIDriver;\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tni126.tmp
    S3 usbprint;Microsoft USB PRINTER Class;C:\WINNT\system32\DRIVERS\usbprint.sys
    S4 ATMsrvc;ATM Service;C:\WINNT\System32\ATMsrvc.exe


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{540b0f94-1514-11dc-898d-001111768b60}]
    AutoRun\command- G:\wd_windows_tools\setup.exe


    Contents of the 'Scheduled Tasks' folder
    2005-12-18 22:58:09 C:\WINNT\tasks\Symantec NetDetect.job

    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-07-27 19:42:24
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-07-27 19:44:57 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-07-27 19:44

    --- E O F ---


    -----------------------------------

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 07/27/2007 at 08:28 PM

    Application Version : 3.9.1008

    Core Rules Database Version : 3275
    Trace Rules Database Version: 1286

    Scan type : Complete Scan
    Total Scan Time : 00:35:08

    Memory items scanned : 388
    Memory threats detected : 2
    Registry items scanned : 5678
    Registry threats detected : 21
    File items scanned : 47975
    File threats detected : 51

    Adware.Vundo Variant
    C:\WINNT\SYSTEM32\GEBYX.DLL
    C:\WINNT\SYSTEM32\GEBYX.DLL
    HKLM\Software\Classes\CLSID\{3964D8D6-86D0-493A-B460-A805B5401114}
    HKCR\CLSID\{3964D8D6-86D0-493A-B460-A805B5401114}
    HKCR\CLSID\{3964D8D6-86D0-493A-B460-A805B5401114}\InprocServer32
    HKCR\CLSID\{3964D8D6-86D0-493A-B460-A805B5401114}\InprocServer32#ThreadingModel
    HKLM\Software\Classes\CLSID\{3970C9FB-864D-4F3A-9D7F-92995349CFBA}
    HKCR\CLSID\{3970C9FB-864D-4F3A-9D7F-92995349CFBA}
    HKCR\CLSID\{3970C9FB-864D-4F3A-9D7F-92995349CFBA}\InprocServer32
    HKCR\CLSID\{3970C9FB-864D-4F3A-9D7F-92995349CFBA}\InprocServer32#ThreadingModel
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3964D8D6-86D0-493A-B460-A805B5401114}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3970C9FB-864D-4F3A-9D7F-92995349CFBA}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{3964D8D6-86D0-493A-B460-A805B5401114}
    Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\gebyx
    Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\tuvvsrp

    Adware.Vundo Variant/Resident
    C:\WINNT\SYSTEM32\TUVVSRP.DLL
    C:\WINNT\SYSTEM32\TUVVSRP.DLL

    Unclassified.Unknown Origin
    HKLM\Software\Classes\CLSID\{baefb5f7-81ea-4131-bd42-27fe61fe5511}
    HKCR\CLSID\{BAEFB5F7-81EA-4131-BD42-27FE61FE5511}
    HKCR\CLSID\{BAEFB5F7-81EA-4131-BD42-27FE61FE5511}\InprocServer32
    HKCR\CLSID\{BAEFB5F7-81EA-4131-BD42-27FE61FE5511}\InprocServer32#ThreadingModel
    C:\WINNT\SYSTEM32\BMBVKNV.DLL
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{baefb5f7-81ea-4131-bd42-27fe61fe5511}

    Adware.Tracking Cookie
    C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected]=0_[2].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected]thers.hitbox[2].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][3].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected]=0_[3].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt

    Trojan.Windows Overlay Components/SysMon
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OvMon
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OvMon#DisplayName
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OvMon#UninstallString



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:43:02 PM, on 7/27/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    c:\program files\logitech\nulooq navigator\nulooqcore.exe
    C:\Program Files\Softex\OmniPass\Omniserv.exe
    C:\Program Files\Smith Micro\StuffIt11\ArcNameService.exe
    C:\WINNT\system32\Tablet.exe
    C:\Program Files\Softex\OmniPass\OPXPApp.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Softex\OmniPass\scureapp.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Logitech\NuLOOQ navigator\NuLOOQHelper.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Softex\OmniPass\Help.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINNT\system32\WTablet\TabUserW.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wnba.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
    O2 - BHO: File Print FedEx Kinko's - {9566395F-43D2-4c64-B525-B501FFA276E2} - mscoree.dll (file missing)
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: (no name) - {B00F157E-DB33-4108-94FE-BF5705207DC8} - \
    O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\WINNT\system32\fkirxles.dll
    O3 - Toolbar: File Print FedEx Kinko's - {9566395f-43d2-4c64-b525-b501ffa276e2} - mscoree.dll (file missing)
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [OmniPass] C:\Program Files\Softex\OmniPass\scureapp.exe
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [NuLOOQ Tray Helper] C:\Program Files\Logitech\NuLOOQ navigator\NuLOOQHelper.exe
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINNT\system32\WTablet\TabUserW.exe
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://courtside.nba.com/qp2.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134946136281
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134946124562
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NuLOOQ Driver Core Module (NuLooqCore) - Logitech, Inc. - c:\program files\logitech\nulooq navigator\nulooqcore.exe
    O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Stuffit Archive Name Service - Smith Micro Software, Inc. - C:\Program Files\Smith Micro\StuffIt11\ArcNameService.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\system32\Tablet.exe

    --
    End of file - 8739 bytes
     
  4. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    You may want to print this or save it to notepad as we will go to safe mode.

    Fix these with HiJackThis – mark them, close IE, click fix checked

    O2 - BHO: File Print FedEx Kinko's - {9566395F-43D2-4c64-B525-B501FFA276E2} - mscoree.dll (file missing)

    O2 - BHO: (no name) - {B00F157E-DB33-4108-94FE-BF5705207DC8} - \

    O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\WINNT\system32\fkirxles.dll

    O3 - Toolbar: File Print FedEx Kinko's - {9566395f-43d2-4c64-b525-b501ffa276e2} - mscoree.dll (file missing)

    DownLoad http://www.downloads.subratam.org/KillBox.zip or
    http://www.thespykiller.co.uk/files/killbox.exe

    Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

    Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

    C:\WINNT\system32\fkirxles.dll


    Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

    START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

    Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

    Not all temp files will delete and that is normal
    Empty the recycle bin
    Boot and post a new hijack log from normal NOT safe mode



    How are things????????????
     
  5. FireFoxy

    FireFoxy Thread Starter

    Joined:
    Apr 27, 2007
    Messages:
    12
    The popups seem to be gone! Here's my report:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:05:50 AM, on 7/28/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    c:\program files\logitech\nulooq navigator\nulooqcore.exe
    C:\Program Files\Softex\OmniPass\Omniserv.exe
    C:\Program Files\Smith Micro\StuffIt11\ArcNameService.exe
    C:\WINNT\system32\Tablet.exe
    C:\Program Files\Softex\OmniPass\OPXPApp.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Softex\OmniPass\scureapp.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Logitech\NuLOOQ navigator\NuLOOQHelper.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINNT\system32\WTablet\TabUserW.exe
    C:\Program Files\Softex\OmniPass\Help.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\WINNT\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wnba.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [OmniPass] C:\Program Files\Softex\OmniPass\scureapp.exe
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [NuLOOQ Tray Helper] C:\Program Files\Logitech\NuLOOQ navigator\NuLOOQHelper.exe
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINNT\system32\WTablet\TabUserW.exe
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://courtside.nba.com/qp2.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134946136281
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134946124562
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NuLOOQ Driver Core Module (NuLooqCore) - Logitech, Inc. - c:\program files\logitech\nulooq navigator\nulooqcore.exe
    O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Stuffit Archive Name Service - Smith Micro Software, Inc. - C:\Program Files\Smith Micro\StuffIt11\ArcNameService.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\system32\Tablet.exe

    --
    End of file - 8331 bytes
     
  6. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
  7. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/601377

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice