Annoying popups - help!


Post by guruofgentoo » June 10th, 2007, 3:00 pm

OK, I started getting popups every 10 minutes or so for free stuff, an eBay search for Apple iPod, and also some AV system care thing. It sounded like normal adware, so I ran Ad-Aware, Spybot S&D and SUPERAntiSpyware. That didn't help, so I ran a Trend Micro virus scan and TrojanHunter. Neither of them helped. Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:21:47 PM, on 6/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\wamp\apache2\bin\httpd.exe
c:\wamp\mysql\bin\mysqld-nt.exe
C:\wamp\apache2\bin\httpd.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Synergy\synergys.exe
C:\wamp\wampmanager.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Matt\Desktop\HiJackThis_v2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 193.224.189.2:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Synergy Server] "C:\Program Files\Synergy\synergys.exe" --no-daemon --debug WARNING --name MattLappy --address :24800
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: WampServer.lnk = C:\wamp\wampmanager.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1466282750
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D631086-5348-4120-8177-41889B8478AA}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{1D631086-5348-4120-8177-41889B8478AA}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS2\Services\Tcpip\..\{1D631086-5348-4120-8177-41889B8478AA}: NameServer = 208.67.222.222,208.67.220.220
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Apache Tomcat (Tomcat6) - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe

--
End of file - 4646 bytes


Also, I went ahead and ran Deckard's System Scanner; here are the logs:

Deckard's System Scanner v20070603.47
Run by Matt on 2007-06-10 at 14:29:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
41: 2007-06-10 18:29:52 UTC - RP87 - Deckard's System Scanner Restore Point
40: 2007-06-10 18:16:37 UTC - RP86 - Removed SUPERAntiSpyware Professional
39: 2007-06-10 09:07:43 UTC - RP85 - Software Distribution Service 2.0
38: 2007-06-10 06:20:18 UTC - RP84 - Installed SUPERAntiSpyware Professional
37: 2007-06-10 06:17:34 UTC - RP83 - Removed Ad-Aware 2007


-- First Restore Point --
1: 2007-05-02 18:24:05 UTC - RP47 - Removed Java 2 Runtime Environment, SE v1.4.2_14


Backed up registry hives.

Performed disk cleanup.


-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-06-10 14:31:40
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.5730.11)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\wamp\Apache2\bin\httpd.exe
C:\wamp\mysql\bin\mysqld-nt.exe
C:\wamp\Apache2\bin\httpd.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Synergy\synergys.exe
C:\wamp\wampmanager.exe
C:\Program Files\Apoint\ApntEx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Matt\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Synergy Server] "C:\Program Files\Synergy\synergys.exe" --no-daemon --debug WARNING --name MattLappy --address :24800
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: WampServer.lnk = C:\wamp\wampmanager.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1466282750
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{1D631086-5348-4120-8177-41889B8478AA}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: Apache Tomcat (Tomcat6) - Apache Software Foundation - "C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe" //RS//Tomcat6
O23 - Service: wampapache - Apache Software Foundation - "c:\wamp\apache2\bin\httpd.exe" -k runservice
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe --defaults-file=c:\wamp\mysql\my.ini wampmysqld


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 wampapache - "c:\wamp\apache2\bin\httpd.exe" -k runservice <Not Verified; Apache Software Foundation; Apache HTTP Server>
R2 wampmysqld - c:\wamp\mysql\bin\mysqld-nt.exe --defaults-file=c:\wamp\mysql\my.ini wampmysqld

S3 Tomcat6 (Apache Tomcat) - "c:\program files\apache software foundation\tomcat 6.0\bin\tomcat6.exe" //rs//tomcat6 <Not Verified; Apache Software Foundation; Service Runner>


-- Files created between 2007-05-10 and 2007-06-10 -----------------------------

2007-06-10 05:20:26 0 d-------- C:\WINDOWS\network diagnostic
2007-06-10 04:28:22 0 d-------- C:\Documents and Settings\Matt\.housecall6.6
2007-06-10 02:20:23 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-06-10 02:20:18 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-06-08 21:35:31 0 d-------- C:\Program Files\Synergy
2007-06-08 21:30:31 0 d-------- C:\Documents and Settings\Matt\Application Data\.purple
2007-06-08 21:30:14 0 d-------- C:\Program Files\Pidgin
2007-06-08 14:41:44 0 d-------- C:\Documents and Settings\Matt\Application Data\MySQL
2007-06-08 14:41:07 0 d-------- C:\Program Files\MySQL
2007-06-08 04:47:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-06-08 04:37:16 0 d-------- C:\VundoFix Backups
2007-06-08 02:05:24 0 d-------- C:\WINDOWS\pss
2007-06-07 20:39:14 0 d-------- C:\wamp
2007-06-07 20:23:29 0 d-------- C:\Program Files\FlashDevelop
2007-06-06 21:23:09 0 d-------- C:\Program Files\TVUPlayer
2007-06-06 15:17:34 0 d-------- C:\Program Files\SharpDevelop
2007-06-06 01:11:46 0 d-------- C:\Documents and Settings\Matt\Application Data\PCTV4Me
2007-06-06 01:11:46 0 d-------- C:\Documents and Settings\All Users\Application Data\PCTV4Me
2007-05-31 18:51:31 0 d-------- C:\Documents and Settings\Matt\Application Data\gtk-2.0
2007-05-30 17:42:57 0 d-------- C:\Program Files\wxFormBuilder
2007-05-30 14:27:09 0 d-------- C:\sourceforge
2007-05-29 18:07:45 10 --a------ C:\WINDOWS\system32\deposit.dll
2007-05-29 18:07:14 0 d-------- C:\WINDOWS\Downloaded Installations
2007-05-27 21:36:45 0 d-------- C:\Program Files\OpenLaszlo Server 4.0.2
2007-05-27 21:26:20 0 d-------- C:\Program Files\Apache Software Foundation
2007-05-22 15:42:51 0 d-------- C:\Documents and Settings\Matt\Application Data\Joost
2007-05-22 15:42:26 0 d-------- C:\Program Files\Joost
2007-05-14 01:30:13 0 d-------- C:\Documents and Settings\Matt\Application Data\dvdcss
2007-05-10 22:19:26 0 d-------- C:\Program Files\Risk


-- Find3M Report ---------------------------------------------------------------

2007-06-10 14:17:03 0 d-------- C:\Program Files\Mozilla Thunderbird
2007-06-10 02:17:47 0 d-------- C:\Program Files\Lavasoft
2007-06-10 02:12:07 0 d-------- C:\Program Files\Free Download Manager
2007-06-09 17:09:33 0 d-------- C:\Documents and Settings\Matt\Application Data\OpenOffice.org2
2007-06-08 21:30:31 0 d-------- C:\Documents and Settings\Matt\Application Data\.gaim
2007-06-06 01:35:04 0 d-------- C:\Program Files\GuitarFX 3
2007-06-06 01:34:29 0 d-------- C:\Program Files\Practiline Source Code Line Counter
2007-05-31 15:43:02 0 d-------- C:\Program Files\GIMP-2.0
2007-05-02 14:27:41 0 d-------- C:\Program Files\Java
2007-05-02 13:47:09 0 d-------- C:\Program Files\netbeans-5.5
2007-05-02 01:18:02 0 d-------- C:\Program Files\Common Files\InstallShield
2007-04-21 17:10:31 0 d-------- C:\Documents and Settings\Matt\Application Data\TVU Networks
2007-04-19 01:56:29 4679 --a------ C:\WINDOWS\mozver.dat
2007-04-19 01:56:27 0 d-------- C:\Program Files\DivX
2007-04-18 23:25:46 0 d-------- C:\Documents and Settings\Matt\Application Data\Google
2007-04-18 23:25:25 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-04-18 23:25:25 0 d-------- C:\Program Files\Google
2007-04-16 06:12:05 0 d-------- C:\Documents and Settings\Matt\Application Data\Free Download Manager
2007-04-14 14:16:53 0 d-------- C:\Program Files\ISTool
2007-04-14 14:16:53 0 d-------- C:\Documents and Settings\Matt\Application Data\ISTool
2007-04-14 14:11:39 0 d-------- C:\Program Files\HiSoft
2007-04-14 14:11:39 0 d-------- C:\Documents and Settings\Matt\Application Data\HiSoft
2007-04-12 16:18:47 0 d-------- C:\Program Files\Inno Setup 5
2007-04-10 00:14:26 0 d-------- C:\Program Files\Dell 720
2007-03-31 21:14:27 0 --a------ C:\WINDOWS\nsreg.dat
2007-03-31 21:02:31 0 -rahs---- C:\MSDOS.SYS
2007-03-31 21:02:31 0 -rahs---- C:\IO.SYS
2007-03-31 21:02:31 0 --a------ C:\CONFIG.SYS
2007-03-31 21:02:31 0 --a------ C:\AUTOEXEC.BAT
2007-03-31 20:57:54 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-03-31 15:46:00 62 --ahs---- C:\Documents and Settings\Matt\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"ofgmuueemd"="c:\\windows\\system32\\ofgmuueemd.exe ofgmuueemd"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Synergy Server"="\"C:\\Program Files\\Synergy\\synergys.exe\" --no-daemon --debug WARNING --name MattLappy --address :24800"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- End of Deckard's System Scanner: finished at 2007-06-10 at 14:32:11 ---------

Deckard's System Scanner v20070603.47
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) M processor 1.60GHz
Percentage of Memory in Use: 57%
Physical Memory (total/avail): 511.37 MiB / 217.7 MiB
Pagefile Memory (total/avail): 1502.49 MiB / 1203.54 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1949.25 MiB

C: is Fixed (NTFS) - 17.72 GiB total, 7.88 GiB free.
D: is CDROM (No Media)


-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.


[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"="C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe:*:Enabled:Veoh Client"
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"="C:\\Program Files\\TVUPlayer\\TVUPlayer.exe:*:Enabled:TVUPlayer Component"
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"="C:\\Program Files\\VideoLAN\\VLC\\vlc.exe:*:Enabled:VLC media player"
"C:\\Program Files\\Java\\j2sdk1.4.2_14\\bin\\java.exe"="C:\\Program Files\\Java\\j2sdk1.4.2_14\\bin\\java.exe:*:Enabled:java"
"C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"="C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe:*:Enabled:tvprunner"
"C:\\wamp\\Apache2\\bin\\httpd.exe"="C:\\wamp\\Apache2\\bin\\httpd.exe:*:Enabled:Apache HTTP Server"
"C:\\Program Files\\Synergy\\synergys.exe"="C:\\Program Files\\Synergy\\synergys.exe:*:Enabled:synergys"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Matt\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MATT-A6182FA0E7
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Matt
include=C:\Program Files\Microsoft Visual Studio\VC98\atl\include;C:\Program Files\Microsoft Visual Studio\VC98\mfc\include;C:\Program Files\Microsoft Visual Studio\VC98\include
JAVA_HOME="C:\Program Files\Java\jdk1.5.0_11"
lib=C:\Program Files\Microsoft Visual Studio\VC98\mfc\lib;C:\Program Files\Microsoft Visual Studio\VC98\lib
LOGONSERVER=\\MATT-A6182FA0E7
MSDevDir=C:\Program Files\Microsoft Visual Studio\Common\MSDev98
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\proj\MinGW\bin;C:\Program Files\Common Files\GTK\2.0\bin;C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin;C:\Program Files\Microsoft Visual Studio\Common\Tools;C:\Program Files\Microsoft Visual Studio\VC98\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Matt\LOCALS~1\Temp
TMP=C:\DOCUME~1\Matt\LOCALS~1\Temp
USERDOMAIN=MATT-A6182FA0E7
USERNAME=Matt
USERPROFILE=C:\Documents and Settings\Matt
windir=C:\WINDOWS
WXWIN=c:/proj/environment/wxWidgets-2.8.3


-- User Profiles ---------------------------------------------------------------

Matt (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
"GNU make 3.80.0" --> C:\proj\mingw\uninstall\unins000.exe
7-Zip 4.42 --> "C:\Program Files\7-Zip\Uninstall.exe"
Adobe Flash Player 9 --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A80000000002}
ALPS Touch Pad Driver --> C:\Program Files\Apoint\Uninstap.exe ADDREMOVE
Apache Tomcat 6.0 (remove only) --> "C:\Program Files\Apache Software Foundation\Tomcat 6.0\Uninstall.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
C++ Code Export 1.0 (Beta) --> "C:\Program Files\C++ Code Export\unins000.exe"
Conexant D110 MDC V.9x Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_24x6&SUBSYS_542214F1\HXFSETUP.EXE -U -Idel5422k.inf
Dell Photo Printer 720 --> C:\WINDOWS\system32\spool\drivers\w32x86\3\DLBCUN5C.EXE -dDell Photo Printer 720
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
FlashDevelop 2.0.2 --> C:\Program Files\FlashDevelop\Uninstall.exe
Free Download Manager 2.1 --> "C:\Program Files\Free Download Manager\unins000.exe"
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Google Updater --> "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
GTK+ 2.10.6-1 runtime environment --> "C:\Program Files\Common Files\GTK\2.0\setup\unins000.exe"
HijackThis 2.0.0 --> "C:\DOCUME~1\Matt\LOCALS~1\Temp\Temporary Directory 1 for HiJackThis_v2.zip\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Inno Script Generator version 1.0.2.5 --> "C:\Program Files\HiSoft\Inno Script Generator\Uninstall Information\unins000.exe"
Inno Setup version 5.1.11 --> "C:\Program Files\Inno Setup 5\unins000.exe"
ISTool 5.1.8.0 --> "C:\Program Files\ISTool\unins000.exe"
J2SE Development Kit 5.0 Update 11 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0150110}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
Java 2 Runtime Environment, SE v1.4.2_14 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142140}
Java 2 SDK, SE v1.4.2_14 --> MsiExec.exe /I{35A3A4F4-B792-11D6-A78A-00B0D0142140}
Joost (tm) 0.10.1 --> C:\Program Files\Joost\uninst.exe
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 6.0 Professional Edition --> "C:\Program Files\Microsoft Visual Studio\VC98\Setup\1033\Setup.exe"
Mozilla Firefox (2.0.0.3) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Firefox (2.0.0.4) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (1.5.0.12) --> C:\PROGRA~1\MOZILL~2\uninstall\uninstall.exe /ua "1.5.0.12 (en-US)"
MySQL Tools for 5.0 --> MsiExec.exe /I{EC561602-C0B9-4FAA-A175-1B3273639AC3}
NetBeans IDE 5.5 --> C:\Program Files\netbeans-5.5\_uninst\uninstaller.exe
OpenOffice.org 2.2 --> MsiExec.exe /I{65A27B19-3398-4B23-837C-7A9EA6A39F03}
Pidgin 2.0.1 (remove only) --> C:\Program Files\Pidgin\pidgin-uninst.exe
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
SharpDevelop 2.1 --> MsiExec.exe /I{91C56D33-EF7D-49DF-B168-6BCEB05F119F}
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Sun Download Manager 2.0 (web) --> C:\WINDOWS\system32\javaws.exe -uninstall "http://javadl-esd.sun.com/update/sdm20/sdm20.jnlp"
Synergy --> "C:\Program Files\Synergy\uninstall.exe"
The GIMP 2.2.14 --> "C:\Program Files\GIMP-2.0\unins000.exe"
TVUPlayer 2.3.0.0 --> C:\Program Files\TVUPlayer\uninst.exe
VideoLAN VLC media player 0.8.6a --> C:\Program Files\VideoLAN\VLC\uninstall.exe
WAMP5 1.7.2 --> c:\wamp\unins000.exe
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
wxFormBuilder 3.0.18 --> "C:\Program Files\wxFormBuilder\unins000.exe"
wxWidgets 2.8.3 --> "C:\proj\wxWidgets-2.8.3\unins000.exe"


-- End of Deckard's System Scanner: finished at 2007-06-10 at 14:32:11 ---------

Please help me find what I missed
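The DSS registry dump above lists an HKLM Run value (ofgmuueemd) that does not appear in any O4 line of the HijackThis log from the same machine, which is the classic sign of an autostart hidden from the normal API. This added example (not part of the original post or of either tool) cross-checks the two logs to surface such discrepancies, and also pulls out the user proxy and name-server settings worth verifying; the log excerpts are copied from the thread, the parsing helpers are assumptions of this example.

```python
"""Cross-check HijackThis O4 (Run) entries against a raw registry dump.

HijackThis enumerates the Run keys through the normal Windows API, so a
rootkit that hides its own value makes the entry vanish from the HJT log
while a separate dump (here, Deckard's System Scanner) still shows it.
Diffing the two surfaces the hidden autostart.
"""
import re

# Excerpt of the HijackThis log posted above (values copied from the thread).
HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 193.224.189.2:8080
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D631086-5348-4120-8177-41889B8478AA}: NameServer = 208.67.222.222,208.67.220.220
"""

# Excerpt of the DSS "Registry Dump" section posted above (.reg-style escaping).
REG_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"ofgmuueemd"="c:\\windows\\system32\\ofgmuueemd.exe ofgmuueemd"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

HIVE_ABBREV = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
R1_PROXY_RE = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (\S+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (\S+)$")
REG_SECTION_RE = re.compile(r"^\[(HKEY_[A-Z_]+)\\(.+)\]$")
REG_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"="((?:[^"\\]|\\.)*)"$')


def reg_unescape(s):
    """Undo .reg escaping: backslash-backslash and backslash-quote."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_hjt_run_entries(log):
    """Return {(hive, name.lower()): command} for every O4 line in an HJT log."""
    entries = {}
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, name, command = m.groups()
            entries[(hive, name.lower())] = command.strip()
    return entries


def parse_reg_run_entries(dump):
    """Return {(hive, name.lower()): command} for values under a ...\\Run key."""
    entries = {}
    hive = None
    for line in dump.splitlines():
        line = line.strip()
        sec = REG_SECTION_RE.match(line)
        if sec:
            hive = HIVE_ABBREV.get(sec.group(1))
            if not sec.group(2).lower().endswith(r"currentversion\run"):
                hive = None  # some other key: ignore its values
            continue
        val = REG_VALUE_RE.match(line)
        if val and hive:
            name, raw = val.groups()
            entries[(hive, reg_unescape(name).lower())] = reg_unescape(raw)
    return entries


def find_hidden_run_entries(hjt_log, reg_dump):
    """Run values present in the registry dump but absent from the HJT log."""
    seen = parse_hjt_run_entries(hjt_log)
    dumped = parse_reg_run_entries(reg_dump)
    return sorted((hive, name, cmd) for (hive, name), cmd in dumped.items()
                  if (hive, name) not in seen)


def find_proxy_server(hjt_log):
    """The HKCU ProxyServer value, if HJT reported one (None otherwise)."""
    for line in hjt_log.splitlines():
        m = R1_PROXY_RE.match(line.strip())
        if m:
            return m.group(1)
    return None


def find_nameservers(hjt_log):
    """All DNS servers from O17 lines, in log order."""
    servers = []
    for line in hjt_log.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers.extend(m.group(1).split(","))
    return servers


def report(hjt_log, reg_dump):
    """Human-readable findings a helper would want to verify with the user."""
    findings = []
    for hive, name, cmd in find_hidden_run_entries(hjt_log, reg_dump):
        findings.append(f"Run value hidden from HJT: {hive}\\...\\Run\\{name} = {cmd}")
    proxy = find_proxy_server(hjt_log)
    if proxy:
        findings.append(f"User proxy configured: {proxy} (confirm it was set deliberately)")
    return findings


if __name__ == "__main__":
    for finding in report(HJT_LOG, REG_DUMP):
        print(finding)
```

The O17 name servers are returned separately so a helper can check them against the resolvers the user expects; they are not flagged automatically.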

Post by amateur » June 10th, 2007, 4:30 pm

Hello and welcome to MR.

Please download Navilog1 by IL-MAFIOSO:

  • Extract its contents to the desktop.
  • Double click on navilog1.exe to install it on your computer.
  • When the installation is complete, the tool will start automatically.
  • If it doesn't start automatically, please double click on Navilog1 shortcut on your desktop to run it.
  • Press E for English from the language Menu.
  • Type 1 in the next Menu to select Search and press Enter.
  • Wait for the scan to finish (it may take a reasonable amount of time).
  • Press any key as requested.
  • A new document will be produced: fixnavi.txt.
  • Please copy/paste the contents of this report in your next reply.
The report is also saved in the root of the directory, "%SystemDrive%\fixnavi.txt". (usually C:\fixnavi.txt)

==============================

Please download ComboFix

Note: It is important that it is saved directly to your desktop.

Close all browsers.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log for you. Post that log in your next reply along with fixnavi.txt and a fresh HijackThis log.
  • Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.


P.S. You are using a Beta version of HijackThis. Please remove it via Add/Remove Program Files in Control Panel and delete its folder from the desktop.

You can get a complete installer that installs HijackThis to C:\Program Files\HijackThis, making an entry in the start menu and also providing a desktop shortcut from http://downloads.malwareremoval.com/HJTsetup.exe.

Click on the link and select Save, save it to your desktop and double click HJTsetup.exe.

Open HijackThis and select: Do a system scan and save a log file.

When the scan is finished, Click Edit> Select All> Edit> Copy> and paste its contents here.

Post by guruofgentoo » June 10th, 2007, 6:36 pm

Search Navipromo version 2.0.3 began on Sun 06/10/2007 at 16:40:18.75

!!! Warning, this report can can include legitimate files/programs!!!
!!! Post this report on the forum you are being helped !!!
!!! Don't run cleanning fix before special advise from the helper !!!

Fix running from C:\Program Files\navilog1
Updated the 08.06.2007 at 17h00 by IL-MAFIOSO

Done in normal mode

*** Search installed Sofwares ***




*** Search folders in C:\WINDOWS ***




*** Search folders in C:\Program Files ***




*** Search folders in C:\Documents and Settings\All Users\Application Data ***




*** Search folders in C:\Documents and Settings\Matt\Application Data ***



*** Search with BlackLight Engine/F-secure ***
BlackLight Engine is product from F-secure, for more infos :
http://www.f-secure.com/blacklight/blacklight_help.html

Hidden(s) file(s) in C:\WINDOWS\system32 :

c:\WINDOWS\system32\ofgmuueemd.dat
C:\windows\system32\ofgmuueemd.exe
c:\WINDOWS\system32\ofgmuueemd_nav.dat
c:\WINDOWS\system32\ofgmuueemd_navps.dat

Hidden(s) Process in C:\WINDOWS\system32 :

C:\windows\system32\ofgmuueemd.exe


*** Search files ***


C:\WINDOWS\pack.epk found !
C:\WINDOWS\system32\nvs2.inf found !


*** Search registry keys ***


Search in [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs]



Search in [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage]



Search Magic Control Key

HKEY_CURRENT_USER\Software\Lanconfig found !
HKEY_USERS\S-1-5-21-1454471165-1409082233-725345543-1003\Software\Lanconfig found !


*** Complementary Search ***
(Search specifics files)

1)Search known files:


2)Heuristic Search :
*
C:\WINDOWS\system32\ofgmuueemd.dat found !
**
C:\WINDOWS\system32\ofgmuueemd.dat found !
***
****
C:\WINDOWS\system32\ofgmuueemd_navps.dat found !
*****
******
*******
********
C:\WINDOWS\system32\ofgmuueemd.exe found !


*** Search Finished the Sun 06/10/2007 at 16:45:31.89 ***

The link you had to HijackThis was dead; I went to MajorGeeks website and downloaded that version. Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 16:50, on 2007-06-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\wamp\apache2\bin\httpd.exe
c:\wamp\mysql\bin\mysqld-nt.exe
C:\wamp\apache2\bin\httpd.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Synergy\synergys.exe
C:\wamp\wampmanager.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 193.224.189.2:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Synergy Server] "C:\Program Files\Synergy\synergys.exe" --no-daemon --debug WARNING --name MattLappy --address :24800
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: WampServer.lnk = C:\wamp\wampmanager.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1466282750
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D631086-5348-4120-8177-41889B8478AA}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{1D631086-5348-4120-8177-41889B8478AA}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS2\Services\Tcpip\..\{1D631086-5348-4120-8177-41889B8478AA}: NameServer = 208.67.222.222,208.67.220.220
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Apache Tomcat (Tomcat6) - Unknown owner - C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe" //RS//Tomcat6 (file missing)
O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\httpd.exe" -k runservice (file missing)
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe

And finally the ComboFix log:

ComboFix 07-06-11 - C:\Documents and Settings\Matt\Desktop\ComboFix.exe
"Matt" - 2007-06-10 18:31:36 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\nvs2.inf
C:\WINDOWS\system32\ofgmuueemd.dat
C:\WINDOWS\system32\ofgmuueemd.exe
C:\WINDOWS\system32\ofgmuueemd_nav.dat
C:\WINDOWS\system32\ofgmuueemd_navps.dat


((((((((((((((((((((((((( Files Created from 2007-05-10 to 2007-06-10 )))))))))))))))))))))))))))))))


2007-06-10 16:47 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-10 16:40 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-06-10 16:39 <DIR> d-------- C:\Program Files\Navilog1
2007-06-10 14:53 <DIR> d-------- C:\DOCUME~1\Matt\APPLIC~1\TrojanHunter
2007-06-10 14:37 <DIR> d-------- C:\Program Files\TrojanHunter 4.6
2007-06-10 14:25 <DIR> d-------- C:\Deckard
2007-06-10 05:20 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-06-10 04:28 <DIR> d-------- C:\DOCUME~1\Matt\.housecall6.6
2007-06-10 02:20 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-06-10 02:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-06-08 21:35 <DIR> d-------- C:\Program Files\Synergy
2007-06-08 21:30 <DIR> d-------- C:\Program Files\Pidgin
2007-06-08 21:30 <DIR> d-------- C:\DOCUME~1\Matt\APPLIC~1\.purple
2007-06-08 14:41 <DIR> d-------- C:\Program Files\MySQL
2007-06-08 14:41 <DIR> d-------- C:\DOCUME~1\Matt\APPLIC~1\MySQL
2007-06-08 04:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-08 04:37 <DIR> d-------- C:\VundoFix Backups
2007-06-08 02:05 <DIR> d-------- C:\WINDOWS\pss
2007-06-07 20:39 <DIR> d-------- C:\wamp
2007-06-07 20:23 <DIR> d-------- C:\Program Files\FlashDevelop
2007-06-06 21:23 <DIR> d-------- C:\Program Files\TVUPlayer
2007-06-06 15:17 <DIR> d-------- C:\Program Files\SharpDevelop
2007-06-06 01:11 <DIR> d-------- C:\DOCUME~1\Matt\APPLIC~1\PCTV4Me
2007-06-06 01:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PCTV4Me
2007-05-31 18:51 <DIR> d-------- C:\DOCUME~1\Matt\APPLIC~1\gtk-2.0
2007-05-30 17:42 <DIR> d-------- C:\Program Files\wxFormBuilder
2007-05-30 14:27 <DIR> d-------- C:\sourceforge
2007-05-29 18:07 10 --a------ C:\WINDOWS\system32\deposit.dll
2007-05-29 18:07 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-05-27 21:36 <DIR> d-------- C:\Program Files\OpenLaszlo Server 4.0.2
2007-05-27 21:26 <DIR> d-------- C:\Program Files\Apache Software Foundation
2007-05-22 15:42 <DIR> d-------- C:\Program Files\Joost
2007-05-22 15:42 <DIR> d-------- C:\DOCUME~1\Matt\APPLIC~1\Joost
2007-05-14 01:30 <DIR> d-------- C:\DOCUME~1\Matt\APPLIC~1\dvdcss
2007-05-10 22:19 <DIR> d-------- C:\Program Files\Risk


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-10 19:30:42 -------- d-----w C:\DOCUME~1\Matt\APPLIC~1\OpenOffice.org2
2007-06-10 18:17:03 -------- d-----w C:\Program Files\Mozilla Thunderbird
2007-06-10 06:17:47 -------- d-----w C:\Program Files\Lavasoft
2007-06-10 06:12:07 -------- d-----w C:\Program Files\Free Download Manager
2007-06-09 01:33:24 -------- d-----w C:\DOCUME~1\Matt\APPLIC~1\.purple
2007-06-09 01:30:31 -------- d-----w C:\DOCUME~1\Matt\APPLIC~1\.gaim
2007-06-06 05:35:04 -------- d-----w C:\Program Files\GuitarFX 3
2007-06-06 05:34:29 -------- d-----w C:\Program Files\Practiline Source Code Line Counter
2007-05-31 19:43:02 -------- d-----w C:\Program Files\GIMP-2.0
2007-05-02 17:47:09 -------- d-----w C:\Program Files\netbeans-5.5
2007-05-02 05:18:02 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-04-21 21:10:31 -------- d-----w C:\DOCUME~1\Matt\APPLIC~1\TVU Networks
2007-04-19 05:56:29 4,679 ----a-w C:\WINDOWS\mozver.dat
2007-04-19 05:56:27 -------- d-----w C:\Program Files\DivX
2007-04-19 03:25:46 -------- d-----w C:\DOCUME~1\Matt\APPLIC~1\Google
2007-04-19 03:25:25 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-19 03:25:25 -------- d-----w C:\Program Files\Google
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 10:12:05 -------- d-----w C:\DOCUME~1\Matt\APPLIC~1\Free Download Manager
2007-04-14 18:16:53 -------- d-----w C:\Program Files\ISTool
2007-04-14 18:16:53 -------- d-----w C:\DOCUME~1\Matt\APPLIC~1\ISTool
2007-04-14 18:11:39 -------- d-----w C:\Program Files\HiSoft
2007-04-14 18:11:39 -------- d-----w C:\DOCUME~1\Matt\APPLIC~1\HiSoft
2007-04-12 20:18:47 -------- d-----w C:\Program Files\Inno Setup 5
2007-04-10 04:14:26 -------- d-----w C:\Program Files\Dell 720
2007-04-01 01:14:27 0 ----a-w C:\WINDOWS\nsreg.dat
2007-04-01 01:02:31 0 --sha-r C:\MSDOS.SYS
2007-04-01 01:02:31 0 --sha-r C:\IO.SYS
2007-04-01 01:02:31 0 ----a-w C:\CONFIG.SYS
2007-04-01 01:02:31 0 ----a-w C:\AUTOEXEC.BAT
2007-04-01 00:57:54 21,640 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll [2006-12-15 04:23]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 17:33]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 04:23]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"Synergy Server"="C:\Program Files\Synergy\synergys.exe" [2006-04-02 16:20]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2005-12-17 13:09]


**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-10 18:34:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\wampmysqld]
"ImagePath"="c:\wamp\mysql\bin\mysqld-nt.exe --defaults-file=c:\wamp\mysql\my.ini wampmysqld"

Completion time: 2007-06-10 18:34:40
C:\ComboFix-quarantined-files.txt ... 2007-06-10 18:34

--- E O F ---
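As an added example (not part of the thread, and not HijackThis's or ComboFix's own code), a small Python triage script that parses HijackThis-style entry lines like the ones in the log above and surfaces the settings a helper would ask the poster to confirm: a configured browser proxy, the DNS resolvers on each adapter, services with no identified vendor, and entries whose target file is missing. The sample lines are constructed from the posted log; the script flags items for review and decides nothing about maliciousness.

```python
"""Triage helper for HijackThis-style log lines (added example, not a thread tool)."""
import re
from collections import defaultdict

# Constructed sample: a handful of lines modelled on the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 193.224.189.2:8080
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D631086-5348-4120-8177-41889B8478AA}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\httpd.exe" -k runservice (file missing)
"""

# Every HijackThis entry starts with a section code (R0..R3, F0..F3, O1..O24).
LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.+)$")


def parse_hjt(text):
    """Return a list of (section, body) tuples for every recognised entry line."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def triage(entries):
    """Group entries into review buckets for the helper reading the log.

    This surfaces settings that change where traffic goes or what runs at
    boot; whether each one is legitimate has to be confirmed with the user.
    """
    findings = defaultdict(list)
    for sec, body in entries:
        if sec == "R1" and "ProxyServer" in body:
            # A proxy the user never set up routes all browser traffic elsewhere.
            findings["proxy_to_confirm"].append(body.split("= ", 1)[1])
        elif sec == "O17":
            # Per-adapter DNS resolvers; verify they are the ones the user expects.
            findings["dns_to_confirm"].extend(body.split("= ", 1)[1].split(","))
        elif sec == "O23" and "Unknown owner" in body:
            # Service binary carries no recognised vendor information.
            name = body.split(" - ")[0].replace("Service: ", "")
            findings["unsigned_services"].append(name)
        if "(file missing)" in body:
            # Orphaned entry: the registry still points at a file that is gone.
            findings["stale_entries"].append(sec)
    return dict(findings)
```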

Unread postby amateur » June 10th, 2007, 10:47 pm

Hi,

You might like to print these instructions so that you'll have access to them later when you're in Safe Mode.

Please download Ccleaner and save it to your desktop.
Tutorial for CCleaner
During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it.

Run Ccleaner
  • Click on Options,
  • Select Advanced
  • Now UNCHECK "Only delete files in Windows Temp folders older than 48 hours"
  • Make sure the Cleaner block on the left is selected.
  • Do not use the "Issues" block. It's meant for professionals.
  • Choose the Windows tab.
  • Check everything EXCEPT Advanced part of the Menu.
  • Click on "Analyze". This process could take a while.
  • If you don't want to lose your login passwords to certain sites, click on Options
  • Select cookies and move the ones you want to keep to the "cookies to keep" section, by highlighting and using the arrows in the middle.
  • Choose Run Cleaner.
When CCleaner shows how much has been removed, cleaning is finished. Click Exit.
If you have more than one user, run CCleaner for every user.

========================================

Download and install AVG Anti-Spyware v7.5 Free version.
  • After download, double click on the file to launch the install process.
  • Choose a language, click "OK" and then click "Next".
  • Read the "License Agreement" and click "I Agree".
  • Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "Next", then click "Install".
  • After setup completes, click "Finish" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.
  • From the main screen, click on update, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful"), select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports", select "Do Not Automatically generate report after every scan".

Run AVG Anti-Spyware with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
  Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop.

=========================================

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u1.
  • Scroll down to where it says "The JSE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6.0 windows-i586-p.exe to install the newest version.


=========================================

Perform an online scan using Internet Explorer with Panda ActiveScan
  • Click on Image located at the bottom of the page.
  • A "pop up" window will appear. Please ensure that your pop up blocker doesn't block it
  • Enter your e-mail address, country, and state & click "Free Online Scan". The download of Panda's 8 MB ActiveX control will take place.
Begin the scan by selecting Image
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on Image then click Image and post back the contents please.
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.

==========================================

Please post back the results from AVG Anti-Spyware and Panda online scans, and a fresh HijackThis log. I believe you do not have the popups anymore, but please confirm.

Unread postby amateur » June 12th, 2007, 10:10 am

Hello,

There's still some work to be done with your system. So, please do not abandon the thread, and reply back with the requested logs. Thanks.

Unread postby guruofgentoo » June 12th, 2007, 10:55 pm

I will do so tomorrow; I had a project to complete on short notice.

Thanks.

Unread postby NonSuch » June 25th, 2007, 11:59 pm

This topic is now closed due to inactivity. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.