Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Popup ads even though I.E. is closed

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Popup ads even though I.E. is closed

Unread postby ckwr1 » October 28th, 2008, 10:14 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:12:10 PM, on 10/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\vVX3000.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\regsvr32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Trend Micro\HijackCheck\Hcheck.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: mysidesearch search enhancer - {4AC0DC2C-F31D-06B2-DD1F-F3172EBBB9C0} - C:\WINDOWS\system32\lqfynrjzngwr.dll
O2 - BHO: cpmsky browser enhancer - {9429DFE4-4DCD-791B-0E66-DF4EFD27CD56} - C:\WINDOWS\system32\rovoclpaymgjsodc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [HPHUPD08] "c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe"
O4 - HKLM\..\Run: [DISCover] "C:\Program Files\DISC\DISCover.exe"
O4 - HKLM\..\Run: [DiscUpdateManager] "C:\Program Files\DISC\DiscUpdMgr.exe"
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BrMfcWnd] "C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] "C:\Program Files\Brother\ControlCenter3\brctrcen.exe" /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [viwbheurjaydwc] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\rovoclpaymgjsodc.dll"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/re ... NPUpld.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 11305 bytes
ckwr1
Active Member
 
Posts: 5
Joined: October 28th, 2008, 11:42 am
Advertisement
Register to Remove

Re: Popup ads even though I.E. is closed

Unread postby Shaba » October 30th, 2008, 4:12 am

Hi ckwr1

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Popup ads even though I.E. is closed

Unread postby ckwr1 » October 30th, 2008, 9:52 pm

I am not sure if below is what you meant by including the C:\ComboFix.txt but this is what was produced by ComboFix. I put a big space between this and the HIJACK THIS log.

Thanks for the help,


ComboFix 08-10-30.09 - HP_Administrator 2008-10-30 20:30:07.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.564 [GMT -5:00]
Running from: C:\Documents and Settings\HP_Administrator.JKHOME\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\HP_Administrator.JKHOME\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\MCX1\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\MCX2\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\IE4 Error Log.txt
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-31 )))))))))))))))))))))))))))))))
.

2008-10-28 15:53 . 2008-10-28 15:53 172,544 --a------ C:\WINDOWS\system32\rovoclpaymgjsodc.dll
2008-10-27 05:17 . 2008-10-27 05:17 <DIR> d-------- C:\WINDOWS\system32\References
2008-10-20 05:09 . 2008-10-20 05:09 600,064 --a------ C:\WINDOWS\system32\lqfynrjzngwr.dll
2008-10-17 13:48 . 2008-10-17 13:48 <DIR> d-------- C:\Documents and Settings\All Users\Symantec Temporary Files
2008-10-17 13:33 . 2008-10-20 10:46 90,948 --a------ C:\WINDOWS\system32\lqfynrjzngwr.dll-uninst.exe
2008-10-17 13:32 . 2008-10-28 16:33 78,620 --a------ C:\WINDOWS\system32\simhwaacioo.exe
2008-10-17 12:53 . 2008-10-17 12:53 <DIR> d-------- C:\Program Files\Common Files\eSellerate
2008-10-17 12:40 . 2008-10-17 12:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-17 12:38 . 2008-10-17 12:38 <DIR> d-------- C:\Program Files\Bonjour
2008-09-10 20:44 . 2004-05-14 16:53 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2008-09-10 20:44 . 2004-05-14 16:53 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2008-09-10 20:44 . 2004-05-14 16:53 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2008-09-10 20:44 . 2004-05-14 16:53 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2008-09-10 20:44 . 2004-01-12 02:09 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2008-09-10 20:44 . 2004-05-14 16:53 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
2008-09-10 20:44 . 2003-11-04 15:10 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2008-09-10 20:44 . 2004-05-14 16:53 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
2008-09-06 15:09 . 2008-09-06 15:09 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-09-06 15:09 . 2008-09-06 15:09 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-20 03:54 --------- d-----w C:\Program Files\Trend Micro
2008-10-20 00:48 --------- d-----w C:\Program Files\Tansee iPod Transfer Photo
2008-10-19 21:03 --------- d-----w C:\Program Files\HP Games
2008-10-19 21:00 --------- d-----w C:\Program Files\LimeWire
2008-10-19 18:27 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2008-10-18 04:53 --------- d-----w C:\Documents and Settings\HP_Administrator.JKHOME\Application Data\LimeWire
2008-10-17 17:40 --------- d-----w C:\Program Files\iTunes
2008-10-17 17:40 --------- d-----w C:\Program Files\iPod
2008-10-17 17:37 --------- d-----w C:\Program Files\QuickTime
2008-10-17 17:26 --------- d-----w C:\Program Files\Apple Software Update
2008-10-15 08:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-28 10:04 333,056 ------w C:\WINDOWS\system32\drivers\srv.sys
2008-03-31 00:14 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-03-14 07:23 52,816 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\GDIPFONTCACHEV1.DAT
2007-11-13 04:28 1,388 ------w C:\Documents and Settings\HP_Administrator\Application Data\ViewerApp.dat
2007-09-07 03:56 0 ------w C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
2006-07-27 16:02 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4AC0DC2C-F31D-06B2-DD1F-F3172EBBB9C0}]
2008-10-20 05:09 600064 --a------ C:\WINDOWS\system32\lqfynrjzngwr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9429DFE4-4DCD-791B-0E66-DF4EFD27CD56}]
2008-10-28 15:53 172544 --a------ C:\WINDOWS\system32\rovoclpaymgjsodc.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-29 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 15360]
"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2007-12-16 492808]
"Microsoft Location Finder"="C:\Program Files\Microsoft Location Finder\LocationFinder.exe" [2005-08-24 101080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-01-24 7311360]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"DISCover"="C:\Program Files\DISC\DISCover.exe" [2006-03-16 1077248]
"DiscUpdateManager"="C:\Program Files\DISC\DiscUpdMgr.exe" [2006-03-16 61440]
"DMAScheduler"="c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-03-20 90112]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"VX3000"="C:\WINDOWS\vVX3000.exe" [2007-04-10 709992]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 61440]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-29 1398024]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-05-06 180269]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 622592]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-06-29 77824]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"viwbheurjaydwc"="C:\WINDOWS\system32\rovoclpaymgjsodc.dll" [2008-10-28 172544]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 C:\WINDOWS\RTHDCPL.EXE]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 C:\WINDOWS\arpwrmsg.exe]
"nwiz"="nwiz.exe" [2006-01-24 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2006-05-06 27136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Extender Resource Monitor.lnk - C:\WINDOWS\ehome\RMSysTry.exe [2005-10-20 18432]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-04-29 124400]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2006-11-01 118784]
Updates From HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe [2006-05-06 36903]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\DISC\\DISCover.exe"=
"C:\\Program Files\\DISC\\DiscStreamHub.exe"=
"C:\\Program Files\\DISC\\myFTP.exe"=
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\SightSpeed\\SightSpeed.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 MSCamSvc;MSCamSvc;C:\Program Files\Microsoft LifeCam\MSCamS32.exe [2007-05-17 271720]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1b73cb5e-3ee0-11dd-bc42-001731ab145c}]
\Shell\AutoRun\command - J:\Accessories_eCommerce.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f7e2dd94-5c36-11dd-bc48-0016b69a2619}]
\Shell\AutoRun\command - J:\3Q_Wholesale_Central.EXE
.
Contents of the 'Scheduled Tasks' folder

2008-10-29 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-PCDrProfiler - (no file)
Notify-dimsntfy - (no file)


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Default_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R0 -: HKLM-Main,Search Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-30 20:38:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Brother\ControlCenter3\BrccMCtl.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
.
**************************************************************************
.
Completion time: 2008-10-30 20:44:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-31 01:44:29

Pre-Run: 41,425,592,320 bytes free
Post-Run: 43,267,256,320 bytes free

201 --- E O F --- 2008-10-27 08:01:37




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:48:40 PM, on 10/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\regsvr32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Trend Micro\HijackCheck\Hcheck.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: mysidesearch search enhancer - {4AC0DC2C-F31D-06B2-DD1F-F3172EBBB9C0} - C:\WINDOWS\system32\lqfynrjzngwr.dll
O2 - BHO: cpmsky browser enhancer - {9429DFE4-4DCD-791B-0E66-DF4EFD27CD56} - C:\WINDOWS\system32\rovoclpaymgjsodc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [HPHUPD08] "c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe"
O4 - HKLM\..\Run: [DISCover] "C:\Program Files\DISC\DISCover.exe"
O4 - HKLM\..\Run: [DiscUpdateManager] "C:\Program Files\DISC\DiscUpdMgr.exe"
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BrMfcWnd] "C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] "C:\Program Files\Brother\ControlCenter3\brctrcen.exe" /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [viwbheurjaydwc] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\rovoclpaymgjsodc.dll"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/re ... NPUpld.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 10786 bytes
ckwr1
Active Member
 
Posts: 5
Joined: October 28th, 2008, 11:42 am

Re: Popup ads even though I.E. is closed

Unread postby Shaba » October 31st, 2008, 5:25 am

That is fine :)

To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

Image

5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Popup ads even though I.E. is closed

Unread postby ckwr1 » November 1st, 2008, 8:00 pm

Here is the save list you were requesting


2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
Adobe Flash Player ActiveX
Adobe Reader 7.1.0
Agere Systems PCI-SV92PP Soft Modem
Ancient Sudoku
Apple Mobile Device Support
Apple Software Update
ArcSoft Panorama Maker 3
Bejeweled 2 Deluxe
Big Kahuna Reef
Blackhawk Striker 2
Blasterball 2 Remix
Blasterball 2 Revolution
Bonjour
Bookworm Deluxe
Bounce Symphony
Brother MFL-Pro Suite
Chuzzle Deluxe
Customer Experience Enhancement
Diner Dash
DISCover
Easy Internet Sign-up
Enhanced Multimedia Keyboard Solution
Fairies
Family Feud
FATE
Flip Words
GemMaster Mystic
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Player 10 (KB910393)
Hotfix for Windows XP (KB893357)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB912024)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB952287)
HP Boot Optimizer
HP Deskjet Printer Preload
HP DigitalMedia Archive
HP Document Viewer 6.1
HP DVD Play 2.1
HP Game Console
HP Imaging Device Functions 7.0
HP Photosmart 330,380,420,470,7800,8000,8200 Series
HP Photosmart Cameras 6.0
HP Photosmart for Media Center PC
HP Photosmart Premier Software 6.5
HP PSC & OfficeJet 5.3.B
HP PSC & OfficeJet 6.1.A
HP Rhapsody
HP Solution Center and Imaging Support Tools 6.1
HP Update
HP Web Helper
Insaniquarium Deluxe
iTunes
J2SE Runtime Environment 5.0 Update 5
Jewel Quest
Mah Jong Quest
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft LifeCam
Microsoft Location Finder
Microsoft Money 2006
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 Edition 60 Days Trial Welcome Tour
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Streets & Trips 2006
Microsoft Works
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
muvee autoProducer 5.0
muvee autoProducer unPlugged 2.0
Mystery Case Files
Netscape Browser (remove only)
Nikon Message Center
NVIDIA Drivers
Otto
PC-Doctor 5 for Windows
PictureProject
Poker Superstars
Polar Bowler
Polar Golfer
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
Quicken 2006
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Ricochet Lost Worlds
RON Tool Cpmsky
SCRABBLE
Search Assistant Mysidesearch
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB955936)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB955470)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office system 2007 (KB951808)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office Word 2007 (KB950113)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB958644)
SightSpeed (remove only)
Slingo Deluxe
Snowy The Bears Adventure
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Super Granny
Tennis Titans
Tornado Jockey
Tradewinds
Trend Micro Internet Security
Trend Micro Internet Security
Update for Office 2007 (KB946691)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Updates from HP (remove only)
WildTangent Web Driver
Windows Communication Foundation
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892050
Windows XP Hotfix - KB893066
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB912067

Thanks,
ckwr1
Active Member
 
Posts: 5
Joined: October 28th, 2008, 11:42 am

Re: Popup ads even though I.E. is closed

Unread postby Shaba » November 2nd, 2008, 5:56 am

Uninstall via add/remove programs:

Search Assistant Mysidesearch

Open notepad and copy/paste the text in the codebox below into it:

Code: Select all
File::
C:\WINDOWS\system32\rovoclpaymgjsodc.dll
C:\WINDOWS\system32\lqfynrjzngwr.dll
C:\WINDOWS\system32\lqfynrjzngwr.dll-uninst.exe
C:\WINDOWS\system32\simhwaacioo.exe

DirLook::
C:\WINDOWS\system32\References
C:\Program Files\Common Files\eSellerate

Folder::
C:\Program Files\LimeWire
C:\Documents and Settings\HP_Administrator.JKHOME\Application Data\LimeWire

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4AC0DC2C-F31D-06B2-DD1F-F3172EBBB9C0}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9429DFE4-4DCD-791B-0E66-DF4EFD27CD56}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"viwbheurjaydwc"=-


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Popup ads even though I.E. is closed

Unread postby ckwr1 » November 3rd, 2008, 8:09 pm

Everything went smoothly, here is the Combofix log.

ComboFix 08-10-30.09 - HP_Administrator 2008-11-03 17:54:51.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.488 [GMT -6:00]
Running from: C:\Documents and Settings\HP_Administrator.JKHOME\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Administrator.JKHOME\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\lqfynrjzngwr.dll
C:\WINDOWS\system32\lqfynrjzngwr.dll-uninst.exe
C:\WINDOWS\system32\rovoclpaymgjsodc.dll
C:\WINDOWS\system32\simhwaacioo.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\HP_Administrator.JKHOME\Application Data\LimeWire
C:\Documents and Settings\HP_Administrator.JKHOME\Application Data\LimeWire\createtimes.cache
C:\Documents and Settings\HP_Administrator.JKHOME\Application Data\LimeWire\fileurns.bak
C:\Documents and Settings\HP_Administrator.JKHOME\Application Data\LimeWire\fileurns.cache
C:\Documents and Settings\HP_Administrator.JKHOME\Application Data\LimeWire\filters.props
C:\Documents and Settings\HP_Administrator.JKHOME\Application Data\LimeWire\gnutella.net
C:\Documents and Settings\HP_Administrator.JKHOME\Application Data\LimeWire\installation.props
C:\Documents and Settings\HP_Administrator.JKHOME\Application Data\LimeWire\library.dat
C:\Documents and Settings\HP_Administrator.JKHOME\Application Data\LimeWire\limewire.props
C:\Documents and Settings\HP_Administrator.JKHOME\Application Data\LimeWire\mojito.props
C:\Documents and Settings\HP_Administrator.JKHOME\Application Data\LimeWire\questions.props
C:\Documents and Settings\HP_Administrator.JKHOME\Application Data\LimeWire\responses.cache
C:\Documents and Settings\HP_Administrator.JKHOME\Application Data\LimeWire\simpp.xml
C:\Documents and Settings\HP_Administrator.JKHOME\Application Data\LimeWire\spam.dat
C:\Documents and Settings\HP_Administrator.JKHOME\Application Data\LimeWire\tables.props
C:\Documents and Settings\HP_Administrator.JKHOME\Application Data\LimeWire\themes\windows_theme.lwtp
C:\Documents and Settings\HP_Administrator.JKHOME\Application Data\LimeWire\themes\windows_theme\01_star.gif
C:\Documents and Settings\HP_Administrator.JKHOME\Application Data\LimeWire\themes\windows_theme\02_star.gif
C:\Documents and Settings\HP_Administrator.JKHOME\Application Data\LimeWire\themes\windows_theme\03_star.gif
C:\Documents and Settings\HP_Administrator.JKHOME\Application Data\LimeWire\themes\windows_theme\04_star.gif
C:\Documents and Settings\HP_Administrator.JKHOME\Application Data\LimeWire\themes\windows_theme\05_star.gif
C:\Documents and Settings\HP_Administrator.JKHOME\Application Data\LimeWire\themes\windows_theme\chat.gif
C:\Documents and Settings\HP_Administrator.JKHOME\Application Data\LimeWire\themes\windows_theme\forward_dn.gif
C:\Documents and Settings\HP_Administrator.JKHOME\Application Data\LimeWire\themes\windows_theme\forward_up.gif
C:\Documents and Settings\HP_Administrator.JKHOME\Application Data\LimeWire\themes\windows_theme\kill.gif
C:\Documents and Settings\HP_Administrator.JKHOME\Application Data\LimeWire\themes\windows_theme\kill_on.gif
C:\Documents and Settings\HP_Administrator.JKHOME\Application Data\LimeWire\themes\windows_theme\logo.png
C:\Documents and Settings\HP_Administrator.JKHOME\Application Data\LimeWire\themes\windows_theme\notsearching.png
C:\Documents and Settings\HP_Administrator.JKHOME\Application Data\LimeWire\themes\windows_theme\pause_dn.gif
C:\Documents and Settings\HP_Administrator.JKHOME\Application Data\LimeWire\themes\windows_theme\pause_up.gif
C:\Documents and Settings\HP_Administrator.JKHOME\Application Data\LimeWire\themes\windows_theme\play_dn.gif
C:\Documents and Settings\HP_Administrator.JKHOME\Application Data\LimeWire\themes\windows_theme\play_up.gif
C:\Documents and Settings\HP_Administrator.JKHOME\Application Data\LimeWire\themes\windows_theme\question.gif
C:\Documents and Settings\HP_Administrator.JKHOME\Application Data\LimeWire\themes\windows_theme\rewind_dn.gif
C:\Documents and Settings\HP_Administrator.JKHOME\Application Data\LimeWire\themes\windows_theme\rewind_up.gif
C:\Documents and Settings\HP_Administrator.JKHOME\Application Data\LimeWire\themes\windows_theme\searching.gif
C:\Documents and Settings\HP_Administrator.JKHOME\Application Data\LimeWire\themes\windows_theme\stop_dn.gif
C:\Documents and Settings\HP_Administrator.JKHOME\Application Data\LimeWire\themes\windows_theme\stop_up.gif
C:\Documents and Settings\HP_Administrator.JKHOME\Application Data\LimeWire\themes\windows_theme\theme.txt
C:\Documents and Settings\HP_Administrator.JKHOME\Application Data\LimeWire\themes\windows_theme\version.txt
C:\Documents and Settings\HP_Administrator.JKHOME\Application Data\LimeWire\themes\windows_theme\warning.gif
C:\Documents and Settings\HP_Administrator.JKHOME\Application Data\LimeWire\ttrees.cache
C:\Documents and Settings\HP_Administrator.JKHOME\Application Data\LimeWire\ttroot.cache
C:\Documents and Settings\HP_Administrator.JKHOME\Application Data\LimeWire\version.xml
C:\Program Files\LimeWire
C:\Program Files\LimeWire\aopalliance.pack
C:\Program Files\LimeWire\clink.pack
C:\Program Files\LimeWire\commons-httpclient.pack
C:\Program Files\LimeWire\commons-logging.pack
C:\Program Files\LimeWire\commons-net.pack
C:\Program Files\LimeWire\commons-pool.pack
C:\Program Files\LimeWire\daap.pack
C:\Program Files\LimeWire\forms.pack
C:\Program Files\LimeWire\foxtrot.pack
C:\Program Files\LimeWire\GenericWindowsUtils.dll
C:\Program Files\LimeWire\gettext-commons.pack
C:\Program Files\LimeWire\guice-1.0.pack
C:\Program Files\LimeWire\hs_err_pid5328.log
C:\Program Files\LimeWire\httpcore-nio.pack
C:\Program Files\LimeWire\httpcore.pack
C:\Program Files\LimeWire\i18n.jar
C:\Program Files\LimeWire\icu4j.pack
C:\Program Files\LimeWire\id3v2.pack
C:\Program Files\LimeWire\jcraft.pack
C:\Program Files\LimeWire\jdic.pack
C:\Program Files\LimeWire\jdic_stub.pack
C:\Program Files\LimeWire\jflac.pack
C:\Program Files\LimeWire\jl.pack
C:\Program Files\LimeWire\jmdns.pack
C:\Program Files\LimeWire\jogg.pack
C:\Program Files\LimeWire\jorbis.pack
C:\Program Files\LimeWire\lib\jl011.jar
C:\Program Files\LimeWire\lib\MessagesBundles.jar
C:\Program Files\LimeWire\lib\mp3sp14.jar
C:\Program Files\LimeWire\lib\UnpackedJars.7z
C:\Program Files\LimeWire\lib\vorbis.jar
C:\Program Files\LimeWire\LimeWire.jar.tmp
C:\Program Files\LimeWire\LimeWire20.dll
C:\Program Files\LimeWire\log4j.pack
C:\Program Files\LimeWire\looks.pack
C:\Program Files\LimeWire\messages.pack
C:\Program Files\LimeWire\mp3spi.pack
C:\Program Files\LimeWire\ProgressTabs.pack
C:\Program Files\LimeWire\swt.pack
C:\Program Files\LimeWire\themes.pack
C:\Program Files\LimeWire\tritonus.pack
C:\Program Files\LimeWire\vorbisspi.pack
C:\Program Files\LimeWire\WindowsFirewall.dll
C:\Program Files\LimeWire\WindowsV5PlusUtils.dll
C:\Program Files\LimeWire\xerces.jar
C:\Program Files\LimeWire\xml-apis.jar
C:\Program Files\LimeWire\xml.war
C:\WINDOWS\system32\rovoclpaymgjsodc.dll
C:\WINDOWS\system32\simhwaacioo.exe

.
((((((((((((((((((((((((( Files Created from 2008-10-03 to 2008-11-03 )))))))))))))))))))))))))))))))
.

2008-10-27 04:17 . 2008-10-27 04:17 <DIR> d-------- C:\WINDOWS\system32\References
2008-10-17 12:48 . 2008-10-17 12:48 <DIR> d-------- C:\Documents and Settings\All Users\Symantec Temporary Files
2008-10-17 11:53 . 2008-10-17 11:53 <DIR> d-------- C:\Program Files\Common Files\eSellerate
2008-10-17 11:40 . 2008-10-17 11:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-17 11:38 . 2008-10-17 11:38 <DIR> d-------- C:\Program Files\Bonjour

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-20 03:54 --------- d-----w C:\Program Files\Trend Micro
2008-10-20 00:48 --------- d-----w C:\Program Files\Tansee iPod Transfer Photo
2008-10-19 21:03 --------- d-----w C:\Program Files\HP Games
2008-10-19 18:27 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2008-10-17 17:40 --------- d-----w C:\Program Files\iTunes
2008-10-17 17:40 --------- d-----w C:\Program Files\iPod
2008-10-17 17:37 --------- d-----w C:\Program Files\QuickTime
2008-10-17 17:26 --------- d-----w C:\Program Files\Apple Software Update
2008-10-15 16:57 332,800 ----a-w C:\WINDOWS\system32\dllcache\netapi32.dll
2008-10-15 08:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-10-03 17:41 6,066,176 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2008-09-15 11:57 1,846,016 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-15 11:57 1,846,016 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-08-29 15:18 87,336 ----a-w C:\WINDOWS\system32\dns-sd.exe
2008-08-29 14:53 61,440 ----a-w C:\WINDOWS\system32\dnssd.dll
2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\dllcache\srv.sys
2008-08-27 08:24 3,593,216 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-08-25 08:38 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-08-25 08:37 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-08-23 05:56 635,848 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-08-23 05:54 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-08-14 10:00 2,180,352 ------w C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-08-14 09:58 2,136,064 ------w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:58 2,136,064 ------w C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-08-14 09:51 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-08-14 09:22 2,057,728 ------w C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-08-14 09:22 2,015,744 ------w C:\WINDOWS\system32\ntkrnlpa.exe
2008-08-14 09:22 2,015,744 ------w C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-03-31 00:14 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-03-14 07:23 52,816 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\GDIPFONTCACHEV1.DAT
2007-11-13 04:28 1,388 ------w C:\Documents and Settings\HP_Administrator\Application Data\ViewerApp.dat
2007-09-07 03:56 0 ------w C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
2006-10-03 07:43 2,402,550 ----a-w C:\WINDOWS\inf\SETA8.tmp
2006-10-03 07:43 2,402,550 ----a-w C:\WINDOWS\inf\SET7E.tmp
2006-10-03 07:43 2,402,550 ----a-w C:\WINDOWS\inf\SET61.tmp
2006-10-03 07:43 2,402,550 ----a-w C:\WINDOWS\inf\SET152.tmp
2006-10-03 07:43 2,402,550 ------w C:\WINDOWS\inf\SETA4.tmp
2006-10-03 07:43 2,402,550 ------w C:\WINDOWS\inf\SET76F.tmp
2006-07-27 16:02 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Program Files\Common Files\eSellerate ----

2008-10-17 11:53 279172 --a------ C:\Program Files\Common Files\eSellerate\KWNDE681265\eWebClient.dll

---- Directory of C:\WINDOWS\system32\References ----



((((((((((((((((((((((((((((( snapshot@2008-10-30_20.43.59.97 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-10-21 01:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-21 02:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\ERDNT.EXE
- 2000-08-31 13:00:00 28,672 ----a-w C:\WINDOWS\NIRCMD.exe
+ 2000-08-31 14:00:00 28,672 ----a-w C:\WINDOWS\NIRCMD.exe
- 2000-08-31 13:00:00 161,792 ----a-w C:\WINDOWS\SWREG.exe
+ 2000-08-31 14:00:00 161,792 ----a-w C:\WINDOWS\SWREG.exe
- 2008-07-19 00:08:32 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
+ 2008-08-16 08:00:46 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
- 2008-07-19 00:08:38 205,328 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
+ 2008-08-16 08:00:52 205,328 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
- 2008-07-18 23:51:32 1,195,448 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
+ 2008-08-16 07:53:50 1,195,448 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-29 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 15360]
"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2007-12-16 492808]
"Microsoft Location Finder"="C:\Program Files\Microsoft Location Finder\LocationFinder.exe" [2005-08-24 101080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-01-24 7311360]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"DISCover"="C:\Program Files\DISC\DISCover.exe" [2006-03-16 1077248]
"DiscUpdateManager"="C:\Program Files\DISC\DiscUpdMgr.exe" [2006-03-16 61440]
"DMAScheduler"="c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-03-20 90112]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"VX3000"="C:\WINDOWS\vVX3000.exe" [2007-04-10 709992]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 61440]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-29 1398024]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-05-06 180269]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 622592]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-06-29 77824]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 C:\WINDOWS\RTHDCPL.EXE]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 C:\WINDOWS\arpwrmsg.exe]
"nwiz"="nwiz.exe" [2006-01-24 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2006-05-06 27136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Extender Resource Monitor.lnk - C:\WINDOWS\ehome\RMSysTry.exe [2005-10-20 18432]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-04-29 124400]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2006-11-01 118784]
Updates From HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe [2006-05-06 36903]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\DISC\\DISCover.exe"=
"C:\\Program Files\\DISC\\DiscStreamHub.exe"=
"C:\\Program Files\\DISC\\myFTP.exe"=
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\SightSpeed\\SightSpeed.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 MSCamSvc;MSCamSvc;C:\Program Files\Microsoft LifeCam\MSCamS32.exe [2007-05-17 271720]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1b73cb5e-3ee0-11dd-bc42-001731ab145c}]
\Shell\AutoRun\command - J:\Accessories_eCommerce.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f7e2dd94-5c36-11dd-bc48-0016b69a2619}]
\Shell\AutoRun\command - J:\3Q_Wholesale_Central.EXE
.
Contents of the 'Scheduled Tasks' folder

2008-10-29 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-03 18:02:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-03 18:04:33
ComboFix-quarantined-files.txt 2008-11-04 00:04:28
ComboFix2.txt 2008-10-31 01:44:40

Pre-Run: 42,775,162,880 bytes free
Post-Run: 42,898,108,416 bytes free

282 --- E O F --- 2008-10-27 08:01:37
ckwr1
Active Member
 
Posts: 5
Joined: October 28th, 2008, 11:42 am

Re: Popup ads even though I.E. is closed

Unread postby Shaba » November 4th, 2008, 9:41 am

Please post also a fresh HijackThis log :)
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Popup ads even though I.E. is closed

Unread postby ckwr1 » November 5th, 2008, 9:54 am

Here you go

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:54:17 AM, on 11/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Trend Micro\HijackCheck\Hcheck.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [HPHUPD08] "c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe"
O4 - HKLM\..\Run: [DISCover] "C:\Program Files\DISC\DISCover.exe"
O4 - HKLM\..\Run: [DiscUpdateManager] "C:\Program Files\DISC\DiscUpdMgr.exe"
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BrMfcWnd] "C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] "C:\Program Files\Brother\ControlCenter3\brctrcen.exe" /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/re ... NPUpld.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 10120 bytes
ckwr1
Active Member
 
Posts: 5
Joined: October 28th, 2008, 11:42 am

Re: Popup ads even though I.E. is closed

Unread postby Shaba » November 5th, 2008, 10:45 am

Please go to Kaspersky website and perform an online antivirus scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply along with a fresh HijackThis log.

If you need a tutorial, see here
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Popup ads even though I.E. is closed

Unread postby Shaba » November 10th, 2008, 5:34 am

Due to lack of Response this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 41 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware