Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Multiple Pop-ups + Virus Remover2008 +Returns

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Multiple Pop-ups + Virus Remover2008 +Returns

Unread postby Insane » December 29th, 2008, 9:18 am

Same infection as my laptop.
Laptop thread;

viewtopic.php?f=11&t=37969

HijackThis Log;


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:16:25, on 29/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [14e8b1db] rundll32.exe "C:\WINDOWS\system32\mpjcctgi.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: iOpus iMacros - {0483894E-2422-45E0-8384-021AFF1AF3CD} - C:\Program Files\iMacros\imacros.dll
O9 - Extra 'Tools' menuitem: iMacros Web Automation - {0483894E-2422-45E0-8384-021AFF1AF3CD} - C:\Program Files\iMacros\imacros.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C50D662-88C5-4D58-AC1C-C2586CDA1343}: NameServer = 208.67.222.222,208.67.222.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{3C50D662-88C5-4D58-AC1C-C2586CDA1343}: NameServer = 208.67.222.222,208.67.222.220
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL rpopmo.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 4539 bytes
Insane
Regular Member
 
Posts: 23
Joined: December 24th, 2008, 12:24 am
Advertisement
Register to Remove

Re: Multiple Pop-ups + Virus Remover2008 +Returns

Unread postby Carolyn » January 2nd, 2009, 12:23 pm

Hello and Welcome to the forums!

My name is Carolyn and I'll be glad to help you with your computer problems. HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that it happens.

Please do not run any other tool untill instructed to do so!
Please reply to this thread, do not start another!
Please tell me about any problems that have occurred during the fix.
Please tell me of any other symptoms you may be having as these can help also.
Please try as much as possible not to run anything while executing a fix.


If you follow these instructions, everything should go smoothly.


Download and Run ComboFix (by sUBs)

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Image

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a new HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
User avatar
Carolyn
MRU Emeritus
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Multiple Pop-ups + Virus Remover2008 +Returns

Unread postby Insane » January 2nd, 2009, 2:39 pm

ComboFix 09-01-01.02 - Sami 2009-01-02 18:20:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.446.119 [GMT 0:00]
Running from: c:\documents and settings\Sami\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\install.exe
c:\windows\system32\_004669_.tmp.dll
c:\windows\system32\_004670_.tmp.dll
c:\windows\system32\_004671_.tmp.dll
c:\windows\system32\_004672_.tmp.dll
c:\windows\system32\_004679_.tmp.dll
c:\windows\system32\_004680_.tmp.dll
c:\windows\system32\_004681_.tmp.dll
c:\windows\system32\_004682_.tmp.dll
c:\windows\system32\_004684_.tmp.dll
c:\windows\system32\_004685_.tmp.dll
c:\windows\system32\_004688_.tmp.dll
c:\windows\system32\_004689_.tmp.dll
c:\windows\system32\_004691_.tmp.dll
c:\windows\system32\_004692_.tmp.dll
c:\windows\system32\_004693_.tmp.dll
c:\windows\system32\_004695_.tmp.dll
c:\windows\system32\_004698_.tmp.dll
c:\windows\system32\_004699_.tmp.dll
c:\windows\system32\_004703_.tmp.dll
c:\windows\system32\_004704_.tmp.dll
c:\windows\system32\_004706_.tmp.dll
c:\windows\system32\_004709_.tmp.dll
c:\windows\system32\_004711_.tmp.dll
c:\windows\system32\_004712_.tmp.dll
c:\windows\system32\_004713_.tmp.dll
c:\windows\system32\_004714_.tmp.dll
c:\windows\system32\_004715_.tmp.dll
c:\windows\system32\_004718_.tmp.dll
c:\windows\system32\_004719_.tmp.dll
c:\windows\system32\_004720_.tmp.dll
c:\windows\system32\_004721_.tmp.dll
c:\windows\system32\_004722_.tmp.dll
c:\windows\system32\_004727_.tmp.dll
c:\windows\system32\_004729_.tmp.dll
c:\windows\system32\_004730_.tmp.dll
c:\windows\system32\a.exe
c:\windows\system32\chantthq.dll
c:\windows\system32\igtccjpm.ini
c:\windows\system32\junlrfps.dll
c:\windows\system32\mpjcctgi.dll
c:\windows\system32\rpopmo.dll
c:\windows\system32\yaceNUtv.ini
c:\windows\system32\yaceNUtv.ini2

.
((((((((((((((((((((((((( Files Created from 2008-12-02 to 2009-01-02 )))))))))))))))))))))))))))))))
.

2009-09-12 21:44 . 2008-10-29 13:04 <DIR> d-------- c:\program files\Tales of Pirates Online
2009-04-22 20:35 . 2009-04-22 20:35 <DIR> d-------- c:\program files\alot
2008-12-29 13:15 . 2008-12-29 13:15 <DIR> d-------- c:\program files\Trend Micro
2008-12-27 12:28 . 2008-12-27 12:28 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-26 21:48 . 2008-12-26 22:04 <DIR> d-------- c:\program files\ProxyWay
2008-12-25 18:21 . 2008-12-25 18:21 <DIR> d-------- c:\documents and settings\yousuf
2008-12-24 22:11 . 2008-12-26 22:04 <DIR> d-------- c:\documents and settings\Sami\Application Data\Hide IP NG
2008-12-24 21:46 . 2008-12-24 21:46 32 --a------ c:\windows\go
2008-12-24 20:42 . 2008-12-24 20:42 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-24 20:42 . 2008-12-24 20:42 <DIR> d-------- c:\documents and settings\Sami\Application Data\SUPERAntiSpyware.com
2008-12-24 20:42 . 2008-12-24 20:42 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2008-12-10 22:48 . 2008-12-10 22:48 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Adobe Systems
2008-12-09 19:41 . 2008-12-09 19:41 <DIR> d-------- c:\windows\.jagex_cache_32
2008-12-08 10:51 . 2008-12-08 10:51 <DIR> d--hs---- C:\found.000
2008-12-07 17:38 . 2008-12-07 17:38 <DIR> d-------- c:\documents and settings\Sami\Application Data\Megaupload
2008-12-07 17:37 . 2008-12-07 17:38 <DIR> d-------- c:\documents and settings\Sami\Application Data\EmailNotifier
2008-12-07 17:37 . 2008-12-07 17:37 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Megaupload
2008-12-07 17:37 . 2008-12-07 17:37 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\EmailNotifier
2008-12-06 22:10 . 2008-12-06 22:10 <DIR> d-------- c:\program files\GoldWave
2008-12-04 15:58 . 2008-12-04 15:58 <DIR> d-------- c:\program files\MSXML 6.0
2008-12-03 12:15 . 2008-12-03 12:15 <DIR> d-------- c:\program files\FileZilla FTP Client

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-22 20:43 --------- d-----w c:\documents and settings\zaiby\Application Data\alot
2009-04-22 20:42 --------- d---a-w c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2009-04-22 20:41 --------- d-----w c:\documents and settings\zaiby\Application Data\Publish Providers
2009-04-22 20:40 --------- d-----w c:\documents and settings\zaiby\Application Data\Sony
2008-12-29 16:09 --------- d-----w c:\program files\Google
2008-12-27 12:59 --------- d-----w c:\documents and settings\Sami\Application Data\FileZilla
2008-12-27 12:27 --------- d-----w c:\program files\Java
2008-12-26 22:29 --------- d-----w c:\program files\Tubeinator
2008-12-24 20:39 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-10 22:45 --------- d-----w c:\program files\Common Files\Adobe
2008-12-07 19:28 --------- d-----w c:\program files\TubeAdder
2008-12-07 19:27 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-24 20:14 --------- d-----w c:\program files\Windows Live
2008-11-24 20:13 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\WLInstaller
2008-11-24 14:41 --------- d-----w c:\program files\Microsoft
2008-11-24 14:28 --------- d-----w c:\program files\Common Files\Windows Live
2008-11-17 20:24 --------- d-----w c:\program files\Topaz Labs LLC
2008-11-15 17:56 --------- d-----w c:\program files\Traffic Hurricane
2008-11-15 17:47 --------- d-----w c:\program files\Common Files\Real
2008-11-15 13:33 --------- d-----w c:\program files\SystemRequirementsLab
2008-11-15 13:30 --------- d-----w c:\documents and settings\Sami\Application Data\SystemRequirementsLab
2008-11-14 20:20 73,216 ----a-w c:\windows\ST6UNST.EXE
2008-11-14 20:20 249,856 ------w c:\windows\Setup1.exe
2008-11-11 14:06 434,688 ----a-w c:\windows\system32\ss2uinst.exe
2008-11-10 13:34 --------- d-----w c:\program files\Windows Media Connect 2
2008-11-10 13:26 676,224 ----a-w c:\windows\system32\ogacheckcontrol.dll
2008-11-09 14:17 --------- d-----w c:\program files\Ahead
2008-11-05 20:19 --------- d-----w c:\program files\Magic Traffic Bot
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 14:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 10:37 659,456 ----a-w c:\windows\system32\wininet.dll
2008-10-03 10:15 247,326 ----a-w c:\windows\system32\strmdll.dll
.

------- Sigcheck -------

2008-04-14 00:12 295424 ff3477c03be7201c294c35f684b3479f c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\termsrv.dll
2002-12-31 12:00 215552 a77219a971029dc2fb683e8513713803 c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2002-12-31 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Google Update"="c:\documents and settings\Sami\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-14 133104]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-22 1830128]
"ProxyWay"="c:\program files\ProxyWay\proxyway.exe" [2008-12-26 409088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-27 136600]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 c:\windows\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2002-12-31 15360]

c:\documents and settings\Sami\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll rpopmo.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 18:51 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2002-12-31 12:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-10-31 18:42 32768 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-07-18 97928]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-22 55024]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-23 875288]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-23 231704]
R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-07-18 76040]
R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16dfbc98-2843-11de-a4ec-0016761da936}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16dfbc9b-2843-11de-a4ec-0016761da936}]
\Shell\AutoRun\command - F:\AutoRun.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-1303643608-2147027303-1003.job
- c:\documents and settings\Sami\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-14 15:55]
.
- - - - ORPHANS REMOVED - - - -

BHO-{925dcd6d-4d73-4100-958c-e840b68593b9} - c:\windows\system32\rpopmo.dll
WebBrowser-{A057A204-BACC-4D26-C39E-35F1D2A32EC8} - (no file)
HKCU-Run-Free Ram Optimizer - c:\program files\AceLogix\Free Ram Optimizer\fro.exe
Notify-dimsntfy - (no file)
MSConfigStartUp-NeroCheck - c:\windows\system32\\NeroCheck.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = socks=
uInternet Settings,ProxyOverride = plimus.com,www.plimus.com,regnow.com,www.regnow.com,
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
TCP: {3C50D662-88C5-4D58-AC1C-C2586CDA1343} = 208.67.222.222,208.67.222.220
FF - ProfilePath - c:\documents and settings\Sami\Application Data\Mozilla\Firefox\Profiles\zsc14161.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - component: c:\documents and settings\Sami\Application Data\Mozilla\Firefox\Profiles\zsc14161.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-02 18:29:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-682003330-1303643608-2147027303-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{96615BFF-D8CB-B059-E66B-2D036C7C3CD4}*NULL*]
"hanbngpannofhjfl"=hex:6a,61,68,6a,6a,6d,6b,6b,62,6c,69,63,6e,62,6f,69,6a,64,\
63,6f,00,22
"iahphkdlghjiodmije"=hex:63,61,62,6a,6c,70,00,00
"iadchhkigoeeipdmof"=hex:6a,61,68,6a,6a,6d,6b,6b,62,6c,69,63,6e,62,6f,69,6a,64,\
63,6f,00,d6

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\DJZERO]
@DACL=(02 0000)
"LTM"=hex:00,00,00,00,00,00,00,00
"CDY"=hex:00,00,00,00,00,00,00,00
"CNT"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\JKWL]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\JKWL\msg/view/140482/inbox]
@DACL=(02 0000)
"LU"="www.google-analytics.com/__utm.gif?utmwv=4.3&utmn=1067967982&utmhn=www.streetmobster.com&utmcs=UTF-8&utmsr=1024x768&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=10.0%20r12&utmdt=STREETMOBSTER.COM%20%E2%80%94%20the%20hottest%20online%20mobster%20game!&utmhid=1728396597&utmr=-&utmp=/?q=msg/view/140482/inbox&z=TxtO&utmac=UA-4769024-1&utmcc=__utma%3D65884396.4361062169877727700.1230229586.1230552612.1230558779.13%3B%2B__utmz%3D65884396.1230229586.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B"
"CT"=dword:00000001
"LT"=hex:fe,e8,da,c4,bc,69,c9,01

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\metajuan]
@DACL=(02 0000)
"LTM"=hex:00,00,00,00,00,00,00,00
"CDY"=hex:00,00,00,00,00,00,00,00
"CNT"=dword:00000000
"LBL"=hex:00,00,00,00,00,00,00,00
"MN"=hex:00,00,00,00

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\meta_mg]
@DACL=(02 0000)
"LTM"=hex:00,00,00,00,00,00,00,00
"CDY"=hex:00,00,00,00,00,00,00,00
"CNT"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\profiling4]
@DACL=(02 0000)
"LTM"=hex:04,40,44,41,bb,69,c9,01
"CDY"=hex:fe,e8,da,c4,bc,69,c9,01
"CNT"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\superjuan]
@DACL=(02 0000)
"LTM"=hex:fe,e8,da,c4,bc,69,c9,01
"CDY"=hex:00,00,00,00,00,00,00,00
"CNT"=dword:00000033

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\TrackDJuan]
@DACL=(02 0000)
"LTM"=hex:00,00,00,00,00,00,00,00
"CDY"=hex:00,00,00,00,00,00,00,00
"CNT"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\•€|ÿÿÿÿ"•€|þ»Ôw*NULL*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(528)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-02 18:35:45 - machine was rebooted [Sami]
ComboFix-quarantined-files.txt 2009-01-02 18:35:41

Pre-Run: 18,891,427,840 bytes free
Post-Run: 28,121,726,976 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

291 --- E O F --- 2008-12-19 11:54:37





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:36:38, on 02/01/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Documents and Settings\Sami\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\CF16361.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = plimus.com,www.plimus.com,regnow.com,www.regnow.com,
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Sami\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: iOpus iMacros - {0483894E-2422-45E0-8384-021AFF1AF3CD} - C:\Program Files\iMacros\imacros.dll
O9 - Extra 'Tools' menuitem: iMacros Web Automation - {0483894E-2422-45E0-8384-021AFF1AF3CD} - C:\Program Files\iMacros\imacros.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C50D662-88C5-4D58-AC1C-C2586CDA1343}: NameServer = 208.67.222.222,208.67.222.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{3C50D662-88C5-4D58-AC1C-C2586CDA1343}: NameServer = 208.67.222.222,208.67.222.220
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll rpopmo.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 5672 bytes
Insane
Regular Member
 
Posts: 23
Joined: December 24th, 2008, 12:24 am

Re: Multiple Pop-ups + Virus Remover2008 +Returns

Unread postby Carolyn » January 3rd, 2009, 3:54 pm

Hi,

Please download gmer.zip from Gmer and save it to your desktop.

  1. Right click on gmer.zip and select Extract All....
  2. Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  3. Click on the Browse button. Click on Desktop. Then click OK.
  4. Click Next. It will start extracting.
  5. Once done, check (tick) the Show extracted files box and click Finish.

Double click on gmer.exe to run it. It will start running a scan. If it detects rootkit activity, you will receive a prompt to run a full scan. Click Yes.

  • When done, you may receive another notice. Click OK.
  • Click on Save ... to save a log.
  • Copy and paste in Gmer.txt and click Save.
  • Close Gmer.

If you receive no notice, click on the Scan button.

  • It will start scanning again.
  • When done, click on Save ... to save a log.
  • Copy and paste in Gmer.txt and click Save.
  • Close Gmer.

Note: Do not run any programs while Gmer is running.

In your next reply, please post the contents of Gmer.txt
User avatar
Carolyn
MRU Emeritus
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Multiple Pop-ups + Virus Remover2008 +Returns

Unread postby NonSuch » January 10th, 2009, 12:32 am

Due to lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27302
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 29 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware