Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

IE popping up ad windows at random - redux

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: IE popping up ad windows at random - redux

Unread postby Occam » July 15th, 2010, 10:36 pm

Unable to use VirusTotal - the indicated file does not exist on my computer.

Kaspersky scan reports 0 problems. There is no report; it is empty.

HJT log to follow.
Occam
Regular Member
 
Posts: 26
Joined: June 30th, 2010, 3:24 am
Advertisement
Register to Remove

Re: IE popping up ad windows at random - redux

Unread postby Occam » July 15th, 2010, 10:39 pm

I lost focus on my browser window while typing this reply, so I'm not at all sure the PC is cleaned yet. Given the sneaky nature of the problem, I will watch it overnight to see what happens.

Some strange things have happened to a few of my programs during this whole process. Hopefully I can restore the correct registration keys and the like.


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:36:00 PM, on 7/15/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\igfxpers.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINNT\system32\igfxsrvc.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
\Sean2\c\Program Files\PureText\PureText.exe
C:\Program Files\AutoMate4\Automate.exe
C:\Program Files\GridMove\GridMove.exe
C:\Program Files\WallMaster\wallmast.exe
C:\Program Files\Yahoo! Widgets\YahooWidgets.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Yahoo! Widgets\YahooWidgets.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
C:\Program Files\Yahoo! Widgets\YahooWidgets.exe
C:\Program Files\Yahoo! Widgets\YahooWidgets.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\wdfmgr.exe
C:\WINNT\System32\alg.exe
C:\WINNT\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\User\Local Settings\temp\jkos-User\binaries\ScanningProcess.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HiJackThis\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINNT\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [RegServer] regserve.exe
O4 - HKLM\..\Run: [TridentWatchDog] twatdog.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NVRotateSysTray] rundll32.exe C:\WINNT\system32\nvsysrot.dll,Enable
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINNT\system32\igfxpers.exe
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [TMRUBottedTray] "C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [PureText] "\\Sean2\c\Program Files\PureText\PureText.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: GridMove.lnk = C:\Program Files\GridMove\GridMove.exe
O4 - Startup: QuickMonth Calendar.lnk = C:\WINNT\qmc.exe
O4 - Startup: WallMaster Pro.lnk = C:\Program Files\WallMaster\wallmast.exe
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo! Widgets\YahooWidgets.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: AutoMate Task Service.lnk = C:\Program Files\AutoMate4\Automate.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 4457702253
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Trend Micro RUBotted Service (RUBotted) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe

--
End of file - 8535 bytes
Occam
Regular Member
 
Posts: 26
Joined: June 30th, 2010, 3:24 am

Re: IE popping up ad windows at random - redux

Unread postby deltalima » July 16th, 2010, 4:29 am

Hi Occam,

Upload a File to Virustotal

Please go to Virustotal

Copy/paste this file and path into the white box at the top:
C:\Program Files\GridMove\GridMove.exe

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: IE popping up ad windows at random - redux

Unread postby Occam » July 16th, 2010, 10:17 am

Argh... still there! Persistent little SOB. I swear every time we try and clean, it runs away and hides somewhere, then poked it's scabby little nose back out when the exterminator has left.

I'd be shocked if it was GridMove. I used the same install file as I used on my other machines - been using it 3 years on 2-3 machines. I could see it possibly being a problem if I had re-downloaded it, but I'm sure I didn't.


Results: VT reports file was already analyzed previously. [Or should I say analysed, as we're operating on the Queen's English right now. ;-) ]


File Not available, prior to VT database update received on 2008.11.06 14:07:36 (UTC)
Current status: finished
Result: 4/33 (12.12%)
Compact Compact
Print results Print results
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - -
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - suspicious Trojan/Worm
eTrust-Vet - - -
Ewido - - -
F-Prot - - -
F-Secure - - -
FileAdvisor - - -
Fortinet - - -
Ikarus - - Trojan-Spy.Win32.Agent.bbg
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32v2 - - -
Norman - - -
Panda - - Suspicious file
Prevx1 - - Infostealer
Rising - - -
SAVMail - - -
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - -
Additional information
File size: 242934 bytes
MD5 : 0af30892ea2fd05e0058853695da97ed
SHA1 : 652981985c3bd5516945c4c0a2f351f5c36eb3d2
SHA256: facd5600788dd580d71c176efcfd1eeea576d0e415e1854b41c3d503998cd1e8
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x750E0
timedatestamp.....: 0x474423A6 (Wed Nov 21 13:25:10 2007)
machinetype.......: 0x14C (Intel I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x45000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x46000 0x30000 0x2FE00 8.00 6a39b86ef21979a52ebdb438b3e0f4cf
.rsrc 0x76000 0x8000 0x7A00 5.04 c3bf662a7703ed0f4980950e809fdb7f

( 12 imports )

> advapi32.dll: RegCloseKey
> comctl32.dll: -
> comdlg32.dll: GetOpenFileNameA
> gdi32.dll: BitBlt
> kernel32.dll: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> ole32.dll: CoInitialize
> oleaut32.dll: -
> shell32.dll: DragFinish
> user32.dll: GetDC
> version.dll: VerQueryValueA
> winmm.dll: mixerOpen
> wsock32.dll: -

( 0 exports )
TrID : File type identification
39.5% (.EXE) UPX compressed Win32 Executable (30569/9/7)
34.3% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
11.0% (.EXE) Win32 Executable Generic (8527/13/3)
9.8% (.DLL) Win32 Dynamic Link Library (generic) (7583/30/2)
2.5% (.EXE) Generic Win/DOS Executable (2002/3)
ssdeep: 6144:dWF2cNUTdsHoj+Tl39kWJpAcETNBaur8baoSfbY:dW5oTWX2jau4aoSzY
PEiD : UPX 2.93 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
packers (Kaspersky): UPX
packers (F-Prot): UPX_LZMA
RDS : NSRL Reference Data Set
-


Thanks!
S.
Occam
Regular Member
 
Posts: 26
Joined: June 30th, 2010, 3:24 am

Re: IE popping up ad windows at random - redux

Unread postby deltalima » July 16th, 2010, 1:44 pm

Hi Occam,

I'd be shocked if it was GridMove


Me too! But since the problem is hiding from all the usual tools we need to check everything thoroughly.

VT reports file was already analyzed previously


Please submit the file again but this time choose to do a new scan and not use the previous result.

Next

RootRepeal
Please download RootRepeal.zip.
Save it to your Desktop. Alternate download links here or here.
Please print these instructions, you will not have an Internet connection!
RootRepeal site wrote:RootRepeal is currently in public beta. Whereas every effort has been made to ensure compatibility with every system configuration on Windows 2000, XP, 2003 and Vista, it cannot be guaranteed. There is always some risk when scanning for rootkits. Before running RootRepeal, please make sure you have backups of all important data and have saved all open documents.
If you have a 3rd party "unzipping" program...use it to open the zipped file...then skip to Step 5. Otherwise...
  1. Right click on RootRepeal.zip and select "Extract All"....
  2. Click Next on the "Welcome to the Compressed (zipped) Folders Extraction Wizard."
  3. Click on the Browse...button, then click on Desktop, then click OK.
  4. Once done, check (tick) the Show extracted files box and click Finish.
  5. Before running RootRepeal:
      Disconnect from the Internet as your system will be unprotected while using this tool.
      Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
    • Open the RootRepeal folder and double-click on RootRepeal.exe to launch it.
    • When the program opens, click the Report tab at the bottom, then click the Scan button.
    • In the Select Scan, dialog which asks What do you want to include in the scan?, check ALL the boxes.
      Image
    • Click OK.
    • In the Select Drives, dialog Please select drives to scan: select all drives showing, then click OK.
      The scan can take some time to finish. Do not use the computer while the scan is running.
      When the scan has completed, a list of files will be generated in the RootRepeal window.
    • Click on the Save Report button and save it as "rootrepeal.txt" to your desktop.
    • Close and exit RootRepeal
    • Double-click on the file rootrepeal.txt... Notepad will open... copy/paste the file contents in your next reply.

    Make sure to enable your anti-virus, Firewall and any other security programs you disabled.
    Note: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "safe mode".

    Next

    RSIT (Random's System Information Tool)
    Please download RSIT by random/random... save it to your desktop.
    1. Double click on RSIT.exe to run it... read the disclaimer... click on Continue.
    2. RSIT will start running. When done... 2 logs files...will be produced.
      The first one, "log.txt", <<will be maximized... the second one, "info.txt", <<will be minimized.
    3. Please post both... "log.txt" and "info.txt", file contents in your next reply.
(These logs can be lengthy, so post 1 log per reply please.)
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: IE popping up ad windows at random - redux

Unread postby Occam » July 16th, 2010, 5:56 pm

VT below. RootRepeal to follow.

Antivirus Version Last Update Result
a-squared 5.0.0.31 2010.07.16 -
AhnLab-V3 2010.07.16.00 2010.07.15 -
AntiVir 8.2.4.12 2010.07.16 -
Antiy-AVL 2.0.3.7 2010.07.15 -
Authentium 5.2.0.5 2010.07.16 -
Avast 4.8.1351.0 2010.07.16 -
Avast5 5.0.332.0 2010.07.16 -
AVG 9.0.0.836 2010.07.16 -
BitDefender 7.2 2010.07.16 -
CAT-QuickHeal 11.00 2010.07.16 -
ClamAV 0.96.0.3-git 2010.07.16 -
Comodo 5451 2010.07.16 -
DrWeb 5.0.2.03300 2010.07.16 -
eSafe 7.0.17.0 2010.07.15 -
eTrust-Vet 36.1.7715 2010.07.16 -
F-Prot 4.6.1.107 2010.07.16 -
F-Secure 9.0.15370.0 2010.07.16 -
Fortinet 4.1.143.0 2010.07.16 -
GData 21 2010.07.16 -
Ikarus T3.1.1.84.0 2010.07.16 -
Jiangmin 13.0.900 2010.07.16 -
Kaspersky 7.0.0.125 2010.07.16 -
McAfee 5.400.0.1158 2010.07.16 -
McAfee-GW-Edition 2010.1 2010.07.16 Heuristic.BehavesLike.Win32.ModifiedUPX.C!87
Microsoft 1.6004 2010.07.16 -
NOD32 5285 2010.07.16 -
Norman 6.05.11 2010.07.16 -
nProtect 2010-07-16.01 2010.07.16 -
Panda 10.0.2.7 2010.07.16 -
PCTools 7.0.3.5 2010.07.16 -
Prevx 3.0 2010.07.16 High Risk Information Stealer
Rising 22.56.04.04 2010.07.16 -
Sophos 4.55.0 2010.07.16 -
Sunbelt 6594 2010.07.16 -
SUPERAntiSpyware 4.40.0.1006 2010.07.16 -
Symantec 20101.1.1.7 2010.07.16 -
TheHacker 6.5.2.1.318 2010.07.16 -
TrendMicro 9.120.0.1004 2010.07.16 -
TrendMicro-HouseCall 9.120.0.1004 2010.07.16 -
VBA32 3.12.12.6 2010.07.16 -
ViRobot 2010.7.12.3932 2010.07.16 -
VirusBuster 5.0.27.0 2010.07.16 -
Additional information
File size: 242934 bytes
MD5...: 0af30892ea2fd05e0058853695da97ed
SHA1..: 652981985c3bd5516945c4c0a2f351f5c36eb3d2
SHA256: facd5600788dd580d71c176efcfd1eeea576d0e415e1854b41c3d503998cd1e8
ssdeep: 6144:dWF2cNUTdsHoj+Tl39kWJpAcETNBaur8baoSfbY:dW5oTWX2jau4aoSzY
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x750e0
timedatestamp.....: 0x474423a6 (Wed Nov 21 12:25:10 2007)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x45000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x46000 0x30000 0x2fe00 8.00 6a39b86ef21979a52ebdb438b3e0f4cf
.rsrc 0x76000 0x8000 0x7a00 5.04 c3bf662a7703ed0f4980950e809fdb7f

( 12 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> ADVAPI32.dll: RegCloseKey
> COMCTL32.dll: -
> comdlg32.dll: GetOpenFileNameA
> GDI32.dll: BitBlt
> ole32.dll: CoInitialize
> OLEAUT32.dll: -
> SHELL32.dll: DragFinish
> USER32.dll: GetDC
> VERSION.dll: VerQueryValueA
> WINMM.dll: mixerOpen
> WSOCK32.dll: -

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
packers (Kaspersky): UPX
<a href='http://info.prevx.com/aboutprogramtext.asp?PX5=0D1959C3F692E8BDB4C00345E5A0BB00ADF6F4B7' target='_blank'>http://info.prevx.com/aboutprogramtext.asp?PX5=0D1959C3F692E8BDB4C00345E5A0BB00ADF6F4B7</a>
sigcheck:
publisher....: n/a
copyright....:
product......:
description..:
original name:
internal name:
file version.: 1, 0, 47, 05
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
packers (F-Prot): UPX_LZMA
Occam
Regular Member
 
Posts: 26
Joined: June 30th, 2010, 3:24 am

Re: IE popping up ad windows at random - redux

Unread postby deltalima » July 17th, 2010, 3:23 pm

Hi Occam,

The updated VT scan suggests that the GridMove detection is a false positive.

Please continue with the Rootrepeal and RSIT scans.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: IE popping up ad windows at random - redux

Unread postby Occam » July 20th, 2010, 10:42 am

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/07/20 08:14
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINNT\System32\Drivers\dump_atapi.sys
Address: 0xAA14E000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINNT\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B34000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINNT\system32\drivers\rootrepeal.sys
Address: 0xA8EA0000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\winnt\system32\config\systemprofile\cookies\system@doubleclick[1].txt
Status: Size mismatch (API: 116, Raw: 95)

Path: c:\winnt\system32\config\systemprofile\cookies\system@ad.yieldmanager[1].txt
Status: Size mismatch (API: 711, Raw: 676)

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\1D82VJTL\2566939218_1ef8fd01b6_s[1].jpg
Status: Visible to the Windows API, but not on disk.

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\338DNG10\connection_core-min[2].js
Status: Visible to the Windows API, but not on disk.

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\338DNG10\hqdefault[1].jpg
Status: Visible to the Windows API, but not on disk.

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\BT588ZYJ\common[2].css
Status: Visible to the Windows API, but not on disk.

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\BT588ZYJ\crossdomain[2].xml
Status: Visible to the Windows API, but not on disk.

Path: c:\winnt\system32\config\systemprofile\local settings\temporary internet files\content.ie5\e6dhdwkj\hqdefault[1].jpg
Status: Size mismatch (API: 13984, Raw: 15891)

Path: c:\winnt\system32\config\systemprofile\local settings\temporary internet files\content.ie5\e6dhdwkj\badge_code_v2[1].gne
Status: Size mismatch (API: 1433, Raw: 1408)

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\E6DHDWKJ\badge_code_v2[2].gne
Status: Visible to the Windows API, but not on disk.

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\E6DHDWKJ\styled_popovers_and_lightboxes[1].js
Status: Visible to the Windows API, but not on disk.

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\F7U15BJX\account-title-03[1].jpg
Status: Visible to the Windows API, but not on disk.

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\F7U15BJX\styles[1].css
Status: Visible to the Windows API, but not on disk.

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\FO54CREJ\2955651501_3d68c81e6a_s[1].jpg
Status: Visible to the Windows API, but not on disk.

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\FO54CREJ\3387670569_1f586182cc_s[1].jpg
Status: Visible to the Windows API, but not on disk.

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\FO54CREJ\navbar[1].jpg
Status: Visible to the Windows API, but not on disk.

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GTAZWHA7\imp[1].php%3Faff_id%3D14976&r=0
Status: Invisible to the Windows API!

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GTAZWHA7\imp[1].php%3Faff_id%3D5918&r=0
Status: Invisible to the Windows API!

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GTAZWHA7\imp[1].php%3Faff_id%3D5918&r=0&SIG=10v9d8m9u;x-cookie=7at127u64ooiq&o=4&f=i2
Status: Invisible to the Windows API!

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GTAZWHA7\imp[1].php%3Fzoneid%3D145794%26cb%3DINSERT_RANDOM_NUMBER_HERE&r=0
Status: Invisible to the Windows API!

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GTAZWHA7\imp[1].php&r=0
Status: Invisible to the Windows API!

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GTAZWHA7\imp[2].php%3Faff_id%3D5918&r=0
Status: Invisible to the Windows API!

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GTAZWHA7\imp[2].php%3Fzoneid%3D145794%26cb%3DINSERT_RANDOM_NUMBER_HERE&r=0
Status: Invisible to the Windows API!

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GTAZWHA7\imp[2].php&r=0
Status: Invisible to the Windows API!

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GTAZWHA7\json[1].php&cid=oxpv1%3A79645-141200-297246-35044-145796&hrid=27f8ecb003413c29d257ecfaa33ba51c-1279635462
Status: Invisible to the Windows API!

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GTAZWHA7\st[1]
Status: Visible to the Windows API, but not on disk.

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GTAZWHA7\st[2]
Status: Visible to the Windows API, but not on disk.

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GTAZWHA7\st[3]
Status: Visible to the Windows API, but not on disk.

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GXIBGTMN\imp[1].php%3Faff_id%3D23514&r=0&SIG=10v31le9d;x-cookie=6iz7ptu64op5f&o=4&f=xy
Status: Invisible to the Windows API!

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\HDXIBNDM\jsonpoll[1]
Status: Invisible to the Windows API!

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\HDXIBNDM\ads[1].php
Status: Invisible to the Windows API!

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\HDXIBNDM\imp[1].php%3Faff_id%3D23514&r=0&SIG=10vghsvnm;x-cookie=n0h7vvg64op5e&o=4&f=su
Status: Invisible to the Windows API!

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\HDXIBNDM\imp[1].php%3Fzoneid%3D145794%26cb%3DINSERT_RANDOM_NUMBER_HERE&r=0&SIG=10vnd4vm6;x-cookie=176cfo964op8p&o=4&f=rh
Status: Invisible to the Windows API!

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\HPJREO6T\imp[1].com%2Fgoad%2F%3Faff_id%3D11052&r=0&SIG=10vaagc9h;x-cookie=n5fq5dg64op1h&o=4&f=ez
Status: Invisible to the Windows API!

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\HPJREO6T\imp[1].php%3Fzoneid%3D145794%26cb%3DINSERT_RANDOM_NUMBER_HERE&r=0
Status: Invisible to the Windows API!

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\HPJREO6T\imp[1].php&r=0
Status: Invisible to the Windows API!

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\HPJREO6T\imp[2].php&r=0
Status: Invisible to the Windows API!

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\HPJREO6T\json[1].php&cid=oxpv1%3A79645-141200-297246-35044-145268&hrid=29102dff37eca8d51a1a48a0c26f8bf2-1279635750
Status: Invisible to the Windows API!

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\HPJREO6T\json[1].php&cid=oxpv1%3A79645-141200-297246-35044-145268&hrid=6c8a2931b00b6068bb415cb416cc9d4f-1279635489
Status: Invisible to the Windows API!

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\HPJREO6T\json[1].php&cid=oxpv1%3A79645-141200-297246-35044-145796&hrid=36b88f14f62fa7ebd87ba4a8b8ab23b7-1279635517
Status: Invisible to the Windows API!

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KTE3GXAB\imp[1].php%3Faff_id%3D23514&r=0&SIG=10vghsvnm;x-cookie=n0h7vvg64op5e&o=4&f=su
Status: Invisible to the Windows API!

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KTE3GXAB\imp[1].php%3Fzoneid%3D145268%26cb%3DINSERT_RANDOM_NUMBER_HERE&r=0&SIG=10vnd4vm6;x-cookie=176cfo964op8p&o=4&f=rh
Status: Invisible to the Windows API!

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KTE3GXAB\imp[1].php&r=0
Status: Invisible to the Windows API!

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KTE3GXAB\imp[2].php&r=0
Status: Invisible to the Windows API!

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Q6JF5KNR\jstag[1]
Status: Invisible to the Windows API!

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Q6JF5KNR\imp[1].php%3Faff_id%3D23514&r=0&SIG=10v31le9d;x-cookie=6iz7ptu64op5f&o=4&f=xy
Status: Invisible to the Windows API!

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Q6JF5KNR\imp[1].php%3Faff_id%3D5918&r=0&SIG=10v9d8m9u;x-cookie=7at127u64ooiq&o=4&f=i2
Status: Invisible to the Windows API!

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Q6JF5KNR\imp[1].php%3Fzoneid%3D145796%26cb%3DINSERT_RANDOM_NUMBER_HERE&r=0&SIG=10vaagc9h;x-cookie=n5fq5dg64op1h&o=4&f=ez
Status: Invisible to the Windows API!

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Q6JF5KNR\imp[1].php&r=0
Status: Invisible to the Windows API!

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Q6JF5KNR\ads[1].php
Status: Invisible to the Windows API!

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Q6JF5KNR\ads[2].php
Status: Invisible to the Windows API!

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Q6JF5KNR\CAS5ARKL.htm
Status: Visible to the Windows API, but not on disk.

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Q6JF5KNR\imp[1].php%3Fct%3D1%26zoneid%3D67%26cb%3DINSERT_RANDOM_NUMBER_HERE&r=0
Status: Visible to the Windows API, but not on disk.

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Q6JF5KNR\st[9]
Status: Visible to the Windows API, but not on disk.

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QLV3OU8W\imp[1].com%2Fadserv%2F%3Faff_id%3D19494&r=0
Status: Invisible to the Windows API!

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QLV3OU8W\imp[1].com%2Fgoad%2F%3Faff_id%3D11052&r=0&SIG=10vaagc9h;x-cookie=n5fq5dg64op1h&o=4&f=ez
Status: Invisible to the Windows API!

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QLV3OU8W\CAKP6VC9.htm
Status: Locked to the Windows API!

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QLV3OU8W\imp[2].com%2Fadserv%2F%3Faff_id%3D19494&r=0
Status: Invisible to the Windows API!

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QLV3OU8W\json[1].net%2Fst%3Fad_type%3Diframe%26ad_size%3D160x600%26section%3D848449
Status: Invisible to the Windows API!

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QLV3OU8W\json[1].php&cid=oxpv1%3A79645-141200-297246-35044-145794&hrid=22d7f151e647a5dfffe7769b508adfbc-1279635462
Status: Invisible to the Windows API!

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QLV3OU8W\json[1].php&cid=oxpv1%3A79645-141200-297246-35044-145794&hrid=a4b64598d6b8b6f71692e3d18d664ab7-1279635750
Status: Invisible to the Windows API!

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QLV3OU8W\CAEN4PA7.htm
Status: Visible to the Windows API, but not on disk.

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QLV3OU8W\jstag[1]
Status: Visible to the Windows API, but not on disk.

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SUAM3AXL\index[26].htm
Status: Visible to the Windows API, but not on disk.

Path: C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ZNCXUCI9\quant[2].js
Status: Invisible to the Windows API!

==EOF==
Occam
Regular Member
 
Posts: 26
Joined: June 30th, 2010, 3:24 am

Re: IE popping up ad windows at random - redux

Unread postby Occam » July 20th, 2010, 10:52 am

Logfile of random's system information tool 1.08 (written by random/random)
Run by User at 2010-07-20 08:42:42
Microsoft Windows XP Professional Service Pack 3
System drive C: has 98 GB (86%) free of 114 GB
Total RAM: 1014 MB (10% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:43:14 AM, on 7/20/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\igfxpers.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINNT\system32\igfxsrvc.exe
\Sean2\c\Program Files\PureText\PureText.exe
C:\Program Files\AutoMate4\Automate.exe
C:\Program Files\GridMove\GridMove.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\WallMaster\wallmast.exe
C:\Program Files\Yahoo! Widgets\YahooWidgets.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\wdfmgr.exe
C:\Program Files\Yahoo! Widgets\YahooWidgets.exe
C:\Program Files\Yahoo! Widgets\YahooWidgets.exe
C:\WINNT\System32\alg.exe
C:\WINNT\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\notepad.exe
C:\Documents and Settings\User\Desktop\RootRepeal.exe
C:\Documents and Settings\User\Desktop\RSIT.exe
C:\WINNT\system32\wbem\wmiprvse.exe
C:\Program Files\trend micro\User.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [RegServer] regserve.exe
O4 - HKLM\..\Run: [TridentWatchDog] twatdog.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NVRotateSysTray] rundll32.exe C:\WINNT\system32\nvsysrot.dll,Enable
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINNT\system32\igfxpers.exe
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [TMRUBottedTray] "C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [PureText] "\\Sean2\c\Program Files\PureText\PureText.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: GridMove.lnk = C:\Program Files\GridMove\GridMove.exe
O4 - Startup: QuickMonth Calendar.lnk = C:\WINNT\qmc.exe
O4 - Startup: WallMaster Pro.lnk = C:\Program Files\WallMaster\wallmast.exe
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo! Widgets\YahooWidgets.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: AutoMate Task Service.lnk = C:\Program Files\AutoMate4\Automate.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 4457702253
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Trend Micro RUBotted Service (RUBotted) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe

--
End of file - 8460 bytes

======Scheduled tasks folder======

C:\WINNT\tasks\MP Scheduled Scan.job
C:\WINNT\tasks\SDMsgUpdate (SD).job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 63136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL [2006-10-27 2210608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
AcroIEToolbarHelper Class - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004-12-14 225280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-05-27 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-05-27 79648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004-12-14 225280]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Apoint"=C:\Program Files\Apoint2K\Apoint.exe [2004-03-23 196608]
"RegServer"=C:\WINNT\system32\regserve.exe [2003-03-16 24576]
"TridentWatchDog"=C:\WINNT\system32\twatdog.exe [2003-03-16 53248]
"NvCplDaemon"=C:\WINNT\system32\NvCpl.dll [2005-12-16 7340032]
"nwiz"=nwiz.exe /installquiet /keeploaded /nodetect []
"RTHDCPL"=C:\WINNT\RTHDCPL.EXE [2008-02-27 16384512]
"NVRotateSysTray"=C:\WINNT\system32\nvsysrot.dll [2005-12-16 49152]
"IgfxTray"=C:\WINNT\system32\igfxtray.exe [2008-02-28 141848]
"HotKeysCmds"=C:\WINNT\system32\hkcmd.exe [2008-02-28 166424]
"Persistence"=C:\WINNT\system32\igfxpers.exe [2008-02-28 137752]
"MSSE"=c:\Program Files\Microsoft Security Essentials\msseces.exe [2010-06-01 1093208]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-02-18 248040]
"TMRUBottedTray"=C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe [2007-12-19 288088]
"Acrobat Assistant 7.0"=C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe [2004-12-14 483328]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2006-10-27 31016]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"PureText"=\\Sean2\c\Program Files\PureText\PureText.exe [2003-08-21 28672]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Acrobat Speed Launcher.lnk - C:\WINNT\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe
AutoMate Task Service.lnk - C:\Program Files\AutoMate4\Automate.exe

C:\Documents and Settings\User\Start Menu\Programs\Startup
GridMove.lnk - C:\Program Files\GridMove\GridMove.exe
QuickMonth Calendar.lnk - C:\WINNT\qmc.exe
WallMaster Pro.lnk - C:\Program Files\WallMaster\wallmast.exe
Yahoo! Widgets.lnk - C:\Program Files\Yahoo! Widgets\YahooWidgets.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINNT\system32\igfxdev.dll [2008-02-15 208896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINNT\system32\WgaLogon.dll [2008-09-06 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL [2006-10-27 2210608]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MsMpSvc]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoHelp"=1
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoHelp"=1
"HonorAutoRunSetting"=1
"NoDriveAutoRun"=67108863
"NoDriveTypeAutoRun"=323
"NoDrives"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2010-07-20 08:42:42 ----D---- C:\rsit
2010-07-20 08:23:28 ----A---- C:\RootRepeal report 07-20-10 (08-23-28).txt
2010-07-15 08:19:19 ----A---- C:\WINNT\sigcheck.exe
2010-07-15 08:19:19 ----A---- C:\looklog.txt
2010-07-15 08:17:55 ----ASH---- C:\pagefile.sys
2010-07-15 08:11:31 ----D---- C:\WINNT\maxdrive
2010-07-15 08:11:31 ----A---- C:\WINNT\look.bat
2010-07-14 16:49:28 ----SHD---- C:\RECYCLER
2010-07-14 15:06:57 ----A---- C:\ComboFix.txt
2010-07-14 08:46:53 ----RASHD---- C:\cmdcons
2010-07-14 08:31:14 ----A---- C:\WINNT\zip.exe
2010-07-14 08:31:14 ----A---- C:\WINNT\SWXCACLS.exe
2010-07-14 08:31:14 ----A---- C:\WINNT\SWSC.exe
2010-07-14 08:31:14 ----A---- C:\WINNT\SWREG.exe
2010-07-14 08:31:14 ----A---- C:\WINNT\sed.exe
2010-07-14 08:31:14 ----A---- C:\WINNT\PEV.exe
2010-07-14 08:31:14 ----A---- C:\WINNT\NIRCMD.exe
2010-07-14 08:31:14 ----A---- C:\WINNT\MBR.exe
2010-07-14 08:31:14 ----A---- C:\WINNT\grep.exe
2010-07-14 08:24:15 ----D---- C:\Qoobox
2010-07-13 15:40:38 ----D---- C:\_OTL
2010-07-13 15:40:14 ----D---- C:\WINNT\ERDNT
2010-07-12 14:28:20 ----A---- C:\TDSSKiller.2.3.2.2_12.07.2010_14.28.20_log.txt
2010-07-12 02:12:59 ----A---- C:\WINNT\system32\drivers\sksxxdma.sys
2010-07-11 13:36:57 ----A---- C:\WINNT\system32\hidserv.dll
2010-07-11 13:36:49 ----A---- C:\WINNT\system32\drivers\kbdhid.sys
2010-07-07 16:24:39 ----D---- C:\Documents and Settings\All Users\Application Data\Sun
2010-07-07 16:24:38 ----D---- C:\Program Files\Common Files\Java
2010-07-07 16:24:14 ----A---- C:\WINNT\system32\javaws.exe
2010-07-07 16:24:14 ----A---- C:\WINNT\system32\javaw.exe
2010-07-07 16:24:14 ----A---- C:\WINNT\system32\java.exe
2010-07-07 16:24:14 ----A---- C:\WINNT\system32\deployJava1.dll
2010-07-06 10:29:57 ----D---- C:\Documents and Settings\User\Application Data\Malwarebytes
2010-07-06 10:29:51 ----A---- C:\WINNT\system32\drivers\mbamswissarmy.sys
2010-07-06 10:29:49 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-07-06 10:29:49 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-07-06 10:29:49 ----A---- C:\WINNT\system32\drivers\mbam.sys
2010-07-05 09:24:30 ----A---- C:\WINNT\system32\drivers\REDBOOK.SYS
2010-07-02 17:06:36 ----D---- C:\Documents and Settings\All Users\Application Data\Altium2004_SP4
2010-07-02 17:03:40 ----D---- C:\Documents and Settings\User\Application Data\Altium2004_SP4
2010-07-02 16:45:31 ----D---- C:\Program Files\Common Files\WexTech Shared
2010-07-02 16:45:31 ----D---- C:\Program Files\Common Files\Novell Shared
2010-07-02 16:45:31 ----D---- C:\Program Files\Common Files\Lhspf
2010-06-30 01:12:41 ----D---- C:\Program Files\HiJackThis
2010-06-30 00:21:47 ----D---- C:\c9b20ff71cffe5f758bc
2010-06-29 21:46:23 ----D---- C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com
2010-06-29 21:38:52 ----A---- C:\WINNT\BDTSupport.dll.old
2010-06-29 21:38:50 ----A---- C:\WINNT\PCTBDCore.dll.old
2010-06-29 21:36:19 ----D---- C:\Program Files\Spyware Doctor
2010-06-29 21:36:02 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2010-06-24 20:49:37 ----A---- C:\WINNT\system32\wmpns.dll
2010-06-23 22:12:35 ----A---- C:\WINNT\QScreenCapt.ini
2010-06-23 22:09:58 ----D---- C:\Program Files\Paint.NET
2010-06-23 21:37:17 ----D---- C:\temp
2010-06-22 21:08:47 ----D---- C:\Program Files\Arachnophilia
2010-06-21 08:01:43 ----D---- C:\Documents and Settings\All Users\Application Data\Altium2004_SP3
2010-06-21 08:00:51 ----D---- C:\Documents and Settings\User\Application Data\Altium2004_SP3
2010-06-21 08:00:49 ----D---- C:\Documents and Settings\All Users\Application Data\Altium2004_SP2Security

======List of files/folders modified in the last 1 months======

2010-07-20 08:43:14 ----D---- C:\WINNT\Temp
2010-07-20 08:43:14 ----D---- C:\Program Files\Trend Micro
2010-07-20 08:42:39 ----D---- C:\WINNT\Prefetch
2010-07-20 08:14:37 ----D---- C:\WINNT\system32\drivers
2010-07-16 11:55:20 ----D---- C:\WINNT\system32\CatRoot2
2010-07-15 21:41:59 ----SD---- C:\WINNT\Tasks
2010-07-15 21:41:03 ----D---- C:\WINNT\system32
2010-07-15 21:41:03 ----A---- C:\WINNT\system32\PerfStringBackup.INI
2010-07-15 21:37:00 ----A---- C:\WINNT\ModemLog_Conexant HDA D330 MDC V.92 Modem.txt
2010-07-15 21:36:26 ----RD---- C:\Program Files
2010-07-15 21:35:32 ----A---- C:\WINNT\SchedLgU.Txt
2010-07-15 08:19:19 ----D---- C:\WINNT
2010-07-14 15:05:18 ----A---- C:\WINNT\system.ini
2010-07-14 15:05:10 ----D---- C:\WINNT\system32\drivers\etc
2010-07-14 15:02:52 ----D---- C:\WINNT\AppPatch
2010-07-14 15:02:48 ----D---- C:\Program Files\Common Files
2010-07-14 08:46:57 ----RASH---- C:\boot.ini
2010-07-14 08:31:13 ----SHD---- C:\System Volume Information
2010-07-14 08:31:13 ----D---- C:\WINNT\system32\Restore
2010-07-14 08:21:59 ----D---- C:\Documents and Settings\User\Application Data\TeraCopy
2010-07-13 08:20:46 ----D---- C:\WINNT\provisioning
2010-07-11 13:37:02 ----RSHDC---- C:\WINNT\system32\dllcache
2010-07-11 13:36:33 ----HD---- C:\WINNT\inf
2010-07-09 13:38:31 ----D---- C:\Documents and Settings\User\Application Data\SmartDraw
2010-07-08 17:04:42 ----D---- C:\Program Files\Mozilla Firefox
2010-07-07 22:47:42 ----SHD---- C:\WINNT\CSC
2010-07-07 16:24:39 ----SHD---- C:\WINNT\Installer
2010-07-07 16:24:11 ----D---- C:\Program Files\Java
2010-07-06 12:46:19 ----HDC---- C:\WINNT\$NtUninstallKB978706_0$
2010-07-05 09:53:58 ----D---- C:\WINNT\system32\config
2010-07-03 07:27:48 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2010-07-02 16:56:42 ----D---- C:\Program Files\Altium2004 SP3
2010-07-02 16:17:54 ----D---- C:\WINNT\system32\appmgmt
2010-06-30 23:14:17 ----SD---- C:\Documents and Settings\User\Application Data\Microsoft
2010-06-30 14:08:14 ----D---- C:\Documents and Settings\All Users\Application Data\NOS
2010-06-30 01:03:04 ----D---- C:\WINNT\WinSxS
2010-06-29 14:56:16 ----D---- C:\Program Files\Microsoft Security Essentials
2010-06-23 22:11:03 ----RSD---- C:\WINNT\assembly
2010-06-22 16:17:17 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2010-06-21 10:26:17 ----D---- C:\Documents and Settings\User\Application Data\Adobe
2010-06-21 08:43:47 ----A---- C:\WINNT\win.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 iaStor;Intel AHCI Controller; C:\WINNT\system32\DRIVERS\iaStor.sys [2007-07-12 305176]
R0 ohci1394;OHCI Compliant IEEE 1394 Host Controller; C:\WINNT\System32\DRIVERS\ohci1394.sys [2008-04-13 61696]
R1 intelppm;Intel Processor Driver; C:\WINNT\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 MpFilter;Microsoft Malware Protection Driver; C:\WINNT\system32\DRIVERS\MpFilter.sys [2010-03-25 151216]
R1 truecrypt;truecrypt; C:\WINNT\System32\drivers\truecrypt.sys [2007-05-03 188672]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINNT\System32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
R2 altio;altio; \??\C:\WINNT\system32\altio.sys []
R2 mdmxsdk;mdmxsdk; C:\WINNT\system32\DRIVERS\mdmxsdk.sys [2004-08-03 11868]
R3 ApfiltrService;Alps Pointing-device Filter Driver; C:\WINNT\System32\DRIVERS\Apfiltr.sys [2004-05-08 101833]
R3 Arp1394;1394 ARP Client Protocol; C:\WINNT\System32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 b57w2k;Broadcom NetXtreme Gigabit Ethernet; C:\WINNT\system32\DRIVERS\b57xp32.sys [2007-03-13 160256]
R3 guardian2;guardian2; C:\WINNT\System32\Drivers\oz776.sys [2007-12-23 68696]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINNT\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HSF_DPV;HSF_DPV; C:\WINNT\system32\DRIVERS\HSF_DPV.sys [2007-08-02 989952]
R3 HSFHWAZL;HSFHWAZL; C:\WINNT\system32\DRIVERS\HSFHWAZL.sys [2007-08-02 211200]
R3 ialm;ialm; C:\WINNT\system32\DRIVERS\igxpmp32.sys [2008-02-15 5854752]
R3 NETw5x32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit; C:\WINNT\system32\DRIVERS\NETw5x32.sys [2008-08-29 3632384]
R3 NIC1394;1394 Net Driver; C:\WINNT\System32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 pcouffin;VSO Software pcouffin; C:\WINNT\System32\Drivers\pcouffin.sys [2010-06-20 47360]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\WINNT\system32\drivers\sthda.sys [2007-05-10 1222840]
R3 TMPassthruMP;TMPassthruMP; C:\WINNT\system32\DRIVERS\TMPassthru.sys [2007-11-27 35216]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINNT\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 winachsf;winachsf; C:\WINNT\system32\DRIVERS\HSF_CNXT.sys [2007-08-02 731136]
S1 fkwzgmie;fkwzgmie; \??\C:\WINNT\system32\drivers\fkwzgmie.sys []
S1 kbdhid;Keyboard HID Driver; C:\WINNT\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
S3 aeaudio;aeaudio; C:\WINNT\system32\drivers\aeaudio.sys [2005-04-04 129280]
S3 AgereSoftModem;TOSHIBA V92 Software Modem; C:\WINNT\System32\DRIVERS\AGRSM.sys [2006-11-28 1161888]
S3 ATSWPDRV;AuthenTec TruePrint USB Driver (AES2500); C:\WINNT\System32\Drivers\ATSwpDrv.sys [2005-04-11 116594]
S3 catchme;catchme; \??\C:\DOCUME~1\User\LOCALS~1\Temp\catchme.sys []
S3 E1000;Intel(R) PRO/1000 Adapter Driver; C:\WINNT\System32\DRIVERS\e1000325.sys [2004-10-26 125952]
S3 E100B;Intel(R) PRO Adapter Driver; C:\WINNT\System32\DRIVERS\e100b325.sys [2005-04-15 140800]
S3 e1express;Intel(R) PRO/1000 PCI Express Network Connection Driver; C:\WINNT\system32\DRIVERS\e1e5132.sys [2008-02-27 254872]
S3 HECI;Intel(R) Management Engine Interface; C:\WINNT\system32\DRIVERS\HECI.sys [2007-04-06 44800]
S3 HidUsb;Microsoft HID Class Driver; C:\WINNT\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 HSXHWAZL;HSXHWAZL; C:\WINNT\system32\DRIVERS\HSXHWAZL.sys []
S3 IFXTPM;IFXTPM; C:\WINNT\System32\DRIVERS\IFXTPM.SYS [2005-06-10 35968]
S3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINNT\system32\drivers\RtkHDAud.sys [2008-02-27 4608000]
S3 mouhid;Mouse HID Driver; C:\WINNT\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 NETw3x32;Intel(R) PRO/Wireless 3945ABG Adapter Driver for Windows XP 32 Bit; C:\WINNT\system32\DRIVERS\NETw3x32.sys [2006-11-15 1711488]
S3 NETw4x32;Intel(R) Wireless WiFi Link Adapter Driver for Windows XP 32 Bit; C:\WINNT\system32\DRIVERS\NETw4x32.sys [2007-06-21 2208512]
S3 nv;nv; C:\WINNT\System32\DRIVERS\nv4_mini.sys [2005-12-16 3608224]
S3 Rasirda;WAN Miniport (IrDA); C:\WINNT\System32\DRIVERS\rasirda.sys [2001-08-17 19584]
S3 rootrepeal;rootrepeal; \??\C:\WINNT\system32\drivers\rootrepeal.sys []
S3 sdbus;sdbus; C:\WINNT\System32\DRIVERS\sdbus.sys [2008-04-13 79232]
S3 SMCIRDA;SMC IrCC Miniport Device Driver; C:\WINNT\System32\DRIVERS\smcirda.sys [2001-09-11 38425]
S3 smwdm;smwdm; C:\WINNT\system32\drivers\smwdm.sys [2005-04-04 259648]
S3 TcUsb;TC USB Kernel Driver; C:\WINNT\System32\Drivers\tcusb.sys [2007-11-30 46992]
S3 TMPassthru;Trend Micro Passthru Ndis Service; C:\WINNT\system32\DRIVERS\TMPassthru.sys [2007-11-27 35216]
S3 tridxp4;tridxp4; C:\WINNT\System32\DRIVERS\tridxp4m.sys [2003-06-02 189440]
S3 tsdhd;TOSHIBA SD Card Host Controller Driver; C:\WINNT\System32\DRIVERS\tsdhd.sys [2003-02-10 25888]
S3 usbstor;USB Mass Storage Driver; C:\WINNT\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 w29n51;Intel(R) PRO/Wireless 2915ABG Network Connection Driver for Windows XP; C:\WINNT\System32\DRIVERS\w29n51.sys [2005-09-12 3298432]
S3 w70n51;Intel(R) PRO/Wireless 2100 Adapter Driver; C:\WINNT\System32\DRIVERS\w70n51.sys [2003-12-05 979840]
S3 yukonwxp;NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller; C:\WINNT\System32\DRIVERS\yk51x86.sys [2004-11-26 224000]
S4 agp440;Intel AGP Bus Filter; C:\WINNT\System32\DRIVERS\agp440.sys [2008-04-13 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINNT\System32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINNT\System32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINNT\System32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 cbidf;cbidf; C:\WINNT\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 sisagp;SIS AGP Bus Filter; C:\WINNT\System32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINNT\System32\DRIVERS\viaagp.sys [2008-04-13 42240]
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINNT\System32\drivers\ws2ifsl.sys [2002-08-29 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-04-12 153376]
R2 MsMpSvc;Microsoft Antimalware Service; c:\Program Files\Microsoft Security Essentials\MsMpEng.exe [2010-03-25 17904]
R2 RUBotted;Trend Micro RUBotted Service; C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe [2007-12-19 517456]
R2 SNMP;SNMP Service; C:\WINNT\System32\snmp.exe [2008-04-13 33280]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINNT\System32\wdfmgr.exe [2005-01-28 38912]
S2 Fax;Fax; C:\WINNT\system32\fxssvc.exe [2008-04-13 267776]
S2 NVSvc;NVIDIA Display Driver Service; C:\WINNT\system32\nvsvc32.exe [2005-12-16 143428]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2010-05-20 69632]
S3 aspnet_state;ASP.NET State Service; C:\WINNT\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINNT\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2006-10-27 65824]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 SNMPTRAP;SNMP Trap Service; C:\WINNT\System32\snmptrap.exe [2008-04-13 8704]

-----------------EOF-----------------
Occam
Regular Member
 
Posts: 26
Joined: June 30th, 2010, 3:24 am

Re: IE popping up ad windows at random - redux

Unread postby Occam » July 20th, 2010, 10:53 am

info.txt logfile of random's system information tool 1.08 2010-07-20 08:43:22

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINNT\INF\PCHealth.inf
Adobe Acrobat 7.0 Professional-->msiexec /I {AC76BA86-1033-0000-7760-000000000002}
Adobe Flash Player 10 ActiveX-->C:\WINNT\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe -maintain activex
Adobe Flash Player 10 Plugin-->C:\WINNT\system32\Macromed\Flash\FlashUtil10h_Plugin.exe -maintain plugin
Altium Designer 2004 (SP3)-->MsiExec.exe /I{37CFC56D-8602-4E25-AB1E-DDA891F52C01}
Altium Designer 2004 Service Pack 4-->C:\PROGRA~1\ALTIUM~1\System\UNINST~1\ALTIUM~1\UNWISE.EXE /R C:\PROGRA~1\ALTIUM~1\System\UNINST~1\ALTIUM~1\Install.log
AutoMate 4-->C:\PROGRA~1\AUTOMA~1\UNWISE.EXE C:\PROGRA~1\AUTOMA~1\INSTALL.LOG
Color LaserJet 2600n-->C:\Program Files\Zenographics\{A2580895-7BB1-4B81-94F2-B96DB9E469EF}\SETUP.EXE -u "HPCLJKCInstaller.dll=CLJ2600.INF"
Conexant HDA D330 MDC V.92 Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F\UIU32m.exe -U -Idel000f5.INF
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DivX-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DVDFab 7.0.1.2 Beta (05/03/2010)-->"C:\Program Files\DVDFab 7\unins000.exe"
GridMove V1.19.53-->"C:\Program Files\GridMove\unins000.exe"
High Definition Audio Driver Package - KB888111-->"C:\WINNT\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HighMAT Extension to Microsoft Windows XP CD Writing Wizard-->MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
HiJackThis-->MsiExec.exe /X{45A66726-69BC-466B-A7A4-12FCBA4883D7}
Hotfix for Windows Media Format SDK (KB902344)-->"C:\WINNT\$NtUninstallKB902344$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINNT\$NtUninstallKB952287$\spuninst\spuninst.exe"
Icon Restore 1.0-->C:\WINNT\unins000.exe
Intel(R) Graphics Media Accelerator Driver-->C:\WINNT\system32\igxpun.exe -uninstall
Intel(R) PRO Network Connections Drivers-->Prounstl.exe
Internet Explorer Q903235-->C:\WINNT\ieuninst.exe C:\WINNT\INF\Q903235.inf
InterVideo XPack (DVD Only)-->"C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
IrfanView (remove only)-->C:\Program Files\IrfanView\iv_uninstall.exe
Java(TM) 6 Update 20-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216013FF}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 Security Update (KB953297)-->"C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft Antimalware-->MsiExec.exe /X{E62A1F01-07B7-4541-A835-EE5B0BF064C2}
Microsoft Base Smart Card Cryptographic Service Provider Package-->"C:\WINNT\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Data Access Components KB870669-->C:\WINNT\muninst.exe C:\WINNT\INF\KB870669.inf
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISER /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{91120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Security Essentials-->C:\Program Files\Microsoft Security Essentials\setup.exe /x
Microsoft Security Essentials-->MsiExec.exe /I{EF98A02A-1748-4762-9B7D-5ED1600520D5}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148-->MsiExec.exe /X{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Microsoft Windows Journal Viewer-->MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
Mozilla Firefox (3.6.6)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
MSXML 6 Service Pack 2 (KB954459)-->MsiExec.exe /I{1A528690-6A2D-4BC5-B143-8C4AE8D19D96}
MuvEnum Address Bar - Windows Explorer Extension-->C:\Program Files\MuvEnum AddressBar\uninstall.exe
NameIt-->C:\WINNT\IsUninst.exe -f"C:\Program Files\NameIt\Uninst.isu"
NEF Codec-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A89768CF-CD21-44FD-A723-16D5A8557415}\Setup.exe" -l0x9 -removeonly
NVIDIA Drivers-->C:\WINNT\system32\nvudisp.exe UninstallGUI
Paint.NET v3.20-->MsiExec.exe /X{C1CAAF9E-2A80-4AD0-8D9A-B4327966249F}
QuickMonth Calendar 1.1-->"C:\WINNT\unins001.exe"
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m
Security Update for 2007 Microsoft Office System (KB951550)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {B243E9A5-ED77-4F1B-B338-2486FD82DC85}
Security Update for 2007 Microsoft Office System (KB951944)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {797AE457-BA17-4BBC-B501-25FB3A0103C7}
Security Update for 2007 Microsoft Office System (KB960003)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {F04F8702-18D0-458D-921E-146FB7CD38CF}
Security Update for Microsoft Office Excel 2007 (KB959997)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {9EAC3AEC-5C81-4856-A05B-DE9DC236D740}
Security Update for Microsoft Office OneNote 2007 (KB950130)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {F1B2401C-B610-4BF2-AA1C-52C55827A8F4}
Security Update for Microsoft Office PowerPoint 2007 (KB951338)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {558B709B-821B-4FC5-90FC-9A8890641E77}
Security Update for Microsoft Office Publisher 2007 (KB950114)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {F9C3CDBA-1F00-4D4D-959D-75C9D3ACDD85}
Security Update for Microsoft Office system 2007 (KB954326)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {5F7F6FFF-395D-480E-8450-64F385D82C5F}
Security Update for Microsoft Office system 2007 (KB956828)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {885E081B-72BD-4E76-8E98-30B4BE468FAC}
Security Update for Microsoft Office Word 2007 (KB956358)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {4551666D-0FD6-4C69-8A81-1C6F2E64517C}
Security Update for Windows Media Player (KB952069)-->"C:\WINNT\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB954155)-->"C:\WINNT\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB968816)-->"C:\WINNT\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINNT\$NtUninstallKB973540_WM9L$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB911565)-->"C:\WINNT\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINNT\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB936782)-->"C:\WINNT\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINNT\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINNT\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINNT\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINNT\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINNT\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINNT\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINNT\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINNT\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINNT\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINNT\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINNT\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINNT\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINNT\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINNT\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINNT\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINNT\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINNT\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"C:\WINNT\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINNT\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINNT\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINNT\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956844)-->"C:\WINNT\$NtUninstallKB956844$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINNT\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958215)-->"C:\WINNT\$NtUninstallKB958215$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINNT\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINNT\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958869)-->"C:\WINNT\$NtUninstallKB958869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINNT\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINNT\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960714)-->"C:\WINNT\$NtUninstallKB960714$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINNT\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINNT\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINNT\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINNT\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969059)-->"C:\WINNT\$NtUninstallKB969059$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969947)-->"C:\WINNT\$NtUninstallKB969947$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINNT\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971468)-->"C:\WINNT\$NtUninstallKB971468$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINNT\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINNT\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINNT\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINNT\$NtUninstallKB973869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973904)-->"C:\WINNT\$NtUninstallKB973904$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974112)-->"C:\WINNT\$NtUninstallKB974112$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974318)-->"C:\WINNT\$NtUninstallKB974318$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974392)-->"C:\WINNT\$NtUninstallKB974392$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974571)-->"C:\WINNT\$NtUninstallKB974571$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975025)-->"C:\WINNT\$NtUninstallKB975025$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975560)-->"C:\WINNT\$NtUninstallKB975560$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975561)-->"C:\WINNT\$NtUninstallKB975561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975713)-->"C:\WINNT\$NtUninstallKB975713$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977816)-->"C:\WINNT\$NtUninstallKB977816$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977914)-->"C:\WINNT\$NtUninstallKB977914$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978037)-->"C:\WINNT\$NtUninstallKB978037$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978262)-->"C:\WINNT\$NtUninstallKB978262$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978338)-->"C:\WINNT\$NtUninstallKB978338$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978542)-->"C:\WINNT\$NtUninstallKB978542$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978601)-->"C:\WINNT\$NtUninstallKB978601$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978706)-->"C:\WINNT\$NtUninstallKB978706$\spuninst\spuninst.exe"
Security Update for Windows XP (KB979309)-->"C:\WINNT\$NtUninstallKB979309$\spuninst\spuninst.exe"
Security Update for Windows XP (KB979683)-->"C:\WINNT\$NtUninstallKB979683$\spuninst\spuninst.exe"
Security Update for Windows XP (KB980232)-->"C:\WINNT\$NtUninstallKB980232$\spuninst\spuninst.exe"
Security Update for Windows XP (KB981349)-->"C:\WINNT\$NtUninstallKB981349$\spuninst\spuninst.exe"
SmartDraw 7-->C:\PROGRA~1\SMARTD~1\UNWISE.EXE C:\PROGRA~1\SMARTD~1\INSTALL.LOG
TeraCopy 1.22-->"C:\Program Files\TeraCopy\unins000.exe"
TOSHIBA Software Modem-->Tosmreg -U
Trend Micro RUBotted-->C:\Program Files\InstallShield Installation Information\{12650598-D7B9-4FB5-91B2-2CAA641AC589}\setup.exe -runfromtemp -l0x0009 -removeonly
TrueCrypt-->"C:\Program Files\TrueCrypt\TrueCrypt Setup.exe" /u C:\Program Files\TrueCrypt\
Update for 2007 Microsoft Office System (KB967642)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {C444285D-5E4F-48A4-91DD-47AAAA68E92D}
Update for Microsoft Office 2007 Help for Common Features (KB963673)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {AB365889-0395-4FAD-B702-CA5985D53D42}
Update for Microsoft Office Access 2007 Help (KB963663)-->msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {6B76A18A-AA1E-42AB-A7AD-6C84BBB43987}
Update for Microsoft Office Excel 2007 Help (KB963678)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {199DF7B6-169C-448C-B511-1054101BE9C9}
Update for Microsoft Office Infopath 2007 Help (KB963662)-->msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {716B81B8-B13C-41DF-8EAC-7A2F656CAB63}
Update for Microsoft Office OneNote 2007 Help (KB963670)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {2744EF05-38E1-4D5D-B333-E021EDAEA245}
Update for Microsoft Office Outlook 2007 (KB952142)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {4AD3A076-427C-491F-A5B7-7D1DE788A756}
Update for Microsoft Office Outlook 2007 Help (KB957246)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {6F0E4983-E419-4591-B7DD-EFB0073D3E47}
Update for Microsoft Office Powerpoint 2007 Help (KB963669)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {397B1D4F-ED7B-4ACA-A637-43B670843876}
Update for Microsoft Office Publisher 2007 Help (KB963667)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {2E40DE55-B289-4C8B-8901-5D369B16814F}
Update for Microsoft Office Script Editor Help (KB963671)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {CD11C6A2-FFC6-4271-8EAB-79C3582F505C}
Update for Microsoft Office Word 2007 Help (KB963665)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {80E762AA-C921-4839-9D7D-DB62A72C0726}
Update for Office 2007 (KB932080)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {EDC9CA29-6BC1-471C-828C-7A36109005D7}
Update for Office 2007 (KB934391)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {B3091818-7C56-4C45-BE7D-CA23027A5EA5}
Update for Windows XP (KB955839)-->"C:\WINNT\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINNT\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINNT\$NtUninstallKB973815$\spuninst\spuninst.exe"
Update for Windows XP (KB980182)-->"C:\WINNT\$NtUninstallKB980182$\spuninst\spuninst.exe"
WallMaster Pro-->C:\PROGRA~1\WALLMA~1\UNWISE.EXE C:\PROGRA~1\WALLMA~1\INSTALL.LOG
Windows Genuine Advantage v1.3.0254.0-->MsiExec.exe /I{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}
Windows Media Connect-->"C:\WINNT\$NtUninstallWMCSetup$\spuninst\spuninst.exe"
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 10-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows XP Service Pack 3-->"C:\WINNT\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
Yahoo! Install Manager-->C:\WINNT\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Widgets-->C:\PROGRA~1\YAHOO!~1\uninstall.exe

======Security center information======

AV: Microsoft Security Essentials

======System event log======

Computer Name: LATITUDE
Event Code: 4
Message: Broadcom NetXtreme 57xx Gigabit Controller: The network link is down. Check to make sure the network cable is properly connected.

Record Number: 389
Source Name: b57w2k
Time Written: 20100508140753.000000-360
Event Type: warning
User:

Computer Name: TEST2
Event Code: 4
Message: Broadcom NetXtreme 57xx Gigabit Controller: The network link is down. Check to make sure the network cable is properly connected.

Record Number: 368
Source Name: b57w2k
Time Written: 20100508140514.000000-360
Event Type: warning
User:

Computer Name: TEST
Event Code: 262
Message: The service "NetFxUpdate_v1.1.4322" vetoed a power event request.

Record Number: 110
Source Name: PlugPlayManager
Time Written: 20100507100647.000000-360
Event Type: warning
User:

Computer Name: TEST
Event Code: 3033
Message: The redirector was unable to register the address for transport NetBT_Tcpip_{876B212A-098F-49F8-87E5 for the following reason: . Transport has been taken offline.

Record Number: 16
Source Name: MRxSmb
Time Written: 20100507095909.000000-360
Event Type: warning
User:

Computer Name: TEST
Event Code: 4321
Message: The name "TEST :0" could not be registered on the Interface with IP address 10.101.4.107.
The machine with the IP address 10.8.4.21 did not allow the name to be claimed by
this machine.

Record Number: 15
Source Name: NetBT
Time Written: 20100507095909.000000-360
Event Type: error
User:

=====Application event log=====

Computer Name: TEST
Event Code: 1020
Message: Updates to the IIS metabase were aborted because IIS is either not installed or is disabled on this machine. To configure ASP.NET to run in IIS, please install or enable IIS and re-register ASP.NET using aspnet_regiis.exe /i.

Record Number: 23
Source Name: ASP.NET 2.0.50727.0
Time Written: 20100507100746.000000-360
Event Type: warning
User:

Computer Name: TEST
Event Code: 1517
Message: Windows saved user TEST\Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 8
Source Name: Userenv
Time Written: 20100507100437.000000-360
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: TEST
Event Code: 32066
Message: At least one of the devices in the outgoing routing group is not valid.
Group name: '<All devices>'

Record Number: 3
Source Name: Microsoft Fax
Time Written: 20100507095901.000000-360
Event Type: warning
User:

Computer Name: TEST
Event Code: 1015
Message: TraceLevel parameter not located in registry;
Default trace level used is 32.

Record Number: 2
Source Name: EvntAgnt
Time Written: 20100507095859.000000-360
Event Type: warning
User:

Computer Name: TEST
Event Code: 1003
Message: TraceFileName parameter not located in registry;
Default trace file used is .

Record Number: 1
Source Name: EvntAgnt
Time Written: 20100507095859.000000-360
Event Type: warning
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"IMAGE"=TOSHPRODSP2-06092006-1100
"NUMBER_OF_PROCESSORS"=1
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\wbem;C:\Program Files\Altium2004 SP3\System
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 11, GenuineIntel
"PROCESSOR_LEVEL"=6
"PROCESSOR_REVISION"=0f0b
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"windir"=%SystemRoot%
"AltiumPath"=C:\Program Files\Altium2004 SP3\System

-----------------EOF-----------------
Occam
Regular Member
 
Posts: 26
Joined: June 30th, 2010, 3:24 am

Re: IE popping up ad windows at random - redux

Unread postby deltalima » July 20th, 2010, 2:40 pm

Hi Occam,

This is proving difficult to isolate so we need to double check every possible cause.

I see you have an automation program named AutoMate 4, are you aware that this is installed?

You have the snmp service enabled which is unusual, are you aware?

Please describe the popups that you see, are they always adverts for the same sites and products? Do they only happen when IE is open or do they happen when the computer is idle with no windows open?

I think at this stage we need to update Internet Explorer from version 6 to version 8. Microsoft are keen to get everyone off version 6 for security reasons. Please visit the Microsoft Update site and install all available security updates.

Please also run another scan with Malwarebytes and post the log in your next reply.


Next download Bootkit remover and save it to you're Desktop.


Note: This is a rar file if you do not have a program to open it then download and install Peazip

  • Extract (unzip) Remover.exe to your desktop.
  • Double click Remover.exe to run it.
  • It will show a Black screen with some data on it.
  • Right click on the screen and select > Select All and press Control+C
  • Open Notepad (Start, All Programs, Accessories), and press Control+V
  • Post the contents of the resulting Notepad file here please.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: IE popping up ad windows at random - redux

Unread postby Occam » July 20th, 2010, 4:44 pm

Automate: Yes, I installed Automate. Same version on multiple PCs. I've been using it to kill the adverts. Coincidentally and unfortunately, at some point, one of the malware removal tools removed the license for Automate.

SNMP: I do not recall doing anything with this; it may have been enabled when I got the machine. It's an ex-enterprise machine, and was preloaded with Windows already installed.


The advertisements are about 80% the same, and 20% different.

Sometimes they pop up in small windows, with messages like "Are you sure you want to navigate away from this page?". Of course, despite seeing the windows many times, I don't recall the exact text, which I suppose means it's not very effective advertising. They are plain text, with emphasis added with asterisks and exclamation points. There are only two or three variants of this flavor.

Other times ads pop up in maximized windows. These are usually ads for more legitimate businesses such as GM, cell phone companies, and the like. These contain backgrounds, colors, graphics, and professionally done layout. To date I have not seen one of these ads re-occur, they are all different from each other.

It's possible these ads are from two different malware programs. They are very different from each other.

I have never clicked any of them, so I don't know what might happen.

The ads pop up when IE is *not* running. If I leave my computer on and unattended during the night, I'll get a round dozen windows open, 80% dialog-box plain text and one or two full-page professional ads.

It can also go many hours without a single pop-up occurring, as evidenced by our last try with this problem.

I will see what I can do with the next program. If nothing else I hope it will help someone else out there.
Occam
Regular Member
 
Posts: 26
Joined: June 30th, 2010, 3:24 am

Re: IE popping up ad windows at random - redux

Unread postby Occam » July 21st, 2010, 12:34 am

"Files required to use Windows Update are no longer registered or installed on your computer."

At this point I'm officially giving up and reformatting the computer. Apologies to you, deltalima, for not sticking it out, but I simply need to have my PC back in working order. Please accept my sincere appreciation for the time and effort you put into helping to resolve my problems.

I hope this will somehow prove useful to other people in the future. I also hope there's a special circle of hell reserved for the unspeakable moron that wrote this malware in the first place.
Occam
Regular Member
 
Posts: 26
Joined: June 30th, 2010, 3:24 am

Re: IE popping up ad windows at random - redux

Unread postby Occam » July 21st, 2010, 2:01 am

Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com

\\.\C: -> \\.\PhysicalDrive0
MD5: aac7d8a98e39dfde27285ef395e66821

Size Device Name MBR Status
--------------------------------------------
111 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Press any key to quit...


FWIW, I looked at the MBR with WinHex, and it looks substantially the same as the 'backup' MBR on the same disk. I couldn't see any differences in the actual bootloader code section.
Occam
Regular Member
 
Posts: 26
Joined: June 30th, 2010, 3:24 am

Re: IE popping up ad windows at random - redux

Unread postby Occam » July 21st, 2010, 2:03 am

Note that the ads are targeted according to IP. Twice now a full-screen ad has popped up for services specific to my province (in Canada) - youngfreealberta.com, a banking service site. I recall seeing other ads that were localized as well.
Occam
Regular Member
 
Posts: 26
Joined: June 30th, 2010, 3:24 am
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 46 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware