Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions


Noticed Firefox crashing, many popups now being blocked.

Post by kurry » November 20th, 2008, 5:33 pm

Well, it all started when Firefox was closing almost instantly after opening, not crashing, just closing. Then many popups started launching when Firefox wasn't even running. At this point I knew something was wrong, so I scanned my PC with avast! Professional version 4.8. It showed 6 viruses, which as far as I know were hopefully removed. I also downloaded Spybot Search & Destroy and began scanning a while ago. Its TeaTimer has been going crazy with what I would guess is the popup trying to launch itself. So far it has found Virtumonde and Smitfraud.
It's been a long time since I've had malware and this is very frustrating :|
I've come to this forum because in the past you've done an amazing job :) so hopefully you can again

HJT log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:32:46, on 20/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\Tablet.exe
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
J:\RocketDock\RocketDock.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\rundll32.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=PRESARIO&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PRESARIO&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PRESARIO&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PRESARIO&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PRESARIO&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=PRESARIO&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PRESARIO&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=PRESARIO&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [b8ebc631] rundll32.exe "C:\WINDOWS\system32\lyqbgrqh.dll",b
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [RocketDock] "J:\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: daoclf.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 8842 bytes



Thanks in advance
kurry
Active Member
 
Posts: 12
Joined: December 8th, 2007, 1:11 pm
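Added example, not part of the thread and not a HijackThis or MalwareRemoval.com tool: a small Python triage script that parses HJT O4/O20/O23 lines in the format of the log above into records and flags the kinds of entries a helper looks at first. The sample lines are constructed copies of lines from the log above; the heuristics (an 8-hex-digit Run value name, rundll32 loading an all-lowercase random-looking DLL, any non-empty AppInit_DLLs value) are my own and are review hints, not verdicts. On the sample they pick out the two entries that ComboFix removes later in this thread (the b8ebc631 Run entry loading lyqbgrqh.dll, and daoclf.dll in AppInit_DLLs).

```python
"""Triage helper for HijackThis (HJT) log lines.

Added example for this thread; not a HijackThis or MalwareRemoval.com tool.
Parses the O4 / O20 / O23 line formats seen in the log above and applies a
few conservative heuristics. Every flag is a hint for a human reviewer.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the format of the opening post's HJT log:
# three ordinary entries, two that a helper would query, one R1 line.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\Avast4\\ashDisp.exe
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\Run: [b8ebc631] rundll32.exe "C:\\WINDOWS\\system32\\lyqbgrqh.dll",b
O20 - AppInit_DLLs: daoclf.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\\Program Files\\Avast4\\ashServ.exe
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = *.local
"""


@dataclass
class Entry:
    kind: str                 # HJT section prefix: "O4", "O20", "O23", "R1", ...
    data: dict                # parsed fields for that kind
    raw: str                  # the original line
    flags: list = field(default_factory=list)


O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
GENERIC_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<rest>.*)$")

HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$")          # Run value names like "b8ebc631"
RANDOM_DLL_RE = re.compile(r"^[a-z]{6,8}\.dll$")    # 6-8 lowercase letters, no product-style casing
DLL_IN_CMD_RE = re.compile(r"([A-Za-z0-9_]+\.dll)", re.IGNORECASE)


def parse_line(line):
    """Parse one HJT log line into an Entry, or None for non-entry lines."""
    line = line.rstrip()
    m = O4_RE.match(line)
    if m:
        return Entry("O4", m.groupdict(), line)
    m = O20_RE.match(line)
    if m:
        return Entry("O20", {"dlls": m.group("dlls").split()}, line)
    m = O23_RE.match(line)
    if m:
        return Entry("O23", m.groupdict(), line)
    m = GENERIC_RE.match(line)
    if m:
        return Entry(m.group("kind"), {"rest": m.group("rest")}, line)
    return None


def flag_entry(entry):
    """Attach review hints to an Entry; returns the list of flags added."""
    if entry.kind == "O20":
        # AppInit_DLLs are loaded into every process that loads user32.dll,
        # so any value here deserves a look on a home PC.
        for dll in entry.data["dlls"]:
            entry.flags.append(f"AppInit_DLLs loads {dll} into every process that loads user32.dll")
    elif entry.kind == "O4":
        name, cmd = entry.data["name"], entry.data["cmd"]
        if HEX_NAME_RE.match(name):
            entry.flags.append(f"Run value name {name!r} is an 8-digit hex string, not a product name")
        if "rundll32" in cmd.lower():
            for dll in DLL_IN_CMD_RE.findall(cmd):
                if RANDOM_DLL_RE.match(dll):
                    entry.flags.append(f"rundll32 loads {dll}, an all-lowercase random-looking DLL name")
    return entry.flags


def triage(log_text):
    """Return only the entries that picked up at least one flag, in log order."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    for e in entries:
        flag_entry(e)
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(e.raw)
        for f in e.flags:
            print("   ->", f)
```

Run it on a saved HJT log by passing the file contents to `triage()`; the printed flags tell a helper which lines to look up first, and the unflagged O23 and R1 lines show that ordinary vendor entries pass through untouched.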

Re: Noticed Firefox crashing, many popups now being blocked.

Post by Sharagoz » November 20th, 2008, 6:41 pm

Hello kurry,
I guess saying "welcome back" is a bit inappropriate, so I won't 8)
You've definitely caught something that needs to be taken care of.

Please take note of the following before we begin the cleaning process:
  • The whole process will often take several days to complete, so please stay patient
  • Hang in there until I give you the 'All clean'. If you leave prematurely because your computer seems to be back to its old self, the risk of re-infection will be very high
  • Perform all actions in the order given
  • The instructions I give expect that you're using an account with administrator privileges and that the language of your operating system is English.
  • Don't be afraid to ask questions if something is unclear or you run into issues during cleaning steps
  • I recommend you read through each set of instructions before you actually perform them

1) Create an uninstall list
  • Launch Hijackthis
  • Click the Open the Misc Tools section button
  • Click the Open Uninstall Manager button.
  • Click the Save list button.
  • Include this log in your next reply

2) Get a new HiJackThis log
  • Launch Hijackthis
  • Click on the Do a system scan and save a logfile button
  • HJT will run a scan and a log will open in Notepad
  • Include this log in your next reply
Sharagoz
Retired Graduate
 
Posts: 985
Joined: February 22nd, 2008, 4:31 pm
Location: Norway

Re: Noticed Firefox crashing, many popups now being blocked.

Post by kurry » November 20th, 2008, 7:03 pm

When I click the "Save list..." button when trying to get an uninstall log, HJT just closes itself? :(
kurry
Active Member
 
Posts: 12
Joined: December 8th, 2007, 1:11 pm

Re: Noticed Firefox crashing, many popups now being blocked.

Post by Sharagoz » November 21st, 2008, 4:30 am

I have prepared a fix for you and posted it for approval.
As I am only an undergrad at this uni I need to have all my fixes approved by a teacher before they can be posted.
The downside with this is that things take a little more time. The upside is that you'll have two sets of eyes checking your logs, so you can be sure nothing will be missed, and the teachers here are among the best malware removers you'll find anywhere, online or not, so you can feel confident you are in the right hands.
The initial waiting time can take up to 48hrs, depending on how busy the teachers are, so please stay patient.
Once a teacher finds a free slot we'll be on our way to a clean computer, and the subsequent replies will usually be faster.
In the top left corner of your opening post there is a link called Subscribe topic. If you click it you will be subscribed to this thread and will receive instant email notification of new replies. For most people this works better than periodically checking back here to see if there are any new posts.
Sharagoz
Retired Graduate
 
Posts: 985
Joined: February 22nd, 2008, 4:31 pm
Location: Norway

Re: Noticed Firefox crashing, many popups now being blocked.

Post by kurry » November 21st, 2008, 11:52 am

Ah, OK, I think I can wait :roll:
As of now, TeaTimer isn't misbehaving, but I'll hang in till I'm clean :bom:
kurry
Active Member
 
Posts: 12
Joined: December 8th, 2007, 1:11 pm

Re: Noticed Firefox crashing, many popups now being blocked.

Post by Sharagoz » November 22nd, 2008, 11:28 am

You need to disable TeaTimer, Ad-Watch and Avast before proceeding.
If you are unsure how to do this, you can find instructions here

1) Download and Run ComboFix
  • Visit this webpage for download links and instructions on how to properly run ComboFix:
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix
    Make sure you install the Recovery Console as instructed beforehand
    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time and can be a lifesaver later.
    Once installed, you should see a blue screen prompt that says:
    The Recovery Console was successfully installed.
  • Run ComboFix as instructed by the tutorial. When ComboFix is finished running, a log will be opened. Include this log in your next reply.

Enable your security software again after this step.

2) Rename HiJackThis and post a new log
HiJackThis needs to be renamed because an infection is preventing it from giving a complete log
  • You have HJT located here: C:\Program Files\HijackThis
  • Go to that folder and rename HiJackThis.exe to kurry.exe or another name of your choice other than HiJackThis.exe
  • Launch Hijackthis
  • Click on the Do a system scan and save a logfile button
  • HJT will run a scan and a log will open in Notepad
  • Include this log in your next reply

3) Create an uninstall list
  • Launch Hijackthis
  • Click the Open the Misc Tools section button
  • Click the Open Uninstall Manager button.
  • Click the Save list button.
  • Include this log in your next reply

Logs I need:
ComboFix log
New HJT log
Uninstall list
Sharagoz
Retired Graduate
 
Posts: 985
Joined: February 22nd, 2008, 4:31 pm
Location: Norway

Re: Noticed Firefox crashing, many popups now being blocked.

Post by kurry » November 22nd, 2008, 12:23 pm

OK, I've done that -- here are the results...



Combofix log
ComboFix 08-11-21.05 - Compaq_Administrator 2008-11-22 15:44:30.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.238 [GMT 0:00]
Running from: c:\documents and settings\Compaq_Administrator\My Documents\Downloads\ComboFix.exe
 * Created a new restore point
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ckveohyr.dll
c:\windows\system32\daoclf.dll
c:\windows\system32\ddcDwxyA.dll
c:\windows\system32\dKRtDfhk.ini
c:\windows\system32\dKRtDfhk.ini2
c:\windows\system32\efcAPFvv.dll
c:\windows\system32\feKkQqss.ini
c:\windows\system32\feKkQqss.ini2
c:\windows\system32\hdfniu.dll
c:\windows\system32\hqrgbqyl.ini
c:\windows\system32\jjycahei.dll
c:\windows\system32\kndugl.dll
c:\windows\system32\lydckh.dll
c:\windows\system32\packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\ssqQkKef.dll
c:\windows\system32\vfdigcks.dll
c:\windows\system32\wanpacket.dll
c:\windows\system32\wpcap.dll
c:\windows\system32\yjosypys.dll
D:\Autorun.inf
J:\Autorun.inf

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


(((((((((((((((((((((((((   Files Created from 2008-10-22 to 2008-11-22  )))))))))))))))))))))))))))))))
.

2008-11-22 14:05 . 2008-11-22 14:05	236	--a------	C:\sqmdata11.sqm
2008-11-22 14:05 . 2008-11-22 14:05	200	--a------	C:\sqmnoopt11.sqm
2008-11-22 13:12 . 2008-11-22 13:12	<DIR>	d--------	c:\program files\EA Games
2008-11-22 13:12 . 2007-10-12 15:14	3,734,536	--a------	c:\windows\system32\d3dx9_36.dll
2008-11-22 13:12 . 2007-05-16 16:45	3,497,832	--a------	c:\windows\system32\d3dx9_34.dll
2008-11-22 13:12 . 2007-10-12 15:14	1,374,232	--a------	c:\windows\system32\D3DCompiler_36.dll
2008-11-22 13:12 . 2007-05-16 16:45	1,124,720	--a------	c:\windows\system32\D3DCompiler_34.dll
2008-11-22 13:12 . 2007-10-02 09:56	444,776	--a------	c:\windows\system32\d3dx10_36.dll
2008-11-22 13:12 . 2007-05-16 16:45	443,752	--a------	c:\windows\system32\d3dx10_34.dll
2008-11-22 13:12 . 2007-10-22 03:39	267,272	--a------	c:\windows\system32\xactengine2_10.dll
2008-11-22 13:12 . 2007-07-20 00:57	267,112	--a------	c:\windows\system32\xactengine2_9.dll
2008-11-22 13:12 . 2007-06-20 20:46	266,088	--a------	c:\windows\system32\xactengine2_8.dll
2008-11-22 13:12 . 2007-10-22 03:37	17,928	--a------	c:\windows\system32\X3DAudio1_2.dll
2008-11-22 09:37 . 2008-11-22 09:37	236	--a------	C:\sqmdata10.sqm
2008-11-22 09:37 . 2008-11-22 09:37	200	--a------	C:\sqmnoopt10.sqm
2008-11-22 09:32 . 2008-11-22 09:32	236	--a------	C:\sqmdata09.sqm
2008-11-22 09:32 . 2008-11-22 09:32	200	--a------	C:\sqmnoopt09.sqm
2008-11-21 20:59 . 2008-11-21 20:59	41,472	--a------	c:\windows\system32\hqpvhooc.dll
2008-11-21 09:26 . 2008-11-21 09:26	236	--a------	C:\sqmdata08.sqm
2008-11-21 09:26 . 2008-11-21 09:26	200	--a------	C:\sqmnoopt08.sqm
2008-11-21 08:48 . 2008-11-21 08:48	41,472	--a------	c:\windows\system32\umaowcni.dll
2008-11-21 07:46 . 2008-11-21 07:46	236	--a------	C:\sqmdata07.sqm
2008-11-21 07:46 . 2008-11-21 07:46	200	--a------	C:\sqmnoopt07.sqm
2008-11-20 20:57 . 2008-11-20 20:57	41,472	--a------	c:\windows\system32\qdseqydh.dll
2008-11-20 19:42 . 2008-11-20 19:42	<DIR>	d--------	c:\program files\Spybot - Search & Destroy
2008-11-20 19:42 . 2008-11-20 20:52	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-20 19:41 . 2008-11-20 19:41	<DIR>	d--------	c:\program files\Ad-Aware
2008-11-20 19:41 . 2008-11-20 19:43	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-20 10:23 . 2008-11-20 10:23	<DIR>	d---s----	c:\documents and settings\Kim\UserData
2008-11-19 22:10 . 2008-11-19 22:10	41,472	--a------	c:\windows\system32\wqnnjbga.dll
2008-11-19 22:04 . 2008-11-19 22:04	<DIR>	d--------	c:\program files\Nero 9
2008-11-19 22:04 . 2008-11-19 22:04	<DIR>	d--------	c:\program files\Common Files\Nero
2008-11-19 21:50 . 2008-11-19 21:50	<DIR>	d--------	c:\documents and settings\Compaq_Administrator\Application Data\Sonic
2008-11-19 21:50 . 2008-11-19 21:50	<DIR>	d--------	c:\documents and settings\Compaq_Administrator\Application Data\Leadertech
2008-11-18 21:19 . 2008-11-18 21:19	236	--a------	C:\sqmdata06.sqm
2008-11-18 21:19 . 2008-11-18 21:19	200	--a------	C:\sqmnoopt06.sqm
2008-11-18 14:29 . 2008-11-20 10:23	<DIR>	d--------	c:\documents and settings\Kim\Tracing
2008-11-18 10:09 . 2008-11-18 10:09	200	--a------	C:\sqmnoopt05.sqm
2008-11-18 10:09 . 2008-11-18 10:09	200	--a------	C:\sqmdata05.sqm
2008-11-18 08:52 . 2006-09-01 12:57	<DIR>	d--------	c:\documents and settings\Kim\WINDOWS
2008-11-18 08:52 . 2008-11-20 10:23	<DIR>	d--------	c:\documents and settings\Kim
2008-11-17 22:29 . 2007-03-07 23:51	129,784	--a------	c:\windows\system32\pxafs.dll
2008-11-17 21:56 . 2008-11-21 08:41	<DIR>	d--------	c:\documents and settings\Compaq_Administrator\Application Data\SiteAdvisor
2008-11-17 21:56 . 2008-11-17 21:56	<DIR>	d--------	c:\documents and settings\All Users\Application Data\SiteAdvisor
2008-11-17 21:56 . 2008-11-17 21:56	<DIR>	d--------	c:\documents and settings\All Users\Application Data\McAfee
2008-11-17 21:39 . 2008-11-17 21:42	<DIR>	d--------	c:\program files\foobar2000
2008-11-17 20:55 . 2008-11-17 20:56	<DIR>	d--------	c:\windows\system32\FLIQLO dir
2008-11-17 20:55 . 2008-11-17 20:55	532,480	--a------	c:\windows\system32\FLIQLO.scr
2008-11-17 20:42 . 2008-11-17 20:42	<DIR>	d--------	c:\program files\CD Art Display
2008-11-17 20:42 . 2003-01-27 14:27	94,208	--a------	c:\windows\system32\wmpuice.dll
2008-11-17 20:42 . 2008-08-24 21:33	69,632	--a------	c:\windows\cadSSaver.scr
2008-11-17 20:15 . 2008-11-22 14:05	<DIR>	d--------	c:\program files\Avast4
2008-11-16 20:45 . 2008-11-16 20:45	<DIR>	d--------	c:\documents and settings\Compaq_Administrator\Application Data\CyberLink
2008-11-16 20:41 . 2008-11-16 20:42	<DIR>	d--------	c:\program files\InterActual
2008-11-16 19:08 . 2008-11-16 19:08	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Blizzard
2008-11-16 16:23 . 2008-11-16 16:23	<DIR>	d--------	c:\program files\DVD Flick
2008-11-16 16:23 . 2008-11-16 17:06	<DIR>	d--------	c:\documents and settings\Compaq_Administrator\Application Data\DVD Flick
2008-11-16 16:23 . 2004-03-09 00:00	662,288	--a------	c:\windows\system32\mscomct2.ocx
2008-11-16 16:23 . 1998-06-24 00:00	164,144	--a------	c:\windows\system32\comct232.ocx
2008-11-16 16:23 . 2003-01-26 13:41	40,960	--a------	c:\windows\system32\ssubtmr6.dll
2008-11-16 16:23 . 2007-08-31 18:36	36,864	--a------	c:\windows\system32\trayicon_handler.ocx
2008-11-16 16:23 . 2008-08-31 13:27	28,672	--a------	c:\windows\system32\mousewheel.ocx
2008-11-16 16:12 . 2006-09-01 12:57	<DIR>	d--------	c:\documents and settings\Guest\WINDOWS
2008-11-16 16:12 . 2008-11-16 16:12	<DIR>	d--------	c:\documents and settings\Guest
2008-11-16 14:21 . 2008-11-16 14:21	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Last.fm
2008-11-16 14:19 . 2008-11-16 14:19	<DIR>	d--------	c:\program files\Last.fm
2008-11-16 13:29 . 2008-11-16 13:29	<DIR>	d--------	c:\program files\BootSkin
2008-11-16 13:29 . 2008-11-16 13:30	162,432	--a------	c:\windows\system32\drivers\vidstub.sys
2008-11-16 12:57 . 2008-11-16 12:57	<DIR>	d--------	c:\program files\Logon Loader
2008-11-16 09:17 . 2008-11-16 09:17	<DIR>	d--------	c:\program files\Common Files\Blizzard Entertainment
2008-11-16 09:11 . 2008-11-16 09:15	<DIR>	d--------	c:\documents and settings\Compaq_Administrator\Application Data\Otto
2008-11-16 09:11 . 2008-11-16 09:15	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Otto
2008-11-15 23:55 . 2008-11-15 23:55	<DIR>	d--------	c:\documents and settings\All Users\Application Data\SlySoft
2008-11-15 23:52 . 2008-11-15 23:52	<DIR>	d--------	c:\program files\SlySoft
2008-11-15 23:44 . 2008-11-15 23:44	<DIR>	d--------	c:\program files\Handbrake
2008-11-15 23:41 . 2008-11-15 23:41	236	--a------	C:\sqmdata04.sqm
2008-11-15 23:41 . 2008-11-15 23:41	200	--a------	C:\sqmnoopt04.sqm
2008-11-15 23:36 . 2008-11-15 23:36	<DIR>	d--------	c:\windows\system32\XPSViewer
2008-11-15 23:36 . 2008-11-15 23:36	<DIR>	d--------	c:\program files\Reference Assemblies
2008-11-15 23:36 . 2008-11-15 23:36	<DIR>	d--------	c:\program files\MSBuild
2008-11-15 23:35 . 2008-07-06 12:06	1,676,288	--a------	c:\windows\system32\xpssvcs.dll
2008-11-15 23:35 . 2008-07-06 12:06	1,676,288	--a------	c:\windows\system32\dllcache\xpssvcs.dll
2008-11-15 23:35 . 2008-07-06 10:50	597,504	--a------	c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2008-11-15 23:35 . 2008-07-06 12:06	575,488	--a------	c:\windows\system32\xpsshhdr.dll
2008-11-15 23:35 . 2008-07-06 12:06	575,488	--a------	c:\windows\system32\dllcache\xpsshhdr.dll
2008-11-15 23:35 . 2008-07-06 12:06	117,760	--a------	c:\windows\system32\prntvpt.dll
2008-11-15 23:35 . 2008-07-06 12:06	89,088	--a------	c:\windows\system32\dllcache\filterpipelineprintproc.dll
2008-11-15 23:33 . 2008-11-15 23:39	<DIR>	d--------	c:\windows\NV32401520.TMP
2008-11-15 23:33 . 2008-11-20 19:39	<DIR>	d--------	c:\program files\Common Files\Wise Installation Wizard
2008-11-15 23:33 . 2008-10-07 13:33	201,157	--a------	c:\windows\system32\nvapps.nvb
2008-11-15 23:31 . 2008-11-15 23:31	<DIR>	d--------	c:\program files\MSXML 6.0
2008-11-15 23:31 . 2008-11-15 23:31	<DIR>	d--------	C:\NVIDIA
2008-11-15 23:27 . 2008-11-15 23:27	<DIR>	d--------	c:\program files\SystemRequirementsLab
2008-11-15 23:27 . 2008-11-15 23:27	<DIR>	d--------	c:\documents and settings\Compaq_Administrator\Application Data\SystemRequirementsLab
2008-11-15 23:26 . 2008-11-15 23:26	<DIR>	d--------	c:\windows\Sun
2008-11-15 13:22 . 2008-11-15 13:22	<DIR>	d--------	c:\documents and settings\All Users\Application Data\FLEXnet
2008-11-15 13:12 . 2008-11-15 13:12	<DIR>	d--------	c:\program files\Wacom
2008-11-15 13:12 . 2000-11-22 11:40	1,682,273	--a------	c:\windows\system32\TabCP-En.znc
2008-11-15 13:12 . 2000-11-29 17:25	856,064	--a------	c:\windows\system32\Tablet.cpl
2008-11-15 13:12 . 2000-11-29 20:49	450,560	--a------	c:\windows\system32\Tablet.exe
2008-11-15 13:12 . 2000-11-29 20:49	90,112	--a------	c:\windows\system32\Wintab32.dll
2008-11-15 13:12 . 1999-12-21 15:53	53,248	--a------	c:\windows\system32\TabUnst.dll
2008-11-15 13:12 . 2000-11-29 20:49	49,152	--a------	c:\windows\system32\TabHook.dll
2008-11-15 13:12 . 2000-10-20 10:51	24,320	--a------	c:\windows\system32\drivers\penclass.sys
2008-11-15 13:12 . 1999-05-07 09:12	15,744	--a------	c:\windows\system32\wintab.dll
2008-11-15 13:12 . 2008-11-22 16:10	296	--a------	c:\windows\system32\wacom.dat
2008-11-15 13:11 . 2000-01-05 14:14	36,864	--a------	c:\windows\system32\pencls32.dll
2008-11-15 11:27 . 2008-11-15 11:27	<DIR>	d--------	c:\program files\Bonjour
2008-11-15 11:24 . 2008-11-15 11:24	<DIR>	d--------	c:\program files\Common Files\Macrovision Shared
2008-11-15 11:23 . 2008-11-15 11:23	236	--a------	C:\sqmdata03.sqm
2008-11-15 11:23 . 2008-11-15 11:23	200	--a------	C:\sqmnoopt03.sqm
2008-11-14 09:32 . 2008-11-14 09:32	236	--a------	C:\sqmdata02.sqm
2008-11-14 09:32 . 2008-11-14 09:32	200	--a------	C:\sqmnoopt02.sqm
2008-11-13 23:59 . 2008-11-13 23:59	236	--a------	C:\sqmdata01.sqm
2008-11-13 23:59 . 2008-11-13 23:59	200	--a------	C:\sqmnoopt01.sqm
2008-11-11 17:22 . 2008-11-11 17:22	<DIR>	d--------	c:\program files\simplemu
2008-11-10 22:41 . 2008-11-10 22:42	<DIR>	d--------	c:\documents and settings\Compaq_Administrator\Application Data\vlc
2008-11-10 22:41 . 2008-11-19 16:48	<DIR>	d--------	c:\documents and settings\Compaq_Administrator\Application Data\dvdcss
2008-11-10 22:39 . 2008-11-10 22:39	<DIR>	d--------	c:\program files\VideoLAN
2008-11-10 21:13 . 2008-06-10 02:32	73,728	--a------	c:\windows\system32\javacpl.cpl
2008-11-10 21:12 . 2008-11-10 21:14	<DIR>	d--------	c:\program files\FrostWire
2008-11-10 18:03 . 2008-11-10 18:49	<DIR>	d--------	C:\illusion
2008-11-10 17:57 . 2005-05-26 15:34	2,297,552	--a------	c:\windows\system32\d3dx9_26.dll
2008-11-09 01:04 . 2008-11-09 01:04	236	--a------	C:\sqmdata00.sqm
2008-11-09 01:04 . 2008-11-09 01:04	200	--a------	C:\sqmnoopt00.sqm

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-15 11:30	---------	d-----w	c:\program files\Common Files\Adobe
2008-11-13 23:57	---------	d-----w	c:\program files\Symantec
2008-11-13 23:57	---------	d-----w	c:\program files\Common Files\Symantec Shared
2008-11-13 23:57	---------	d-----w	c:\documents and settings\All Users\Application Data\Symantec
2008-11-10 21:13	---------	d-----w	c:\program files\Java
2008-11-06 11:32	---------	d--h--w	c:\program files\InstallShield Installation Information
2008-11-06 11:20	---------	d-----w	c:\program files\Common Files\InstallShield
2008-10-24 11:10	453,632	----a-w	c:\windows\system32\drivers\mrxsmb.sys
2008-10-07 13:33	6,133,856	----a-w	c:\windows\system32\drivers\nv4_mini.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-09-09 3513344]
"Google Update"="c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-06 133104]
"RocketDock"="j:\rocketdock\RocketDock.exe" [2007-09-02 495616]
"Steam"="c:\program files\Steam\Steam.exe" [2008-11-08 1410296]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-02-17 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"ftutil2"="ftutil2.dll" [2004-06-07 c:\windows\system32\ftutil2.dll]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 c:\windows\RTHDCPL.EXE]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 c:\windows\arpwrmsg.exe]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]

c:\documents and settings\Guest\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-09-01 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-09-01 27136]

c:\documents and settings\Kim\Start Menu\Programs\Startup\
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-09-01 27136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\\windows\\resources\\LoginUI\\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=daoclf.dll kndugl.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Electronic Arts\\Red Alert 3\\Data\\ra3_1.3.game"=
"c:\\Program Files\\Steam\\steamapps\\rpowton\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\rpowton\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-20 110160]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-11-20 20560]
R3 ZY202_XP;ZyXEL 802.11g XG202 1211 Driver;c:\windows\system32\DRIVERS\WlanUZXP.sys [2008-11-06 437760]
S3 AFGMp50;AFGMp50 NDIS Protocol Driver;c:\windows\system32\Drivers\AFGMp50.sys []
S3 AFGSp50;AFGSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\AFGSp50.sys []
S3 ZDCNDIS5;ZDCNDIS5 NDIS Protocol Driver;\??\c:\windows\system32\ZDCndis5.SYS []
.
- - - - ORPHANS REMOVED - - - -

BHO-{25401087-D0F5-4157-B9C0-A6C4E261B021} - (no file)
BHO-{4E007A5F-299F-44FC-8B6B-F06B61867A2E} - c:\windows\system32\iifgEtuu.dll
BHO-{70DFDC90-21D2-4DC4-B66D-D0430B6CC90D} - c:\windows\system32\ddcApnLd.dll
BHO-{B2594244-C6CC-4EA9-B497-F15845196C9B} - c:\windows\system32\khfDtRKd.dll
HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe
HKLM-Run-b8ebc631 - c:\windows\system32\lyqbgrqh.dll
HKLM-Run-PCDrProfiler - (no file)
ShellExecuteHooks-{4E007A5F-299F-44FC-8B6B-F06B61867A2E} - c:\windows\system32\iifgEtuu.dll
Notify-iifgEtuu - iifgEtuu.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\1depm00d.default\
FF -: plugin - c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\Google\Update\1.2.131.27\npGoogleOneClick6.dll
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-22 16:09:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ad-Aware\aawservice.exe
c:\program files\Avast4\aswUpdSv.exe
c:\program files\Avast4\ashServ.exe
c:\windows\arservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\Tablet.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Avast4\ashMaiSv.exe
c:\program files\Avast4\ashWebSv.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\wscntfy.exe
c:\hp\KBD\kbd.exe
.
**************************************************************************
.
Completion time: 2008-11-22 16:14:39 - machine was rebooted
ComboFix-quarantined-files.txt  2008-11-22 16:14:34

Pre-Run: 84,432,334,848 bytes free
Post-Run: 86,195,367,936 bytes free

281	--- E O F ---	2008-11-16 21:01:22




HJT log
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:19:09, on 22/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ad-Aware\aawservice.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\Tablet.exe
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
J:\RocketDock\RocketDock.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wscntfy.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
c:\windows\system\hpsysdrv.exe
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\HijackThis\kurry.exe
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PRESARIO&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=PRESARIO&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=PRESARIO&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [RocketDock] "J:\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: daoclf.dll kndugl.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 8204 bytes


and the HJT uninstall list :)

Code:
Ad-Aware
Add or Remove Adobe Creative Suite 3 Design Premium
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color Common Settings
Adobe Color EU Recommended Settings
Adobe Color JA Extra Settings
Adobe Color NA Extra Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 Plugin
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Reader 7.0.5
Adobe Setup
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
AnyDVD
avast! Antivirus
BootSkin
CCleaner (remove only)
CD Art Display 2.0
Choice Guard
Command & Conquer™ Red Alert™ 3
Contacts
Counter-Strike: Source
Diablo II
DVD Flick
Enhanced Multimedia Keyboard Solution
FLIQLO Screen Saver
foobar2000 v0.9.5.2
FrostWire 4.17.1
GemMaster Mystic
Google Toolbar for Internet Explorer
Hamachi 1.0.3.0
Handbrake 0.9.2
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows Media Player 10 (KB910393)
Hotfix for Windows XP (KB893357)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB912024)
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB952287)
HP Boot Optimizer
HP DVD Play 2.1
HP Imaging Device Functions 7.0
HP Photosmart Premier Software 6.5
HP Software Update
IconPackager
ILLUSION ???~????
InterActual Player
Internet Services
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 7
Last.fm 1.5.2.38918
Logon Loader 3.0
Macromedia Flash Player 8
Mercenaries 2: World in Flames™ (DEMO)
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Works
Mozilla Firefox (3.0.4)
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
MyPhoneExplorer
Nero 9.0.9.4 Lite
NVIDIA Drivers
Otto
PC-Doctor 5 for Windows
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
RealPlayer
Realtek High Definition Audio Driver
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Segoe UI
SimpleMU MUD Client
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Spybot - Search & Destroy
Steam
System Requirements Lab
Team Fortress 2
Titan Quest
Titan Quest: Immortal Throne
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB953356)
VLC media player 0.9.6
Wacom Tablet Driver
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Live Beta (all programs)
Windows Live Beta (all programs)
Windows Live Call
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format Runtime
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892050
Windows XP Hotfix - KB893066
Windows XP Media Center Edition 2005 KB912067
XP Vista Pack
ZyXEL G-202 Wireless Adapter Utility
kurry
Active Member
 
Posts: 12
Joined: December 8th, 2007, 1:11 pm

Re: Noticed Firefox crashing, many popups now being blocked.

Unread postby Sharagoz » November 23rd, 2008, 11:33 am

P2P warning
You have FrostWire installed on your computer. This is a peer-to-peer program used to share files between computers.
There are several issues related to this:
  • P2P programs are notorious for being bundled with unwanted adware/spyware programs
  • Poorly configured P2P programs can share more files than you want them to, including personal files
  • Since it's impossible to establish the source you are copying files from, you will always be at a certain risk every time you download a file. Malware written specifically to spread through P2P networks is becoming an increasing problem and may be the source of your current infection. Even if you can trust the P2P program itself, you can never trust the sources you download from.

By MWR policy I am forced to ask that you uninstall this program if you wish me to further help you with your malware issues.
For more info, read the MWR policy on P2P programs

To uninstall the program, go to Add/Remove Programs and uninstall the following:
FrostWire 4.17.1

New uninstall list
  • Launch HijackThis
  • Click the Open the Misc Tools section button
  • Click the Open Uninstall Manager button.
  • Click the Save list button.
  • Include this log in your next reply

Get a new HiJackThis log
  • Launch HijackThis
  • Click on the Do a system scan and save a logfile button
  • HJT will run a scan and a log will open in Notepad
  • Include this log in your next reply

Logs I need:
Uninstall list
New HJT log
Sharagoz
Retired Graduate
 
Posts: 985
Joined: February 22nd, 2008, 4:31 pm
Location: Norway

Re: Noticed Firefox crashing, many popups now being blocked.

Unread postby kurry » November 24th, 2008, 3:53 pm

I've uninstalled FrostWire; new logs for you

HJT
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:51:55, on 24/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ad-Aware\aawservice.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
J:\RocketDock\RocketDock.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Last.fm\LastFM.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\foobar2000\foobar2000.exe
c:\windows\system\hpsysdrv.exe
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\kurry.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PRESARIO&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=PRESARIO&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=PRESARIO&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {25401087-D0F5-4157-B9C0-A6C4E261B021} - (no file)
O2 - BHO: (no name) - {4E007A5F-299F-44FC-8B6B-F06B61867A2E} - (no file)
O2 - BHO: (no name) - {70DFDC90-21D2-4DC4-B66D-D0430B6CC90D} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {B2594244-C6CC-4EA9-B497-F15845196C9B} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [RocketDock] "J:\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: daoclf.dll kndugl.dll
O20 - Winlogon Notify: iifgEtuu - C:\WINDOWS\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 8340 bytes



Uninstall list
Code:
Ad-Aware
Add or Remove Adobe Creative Suite 3 Design Premium
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color Common Settings
Adobe Color EU Recommended Settings
Adobe Color JA Extra Settings
Adobe Color NA Extra Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 Plugin
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Reader 7.0.5
Adobe Setup
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
AnyDVD
avast! Antivirus
BootSkin
CCleaner (remove only)
CD Art Display 2.0
Choice Guard
Command & Conquer™ Red Alert™ 3
Contacts
Counter-Strike: Source
Diablo II
DVD Flick
Enhanced Multimedia Keyboard Solution
FLIQLO Screen Saver
foobar2000 v0.9.5.2
GemMaster Mystic
Google Toolbar for Internet Explorer
Hamachi 1.0.3.0
Handbrake 0.9.2
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows Media Player 10 (KB910393)
Hotfix for Windows XP (KB893357)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB912024)
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB952287)
HP Boot Optimizer
HP DVD Play 2.1
HP Imaging Device Functions 7.0
HP Photosmart Premier Software 6.5
HP Software Update
IconPackager
ILLUSION ???~????
InterActual Player
Internet Services
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 7
Last.fm 1.5.2.38918
Logon Loader 3.0
Macromedia Flash Player 8
Mercenaries 2: World in Flames™ (DEMO)
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Works
Mozilla Firefox (3.0.4)
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
MyPhoneExplorer
Nero 9.0.9.4 Lite
NVIDIA Drivers
Otto
PC-Doctor 5 for Windows
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
Rainmeter (remove only)
RealPlayer
Realtek High Definition Audio Driver
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Segoe UI
SimpleMU MUD Client
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Spybot - Search & Destroy
Steam
System Requirements Lab
Team Fortress 2
Titan Quest
Titan Quest: Immortal Throne
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB953356)
VLC media player 0.9.6
Wacom Tablet Driver
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Live Beta (all programs)
Windows Live Beta (all programs)
Windows Live Call
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format Runtime
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892050
Windows XP Hotfix - KB893066
Windows XP Media Center Edition 2005 KB912067
XP Vista Pack
ZyXEL G-202 Wireless Adapter Utility


:)
kurry
Active Member
 
Posts: 12
Joined: December 8th, 2007, 1:11 pm

Re: Noticed Firefox crashing, many popups now being blocked.

Post by Sharagoz » November 25th, 2008, 3:05 pm

1) Move ComboFix
You did not run ComboFix directly from your desktop as instructed.
You have ComboFix located here:
c:\documents and settings\Compaq_Administrator\My Documents\Downloads\ComboFix.exe
Please move ComboFix from there to your desktop before proceeding. It needs to be located directly on your desktop.

You need to disable TeaTimer, Ad-Watch and Avast again before proceeding.

2) Run ComboFix with CFScript
  • Right-click on your desktop, select New -> Text file
  • Name the file CFScript.txt
  • Open CFScript.txt and copy the contents of the code box below into it, save and close
    Code:
    DirLook::
    C:\documents and settings\Kim\Tracing
    C:\documents and settings\Kim\WINDOWS
    C:\documents and settings\Guest\WINDOWS
    C:\illusion
    
    File::
    c:\windows\system32\hqpvhooc.dll
    c:\windows\system32\umaowcni.dll
    c:\windows\system32\qdseqydh.dll
    c:\windows\system32\wqnnjbga.dll
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    
    [-hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{25401087-D0F5-4157-B9C0-A6C4E261B021}]
    [-hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{4E007A5F-299F-44FC-8B6B-F06B61867A2E}]
    [-hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{70DFDC90-21D2-4DC4-B66D-D0430B6CC90D}]
    [-hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{B2594244-C6CC-4EA9-B497-F15845196C9B}]
    
  • Drag CFScript.txt on top of the ComboFix.exe icon and release
  • ComboFix will start if you did this correctly
  • When ComboFix has finished scanning, a log will open
  • Include this log in your next reply

Enable your security software again after this step.

Firewall warning:
You have Windows firewall disabled and I see no signs of a 3rd party firewall on your computer.
I strongly recommend you enable the firewall unless you have a good reason not to.
To do so, do the following:
  • Press the Windows key and the R key at the same time to open the Run dialog box
  • Type in firewall.cpl and press Enter
  • Turn on the firewall and press OK

3) Get a new HiJackThis log
  • Launch HijackThis
  • Click on the Do a system scan and save a logfile button
  • HJT will run a scan and a log will open in Notepad
  • Include this log in your next reply

Logs I need:
ComboFix log
New HJT log

You have an uninstall entry that looks like this:
ILLUSION ???~????
Do you know what this is?
Sharagoz
Retired Graduate
 
Posts: 985
Joined: February 22nd, 2008, 4:31 pm
Location: Norway

Re: Noticed Firefox crashing, many popups now being blocked.

Post by kurry » November 27th, 2008, 4:26 pm

That's all done, here are your logs.
As for the Illusion entry, I'm not going to hide my shame... that's a lewd game I acquired a long time ago, I'm VERY sure this isn't malware. There haven't been any changes in it for a long time.

Code:
ComboFix 08-11-21.05 - Compaq_Administrator 2008-11-27 20:14:53.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.131 [GMT 0:00]
Running from: c:\documents and settings\Compaq_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Compaq_Administrator\Desktop\CFScript.txt
 * Created a new restore point

FILE ::
c:\windows\system32\hqpvhooc.dll
c:\windows\system32\qdseqydh.dll
c:\windows\system32\umaowcni.dll
c:\windows\system32\wqnnjbga.dll
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\hqpvhooc.dll
c:\windows\system32\qdseqydh.dll
c:\windows\system32\umaowcni.dll
c:\windows\system32\wqnnjbga.dll

.
(((((((((((((((((((((((((   Files Created from 2008-10-27 to 2008-11-27  )))))))))))))))))))))))))))))))
.

2008-11-27 19:56 . 2008-11-27 19:56	<DIR>	d--------	c:\documents and settings\Compaq_Administrator\Application Data\AdobeUM
2008-11-27 19:55 . 2008-11-27 19:55	<DIR>	d--------	c:\program files\Launchy
2008-11-27 19:55 . 2008-11-27 19:55	<DIR>	d--------	c:\documents and settings\Compaq_Administrator\Application Data\Launchy
2008-11-27 16:33 . 2008-11-27 16:33	<DIR>	d--------	c:\program files\Start Killer
2008-11-27 08:35 . 2008-11-27 08:35	236	--a------	C:\sqmdata12.sqm
2008-11-27 08:35 . 2008-11-27 08:35	200	--a------	C:\sqmnoopt12.sqm
2008-11-23 09:59 . 2008-11-23 10:07	<DIR>	d--------	c:\program files\Rainmeter
2008-11-22 14:05 . 2008-11-22 14:05	236	--a------	C:\sqmdata11.sqm
2008-11-22 14:05 . 2008-11-22 14:05	200	--a------	C:\sqmnoopt11.sqm
2008-11-22 13:12 . 2008-11-22 13:12	<DIR>	d--------	c:\program files\EA Games
2008-11-22 13:12 . 2007-10-12 15:14	3,734,536	--a------	c:\windows\system32\d3dx9_36.dll
2008-11-22 13:12 . 2007-05-16 16:45	3,497,832	--a------	c:\windows\system32\d3dx9_34.dll
2008-11-22 13:12 . 2007-10-12 15:14	1,374,232	--a------	c:\windows\system32\D3DCompiler_36.dll
2008-11-22 13:12 . 2007-05-16 16:45	1,124,720	--a------	c:\windows\system32\D3DCompiler_34.dll
2008-11-22 13:12 . 2007-10-02 09:56	444,776	--a------	c:\windows\system32\d3dx10_36.dll
2008-11-22 13:12 . 2007-05-16 16:45	443,752	--a------	c:\windows\system32\d3dx10_34.dll
2008-11-22 13:12 . 2007-10-22 03:39	267,272	--a------	c:\windows\system32\xactengine2_10.dll
2008-11-22 13:12 . 2007-07-20 00:57	267,112	--a------	c:\windows\system32\xactengine2_9.dll
2008-11-22 13:12 . 2007-06-20 20:46	266,088	--a------	c:\windows\system32\xactengine2_8.dll
2008-11-22 13:12 . 2007-10-22 03:37	17,928	--a------	c:\windows\system32\X3DAudio1_2.dll
2008-11-22 09:37 . 2008-11-22 09:37	236	--a------	C:\sqmdata10.sqm
2008-11-22 09:37 . 2008-11-22 09:37	200	--a------	C:\sqmnoopt10.sqm
2008-11-22 09:32 . 2008-11-22 09:32	236	--a------	C:\sqmdata09.sqm
2008-11-22 09:32 . 2008-11-22 09:32	200	--a------	C:\sqmnoopt09.sqm
2008-11-21 09:26 . 2008-11-21 09:26	236	--a------	C:\sqmdata08.sqm
2008-11-21 09:26 . 2008-11-21 09:26	200	--a------	C:\sqmnoopt08.sqm
2008-11-21 07:46 . 2008-11-21 07:46	236	--a------	C:\sqmdata07.sqm
2008-11-21 07:46 . 2008-11-21 07:46	200	--a------	C:\sqmnoopt07.sqm
2008-11-20 19:42 . 2008-11-20 19:42	<DIR>	d--------	c:\program files\Spybot - Search & Destroy
2008-11-20 19:42 . 2008-11-20 20:52	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-20 19:41 . 2008-11-20 19:41	<DIR>	d--------	c:\program files\Ad-Aware
2008-11-20 19:41 . 2008-11-20 19:43	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-20 10:23 . 2008-11-20 10:23	<DIR>	d---s----	c:\documents and settings\Kim\UserData
2008-11-19 22:04 . 2008-11-19 22:04	<DIR>	d--------	c:\program files\Nero 9
2008-11-19 22:04 . 2008-11-19 22:04	<DIR>	d--------	c:\program files\Common Files\Nero
2008-11-19 21:50 . 2008-11-19 21:50	<DIR>	d--------	c:\documents and settings\Compaq_Administrator\Application Data\Sonic
2008-11-19 21:50 . 2008-11-19 21:50	<DIR>	d--------	c:\documents and settings\Compaq_Administrator\Application Data\Leadertech
2008-11-18 21:19 . 2008-11-18 21:19	236	--a------	C:\sqmdata06.sqm
2008-11-18 21:19 . 2008-11-18 21:19	200	--a------	C:\sqmnoopt06.sqm
2008-11-18 14:29 . 2008-11-20 10:23	<DIR>	d--------	c:\documents and settings\Kim\Tracing
2008-11-18 10:09 . 2008-11-18 10:09	200	--a------	C:\sqmnoopt05.sqm
2008-11-18 10:09 . 2008-11-18 10:09	200	--a------	C:\sqmdata05.sqm
2008-11-18 08:52 . 2006-09-01 12:57	<DIR>	d--------	c:\documents and settings\Kim\WINDOWS
2008-11-18 08:52 . 2008-11-20 10:23	<DIR>	d--------	c:\documents and settings\Kim
2008-11-17 22:29 . 2007-03-07 23:51	129,784	--a------	c:\windows\system32\pxafs.dll
2008-11-17 21:56 . 2008-11-24 19:16	<DIR>	d--------	c:\documents and settings\Compaq_Administrator\Application Data\SiteAdvisor
2008-11-17 21:56 . 2008-11-17 21:56	<DIR>	d--------	c:\documents and settings\All Users\Application Data\SiteAdvisor
2008-11-17 21:56 . 2008-11-17 21:56	<DIR>	d--------	c:\documents and settings\All Users\Application Data\McAfee
2008-11-17 21:39 . 2008-11-17 21:42	<DIR>	d--------	c:\program files\foobar2000
2008-11-17 20:55 . 2008-11-17 20:56	<DIR>	d--------	c:\windows\system32\FLIQLO dir
2008-11-17 20:55 . 2008-11-17 20:55	532,480	--a------	c:\windows\system32\FLIQLO.scr
2008-11-17 20:42 . 2008-11-27 16:59	<DIR>	d--------	c:\program files\CD Art Display
2008-11-17 20:42 . 2003-01-27 14:27	94,208	--a------	c:\windows\system32\wmpuice.dll
2008-11-17 20:42 . 2008-08-24 21:33	69,632	--a------	c:\windows\cadSSaver.scr
2008-11-17 20:15 . 2008-11-27 19:58	<DIR>	d--------	c:\program files\Avast4
2008-11-16 20:45 . 2008-11-16 20:45	<DIR>	d--------	c:\documents and settings\Compaq_Administrator\Application Data\CyberLink
2008-11-16 20:41 . 2008-11-16 20:42	<DIR>	d--------	c:\program files\InterActual
2008-11-16 19:08 . 2008-11-16 19:08	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Blizzard
2008-11-16 16:23 . 2008-11-16 16:23	<DIR>	d--------	c:\program files\DVD Flick
2008-11-16 16:23 . 2008-11-16 17:06	<DIR>	d--------	c:\documents and settings\Compaq_Administrator\Application Data\DVD Flick
2008-11-16 16:23 . 2004-03-09 00:00	662,288	--a------	c:\windows\system32\mscomct2.ocx
2008-11-16 16:23 . 1998-06-24 00:00	164,144	--a------	c:\windows\system32\comct232.ocx
2008-11-16 16:23 . 2003-01-26 13:41	40,960	--a------	c:\windows\system32\ssubtmr6.dll
2008-11-16 16:23 . 2007-08-31 18:36	36,864	--a------	c:\windows\system32\trayicon_handler.ocx
2008-11-16 16:23 . 2008-08-31 13:27	28,672	--a------	c:\windows\system32\mousewheel.ocx
2008-11-16 16:12 . 2006-09-01 12:57	<DIR>	d--------	c:\documents and settings\Guest\WINDOWS
2008-11-16 16:12 . 2008-11-16 16:12	<DIR>	d--------	c:\documents and settings\Guest
2008-11-16 14:21 . 2008-11-16 14:21	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Last.fm
2008-11-16 14:19 . 2008-11-16 14:19	<DIR>	d--------	c:\program files\Last.fm
2008-11-16 13:29 . 2008-11-16 13:29	<DIR>	d--------	c:\program files\BootSkin
2008-11-16 13:29 . 2008-11-16 13:30	162,432	--a------	c:\windows\system32\drivers\vidstub.sys
2008-11-16 12:57 . 2008-11-16 12:57	<DIR>	d--------	c:\program files\Logon Loader
2008-11-16 09:17 . 2008-11-16 09:17	<DIR>	d--------	c:\program files\Common Files\Blizzard Entertainment
2008-11-16 09:11 . 2008-11-16 09:15	<DIR>	d--------	c:\documents and settings\Compaq_Administrator\Application Data\Otto
2008-11-16 09:11 . 2008-11-16 09:15	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Otto
2008-11-15 23:55 . 2008-11-15 23:55	<DIR>	d--------	c:\documents and settings\All Users\Application Data\SlySoft
2008-11-15 23:52 . 2008-11-15 23:52	<DIR>	d--------	c:\program files\SlySoft
2008-11-15 23:44 . 2008-11-15 23:44	<DIR>	d--------	c:\program files\Handbrake
2008-11-15 23:41 . 2008-11-15 23:41	236	--a------	C:\sqmdata04.sqm
2008-11-15 23:41 . 2008-11-15 23:41	200	--a------	C:\sqmnoopt04.sqm
2008-11-15 23:36 . 2008-11-15 23:36	<DIR>	d--------	c:\windows\system32\XPSViewer
2008-11-15 23:36 . 2008-11-15 23:36	<DIR>	d--------	c:\program files\Reference Assemblies
2008-11-15 23:36 . 2008-11-15 23:36	<DIR>	d--------	c:\program files\MSBuild
2008-11-15 23:35 . 2008-07-06 12:06	1,676,288	--a------	c:\windows\system32\xpssvcs.dll
2008-11-15 23:35 . 2008-07-06 12:06	1,676,288	--a------	c:\windows\system32\dllcache\xpssvcs.dll
2008-11-15 23:35 . 2008-07-06 10:50	597,504	--a------	c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2008-11-15 23:35 . 2008-07-06 12:06	575,488	--a------	c:\windows\system32\xpsshhdr.dll
2008-11-15 23:35 . 2008-07-06 12:06	575,488	--a------	c:\windows\system32\dllcache\xpsshhdr.dll
2008-11-15 23:35 . 2008-07-06 12:06	117,760	--a------	c:\windows\system32\prntvpt.dll
2008-11-15 23:35 . 2008-07-06 12:06	89,088	--a------	c:\windows\system32\dllcache\filterpipelineprintproc.dll
2008-11-15 23:33 . 2008-11-15 23:39	<DIR>	d--------	c:\windows\NV32401520.TMP
2008-11-15 23:33 . 2008-11-20 19:39	<DIR>	d--------	c:\program files\Common Files\Wise Installation Wizard
2008-11-15 23:33 . 2008-10-07 13:33	201,157	--a------	c:\windows\system32\nvapps.nvb
2008-11-15 23:31 . 2008-11-15 23:31	<DIR>	d--------	c:\program files\MSXML 6.0
2008-11-15 23:31 . 2008-11-15 23:31	<DIR>	d--------	C:\NVIDIA
2008-11-15 23:27 . 2008-11-15 23:27	<DIR>	d--------	c:\program files\SystemRequirementsLab
2008-11-15 23:27 . 2008-11-15 23:27	<DIR>	d--------	c:\documents and settings\Compaq_Administrator\Application Data\SystemRequirementsLab
2008-11-15 23:26 . 2008-11-15 23:26	<DIR>	d--------	c:\windows\Sun
2008-11-15 13:22 . 2008-11-15 13:22	<DIR>	d--------	c:\documents and settings\All Users\Application Data\FLEXnet
2008-11-15 13:12 . 2008-11-15 13:12	<DIR>	d--------	c:\program files\Wacom
2008-11-15 13:12 . 2000-11-22 11:40	1,682,273	--a------	c:\windows\system32\TabCP-En.znc
2008-11-15 13:12 . 2000-11-29 17:25	856,064	--a------	c:\windows\system32\Tablet.cpl
2008-11-15 13:12 . 2000-11-29 20:49	450,560	--a------	c:\windows\system32\Tablet.exe
2008-11-15 13:12 . 2000-11-29 20:49	90,112	--a------	c:\windows\system32\Wintab32.dll
2008-11-15 13:12 . 1999-12-21 15:53	53,248	--a------	c:\windows\system32\TabUnst.dll
2008-11-15 13:12 . 2000-11-29 20:49	49,152	--a------	c:\windows\system32\TabHook.dll
2008-11-15 13:12 . 2000-10-20 10:51	24,320	--a------	c:\windows\system32\drivers\penclass.sys
2008-11-15 13:12 . 1999-05-07 09:12	15,744	--a------	c:\windows\system32\wintab.dll
2008-11-15 13:12 . 2008-11-27 15:48	296	--a------	c:\windows\system32\wacom.dat
2008-11-15 13:11 . 2000-01-05 14:14	36,864	--a------	c:\windows\system32\pencls32.dll
2008-11-15 11:27 . 2008-11-15 11:27	<DIR>	d--------	c:\program files\Bonjour
2008-11-15 11:24 . 2008-11-15 11:24	<DIR>	d--------	c:\program files\Common Files\Macrovision Shared
2008-11-15 11:23 . 2008-11-15 11:23	236	--a------	C:\sqmdata03.sqm
2008-11-15 11:23 . 2008-11-15 11:23	200	--a------	C:\sqmnoopt03.sqm
2008-11-14 09:32 . 2008-11-14 09:32	236	--a------	C:\sqmdata02.sqm
2008-11-14 09:32 . 2008-11-14 09:32	200	--a------	C:\sqmnoopt02.sqm
2008-11-13 23:59 . 2008-11-13 23:59	236	--a------	C:\sqmdata01.sqm
2008-11-13 23:59 . 2008-11-13 23:59	200	--a------	C:\sqmnoopt01.sqm
2008-11-11 17:22 . 2008-11-11 17:22	<DIR>	d--------	c:\program files\simplemu
2008-11-10 22:41 . 2008-11-10 22:42	<DIR>	d--------	c:\documents and settings\Compaq_Administrator\Application Data\vlc
2008-11-10 22:41 . 2008-11-19 16:48	<DIR>	d--------	c:\documents and settings\Compaq_Administrator\Application Data\dvdcss
2008-11-10 22:39 . 2008-11-10 22:39	<DIR>	d--------	c:\program files\VideoLAN
2008-11-10 21:13 . 2008-06-10 02:32	73,728	--a------	c:\windows\system32\javacpl.cpl
2008-11-10 18:03 . 2008-11-10 18:49	<DIR>	d--------	C:\illusion
2008-11-10 17:57 . 2005-05-26 15:34	2,297,552	--a------	c:\windows\system32\d3dx9_26.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-15 11:30	---------	d-----w	c:\program files\Common Files\Adobe
2008-11-13 23:57	---------	d-----w	c:\program files\Symantec
2008-11-13 23:57	---------	d-----w	c:\program files\Common Files\Symantec Shared
2008-11-13 23:57	---------	d-----w	c:\documents and settings\All Users\Application Data\Symantec
2008-11-10 21:13	---------	d-----w	c:\program files\Java
2008-11-06 11:32	---------	d--h--w	c:\program files\InstallShield Installation Information
2008-11-06 11:20	---------	d-----w	c:\program files\Common Files\InstallShield
2008-10-24 11:10	453,632	----a-w	c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 11:10	453,632	----a-w	c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 15:07	99,904	----a-w	c:\windows\system32\drivers\AnyDVD.sys
2008-10-16 14:13	202,776	----a-w	c:\windows\system32\wuweb.dll
2008-10-16 14:13	202,776	----a-w	c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:13	1,809,944	----a-w	c:\windows\system32\wuaueng.dll
2008-10-16 14:13	1,809,944	----a-w	c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:12	561,688	----a-w	c:\windows\system32\wuapi.dll
2008-10-16 14:12	561,688	----a-w	c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:12	323,608	----a-w	c:\windows\system32\wucltui.dll
2008-10-16 14:12	323,608	----a-w	c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:09	92,696	----a-w	c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09	92,696	----a-w	c:\windows\system32\cdm.dll
2008-10-16 14:09	51,224	----a-w	c:\windows\system32\wuauclt.exe
2008-10-16 14:09	51,224	----a-w	c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:09	43,544	----a-w	c:\windows\system32\wups2.dll
2008-10-16 14:08	34,328	----a-w	c:\windows\system32\wups.dll
2008-10-16 14:08	34,328	----a-w	c:\windows\system32\dllcache\wups.dll
2008-10-15 16:57	332,800	----a-w	c:\windows\system32\dllcache\netapi32.dll
2008-09-30 16:43	1,286,152	----a-w	c:\windows\system32\msxml4.dll
2008-09-15 11:57	1,846,016	----a-w	c:\windows\system32\win32k.sys
2008-09-15 11:57	1,846,016	----a-w	c:\windows\system32\dllcache\win32k.sys
2008-09-09 00:03	51,712	----a-w	c:\windows\system32\sirenacm.dll
2008-09-04 16:42	1,106,944	----a-w	c:\windows\system32\msxml3.dll
2008-09-04 16:42	1,106,944	----a-w	c:\windows\system32\dllcache\msxml3.dll
2008-08-29 20:06	1,350,664	----a-w	c:\windows\system32\msxml6.dll
2008-08-28 10:04	333,056	----a-w	c:\windows\system32\dllcache\srv.sys
.

((((((((((((((((((((((((((((((((((((((((((((   Look   )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\documents and settings\Guest\WINDOWS ----


---- Directory of c:\documents and settings\Kim\Tracing ----

2008-11-20 10:23	0	--a------	c:\documents and settings\Kim\Tracing\WindowsLiveMessenger-uccapi-0.uccapilog 

---- Directory of c:\documents and settings\Kim\WINDOWS ----



(((((((((((((((((((((((((((((   snapshot@2008-11-22_16.14.08.68   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-22 00:28:36	343,424	----a-w	c:\windows\system32\FNTCACHE.DAT
+ 2008-11-24 18:50:28	345,016	----a-w	c:\windows\system32\FNTCACHE.DAT
+ 2008-10-16 14:08:58	34,328	----a-w	c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.788\wups.dll
+ 2008-10-16 14:09:44	43,544	----a-w	c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.788\wups2.dll
+ 2008-11-27 15:48:23	16,384	----atw	c:\windows\Temp\Perflib_Perfdata_1d8.dat
+ 2008-11-27 16:06:51	16,384	----atw	c:\windows\Temp\Perflib_Perfdata_784.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-09-09 3513344]
"Google Update"="c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-06 133104]
"RocketDock"="j:\rocketdock\RocketDock.exe" [2007-09-02 495616]
"Steam"="c:\program files\Steam\Steam.exe" [2008-11-08 1410296]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-02-17 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"ftutil2"="ftutil2.dll" [2004-06-07 c:\windows\system32\ftutil2.dll]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 c:\windows\RTHDCPL.EXE]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 c:\windows\arpwrmsg.exe]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]
"PCDrProfiler"="" [BU]

c:\documents and settings\Guest\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-09-01 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-09-01 27136]

c:\documents and settings\Kim\Start Menu\Programs\Startup\
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-09-01 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - c:\program files\Launchy\Launchy.exe [2008-11-27 286720]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\\windows\\resources\\LoginUI\\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifgEtuu]
 [BU]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Electronic Arts\\Red Alert 3\\Data\\ra3_1.3.game"=
"c:\\Program Files\\Steam\\steamapps\\rpowton\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\rpowton\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-20 110160]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-11-20 20560]
R3 ZY202_XP;ZyXEL 802.11g XG202 1211 Driver;c:\windows\system32\DRIVERS\WlanUZXP.sys [2008-11-06 437760]
S3 AFGMp50;AFGMp50 NDIS Protocol Driver;c:\windows\system32\Drivers\AFGMp50.sys []
S3 AFGSp50;AFGSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\AFGSp50.sys []
S3 ZDCNDIS5;ZDCNDIS5 NDIS Protocol Driver;\??\c:\windows\system32\ZDCndis5.SYS []

*Newly Created Service* - CATCHME
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-27 20:17:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-27 20:18:41
ComboFix-quarantined-files.txt  2008-11-27 20:18:38
ComboFix2.txt  2008-11-22 16:14:41

Pre-Run: 86,129,291,264 bytes free
Post-Run: 86,116,220,928 bytes free

270	--- E O F ---	2008-11-16 21:01:22


HJT log
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:25:21, on 27/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ad-Aware\aawservice.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
J:\RocketDock\RocketDock.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\Start Killer\StartKiller.exe
C:\Program Files\foobar2000\foobar2000.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\7-Zip\7zFM.exe
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\kurry.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PRESARIO&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=PRESARIO&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=PRESARIO&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {25401087-D0F5-4157-B9C0-A6C4E261B021} - (no file)
O2 - BHO: (no name) - {4E007A5F-299F-44FC-8B6B-F06B61867A2E} - (no file)
O2 - BHO: (no name) - {70DFDC90-21D2-4DC4-B66D-D0430B6CC90D} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {B2594244-C6CC-4EA9-B497-F15845196C9B} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [RocketDock] "J:\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: iifgEtuu - C:\WINDOWS\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 8432 bytes



Thanks for the help again :lol: :)
kurry
Active Member
 
Posts: 12
Joined: December 8th, 2007, 1:11 pm

Re: Noticed Firefox crashing, many popups now being blocked.

Unread postby Sharagoz » November 28th, 2008, 5:08 am

Disable your security software like in the previous procedures.
Having it enabled may result in unwanted interference and will increase scan times.
Last time the fix did not work properly and the reason is probably that Spybot's Teatimer was still running.


1) Fix bad entries using HiJackThis
  • Launch HiJackThis
  • Click the Do a system scan only button
  • Put a checkmark next to the below lines if they are listed

    O2 - BHO: (no name) - {25401087-D0F5-4157-B9C0-A6C4E261B021} - (no file)
    O2 - BHO: (no name) - {4E007A5F-299F-44FC-8B6B-F06B61867A2E} - (no file)
    O2 - BHO: (no name) - {70DFDC90-21D2-4DC4-B66D-D0430B6CC90D} - (no file)
    O2 - BHO: (no name) - {B2594244-C6CC-4EA9-B497-F15845196C9B} - (no file)
    O20 - Winlogon Notify: iifgEtuu - C:\WINDOWS\

  • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
  • Click the Fix checked button and close HiJackThis

Restart your computer after this step

2) Download and run CCleaner
If your version of CCleaner is the latest version (213), skip the downloading+installation steps and move straight to cleaning.
  • Download CCleaner from here
  • Install and launch CCleaner
  • Click the Options button and select Advanced
  • Uncheck the option "Only delete files in Windows Temp folders older than 48 hours"
  • Click the Cleaner button
  • If you wish to avoid being logged out of all websites you're currently logged into, make sure Cookies are unchecked for the web browser(s) you use. Internet Explorer is located under the Windows tab, other browsers are located under the Applications tab
  • Click the Run Cleaner button at the bottom right of the window
  • Click Yes at the prompt and let the cleaner finish
Note:
If there is more than one user account on this computer, run CCleaner using this procedure on all other user accounts as well

3) Download and Run Malwarebytes Anti-Malware
  • Download Malwarebytes' Anti-Malware and install the program
  • At the end, make sure a checkmark is placed next to:
    o Update Malwarebytes' Anti-Malware
    o Launch Malwarebytes' Anti-Malware
  • Click Finish
  • If an update is found, it will download and install the latest version
  • Once the program has loaded, click Check for updates
  • Select Perform full scan, then click Scan to start scanning
  • When the scan is complete, click OK, then Show Results to view the results
  • Make sure that everything is checked, and click Remove Selected
  • When completed, a log will open in Notepad. Include this log in your next reply
Note:
If for some reason you lose the log, it can be retrieved manually from this location:
C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Enable your security software again after this step.

4) Get a new HiJackThis log
  • Launch Hijackthis
  • Click on the Do a system scan and save a logfile button
  • HJT will run a scan and a log will open in Notepad
  • Include this log in your next reply

Logs I need:
Malwarebytes log
New HJT log

How is the computer running? Are you still experiencing malware problems?
Sharagoz
Retired Graduate
 
Posts: 985
Joined: February 22nd, 2008, 4:31 pm
Location: Norway

Re: Noticed Firefox crashing, many popups now being blocked.

Unread postby kurry » November 28th, 2008, 2:00 pm

Okay, here are the logs.

Malwarebytes
Code:
Malwarebytes' Anti-Malware 1.30
Database version: 1431
Windows 5.1.2600 Service Pack 2

28/11/2008 16:50:33
mbam-log-2008-11-28 (16-50-33).txt

Scan type: Full Scan (C:\|)
Objects scanned: 138442
Time elapsed: 36 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\daoclf.dll.vir (Trojan.Vundo) -> Delete on reboot.
C:\Qoobox\Quarantine\C\WINDOWS\system32\lydckh.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\vfdigcks.dll.vir (Trojan.Vundo) -> Delete on reboot.
C:\Qoobox\Quarantine\C\WINDOWS\system32\yjosypys.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F7149EC7-4FA5-4148-81FA-2F7A6348FD9A}\RP30\A0009280.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F7149EC7-4FA5-4148-81FA-2F7A6348FD9A}\RP30\A0009281.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F7149EC7-4FA5-4148-81FA-2F7A6348FD9A}\RP30\A0009285.dll (Trojan.Vundo) -> Delete on reboot.
C:\System Volume Information\_restore{F7149EC7-4FA5-4148-81FA-2F7A6348FD9A}\RP30\A0009306.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F7149EC7-4FA5-4148-81FA-2F7A6348FD9A}\RP33\A0010649.dll (Trojan.Vundo) -> Delete on reboot.
C:\System Volume Information\_restore{F7149EC7-4FA5-4148-81FA-2F7A6348FD9A}\RP33\A0010658.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F7149EC7-4FA5-4148-81FA-2F7A6348FD9A}\RP33\A0010660.dll (Trojan.Vundo) -> Delete on reboot.
C:\System Volume Information\_restore{F7149EC7-4FA5-4148-81FA-2F7A6348FD9A}\RP33\A0010661.dll (Trojan.Vundo) -> Quarantined and deleted successfully.


HJT (I took this after I re-booted.)
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:57:44, on 28/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ad-Aware\aawservice.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
J:\RocketDock\RocketDock.exe
C:\WINDOWS\arservice.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Launchy\Launchy.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\foobar2000\foobar2000.exe
C:\Program Files\CD Art Display\CAD.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\HijackThis\kurry.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PRESARIO&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=PRESARIO&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=PRESARIO&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {25401087-D0F5-4157-B9C0-A6C4E261B021} - (no file)
O2 - BHO: (no name) - {4E007A5F-299F-44FC-8B6B-F06B61867A2E} - (no file)
O2 - BHO: (no name) - {70DFDC90-21D2-4DC4-B66D-D0430B6CC90D} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {B2594244-C6CC-4EA9-B497-F15845196C9B} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [RocketDock] "J:\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: iifgEtuu - C:\WINDOWS\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 9063 bytes



As for the PC's behaviour, everything is functioning fine except for Firefox.
Most of the pop-ups haven't been popping anymore, but I understand that doesn't necessarily mean I'm clean, so I've stuck with this thread to become so.
kurry
Active Member
 
Posts: 12
Joined: December 8th, 2007, 1:11 pm

Re: Noticed Firefox crashing, many popups now being blocked.

Unread postby Sharagoz » November 28th, 2008, 2:50 pm

There are some entries in your HJT log that refuse to go willingly. Let's try to get rid of them in safe mode.

Boot into safe mode by following this guide:
How to boot into safe mode safely

1) Fix bad entries using HiJackThis
  • Launch HiJackThis
  • Click the Do a system scan only button
  • Put a checkmark next to the below lines if they are listed

    O2 - BHO: (no name) - {25401087-D0F5-4157-B9C0-A6C4E261B021} - (no file)
    O2 - BHO: (no name) - {4E007A5F-299F-44FC-8B6B-F06B61867A2E} - (no file)
    O2 - BHO: (no name) - {70DFDC90-21D2-4DC4-B66D-D0430B6CC90D} - (no file)
    O2 - BHO: (no name) - {B2594244-C6CC-4EA9-B497-F15845196C9B} - (no file)
    O20 - Winlogon Notify: iifgEtuu - C:\WINDOWS\

  • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
  • Click the Fix checked button and close HiJackThis

Restart your computer back into normal mode

2) Get a new HiJackThis log
  • Launch Hijackthis
  • Click on the Do a system scan and save a logfile button
  • HJT will run a scan and a log will open in Notepad
  • Include this log in your next reply


everything is functioning fine except for firefox.
Most of the pop-ups haven't been popping any more

What kind of problems are you having with firefox?
When you say "most" of the popups are gone, does that mean you are still experiencing popups?
Sharagoz
Retired Graduate
 
Posts: 985
Joined: February 22nd, 2008, 4:31 pm
Location: Norway
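
The helper's triage, both the list of entries to tick in the earlier reply and the observation here that they survive a fix, comes down to two checks on HijackThis lines: O2 BHO entries registered with "(no file)", and an O20 Winlogon Notify entry whose path names no DLL. As an added example (not code from the forum, the helper, or HijackThis), here is a small Python parser that applies those checks to log lines copied from this thread and reports which flagged entries persist from one log to the next; the "after" sample is constructed, with one BHO dropped, to show the comparison working.

```python
"""Triage HijackThis (HJT) log lines for the two kinds of leftover entries
the helper asked to have fixed in this thread, and report which of them
survive from one log to the next.

Added example, not code from the forum, the helper, or HijackThis itself.
Checks implemented:
  * O2 BHO entries whose file column reads "(no file)": a Browser Helper
    Object registration whose DLL is gone (typical debris after a removal).
  * O20 Winlogon Notify entries whose path has no file name (the bare
    "C:\\WINDOWS\\" in the thread): a notify package pointing at nothing.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# O2 - BHO: <name> - {CLSID} - <file or "(no file)">
_BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<file>.*)$"
)
# O20 - Winlogon Notify: <key name> - <path to DLL>
_O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")


@dataclass(frozen=True)
class Finding:
    line: str    # the HJT line exactly as logged
    reason: str  # why a helper would tick it for "Fix checked"


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious HJT line, None for anything else."""
    line = line.strip()
    m = _BHO_RE.match(line)
    if m:
        if m.group("file").strip().lower() == "(no file)":
            return Finding(line, "orphaned BHO %s: registered but its DLL is missing"
                           % m.group("clsid"))
        return None
    m = _O20_RE.match(line)
    if m:
        path = m.group("path").strip()
        # A Notify entry must name a DLL. A bare directory (trailing
        # backslash) or an empty path means the registration points at
        # nothing loadable, which is what the thread's iifgEtuu entry shows.
        if not path or path.endswith("\\"):
            return Finding(line, "Winlogon Notify '%s' names no DLL file"
                           % m.group("name"))
        return None
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of an HJT log."""
    return [f for f in (triage_line(raw) for raw in text.splitlines()) if f]


def persisted(before: str, after: str) -> List[Finding]:
    """Flagged entries present in both logs: the fix did not remove them."""
    still_there = {f.line for f in triage_log(after)}
    return [f for f in triage_log(before) if f.line in still_there]


# Constructed sample logs. BEFORE_LOG uses entries as they appear in the
# thread; AFTER_LOG is made up to show one BHO gone and the rest persisting.
BEFORE_LOG = "\n".join([
    "O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\\Program Files\\Yahoo!\\Companion\\Installs\\cpn\\yt.dll",
    "O2 - BHO: (no name) - {25401087-D0F5-4157-B9C0-A6C4E261B021} - (no file)",
    "O2 - BHO: (no name) - {4E007A5F-299F-44FC-8B6B-F06B61867A2E} - (no file)",
    "O2 - BHO: (no name) - {70DFDC90-21D2-4DC4-B66D-D0430B6CC90D} - (no file)",
    "O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_07\\bin\\ssv.dll",
    "O2 - BHO: (no name) - {B2594244-C6CC-4EA9-B497-F15845196C9B} - (no file)",
    "O4 - HKCU\\..\\Run: [SpybotSD TeaTimer] C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe",
    "O20 - Winlogon Notify: iifgEtuu - C:\\WINDOWS\\",
    "O23 - Service: avast! Antivirus - ALWIL Software - C:\\Program Files\\Avast4\\ashServ.exe",
])
AFTER_LOG = "\n".join(
    l for l in BEFORE_LOG.splitlines() if "4E007A5F" not in l
)

if __name__ == "__main__":
    for f in triage_log(BEFORE_LOG):
        print("FLAG:", f.reason)
    print("persisted after fix:", len(persisted(BEFORE_LOG, AFTER_LOG)))
```

Entries that persist across a reboot and a second "Fix checked" pass are the signal that something is re-creating or protecting them, which is why the helper moves the fix into safe mode.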

Re: Noticed Firefox crashing, many popups now being blocked.

Unread postby kurry » November 28th, 2008, 4:10 pm

Seems like they're still not being removed... here's the log
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:00:58, on 28/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ad-Aware\aawservice.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
J:\RocketDock\RocketDock.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\HijackThis\kurry.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PRESARIO&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=PRESARIO&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=PRESARIO&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {25401087-D0F5-4157-B9C0-A6C4E261B021} - (no file)
O2 - BHO: (no name) - {4E007A5F-299F-44FC-8B6B-F06B61867A2E} - (no file)
O2 - BHO: (no name) - {70DFDC90-21D2-4DC4-B66D-D0430B6CC90D} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {B2594244-C6CC-4EA9-B497-F15845196C9B} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [RocketDock] "J:\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: iifgEtuu - C:\WINDOWS\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 9141 bytes


As for the popups, I worded that wrong. No, I'm not getting any popups at the minute and I've just tested Firefox and it seems to be working fine... :shock:
Could it be that the infection is solved; or it's just not showing any effect?
kurry
Active Member
 
Posts: 12
Joined: December 8th, 2007, 1:11 pm