Help! Random popups in Mozilla Firefox from 82.98.235.111
Unread postby whitemystu » February 1st, 2009, 12:15 am

For the past 2 weeks or so, my computer has been slowing down and there have been tons of random pop-ups in Mozilla Firefox. Some of them are from 82.98.235.111 and others are from adsense (if I remember correctly). Then there are a lot of random other ones. Also, I've noticed that when I try to search in the swagbucks search engine, I can't directly click on the link otherwise it doesn't work - but Google search seems to work alright. Mozilla Firefox has frozen up a couple of times (and I could navigate around the site, but strangely enough the text of the window disappeared and was replaced by ---- or nothing). So the tabs were still there but they were blank. It seems to only have affected Mozilla Firefox since Google Chrome seems to work fine.

Please let me know what to do to get rid of this spyware or whatever it is that is plaguing my computer! Thank you so much in advance!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:08:58 PM, on 1/31/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\ctfmon.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Symantec AntiVirus\DefWatch.exe
F:\Program Files\Java\jre6\bin\jqs.exe
F:\WINDOWS\system32\lkcitdl.exe
F:\WINDOWS\system32\lkads.exe
F:\WINDOWS\system32\lktsrv.exe
F:\Program Files\National Instruments\MAX\nimxs.exe
F:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
F:\WINDOWS\system32\nisvcloc.exe
F:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\WLTRYSVC.EXE
F:\WINDOWS\System32\bcmwltry.exe
F:\Program Files\Canon\CAL\CALMAIN.exe
F:\WINDOWS\system32\wscntfy.exe
F:\WINDOWS\System32\igfxtray.exe
F:\WINDOWS\System32\hkcmd.exe
F:\WINDOWS\System32\igfxpers.exe
F:\WINDOWS\System32\WLTRAY.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\PROGRA~1\SYMANT~1\VPTray.exe
F:\Program Files\Java\jre6\bin\jusched.exe
F:\WINDOWS\RTHDCPL.EXE
F:\WINDOWS\system32\rundll32.exe
F:\Program Files\MSN Messenger\MsnMsgr.Exe
F:\Program Files\AIM\aim.exe
F:\Program Files\Skype\Phone\Skype.exe
F:\Program Files\Veoh Networks\Veoh\VeohClient.exe
F:\Documents and Settings\g-race\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
F:\Program Files\Impulse\PolicyKey.exe
F:\Program Files\3M\PSNLite\PsnLite.exe
F:\PROGRA~1\3M\PSNLite\PSNGive.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\DOCUME~1\g-race\LOCALS~1\Temp\RtkBtMnt.exe
F:\Program Files\Microsoft Office\Office10\WINWORD.EXE
F:\WINDOWS\system32\rundll32.exe
F:\WINDOWS\system32\rundll32.exe
F:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
F:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Documents and Settings\g-race\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - F:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0C8C6E91-E7C7-488B-AEB1-0D04A289F394} - (no file)
O2 - BHO: (no name) - {2AFBA3E2-30EC-4C71-A9B0-ADA545CF0120} - (no file)
O2 - BHO: (no name) - {4A3C3B9C-38C5-49FC-8DB2-383594535A47} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {75D7747F-422C-4712-A937-FA69013E1B6C} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {DB558CD3-0EFA-4C6C-90CB-55B8A48CC755} - (no file)
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - F:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [igfxtray] F:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] F:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] F:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] F:\WINDOWS\System32\WLTRAY.exe
O4 - HKLM\..\Run: [INPROCOMMWireless] F:\Program Files\Atheros\Wireless\Utility\WlanUtil.exe
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] F:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] F:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ad-Watch] F:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [MsnMsgr] "F:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] F:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Skype] "F:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Veoh] "F:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [Google Update] "F:\Documents and Settings\g-race\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [VeohPlugin] "F:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PolicyKey.lnk = F:\Program Files\Impulse\PolicyKey.exe
O4 - Global Startup: Post-it® Software Notes Lite.lnk = F:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: &Download by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: wkpvzh.dll zolboo.dll esevlq.dll
O20 - Winlogon Notify: byXPGVpO - F:\WINDOWS\
O23 - Service: Adobe LM Service - Unknown owner - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - F:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - F:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - F:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - F:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - F:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - F:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - F:\WINDOWS\system32\lktsrv.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - F:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - F:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - F:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - F:\WINDOWS\system32\nisvcloc.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - F:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
O23 - Service: OpcEnum - OPC Foundation - F:\WINDOWS\system32\OpcEnum.exe
O23 - Service: SAVRoam (SavRoam) - symantec - F:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - F:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - F:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 10713 bytes
whitemystu
Active Member
 
Posts: 6
Joined: February 1st, 2009, 12:06 am

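A helper reading a HijackThis log like the one above looks first at a handful of line types: O2 BHO entries whose DLL is gone ("(no file)"), anything listed under O20 AppInit_DLLs (a load point legitimate software almost never needs), and O20 Winlogon Notify packages whose path does not resolve to a DLL. The script below is an added example written for this page, not a tool from MalwareRemoval.com, Trend Micro or the helpers in this thread. It parses constructed sample lines modelled on the log above and flags those three cases for review; the `Finding` type, the `triage` function and its heuristics are this example's own assumptions, and a flag means "look at this", not "this is malware".

```python
import re
from dataclasses import dataclass

# Constructed sample: a few HijackThis v2 lines of the kinds seen in the log
# above (paths and names copied from it). Raw string, so backslashes are literal.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0C8C6E91-E7C7-488B-AEB1-0D04A289F394} - (no file)
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - AppInit_DLLs: wkpvzh.dll zolboo.dll esevlq.dll
O20 - Winlogon Notify: byXPGVpO - F:\WINDOWS\
O23 - Service: Symantec AntiVirus - Symantec Corporation - F:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Every HijackThis entry starts with a section code (O2, O4, O20, R1, ...) and " - ".
LINE_RE = re.compile(r"^([ORF]\d+) - (.*)$")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O20"
    reason: str    # why a helper would want to look at this line
    entry: str     # the original log line


def triage(log_text: str) -> list[Finding]:
    """Return the log lines a helper would review first, with a reason for each."""
    findings: list[Finding] = []
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, blank lines, process list, etc.
        section, body = m.groups()

        # O2: a Browser Helper Object whose DLL no longer exists is an orphaned
        # registration; HijackThis can remove it, and it is worth asking why it is there.
        if section == "O2" and body.endswith("(no file)"):
            findings.append(Finding(section, "BHO registered but its DLL is missing (orphaned CLSID)", line))

        # O20 AppInit_DLLs: every DLL named here is loaded into each process that
        # loads user32.dll, so any non-empty value deserves a close look.
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = body.split(":", 1)[1].split()
            if dlls:
                findings.append(Finding(
                    section,
                    f"AppInit_DLLs loads {len(dlls)} DLL(s) into user-mode processes: {' '.join(dlls)}",
                    line,
                ))

        # O20 Winlogon Notify: the package must name a DLL; a bare directory or
        # missing filename means the registration is broken or deliberately hidden.
        elif section == "O20" and body.startswith("Winlogon Notify:"):
            _, _, target = body.partition(" - ")
            if target.endswith("\\") or not target.lower().endswith(".dll"):
                findings.append(Finding(section, "Winlogon Notify package does not resolve to a DLL file", line))

    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.entry}")
```

Run it on a saved log with `triage(open("hijackthis.log").read())`; the lines it leaves alone (O4 Run entries, O23 services) still need a human's judgement, which is why the helper in this thread asks for the uninstall list and a ComboFix run rather than acting on the log alone.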
Re: Help! Random popups in Mozilla Firefox from 82.98.235.111

Unread postby Bv202 » February 4th, 2009, 7:22 am

Welcome to Malware Removal!
My name is Bjorn, known as Bv202 on this forum, and I'll be happy to assist you with all the malware problems you have on your computer.

Before we start fixing your computer, there are a few points you need to know:
  • Please don't start a new topic, but reply on this one.
  • If you don't understand something, please ask!
  • If you find any new problems and/or details, please post them!
  • Please always try to reply within 5 days. If you know you won't be able to reply for any reason, please tell me so we don't close your thread.
  • As I'm still in training here at Malware Removal, all my posts need to be checked by an expert first.

Remember: absence of symptoms does not mean your computer is clean!!
Please reply to this topic until I say your computer is clean.

I'm now researching your log. Once it's done, I'll be back to you.

In the meantime, please do this:
  • Open HijackThis.
  • Look under System tools.
  • Click on the Open Uninstall Manager... button.
  • Click on the Save list... button.
  • It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
  • Notepad will open. Please copy and paste the contents of this log in your next reply.
Bv202
Regular Member
 
Posts: 1732
Joined: May 3rd, 2008, 10:46 am
Location: Belgium (GMT +1)

Re: Help! Random popups in Mozilla Firefox from 82.98.235.111

Unread postby whitemystu » February 4th, 2009, 10:51 pm

Thanks for your assistance, Bjorn!

Here is the notepad file you requested:

Acoustica MP3 Audio Mixer
Ad-Aware
Ad-Aware
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Photoshop CS
Adobe Reader 8.1.2
Adobe Shockwave Player
AOL Instant Messenger
Apple Software Update
Atheros for Acer Driver 5.3.0.45_Foxconn Installation Program
Atheros Wireless LAN
Audacity 1.2.6
Broadcom 802.11 Network Adapter
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon PIXMA iP3000
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities ZoomBrowser EX
CourseSmart Bookshelf
Google Talk Plugin
HijackThis 2.0.2
Impulse
Intel(R) Graphics Media Accelerator Driver
Java(TM) 6 Update 11
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
LiveUpdate 3.0 (Symantec Corporation)
Logitech QuickCam Software
Logitech® Camera Driver
Malwarebytes' Anti-Malware
Marvell Miniport Driver
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft Office XP Professional
Microsoft Silverlight
middle_man
Mozilla Firefox (3.0.6)
MSXML 6.0 Parser (KB925673)
National Instruments Software
Orbit Downloader
Post-it® Software Notes Lite
QuickTime
RealPlayer
REALTEK GbE & FE Ethernet PCI NIC Driver
Realtek High Definition Audio Driver
Skype™ 3.5
Spybot - Search & Destroy
Swag Bucks Toolbar
Symantec AntiVirus
TUGZip 3.4
Update for Windows XP (KB898461)
Veoh Web Player Beta
VeohTV BETA
VideoLAN VLC media player 0.8.6c
Viewpoint Media Player
VistaBootPRO 3.3
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Windows Communication Foundation
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Format Runtime
Windows Media Player 10
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Service Pack 2
XP Codec Pack

Please let me know what to do next!


Thanks,
Grace
whitemystu
Active Member
 
Posts: 6
Joined: February 1st, 2009, 12:06 am

Re: Help! Random popups in Mozilla Firefox from 82.98.235.111

Unread postby Bv202 » February 5th, 2009, 11:34 am

Hi Whitemystu

Download and run Combofix
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • If you need help to disable your protection programs see here.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Image
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Image
Click on Yes, to continue scanning for malware.
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Bv202
Regular Member
 
Posts: 1732
Joined: May 3rd, 2008, 10:46 am
Location: Belgium (GMT +1)

Re: Help! Random popups in Mozilla Firefox from 82.98.235.111

Unread postby whitemystu » February 6th, 2009, 12:58 am

Here is the requested information:

Thanks,
Grace

ComboFix text --->

ComboFix 09-02-05.01 - g-race 2009-02-05 15:47:26.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.477 [GMT -8:00]
Running from: f:\documents and settings\g-race\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
f:\windows\system32\Desktop_.ini
f:\windows\system32\drivers\npf.sys
f:\windows\system32\esevlq.dll
f:\windows\system32\kwhsgs.dll
f:\windows\system32\packet.dll
f:\windows\system32\pthreadVC.dll
f:\windows\system32\qhbglway.dll
f:\windows\system32\ralhsd(2).dll
f:\windows\system32\ssukxhno.dll
f:\windows\system32\vtyogqoh.dll
f:\windows\system32\WanPacket.dll
f:\windows\system32\wkpvzh.dll
f:\windows\system32\wpcap.dll
f:\windows\Tasks\htqmmihf.job
f:\windows\Tasks\ofaeqthz.job

.
((((((((((((((((((((((((( Files Created from 2009-01-05 to 2009-02-05 )))))))))))))))))))))))))))))))
.

2009-02-02 19:09 . 2009-02-02 19:09 <DIR> d-------- F:\My Videos
2009-01-31 20:08 . 2009-01-31 20:08 <DIR> d-------- f:\program files\Trend Micro
2009-01-26 20:18 . 2004-08-04 00:56 152,576 --a------ f:\windows\system32\irftp.exe
2009-01-26 20:18 . 2004-08-04 00:56 152,576 --a--c--- f:\windows\system32\dllcache\irftp.exe
2009-01-26 20:18 . 2004-08-04 00:56 27,136 --a------ f:\windows\system32\irmon.dll
2009-01-26 20:18 . 2004-08-04 00:56 27,136 --a--c--- f:\windows\system32\dllcache\irmon.dll
2009-01-26 20:18 . 2004-08-04 00:56 8,192 --a------ f:\windows\system32\wshirda.dll
2009-01-26 20:18 . 2004-08-04 00:56 8,192 --a--c--- f:\windows\system32\dllcache\wshirda.dll
2009-01-24 00:07 . 2009-01-23 23:13 15,688 --a------ f:\windows\system32\lsdelete.exe
2009-01-23 23:13 . 2009-01-23 23:12 64,160 --a------ f:\windows\system32\drivers\Lbd.sys
2009-01-23 23:08 . 2009-01-23 23:08 <DIR> d-------- f:\program files\Lavasoft
2009-01-23 23:08 . 2009-01-23 23:18 <DIR> d--h-c--- f:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-21 23:00 . 2009-01-21 23:00 <DIR> d-------- f:\documents and settings\g-race\DoctorWeb
2009-01-19 22:08 . 2009-01-24 14:57 4 --a------ f:\windows\tpjqrast
2009-01-15 23:25 . 2009-01-15 23:25 410,984 --a------ f:\windows\system32\deploytk.dll
2009-01-13 22:37 . 2009-01-13 22:37 <DIR> d-------- f:\program files\CourseSmart
2009-01-13 22:30 . 2009-01-13 22:30 <DIR> d-------- f:\program files\MSBuild
2009-01-13 22:27 . 2009-01-13 22:36 <DIR> d-------- f:\windows\system32\XPSViewer
2009-01-13 22:26 . 2009-01-13 22:26 <DIR> d-------- f:\program files\Reference Assemblies
2009-01-13 22:25 . 2006-06-29 13:07 14,048 --a------ f:\windows\system32\spmsg2.dll
2009-01-11 00:54 . 2009-01-11 01:23 <DIR> d-------- f:\program files\Winamp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-05 23:41 --------- d-----w f:\documents and settings\g-race\Application Data\Skype
2009-02-05 02:49 --------- d-----w f:\program files\BitLord
2009-01-28 05:52 --------- d-----w f:\program files\Veoh Networks
2009-01-24 21:05 --------- d-----w f:\program files\Malwarebytes' Anti-Malware
2009-01-24 07:13 --------- d-----w f:\documents and settings\All Users\Application Data\Lavasoft
2009-01-20 21:03 --------- d-----w f:\documents and settings\g-race\Application Data\ZoomBrowser EX
2009-01-20 20:57 --------- d-----w f:\documents and settings\All Users\Application Data\ZoomBrowser
2009-01-20 06:02 --------- d-----w f:\program files\Symantec AntiVirus
2009-01-16 07:24 --------- d-----w f:\program files\Java
2009-01-15 00:11 38,496 ----a-w f:\windows\system32\drivers\mbamswissarmy.sys
2009-01-15 00:11 15,504 ----a-w f:\windows\system32\drivers\mbam.sys
2009-01-02 10:45 --------- d-----w f:\program files\Impulse
2008-12-27 07:41 --------- d-----w f:\documents and settings\g-race\Application Data\Orbit
2008-12-27 07:31 --------- d-----w f:\documents and settings\g-race\Application Data\PRODEGETOOLBAR680
2008-12-27 07:29 --------- d-----w f:\program files\prodegetoolbar680
2008-12-25 10:50 --------- d--h--w f:\program files\InstallShield Installation Information
2008-12-25 10:50 --------- d-----w f:\program files\Logitech
2008-12-25 10:50 --------- d-----w f:\program files\Common Files\Logitech
2008-06-10 03:33 0 -c--a-w f:\program files\temp01
2007-11-23 22:42 25,280 -c--a-w f:\documents and settings\g-race\Application Data\GDIPFONTCACHEV1.DAT
2007-02-08 18:48 133,920 ----a-w f:\program files\internet explorer\plugins\LV82ActiveXControl.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-02-05_15.43.04.85 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-05 23:24:55 66,778 ----a-w f:\windows\system32\perfc009.dat
+ 2009-02-05 23:44:13 66,778 ----a-w f:\windows\system32\perfc009.dat
- 2009-02-05 23:24:55 428,160 ----a-w f:\windows\system32\perfh009.dat
+ 2009-02-05 23:44:13 428,160 ----a-w f:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="f:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"ctfmon.exe"="f:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"AIM"="f:\program files\AIM\aim.exe" [2006-08-01 67112]
"Skype"="f:\program files\Skype\Phone\Skype.exe" [2007-08-25 23090984]
"Veoh"="f:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-28 3660848]
"Google Update"="f:\documents and settings\g-race\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-06 133104]
"SpybotSD TeaTimer"="f:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
"VeohPlugin"="f:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2008-12-16 3528440]
"eNMTray.exe"="" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="f:\windows\System32\igfxtray.exe" [2006-06-13 94208]
"igfxhkcmd"="f:\windows\System32\hkcmd.exe" [2006-06-13 77824]
"igfxpers"="f:\windows\System32\igfxpers.exe" [2006-06-13 118784]
"Broadcom Wireless Manager UI"="f:\windows\System32\WLTRAY.exe" [2005-11-11 1236992]
"INPROCOMMWireless"="f:\program files\Atheros\Wireless\Utility\WlanUtil.exe" [BU]
"ccApp"="f:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"vptray"="f:\progra~1\SYMANT~1\VPTray.exe" [2006-03-17 124656]
"IMJPMIG8.1"="f:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"IMEKRMIG6.1"="f:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-23 44032]
"MSPY2002"="f:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
"PHIME2002ASync"="f:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="f:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"SunJavaUpdateSched"="f:\program files\Java\jre6\bin\jusched.exe" [2009-01-15 136600]
"QuickTime Task"="f:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
"Adobe Reader Speed Launcher"="f:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"TkBellExe"="f:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-28 185872]
"Ad-Watch"="f:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-30 509784]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-31 f:\windows\RTHDCPL.EXE]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 f:\windows\system32\bthprops.cpl]

f:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - f:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-09 113664]
Microsoft Office.lnk - f:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
PolicyKey.lnk - f:\program files\Impulse\PolicyKey.exe [2005-10-04 573440]
Post-itr Software Notes Lite.lnk - f:\program files\3M\PSNLite\PsnLite.exe [2004-10-15 2080768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXPGVpO]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wkpvzh.dll esevlq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"f:\\Program Files\\AIM\\aim.exe"=
"f:\\Program Files\\Messenger\\msmsgs.exe"=
"f:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"f:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"f:\\Program Files\\Skype\\Phone\\Skype.exe"=
"f:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"f:\\Program Files\\MSN Messenger\\livecall.exe"=
"f:\\Documents and Settings\\g-race\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"f:\\Documents and Settings\\g-race\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"f:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

R0 Lbd;Lbd;f:\windows\system32\drivers\Lbd.sys [2009-01-23 64160]
R2 EpmPsd;Acer EPM Power Scheme Driver;f:\windows\system32\drivers\epm-psd.sys [2007-08-21 4096]
R2 EpmShd;Acer EPM System Hardware Driver;f:\windows\system32\drivers\epm-shd.sys [2007-08-21 78208]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;f:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-19 99376]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;f:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]
S3 Atdydi;Atdydi; [x]
S3 SavRoam;SAVRoam;f:\program files\Symantec AntiVirus\SavRoam.exe [2006-03-17 115952]
.
Contents of the 'Scheduled Tasks' folder

2009-02-03 f:\windows\Tasks\Ad-Aware Update (Weekly).job
- f:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-30 23:13]

2009-02-05 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-1767777339-725345543-1003.job
- f:\documents and settings\g-race\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-06 20:35]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0C8C6E91-E7C7-488B-AEB1-0D04A289F394} - (no file)
BHO-{2AFBA3E2-30EC-4C71-A9B0-ADA545CF0120} - (no file)
BHO-{4A3C3B9C-38C5-49FC-8DB2-383594535A47} - (no file)
BHO-{75D7747F-422C-4712-A937-FA69013E1B6C} - (no file)
BHO-{DB558CD3-0EFA-4C6C-90CB-55B8A48CC755} - (no file)


.
------- Supplementary Scan -------
.
IE: &Download by Orbit - f:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - f:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - f:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - f:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - f:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - f:\documents and settings\g-race\Application Data\Mozilla\Firefox\Profiles\vl7q6iu5.default\
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
FF - plugin: f:\documents and settings\g-race\Application Data\Mozilla\Firefox\Profiles\vl7q6iu5.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: f:\documents and settings\g-race\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: f:\documents and settings\g-race\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: f:\program files\Mozilla Firefox\plugins\NPLV82Win32.dll
FF - plugin: f:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: f:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: f:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-05 15:49:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(572)
f:\windows\System32\BCMLogon.dll
.
Completion time: 2009-02-05 15:51:14
ComboFix-quarantined-files.txt 2009-02-05 23:51:07

Pre-Run: 1,263,685,632 bytes free
Post-Run: 1,248,030,720 bytes free

203 --- E O F --- 2008-09-02 09:40:21

HijackThis log ------------>


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:56:21 PM, on 2/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\WINDOWS\system32\ctfmon.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Symantec AntiVirus\DefWatch.exe
F:\Program Files\Java\jre6\bin\jqs.exe
F:\WINDOWS\system32\lkcitdl.exe
F:\WINDOWS\System32\igfxtray.exe
F:\WINDOWS\System32\hkcmd.exe
F:\WINDOWS\System32\igfxpers.exe
F:\WINDOWS\System32\WLTRAY.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\PROGRA~1\SYMANT~1\VPTray.exe
F:\Program Files\Java\jre6\bin\jusched.exe
F:\WINDOWS\RTHDCPL.EXE
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\WINDOWS\system32\rundll32.exe
F:\WINDOWS\system32\lkads.exe
F:\Program Files\Veoh Networks\Veoh\VeohClient.exe
F:\WINDOWS\system32\lktsrv.exe
F:\Documents and Settings\g-race\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
F:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
F:\Program Files\National Instruments\MAX\nimxs.exe
F:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
F:\Program Files\Impulse\PolicyKey.exe
F:\Program Files\3M\PSNLite\PsnLite.exe
F:\WINDOWS\system32\nisvcloc.exe
F:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
F:\WINDOWS\System32\svchost.exe
F:\PROGRA~1\3M\PSNLite\PSNGive.exe
F:\WINDOWS\System32\WLTRYSVC.EXE
F:\WINDOWS\System32\bcmwltry.exe
F:\Program Files\Canon\CAL\CALMAIN.exe
F:\WINDOWS\system32\wscntfy.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\WINDOWS\explorer.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\AIM\aim.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - F:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0C8C6E91-E7C7-488B-AEB1-0D04A289F394} - (no file)
O2 - BHO: (no name) - {2AFBA3E2-30EC-4C71-A9B0-ADA545CF0120} - (no file)
O2 - BHO: (no name) - {4A3C3B9C-38C5-49FC-8DB2-383594535A47} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {75D7747F-422C-4712-A937-FA69013E1B6C} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {DB558CD3-0EFA-4C6C-90CB-55B8A48CC755} - (no file)
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - F:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [igfxtray] F:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] F:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] F:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] F:\WINDOWS\System32\WLTRAY.exe
O4 - HKLM\..\Run: [INPROCOMMWireless] F:\Program Files\Atheros\Wireless\Utility\WlanUtil.exe
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] F:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] F:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ad-Watch] F:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [MsnMsgr] "F:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] F:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Skype] "F:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Veoh] "F:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [Google Update] "F:\Documents and Settings\g-race\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [VeohPlugin] "F:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PolicyKey.lnk = F:\Program Files\Impulse\PolicyKey.exe
O4 - Global Startup: Post-it® Software Notes Lite.lnk = F:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: &Download by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: wkpvzh.dll esevlq.dll
O20 - Winlogon Notify: byXPGVpO - F:\WINDOWS\
O23 - Service: Adobe LM Service - Unknown owner - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - F:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - F:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - F:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - F:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - F:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - F:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - F:\WINDOWS\system32\lktsrv.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - F:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - F:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - F:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - F:\WINDOWS\system32\nisvcloc.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - F:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
O23 - Service: OpcEnum - OPC Foundation - F:\WINDOWS\system32\OpcEnum.exe
O23 - Service: SAVRoam (SavRoam) - symantec - F:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - F:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - F:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 10477 bytes
whitemystu
Active Member
 
Posts: 6
Joined: February 1st, 2009, 12:06 am

Re: Help! Random popups in Mozilla Firefox from 82.98.235.111

Unread postby Bv202 » February 8th, 2009, 9:18 am

I'm sorry for the delay.

Hi Whitemystu

From your logs I can see you've run ComboFix yourself. Please note that ComboFix is a very powerful tool and should NOT be used unsupervised!


Remove P2P software
While looking over your log, I have noticed the following Peer-to-Peer filesharing programs are present on your computer:

BitLord

These programs are the #1 source of infected systems. Although the software itself can be clean, the files you download are often infected with malware. Because of this, we do not allow P2P software present on machines we're cleaning anymore.

This means you must remove the above Peer-to-Peer filesharing programs and any others present on your machine. For a full explanation of our policy, please read the following P2P Program Policy.

Please uninstall this by deleting the folder f:\program files\BitLord


COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File:: 
    f:\windows\tpjqrast
    
    Folder::
    f:\program files\prodegetoolbar680
    
    Driver::
    Atdydi
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXPGVpO]
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


FIX HIJACKTHIS ENTRIES
Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines (if still present).

O2 - BHO: (no name) - {0C8C6E91-E7C7-488B-AEB1-0D04A289F394} - (no file)
O2 - BHO: (no name) - {2AFBA3E2-30EC-4C71-A9B0-ADA545CF0120} - (no file)
O2 - BHO: (no name) - {4A3C3B9C-38C5-49FC-8DB2-383594535A47} - (no file)
O2 - BHO: (no name) - {75D7747F-422C-4712-A937-FA69013E1B6C} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {DB558CD3-0EFA-4C6C-90CB-55B8A48CC755} - (no file)


Then close all windows except HijackThis and click Fix Checked.
Close HijackThis.

In your next reply, please post:
1) The ComboFix log
2) A new HijackThis log
Bv202
Regular Member
 
Posts: 1732
Joined: May 3rd, 2008, 10:46 am
Location: Belgium (GMT +1)
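The three things the helper singled out above (BHOs registered with no DLL behind them, a populated AppInit_DLLs value, and a Winlogon Notify package with no real DLL path) are the load points a log reader checks first in a HijackThis report. As an added example, not part of the forum post and not HijackThis code, here is a small Python triage script that parses those O2 and O20 line formats and flags the same conditions. The sample lines are copied from the logs in this thread; the function and class names are constructed here.

```python
"""Triage the load points a HijackThis log exposes (O2 BHO, O20 AppInit_DLLs,
O20 Winlogon Notify). Added example for this thread; not part of HijackThis
or of the helper's post. Function and class names are constructed."""
import re
from dataclasses import dataclass
from typing import List

# Sample lines copied from the logs posted in this thread (constructed input).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0C8C6E91-E7C7-488B-AEB1-0D04A289F394} - (no file)
O2 - BHO: (no name) - {2AFBA3E2-30EC-4C71-A9B0-ADA545CF0120} - (no file)
O20 - AppInit_DLLs: wkpvzh.dll esevlq.dll
O20 - Winlogon Notify: byXPGVpO - F:\WINDOWS\
O23 - Service: LiveUpdate - Symantec Corporation - F:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

# The same sections from the post-fix log later in the thread (constructed input).
CLEAN_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre6\bin\ssv.dll
"""

# Line formats as HijackThis v2.0.2 prints them in the logs above.
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: ?(?P<value>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O2" or "O20"
    reason: str    # why the line deserves a look
    line: str      # the original log line


def triage_hijackthis_log(text: str) -> List[Finding]:
    """Return the O2/O20 lines that match the conditions the helper fixed."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = BHO_RE.match(line)
        if m:
            # A CLSID still registered as a BHO but with no DLL on disk is an
            # orphan: the file was removed, the registration was not.
            if m.group("path").strip().lower() == "(no file)":
                findings.append(Finding(
                    "O2", f"BHO {m.group('clsid')} is registered but its DLL is missing (orphan)", line))
            continue

        m = APPINIT_RE.match(line)
        if m:
            # Anything listed here is loaded into every process that maps
            # user32.dll, so a non-empty value always warrants review.
            dlls = m.group("value").split()
            if dlls:
                findings.append(Finding(
                    "O20", f"AppInit_DLLs is non-empty ({', '.join(dlls)}); these load into every GUI process", line))
            continue

        m = NOTIFY_RE.match(line)
        if m:
            # A Winlogon Notify package must name a DLL; a bare directory or
            # an unresolvable path means the package cannot be accounted for.
            path = m.group("path").strip()
            if not path.lower().endswith(".dll"):
                findings.append(Finding(
                    "O20", f"Winlogon Notify package {m.group('name')} has no resolvable DLL path ({path!r})", line))
            continue
    return findings


if __name__ == "__main__":
    for f in triage_hijackthis_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print(f"post-fix sample: {len(triage_hijackthis_log(CLEAN_LOG))} findings")
```

Run against the first log it reports the two orphan BHOs, the AppInit_DLLs pair and the Winlogon Notify entry; run against the post-fix lines it reports nothing, which is the same before/after picture the two HijackThis logs in this thread give.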

Re: Help! Random popups in Mozilla Firefox from 82.98.235.111

Unread postby whitemystu » February 8th, 2009, 6:45 pm

Sorry about that. I removed BitLord from my applications, but I guess the file was still there. I have deleted the folder.

Here are the requested logs.

Thanks!
Grace

ComboFix log:

ComboFix 09-02-05.01 - g-race 2009-02-08 14:06:09.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.416 [GMT -8:00]
Running from: f:\documents and settings\g-race\Desktop\ComboFix.exe
Command switches used :: f:\documents and settings\g-race\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
f:\windows\tpjqrast
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

f:\program files\prodegetoolbar680
f:\program files\prodegetoolbar680\install.ico
f:\program files\prodegetoolbar680\toolbar.ini
f:\program files\prodegetoolbar680\uninstall.exe
f:\windows\tpjqrast

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Atdydi


((((((((((((((((((((((((( Files Created from 2009-01-08 to 2009-02-08 )))))))))))))))))))))))))))))))
.

2009-02-02 19:09 . 2009-02-02 19:09 <DIR> d-------- F:\My Videos
2009-01-31 20:08 . 2009-01-31 20:08 <DIR> d-------- f:\program files\Trend Micro
2009-01-26 20:18 . 2004-08-04 00:56 152,576 --a------ f:\windows\system32\irftp.exe
2009-01-26 20:18 . 2004-08-04 00:56 152,576 --a--c--- f:\windows\system32\dllcache\irftp.exe
2009-01-26 20:18 . 2004-08-04 00:56 27,136 --a------ f:\windows\system32\irmon.dll
2009-01-26 20:18 . 2004-08-04 00:56 27,136 --a--c--- f:\windows\system32\dllcache\irmon.dll
2009-01-26 20:18 . 2004-08-04 00:56 8,192 --a------ f:\windows\system32\wshirda.dll
2009-01-26 20:18 . 2004-08-04 00:56 8,192 --a--c--- f:\windows\system32\dllcache\wshirda.dll
2009-01-24 00:07 . 2009-01-23 23:13 15,688 --a------ f:\windows\system32\lsdelete.exe
2009-01-23 23:13 . 2009-01-23 23:12 64,160 --a------ f:\windows\system32\drivers\Lbd.sys
2009-01-23 23:08 . 2009-01-23 23:08 <DIR> d-------- f:\program files\Lavasoft
2009-01-23 23:08 . 2009-01-23 23:18 <DIR> d--h-c--- f:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-21 23:00 . 2009-01-21 23:00 <DIR> d-------- f:\documents and settings\g-race\DoctorWeb
2009-01-15 23:25 . 2009-01-15 23:25 410,984 --a------ f:\windows\system32\deploytk.dll
2009-01-13 22:37 . 2009-01-13 22:37 <DIR> d-------- f:\program files\CourseSmart
2009-01-13 22:30 . 2009-01-13 22:30 <DIR> d-------- f:\program files\MSBuild
2009-01-13 22:27 . 2009-01-13 22:36 <DIR> d-------- f:\windows\system32\XPSViewer
2009-01-13 22:26 . 2009-01-13 22:26 <DIR> d-------- f:\program files\Reference Assemblies
2009-01-13 22:25 . 2006-06-29 13:07 14,048 --a------ f:\windows\system32\spmsg2.dll
2009-01-11 00:54 . 2009-01-11 01:23 <DIR> d-------- f:\program files\Winamp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-08 22:12 --------- d-----w f:\documents and settings\g-race\Application Data\Skype
2009-01-28 05:52 --------- d-----w f:\program files\Veoh Networks
2009-01-24 21:05 --------- d-----w f:\program files\Malwarebytes' Anti-Malware
2009-01-24 07:13 --------- d-----w f:\documents and settings\All Users\Application Data\Lavasoft
2009-01-20 21:03 --------- d-----w f:\documents and settings\g-race\Application Data\ZoomBrowser EX
2009-01-20 20:57 --------- d-----w f:\documents and settings\All Users\Application Data\ZoomBrowser
2009-01-20 06:02 --------- d-----w f:\program files\Symantec AntiVirus
2009-01-16 07:24 --------- d-----w f:\program files\Java
2009-01-15 00:11 38,496 ----a-w f:\windows\system32\drivers\mbamswissarmy.sys
2009-01-15 00:11 15,504 ----a-w f:\windows\system32\drivers\mbam.sys
2009-01-02 10:45 --------- d-----w f:\program files\Impulse
2008-12-27 07:41 --------- d-----w f:\documents and settings\g-race\Application Data\Orbit
2008-12-27 07:31 --------- d-----w f:\documents and settings\g-race\Application Data\PRODEGETOOLBAR680
2008-12-25 10:50 --------- d--h--w f:\program files\InstallShield Installation Information
2008-12-25 10:50 --------- d-----w f:\program files\Logitech
2008-12-25 10:50 --------- d-----w f:\program files\Common Files\Logitech
2008-06-10 03:33 0 -c--a-w f:\program files\temp01
2007-11-23 22:42 25,280 -c--a-w f:\documents and settings\g-race\Application Data\GDIPFONTCACHEV1.DAT
2007-02-08 18:48 133,920 ----a-w f:\program files\internet explorer\plugins\LV82ActiveXControl.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-02-05_15.43.04.85 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 04:02:28 163,328 ----a-w f:\windows\ERDNT\subs\ERDNT.EXE
- 2009-02-05 23:24:55 66,778 ----a-w f:\windows\system32\perfc009.dat
+ 2009-02-05 23:44:13 66,778 ----a-w f:\windows\system32\perfc009.dat
- 2009-02-05 23:24:55 428,160 ----a-w f:\windows\system32\perfh009.dat
+ 2009-02-05 23:44:13 428,160 ----a-w f:\windows\system32\perfh009.dat
+ 2009-02-08 22:11:01 16,384 ----atw f:\windows\Temp\Perflib_Perfdata_4a4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="f:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"ctfmon.exe"="f:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"AIM"="f:\program files\AIM\aim.exe" [2006-08-01 67112]
"Skype"="f:\program files\Skype\Phone\Skype.exe" [2007-08-25 23090984]
"Veoh"="f:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-28 3660848]
"Google Update"="f:\documents and settings\g-race\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-06 133104]
"SpybotSD TeaTimer"="f:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
"VeohPlugin"="f:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2008-12-16 3528440]
"eNMTray.exe"="" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="f:\windows\System32\igfxtray.exe" [2006-06-13 94208]
"igfxhkcmd"="f:\windows\System32\hkcmd.exe" [2006-06-13 77824]
"igfxpers"="f:\windows\System32\igfxpers.exe" [2006-06-13 118784]
"Broadcom Wireless Manager UI"="f:\windows\System32\WLTRAY.exe" [2005-11-11 1236992]
"INPROCOMMWireless"="f:\program files\Atheros\Wireless\Utility\WlanUtil.exe" [BU]
"ccApp"="f:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"vptray"="f:\progra~1\SYMANT~1\VPTray.exe" [2006-03-17 124656]
"IMJPMIG8.1"="f:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"IMEKRMIG6.1"="f:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-23 44032]
"MSPY2002"="f:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
"PHIME2002ASync"="f:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="f:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"SunJavaUpdateSched"="f:\program files\Java\jre6\bin\jusched.exe" [2009-01-15 136600]
"QuickTime Task"="f:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
"Adobe Reader Speed Launcher"="f:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"TkBellExe"="f:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-28 185872]
"Ad-Watch"="f:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-30 509784]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-31 f:\windows\RTHDCPL.EXE]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 f:\windows\system32\bthprops.cpl]

f:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - f:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-09 113664]
Microsoft Office.lnk - f:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
PolicyKey.lnk - f:\program files\Impulse\PolicyKey.exe [2005-10-04 573440]
Post-itr Software Notes Lite.lnk - f:\program files\3M\PSNLite\PsnLite.exe [2004-10-15 2080768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXPGVpO]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"f:\\Program Files\\AIM\\aim.exe"=
"f:\\Program Files\\Messenger\\msmsgs.exe"=
"f:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"f:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"f:\\Program Files\\Skype\\Phone\\Skype.exe"=
"f:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"f:\\Program Files\\MSN Messenger\\livecall.exe"=
"f:\\Documents and Settings\\g-race\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"f:\\Documents and Settings\\g-race\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"f:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

R0 Lbd;Lbd;f:\windows\system32\drivers\Lbd.sys [2009-01-23 64160]
R2 EpmPsd;Acer EPM Power Scheme Driver;f:\windows\system32\drivers\epm-psd.sys [2007-08-21 4096]
R2 EpmShd;Acer EPM System Hardware Driver;f:\windows\system32\drivers\epm-shd.sys [2007-08-21 78208]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;f:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;f:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-19 99376]
S3 SavRoam;SAVRoam;f:\program files\Symantec AntiVirus\SavRoam.exe [2006-03-17 115952]
.
Contents of the 'Scheduled Tasks' folder

2009-02-07 f:\windows\Tasks\Ad-Aware Update (Weekly).job
- f:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-30 23:13]

2009-02-08 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-1767777339-725345543-1003.job
- f:\documents and settings\g-race\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-06 20:35]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0C8C6E91-E7C7-488B-AEB1-0D04A289F394} - (no file)
BHO-{2AFBA3E2-30EC-4C71-A9B0-ADA545CF0120} - (no file)
BHO-{4A3C3B9C-38C5-49FC-8DB2-383594535A47} - (no file)
BHO-{75D7747F-422C-4712-A937-FA69013E1B6C} - (no file)
BHO-{DB558CD3-0EFA-4C6C-90CB-55B8A48CC755} - (no file)


.
------- Supplementary Scan -------
.
IE: &Download by Orbit - f:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - f:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - f:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - f:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - f:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - f:\documents and settings\g-race\Application Data\Mozilla\Firefox\Profiles\vl7q6iu5.default\
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
FF - plugin: f:\documents and settings\g-race\Application Data\Mozilla\Firefox\Profiles\vl7q6iu5.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: f:\documents and settings\g-race\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: f:\documents and settings\g-race\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: f:\program files\Mozilla Firefox\plugins\NPLV82Win32.dll
FF - plugin: f:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: f:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: f:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-08 14:11:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(572)
f:\windows\System32\BCMLogon.dll
.
------------------------ Other Running Processes ------------------------
.
f:\program files\Common Files\Symantec Shared\ccSetMgr.exe
f:\program files\Symantec AntiVirus\DefWatch.exe
f:\program files\Java\jre6\bin\jqs.exe
f:\windows\system32\lkcitdl.exe
f:\windows\system32\lkads.exe
f:\windows\system32\lktsrv.exe
f:\program files\National Instruments\MAX\nimxs.exe
f:\program files\National Instruments\Shared\Security\nidmsrv.exe
f:\windows\system32\nisvcloc.exe
f:\windows\system32\rundll32.exe
f:\program files\National Instruments\Shared\Tagger\tagsrv.exe
f:\windows\system32\wdfmgr.exe
f:\windows\system32\WLTRYSVC.EXE
f:\windows\system32\BCMWLTRY.EXE
f:\program files\Canon\CAL\CALMAIN.exe
f:\progra~1\3M\PSNLite\PSNGive.exe
f:\windows\system32\wbem\unsecapp.exe
f:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-02-08 14:16:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-08 22:16:38
ComboFix2.txt 2009-02-05 23:51:16

Pre-Run: 2,352,005,120 bytes free
Post-Run: 2,267,267,072 bytes free

219 --- E O F --- 2008-09-02 09:40:21


--------------------------------

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:41:59 PM, on 2/8/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
F:\WINDOWS\system32\ctfmon.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Symantec AntiVirus\DefWatch.exe
F:\Program Files\Java\jre6\bin\jqs.exe
F:\WINDOWS\system32\lkcitdl.exe
F:\WINDOWS\System32\igfxtray.exe
F:\WINDOWS\System32\hkcmd.exe
F:\WINDOWS\System32\igfxpers.exe
F:\WINDOWS\System32\WLTRAY.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\WINDOWS\system32\lkads.exe
F:\WINDOWS\system32\lktsrv.exe
F:\PROGRA~1\SYMANT~1\VPTray.exe
F:\Program Files\National Instruments\MAX\nimxs.exe
F:\Program Files\Java\jre6\bin\jusched.exe
F:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
F:\WINDOWS\RTHDCPL.EXE
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\WINDOWS\system32\nisvcloc.exe
F:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
F:\WINDOWS\system32\rundll32.exe
F:\Program Files\MSN Messenger\MsnMsgr.Exe
F:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
F:\Program Files\AIM\aim.exe
F:\Program Files\Skype\Phone\Skype.exe
F:\Program Files\Veoh Networks\Veoh\VeohClient.exe
F:\WINDOWS\System32\svchost.exe
F:\Documents and Settings\g-race\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
F:\WINDOWS\System32\WLTRYSVC.EXE
F:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
F:\WINDOWS\System32\bcmwltry.exe
F:\Program Files\Impulse\PolicyKey.exe
F:\Program Files\3M\PSNLite\PsnLite.exe
F:\Program Files\Canon\CAL\CALMAIN.exe
F:\PROGRA~1\3M\PSNLite\PSNGive.exe
F:\WINDOWS\system32\wscntfy.exe
F:\WINDOWS\explorer.exe
F:\WINDOWS\system32\notepad.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - F:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre6\bin\ssv.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - F:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [igfxtray] F:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] F:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] F:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] F:\WINDOWS\System32\WLTRAY.exe
O4 - HKLM\..\Run: [INPROCOMMWireless] F:\Program Files\Atheros\Wireless\Utility\WlanUtil.exe
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] F:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] F:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ad-Watch] F:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [MsnMsgr] "F:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] F:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Skype] "F:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Veoh] "F:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [Google Update] "F:\Documents and Settings\g-race\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [VeohPlugin] "F:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PolicyKey.lnk = F:\Program Files\Impulse\PolicyKey.exe
O4 - Global Startup: Post-it® Software Notes Lite.lnk = F:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: &Download by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - F:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - F:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - F:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - F:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - F:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - F:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - F:\WINDOWS\system32\lktsrv.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - F:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - F:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - F:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - F:\WINDOWS\system32\nisvcloc.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - F:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
O23 - Service: OpcEnum - OPC Foundation - F:\WINDOWS\system32\OpcEnum.exe
O23 - Service: SAVRoam (SavRoam) - symantec - F:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - F:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - F:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 10042 bytes
whitemystu
Active Member
 
Posts: 6
Joined: February 1st, 2009, 12:06 am

Re: Help! Random popups in Mozilla Firefox from 82.98.235.111

Unread postby Bv202 » February 9th, 2009, 1:19 pm

Hi whitemystu

Run Kaspersky Online AV Scanner
Note: Internet Explorer should be used.

Please go to the Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on the Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan and then put the kettle on!
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Copy and paste the report into your next reply.

In your next reply, please post:
1) The Kaspersky report
2) A new HijackThis log
3) How is the computer running now?
Bv202
Regular Member
 
Posts: 1732
Joined: May 3rd, 2008, 10:46 am
Location: Belgium (GMT +1)

Re: Help! Random popups in Mozilla Firefox from 82.98.235.111

Unread postby whitemystu » February 10th, 2009, 2:52 am

Here's the requested information.

Thanks!
Grace


Kaspersky report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, February 10, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, February 09, 2009 22:56:14
Records in database: 1776014
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
F:\

Scan statistics:
Files scanned: 127320
Threat name: 10
Infected objects: 18
Suspicious objects: 0
Duration of the scan: 02:40:26


File name / Threat name / Threats count
F:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08400001\484F7944.VBN Infected: Trojan-Downloader.Win32.Agent.pxj 1
F:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08400002\484F794F.VBN Infected: not-a-virus:Server-Proxy.Win32.Bouncer.a 1
F:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09E80000\49EF8E72.VBN Infected: Trojan-GameThief.Win32.OnLineGames.spo 1
F:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A200000\4B2C727F.VBN Infected: Trojan-Downloader.Win32.Small.acza 1
F:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C1C0001\4CBE38F0.VBN Infected: Trojan.BAT.Agent.gk 1
F:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C1C0001\4CBE38F0.VBN Infected: not-a-virus:Server-Proxy.Win32.Bouncer.a 1
F:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C4C0000\4CFE87C7.VBN Infected: Backdoor.Win32.UltimateDefender.gen 1
F:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C4C0001\4D4CB394.VBN Infected: Backdoor.Win32.UltimateDefender.gen 1
F:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E640000\4EFC7603.VBN Infected: Trojan-GameThief.Win32.Nilage.bqc 1
F:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E640001\4EFC7618.VBN Infected: Trojan-GameThief.Win32.Nilage.bqc 1
F:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EF40000\4FFF733D.VBN Infected: Trojan-GameThief.Win32.Nilage.bqc 1
F:\Qoobox\Quarantine\F\WINDOWS\system32\esevlq.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.gml 1
F:\Qoobox\Quarantine\F\WINDOWS\system32\kwhsgs.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.gjj 1
F:\Qoobox\Quarantine\F\WINDOWS\system32\qhbglway.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.gjj 1
F:\Qoobox\Quarantine\F\WINDOWS\system32\ralhsd(2).dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.gjn 1
F:\Qoobox\Quarantine\F\WINDOWS\system32\ssukxhno.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.gml 1
F:\Qoobox\Quarantine\F\WINDOWS\system32\vtyogqoh.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.gjj 1
F:\Qoobox\Quarantine\F\WINDOWS\system32\wkpvzh.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.gjj 1

The selected area was scanned.

--------------------------------------------

New HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:49:53 PM, on 2/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\WINDOWS\system32\ctfmon.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Symantec AntiVirus\DefWatch.exe
F:\Program Files\Java\jre6\bin\jqs.exe
F:\WINDOWS\system32\lkcitdl.exe
F:\WINDOWS\System32\igfxtray.exe
F:\WINDOWS\System32\hkcmd.exe
F:\WINDOWS\System32\igfxpers.exe
F:\WINDOWS\System32\WLTRAY.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\WINDOWS\system32\lkads.exe
F:\WINDOWS\system32\lktsrv.exe
F:\PROGRA~1\SYMANT~1\VPTray.exe
F:\Program Files\National Instruments\MAX\nimxs.exe
F:\Program Files\Java\jre6\bin\jusched.exe
F:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
F:\WINDOWS\RTHDCPL.EXE
F:\WINDOWS\system32\nisvcloc.exe
F:\WINDOWS\system32\rundll32.exe
F:\Program Files\MSN Messenger\MsnMsgr.Exe
F:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
F:\Program Files\AIM\aim.exe
F:\Program Files\Skype\Phone\Skype.exe
F:\Program Files\Veoh Networks\Veoh\VeohClient.exe
F:\WINDOWS\System32\svchost.exe
F:\Documents and Settings\g-race\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
F:\WINDOWS\System32\WLTRYSVC.EXE
F:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
F:\WINDOWS\System32\bcmwltry.exe
F:\Program Files\Impulse\PolicyKey.exe
F:\Program Files\3M\PSNLite\PsnLite.exe
F:\Program Files\Canon\CAL\CALMAIN.exe
F:\PROGRA~1\3M\PSNLite\PSNGive.exe
F:\WINDOWS\system32\wscntfy.exe
F:\WINDOWS\explorer.exe
F:\Program Files\Microsoft Office\Office10\WINWORD.EXE
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\internet explorer\iexplore.exe
F:\Program Files\Java\jre6\bin\java.exe
F:\Documents and Settings\g-race\Local Settings\Temp\jkos-g-race\binaries\ScanningProcess.exe
F:\Documents and Settings\g-race\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - F:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre6\bin\ssv.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - F:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [igfxtray] F:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] F:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] F:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] F:\WINDOWS\System32\WLTRAY.exe
O4 - HKLM\..\Run: [INPROCOMMWireless] F:\Program Files\Atheros\Wireless\Utility\WlanUtil.exe
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] F:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] F:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ad-Watch] F:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [MsnMsgr] "F:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] F:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Skype] "F:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Veoh] "F:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [Google Update] "F:\Documents and Settings\g-race\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [VeohPlugin] "F:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PolicyKey.lnk = F:\Program Files\Impulse\PolicyKey.exe
O4 - Global Startup: Post-it® Software Notes Lite.lnk = F:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: &Download by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - F:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - F:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - F:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - F:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - F:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - F:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - F:\WINDOWS\system32\lktsrv.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - F:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - F:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - F:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - F:\WINDOWS\system32\nisvcloc.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - F:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
O23 - Service: OpcEnum - OPC Foundation - F:\WINDOWS\system32\OpcEnum.exe
O23 - Service: SAVRoam (SavRoam) - symantec - F:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - F:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - F:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 10265 bytes

-------------------

I haven't had any popups recently! The computer seems to be a little laggy, but I don't think it's related to this anymore? Also, searching through swagbucks.com seems to work again - no more redirecting windows.

Is my system clean now? (Thanks so much for your help btw!)
whitemystu
Active Member
 
Posts: 6
Joined: February 1st, 2009, 12:06 am

Re: Help! Random popups in Mozilla Firefox from 82.98.235.111

Unread postby Bv202 » February 10th, 2009, 1:47 pm

Hi whitemystu

As your log files are looking clean, I don't think the "lag" is caused by malware. Please read What to do if your Computer is running slowly and follow these steps, then have a look if it made any difference :)


Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
The above procedure will uninstall ComboFix. It will reset your System Restore and clear out the backups and quarantines created during the course of this fix.


Congratulations, your machine appears to be clean! :)
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:


Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Make sure you enable Automatic Updates for your computer. You can set this in the Control Panel -> Windows Update.
An alternative way is to visit Microsoft often to get the latest updates for your computer:
http://www.update.microsoft.com
Note: I see you are running SP2. It's recommended to update to SP3 if you have the time and resources for it. A service pack contains a lot of security fixes and general updates.
From your log I can see you're still using Internet Explorer 6. I know you're a Firefox user, but it's still recommended to upgrade as it contains a lot of bug and security fixes.

Here are some free programs I recommend that could help you improve your computer's security.

Malwarebytes' Anti-Malware
Download it from here. Click "Download" and you'll get redirected to download.com, where you can download the product. You can also buy this program, which gives you real-time protection against common malware. However, you can use the free program to scan and remove any infections found.

Install SpyWare Blaster 4.0
Download it from here
Find the tutorial on how to use Spyware Blaster here

Install WinPatrol
Download it from here
Here you can find information about how WinPatrol works

Install FireTrust SiteHound
You can find information and download it from here

Install MVPS Hosts File from here
The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm

FIREWALL
I can't see any firewall in your HijackThis log, so I assume you use Windows Firewall.
Without a firewall your computer is susceptible to being hacked and taken over. If you use the Windows Firewall you might think that's sufficient but it only controls one way of the traffic (inbound). Simply using a Firewall in its default configuration can lower your risk greatly.
It's preferable to install one of the suggested firewalls.

FREE FIREWALLS
  • Comodo
    When installing, it will ask you to install Anti-Virus functionality. Please uncheck "install comodo antivirus (recommended)" unless you've uninstalled your AV. NEVER have 2 or more Anti-Virus programs on your computer; it will cause performance loss and/or other problems.
  • Online Armor
  • Sunbelt Kerio

Tutorial about Firewalls can be found here


Read some information here on how to prevent malware.


Happy safe surfing!

Please reply once more to this thread so we know it can be closed. If you have any questions left, now is the time to ask! :)
Bv202
Regular Member
 
Posts: 1732
Joined: May 3rd, 2008, 10:46 am
Location: Belgium (GMT +1)
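
The HOSTS-file redirection Bv202 describes above, as an added example that is not part of the original thread and not MVPS's own code: a small Python parser that reads a HOSTS file in the MVPS layout, reports whether a name would be sent to 127.0.0.1 (or 0.0.0.0, which newer lists use), shows that matching is exact so subdomains are not covered, and flags entries that point a name at a real address, the pattern to look for when malware has edited the file. The sample file and every hostname in it are constructed.

```python
"""Parse a HOSTS file and show how blocklist entries such as the MVPS
list work: a name mapped to 127.0.0.1 never reaches the real server.

Added example for this thread; the sample below is constructed and is
not the real MVPS HOSTS file."""
from typing import Dict, Optional

# Constructed sample in the layout the MVPS list uses (address, whitespace,
# hostname; '#' starts a comment). The '.invalid' TLD is reserved and never
# resolves, so these names are safe placeholders.
SAMPLE_HOSTS = """\
# Constructed sample HOSTS file (not the real MVPS list)
127.0.0.1       localhost
::1             localhost

# [Start of entries generated by a blocklist]
127.0.0.1  ads.example-adnetwork.invalid
127.0.0.1  tracker.example-counter.invalid   # inline comment is ignored
0.0.0.0    banners.example-adserver.invalid  # newer lists use 0.0.0.0

# Constructed hijack-style entry: a security vendor's update host sent
# to a foreign address instead of the local machine.
10.0.0.5   update.example-avvendor.invalid
"""

# Addresses that send traffic nowhere useful: the loopback address the
# thread mentions, and 0.0.0.0, which newer blocklists prefer.
BLACKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# The only names that legitimately point at loopback.
LOCALHOST_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Return {hostname: address} for every entry in a HOSTS file.

    Comments and blank lines are skipped. When a name appears more than
    once, the first mapping is kept (assumed to match how the resolver
    picks among duplicates).
    """
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line: an address with no name
        address, names = fields[0], fields[1:]
        for name in names:
            mapping.setdefault(name.lower(), address)
    return mapping


def hosts_override(hostname: str, mapping: Dict[str, str]) -> Optional[str]:
    """Address the HOSTS file supplies for hostname, or None if absent.

    Matching is exact and case-insensitive: HOSTS has no wildcards, so a
    blocked 'ads.example' does nothing for 'www.ads.example'.
    """
    return mapping.get(hostname.lower().rstrip("."))


def is_blocked(hostname: str, mapping: Dict[str, str]) -> bool:
    """True when the HOSTS file sends hostname to a blackhole address."""
    name = hostname.lower().rstrip(".")
    if name in LOCALHOST_NAMES:
        return False
    return hosts_override(name, mapping) in BLACKHOLE_ADDRESSES


def find_suspicious_redirects(mapping: Dict[str, str]) -> Dict[str, str]:
    """Names mapped to a real (non-blackhole) address.

    A blocklist only ever points names at loopback or 0.0.0.0, so any
    other target was added by something else, possibly malware steering
    update or vendor hosts to a machine it controls.
    """
    return {name: address for name, address in mapping.items()
            if address not in BLACKHOLE_ADDRESSES}


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for host in ("ads.example-adnetwork.invalid",
                 "www.ads.example-adnetwork.invalid",
                 "banners.example-adserver.invalid"):
        print(f"{host}: blocked={is_blocked(host, table)}")
    print("suspicious:", find_suspicious_redirects(table))
```

Running it shows the exact-match caveat directly: the ad host is blocked, its www. subdomain is not, and the constructed 10.0.0.5 entry is the one line a cleanup should question.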

Re: Help! Random popups in Mozilla Firefox from 82.98.235.111

Unread postby Shaba » February 13th, 2009, 12:18 pm

whitemystu this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland