IE 8 and firefox keep opening pop-ups

Re: IE 8 and firefox keep opening pop-ups

Post by jmw3 » October 26th, 2009, 2:39 pm

Hi

Before running ComboFix again please ensure McAfee is properly disabled as it can cause problems with the cleaning process.
To disable McAfee, follow the instructions in this animated gif:
[Image: animated gif showing how to disable McAfee]


CFScript
Close any open browsers.
Open notepad and copy/paste the text in the code box below into it:

Code:
http://www.malwareremoval.com/forum/viewtopic.php?f=11&t=46571
Collect::
c:\windows\system32\hopawiki.dll
c:\windows\system32\matumiga.exe
c:\windows\system32\sibofuda.exe
DirLook::
c:\program files\lu
Driver::
Fdaudyage
RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

Save this as CFScript.txt, in the same location as ComboFix.exe

[Image: dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt".
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.


TFC (Temp File Cleaner)
Download TFC (Temp File Cleaner) by Old Timer Here & save it to your desktop.
  • Save any unsaved work. TFC Cleaner will close all open application windows
  • Double-click TFC.exe to run the program, your desktop will temporarily disappear
  • If prompted, click Yes to reboot
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take any longer than a couple of minutes & may only take a few seconds. Only if needed will you be prompted to reboot.

Kaspersky Online Scan
Do an online scan with Kaspersky Online Scanner
  • Read through the requirements and privacy statement and click on Accept button
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
  • When the downloads have finished, click on Settings
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan
  • Once the scan is complete, it will display the results. Click on View Scan Report
  • You will see a list of infected items there. Click on Save Report As...
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button
  • Please post this log in your next reply
To post in next reply:
ComboFix log
Kaspersky Scan log
New HijackThis log
Update on how the computer is running / problems
jmw3
MRU Emeritus
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
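An added example in Python, not part of this thread and not ComboFix's own code: a small parser that reads a CFScript like the one posted above, groups each line under its `Directive::` header, and reports lines that do not fit the four directives used here, so a helper can sanity-check a script before it is dropped onto ComboFix.exe. The argument rules in `DIRECTIVE_RULES` are assumptions based only on the directives shown in this thread.

```python
import re
from collections import OrderedDict

# The CFScript posted in this thread. ComboFix ignores the leading topic URL;
# helpers include it so the resulting log records where the script came from.
CFSCRIPT = r"""http://www.malwareremoval.com/forum/viewtopic.php?f=11&t=46571
Collect::
c:\windows\system32\hopawiki.dll
c:\windows\system32\matumiga.exe
c:\windows\system32\sibofuda.exe
DirLook::
c:\program files\lu
Driver::
Fdaudyage
RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
"""

ABS_PATH = re.compile(r"[a-zA-Z]:\\.+")      # drive-letter path
SERVICE_NAME = re.compile(r"[\w.\- ]+")       # service or driver name
REG_KEY = re.compile(r"\[HK[A-Z_]+\\.+\]")    # bracketed registry key

# Assumed argument rules: the four directives used in this thread and what
# each argument line under the directive is expected to look like.
DIRECTIVE_RULES = {
    "Collect": ABS_PATH,      # files to zip up for analysis
    "DirLook": ABS_PATH,      # directories to list in the log
    "Driver": SERVICE_NAME,   # drivers/services to remove
    "RegLock": REG_KEY,       # registry keys to lock
}
DIRECTIVE_HEADER = re.compile(r"^([A-Za-z]+)::$")


def parse_cfscript(text):
    """Group argument lines under their directive and collect problems.

    Returns (directives, problems): an ordered mapping directive -> [lines]
    and a list of human-readable problem strings (empty for a clean script).
    """
    directives = OrderedDict()
    problems = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        header = DIRECTIVE_HEADER.match(line)
        if header:
            current = header.group(1)
            if current not in DIRECTIVE_RULES:
                problems.append(f"line {lineno}: unknown directive {current}::")
            directives.setdefault(current, [])
            continue
        if current is None:
            # Only a topic URL is tolerated before the first directive.
            if not line.lower().startswith(("http://", "https://")):
                problems.append(f"line {lineno}: text before first directive: {line}")
            continue
        rule = DIRECTIVE_RULES.get(current)
        if rule is not None and not rule.fullmatch(line):
            problems.append(f"line {lineno}: malformed argument for {current}:: {line}")
        directives[current].append(line)
    return directives, problems


if __name__ == "__main__":
    parsed, issues = parse_cfscript(CFSCRIPT)
    for name, args in parsed.items():
        print(f"{name}:: {len(args)} argument(s)")
    print("problems:", issues or "none")
```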

Re: IE 8 and firefox keep opening pop-ups

Post by mingxu16 » October 27th, 2009, 11:02 am

jmw3, the Kaspersky online scanner keeps asking me for Java framework version 1.5 or later. But I have installed the most updated Java framework and rebooted the computer after installing it. Right now the "accept" button of the Kaspersky scanner is gray. What should I do next? Thank you so much for the help.
mingxu16
Regular Member
Posts: 30
Joined: October 13th, 2009, 7:25 pm

Re: IE 8 and firefox keep opening pop-ups

Post by Wingman » October 27th, 2009, 4:25 pm

Hello mingxu,
Sorry for being absent for a bit... but you were in good hands with jmw3.
The KAS scanner is undergoing some changes and evidently still has a bug or two to work out. Please use this scanner instead.
Also, please include the ComboFix scan results from jmw3's previous post.

Step 1.
ESET NOD32 Online Scan
Note: You - will - need to use Internet Explorer for this scan!
Please temporarily disable your Anti-virus real-time protection. If active, it could impact the online scan.

McAfee Enterprise
  1. Click Start, Programs, McAfee, VirusScan Enterprise, VirusScan Console.
  2. Right-click Access Protection and select Disable.
  3. Close and exit McAfee

Please go to ESET Online Scanner to run an online scan.
** Make sure you are using an account that has Administrative privileges **
    Press the "ESET Online Scanner" button.
  1. Check the box next to "YES, I accept the Terms of Use."
  2. Click "Start"... a window will open... it may appear nothing is happening... please be patient.
  3. Click Yes... at the run ActiveX prompt. Click Install... at the install ActiveX prompt.
    Once installed, the scanner will be initialized.
  4. Click "Start". Make sure that the options:
    • Remove found threats is UNCHECKED
    • Leave the "default" settings under Advanced as they are; if not set, please check:
      • Scan for potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth Technology
  5. Click "Start"... ESET scanner will begin to download the virus signatures database.
    When the signatures have been downloaded, the scan will start automatically.
  6. Wait for the scan to finish... it may take a while... please be patient. When the scan is finished...
  7. Use Notepad to open the log file located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste the contents of log.txt in your next reply.

Remember to enable your Anti-virus protection... before continuing!

Step 2.
Please include in your next reply:
  1. Any problem executing the instructions?
  2. ComboFix log
  3. ESET scan log
  4. New HijackThis log
  5. How is the computer behaving, still problems?
Thanks,
Wingman
Wingman
Admin/Teacher
Posts: 14347
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: IE 8 and firefox keep opening pop-ups

Post by mingxu16 » October 28th, 2009, 11:04 am

Thank both of you! I greatly appreciate your help. I will post the logs in separate replies.

Here is the Combofix log:


ComboFix 09-10-26.03 - mxu34 10/27/2009 10:24.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3572.3074 [GMT -4:00]
Running from: c:\documents and settings\mxu34\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\mxu34\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

file zipped: c:\windows\system32\hopawiki.dll
file zipped: c:\windows\system32\matumiga.exe
file zipped: c:\windows\system32\sibofuda.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\hopawiki.dll
c:\windows\system32\matumiga.exe
c:\windows\system32\sibofuda.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Fdaudyage


((((((((((((((((((((((((( Files Created from 2009-09-27 to 2009-10-27 )))))))))))))))))))))))))))))))
.

2009-10-27 14:31 . 2009-10-27 14:31 16384 ----atw- c:\temp\Perflib_Perfdata_e8.dat
2009-10-24 17:00 . 2009-10-24 17:00 -------- d-----w- c:\program files\lu
2009-10-23 21:26 . 2009-10-23 21:26 -------- d-----w- C:\rsit
2009-10-20 21:18 . 2009-10-20 21:19 -------- d-----w- c:\documents and settings\mxu34\Application Data\CVS
2009-10-20 21:18 . 2009-10-20 21:18 -------- d-sh--w- c:\windows\ftpcache
2009-10-17 21:32 . 2009-10-17 21:32 -------- d-----w- c:\temp\TestEngDat64
2009-10-17 14:00 . 2009-10-26 13:48 -------- d-----w- c:\temp\Windows Live Toolbar
2009-10-17 14:00 . 2009-10-21 22:14 -------- d-----w- c:\temp\__SkypeIEToolbar_Cache
2009-10-16 22:44 . 2009-10-16 22:44 -------- d-----w- c:\documents and settings\mxu34\Application Data\CyberLink
2009-10-16 22:44 . 2009-10-16 22:44 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2009-10-16 20:45 . 2009-10-16 20:45 -------- d-----w- c:\program files\Common Files\Real
2009-10-16 20:07 . 2009-10-16 20:07 -------- d-----w- c:\documents and settings\ming\Application Data\Malwarebytes
2009-10-16 20:02 . 2009-10-16 20:02 -------- d-----w- c:\documents and settings\mxu34\Application Data\Malwarebytes
2009-10-16 20:01 . 2009-10-16 20:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-16 03:51 . 2009-10-16 03:51 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-10-09 10:26 . 2008-10-16 18:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-10-09 10:26 . 2008-10-16 18:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-10-04 17:00 . 2009-10-04 17:32 -------- d-----w- c:\documents and settings\ming\Application Data\ppStream
2009-10-02 23:16 . 2009-10-01 14:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-30 23:27 . 2009-10-01 02:53 -------- d-----w- c:\program files\cctvbox
2009-09-30 23:22 . 2009-09-30 23:22 -------- d-----w- c:\documents and settings\mxu34\Application Data\CCTV
2009-09-30 23:19 . 2009-09-30 23:19 -------- d-----w- c:\documents and settings\All Users\Application Data\CCTV

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-27 14:31 . 2009-06-28 19:24 -------- d-----w- c:\program files\Microsoft Silverlight
2009-10-27 13:14 . 2009-08-13 15:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-26 19:18 . 2009-08-20 23:10 -------- d-----w- c:\documents and settings\mxu34\Application Data\EndNote
2009-10-20 00:08 . 2009-08-13 16:03 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-13 23:45 . 2009-06-28 18:43 27839 ----a-w- c:\windows\system32\nvModes.dat
2009-10-04 17:41 . 2009-09-19 16:13 -------- d-----w- c:\program files\PPStream
2009-10-01 17:17 . 2009-09-19 16:14 -------- d-----w- c:\documents and settings\mxu34\Application Data\PPStream
2009-09-25 16:36 . 2009-09-23 22:56 -------- d-----w- c:\documents and settings\mxu34\Application Data\Skype
2009-09-25 14:31 . 2009-09-23 22:57 -------- d-----w- c:\documents and settings\mxu34\Application Data\skypePM
2009-09-23 22:57 . 2009-09-23 22:57 48 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-09-23 22:56 . 2009-09-23 22:55 -------- d-----r- c:\program files\Skype
2009-09-23 22:55 . 2009-09-23 22:55 -------- d-----w- c:\program files\Common Files\Skype
2009-09-23 22:55 . 2009-09-23 22:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-09-07 01:52 . 2009-09-07 01:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Creative
2009-09-07 01:51 . 2009-09-07 01:51 -------- d-----w- c:\documents and settings\mxu34\Application Data\Creative
2009-09-05 18:28 . 2009-09-05 18:28 -------- d-----w- c:\program files\Trend Micro
2009-09-05 18:18 . 2009-09-05 18:18 -------- d-----w- c:\program files\Panda Security
2009-09-05 18:06 . 2009-09-05 18:06 -------- d-----w- c:\program files\Windows Defender
2009-09-05 17:48 . 2009-06-28 19:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\InstallShield
2009-08-29 01:18 . 2009-08-29 01:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Macrovision
2009-08-29 01:18 . 2009-08-29 01:18 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2009-08-29 01:17 . 2009-06-28 18:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-29 00:50 . 2009-08-29 00:50 -------- d-----w- c:\documents and settings\mxu34\Application Data\AdobeUM
2009-08-27 22:40 . 2009-06-28 19:09 90352 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-22 16:02 . 2009-08-20 19:20 0 ----a-w- c:\documents and settings\mxu34\Local Settings\Application Data\WavXMapDrive.bat
2009-08-22 15:54 . 2009-08-22 15:54 0 ----a-w- c:\documents and settings\ming\Local Settings\Application Data\WavXMapDrive.bat
2009-08-22 13:17 . 2009-06-28 19:26 68456 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-20 18:27 . 2009-06-28 19:26 0 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\WavXMapDrive.bat
2009-08-17 16:50 . 2009-08-17 16:50 0 ----a-w- c:\windows\nsreg.dat
2009-08-13 16:05 . 2009-06-28 18:54 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-05 09:01 . 2008-04-25 16:16 204800 ----a-w- c:\windows\system32\mswebdvd.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\program files\lu ----

2009-10-24 17:00 . 2007-02-07 19:23 5137 ----a-w- c:\program files\lu\Readme.txt
2009-10-24 17:00 . 2006-07-21 12:03 12194 ----a-w- c:\program files\lu\lu-serve documentation v2.01.txt
2009-10-24 17:00 . 2007-02-07 19:18 10655 ----a-w- c:\program files\lu\lu.pl
2009-10-24 17:00 . 2007-02-07 19:20 1607349 ----a-w- c:\program files\lu\lu.exe
2009-10-24 17:00 . 2007-02-07 19:08 4536 ----a-w- c:\program files\lu\License.txt
2009-10-24 17:00 . 2007-02-07 19:09 9143 ----a-w- c:\program files\lu\License.pdf


((((((((((((((((((((((((((((( SnapShot@2009-10-26_13.53.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-11 23:41 . 2009-07-11 23:41 97280 c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_473666fd\ATL80.dll
+ 2008-04-25 16:16 . 2009-10-27 13:13 80032 c:\windows\system32\perfc009.dat
- 2008-04-25 16:16 . 2009-10-26 13:23 80032 c:\windows\system32\perfc009.dat
- 2009-08-17 15:51 . 2009-08-17 15:51 27136 c:\windows\Installer\{90170409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2009-08-17 15:51 . 2009-10-27 13:12 27136 c:\windows\Installer\{90170409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2009-08-17 15:51 . 2009-08-17 15:51 12288 c:\windows\Installer\{90170409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2009-08-17 15:51 . 2009-10-27 13:12 12288 c:\windows\Installer\{90170409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2009-08-17 15:42 . 2009-08-17 15:43 35088 c:\windows\Installer\{90120000-0051-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-08-17 15:42 . 2009-10-27 13:13 35088 c:\windows\Installer\{90120000-0051-0000-0000-0000000FF1CE}\oisicon.exe
- 2009-08-17 15:42 . 2009-08-17 15:43 18704 c:\windows\Installer\{90120000-0051-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-08-17 15:42 . 2009-10-27 13:13 18704 c:\windows\Installer\{90120000-0051-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-08-17 15:42 . 2009-10-27 13:13 20240 c:\windows\Installer\{90120000-0051-0000-0000-0000000FF1CE}\cagicon.exe
- 2009-08-17 15:42 . 2009-08-17 15:43 20240 c:\windows\Installer\{90120000-0051-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-08-13 16:00 . 2009-10-27 13:14 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2009-08-13 16:00 . 2009-08-27 22:04 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2009-08-13 16:00 . 2009-08-27 22:04 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-08-13 16:00 . 2009-10-27 13:14 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-08-13 16:00 . 2009-10-27 13:14 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2009-08-13 16:00 . 2009-08-27 22:04 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-04-02 18:23 . 2009-04-02 18:23 10104 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\XLCALL32.DLL
+ 2009-04-03 22:01 . 2009-04-03 22:01 71504 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\XL12CNVP.DLL
+ 2009-04-03 21:57 . 2009-04-03 21:57 21320 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\WRD12EXE.EXE
+ 2009-01-07 01:31 . 2009-01-07 01:31 48512 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\PUBTRAP.DLL
+ 2009-08-17 15:51 . 2009-10-27 13:12 4096 c:\windows\Installer\{90170409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2009-08-17 15:51 . 2009-08-17 15:51 4096 c:\windows\Installer\{90170409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2008-04-25 16:16 . 2009-10-26 13:23 466982 c:\windows\system32\perfh009.dat
+ 2008-04-25 16:16 . 2009-10-27 13:13 466982 c:\windows\system32\perfh009.dat
+ 2009-10-27 13:14 . 2009-10-27 13:14 177664 c:\windows\Installer\26be5.msi
+ 2009-10-27 13:14 . 2009-10-27 13:14 140288 c:\windows\Installer\26bbc.msi
+ 2009-05-26 22:53 . 2009-05-26 22:53 579072 c:\windows\Installer\26b17.msp
+ 2008-11-05 16:02 . 2008-11-05 16:02 119296 c:\windows\Installer\26aec.msp
+ 2009-10-27 13:11 . 2009-10-27 13:11 248832 c:\windows\Installer\26ae2.msi
+ 2009-08-17 15:51 . 2009-10-27 13:12 135168 c:\windows\Installer\{90170409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2009-08-17 15:51 . 2009-08-17 15:51 135168 c:\windows\Installer\{90170409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2009-08-17 15:51 . 2009-10-27 13:12 282624 c:\windows\Installer\{90170409-6000-11D3-8CFE-0150048383C9}\fpicon.exe
- 2009-08-17 15:51 . 2009-08-17 15:51 282624 c:\windows\Installer\{90170409-6000-11D3-8CFE-0150048383C9}\fpicon.exe
- 2009-08-17 15:42 . 2009-08-17 15:43 327952 c:\windows\Installer\{90120000-0051-0000-0000-0000000FF1CE}\visicon.exe
+ 2009-08-17 15:42 . 2009-10-27 13:13 327952 c:\windows\Installer\{90120000-0051-0000-0000-0000000FF1CE}\visicon.exe
+ 2009-08-17 15:42 . 2009-10-27 13:13 217864 c:\windows\Installer\{90120000-0051-0000-0000-0000000FF1CE}\misc.exe
- 2009-08-17 15:42 . 2009-08-17 15:43 217864 c:\windows\Installer\{90120000-0051-0000-0000-0000000FF1CE}\misc.exe
- 2009-08-13 16:00 . 2009-08-27 22:04 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-08-13 16:00 . 2009-10-27 13:14 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
- 2009-08-13 16:00 . 2009-08-27 22:04 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2009-08-13 16:00 . 2009-10-27 13:14 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2009-08-13 16:00 . 2009-10-27 13:14 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2009-08-13 16:00 . 2009-08-27 22:04 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-08-13 16:00 . 2009-10-27 13:14 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2009-08-13 16:00 . 2009-08-27 22:04 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2009-08-13 16:00 . 2009-08-27 22:04 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2009-08-13 16:00 . 2009-10-27 13:14 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2009-08-13 16:00 . 2009-08-27 22:04 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2009-08-13 16:00 . 2009-10-27 13:14 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2009-08-13 16:00 . 2009-10-27 13:14 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
- 2009-08-13 16:00 . 2009-08-27 22:04 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2009-04-03 22:11 . 2009-04-03 22:11 408424 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\WINWORD.EXE
+ 2009-03-06 07:41 . 2009-03-06 07:41 589704 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\PUBCONV.DLL
+ 2009-01-08 14:59 . 2009-01-08 14:59 624520 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\PTXT9.DLL
+ 2008-10-25 10:21 . 2008-10-25 10:21 136072 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\PRTF9.DLL
+ 2009-08-13 16:02 . 2009-08-13 16:02 350064 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\PPTPIA.DLL
+ 2009-04-03 22:04 . 2009-04-03 22:04 521064 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\POWERPNT.EXE
+ 2008-11-04 04:04 . 2008-11-04 04:04 498072 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\MORPH9.DLL
+ 2009-10-27 13:13 . 2009-10-27 13:13 350064 c:\windows\assembly\GAC\Microsoft.Office.Interop.PowerPoint\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.PowerPoint.dll
- 2009-08-13 16:02 . 2009-08-13 16:02 350064 c:\windows\assembly\GAC\Microsoft.Office.Interop.PowerPoint\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.PowerPoint.dll
+ 2009-05-04 11:46 . 2009-05-04 11:46 8299008 c:\windows\Installer\26bd2.msp
+ 2009-05-26 22:54 . 2009-05-26 22:54 4192768 c:\windows\Installer\26ba8.msp
+ 2009-05-04 11:47 . 2009-05-04 11:47 9124864 c:\windows\Installer\26b8d.msp
+ 2009-04-24 16:30 . 2009-04-24 16:30 2583552 c:\windows\Installer\26b76.msp
+ 2009-02-25 23:08 . 2009-02-25 23:08 8311808 c:\windows\Installer\26b54.msp
+ 2009-04-24 16:28 . 2009-04-24 16:28 4450816 c:\windows\Installer\26b3f.msp
+ 2009-08-18 16:56 . 2009-08-18 16:56 5020672 c:\windows\Installer\26b02.msp
+ 2009-04-24 16:29 . 2009-04-24 16:29 9013760 c:\windows\Installer\26adc.msp
- 2009-08-13 16:00 . 2009-08-27 22:04 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-08-13 16:00 . 2009-10-27 13:14 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
- 2009-08-13 16:00 . 2009-08-27 22:04 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-08-13 16:00 . 2009-10-27 13:14 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-04-03 21:57 . 2009-04-03 21:57 4671320 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\WRD12CNV.DLL
+ 2009-04-03 22:04 . 2009-04-03 22:04 8468840 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\PPCORE.DLL
+ 2009-03-06 07:41 . 2009-03-06 07:41 9589096 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\MSPUB.EXE
+ 2006-09-15 20:25 . 2006-09-15 20:25 3611416 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\OUTLFLTR.DAT
+ 2009-10-27 13:13 . 2009-10-27 13:13 15709696 c:\windows\Installer\26b28.msp
+ 2009-04-03 22:01 . 2009-04-03 22:01 15108448 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\XL12CNV.EXE
+ 2009-04-03 22:11 . 2009-04-03 22:11 17740136 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\WWLIB.DLL
+ 2009-04-03 22:11 . 2009-04-03 22:11 18330984 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\EXCEL.EXE
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-02-22 200704]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-17 483420]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-03-17 729088]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-08-28 13537280]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-08-28 86016]
"OA001Mon"="c:\windows\OA001Mon.exe" [2009-03-30 24576]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-02-11 186904]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2009-02-19 357400]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-05-12 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2008-04-14 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-08-28 1630208]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2008-08-28 90112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-8-28 113664]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-8-15 604776]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Imapi Helper"=3 (0x3)
"WinDefend"=2 (0x2)
"MDM"=2 (0x2)
"Adobe LM Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\mxu34\\My Documents\\Downloads\\ppstreamsetup.exe"=
"c:\\Program Files\\PPStream\\PPStream.exe"=
"c:\\Program Files\\PPStream\\PPSAP.exe"=
"c:\\Documents and Settings\\mxu34\\My Documents\\Downloads\\ppstreamsetup(2).exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\cctvbox\\tv\\CCTVPlayer.exe"=
"c:\\Program Files\\WIDCOMM\\Bluetooth Software\\bin\\btwdins.exe"=
"c:\\Program Files\\Intel\\WiFi\\bin\\EvtEng.exe"=
"c:\\Program Files\\Common Files\\Intel\\WirelessCommon\\RegSrvc.exe"=
"c:\\Program Files\\Intel\\ASF Agent\\ASFAgent.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\RemoteAdminSettings]
"Enabled"= 1 (0x1)

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [9/5/2009 02:18 PM 28544]
R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [4/19/2007 06:56 AM 133968]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [1/22/2009 11:19 AM 808296]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [1/22/2009 11:19 AM 20840]
R2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [6/28/2009 03:09 PM 2058776]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [6/28/2009 05:35 PM 112512]
R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [6/28/2009 05:35 PM 32808]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [6/28/2009 05:35 PM 244368]
R3 OA001Afx;Provides a software interface to control audio effects of OA001 camera.;c:\windows\system32\drivers\OA001Afx.sys [6/28/2009 05:35 PM 148056]
R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\drivers\OA001Ufd.sys [6/28/2009 05:35 PM 133632]
R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\drivers\OA001Vid.sys [6/28/2009 05:35 PM 280096]
R3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [6/28/2009 03:20 PM 232744]
S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [4/19/2007 06:28 AM 42832]
S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\NvtSp50.sys --> c:\windows\system32\Drivers\NvtSp50.sys [?]
S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 07:19 PM 13592]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} - hxxps://site.cmbchina.com/download/CMBEdit.cab
DPF: {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} - hxxp://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll
FF - ProfilePath - c:\documents and settings\mxu34\Application Data\Mozilla\Firefox\Profiles\02m5a8a4.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox ... S:official
FF - plugin: c:\program files\Mozilla Firefox\plugins\np32asw.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-27 10:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3372)
c:\windows\system32\WININET.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\drivers\audio\r213367\stacsv.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\combofix\CF30346.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\DellTPad\Apntex.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-27 10:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-27 14:37
ComboFix2.txt 2009-10-26 13:54

Pre-Run: 118,716,518,400 bytes free
Post-Run: 118,611,177,472 bytes free

- - End Of File - - 6BF43374CFBB6A4927012CD931D6C628
mingxu16
Regular Member
 
Posts: 30
Joined: October 13th, 2009, 7:25 pm

Re: IE 8 and firefox keep opening pop-ups

Unread postby mingxu16 » October 28th, 2009, 11:11 am

ESET log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=d4ebc413ffd57f41b717a0336b3a4975
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-10-28 03:10:30
# local_time=2009-10-28 11:10:30 (-0500, Eastern Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 3643651 3643651 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=194819
# found=30
# cleaned=0
# scan_time=2054
C:\Documents and Settings\mxu34\My Documents\Downloads\SmitfraudFix.exe multiple threats 00000000000000000000000000000000 I
C:\Documents and Settings\mxu34\My Documents\Downloads\smitRem.exe Win32/PrcView application 00000000000000000000000000000000 I
C:\Program Files\Mozilla Firefox\SmitfraudFix\Process.exe Win32/PrcView application 00000000000000000000000000000000 I
C:\Program Files\Mozilla Firefox\SmitfraudFix\restart.exe Win32/Shutdown.NAA application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\bipibunu.dll.vir a variant of Win32/Kryptik.AWO trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\febudipi.dll.vir a variant of Win32/Kryptik.AWO trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\gafuyowo.dll.vir a variant of Win32/Kryptik.AVG trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\nebiteda.dll.vir a variant of Win32/Kryptik.AYZ trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\veketaha.dll.vir a variant of Win32/Kryptik.AWO trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\wesokaru.dll.vir a variant of Win32/Kryptik.AYZ trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\zehigipu.dll.vir a variant of Win32/KillAV.NGE trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP45\A0011610.exe Win32/PrcView application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP71\A0022834.exe Win32/PrcView application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP72\A0022894.exe multiple threats 00000000000000000000000000000000 I
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP72\A0022908.exe Win32/PrcView application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP72\A0022911.exe Win32/Shutdown.NAA application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP73\A0025987.exe Win32/PrcView application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP77\A0027976.dll a variant of Win32/Kryptik.AYZ trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP78\A0028004.dll a variant of Win32/Kryptik.AYZ trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP79\A0028140.dll a variant of Win32/Kryptik.AYZ trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP80\A0028297.dll a variant of Win32/Kryptik.AWO trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP80\A0028298.dll a variant of Win32/Kryptik.AWO trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP80\A0028299.dll a variant of Win32/Kryptik.AVG trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP80\A0028303.dll a variant of Win32/Kryptik.AYZ trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP80\A0028306.dll a variant of Win32/Kryptik.AWO trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP80\A0028307.dll a variant of Win32/Kryptik.AYZ trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP80\A0028309.dll a variant of Win32/KillAV.NGE trojan 00000000000000000000000000000000 I
C:\Users\GT\Projects\community design\backup\CalTOXtemplate.XLS probably unknown MACRO virus 00000000000000000000000000000000 I
C:\Users\GT\Projects\community design\backup\start\backup\CalTOXtemplate.XLS probably unknown MACRO virus 00000000000000000000000000000000 I
C:\Users\GT\Projects\community design\thesis_material\start\backup\CalTOXtemplate.XLS probably unknown MACRO virus 00000000000000000000000000000000 I
mingxu16
Regular Member
 
Posts: 30
Joined: October 13th, 2009, 7:25 pm

Re: IE 8 and firefox keep opening pop-ups

Unread postby mingxu16 » October 28th, 2009, 11:12 am

HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:56, on 10/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r213367\stacsv.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\OA001Mon.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USREL/1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [OA001Mon] C:\WINDOWS\OA001Mon.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [picon] "C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" -startup
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} (Edit Class) - https://site.cmbchina.com/download/CMBEdit.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos-be ... canner.cab
O16 - DPF: {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} (CCTVUpdateInstall) - http://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = coe.gt.buzz
O17 - HKLM\Software\..\Telephony: DomainName = coe.gt.buzz
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = coe.gt.buzz
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = coe.gt.buzz,gt.buzz,ce.gatech.edu,cee.gatech.edu,gatech.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = coe.gt.buzz,gt.buzz,ce.gatech.edu,cee.gatech.edu,gatech.edu
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Credential Vault Host Control Service - Broadcom Corporation - C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
O23 - Service: Credential Vault Host Storage - Broadcom Corporation - C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel(R) Active Management Technology Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless WiFi Service (S24EventMonitor) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\drivers\audio\r213367\stacsv.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Intel(R) Active Management Technology User Notification Service (UNS) - Intel Corporation - C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe

--
End of file - 12729 bytes
mingxu16
Regular Member
 
Posts: 30
Joined: October 13th, 2009, 7:25 pm

Re: IE 8 and firefox keep opening pop-ups

Unread postby mingxu16 » October 28th, 2009, 11:14 am

Current problem:

I haven't seen any automatic pop-ups for days. But my McAfee sometimes detects viruses. And the computer seems a little bit slower than before.

Thanks again for your help.
mingxu16
Regular Member
 
Posts: 30
Joined: October 13th, 2009, 7:25 pm

Re: IE 8 and firefox keep opening pop-ups

Unread postby Wingman » October 29th, 2009, 1:37 pm

Hello mingxu,
Thank you for providing the logs.
There are some files I would like to get more information on. We'll run them through an online file scan.

Please do not run any "fix" programs and/or remove any files unless instructed to do so, by me. I need to see what's present in order to properly diagnose the problem(s) and recommend corrective actions. Thanks.

Please read these instructions carefully before executing and then perform the steps, in the order given. If you have any questions about, or problems with, executing these instructions, <STOP> do not proceed, post back with the question or problem.


Step 1.
Online Multi Antivirus file scan
Please go to either: Jotti or Virus Total and upload -only one file per scan- the following file(s) for scanning:

c:\program files\lu\lu.exe
c:\windows\system32\drivers\Asfalrt.sys
C:\Users\GT\Projects\community design\backup\CalTOXtemplate.XLS


Using Jotti
  1. Choose the appropriate language... once a language is selected, you'll see a message "Ready to receive files"
  2. Please copy and paste... the above full path and file name(s)...in the text box next to the Browse button.
  3. Click on Submit..button.
      If you receive the message: This file has been scanned before. The results for this previous scan are listed below.
      Please press the Scan again button, so your file will be scanned.
  4. The file will be uploaded and scanned by various antivirus scanners..this may take a few minutes.
  5. When all scans have completed... Highlight the results text from the Jotti's malware scan box.
  6. Copy the selected text... Open Notepad... Paste the contents into Notepad... Save the file to a convenient place.
  7. Please repeat this procedure for each file listed above.
  8. Paste the contents of all the Jotti scan results in your next reply.

Using Virus Total
  1. Please copy and paste... the above full path and file name(s)...in the text box next to the Browse button.
  2. Click on Send File...button.
  3. The file will be queued, uploaded and scanned by various antivirus scanners..this may take a few minutes.
      If you receive the message: File has already been analysed:
      Please press the Reanalyse file now button, so your file will be scanned.
  4. When the scan is completed...press the "Compact" icon
  5. The results will be shown in a grid like window... right-click on the text, choose Select All, then Copy the entire contents.
  6. Open Notepad...Paste the result contents into the Notepad window...Save this file to a convenient place.
  7. Please repeat this procedure for each file listed above.
  8. Paste the contents of all the Virus Total results in your next reply.

Step 2.
Please include in your next reply:
  1. Any problem executing the instructions?
  2. Jotti or Virus Total scan results of 3 files
  3. How is the computer behaving, still problems?
Thanks,
Wingman
Wingman
Admin/Teacher
 
Posts: 14347
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: IE 8 and firefox keep opening pop-ups

Unread postby mingxu16 » October 29th, 2009, 5:53 pm

Thank you very much. I used Virus Total.

My McAfee just keeps reporting a virus: Vundo.gen.w Trojan


lu.exe is actually software provided by my employer to find contact information of fellow employees.

Here is the result of lu.exe:


File lu.exe received on 2009.10.29 21:46:31 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.29 -
AhnLab-V3 5.0.0.2 2009.10.29 -
AntiVir 7.9.1.50 2009.10.29 -
Antiy-AVL 2.0.3.7 2009.10.27 Flooder/Win32.UDP.gen
Authentium 5.1.2.4 2009.10.29 -
Avast 4.8.1351.0 2009.10.29 -
BitDefender 7.2 2009.10.29 -
CAT-QuickHeal 10.00 2009.10.29 -
ClamAV 0.94.1 2009.10.29 -
Comodo 2772 2009.10.29 -
DrWeb 5.0.0.12182 2009.10.29 -
eSafe 7.0.17.0 2009.10.29 Suspicious File
eTrust-Vet 35.1.7092 2009.10.29 -
F-Prot 4.5.1.85 2009.10.29 -
Fortinet 3.120.0.0 2009.10.29 -
GData 19 2009.10.29 -
Ikarus T3.1.1.72.0 2009.10.29 -
Jiangmin 11.0.800 2009.10.29 -
K7AntiVirus 7.10.883 2009.10.29 -
Kaspersky 7.0.0.125 2009.10.29 -
McAfee 5786 2009.10.29 -
McAfee+Artemis 5786 2009.10.29 -
McAfee-GW-Edition 6.8.5 2009.10.29 -
Microsoft 1.5202 2009.10.29 -
NOD32 4556 2009.10.29 -
Norman 6.03.02 2009.10.29 -
nProtect 2009.1.8.0 2009.10.29 -
PCTools 4.4.2.0 2009.10.19 -
Prevx 3.0 2009.10.29 -
Rising 21.53.34.00 2009.10.29 -
Sophos 4.47.0 2009.10.29 -
Sunbelt 3.2.1858.2 2009.10.29 -
Symantec 1.4.4.12 2009.10.29 -
TheHacker 6.5.0.2.056 2009.10.28 -
TrendMicro 8.950.0.1094 2009.10.29 -
VBA32 3.12.10.11 2009.10.29 -
VirusBuster 4.6.5.0 2009.10.29 -

Additional information
File size: 1607349 bytes
MD5...: 720c359c94107710503c4b2cfdb12f1c
SHA1..: 4cb245f257099ab30cb92faf2c1cae202a4ade3a
SHA256: 73060e0f7ca3cb54dc04c45324f92f0a942c2d22f4953fa0c01f05384ddb44b3
ssdeep: 24576:uWu54Pga1HqBfGQbiOXt2GW85SXgDlwzoeK0VGPxsoBQGAjuKabE7m8Dc:un54xoBznXt2GWEDlwzofJ666uKyE7m
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x67b0
timedatestamp.....: 0x3bb8b21c (Mon Oct 01 18:12:44 2001)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x5000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x6000 0x1000 0xa00 7.20 0c31bfc035db47ab2619519a1fa439ea
.rsrc 0x7000 0x1000 0xa00 3.09 94abe0c18c32569d61d9852957488ed6

( 2 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, ExitProcess
> MSVCRT.dll: atol

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
packers (Kaspersky): UPX, UPX
sigcheck:
publisher....: IndigoSTAR Software
copyright....: Copyright 1987-2000, Larry Wall, Binary build by IndigoSTAR Software., http://www.indigostar.com
product......: IndigoPerl
description..: Perl Command Line Interpreter
original name: Perl.exe
internal name: Perl.exe
file version.: 5,6,1,626
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
packers (Antiy-AVL): UPX 0.89.6 - 1.02 / 1.05 - 1.22
packers (F-Prot): UPX
Last edited by mingxu16 on October 29th, 2009, 6:07 pm, edited 1 time in total.
mingxu16
Regular Member
 
Posts: 30
Joined: October 13th, 2009, 7:25 pm

Re: IE 8 and firefox keep opening pop-ups

Unread postby mingxu16 » October 29th, 2009, 6:00 pm

Asfalrt.sys


File Asfalrt.sys received on 2009.10.29 21:55:03 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.29 -
AhnLab-V3 5.0.0.2 2009.10.29 -
AntiVir 7.9.1.50 2009.10.29 -
Antiy-AVL 2.0.3.7 2009.10.27 -
Authentium 5.1.2.4 2009.10.29 -
Avast 4.8.1351.0 2009.10.29 -
AVG 8.5.0.423 2009.10.29 -
BitDefender 7.2 2009.10.29 -
CAT-QuickHeal 10.00 2009.10.29 -
ClamAV 0.94.1 2009.10.29 -
Comodo 2772 2009.10.29 -
DrWeb 5.0.0.12182 2009.10.29 -
eSafe 7.0.17.0 2009.10.29 -
eTrust-Vet 35.1.7092 2009.10.29 -
F-Prot 4.5.1.85 2009.10.29 -
Fortinet 3.120.0.0 2009.10.29 -
GData 19 2009.10.29 -
Ikarus T3.1.1.72.0 2009.10.29 -
Jiangmin 11.0.800 2009.10.29 -
K7AntiVirus 7.10.883 2009.10.29 -
Kaspersky 7.0.0.125 2009.10.29 -
McAfee 5786 2009.10.29 -
McAfee+Artemis 5786 2009.10.29 -
McAfee-GW-Edition 6.8.5 2009.10.29 -
Microsoft 1.5202 2009.10.29 -
NOD32 4556 2009.10.29 -
Norman 6.03.02 2009.10.29 -
nProtect 2009.1.8.0 2009.10.29 -
Panda 10.0.2.2 2009.10.29 -
PCTools 4.4.2.0 2009.10.19 -
Prevx 3.0 2009.10.29 -
Rising 21.53.34.00 2009.10.29 -
Sophos 4.47.0 2009.10.29 -
Sunbelt 3.2.1858.2 2009.10.29 -
Symantec 1.4.4.12 2009.10.29 -
TheHacker 6.5.0.2.056 2009.10.28 -
TrendMicro 8.950.0.1094 2009.10.29 -
VBA32 3.12.10.11 2009.10.29 -
ViRobot 2009.10.29.2011 2009.10.29 -
VirusBuster 4.6.5.0 2009.10.29 -

Additional information
File size: 42832 bytes
MD5...: acee9813685f4a03ee5a160057dd61a8
SHA1..: f1dfe481409eae1e683bd0ce0e26d239d0a1c2dc
SHA256: 20ca1a6aa0bae7b5a3871026c59711d5eea79dd764a59a31425654a8b1c62373
ssdeep: 768:ax6/HJX2Q4BVGTBPCJv1iOrlX2Z8UH+pGcDOvNL3emjbR:ax6vJX2Q49JvrrlGyUH+pGcDOvNRfR
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xc000
timedatestamp.....: 0x46276045 (Thu Apr 19 12:27:49 2007)
machinetype.......: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
init 0x1000 0x497 0x600 4.86 e0248f75fb357dd6529fe937c71a42b6
page 0x2000 0x6254 0x6400 6.60 f30abfce476df4e1044c60774ad0f376
.text 0x9000 0x308 0x400 4.84 2e46fd6bc1eec683d795ac3bf5fba636
.rdata 0xa000 0x21d 0x400 4.02 f7125c0fee385b7539ea71b6a807d03d
.data 0xb000 0x488 0x400 0.70 a5f91fb942ed015ea5ff8763a57de2ea
INIT 0xc000 0x4cc 0x600 4.72 c5ae9bb95274481be2eb0df523c7642b
.rsrc 0xd000 0x478 0x600 2.59 bf577a0eae69834691d86f988a006207
.reloc 0xe000 0x404 0x600 4.44 40e8bb4c076deca4db8c35b6efff5130

( 2 imports )
> ntoskrnl.exe: KeInitializeMutex, IoDeleteDevice, IoDeleteSymbolicLink, IoCreateSymbolicLink, ObfDereferenceObject, ObReferenceObjectByPointer, IoGetDeviceObjectPointer, IoCreateDevice, RtlAppendUnicodeStringToString, RtlIntegerToUnicodeString, IofCompleteRequest, DbgPrint, KeReleaseMutex, KeWaitForSingleObject, PsTerminateSystemThread, RtlWriteRegistryValue, KeSetPriorityThread, KeGetCurrentThread, KeSetEvent, ZwClose, RtlCopyUnicodeString, PsCreateSystemThread, KeCancelTimer, KeClearEvent, KeSetTimerEx, KeInitializeTimerEx, KeInitializeDpc, KeInitializeEvent, IofCallDriver, IoBuildDeviceIoControlRequest, MmUnmapIoSpace, MmMapIoSpace, ExFreePoolWithTag, ExAllocatePoolWithTag, ZwQueryValueKey, ZwOpenKey, KeTickCount, KeBugCheckEx, RtlAppendUnicodeToString, ObReferenceObjectByHandle, RtlQueryRegistryValues
> HAL.dll: HalGetBusDataByOffset, HalSetBusDataByOffset

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
sigcheck:
publisher....: Intel Corporation
copyright....: Copyright (c) 1997-2000 Intel Corporation
product......: Intel Alert on LAN_ 2
description..: Asfalrt Driver
original name: Asfalrt.sys
internal name: Asfalrt
file version.: 
comments.....: n/a
signers......: Intel Corporation
VeriSign Class 3 Code Signing 2004 CA
Class 3 Public Primary Certification Authority
signing date.: 1:28 PM 4/19/2007
verified.....: -
trid..: Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
mingxu16
Regular Member
 
Posts: 30
Joined: October 13th, 2009, 7:25 pm

Re: IE 8 and firefox keep opening pop-ups

Unread postby mingxu16 » October 29th, 2009, 6:05 pm

CalTOXtemplate.XLS


File CalTOXtemplate.XLS received on 2009.10.29 22:02:23 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.29 -
AhnLab-V3 5.0.0.2 2009.10.29 -
AntiVir 7.9.1.50 2009.10.29 -
Antiy-AVL 2.0.3.7 2009.10.27 -
Authentium 5.1.2.4 2009.10.29 -
Avast 4.8.1351.0 2009.10.29 -
AVG 8.5.0.423 2009.10.29 -
BitDefender 7.2 2009.10.29 -
CAT-QuickHeal 10.00 2009.10.29 -
ClamAV 0.94.1 2009.10.29 -
Comodo 2772 2009.10.29 -
DrWeb 5.0.0.12182 2009.10.29 -
eSafe 7.0.17.0 2009.10.29 -
eTrust-Vet 35.1.7092 2009.10.29 -
F-Prot 4.5.1.85 2009.10.29 -
F-Secure 9.0.15370.0 2009.10.27 -
Fortinet 3.120.0.0 2009.10.29 -
GData 19 2009.10.29 -
Ikarus T3.1.1.72.0 2009.10.29 -
Jiangmin 11.0.800 2009.10.29 -
K7AntiVirus 7.10.883 2009.10.29 -
Kaspersky 7.0.0.125 2009.10.29 -
McAfee 5786 2009.10.29 -
McAfee+Artemis 5786 2009.10.29 -
McAfee-GW-Edition 6.8.5 2009.10.29 -
Microsoft 1.5202 2009.10.29 -
NOD32 4556 2009.10.29 probably unknown MACRO
Norman 6.03.02 2009.10.29 -
nProtect 2009.1.8.0 2009.10.29 -
Panda 10.0.2.2 2009.10.29 -
PCTools 4.4.2.0 2009.10.19 -
Prevx 3.0 2009.10.29 -
Rising 21.53.34.00 2009.10.29 -
Sophos 4.47.0 2009.10.29 -
Sunbelt 3.2.1858.2 2009.10.29 -
Symantec 1.4.4.12 2009.10.29 -
TheHacker 6.5.0.2.056 2009.10.28 -
TrendMicro 8.950.0.1094 2009.10.29 -
VBA32 3.12.10.11 2009.10.29 -
ViRobot 2009.10.29.2011 2009.10.29 -
VirusBuster 4.6.5.0 2009.10.29 -

Additional information
File size: 1534976 bytes
MD5...: 7508a053fb5c69e0530e3efc4c8ba264
SHA1..: 217c43358bb5bb5a67f9e57283ee24107442e9d4
SHA256: 018eab11cb1435f11902b8286dc222c6d252db015a4756f0dbcc5f577c1f3c75
ssdeep: 24576:Uo3clJVLN/1r43ayWIPI4dAzyO0Gt1y3pX+Vnj6p:pA7

PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: iGrafx FlowCharter document (34.8%)
Microsoft Excel sheet (31.2%)
Microsoft Excel sheet (alternate) (25.5%)
Generic OLE2 / Multistream Compound File (8.3%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
mingxu16
Regular Member
 
Posts: 30
Joined: October 13th, 2009, 7:25 pm

Re: IE 8 and firefox keep opening pop-ups

Unread postby Wingman » October 30th, 2009, 7:23 am

Hello mingxu,
Thanks for getting the file scans done... Looking at the results, anything flagged on these files appears to be a "false positive", meaning there is nothing really wrong with the file and it's safe to continue using it. :)

You mentioned "your employer" regarding the LU software... Please be advised, I asked you at the beginning if this computer was used for business or corporate matters and, in good conscience, I feel I must let you know:
Business or Corporate Computer
An extract taken from Malware Removal's rules:
If you ask for help and unknown to us, it involves a business computer, you need to understand that any damages resulting from our advice are YOUR RESPONSIBILITY.
If this machine is indeed used for some business activity... if you have an IT department, make them aware of the problems you are having. If your computer is infected (possibly others as well), your IT department needs to be aware of this, so they can devise a plan to minimize any business impact.

Can you please tell me when the McAfee software indicates the presence of the infection:
At system Startup?
While performing a certain function or using a particular program?
Is there a file associated with this virus message?

Please do not run any "fix" programs and/or remove any files unless instructed to do so, by me. I need to see what's present in order to properly diagnose the problem(s) and recommend corrective actions.
Please read these instructions carefully before executing, and then perform the steps in the order given. If you have any questions about, or problems with, executing these instructions, <STOP> do not proceed; post back with the question or problem.


Step 1.
McAfee Virus Scan
  1. Please initiate a full system scan with your McAfee anti-virus software.
  2. Copy and paste the results of the scan in your next post.
If you cannot copy/paste the scan results, please take note of any files flagged and any messages provided, and report them back to me in your reply.

Step 2.
Please include in your next reply:
  1. Any problem executing the instructions?
  2. Answers to my McAfee questions.
  3. McAfee system scan results.
  4. How is the computer behaving, still problems?
Thanks,
Wingman
Wingman
Admin/Teacher
 
Posts: 14347
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: IE 8 and firefox keep opening pop-ups

Unread postby Wingman » November 1st, 2009, 11:20 am

3 Day Response
Hello...
It has been 2 days since my last post to you.
  • Do you still need help with this problem?
  • Do you need more time?
  • Are you having problems understanding or following my instructions?
Just let me know what's going on otherwise...
After 24 hrs., if you have not replied to this thread... it will be closed!
Wingman
Admin/Teacher
 
Posts: 14347
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: IE 8 and firefox keep opening pop-ups

Unread postby Carolyn » November 3rd, 2009, 9:08 pm

Due to a lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
Carolyn
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine