
Popups

Discussion in 'Malware and Virus Removal Archive' started by roger184, 2007/07/14.

  1. 2007/07/14
    roger184

    roger184 Inactive Thread Starter

    Joined:
    2007/07/14
    Messages:
    2
    Likes Received:
    0
    Hello, I've been experiencing a large number of popups as of this past week. I have also been having a problem with a program called "Outerinfo" that creates popunders that aren't IE windows.

    Any help is much appreciated.

    Logfile of HijackThis v1.99.1
    Scan saved at 8:42:11 PM, on 7/14/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Tom's Stuff\iTunes\iTunesHelper.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adams.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Adams NetWorks
    R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\tbu4\toolbaru.dll
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Program Files\ICQToolbar\tbu4\toolbaru.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xhelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\tbu4\toolbaru.dll
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [itunesff] C:\WINDOWS\SYSTEM32\itunesff.exe -go -c6 -w
    O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Tom's Stuff\iTunes\iTunesHelper.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{95AECDA9-DC28-4E5D-A62B-0E8AF2368182}: NameServer = 216.138.0.4 216.138.0.11
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
     
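As an added triage example (not code from the thread, from HijackThis, or from the helper), the script below parses lines in the HijackThis 1.99.1 format posted above and pulls out the entry types a helper reads first: BHOs or toolbars loaded from the Windows directory rather than a vendor folder, Run entries whose executable sits in the Windows directory without being a known Windows binary (the allowlist is an assumption), stale entries marked "(file missing)", and the O17 DNS servers to verify with the ISP. The sample lines are constructed from entries in the first log.

```python
import re
from typing import NamedTuple
from pathlib import PureWindowsPath

# Constructed sample in the HijackThis 1.99.1 line format, mirroring entries from the log above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adams.net/
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xhelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [itunesff] C:\WINDOWS\SYSTEM32\itunesff.exe -go -c6 -w
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{95AECDA9-DC28-4E5D-A62B-0E8AF2368182}: NameServer = 216.138.0.4 216.138.0.11
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.+)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\Run(?:Once)?: \[[^\]]*\] (?P<cmd>.+)$")
# Directories where a BHO, toolbar or Run entry deserves a second look.
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}
# Assumption: a minimal allowlist of Windows binaries that legitimately run from those directories.
KNOWN_SYSTEM_EXES = {"rundll32.exe", "ctfmon.exe", "userinit.exe"}


class Finding(NamedTuple):
    section: str   # HijackThis section code, e.g. O2
    severity: str  # "review", "low" or "verify"
    reason: str
    item: str      # path or value the finding is about


def parse_entries(text):
    """Split a log into (section, body) pairs; header and process lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def module_path(body):
    """O2/O3/O9 bodies end in ' - <path>' optionally followed by ' (file missing)'."""
    tail = body.rsplit(" - ", 1)[-1]
    missing = tail.endswith("(file missing)")
    return PureWindowsPath(tail.replace("(file missing)", "").strip()), missing


def command_image(cmd):
    """Executable of a Run command: the quoted path, or everything before the first space."""
    if cmd.startswith('"'):
        return PureWindowsPath(cmd[1:cmd.index('"', 1)])
    return PureWindowsPath(cmd.split(" ", 1)[0])


def in_windows_dir(path):
    return str(path.parent).lower() in WINDOWS_DIRS


def triage(text):
    """Return the entries a helper would look at first, in log order."""
    findings = []
    for sec, body in parse_entries(text):
        if sec in ("O2", "O3", "O9"):
            path, missing = module_path(body)
            if missing:
                findings.append(Finding(sec, "low", "stale entry, file missing", str(path)))
            elif sec != "O9" and in_windows_dir(path) and path.suffix.lower() in (".dll", ".ocx"):
                findings.append(Finding(sec, "review", "BHO/toolbar loaded from the Windows directory, not a vendor folder", str(path)))
        elif sec == "O4":
            m = O4_RE.match(body)
            if m:
                image = command_image(m.group("cmd"))
                if in_windows_dir(image) and image.name.lower() not in KNOWN_SYSTEM_EXES:
                    findings.append(Finding(sec, "review", "autorun of an unrecognised executable in the Windows directory", str(image)))
        elif sec == "O17":
            m = re.search(r"NameServer = (.+)$", body)
            if m:
                findings.append(Finding(sec, "verify", "DNS servers; confirm they belong to the ISP", m.group(1).strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.severity:<8}{f.item}  ({f.reason})")
```

The heuristics only rank entries for a human to check; a vendor-folder path is no proof of legitimacy, and a Windows-directory path is no proof of infection.
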
  2. 2007/07/15
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi roger184
    Welcome to Windowsbbs

    Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

    Outerinfo

    Please note any other programs that you don't recognize in that list and post them in your next response

    Next do this.

    Download ComboFix from Here or Here to your Desktop.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall

    Please post the ComboFix log and a new HJT log.

    Thanks
    Geri
     
    Geri,
    #2


  4. 2007/07/15
    roger184

    roger184 Inactive Thread Starter

    Joined:
    2007/07/14
    Messages:
    2
    Likes Received:
    0
    I don't see Outerinfo in the Add/Remove programs list, but there are some others that I don't recognize:

    Spy-Sheriff
    Viewpoint Media Player (Remove Only)
    Modem Helper


    Combofix Log:

    "dell" - 2007-07-15 12:43:44 - ComboFix 07-07-13.8 - Service Pack 2 NTFS


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\DOCUME~1\dell\APPLIC~1.\wnsxs~1
    C:\DOCUME~1\dell\MYDOCU~1.\asks~1
    C:\DOCUME~1\dell\MYDOCU~1.\ppatch~1
    C:\Program Files\Common Files\pppatc~1
    C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
    C:\Program Files\inetget2
    C:\Program Files\inetget2\install.exe
    C:\Program Files\poolsv
    C:\Program Files\racle~1
    C:\Program Files\sks~1
    C:\temp\tn3
    C:\WINDOWS\b122.exe
    C:\WINDOWS\b136.exe
    C:\WINDOWS\poolsv.exe
    C:\WINDOWS\retadpu11.exe
    C:\WINDOWS\retadpu72.exe
    C:\WINDOWS\system32\drivers\core.cache.dsk
    C:\WINDOWS\system32\drivers\core.sys
    C:\WINDOWS\system32\pcs
    C:\WINDOWS\system32\sdr.exe
    C:\WINDOWS\system32\t.exe
    C:\WINDOWS\system32\test.exe
    C:\WINDOWS\uninstall_nmon.vbs
    C:\WINDOWS\xmlhelper2.dll


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_CMDSERVICE
    -------\LEGACY_CORE
    -------\LEGACY_NETWORK_MONITOR
    -------\cmdService
    -------\core


    ((((((((((((((((((((((((( Files Created from 2007-06-15 to 2007-07-15 )))))))))))))))))))))))))))))))


    2007-07-15 12:43 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-07-14 20:09 7,291 --a------ C:\sysybgv.exe
    2007-07-14 18:18 7,291 --a------ C:\sysoyaa.exe
    2007-07-14 18:12 7,291 --a------ C:\syszppg.exe
    2007-07-14 15:58 7,291 --a------ C:\syspmey.exe
    2007-07-14 15:47 7,291 --a------ C:\sysxldo.exe
    2007-07-14 07:18 <DIR> d-------- C:\Program Files\ISM
    2007-07-13 15:11 15,950 --a------ C:\WINDOWS\SYSTEM32\winmds.exe
    2007-07-08 19:42 6,743 --a------ C:\syspglf.exe
    2007-07-05 10:39 22,592 --a------ C:\WINDOWS\SYSTEM32\05iL28s6.exe
    2007-07-03 14:46 126,976 --a------ C:\WINDOWS\xhelper.dll
    2007-07-03 12:29 <DIR> d--hs---- C:\WINDOWS\ZGVsbA
    2007-07-03 12:29 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
    2007-06-29 14:59 122,880 --a------ C:\WINDOWS\xmlhelper4.dll
    2007-06-25 19:27 <DIR> d-------- C:\Tonya's Pictures


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-07-04 19:25:51 2,222 ----a-w C:\WINDOWS\system32\tmp.reg
    2007-06-22 16:45:04 -------- d-----w C:\Program Files\America Online 8.0
    2007-06-06 20:05:37 -------- d-----w C:\Program Files\3DO
    2007-06-01 02:44:07 587 ----a-w C:\WINDOWS\EReg077.dat
    2007-04-17 03:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-17 03:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-17 03:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
    2004-10-11 16:18:24 457 ----a-w C:\Program Files\INSTALL.LOG
    2004-09-01 21:42:43 4,096 ----a-w C:\Program Files\pl.exe
    2004-07-30 16:21:52 25,456 ----a-w C:\Program Files\adupdmanager.xml
    2004-01-27 19:23:24 3,149 ----a-w C:\Program Files\Common Files\remove_tools.html
    2005-07-29 21:24:26 472 --sha-r C:\WINDOWS\ZGVsbA\t3pPvE.vbs


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{055FD26D-3A88-4e15-963D-DC8493744B1D}]
    2006-10-10 12:18 701952 --a------ C:\Program Files\ICQToolbar\tbu4\toolbaru.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    2001-04-16 17:39 37808 --------- C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}]
    2007-07-03 14:57 126976 --a------ C:\WINDOWS\xhelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
    2002-11-15 00:09 112248 --a------ C:\Program Files\Norton AntiVirus\NavShExt.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DwlClient "= "C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2006-11-02 21:09]
    "ICQ Lite "= "C:\Program Files\ICQLite\ICQLite.exe" [2006-07-11 05:06]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
    "iTunesHelper "= "C:\Tom's Stuff\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
    "ICQ Lite "=C:\Program Files\ICQLite\ICQLite.exe -trayboot

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^dell^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
    path=C:\Documents and Settings\dell\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
    backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
    BCMSMMSG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
    "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
    "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
    C:\WINDOWS\system32\dla\tfswctrl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo 820 Series]
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O5 "LPT1:" /M "Stylus Photo 820 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
    C:\Program Files\ICQLite\ICQLite.exe -minimize

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /install

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sais]
    c:\program files\180solutions\sais.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Setting]
    sysweb.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
    "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Win32 Explorer]
    C:\WINDOWS\System32\explorer32.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Win32SystemMonitor]
    C:\WINDOWS\Okk.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows AdControl]
    C:\Program Files\Windows AdControl\WinAdCtl.exe


    Contents of the 'Scheduled Tasks' folder
    2006-12-01 01:09:47 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    2007-07-05 15:39:06 C:\WINDOWS\tasks\At1.job
    2007-07-09 14:01:15 C:\WINDOWS\tasks\At10.job
    2007-07-13 20:11:22 C:\WINDOWS\tasks\At100.job
    2007-07-13 20:11:22 C:\WINDOWS\tasks\At101.job
    2007-07-13 20:11:22 C:\WINDOWS\tasks\At102.job
    2007-07-13 20:11:22 C:\WINDOWS\tasks\At103.job
    2007-07-14 17:54:14 C:\WINDOWS\tasks\At104.job
    2007-07-13 20:11:22 C:\WINDOWS\tasks\At105.job
    2007-07-13 20:11:22 C:\WINDOWS\tasks\At106.job
    2007-07-13 20:11:22 C:\WINDOWS\tasks\At107.job
    2007-07-13 20:11:22 C:\WINDOWS\tasks\At108.job
    2007-07-13 20:11:22 C:\WINDOWS\tasks\At109.job
    2007-07-12 15:01:21 C:\WINDOWS\tasks\At11.job
    2007-07-14 18:06:38 C:\WINDOWS\tasks\At110.job
    2007-07-14 19:21:58 C:\WINDOWS\tasks\At111.job
    2007-07-14 20:39:14 C:\WINDOWS\tasks\At112.job
    2007-07-14 23:19:04 C:\WINDOWS\tasks\At113.job
    2007-07-14 23:18:59 C:\WINDOWS\tasks\At114.job
    2007-07-14 23:18:54 C:\WINDOWS\tasks\At115.job
    2007-07-15 01:06:41 C:\WINDOWS\tasks\At116.job
    2007-07-15 01:06:45 C:\WINDOWS\tasks\At117.job
    2007-07-15 03:04:07 C:\WINDOWS\tasks\At118.job
    2007-07-15 03:03:55 C:\WINDOWS\tasks\At119.job
    2007-07-12 16:01:23 C:\WINDOWS\tasks\At12.job
    2007-07-13 20:11:22 C:\WINDOWS\tasks\At120.job
    2007-07-12 17:00:30 C:\WINDOWS\tasks\At13.job
    2007-07-14 18:01:23 C:\WINDOWS\tasks\At14.job
    2007-07-14 19:00:30 C:\WINDOWS\tasks\At15.job
    2007-07-14 20:00:30 C:\WINDOWS\tasks\At16.job
    2007-07-14 21:00:30 C:\WINDOWS\tasks\At17.job
    2007-07-14 22:00:30 C:\WINDOWS\tasks\At18.job
    2007-07-14 23:00:30 C:\WINDOWS\tasks\At19.job
    2007-07-05 15:39:06 C:\WINDOWS\tasks\At2.job
    2007-07-15 00:00:30 C:\WINDOWS\tasks\At20.job
    2007-07-15 01:00:30 C:\WINDOWS\tasks\At21.job
    2007-07-15 02:00:30 C:\WINDOWS\tasks\At22.job
    2007-07-15 03:00:30 C:\WINDOWS\tasks\At23.job
    2007-07-05 15:39:06 C:\WINDOWS\tasks\At24.job
    2007-07-05 15:49:43 C:\WINDOWS\tasks\At25.job
    2007-07-05 15:49:43 C:\WINDOWS\tasks\At26.job
    2007-07-05 15:49:43 C:\WINDOWS\tasks\At27.job
    2007-07-05 15:49:43 C:\WINDOWS\tasks\At28.job
    2007-07-05 15:49:43 C:\WINDOWS\tasks\At29.job
    2007-07-05 15:39:06 C:\WINDOWS\tasks\At3.job
    2007-07-05 15:49:43 C:\WINDOWS\tasks\At30.job
    2007-07-05 15:49:43 C:\WINDOWS\tasks\At31.job
    2007-07-14 17:54:14 C:\WINDOWS\tasks\At32.job
    2007-07-09 00:13:07 C:\WINDOWS\tasks\At33.job
    2007-07-09 18:31:14 C:\WINDOWS\tasks\At34.job
    2007-07-12 15:30:15 C:\WINDOWS\tasks\At35.job
    2007-07-12 18:16:15 C:\WINDOWS\tasks\At36.job
    2007-07-12 18:16:02 C:\WINDOWS\tasks\At37.job
    2007-07-14 18:06:35 C:\WINDOWS\tasks\At38.job
    2007-07-14 19:22:00 C:\WINDOWS\tasks\At39.job
    2007-07-05 15:39:06 C:\WINDOWS\tasks\At4.job
    2007-07-14 20:39:12 C:\WINDOWS\tasks\At40.job
    2007-07-14 23:19:11 C:\WINDOWS\tasks\At41.job
    2007-07-14 23:19:17 C:\WINDOWS\tasks\At42.job
    2007-07-14 23:19:14 C:\WINDOWS\tasks\At43.job
    2007-07-15 01:06:58 C:\WINDOWS\tasks\At44.job
    2007-07-15 01:06:47 C:\WINDOWS\tasks\At45.job
    2007-07-15 03:03:57 C:\WINDOWS\tasks\At46.job
    2007-07-15 03:04:10 C:\WINDOWS\tasks\At47.job
    2007-07-05 15:49:43 C:\WINDOWS\tasks\At48.job
    2007-07-06 14:10:48 C:\WINDOWS\tasks\At49.job
    2007-07-05 15:39:06 C:\WINDOWS\tasks\At5.job
    2007-07-06 14:10:48 C:\WINDOWS\tasks\At50.job
    2007-07-06 14:10:48 C:\WINDOWS\tasks\At51.job
    2007-07-06 14:10:48 C:\WINDOWS\tasks\At52.job
    2007-07-06 14:10:48 C:\WINDOWS\tasks\At53.job
    2007-07-06 14:10:48 C:\WINDOWS\tasks\At54.job
    2007-07-06 14:10:48 C:\WINDOWS\tasks\At55.job
    2007-07-14 17:54:14 C:\WINDOWS\tasks\At56.job
    2007-07-09 00:13:07 C:\WINDOWS\tasks\At57.job
    2007-07-09 18:31:14 C:\WINDOWS\tasks\At58.job
    2007-07-12 15:30:12 C:\WINDOWS\tasks\At59.job
    2007-07-05 15:39:06 C:\WINDOWS\tasks\At6.job
    2007-07-12 18:16:17 C:\WINDOWS\tasks\At60.job
    2007-07-12 18:39:04 C:\WINDOWS\tasks\At61.job
    2007-07-14 18:06:40 C:\WINDOWS\tasks\At62.job
    2007-07-14 19:22:01 C:\WINDOWS\tasks\At63.job
    2007-07-14 20:39:19 C:\WINDOWS\tasks\At64.job
    2007-07-14 23:18:57 C:\WINDOWS\tasks\At65.job
    2007-07-14 23:19:00 C:\WINDOWS\tasks\At66.job
    2007-07-14 23:19:06 C:\WINDOWS\tasks\At67.job
    2007-07-15 01:06:43 C:\WINDOWS\tasks\At68.job
    2007-07-15 01:06:51 C:\WINDOWS\tasks\At69.job
    2007-07-05 15:39:06 C:\WINDOWS\tasks\At7.job
    2007-07-15 03:03:53 C:\WINDOWS\tasks\At70.job
    2007-07-15 03:04:02 C:\WINDOWS\tasks\At71.job
    2007-07-06 14:10:48 C:\WINDOWS\tasks\At72.job
    2007-07-12 15:41:06 C:\WINDOWS\tasks\At73.job
    2007-07-12 15:41:06 C:\WINDOWS\tasks\At74.job
    2007-07-12 15:41:06 C:\WINDOWS\tasks\At75.job
    2007-07-12 15:41:06 C:\WINDOWS\tasks\At76.job
    2007-07-12 15:41:06 C:\WINDOWS\tasks\At77.job
    2007-07-12 15:41:06 C:\WINDOWS\tasks\At78.job
    2007-07-12 15:41:06 C:\WINDOWS\tasks\At79.job
    2007-07-14 12:01:27 C:\WINDOWS\tasks\At8.job
    2007-07-14 17:54:14 C:\WINDOWS\tasks\At80.job
    2007-07-12 15:41:06 C:\WINDOWS\tasks\At81.job
    2007-07-12 15:41:06 C:\WINDOWS\tasks\At82.job
    2007-07-12 15:41:06 C:\WINDOWS\tasks\At83.job
    2007-07-12 18:16:21 C:\WINDOWS\tasks\At84.job
    2007-07-12 18:16:13 C:\WINDOWS\tasks\At85.job
    2007-07-14 18:06:34 C:\WINDOWS\tasks\At86.job
    2007-07-14 19:22:03 C:\WINDOWS\tasks\At87.job
    2007-07-14 20:39:17 C:\WINDOWS\tasks\At88.job
    2007-07-14 23:19:08 C:\WINDOWS\tasks\At89.job
    2007-07-08 13:01:17 C:\WINDOWS\tasks\At9.job
    2007-07-14 23:18:53 C:\WINDOWS\tasks\At90.job
    2007-07-14 23:19:02 C:\WINDOWS\tasks\At91.job
    2007-07-15 01:06:49 C:\WINDOWS\tasks\At92.job
    2007-07-15 01:06:54 C:\WINDOWS\tasks\At93.job
    2007-07-15 03:03:47 C:\WINDOWS\tasks\At94.job
    2007-07-15 03:03:51 C:\WINDOWS\tasks\At95.job
    2007-07-12 15:41:06 C:\WINDOWS\tasks\At96.job
    2007-07-13 20:11:22 C:\WINDOWS\tasks\At97.job
    2007-07-13 20:11:22 C:\WINDOWS\tasks\At98.job
    2007-07-13 20:11:22 C:\WINDOWS\tasks\At99.job
    2007-07-14 01:00:09 C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
    2004-01-14 03:03:34 C:\WINDOWS\tasks\Symantec NetDetect.job

    **************************************************************************

    catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-07-15 12:47:53
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    C:\WINDOWS\$_hpcst$.hpc:lreok 26624 bytes executable
    C:\WINDOWS\SETUPACT.LOG:nyczm 93184 bytes executable

    scan completed successfully
    hidden files: 2

    **************************************************************************

    Completion time: 2007-07-15 12:49:43 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-07-15 12:49

    --- E O F ---



    HJT Log:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:56:18 PM, on 7/15/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\ICQLite\ICQLite.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Tom's Stuff\iTunes\iTunesHelper.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\SYSTEM32\spider.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    c:\program files\internet explorer\iexplore.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adams.net/
    R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\tbu4\toolbaru.dll
    O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Program Files\ICQToolbar\tbu4\toolbaru.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xhelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\tbu4\toolbaru.dll
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Tom's Stuff\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
    O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{95AECDA9-DC28-4E5D-A62B-0E8AF2368182}: NameServer = 216.138.0.4 216.138.0.11
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
     
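As an added example (not code from the thread or from ComboFix), the script below parses the ComboFix "Files Created" section posted above and applies two checks a helper would make by eye: several files of identical byte size dropped into the same directory (the five 7,291-byte sys????.exe files in C:\), and directories created with both the hidden and system attributes, whose names are also tried as base64 since ZGVsbA happens to decode to printable text. The sample lines are constructed from entries in the log above.

```python
import base64
import binascii
import re
from collections import defaultdict
from pathlib import PureWindowsPath
from typing import NamedTuple, Optional

# Constructed sample in the ComboFix "Files Created" format, mirroring entries from the log above.
SAMPLE_CREATED = r"""
2007-07-15 12:43 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-14 20:09 7,291 --a------ C:\sysybgv.exe
2007-07-14 18:18 7,291 --a------ C:\sysoyaa.exe
2007-07-14 18:12 7,291 --a------ C:\syszppg.exe
2007-07-14 15:58 7,291 --a------ C:\syspmey.exe
2007-07-14 15:47 7,291 --a------ C:\sysxldo.exe
2007-07-14 07:18 <DIR> d-------- C:\Program Files\ISM
2007-07-13 15:11 15,950 --a------ C:\WINDOWS\SYSTEM32\winmds.exe
2007-07-08 19:42 6,743 --a------ C:\syspglf.exe
2007-07-05 10:39 22,592 --a------ C:\WINDOWS\SYSTEM32\05iL28s6.exe
2007-07-03 12:29 <DIR> d--hs---- C:\WINDOWS\ZGVsbA
"""

ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)


class Entry(NamedTuple):
    stamp: str
    size: Optional[int]   # None for directories
    attrs: str            # d/a/h/s/r flags as ComboFix prints them
    path: PureWindowsPath


def parse_created(text):
    """Parse 'date time size attrs path' lines; anything else is skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        size = None if m.group("size") == "<DIR>" else int(m.group("size").replace(",", ""))
        entries.append(Entry(f'{m.group("date")} {m.group("time")}', size, m.group("attrs"),
                             PureWindowsPath(m.group("path"))))
    return entries


def same_size_clusters(entries, min_count=3):
    """Files of identical byte size written to the same directory, keyed by (size, dir)."""
    groups = defaultdict(list)
    for e in entries:
        if e.size is not None:
            groups[(e.size, str(e.path.parent).lower())].append(str(e.path))
    return {k: v for k, v in groups.items() if len(v) >= min_count}


def hidden_system_dirs(entries):
    """Directories created with both the hidden and system attributes set."""
    return [str(e.path) for e in entries
            if e.attrs[0] == "d" and "h" in e.attrs and "s" in e.attrs]


def decode_if_base64(name):
    """Decoded text if `name` is unpadded base64 of printable ASCII, else None."""
    if not re.fullmatch(r"[A-Za-z0-9+/]{4,}", name):
        return None
    try:
        raw = base64.b64decode(name + "=" * (-len(name) % 4), validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text and text.isprintable() else None


if __name__ == "__main__":
    found = parse_created(SAMPLE_CREATED)
    for (size, folder), paths in same_size_clusters(found).items():
        print(f"{len(paths)} files of {size} bytes in {folder}: {', '.join(paths)}")
    for d in hidden_system_dirs(found):
        decoded = decode_if_base64(PureWindowsPath(d).name)
        print(f"hidden+system dir {d}" + (f" (name decodes to {decoded!r})" if decoded else ""))
```
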
  5. 2007/07/15
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi roger184

    Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

    Spy-Sheriff

    Please download SmitfraudFix (by S!Ri) to your Desktop.

    Double-click SmitfraudFix.exe
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    **If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


    Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm


    Now Please do this.

    Please follow these instructions exactly as given.


    Now download AVG Anti-Spyware from HERE and save that file to your desktop.
    This is a 30 day trial of the program
    1. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
    2. Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
    3. On the main screen select the icon "Update" then select the "Update now" link.
      • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    4. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    6. Under "Reports"
      • Select "Automatically generate report after every scan"
      • Un-Select "Only if threats were found"
    Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.
    1. Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
      IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
    2. Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
    3. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    4. AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
      Once the scan is complete do the following:
    5. If you have any infections you will be prompted, then select "Apply all actions"
    6. Next select the "Reports" icon at the top.
    7. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    8. Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.

    Please post the SmitfraudFix log, AVG log, and please run ComboFix again and post a new Combofix log.

    Thanks
    Geri
     
    Geri,
    #4
