
CiD ads

Discussion in 'Malware and Virus Removal Archive' started by BrynTheSkits, 2008/04/30.

  1. 2008/04/30
    BrynTheSkits

    BrynTheSkits Inactive Thread Starter

    Joined:
    2006/11/01
    Messages:
    46
    Likes Received:
    0
    I keep getting constant popups from CID ads, it's really annoying.

    And can someone recommend free anti-virus software while I try and get a copy of Norton?

    btw here's my Hijack This log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:22:36 a.m., on 1/05/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\taskswitch.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
    C:\WINDOWS\system32\WISPTIS.EXE
    C:\Program Files\Opera\Opera.exe
    C:\Program Files\Winamp\winamp.exe
    C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
    C:\hijack\HiJackThis.exe

    O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
    O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe "
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe "
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
    O4 - HKLM\..\Run: [Second bat creative peak] C:\Documents and Settings\All Users\Application Data\Axis Readme Second Bat\real long.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Steam] "c:\games\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Meow roam] C:\DOCUME~1\OEM\APPLIC~1\HEARTT~1\five blah balm.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [PhanTim30] "C:\Program Files\PhanTim3\PhanTim3.exe" 0
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
    O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1192660560218
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 5575 bytes
     
  2. 2008/04/30
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You have a LOP infection. Did you install Messenger Plus 3? Its sponsor is a known distributor of the LOP infection. If you did, uninstall it via Add/Remove programs. If you still want to use Messenger Plus 3, re-install it and be sure to choose NOT to install the sponsor program. I personally don't feel it's right to use an app sponsored by distributors of malware, so therefore I don't recommend keeping it. Now, let's get rid of LOP.

    Download NoLop by Skate_Punk_21 from here and save it to your desktop.

    First close any other programs you have running, as it may require a reboot.

    • Double click NoLop.exe to run it
    • Now click the button labelled "Search and Destroy"
    • Your computer will now be scanned for infected files
    • When scanning is finished you will be prompted to reboot only if infected, click OK
    • Now click the "REBOOT" Button.
    • A Message should popup from NoLop. If not, double click the program again and it will finish
    • Please post the contents of C:\NoLop.log (opens in notepad)


    Next, download Deckard's System Scanner (dss.exe) and save it to your desktop.
    • Close all applications and windows.
    • Double click on dss.exe to run it and follow the prompts.
    • When the scan is complete, two text files will open; main.txt, which will be maximized and extra.txt, which will be minimized.
    Post the contents of main.txt only for now.
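    As an added example (not part of the thread, and not NoLop or HijackThis code), the Python script below encodes the read noahdfear gives of the first log: the LOP Run entries are the O4 lines whose value name and executable are strings of random English words launched from under Application Data, and the orphaned BHO is the O2 line ending in "(no file)". The sample lines are copied from the log posted above; the word heuristic, the Application Data gate and the function names are assumptions, and the rules generalise to other O4 entries rather than matching those two by name.

```python
"""Triage helper for HijackThis O2/O4 lines.

Added example; not part of the thread and not HijackThis code. Flags the
pattern noahdfear identifies as LOP (random-word Run entries under
Application Data) and orphaned BHOs. Heuristic: matches are leads for a
human to review, not verdicts.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted in the thread.
SAMPLE_HJT_LINES = [
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe",
    r"O4 - HKLM\..\Run: [Second bat creative peak] C:\Documents and Settings\All Users\Application Data\Axis Readme Second Bat\real long.exe",
    r'O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background',
    r"O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe",
    r"O4 - HKCU\..\Run: [Meow roam] C:\DOCUME~1\OEM\APPLIC~1\HEARTT~1\five blah balm.exe",
]

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Long and 8.3 short forms of the per-user / All Users Application Data folder (assumed gate).
APPDATA_RE = re.compile(r"\\(application data|applic~1)\\", re.I)


@dataclass
class Finding:
    category: str   # "lop-run" or "orphan-bho"
    name: str       # Run value name or BHO CLSID
    line: str


def target_path(cmd):
    """Extract the executable path from an O4 command, quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]).strip()
    m = re.match(r"(?P<p>.*?\.exe)", cmd, re.I)
    return m.group("p") if m else cmd


def looks_like_random_words(s):
    """Two or more alphabetic words, no digits, each lowercase or Capitalised.

    Vendor names such as "IgfxTray" or "HP Software Update" fail this test;
    LOP names such as "Second bat creative peak" or "real long" pass it.
    """
    words = re.findall(r"[A-Za-z]+", s)
    return (len(words) >= 2 and not re.search(r"\d", s)
            and all(w.islower() or w.istitle() for w in words))


def basename_no_ext(path):
    name = re.split(r"[\\/]", path)[-1]
    return re.sub(r"\.[A-Za-z0-9]+$", "", name)


def triage(lines):
    """Return Findings for orphaned BHOs and LOP-style Run entries."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = O2_RE.match(line)
        if m and m.group("path").strip().lower() == "(no file)":
            findings.append(Finding("orphan-bho", m.group("clsid"), line))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        path = target_path(m.group("cmd"))
        random_name = looks_like_random_words(m.group("name"))
        random_exe = looks_like_random_words(basename_no_ext(path))
        if APPDATA_RE.search(path) and (random_name or random_exe):
            findings.append(Finding("lop-run", m.group("name"), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LINES):
        print(f"[{f.category}] {f.name}: {f.line}")
```

    The Application Data gate matters: plenty of legitimate entries ("ctfmon.exe", "HP Software Update") have multi-word names or file names, but they run from Program Files or System32, and it is the combination of random wording with a launch path under a profile's Application Data that marks the LOP entries in this log.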
     


  4. 2008/05/01
    BrynTheSkits

    BrynTheSkits Inactive Thread Starter

    Joined:
    2006/11/01
    Messages:
    46
    Likes Received:
    0
    Ok, I uninstalled Windows Plus 3; that's the last time I allow something to install sponsor programs. I downloaded and ran NoLop, here are the results:

    NoLop! Log by Skate_Punk_21

    Fix running from: C:\Documents and Settings\OEM\Desktop
    [2/05/2008]
    [12:47:13 a.m.]

    ---Infection Files Found/Removed---
    NO INFECTION FILES FOUND - Cleaning Aborted.

    ---Listing AppData sub directories---

    C:\Documents and Settings\All Users\Application Data\Adobe
    C:\Documents and Settings\All Users\Application Data\Aol
    C:\Documents and Settings\All Users\Application Data\Aol Ocp
    C:\Documents and Settings\All Users\Application Data\Axis Readme Second Bat -- EMPTY Directory
    C:\Documents and Settings\All Users\Application Data\Cyberlink
    C:\Documents and Settings\All Users\Application Data\Hewlett-packard
    C:\Documents and Settings\All Users\Application Data\Hp
    C:\Documents and Settings\All Users\Application Data\Hp Product Assistant
    C:\Documents and Settings\All Users\Application Data\Hpssupply -- EMPTY Directory
    C:\Documents and Settings\All Users\Application Data\Macromedia
    C:\Documents and Settings\All Users\Application Data\Messenger Plus! -- EMPTY Directory
    C:\Documents and Settings\All Users\Application Data\Microsoft
    C:\Documents and Settings\All Users\Application Data\Microsoft Help
    C:\Documents and Settings\All Users\Application Data\Nfs Underground
    C:\Documents and Settings\All Users\Application Data\Real -- EMPTY Directory
    C:\Documents and Settings\All Users\Application Data\Viewpoint -- EMPTY Directory
    C:\Documents and Settings\All Users\Application Data\Webreg
    C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
    C:\Documents and Settings\All Users\Application Data\Wlinstaller
    C:\Documents and Settings\All Users\Application Data\{623d32e9-0c62-4453-ad44-98b31f52a5e1}
    C:\Documents and Settings\Default User\Application Data\Microsoft
    C:\Documents and Settings\Localservice\Application Data\Hp
    C:\Documents and Settings\Localservice\Application Data\Microsoft
    C:\Documents and Settings\Networkservice\Application Data\Microsoft
    C:\Documents and Settings\Oem\Application Data\Acccore
    C:\Documents and Settings\Oem\Application Data\Adobe
    C:\Documents and Settings\Oem\Application Data\Adobeum -- EMPTY Directory
    C:\Documents and Settings\Oem\Application Data\Cyberlink
    C:\Documents and Settings\Oem\Application Data\Daemon Tools
    C:\Documents and Settings\Oem\Application Data\Dvdcss
    C:\Documents and Settings\Oem\Application Data\Fltk.org -- EMPTY Directory
    C:\Documents and Settings\Oem\Application Data\Frostwire
    C:\Documents and Settings\Oem\Application Data\Help -- EMPTY Directory
    C:\Documents and Settings\Oem\Application Data\Hpappdata -- EMPTY Directory
    C:\Documents and Settings\Oem\Application Data\Identities
    C:\Documents and Settings\Oem\Application Data\Installshield
    C:\Documents and Settings\Oem\Application Data\Macromedia
    C:\Documents and Settings\Oem\Application Data\Media Player Classic
    C:\Documents and Settings\Oem\Application Data\Microsoft
    C:\Documents and Settings\Oem\Application Data\Microsoft Games
    C:\Documents and Settings\Oem\Application Data\Mozilla
    C:\Documents and Settings\Oem\Application Data\Msninstaller
    C:\Documents and Settings\Oem\Application Data\Opera
    C:\Documents and Settings\Oem\Application Data\Real -- EMPTY Directory
    C:\Documents and Settings\Oem\Application Data\Securom
    C:\Documents and Settings\Oem\Application Data\Sun
    C:\Documents and Settings\Oem\Application Data\Utorrent
    C:\Documents and Settings\Oem\Application Data\Vlc
    C:\Documents and Settings\Oem\Application Data\Winamp
    C:\Documents and Settings\Oem\Application Data\Winrar -- EMPTY Directory


    It told me it found no infections and didn't prompt me to restart, so I didn't. I then downloaded and ran dss.exe; here is its main.txt log:

    Deckard's System Scanner v20071014.68
    Run by OEM on 2008-05-02 00:58:04
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 5 Restore Point(s) --
    63: 2008-05-01 12:58:08 UTC - RP63 - Deckard's System Scanner Restore Point
    62: 2008-05-01 00:45:14 UTC - RP62 - System Checkpoint
    61: 2008-04-28 10:26:35 UTC - RP61 - Removed Panzer Elite Action – Dunes of War Singleplayer Demo.
    60: 2008-04-28 09:48:05 UTC - RP60 - Installed Panzer Elite Action – Dunes of War Singleplayer Demo.
    59: 2008-04-28 05:39:23 UTC - RP59 - Installed Prey Demo


    -- First Restore Point --
    1: 2008-03-16 20:45:24 UTC - RP1 - System Checkpoint


    Backed up registry hives.
    Performed disk cleanup.



    -- HijackThis (run as OEM.exe) -------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:58:51 a.m., on 2/05/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\taskswitch.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\games\steam\steam.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
    C:\Program Files\Common Files\AOL\Loader\aolload.exe
    C:\Documents and Settings\OEM\Desktop\dss.exe
    C:\hijack\OEM.exe

    O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
    O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe "
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe "
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe "
    O4 - HKLM\..\RunOnce: [MessengerPlusLiveUninstall] "C:\DOCUME~1\OEM\LOCALS~1\Temp\MsgPlusUninstall.exe" /Cleanup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Steam] "c:\games\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
    O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1192660560218
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 5110 bytes

    -- File Associations -----------------------------------------------------------

    .js - JSFile - DefaultIcon - "C:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe ",2


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R3 oUltraf - c:\documents and settings\oem\local settings\temp\oultraf.sys
    R3 SunkFilt (Alcor Micro Corp Reader) - c:\windows\system32\drivers\sunkfilt.sys <Not Verified; Alcor Micro Corp.; SunkFilt>


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>


    -- Device Manager: Disabled ----------------------------------------------------

    No disabled devices found.


    -- Files created between 2008-04-02 and 2008-05-02 -----------------------------

    2008-05-02 00:47:13 106 --a------ C:\delete.bat
    2008-05-01 18:47:15 0 d-------- C:\Documents and Settings\OEM\Application Data\Help
    2008-05-01 18:29:57 0 d-------- C:\Program Files\Gmask 1.70 English
    2008-05-01 00:22:21 0 d-------- C:\hijack
    2008-04-30 01:45:58 0 d-------- C:\Program Files\PhanTim3
    2008-04-30 00:18:16 0 d-------- C:\Documents and Settings\OEM\Application Data\acccore
    2008-04-30 00:17:56 0 d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
    2008-04-30 00:17:55 0 d-------- C:\Program Files\Viewpoint
    2008-04-30 00:17:52 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL
    2008-04-30 00:17:52 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
    2008-04-30 00:17:41 0 d-------- C:\Program Files\Common Files\AOL
    2008-04-30 00:17:14 0 d-------- C:\Program Files\AIM6
    2008-04-28 16:56:10 0 d-------- C:\Documents and Settings\OEM\Shared
    2008-04-28 16:56:05 0 d-------- C:\Documents and Settings\OEM\Incomplete <INCOMP~1>
    2008-04-28 16:55:48 0 d-------- C:\Documents and Settings\OEM\Application Data\FrostWire
    2008-04-28 16:52:34 0 d-------- C:\Program Files\Java
    2008-04-28 16:52:33 0 d-------- C:\Program Files\Common Files\Java
    2008-04-28 16:52:23 0 d-------- C:\Documents and Settings\OEM\Application Data\Sun
    2008-04-28 16:49:28 0 d-------- C:\Program Files\FrostWire
    2008-04-27 11:15:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
    2008-04-27 01:57:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Axis Readme Second Bat
    2008-04-27 01:54:28 0 d-------- C:\Program Files\Messenger Plus! Live
    2008-04-25 19:11:29 0 d-------- C:\Documents and Settings\OEM\Application Data\dvdcss
    2008-04-25 12:25:10 462848 --a------ C:\WINDOWS\lame_enc.dll
    2008-04-25 12:19:57 0 d-------- C:\Program Files\GoldWave
    2008-04-24 16:44:00 0 d-------- C:\WINDOWS\pss
    2008-04-23 23:38:05 49152 --a------ C:\WINDOWS\Iniexpander.exe
    2008-04-23 23:35:22 69632 -ra------ C:\WINDOWS\system32\xmltok.dll
    2008-04-23 23:35:22 36864 -ra------ C:\WINDOWS\system32\xmlparse.dll
    2008-04-23 23:35:21 0 d-------- C:\Program Files\Ubi Soft
    2008-04-23 21:36:53 0 d-------- C:\Documents and Settings\OEM\Application Data\WinRAR
    2008-04-23 20:31:57 717296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
    2008-04-23 20:31:52 0 d-------- C:\Documents and Settings\OEM\Application Data\DAEMON Tools
    2008-04-23 07:32:28 0 d-------- C:\Documents and Settings\OEM\Application Data\AdobeUM
    2008-04-23 01:02:10 0 d-------- C:\Documents and Settings\OEM\Application Data\Media Player Classic
    2008-04-23 00:00:29 0 dr-h----- C:\Documents and Settings\OEM\Application Data\SecuROM
    2008-04-22 17:35:48 0 d-------- C:\Documents and Settings\OEM\Application Data\Microsoft Games
    2008-04-22 14:41:14 0 d-------- C:\Program Files\uTorrent
    2008-04-22 14:41:09 0 d-------- C:\Documents and Settings\OEM\Application Data\uTorrent
    2008-04-22 00:46:17 0 d-------- C:\Documents and Settings\OEM\Application Data\fltk.org
    2008-04-22 00:36:07 163840 --a------ C:\WINDOWS\system32\unrar.dll
    2008-04-22 00:36:06 217088 --a------ C:\WINDOWS\system32\yv12vfw.dll <Not Verified; www.helixcommunity.org; Helix YV12 YUV Codec>
    2008-04-22 00:36:06 39936 --a------ C:\WINDOWS\system32\huffyuv.dll <Not Verified; Disappearing Inc.; Huffyuv>
    2008-04-22 00:36:05 282624 --a------ C:\WINDOWS\system32\xvidvfw.dll
    2008-04-22 00:36:05 1559040 --a------ C:\WINDOWS\system32\xvidcore.dll
    2008-04-22 00:36:05 564224 --a------ C:\WINDOWS\system32\x264vfw.dll
    2008-04-22 00:36:05 630784 --a------ C:\WINDOWS\system32\vp7vfw.dll <Not Verified; On2.com; On2_VP70>
    2008-04-22 00:36:05 438272 --a------ C:\WINDOWS\system32\vp6vfw.dll <Not Verified; On2.com; On2_VP6>
    2008-04-22 00:36:05 144384 --a------ C:\WINDOWS\system32\Iacenc.dll <Not Verified; Intel Corporation; Indeo® audio software>
    2008-04-22 00:36:04 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
    2008-04-22 00:36:04 7680 --a------ C:\WINDOWS\system32\ff_vfw.dll
    2008-04-22 00:36:04 73728 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
    2008-04-22 00:36:04 740442 --a------ C:\WINDOWS\system32\divx.dll <Not Verified; DivX, Inc.; DivX®>
    2008-04-22 00:36:03 0 d-------- C:\Program Files\K-Lite Codec Pack
    2008-04-22 00:36:03 0 d-------- C:\Documents and Settings\OEM\Application Data\Real
    2008-04-22 00:36:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Real
    2008-04-21 22:34:09 0 d-------- C:\Documents and Settings\OEM\Application Data\HPAppData
    2008-04-21 12:04:52 0 d---s---- C:\Documents and Settings\LocalService\UserData
    2008-04-21 12:04:43 0 d-------- C:\Documents and Settings\LocalService\Application Data\HP
    2008-04-21 11:42:00 0 d-------- C:\Documents and Settings\All Users\Application Data\WEBREG
    2008-04-21 11:40:16 0 d-------- C:\Documents and Settings\All Users\Application Data\HPSSUPPLY
    2008-04-21 11:39:23 0 d-------- C:\Documents and Settings\All Users\Application Data\HP Product Assistant
    2008-04-21 11:39:22 0 d-------- C:\Documents and Settings\All Users\Application Data\HP
    2008-04-21 11:39:11 0 d-------- C:\Program Files\Common Files\HP
    2008-04-21 11:38:58 0 d-------- C:\Program Files\Hewlett-Packard
    2008-04-21 11:38:49 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
    2008-04-21 11:38:11 0 d-------- C:\Program Files\HP
    2008-04-21 11:37:24 2000 -----n--- C:\WINDOWS\hpomdl14.dat
    2008-04-21 11:37:24 141136 --a------ C:\WINDOWS\hpoins14.dat
    2008-04-21 11:37:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
    2008-04-20 10:41:53 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
    2008-04-20 01:22:19 0 d-------- C:\WINDOWS\system32\appmgmt
    2008-04-19 23:19:11 0 d-------- C:\Documents and Settings\OEM\Application Data\vlc
    2008-04-19 17:53:22 0 d-------- C:\Documents and Settings\OEM\Application Data\Mozilla
    2008-04-19 17:22:49 0 d-------- C:\Program Files\VideoLAN
    2008-04-19 12:47:24 0 d-------- C:\Program Files\Winamp
    2008-04-19 12:47:24 0 d-------- C:\Documents and Settings\OEM\Application Data\Winamp
    2008-04-19 12:28:29 0 d--h----- C:\WINDOWS\msdownld.tmp
    2008-04-19 12:27:15 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
    2008-04-18 21:29:32 0 d-------- C:\Documents and Settings\All Users\Application Data\NFS Underground
    2008-04-18 21:29:01 0 d-------- C:\Program Files\Common Files\DirectX
    2008-04-17 20:54:08 0 d-------- C:\Program Files\Microsoft SQL Server Compact Edition
    2008-04-17 20:36:05 0 d-------- C:\WINDOWS\system32\QuickTime
    2008-04-17 20:33:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Macromedia
    2008-04-17 20:33:03 0 d-------- C:\Program Files\Macromedia
    2008-04-17 20:33:03 0 d-------- C:\Program Files\Common Files\Macromedia
    2008-04-17 20:21:59 0 d-------- C:\Documents and Settings\OEM\Contacts
    2008-04-17 20:11:25 0 d-------- C:\WINDOWS\system32\AGEIA
    2008-04-17 20:11:25 0 d-------- C:\Program Files\AGEIA Technologies
    2008-04-17 20:11:15 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-04-17 19:34:17 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
    2008-04-17 19:34:14 0 d-------- C:\Program Files\Windows Live
    2008-04-17 19:34:06 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
    2008-04-17 19:25:26 0 d-------- C:\Documents and Settings\OEM\Application Data\MSNInstaller
    2008-04-17 18:57:22 0 d-------- C:\Documents and Settings\OEM\Application Data\Adobe
    2008-04-16 17:34:06 0 d-------- C:\Documents and Settings\OEM\Application Data\Opera
    2008-04-16 17:33:16 0 d-------- C:\Program Files\Opera
    2008-04-16 10:37:07 0 d-------- C:\Downloaded
    2008-04-16 09:13:19 0 d-------- C:\games
    2008-04-04 10:40:44 0 d-------- C:\drivers


    -- Find3M Report ---------------------------------------------------------------

    2008-04-30 00:17:41 0 d-------- C:\Program Files\Common Files
    2008-04-30 00:00:38 0 d--h----- C:\Program Files\InstallShield Installation Information
    2008-04-22 19:47:45 0 d-------- C:\Documents and Settings\OEM\Application Data\CyberLink
    2008-04-17 20:36:51 0 d-------- C:\Documents and Settings\OEM\Application Data\Macromedia
    2008-03-17 09:10:54 0 d-------- C:\Program Files\CyberLink
    2008-03-17 08:58:26 0 d-------- C:\Program Files\Common Files\InstallShield
    2008-03-17 08:56:06 0 d-------- C:\Program Files\Multimedia Card Reader
    2008-03-17 08:53:22 0 d-------- C:\Program Files\Realtek
    2008-03-17 08:53:16 0 d-------- C:\Documents and Settings\OEM\Application Data\InstallShield
    2008-03-17 08:51:05 315392 --a------ C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
    2008-03-17 08:48:11 0 d-------- C:\Program Files\Intel


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}]
    02/03/2007 04:52 p.m. 1298024 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{053F9267-DC04-4294-A72C-58F732D338C0}]
    02/03/2007 04:52 p.m. 177768 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray "= "C:\WINDOWS\system32\igfxtray.exe" [05/09/2007 09:13 p.m.]
    "HotKeysCmds "= "C:\WINDOWS\system32\hkcmd.exe" [05/09/2007 09:13 p.m.]
    "Persistence "= "C:\WINDOWS\system32\igfxpers.exe" [05/09/2007 09:13 p.m.]
    "RTHDCPL "= "RTHDCPL.EXE" [19/09/2007 10:14 p.m. C:\WINDOWS\RTHDCPL.exe]
    "SkyTel "= "SkyTel.EXE" [03/08/2007 05:22 p.m. C:\WINDOWS\SkyTel.exe]
    "Alcmtr "= "ALCMTR.EXE" [03/05/2005 10:43 p.m. C:\WINDOWS\Alcmtr.exe]
    "Sunkist2k "= "C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [25/02/2005 03:54 p.m.]
    "RemoteControl "= "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [23/11/2006 02:10 p.m.]
    "LanguageShortcut "= "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [05/12/2006 09:55 p.m.]
    "WinampAgent "= "C:\Program Files\Winamp\winampa.exe" [02/04/2008 06:49 a.m.]
    "HP Software Update "= "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [11/03/2007 09:34 p.m.]
    "CoolSwitch "= "C:\WINDOWS\system32\taskswitch.exe" [19/03/2002 05:30 p.m.]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 01:11 a.m.]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Power2GoExpress "=" " []
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [28/07/2007 12:00 a.m.]
    "Steam "= "c:\games\steam\steam.exe" [19/04/2008 11:18 a.m.]
    "Aim6 "= "C:\Program Files\AIM6\aim6.exe" [26/03/2008 08:21 a.m.]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
    "MessengerPlusLiveUninstall "= "C:\DOCUME~1\OEM\LOCALS~1\Temp\MsgPlusUninstall.exe" /Cleanup

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [14/12/2004 11:44:06 p.m.]
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [11/03/2007 9:26:24 p.m.]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt hpqcxs08 hpqddsvc


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1575f1ee-f46c-11dc-982e-001d7d4e0555}]
    AutoRun\command- I:\wd_windows_tools\setup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{20e77100-8424-11dc-b462-ed8fa353e837}]
    Auto\command- auto.exe
    AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c17830cb-8422-11dc-b460-806d6172696f}]
    AutoRun\command- D:\setup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e2b4d318-01ce-11dd-9835-001d7d4e0555}]
    AutoRun\command- I:\wd_windows_tools\setup.exe

    *Newly Created Service* - OULTRAF



    -- End of Deckard's System Scanner: finished at 2008-05-02 00:59:18 ------------
     
  5. 2008/05/01
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks like uninstalling Messenger Plus 3 took most of the LOP infection with it. Just a few stragglers to clean up. Scan again with HijackThis and place a check next to the following entry.

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    Close all open browser windows then click Fix Checked. Close HijackThis.


    Click Start>Run and type or copy then paste the first bolded command below in the Run dialog, then hit Enter. Now repeat with the second command.

    sc stop oUltraf

    sc delete oUltraf



    Delete the following file and folders unless you know what they are and intend to keep them. The Application Data folder is a hidden folder, so you will need to set Windows to show hidden files and folders.

    C:\delete.bat
    C:\Program Files\Messenger Plus! Live
    C:\Documents and Settings\All Users\Application Data\Messenger Plus!
    C:\Documents and Settings\All Users\Application Data\Axis Readme Second Bat < this is a LOP folder


    You have a flash drive infection. Please download Flash_Disinfector by sUBs and save it to your desktop:

    NOTE: In the event you already have Flash_Disinfector, this is an updated version that I need you to download.

    • Plug in your USB flash drive.
    • Double-click Flash_Disinfector.exe to run it.
    • Follow any prompts that may appear.
    • Your desktop will vanish for a while, and then reappear. This is normal.
    • Wait until the program has finished scanning, then please exit the program. If you use more than 1 flash drive, run the tool with each plugged in.


    Now we need to clean up some registry entries created by those flash drive infections. Highlight and copy the contents of the code box below to a blank notepad. Save it to the desktop as:

    Filename: fix.reg
    Save as type: All Files (*.*)

    Code:
    REGEDIT4
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1575f1ee-f46c-11dc-982e-001d7d4e0555}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{20e77100-8424-11dc-b462-ed8fa353e837}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c17830cb-8422-11dc-b460-806d6172696f}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e2b4d318-01ce-11dd-9835-001d7d4e0555}]
    
    
    Double click fix.reg and allow it to merge with the registry.



    Download ATF Cleaner by Atribune and save it to your Desktop.
    • Double click ATF-Cleaner.exe to run the program.
    • Check the boxes to the left of:

      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      • Recycle bin

    • The rest are optional - if you want it to remove everything check "Select All ".
    • Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK then exit.

    Reboot



    Now, please do an online scan with Kaspersky WebScanner

    Click Scan Now and Accept the agreement. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
      • Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • This program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.

    Post the Kaspersky log and one more fresh dss log.
     
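    Added example, not part of this thread and not code from DSS, HijackThis or any other tool named above: a small Python script that does mechanically what the helper did by hand in the fix.reg step. It reads the MountPoints2 section of a DSS-style log, lists each per-volume AutoRun handler, flags the ones that look like an autorun.inf worm (a bare relative executable such as auto.exe, or a RunDLL32 ShellExec_RunDLL wrapper) and writes out a REGEDIT4 file that deletes those keys. The GUIDs and commands in the embedded sample are constructed, and the "suspicious" heuristic is an assumption of this example, not a rule stated in the thread.

```python
"""
Added example (not from the thread or any tool it names): turn the
MountPoints2 entries of a DSS-style log into a REGEDIT4 deletion file,
mirroring the fix.reg the helper wrote by hand.
"""
import re

# Constructed sample modelled on the DSS log format in the thread.
# The GUIDs are placeholders, not the ones from the poster's machine.
SAMPLE_LOG = """\
[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{11111111-1111-1111-1111-111111111111}]
AutoRun\\command- I:\\wd_windows_tools\\setup.exe

[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{22222222-2222-2222-2222-222222222222}]
Auto\\command- auto.exe
AutoRun\\command- C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe

[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{33333333-3333-3333-3333-333333333333}]
Shell\\open\\command- x.exe
"""

# A MountPoints2 per-volume key: [HKEY_...\mountpoints2\{GUID}]
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+\\mountpoints2\\\{[0-9a-f-]{36}\})\]$", re.I)
# A handler line as DSS prints it: "<verb>\command- <command line>"
CMD_RE = re.compile(r"^(?P<verb>[A-Za-z\\]+)\\command-\s*(?P<cmd>.+)$")


def parse_mountpoints(log_text):
    """Return {key_path: [(verb, command), ...]} for every MountPoints2 key."""
    entries = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            entries[current] = []
            continue
        m = CMD_RE.match(line)
        if m and current is not None:
            entries[current].append((m.group("verb"), m.group("cmd")))
    return entries


def suspicious(verb, cmd):
    """Heuristic (an assumption of this example): a relative executable name
    or a RunDLL32 ShellExec_RunDLL wrapper is the shape an autorun.inf worm
    leaves behind; an absolute path such as D:\\setup.exe is only flagged
    for review, not deletion, unless all_keys is requested below."""
    c = cmd.strip().lower()
    if "shellexec_rundll" in c:
        return True
    target = c.split()[0]
    return re.match(r"^[a-z]:\\", target) is None


def build_fix_reg(entries, all_keys=False):
    """Emit REGEDIT4 text. '[-KEY]' deletes the key, the same syntax the
    helper used in fix.reg. With all_keys=True every per-volume key goes,
    which is what the thread's fix did; the default deletes only keys that
    carry a suspicious handler. Returns (reg_text, deleted_keys)."""
    doomed = [key for key, cmds in entries.items()
              if all_keys or any(suspicious(v, c) for v, c in cmds)]
    lines = ["REGEDIT4", ""]
    for key in doomed:
        lines.append(f"[-{key}]")
        lines.append("")
    return "\n".join(lines) + "\n", doomed


def report(entries):
    """Human-readable triage listing, one line per handler."""
    out = []
    for key, cmds in entries.items():
        guid = key.rsplit("\\", 1)[-1]
        for verb, cmd in cmds:
            tag = "SUSPICIOUS" if suspicious(verb, cmd) else "review"
            out.append(f"{tag:10} {guid} {verb}\\command = {cmd}")
    return out


if __name__ == "__main__":
    found = parse_mountpoints(SAMPLE_LOG)
    print("\n".join(report(found)))
    reg_text, deleted = build_fix_reg(found)
    print(f"\n{len(deleted)} key(s) would be deleted by fix.reg:\n")
    print(reg_text)
```

Run it against a saved DSS log by replacing SAMPLE_LOG with the file contents; the printed REGEDIT4 text is what you would save as fix.reg and merge, after reading the review lines to decide whether the remaining absolute-path handlers (a CD installer, a vendor tools partition) are ones you want to keep.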
