Please I need some help. [Annoying popups]

My computer at work has a whole lot of popups from Betzip.com, Yourtopbrand.com ,Broadcaster.com, and many more. And I think it got there from the other receptionist downloading things. Anyway our computer guy is out of town for a month and I cant work like this for a month. So can someone let me know the first thing I should do. I did many scans. Windows live onecare, Ad - Aware, S&D, AVG, and the popups wont stop. Please Please Please can someone help me.

 

Hi and welcome.

Hopefully you find your thread.

Let's see what is going on here.

Download Hijack This from:

http://hijack1.trend-braintree.com/hjt/eval/HJTInstall.exe
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
http://www.trendsecure.com/portal/en-US/threat_analytics/HJTinstall.exe

Save the setup file on your desktop
Double click on it and by default it should install to C:\Program Files\Hijack This
Continue through the setup and have it create a desktop icon for you
Follow all the prompts, click Finish, and have it start Hijack This
Click the "Do a System Scan and Save a Log File" option
Save the log file and then it should open with Notepad

Go to Edit, Select All and then Edit, Paste to paste the contents of the log here
Make sure you DO NOT fix anything with Hijack This yet. Most of the things in the log are normal or required.

Thanks

 

Blender thank you so much for responding so fast.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:39:03 AM, on 7/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\Defrag.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mlsstratus.com/Login.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11978EAF-7B5F-4A3F-A59B-C37C13478D74} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {91C48C25-395F-48FF-A257-626727DA5482} - C:\Program Files\NetMeeting\vixy83122.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {e5c3f224-94b7-41d7-99df-dff10d451232} - C:\WINDOWS\system32\rfpydgo.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] "C:\WINDOWS\system32\mobsync.exe" /logon
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe "
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zuma/sis/popcaploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dartcapital.local
O17 - HKLM\Software\..\Telephony: DomainName = dartcapital.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dartcapital.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dartcapital.local
O20 - Winlogon Notify: mljge - C:\WINDOWS\system32\mljge.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DCS Loader (DCSLoader) - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 7256 bytes

 

ok i am not an expert here but i belive that problems also could be:


O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {11978EAF-7B5F-4A3F-A59B-C37C13478D74} - (no file)
O2 - BHO: (no name) - {91C48C25-395F-48FF-A257-626727DA5482} - C:\Program Files\NetMeeting\vixy83122.dll (file missing)O2 - BHO: (no name) - {e5c3f224-94b7-41d7-99df-dff10d451232} - C:\WINDOWS\system32\rfpydgo.dll (file missing)
O20 - Winlogon Notify: mljge - C:\WINDOWS\system32\mljge.dll (file missing)



dont listen to me i am just begginer,just wanna see if i was right.

 

@ PeteC

It was me who asked TeMerc to move(split) post here since it was tagged onto another thread. (this is the reason there was no title)

Petag21:

Please follow what I am telling you in regards to fixes.
Likely more going on than what fball pointed out.

1. Download this file and save it to your desktop.

In the event you already have Combofix, please delete it as this is a new version I need you to download.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
You will temporarily lose desktop while scan is running. Once scan is done desktop will return to normal.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Thanks

 

"Reception" - 2007-07-26 9:02:11 - ComboFix 07-07-23.6 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\RECEPT~1\APPLIC~1.\fnts~1
C:\DOCUME~1\RECEPT~1\APPLIC~1.\smbols~1
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\poolsv
C:\Program Files\poolsv\k11u72.exe
C:\Program Files\poolsv\YazzleBundle-1549.exe
C:\Program Files\svhost
C:\Program Files\winpop
C:\Program Files\winpop\UnInstall.exe
C:\temp\tn3
C:\WINDOWS\system32\b10FdUe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\L1
C:\WINDOWS\system32\L3
C:\WINDOWS\system32\L3\wr716.exe
C:\WINDOWS\system32\L5
C:\WINDOWS\system32\L7
C:\WINDOWS\system32\L9
C:\WINDOWS\system32\win
C:\WINDOWS\wbun.exe
C:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_FOPN
-------\core


((((((((((((((((((((((((( Files Created from 2007-06-26 to 2007-07-26 )))))))))))))))))))))))))))))))


2007-07-26 08:39 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-25 08:37 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-24 11:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-24 11:39 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-24 09:39 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-07-24 08:50 81,024 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\msfwdrv.sys
2007-07-24 08:50 105,856 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\msfwhlpr.sys
2007-07-24 08:49 67,784 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\MpFilter.sys
2007-07-24 08:48 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2007-07-24 08:28 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2007-07-24 08:28 208,248 --a------ C:\WINDOWS\SYSTEM32\muweb.dll
2007-07-23 16:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-23 16:10 <DIR> d-------- C:\DOCUME~1\RECEPT~1\APPLIC~1\Google
2007-07-23 15:48 <DIR> d-------- C:\Program Files\Google
2007-07-23 15:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-07-23 15:47 626,688 --a------ C:\WINDOWS\SYSTEM32\msvcr80.dll
2007-07-23 15:13 164 --a------ C:\install.dat
2007-07-23 14:54 <DIR> d-------- C:\DOCUME~1\RECEPT~1\APPLIC~1\SpywareRemover
2007-07-23 12:12 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-07-23 11:54 <DIR> d----c--- C:\WINDOWS\SYSTEM32\DRVSTORE
2007-07-23 11:25 6,471 --ahs---- C:\WINDOWS\SYSTEM32\vycdd.bak1
2007-07-23 10:38 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-23 10:22 6,471 --ahs---- C:\WINDOWS\SYSTEM32\egjlm.bak1
2007-07-23 10:17 <DIR> d-------- C:\WINDOWS\SYSTEM32\L11
2007-07-23 10:17 <DIR> d-------- C:\Temp\0c2
2007-07-23 10:16 <DIR> d-------- C:\Temp\brr
2007-07-23 10:16 <DIR> d-------- C:\Temp
2007-07-23 09:39 <DIR> d-------- C:\DOCUME~1\RECEPT~1\APPLIC~1\Yahoo!
2007-07-23 09:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-07-23 09:18 <DIR> d-------- C:\Program Files\Yahoo!
2007-07-20 15:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PopCap
2007-07-09 13:40 <DIR> d-------- C:\DOCUME~1\RECEPT~1\APPLIC~1\AdobeUM


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-23 16:12:59 -------- d-----w C:\Program Files\MUSICMATCH
2007-06-13 17:33:56 -------- d-----w C:\DOCUME~1\RECEPT~1\APPLIC~1\Move Networks
2007-06-12 14:41:11 -------- d-----w C:\Program Files\Dell
2007-06-12 14:39:45 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-04 20:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 20:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 20:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{11978EAF-7B5F-4A3F-A59B-C37C13478D74}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91C48C25-395F-48FF-A257-626727DA5482}]
C:\Program Files\NetMeeting\vixy83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e5c3f224-94b7-41d7-99df-dff10d451232}]
C:\WINDOWS\system32\rfpydgo.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray "= "C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 01:21]
"OneCareUI "= "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [2007-07-10 11:12]
"!AVG Anti-Spyware "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"swg "= "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-07-23 16:11]

C:\Documents and Settings\reception\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 14:36:04]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 14:36:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools "=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljge]
C:\WINDOWS\system32\mljge.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\OneCareMP]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\Dell Support\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1137784261\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\HP\HP Software Update\HPWuSchd.exe "

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

R1 MSFWHLPR;MSFWHLPR;C:\WINDOWS\system32\DRIVERS\msfwhlpr.sys
R2 Fax;Fax;C:\WINDOWS\system32\fxssvc.exe
R2 MSFWDrv;MSFWDrv;C:\WINDOWS\system32\DRIVERS\msfwdrv.sys
R2 msfwsvc;OneCare Firewall; "C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe "
R2 NAVAPEL;NAVAPEL;\??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS
R2 OneCareMP;OneCare AntiSpyware and AntiVirus; "C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe "
R3 E100B;Intel(R) PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
R3 MpFilter;Microsoft Malware Protection Driver;C:\WINDOWS\system32\DRIVERS\MpFilter.sys
R3 NAVAP;NAVAP;\??\C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAP.sys
R3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys
S1 P3;Intel PentiumIII Processor Driver;C:\WINDOWS\system32\DRIVERS\p3.sys
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\C:\WINDOWS\system32\drivers\NSDriver.sys
S3 EL90X;3Com EtherLink XL 90X Adapter Driver;C:\WINDOWS\system32\DRIVERS\el90xnd5.sys
S3 EL90XBC;3Com EtherLink XL 90XB/C Adapter Driver;C:\WINDOWS\system32\DRIVERS\el90xbc5.sys
S3 i81x;i81x;C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
S3 iAimFP0;iAimFP0;C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
S3 iAimFP1;iAimFP1;C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
S3 iAimFP2;iAimFP2;C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
S3 iAimFP3;iAimFP3;C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
S3 iAimFP4;iAimFP4;C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
S3 iAimTV0;iAimTV0;C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
S3 iAimTV1;iAimTV1;C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
S3 iAimTV2;iAimTV2;C:\WINDOWS\system32\DRIVERS\wATV03nt.sys
S3 iAimTV3;iAimTV3;C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
S3 iAimTV4;iAimTV4;C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
S3 SQLAgent$MICROSOFTBCM;SQLAgent$MICROSOFTBCM;C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE -i MICROSOFTBCM
S3 StillCam;Still Serial Digital Camera Driver;C:\WINDOWS\system32\DRIVERS\serscan.sys
S3 TnIDriver;TnIDriver;\??\C:\DOCUME~1\RECEPT~1\LOCALS~1\Temp\tni3B.tmp
S4 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys


Contents of the 'Scheduled Tasks' folder
2007-07-23 19:58:29 C:\WINDOWS\tasks\SpywareRemover Scheduled Scan.job
2007-07-26 14:18:33 C:\WINDOWS\tasks\{F897AA24-BDC3-11D1-B85B-00C04FB93981}_dartcapital_reception.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-26 09:17:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-26 9:21:40 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-26 09:21

--- E O F ---
------------------------------------------------------------------



One quick question. Am I still not fixing anything with hijack this?
And thank you again.

 

Hi,

Sorry to keep you waiting.

Copy the following text to a new notepad file
Save as file name CFScript.txt
As file types: All files (*)
Save it to your desktop.

Code:

File::
C:\WINDOWS\SYSTEM32\vycdd.bak1
C:\WINDOWS\SYSTEM32\egjlm.bak1

Folder::
C:\WINDOWS\SYSTEM32\L11
C:\Temp\0c2
C:\Temp\brr

Registry:
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mljge]
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{91C48C25-395F-48FF-A257-626727DA5482}]
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{e5c3f224-94b7-41d7-99df-dff10d451232}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{91C48C25-395F-48FF-A257-626727DA5482}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e5c3f224-94b7-41d7-99df-dff10d451232}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11978EAF-7B5F-4A3F-A59B-C37C13478D74}]

Drag CFScript.txt on top of ComboFix.exe

like this:



Doing this will cause ComboFix to start.
You may loose desktop while it is scanning. It will return to normal once done.
Notepad should open with new log.

Post the new ComboFix.txt please.

Please post fresh hijackthis log.
I meant to ask for that in my last post.

I don't fix much with Hijackthis. Most of the nasties in HJT I included in the CFScript fix.
As you can see with comboFix log it removed ALOT of stuff.

I figured there was going to be a fair bit of trash so hit it hard.

Aside your ComboFix log and new Hijackthis I want to do an online scan as well.

Using Internet Explorer please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

• The program will launch and then start to download the latest definition files.
• Once the scanner is installed and the definitions downloaded, click Next.
• Now click on Scan Settings
• In the scan settings make sure that the following are selected:
  • Scan using the following Anti-Virus database:
    • Extended (If available otherwise Standard)
  • Scan Options:
    • Scan Archives
    • Scan Mail Bases
• Click OK
• Now under select a target to scan select My Computer
• The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
• Now click on the Save report button.
• Call it Kaspersky.txt
• Expand the arrow beside "file types" and save as .txt file.
• Save the file to your desktop.
• Copy and paste that information in your next post.

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.

*Note2
If you have Internet Explorer 7 installed:
If you have trouble getting past the initial download you may need to use the "zoom" tool at bottom right of the scanner window and increase it to 125% to see and press the "accept" button.
Page will reload and you should be able to carry on scan.

If the Kaspersky log is monster size or contains personal info you don't want displayed you can upload it here please:

http://www.bleepingcomputer.com/submit-malware.php?channel=19

please leave a link to this thread at that site so I can ID the log.

Thanks

 

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:44, on 2007-07-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mlsstratus.com/Login.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11978EAF-7B5F-4A3F-A59B-C37C13478D74} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {91C48C25-395F-48FF-A257-626727DA5482} - C:\Program Files\NetMeeting\vixy83122.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {e5c3f224-94b7-41d7-99df-dff10d451232} - C:\WINDOWS\system32\rfpydgo.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe "
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zuma/sis/popcaploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dartcapital.local
O17 - HKLM\Software\..\Telephony: DomainName = dartcapital.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dartcapital.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dartcapital.local
O20 - Winlogon Notify: mljge - C:\WINDOWS\system32\mljge.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DCS Loader (DCSLoader) - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 6776 bytes

 

"Reception" - 2007-07-26 9:02:11 - ComboFix 07-07-23.6 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\RECEPT~1\APPLIC~1.\fnts~1
C:\DOCUME~1\RECEPT~1\APPLIC~1.\smbols~1
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\poolsv
C:\Program Files\poolsv\k11u72.exe
C:\Program Files\poolsv\YazzleBundle-1549.exe
C:\Program Files\svhost
C:\Program Files\winpop
C:\Program Files\winpop\UnInstall.exe
C:\temp\tn3
C:\WINDOWS\system32\b10FdUe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\L1
C:\WINDOWS\system32\L3
C:\WINDOWS\system32\L3\wr716.exe
C:\WINDOWS\system32\L5
C:\WINDOWS\system32\L7
C:\WINDOWS\system32\L9
C:\WINDOWS\system32\win
C:\WINDOWS\wbun.exe
C:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_FOPN
-------\core


((((((((((((((((((((((((( Files Created from 2007-06-26 to 2007-07-26 )))))))))))))))))))))))))))))))


2007-07-26 08:39 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-25 08:37 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-24 11:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-24 11:39 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-24 09:39 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-07-24 08:50 81,024 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\msfwdrv.sys
2007-07-24 08:50 105,856 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\msfwhlpr.sys
2007-07-24 08:49 67,784 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\MpFilter.sys
2007-07-24 08:48 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2007-07-24 08:28 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2007-07-24 08:28 208,248 --a------ C:\WINDOWS\SYSTEM32\muweb.dll
2007-07-23 16:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-23 16:10 <DIR> d-------- C:\DOCUME~1\RECEPT~1\APPLIC~1\Google
2007-07-23 15:48 <DIR> d-------- C:\Program Files\Google
2007-07-23 15:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-07-23 15:47 626,688 --a------ C:\WINDOWS\SYSTEM32\msvcr80.dll
2007-07-23 15:13 164 --a------ C:\install.dat
2007-07-23 14:54 <DIR> d-------- C:\DOCUME~1\RECEPT~1\APPLIC~1\SpywareRemover
2007-07-23 12:12 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-07-23 11:54 <DIR> d----c--- C:\WINDOWS\SYSTEM32\DRVSTORE
2007-07-23 11:25 6,471 --ahs---- C:\WINDOWS\SYSTEM32\vycdd.bak1
2007-07-23 10:38 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-23 10:22 6,471 --ahs---- C:\WINDOWS\SYSTEM32\egjlm.bak1
2007-07-23 10:17 <DIR> d-------- C:\WINDOWS\SYSTEM32\L11
2007-07-23 10:17 <DIR> d-------- C:\Temp\0c2
2007-07-23 10:16 <DIR> d-------- C:\Temp\brr
2007-07-23 10:16 <DIR> d-------- C:\Temp
2007-07-23 09:39 <DIR> d-------- C:\DOCUME~1\RECEPT~1\APPLIC~1\Yahoo!
2007-07-23 09:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-07-23 09:18 <DIR> d-------- C:\Program Files\Yahoo!
2007-07-20 15:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PopCap
2007-07-09 13:40 <DIR> d-------- C:\DOCUME~1\RECEPT~1\APPLIC~1\AdobeUM


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-23 16:12:59 -------- d-----w C:\Program Files\MUSICMATCH
2007-06-13 17:33:56 -------- d-----w C:\DOCUME~1\RECEPT~1\APPLIC~1\Move Networks
2007-06-12 14:41:11 -------- d-----w C:\Program Files\Dell
2007-06-12 14:39:45 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-04 20:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 20:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 20:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{11978EAF-7B5F-4A3F-A59B-C37C13478D74}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91C48C25-395F-48FF-A257-626727DA5482}]
C:\Program Files\NetMeeting\vixy83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e5c3f224-94b7-41d7-99df-dff10d451232}]
C:\WINDOWS\system32\rfpydgo.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray "= "C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 01:21]
"OneCareUI "= "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [2007-07-10 11:12]
"!AVG Anti-Spyware "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"swg "= "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-07-23 16:11]

C:\Documents and Settings\reception\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 14:36:04]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 14:36:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools "=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljge]
C:\WINDOWS\system32\mljge.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\OneCareMP]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\Dell Support\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1137784261\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\HP\HP Software Update\HPWuSchd.exe "

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

R1 MSFWHLPR;MSFWHLPR;C:\WINDOWS\system32\DRIVERS\msfwhlpr.sys
R2 Fax;Fax;C:\WINDOWS\system32\fxssvc.exe
R2 MSFWDrv;MSFWDrv;C:\WINDOWS\system32\DRIVERS\msfwdrv.sys
R2 msfwsvc;OneCare Firewall; "C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe "
R2 NAVAPEL;NAVAPEL;\??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS
R2 OneCareMP;OneCare AntiSpyware and AntiVirus; "C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe "
R3 E100B;Intel(R) PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
R3 MpFilter;Microsoft Malware Protection Driver;C:\WINDOWS\system32\DRIVERS\MpFilter.sys
R3 NAVAP;NAVAP;\??\C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAP.sys
R3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys
S1 P3;Intel PentiumIII Processor Driver;C:\WINDOWS\system32\DRIVERS\p3.sys
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\C:\WINDOWS\system32\drivers\NSDriver.sys
S3 EL90X;3Com EtherLink XL 90X Adapter Driver;C:\WINDOWS\system32\DRIVERS\el90xnd5.sys
S3 EL90XBC;3Com EtherLink XL 90XB/C Adapter Driver;C:\WINDOWS\system32\DRIVERS\el90xbc5.sys
S3 i81x;i81x;C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
S3 iAimFP0;iAimFP0;C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
S3 iAimFP1;iAimFP1;C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
S3 iAimFP2;iAimFP2;C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
S3 iAimFP3;iAimFP3;C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
S3 iAimFP4;iAimFP4;C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
S3 iAimTV0;iAimTV0;C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
S3 iAimTV1;iAimTV1;C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
S3 iAimTV2;iAimTV2;C:\WINDOWS\system32\DRIVERS\wATV03nt.sys
S3 iAimTV3;iAimTV3;C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
S3 iAimTV4;iAimTV4;C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
S3 SQLAgent$MICROSOFTBCM;SQLAgent$MICROSOFTBCM;C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE -i MICROSOFTBCM
S3 StillCam;Still Serial Digital Camera Driver;C:\WINDOWS\system32\DRIVERS\serscan.sys
S3 TnIDriver;TnIDriver;\??\C:\DOCUME~1\RECEPT~1\LOCALS~1\Temp\tni3B.tmp
S4 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys


Contents of the 'Scheduled Tasks' folder
2007-07-23 19:58:29 C:\WINDOWS\tasks\SpywareRemover Scheduled Scan.job
2007-07-26 14:18:33 C:\WINDOWS\tasks\{F897AA24-BDC3-11D1-B85B-00C04FB93981}_dartcapital_reception.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-26 09:17:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-26 9:21:40 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-26 09:21

--- E O F ---

 

I posted the Kaspersky log to http://www.bleepingcomputer.com/subm...php?channel=19 under the topic Annoying popups. I hope I did that part right.

 

Hi,

I got the Kaspersky log OK. Thanks
Looks like the Combofix log you posted was the old one (combofix2.txt)

Turn off your Windows One care so it doesn't interfere with fix.
You can leave the firewall part running.

Start Hijackthis
Run system scan and check the following entries if they exist:

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {11978EAF-7B5F-4A3F-A59B-C37C13478D74} - (no file)
O2 - BHO: (no name) - {91C48C25-395F-48FF-A257-626727DA5482} - C:\Program Files\NetMeeting\vixy83122.dll (file missing)
O2 - BHO: (no name) - {e5c3f224-94b7-41d7-99df-dff10d451232} - C:\WINDOWS\system32\rfpydgo.dll (file missing)
O20 - Winlogon Notify: mljge - C:\WINDOWS\system32\mljge.dll (file missing)


Close all open windows except Hijackthis and click "fix checked "
OK it and exit Hijackthis

Reboot

Make sure your antivirus is back up & running.
Please post fresh Hijackthis log.
Please post C:\Combofix.txt (not combofix2.txt)

We'll take care of what Kaspersky reported next round.

Let me know how machine is running.

Thanks

 

"reception" - 2007-07-26 21:32:47 - ComboFix 07-07-23.6 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\reception\Desktop\CFScript.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Temp\0c2
C:\Temp\0c2\tmpFF.log
C:\Temp\brr
C:\Temp\brr\tmpZTF.log
C:\WINDOWS\SYSTEM32\egjlm.bak1
C:\WINDOWS\SYSTEM32\L11
C:\WINDOWS\SYSTEM32\vycdd.bak1


((((((((((((((((((((((((( Files Created from 2007-06-27 to 2007-07-27 )))))))))))))))))))))))))))))))


2007-07-26 09:39 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-25 09:37 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-24 12:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-24 12:39 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-24 10:39 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-07-24 09:50 81,024 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\msfwdrv.sys
2007-07-24 09:50 105,856 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\msfwhlpr.sys
2007-07-24 09:49 67,784 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\MpFilter.sys
2007-07-24 09:48 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2007-07-24 09:28 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2007-07-24 09:28 208,248 --a------ C:\WINDOWS\SYSTEM32\muweb.dll
2007-07-23 17:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-23 17:10 <DIR> d-------- C:\DOCUME~1\RECEPT~1\APPLIC~1\Google
2007-07-23 16:48 <DIR> d-------- C:\Program Files\Google
2007-07-23 16:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-07-23 16:47 626,688 --a------ C:\WINDOWS\SYSTEM32\msvcr80.dll
2007-07-23 16:13 164 --a------ C:\install.dat
2007-07-23 15:54 <DIR> d-------- C:\DOCUME~1\RECEPT~1\APPLIC~1\SpywareRemover
2007-07-23 13:12 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-07-23 12:54 <DIR> d----c--- C:\WINDOWS\SYSTEM32\DRVSTORE
2007-07-23 11:38 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-23 11:16 <DIR> d-------- C:\Temp
2007-07-23 10:39 <DIR> d-------- C:\DOCUME~1\RECEPT~1\APPLIC~1\Yahoo!
2007-07-23 10:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-07-23 10:18 <DIR> d-------- C:\Program Files\Yahoo!
2007-07-20 16:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PopCap
2007-07-09 14:40 <DIR> d-------- C:\DOCUME~1\RECEPT~1\APPLIC~1\AdobeUM


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-23 16:12:59 -------- d-----w C:\Program Files\MUSICMATCH
2007-06-13 17:33:56 -------- d-----w C:\DOCUME~1\RECEPT~1\APPLIC~1\Move Networks
2007-06-12 14:41:11 -------- d-----w C:\Program Files\Dell
2007-06-12 14:39:45 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-04 20:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 20:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 20:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{11978EAF-7B5F-4A3F-A59B-C37C13478D74}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91C48C25-395F-48FF-A257-626727DA5482}]
C:\Program Files\NetMeeting\vixy83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e5c3f224-94b7-41d7-99df-dff10d451232}]
C:\WINDOWS\system32\rfpydgo.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray "= "C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 02:21]
"OneCareUI "= "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [2007-07-10 12:12]
"!AVG Anti-Spyware "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"swg "= "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-07-23 17:11]

C:\Documents and Settings\reception\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 15:36:04]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 15:36:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljge]
C:\WINDOWS\system32\mljge.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\OneCareMP]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\Dell Support\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1137784261\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\HP\HP Software Update\HPWuSchd.exe "

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

R1 MSFWHLPR;MSFWHLPR;C:\WINDOWS\system32\DRIVERS\msfwhlpr.sys
R2 Fax;Fax;C:\WINDOWS\system32\fxssvc.exe
R2 MSFWDrv;MSFWDrv;C:\WINDOWS\system32\DRIVERS\msfwdrv.sys
R2 msfwsvc;OneCare Firewall; "C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe "
R2 NAVAPEL;NAVAPEL;\??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS
R2 OneCareMP;OneCare AntiSpyware and AntiVirus; "C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe "
R3 E100B;Intel(R) PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
R3 MpFilter;Microsoft Malware Protection Driver;C:\WINDOWS\system32\DRIVERS\MpFilter.sys
R3 NAVAP;NAVAP;\??\C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAP.sys
R3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys
S1 P3;Intel PentiumIII Processor Driver;C:\WINDOWS\system32\DRIVERS\p3.sys
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\C:\WINDOWS\system32\drivers\NSDriver.sys
S3 EL90X;3Com EtherLink XL 90X Adapter Driver;C:\WINDOWS\system32\DRIVERS\el90xnd5.sys
S3 EL90XBC;3Com EtherLink XL 90XB/C Adapter Driver;C:\WINDOWS\system32\DRIVERS\el90xbc5.sys
S3 i81x;i81x;C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
S3 iAimFP0;iAimFP0;C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
S3 iAimFP1;iAimFP1;C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
S3 iAimFP2;iAimFP2;C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
S3 iAimFP3;iAimFP3;C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
S3 iAimFP4;iAimFP4;C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
S3 iAimTV0;iAimTV0;C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
S3 iAimTV1;iAimTV1;C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
S3 iAimTV2;iAimTV2;C:\WINDOWS\system32\DRIVERS\wATV03nt.sys
S3 iAimTV3;iAimTV3;C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
S3 iAimTV4;iAimTV4;C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
S3 SQLAgent$MICROSOFTBCM;SQLAgent$MICROSOFTBCM;C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE -i MICROSOFTBCM
S3 StillCam;Still Serial Digital Camera Driver;C:\WINDOWS\system32\DRIVERS\serscan.sys
S3 TnIDriver;TnIDriver;\??\C:\DOCUME~1\RECEPT~1\LOCALS~1\Temp\tni3B.tmp
S4 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys


Contents of the 'Scheduled Tasks' folder
2007-07-26 07:00:00 C:\WINDOWS\tasks\SpywareRemover Scheduled Scan.job
2007-07-27 01:33:47 C:\WINDOWS\tasks\{F897AA24-BDC3-11D1-B85B-00C04FB93981}_dartcapital_reception.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-26 21:38:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-26 21:40:51
C:\ComboFix-quarantined-files.txt ... 2007-07-26 21:40
C:\ComboFix2.txt ... 2007-07-26 10:21

--- E O F ---
------------------------------------------------------------------------
I uninstalled windows live onecare it wasnt working properly. I am going to do the Hijackthis now. Thank you.

 

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:55:36 PM, on 07/27/07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mlsstratus.com/Login.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zuma/sis/popcaploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dartcapital.local
O17 - HKLM\Software\..\Telephony: DomainName = dartcapital.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dartcapital.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dartcapital.local
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DCS Loader (DCSLoader) - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 6216 bytes

 

Hi,

Thanks for those logs.

Few things to clean up and I think we can clean up our tools after your next reply if everything is OK.

Click start> run> type cmd and hit enter.
Type the following command and hit enter:

sc delete TnIDriver

You should get success messege.

Type exit and hit enter to close the CMD window.

Click start> run> type %temp% and hit enter.

Select all> delete all.
It is normal for some not to delete.

Go to Start > Control Panel > Internet Options.

For I.E. 6 - under Temporary Internet files, click on Delete Files...
Check the box to the left of 'Delete all offline content' and then click on OK.

For I.E. 7 - under Browsing History, click delete...
Under Temporary Internet Files, click Delete files...

Empty recycle bin.

Since you uninstalled OneCare... which is fine.
I see you have Symantec installed which should be fine. Not as bloated as the "consumer" version.
Is it running OK?

If looking to get rid of Symantec and need a free AV....
Here are a few choices for antivirus:

Avast:
http://www.avast.com/eng/avast_4_home.html

AVG:
http://free.grisoft.com/doc/1

AntiVir:
http://www.free-av.com/antivirus/allinonen.html

Active Virus Shield:
http://www.activevirusshield.com/antivirus/freeav/index.adp
(uncheck the security toolbar during install)

Active Virus Shield is based on Kaspersky engine which is an awsome AV
AntiVir has a very high detection rate and is easy on resorces.

XP has its own firewall but is not very good for OUTgoing traffic protection.
Outgoing protection is as important as incomming.
If something nasty slips past your antivirus/antispyware then you can usually block it from "calling home" with the firewall reducing the effects of the infection.

Free choices:

Zone Alarm free:
http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp

Outpost free:
http://www.agnitum.com/products/outpostfree/download.php

Comodo free:
http://www.personalfirewall.comodo.com/

Sunbelt kerio:
http://www.sunbelt-software.com/Home-Home-Office/Sunbelt-Personal-Firewall/Download/

Jetico free:
http://www.jetico.com/index.htm#/jpfirewall.htm

Understanding and using firewalls:

http://www.bleepingcomputer.com/tutorials/tutorial60.html

http://forum.malwareremoval.com/viewtopic.php?p=56#56

Zone Alarm is IMO one of the easiest ones to get used to and is easier to understand the prompts if you are not used to firewalls.
Only thing is the free firewalls don't support networks well. Need to go Pro.

Let me know how machine is running.

Thanks

 

Hey Blender I will Have to get back to you on Monday because I am not going to be back to work until then. But I just wanted to say thank you again and have a fantabulous weekend.

 

Hi,

You have a good weekend too.
See you Monday.

 

Ok I did all you said to do except for the last two things. I didn't really want to download anything else because the computer guy that fixes our computer alway request for our firewall to be off so that he can get access to the server. But other than that the computer is running great. The popup totally stopped and it is actually running faster. Oh and another thing I was going to download windows defender again because that is what he had on my computer before but I uninstalled it because I thought that that was the reason for windows live onecare not working. Do you think I should re install it?

 

Hi,

Glad to hear things are running OK.
Shouldn't hurt to re-install Defender.
I would only have one active antispyware running though.
If you want Defender as the acctive one then disable AVG Antispyware guards and disable it from starting with windows.

You can still run manual scans and update manually with AVG.

----------------

Time we clean up the tools we used as well. They are updated too often to keep around and are not good for "general fix" tools.
These include:

Combofix.exe
CFScript
C:\Qoobox
C:\Combofix*.txt (* is number)
C:\Quarentined_files.txt
C:\Windows\Catchme.exe
C:\Windows\nircmd.exe

I don't know what your computer guy will think of Hijackthis being there but you can uninstall it if you wish.
Just go to add/remove programs in control panel to uninstall it.

-----------------------

After a few reboots and checking to see that all is well; it is highly recommended to reset your system restore to remove any possible backed up infected files there.

Right click "my computer "
Click "properties "
Click "system restore" tab
Checkmark "turn off system restore "
Hit apply> ok> ok.

Reboot

Go back and turn system restore back on by removing the check, hit apply, and OK.

A new restore point is created at this time.
You will not be able to restore computer to any earlier than today.

----------------

Couple other programs that would benifet.

:arrow: Spywareblaster <--this prog blocks known bad active x controls, many tracking cookies and puts more sites in restricted zone.
Install> update> enable all protection.
Updates are about once a month and is free.

:arrow: Install an alternative browser for day to day surfing.
These 2 are free and have alot less security issues than IE:

Opera Browser

FireFox Browser

here is some great information from Tony Klein, Texruss, ChrisRLG, TeMerc, Miekiemoes and Grinler to help you stay clean and safe online:
http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I
http://boards.cexx.org/index.php?topic=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
http://temerc.com/hddncounttuts.html
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

If you want to help speed up your system Miekiemoes has some great information here:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

Take care & surf safe

Blender

 

Blender please help me again. I'm having trouble with those annoying popups again. I will go ahead and post that hijackthis log and combofix. Please can you help me. I think the same receptionist I told you about before is going to some kind of explicit sites because she started working here a month and a half ago and this is the second time its happening.