WiredWX Christian Hobby Weather Tools

Random Pop-Ups, Believe I'm Infected With Something

Hi,

So I cannot exactly pinpoint what I have, but every 5 seconds or so a pop-up arises, despite blockers. The pop-ups happen on IE, even though I'm browsing through Firefox, so I'm kinda stumped. Here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:30:14 PM, on 12/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\Common Files\AOL\1152044440\ee\AOLSoftware.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\USB Drive\USB Drive\JmeMon.exe
C:\Program Files\USB Drive\USB Drive\USBTD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark 7300 Series\ezprint.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\lxcicoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Rohit\Desktop\hijackgpthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 85.17.143.79 xtremewrestlingtorrents.net
O1 - Hosts: 85.17.143.79 www.xtremewrestlingtorrents.net
O1 - Hosts: 85.17.143.79 torrent-vision.org
O1 - Hosts: 85.17.143.79 www.torrent-vision.org
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\efcCvuTK.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: {a48823f4-c38c-4f58-20f4-5f415a7274a8} - {8a4727a5-14f5-4f02-85f4-c83c4f32884a} - C:\WINDOWS\system32\jteknf.dll
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: (no name) - {F4BF3F70-972B-4548-A18A-68562969C1F1} - C:\WINDOWS\system32\opnlMffe.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1152044440\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [amd_dc_opt] "C:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [UFD Monitor] C:\Program Files\USB Drive\USB Drive\JmeMon.exe
O4 - HKLM\..\Run: [UFD Utility] C:\Program Files\USB Drive\USB Drive\USBTD.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LXCICATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCItime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcimon.exe] "C:\Program Files\Lexmark 7300 Series\lxcimon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7300 Series\ezprint.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKLM\..\Run: [c8d9f426] rundll32.exe "C:\WINDOWS\system32\yiavpewe.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Simp] C:\Program Files\Secway\SimpLite-MSN 2.2\SimpLite-MSN.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: Download linked FLV with GetFLV - C:\Program Files\GetFLV\iemenu\DownloadLinkFLV.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\J River\Media Center 11\DMDownload.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll jteknf.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: efcCvuTK - C:\WINDOWS\SYSTEM32\efcCvuTK.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxci_device - - C:\WINDOWS\system32\lxcicoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10879 bytes


Thanks for any help.
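As an added example (not part of the original post, and not HijackThis code), here is a small Python triage pass over the O1/O2/O4/O20 lines of a log like the one above. It flags the persistence patterns a helper reads for: "(no name)" or GUID-named BHOs backed by random-named DLLs in system32, unknown DLLs in AppInit_DLLs and Winlogon Notify, and a rundll32 Run entry that calls a one-letter export. The KNOWN_DLLS allow-list is an assumption for this example; the sample lines are copied from the log.

```python
"""Triage of HijackThis (v2.0.x) log lines for common persistence red flags.
Added example: not part of the original post and not HijackThis code.
KNOWN_DLLS is an assumed allow-list for this example only."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Sample lines copied from the HijackThis log posted above (abbreviated).
SAMPLE_LOG = r"""
O1 - Hosts: 85.17.143.79 xtremewrestlingtorrents.net
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\efcCvuTK.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: {a48823f4-c38c-4f58-20f4-5f415a7274a8} - {8a4727a5-14f5-4f02-85f4-c83c4f32884a} - C:\WINDOWS\system32\jteknf.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [c8d9f426] rundll32.exe "C:\WINDOWS\system32\yiavpewe.dll",b
O20 - AppInit_DLLs: avgrsstx.dll jteknf.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: efcCvuTK - C:\WINDOWS\SYSTEM32\efcCvuTK.dll
"""

# Assumed allow-list (example only): security-product DLLs the thread treats as legitimate.
KNOWN_DLLS = {"avgrsstx.dll", "saswinlo.dll", "ssv.dll", "jp2ssv.dll"}

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]{36}\} - (?P<path>.+)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?,(?P<export>\w+)', re.I)
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section tag (O1, O2, O4, O20)
    reason: str
    target: str   # lower-cased file name, or the hosts entry itself


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].strip('"').lower()


def _in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per log line that matches a persistence red flag."""
    findings: list[Finding] = []
    for line in (l.strip() for l in log_text.splitlines()):
        if line.startswith("O1 - Hosts:"):
            # Any hosts override deserves a look: it is how name resolution gets pinned.
            findings.append(Finding("O1", "hosts-file override (review)", line.split(":", 1)[1].strip()))
        elif (m := BHO_RE.match(line)):
            base = _basename(m["path"])
            nameless = m["name"] == "(no name)" or GUID_RE.match(m["name"]) is not None
            if base not in KNOWN_DLLS and (nameless or _in_system32(m["path"])):
                findings.append(Finding("O2", "nameless/unknown BHO in system32", base))
        elif line.startswith("O4 -") and (m := RUNDLL_RE.search(line)):
            base = _basename(m["dll"])
            # Legitimate rundll32 entries name a real export (NvStartup, _RunDLLEntry@16);
            # a one- or two-letter export on an unknown system32 DLL is the pattern here.
            if _in_system32(m["dll"]) and len(m["export"]) <= 2 and base not in KNOWN_DLLS:
                findings.append(Finding("O4", f"rundll32 autostart via export '{m['export']}'", base))
        elif line.startswith("O20 - AppInit_DLLs:"):
            for dll in line.split(":", 1)[1].split():
                if dll.lower() not in KNOWN_DLLS:
                    findings.append(Finding("O20", "unknown DLL loaded via AppInit_DLLs", dll.lower()))
        elif (m := NOTIFY_RE.match(line)):
            base = _basename(m["path"])
            if base not in KNOWN_DLLS:
                findings.append(Finding("O20", "unknown Winlogon Notify package", base))
    return findings


def suspicious_files(findings: list[Finding]) -> list[str]:
    """Distinct DLL names implicated, for cross-checking against a removal tool's log."""
    return sorted({f.target for f in findings if f.target.endswith(".dll")})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.reason:<42}{f.target}")
```

On the sample it names efcCvuTK.dll, jteknf.dll and yiavpewe.dll while passing the Java, AVG, SUPERAntiSpyware and NVIDIA entries; all three named DLLs show up later in the thread, either in ComboFix's deletions or in the CFScript.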

Re: Random Pop-Ups, Believe I'm Infected With Something


  • Download combofix from here, use the top links - combofix.exe
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    (screenshot: Rcauto10)

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

    (screenshot: Whatne10)

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Re: Random Pop-Ups, Believe I'm Infected With Something

Hi,

The ComboFix log is really long for some reason; I guess it's because I updated the system during the check, between the last time I ran ComboFix and now.

Here is the log minus the "((((((((((((((((((((((((((((( snapshot@2008-12-06_19.07.02.53 )))))))))))))))))))))))))))))))))))))))))" part. If you require this, I can post it within 4-5 posts afterwards.

ComboFix 08-12-20.05 - Rohit 2008-12-21 12:37:34.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1316 [GMT -5:00]
Running from: c:\documents and settings\Rohit\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Rohit\Application Data\Google\T-Scan
c:\documents and settings\Rohit\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\effMlnpo.ini
c:\windows\system32\effMlnpo.ini2
c:\windows\system32\ewepvaiy.ini
c:\windows\system32\jteknf.dll
c:\windows\system32\opnlMffe.dll
c:\windows\system32\wxrfhmqx.dll
c:\windows\system32\yiavpewe.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-21 to 2008-12-21 )))))))))))))))))))))))))))))))
.

2008-12-20 20:13 . 2008-12-20 20:13 57,856 --a------ c:\windows\system32\opnopNdE.dll
2008-12-20 20:04 . 2008-12-20 20:04 57,856 --a------ c:\windows\system32\efcCvuTK.dll
2008-12-20 20:04 . 2008-12-20 20:05 45,056 --a------ c:\windows\system32\tuvTmJAT.dll
2008-12-20 17:10 . 2008-12-20 17:10 d-------- c:\windows\system32\scripting
2008-12-20 17:10 . 2008-12-20 17:10 d-------- c:\windows\system32\en
2008-12-20 17:10 . 2008-12-20 17:10 d-------- c:\windows\system32\bits
2008-12-20 17:10 . 2008-12-20 17:10 d-------- c:\windows\l2schemas
2008-12-20 17:07 . 2008-12-20 17:07 d-------- c:\windows\ServicePackFiles
2008-12-20 16:08 . 2008-10-16 15:38 6,066,176 --a--c--- c:\windows\system32\dllcache\ieframe.dll
2008-12-20 16:08 . 2007-04-17 04:32 2,455,488 --a--c--- c:\windows\system32\dllcache\ieapfltr.dat
2008-12-20 16:08 . 2007-03-08 00:10 991,232 --a--c--- c:\windows\system32\dllcache\ieframe.dll.mui
2008-12-20 16:08 . 2008-10-16 15:38 459,264 --a--c--- c:\windows\system32\dllcache\msfeeds.dll
2008-12-20 16:08 . 2008-10-16 15:38 383,488 --a--c--- c:\windows\system32\dllcache\ieapfltr.dll
2008-12-20 16:08 . 2008-10-16 15:38 267,776 --a--c--- c:\windows\system32\dllcache\iertutil.dll
2008-12-20 16:08 . 2008-10-16 15:38 63,488 --a--c--- c:\windows\system32\dllcache\icardie.dll
2008-12-20 16:08 . 2008-10-16 15:38 52,224 --a--c--- c:\windows\system32\dllcache\msfeedsbs.dll
2008-12-20 16:08 . 2008-10-16 08:11 13,824 --a--c--- c:\windows\system32\dllcache\ieudinit.exe
2008-12-20 16:03 . 2007-08-13 18:54 33,792 --a--c--- c:\windows\system32\dllcache\custsat.dll
2008-12-06 19:38 . 2008-12-06 19:34 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-06 19:37 . 2008-12-06 19:33 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-06 18:38 . 2008-12-06 18:38 d-------- c:\program files\Trend Micro
2008-12-06 17:02 . 2008-12-06 17:02 d-------- c:\program files\SUPERAntiSpyware
2008-12-06 17:02 . 2008-12-06 17:02 d-------- c:\documents and settings\Rohit\Application Data\SUPERAntiSpyware.com
2008-12-06 17:02 . 2008-12-06 17:02 d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-06 16:21 . 2008-12-06 16:22 d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-06 16:02 . 2008-12-06 16:02 d-------- c:\program files\Windows Defender
2008-12-06 15:09 . 2008-12-21 12:18 d--h----- C:\$AVG8.VAULT$
2008-12-06 14:58 . 2008-12-21 12:17 d-------- c:\windows\system32\drivers\Avg
2008-12-06 14:58 . 2008-12-06 14:58 d-------- c:\program files\AVG
2008-12-06 14:58 . 2008-12-06 14:58 d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-06 14:58 . 2008-12-06 14:58 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-06 14:58 . 2008-12-06 14:58 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-06 12:30 . 2008-12-06 14:52 d-------- c:\program files\Enigma Software Group
2008-12-06 01:22 . 2008-12-06 01:26 d--h----- c:\documents and settings\Rohit\Application Data\Kaspersky_Key_Finder_(KKF
2008-12-06 00:46 . 2008-12-06 00:46 78,415 --a------ c:\windows\system32\drivers\klif.cab
2008-12-06 00:45 . 2008-12-06 00:45 d-------- c:\program files\Common Files\Download Manager
2008-12-06 00:45 . 2008-12-06 00:45 d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-12-06 00:34 . 2008-02-07 17:10 d--h----- C:\ckis
2008-12-06 00:23 . 2008-12-06 00:23 1,140,736 --a------ C:\MAJ.zip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-21 16:03 --------- d-----w c:\program files\Lx_cats
2008-12-20 20:53 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-12-18 03:34 --------- d-----w c:\documents and settings\Rohit\Application Data\uTorrent
2008-12-11 08:16 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-07 00:40 --------- d-----w c:\program files\Java
2008-12-06 22:02 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-06 21:41 --------- d-----w c:\documents and settings\Rohit\Application Data\U3
2008-12-06 21:22 --------- d--h--w c:\documents and settings\Rohit\Application Data\Lavasoft
2008-12-06 21:22 --------- d-----w c:\program files\Lavasoft
2008-12-06 06:38 --------- d-----w c:\program files\Kaspersky Lab
2008-11-29 01:06 --------- d-----w c:\program files\mIRC
2008-11-28 05:30 --------- d-----w c:\program files\FlashFXP
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-08-17 23:52 47,360 ---ha-w c:\documents and settings\Rohit\Application Data\pcouffin.sys
2006-09-10 15:52 81,920 ---ha-w c:\documents and settings\Rohit\Application Data\ezpinst.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
2008-12-20 20:04 57856 --a------ c:\windows\system32\efcCvuTK.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F1006D49-ED82-49C4-888C-E3B1AEA0C7EF}]
2008-12-21 12:53 292352 --a------ c:\windows\system32\efcBqnnN.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-08 94208]
"Aim6"="c:\program files\AIM6\aim6.exe" [2007-10-04 50528]
"Simp"="c:\program files\Secway\SimpLite-MSN 2.2\SimpLite-MSN.exe" [2006-07-19 1966080]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-11-17 1805552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-09 139264]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-09-18 86016]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"HostManager"="c:\program files\Common Files\AOL\1152044440\ee\AOLSoftware.exe" [2006-05-09 50760]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"amd_dc_opt"="c:\program files\AMD\amd_dc_opt\amd_dc_opt.exe" [2006-06-28 106496]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"UFD Monitor"="c:\program files\USB Drive\USB Drive\JmeMon.exe" [2002-11-27 45056]
"UFD Utility"="c:\program files\USB Drive\USB Drive\USBTD.exe" [2003-04-15 421888]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 57344]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-12-11 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"LXCICATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCItime.dll" [2005-09-08 73728]
"lxcimon.exe"="c:\program files\Lexmark 7300 Series\lxcimon.exe" [2005-09-30 200704]
"EzPrint"="c:\program files\Lexmark 7300 Series\ezprint.exe" [2005-08-01 94208]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-06 1261336]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-06 136600]
"c8d9f426"="c:\windows\system32\iyiaajow.dll" [2008-12-21 95744]
"SoundMan"="SOUNDMAN.EXE" [2005-09-26 c:\windows\soundman.exe]
"nwiz"="nwiz.exe" [2005-09-18 c:\windows\system32\nwiz.exe]
"WD Button Manager"="WDBtnMgr.exe" [2006-07-04 c:\windows\system32\WDBtnMgr.exe]

Re: Random Pop-Ups, Believe I'm Infected With Something

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

c:\documents and settings\Rakesh Mehta\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\Rohit\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]
palmOne Registration.lnk - c:\program files\palmOne\register.exe [2007-07-02 2367488]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= "c:\windows\system32\efcCvuTK.dll" [2008-12-20 57856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 15:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcCvuTK]
2008-12-20 20:04 57856 c:\windows\system32\efcCvuTK.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll jteknf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
"VIDC.HFYU"= huffyuv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\efcBqnnN

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\AOL\\1152044440\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1152044440\\ee\\aim6.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Secway\\SimpLite-MSN 2.2\\SimpLite-MSN.exe"=
"c:\\Program Files\\ASCII Art Studio\\AsciiArtStudio.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Documents and Settings\\Rohit\\Desktop\\RatioMaster\\RatioMaster.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\SSL_WRAPPER\\wrap.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\Rohit\\Desktop\\PRE\\preutil.exe"=
"c:\\Documents and Settings\\Rohit\\Application Data\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\lxcicoms.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"113:TCP"= 113:TCP:mirc
"113:UDP"= 113:UDP:mirc
"13:TCP"= 13:TCP:port13
"13:UDP"= 13:UDP:port13
"50573:TCP"= 50573:TCP:Utor port1
"50573:UDP"= 50573:UDP:utor2

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-06 97928]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-11-17 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-11-17 55024]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-06 231704]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-10-19 24652]
R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
R3 AmdTools;AMD Special Tools Driver;c:\windows\system32\DRIVERS\AmdTools.sys [2006-07-24 31744]
R3 lxci_device;lxci_device;c:\windows\system32\lxcicoms.exe -service []
S3 AlcrFilt;Alcor Micro Corp;\??\c:\windows\System32\Drivers\AlcrFilt.sys [2003-02-24 22860]
S3 gbalink;GBA Link Driver (gbalink.sys);c:\windows\system32\Drivers\gbalink.sys [2007-01-06 19677]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5f9f0704-bc9b-11dd-9735-0015583f463a}]
\Shell\AutoRun\command - D:\Autorun.exe /run
\Shell\Shell00\Command - D:\Autorun.exe /run
\Shell\Shell01\Command - D:\Autorun.exe /action
\Shell\Shell02\Command - D:\Autorun.exe /uninstall
.
Contents of the 'Scheduled Tasks' folder

2008-12-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2008-12-21 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2008-12-21 c:\windows\Tasks\viohldom.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{8a4727a5-14f5-4f02-85f4-c83c4f32884a} - c:\windows\system32\jteknf.dll
BHO-{F4BF3F70-972B-4548-A18A-68562969C1F1} - c:\windows\system32\opnlMffe.dll
HKCU-Run-prunnet - c:\windows\system32\prunnet.exe
HKLM-Run-prunnet - c:\windows\system32\prunnet.exe


.
------- Supplementary Scan -------
.
uStart Page = www.google.com
uInternet Settings,ProxyOverride = *.local
IE: Download linked FLV with GetFLV - c:\program files\GetFLV\iemenu\DownloadLinkFLV.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Save with Download Manager... - file://c:\program files\J River\Media Center 11\DMDownload.htm
FF - ProfilePath - c:\documents and settings\Rohit\Application Data\Mozilla\Firefox\Profiles\7qdh1rpk.default\
FF - prefs.js: browser.search.selectedEngine - Smogon
FF - prefs.js: browser.startup.homepage - hxxp://www.gamefaqs.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-21 12:45:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCICATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCItime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(788)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\efcCvuTK.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\progra~1\Dantz\RETROS~1\wdsvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\lxcicoms.exe
c:\program files\BigFix\bigfix.exe
c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
c:\program files\Common Files\AOL\Loader\aolload.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2008-12-21 12:58:15 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-21 17:58:06
ComboFix2.txt 2008-12-07 00:08:51

Pre-Run: 50,700,029,952 bytes free
Post-Run: 50,732,314,624 bytes free

5687 --- E O F --- 2008-12-21 00:03:02

Re: Random Pop-Ups, Believe I'm Infected With Something

Hello.

I see you have Viewpoint Manager installed. This is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". Read this article: http://www.clickz.com/news/article.php/3561546

Additional info: http://vil.nai.com/vil/content/v_137262.htm

I suggest you remove the program now.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
  • Viewpoint Toolbar



Now open a new Notepad file.
Input this into the Notepad file:

KILLALL::

Driver::
Viewpoint Manager Service

File::
c:\windows\system32\opnopNdE.dll
c:\windows\system32\efcCvuTK.dll
c:\windows\system32\tuvTmJAT.dll
c:\windows\system32\efcBqnnN.dll
c:\windows\system32\iyiaajow.dll
c:\windows\Tasks\viohldom.job

Folder::
c:\program files\Viewpoint

DirLook::
C:\ckis

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F1006D49-ED82-49C4-888C-E3B1AEA0C7EF}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c8d9f426"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcCvuTK]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages2"="msv1_0"
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5f9f0704-bc9b-11dd-9735-0015583f463a}]


Save this as CFScript.txt, and save it to your desktop.
Then drag and drop CFScript.txt into combofix as seen below:
[screenshot: CFScript.txt being dragged onto ComboFix.exe]

This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.

Re: Random Pop-Ups, Believe I'm Infected With Something

Hi,

Here's the resulting log:

ComboFix 08-12-20.05 - Rohit 2008-12-21 18:44:01.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1179 [GMT -5:00]
Running from: c:\documents and settings\Rohit\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Rohit\Desktop\CFscript.txt
* Created a new restore point

FILE ::
c:\windows\system32\efcBqnnN.dll
c:\windows\system32\efcCvuTK.dll
c:\windows\system32\iyiaajow.dll
c:\windows\system32\opnopNdE.dll
c:\windows\system32\tuvTmJAT.dll
c:\windows\Tasks\viohldom.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\dpvrwknq.dll
c:\windows\system32\efcBqnnN.dll
c:\windows\system32\efcCvuTK.dll
c:\windows\system32\gilrhh.dll
c:\windows\system32\iyiaajow.dll
c:\windows\system32\NnnqBcfe.ini
c:\windows\system32\NnnqBcfe.ini2
c:\windows\system32\onesopuj.ini
c:\windows\system32\opnopNdE.dll
c:\windows\system32\toronitu.dll
c:\windows\system32\tuvTmJAT.dll
c:\windows\system32\wojaaiyi.ini
c:\windows\Tasks\viohldom.job

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((( Files Created from 2008-11-21 to 2008-12-21 )))))))))))))))))))))))))))))))
.

2008-12-20 17:10 . 2008-12-20 17:10 d-------- c:\windows\system32\scripting
2008-12-20 17:10 . 2008-12-20 17:10 d-------- c:\windows\system32\en
2008-12-20 17:10 . 2008-12-20 17:10 d-------- c:\windows\system32\bits
2008-12-20 17:10 . 2008-12-20 17:10 d-------- c:\windows\l2schemas
2008-12-20 17:07 . 2008-12-20 17:07 d-------- c:\windows\ServicePackFiles
2008-12-20 16:08 . 2008-10-16 15:38 6,066,176 --a--c--- c:\windows\system32\dllcache\ieframe.dll
2008-12-20 16:08 . 2007-04-17 04:32 2,455,488 --a--c--- c:\windows\system32\dllcache\ieapfltr.dat
2008-12-20 16:08 . 2007-03-08 00:10 991,232 --a--c--- c:\windows\system32\dllcache\ieframe.dll.mui
2008-12-20 16:08 . 2008-10-16 15:38 459,264 --a--c--- c:\windows\system32\dllcache\msfeeds.dll
2008-12-20 16:08 . 2008-10-16 15:38 383,488 --a--c--- c:\windows\system32\dllcache\ieapfltr.dll
2008-12-20 16:08 . 2008-10-16 15:38 267,776 --a--c--- c:\windows\system32\dllcache\iertutil.dll
2008-12-20 16:08 . 2008-10-16 15:38 63,488 --a--c--- c:\windows\system32\dllcache\icardie.dll
2008-12-20 16:08 . 2008-10-16 15:38 52,224 --a--c--- c:\windows\system32\dllcache\msfeedsbs.dll
2008-12-20 16:08 . 2008-10-16 08:11 13,824 --a--c--- c:\windows\system32\dllcache\ieudinit.exe
2008-12-20 16:03 . 2007-08-13 18:54 33,792 --a--c--- c:\windows\system32\dllcache\custsat.dll
2008-12-06 19:38 . 2008-12-06 19:34 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-06 19:37 . 2008-12-06 19:33 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-06 18:38 . 2008-12-06 18:38 d-------- c:\program files\Trend Micro
2008-12-06 17:02 . 2008-12-06 17:02 d-------- c:\program files\SUPERAntiSpyware
2008-12-06 17:02 . 2008-12-06 17:02 d-------- c:\documents and settings\Rohit\Application Data\SUPERAntiSpyware.com
2008-12-06 17:02 . 2008-12-06 17:02 d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-06 16:21 . 2008-12-06 16:22 d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-06 16:02 . 2008-12-06 16:02 d-------- c:\program files\Windows Defender
2008-12-06 15:09 . 2008-12-21 18:28 d--h----- C:\$AVG8.VAULT$
2008-12-06 14:58 . 2008-12-21 12:17 d-------- c:\windows\system32\drivers\Avg
2008-12-06 14:58 . 2008-12-06 14:58 d-------- c:\program files\AVG
2008-12-06 14:58 . 2008-12-06 14:58 d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-06 14:58 . 2008-12-06 14:58 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-06 14:58 . 2008-12-06 14:58 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-06 12:30 . 2008-12-06 14:52 d-------- c:\program files\Enigma Software Group
2008-12-06 01:22 . 2008-12-06 01:26 d--h----- c:\documents and settings\Rohit\Application Data\Kaspersky_Key_Finder_(KKF
2008-12-06 00:46 . 2008-12-06 00:46 78,415 --a------ c:\windows\system32\drivers\klif.cab
2008-12-06 00:45 . 2008-12-06 00:45 d-------- c:\program files\Common Files\Download Manager
2008-12-06 00:45 . 2008-12-06 00:45 d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-12-06 00:34 . 2008-02-07 17:10 d--h----- C:\ckis
2008-12-06 00:23 . 2008-12-06 00:23 1,140,736 --a------ C:\MAJ.zip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-21 23:32 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-12-21 16:03 --------- d-----w c:\program files\Lx_cats
2008-12-20 20:53 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-12-18 03:34 --------- d-----w c:\documents and settings\Rohit\Application Data\uTorrent
2008-12-11 08:16 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-07 00:40 --------- d-----w c:\program files\Java
2008-12-06 22:02 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-06 21:41 --------- d-----w c:\documents and settings\Rohit\Application Data\U3
2008-12-06 21:22 --------- d--h--w c:\documents and settings\Rohit\Application Data\Lavasoft
2008-12-06 21:22 --------- d-----w c:\program files\Lavasoft
2008-12-06 06:38 --------- d-----w c:\program files\Kaspersky Lab
2008-11-29 01:06 --------- d-----w c:\program files\mIRC
2008-11-28 05:30 --------- d-----w c:\program files\FlashFXP
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-08-17 23:52 47,360 ---ha-w c:\documents and settings\Rohit\Application Data\pcouffin.sys
2006-09-10 15:52 81,920 ---ha-w c:\documents and settings\Rohit\Application Data\ezpinst.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\ckis ----

2006-05-14 01:02 112504 -rah----- c:\ckis\crack.lst


((((((((((((((((((((((((((((( snapshot_2008-12-21_12.56.39.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-20 23:00:25 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-21 18:00:34 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-20 23:00:25 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-21 18:00:34 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-21 18:00:34 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-09-21 18:07:01 62,696 --sha-w c:\windows\system32\dimoburi.dll
+ 2008-12-21 18:06:58 85,176 --sha-w c:\windows\system32\juposeno.dll
+ 2008-12-21 18:06:58 62,696 --sha-w c:\windows\system32\kotafeka.dll
+ 2008-09-21 18:07:01 62,696 --sha-w c:\windows\system32\malaruwo.dll
+ 2008-12-21 23:50:00 16,384 ----atw c:\windows\temp\Perflib_Perfdata_79c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{813c1807-c167-4863-8ec9-51b590509091}]
2008-09-21 13:07 62696 --ahs---- c:\windows\system32\malaruwo.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-08 94208]
"Aim6"="c:\program files\AIM6\aim6.exe" [2007-10-04 50528]
"Simp"="c:\program files\Secway\SimpLite-MSN 2.2\SimpLite-MSN.exe" [2006-07-19 1966080]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-11-17 1805552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-09 139264]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-09-18 86016]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"HostManager"="c:\program files\Common Files\AOL\1152044440\ee\AOLSoftware.exe" [2006-05-09 50760]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"amd_dc_opt"="c:\program files\AMD\amd_dc_opt\amd_dc_opt.exe" [2006-06-28 106496]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"UFD Monitor"="c:\program files\USB Drive\USB Drive\JmeMon.exe" [2002-11-27 45056]
"UFD Utility"="c:\program files\USB Drive\USB Drive\USBTD.exe" [2003-04-15 421888]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 57344]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-12-11 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"LXCICATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCItime.dll" [2005-09-08 73728]
"lxcimon.exe"="c:\program files\Lexmark 7300 Series\lxcimon.exe" [2005-09-30 200704]
"EzPrint"="c:\program files\Lexmark 7300 Series\ezprint.exe" [2005-08-01 94208]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-06 1261336]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-06 136600]
"gusiyafize"="c:\windows\system32\dimoburi.dll" [2008-09-21 62696]
"SoundMan"="SOUNDMAN.EXE" [2005-09-26 c:\windows\soundman.exe]
"nwiz"="nwiz.exe" [2005-09-18 c:\windows\system32\nwiz.exe]
"WD Button Manager"="WDBtnMgr.exe" [2006-07-04 c:\windows\system32\WDBtnMgr.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

c:\documents and settings\Rakesh Mehta\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\Rohit\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]
palmOne Registration.lnk - c:\program files\palmOne\register.exe [2007-07-02 2367488]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 15:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
"VIDC.HFYU"= huffyuv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\windows\system32\toronitu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\AOL\\1152044440\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1152044440\\ee\\aim6.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Secway\\SimpLite-MSN 2.2\\SimpLite-MSN.exe"=
"c:\\Program Files\\ASCII Art Studio\\AsciiArtStudio.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Documents and Settings\\Rohit\\Desktop\\RatioMaster\\RatioMaster.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\SSL_WRAPPER\\wrap.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\Rohit\\Desktop\\PRE\\preutil.exe"=
"c:\\Documents and Settings\\Rohit\\Application Data\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\lxcicoms.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\explorer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"113:TCP"= 113:TCP:mirc
"113:UDP"= 113:UDP:mirc
"13:TCP"= 13:TCP:port13
"13:UDP"= 13:UDP:port13
"50573:TCP"= 50573:TCP:Utor port1
"50573:UDP"= 50573:UDP:utor2

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-06 97928]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-11-17 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-11-17 55024]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-06 231704]
R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
R3 AmdTools;AMD Special Tools Driver;c:\windows\system32\DRIVERS\AmdTools.sys [2006-07-24 31744]
R3 lxci_device;lxci_device;c:\windows\system32\lxcicoms.exe -service []
R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408]
S3 AlcrFilt;Alcor Micro Corp;\??\c:\windows\System32\Drivers\AlcrFilt.sys [2003-02-24 22860]
S3 gbalink;GBA Link Driver (gbalink.sys);c:\windows\system32\Drivers\gbalink.sys [2007-01-06 19677]
.
Contents of the 'Scheduled Tasks' folder

2008-12-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2008-12-21 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{8CFA46FB-AB62-4428-99ED-3D367CBBEE40} - c:\windows\system32\efcBqnnN.dll
BHO-{c55956c5-7898-41cc-a009-b3f636a027cd} - c:\windows\system32\gilrhh.dll


.
------- Supplementary Scan -------
.
uStart Page = www.google.com
uInternet Settings,ProxyOverride = *.local
IE: Download linked FLV with GetFLV - c:\program files\GetFLV\iemenu\DownloadLinkFLV.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Save with Download Manager... - file://c:\program files\J River\Media Center 11\DMDownload.htm
FF - ProfilePath - c:\documents and settings\Rohit\Application Data\Mozilla\Firefox\Profiles\7qdh1rpk.default\
FF - prefs.js: browser.search.selectedEngine - Smogon
FF - prefs.js: browser.startup.homepage - hxxp://www.gamefaqs.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-21 18:51:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCICATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCItime.dll,_RunDLLEntry@16

scanning hidden files ...


c:\windows\KB951978.log 2454 bytes
c:\windows\LastGood

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\progra~1\Dantz\RETROS~1\wdsvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\lxcicoms.exe
c:\program files\BigFix\bigfix.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
.
**************************************************************************
.
Completion time: 2008-12-21 19:01:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-22 00:00:59
ComboFix2.txt 2008-12-07 00:08:51

Pre-Run: 50,696,773,632 bytes free
Post-Run: 50,661,470,208 bytes free

293 --- E O F --- 2008-12-21 00:03:02

Re: Random Pop-Ups, Believe I'm Infected With Something

Darn it, some of the Vundo regenerated.

Now open a new notepad file.
Input this into the notepad file:

Driver::
lxci_device

File::
c:\windows\system32\malaruwo.dll
c:\windows\system32\kotafeka.dll
c:\windows\system32\dimoburi.dll
c:\windows\system32\juposeno.dll
c:\windows\system32\toronitu.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{813c1807-c167-4863-8ec9-51b590509091}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gusiyafize"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"="scecli"


Save this as CFScript.txt, and save it to your desktop.
Then drag and drop CFScript.txt into combofix as seen below:
[screenshot: CFScript.txt being dragged onto ComboFix.exe]

This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.
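Both CFScripts in this thread were written by reading the ComboFix log for the same Vundo pattern: random 8-letter DLLs in system32 with hidden+system attributes, hooked into the BHO, Run and LSA "Notification Packages" load points. The triage helper below is an added example, not code from the thread or from ComboFix; the sample log lines are constructed from entries quoted above, and the list of sensitive keys, the 8-letter name heuristic and the indicator scoring are my own assumptions, not anything ComboFix itself does.

```python
"""Triage ComboFix log lines for the Vundo persistence pattern seen in this thread:
random 8-letter DLLs in system32, hidden+system attributes, hooked into BHO, Run
and LSA 'Notification Packages' load points. Added example; heuristics are my own."""
import re
from collections import defaultdict

# Constructed sample: a handful of lines modelled on the logs quoted in the thread.
SAMPLE_LOG = r"""
(((((((((( snapshot_2008-12-21_12.56.39.89 ))))))))))
.
+ 2008-09-21 18:07:01 62,696 --sha-w c:\windows\system32\dimoburi.dll
+ 2008-12-21 18:06:58 85,176 --sha-w c:\windows\system32\juposeno.dll
+ 2008-09-21 18:07:01 62,696 --sha-w c:\windows\system32\malaruwo.dll
+ 2008-12-21 23:50:00 16,384 ----atw c:\windows\temp\Perflib_Perfdata_79c.dat
.
(((((((((( Reg Loading Points ))))))))))
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{813c1807-c167-4863-8ec9-51b590509091}]
2008-09-21 13:07 62696 --ahs---- c:\windows\system32\malaruwo.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"gusiyafize"="c:\windows\system32\dimoburi.dll" [2008-09-21 62696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-06 136600]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\windows\system32\toronitu.dll
"""

# Load points abused in this thread (assumed list); any third-party DLL here deserves a look.
SENSITIVE_KEYS = ("browser helper objects", "control\\lsa", "shellexecutehooks",
                  "winlogon\\notify", "sharedtaskscheduler", "shellserviceobjectdelayload")
RANDOM_DLL = re.compile(r"^[a-z]{8}\.dll$", re.I)   # malaruwo.dll, efcCvuTK.dll, ...
# "+ 2008-12-21 18:06:58 85,176 --sha-w c:\..." (snapshot) or "2008-09-21 13:07 62696 --ahs---- c:\..." (BHO)
FILE_LINE = re.compile(r"^[+-]?\s*\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?\s+[\d,]+\s+(\S+)\s+(.+)$")
VALUE_LINE = re.compile(r'^"([^"]+)"="([^"]+)"')     # "name"="data" [date size]
DLL_IN_TEXT = re.compile(r'[a-z]:\\[^"\[\]]+?\.dll\b', re.I)


def parse(log):
    """Return (attrs by lowercase path, {dll path: [(registry key, value name)]})."""
    attrs = {}
    load_points = defaultdict(list)
    key = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith("(") or line.endswith("\\"):   # section banner or startup folder: no key in scope
            key = None
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = FILE_LINE.match(line)
        if m:
            path = m.group(2).lower()
            attrs[path] = m.group(1)
            if key is not None:             # a dated file line under a key is loaded by that key
                load_points[path].append((key, None))
            continue
        if key is None:
            continue
        m = VALUE_LINE.match(line)
        if m:
            for path in DLL_IN_TEXT.findall(m.group(2)):
                load_points[path.lower()].append((key, m.group(1)))
        else:                               # e.g. Notification Packages REG_MULTI_SZ scecli c:\...\x.dll
            for path in DLL_IN_TEXT.findall(line):
                load_points[path.lower()].append((key, line.split(" REG_")[0]))
    return attrs, load_points


def triage(log):
    """Map each suspicious DLL path to the list of indicators that fired for it."""
    attrs, load_points = parse(log)
    findings = {}
    for path in sorted(set(attrs) | set(load_points)):
        if not path.endswith(".dll"):
            continue
        reasons = []
        a = attrs.get(path, "")
        if "h" in a and "s" in a:
            reasons.append("hidden+system attributes (%s)" % a)
        if "\\system32\\" in path and RANDOM_DLL.match(path.rsplit("\\", 1)[-1]):
            reasons.append("8-letter random-looking name in system32")
        for key, value in load_points.get(path, []):
            k = key.lower()
            if any(s in k for s in SENSITIVE_KEYS):
                reasons.append("loaded via %s" % key)
            elif k.endswith("\\run") and value:
                reasons.append("Run value %r launches a DLL rather than an EXE" % value)
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path, "->", "; ".join(reasons))
```

Run against a full log, the output is the candidate list for the File:: and Registry:: sections of a CFScript; a DLL that shows up only with the name indicator still needs a second look before it goes on the list.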

Re: Random Pop-Ups, Believe I'm Infected With Something

Hi,

Sorry about the late post; something came up last night. I ran the fix you suggested; here is the log.

ComboFix 08-12-20.05 - Rohit 2008-12-22 15:54:43.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1231 [GMT -5:00]
Running from: c:\documents and settings\Rohit\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Rohit\Desktop\CFscript.txt
* Created a new restore point

FILE ::
c:\windows\system32\dimoburi.dll
c:\windows\system32\juposeno.dll
c:\windows\system32\kotafeka.dll
c:\windows\system32\malaruwo.dll
c:\windows\system32\toronitu.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\avobahub.ini
c:\windows\system32\dimoburi.dll
c:\windows\system32\juposeno.dll
c:\windows\system32\kotafeka.dll
c:\windows\system32\malaruwo.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LXCI_DEVICE
-------\Service_lxci_device


((((((((((((((((((((((((( Files Created from 2008-11-22 to 2008-12-22 )))))))))))))))))))))))))))))))
.

2008-12-20 17:10 . 2008-12-20 17:10 d-------- c:\windows\system32\scripting
2008-12-20 17:10 . 2008-12-20 17:10 d-------- c:\windows\system32\en
2008-12-20 17:10 . 2008-12-20 17:10 d-------- c:\windows\system32\bits
2008-12-20 17:10 . 2008-12-20 17:10 d-------- c:\windows\l2schemas
2008-12-20 17:07 . 2008-12-20 17:07 d-------- c:\windows\ServicePackFiles
2008-12-20 16:08 . 2008-10-16 15:38 6,066,176 --a--c--- c:\windows\system32\dllcache\ieframe.dll
2008-12-20 16:08 . 2007-04-17 04:32 2,455,488 --a--c--- c:\windows\system32\dllcache\ieapfltr.dat
2008-12-20 16:08 . 2007-03-08 00:10 991,232 --a--c--- c:\windows\system32\dllcache\ieframe.dll.mui
2008-12-20 16:08 . 2008-10-16 15:38 459,264 --a--c--- c:\windows\system32\dllcache\msfeeds.dll
2008-12-20 16:08 . 2008-10-16 15:38 383,488 --a--c--- c:\windows\system32\dllcache\ieapfltr.dll
2008-12-20 16:08 . 2008-10-16 15:38 267,776 --a--c--- c:\windows\system32\dllcache\iertutil.dll
2008-12-20 16:08 . 2008-10-16 15:38 63,488 --a--c--- c:\windows\system32\dllcache\icardie.dll
2008-12-20 16:08 . 2008-10-16 15:38 52,224 --a--c--- c:\windows\system32\dllcache\msfeedsbs.dll
2008-12-20 16:08 . 2008-10-16 08:11 13,824 --a--c--- c:\windows\system32\dllcache\ieudinit.exe
2008-12-20 16:03 . 2007-08-13 18:54 33,792 --a--c--- c:\windows\system32\dllcache\custsat.dll
2008-12-06 19:38 . 2008-12-06 19:34 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-06 19:37 . 2008-12-06 19:33 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-06 18:38 . 2008-12-06 18:38 d-------- c:\program files\Trend Micro
2008-12-06 17:02 . 2008-12-06 17:02 d-------- c:\program files\SUPERAntiSpyware
2008-12-06 17:02 . 2008-12-06 17:02 d-------- c:\documents and settings\Rohit\Application Data\SUPERAntiSpyware.com
2008-12-06 17:02 . 2008-12-06 17:02 d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-06 16:21 . 2008-12-06 16:22 d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-06 16:02 . 2008-12-06 16:02 d-------- c:\program files\Windows Defender
2008-12-06 15:09 . 2008-12-22 15:51 d--h----- C:\$AVG8.VAULT$
2008-12-06 14:58 . 2008-12-21 12:17 d-------- c:\windows\system32\drivers\Avg
2008-12-06 14:58 . 2008-12-06 14:58 d-------- c:\program files\AVG
2008-12-06 14:58 . 2008-12-06 14:58 d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-06 14:58 . 2008-12-06 14:58 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-06 14:58 . 2008-12-06 14:58 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-06 12:30 . 2008-12-06 14:52 d-------- c:\program files\Enigma Software Group
2008-12-06 01:22 . 2008-12-06 01:26 d--h----- c:\documents and settings\Rohit\Application Data\Kaspersky_Key_Finder_(KKF
2008-12-06 00:46 . 2008-12-06 00:46 78,415 --a------ c:\windows\system32\drivers\klif.cab
2008-12-06 00:45 . 2008-12-06 00:45 d-------- c:\program files\Common Files\Download Manager
2008-12-06 00:45 . 2008-12-06 00:45 d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-12-06 00:34 . 2008-02-07 17:10 d--h----- C:\ckis
2008-12-06 00:23 . 2008-12-06 00:23 1,140,736 --a------ C:\MAJ.zip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-21 23:32 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-12-21 16:03 --------- d-----w c:\program files\Lx_cats
2008-12-20 20:53 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-12-18 03:34 --------- d-----w c:\documents and settings\Rohit\Application Data\uTorrent
2008-12-11 08:16 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-07 00:40 --------- d-----w c:\program files\Java
2008-12-06 22:02 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-06 21:41 --------- d-----w c:\documents and settings\Rohit\Application Data\U3
2008-12-06 21:22 --------- d--h--w c:\documents and settings\Rohit\Application Data\Lavasoft
2008-12-06 21:22 --------- d-----w c:\program files\Lavasoft
2008-12-06 06:38 --------- d-----w c:\program files\Kaspersky Lab
2008-11-29 01:06 --------- d-----w c:\program files\mIRC
2008-11-28 05:30 --------- d-----w c:\program files\FlashFXP
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-08-17 23:52 47,360 ---ha-w c:\documents and settings\Rohit\Application Data\pcouffin.sys
2006-09-10 15:52 81,920 ---ha-w c:\documents and settings\Rohit\Application Data\ezpinst.exe
.

((((((((((((((((((((((((((((( snapshot_2008-12-21_12.56.39.89 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-22 06:07:17 85,104 --sha-w c:\windows\system32\buhabova.dll
- 2008-12-20 23:00:25 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-21 18:00:34 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-20 23:00:25 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-21 18:00:34 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-21 18:00:34 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-22 18:07:25 98,054 --sha-w c:\windows\system32\wosomupo.dll
+ 2008-12-22 20:58:47 16,384 ----atw c:\windows\temp\Perflib_Perfdata_5a4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-08 94208]
"Aim6"="c:\program files\AIM6\aim6.exe" [2007-10-04 50528]
"Simp"="c:\program files\Secway\SimpLite-MSN 2.2\SimpLite-MSN.exe" [2006-07-19 1966080]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-11-17 1805552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-09 139264]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-09-18 86016]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"HostManager"="c:\program files\Common Files\AOL\1152044440\ee\AOLSoftware.exe" [2006-05-09 50760]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"amd_dc_opt"="c:\program files\AMD\amd_dc_opt\amd_dc_opt.exe" [2006-06-28 106496]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"UFD Monitor"="c:\program files\USB Drive\USB Drive\JmeMon.exe" [2002-11-27 45056]
"UFD Utility"="c:\program files\USB Drive\USB Drive\USBTD.exe" [2003-04-15 421888]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 57344]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-12-11 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"LXCICATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCItime.dll" [2005-09-08 73728]
"lxcimon.exe"="c:\program files\Lexmark 7300 Series\lxcimon.exe" [2005-09-30 200704]
"EzPrint"="c:\program files\Lexmark 7300 Series\ezprint.exe" [2005-08-01 94208]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-06 1261336]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-06 136600]
"c8d9f426"="c:\windows\system32\buhabova.dll" [2008-12-22 85104]
"CPMcbeac7ba"="c:\windows\system32\wosomupo.dll" [2008-12-22 98054]
"SoundMan"="SOUNDMAN.EXE" [2005-09-26 c:\windows\soundman.exe]
"nwiz"="nwiz.exe" [2005-09-18 c:\windows\system32\nwiz.exe]
"WD Button Manager"="WDBtnMgr.exe" [2006-07-04 c:\windows\system32\WDBtnMgr.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

c:\documents and settings\Rakesh Mehta\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\Rohit\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]
palmOne Registration.lnk - c:\program files\palmOne\register.exe [2007-07-02 2367488]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"= "c:\windows\system32\wosomupo.dll" [2008-12-22 98054]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\wosomupo.dll [2008-12-22 98054]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 15:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
"VIDC.HFYU"= huffyuv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_SZ scecli

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\AOL\\1152044440\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1152044440\\ee\\aim6.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Secway\\SimpLite-MSN 2.2\\SimpLite-MSN.exe"=
"c:\\Program Files\\ASCII Art Studio\\AsciiArtStudio.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Documents and Settings\\Rohit\\Desktop\\RatioMaster\\RatioMaster.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\SSL_WRAPPER\\wrap.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\Rohit\\Desktop\\PRE\\preutil.exe"=
"c:\\Documents and Settings\\Rohit\\Application Data\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\lxcicoms.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\ComboFix\\fdsv.cfexe"=
"c:\\WINDOWS\\system32\\WDBtnMgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"113:TCP"= 113:TCP:mirc
"113:UDP"= 113:UDP:mirc
"13:TCP"= 13:TCP:port13
"13:UDP"= 13:UDP:port13
"50573:TCP"= 50573:TCP:Utor port1
"50573:UDP"= 50573:UDP:utor2

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-06 97928]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-11-17 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-11-17 55024]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-06 231704]
R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
R3 AmdTools;AMD Special Tools Driver;c:\windows\system32\DRIVERS\AmdTools.sys [2006-07-24 31744]
R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408]
S3 AlcrFilt;Alcor Micro Corp;\??\c:\windows\System32\Drivers\AlcrFilt.sys [2003-02-24 22860]
S3 gbalink;GBA Link Driver (gbalink.sys);c:\windows\system32\Drivers\gbalink.sys [2007-01-06 19677]
.
Contents of the 'Scheduled Tasks' folder

2008-12-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2008-12-22 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com
uInternet Settings,ProxyOverride = *.local
IE: Download linked FLV with GetFLV - c:\program files\GetFLV\iemenu\DownloadLinkFLV.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Save with Download Manager... - file://c:\program files\J River\Media Center 11\DMDownload.htm
FF - ProfilePath - c:\documents and settings\Rohit\Application Data\Mozilla\Firefox\Profiles\7qdh1rpk.default\
FF - prefs.js: browser.search.selectedEngine - Smogon
FF - prefs.js: browser.startup.homepage - hxxp://www.gamefaqs.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-22 15:58:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCICATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCItime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...


c:\windows\TEMP\TMP000000385AB26CA3CC990D38 524288 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\progra~1\Dantz\RETROS~1\wdsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\rundll32.exe
c:\program files\BigFix\bigfix.exe
c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2008-12-22 16:11:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-22 21:11:47
ComboFix2.txt 2008-12-22 00:01:12
ComboFix3.txt 2008-12-07 00:08:51

Pre-Run: 50,638,532,608 bytes free
Post-Run: 50,560,294,912 bytes free

277 --- E O F --- 2008-12-22 21:11:38
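The ComboFix listing above shows the pattern a responder pivots on: the same freshly dated DLL in system32 (wosomupo.dll) registered under Run, SharedTaskScheduler and ShellServiceObjectDelayLoad, a second DLL (buhabova.dll) under a random-looking Run value name, and Security Center override flags set to 1. The script below is an added example, not code from this thread or from ComboFix, HijackThis or Malwarebytes; it parses a registry dump in ComboFix's shape and scores each file by how many autostart locations point at it. The sample log is constructed from the lines quoted above, and the weights, the 7-day "recent file" window and the reporting threshold are this example's own assumptions.

```python
"""Autostart triage over ComboFix-style registry dumps.

Added example (not part of the original thread). The weights, the 7-day
'recent file' window and the threshold are this example's assumptions.
"""
import re
from collections import defaultdict
from datetime import date

# Constructed sample in the shape of the ComboFix output quoted in the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-06 1261336]
"c8d9f426"="c:\windows\system32\buhabova.dll" [2008-12-22 85104]
"CPMcbeac7ba"="c:\windows\system32\wosomupo.dll" [2008-12-22 98054]
"SoundMan"="SOUNDMAN.EXE" [2005-09-26 c:\windows\soundman.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"= "c:\windows\system32\wosomupo.dll" [2008-12-22 98054]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\wosomupo.dll [2008-12-22 98054]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
PATH_RE = re.compile(r'[a-z]:\\[^\s"\[\]]+', re.I)
DATE_RE = re.compile(r"\[(\d{4}-\d{2}-\d{2})\b")
HEXRUN_RE = re.compile(r"[0-9a-f]{8,}", re.I)

# Security Center values that silence the 'no antivirus / no updates' warnings.
SC_OVERRIDES = {"antivirusoverride", "firewalloverride", "antivirusdisablenotify",
                "firewalldisablenotify", "updatesdisablenotify"}
WEIGHTS = {"system32_dll": 2, "random_name": 1, "recent_file": 2}  # assumed weights


def looks_random(name):
    """Vundo's value names are hex-looking blobs (c8d9f426, CPMcbeac7ba).
    GUID-named values are normal under STS/SSODL, so they are not counted."""
    if name.startswith("{"):
        return False
    run = HEXRUN_RE.search(name)
    return bool(run and any(c.isdigit() for c in run.group(0)))


def parse_values(text):
    """Yield (section, value_name, file_path_or_None, file_date_or_None, raw_data)."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            # keep only the last key component: 'run', 'sharedtaskscheduler', ...
            section = sec.group(1).lower().rsplit("\\", 1)[-1]
            continue
        val = VALUE_RE.match(line)
        if not val or section is None:
            continue
        name, data = val.groups()
        p, d = PATH_RE.search(data), DATE_RE.search(data)
        yield (section, name,
               p.group(0).lower() if p else None,
               date.fromisoformat(d.group(1)) if d else None,
               data)


def triage(text, scan_date, recent_days=7, threshold=4):
    """Pivot on the file path across autostart locations and score each file."""
    files = defaultdict(lambda: {"where": set(), "tags": set()})
    overrides = []
    for section, name, path, fdate, data in parse_values(text):
        if section == "security center":
            if name.lower() in SC_OVERRIDES and data.lower().endswith("dword:00000001"):
                overrides.append(name)
            continue
        if path is None:
            continue
        entry = files[path]
        entry["where"].add(section)
        if path.endswith(".dll") and "\\system32\\" in path:
            entry["tags"].add("system32_dll")   # in-process DLL, never shows as a process
        if looks_random(name):
            entry["tags"].add("random_name")
        if fdate is not None and 0 <= (scan_date - fdate).days <= recent_days:
            entry["tags"].add("recent_file")
    report = {}
    for path, e in files.items():
        # one file registered under several autostart keys is the strongest single signal
        score = sum(WEIGHTS[t] for t in e["tags"]) + min(len(e["where"]) - 1, 3)
        if score >= threshold:
            report[path] = {"score": score, "where": sorted(e["where"]), "tags": sorted(e["tags"])}
    return {"files": report, "security_center_overrides": overrides}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, date(2008, 12, 22))
    for path, info in sorted(result["files"].items(), key=lambda kv: -kv[1]["score"]):
        print(f"{info['score']:>2}  {path}  via {', '.join(info['where'])}  [{', '.join(info['tags'])}]")
    for name in result["security_center_overrides"]:
        print(f"Security Center override set: {name}")
```

On the constructed sample this ranks wosomupo.dll (three locations, random name, same-day file date) above buhabova.dll and leaves the AVG tray and SoundMan entries unreported. The scores are a triage aid only: a legitimate driver or security product updated the same week can also land a system32 DLL with a recent date, so confirm a hit by hashing the file and checking its signer before removing anything.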

Re: Random Pop-Ups, Believe I'm Infected With Something

It regenerated again.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

Re: Random Pop-Ups, Believe I'm Infected With Something
Hi,

Thanks for the speedy reply as always. Here is the log:

Malwarebytes' Anti-Malware 1.31
Database version: 1533
Windows 5.1.2600 Service Pack 3

12/22/2008 7:38:04 PM
mbam-log-2008-12-22 (19-38-04).txt

Scan type: Quick Scan
Objects scanned: 63388
Time elapsed: 4 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 8
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\buhabova.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\wosomupo.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c8d9f426 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmcbeac7ba (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\wosomupo.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\wosomupo.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\buhabova.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\avobahub.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wosomupo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ClickToFindandFixErrors_RON.ico (Malware.Trace) -> Quarantined and deleted successfully.

Re: Random Pop-Ups, Believe I'm Infected With Something
Hmm, I think that may have got it all.

Still having problems?

Re: Random Pop-Ups, Believe I'm Infected With Something
Everything seems up and running smoothly, but the machine seems to start up slowly now after reboots and stuff.

Re: Random Pop-Ups, Believe I'm Infected With Something
Probably the amount of stuff at startup.
Post a new Hijack This log.

Re: Random Pop-Ups, Believe I'm Infected With Something
Sure thing:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:52:53 PM, on 12/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\Common Files\AOL\1152044440\ee\AOLSoftware.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\USB Drive\USB Drive\JmeMon.exe
C:\Program Files\USB Drive\USB Drive\USBTD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark 7300 Series\ezprint.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Rohit\Desktop\hijackgpthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1152044440\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [amd_dc_opt] "C:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [UFD Monitor] C:\Program Files\USB Drive\USB Drive\JmeMon.exe
O4 - HKLM\..\Run: [UFD Utility] C:\Program Files\USB Drive\USB Drive\USBTD.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LXCICATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCItime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcimon.exe] "C:\Program Files\Lexmark 7300 Series\lxcimon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7300 Series\ezprint.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Simp] C:\Program Files\Secway\SimpLite-MSN 2.2\SimpLite-MSN.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: Download linked FLV with GetFLV - C:\Program Files\GetFLV\iemenu\DownloadLinkFLV.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\J River\Media Center 11\DMDownload.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe

--
End of file - 9581 bytes

Re: Random Pop-Ups, Believe I'm Infected With Something

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1152044440\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
    O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [amd_dc_opt] "C:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe"
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [UFD Monitor] C:\Program Files\USB Drive\USB Drive\JmeMon.exe
    O4 - HKLM\..\Run: [UFD Utility] C:\Program Files\USB Drive\USB Drive\USBTD.exe
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [LXCICATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCItime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [lxcimon.exe] "C:\Program Files\Lexmark 7300 Series\lxcimon.exe"
    O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7300 Series\ezprint.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [Simp] C:\Program Files\Secway\SimpLite-MSN 2.2\SimpLite-MSN.exe
    O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
    O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe


  • Press "Fix Checked"
  • Close Hijack This.


Reboot and see if it's any faster.

Re: Random Pop-Ups, Believe I'm Infected With Something
Yep, the system loads a lot faster due to all that crap not running at startup. Thanks for the help!

By the way, is there a reason that my antivirus and anti-spyware software don't catch malware on the spot? It seems that they fail to do anything in terms of monitoring internet threats.

Re: Random Pop-Ups, Believe I'm Infected With Something
There are sooo many ways of bypassing an AV nowadays, it's crazy.

No AV is perfect, but it will keep out the worst stuff. Be thankful you only had Vundo (adware).

Re: Random Pop-Ups, Believe I'm Infected With Something
Haha...well I'm glad that someone knowledgeable like yourself can help us computer illiterate folk. Thanks for the help, much appreciated.

Re: Random Pop-Ups, Believe I'm Infected With Something
Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.
