Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Hi Everyone! My first Log. Please help me out with pop ups...

Started by jhate83 , Sep 27 2006 06:06 PM

Please log in to reply

#1
jhate83

Posted 27 September 2006 - 06:06 PM

New Member

Member
4 posts

So for some reason i started getting a TON of pop ups. Im not used to that. I never got a one until just the other day. So i downloaded all of the free software from the site(THANK YOU!) and i just need someone to check out my log and give me advice. I was having the look2me pop ups and the outerinfo pop ups, Those are the ones i know of. Thanks in advance!!!

Logfile of HijackThis v1.99.1
Scan saved at 8:02:35 PM, on 9/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\{F41B2A84-05D8-1033-0928-050506220001}\Update.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1158731512517
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.del...ll/gtdownde.cab
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\pjrfnw.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: dlbu_device - Dell - C:\WINDOWS\system32\dlbucoms.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

#2
loophole

Posted 28 September 2006 - 10:44 AM

Malware Expert

Retired Staff
9,798 posts

Please refrain from altering the appearanc of your hijack log using bold, colors, etc. For some odd reoson we are used to reading them plain and they are difficult to read if altered. :blink:

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

#3
jhate83

Posted 28 September 2006 - 03:41 PM

New Member

Topic Starter
Member
4 posts

Thanks! Sorry about the bold text. I ran the Combofix, i recieved 2 "regedit" errors during the process and had to click ok to continue...

Jimmy - 06-09-28 17:23:25.93 Service Pack 2
ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Jimmy.JIMMYSLAPTOP\Desktop"

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Granting sedebugprivilege to Administrators ... successful

((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Documents and Settings\Jimmy.JIMMYSLAPTOP\Application Data\Dxcknwrd.dll
C:\Documents and Settings\Jimmy.JIMMYSLAPTOP\Application Data\Dxcuknwrd.dll

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\wnsintsv.exe
C:\WINDOWS\justin.exe
C:\WINDOWS\thiselt.exe
C:\Program Files\outlook
C:\Program Files\PrintView
C:\Program Files\Common Files\{F41B2A84-05D8-1033-0928-050506220001}

((((((((((((((((((((((((((((((( Files Created from 2006-08-28 to 2006-09-28 ))))))))))))))))))))))))))))))))))

2006-09-25 18:23 32,768 --a--c--- C:\WINDOWS\1205.exe
2006-09-25 18:23 25,105 --a--c--- C:\WINDOWS\idlemg.exe
2006-09-25 18:22 921 --a--c--- C:\WINDOWS\SYSTEM32\winpfg32.sys
2006-09-25 18:22 2,560 --a--c--- C:\WINDOWS\ac3_0002.exe
2006-09-25 18:22 1,233 --a--c--- C:\WINDOWS\SYSTEM32\qtqeab6a.sys
2006-09-24 19:54 66,048 --a--c--- C:\WINDOWS\ieResetIcons.exe
2006-09-20 08:58 127,208 --a--c--- C:\WINDOWS\SYSTEM32\mucltui.dll
2006-09-18 07:32 80,896 --a--c--- C:\WINDOWS\SYSTEM32\nshE.dll
2006-09-04 18:00 108 -----c--- C:\WINDOWS\st32sys.sys

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-09-28 17:38 -------- d----c--- C:\Program Files\Common Files
2006-09-27 23:00 -------- d----c--- C:\Documents and Settings\Jimmy.JIMMYSLAPTOP\Application Data\BearShare
2006-09-27 22:39 -------- d----c--- C:\Program Files\BearShare Applications
2006-09-27 22:22 -------- d----c--- C:\Documents and Settings\Jimmy.JIMMYSLAPTOP\Application Data\Kazaa Lite
2006-09-27 20:49 -------- d----c--- C:\Program Files\Internet Explorer
2006-09-27 19:17 -------- d----c--- C:\Program Files\Hijackthis
2006-09-27 18:27 -------- d----c--- C:\Program Files\SpywareBlaster
2006-09-27 00:23 -------- d----c--- C:\Program Files\Google
2006-09-26 19:07 -------- d----c--- C:\Program Files\RedLeg
2006-09-26 00:31 -------- d----c--- C:\Program Files\CCleaner
2006-09-24 22:18 -------- d----c--- C:\Program Files\Infogrames
2006-09-24 19:52 -------- d----c--- C:\Program Files\Lavasoft
2006-09-24 19:52 -------- d----c--- C:\Documents and Settings\Jimmy.JIMMYSLAPTOP\Application Data\Lavasoft
2006-09-24 19:39 -------- d----c--- C:\Documents and Settings\Jimmy.JIMMYSLAPTOP\Application Data\Registry Cleaner
2006-09-24 18:44 -------- d----c--- C:\Program Files\Online Services
2006-09-24 18:43 -------- d----c--- C:\Program Files\Windows NT
2006-09-24 15:01 -------- d----c--- C:\Documents and Settings\Jimmy.JIMMYSLAPTOP\Application Data\Adobe
2006-09-24 01:13 -------- d----c--- C:\Program Files\Trymedia
2006-09-20 20:19 -------- d----c--- C:\Documents and Settings\Jimmy.JIMMYSLAPTOP\Application Data\Talkback
2006-09-20 20:14 -------- d----c--- C:\Documents and Settings\Jimmy.JIMMYSLAPTOP\Application Data\Mozilla
2006-09-20 01:44 -------- d--h-c--- C:\Program Files\InstallShield Installation Information
2006-09-20 01:44 -------- d----c--- C:\Program Files\Motorola
2006-09-16 16:03 -------- d----c--- C:\Program Files\mIRC
2006-09-13 17:20 -------- d----c--- C:\Program Files\AIM
2006-09-07 07:33 -------- d---sc--- C:\Documents and Settings\Jimmy.JIMMYSLAPTOP\Application Data\Microsoft
2006-09-03 16:19 -------- d----c--- C:\Program Files\BitPim
2006-08-24 21:22 -------- d----c--- C:\Documents and Settings\Jimmy.JIMMYSLAPTOP\Application Data\Google
2006-08-23 00:31 5906432 -----c--- C:\WINDOWS\SYSTEM32\ieframe.dll
2006-08-23 00:31 50688 -----c--- C:\WINDOWS\SYSTEM32\msfeedsbs.dll
2006-08-23 00:31 457728 -----c--- C:\WINDOWS\SYSTEM32\msfeeds.dll
2006-08-23 00:31 413696 --a--c--- C:\WINDOWS\SYSTEM32\vbscript.dll
2006-08-23 00:31 225792 --a--c--- C:\WINDOWS\SYSTEM32\webcheck.dll
2006-08-23 00:31 175616 -----c--- C:\WINDOWS\SYSTEM32\ieui.dll
2006-08-23 00:31 152064 --a--c--- C:\WINDOWS\SYSTEM32\msls31.dll
2006-08-23 00:18 78336 --a--c--- C:\WINDOWS\SYSTEM32\ieencode.dll
2006-08-23 00:18 206336 -----c--- C:\WINDOWS\SYSTEM32\WinFXDocObj.exe
2006-08-23 00:17 40448 --a--c--- C:\WINDOWS\SYSTEM32\licmgr10.dll
2006-08-23 00:17 105472 --a--c--- C:\WINDOWS\SYSTEM32\url.dll
2006-08-23 00:17 100352 --a--c--- C:\WINDOWS\SYSTEM32\occache.dll
2006-08-23 00:16 16896 --a--c--- C:\WINDOWS\SYSTEM32\corpol.dll
2006-08-23 00:14 378368 --a--c--- C:\WINDOWS\SYSTEM32\iedkcs32.dll
2006-08-23 00:14 229376 --a--c--- C:\WINDOWS\SYSTEM32\ieaksie.dll
2006-08-23 00:13 71680 --a--c--- C:\WINDOWS\SYSTEM32\admparse.dll
2006-08-23 00:13 55296 --a--c--- C:\WINDOWS\SYSTEM32\iesetup.dll
2006-08-23 00:13 54784 --a--c--- C:\WINDOWS\SYSTEM32\ie4uinit.exe
2006-08-23 00:13 43008 --a--c--- C:\WINDOWS\SYSTEM32\iernonce.dll
2006-08-23 00:13 152064 --a--c--- C:\WINDOWS\SYSTEM32\ieakeng.dll
2006-08-23 00:13 122880 --a--c--- C:\WINDOWS\SYSTEM32\advpack.dll
2006-08-23 00:13 11776 --a--c--- C:\WINDOWS\SYSTEM32\ieudinit.exe
2006-08-23 00:11 12288 -----c--- C:\WINDOWS\SYSTEM32\msfeedssync.exe
2006-08-23 00:10 61440 -----c--- C:\WINDOWS\SYSTEM32\icardie.dll
2006-08-23 00:10 35328 --a--c--- C:\WINDOWS\SYSTEM32\imgutil.dll
2006-08-23 00:09 262656 -----c--- C:\WINDOWS\SYSTEM32\iertutil.dll
2006-08-23 00:07 45568 --a--c--- C:\WINDOWS\SYSTEM32\mshta.exe
2006-08-22 23:37 48128 --a--c--- C:\WINDOWS\SYSTEM32\mshtmler.dll
2006-08-22 23:36 380928 -----c--- C:\WINDOWS\SYSTEM32\ieapfltr.dll
2006-08-22 23:30 161792 --a--c--- C:\WINDOWS\SYSTEM32\ieakui.dll
2006-08-21 08:21 16896 --a--c--- C:\WINDOWS\SYSTEM32\fltlib.dll
2006-08-21 05:14 23040 --a--c--- C:\WINDOWS\SYSTEM32\fltmc.exe
2006-08-21 05:14 128896 -----c--- C:\WINDOWS\SYSTEM32\DRIVERS\fltmgr.sys
2006-08-10 19:46 22752 --a--c--- C:\WINDOWS\SYSTEM32\spupdsvc.exe
2006-08-03 23:17 -------- d----c--- C:\Program Files\Windows Defender
2006-07-27 09:24 679424 --a--c--- C:\WINDOWS\SYSTEM32\inetcomm.dll
2006-07-21 04:24 72704 --a--c--- C:\WINDOWS\SYSTEM32\hlink.dll
2006-07-14 11:52 121856 -----c--- C:\WINDOWS\SYSTEM32\xmllite.dll
2006-06-29 08:05 26112 -----c--- C:\WINDOWS\SYSTEM32\idndl.dll
2006-06-29 08:05 23552 -----c--- C:\WINDOWS\SYSTEM32\normaliz.dll
2006-06-28 17:59 24576 -----c--- C:\WINDOWS\SYSTEM32\nlsdl.dll
2006-06-07 13:55 3626 --a--c--- C:\Program Files\Common Files\howyw.html

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000003

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e4,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
"path"="C:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\Adobe Gamma Loader.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^Jimmy.JIMMYSLAPTOP^Start Menu^Programs^Startup^Think-Adz.lnk]
"path"="C:\\Documents and Settings\\Jimmy.JIMMYSLAPTOP\\Start Menu\\Programs\\Startup\\Think-Adz.lnk"
"backup"="C:\\WINDOWS\\pss\\Think-Adz.lnkStartup"
"location"="Startup"
"command"="C:\\WINDOWS\\SYSTEM32\\owinppes.exe ELT001"
"item"="Think-Adz"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^Jimmy.JIMMYSLAPTOP^Start Menu^Programs^Startup^Webshots.lnk]
"path"="C:\\Documents and Settings\\Jimmy.JIMMYSLAPTOP\\Start Menu\\Programs\\Startup\\Webshots.lnk"
"backup"="C:\\WINDOWS\\pss\\Webshots.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\Webshots\\Launcher.exe /t"
"item"="Webshots"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ACTX1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="v1201"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\v1201.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AIM+"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\AIM+\\AIM+.exe\" -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ATIPTA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="atiptaxx"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AVG7_CC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgcc"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AVG7_Run]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgw"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Cleanup]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="20061121416_mcappins"
"hkey"="HKLM"
"command"="C:\\DOCUME~1\\JIMMY~1.JIM\\LOCALS~1\\Temp\\20061121416_mcappins.exe /v=3 /cleanup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Dell Photo AIO Printer 942]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dlbubmgr"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Dell Photo AIO Printer 942\\dlbubmgr.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Dell QuickSet]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="quickset"
"hkey"="HKLM"
"command"="C:\\Program Files\\Dell\\QuickSet\\quickset.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DellMCM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="memcard"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Dell Photo AIO Printer 942\\memcard.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ExploreUpdSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="owinppes"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\owinppes.exe ELT001"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ICQ Lite]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ICQLite"
"hkey"="HKLM"
"command"="C:\\Program Files\\ICQLite\\ICQLite.exe -minimize"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\IntelWireless]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ifrmewrk"
"hkey"="HKLM"
"command"="C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe /tf Intel PROSet/Wireless"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\IntelZeroConfig]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ZCfgSvc"
"hkey"="HKLM"
"command"="C:\\Program Files\\Intel\\Wireless\\bin\\ZCfgSvc.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MCAgentExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcagent"
"hkey"="HKLM"
"command"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MCUpdateExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="McUpdate"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\McAfee.com\\Agent\\McUpdate.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\msci]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="20061121410_mcinfo"
"hkey"="HKLM"
"command"="C:\\DOCUME~1\\JIMMY~1.JIM\\LOCALS~1\\Temp\\20061121410_mcinfo.exe /insfin"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NeroCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\outlook]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="outlook"
"hkey"="HKLM"
"command"="C:\\Program Files\\outlook\\outlook.exe /auto"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\swg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GoogleToolbarNotifier"
"hkey"="HKCU"
"command"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ViewMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ViewMgr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\VirusScan Online]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcvsshld"
"hkey"="HKLM"
"command"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\VSOCheckTask]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcmnhdlr"
"hkey"="HKLM"
"command"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Windows Defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MSASCui"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\winlog]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winlog"
"hkey"="HKLM"
"command"="winlog.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YahooMessenger"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"inimapping"="0"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\McAfee.com Update Check (JIMMYSLAPTOP-Jimmy).job
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: Thu 09/28/2006 17:38:59.98
ComboFix.txt
ComboFix2.txt

#4
loophole

Posted 29 September 2006 - 12:21 AM

Malware Expert

Retired Staff
9,798 posts

No problem on the bold etc. just a little tough to read :blink:

Please run a scan with HijackThis and check the following lines for removal:

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\pjrfnw.dll (file missing)

Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.

Save it to your desktop.
Please double-click Killbox.exe to run it.
Select:
- Delete on Reboot
- then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\1205.exe
C:\WINDOWS\idlemg.exe
C:\WINDOWS\SYSTEM32\winpfg32.sys
C:\WINDOWS\ac3_0002.exe
C:\WINDOWS\SYSTEM32\qtqeab6a.sys
C:\WINDOWS\SYSTEM32\nshE.dll
C:\WINDOWS\st32sys.sys
C:\Program Files\Common Files\{F41B2A84-05D8-1033-0928-050506220001}\Update.exe
Return to Killbox, go to the File menu, and choose Paste from Clipboard.
Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

After the reboot

Clean out your Temporary Internet files. Proceed as follows:

Quit Internet Explorer and quit any instances of Windows Explorer.
Click Start, click Control Panel, and then double-click Internet Options.
On the General tab, click Delete Files under Temporary Internet Files.
In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
Click OK.

Please go HERE to run Panda's ActiveScan

Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a new hijackthis log.

#5
jhate83

Posted 30 September 2006 - 11:24 AM

New Member

Topic Starter
Member
4 posts

Please run a scan with HijackThis and check the following lines for removal:

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\pjrfnw.dll (file missing)

none of these are listed

#6
loophole

Posted 30 September 2006 - 01:09 PM

Malware Expert

Retired Staff
9,798 posts

OK, Did you run the panda scan?

#7
jhate83

Posted 30 September 2006 - 05:39 PM

New Member

Topic Starter
Member
4 posts

OK, Did you run the panda scan?

Incident Status Location

Potentially unwanted tool:application/regclean32 Not disinfected C:\Documents and Settings\Jimmy.JIMMYSLAPTOP\Application Data\Registry Cleaner
Adware:adware/adrotator Not disinfected Windows Registry
Adware:adware/ieplugin Not disinfected Windows Registry
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Jimmy.JIMMYSLAPTOP\Cookies\[email protected][2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Jimmy.JIMMYSLAPTOP\Cookies\jimmy@apmebf[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Jimmy.JIMMYSLAPTOP\Cookies\[email protected][2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Jimmy.JIMMYSLAPTOP\Cookies\jimmy@atwola[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Jimmy.JIMMYSLAPTOP\Cookies\jimmy@com[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Jimmy.JIMMYSLAPTOP\Cookies\jimmy@drivecleaner[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Jimmy.JIMMYSLAPTOP\Cookies\jimmy@go[1].txt
Spyware:Cookie/Kmpads Not disinfected C:\Documents and Settings\Jimmy.JIMMYSLAPTOP\Cookies\jimmy@kmpads[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Jimmy.JIMMYSLAPTOP\Cookies\[email protected][1].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Jimmy.JIMMYSLAPTOP\Cookies\jimmy@qksrv[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Jimmy.JIMMYSLAPTOP\Cookies\jimmy@realmedia[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Jimmy.JIMMYSLAPTOP\Cookies\jimmy@serving-sys[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Jimmy.JIMMYSLAPTOP\Cookies\jimmy@statcounter[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Jimmy.JIMMYSLAPTOP\Cookies\[email protected][2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Jimmy.JIMMYSLAPTOP\Cookies\jimmy@tribalfusion[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\LocalService.NT AUTHORITY.000\Cookies\[email protected][1].txt
Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\LocalService.NT AUTHORITY.000\Cookies\[email protected][1].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\LocalService.NT AUTHORITY.000\Cookies\system@errorsafe[2].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\LocalService.NT AUTHORITY.000\Cookies\[email protected][1].txt
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\ac3_0002.exe
Adware:Adware/ISearch Not disinfected C:\WINDOWS\idlemg.exe
Potentially unwanted tool:Application/RealSpy Not disinfected C:\WINDOWS\SYSTEM32\actskn45.ocx

#8
loophole

Posted 01 October 2006 - 07:22 PM

Malware Expert

Retired Staff
9,798 posts

Killbox

Please double-click Killbox.exe to run it.
Select:
- Delete on Reboot
- then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\ac3_0002.exe
C:\WINDOWS\idlemg.exe
C:\WINDOWS\SYSTEM32\actskn45.ocx
C:\Documents and Settings\Jimmy.JIMMYSLAPTOP\Application Data\Registry Cleaner
Return to Killbox, go to the File menu, and choose Paste from Clipboard.
Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Browse here C:\Documents and Settings\Jimmy.JIMMYSLAPTOP\Cookies and delete everything IN that folder

How is the computer running?