IE7 unwanted popups



Raynor69
2007-09-18, 19:18
Hello, having a few problems here. I was reading a forum thread in the archives about someone having the same problem... I followed most of the steps but am still having popups, so I thought it's time for help in my own case.
Tools I'm using:
Trend Internet Security 2005
Spybot Search and Destroy
Ad-Aware
fsbl
ATF-Cleaner
SmitfraudFix
AVG Anti-Rootkit 1.0.0.13
HijackThis

HJT log as follows:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:12:14 AM, on 9/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Windows Defender\MsMpEng.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
H:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
H:\WINDOWS\system32\svchost.exe
H:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
H:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
H:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\system32\VTTimer.exe
H:\WINDOWS\system32\VTtrayp.exe
H:\WINDOWS\SOUNDMAN.EXE
H:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
H:\Program Files\HP\HP Software Update\HPWuSchd2.exe
H:\Program Files\Windows Defender\MSASCui.exe
H:\Program Files\QuickTime\qttask.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\iTunes\iTunesHelper.exe
H:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe
H:\Program Files\MSN Messenger\MsnMsgr.Exe
H:\Program Files\iPod\bin\iPodService.exe
H:\Program Files\Messenger\msmsgs.exe
H:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
H:\WINDOWS\system32\ctfmon.exe
H:\PROGRA~1\AWS\WEATHE~1\Weather.exe
H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
H:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
I:\Spyware removal tools\HiJackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - H:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - h:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - H:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [pccguide.exe] "H:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [HP Software Update] H:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Windows Defender] "H:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QUICKCARE] H:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe /P QUICKCARE
O4 - HKCU\..\Run: [MsnMsgr] "H:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "H:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] H:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] H:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [updateMgr] "H:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = H:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = H:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = H:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139974419906
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1139984248625
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O20 - AppInit_DLLs: H:\WINDOWS\system32\__c00870A0.dat
O23 - Service: Google Updater Service (gusvc) - Google - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - H:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - H:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - H:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - H:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - H:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 7358 bytes

Raynor69
2007-09-18, 21:41
Ran about everything I've read, posted logs below...

ComboFix 07-09-18.4 - "Julie" 2007-09-18 13:20:35.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.137 [GMT -6:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

H:\DOCUME~1\Brooke\APPLIC~1\microsoft\internet explorer\quick launch\VirusProtectPro 3.7.lnk
H:\DOCUME~1\Brooke\Desktop\internet.lnk
H:\DOCUME~1\Brooke\Desktop\VirusProtectPro 3.7.lnk
H:\DOCUME~1\Brooke\STARTM~1\Programs\VirusProtectPro 3.7
H:\DOCUME~1\Brooke\STARTM~1\Programs\VirusProtectPro 3.7\Uninstall VirusProtectPro 3.7.lnk
H:\DOCUME~1\Brooke\STARTM~1\Programs\VirusProtectPro 3.7\VirusProtectPro 3.7 Website.lnk
H:\DOCUME~1\Brooke\STARTM~1\Programs\VirusProtectPro 3.7\VirusProtectPro 3.7.lnk
H:\DOCUME~1\Brooke\STARTM~1\VirusProtectPro 3.7.lnk
H:\DOCUME~1\Louie\Desktop\internet.lnk
H:\DOCUME~1\Louie\Desktop\VirusProtectPro 3.7.lnk
H:\DOCUME~1\Louie\STARTM~1\Programs\VirusProtectPro 3.7
H:\DOCUME~1\Louie\STARTM~1\Programs\VirusProtectPro 3.7\Uninstall VirusProtectPro 3.7.lnk
H:\DOCUME~1\Louie\STARTM~1\Programs\VirusProtectPro 3.7\VirusProtectPro 3.7 Website.lnk
H:\DOCUME~1\Louie\STARTM~1\Programs\VirusProtectPro 3.7\VirusProtectPro 3.7.lnk
H:\DOCUME~1\Louie\STARTM~1\VirusProtectPro 3.7.lnk
H:\DOCUME~1\Zeke\Desktop\internet.lnk
H:\WINDOWS\system32\__c00870A0.dat

.
((((((((((((((((((((((((( Files Created from 2007-08-18 to 2007-09-18 )))))))))))))))))))))))))))))))
.

2007-09-18 13:19 51,200 --a------ H:\WINDOWS\NirCmd.exe
2007-09-18 01:37 2,202 --a------ H:\WINDOWS\system32\tmp.reg
2007-09-18 01:36 53,248 --a------ H:\WINDOWS\system32\Process.exe
2007-09-18 01:36 51,200 --a------ H:\WINDOWS\system32\dumphive.exe
2007-09-18 01:36 289,144 --a------ H:\WINDOWS\system32\VCCLSID.exe
2007-09-18 01:36 288,417 --a------ H:\WINDOWS\system32\SrchSTS.exe
2007-09-16 13:50 <DIR> d-------- H:\DOCUME~1\Louie\APPLIC~1\Lavasoft
2007-09-08 14:47 <DIR> d-a------ H:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-08-30 19:47 14,848 --a--c--- H:\WINDOWS\system32\dllcache\kbdhid.sys
2007-08-30 19:47 14,848 --a------ H:\WINDOWS\system32\drivers\kbdhid.sys
2007-08-30 19:43 9,600 --a--c--- H:\WINDOWS\system32\dllcache\hidusb.sys
2007-08-30 19:43 9,600 --a------ H:\WINDOWS\system32\drivers\hidusb.sys
2007-08-30 19:43 12,160 --a--c--- H:\WINDOWS\system32\dllcache\mouhid.sys
2007-08-30 19:43 12,160 --a------ H:\WINDOWS\system32\drivers\mouhid.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-18 12:18 --------- d-------- H:\Program Files\AWS
2007-09-18 12:17 --------- d--h----- H:\Program Files\InstallShield Installation Information
2007-09-18 12:17 --------- d-------- H:\Program Files\Return to Castle Wolfenstein
2007-09-18 00:28 --------- d-------- H:\Program Files\SpywareBlaster
2007-08-28 14:33 --------- d-------- H:\DOCUME~1\Julie\APPLIC~1\AdobeUM
2007-08-15 19:06 --------- d-------- H:\DOCUME~1\ALLUSE~1\APPLIC~1\SupportSoft
2007-08-15 18:58 --------- d-------- H:\Program Files\Qwest
2007-08-15 18:53 --------- d-------- H:\Program Files\Common Files\supportsoft
2007-08-15 18:52 --------- d-------- H:\Program Files\Actiontec
2007-08-15 18:52 --------- d-------- H:\Program Files\2Wire
2007-08-15 18:50 --------- d-------- H:\DOCUME~1\Julie\APPLIC~1\InstallShield
2007-08-06 13:19 --------- d-------- H:\DOCUME~1\Zeke\APPLIC~1\Apple Computer
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2004-07-12 19:57 H:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2004-06-21 12:57 H:\WINDOWS\system32\VTTrayp.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-06-20 07:42 H:\WINDOWS\SOUNDMAN.EXE]
"pccguide.exe"="H:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe" [2005-11-25 21:51]
"HP Software Update"="H:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"Windows Defender"="H:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"QuickTime Task"="H:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"iTunesHelper"="H:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"QUICKCARE"="H:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe" [2007-05-09 18:15]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="H:\Program Files\MSN Messenger\MsnMsgr.exe" [2005-09-19 01:02]
"MSMSGS"="H:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
"ctfmon.exe"="H:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

H:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Gamma Loader.lnk - H:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-02-14 22:28:30]
Adobe Reader Speed Launch.lnk - H:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 00:05:26]
HP Digital Imaging Monitor.lnk - H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 20:28:24]
HP Image Zone Fast Start.lnk - H:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 20:50:52]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=H:\WINDOWS\system32\__c00870A0.dat

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RaidTool]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"=H:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"updateMgr"="H:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

R0 viamraid;viamraid;H:\WINDOWS\system32\DRIVERS\viamraid.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-15 13:12:01 H:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-09-18 19:28:40 H:\WINDOWS\Tasks\MP Scheduled Scan.job"
- H:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-18 13:27:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-09-18 13:30:51 - machine was rebooted
H:\ComboFix-quarantined-files.txt ... 2007-09-18 13:30
.
--- E O F ---


Unnamed HJT Log..

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:35:14 PM, on 9/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Windows Defender\MsMpEng.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
H:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
H:\WINDOWS\system32\svchost.exe
H:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
H:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
H:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
H:\WINDOWS\system32\wuauclt.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\system32\VTTimer.exe
H:\WINDOWS\system32\VTtrayp.exe
H:\WINDOWS\SOUNDMAN.EXE
H:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
H:\Program Files\HP\HP Software Update\HPWuSchd2.exe
H:\Program Files\Windows Defender\MSASCui.exe
H:\Program Files\QuickTime\qttask.exe
H:\Program Files\iTunes\iTunesHelper.exe
H:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe
H:\Program Files\MSN Messenger\MsnMsgr.Exe
H:\Program Files\iPod\bin\iPodService.exe
H:\Program Files\Messenger\msmsgs.exe
H:\WINDOWS\system32\ctfmon.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
H:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
H:\WINDOWS\system32\notepad.exe
I:\Spyware removal tools\HiJackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - H:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [pccguide.exe] "H:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [HP Software Update] H:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Windows Defender] "H:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QUICKCARE] H:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe /P QUICKCARE
O4 - HKCU\..\Run: [MsnMsgr] "H:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "H:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = H:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = H:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = H:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139974419906
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1139984248625
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O20 - AppInit_DLLs: H:\WINDOWS\system32\__c00870A0.dat
O23 - Service: Google Updater Service (gusvc) - Unknown owner - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - H:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - H:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - H:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - H:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - H:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 6499 bytes

Renamed HJT.exe to juliemom.exe
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:35:44 PM, on 9/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Windows Defender\MsMpEng.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
H:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
H:\WINDOWS\system32\svchost.exe
H:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
H:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
H:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
H:\WINDOWS\system32\wuauclt.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\system32\VTTimer.exe
H:\WINDOWS\system32\VTtrayp.exe
H:\WINDOWS\SOUNDMAN.EXE
H:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
H:\Program Files\HP\HP Software Update\HPWuSchd2.exe
H:\Program Files\Windows Defender\MSASCui.exe
H:\Program Files\QuickTime\qttask.exe
H:\Program Files\iTunes\iTunesHelper.exe
H:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe
H:\Program Files\MSN Messenger\MsnMsgr.Exe
H:\Program Files\iPod\bin\iPodService.exe
H:\Program Files\Messenger\msmsgs.exe
H:\WINDOWS\system32\ctfmon.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
H:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
H:\WINDOWS\system32\notepad.exe
I:\Spyware removal tools\juliemom.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - H:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [pccguide.exe] "H:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [HP Software Update] H:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Windows Defender] "H:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QUICKCARE] H:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe /P QUICKCARE
O4 - HKCU\..\Run: [MsnMsgr] "H:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "H:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = H:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = H:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = H:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139974419906
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1139984248625
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O20 - AppInit_DLLs: H:\WINDOWS\system32\__c00870A0.dat
O23 - Service: Google Updater Service (gusvc) - Unknown owner - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - H:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - H:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - H:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - H:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - H:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 6497 bytes

Mr_JAk3
2007-09-20, 20:01
Hi and welcome to the Forums :)

You're infected.

Open Notepad and copy/paste the text in the quotebox below into it:

File::
H:\WINDOWS\system32\__c00870A0.dat

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=-

Save this as "CFScript"

http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
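
A small triage script, added here as an example and not part of the original thread or of HijackThis, ComboFix or Spybot themselves. It reads HijackThis-style lines (the sample lines are copied from the logs posted above), flags the three entry classes the fix above targets (the O20 AppInit_DLLs value pointing at a .dat file in system32, the O6 IE policy restriction, and an O23 service whose binary is missing) and reproduces the CFScript from the flagged path. The heuristics, the `Finding` structure and the function names are my own assumptions, not HijackThis rules.

```python
"""Triage of HijackThis-style log lines.

Added example for this thread: it is not part of the original posts and not
code from HijackThis, ComboFix or Spybot. The heuristics (which O20, O6 and
O23 entries to flag) are assumptions for illustration; the sample lines are
copied from the logs posted above.
"""
import re
from dataclasses import dataclass

# Constructed sample: five lines taken from the logs in this thread.
SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O6 - HKCU\\Software\\Policies\\Microsoft\\Internet Explorer\\Restrictions present
O20 - AppInit_DLLs: H:\\WINDOWS\\system32\\__c00870A0.dat
O23 - Service: Google Updater Service (gusvc) - Unknown owner - H:\\Program Files\\Google\\Common\\Google Updater\\GoogleUpdaterService.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - H:\\Program Files\\iPod\\bin\\iPodService.exe
"""

# "O20 - AppInit_DLLs: ..." -> section code and the rest of the line.
LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O20"
    reason: str   # why the line was flagged
    line: str     # the raw log line


def appinit_paths(body: str) -> list:
    """Split an 'AppInit_DLLs: <value>' body into its file paths. Windows
    delimits the value on spaces or commas, so long paths must use 8.3 names."""
    value = body.split(":", 1)[1].strip()
    return [p for p in re.split(r"[ ,]+", value) if p]


def check_appinit(body: str):
    """O20: every process that loads user32.dll also loads these files. A set
    value deserves a look; a non-.dll extension or a random-looking name in
    system32, as in this thread, is the classic malware pattern (heuristic)."""
    if not body.startswith("AppInit_DLLs:"):
        return None
    paths = appinit_paths(body)
    if not paths:
        return None
    reasons = []
    for path in paths:
        name = path.rsplit("\\", 1)[-1].lower()
        if not name.endswith(".dll"):
            reasons.append(f"non-DLL file injected into every process: {name}")
        if name.startswith("__") or re.search(r"[0-9a-f]{6,}", name):
            reasons.append(f"random-looking file name: {name}")
    return "; ".join(reasons) if reasons else "AppInit_DLLs is set; review the file"


def check_ie_policy(body: str):
    """O6: IE policy keys are rarely set on a home PC; rogue software uses
    them to lock the user out of Internet Options or the Control Panel."""
    if "Policies\\Microsoft\\Internet Explorer" in body and body.endswith("present"):
        return "IE policy restriction set; confirm it was intended"
    return None


def check_service(body: str):
    """O23: a service whose binary is gone is an uninstall leftover or a
    removed payload; either way the orphaned entry should go."""
    if body.startswith("Service:") and body.endswith("(file missing)"):
        return "service points at a missing binary"
    return None


CHECKS = {"O20": check_appinit, "O6": check_ie_policy, "O23": check_service}


def triage(log_text: str) -> list:
    """Return a Finding for every line one of the checks objects to."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        check = CHECKS.get(m.group("sec"))
        if check is None:
            continue
        reason = check(m.group("body"))
        if reason:
            findings.append(Finding(m.group("sec"), reason, raw))
    return findings


def cfscript_for_appinit(path: str) -> str:
    """Reproduce the ComboFix CFScript the helper posted above: quarantine
    the file, then delete the registry value ('"name"=-' in .reg syntax
    deletes a value rather than setting it)."""
    return (
        "File::\n"
        f"{path}\n"
        "\n"
        "Registry::\n"
        "[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\windows]\n"
        "\"appinit_dlls\"=-\n"
    )


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
    for f in triage(SAMPLE_LOG):
        if f.section == "O20":
            print(cfscript_for_appinit(appinit_paths(f.line.split(" - ", 1)[1])[0]))
```

The point a practitioner should take from the CFScript is the trailing `=-`: in .reg syntax that deletes the `appinit_dlls` value outright rather than leaving an empty string behind, which is what you want, since an empty AppInit_DLLs value still gets parsed on every process start. The `File::` line is needed as well, because clearing the registry value alone leaves the .dat payload on disk for the next dropper to re-register.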

Raynor69
2007-09-21, 16:57
Thank you for the help, I have it fixed... ran ComboFix and it found and deleted the entry just fine.

Mr_JAk3
2007-09-22, 16:30
Hi :)

I would like to see the results in order to verify that you're clean....


tashi
2007-10-06, 00:37
As the information requested has not been provided, this topic has been moved to archives.

If you need it re-opened, please send me a private message (pm) and provide a link to the thread.

Applies only to the original poster, anyone else with similar problems please start a new topic.


5) Final Run:
Towards the end of a cleanup please make sure you follow through with any final log requested even if it appears to you that your computer is back to normal operation.
As much as we like our members ;) we would rather not see you back in a few weeks because there was no follow up with the helper.
http://forums.spybot.info/showpost.php?p=1150&postcount=2
