win32.PornPopup problem



georgeant
2010-09-28, 02:44
Hello there. I have this problem with win32.PornPopup. Spybot reports that the problem is fixed, but after a few days it comes back. I did download ERUNT and made the backup. I also downloaded DDS, so this is my log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by George at 3:32:51,07 on 28/09/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_21
Microsoft Windows 7 Ultimate 6.1.7600.0.1253.30.1033.18.3062.1606 [GMT 3:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\IM Magician\vicamon.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Windows Live\Mail\wlmail.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtblfs.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\George\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.gr/
uURLSearchHooks: Messenger Plus Live Greece Toolbar: {aca12d39-b4c1-42f6-a487-aaf892905f9f} - c:\program files\messenger_plus_live_greece\tbMess.dll
uURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuz1.dll
mURLSearchHooks: Messenger Plus Live Greece Toolbar: {aca12d39-b4c1-42f6-a487-aaf892905f9f} - c:\program files\messenger_plus_live_greece\tbMess.dll
mURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuz1.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\ievkbd.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Messenger Plus Live Greece Toolbar: {aca12d39-b4c1-42f6-a487-aaf892905f9f} - c:\program files\messenger_plus_live_greece\tbMess.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuz1.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Microsoft Web Test Recorder 10.0 Helper: {dda57003-0068-4ed2-9d32-4d1ec707d94d} - c:\program files\microsoft visual studio 10.0\common7\ide\privateassemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
TB: Messenger Plus Live Greece Toolbar: {aca12d39-b4c1-42f6-a487-aaf892905f9f} - c:\program files\messenger_plus_live_greece\tbMess.dll
TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuz1.dll
EB: Web Test Recorder 10.0: {5802d092-1784-4908-8cdb-99b6842d353d} - mscoree.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Google Update] "c:\users\george\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IMMON] "c:\program files\im magician\Vicamon.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Free YouTube to Mp3 Converter - c:\users\george\appdata\roaming\dvdvideosoftiehelpers\youtubetomp3.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\george\appdata\roaming\mozilla\firefox\profiles\t50vz5c3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.gr/
FF - component: c:\program files\microsoft\search enhancement pack\default manager\dmextension\components\FFGlobalExtension.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - component: c:\users\george\appdata\roaming\mozilla\firefox\profiles\t50vz5c3.default\extensions\{aca12d39-b4c1-42f6-a487-aaf892905f9f}\components\FFExternalAlert.dll
FF - component: c:\users\george\appdata\roaming\mozilla\firefox\profiles\t50vz5c3.default\extensions\{aca12d39-b4c1-42f6-a487-aaf892905f9f}\components\RadioWMPCore.dll
FF - component: c:\users\george\appdata\roaming\mozilla\firefox\profiles\t50vz5c3.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\FFExternalAlert.dll
FF - component: c:\users\george\appdata\roaming\mozilla\firefox\profiles\t50vz5c3.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\RadioWMPCore.dll
FF - component: c:\users\george\appdata\roaming\mozilla\firefox\profiles\t50vz5c3.default\extensions\engine@conduit.com\components\FFExternalAlert.dll
FF - component: c:\users\george\appdata\roaming\mozilla\firefox\profiles\t50vz5c3.default\extensions\engine@conduit.com\components\RadioWMPCore.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\george\appdata\local\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\users\george\appdata\roaming\mozilla\firefox\profiles\t50vz5c3.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2009-11-3 21520]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 avp;Kaspersky Anti-Virus;c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe -r --> c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe -r [?]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
R3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys [2010-5-23 32256]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 19472]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-14 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-14 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-14 661504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 VSPerfDrv100;Performance Tools Driver 10.0;c:\program files\microsoft visual studio 10.0\team tools\performance tools\VSPerfDrv100.sys [2009-12-8 48128]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-7-23 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]
S4 wlcrasvc;Windows Live Devices remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-7-31 49504]

=============== Created Last 30 ================

2010-09-23 17:56:22 315392 ----a-w- c:\windows\system32\NCTAudioPlayer2.dll
2010-09-23 17:56:22 1843200 ----a-w- c:\windows\system32\NCTAudioFile2.dll
2010-09-23 17:56:22 120832 ----a-w- c:\windows\system32\lame_enc.dll
2010-09-23 17:56:22 1040384 ----a-w- c:\windows\system32\NCTAudioInformation2.dll
2010-09-23 17:49:54 0 d-----w- c:\users\george\appdata\roaming\GetRightToGo
2010-09-23 17:37:53 0 d---a-w- c:\programdata\TEMP
2010-09-23 17:37:51 0 d-----w- c:\programdata\Socusoft
2010-09-23 15:31:37 26 ----a-w- c:\windows\dvdSanta.INI
2010-09-23 15:30:57 0 d-----w- C:\TempDVD
2010-09-23 15:30:52 0 d-----w- C:\dvdsanta
2010-09-23 15:30:46 0 d-----w- c:\program files\dvdSanta
2010-09-15 03:02:26 316928 ----a-w- c:\windows\system32\spoolsv.exe
2010-09-09 22:39:14 2826240 ----a-w- c:\windows\system32\GPhotos.scr
2010-09-09 17:57:26 0 d-----w- c:\users\george\appdata\roaming\Vimisoft Studio
2010-09-09 17:57:08 77824 ----a-w- c:\windows\system32\vgf.dll
2010-09-09 17:57:08 73728 ----a-r- c:\windows\system32\exvmuvc.ax
2010-09-09 17:57:08 450560 ----a-w- c:\windows\system32\newlistview2.dll
2010-09-09 17:57:07 8990 ----a-w- c:\windows\Product.ico
2010-09-09 17:57:07 4608 --sha-w- c:\windows\Thumbs.db
2010-09-09 17:57:07 15086 ----a-w- c:\windows\uninstall.ico
2010-09-09 17:57:07 0 d-----w- c:\program files\common files\Vimisoft Studio
2010-09-09 17:56:50 0 d-----w- c:\program files\Vimicro Corporation
2010-09-09 17:56:09 0 d-----w- c:\program files\IM Magician
2010-09-09 14:56:25 0 d-----w- c:\users\george\appdata\roaming\Microsoft FxCop
2010-09-09 13:50:33 79896 ----a-w- c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.1.2531.0.dll
2010-09-09 13:49:27 0 d-----w- c:\windows\system32\RsFx
2010-09-06 18:27:24 0 d-----w- c:\users\george\appdata\roaming\Microsoft Corporation
2010-09-05 15:11:46 0 d-----w- c:\users\george\appdata\roaming\FLEXnet
2010-09-05 15:04:20 0 d-----w- c:\program files\common files\Macrovision Shared
2010-09-05 15:03:11 0 d-----w- c:\programdata\FLEXnet
2010-09-05 15:03:11 0 d-----w- c:\program files\InstallShield
2010-09-05 12:02:12 0 d-----w- c:\programdata\PreEmptive Solutions
2010-09-05 11:44:46 0 d-----w- c:\program files\common files\Merge Modules
2010-09-05 01:52:31 89960 ----a-w- c:\windows\system32\SQSRVRES.DLL
2010-09-05 01:10:33 0 d-----w- c:\windows\system32\appmgmt
2010-09-05 00:05:10 50200 ----a-w- c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll
2010-09-04 17:23:00 0 d-----w- C:\bk
2010-09-04 14:06:25 65536 --sha-w- c:\users\george\ntuser.dat{1b189859-b827-11df-9360-001eec5c20a8}.TM.blf
2010-09-04 14:06:25 524288 --sha-w- c:\users\george\ntuser.dat{1b189859-b827-11df-9360-001eec5c20a8}.TMContainer00000000000000000002.regtrans-ms
2010-09-04 14:06:25 524288 --sha-w- c:\users\george\ntuser.dat{1b189859-b827-11df-9360-001eec5c20a8}.TMContainer00000000000000000001.regtrans-ms
2010-09-02 10:04:59 0 d-----w- c:\programdata\Microsoft Visual Studio
2010-09-02 09:36:27 0 d-----w- c:\program files\Microsoft ASP.NET
2010-09-02 09:36:20 0 d-----w- c:\program files\IIS
2010-09-02 09:24:36 0 d-----w- c:\windows\system32\1033
2010-09-01 11:58:40 0 d-----w- c:\program files\Microsoft SQL Server
2010-09-01 11:58:28 0 d-----w- c:\program files\Microsoft Synchronization Services
2010-09-01 11:55:49 0 d-----w- c:\program files\Microsoft Visual Studio 10.0
2010-09-01 11:55:49 0 d-----w- c:\program files\Microsoft Help Viewer

==================== Find3M ====================

2010-08-10 16:44:38 49016 ----a-w- c:\windows\system32\sirenacm.dll
2010-08-10 16:39:02 297328 ----a-w- c:\windows\WLXPGSS.SCR
2010-08-03 08:24:31 87608 ----a-w- c:\users\george\appdata\roaming\inst.exe
2010-08-03 08:24:31 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2010-08-03 08:24:31 47360 ----a-w- c:\users\george\appdata\roaming\pcouffin.sys
2010-07-29 18:39:20 209280 ----a-w- c:\windows\system32\LIVESSP.DLL
2010-07-29 06:30:49 197632 ----a-w- c:\windows\system32\ir32_32.dll
2010-07-29 06:30:34 82944 ----a-w- c:\windows\system32\iccvid.dll
2010-07-17 02:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-14 23:21:38 137752 ----a-w- c:\windows\hpoins44.dat
2010-06-30 06:25:31 978432 ----a-w- c:\windows\system32\wininet.dll
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 3:33:59,68 ===============


Thanks in advance.

peku006
2010-10-01, 13:28
Hi georgeant

IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) file sharing programs on your computer.

Vuze


I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

After that:

Please download GMER Rootkit Scanner from here (http://www.gmer.net/download.php).
Double-click the .exe file. If asked to allow the gmer.sys driver to load, please consent.
If it gives you a warning at program start about rootkit activity and asks if you want to run a scan, click NO.
Run GMER again and click on the Rootkit tab.
Look at the right-hand side (under Files) and uncheck all drives with the exception of your C drive.
Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
Click on "Scan" and wait for the scan to finish.
Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it, right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information into your next reply.
Note: If you have any problems, try running GMER in SAFE MODE (http://www.bleepingcomputer.com/forums/tutorial61.html).
Important! Please do not select the "Show all" checkbox during the scan.

Please post the GMER log into your next reply.

Thanks peku006

georgeant
2010-10-01, 16:05
Hi peku006, thanks for your reply. I uninstalled Vuze and I ran the GMER scanner. I am trying to post the log, but it says that the text is too long.

peku006
2010-10-01, 16:18
Hi,
you need to attach the .txt file created by GMER.

georgeant
2010-10-01, 16:51
I am attaching two separate files, if that's not a problem, because it wouldn't let me upload a larger file. Thanks.

peku006
2010-10-01, 17:18
Hi georgeant

We will continue with ComboFix.exe. Please visit this webpage for download links and instructions for running the tool.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs, see here (http://www.bleepingcomputer.com/forums/topic114351.html).

When finished, it will produce a log for you.
Please include C:\ComboFix.txt in your next reply for further review.


Thanks peku006

georgeant
2010-10-02, 02:25
Hello peku006, I am posting the ComboFix log.

ComboFix 10-10-01.01 - George 02/10/2010 3:11.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1253.30.1033.18.3062.2167 [GMT 3:00]
Running from: c:\users\George\Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\users\George\AppData\Roaming\inst.exe

----- BITS: Possible infected sites -----

hxxp://wlxindex
.
((((((((((((((((((((((((( Files Created from 2010-09-02 to 2010-10-02 )))))))))))))))))))))))))))))))
.

2010-09-29 00:00 . 2010-03-04 04:04 146304 ----a-w- c:\windows\system32\drivers\usbvideo.sys
2010-09-29 00:00 . 2010-03-04 03:57 190976 ----a-w- c:\windows\system32\drivers\ks.sys
2010-09-28 23:25 . 2010-06-19 06:15 2048 ----a-w- c:\windows\system32\tzres.dll
2010-09-28 00:29 . 2010-09-28 00:31 -------- d-----w- c:\program files\ERUNT
2010-09-25 15:00 . 2010-09-05 13:42 58368 ----a-w- c:\users\George\AppData\Roaming\Mozilla\Firefox\Profiles\t50vz5c3.default\extensions\engine@conduit.com\components\FFExternalAlert.dll
2010-09-25 15:00 . 2010-09-05 13:42 101376 ----a-w- c:\users\George\AppData\Roaming\Mozilla\Firefox\Profiles\t50vz5c3.default\extensions\engine@conduit.com\components\RadioWMPCore.dll
2010-09-23 17:56 . 2004-12-08 10:21 1843200 ----a-w- c:\windows\system32\NCTAudioFile2.dll
2010-09-23 17:56 . 2004-12-08 08:38 1040384 ----a-w- c:\windows\system32\NCTAudioInformation2.dll
2010-09-23 17:56 . 2004-12-01 11:43 315392 ----a-w- c:\windows\system32\NCTAudioPlayer2.dll
2010-09-23 17:56 . 2002-03-19 04:18 120832 ----a-w- c:\windows\system32\lame_enc.dll
2010-09-23 17:49 . 2010-09-23 17:55 -------- d-----w- c:\users\George\AppData\Roaming\GetRightToGo
2010-09-23 17:37 . 2010-09-23 17:37 -------- d-----w- c:\programdata\Socusoft
2010-09-23 15:30 . 2010-09-23 15:30 -------- d-----w- C:\TempDVD
2010-09-23 15:30 . 2010-09-23 15:35 -------- d-----w- C:\dvdsanta
2010-09-23 15:30 . 2010-09-25 13:35 -------- d-----w- c:\program files\dvdSanta
2010-09-16 15:20 . 2010-09-16 15:20 850520 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\updater.dll
2010-09-16 15:20 . 2010-09-16 15:20 850448 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\updater.dll
2010-09-15 03:02 . 2010-08-21 05:32 316928 ----a-w- c:\windows\system32\spoolsv.exe
2010-09-09 22:39 . 2010-09-09 22:39 2826240 ----a-w- c:\windows\system32\GPhotos.scr
2010-09-09 17:57 . 2010-09-09 17:57 -------- d-----w- c:\users\George\AppData\Roaming\Vimisoft Studio
2010-09-09 17:57 . 2009-03-03 08:55 450560 ----a-w- c:\windows\system32\newlistview2.dll
2010-09-09 17:57 . 2009-02-09 08:13 77824 ----a-w- c:\windows\system32\vgf.dll
2010-09-09 17:57 . 2010-09-09 17:57 -------- d-----w- c:\program files\Common Files\Vimisoft Studio
2010-09-09 17:56 . 2010-09-09 17:56 -------- d-----w- c:\program files\Vimicro Corporation
2010-09-09 17:56 . 2010-09-09 17:57 -------- d-----w- c:\program files\IM Magician
2010-09-09 17:54 . 2010-09-09 17:54 -------- d-----w- c:\users\George\AppData\Roaming\InstallShield
2010-09-09 17:40 . 2010-09-09 17:40 -------- d-----w- c:\users\George\AppData\Local\ElevatedDiagnostics
2010-09-09 14:56 . 2010-09-09 14:56 -------- d-----w- c:\users\George\AppData\Roaming\Microsoft FxCop
2010-09-09 13:50 . 2009-07-23 03:08 79896 ----a-w- c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.1.2531.0.dll
2010-09-09 13:49 . 2010-09-09 13:49 -------- d-----w- c:\windows\system32\RsFx
2010-09-06 18:27 . 2010-09-06 18:27 -------- d-----w- c:\users\George\AppData\Roaming\Microsoft Corporation
2010-09-06 16:40 . 2010-09-06 16:40 -------- d-----w- c:\users\George\AppData\Local\PreEmptive Solutions
2010-09-06 16:38 . 2010-09-06 16:38 -------- d-----w- c:\users\George\AppData\Local\IsolatedStorage
2010-09-05 15:11 . 2010-09-05 15:11 -------- d-----w- c:\users\George\AppData\Roaming\FLEXnet
2010-09-05 15:04 . 2010-09-05 15:04 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2010-09-05 15:03 . 2010-09-05 15:04 -------- d-----w- c:\programdata\FLEXnet
2010-09-05 15:03 . 2010-09-05 15:03 -------- d-----w- c:\program files\InstallShield
2010-09-05 15:01 . 2010-09-05 15:01 -------- d-----w- c:\users\George\AppData\Local\Downloaded Installations
2010-09-05 12:02 . 2010-09-05 12:02 -------- d-----w- c:\programdata\PreEmptive Solutions
2010-09-05 11:45 . 2010-09-05 11:45 -------- d-----w- c:\windows\symbols
2010-09-05 11:44 . 2010-09-06 17:03 -------- d-----w- c:\program files\Common Files\Merge Modules
2010-09-05 01:52 . 2010-06-19 03:21 89960 ----a-w- c:\windows\system32\SQSRVRES.DLL
2010-09-05 00:21 . 2010-09-05 00:21 -------- d-----w- c:\users\George\AppData\Local\Microsoft_Corporation
2010-09-05 00:05 . 2009-07-23 03:08 50200 ----a-w- c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll
2010-09-04 17:23 . 2010-09-04 19:55 -------- d-----w- C:\bk
2010-09-02 17:06 . 2010-09-02 17:06 -------- d-----w- c:\program files\Google
2010-09-02 10:04 . 2010-09-02 10:04 -------- d-----w- c:\programdata\Microsoft Visual Studio
2010-09-02 09:45 . 2010-09-02 09:45 -------- d-----w- c:\program files\Microsoft Sync Framework
2010-09-02 09:36 . 2010-09-02 09:36 -------- d-----w- c:\program files\Microsoft ASP.NET
2010-09-02 09:36 . 2010-09-02 09:36 -------- d-----w- c:\program files\IIS
2010-09-02 09:34 . 2010-09-09 13:42 1463968 ----a-w- c:\programdata\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
2010-09-02 09:24 . 2010-09-09 13:47 -------- d-----w- c:\windows\system32\1033
2010-09-02 09:20 . 2010-09-05 01:59 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-02 00:07 . 2010-05-23 02:31 -------- d-----w- c:\users\George\AppData\Roaming\Skype
2010-10-02 00:01 . 2010-05-23 02:32 -------- d-----w- c:\users\George\AppData\Roaming\skypePM
2010-10-02 00:00 . 2010-05-23 11:51 -------- d-----w- c:\programdata\Kaspersky Lab
2010-09-29 21:47 . 2010-07-13 09:54 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-09-29 21:47 . 2010-05-23 04:22 -------- d-----w- c:\users\George\AppData\Roaming\Azureus
2010-09-29 21:46 . 2010-05-23 04:56 -------- d-----w- c:\program files\CCleaner
2010-09-29 00:39 . 2010-08-20 22:55 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-25 23:19 . 2010-05-23 02:39 -------- d-----w- c:\program files\Messenger Plus! Live
2010-09-17 15:19 . 2010-07-15 21:56 -------- d-----w- c:\users\George\AppData\Roaming\Windows Live Writer
2010-09-15 06:04 . 2010-05-23 03:08 -------- d-----w- c:\programdata\Microsoft Help
2010-09-14 18:35 . 2010-05-23 15:01 -------- d-----w- c:\users\George\AppData\Roaming\vlc
2010-09-09 17:56 . 2010-05-23 21:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-09 17:38 . 2010-05-23 20:57 -------- d-----w- c:\program files\Common Files\InstallShield
2010-09-09 14:15 . 2010-09-01 11:58 -------- d-----w- c:\program files\Microsoft SQL Server
2010-09-09 13:47 . 2010-05-23 03:10 -------- d-----w- c:\program files\Microsoft.NET
2010-09-06 17:07 . 2010-09-01 11:55 -------- d-----w- c:\program files\Microsoft Visual Studio 10.0
2010-09-05 15:03 . 2009-07-14 04:52 -------- d-----w- c:\program files\MSBuild
2010-09-05 01:10 . 2010-07-14 20:41 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-09-04 15:43 . 2010-05-23 18:43 48648 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\Markup.dll
2010-09-04 15:01 . 2010-05-25 17:03 -------- d-----w- c:\programdata\TamoSoft
2010-09-02 09:46 . 2010-09-01 11:55 -------- d-----w- c:\program files\Microsoft SDKs
2010-09-01 11:59 . 2010-09-01 11:57 205984 ----a-w- c:\programdata\Microsoft\VBExpress\10.0\1033\ResourceCache.dll
2010-09-01 11:58 . 2010-09-01 11:58 -------- d-----w- c:\program files\Microsoft Synchronization Services
2010-09-01 11:55 . 2010-09-01 11:55 -------- d-----w- c:\program files\Microsoft Help Viewer
2010-08-27 16:52 . 2010-07-08 19:28 -------- d-----w- c:\users\George\AppData\Roaming\Vso
2010-08-27 09:23 . 2010-08-27 09:23 310208 ----a-w- c:\users\George\AppData\Roaming\Azureus\plugins\mlab\ShaperProbeC.exe
2010-08-20 23:01 . 2010-05-23 02:19 -------- d-----w- c:\program files\Windows Live
2010-08-18 15:36 . 2010-08-18 15:36 170584 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\prloader.dll
2010-08-18 15:36 . 2010-08-18 15:36 340520 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\avp.exe
2010-08-18 14:18 . 2010-08-20 22:52 52224 ----a-w- c:\users\George\AppData\Roaming\Mozilla\Firefox\Profiles\t50vz5c3.default\extensions\{aca12d39-b4c1-42f6-a487-aaf892905f9f}\components\FFExternalAlert.dll
2010-08-18 14:18 . 2010-08-20 22:52 101376 ----a-w- c:\users\George\AppData\Roaming\Mozilla\Firefox\Profiles\t50vz5c3.default\extensions\{aca12d39-b4c1-42f6-a487-aaf892905f9f}\components\RadioWMPCore.dll
2010-08-12 14:09 . 2010-06-20 22:35 48648 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\Markup.dll
2010-08-12 13:37 . 2010-08-12 13:37 -------- d-----w- c:\program files\Common Files\Java
2010-08-12 13:36 . 2010-05-25 18:38 -------- d-----w- c:\program files\Java
2010-08-10 16:44 . 2010-08-10 16:44 49016 ----a-w- c:\windows\system32\sirenacm.dll
2010-08-10 16:39 . 2010-08-10 16:39 297328 ----a-w- c:\windows\WLXPGSS.SCR
2010-08-09 04:23 . 2010-08-09 04:23 20 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\bases\apu\ForDiff\apu0006.dat.bat
2010-08-03 08:24 . 2010-07-08 19:28 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2010-08-03 08:24 . 2010-07-08 19:28 47360 ----a-w- c:\users\George\AppData\Roaming\pcouffin.sys
2010-08-03 08:24 . 2010-07-08 19:28 47360 ----a-w- c:\users\George\AppData\Roaming\pcouffin.sys
2010-08-03 08:24 . 2010-08-03 08:24 -------- d-----w- c:\program files\VSO
2010-07-29 18:39 . 2010-07-29 18:39 209280 ----a-w- c:\windows\system32\LIVESSP.DLL
2010-07-29 17:29 . 2010-05-23 11:51 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-07-29 17:29 . 2010-05-23 11:51 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-07-29 06:30 . 2010-08-12 12:55 197632 ----a-w- c:\windows\system32\ir32_32.dll
2010-07-29 06:30 . 2010-08-12 12:55 82944 ----a-w- c:\windows\system32\iccvid.dll
2010-07-17 02:00 . 2010-05-25 18:38 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-14 23:21 . 2010-07-14 23:17 137752 ----a-w- c:\windows\hpoins44.dat
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{aca12d39-b4c1-42f6-a487-aaf892905f9f}"= "c:\program files\Messenger_Plus_Live_Greece\tbMess.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{aca12d39-b4c1-42f6-a487-aaf892905f9f}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{aca12d39-b4c1-42f6-a487-aaf892905f9f}]
2010-02-22 09:05 2353176 ----a-w- c:\program files\Messenger_Plus_Live_Greece\tbMess.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{aca12d39-b4c1-42f6-a487-aaf892905f9f}"= "c:\program files\Messenger_Plus_Live_Greece\tbMess.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{aca12d39-b4c1-42f6-a487-aaf892905f9f}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{ACA12D39-B4C1-42F6-A487-AAF892905F9F}"= "c:\program files\Messenger_Plus_Live_Greece\tbMess.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{aca12d39-b4c1-42f6-a487-aaf892905f9f}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-08-10 4217720]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-09-02 13351304]
"Google Update"="c:\users\George\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-05-23 136176]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe" [2010-08-18 340520]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 150552]
"IMMON"="c:\program files\IM Magician\Vicamon.exe" [2009-05-07 143360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~1\mzvkbd3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

[HKLM\~\startupfolder\C:^Users^George^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\George\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2010-04-01 09:16 357696 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 VSPerfDrv100;Performance Tools Driver 10.0;c:\program files\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\VSPerfDrv100.sys [2009-12-08 48128]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-07-23 47128]
R4 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys [2009-03-30 239336]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2010-05-23 691696]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 366936]
R4 wlcrasvc;Windows Live Devices remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-07-31 49504]
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2009-11-03 21520]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [2007-04-25 32256]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-10-02 19472]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-09-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1900014311-2347012936-2808965523-1001Core.job
- c:\users\George\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-23 21:42]

2010-10-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1900014311-2347012936-2808965523-1001UA.job
- c:\users\George\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-23 21:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.gr/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Free YouTube to Mp3 Converter - c:\users\George\AppData\Roaming\DVDVideoSoftIEHelpers\youtubetomp3.htm
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
FF - ProfilePath - c:\users\George\AppData\Roaming\Mozilla\Firefox\Profiles\t50vz5c3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.gr/
FF - component: c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DMExtension\components\FFGlobalExtension.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - component: c:\users\George\AppData\Roaming\Mozilla\Firefox\Profiles\t50vz5c3.default\extensions\{aca12d39-b4c1-42f6-a487-aaf892905f9f}\components\FFExternalAlert.dll
FF - component: c:\users\George\AppData\Roaming\Mozilla\Firefox\Profiles\t50vz5c3.default\extensions\{aca12d39-b4c1-42f6-a487-aaf892905f9f}\components\RadioWMPCore.dll
FF - component: c:\users\George\AppData\Roaming\Mozilla\Firefox\Profiles\t50vz5c3.default\extensions\engine@conduit.com\components\FFExternalAlert.dll
FF - component: c:\users\George\AppData\Roaming\Mozilla\Firefox\Profiles\t50vz5c3.default\extensions\engine@conduit.com\components\RadioWMPCore.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\George\AppData\Local\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\users\George\AppData\Roaming\Mozilla\Firefox\Profiles\t50vz5c3.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\windows\system32\TVUAx\npTVUAx.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-12Voip - c:\windows.old\Program Files\12Voip.com\12Voip\12voip.exe


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-10-02 03:20:39
ComboFix-quarantined-files.txt 2010-10-02 00:20

Pre-Run: 6.546.022.400 bytes free
Post-Run: 6.473.961.472 bytes free

- - End Of File - - 71E8C8F7CB332EB955073DD28225F0AE

georgeant
2010-10-02, 03:07
By the way, after the ComboFix scan my Kaspersky won't update. It says "task failed. Object not found".

peku006
2010-10-02, 09:50
Hi georgeant

ESET online scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.


Hold down Control then click on the following link to open a new window to ESET online scanner (http://www.eset.com/onlinescan/)
Then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS1.gif

Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox. Select the option YES, I accept the Terms of Use then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif
When prompted allow the Add-On/Active X to install.
Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
Now click on Advanced Settings and select the following:

Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS3.gif
The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
When completed the Online Scan will begin automatically.
Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
When completed, select Uninstall application on close if you so wish; make sure you copy the logfile first!
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS4.gif
Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
Copy and paste that log as a reply to this topic.

Thanks peku006

georgeant
2010-10-02, 16:06
hi peku006

Here is the log of ESET

C:\System Volume Information\_restore{F7498E77-1F67-4B17-88E7-CAD9E0AD4135}\RP287\A0051851.lnk Win32/Adware.ADON application
C:\System Volume Information\_restore{F7498E77-1F67-4B17-88E7-CAD9E0AD4135}\RP287\A0051852.lnk Win32/Adware.ADON application
C:\Users\George\Documents\Vuze Downloads\Nero 7.10.1.0 (stew's)\Nero-7.10.1.0_eng_full.exe Win32/Toolbar.AskSBar application
C:\Users\George\Downloads\MsgPlusLive-484.exe a variant of Win32/MessengerPlus application
C:\Users\George\Downloads\MsgPlusLive-485(2).exe a variant of Win32/MessengerPlus application
C:\Users\George\Downloads\MsgPlusLive-485.exe a variant of Win32/MessengerPlus application

peku006
2010-10-02, 16:32
Hi georgeant

Security Check
Please download Security Check (http://screen317.spywareinfoforum.org/SecurityCheck.exe) ... by screen317. Save it to your desktop.
Alternate download site: Link 2 (http://screen317.changelog.fr/SecurityCheck.exe)
Double click the SecurityCheck.exe icon to begin.
Press the Space Bar when you see the "press any key to continue..." message.
A Notepad results file will open automatically called checkup.txt
Save "checkup.txt" to your desktop. (This output file is NOT automatically saved!)
Please copy/paste the entire contents of the checkup.txt file into your next reply.

How's the computer running now? Any problems?

Thanks peku006

georgeant
2010-10-02, 17:30
hi peku006

The computer works fine, it's not slow or anything. My internet connection goes a little slow sometimes. My anti-virus updated successfully after I changed the time (from 16:30 to 16:31). Here is the new log:

Results of screen317's Security Check version 0.99.5
Windows 7 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
Kaspersky Anti-Virus 2010
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
CCleaner
Java(TM) 6 Update 21
Adobe Flash Player 9 (Out of date Flash Player installed!)
Adobe Flash Player 10.1.85.3
Adobe Reader 9.3.4
````````````````````````````````
Process Check:
objlist.exe by Laurent
Kaspersky Lab Kaspersky Anti-Virus 2010 avp.exe
Kaspersky Lab Kaspersky Anti-Virus 2010 klwtblfs.exe
````````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````

georgeant
2010-10-02, 17:35
By the way, before this I ran a Spybot scan and Win32.PornPopup appeared again, but I didn't choose to fix the problem as I am waiting for instructions.

peku006
2010-10-03, 08:58
Hi georgeant

Please post spybot report

Thanks peku006

georgeant
2010-10-03, 14:01
hi peku006

I am attaching the Spybot report.

peku006
2010-10-03, 14:42
Hi georgeant

They are cookies in your Chrome.
Please delete your cookies manually.

Here (http://www.google.com/support/chrome/bin/answer.py?hl=en&answer=95647&from=95626&rd=1) are instructions.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:


:filefind
Win32.pornpopup
:folderfind
Win32.pornpopup
:regfind
Win32.pornpopup


Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Thanks peku006

georgeant
2010-10-03, 15:03
hello peku006

here is the log
SystemLook 04.09.10 by jpshortstuff
Log created at 16:00 on 03/10/2010 by George
Administrator - Elevation successful

========== filefind ==========

Searching for "Win32.pornpopup"
No files found.

========== folderfind ==========

Searching for "Win32.pornpopup"
No folders found.

========== regfind ==========

Searching for "Win32.pornpopup"
No data found.

-= EOF =-

peku006
2010-10-03, 15:35
Hi georgeant

Please update your Adobe Flash Player........

After that.............

Your log now appears to be clean. Congratulations! :yahoo:

To remove all of the tools we used and the files and folders they created do the following:

Delete SecurityCheck and SystemLook from your desktop.

Download OTC (http://oldtimer.geekstogo.com/OTC.exe) by Old Timer and save it to your Desktop.

Double-click OTC.exe
Click the CleanUp! button
Select Yes when the "Begin cleanup Process?" prompt appears
If you are prompted to Reboot during the cleanup, select Yes
The tool will delete itself once it finishes; if not, delete it yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore-Vista

Click the Vista/Start icon.
Right Click >> Computer
Click Properties.
Click the System Protection tab.
Uncheck All drives
Click Turn Off System Restore at the prompt then click Apply.
Restart your computer.

Turn ON System Restore-Vista

Click the Vista/Start icon
Right Click >> Computer
Click Properties.
Click the System Protection tab.
Checkmark All drives that were selected previously then click Apply.

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com

Here are some things that I think are worth having a look at if you don't already know about them:

Spybot Search and Destroy
Download it from here (http://www.safer-networking.org/en/mirrors/index.html). Just choose a mirror and off you go.
Find the tutorial on how to use Spybot properly here (http://www.bleepingcomputer.com/tutorials/tutorial43.html)

SpyWare Blaster
Download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
Find the tutorial on how to use Spyware Blaster here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)

WinPatrol
Download it from here (http://www.winpatrol.com/download.html)
You can find information about how WinPatrol works here (http://www.winpatrol.com/features.html)

FireTrust SiteHound
You can find information and download it from here (http://www.firetrust.com/en/products/sitehound)

MVPS Hosts File from here (http://mvps.org/winhelp2002/hosts.htm)
The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Find the tutorial here: http://www.mvps.org/winhelp2002/hosts.htm

Please check out Tony Klein's article "How did I get infected in the first place?" (http://forums.spybot.info/showthread.php?t=279)

Read some information here (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) how to prevent Malware.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy safe surfing! :bigthumb:

peku006
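
As an added example, not part of the original thread and not code from MVPS or any tool named in it, the Python script below shows the HOSTS-file technique from the post above from the checking side: it parses a HOSTS file, lists the names that are sinkholed to the local machine (127.0.0.1, 0.0.0.0 or ::1), and flags any entry that points a name at a non-local address, which is what a tampered HOSTS file looks like when malware redirects update or security sites. The sample HOSTS content, hostnames and addresses inside it are constructed placeholders.

```python
"""Audit a HOSTS file for local sinkholes and suspicious redirects.

Added example for the MVPS HOSTS discussion; not from the forum thread
or the MVPS project. The SAMPLE_HOSTS text below is constructed.
"""
import ipaddress
from typing import Dict, List, Tuple, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample: a header comment, the usual localhost lines, two
# MVPS-style sinkhole entries (one with two names on a line) and one
# entry that sends a (made-up) vendor update host to a remote address.
SAMPLE_HOSTS = """\
# constructed HOSTS sample for the audit example
127.0.0.1  localhost
::1        localhost
0.0.0.0    ads.example-tracker.test        # ad server (constructed)
127.0.0.1  banner.example-adnet.test clicks.example-adnet.test
10.11.12.13  update.example-antivirus.test  # not local: suspicious
"""

# Addresses that keep traffic on the local machine; anything else in a
# HOSTS file is a real redirect and deserves a look.
LOCAL_SINKHOLES = {
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("0.0.0.0"),
    ipaddress.ip_address("::1"),
}


def parse_hosts(text: str) -> Dict[str, Address]:
    """Return {hostname: address}. Comments, blank and malformed lines are skipped.

    A line may carry several hostnames after the address; later lines win
    for a repeated name, which matches how resolvers read the file.
    """
    mapping: Dict[str, Address] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                          # address without a name
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # not an IP address; ignore
        for name in fields[1:]:
            mapping[name.lower()] = addr
    return mapping


def audit_hosts(text: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split entries into (locally sinkholed names, [(name, remote address)])."""
    sinkholed: List[str] = []
    suspicious: List[Tuple[str, str]] = []
    for name, addr in parse_hosts(text).items():
        if name == "localhost":
            continue                          # expected, not a block entry
        if addr in LOCAL_SINKHOLES:
            sinkholed.append(name)
        else:
            suspicious.append((name, str(addr)))
    return sorted(sinkholed), sorted(suspicious)


def resolves_locally(text: str, name: str) -> bool:
    """True if the HOSTS text pins `name` to the local machine (case-insensitive)."""
    addr = parse_hosts(text).get(name.lower())
    return addr is not None and addr in LOCAL_SINKHOLES


if __name__ == "__main__":
    blocked, odd = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(blocked)} names sinkholed locally: {blocked}")
    for host, addr in odd:
        print(f"WARNING: {host} -> {addr} is not a local sinkhole")
```

To run it against a real file, read the system HOSTS file (on Windows, %SystemRoot%\System32\drivers\etc\hosts) into a string and pass it to audit_hosts; an empty "suspicious" list is the expected result on a machine with only the MVPS entries installed.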

georgeant
2010-10-03, 16:21
hello peku006

Thank you so much for your help, now the Spybot scan is clean :)

You were very helpful

peku006
2010-10-04, 18:14
As this issue appears to be resolved, this topic is now closed.

We are pleased to have been of some help in getting you clean.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read :
Your donation helps improving Spybot-S&D! (http://www.safer-networking.org/en/donate/index.html)