PDA

View Full Version : Firstadsolution popups



Mritter26
2006-08-29, 07:17
Hello! I need help getting rid of these darn popups! The window first says Firstadsolution.
Here is my Hijackthis report
Logfile of HijackThis v1.99.1
Scan saved at 12:16:55 AM, on 8/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS.0\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\Explorer.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS.0\CTHELPER.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\WINDOWS.0\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\WINDOWS.0\win3207421387864.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Maplom\Maplom.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\WINDOWS.0\Duce6.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Anti-spyware\HijackThis(2).exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS.0\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS.0\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKLM\..\Run: [win3207421387864] C:\WINDOWS.0\win3207421387864.exe
O4 - HKLM\..\Run: [ms05644213878] C:\WINDOWS.0\ms05644213878.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS.0\Duce6.exe
O4 - HKCU\..\Run: [Maplom] C:\Program Files\Maplom\Maplom.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows.0\system32\nvappfilter.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livewc01.custhelp.com/7540-b358h/rnl/java/RntX.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15023/CTPID.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS.0\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS.0\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.0\system32\nvsvc32.exe

Help please! =)

LonnyRJones
2006-09-01, 16:18
Hello
Can you tell me what this program is ?
C:\Program Files\Maplom
If not post a list of its contents and scan each file here
http://www.virustotal.com/flash/index_en.html

Mritter26
2006-09-05, 00:48
Maplom is Game Jackel. It allows me to buy my games, enter the serial number for them, and then make it so that I don't need the disk to be in the computer anymore when I play them!

Here is a newer report
Logfile of HijackThis v1.99.1
Scan saved at 5:45:04 PM, on 9/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS.0\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\wuauclt.exe
C:\WINDOWS.0\Explorer.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS.0\CTHELPER.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\WINDOWS.0\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS.0\Duce6.exe
C:\WINDOWS.0\win3206442138786.exe
C:\Program Files\Maplom\Maplom.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\talkback.exe
C:\Documents and Settings\Matthew Ritter.YOUR-D0CE7430EE\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: SynchronEyes - {8E1233B3-485A-4E51-B77E-9E075A68C588} - C:\Program Files\SynchronEyes Teacher 6.0\SEyesIeToolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS.0\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS.0\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS.0\Duce6.exe
O4 - HKLM\..\Run: [SMART Mirror Driver Monitor Service] "C:\Program Files\Common Files\SMART Techno
O4 - HKLM\..\Run: [win3206442138786] C:\WINDOWS.0\win3206442138786.exe
O4 - HKCU\..\Run: [Maplom] C:\Program Files\Maplom\Maplom.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows.0\system32\nvappfilter.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livewc01.custhelp.com/7540-b358h/rnl/java/RntX.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15023/CTPID.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS.0\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS.0\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.0\system32\nvsvc32.exe
O23 - Service: SMART Mirror Driver Monitor Service - SMART Technologies - C:\Program Files\Common Files\SMART Technologies Inc\Mirror Driver\monitorservice.exe

Thanks!

LonnyRJones
2006-09-05, 04:01
In WinPatrol's options have it not start with windows

Start Hijackthis and place a check next to these items If there.
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS.0\Duce6.exe
O4 - HKLM\..\Run: [win3206442138786] C:\WINDOWS.0\win3206442138786.exe
====================================
Hit fix checked and close Hijackthis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post a combofix log
1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
If the log is large You might need to post half in one reply half in another.

Mritter26
2006-09-07, 02:52
I didn't find either of those two objects I'm afraid, although, right as soon as Windows boots up, I get a winpatrol for that second object. Weird huh? I ran the combofix and here is the log.
Matthew Ritter - 06-09-06 19:47:44.09
ComboFix 06.08.27BT - Running from: C:\Documents and Settings\Matthew Ritter.YOUR-D0CE7430EE\Desktop

((((((((((((((((((((((((((((((( Files Created from 2006-08-06 to 2006-09-06 ))))))))))))))))))))))))))))))))))


2006-08-31 22:44 86,016 --a------ C:\StickMen.scr
2006-08-28 20:08 159,744 --a------ C:\WINDOWS.0\ms056442138782006.exe
2006-08-27 12:48 78,488 --a------ C:\WINDOWS.0\system32\XMD5.dll
2006-08-27 12:48 101,888 --a------ C:\WINDOWS.0\system32\vb6stkit.dll
2006-08-27 00:45 118,784 --a------ C:\WINDOWS.0\system32\MSSTDFMT.DLL
2006-08-26 00:55 215,308 --a------ C:\WINDOWS.0\srvxxobhed.exe
2006-08-21 16:48 53,248 --a------ C:\WINDOWS.0\uni_ehhhh.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-06 19:46 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-01 17:16 -------- d-------- C:\Documents and Settings\Matthew Ritter.YOUR-D0CE7430EE\Application Data\SMART Technologies Inc
2006-09-01 17:15 -------- d-------- C:\Program Files\SynchronEyes Teacher 6.0
2006-09-01 17:15 -------- d-------- C:\Program Files\Common Files\SMART Technologies Inc
2006-09-01 17:15 -------- d-------- C:\Program Files\Common Files
2006-08-31 22:46 -------- d-------- C:\Documents and Settings\Matthew Ritter.YOUR-D0CE7430EE\Application Data\U3
2006-08-28 23:58 -------- d---s---- C:\Documents and Settings\Matthew Ritter.YOUR-D0CE7430EE\Application Data\Microsoft
2006-08-28 22:47 -------- d-------- C:\Program Files\Common Files\Scanner
2006-08-28 20:04 -------- d-------- C:\Program Files\PCPitstop
2006-08-28 00:41 -------- d-------- C:\Program Files\BitLord
2006-08-27 00:45 -------- d-------- C:\Program Files\SpywareBlaster
2006-08-27 00:44 -------- d-------- C:\Program Files\PepiMK Software
2006-08-27 00:29 -------- d-------- C:\Documents and Settings\Matthew Ritter.YOUR-D0CE7430EE\Application Data\WinPatrol
2006-08-27 00:27 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-26 14:30 -------- d-------- C:\Documents and Settings\Matthew Ritter.YOUR-D0CE7430EE\Application Data\.bittorrent
2006-08-26 01:42 -------- d-------- C:\Documents and Settings\Matthew Ritter.YOUR-D0CE7430EE\Application Data\Opera
2006-08-26 01:40 -------- d-------- C:\Documents and Settings\Matthew Ritter.YOUR-D0CE7430EE\Application Data\Adobe
2006-08-26 01:24 -------- d-------- C:\Program Files\Common Files\Adobe
2006-08-26 01:23 -------- d-------- C:\Program Files\Adobe
2006-08-26 01:03 -------- d-------- C:\Program Files\Common Files\Adobe Systems Shared
2006-08-18 16:01 -------- d-------- C:\Documents and Settings\Matthew Ritter.YOUR-D0CE7430EE\Application Data\Macromedia
2006-08-18 15:59 -------- d-------- C:\Program Files\Macromedia
2006-08-17 11:57 -------- d-------- C:\Program Files\Yahoo!
2006-08-17 11:57 -------- d-------- C:\Program Files\HHD Software
2006-08-17 11:23 -------- d-------- C:\Program Files\Maplom
2006-08-12 15:21 98304 --a------ C:\WINDOWS.0\system32\CmdLineExt.dll
2006-08-12 14:39 777472 --a------ C:\WINDOWS.0\system32\drivers\avg7core.sys
2006-08-12 14:39 27904 --a------ C:\WINDOWS.0\system32\drivers\avg7rsxp.sys
2006-08-11 13:00 -------- d-------- C:\Program Files\Internet Explorer
2006-08-06 15:11 -------- d-------- C:\Documents and Settings\Matthew Ritter.YOUR-D0CE7430EE\Application Data\LimeWire
2006-08-02 19:27 -------- d-------- C:\Program Files\Bethesda Softworks
2006-08-02 13:13 -------- d-------- C:\Program Files\Plus!
2006-07-31 14:36 -------- d-------- C:\Program Files\Rockstar Games
2006-07-31 14:08 -------- d-------- C:\Documents and Settings\Matthew Ritter.YOUR-D0CE7430EE\Application Data\Atari
2006-07-31 14:06 -------- d-------- C:\Documents and Settings\Matthew Ritter.YOUR-D0CE7430EE\Application Data\Leadertech
2006-07-30 11:19 -------- d-------- C:\Program Files\Real
2006-07-29 23:23 -------- d-------- C:\Program Files\MSXML 4.0
2006-07-29 23:20 -------- d-------- C:\Program Files\Microsoft Games
2006-07-29 00:14 -------- d-------- C:\Program Files\Activision
2006-07-28 14:25 -------- d-------- C:\Program Files\Memware
2006-07-27 09:24 679424 --a------ C:\WINDOWS.0\system32\inetcomm.dll
2006-07-26 11:39 -------- d-------- C:\Documents and Settings\Matthew Ritter.YOUR-D0CE7430EE\Application Data\vlc
2006-07-24 06:46 -------- d-------- C:\Documents and Settings\Matthew Ritter.YOUR-D0CE7430EE\Application Data\uTorrent
2006-07-22 14:46 163644 --a------ C:\WINDOWS.0\system32\drivers\secdrv.sys
2006-07-21 04:24 72704 --a------ C:\WINDOWS.0\system32\hlink.dll
2006-07-18 00:12 -------- d-------- C:\Program Files\WinRAR
2006-07-16 21:02 -------- d-------- C:\Program Files\NovaLogic
2006-07-16 12:55 -------- d-------- C:\Documents and Settings\Matthew Ritter.YOUR-D0CE7430EE\Application Data\Yahoo!
2006-07-14 00:40 -------- d-------- C:\Program Files\AGEIA Technologies
2006-07-11 22:01 -------- d-------- C:\Documents and Settings\Matthew Ritter.YOUR-D0CE7430EE\Application Data\Help
2006-07-11 00:33 -------- d-------- C:\Program Files\Google
2006-07-10 22:21 -------- d-------- C:\Program Files\Privacy Guardian
2006-07-10 22:21 -------- d-------- C:\Program Files\CCleaner
2006-07-10 22:18 -------- d-------- C:\Program Files\Lavasoft
2006-07-10 22:18 -------- d-------- C:\Documents and Settings\Matthew Ritter.YOUR-D0CE7430EE\Application Data\Lavasoft
2006-07-10 22:11 -------- d-------- C:\Program Files\AOD
2006-07-10 22:11 -------- d-------- C:\Program Files\AIM
2006-07-10 22:11 -------- d-------- C:\Documents and Settings\Matthew Ritter.YOUR-D0CE7430EE\Application Data\Aim
2006-07-10 16:47 -------- d-------- C:\Documents and Settings\Matthew Ritter.YOUR-D0CE7430EE\Application Data\Talkback
2006-07-10 16:47 -------- d-------- C:\Documents and Settings\Matthew Ritter.YOUR-D0CE7430EE\Application Data\Mozilla
2006-07-10 16:41 4992 --a------ C:\WINDOWS.0\system32\drivers\avgtdi.sys
2006-07-10 16:41 23424 --a------ C:\WINDOWS.0\system32\drivers\avgmfrs.sys
2006-07-10 16:41 -------- d-------- C:\Documents and Settings\Matthew Ritter.YOUR-D0CE7430EE\Application Data\AVG7
2006-07-10 16:40 4288 --a------ C:\WINDOWS.0\system32\drivers\avg7rsw.sys
2006-07-10 16:40 -------- d-------- C:\Program Files\Grisoft
2006-07-10 16:36 98304 --a------ C:\WINDOWS.0\system32\nvapi.dll
2006-07-10 16:36 86016 --a------ C:\WINDOWS.0\system32\nvmctray.dll
2006-07-10 16:36 81920 --a------ C:\WINDOWS.0\system32\nvwddi.dll
2006-07-10 16:36 7561216 --a------ C:\WINDOWS.0\system32\nvcpl.dll
2006-07-10 16:36 573440 --a------ C:\WINDOWS.0\system32\nvhwvid.dll
2006-07-10 16:36 5419008 --a------ C:\WINDOWS.0\system32\nvoglnt.dll
2006-07-10 16:36 466944 --a------ C:\WINDOWS.0\system32\nvshell.dll
2006-07-10 16:36 45056 --a------ C:\WINDOWS.0\system32\nvmccsrs.dll
2006-07-10 16:36 442368 --a------ C:\WINDOWS.0\system32\nvappbar.exe
2006-07-10 16:36 425984 --a------ C:\WINDOWS.0\system32\keystone.exe
2006-07-10 16:36 3968512 --a------ C:\WINDOWS.0\system32\nv4_disp.dll
2006-07-10 16:36 3650368 --a------ C:\WINDOWS.0\system32\drivers\nv4_mini.sys
2006-07-10 16:36 35840 --a------ C:\WINDOWS.0\system32\nvcodins.dll
2006-07-10 16:36 35840 --a------ C:\WINDOWS.0\system32\nvcod.dll
2006-07-10 16:36 335872 --a------ C:\WINDOWS.0\system32\nvwrses.dll
2006-07-10 16:36 335872 --a------ C:\WINDOWS.0\system32\nvwrsel.dll
2006-07-10 16:36 327680 --a------ C:\WINDOWS.0\system32\nvwrsfr.dll
2006-07-10 16:36 327680 --a------ C:\WINDOWS.0\system32\nvwrsesm.dll
2006-07-10 16:36 327680 --a------ C:\WINDOWS.0\system32\nvrsar.dll
2006-07-10 16:36 323584 --a------ C:\WINDOWS.0\system32\nvwrspt.dll
2006-07-10 16:36 323584 --a------ C:\WINDOWS.0\system32\nvwrsit.dll
2006-07-10 16:36 323584 --a------ C:\WINDOWS.0\system32\nvrshe.dll
2006-07-10 16:36 319488 --a------ C:\WINDOWS.0\system32\nvwrsptb.dll
2006-07-10 16:36 319488 --a------ C:\WINDOWS.0\system32\nvwrsnl.dll
2006-07-10 16:36 315392 --a------ C:\WINDOWS.0\system32\nvwrsru.dll
2006-07-10 16:36 315392 --a------ C:\WINDOWS.0\system32\nvwrshu.dll
2006-07-10 16:36 311296 --a------ C:\WINDOWS.0\system32\nvwrsde.dll
2006-07-10 16:36 303104 --a------ C:\WINDOWS.0\system32\nvwrstr.dll
2006-07-10 16:36 303104 --a------ C:\WINDOWS.0\system32\nvwrssl.dll
2006-07-10 16:36 303104 --a------ C:\WINDOWS.0\system32\nvwrsfi.dll
2006-07-10 16:36 299008 --a------ C:\WINDOWS.0\system32\nvwrssk.dll
2006-07-10 16:36 299008 --a------ C:\WINDOWS.0\system32\nvwrsno.dll
2006-07-10 16:36 294912 --a------ C:\WINDOWS.0\system32\nvwrssv.dll
2006-07-10 16:36 294912 --a------ C:\WINDOWS.0\system32\nvwrspl.dll
2006-07-10 16:36 294912 --a------ C:\WINDOWS.0\system32\nvwrsda.dll
2006-07-10 16:36 286720 --a------ C:\WINDOWS.0\system32\nvwrseng.dll
2006-07-10 16:36 286720 --a------ C:\WINDOWS.0\system32\nvwrscs.dll
2006-07-10 16:36 286720 --a------ C:\WINDOWS.0\system32\nvnt4cpl.dll
2006-07-10 16:36 282624 --a------ C:\WINDOWS.0\system32\nvwrsar.dll
2006-07-10 16:36 282624 --a------ C:\WINDOWS.0\system32\nvrsfr.dll
2006-07-10 16:36 278528 --a------ C:\WINDOWS.0\system32\nvwrshe.dll
2006-07-10 16:36 278528 --a------ C:\WINDOWS.0\system32\nvrsit.dll
2006-07-10 16:36 278528 --a------ C:\WINDOWS.0\system32\nvrses.dll
2006-07-10 16:36 278528 --a------ C:\WINDOWS.0\system32\nvrsel.dll
2006-07-10 16:36 274432 --a------ C:\WINDOWS.0\system32\nvrsde.dll
2006-07-10 16:36 270336 --a------ C:\WINDOWS.0\system32\nvrspt.dll
2006-07-10 16:36 270336 --a------ C:\WINDOWS.0\system32\nvrsnl.dll
2006-07-10 16:36 270336 --a------ C:\WINDOWS.0\system32\nvrsesm.dll
2006-07-10 16:36 266240 --a------ C:\WINDOWS.0\system32\nvrsru.dll
2006-07-10 16:36 266240 --a------ C:\WINDOWS.0\system32\nvrsptb.dll
2006-07-10 16:36 266240 --a------ C:\WINDOWS.0\system32\nvrsja.dll
2006-07-10 16:36 258048 --a------ C:\WINDOWS.0\system32\nvrsko.dll
2006-07-10 16:36 258048 --a------ C:\WINDOWS.0\system32\nvrshu.dll
2006-07-10 16:36 253952 --a------ C:\WINDOWS.0\system32\nvrstr.dll
2006-07-10 16:36 253952 --a------ C:\WINDOWS.0\system32\nvrssl.dll
2006-07-10 16:36 253952 --a------ C:\WINDOWS.0\system32\nvrssk.dll
2006-07-10 16:36 253952 --a------ C:\WINDOWS.0\system32\nvrspl.dll
2006-07-10 16:36 249856 --a------ C:\WINDOWS.0\system32\nvrssv.dll
2006-07-10 16:36 249856 --a------ C:\WINDOWS.0\system32\nvrsno.dll
2006-07-10 16:36 249856 --a------ C:\WINDOWS.0\system32\nvrsda.dll
2006-07-10 16:36 245760 --a------ C:\WINDOWS.0\system32\nvrsfi.dll
2006-07-10 16:36 245760 --a------ C:\WINDOWS.0\system32\nvrseng.dll
2006-07-10 16:36 245760 --a------ C:\WINDOWS.0\system32\nvrscs.dll
2006-07-10 16:36 229376 --a------ C:\WINDOWS.0\system32\nvmccs.dll
2006-07-10 16:36 221184 --a------ C:\WINDOWS.0\system32\nvrszhc.dll
2006-07-10 16:36 212992 --a------ C:\WINDOWS.0\system32\nvwrsja.dll
2006-07-10 16:36 196608 --a------ C:\WINDOWS.0\system32\nvwrsko.dll
2006-07-10 16:36 180224 --a------ C:\WINDOWS.0\system32\nvudisp.exe
2006-07-10 16:36 167936 --a------ C:\WINDOWS.0\system32\nvwrszht.dll
2006-07-10 16:36 1662976 --a------ C:\WINDOWS.0\system32\nvwdmcpl.dll
2006-07-10 16:36 163840 --a------ C:\WINDOWS.0\system32\nvwrszhc.dll
2006-07-10 16:36 1519616 --a------ C:\WINDOWS.0\system32\nwiz.exe
2006-07-10 16:36 147456 --a------ C:\WINDOWS.0\system32\nvcolor.exe
2006-07-10 16:36 1466368 --a------ C:\WINDOWS.0\system32\nview.dll
2006-07-10 16:36 143436 --a------ C:\WINDOWS.0\system32\nvsvc32.exe
2006-07-10 16:36 1339392 --a------ C:\WINDOWS.0\system32\nvdspsch.exe
2006-07-10 16:36 122880 --a------ C:\WINDOWS.0\system32\nvrszht.dll
2006-07-10 16:36 1019904 --a------ C:\WINDOWS.0\system32\nvwimg.dll
2006-07-10 16:27 -------- d-------- C:\Program Files\AMD
2006-07-10 16:26 -------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2006-07-10 16:20 -------- d-------- C:\Program Files\NVIDIA Corporation
2006-07-10 16:19 -------- d-------- C:\Program Files\Creative
2006-07-10 16:18 -------- d-------- C:\Documents and Settings\Matthew Ritter.YOUR-D0CE7430EE\Application Data\Creative
2006-07-10 16:12 -------- d-------- C:\Program Files\Common Files\Nero
2006-07-10 16:11 -------- d-------- C:\Program Files\Ahead
2006-07-10 15:15 -------- d-------- C:\Documents and Settings\Matthew Ritter.YOUR-D0CE7430EE\Application Data\Sun
2006-07-10 15:14 -------- d-------- C:\Program Files\Java
2006-07-10 15:13 359808 --a------ C:\WINDOWS.0\system32\drivers\TCPIP.SYS
2006-07-10 15:11 -------- d-------- C:\Program Files\Common Files\Java
2006-07-10 13:08 -------- d-------- C:\Program Files\HD Tune
2006-07-10 10:06 499712 --a------ C:\WINDOWS.0\system32\msvcp71.dll
2006-07-10 10:06 348160 --------- C:\WINDOWS.0\system32\msvcr71.dll
2006-07-09 19:26 -------- d-------- C:\Program Files\Common Files\Macromedia
2006-07-06 18:09 -------- d-------- C:\Program Files\Sateira
2006-07-06 18:03 -------- d-------- C:\Program Files\MTV Networks
2006-07-06 00:26 -------- d-------- C:\Program Files\BillP Studios
2006-07-02 20:06 62 --ahs---- C:\Documents and Settings\Matthew Ritter.YOUR-D0CE7430EE\Application Data\desktop.ini


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"NeroFilterCheck"="C:\\WINDOWS.0\\system32\\NeroCheck.exe"
"CTHelper"="CTHELPER.EXE"
"nTrayFw"="C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\bin\\nTrayFw.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS.0\\system32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS.0\\system32\\NvMcTray.dll,NvTaskbarInit"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AGEIA PhysX SysTray"="C:\\Program Files\\AGEIA Technologies\\TrayIcon.exe"
"SMART Mirror Driver Monitor Service"="\"C:\\Program Files\\Common Files\\SMART Techno"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Maplom"="C:\\Program Files\\Maplom\\Maplom.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoLowDiskSpaceChecks"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""



Completion time: Wed 09/06/2006 19:48:43.78
ComboFix.txt
ComboFix2.txt
ComboFix3.txt

I want to thank you for all of your help so far! =)

LonnyRJones
2006-09-07, 03:07
C:\WINDOWS.0\ms056442138782006.exe < delete that file
==========
Go here and submit each of these then let us know what if anything was found
http://www.virustotal.com/flash/index_en.html

C:\StickMen.scr
C:\WINDOWS.0\system32\XMD5.dll
C:\WINDOWS.0\system32\vb6stkit.dll
C:\WINDOWS.0\system32\MSSTDFMT.DLL
C:\WINDOWS.0\srvxxobhed.exe
C:\WINDOWS.0\uni_ehhhh.exe

Mritter26
2006-09-07, 04:41
VirusTotal found XMD5.dll, vb6stkit.dll, and MSSTDFMT.DLL to be virus free, but srvxxobhed.exe had this report:

AntiVir 7.1.1.14 09.06.2006 no virus found
Authentium 4.93.8 09.07.2006 no virus found
Avast 4.7.844.0 09.06.2006 Win32:Trojan-gen. {Other}
AVG 386 09.06.2006 Collected.8.BJ
BitDefender 7.2 09.07.2006 Adware.TagASaurus.A
CAT-QuickHeal 8.00 09.05.2006 no virus found
ClamAV devel-20060426 09.06.2006 no virus found
DrWeb 4.33 09.06.2006 BackDoor.Generic.1372
eTrust-InoculateIT 23.72.118 09.07.2006 no virus found
eTrust-Vet 30.3.3064 09.06.2006 no virus found
Ewido 4.0 09.05.2006 no virus found
Fortinet 2.77.0.0 09.07.2006 Adware/DigInk
F-Prot 3.16f 09.07.2006 no virus found
F-Prot4 4.2.1.29 09.07.2006 no virus found
Ikarus 0.2.65.0 09.06.2006 no virus found
Kaspersky 4.0.2.24 09.07.2006 Trojan.Win32.VB.tg
McAfee 4846 09.06.2006 potentially unwanted program Adware-DigInk
Microsoft 1.1560 09.07.2006 no virus found
NOD32v2 1.1742 09.06.2006 no virus found
Norman 5.90.23 09.06.2006 W32/Smalldrp.GOJ
Panda 9.0.0.4 09.07.2006 Adware/DigInk
Sophos 4.09.0 09.06.2006 no virus found
Symantec 8.0 09.07.2006 Trojan.Dropper
TheHacker 5.9.8.206 09.07.2006 Trojan/Dropper.Agent.acu
UNA 1.83 09.06.2006 Trojan.Win32.VB.BF6D
VBA32 3.11.1 09.05.2006 Trojan.Win32.VB.tg
VirusBuster 4.3.7:9 09.06.2006 no virus found

LonnyRJones
2006-09-07, 15:12
Ok, delete srvxxobhed.exe if you havent already and turn on winpatrol

Any problems to report ?

Think Prevention: Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Repeat that proccess about once or twice a month

To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279

Mritter26
2006-09-13, 01:55
Sorry for being so late, but i've been sick lately! :(

I'm happy to report that I haven't had a pop-up yet! Then again, I haven't been on my computer much lately...But I think it's gone! If it's not, i'll be sure to contact you again. Thanks so much for the help!

tashi
2006-09-16, 07:02
Cheers, as the problem appears to be resolved this topic has been archived.

If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter. :)