unwanted popup ads for reg cleaners



silasticus
2006-09-14, 06:17
Hi, I have the kind of Trojan that Tashi describes, giving me numerous pop-ups that say I must download reg cleaner and regpro etc. I've followed the steps outlined and here are my logs. Trend didn't seem to work, so I'll only try it if you find nothing wrong in the logs below. I've run out of download quota. I hope you can help me to get rid of this problem.
Many thanks for this service and advice.
God bless you

SmitFraudFix v2.87
Scan done at 8:46:40.73, Thu 14/09/2006
Run from E:\Our Goods\PC tech\Downloads\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
Fix ran in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------
+ Created at: 12:25:45 PM 14/09/2006
+ Scan result:
Nothing found.
::Report end

--- Search result list ---
Alexa Related: Link (Replace file, fixed)
C:\WINNT\Web\RELATED.HTM

--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-09-14 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-09-08 Includes\Cookies.sbi (*)
2006-09-08 Includes\Dialer.sbi (*)
2006-09-08 Includes\Hijackers.sbi (*)
2006-09-08 Includes\Keyloggers.sbi (*)
2006-09-08 Includes\Malware.sbi (*)
2006-09-08 Includes\PUPS.sbi (*)
2006-09-08 Includes\Revision.sbi (*)
2006-09-08 Includes\Security.sbi (*)
2006-09-08 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-09-08 Includes\Trojans.sbi (*)

--- System information ---
Windows 2000 (Build: 2195) Service Pack 3
/ Windows 2000 / SP4: Windows 2000 Hotfix (SP4) KB282010
/ Windows 2000 / SP5: Windows Installer 3.1 (KB893803)

--- Startup entries list ---
Located: HK_LM:Run, BigPondCable
command: "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
file: C:\Program Files\Telstra\Cable Login\bpcable.exe
size: 253952
MD5: adf3e34bec6c9b0d1cba56fd202135d4
Located: HK_LM:Run, ccApp
command: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
file: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
size: 53408
MD5: 8c5d5b71e4e8a1fb8f1fa6cc57fe411e
Located: HK_LM:Run, NvCplDaemon
command: RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
file: C:\WINNT\system32\RUNDLL32.EXE
size: 10000
MD5: 1ed5274825cd1eebbe102b9ff7c9ec31
Located: HK_LM:Run, nwiz
command: nwiz.exe /install
file: C:\WINNT\system32\nwiz.exe
size: 323584
MD5: 99b4b415dd1be7325deda3b88df5938a
Located: HK_LM:Run, SoundMan
command: SOUNDMAN.EXE
file: C:\WINNT\SOUNDMAN.EXE
size: 57344
MD5: 18af798f49a1084b0ed8c47d3ceca6b2
Located: HK_LM:Run, SSC_UserPrompt
command: "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
file: C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
size: 218240
MD5: b96c81be7b8d11710496787e5859d768
Located: HK_LM:Run, SunJavaUpdateSched
command: C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
file: C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
size: 36975
MD5: 61a3a9d5d98bf0331df5b716144a8100
Located: HK_LM:Run, Synchronization Manager
command: mobsync.exe /logon
file: C:\WINNT\system32\mobsync.exe
size: 111376
MD5: 8896de4ed047ba097e82d75e4da30d06
Located: HK_LM:Run, TkBellExe
command: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
file: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
size: 180269
MD5: 77ed13fd3196ebc7311ccd6899c7488c
Located: HK_CU:Run, internat.exe
command: internat.exe
file: C:\WINNT\system32\internat.exe
size: 20752
MD5: f4206fca3b1d2feab50738ec2485d5f3
Located: HK_CU:Run, NvMediaCenter
command: RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
file: C:\WINNT\system32\RUNDLL32.EXE
size: 10000
MD5: 1ed5274825cd1eebbe102b9ff7c9ec31
Located: Startup (common), WinZip Quick Pick.lnk
command: C:\Program Files\Utilities\WinZip\WZQKPICK.EXE
file: C:\Program Files\Utilities\WinZip\WZQKPICK.EXE
size: 122880
MD5: 6613e98493ec4a94395955b17f836cf9
Located: Startup (user), OpenOffice.org 1.1.4.lnk
command: C:\Program Files\OpenOffice.org1.0.1\program\quickstart.exe
file: C:\Program Files\OpenOffice.org1.0.1\program\quickstart.exe
size: 61440
MD5: cb96f4101f57df891886ee99b3cc4182
Located: System.ini, crypt32chain
command: crypt32.dll
file: crypt32.dll
Located: System.ini, cryptnet
command: cryptnet.dll
file: cryptnet.dll
Located: System.ini, cscdll
command: cscdll.dll
file: cscdll.dll
Located: System.ini, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
Located: System.ini, SensLogn
command: WlNotify.dll
file: WlNotify.dll

--- Browser helper object list ---
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
BHO name:
CLSID name: SSVHelper Class
Path: C:\Program Files\Java\jre1.5.0_06\bin\
Long name: ssv.dll
Short name:
Date (created): 2/03/2006 1:53:00 PM
Date (last access): 2/03/2006 1:53:00 PM
Date (last write): 10/11/2005 1:22:12 PM
Filesize: 184423
Attributes: archive
MD5: F01726F7CA8538FDD4663C9DB8FEAEDC
CRC32: 0111B892
Version: 5.0.60.5
{9ECB9560-04F9-4bbc-943D-298DDF1699E1} (Norton Internet Security 2006)
BHO name: Norton Internet Security 2006
CLSID name: CNisExtBho Class
description: NIS 2004,
classification: Legitimate
known filename: NISShExt.dll
info link: http://www.symantec.com/sabu/nis/nis_pe/
info source: TonyKlein
Path: C:\Program Files\Common Files\Symantec Shared\AdBlocking\
Long name: NISShExt.dll
Short name:
Date (created): 6/02/2006 11:35:48 PM
Date (last access): 14/09/2006 9:06:26 AM
Date (last write): 6/02/2006 11:35:48 PM
Filesize: 94384
Attributes: archive
MD5: AD8FD65B6285111F7CF60A774D53C99F
CRC32: B756703C
Version: 9.1.0.33
{A8F38D8D-E480-4D52-B7A2-731BB6995FDD} (NAV Helper)
BHO name: NAV Helper
CLSID name: CNavExtBho Class
Path: C:\Program Files\Security\Norton Internet Security\Norton AntiVirus\
Long name: NavShExt.dll
Short name:
Date (created): 5/02/2006 1:03:32 AM
Date (last access): 14/09/2006 8:56:06 AM
Date (last write): 5/02/2006 1:03:32 AM
Filesize: 140960
Attributes: archive
MD5: 2BBF8C0CF0E439ADA20789CD3D0FB57B
CRC32: F87D6BA5
Version: 12.2.0.13

--- ActiveX list ---
DirectAnimation Java Classes (DirectAnimation Java Classes)
DPF name: DirectAnimation Java Classes
CLSID name:
Installer:
Codebase: file://C:\WINNT\Java\classes\dajava.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\dajava.cab
info link:
info source: Patrick M. Kolla
Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
Installer:
Codebase: file://C:\WINNT\Java\classes\xmldso.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla
{33564D57-0000-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:
Installer: C:\WINNT\Downloaded Program Files\WMV9VCM.inf
Codebase: http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
description:
classification: Legitimate
known filename:
info link:
info source: Safer Networking Ltd.
{5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module)
DPF name:
CLSID name: Windows Live Safety Center Base Module
Installer: C:\WINNT\Downloaded Program Files\wlscBase.inf
Codebase: http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase969.cab
description:
classification: Legitimate
known filename: wlscBase.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINNT\Downloaded Program Files\
Long name: wlscBase.dll
Short name:
Date (created): 27/07/2006 4:33:46 PM
Date (last access): 14/09/2006 9:06:18 AM
Date (last write): 27/07/2006 4:33:46 PM
Filesize: 452920
Attributes: archive
MD5: 31B684EB136F3A933D8E5D4646ABA6AD
CRC32: D72E5183
Version: 1.2.969.1
{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\WINNT\Downloaded Program Files\swflash.inf
Codebase: http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINNT\System32\Macromed\Flash\
Long name: Flash9.ocx
Short name:
Date (created): 22/06/2006 1:44:22 PM
Date (last access): 14/09/2006 8:00:06 AM
Date (last write): 22/06/2006 1:44:22 PM
Filesize: 2201224
Attributes: readonly archive
MD5: 99F80CA1EBE95677668F54CAC6F4AD6D
CRC32: B7385E3B
Version: 9.0.16.0

--- Process list ---
PID: 0 ( 0) [System]
PID: 108 ( 8) \SystemRoot\System32\smss.exe
PID: 136 ( 108) \??\C:\WINNT\system32\csrss.exe
PID: 156 ( 108) \??\C:\WINNT\system32\winlogon.exe
PID: 184 ( 156) C:\WINNT\system32\services.exe
size: 88848
MD5: 7F164D07BA059B6E3C37C119B49B282A
PID: 196 ( 156) C:\WINNT\system32\lsass.exe
size: 33552
MD5: 0FABC9F91EAB355A6303FA540071AEE7
PID: 332 ( 184) C:\WINNT\system32\svchost.exe
size: 7952
MD5: 9E64AD53CFD9DA2D22E8A924F8C6E62C
PID: 364 ( 184) C:\WINNT\System32\WBEM\WinMgmt.exe
size: 196685
MD5: B426E21B3192CC8F87C7FF74BF013645
PID: 224 ( 248) C:\WINNT\Explorer.EXE
size: 242960
MD5: 51794D917250081AB41A77950CEE481D
PID: 396 ( 224) C:\WINNT\system32\NOTEPAD.EXE
size: 50960
MD5: CF8C98E8B3979F15DF77A7DE2E51BCC1
PID: 484 ( 224) C:\Program Files\Security\Spybot - Search & Destroy\SpybotSD.exe
size: 4393096
MD5: 09CA174A605B480318731E691DC98539
PID: 8 ( 0) System

--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 14/09/2006 9:13:24 AM
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\windows\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://home.microsoft.com/access/autosearch.asp?p=%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\windows\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{639B0C10-90B6-4162-8633-61DD0110EFF7}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{639B0C10-90B6-4162-8633-61DD0110EFF7}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B0D2938F-BBA5-48B8-8824-6103B431FAA6}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B0D2938F-BBA5-48B8-8824-6103B431FAA6}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{94C978F5-0347-4A74-BEAD-0B7F45025942}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{94C978F5-0347-4A74-BEAD-0B7F45025942}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F513989E-4783-43BF-ABBE-BF58C3BD87B7}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F513989E-4783-43BF-ABBE-BF58C3BD87B7}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\rnr20.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP
Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

continued in next thread...

silasticus
2006-09-14, 06:19
...continued
Here's the rest of my logs

--- Uninstall list ---
(AddressBook)
Audacity 1.2.3 (Audacity_is1)
install location: C:\Program Files\Music\Audacity\
uninstall cmd: "C:\Program Files\Music\Audacity\unins000.exe"
help link: http://audacity.sourceforge.net
(Branding)
Canon i350 (CANONBJ_Deinstall_CNMCP53.DLL)
uninstall cmd: C:\WINNT\System32\CNMCP53.exe "-PRINTERNAMECanon i350" "-HELPERDLLC:\BJPrinter\CNMWINNT\Canon i350 Installer\Inst2\cnmis.dll" "-RCDLLC:\BJPrinter\CNMWINNT\Canon i350 Installer\Inst2\cnmi0409.dll"
(Connection Manager)
(DirectAnimation)
(DirectDrawEx)
(DXM_Runtime)
Canon Utilities Easy-PhotoPrint (Easy-PhotoPrint)
uninstall cmd: C:\WINNT\ISUNINST.EXE -f"C:\Program Files\Canon\Easy-PhotoPrint\Uninst.isu" -c"C:\Program Files\Canon\Easy-PhotoPrint\EZUNINST.DLL"
Easy-WebPrint (Easy-WebPrint)
uninstall cmd: C:\WINNT\IsUninst.exe -f"C:\Program Files\Canon\Easy-WebPrint\Uninst.isu"
ewido anti-spyware 4.0 (ewidoantispyware4)
install location: C:\Program Files\Security\ewido anti-spyware 4.0
uninstall cmd: C:\Program Files\Security\ewido anti-spyware 4.0\Uninstall.exe
publisher: ewido networks
help link: http://www.ewido.net
(expinst)
(Fontcore)
HijackThis 1.99.1 1.99.1 (HijackThis)
uninstall cmd: C:\Program Files\Security\Hijackthis\HijackThis.exe /uninstall
publisher: Soeperman Enterprises Ltd.
Hijackthis 1.99.1 (Hijackthis_is1)
install location: C:\Program Files\Security\Hijackthis\
uninstall cmd: "C:\Program Files\Security\Hijackthis\unins000.exe"
publisher: Soeperman Enterprises Ltd
help link: http://www.merijn.org
(ICW)
Microsoft Internet Explorer 6 SP1 (IE40)
uninstall cmd: rundll32 C:\WINNT\System32\setupwbv.dll,IE6Maintenance C:\Program Files\Internet Explorer\IE Uninstall\W2KEXCP.EXE /u
(IE4Data)
(IE5BAKEX)
(IEData)
(IEREADME)
Windows 2000 Hotfix (SP4) KB282010 20030522.125038 (KB282010)
uninstall cmd: C:\WINNT\$NtUninstallKB282010$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=282010
(KB884016)
3.1 (KB893803)
help link: http://go.microsoft.com/fwlink/?LinkId=42467
Windows Installer 3.1 (KB893803) (KB893803v2)
uninstall cmd: "C:\WINNT\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://go.microsoft.com/fwlink/?LinkId=42467
LiveUpdate 3.0 (Symantec Corporation) 3.0.0.154 (LiveUpdate)
install location: "C:\Program Files\Symantec\LiveUpdate"
uninstall cmd: "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
publisher: Symantec Corporation
(MobileOptionPack)
(MSI30-Beta1)
(MSI30-Beta2)
(MSI30-KB884016)
(MSI30-RC1)
(MSI30-RC2)
(MSI30a-KB884016)
(MSI31-Beta)
(MSI31-RC1)
(MsJavaVM)
(NetMeeting)
NVIDIA Windows 2000/XP Display Drivers (NVIDIA)
uninstall cmd: rundll32.exe C:\WINNT\System32\nvinstnt.dll,NvUninstallNT4 nv4_disp.inf
(OutlookExpress)
(RealJukebox 1.0)
uninstall cmd: C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
RealPlayer (RealPlayer 6.0)
uninstall cmd: C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
(SchedulingAgent)
(Sevinst)
Adobe Flash Player 9 ActiveX 9 (ShockwaveFlash)
uninstall cmd: C:\WINNT\System32\Macromed\Flash\UninstFl.exe -q
publisher: Adobe Systems
help link: http://www.adobe.com/go/flashplayer_support/
Spybot - Search & Destroy 1.4 1.4 (Spybot - Search & Destroy_is1)
install location: C:\Program Files\Security\Spybot - Search & Destroy\
uninstall cmd: "C:\Program Files\Security\Spybot - Search & Destroy\unins000.exe"
publisher: Safer Networking Limited
Norton Internet Security 2006 (Symantec Corporation) 9.1.0.33 (SymSetup.{A93C9E60-29B6-49da-BA21-F70AC6AADE20})
install location: C:\Program Files\Security\Norton Internet Security
install source: C:\DOCUME~1\Cooper\LOCALS~1\Temp\NIS9.1.33
uninstall cmd: "C:\Program Files\Common Files\Symantec Shared\SymSetup\{A93C9E60-29B6-49da-BA21-F70AC6AADE20}.exe" /X
publisher: Symantec Corporation
VideoLAN VLC media player 0.7.1 (VideoLAN)
uninstall cmd: "C:\Program Files\Media\VideoLAN\VLC\uninstall.exe"
Windows Live Safety Scanner (Windows Live Safety Scanner)
uninstall cmd: RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
WinZip 10.0 (6698) (WinZip)
version (major): 10
install location: C:\PROGRA~1\UTILIT~1\WINZIP\
uninstall cmd: "C:\Program Files\Utilities\WinZip\WINZIP32.EXE" /uninstall
publisher: WinZip Computing LP
help link: http://www.winzip.com/xsupport.htm
ccCommon 104.0.5.3 ({1248C09A-BD6B-47F5-BF3F-CD2B700D9FCB})
version: 1744830469
version (major): 104
estimated size: 6095
install date: 20060911
install source: C:\DOCUME~1\Cooper\LOCALS~1\Temp\NIS9.1.33\Support\ccCommon\
uninstall cmd: MsiExec.exe /I{1248C09A-BD6B-47F5-BF3F-CD2B700D9FCB}
publisher: Symantec
Norton Internet Security 9.1.0.33 ({12E2B9E9-05B1-407d-B0FD-B5F350535125})
version: 151060480
version (major): 9
version (minor): 1
estimated size: 24281
install date: 20060911
install source: C:\DOCUME~1\Cooper\LOCALS~1\Temp\NIS9.1.33\Setup\
uninstall cmd: MsiExec.exe /I{12E2B9E9-05B1-407d-B0FD-B5F350535125}
publisher: Symantec Corporation
CC_ccProxyExt 104.0.5.3 ({2EBF25F1-F8A2-40EA-92BE-931C142A44E2})
version: 1744830469
version (major): 104
estimated size: 688
install date: 20060911
install source: C:\DOCUME~1\Cooper\LOCALS~1\Temp\NIS9.1.33\Support\Proxy\
uninstall cmd: MsiExec.exe /I{2EBF25F1-F8A2-40EA-92BE-931C142A44E2}
publisher: Symantec
ccPxyCore 104.0.5.3 ({30738666-9805-4926-A78F-91DA33B6C437})
version: 1744830469
version (major): 104
estimated size: 2826
install date: 20060911
install source: C:\DOCUME~1\Cooper\LOCALS~1\Temp\NIS9.1.33\Support\Proxy\
uninstall cmd: MsiExec.exe /I{30738666-9805-4926-A78F-91DA33B6C437}
publisher: Symantec
J2SE Runtime Environment 5.0 Update 6 1.5.0.60 ({3248F0A8-6813-11D6-A77B-00B0D0150060})
version: 17104896
version (major): 1
version (minor): 5
estimated size: 122273
install date: 20060914
install source: C:\Documents and Settings\Cooper\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150060}\
uninstall cmd: MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
publisher: Sun Microsystems, Inc.
contact: http://java.com
help link: http://java.com
readme: C:\Program Files\Java\jre1.5.0_06\README.txt
Norton AntiSpam 2006.2.0.150 ({3B29A786-5803-4E9E-9B58-3014A5B4E519})
version (major): 2006
version (minor): 2
estimated size: 1553
install date: 20060911
install source: C:\DOCUME~1\Cooper\LOCALS~1\Temp\NIS9.1.33\Setup\
uninstall cmd: MsiExec.exe /I{3B29A786-5803-4E9E-9B58-3014A5B4E519}
publisher: Symantec Corporation
SymNet 6.0.4.402 ({3B474041-D5BC-44E0-9059-8BAAAC921656})
version: 100663300
version (major): 6
estimated size: 2726
install date: 20060912
install source: C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\LIVEUP~1\DOWNLO~1\Updt515\
publisher: Symantec Corporation
Norton Internet Security 9.1.0.33 ({48185814-A224-447a-81DA-71BD20580E1B})
version: 151060480
version (major): 9
version (minor): 1
estimated size: 4159
install date: 20060911
install source: C:\DOCUME~1\Cooper\LOCALS~1\Temp\NIS9.1.33\Setup\
uninstall cmd: MsiExec.exe /I{48185814-A224-447a-81DA-71BD20580E1B}
publisher: Symantec Corporation
Sony Ericsson PC Suite 1.0.79 ({50F90522-2ACE-434E-9987-F42A5F06208F})
version: 16777295
version (major): 1
estimated size: 95454
install date: 20060912
install location: C:\Program Files\Sony Ericsson\Mobile\
install source: C:\WINNT\Downloaded Installations\{86FA6F1C-6BDD-47C9-8D7B-B620B0277FC3}\
uninstall cmd: MsiExec.exe /I{50F90522-2ACE-434E-9987-F42A5F06208F}
publisher: Sony Ericsson
contact: Sony Ericsson Technical Support
help link: http://www.sonyericsson.com
Norton AntiSpam 2006.2.0.153 ({5677563D-0CB1-485F-9E18-C5025306BB3F})
version (major): 2006
version (minor): 2
estimated size: 8956
install date: 20060911
install source: C:\DOCUME~1\Cooper\LOCALS~1\Temp\NIS9.1.33\Setup\
uninstall cmd: MsiExec.exe /I{5677563D-0CB1-485F-9E18-C5025306BB3F}
publisher: Symantec Corporation
WebFldrs 9.00.3907 ({6F716D8C-398F-11D3-85E1-005004838609})
version: 150998851
version (major): 9
estimated size: 2524
install date: 20060911
install source: C:\WINNT\System32\
publisher: Microsoft Corporation
help link: http://www.microsoft.com/windows
SPBBC 2.1.0.4 ({77772678-817F-4401-9301-ED1D01A8DA56})
version: 33619968
version (major): 2
version (minor): 1
estimated size: 3367
install date: 20060911
install location: C:\Program Files\Security\Norton Internet Security\Norton AntiVirus\
install source: C:\DOCUME~1\Cooper\LOCALS~1\Temp\NIS9.1.33\Support\SPBBC\
uninstall cmd: MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
publisher: Symantec Corporation
Norton Protection Center 1.4.4 ({82A5BF38-8461-4A5C-B2C9-24F5256D92A6})
version: 17039364
version (major): 1
version (minor): 4
estimated size: 3870
install date: 20060911
install source: C:\DOCUME~1\Cooper\LOCALS~1\Temp\NIS9.1.33\Support\NSC\
uninstall cmd: MsiExec.exe /I{82A5BF38-8461-4A5C-B2C9-24F5256D92A6}
publisher: Symantec Corp
Norton Internet Security 9.1.0.33 ({A93C9E60-29B6-49da-BA21-F70AC6AADE20})
version: 151060480
version (major): 9
version (minor): 1
estimated size: 37454
install date: 20060911
install source: C:\DOCUME~1\Cooper\LOCALS~1\Temp\NIS9.1.33\Setup\
uninstall cmd: MsiExec.exe /I{A93C9E60-29B6-49da-BA21-F70AC6AADE20}
publisher: Symantec Corporation
MSRedist 1.0.0.0 ({B7C61755-DB48-4003-948F-3D34DB8EAF69})
version: 16777216
version (major): 1
estimated size: 4903
install date: 20060911
install source: C:\DOCUME~1\Cooper\LOCALS~1\Temp\NIS9.1.33\Support\Redist\
uninstall cmd: MsiExec.exe /I{B7C61755-DB48-4003-948F-3D34DB8EAF69}
publisher: Symantec Corporation
BigPond Broadband Cable Login 1.1 ({BCE5A33D-A808-492A-9B5C-DCAFCFF24D27})
version: 16842752
version (major): 1
version (minor): 1
estimated size: 1482
install date: 20060912
install source: C:\Program Files\Common Files\Wise Installation Wizard\
uninstall cmd: MsiExec.exe /I{BCE5A33D-A808-492A-9B5C-DCAFCFF24D27}
publisher: Telstra Corporation Limited
Norton AntiVirus 2006 12.2.0.13 ({C6F5B6CF-609C-428E-876F-CA83176C021B})
version: 201457664
version (major): 12
version (minor): 2
estimated size: 63294
install date: 20060911
install source: C:\DOCUME~1\Cooper\LOCALS~1\Temp\NIS9.1.33\NAV\
uninstall cmd: MsiExec.exe /X{C6F5B6CF-609C-428E-876F-CA83176C021B}
publisher: Symantec Corporation
Norton Internet Security 1.0.0 ({E3EFA461-EB83-4C3B-9C47-2C1D58A01555})
version: 16777216
version (major): 1
estimated size: 1484
install date: 20060911
install source: C:\DOCUME~1\Cooper\LOCALS~1\Temp\NIS9.1.33\Support\HelpMSI\
uninstall cmd: MsiExec.exe /I{E3EFA461-EB83-4C3B-9C47-2C1D58A01555}
publisher: Symantec Corp.
Norton Internet Security 9.1.0.33 ({E5EE9939-259F-4DE2-8023-5C49E16A4F43})
version: 151060480
version (major): 9
version (minor): 1
estimated size: 474
install date: 20060911
install source: C:\DOCUME~1\Cooper\LOCALS~1\Temp\NIS9.1.33\NAV\
uninstall cmd: MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
publisher: Symantec Corporation
Norton WMI Update 2005.1.2.20 ({E85FA9A1-C241-4698-893B-DD99509B8DB0})
version (major): 2005
version (minor): 1
estimated size: 613
install date: 20060911
install source: C:\DOCUME~1\Cooper\LOCALS~1\Temp\NIS9.1.33\Support\SymSC\
uninstall cmd: MsiExec.exe /X{E85FA9A1-C241-4698-893B-DD99509B8DB0}
publisher: Symantec Corporation
Norton WMI Update 2005.1.2.20 ({F64306A5-4C32-41bb-B153-53986527FAB4})
version (major): 2005
version (minor): 1
estimated size: 613
install date: 20060911
install source: C:\DOCUME~1\Cooper\LOCALS~1\Temp\NIS9.1.33\Support\SymSC\
uninstall cmd: MsiExec.exe /X{F64306A5-4C32-41bb-B153-53986527FAB4}
publisher: Symantec Corporation
Realtek AC'97 Audio ({FB08F381-6533-4108-B7DD-039E11FBC27E})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE

Logfile of HijackThis v1.99.1
Scan saved at 12:28:34 PM, on 14/09/2006
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Security\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINNT\System32\internat.exe
C:\WINNT\System32\RUNDLL32.EXE
C:\Program Files\Utilities\WinZip\WZQKPICK.EXE
C:\Program Files\OpenOffice.org1.0.1\program\soffice.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Security\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Security\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Security\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.0.1\program\quickstart.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\Utilities\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase969.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Security\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Security\Norton Internet Security\comHost.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program
Files\Security\ewido anti-spyware 4.0\guard.exe
O23 - Service: LiveUpdate - Symantec Corporation -
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation -
C:\Program Files\Security\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation -
C:\WINNT\System32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program
Files\Security\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program
Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common
Files\Symantec Shared\CCPD-LC\symlcsvc.exe

eTrust web scan
Scan Results: Scan Completed. 16447 files scanned. No viruses found.

BitDefender Online Scanner - Real Time Virus Report
Generated at: Thu, Sep 14, 2006 - 13:47:17
Scanned Files 84124
Infected Files 0
Virus Detected
No virus found.

LonnyRJones
2006-09-18, 03:02
Hello

How often and where are you when the pop-ups occur?

Download and run Silentrunners.vbs and post the log it creates, please:
http://www.silentrunners.org/sr_scriptuse.html (click No so as not to skip the supplementary searches).
Wait until there is an "All Done" message!! Then open and post the log next to it.
Your antivirus script protection might interfere or alert; please allow it to run. After a bit, a box will say done.

silasticus
2006-09-18, 22:31
The popups appear regularly, perhaps every 20 minutes. If I'm away from the PC for a while there will be a back-log of them waiting to be closed.
Here's the Silent Runners log.
Thanks

"Silent Runners.vbs", revision 48, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvMediaCenter" = "RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit" [MS]
"ctfmon.exe" = "ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"SSC_UserPrompt" = ""C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"" ["Symantec Corporation"]
"BigPondCable" = ""C:\Program Files\Telstra\Cable Login\bpcable.exe" /r" ["Telstra"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"iTunesHelper" = "C:\Program Files\Media\iTunes\iTunesHelper.exe" ["Apple Computer, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Utilities\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
{9ECB9560-04F9-4bbc-943D-298DDF1699E1}\(Default) = "Norton Internet Security 2006"
-> {HKLM...CLSID} = "CNisExtBho Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]
{A8F38D8D-E480-4D52-B7A2-731BB6995FDD}\(Default) = "NAV Helper"
-> {HKLM...CLSID} = "CNavExtBho Class"
\InProcServer32\(Default) = "C:\Program Files\Security\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{A5110426-177D-4e08-AB3F-785F10B4439C}" = "Sony Ericsson File Manager"
-> {HKLM...CLSID} = "Sony Ericsson File Manager"
\InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile\File Manager\fmgrgui.dll" ["Sony Ericsson Mobile Communications AB"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINNT\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINNT\System32\nvshell.dll" ["NVIDIA Corporation"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Media\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\UTILIT~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\UTILIT~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\UTILIT~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\UTILIT~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice Property Sheet Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\OpenOffice.org1.0.1\program\shlxthdl.dll" ["Sun Microsystems, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{FED7043D-346A-414D-ACD7-550D052499A7}" = "dBpowerAMP Music Converter 1"
-> {HKLM...CLSID} = "dBpShell Class"
\InProcServer32\(Default) = "C:\Program Files\Music\Illustrate\dBpowerAMP\dBShell.dll" [empty string]
"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}" = "dBpowerAMP Music Converter"
-> {HKLM...CLSID} = "dMCIShell Class"
\InProcServer32\(Default) = "C:\Program Files\Music\Illustrate\dBpowerAMP\dMCShell.dll" [empty string]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\Security\ewido anti-spyware 4.0\shellexecutehook.dll" [file not found]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Security\ewido anti-spyware 4.0\context.dll" [file not found]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Security\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\UTILIT~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Security\ewido anti-spyware 4.0\context.dll" [file not found]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\UTILIT~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Security\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\UTILIT~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Startup items in "Cooper" & "All Users" startup folders:
--------------------------------------------------------

C:\Documents and Settings\Cooper\Start Menu\Programs\Startup
"OpenOffice.org 1.1.4" -> shortcut to: "C:\Program Files\OpenOffice.org1.0.1\program\quickstart.exe" [null data]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"WinZip Quick Pick" -> shortcut to: "C:\Program Files\Utilities\WinZip\WZQKPICK.EXE" ["WinZip Computing LP"]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Run Full System Scan - Cooper" -> launches: "C:\PROGRA~1\Security\NORTON~1\NORTON~1\Navw32.exe /TASK:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{C4069E3A-68F1-403E-B40E-20066696354B}"
-> {HKLM...CLSID} = "Norton AntiVirus"
\InProcServer32\(Default) = "C:\Program Files\Security\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}"
-> {HKLM...CLSID} = "Norton Internet Security 2006"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" = "Norton Internet Security 2006"
-> {HKLM...CLSID} = "Norton Internet Security 2006"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]
"{C4069E3A-68F1-403E-B40E-20066696354B}" = "Norton AntiVirus"
-> {HKLM...CLSID} = "Norton AntiVirus"
\InProcServer32\(Default) = "C:\Program Files\Security\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
"{327C2873-E90D-4C37-AA9D-10AC9BABA46C}" = "Easy-WebPrint"
-> {HKLM...CLSID} = "Easy-WebPrint"
\InProcServer32\(Default) = "C:\Program Files\Canon\Easy-WebPrint\Toolband.dll" [empty string]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]


Miscellaneous IE Hijack Points
------------------------------

C:\WINNT\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.bigpond.com/

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Automatic LiveUpdate Scheduler, Automatic LiveUpdate Scheduler, ""C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"" ["Symantec Corporation"]
ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "C:\Program Files\Security\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."]
HID Input Service, HidServ, "C:\WINNT\system32\hidserv.exe" [MS]
iPod Service, iPodService, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Computer, Inc."]
LiveUpdate, LiveUpdate, ""C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE"" ["Symantec Corporation"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Norton AntiVirus Auto-Protect Service, navapsvc, ""C:\Program Files\Security\Norton Internet Security\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Norton Protection Center Service, NSCService, ""C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE"" ["Symantec Corporation"]
NVIDIA Driver Helper Service, NVSvc, "C:\WINNT\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Symantec Core LC, Symantec Core LC, ""C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, ""C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"" ["Symantec Corporation"]
Symantec Network Proxy, ccProxy, ""C:\Program Files\Common Files\Symantec Shared\ccProxy.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, ""C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe"" ["Symantec Corporation"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Canon BJ Language Monitor i350\Driver = "CNMLM53.DLL" ["CANON INC."]
PDF995 Monitor\Driver = "pdf995mon.dll" [null data]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 17 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 10 seconds.
---------- (total run time: 57 seconds)

LonnyRJones
2006-09-19, 00:53
I'm not seeing a cause yet; this tool might help us spot suspects.


Post a combofix log
1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouse-click ComboFix's window whilst it's running; that may cause it to stall.
If the log is large, you might need to post half in one reply and half in another.

silasticus
2006-09-20, 22:48
Thanks for your time, I really appreciate this.
Here's the Combofix log.
I ran a Trend Micro scan, but couldn't manage to either copy the text or save the web page, so I can't show you the report.

Cooper - Thu 2006-09-21 6:46:09.95 Service Pack 3
ComboFix 06.09.14 - Running from: E:\Our Goods\PC tech\Downloads

((((((((((((((((((((((((((((((( Files Created from 2006-08-19 to 2006-09-19 ))))))))))))))))))))))))))))))))))


2006-09-19 16:01 569,344 -ra------ C:\WINNT\system32\imagr5.dll
2006-09-19 16:01 544,768 -ra------ C:\WINNT\system32\imagx5.dll
2006-09-19 16:01 38,912 -ra------ C:\WINNT\system32\picn20.dll
2006-09-19 16:01 283,920 -ra------ C:\WINNT\system32\ImagXpr5.dll
2006-09-19 16:01 155,648 -ra------ C:\WINNT\system32\NeroCheck.exe
2006-09-19 14:04 51,472 --a------ C:\WINNT\system32\vfwwdm32.dll
2006-09-19 14:04 45,840 --a------ C:\WINNT\system32\iyuv_32.dll
2006-09-19 07:02 997,888 --a------ C:\WINNT\system32\wmvdmoe2.dll
2006-09-19 07:02 981,504 --a------ C:\WINNT\system32\wmnetmgr.dll
2006-09-19 07:02 892,416 --a------ C:\WINNT\system32\wmspdmoe.dll
2006-09-19 07:02 82,432 --a------ C:\WINNT\system32\drmstor.dll
2006-09-19 07:02 816,264 --a------ C:\WINNT\system32\wmvdmod.dll
2006-09-19 07:02 81,408 --a------ C:\WINNT\system32\logagent.exe
2006-09-19 07:02 760,968 --a------ C:\WINNT\system32\wmsdmod.dll
2006-09-19 07:02 678,912 --a------ C:\WINNT\system32\drmv2clt.dll
2006-09-19 07:02 670,208 --a------ C:\WINNT\system32\wmadmoe.dll
2006-09-19 07:02 6,656 --a------ C:\WINNT\system32\laprxy.dll
2006-09-19 07:02 486,536 --a------ C:\WINNT\system32\wmspdmod.dll
2006-09-19 07:02 410,248 --a------ C:\WINNT\system32\wmadmod.dll
2006-09-19 07:02 384,512 --a------ C:\WINNT\system32\mp4sdmod.dll
2006-09-19 07:02 316,040 --a------ C:\WINNT\system32\mp43dmod.dll
2006-09-19 07:02 301,712 --a------ C:\WINNT\system32\drmclien.dll
2006-09-19 07:02 253,952 --a------ C:\WINNT\system32\msnetobj.dll
2006-09-19 07:02 241,664 --a------ C:\WINNT\system32\mpg4dmod.dll
2006-09-19 07:02 232,960 --a------ C:\WINNT\system32\blackbox.dll
2006-09-19 07:02 218,112 --a------ C:\WINNT\system32\wmasf.dll
2006-09-19 07:02 2,058,888 --a------ C:\WINNT\system32\wmvcore.dll
2006-09-19 07:02 143,360 --a------ C:\WINNT\system32\wmidx.dll
2006-09-19 07:02 1,111,040 --a------ C:\WINNT\system32\wmsdmoe2.dll
2006-09-14 19:41 48,972 --a------ C:\WINNT\system32\pdf995mon.dll
2006-09-14 19:41 143,410 --a------ C:\WINNT\system32\pdfmona.dll
2006-09-14 18:53 86,016 --a------ C:\WINNT\unvise32qt.exe
2006-09-14 18:50 164,352 --a------ C:\WINNT\system32\SpoonUninstall.exe
2006-09-14 08:26 53,248 --a------ C:\WINNT\system32\Process.exe
2006-09-14 08:26 40,960 --a------ C:\WINNT\system32\swsc.exe
2006-09-14 08:26 288,417 --a------ C:\WINNT\system32\SrchSTS.exe
2006-09-14 08:26 135,168 --a------ C:\WINNT\system32\swreg.exe
2006-09-13 00:20 720,896 --a------ C:\WINNT\system32\Audio3D.dll
2006-09-13 00:20 720,896 --a------ C:\WINNT\system32\a3d.dll
2006-09-13 00:20 57,344 --a------ C:\WINNT\SOUNDMAN.EXE
2006-09-13 00:20 208,896 --------- C:\WINNT\alcupd.exe
2006-09-13 00:20 139,264 --------- C:\WINNT\alcrmv.exe
2006-09-12 07:45 69,632 --a------ C:\WINNT\uinst001.exe
2006-09-12 07:43 19,728 --a------ C:\WINNT\system32\hidserv.exe
2006-09-12 07:33 86,016 -ra------ C:\WINNT\system32\nvwrszht.dll
2006-09-12 07:33 86,016 -ra------ C:\WINNT\system32\nvwrszhc.dll
2006-09-12 07:33 835,654 -ra------ C:\WINNT\system32\nview.dll
2006-09-12 07:33 69,632 -ra------ C:\WINNT\system32\nvsvc32.exe
2006-09-12 07:33 512,000 -ra------ C:\WINNT\system32\nviewimg.dll
2006-09-12 07:33 49,152 -ra------ C:\WINNT\system32\nvmctray.dll
2006-09-12 07:33 467,016 -ra------ C:\WINNT\system32\nvshell.dll
2006-09-12 07:33 4,640,768 -ra------ C:\WINNT\system32\nvcpl.dll
2006-09-12 07:33 323,584 -ra------ C:\WINNT\system32\nwiz.exe
2006-09-12 07:33 3,764,224 -ra------ C:\WINNT\system32\nvoglnt.dll
2006-09-12 07:33 3,403,776 -ra------ C:\WINNT\system32\nvrsar.dll
2006-09-12 07:33 3,391,488 -ra------ C:\WINNT\system32\nvrshe.dll
2006-09-12 07:33 3,387,392 -ra------ C:\WINNT\system32\nvrsja.dll
2006-09-12 07:33 3,383,296 -ra------ C:\WINNT\system32\nvrsko.dll
2006-09-12 07:33 3,180,171 -ra------ C:\WINNT\system32\nv4_disp.dll
2006-09-12 07:33 286,806 -ra------ C:\WINNT\system32\keystone.exe
2006-09-12 07:33 282,624 -ra------ C:\WINNT\system32\nvrsesm.dll
2006-09-12 07:33 270,336 -ra------ C:\WINNT\system32\nvrsit.dll
2006-09-12 07:33 266,240 -ra------ C:\WINNT\system32\nvrsptb.dll
2006-09-12 07:33 266,240 -ra------ C:\WINNT\system32\nvrsfr.dll
2006-09-12 07:33 266,240 -ra------ C:\WINNT\system32\nvrsde.dll
2006-09-12 07:33 262,144 -ra------ C:\WINNT\system32\nvrstr.dll
2006-09-12 07:33 262,144 -ra------ C:\WINNT\system32\nvrsru.dll
2006-09-12 07:33 262,144 -ra------ C:\WINNT\system32\nvrsnl.dll
2006-09-12 07:33 258,048 -ra------ C:\WINNT\system32\nvrssv.dll
2006-09-12 07:33 258,048 -ra------ C:\WINNT\system32\nvrsno.dll
2006-09-12 07:33 258,048 -ra------ C:\WINNT\system32\nvrses.dll
2006-09-12 07:33 258,048 -ra------ C:\WINNT\system32\nvrseng.dll
2006-09-12 07:33 258,048 -ra------ C:\WINNT\system32\nvrsda.dll
2006-09-12 07:33 253,952 -ra------ C:\WINNT\system32\nvrssl.dll
2006-09-12 07:33 253,952 -ra------ C:\WINNT\system32\nvrsel.dll
2006-09-12 07:33 249,856 -ra------ C:\WINNT\system32\nvrspt.dll
2006-09-12 07:33 249,856 -ra------ C:\WINNT\system32\nvrsfi.dll
2006-09-12 07:33 249,856 -ra------ C:\WINNT\system32\nvrscs.dll
2006-09-12 07:33 245,760 -ra------ C:\WINNT\system32\nvrssk.dll
2006-09-12 07:33 245,760 -ra------ C:\WINNT\system32\nvrspl.dll
2006-09-12 07:33 245,760 -ra------ C:\WINNT\system32\nvrshu.dll
2006-09-12 07:33 217,088 -ra------ C:\WINNT\system32\nvrszht.dll
2006-09-12 07:33 217,088 -ra------ C:\WINNT\system32\nvrszhc.dll
2006-09-12 07:33 184,320 -ra------ C:\WINNT\system32\nvwrsel.dll
2006-09-12 07:33 176,128 -ra------ C:\WINNT\system32\nvwrsru.dll
2006-09-12 07:33 176,128 -ra------ C:\WINNT\system32\nvwrspt.dll
2006-09-12 07:33 176,128 -ra------ C:\WINNT\system32\nvwrses.dll
2006-09-12 07:33 176,128 -ra------ C:\WINNT\system32\nvwrsde.dll
2006-09-12 07:33 172,032 -ra------ C:\WINNT\system32\nvwrsptb.dll
2006-09-12 07:33 172,032 -ra------ C:\WINNT\system32\nvwrsit.dll
2006-09-12 07:33 172,032 -ra------ C:\WINNT\system32\nvwrsfr.dll
2006-09-12 07:33 167,936 -ra------ C:\WINNT\system32\nvwrssk.dll
2006-09-12 07:33 167,936 -ra------ C:\WINNT\system32\nvwrsnl.dll
2006-09-12 07:33 167,936 -ra------ C:\WINNT\system32\nvwrshu.dll
2006-09-12 07:33 163,840 -ra------ C:\WINNT\system32\nvwrstr.dll
2006-09-12 07:33 163,840 -ra------ C:\WINNT\system32\nvwrspl.dll
2006-09-12 07:33 163,840 -ra------ C:\WINNT\system32\nvwrsfi.dll
2006-09-12 07:33 159,744 -ra------ C:\WINNT\system32\nvwrssv.dll
2006-09-12 07:33 159,744 -ra------ C:\WINNT\system32\nvwrsno.dll
2006-09-12 07:33 159,744 -ra------ C:\WINNT\system32\nvwrsda.dll
2006-09-12 07:33 159,744 -ra------ C:\WINNT\system32\nvwrscs.dll
2006-09-12 07:33 155,648 -ra------ C:\WINNT\system32\nvwrssl.dll
2006-09-12 07:33 147,456 -ra------ C:\WINNT\system32\nvwrsesm.dll
2006-09-12 07:33 147,456 -ra------ C:\WINNT\system32\nvwrseng.dll
2006-09-12 07:33 143,360 -ra------ C:\WINNT\system32\nvwrsar.dll
2006-09-12 07:33 139,264 -ra------ C:\WINNT\system32\nvwrshe.dll
2006-09-12 07:33 126,976 -ra------ C:\WINNT\system32\nvinstnt.dll
2006-09-12 07:33 106,496 -ra------ C:\WINNT\system32\nvwrsja.dll
2006-09-12 07:33 102,400 -ra------ C:\WINNT\system32\nvwrsko.dll
2006-09-12 07:33 1,323,008 -ra------ C:\WINNT\system32\dmcpl.exe
2006-09-12 07:20 80,480 --a------ C:\WINNT\system32\msrclr40.dll
2006-09-12 07:20 35,424 --a------ C:\WINNT\system32\msrecr40.dll
2006-09-12 07:19 94,208 --a------ C:\WINNT\system32\odbccp32.dll
2006-09-12 07:19 90,112 --a------ C:\WINNT\system32\odbcint.dll
2006-09-12 07:19 61,440 --a------ C:\WINNT\system32\odbccu32.dll
2006-09-12 07:19 61,440 --a------ C:\WINNT\system32\odbccr32.dll
2006-09-12 07:19 61,440 --a------ C:\WINNT\system32\dbnetlib.dll
2006-09-12 07:19 45,632 --a------ C:\WINNT\system32\cliconfg.exe
2006-09-12 07:19 44,032 --a------ C:\WINNT\system32\msxml3r.dll
2006-09-12 07:19 4,656 --a------ C:\WINNT\system32\ds16gt.dll
2006-09-12 07:19 385,024 --a------ C:\WINNT\system32\sqlsrv32.dll
2006-09-12 07:19 36,864 --a------ C:\WINNT\system32\mscpxl32.dll
2006-09-12 07:19 32,768 --a------ C:\WINNT\system32\odbcad32.exe
2006-09-12 07:19 28,672 --a------ C:\WINNT\system32\dbnmpntw.dll
2006-09-12 07:19 26,224 --a------ C:\WINNT\system32\odbc16gt.dll
2006-09-12 07:19 24,576 --a------ C:\WINNT\system32\odbcbcp.dll
2006-09-12 07:19 24,576 --a------ C:\WINNT\system32\dbmsvinn.dll
2006-09-12 07:19 24,576 --a------ C:\WINNT\system32\dbmsrpcn.dll
2006-09-12 07:19 24,576 --a------ C:\WINNT\system32\dbmsgnet.dll
2006-09-12 07:19 200,704 --a------ C:\WINNT\system32\odbc32.dll
2006-09-12 07:19 20,480 --a------ C:\WINNT\system32\msorc32r.dll
2006-09-12 07:19 20,480 --a------ C:\WINNT\system32\dbmsadsn.dll
2006-09-12 07:19 180,800 --a------ C:\WINNT\system32\sqlunirl.dll
2006-09-12 07:19 16,384 --a------ C:\WINNT\system32\odbc32gt.dll
2006-09-12 07:19 16,384 --a------ C:\WINNT\system32\ds32gt.dll
2006-09-12 07:19 147,456 --a------ C:\WINNT\system32\odbctrac.dll
2006-09-12 07:19 131,072 --a------ C:\WINNT\system32\msorcl32.dll
2006-09-12 07:19 127,552 --a------ C:\WINNT\system32\cliconfg.dll
2006-09-12 07:19 126,976 --a------ C:\WINNT\system32\msdart.dll
2006-09-12 07:19 1,122,304 --a------ C:\WINNT\system32\msxml3.dll
2006-09-12 07:17 98,816 --a------ C:\WINNT\system32\dmstyle.dll
2006-09-12 07:17 974,848 --a------ C:\WINNT\system32\dxdiag.exe
2006-09-12 07:17 80,896 --a------ C:\WINNT\system32\dpvsetup.exe
2006-09-12 07:17 797,184 --a------ C:\WINNT\system32\d3dim700.dll
2006-09-12 07:17 79,360 --a------ C:\WINNT\system32\dpwsockx.dll
2006-09-12 07:17 77,824 --a------ C:\WINNT\system32\dpmodemx.dll
2006-09-12 07:17 76,800 --a------ C:\WINNT\system32\dmscript.dll
2006-09-12 07:17 733,184 --a------ C:\WINNT\system32\qedwipes.dll
2006-09-12 07:17 723,968 --a------ C:\WINNT\system32\dpnet.dll
2006-09-12 07:17 7,168 --a------ C:\WINNT\system32\d3d8thk.dll
2006-09-12 07:17 68,096 --a------ C:\WINNT\system32\dpnhupnp.dll
2006-09-12 07:17 664,576 --a------ C:\WINNT\system32\dinput8.dll
2006-09-12 07:17 645,120 --a------ C:\WINNT\system32\dinput.dll
2006-09-12 07:17 64,512 --a------ C:\WINNT\system32\amstream.dll
2006-09-12 07:17 602,624 --a------ C:\WINNT\system32\dx7vb.dll
2006-09-12 07:17 591,120 --a------ C:\WINNT\system32\d3dramp.dll
2006-09-12 07:17 58,368 --a------ C:\WINNT\system32\dmcompos.dll
2006-09-12 07:17 491,520 --a------ C:\WINNT\system32\dsdmoprp.dll
2006-09-12 07:17 49,424 --a------ C:\WINNT\system32\d3dxof.dll
2006-09-12 07:17 480,256 --a------ C:\WINNT\system32\msvidctl.dll
2006-09-12 07:17 470,528 --a------ C:\WINNT\system32\qdvd.dll
2006-09-12 07:17 47,104 --a------ C:\WINNT\system32\wstdecod.dll

silasticus
2006-09-20, 22:51
By the way, when these pop-ups are occurring, I can see them in Task Manager, and the related process is csrss.exe. Is that a clue?

Combofix log continued...



(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))




(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="RUNDLL32.EXE C:\\WINNT\\System32\\NVMCTRAY.DLL,NvTaskbarInit"
"ctfmon.exe"="ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"SSC_UserPrompt"="\"C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe\""
"BigPondCable"="\"C:\\Program Files\\Telstra\\Cable Login\\bpcable.exe\" /r"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINNT\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"SoundMan"="SOUNDMAN.EXE"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"iTunesHelper"="C:\\Program Files\\Media\\iTunes\\iTunesHelper.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NeroCheck"="C:\\WINNT\\system32\\NeroCheck.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Completion time: Thu 2006-09-21 6:46:28.82
ComboFix.txt
ComboFix2.txt

LonnyRJones
2006-09-21, 00:35
csrss.exe is a normal process if running from the system32 folder

E:\Our Goods\PC tech\Downloads\
Are you a tech fixing a client's PC?

These are odd to see
2006-09-11 21:35 271 ---h----- C:\Program Files\desktop.ini
2006-09-11 21:35 21952 ---h----- C:\Program Files\folder.htt

Since Win 2k or one of its service packs was installed recently, that log isn't much good to us.

Download this zip.
http://www.downloads.subratam.org/pv.zip
unzip it to the desktop.
Open the folder and Double click on the runme.bat
wait for one of those popups you mentioned then
choose option 2 and attach or post that text please.

Also a report from one or both of these free online scans:
Panda ActiveScan-Free online scanner,
http://www.pandasoftware.com/products/activescan.htm
Do a full scan > Click the my computer button
After the scan click see report then Save the report and post it back here please.
Kaspersky Lab - Free Online scan:
http://www.kaspersky.com/virusscanner
Click scan settings and place a check next to use [x]extended this database etc etc. Click ok.
Then choose: my computer: scan all your hard drives and mapped disks.
when finished click save as text and post that in your reply.
We don't need to see items listed as "Object is locked skipped", so edit those out.
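The two checks LonnyRJones applies above (a hidden file sitting directly under C:\Program Files, and a core process name such as csrss.exe whose file is not in system32) can be run mechanically over ComboFix-style listing lines. The script below is an added example, not code from this thread, from ComboFix or from any tool named here; it assumes the Windows 2000 C:\WINNT\system32 layout seen in this log, extends the csrss.exe check to a few other core process names, and its sample input mixes lines from this thread's log with one constructed, hypothetical C:\WINNT\csrss.exe line.

```python
"""Triage checks over ComboFix-style listing lines (added example, not code
from the thread or from ComboFix). Each line reads
"YYYY-MM-DD HH:MM size attrs path"; attrs is nine flag characters
(d directory, r read-only, a archive, h hidden, s system)."""
import re
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>[\d,]+|-+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)
# Core processes that only legitimately run from system32; the thread names
# csrss.exe, the others are the usual companions (assumption: W2K layout).
SYSTEM_PROCESSES = {"csrss.exe", "smss.exe", "winlogon.exe",
                    "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM32 = r"c:\winnt\system32"
PROGRAM_FILES = r"c:\program files"

def parse_line(line: str) -> Optional[Dict]:
    """Parse one listing line; None for headers, banners and blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    raw = m["size"]
    parent, _, name = m["path"].rpartition("\\")
    return {
        "stamp": m["stamp"],
        "size": None if raw.startswith("-") else int(raw.replace(",", "")),
        "is_dir": m["attrs"].startswith("d"),
        "hidden": "h" in m["attrs"],
        "path": m["path"],
        "parent": parent.lower(),
        "name": name.lower(),
    }

def parse_log(text: str) -> List[Dict]:
    return [e for e in map(parse_line, text.splitlines()) if e]

def triage(entries: List[Dict]) -> List[Tuple[str, str]]:
    """Return (finding, path) pairs for files worth a second look."""
    findings = []
    for e in entries:
        if e["is_dir"]:
            continue
        # Hidden files dropped straight into C:\Program Files, like the
        # desktop.ini / folder.htt pair flagged as odd in the reply above.
        if e["hidden"] and e["parent"] == PROGRAM_FILES:
            findings.append(("hidden-in-program-files", e["path"]))
        # A core process name whose image is not under system32.
        if e["name"] in SYSTEM_PROCESSES and e["parent"] != SYSTEM32:
            findings.append(("core-process-outside-system32", e["path"]))
    return findings

# Constructed sample: five lines taken from this thread's log plus one
# hypothetical C:\WINNT\csrss.exe line to exercise the second check.
SAMPLE_LOG = r"""
2006-09-11 21:35 271 ---h----- C:\Program Files\desktop.ini
2006-09-11 21:35 21952 ---h----- C:\Program Files\folder.htt
2006-09-11 21:33 91,408 --a------ C:\WINNT\system32\calc.exe
2006-09-11 21:36 0 -rahs---- C:\MSDOS.SYS
2006-09-19 07:03 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-30 10:00 5,632 --a------ C:\WINNT\csrss.exe
"""

if __name__ == "__main__":
    for finding, path in triage(parse_log(SAMPLE_LOG)):
        print(f"{finding}: {path}")
```

Hidden files at the root of Program Files and files whose name mimics a core process are only a pointer to look closer, as the helper does here; both checks are silent for hidden files elsewhere (the MSDOS.SYS line) and for hidden directories.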

silasticus
2006-09-22, 10:13
Here's the log from pv.

<Are you a tech fixing a clients pc ?>
No, just a humble musician. That's just how I organise my data.

<service packs was installed recenlty >
sorry, I should have guessed that would make things hard.

By the way , the pop-ups may not happen when offline... I'll let you know if I find out for sure.

God bless you Lonnie

silasticus
2006-09-22, 10:15
Here's the log from Panda.


Incident Status Location

Virus:W32/Sdbot.ftp.worm Disinfected C:\WINNT\system32\i
Potentially unwanted tool:Application/Processor Not disinfected C:\WINNT\system32\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected E:\Our Goods\PC tech\Downloads\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected E:\Our Goods\PC tech\Downloads\SmitfraudFix.zip[SmitfraudFix/Process.exe]

LonnyRJones
2006-09-22, 18:38
Any improvement since that Panda scan?

Post a screenshot of one of those "popup ads for reg cleaners"

silasticus
2006-09-23, 05:44
They are still coming, however I can confirm that they are only happening when online.
thanks

LonnyRJones
2006-09-23, 07:56
That helps
See the MS KB
Disabling Messenger Service in Windows XP: http://www.microsoft.com/windowsxp/using/security/learnmore/stopspam.mspx

silasticus
2006-09-23, 12:25
Thanks mate, you are the MASTOR (spoken in Star-Wars-ian-tone-of-voice!)
Haven't seen the proof in the eating yet, but it never hurt anyone to celebrate prematurely...
God bless, and all the best with saving the known tech world (and whatever else you like doing off the PC).
Steve

LonnyRJones
2006-09-24, 10:10
Great


Think Prevention: Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Repeat that process about once or twice a month.

To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279

tashi
2006-10-01, 04:15
Cheers silasticus :)

As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter.