
Thread: Help, with annoying popup thing >_>

  1. #1 Junior Member (Wales, joined Aug 2007, 5 posts)

    Hey, it's a joke if I say I rarely get viruses, but I'm usually able to remove them on my own. But before this popup started appearing I'd rarely get any problems.

    I have no idea how I got it. The only thing I can think of is when I used Internet Explorer for a few mins, when I normally use Firefox. The next thing I knew, I had some stupid poker popup, then all my admin abilities were disabled, like Ctrl+Alt+Del and Shut Down on the Start menu. I remedied this by creating a new admin account and running various programs to get it back.

    Everything is fine, but this bloody popup. Avast keeps saying there is something in the memory and cannot remove it; Spybot said the same thing, so I did a reboot and scan... still could not remove it, and Ad-Aware keeps finding it, argh!

    So, I keep getting this stupid popup every time I'm browsing, even when it's Firefox. I can't find its process, and I've read other people's topics, but each computer is different, so I thought I'd ask about it first. I did that HijackThis thing, and this is the report.

    Any and all help is much appreciated *Bows*

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:36:46, on 21/08/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Unable to get Internet Explorer version!
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\InterVideo\Common\Bin\WinRemote.exe
    C:\Program Files\ASUS\PC Probe II\Probe2.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
    C:\Program Files\Lexmark 2300 Series\ezprint.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\FRAPS\FRAPS.EXE
    C:\WINDOWS\system32\lxcgcoms.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\PROGRA~1\Mozilla Firefox\firefox.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
    O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb106\Dealio.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {F4002052-AB29-4B33-8C8D-0E99084564EC} - (no file)
    O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb106\Dealio.dll (file missing)
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
    O4 - HKLM\..\Run: [WINCINEMAMGR] "C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe"
    O4 - HKLM\..\Run: [WINREMOTE] "C:\Program Files\InterVideo\Common\Bin\WinRemote.exe"
    O4 - HKLM\..\Run: [Launch PC Probe II] "C:\Program Files\ASUS\PC Probe II\Probe2.exe" 1
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
    O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
    O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\rwinmmdt.exe OLI001
    O4 - HKLM\..\Run: [au] C:\Program Files\Dealio\DealioAU.exe
    O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe"
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ThePrivacyGuard] "C:\PROGRA~1\THEPRI~1\THEPRI~1.EXE" /startup
    O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS.EXE
    O4 - HKCU\..\Run: [Home Theater] C:\Program Files\InterVideo\Home Theater\Home Theater.exe
    O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
    O8 - Extra context menu item: Compare Prices with &Dealio - C:\Program Files\Dealio\kb106\res\DealioSearch.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb106\Dealio.dll (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O20 - Winlogon Notify: hggfcde - C:\WINDOWS\
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Prevx Agent (PREVXAgent) - Prevx - C:\Program Files\Prevx2\PXAgent.exe
    O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

    --
    End of file - 6981 bytes
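As an added illustration (not part of the original post, and not HijackThis's own logic), here is how a helper could triage a log like the one above mechanically instead of reading it line by line. It flags the three things that stand out in this log: entries whose target file is gone ("(no file)" / "(file missing)"), an O20 Winlogon Notify package whose target is a bare directory rather than a DLL, and autostarts that match known adware names. The adware marker list and the system32 allowlist are assumptions built from this thread's entries; the sample log is a constructed subset of the log above.

```python
"""Triage a HijackThis 2.0.x log for the indicators a removal helper looks for first."""
import re

# Constructed sample: a few entries in the shape of the log posted above, not the whole log.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb106\Dealio.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb106\Dealio.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\rwinmmdt.exe OLI001
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O20 - Winlogon Notify: hggfcde - C:\WINDOWS\
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

ENTRY_RE = re.compile(r"^([RFO]\d+)\s+-\s+(.*)$")
ORPHAN_RE = re.compile(r"\((no file|file missing)\)\s*$", re.IGNORECASE)
SYSTEM32_EXE_RE = re.compile(r"\\windows\\system32\\([a-z0-9_~-]+\.exe)\b")

# Markers taken from this thread's own log (assumption: extend from your own casework).
ADWARE_MARKERS = ("dealio", "whenusave", "\\save\\save.exe")
# ASSUMED allowlist of Windows binaries that legitimately autostart from system32.
SYSTEM32_BASELINE = {"rundll32.exe", "ctfmon.exe"}


def parse_entries(log_text):
    """Yield (section, body) for each entry line such as 'O4 - HKLM\\..\\Run: ...'."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log_text):
    """Return a list of (action, section, body, reason); action is 'fix' or 'review'."""
    findings = []
    for section, body in parse_entries(log_text):
        lower = body.lower()
        if ORPHAN_RE.search(body):
            findings.append(("fix", section, body, "orphaned: registry points at a file that is gone"))
        elif section == "O20" and not lower.rstrip().endswith(".dll"):
            # Winlogon Notify packages are DLLs loaded by winlogon.exe at logon;
            # a bare directory as the target is the signature of a rogue package.
            findings.append(("fix", section, body, "Winlogon Notify target is not a DLL path"))
        elif any(mark in lower for mark in ADWARE_MARKERS):
            findings.append(("fix", section, body, "matches a known adware component"))
        elif section == "O4":
            m = SYSTEM32_EXE_RE.search(lower)
            if m and m.group(1) not in SYSTEM32_BASELINE:
                findings.append(("review", section, body,
                                 f"autostart from system32 not in baseline: {m.group(1)}"))
    return findings


def hjt_fix_lines(findings):
    """Lines to paste back as 'check these in HijackThis and press Fix checked'."""
    return [f"{section} - {body}" for action, section, body, _ in findings if action == "fix"]


if __name__ == "__main__":
    for action, section, body, reason in triage(SAMPLE_LOG):
        print(f"[{action:6}] {section} - {body}\n         {reason}")
```

The "review" bucket is deliberately separate from "fix": an unfamiliar executable in system32 (here rwinmmdt.exe with an odd argument) deserves a file lookup before anyone removes it, whereas orphaned BHO/toolbar entries and a directory-only Winlogon Notify key can be fixed outright.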

  2. #2 Junior Member (Wales, joined Aug 2007, 5 posts)

    A quick post before I'm off to work. I renamed HijackThis, and this is the report this time.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:18:17, on 21/08/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Unable to get Internet Explorer version!
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\InterVideo\Common\Bin\WinRemote.exe
    C:\Program Files\ASUS\PC Probe II\Probe2.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
    C:\Program Files\Lexmark 2300 Series\ezprint.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\FRAPS\FRAPS.EXE
    C:\WINDOWS\system32\lxcgcoms.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\PROGRA~1\Mozilla Firefox\firefox.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Trend Micro\HijackThis\jsattg.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
    O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb106\Dealio.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {F4002052-AB29-4B33-8C8D-0E99084564EC} - (no file)
    O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb106\Dealio.dll (file missing)
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
    O4 - HKLM\..\Run: [WINCINEMAMGR] "C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe"
    O4 - HKLM\..\Run: [WINREMOTE] "C:\Program Files\InterVideo\Common\Bin\WinRemote.exe"
    O4 - HKLM\..\Run: [Launch PC Probe II] "C:\Program Files\ASUS\PC Probe II\Probe2.exe" 1
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
    O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
    O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\rwinmmdt.exe OLI001
    O4 - HKLM\..\Run: [au] C:\Program Files\Dealio\DealioAU.exe
    O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe"
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ThePrivacyGuard] "C:\PROGRA~1\THEPRI~1\THEPRI~1.EXE" /startup
    O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS.EXE
    O4 - HKCU\..\Run: [Home Theater] C:\Program Files\InterVideo\Home Theater\Home Theater.exe
    O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
    O8 - Extra context menu item: Compare Prices with &Dealio - C:\Program Files\Dealio\kb106\res\DealioSearch.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb106\Dealio.dll (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O20 - Winlogon Notify: hggfcde - C:\WINDOWS\
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Prevx Agent (PREVXAgent) - Prevx - C:\Program Files\Prevx2\PXAgent.exe
    O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

    --
    End of file - 7161 bytes

    Thank you, I will check this thread when I finish work!


    I forget what it's like to Remember ~

  3. #3 Junior Member (Wales, joined Aug 2007, 5 posts)

    Oh, I forgot to put down what I think it is: it's that stupid Smitfraud-C.Core Service, which won't go away.

    Spybot says this:
    C:\\WINDOWS\system32\drivers\core.sys
    C:\\WINDOWS\system32\drivers\core.dsk
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\core
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\core

    I mean, who the hell are they, and what gives them the right to put their rubbish onto people's computers without asking us? >_>


  4. #4 Junior Member (Wales, joined Aug 2007, 5 posts)

    Ugh, the popups are annoying, please help.


  5. #5 Security Expert-Emeritus (Finland, joined Oct 2006, 3,934 posts)

    Hello Ramoth and welcome to the Forums

    You got something there...

    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006

  6. #6 Junior Member (Wales, joined Aug 2007, 5 posts)

    Thank you, here's the log.

    ComboFix 07-08-17.2 - "Hannah" 2007-08-23 22:28:02.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.312 [GMT 1:00]
    * Created a new restore point


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\temp\tn3
    C:\WINDOWS\smsys.dat
    C:\WINDOWS\system32\drivers\core.cache.dsk
    C:\WINDOWS\system32\drivers\core.sys
    C:\WINDOWS\system32\xpdx.sys


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_CORE
    -------\LEGACY_NTMLSVC
    -------\core
    -------\NtmlSvc
    -------\xpdx


    ((((((((((((((((((((((((( Files Created from 2007-07-23 to 2007-08-23 )))))))))))))))))))))))))))))))


    2007-08-23 22:27 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-08-22 22:15 19,805 -ra------ C:\WINDOWS\system32\drivers\usbio.sys
    2007-08-22 22:13 <DIR> d-------- C:\Program Files\MSXML 4.0
    2007-08-22 22:12 <DIR> d-------- C:\Program Files\Datel
    2007-08-22 11:28 <DIR> d-------- C:\Program Files\Windows Defender
    2007-08-22 11:27 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
    2007-08-22 11:27 <DIR> d-------- C:\Program Files\SpywareBlaster
    2007-08-21 11:26 <DIR> d-------- C:\WINDOWS\network diagnostic
    2007-08-21 10:36 <DIR> d-------- C:\Program Files\Trend Micro
    2007-08-19 20:10 <DIR> d-------- C:\Program Files\Prevx2
    2007-08-19 20:10 <DIR> d-------- C:\DOCUME~1\Hannah\APPLIC~1\Prevx
    2007-08-19 20:10 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Prevx
    2007-08-19 20:09 77,312 --a------ C:\WINDOWS\ua2.dll
    2007-08-19 19:32 <DIR> d-------- C:\Program Files\Lavasoft
    2007-08-19 19:32 <DIR> d-------- C:\DOCUME~1\Hannah\APPLIC~1\Lavasoft
    2007-08-19 19:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-08-19 19:09 786,432 --ah----- C:\DOCUME~1\Shit\NTUSER.DAT
    2007-08-19 17:49 59,392 --a------ C:\arca.exe
    2007-08-19 17:48 <DIR> d-------- C:\WINDOWS\Web Download
    2007-08-16 13:31 <DIR> d-------- C:\Temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}
    2007-08-16 13:19 983,121 --a------ C:\WINDOWS\system32\lxcggf.dll
    2007-08-16 13:19 98,304 --a------ C:\WINDOWS\system32\lxcginsr.dll
    2007-08-16 13:19 87,040 --a------ C:\WINDOWS\system32\wiafbdrv.dll
    2007-08-16 13:19 86,016 --a------ C:\WINDOWS\system32\lxcgcub.dll
    2007-08-16 13:19 73,728 --a------ C:\WINDOWS\system32\lxcgcu.dll
    2007-08-16 13:19 704,512 --a------ C:\WINDOWS\system32\lxcgcomc.dll
    2007-08-16 13:19 65,536 --a------ C:\WINDOWS\system32\lxcgcfg.dll
    2007-08-16 13:19 491,520 --a------ C:\WINDOWS\system32\lxcgcoms.exe
    2007-08-16 13:19 483,328 --a------ C:\WINDOWS\system32\lxcglmpm.dll
    2007-08-16 13:19 413,696 --a------ C:\WINDOWS\system32\lxcgcomm.dll
    2007-08-16 13:19 40,960 --a------ C:\WINDOWS\system32\lxcgvs.dll
    2007-08-16 13:19 397,312 --a------ C:\WINDOWS\system32\lxcgutil.dll
    2007-08-16 13:19 372,736 --a------ C:\WINDOWS\system32\lxcgih.exe
    2007-08-16 13:19 36,864 --a------ C:\WINDOWS\system32\lxcgcur.dll
    2007-08-16 13:19 172,032 --a------ C:\WINDOWS\system32\lxcginsb.dll
    2007-08-16 13:19 155,648 --a------ C:\WINDOWS\system32\lxcgprox.dll
    2007-08-16 13:19 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
    2007-08-16 13:19 131,072 --a------ C:\WINDOWS\system32\lxcgins.dll
    2007-08-16 13:19 126,976 --a------ C:\WINDOWS\system32\lxcgjswr.dll
    2007-08-16 13:19 114,688 --a------ C:\WINDOWS\system32\lxcgpplc.dll
    2007-08-16 13:19 1,183,744 --a------ C:\WINDOWS\system32\lxcgserv.dll
    2007-08-16 13:19 1,134,592 --a------ C:\WINDOWS\system32\lxcgusb1.dll
    2007-08-16 13:19 <DIR> d-------- C:\Temp
    2007-08-16 13:19 <DIR> d-------- C:\Program Files\Lexmark 2300 Series
    2007-08-15 11:32 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
    2007-07-29 18:06 <DIR> d-------- C:\Program Files\AceBIT


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-08-21 10:13 --------- d-------- C:\Program Files\The Privacy Guard
    2007-08-19 19:56 --------- d-------- C:\DOCUME~1\Hannah\APPLIC~1\uTorrent
    2007-08-16 17:50 --------- d-------- C:\DOCUME~1\Hannah\APPLIC~1\BSplayer
    2007-08-16 17:23 --------- d-------- C:\Program Files\Webteh
    2007-08-14 19:18 --------- d-------- C:\Program Files\FTP Navigator
    2007-07-29 13:05 --------- d-------- C:\DOCUME~1\Hannah\APPLIC~1\Ulead Systems
    2007-07-27 23:07 783224 --a------ C:\WINDOWS\system32\aswBoot.exe
    2007-07-27 23:02 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
    2007-07-27 23:02 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
    2007-07-27 23:00 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
    2007-07-27 22:59 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
    2007-07-27 22:58 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
    2007-07-27 22:57 95608 --a------ C:\WINDOWS\system32\AvastSS.scr
    2007-07-25 10:26 --------- d-------- C:\Program Files\DDS Converter 2
    2007-07-22 15:09 --------- d-------- C:\Program Files\ImTOO
    2007-07-22 01:10 --------- d-------- C:\DOCUME~1\Hannah\APPLIC~1\Intervideo
    2007-07-22 01:09 --------- d--h----- C:\Program Files\InstallShield Installation Information
    2007-07-22 01:09 --------- d-------- C:\Program Files\InterVideo
    2007-07-22 01:09 --------- d-------- C:\Program Files\Common Files\InterVideo
    2007-07-22 01:08 --------- d-------- C:\Program Files\Adaptec
    2007-07-22 00:38 --------- d-------- C:\Program Files\ASUS
    2007-07-21 12:15 --------- d-------- C:\Program Files\Intel
    2007-07-21 12:14 --------- d-------- C:\Program Files\Real
    2007-07-21 12:14 --------- d-------- C:\Program Files\Common Files\Real
    2007-07-21 12:12 --------- d-------- C:\Program Files\SmartSound Software
    2007-07-21 12:12 --------- d-------- C:\Program Files\QuickTime
    2007-07-21 12:11 --------- d-------- C:\Program Files\Common Files\SONY Digital Images
    2007-07-21 12:10 --------- d-------- C:\Program Files\Windows Media Components
    2007-07-21 12:09 --------- d-------- C:\Program Files\Ulead Systems
    2007-07-21 12:09 --------- d-------- C:\Program Files\Common Files\Ulead Systems
    2007-07-21 12:09 --------- d-------- C:\Program Files\Common Files\InstallShield
    2007-07-20 21:36 --------- d-------- C:\DOCUME~1\Hannah\APPLIC~1\BSplayer Pro
    2007-07-19 03:10 --------- d-------- C:\Program Files\Windows Media Connect 2
    2007-07-15 16:20 --------- d-------- C:\Program Files\DreamWorks Interactive
    2007-07-15 16:19 --------- d-------- C:\Program Files\uTorrent
    2007-07-15 12:19 --------- d-------- C:\DOCUME~1\Hannah\APPLIC~1\Help
    2007-07-14 23:25 --------- d-------- C:\DOCUME~1\Hannah\APPLIC~1\DivX
    2007-07-14 23:24 --------- d-------- C:\Program Files\DivX
    2007-07-10 23:07 --------- d-------- C:\Program Files\MSN Messenger
    2007-07-08 17:46 --------- d-------- C:\Program Files\TGTSoft
    2007-07-08 13:28 502272 --a------ C:\WINDOWS\system32\winlogon.exe
    2007-07-06 19:08 196608 --a------ C:\WINDOWS\system32\libssl32.dll
    2007-07-06 14:40 --------- d-------- C:\DOCUME~1\Hannah\APPLIC~1\WinRAR
    2007-07-06 13:52 --------- d-------- C:\DOCUME~1\Hannah\APPLIC~1\InterTrust
    2007-07-06 13:49 --------- d-------- C:\Program Files\Jasc Software Inc
    2007-07-02 20:41 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
    2007-07-02 20:41 36624 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
    2007-07-02 20:41 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
    2007-07-02 20:41 2560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
    2007-07-02 20:41 2432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
    2007-07-02 20:41 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
    2007-07-02 20:41 129784 --------- C:\WINDOWS\system32\pxafs.dll
    2007-07-02 20:41 118520 --------- C:\WINDOWS\system32\pxinsi64.exe
    2007-07-02 20:41 116472 --------- C:\WINDOWS\system32\pxcpyi64.exe
    2007-07-02 20:41 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
    2007-07-02 20:37 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
    2007-07-02 20:37 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
    2007-07-02 20:37 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
    2007-07-02 20:37 740442 --a------ C:\WINDOWS\system32\DivX.dll
    2007-07-02 20:37 73728 --a------ C:\WINDOWS\system32\dpl100.dll
    2007-07-02 20:37 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
    2007-07-02 20:37 57344 --a------ C:\WINDOWS\system32\dpv11.dll
    2007-07-02 20:37 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
    2007-07-02 20:37 344064 --a------ C:\WINDOWS\system32\dpus11.dll
    2007-07-02 20:37 294912 --a------ C:\WINDOWS\system32\dpu11.dll
    2007-07-02 20:37 294912 --a------ C:\WINDOWS\system32\dpu10.dll
    2007-07-02 20:37 196608 --a------ C:\WINDOWS\system32\dtu100.dll
    2007-07-02 20:36 124472 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
    2007-07-02 20:36 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
    2007-06-26 07:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
    2007-06-19 14:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
    2007-06-13 11:23 1033216 --a------ C:\WINDOWS\explorer.exe


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
    @="Driver Group"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
    @="DiskDrive"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
    @="Hdc"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
    @="Keyboard"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
    @="Mouse"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
    @="System"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
    @="Volume"


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79108934-32c6-11dc-970e-806d6172696f}]
    AutoRun\command- D:\autorun.exe


    Contents of the 'Scheduled Tasks' folder
    2007-08-23 20:26:55 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe

    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-08-23 22:32:07
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-08-23 22:33:48 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-08-23 22:33

    --- E O F ---


  7. #7 Security Expert-Emeritus (Finland, joined Oct 2006, 3,934 posts)

    Hi again, we'll continue

    You should print these instructions or save these to a text file. Follow these instructions carefully.

    Download ATF Cleaner by Atribune to your desktop.
    Do NOT run yet.

    Make your hidden files visible:
    • Go to My Computer
    • Select the Tools menu and click Folder Options
    • Click the View tab.
    • Checkmark the "Display the contents of system folders"
    • Under the Hidden files and folders select "Show hidden files and folders"
    • Uncheck "Hide protected operating system files"
    • Click Apply and then the OK and close My Computer.


    Download avz4en.zip here
    Unzip it to a folder on your desktop
    Double click on AVZ.exe
    Click on the file tab and then click on System recovery
    Put a checkmark next to Restore SafeBoot registry keys
    Click on Execute selected operations

    ==================

    Open Control Panel -> Add/Remove programs -> Remove all of the following or similar entries if found:

    WhenUSave

    and any other programs you didn't install or don't recognize; if you're not sure, please ask first.
    Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

    O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb106\Dealio.dll (file missing)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {F4002052-AB29-4B33-8C8D-0E99084564EC} - (no file)
    O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb106\Dealio.dll (file missing)
    O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
    O20 - Winlogon Notify: hggfcde - C:\WINDOWS\

    Restart your computer.

    Open "My Computer" and delete the following folders (if present):
    C:\Program Files\Save

    Open "My Computer" and delete the following files (if present):
    C:\arca.exe

    Use the Windows search
    • Start
    • Search
    • All files and folders
    • More advanced options
    Checkmark these options:
    • "Search system folders"
    • "Search hidden files and folders"
    • "Search subfolders"
    • Search for this and delete if found: hggfcde.dll


    Run ATF Cleaner
    • Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.

    Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
        Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.
    • Copy and paste that information in your next post along with a fresh HijackThis log.
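The "Restore SafeBoot registry keys" step in the instructions above addresses the "SafeBoot registry key needs repairs. This machine cannot enter Safe Mode." line in the ComboFix log: the infection stripped most of HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal, leaving only nine subkeys. As an added example, not part of the helper's post and not AVZ's or ComboFix's own code, the script below parses that section out of a ComboFix log, diffs it against a reference list of SafeBoot\Minimal subkeys, and renders the .reg file that recreates the missing ones. The reference list is an assumed, partial snapshot of a clean XP SP2 install; export your own from a known-good machine before relying on it. The sample log text is a constructed copy of the section posted above.

```python
"""Audit the SafeBoot Minimal keys in a ComboFix dump and render the .reg that restores the missing ones."""
import re

# Constructed sample: the SafeBoot section of the ComboFix log posted above.
SAMPLE_COMBOFIX = r"""
SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"
"""

SAFEBOOT_PATH = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal"

# ASSUMED reference: a partial snapshot of SafeBoot\Minimal from a clean XP SP2 machine.
# Build your own with:  reg export "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal" minimal.reg
REFERENCE_MINIMAL = {
    "Base": "Driver Group", "Boot Bus Extender": "Driver Group",
    "Boot file system": "Driver Group", "File system": "Driver Group",
    "Filter": "Driver Group", "PCI Configuration": "Driver Group",
    "PNP Filter": "Driver Group", "Primary disk": "Driver Group",
    "SCSI Class": "Driver Group", "System Bus Extender": "Driver Group",
    "EventLog": "Service", "PlugPlay": "Service", "RpcSs": "Service", "WinMgmt": "Service",
    "vga.sys": "Driver", "vgasave.sys": "Driver", "sermouse.sys": "Driver",
    "{4D36E967-E325-11CE-BFC1-08002BE10318}": "DiskDrive",
    "{4D36E96A-E325-11CE-BFC1-08002BE10318}": "Hdc",
    "{4D36E96B-E325-11CE-BFC1-08002BE10318}": "Keyboard",
    "{4D36E96F-E325-11CE-BFC1-08002BE10318}": "Mouse",
    "{4D36E97D-E325-11CE-BFC1-08002BE10318}": "System",
    "{71A27CDD-812A-11D0-BEC7-08002BE2092F}": "Volume",
}

KEY_RE = re.compile(re.escape("[" + SAFEBOOT_PATH + "\\") + r"([^\]]+)\]$")
VALUE_RE = re.compile(r'^@="([^"]*)"$')


def parse_safeboot(log_text):
    """Map each SafeBoot Minimal subkey in the dump to its default value (None if no @= line followed)."""
    present, current = {}, None
    for line in (l.strip() for l in log_text.splitlines()):
        km = KEY_RE.match(line)
        if km:
            current = km.group(1)
            present[current] = None
            continue
        vm = VALUE_RE.match(line)
        if vm and current:
            present[current] = vm.group(1)
            current = None
    return present


def audit_minimal(present, reference=REFERENCE_MINIMAL):
    """Return (missing, wrong): reference keys absent from the dump, and present keys whose default differs."""
    missing = {k: v for k, v in reference.items() if k not in present}
    wrong = {k: (present[k], v) for k, v in reference.items() if k in present and present[k] != v}
    return missing, wrong


def build_fix_reg(entries):
    """Render a regedit-5 .reg file that recreates the given SafeBoot Minimal subkeys."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for name, value in sorted(entries.items()):
        out += [f"[{SAFEBOOT_PATH}\\{name}]", f'@="{value}"', ""]
    return "\n".join(out)


if __name__ == "__main__":
    found = parse_safeboot(SAMPLE_COMBOFIX)
    missing, wrong = audit_minimal(found)
    print(f"{len(found)} subkeys in dump, {len(missing)} reference subkeys missing, {len(wrong)} with wrong default")
    print(build_fix_reg({**missing, **{k: v for k, (_, v) in wrong.items()}}))
```

Import the generated file from the administrator account (double-click, or `regedit /s safeboot-fix.reg`), then confirm the repair the only way that counts: reboot, press F8 and check that Safe Mode actually loads. A machine that cannot enter Safe Mode is one where the attacker has removed your fallback, so this check belongs before, not after, the remaining cleanup steps.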

  8. #8 tashi, Member of Team Spybot (USA, joined Oct 2005, 30,959 posts)

    Due to lack of a response to the helper, this topic has been archived.

    If you need it re-opened, please send me a private message (PM) and provide a link to the thread. This applies only to the original poster; anyone else with similar problems, please start a new topic.

    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
