IE popups, Limewire pops up (even though I've deleted it now)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Portrait Displays\Plugins\AM\dtsslsrv.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Jo Ann\Desktop\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [BM77fe1e0a] Rundll32.exe "C:\WINDOWS\System32\fgfjlwms.dll",s
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Tropix\Images\stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Tropix\Images\armhelper.ocx
O23 - Service: Asset Management Daemon - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Plugins\AM\dtsslsrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

I didn't check anything, just did a full scan. Please help.
I don't get anything about Limewire anymore; however, I still get quite a few IE popups. Anyone's help would be appreciated.
Top part of the hjt log got cut off.

Copy (Ctrl C) and paste (Ctrl V) the text below to Notepad. Save it as "All Files" and name it fix.bat. Please save it on your desktop.

Code:
rem the service name contains a space, so it has to be quoted or sc only sees "Network"
sc stop "Network Monitor"
sc delete "Network Monitor"
exit

Double click Fix.bat on your desktop. A window will open and close. Reboot the computer. It should stop and delete the service.

Download and run:
Please download Malwarebytes' Anti-Malware to your desktop: http://www.besttechie.net/tools/mbam-setup.exe
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

Post a new hjt log and the Malwarebytes log.
Logfile of HijackThis v1.99.1
Scan saved at 6:23:15 AM, on 3/18/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\Portrait Displays\Plugins\AM\dtsslsrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jo Ann\Desktop\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B52C7EC-D1A3-4054-923C-DD12567F28B1} - C:\WINDOWS\System32\nnnmmml.dll (file missing)
O2 - BHO: (no name) - {54C6F2D7-22BB-4B9D-AFA4-B85952B3BE9A} - C:\WINDOWS\System32\hgdee.dll (file missing)
O2 - BHO: 0 - {58756746-D01E-4AC1-C68B-A793C38EABAC} - C:\Program Files\Online Services\qulab.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Tropix\Images\stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Tropix\Images\armhelper.ocx
O20 - Winlogon Notify: gzqntaid - gzqntaid.dll (file missing)
O20 - Winlogon Notify: nnnmmml - nnnmmml.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Asset Management Daemon - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Plugins\AM\dtsslsrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Malwarebytes' Anti-Malware 1.08
Database version: 471

Scan type: Full Scan (C:\|)
Objects scanned: 101022
Time elapsed: 2 hour(s), 29 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 15
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 26

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\hwuvirup.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\Program Files\MSN\rofym89104.dll (Adware.TTC) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{2b0b59b4-55a3-4737-9fd5-b93c6430bf75} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2b0b59b4-55a3-4737-9fd5-b93c6430bf75} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a95b2816-1d7e-4561-a202-68c0de02353a} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{11a69ae4-fbed-4832-a2bf-45af82825583} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{64a33058-c278-4958-86a1-fec1cf14a20b} (Adware.TTC) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{64a33058-c278-4958-86a1-fec1cf14a20b} (Adware.TTC) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSControlService (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\WebBuying (Adware.WebBuying) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR (Trojan.DNSChange) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Network Monitor (Trojan.Service) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\Rabio\Search Enhancer (Adware.SearchEnhancer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iDlo18 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon (Trojan.NetMon) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\gzqntaid.dllbox (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hwuvirup.dll (Trojan.Vundo) -> Delete on reboot.
C:\Program Files\MSN\rofym89104.dll (Adware.TTC) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E4B9A4F1-21CA-43BD-B8CC-5D68A1A24B4E}\RP182\A0015868.sys (Adware.WhenUSave) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E4B9A4F1-21CA-43BD-B8CC-5D68A1A24B4E}\RP203\A0025863.exe (Adware.RABCO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E4B9A4F1-21CA-43BD-B8CC-5D68A1A24B4E}\RP203\A0025873.exe (Adware.RABCO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E4B9A4F1-21CA-43BD-B8CC-5D68A1A24B4E}\RP203\A0025881.exe (Adware.RABCO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E4B9A4F1-21CA-43BD-B8CC-5D68A1A24B4E}\RP203\A0025899.exe (Adware.RABCO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E4B9A4F1-21CA-43BD-B8CC-5D68A1A24B4E}\RP203\A0025902.dll (Adware.RABCO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E4B9A4F1-21CA-43BD-B8CC-5D68A1A24B4E}\RP203\A0025904.exe (Adware.Rabio) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E4B9A4F1-21CA-43BD-B8CC-5D68A1A24B4E}\RP203\A0026129.dll (Adware.TargetSaver) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E4B9A4F1-21CA-43BD-B8CC-5D68A1A24B4E}\RP203\A0026135.dll (AdWare.CommAd) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E4B9A4F1-21CA-43BD-B8CC-5D68A1A24B4E}\RP203\A0026136.exe (AdWare.CommAd) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E4B9A4F1-21CA-43BD-B8CC-5D68A1A24B4E}\RP209\A0027360.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E4B9A4F1-21CA-43BD-B8CC-5D68A1A24B4E}\RP209\A0027361.vbs (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\c4\np89104.exe (Adware.TTC) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\k8\ravecom3.exe (Adware.RABCO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\s7\gbsu011.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\d3d9caps.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\n.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\x.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\z.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\core.cache.dsk (Malware.Trace) -> Delete on reboot.
C:\Documents and Settings\Jo Ann\Desktop\Help and Support Center.lnk (Rogue.Link) -> Quarantined and deleted successfully.
Hi, ok good. Run this also just for good measure, then we will clean up the log and make a new restore point. How's it looking on your end now?

Download and run vundofix.exe: http://www.atribune.org/ccount/click.php?id=4
* Double-click VundoFix.exe to run it.
* Click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES.
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.
* Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Post the vundo log and a new hjt log.

echoreply
VundoFix V6.5.0

Checking Java version...

Scan started at 9:16:48 PM 3/18/2008

Listing files found while scanning....

No infected files were found.

Beginning removal...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:22:56 PM, on 3/18/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\Portrait Displays\Plugins\AM\dtsslsrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B52C7EC-D1A3-4054-923C-DD12567F28B1} - C:\WINDOWS\System32\nnnmmml.dll (file missing)
O2 - BHO: (no name) - {54C6F2D7-22BB-4B9D-AFA4-B85952B3BE9A} - C:\WINDOWS\System32\hgdee.dll (file missing)
O2 - BHO: 0 - {58756746-D01E-4AC1-C68B-A793C38EABAC} - C:\Program Files\Online Services\qulab.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Tropix\Images\stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Tropix\Images\armhelper.ocx
O20 - Winlogon Notify: gzqntaid - gzqntaid.dll (file missing)
O20 - Winlogon Notify: nnnmmml - nnnmmml.dll (file missing)
O23 - Service: Asset Management Daemon - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Plugins\AM\dtsslsrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 5152 bytes
Hi lmac222, ok good.

To clean up the log: start HJT, click the "Scan" button, check the items below, close any open windows, then click "Fix checked":

O2 - BHO: (no name) - {0B52C7EC-D1A3-4054-923C-DD12567F28B1} - C:\WINDOWS\System32\nnnmmml.dll (file missing)
O2 - BHO: (no name) - {54C6F2D7-22BB-4B9D-AFA4-B85952B3BE9A} - C:\WINDOWS\System32\hgdee.dll (file missing)
O2 - BHO: 0 - {58756746-D01E-4AC1-C68B-A793C38EABAC} - C:\Program Files\Online Services\qulab.dll (file missing)
O20 - Winlogon Notify: gzqntaid - gzqntaid.dll (file missing)
O20 - Winlogon Notify: nnnmmml - nnnmmml.dll (file missing)

Check Java version:
Vulnerabilities in Sun Java versions may be exploited and may be the cause of some malware via your browser. You can see what version of Java you have installed here: http://www.java.com/en/download/installed.jsp
It is very important not only to keep Sun Java up to date but also to remove older versions which have possible vulnerabilities and may possibly be exploited.
1. Uninstall old versions of Sun Java via Add/Remove Programs.
2. Click the Remove or Change/Remove button.
3. Reboot your PC if prompted.
Download the latest version: Java Runtime Environment (JRE) 6 Update 5
Download from: http://java.sun.com/javase/downloads/index.jsp

---------------------------

Restore points: the why and how:
One of the features of Windows ME or XP is the System Restore option; however, if malware infects a computer with this operating system it can be backed up in the System Restore folder. Therefore, clearing the restore points is a good idea after malware is removed. Don't do it on a regular basis.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)
1. Turn off System Restore (deletes old, possibly infected restore points).
   On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. Check Turn off System Restore. Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore (forces a new restore point on a clean system).
   On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. UN-check *Turn off System Restore*. Click Apply, and then click OK, then reboot.

Happy safe surfing
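As an added example (not the thread's tooling and not HijackThis's own code), the screening the helper does by hand on these logs, written as a small Python triage script: it flags O2/O20 entries whose file is missing, O4 Run entries that launch a Windows system-binary name from outside System32 or hand rundll32 a random-looking eight-letter DLL, and O23 services with no vendor. The sample lines are constructed from entries in the logs posted above; the system-binary list and the eight-letter DLL rule are assumptions of the example, and "review" findings need a human look (the Portrait Displays services in this thread would also trip the vendor rule).

```python
"""HijackThis log triage (example for this thread, not HijackThis's code)."""
import ntpath
import re
from dataclasses import dataclass

# Binaries that belong only in %SystemRoot%\System32 (assumption of this example).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "smss.exe"}
SYSTEM32 = r"c:\windows\system32"

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# Drive-letter path ending in a binary extension; tolerates unquoted spaces.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx|sys)\b", re.IGNORECASE)
# Eight lowercase letters and nothing else, the naming style seen in the
# rundll32 entry above (heuristic; legitimate DLLs occasionally match).
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$")


@dataclass
class Finding:
    severity: str   # "high": act on it; "review": verify before touching
    section: str
    reason: str
    line: str


def triage_line(line: str):
    """Return a Finding for one HijackThis entry, or None if nothing stands out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    paths = PATH_RE.findall(body)

    # Registered component whose file is gone: leftover of a partial removal.
    # HJT "Fix checked" only clears the orphaned registry entry.
    if section in {"O2", "O20"} and body.endswith("(file missing)"):
        return Finding("review", section,
                       "orphaned entry: registered component's file is gone", line)

    if section == "O4" and paths:
        target = paths[0]            # program, or the DLL handed to rundll32
        base = ntpath.basename(target).lower()
        folder = ntpath.dirname(target).lower()
        if base in SYSTEM_BINARIES and folder != SYSTEM32:
            return Finding("high", section,
                           f"{base} started from {folder}, not System32", line)
        if "rundll32" in body.lower() and RANDOM_DLL_RE.match(base):
            return Finding("high", section,
                           f"rundll32 loads random-looking DLL {base}", line)

    if section == "O23" and "Unknown owner" in body:
        return Finding("review", section, "service with no vendor information", line)
    return None


def triage(log_text: str):
    """Triage a whole log; findings come back in log order."""
    return [f for f in map(triage_line, log_text.splitlines()) if f]


# Constructed sample assembled from entries seen in this thread's logs.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B52C7EC-D1A3-4054-923C-DD12567F28B1} - C:\WINDOWS\System32\nnnmmml.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [BM77fe1e0a] Rundll32.exe "C:\WINDOWS\System32\fgfjlwms.dll",s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O20 - Winlogon Notify: gzqntaid - gzqntaid.dll (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```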
Getting a lot of popups still. Way back when, I used Spybot Search and Destroy and Ad-Aware. Think this fixes the problem?
Hi, sorry, I usually do a better job of tracking my posts. Good thing you bumped it. Still getting popups? OK, let's see what ComboFix can dig up.

When we are finished you need to visit Windows Updates. You are a service pack behind. It's important to download/apply updates. Why? The updates patch vulnerabilities in the OS and browser that could be exploited and result in malware being introduced.

ComboFix:
Download ComboFix from one of these links and save it to Desktop:
http://subs.geekstogo.com/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

As a precaution, before using ComboFix:
1. * Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
   * Click on the link below to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
   * Remember to re-enable the protection again afterwards before connecting to the net.
   Link: http://www.bleepingcomputer.com/forums/topic114351.html
2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.
   * If you have not already done so, ComboFix will disconnect your machine from the Internet when it starts.
   * If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connections.
3. Now double click on combofix.exe and follow the prompts. When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" along with a new HijackThis log.

Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall or freeze.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:12:12 AM, on 3/28/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Portrait Displays\Plugins\AM\dtsslsrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Tropix\Images\stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Tropix\Images\armhelper.ocx
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Asset Management Daemon - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Plugins\AM\dtsslsrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - C:\Program Files\FileZilla Server\FileZilla Server.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 5100 bytes

ComboFix 08-03-26.3 - Jo Ann 2008-03-28 6:18:38.1 - NTFSx86
Running from: C:\Documents and Settings\Jo Ann\Desktop\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
-- Script messages for sUBs --
MTEE /+ d-delA.dat

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\sanR24
C:\Temp\sanR24\lDii.log
C:\temp\tn3
C:\WINDOWS\BM77fe1e0a.xml
C:\WINDOWS\Fonts\-
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\c2
C:\WINDOWS\system32\c4
C:\WINDOWS\system32\drivers\oprghdlrr.sys
C:\WINDOWS\system32\eedgh.ini
C:\WINDOWS\system32\eedgh.ini2
C:\WINDOWS\system32\k8
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\s7
C:\WINDOWS\system32\UpMedia
C:\WINDOWS\system32\UpMedia\SearchTool.dll
C:\WINDOWS\system32\x3
.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OPRGHDLRR
-------\Service_oprghdlrr


((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-28 )))))))))))))))))))))))))))))))
.

2008-03-27 17:38 . 2008-03-27 17:38 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-27 17:38 . 2008-03-27 17:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-27 17:32 . 2008-03-27 17:32 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-27 14:45 . 2008-03-27 16:20 <DIR> d-------- C:\Program Files\Safari
2008-03-25 08:43 . 2008-03-27 16:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-03-25 08:42 . 2008-03-27 16:21 <DIR> d-------- C:\Program Files\Google
2008-03-24 13:26 . 2008-03-27 14:52 <DIR> d-------- C:\Documents and Settings\Jo Ann\Application Data\FileZilla
2008-03-24 13:12 . 2008-03-28 06:08 <DIR> d-------- C:\Program Files\FileZilla FTP Client
2008-03-19 06:18 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-19 06:16 . 2008-03-19 06:18 <DIR> d-------- C:\Program Files\Java
2008-03-19 06:15 . 2008-03-19 06:15 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-18 22:21 . 2008-03-18 22:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-18 21:16 . 2008-03-18 21:16 <DIR> d-------- C:\VundoFix Backups
2008-03-17 22:03 . 2008-03-17 22:03 <DIR> d-------- C:\Documents and Settings\Jo Ann\Application Data\Malwarebytes
2008-03-17 21:52 . 2008-03-17 21:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-17 21:51 . 2008-03-17 21:52 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-16 20:56 . 2008-03-16 20:56 10,240 --ahs---- C:\WINDOWS\Thumbs.db
2008-03-10 21:49 . 2008-03-10 21:49 <DIR> d-------- C:\Documents and Settings\Jo Ann\Application Data\Wal-Mart Digital Photo Manager
2008-03-10 21:48 . 2008-03-10 21:48 <DIR> d-------- C:\wedding pics 08
2008-03-10 21:44 . 2008-03-10 21:53 <DIR> d-------- C:\Documents and Settings\Jo Ann\Application Data\Wal-Mart Digital Photo Viewer
2008-03-10 18:04 . 2008-03-10 18:04 <DIR> d-------- C:\Documents and Settings\Jo Ann\Application Data\ActiveState
2008-03-10 18:02 . 2008-03-10 18:02 <DIR> d-------- C:\Program Files\ActiveState Komodo Edit 4
2008-03-10 00:19 . 2008-03-10 00:19 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-03-10 00:18 . 2006-10-20 15:21 128,064 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-03-10 00:18 . 2006-10-20 15:21 21,568 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-03-10 00:18 . 2006-10-20 15:21 21,056 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-03-10 00:18 . 2006-10-20 15:21 20,544 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2008-03-10 00:17 . 2008-03-10 00:17 <DIR> d-------- C:\Program Files\Webroot
2008-03-10 00:17 . 2008-03-10 00:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-03-10 00:17 . 2002-08-13 06:09 684,032 --a------ C:\WINDOWS\system32\libeay32.dll
2008-03-10 00:17 . 2002-08-13 06:10 155,648 --a------ C:\WINDOWS\system32\ssleay32.dll
2008-03-10 00:10 . 2008-03-10 00:10 <DIR> d-------- C:\Documents and Settings\Jo Ann\Application Data\Webroot
2008-03-04 08:33 . 2008-03-28 06:12 <DIR> d-------- C:\Documents and Settings\Jo Ann\Application Data\AVG7
2008-03-04 08:32 . 2008-03-04 08:32 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-04 08:32 . 2008-03-04 08:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-04 08:32 . 2008-03-05 17:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-03 21:55 . 2008-03-03 21:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2008-03-03 21:50 .
2008-03-03 21:50 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll 2008-03-03 21:47 . 2008-03-18 06:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio 2008-03-03 21:46 . 2008-03-28 06:19 <DIR> d-------- C:\Temp 2008-03-03 21:46 . 2008-03-03 21:46 167,545 --------- C:\WINDOWS\system32\drivers\core.cache.dsk 2008-03-03 21:46 . 2008-03-03 21:46 167,545 --a------ C:\WINDOWS\system32\drivers\core.cache(7).dsk 2008-03-03 21:46 . 2008-03-03 21:46 167,545 --a------ C:\WINDOWS\system32\drivers\core.cache(6).dsk 2008-03-03 21:46 . 2008-03-03 21:46 167,545 --a------ C:\WINDOWS\system32\drivers\core.cache(5).dsk 2008-03-03 21:46 . 2008-03-03 21:46 167,545 --a------ C:\WINDOWS\system32\drivers\core.cache(4).dsk 2008-03-03 21:46 . 2008-03-03 21:46 167,545 --a------ C:\WINDOWS\system32\drivers\core.cache(3).dsk 2008-03-03 21:46 . 2008-03-03 21:46 167,545 --a------ C:\WINDOWS\system32\drivers\core.cache(2).dsk 2008-03-03 17:42 . 2008-03-03 17:42 <DIR> d-------- C:\Documents and Settings\Jo Ann\Application Data\SpinTop 2008-03-03 17:42 . 2008-03-04 21:30 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP 2008-03-03 16:36 . 2008-03-03 16:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles 2008-02-28 22:21 . 2008-02-28 22:21 <DIR> d-------- C:\Documents and Settings\Jo Ann\Application Data\DisplayTune 2008-02-28 22:11 . 2007-09-14 12:34 11,776 --a------ C:\WINDOWS\system32\drivers\pdiddcci.sys 2008-02-28 22:10 . 2008-03-03 16:28 62,009 --a------ C:\WINDOWS\system32\wpfb_i81xdnt5.dll 2008-02-28 22:10 . 2006-11-16 17:20 15,920 --a------ C:\WINDOWS\system32\drivers\PdiPorts.sys 2008-02-28 22:09 . 2008-02-28 22:09 <DIR> d-------- C:\Program Files\Portrait Displays 2008-02-28 22:09 . 2007-02-09 12:17 62,009 --a------ C:\WINDOWS\system32\WPFB.DLL 2008-02-28 22:09 . 2007-02-09 12:17 17,465 --a------ C:\WINDOWS\system32\drivers\pivot.sys 2008-02-28 22:09 . 
2007-02-09 12:17 11,323 --a------ C:\WINDOWS\system32\drivers\pivotmou.sys 2008-02-28 22:09 . 2004-11-22 12:07 2,304 --a------ C:\WINDOWS\system32\Machnm32.sys 2008-02-28 22:08 . 2008-02-28 22:10 <DIR> d-------- C:\Program Files\Common Files\Portrait Displays 2008-02-28 22:08 . 2008-02-28 22:08 <DIR> d-------- C:\Program Files\Acer Display 2008-02-28 21:54 . 2005-01-05 00:03 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll 2008-02-28 21:52 . 2008-03-03 22:00 <DIR> d-------- C:\Program Files\GameHouse 2008-02-28 07:37 . 2008-02-28 07:37 <DIR> d-------- C:\Documents and Settings\Jo Ann\Application Data\IrfanView . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-03-28 11:19 384 ----a-w C:\Documents and Settings\Jo Ann\Application Data\internaldb6334.dat 2008-03-27 23:11 --------- d-----w C:\Documents and Settings\Jo Ann\Application Data\uTorrent 2008-03-27 21:21 --------- d-----w C:\Program Files\LimeWire 2008-03-25 09:43 --------- d-----w C:\Documents and Settings\Jo Ann\Application Data\LimeWire 2008-03-17 01:57 --------- d-----w C:\Documents and Settings\Jo Ann\Application Data\Image Zone Express 2008-03-04 13:23 --------- d-----w C:\Program Files\Crimson Editor 2008-02-29 03:10 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-02-25 22:03 --------- d-----w C:\Program Files\Microsoft Works 2008-02-24 17:22 --------- d-----w C:\Program Files\Viewpoint 2008-02-14 09:37 --------- d-----w C:\Program Files\BitDownload 2008-02-14 09:36 18,432 ----a-w C:\Documents and Settings\Jo Ann\Application Data\internaldb41.dat 2008-02-14 09:10 537 ----a-w C:\Documents and Settings\Jo Ann\Application Data\internaldb8467.dat 2008-02-14 01:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\WIPE GRID META BIAS 2008-02-10 20:31 --------- d-----w C:\Program Files\PC Wizard 2008 2008-02-10 19:13 --------- d-----w C:\Documents and Settings\Jo Ann\Application Data\Intuit 
2008-02-10 19:00 --------- d-----w C:\Program Files\Common Files\Intuit 2008-02-10 19:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit 2008-02-10 18:59 --------- d-----w C:\Program Files\TurboTax 2007-11-03 14:00 87,608 ----a-w C:\Documents and Settings\Jo Ann\Application Data\inst.exe 2007-11-03 14:00 47,360 ----a-w C:\Documents and Settings\Jo Ann\Application Data\pcouffin.sys 2007-10-25 14:34 2,491 ----a-w C:\Program Files\Microsoft Office FrontPage 2003.lnk 2008-03-05 21:16 27,976 ----a-w C:\Program Files\mozilla firefox\plugins\atgpcdec.dll 2008-03-05 21:16 125,848 ----a-w C:\Program Files\mozilla firefox\plugins\atgpcext.dll 2008-03-05 21:16 98,712 ----a-w C:\Program Files\mozilla firefox\plugins\ieatgpc.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 14:35 67112] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-04 08:36 579072] "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-02-03 21:37 2899968] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-04 08:32 219136] [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^Jo Ann^Start Menu^Programs^Startup^LimeWire On Startup.lnk] path=C:\Documents and Settings\Jo Ann\Start Menu\Programs\Startup\LimeWire On 
Startup.lnk backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup [HKLM\~\startupfolder\C:^Documents and Settings^Jo Ann^Start Menu^Programs^Startup^Picture Motion Browser Media Check Tool.lnk] path=C:\Documents and Settings\Jo Ann\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk backup=C:\WINDOWS\pss\Picture Motion Browser Media Check Tool.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] --a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adstart] C:\WINDOWS\System32\adspipe.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_Run] --a------ 2008-03-04 08:32 219136 C:\PROGRA~1\Grisoft\AVG7\avgw.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileZilla Server Interface] C:\Program Files\FileZilla Server\FileZilla Server Interface.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Host Process] C:\WINDOWS\Fonts\svchost.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update] --a------ 2006-12-10 21:52 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] --a------ 2004-11-15 16:18 1670144 C:\Program Files\Messenger\MSMSGS.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBRY Agent] C:\WINDOWS\System32\Sys32\NBRY.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] --a------ 2002-08-29 07:00 31744 C:\WINDOWS\system32\rundll32.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\qttask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper] --a------ 2006-10-20 15:29 4806144 C:\Program 
Files\Webroot\Spy Sweeper\SpySweeperUI.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe R1 Pivot;Pivot;C:\WINDOWS\System32\drivers\pivot.sys [2007-02-09 12:17] R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\System32\DRIVERS\AN983.sys [2002-08-28 17:59] R3 pivotmou;Pivot Mouse/Pointers Filter Driver;C:\WINDOWS\system32\drivers\pivotmou.sys [2007-02-09 12:17] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc . Contents of the 'Scheduled Tasks' folder "2008-03-27 18:57:13 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-03-28 06:30:26 Windows 5.1.2600 Service Pack 1 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . ------------------------ Other Running Processes ------------------------ . C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\Program Files\Common Files\Portrait Displays\Plugins\AM\dtsslsrv.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe C:\WINDOWS\System32\nvsvc32.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe . ************************************************************************** . 
Completion time: 2008-03-28 6:38:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-28 11:37:47

Pre-Run: 47,334,617,088 bytes free
Post-Run: 48,034,320,384 bytes free
.
2008-02-15 16:21:32 --- E O F ---

So far, after running both of these, I have yet to encounter a popup.
Hi, ok, good, no popups. Let me digest the log.

This: C:\Program Files\BitDownload. It has a "sponsor" called Cidhelp, which is malware. Look for it in the Add/Remove Programs panel and uninstall it. I would also uninstall BitDownload.
Hi, ok, we will use ComboFix again, but first, before using it, disable any real-time protection that may be running, like last time.

Click Start, then Run, type Notepad and click OK. Copy/paste the text in the code box below into Notepad:

Code:
File::
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.cache(7).dsk
C:\WINDOWS\system32\drivers\core.cache(6).dsk
C:\WINDOWS\system32\drivers\core.cache(5).dsk
C:\WINDOWS\system32\drivers\core.cache(4).dsk
C:\WINDOWS\system32\drivers\core.cache(3).dsk
C:\WINDOWS\system32\drivers\core.cache(2).dsk
C:\WINDOWS\system32\vbzip10.dll
C:\Documents and Settings\Jo Ann\Application Data\internaldb41.dat
C:\Documents and Settings\Jo Ann\Application Data\internaldb8467.dat
C:\Documents and Settings\All Users\Application Data\WIPE GRID META BIAS
C:\Program Files\BitDownload
C:\WINDOWS\System32\adspipe.dll
C:\WINDOWS\System32\Sys32\NBRY.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adstart]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Host Process]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBRY Agent]

Name the Notepad file CFScript.txt and save it to your desktop. Now locate the file you just saved and the ComboFix icon, both on the desktop. Using your mouse, drag the CFScript right on top of the ComboFix icon and release; ComboFix will run and produce a new log. Please post the new ComboFix log and a new HJT log.

After we are done you need to visit Windows Update and "get patched": an unpatched OS and applications have known vulnerabilities that can easily be exploited.