Ie popups
   
BullGuard Antivirus Forum > General Security > Spyware > Ie popups  
AznKidd86b (New Member, joined Jan 2006, 8 posts)
Posted 5-6-2008 9:11 (GMT +2)
Internet Explorer automatically runs unwanted popups.
Any suggestions?


HijackThis log:

C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Documents and Settings\t pham\lsass.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\TPHAM~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whynotsearchhere.com/start.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\t pham\lsass.exe
O4 - HKLM\..\Run: [{EA-A2-25-55-DW}] C:\WINDOWS\system32\cdTMP\cdrev132.exe DWram
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\winvi\update.exe" /background
O4 - HKCU\..\Run: [WebSUpdater] "C:\Program Files\winvi\wupda.exe" /background
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\cdTMP\cdrev132.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZN
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
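A triage pass over autostart (O4) and orphaned-component lines like those in the log above, as an added example that is not part of the thread: it flags core Windows binary names running from outside their expected directory (the lsass.exe under the user profile and the svchost.exe under Fonts), images in unusual locations, and entries with no file on disk. The sample lines are constructed from the entries above; the C:\WINDOWS system root and the location heuristics are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample (not the poster's full log): a few lines in HijackThis
# format, modelled on the O3/O4 entries shown in the log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\t pham\lsass.exe
O4 - HKLM\..\Run: [{EA-A2-25-55-DW}] C:\WINDOWS\system32\cdTMP\cdrev132.exe DWram
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\winvi\update.exe" /background
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\cdTMP\cdrev132.exe
O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)
"""

# Assumption: the system root is C:\WINDOWS, as on the poster's machine. These
# core binaries run only from the listed directory; the same name elsewhere is an impostor.
SYSTEM_BINARIES = {
    "lsass.exe": "c:\\windows\\system32",
    "svchost.exe": "c:\\windows\\system32",
    "csrss.exe": "c:\\windows\\system32",
    "winlogon.exe": "c:\\windows\\system32",
    "services.exe": "c:\\windows\\system32",
    "explorer.exe": "c:\\windows",
}

# Lower-case directory markers that rarely host legitimate autostart programs (heuristic).
ODD_LOCATIONS = (
    ("\\fonts\\", "the Fonts directory"),
    ("\\temp\\", "a Temp directory"),
    ("\\documents and settings\\", "a user profile"),
)

RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (?P<name>.+?\.lnk) = (?P<cmd>.+)$")
NOFILE_RE = re.compile(r"^O(?:2|3|9) - .* - \(no file\)$")
IMAGE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|scr|com|bat|cmd|vbs))\b', re.IGNORECASE)

@dataclass
class Finding:
    line: str
    severity: str  # "high", "medium" or "low"
    reason: str

def extract_image(cmd: str) -> Optional[str]:
    """Return the executable or DLL path from an autostart command line."""
    cmd = cmd.strip()
    if cmd.lower().startswith("rundll32 "):  # loader stub: the DLL is what matters
        cmd = cmd[len("rundll32 "):].strip()
    m = IMAGE_RE.match(cmd)
    return m.group("path") if m else None

def assess_image(line: str, image: str) -> List[Finding]:
    """Apply the location heuristics to one parsed autostart image."""
    out: List[Finding] = []
    directory, _, base = image.lower().rpartition("\\")
    expected = SYSTEM_BINARIES.get(base)
    if expected is not None and directory != expected:
        out.append(Finding(line, "high", f"{base} is a core Windows binary but runs from "
                                         f"'{directory or '(search path)'}' instead of '{expected}'"))
    where = directory + "\\"
    for marker, label in ODD_LOCATIONS:
        if marker in where:
            out.append(Finding(line, "medium", f"autostart image lives under {label}"))
            break
    else:  # no odd marker: still flag a subdirectory of system32, which Run keys rarely point into
        if "\\system32\\" in where and not directory.endswith("\\system32"):
            out.append(Finding(line, "medium", "autostart image in a subdirectory of system32"))
    if not directory:
        out.append(Finding(line, "low", "bare file name: resolved via the search path at logon"))
    return out

def triage(log_text: str) -> List[Finding]:
    """Scan HijackThis lines and return the entries worth a closer look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if NOFILE_RE.match(line):
            findings.append(Finding(line, "low", "orphaned entry: registered component has no file on disk"))
            continue
        m = RUN_RE.match(line) or STARTUP_RE.match(line)
        if m:
            image = extract_image(m.group("cmd"))
            if image is not None:
                findings.extend(assess_image(line, image))
    return findings
```

Calling `triage(SAMPLE_LOG)` yields two high findings (the lsass.exe and svchost.exe impostors) plus the cdTMP and orphaned entries; entries such as winvi\update.exe pass the location heuristics and still need a file-hash or vendor check.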
Touch (Forum Moderator, joined Jun 2004, 12213 posts)
Posted 5-6-2008 10:02 (GMT +2)
Hello


Please download Combofix:
download.bleepingcomputer.com/sUBs/ComboFix.exe

And save to the desktop.

Close all other browser windows.

Please connect all your external hard drives/flash drives before running Combofix.



Important: temporarily disable your anti-virus and real-time protection before performing a scan. They can interfere with Combofix or remove some of its embedded files, which may cause "unpredictable results".


Double-click on the combofix icon found on your desktop.

Please note that once you start Combofix you should not click anywhere on the Combofix window, as it can cause the program to stall. In fact, when Combofix is running, do not touch your computer at all and just take a break, as it may take a while for it to complete.

When finished, it will produce a logfile located at C:\combofix.txt.


Post the contents of that log in your next reply with a new hijackthis log.


Do NOT post your problem in someone else's thread.

AznKidd86b (New Member, joined Jan 2006, 8 posts)
Posted 5-6-2008 12:05 (GMT +2)
Directions followed.

Combofix log:

ComboFix 08-05-01.3 - t pham 2008-05-06 5:30:32.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.688 [GMT -4:00]
Running from: C:\Documents and Settings\t pham\My Documents\download\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService.NT AUTHORITY.000\Application Data\NetMon
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Application Data\NetMon\log.txt
C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\NetMon
C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\NetMon\log.txt
C:\Documents and Settings\NetworkService.NT AUTHORITY\Application Data\NetMon
C:\Documents and Settings\NetworkService.NT AUTHORITY\Application Data\NetMon\domains.txt
C:\Documents and Settings\NetworkService.NT AUTHORITY\Application Data\NetMon\log.txt
C:\Documents and Settings\t pham\Application Data\ShoppingReport
C:\Documents and Settings\t pham\Application Data\ShoppingReport\cs\Config.xml
C:\Documents and Settings\t pham\Application Data\ShoppingReport\cs\db\Aliases.dbs
C:\Documents and Settings\t pham\Application Data\ShoppingReport\cs\db\Sites.dbs
C:\Documents and Settings\t pham\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
C:\Documents and Settings\t pham\Application Data\ShoppingReport\cs\report\aggr_storage.xml
C:\Documents and Settings\t pham\Application Data\ShoppingReport\cs\report\send_storage.xml
C:\Documents and Settings\t pham\Application Data\ShoppingReport\cs\res3\WhiteList.dbs
C:\Program Files\Common Files\crosof~1.net
C:\Program Files\Common Files\crosof~1.net\??crosoft.NET\
C:\Program Files\Common Files\crosof~1.net\mshta.exe
C:\Program Files\Common Files\inetget2
C:\Program Files\dns
C:\Program Files\dns\affid.dat
C:\Program Files\dns\regexp.dat
C:\Program Files\dns\regexpDate.dat
C:\Program Files\dns\uid.dat
C:\Program Files\dns\urls.dat
C:\Program Files\dns\version.txt
C:\Program Files\network monitor
C:\Program Files\outlook
C:\Program Files\ShoppingReport
C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
C:\Program Files\ShoppingReport\Uninst.exe
C:\Program Files\sks~1
C:\Program Files\sks~1\dvdplay.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\Fonts\'
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\Fonts\Setup.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\byXPIxuR.dll
C:\WINDOWS\system32\drivers\rdbsss.sys
C:\WINDOWS\system32\lbekmtnf.dll
C:\WINDOWS\system32\msdrives
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\nfivghpp.ini
C:\WINDOWS\system32\nhuakkyx.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pphgvifn.dll
C:\WINDOWS\system32\RuxIPXyb.ini
C:\WINDOWS\system32\RuxIPXyb.ini2
C:\WINDOWS\system32\xxyxVnlJ.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Legacy_RDBSSS
-------\Service_rdbsss


((((((((((((((((((((((((( Files Created from 2008-04-06 to 2008-05-06 )))))))))))))))))))))))))))))))
.

2008-05-06 05:47 . 2008-05-06 05:47 818 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-05-06 05:46 . 2008-05-06 05:46 401,721 --a------ C:\WINDOWS\system32\g34.exe
2008-05-06 05:46 . 2008-05-06 05:46 200,776 --a------ C:\WINDOWS\system32\kcntmkdm.exe
2008-05-06 05:46 . 2008-05-06 05:46 63,893 --a------ C:\WINDOWS\system32\{5098783d-3203-707c-27a3-13257bb0c797}.dll-uninst.exe
2008-05-06 05:46 . 2008-05-06 05:46 49,159 --a------ C:\WINDOWS\system32\rwwnw64d.exe
2008-05-06 05:46 . 2008-05-06 05:46 147 --a------ C:\WINDOWS\system32\msnav32.ax
2008-05-06 05:46 . 2008-05-06 05:46 21 --a------ C:\WINDOWS\system32\zxdnt3d.cfg
2008-05-06 04:21 . 2008-05-06 04:22 109,770 --a------ C:\WINDOWS\BM775d9166.xml
2008-05-06 02:47 . 2008-05-06 02:47 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-06 02:29 . 2008-05-06 02:29 168 --a------ C:\WINDOWS\wininit.ini
2008-05-06 02:23 . 2008-05-06 02:47 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-05-06 02:05 . 2008-05-06 02:05 <DIR> d-------- C:\Documents and Settings\t pham\Application Data\Lavasoft
2008-05-06 01:53 . 2008-05-06 01:57 4,772,407 --a------ C:\Documents and Settings\All Users.aawqff
2008-05-06 01:03 . 2008-05-06 01:04 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-05-06 00:39 . 2008-05-06 00:39 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
2008-05-06 00:21 . 2008-05-06 02:47 <DIR> d-------- C:\Documents and Settings\Administrator.BHOME
2008-05-06 00:21 . 2008-05-06 05:28 1,024 --ah----- C:\Documents and Settings\Administrator.BHOME\NTUSER.DAT.LOG
2008-05-05 16:15 . 2008-05-05 16:15 <DIR> d-------- C:\Temp\maxsv15
2008-05-05 16:15 . 2008-05-05 16:15 85,504 ---hs---- C:\Documents and Settings\t pham\lsass.exe
2008-05-05 01:58 . 2008-05-05 01:58 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-05-05 01:54 . 2008-05-05 01:54 <DIR> d-a------ C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-04-13 21:16 . 2008-04-13 21:44 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\FLEXnet
2008-04-13 21:10 . 2008-04-13 21:10 <DIR> d-------- C:\Program Files\Bonjour
2008-04-13 20:51 . 2008-04-13 20:51 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-04-07 12:20 . 2008-04-07 12:20 330,240 --a------ C:\WINDOWS\system32\{5098783d-3203-707c-27a3-13257bb0c797}.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-06 05:46 --------- d-----w C:\Program Files\BearShare
2008-05-06 05:03 --------- d-----w C:\Program Files\Lavasoft
2008-05-06 05:02 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-06 04:13 37,376 ----a-w C:\WINDOWS\mrofinu1188.exe
2008-05-05 20:15 37,376 ----a-w C:\WINDOWS\mrofinu1188.exe.tmp
2008-05-05 20:15 37,376 ----a-w C:\WINDOWS\mrofinu1000106.exe
2008-05-05 20:15 167,545 ----a-w C:\WINDOWS\system32\drivers\core.cache.dsk
2008-05-05 05:49 --------- d-----w C:\Program Files\BearShare Applications
2008-05-05 05:42 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-05-05 05:42 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Autodesk
2008-05-04 00:18 --------- d-----w C:\Program Files\Starcraft
2008-05-03 09:14 --------- d-----w C:\Documents and Settings\t pham\Application Data\U3
2008-04-14 01:10 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-11 19:45 --------- d-----w C:\Program Files\Autodesk
2008-03-11 19:00 --------- d-----w C:\Program Files\ExtractNow
2008-02-28 06:10 47,504 ----a-w C:\Documents and Settings\t pham\Application Data\GDIPFONTCACHEV1.DAT
2007-04-05 16:01 47,888 ----a-w C:\Documents and Settings\Pham\Application Data\GDIPFONTCACHEV1.DAT
2007-02-10 18:27 47,504 ----a-w C:\Documents and Settings\Tuan Pham\Application Data\GDIPFONTCACHEV1.DAT
2005-07-29 20:24 472 --sha-r C:\WINDOWS\dHBoYW0\xJ1CsqX.vbs
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
-c--a-w 67,112 2006-08-01 20:35:36 C:\Program Files\AIM\bak\aim.exe
----a-w 67,112 2006-08-01 22:35:36 C:\Program Files\AIM\aim.exe

-c--a-w 3,223,552 2006-01-02 16:13:42 C:\Program Files\BearShare\bak\BearShare.exe
----a-w 3,305,472 2006-08-01 21:04:06 C:\Program Files\BearShare\BearShare.exe

-c--a-w 256,576 2006-10-30 14:36:36 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 256,576 2006-10-30 16:36:36 C:\Program Files\iTunes\iTunesHelper.exe

-c--a-w 75,520 2006-12-15 08:23:27 C:\Program Files\Java\jre1.5.0_11\bin\bak\jusched.exe
-c--a-w 37,681 2007-04-08 19:51:27 C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

----a-w 282,624 2006-10-25 23:58:18 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 282,624 2006-10-26 01:58:18 C:\Program Files\QuickTime\qttask.exe

----a-w 715,888 2006-10-30 20:27:24 C:\Program Files\The Weather Channel FW\Desktop Weather\bak\DesktopWeather.exe
----a-w 715,888 2007-03-16 14:51:26 C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c9af66da-b468-9744-55bf-ba865c7fc234}]
2008-04-07 12:20 330240 --a------ C:\WINDOWS\system32\{5098783d-3203-707c-27a3-13257bb0c797}.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2007-03-16 10:51 715888]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2006-11-07 11:29 50736]
"WinUpdater"="C:\Program Files\winvi\update.exe" [ ]
"WebSUpdater"="C:\Program Files\winvi\wupda.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 16:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 21:58 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 12:36 256576]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 06:43 83608]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [ ]
"BearShare"="C:\Program Files\BearShare\BearShare.exe" [2006-08-01 17:04 3305472]
"{EA-A2-25-55-DW}"="c:\windows\system32\rwwnw64d.exe" [2008-05-06 05:46 49159]
"spa_start"="C:\WINDOWS\system32\{5098783d-3203-707c-27a3-13257bb0c797}.dll" [2008-04-07 12:20 330240]
"ExploreUpdSched"="C:\WINDOWS\system32\kcntmkdm.exe" [2008-05-06 05:46 200776]

C:\Documents and Settings\t pham\Start Menu\Programs\Startup\
Deewoo.lnk - C:\WINDOWS\system32\kcntmkdm.exe [2008-05-06 05:46:35 200776]
DW_Start.lnk - C:\WINDOWS\system32\rwwnw64d.exe [2008-05-06 05:46:26 49159]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 02:48:20 40048]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 01:01:50 734872]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 05:18:22 10872]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyxVnlJ]
xxyxVnlJ.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\BearShare\\BearShare.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Starcraft\\StarCraft.exe"=
"C:\\Program Files\\Autodesk\\backburner\\monitor.exe"=
"C:\\Program Files\\Autodesk\\backburner\\manager.exe"=
"C:\\Program Files\\Autodesk\\backburner\\server.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=


.
Contents of the 'Scheduled Tasks' folder
"2008-05-04 00:05:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-06 05:46:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\{5098783d-3203-707c-27a3-13257bb0c797}.dll 330240 bytes executable
C:\WINDOWS\system32\{5098783d-3203-707c-27a3-13257bb0c797}.dll-uninst.exe 63893 bytes executable
C:\WINDOWS\system32\winpfz33.sys 860 bytes

scan completed successfully
hidden files: 3

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-05-06 5:57:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-06 09:57:10

Pre-Run: 46,050,873,344 bytes free
Post-Run: 49,821,683,712 bytes free

216 --- E O F --- 2008-04-09 12:56:57



HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:00:57 AM, on 5/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\windows\system32\rwwnw64d.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\kcntmkdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\TPHAM~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: TwcToolbarBhoApp Class - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - C:\WINDOWS\system32\TwcToolbarBho.dll
O2 - BHO: gooochi browser optimizer - {c9af66da-b468-9744-55bf-ba865c7fc234} - C:\WINDOWS\system32\{5098783d-3203-707c-27a3-13257bb0c797}.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [{EA-A2-25-55-DW}] c:\windows\system32\rwwnw64d.exe DWram
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\winvi\update.exe" /background
O4 - HKCU\..\Run: [WebSUpdater] "C:\Program Files\winvi\wupda.exe" /background
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\kcntmkdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZN
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O20 - Winlogon Notify: xxyxVnlJ - xxyxVnlJ.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

What's the diagnosis, doc?
Appreciate all your help thus far.
Touch (Forum Moderator, joined Jun 2004, 12213 posts)
Posted 5-8-2008 4:06 (GMT +2)
It's not good.


1. Download AVG Anti-Virus Free Edition.
2. AVG Free Anti-Virus can be downloaded from free.grisoft.com/doc/2/lng/us/tpl/v5.
3. Scroll down the page and click Download Free Version. Under the Windows section, click to download the file under AVG Free for Windows installation files. Click OK to save the file to your PC.
4. Double-click the file you downloaded, and click Next on the welcome screen. Click Accept to agree to the License Agreement. Choose Standard Installation, then click Next.
5. A window will now pop up if there are any available updates. Click Update to download them. AVG will download and automatically install any updates. Click OK when finished.
6. Back on the First Run window, click Next to proceed. Leave the Daily Scanning settings as they are and click Next.
7. You now have the option to perform a scan to test your computer for viruses.
8. Click Scan computer!


Reboot, then post a new HijackThis log.


Do NOT post your problem in someone else's thread.
