Popups appearing

Question

I did a scan with Hijack this and this keeps appearing   Logfile of Trend Micro HijackThis v2.0.2Scan saved at 2:57:42 AM, on 4/22/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v8.00 (8.00.6001.17184)Boot mode: Normal Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\PROGRA~1\Grisoft\AVG7\avgamsvr.exeC:\PROGRA~1\Grisoft\AVG7\avgupsvc.exeC:\PROGRA~1\Grisoft\AVG7\avgemc.exeC:\WINDOWS\eHome\ehRecvr.exeC:\WINDOWS\eHome\ehSched.exeC:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exeC:\WINDOWS\system32
vsvc32.exeC:\Program Files\Prime95\Prime95.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\dllhost.exeC:\Program Files\LimeWire\LimeWire.exeC:\Program Files\Windows Live\Messenger\usnsvc.exeC:\Program Files\Windows Live\Messenger\msnmsgr.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeC:\Program Files\Internet Explorer\IEXPLORE.EXEC:\Program Files\Internet Explorer\IEXPLORE.EXEC:\Program Files\Internet Explorer\IEXPLORE.EXEC:\Program Files\Internet Explorer\IEXPLORE.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup --End of file - 1362 bytes   This is the problem one I think, O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup   but I cannot seem to get rid of it, it keeps coming back...   Someone help me get this thing off my computer and stop these stupid popups.   Thanks

bamajim · Answer

ccwitt

Looks like you have just about striped the PC in an effor to solve your problem

1. Go HERE and download File Lister.

Save it to your Desktop
Rt Click ->> Extract all ->> And extract it to your Desktop
Additional help on extracting zip files can be found HERE
Open the File Lister Folder.
Rt Click FileLister.vbe ->>Select Open Then Open to confirm.
As the program runs, it will appear that nothing is happening.
When the program is fnished it will produce a log for you C:\Files.txt

Copy and paste the contents of that log in your reply.

Microsoft MVP Consumer-Security

CastleCops Instructor

"The world is what you make of it"

ccwitt · Answer

Part 3

=== Running Processes ======

System Idle Process   [0]
System   [4]
smss.exe   [616]   \SystemRoot\System32\smss.exe
csrss.exe   [664]
winlogon.exe   [692]   winlogon.exe
services.exe   [736]   C:\WINDOWS\system32\services.exe
lsass.exe   [748]   C:\WINDOWS\system32\lsass.exe
svchost.exe   [920]   C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe   [988]
svchost.exe   [1084]   C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe   [1232]
svchost.exe   [1312]
spoolsv.exe   [1512]   C:\WINDOWS\system32\spoolsv.exe
explorer.exe   [1852]   C:\WINDOWS\Explorer.EXE
avgamsvr.exe   [304]   C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
avgupsvc.exe   [344]   C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
avgemc.exe   [416]   C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
ehRecvr.exe   [440]   C:\WINDOWS\eHome\ehRecvr.exe
ehSched.exe   [464]   C:\WINDOWS\eHome\ehSched.exe
mdm.exe   [500]   "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"
nvsvc32.exe   [608]   C:\WINDOWS\system32\nvsvc32.exe
Prime95.exe   [752]   "C:\Program Files\Prime95\Prime95.exe"
svchost.exe   [1112]   C:\WINDOWS\system32\svchost.exe -k imgsvc
dllhost.exe   [2044]   C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
alg.exe   [2528]
LimeWire.exe   [2920]   "C:\Program Files\LimeWire\LimeWire.exe"
usnsvc.exe   [328]   "C:\Program Files\Windows Live\Messenger\usnsvc.exe"
YahooMessenger.exe   [2096]   "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"
iexplore.exe   [3076]   "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://login.yahoo.com/config/reset_cookies_token?.token=HAIPi_1SliSnVi4B8FU4EbdL4EOHX3MWZ0GOZf46QO0G8dMF2Sd5jyjUOHUEdUugAQtBbpFsaUfxsrBHv9jnHodA0lzET05jLi.AXyMQHragkty9pVLEc4yzo6vmXDLANfw8bvSx9gr2P15qyuvS9q8Q_hGaNWJfqhRZfKYUEuFpb2nIoGPOfl6pjAJ4imHLyNM9F_XruuADEE.0UTtid9zlln1nNZvQEs8l7Bx4nRkmg9EQvhsILQ9KAqQ2wsb3DiXSCpHOIoFR32QPSbX4oRK3KVkLjZbkwgVaMDDyv2r2La.xA7S9K8nfzYBxRQyQSrYvpXNFPKXoo.FSaYNhOx_Xgdd.WJOv7d9BC43gcfoiduEWFY58HQsBWCX5fhcmnt0VR3oGNbGBxB_Z7N4wseP2eilOcnL5aYeTmaI-
&.done=http://us.rd.yahoo.com/messenger/client/%3fhttp://mail.yahoo.com/
iexplore.exe   [1764]   "C:\Program Files\Internet Explorer\IEXPLORE.EXE" SCODEF:3076 CREDAT:12801
wuauclt.exe   [2752]   "C:\WINDOWS\system32\wuauclt.exe" /RunStoreAsComServer Local\[43c]SUSDS19706ac59dc7fc40b85881d46bb18286
msiexec.exe   [2676]   C:\WINDOWS\system32\msiexec.exe /V
wscript.exe   [3904]   "C:\WINDOWS\System32\WScript.exe" "C:\Documents and Settings\Collin Witt.XPS-700\Desktop\FileLister.vbe"
wmiprvse.exe   [1920]
wmiprvse.exe   [3588]

=== Uninstall List From Registry ======

Adobe Flash Player ActiveX
Adobe Shockwave Player
AVG 7.5
AVS DVD Player version 2.4
Otto
HijackThis 2.0.2
HTML-Kit
Windows Internet Explorer 8 Beta 1
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows Media Format SDK Hotfix - KB891122
Windows XP Hotfix - KB891781
Windows Genuine Advantage Validation Tool (KB892130)
Security Update for Windows XP (KB893756)
Windows Installer 3.1 (KB893803)
Update for Windows XP (KB894391)
Hotfix for Windows XP (KB896344)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Update for Windows XP (KB900485)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Update for Windows XP (KB904942)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Update for Windows XP (KB908531)
Hotfix for Windows XP (KB908673)
Microsoft Base Smart Card Cryptographic Service Provider Package
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Update for Windows XP (KB916595)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Update for Windows XP (KB920342)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Update for Windows XP (KB920872)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Update for Windows XP (KB922582)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB925454)
Update for Windows XP (KB925720)
Update for Windows XP (KB925876)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Update for Windows XP (KB927891)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Update for Windows XP (KB929338)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Update for Windows XP (KB930916)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Update for Windows XP (KB931836)
Security Update for Windows XP (KB932168)
Update for Windows XP (KB933360)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Update for Windows XP (KB936357)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Update for Windows XP (KB938828)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Update for Windows XP (KB946501-v2)
Update for Windows XP (KB946627)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
LimeWire 4.17.6
MS Access 97 SP2
NVIDIA Drivers
RealPlayer
Tweak UI
Viewpoint Media Player
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Notifications (KB905474)
Windows Imaging Component
Winamp (remove only)
Windows Media Encoder 9 Series
Windows Media Format Runtime
Windows Media Video 9 Advanced Profile Codec
XP Codec Pack
XML Paper Specification Shared Components Pack 1.0
Yahoo! ¤u¨ã¦C
Yahoo! Browser Services
Yahoo! Browser Services
Yahoo! Messenger
Macromedia Dreamweaver 8
Windows Live Mail
Sound Blaster X-Fi
Google Earth
Broadcom Advanced Control Suite
Creative MediaSource
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
Java(TM) SE Runtime Environment 6 Update 1
WebFldrs XP
Windows Live Messenger
Macromedia Extension Manager
Java 2 Runtime Environment, SE v1.4.2_03
Microsoft Office XP Professional with FrontPage
Google SketchUp 6
Sonic Encoders
SigmaTel Audio
Nero - Burning Rom
Windows Live installer
Adobe Reader 8.1.2
Windows Live Sign-in Assistant
Calculator Powertoy for Windows XP
Google SketchUp 6
Broadcom Gigabit Integrated Controller
QuickTime
Windows Media Encoder 9 Series
Dell Resource CD

ccwitt · Answer

So now what?

+++++++++++++++++++++++++++++++++
+
+ File Lister
+
+ Version 1.0.1
+
+ By bamajim
+
+++++++++++++++++++++++++++++++++

=== Values under HKLM\~\Run ======

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
@=""

=== Values under HKCU\~\Run ======

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

=== Folders and Files from "C:\" and "C:\Windows" Created Last 30 Days ======

3/29/2008 4:09:39 AM    273468    C:\$VAULT$.AVG
3/29/2008 4:09:49 AM    36368826    C:\4c847bb32b7059a1467ae2df30
3/29/2008 4:09:49 AM    196096    C:\4c847bb32b7059a1467ae2df30\support
3/29/2008 4:09:49 AM    4517239    C:\4c847bb32b7059a1467ae2df30\update
3/24/2008 12:20:07 PM    0    C:\Config.Msi
3/29/2008 4:09:44 AM    0    C:\Inetpub
3/29/2008 4:09:44 AM    0    C:\Inetpub\wwwroot
3/27/2008 1:21:03 AM    0    C:\Temp
3/28/2008 3:17:40 PM    0    C:\Temp\tn3
3/28/2008 2:54:25 AM    7842    32    C:\caisslog.txt
4/22/2008 11:36:36 AM    0    32    C:\Files.txt
3/28/2008 2:42:15 AM    2383    32    C:\rapport.txt
3/24/2008 10:37:38 AM    268    34    C:\sqmdata09.sqm
3/24/2008 12:22:24 PM    268    34    C:\sqmdata10.sqm
3/24/2008 1:39:12 PM    268    34    C:\sqmdata11.sqm
3/24/2008 1:49:16 PM    268    34    C:\sqmdata12.sqm
3/25/2008 12:31:06 AM    268    34    C:\sqmdata13.sqm
3/25/2008 12:57:13 AM    268    34    C:\sqmdata14.sqm
3/25/2008 2:35:36 PM    268    34    C:\sqmdata15.sqm
3/25/2008 2:37:19 PM    268    34    C:\sqmdata16.sqm
3/24/2008 10:37:38 AM    244    34    C:\sqmnoopt09.sqm
3/24/2008 12:22:24 PM    244    34    C:\sqmnoopt10.sqm
3/24/2008 1:39:12 PM    244    34    C:\sqmnoopt11.sqm
3/24/2008 1:49:16 PM    244    34    C:\sqmnoopt12.sqm
3/25/2008 12:31:06 AM    244    34    C:\sqmnoopt13.sqm
3/25/2008 12:57:13 AM    244    34    C:\sqmnoopt14.sqm
3/25/2008 2:35:36 PM    244    34    C:\sqmnoopt15.sqm
3/25/2008 2:37:19 PM    244    34    C:\sqmnoopt16.sqm
4/8/2008 7:34:14 PM    2438688    C:\WINDOWS\$NtUninstallKB941693$
4/8/2008 7:34:14 PM    595104    C:\WINDOWS\$NtUninstallKB941693$\spuninst
4/8/2008 7:33:01 PM    789617    C:\WINDOWS\$NtUninstallKB945553$
4/8/2008 7:33:01 PM    595569    C:\WINDOWS\$NtUninstallKB945553$\spuninst
3/28/2008 1:03:13 AM    889943    C:\WINDOWS\$NtUninstallKB946501-v2$
3/28/2008 1:03:13 AM    595543    C:\WINDOWS\$NtUninstallKB946501-v2$\spuninst
4/8/2008 7:34:08 PM    877138    C:\WINDOWS\$NtUninstallKB948590$
4/8/2008 7:34:08 PM    595026    C:\WINDOWS\$NtUninstallKB948590$\spuninst
4/8/2008 7:34:20 PM    692422    C:\WINDOWS\$NtUninstallKB948881$
4/8/2008 7:34:20 PM    594118    C:\WINDOWS\$NtUninstallKB948881$\spuninst
4/7/2008 4:16:33 AM    8649121    C:\WINDOWS\ie8
4/7/2008 4:16:33 AM    989601    C:\WINDOWS\ie8\spuninst
3/28/2008 3:47:59 PM    910    32    C:\WINDOWS\Active Setup Log.BAK
3/28/2008 3:47:59 PM    909    32    C:\WINDOWS\Active Setup Log.txt
3/28/2008 2:38:04 PM    23651    32    C:\WINDOWS\BM9f58884b.txt
3/28/2008 2:38:05 PM    140296    32    C:\WINDOWS\BM9f58884b.xml
3/29/2008 5:04:07 AM    247    32    C:\WINDOWS\cookies.ini
3/27/2008 10:56:40 PM    10569    32    C:\WINDOWS\CSTBox.INI
3/24/2008 10:34:18 AM    347    32    C:\WINDOWS\CTWave32.INI
3/28/2008 1:04:26 AM    160718    32    C:\WINDOWS\ie8.log
3/28/2008 2:28:14 AM    98655    32    C:\WINDOWS\ie8Uninst.log
3/28/2008 1:01:07 AM    185136    32    C:\WINDOWS\ie8_main.log
4/8/2008 6:40:05 PM    20065    32    C:\WINDOWS\KB941693.log
4/8/2008 6:39:57 PM    19797    32    C:\WINDOWS\KB945553.log
3/28/2008 1:02:26 AM    14280    32    C:\WINDOWS\KB946501-v2.log
4/8/2008 6:40:03 PM    19865    32    C:\WINDOWS\KB948590.log
4/8/2008 7:34:18 PM    11664    32    C:\WINDOWS\KB948881.log
3/28/2008 2:58:40 AM    0    32    C:\WINDOWS\pestpatrol5.INI
3/28/2008 2:38:04 PM    22    32    C:\WINDOWS\pskt.ini
3/24/2008 10:33:27 AM    29    32    C:\WINDOWS\sfbm.INI
3/27/2008 4:46:44 PM    0    C:\WINDOWS\system32\aqVreo18
3/27/2008 4:56:40 PM    1383458    C:\WINDOWS\system32\E177E04D548C4006A465EEB92D3DE021
3/30/2008 10:15:50 PM    128    C:\WINDOWS\system32\E177E04D548C4006A465EEB92D3DE021\Continous Storage
3/30/2008 10:15:50 PM    128    C:\WINDOWS\system32\E177E04D548C4006A465EEB92D3DE021\Continous Storage\JWOYTVPITEDJCHYUGDR5XL6BSC
3/30/2008 10:15:50 PM    0    C:\WINDOWS\system32\E177E04D548C4006A465EEB92D3DE021\Discrete Storage
3/27/2008 4:56:44 PM    2126    C:\WINDOWS\system32\E177E04D548C4006A465EEB92D3DE021\EC-License
3/27/2008 4:56:44 PM    560    C:\WINDOWS\system32\E177E04D548C4006A465EEB92D3DE021\License-DLL
3/27/2008 4:56:44 PM    560    C:\WINDOWS\system32\E177E04D548C4006A465EEB92D3DE021\License-DLL\GQPRLG1LPBKREPCN2X44ZEABQF
3/27/2008 4:56:44 PM    68    C:\WINDOWS\system32\E177E04D548C4006A465EEB92D3DE021\Licenses
3/27/2008 4:56:42 PM    858280    C:\WINDOWS\system32\E177E04D548C4006A465EEB92D3DE021\Publisher Runtime
3/27/2008 4:56:42 PM    858280    C:\WINDOWS\system32\E177E04D548C4006A465EEB92D3DE021\Publisher Runtime\SOQSZ5635UA41RS5EEVO1TPUGA
3/27/2008 4:56:42 PM    856576    C:\WINDOWS\system32\E177E04D548C4006A465EEB92D3DE021\Publisher Runtime\SOQSZ5635UA41RS5EEVO1TPUGA\Objects
3/27/2008 4:56:42 PM    1704    C:\WINDOWS\system32\E177E04D548C4006A465EEB92D3DE021\Publisher Runtime\SOQSZ5635UA41RS5EEVO1TPUGA\Security
3/27/2008 4:56:40 PM    522296    C:\WINDOWS\system32\E177E04D548C4006A465EEB92D3DE021\Runtime
3/27/2008 4:56:40 PM    521728    C:\WINDOWS\system32\E177E04D548C4006A465EEB92D3DE021\Runtime\Objects
3/27/2008 4:56:40 PM    568    C:\WINDOWS\system32\E177E04D548C4006A465EEB92D3DE021\Runtime\Security
3/27/2008 4:56:40 PM    0    C:\WINDOWS\system32\E177E04D548C4006A465EEB92D3DE021\Temp
3/30/2008 10:15:50 PM    0    C:\WINDOWS\system32\E177E04D548C4006A465EEB92D3DE021\Test Storage
4/5/2008 10:53:20 PM    4449916    C:\WINDOWS\system32\GroupPolicy
4/5/2008 10:53:20 PM    4435275    C:\WINDOWS\system32\GroupPolicy\Adm
4/5/2008 10:53:20 PM    14408    C:\WINDOWS\system32\GroupPolicy\Machine
4/5/2008 10:53:31 PM    0    C:\WINDOWS\system32\GroupPolicy\Machine\Scripts
4/5/2008 10:53:31 PM    0    C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Shutdown
4/5/2008 10:53:31 PM    0    C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Startup
4/5/2008 10:53:20 PM    0    C:\WINDOWS\system32\GroupPolicy\User
4/5/2008 10:55:46 PM    0    C:\WINDOWS\system32\GroupPolicy\User\MICROSOFT
4/5/2008 10:55:46 PM    0    C:\WINDOWS\system32\GroupPolicy\User\MICROSOFT\IEAK
4/5/2008 10:55:29 PM    0    C:\WINDOWS\system32\GroupPolicy\User\Scripts
4/5/2008 10:55:29 PM    0    C:\WINDOWS\system32\GroupPolicy\User\Scripts\Logoff
4/5/2008 10:55:29 PM    0    C:\WINDOWS\system32\GroupPolicy\User\Scripts\Logon
3/27/2008 4:46:47 PM    139457    C:\WINDOWS\system32\IDME
3/28/2008 3:59:11 PM    0    C:\WINDOWS\system32\Logfiles
3/24/2008 12:18:42 PM    314584    C:\WINDOWS\system32\NtmsData
3/27/2008 4:46:47 PM    136111    C:\WINDOWS\system32\usnv
3/27/2008 4:46:47 PM    0    C:\WINDOWS\system32\winz1
3/27/2008 4:46:47 PM    0    C:\WINDOWS\system32\xTmp
3/29/2008 5:01:48 AM    89088    32    C:\WINDOWS\system32\atl71.dll
4/9/2008 8:20:26 AM    24576    33    C:\WINDOWS\system32\BAZLib.dll
4/9/2008 8:20:26 AM    208896    32    C:\WINDOWS\system32\ConTest.dll
4/5/2008 4:58:22 PM    100    32    C:\WINDOWS\system32\ikhcore.cfg
3/30/2008 12:41:29 PM    143    32    C:\WINDOWS\system32\mcrh.tmp
3/27/2008 4:51:38 PM    296359    38    C:\WINDOWS\system32\MUBKnnmp.ini
3/27/2008 4:51:39 PM    296359    38    C:\WINDOWS\system32\MUBKnnmp.ini2
3/28/2008 1:04:53 AM    61440    32    C:\WINDOWS\system32\SET20.tmp
3/28/2008 1:04:53 AM    99840    32    C:\WINDOWS\system32\SET21.tmp
3/28/2008 1:04:53 AM    35328    32    C:\WINDOWS\system32\SET22.tmp
3/28/2008 1:04:53 AM    357888    32    C:\WINDOWS\system32\SET23.tmp
3/28/2008 1:04:53 AM    205824    32    C:\WINDOWS\system32\SET24.tmp
3/28/2008 1:04:58 AM    423936    32    C:\WINDOWS\system32\SET25.tmp
3/28/2008 1:04:53 AM    34304    32    C:\WINDOWS\system32\SET26.tmp
3/28/2008 1:04:53 AM    139264    32    C:\WINDOWS\system32\SET27.tmp
3/28/2008 1:04:53 AM    216576    32    C:\WINDOWS\system32\SET28.tmp
3/28/2008 1:04:53 AM    221184    32    C:\WINDOWS\system32\SET29.tmp
3/28/2008 1:04:53 AM    323584    32    C:\WINDOWS\system32\SET2A.tmp
3/28/2008 1:04:53 AM    81920    32    C:\WINDOWS\system32\SET2B.tmp
3/28/2008 1:04:53 AM    251904    32    C:\WINDOWS\system32\SET2C.tmp
3/28/2008 1:04:53 AM    48640    32    C:\WINDOWS\system32\SET2D.tmp
3/28/2008 1:04:53 AM    62976    32    C:\WINDOWS\system32\SET2E.tmp
3/28/2008 1:04:58 AM    23024    32    C:\WINDOWS\system32\SET2F.tmp
3/28/2008 1:04:53 AM    35840    32    C:\WINDOWS\system32\SET30.tmp
3/28/2008 1:04:53 AM    358400    32    C:\WINDOWS\system32\SET31.tmp
3/28/2008 1:04:53 AM    96256    32    C:\WINDOWS\system32\SET32.tmp
3/28/2008 1:04:53 AM    450560    32    C:\WINDOWS\system32\SET33.tmp
3/28/2008 1:04:53 AM    16384    32    C:\WINDOWS\system32\SET34.tmp
3/28/2008 1:04:53 AM    22016    32    C:\WINDOWS\system32\SET35.tmp
3/28/2008 1:04:53 AM    29184    32    C:\WINDOWS\system32\SET36.tmp
3/28/2008 1:04:53 AM    3066368    32    C:\WINDOWS\system32\SET37.tmp
3/28/2008 1:04:53 AM    1351168    32    C:\WINDOWS\system32\SET38.tmp
3/28/2008 1:04:53 AM    449024    32    C:\WINDOWS\system32\SET39.tmp
3/28/2008 1:04:53 AM    56832    32    C:\WINDOWS\system32\SET3A.tmp
3/28/2008 1:04:53 AM    146432    32    C:\WINDOWS\system32\SET3B.tmp
3/28/2008 1:04:53 AM    146432    32    C:\WINDOWS\system32\SET3C.tmp
3/28/2008 1:04:53 AM    532480    32    C:\WINDOWS\system32\SET3D.tmp
3/28/2008 1:04:53 AM    96256    32    C:\WINDOWS\system32\SET3E.tmp
3/28/2008 1:04:53 AM    39424    32    C:\WINDOWS\system32\SET3F.tmp
3/28/2008 1:04:54 AM    61440    32    C:\WINDOWS\system32\SET40.tmp
3/28/2008 1:04:54 AM    37888    32    C:\WINDOWS\system32\SET41.tmp
3/28/2008 1:04:54 AM    617984    32    C:\WINDOWS\system32\SET42.tmp
3/28/2008 1:04:54 AM    417792    32    C:\WINDOWS\system32\SET43.tmp
3/28/2008 1:04:54 AM    276480    32    C:\WINDOWS\system32\SET44.tmp
3/28/2008 1:04:54 AM    666112    32    C:\WINDOWS\system32\SET45.tmp
3/25/2008 12:55:17 AM    1080    32    C:\WINDOWS\system32\settings.sfm
3/25/2008 12:55:17 AM    1080    32    C:\WINDOWS\system32\settingsbkup.sfm
4/9/2008 8:20:26 AM    20480    33    C:\WINDOWS\system32\SysRestore.dll
3/27/2008 4:46:54 PM    200765    32    C:\WINDOWS\system32\tcntkkwd.exe
3/28/2008 2:42:37 AM    1474    32    C:\WINDOWS\system32\tmp.reg
3/28/2008 2:42:37 AM    0    32    C:\WINDOWS\system32\tmp.txt
3/27/2008 4:50:21 PM    147456    32    C:\WINDOWS\system32\vbzip10.dll
3/29/2008 4:56:31 AM    1583724    38    C:\WINDOWS\system32\weyljaox.ini
3/27/2008 4:47:00 PM    935    32    C:\WINDOWS\system32\winpfz37.sys

ccwitt · Answer

Part 2   === Files under '\Administrator\Startup' Last 30 Days====== === Files under 'All Users\Startup' Last 30 Days====== === Folders under '\Program Files' Last 30 Days====== 4/9/2008 8:20:22 AM    0    C:\Program Files\Ascentive4/7/2008 4:49:04 AM    4057088    C:\Program Files\Registry Easy3/30/2008 5:28:52 PM    53736760    C:\Program Files\Windows Live3/30/2008 5:28:52 PM    2237634    C:\Program Files\Windows Live\installer3/30/2008 5:33:46 PM    20604217    C:\Program Files\Windows Live\Mail3/30/2008 5:33:47 PM    548412    C:\Program Files\Windows Live\Mail\Proof3/30/2008 5:33:47 PM    548412    C:\Program Files\Windows Live\Mail\Proof\prf00093/30/2008 5:33:47 PM    548412    C:\Program Files\Windows Live\Mail\Proof\prf0009\23/30/2008 5:33:47 PM    246751    C:\Program Files\Windows Live\Mail\Stationery3/30/2008 5:31:43 PM    30894909    C:\Program Files\Windows Live\Messenger3/30/2008 5:31:43 PM    3478161    C:\Program Files\Windows Live\Messenger\Device Manager3/30/2008 5:31:43 PM    1417648    C:\Program Files\Windows Live\Messenger\Device Manager\Loc3/30/2008 5:31:44 PM    75664    C:\Program Files\Windows Live\Messenger\Device Manager\Loc\103/30/2008 5:31:44 PM    71568    C:\Program Files\Windows Live\Messenger\Device Manager\Loc\10283/30/2008 5:31:43 PM    75664    C:\Program Files\Windows Live\Messenger\Device Manager\Loc\10463/30/2008 5:31:44 PM    75152    C:\Program Files\Windows Live\Messenger\Device Manager\Loc\113/30/2008 5:31:44 PM    75664    C:\Program Files\Windows Live\Messenger\Device Manager\Loc\123/30/2008 5:31:44 PM    75152    C:\Program Files\Windows Live\Messenger\Device Manager\Loc\163/30/2008 5:31:43 PM    72592    C:\Program Files\Windows Live\Messenger\Device Manager\Loc\173/30/2008 5:31:43 PM    72592    C:\Program Files\Windows Live\Messenger\Device Manager\Loc\183/30/2008 5:31:44 PM    75152    C:\Program Files\Windows Live\Messenger\Device Manager\Loc\193/30/2008 5:31:44 PM    74640    C:\Program Files\Windows Live\Messenger\Device Manager\Loc\203/30/2008 5:31:44 PM    75664    C:\Program Files\Windows Live\Messenger\Device Manager\Loc\223/30/2008 5:31:43 PM    74640    C:\Program Files\Windows Live\Messenger\Device Manager\Loc\253/30/2008 5:31:44 PM    75152    C:\Program Files\Windows Live\Messenger\Device Manager\Loc\293/30/2008 5:31:44 PM    74640    C:\Program Files\Windows Live\Messenger\Device Manager\Loc\313/30/2008 5:31:43 PM    71568    C:\Program Files\Windows Live\Messenger\Device Manager\Loc\43/30/2008 5:31:44 PM    75152    C:\Program Files\Windows Live\Messenger\Device Manager\Loc\63/30/2008 5:31:43 PM    75664    C:\Program Files\Windows Live\Messenger\Device Manager\Loc\73/30/2008 5:31:44 PM    76688    C:\Program Files\Windows Live\Messenger\Device Manager\Loc\83/30/2008 5:31:44 PM    74640    C:\Program Files\Windows Live\Messenger\Device Manager\Loc\9 === Files under '\System32\Drivers' Last 30 Days====== 3/27/2008 4:46:48 PM    167545    32    C:\WINDOWS\system32\drivers\core.cache(2).dsk3/27/2008 4:46:48 PM    167545    32    C:\WINDOWS\system32\drivers\core.cache(3).dsk3/27/2008 4:46:48 PM    167545    32    C:\WINDOWS\system32\drivers\core.cache(4).dsk3/27/2008 4:46:48 PM    167545    32    C:\WINDOWS\system32\drivers\core.cache(5).dsk4/5/2008 10:39:06 PM    167545    32    C:\WINDOWS\system32\drivers\core.cache.dsk3/27/2008 4:46:48 PM    86016    32    C:\WINDOWS\system32\drivers\Dot44.sys === Files under '\User\Local Settings\Temp' Last 30 Days====== 3/27/2008 4:46:48 PM    167545    32    C:\WINDOWS\system32\drivers\core.cache(2).dsk3/27/2008 4:46:48 PM    167545    32    C:\WINDOWS\system32\drivers\core.cache(3).dsk3/27/2008 4:46:48 PM    167545    32    C:\WINDOWS\system32\drivers\core.cache(4).dsk3/27/2008 4:46:48 PM    167545    32    C:\WINDOWS\system32\drivers\core.cache(5).dsk4/5/2008 10:39:06 PM    167545    32    C:\WINDOWS\system32\drivers\core.cache.dsk3/27/2008 4:46:48 PM    86016    32    C:\WINDOWS\system32\drivers\Dot44.sys === Files and Folders under 'All Users\Application Data' Last 30 Days====== === Values under HKLM\Software\microsoft\shared tools\msconfig\startupreg ====== HKLM\Software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware HKLM\Software\microsoft\shared tools\msconfig\startupreg\9c6bbbd7 HKLM\Software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher HKLM\Software\microsoft\shared tools\msconfig\startupreg\Aim6 HKLM\Software\microsoft\shared tools\msconfig\startupreg\AVG7_CC HKLM\Software\microsoft\shared tools\msconfig\startupreg\BM9f58884b HKLM\Software\microsoft\shared tools\msconfig\startupreg\CTDVDDET HKLM\Software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe HKLM\Software\microsoft\shared tools\msconfig\startupreg\CTHelper HKLM\Software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp HKLM\Software\microsoft\shared tools\msconfig\startupreg\ehTray HKLM\Software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched HKLM\Software\microsoft\shared tools\msconfig\startupreg\Host Process HKLM\Software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1 HKLM\Software\microsoft\shared tools\msconfig\startupreg\ISUSPM HKLM\Software\microsoft\shared tools\msconfig\startupreg\iTunesHelper HKLM\Software\microsoft\shared tools\msconfig\startupreg\LSA Shellu HKLM\Software\microsoft\shared tools\msconfig\startupreg\MDNS HKLM\Software\microsoft\shared tools\msconfig\startupreg\MSMSGS HKLM\Software\microsoft\shared tools\msconfig\startupreg\MsnMsgr HKLM\Software\microsoft\shared tools\msconfig\startupreg\MSPY2002 HKLM\Software\microsoft\shared tools\msconfig\startupreg\NeroCheck HKLM\Software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon HKLM\Software\microsoft\shared tools\msconfig\startupreg\OE_OEM HKLM\Software\microsoft\shared tools\msconfig\startupreg\OpwareSE4 HKLM\Software\microsoft\shared tools\msconfig\startupreg\pccguide.exe HKLM\Software\microsoft\shared tools\msconfig\startupreg\PHIME2002A HKLM\Software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync HKLM\Software\microsoft\shared tools\msconfig\startupreg\PostSetupCheck HKLM\Software\microsoft\shared tools\msconfig\startupreg\QuickTime Task HKLM\Software\microsoft\shared tools\msconfig\startupreg\runner1 HKLM\Software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate HKLM\Software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched HKLM\Software\microsoft\shared tools\msconfig\startupreg\TkBellExe HKLM\Software\microsoft\shared tools\msconfig\startupreg\UIUCU HKLM\Software\microsoft\shared tools\msconfig\startupreg\UpdReg HKLM\Software\microsoft\shared tools\msconfig\startupreg\VolPanel HKLM\Software\microsoft\shared tools\msconfig\startupreg\WinampAgent HKLM\Software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager === BHO's under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects ====== HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\

bamajim · Answer

ccwitt

You have a minor rootkit infection

Please download Combofix and save to your desktop:

Note: It is important that it is saved directly to your desktop
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the contents of the C:\ComboFix.txt into your next reply.
Note: Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.

Microsoft MVP Consumer-Security

CastleCops Instructor

"The world is what you make of it"

Virus & Spyware

Popups appearing

Was this post helpful?