Spyware and popups

Dell DIMENSION
November 19, 2009 at 15:49:32
Specs: Windows XP, 252
Hello, I was having spyware pop-ups. I ran Lavasoft Ad-Aware; it found nothing. Spybot found a few things, a few files; all the others I've used found a few things in the restore. I've used SUPERAntiSpyware, Webroot Spy Sweeper, Malwarebytes' Anti-Malware, Trend Micro antivirus. And still I hear a clicking noise that Internet Explorer uses to navigate, even though I'm using Firefox and Internet Explorer is not even open (the clicking noises happen every few minutes or so). Also I'm hearing audio like an advertisement, but nothing pops up. Does anyone know what program will cure this? I've tried a lot and nothing so far.

HELP....Thanks




#1
November 19, 2009 at 19:09:11
Please save this file to your desktop.

Win32kDiag.exe

Please double click on the Win32kDiag file and post the log it produces. This log might be quite lengthy and may take more than one post to get all of it posted.

Please run RSIT.exe by random/random and post its logs.

Download random's system information tool (RSIT) by random/random from the following link and save it to your desktop.

RSIT.exe

1. Double click on RSIT.exe to launch program.
2. (Vista users only) Right click on the RSIT.exe icon and select "Run as Administrator" to run the program.
3. Click Continue at the disclaimer screen.
4. Your firewall may alert you that RSIT is requesting Internet access. Please allow it.
5. Once it has finished, two logs will open: log.txt <-- this will be maximized, and info.txt <-- this will be minimized. Both logs will be located at C:\RSIT.exe.

Please post the contents of both logs (in separate posts) in your next reply.



#2
November 20, 2009 at 16:06:43
Win32kDiag.exe says it could not get any backup privileges.

Logfile of random's system information tool 1.06 (written by random/random)
Run by Adam at 2009-11-20 19:05:38
Microsoft Windows XP Professional Service Pack 2
System drive C: has 46 GB (61%) free of 76 GB
Total RAM: 255 MB (37% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:06:08 PM, on 11/20/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Documents and Settings\Adam\Desktop\Win32kDiag.exe
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\Adam\Desktop\RSIT.exe
C:\Program Files\trend micro\Adam.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\ADAM\Application Data\Mozilla\Profiles\default\yeyzn3ei.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\ADAM\Application Data\Mozilla\Profiles\default\yeyzn3ei.slt\prefs.js)
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 1491 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Ad-Aware Update (Daily 1).job
C:\WINDOWS\tasks\Ad-Aware Update (Daily 2).job
C:\WINDOWS\tasks\Ad-Aware Update (Daily 3).job
C:\WINDOWS\tasks\Ad-Aware Update (Daily 4).job

======Registry dump======

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe /runcleanupscript []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UfSeAgnt.exe]
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
C:\PROGRA~1\INTERV~1\Common\Bin\WINCIN~1.EXE [2006-02-14 278528]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\InterVideo\DVD7\WinDVD.exe"="C:\Program Files\InterVideo\DVD7\WinDVD.exe:*:Enabled:WinDVD"
"C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe"="C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX"
"C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe"="C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe"="C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX"
"C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe"="C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"

======List of files/folders created in the last 1 months======

2009-11-20 19:05:44 ----D---- C:\Program Files\trend micro
2009-11-20 19:05:38 ----D---- C:\rsit
2009-11-19 09:18:06 ----D---- C:\Program Files\Webroot
2009-11-19 08:22:34 ----D---- C:\Documents and Settings\Adam\Application Data\Malwarebytes
2009-11-19 08:22:24 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-11-18 07:08:10 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-11-18 07:08:10 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-18 05:48:35 ----D---- C:\Program Files\iZotope
2009-11-18 05:48:35 ----D---- C:\Program Files\Common Files\Digidesign
2009-11-18 05:45:20 ----D---- C:\Documents and Settings\Adam\Application Data\NetMedia Providers
2009-11-18 05:45:19 ----D---- C:\Documents and Settings\Adam\Application Data\Publish Providers
2009-11-18 04:37:18 ----N---- C:\WINDOWS\system32\spmsg.dll
2009-11-11 05:28:30 ----D---- C:\audio
2009-11-10 04:39:01 ----D---- C:\Program Files\Vstplugins
2009-11-10 03:44:56 ----D---- C:\Config.Msi
2009-11-10 03:41:21 ----HDC---- C:\WINDOWS\$NtUninstallKB926239$
2009-11-10 03:39:52 ----HDC---- C:\WINDOWS\$NtUninstallWMFDist11$
2009-11-10 03:38:51 ----HDC---- C:\WINDOWS\$NtUninstallWudf01000$
2009-11-05 03:39:38 ----D---- C:\Documents and Settings\Adam\Application Data\Ableton
2009-11-05 03:38:57 ----D---- C:\Program Files\Ableton
2009-11-01 14:01:55 ----A---- C:\WINDOWS\system32\PerfStringBackup.TMP
2009-10-27 21:44:37 ----D---- C:\Program Files\Microsoft Silverlight
2009-10-27 21:43:39 ----A---- C:\WINDOWS\system32\d3dx9_32.dll
2009-10-27 21:43:17 ----D---- C:\Program Files\Microsoft SQL Server Compact Edition
2009-10-27 21:42:00 ----HDC---- C:\WINDOWS\$NtUninstallKB954708$
2009-10-27 21:40:50 ----HDC---- C:\WINDOWS\$NtUninstallWIC$
2009-10-27 21:39:19 ----D---- C:\Program Files\Microsoft
2009-10-27 21:38:55 ----D---- C:\Program Files\Windows Live SkyDrive
2009-10-27 21:38:17 ----D---- C:\Program Files\Windows Live
2009-10-27 21:26:39 ----D---- C:\Program Files\Common Files\Windows Live
2009-10-27 21:18:03 ----HDC---- C:\WINDOWS\$NtUninstallKB942288-v3$

======List of files/folders modified in the last 1 months======

2009-11-20 19:05:44 ----RD---- C:\Program Files
2009-11-20 18:54:21 ----D---- C:\WINDOWS\Temp
2009-11-20 18:49:44 ----D---- C:\Program Files\Mozilla Firefox
2009-11-19 20:40:06 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-11-19 20:14:05 ----SHD---- C:\WINDOWS\Installer
2009-11-19 20:05:34 ----D---- C:\WINDOWS\system32\drivers
2009-11-19 20:04:00 ----D---- C:\WINDOWS
2009-11-19 20:03:47 ----D---- C:\WINDOWS\system32
2009-11-19 19:57:00 ----D---- C:\WINDOWS\Prefetch
2009-11-19 09:37:29 ----D---- C:\WINDOWS\system32\CatRoot2
2009-11-19 09:18:19 ----HD---- C:\WINDOWS\inf
2009-11-19 09:15:03 ----D---- C:\Documents and Settings
2009-11-19 09:02:03 ----SHD---- C:\System Volume Information
2009-11-19 09:02:03 ----D---- C:\WINDOWS\system32\Restore
2009-11-19 08:15:40 ----A---- C:\WINDOWS\NeroDigital.ini
2009-11-19 06:33:50 ----D---- C:\Converted Wave Files
2009-11-18 09:13:58 ----SH---- C:\boot.ini
2009-11-18 09:13:58 ----A---- C:\WINDOWS\win.ini
2009-11-18 09:13:58 ----A---- C:\WINDOWS\system.ini
2009-11-18 08:38:27 ----D---- C:\Program Files\GetFLV
2009-11-18 05:48:35 ----D---- C:\Program Files\Common Files
2009-11-18 04:40:55 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-11-18 04:40:55 ----D---- C:\WINDOWS\AppPatch
2009-11-18 04:37:01 ----A---- C:\WINDOWS\imsins.BAK
2009-11-18 04:36:28 ----D---- C:\Program Files\Windows Media Player
2009-11-18 04:35:46 ----D---- C:\WINDOWS\system32\LogFiles
2009-11-18 04:35:21 ----D---- C:\WINDOWS\system32\CatRoot
2009-11-18 04:34:31 ----D---- C:\WINDOWS\WinSxS
2009-11-18 04:26:12 ----D---- C:\WINDOWS\system32\config
2009-11-18 04:25:52 ----D---- C:\WINDOWS\system32\wbem
2009-11-18 04:25:52 ----D---- C:\WINDOWS\Registration
2009-11-18 04:24:48 ----D---- C:\Program Files\Replay Media Catcher
2009-11-18 04:23:44 ----D---- C:\Program Files\K-Lite Codec Pack
2009-11-18 04:23:42 ----D---- C:\Program Files\ffdshow
2009-11-17 03:52:33 ----D---- C:\Program Files\BitComet
2009-11-17 03:39:04 ----D---- C:\Downloads
2009-11-12 01:39:32 ----D---- C:\Pictures Of 8 Track Recorders
2009-11-11 23:36:47 ----SD---- C:\WINDOWS\Tasks
2009-11-10 03:38:14 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-10-28 17:59:17 ----RSD---- C:\WINDOWS\assembly
2009-10-28 17:59:17 ----D---- C:\WINDOWS\Microsoft.NET
2009-10-27 21:43:41 ----D---- C:\WINDOWS\system32\DirectX
2009-10-27 21:10:23 ----SD---- C:\Documents and Settings\Adam\Application Data\Microsoft
2009-10-27 21:10:02 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Asapi;Asapi; C:\WINDOWS\system32\drivers\Asapi.sys [2002-04-17 11264]
R1 Cdr4_xp;Cdr4_xp; C:\WINDOWS\system32\drivers\Cdr4_xp.sys [2009-02-12 62288]
R1 Cdralw2k;Cdralw2k; C:\WINDOWS\system32\drivers\Cdralw2k.sys [2009-02-12 23436]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-03 36096]
R2 CX23880;Video Advantage PCI; C:\WINDOWS\system32\drivers\cx88vid.sys [2004-05-17 185216]
R2 CX88XBAR;Video Advantage PCI Crossbar; C:\WINDOWS\system32\drivers\CX88XBAR.sys [2004-05-17 9216]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-08-03 11868]
R3 allegro;ESS Allegro Audio Driver (WDM); C:\WINDOWS\system32\drivers\es198x.sys [2001-08-17 174464]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-03 60800]
R3 hcwPP2;Hauppauge WinTV PVR PCI II ([23|25|26]xxx); C:\WINDOWS\system32\DRIVERS\hcwPP2.sys [2005-10-28 159232]
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver; C:\WINDOWS\system32\drivers\msmpu401.sys [2001-08-17 2944]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-03 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2003-12-05 10368]
R3 SWLD23U;Netopia 802.11b WLAN USB Adapter; C:\WINDOWS\system32\DRIVERS\SWLD23U.sys [2003-12-17 82888]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-03 20480]
S1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
S1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-03 17024]
S3 es1371;Creative AudioPCI (ES1371,ES1373) (WDM); C:\WINDOWS\system32\drivers\es1371mp.sys [2001-08-17 40704]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSFDPSP2.sys [2004-08-03 1041536]
S3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFBS2S2.sys [2004-08-03 220032]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-03 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-03 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-03 10880]
S3 nm;Network Monitor Driver; C:\WINDOWS\system32\DRIVERS\NMnt.sys [2004-08-03 40320]
S3 NPF;NetGroup Packet Filter Driver; C:\WINDOWS\system32\drivers\npf.sys [2007-11-06 34064]
S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-03 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-03 15360]
S3 swlubtl;WLAN USB Boot Device; C:\WINDOWS\System32\Drivers\swlubtl.sys [2003-05-02 53690]
S3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSFCXTS2.sys [2004-08-03 685056]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-03 19328]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2004-08-03 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 WMDM PMSP Service;WMDM PMSP Service; C:\WINDOWS\system32\MsPMSPSv.exe [2001-05-01 53248]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 rpcapd;Remote Packet Capture Protocol v.0 (experimental); C:\Program Files\WinPcap\rpcapd.exe [2007-11-06 92792]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-03 14336]

-----------------EOF-----------------



#3
November 20, 2009 at 16:18:49
info.txt logfile of random's system information tool 1.06 2009-11-20 19:06:12

======Uninstall list======

-->"C:\Program Files\InstallShield Installation Information\{F37167DD-4436-4641-90B6-329D60632DDA}\Setup.exe" REMOVEALL --u:{F37167DD-4436-4641-90B6-329D60632DDA}
-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 5.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop 7.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Ares Ultra 3.5.0-->"C:\Program Files\Ares Ultra\unins000.exe"
ASAPI Update-->C:\WINDOWS\system32\IWUNIN~1.EXE -uninstall C:\WINDOWS\ISUNINST.EXE -fC:\PROGRA~1\VOB\ASAPIU~1\ASAPI.isu
Audio Record Wizard v3.98-->"C:\Program Files\ARWizard3\unins000.exe"
BearShare-->C:\PROGRA~1\BEARSH~1\UNWISE.EXE C:\PROGRA~1\BEARSH~1\INSTALL.LOG
BellSouth Wireless LAN USB Adapter-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D7FB76C8-3A76-49A1-B1A4-C686E4B067B9}\setup.exe" -l0x9
BitComet 1.09-->C:\Program Files\BitComet\uninst.exe
Conexant Video Capture Driver-->C:\WINDOWS\DrvSetup.exe /u
DelinvFile - 4.02-->"C:\Program Files\PurgeIE\unins000.exe"
DivX-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
Easy CD Creator 5 Platinum-->MsiExec.exe /I{8851E12C-0EF9-11D4-A788-009027ABA5D0}
ffdshow [rev 1972] [2008-05-24]-->"C:\Program Files\ffdshow\unins000.exe"
Filetopia Client v3.04d-->C:\PROGRA~1\FILETO~1\UNWISE.EXE C:\PROGRA~1\FILETO~1\INSTALL.LOG
FLV Player 2.0 (build 25)-->C:\Program Files\FLV Player\uninst.exe
FriendBlasterPro-->"C:\Program Files\FriendBlasterPro\unins000.exe"
Hauppauge English Help Files and Resources-->C:\PROGRA~1\WinTV\UNHLPeng.EXE C:\PROGRA~1\WinTV\WTV2Keng.LOG
Hauppauge WinTV Scheduler-->C:\PROGRA~1\WinTV\SCHEDU~1\UniSched.EXE C:\PROGRA~1\WinTV\SCHEDU~1\INSTALL.LOG
Hauppauge WinTV2000-->C:\PROGRA~1\WinTV\UNTV32.EXE C:\PROGRA~1\WinTV\WINTV2K.LOG
Hauppauge WinTV-PVR 150 Drivers-->C:\PROGRA~1\WinTV\UNpvr48.EXE C:\PROGRA~1\WinTV\pvr26xxx.LOG
HijackThis 2.0.2-->"C:\Documents and Settings\Adam\Desktop\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB926239)-->"C:\WINDOWS\$NtUninstallKB926239$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB942288-v3)-->"C:\WINDOWS\$NtUninstallKB942288-v3$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB954708)-->"C:\WINDOWS\$NtUninstallKB954708$\spuninst\spuninst.exe"
InterActual Player-->C:\Program Files\InterActual\InterActual Player\inuninst.exe
InterVideo FilterSDK for Hauppauge-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2227E1FA-01F5-483C-AB0E-2A308E900B3D}\setup.exe" REMOVEALL
InterVideo WinDVD 7-->"C:\Program Files\InstallShield Installation Information\{90885A82-9673-49EA-AB39-AF776639C67C}\setup.exe" REMOVEALL
iZotope iDrum Factory Content-->"C:\Documents and Settings\Adam\My Documents\iZotope iDrum Content\unins000.exe"
iZotope iDrum-->"C:\Program Files\iZotope\iDrum\unins000.exe"
Java 2 Runtime Environment, SE v1.4.1_02-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFCE5837-FC21-11D6-9D24-00010240CE95}\setup.exe" Anytext
Java Web Start-->"C:\Program Files\Java Web Start\uninst-javaws.exe"
Junk Mail filter update-->MsiExec.exe /I{E2DFE069-083E-4631-9B6C-43C48E991DE5}
K-Lite Codec Pack 2.50 Full-->"C:\Program Files\K-Lite Codec Pack\unins000.exe"
Magic ISO Maker v5.3 (build 0213)-->C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG
MAGIX Audio Cleaning Lab 11 e-version 7.0.3.0 (US)-->C:\Program Files\MAGIX\ACL11_e-version\instslct.exe
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Choice Guard-->MsiExec.exe /X{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}
Microsoft Expression Web MUI (English)-->MsiExec.exe /X{90120000-0026-0409-0000-0000000FF1CE}
Microsoft Expression Web-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall WEBDESIGNER /dll ESETUP.DLL
Microsoft Expression Web-->MsiExec.exe /X{90120000-0026-0000-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office XP Professional with FrontPage-->MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server 2005 Compact Edition [ENU]-->MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (3.0.6)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mp3 To Wave Converter 1.19-->C:\PROGRA~1\MP3TOW~1\UNWISE.EXE C:\PROGRA~1\MP3TOW~1\INSTALL.LOG
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
nanoPEG-Editor 2.3 Hauppauge Edition-->"C:\Program Files\nanocosmos\MPEG-Tools for Hauppauge\Editor2\unins000.exe"
Nero 6 Ultra Edition-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Netscape (7.2)-->C:\WINDOWS\NSUninst.exe /ua "7.2 (en)"
Online Manuals for WinTV (English)-->C:\PROGRA~1\WinTV\UNTVmans.exe C:\PROGRA~1\WinTV\WinTVMan.LOG
PlayFLV-->"C:\Program Files\FLVCodec\uninstall.exe"
PowerDirector-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}\setup.exe" -uninstall
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -l0x9 -cluninstall
PowerProducer Express-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\setup.exe" -uninstall
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Replay Media Catcher 3.01-->"C:\WINDOWS\Replay Media Catcher\uninstall.exe" "/U:C:\Program Files\Replay Media Catcher\Uninstall\uninstall.xml"
Segoe UI-->MsiExec.exe /I{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}
SnagIt 8-->MsiExec.exe /I{DA0BF7AB-88EB-4675-8FA1-531EAD938821}
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Steinberg WaveLab 5.00a-->C:\PROGRA~1\STEINB~1\WAVELA~1.00A\WaveLab\UNWISE.EXE C:\PROGRA~1\STEINB~1\WAVELA~1.00A\WaveLab\INSTALL.LOG
Thrustmaster Force Feedback Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8F5A0981-5CDC-41D0-BCA2-AD3B777FC358}\setup.exe" -l0x9
VideoAdvantage-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F619B62-0F6D-4747-B778-D7E965994041}\Setup.exe" -l0x9 -removeonly
WaveLab v3.03a-->C:\PROGRA~1\STEINB~1\WAVELA~1.0\UNWISE.EXE C:\PROGRA~1\STEINB~1\WAVELA~1.0\INSTALL.LOG
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live Call-->MsiExec.exe /I{F6BD194C-4190-4D73-B1B1-C48C99921BFE}
Windows Live Communications Platform-->MsiExec.exe /I{3B4E636E-9D65-4D67-BA61-189800823F52}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}
Windows Live Mail-->MsiExec.exe /I{6412CECE-8172-4BE5-935B-6CECACD2CA87}
Windows Live Messenger-->MsiExec.exe /X{A85FD55B-891B-4314-97A5-EA96C0BD80B5}
Windows Live Photo Gallery-->MsiExec.exe /X{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}
Windows Live Sign-in Assistant-->MsiExec.exe /I{45338B07-A236-4270-9A77-EBB4115517B5}
Windows Live Sync-->MsiExec.exe /X{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}
Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
Windows Live Writer-->MsiExec.exe /X{178832DE-9DE0-4C87-9F82-9315A9B03985}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinPcap 4.0.2-->C:\Program Files\WinPcap\uninstall.exe
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
Xara Webstyle 4-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B1656A3E-2744-48B2-95EA-52C4A316551B}\Setup.exe" -l0x9

======Hosts File======

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

======System event log======

Computer Name: ADAM-961611626D
Event Code: 8021
Message: The browser was unable to retrieve a list of servers from the browser master \\ELIZABET-FBA065 on the network \Device\NetBT_Tcpip_{E8F69A2E-3569-467B-9A51-95E84B01621B}.
The data is the error code.

Record Number: 6528
Source Name: BROWSER
Time Written: 20090917223040.000000-240
Event Type: warning
User:

Computer Name: ADAM-961611626D
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 000278EAF177. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 6475
Source Name: Dhcp
Time Written: 20090916074005.000000-240
Event Type: warning
User:

Computer Name: ADAM-961611626D
Event Code: 1001
Message: Your computer was not assigned an address from the network (by the DHCP
Server) for the Network Card with network address 000278EAF177. The following error
occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 6274
Source Name: Dhcp
Time Written: 20090910203615.000000-240
Event Type: error
User:

Computer Name: ADAM-961611626D
Event Code: 1001
Message: Your computer was not assigned an address from the network (by the DHCP
Server) for the Network Card with network address 000278EAF177. The following error
occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 6171
Source Name: Dhcp
Time Written: 20090907193959.000000-240
Event Type: error
User:

Computer Name: ADAM-961611626D
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 6114
Source Name: Tcpip
Time Written: 20090905181338.000000-240
Event Type: warning
User:

=====Application event log=====

Computer Name: ADAM-961611626D
Event Code: 1041
Message: Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D} and it will not be loaded. This is most likely caused by a faulty registration.

Record Number: 3091
Source Name: Userenv
Time Written: 20090925195014.000000-240
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: ADAM-961611626D
Event Code: 1041
Message: Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE} and it will not be loaded. This is most likely caused by a faulty registration.

Record Number: 3090
Source Name: Userenv
Time Written: 20090925195014.000000-240
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: ADAM-961611626D
Event Code: 1041
Message: Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D} and it will not be loaded. This is most likely caused by a faulty registration.

Record Number: 3089
Source Name: Userenv
Time Written: 20090925193711.000000-240
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: ADAM-961611626D
Event Code: 1041
Message: Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE} and it will not be loaded. This is most likely caused by a faulty registration.

Record Number: 3088
Source Name: Userenv
Time Written: 20090925193711.000000-240
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: ADAM-961611626D
Event Code: 1041
Message: Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D} and it will not be loaded. This is most likely caused by a faulty registration.

Record Number: 3087
Source Name: Userenv
Time Written: 20090925180711.000000-240
Event Type: error
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Common Files\Adaptec Shared\System;C:\Program Files\Common Files\iZotope\Runtimes
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 4, GenuineIntel
"PROCESSOR_REVISION"=0204
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------

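A triage helper for logs like the ones posted in replies #2 and #3, added here as an example; it is not part of RSIT, HijackThis or any reply in this thread. It assumes the text layout shown above (the "Running processes:" block, the registry-dump key lines, the firewall authorizedapplications lists) and runs over a constructed excerpt modelled on the posted log. It flags processes running outside the Windows and Program Files trees (here the analyst's own Win32kDiag.exe and RSIT.exe on the Desktop, which is expected and illustrates why every such hit needs explaining), lists the programs allowed through the XP firewall, and decodes "NoDriveTypeAutoRun"=145 (the XP default, 0x91: AutoRun disabled only on network and unknown drives, so CDs and removable media still AutoRun). The bit meanings are the documented ones from Microsoft KB967715.

```python
"""Triage helper for an RSIT/HijackThis-style log.

Added example for this thread; not part of RSIT, HijackThis or any reply here.
SAMPLE_LOG is a constructed excerpt modelled on the log posted in reply #2.
"""
import re

# Roots from which autostarted programs are normally expected on XP; a process running
# from Desktop, Temp or Application Data is not necessarily bad, but it should be explained.
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")

# Bit meanings of Policies\Explorer\NoDriveTypeAutoRun (Microsoft KB967715).
AUTORUN_BITS = {
    0x01: "unknown", 0x04: "removable", 0x08: "fixed", 0x10: "network",
    0x20: "cdrom", 0x40: "ramdisk",
    0x80: "unknown",  # 0x80 and 0x01 both refer to drives of unknown type
}
ALL_DRIVE_TYPES = frozenset(AUTORUN_BITS.values())

SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Adam\Desktop\Win32kDiag.exe
C:\Documents and Settings\Adam\Desktop\RSIT.exe

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]
"""

def _norm(path):
    """Lower-case a path and expand %windir% / %SystemRoot% so comparisons are uniform."""
    p = path.strip().strip('"').lower()
    return p.replace("%windir%", "c:\\windows").replace("%systemroot%", "c:\\windows")

def parse_running_processes(text):
    """Return the paths listed under 'Running processes:' up to the next blank line."""
    procs, collecting = [], False
    for line in text.splitlines():
        if line.strip() == "Running processes:":
            collecting = True
        elif collecting:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs

def processes_outside_expected_roots(procs):
    """Running programs whose path is outside the Windows and Program Files trees."""
    return [p for p in procs if not _norm(p).startswith(EXPECTED_ROOTS)]

FW_KEY = re.compile(r"\[HKEY_LOCAL_MACHINE\\.*firewallpolicy\\(\w+)\\authorizedapplications\\list\]", re.I)

def parse_firewall_exceptions(text):
    """Programs allowed through the XP firewall, keyed by profile (standardprofile/domainprofile)."""
    out, profile = {}, None
    for line in text.splitlines():
        m = FW_KEY.match(line)
        if m:
            profile = m.group(1).lower()
            out[profile] = []
        elif line.startswith("["):          # any other registry key ends the list
            profile = None
        elif profile is not None:
            kv = re.match(r'"([^"]+)"="([^"]*)"', line)
            if kv:
                out[profile].append(_norm(kv.group(1)))
    return out

def parse_no_drive_type_autorun(text):
    """The decimal NoDriveTypeAutoRun value as RSIT prints it, or None if absent."""
    m = re.search(r'"NoDriveTypeAutoRun"=(\d+)', text)
    return int(m.group(1)) if m else None

def autorun_disabled_on(value):
    """Drive types on which AutoRun is disabled by this value."""
    return {name for bit, name in AUTORUN_BITS.items() if value & bit}

def autorun_still_enabled(value):
    """Drive types that will still AutoRun; 0xFF (255) leaves nothing enabled."""
    return ALL_DRIVE_TYPES - autorun_disabled_on(value)

def triage(text):
    """Run all checks over one log and return the findings as a dict."""
    value = parse_no_drive_type_autorun(text)
    return {
        "outside_expected_roots": processes_outside_expected_roots(parse_running_processes(text)),
        "firewall_exceptions": parse_firewall_exceptions(text),
        "autorun_value": value,
        "autorun_still_enabled": sorted(autorun_still_enabled(value)) if value is not None else None,
    }
```

Running `triage(SAMPLE_LOG)` reports the two Desktop executables, the two firewall exceptions in the standard profile, and that at value 145 AutoRun remains enabled for cdrom, fixed, ramdisk and removable drives. Paste the full log text in place of SAMPLE_LOG to run it over a real RSIT output; the same regexes apply to the domainprofile list.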


#4
November 20, 2009 at 18:49:44
I don't see any files that jump out as baddies, but your system appears to be unprotected. I see Webroot, but it doesn't look like it's running, and even if it was, it is not enough protection.

Before running ComboFix: if you have an antivirus or anti-spyware program running such as Spybot or Spy Sweeper, and only run it once.

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Rename the setup file, combofix.exe, before you download it. To do that, once the "Enter name of file to save to" box appears as the download begins, rename combofix.exe to Combo-Fix in the filename box and click Save.
Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
Install the recovery console when asked.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt" .
Note: Do not mouseclick combo-fix's window while it's running. That may cause it to hang.


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.



#5
November 20, 2009 at 19:00:14
Also after seeing your second log.. go to add/remove programs and uninstall these:

Bearshare (known to harbor spyware)

Your java is out of date and may have been exploited.
Download the latest version of java from this link Java
Click on the JRE 6 Update 17 download button.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed
Then from your desktop double-click on jre-6u17-windows-i586-p.exe to install the newest version.



#6
November 21, 2009 at 18:19:49
I've always had BearShare on the computer. I don't even use it anymore, and also Spybot has detected it as spyware, but BearShare never gave any problems... Also the popups are still popping up; just as I went to this site one popped up. I'm using Firefox as the default browser, and whatever I have must use IE explorer because of the clicks (nothing pops up when hearing the clicking noise)... I'll download ComboFix when I have time, I gotta go out to work. I'll get back to you tomorrow or later tonight to see if any results.. thanks for your responses


#7
November 22, 2009 at 05:30:32
Here's the report I got after using ComboFix... Also PEV.exe caused an illegal operation twice while ComboFix was going through the stages..

ComboFix 09-11-21.03 - Adam 11/22/2009 8:04.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.255.102 [GMT -5:00]
Running from: c:\documents and settings\Adam\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\DRIVERS\atapi.sys . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-10-22 to 2009-11-22 )))))))))))))))))))))))))))))))
.

2009-11-21 00:05 . 2009-11-21 00:06 -------- d-----w- C:\rsit
2009-11-19 14:18 . 2009-11-19 14:18 -------- d-----w- c:\program files\Webroot
2009-11-19 13:22 . 2009-11-19 13:22 -------- d-----w- c:\documents and settings\Adam\Application Data\Malwarebytes
2009-11-19 13:22 . 2009-11-19 13:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-18 12:08 . 2009-11-19 10:23 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-18 12:08 . 2009-11-19 10:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-18 10:48 . 2009-11-18 10:48 -------- d-----w- c:\program files\iZotope
2009-11-18 10:48 . 2009-11-18 10:48 -------- d-----w- c:\program files\Common Files\Digidesign
2009-11-18 10:45 . 2009-11-18 10:45 -------- d-----w- c:\documents and settings\Adam\Application Data\NetMedia Providers
2009-11-18 10:45 . 2009-11-18 10:45 -------- d-----w- c:\documents and settings\Adam\Application Data\Publish Providers
2009-11-18 09:25 . 2009-11-18 09:25 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-17 10:58 . 2009-11-17 10:58 17 ----a-w- c:\windows\popcinfo.dat
2009-11-11 10:28 . 2009-11-11 10:28 -------- d-----w- C:\audio
2009-11-10 09:40 . 2009-11-18 10:45 -------- d-----w- c:\documents and settings\Adam\Local Settings\Application Data\Sony
2009-11-10 09:39 . 2009-11-19 10:31 -------- d-----w- c:\program files\Vstplugins
2009-11-10 08:39 . 2009-11-18 09:36 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-11-05 08:39 . 2009-11-05 08:39 -------- d-----w- c:\documents and settings\Adam\Application Data\Ableton
2009-11-05 08:38 . 2009-11-05 08:38 -------- d-----w- c:\program files\Ableton
2009-10-28 02:45 . 2009-11-20 23:51 -------- d-----w- c:\documents and settings\Adam\Tracing
2009-10-28 02:44 . 2009-10-28 02:44 -------- d-----w- c:\program files\Microsoft Silverlight
2009-10-28 02:43 . 2006-11-29 17:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2009-10-28 02:43 . 2009-10-28 02:43 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-10-28 02:39 . 2009-10-28 02:39 -------- d-----w- c:\program files\Microsoft
2009-10-28 02:38 . 2009-10-28 02:38 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-10-28 02:38 . 2009-10-28 02:44 -------- d-----w- c:\program files\Windows Live
2009-10-28 02:26 . 2009-10-28 02:26 -------- d-----w- c:\program files\Common Files\Windows Live

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-18 13:38 . 2009-04-16 07:55 -------- d-----w- c:\program files\GetFLV
2009-11-18 09:24 . 2009-02-20 02:58 -------- d-----w- c:\program files\Replay Media Catcher
2009-11-18 09:23 . 2009-02-12 10:23 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-11-18 09:23 . 2009-04-11 20:22 -------- d-----w- c:\program files\ffdshow
2009-11-17 08:52 . 2009-02-20 16:28 -------- d-----w- c:\program files\BitComet
2009-11-01 19:01 . 2009-11-01 19:01 3218 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-10-03 21:17 . 2009-02-12 09:41 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
2009-10-03 21:17 . 2009-02-12 09:41 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
2009-10-03 21:17 . 2009-02-12 09:39 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL
.

------- Sigcheck -------

[-] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\atapi.sys
[-] 2004-08-04 01:07 . 9139778E392D461A4EFF2B2FB6FC8AE6 . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27338:TCP"= 27338:TCP:BitComet 27338 TCP
"27338:UDP"= 27338:UDP:BitComet 27338 UDP

R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [2/12/2009 4:53 AM 11264]
R2 CX88XBAR;Video Advantage PCI Crossbar;c:\windows\system32\drivers\cx88xbar.sys [2/12/2009 5:36 AM 9216]
R3 SWLD23U;Netopia 802.11b WLAN USB Adapter;c:\windows\system32\drivers\swld23u.sys [2/12/2009 4:22 AM 82888]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 3:22 PM 34064]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS --> c:\program files\SUPERAntiSpyware\SASENUM.SYS [?]
S3 swlubtl;WLAN USB Boot Device;c:\windows\system32\drivers\swlubtl.sys [2/12/2009 4:22 AM 53690]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Adam\Application Data\Mozilla\Firefox\Profiles\wd8elgx6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Java\j2re1.4.1_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.1_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.1_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.1_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.1_02\bin\NPJPI141_02.dll
FF - plugin: c:\program files\Java\j2re1.4.1_02\bin\NPOJI610.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
AddRemove-Ares Ultra_is1 - c:\program files\Ares Ultra\unins000.exe
AddRemove-BearShare - c:\progra~1\BEARSH~1\UNWISE.EXE
AddRemove-HijackThis - c:\documents and settings\Adam\Desktop\HijackThis.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-22 08:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x81B3550C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf9a96fc3
\Driver\ACPI -> ACPI.sys @ 0xf99e9cb8
\Driver\atapi -> atapi.sys @ 0xf997b7b4
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a1afe
ParseProcedure -> ntoskrnl.exe @ 0x80570a6e
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a1afe
ParseProcedure -> ntoskrnl.exe @ 0x80570a6e
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************
.
Completion time: 2009-11-22 08:28
ComboFix-quarantined-files.txt 2009-11-22 13:27

Pre-Run: 48,387,948,544 bytes free
Post-Run: 48,420,294,656 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 841E46077896A877FB240F4D26250303


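What the log above actually establishes is worth spelling out. ComboFix's own verdict is the line "c:\windows\system32\DRIVERS\atapi.sys . . . is infected!!", and the Sigcheck section gives the evidence: two copies of atapi.sys, one in the Windows Update download cache with a proper version resource ([5.1.2600.5512]) and MD5 9F3A2F5AA6875C72BF062C712CFA2674, and the copy the kernel loads from system32\drivers with no version resource at all ([------]) and a different MD5. Note that the loaded copy kept the original 2004-08-04 date and 95360-byte size of the SP2 file, so timestamps and size alone would not have caught it; the missing version block and the hash are the tells. The GMER section reports "user & kernel MBR OK", so the MBR itself was not the problem. The following script is an added example, not part of the original post and not ComboFix code: it parses exactly those log lines (reproduced verbatim as the sample input; the function names, the list of reference directories and the verdict wording are my own) and reports why the in-use copy is suspect and which copy is the restore candidate.

```python
"""Triage the Sigcheck section of a ComboFix log for tampered system files."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Sample input: the "is infected" line and the two Sigcheck lines from the
# ComboFix log posted above, copied verbatim (nothing else is constructed).
SAMPLE_LOG = r"""
c:\windows\system32\DRIVERS\atapi.sys . . . is infected!!

------- Sigcheck -------

[-] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\atapi.sys
[-] 2004-08-04 01:07 . 9139778E392D461A4EFF2B2FB6FC8AE6 . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys
"""

# One Sigcheck line: [flag] date . MD5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>.)\]\s+(?P<date>\d{4}-\d{2}-\d{2}(?:\s\d{2}:\d{2})?)\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)
INFECTED_RE = re.compile(r"^(?P<path>\S.*?)\s+\.\s+\.\s+\.\s+is infected!!\s*$")

# Directories where Windows XP keeps pristine copies (assumed list). A copy
# found there is a reference; the copy under system32 is what actually loads.
REFERENCE_DIRS = ("dllcache", "softwaredistribution", "servicepackfiles", "i386")


def parse_sigcheck(log_text):
    """Return (entries, infected): one dict per Sigcheck line, plus the set of
    lower-cased paths ComboFix itself marked as infected."""
    entries, infected = [], set()
    for line in log_text.splitlines():
        m = SIGCHECK_RE.match(line)
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["md5"] = d["md5"].upper()
            # "[------]" means the PE has no VS_VERSIONINFO resource at all.
            d["has_version"] = bool(d["version"].strip("-"))
            entries.append(d)
            continue
        m = INFECTED_RE.match(line)
        if m:
            infected.add(m.group("path").lower())
    return entries, infected


def is_reference_copy(path):
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return any(r in parts for r in REFERENCE_DIRS)


def triage(log_text):
    """Group Sigcheck lines by file name and explain why the in-use copy is suspect."""
    entries, infected = parse_sigcheck(log_text)
    by_name = defaultdict(lambda: {"in_use": None, "references": [],
                                   "verdicts": [], "restore_from": None})
    for e in entries:
        bucket = by_name[PureWindowsPath(e["path"]).name.lower()]
        if is_reference_copy(e["path"]):
            bucket["references"].append(e)
        else:
            bucket["in_use"] = e
    for bucket in by_name.values():
        live = bucket["in_use"]
        if live is None:
            continue
        if live["path"].lower() in infected:
            bucket["verdicts"].append("flagged infected by ComboFix")
        if not live["has_version"]:
            bucket["verdicts"].append("no version resource in loaded copy")
        for ref in bucket["references"]:
            # Only a reference that still carries version info is trustworthy.
            if ref["has_version"] and ref["md5"] != live["md5"]:
                bucket["verdicts"].append(
                    f"MD5 differs from {ref['path']} (version {ref['version']})")
                bucket["restore_from"] = ref["path"]
    return dict(by_name)


if __name__ == "__main__":
    for name, info in triage(SAMPLE_LOG).items():
        print(name, "->", "; ".join(info["verdicts"]) or "no finding")
        print("   restore from:", info["restore_from"])
```

Run against the pasted log it reports all three findings for atapi.sys and names the SoftwareDistribution copy as the restore candidate, which is exactly the Fcopy the helper issues in the next post.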

#8
November 22, 2009 at 08:05:06
PEV.exe is part of Combofix.

Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Fcopy::
c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\atapi.sys | c:\windows\system32\drivers\atapi.sys

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop) if combofix does not auto start click "run".

Post a new Combofix log following the previous directions.


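The Fcopy:: directive above tells ComboFix to copy the Windows Update cache copy over the loaded driver; it does not itself check that the source is the file the Sigcheck section hashed. Two caveats a practitioner would want before doing this by hand: the loaded driver is in use, so on a live system the swap completes at reboot (the next log shows c:\windows\LastGood\system32\drivers\atapi.sys appearing at exactly that point), and the reference here carries version 5.1.2600.5512, which is the Service Pack 3 build, while the log header reports an SP2 system (5.1.2600.2), so check that a replacement comes from the matching service pack when you have a choice of references. The script below is an added example, not ComboFix's code and not from the original post. It shows the verify-then-replace discipline that Fcopy omits: refuse unless the source hashes to the MD5 taken from the log, keep the suspect copy for later analysis, and verify what was written. The demo() function runs it on constructed stand-in files in a temporary directory (no real drivers are touched); the function names are my own.

```python
"""Replace a tampered file from a hash-verified reference copy, keeping a backup."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def md5_of(path):
    """Hex MD5 (upper case, as ComboFix prints it) of a file, read in chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def verified_replace(src, dst, expected_src_md5, backup_dir):
    """Copy src over dst only after proving src is the file the log hashed.

    Returns {'before': MD5 of the old dst or None, 'after': MD5 of the new dst,
    'backup': Path of the saved old copy or None}. Raises ValueError when the
    reference does not hash as expected (nothing is written) and RuntimeError
    when the written file does not hash as the source (something rewrote it).
    """
    src, dst, backup_dir = Path(src), Path(dst), Path(backup_dir)
    actual = md5_of(src)
    if actual != expected_src_md5.upper():
        raise ValueError(f"refusing to copy {src}: MD5 {actual} != {expected_src_md5.upper()}")
    before, backup = None, None
    if dst.exists():
        before = md5_of(dst)
        backup_dir.mkdir(parents=True, exist_ok=True)
        backup = backup_dir / (dst.name + ".bak")
        shutil.copy2(dst, backup)  # preserve the suspect copy as a sample
    shutil.copy2(src, dst)
    after = md5_of(dst)
    if after != actual:
        raise RuntimeError(f"{dst} hashes to {after} after copy, expected {actual}")
    return {"before": before, "after": after, "backup": backup}


def demo():
    """Constructed stand-in files (not real drivers) exercising both outcomes."""
    root = Path(tempfile.mkdtemp(prefix="fcopy-demo-"))
    ref = root / "SoftwareDistribution" / "atapi.sys"
    live = root / "drivers" / "atapi.sys"
    ref.parent.mkdir()
    live.parent.mkdir()
    clean = b"MZ clean reference driver body"
    patched = b"MZ clean reference driver bod!"  # same length, one byte changed
    ref.write_bytes(clean)
    live.write_bytes(patched)
    good_md5 = md5_of(ref)

    # Wrong expectation (e.g. a mistyped hash from the log): nothing is copied.
    refused = False
    try:
        verified_replace(ref, live, "0" * 32, root / "backup")
    except ValueError:
        refused = True
    untouched = live.read_bytes() == patched

    result = verified_replace(ref, live, good_md5, root / "backup")
    restored = live.read_bytes() == clean
    backup_kept = result["backup"].read_bytes() == patched
    shutil.rmtree(root)
    return {"refused": refused, "untouched": untouched, "restored": restored,
            "backup_kept": backup_kept,
            "after_matches": result["after"] == good_md5,
            "before_differs": result["before"] != good_md5}


if __name__ == "__main__":
    print(demo())
```

For the case on this page the expected MD5 is the value printed for the SoftwareDistribution copy, 9F3A2F5AA6875C72BF062C712CFA2674; a mismatch there would mean the "clean" reference is not what the log said it was, and the copy should not proceed.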

#9
November 22, 2009 at 17:16:31
ComboFix 09-11-22.04 - Adam 11/22/2009 19:53.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.255.145 [GMT -5:00]
Running from: c:\documents and settings\Adam\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Adam\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\atapi.sys --> c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2009-10-23 to 2009-11-23 )))))))))))))))))))))))))))))))
.

2009-11-23 00:53 . 2009-11-23 00:53 -------- d-----w- c:\windows\LastGood
2009-11-21 00:05 . 2009-11-21 00:06 -------- d-----w- C:\rsit
2009-11-19 14:18 . 2009-11-19 14:18 -------- d-----w- c:\program files\Webroot
2009-11-19 13:22 . 2009-11-19 13:22 -------- d-----w- c:\documents and settings\Adam\Application Data\Malwarebytes
2009-11-19 13:22 . 2009-11-19 13:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-18 12:08 . 2009-11-19 10:23 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-18 12:08 . 2009-11-19 10:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-18 10:48 . 2009-11-18 10:48 -------- d-----w- c:\program files\iZotope
2009-11-18 10:48 . 2009-11-18 10:48 -------- d-----w- c:\program files\Common Files\Digidesign
2009-11-18 10:45 . 2009-11-18 10:45 -------- d-----w- c:\documents and settings\Adam\Application Data\NetMedia Providers
2009-11-18 10:45 . 2009-11-18 10:45 -------- d-----w- c:\documents and settings\Adam\Application Data\Publish Providers
2009-11-18 09:25 . 2009-11-18 09:25 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-17 10:58 . 2009-11-17 10:58 17 ----a-w- c:\windows\popcinfo.dat
2009-11-11 10:28 . 2009-11-11 10:28 -------- d-----w- C:\audio
2009-11-10 09:40 . 2009-11-18 10:45 -------- d-----w- c:\documents and settings\Adam\Local Settings\Application Data\Sony
2009-11-10 09:39 . 2009-11-19 10:31 -------- d-----w- c:\program files\Vstplugins
2009-11-10 08:39 . 2009-11-18 09:36 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-11-05 08:39 . 2009-11-05 08:39 -------- d-----w- c:\documents and settings\Adam\Application Data\Ableton
2009-11-05 08:38 . 2009-11-05 08:38 -------- d-----w- c:\program files\Ableton
2009-10-28 02:45 . 2009-11-20 23:51 -------- d-----w- c:\documents and settings\Adam\Tracing
2009-10-28 02:44 . 2009-10-28 02:44 -------- d-----w- c:\program files\Microsoft Silverlight
2009-10-28 02:43 . 2006-11-29 17:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2009-10-28 02:43 . 2009-10-28 02:43 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-10-28 02:39 . 2009-10-28 02:39 -------- d-----w- c:\program files\Microsoft
2009-10-28 02:38 . 2009-10-28 02:38 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-10-28 02:38 . 2009-10-28 02:44 -------- d-----w- c:\program files\Windows Live
2009-10-28 02:26 . 2009-10-28 02:26 -------- d-----w- c:\program files\Common Files\Windows Live

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-18 13:38 . 2009-04-16 07:55 -------- d-----w- c:\program files\GetFLV
2009-11-18 09:24 . 2009-02-20 02:58 -------- d-----w- c:\program files\Replay Media Catcher
2009-11-18 09:23 . 2009-02-12 10:23 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-11-18 09:23 . 2009-04-11 20:22 -------- d-----w- c:\program files\ffdshow
2009-11-17 08:52 . 2009-02-20 16:28 -------- d-----w- c:\program files\BitComet
2009-11-01 19:01 . 2009-11-01 19:01 3218 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-10-03 21:17 . 2009-02-12 09:41 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
2009-10-03 21:17 . 2009-02-12 09:41 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
2009-10-03 21:17 . 2009-02-12 09:39 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL
.

((((((((((((((((((((((((((((( SnapShot@2009-11-22_13.20.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 01:07 . 2004-08-04 03:59 95360 c:\windows\system32\dllcache\atapi.sys
+ 2009-02-12 09:14 . 2009-11-23 00:41 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-02-12 09:14 . 2009-11-22 13:03 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-12 09:14 . 2009-11-23 00:41 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-02-12 09:14 . 2009-11-22 13:03 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-12 09:14 . 2009-11-23 00:41 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-12 09:14 . 2009-11-22 13:03 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-11-23 00:53 . 2008-04-13 18:40 96512 c:\windows\LastGood\system32\drivers\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27338:TCP"= 27338:TCP:BitComet 27338 TCP
"27338:UDP"= 27338:UDP:BitComet 27338 UDP

R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [2/12/2009 4:53 AM 11264]
R2 CX88XBAR;Video Advantage PCI Crossbar;c:\windows\system32\drivers\cx88xbar.sys [2/12/2009 5:36 AM 9216]
R3 SWLD23U;Netopia 802.11b WLAN USB Adapter;c:\windows\system32\drivers\swld23u.sys [2/12/2009 4:22 AM 82888]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 3:22 PM 34064]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS --> c:\program files\SUPERAntiSpyware\SASENUM.SYS [?]
S3 swlubtl;WLAN USB Boot Device;c:\windows\system32\drivers\swlubtl.sys [2/12/2009 4:22 AM 53690]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2
*Deregistered* - CLASSPNP_2
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Adam\Application Data\Mozilla\Firefox\Profiles\wd8elgx6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Java\j2re1.4.1_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.1_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.1_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.1_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.1_02\bin\NPJPI141_02.dll
FF - plugin: c:\program files\Java\j2re1.4.1_02\bin\NPOJI610.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-22 20:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x81B3550C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf9a96fc3
\Driver\ACPI -> ACPI.sys @ 0xf99e9cb8
\Driver\atapi -> atapi.sys @ 0xf997b7b4
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a1afe
ParseProcedure -> ntoskrnl.exe @ 0x80570a6e
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a1afe
ParseProcedure -> ntoskrnl.exe @ 0x80570a6e
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(724)
c:\windows\system32\msi.dll
.
Completion time: 2009-11-22 20:16
ComboFix-quarantined-files.txt 2009-11-23 01:16
ComboFix2.txt 2009-11-22 13:28

Pre-Run: 48,396,468,224 bytes free
Post-Run: 48,366,710,784 bytes free

- - End Of File - - 12EB2D076A8401018A2E366DA8E9DDBB



#10
November 22, 2009 at 17:58:31
Are you still having pop ups or redirects?


#11
November 23, 2009 at 17:20:12
jabuck, I must say you are good at helping people out, as I read other posts... The popups went away once that file was replaced... Thanks for all your help....


#12
November 23, 2009 at 17:43:46
A little clean-up to do.

Delete win32kdiag and RSIT from your desktop.

Go to start> run> type in ComboFix /Uninstall (note the space after ComboFix) then press enter> run. This will uninstall combofix so give the uninstaller a minute to run.

Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

You should consider adding "SpywareBlaster" to your arsenal of antispyware tools; you can download it from this link Spywareblaster

Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and it re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.

Glad we could help.

