
Hey guys,

I have been using Firefox for a while, but all of a sudden have been getting popups in IE windows. Also my Internet connection has been lagging.

I have done a few virus scans (Ad-Aware, Spybot, and Ewido). However, it seems that I have a trojan.

Here is the Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:11:34 AM, on 1/27/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\EasyOffice 2001\EasySpeller.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\paul dunn\Desktop\Virus_Scans\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [EasySpeller] C:\Program Files\EasyOffice 2001\EasySpeller.exe -n
O4 - HKLM\..\Run: [AttuneClientEngine] C:\PROGRA~1\Aveo\Attune\bin\attune_ce.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: msnetobj - Unknown owner - C:\WINDOWS\System32\msnetobj.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Please help!!!
My machine is running very, very, very slow.


Hi,
Download CCleaner and install it. Do not run it now!


Make Windows to show all files:-
Go to Start > My Computer. Go to Tools menu, click Folder Options. Uncheck Hide protected operating system files. Then, click to select the option Show hidden files and folders. Click Apply and then click OK to exit.


Reboot in Safe Mode:-
Restart (or switch ON) the PC. Then, keep tapping the F8 key. From the menu that will be displayed, choose Safe Mode and press Enter.


Go to Start > Run and type services.msc and press ENTER. Here, navigate to the service named msnetobj and right-click on it. Then click "Properties". Here, in the "Status" dialog box, select "Stop". Then, under "Startup type" dialog box, select "Disabled". Click "Apply" and then "OK".


Uninstall this Software from Add/Remove Programs in Control Panel:-
Aveo Attune (If found)

Run HijackThis and click Do only a System scan.
Then put a check mark in front of the entries listed below:-

O4 - HKLM\..\Run: [AttuneClientEngine] C:\PROGRA~1\Aveo\Attune\bin\attune_ce.exe
O23 - Service: msnetobj - Unknown owner - C:\WINDOWS\System32\msnetobj.exe (file missing)

Close all other open programs except Hijackthis and click the button Fix Checked in HijackThis.


Exit from HijackThis. Delete this file:-
C:\WINDOWS\System32\msnetobj.exe

Delete these folders:-
C:\PROGRAM FILES\Aveo

Run CCleaner, click "Options" button and here go to "Advanced" tab and uncheck the option "Only delete files in Windows Temp folder older than 48 hours". Click OK to exit from the Options. Finally click "Run Cleaner" and click "OK" to continue cleaning.

Run Ewido, click on the "Scanner" button in the left menu, then click on the "Settings", here select the option "Scan every file" and click "OK". Next, click "Complete System Scan" button to start scan. If ewido finds anything, it will pop up a notification. You can select "Clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.


Reboot to Normal Mode. Perform an online virus scan at Kaspersky Online Scanner. Save the log it gives after the scan.

Run HijackThis again, click Do a System scan and save log, and post the fresh log along with the Kaspersky log.
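As an added example (not part of this thread, and not HijackThis's own code), here is a small Python triage script that applies the two rules the reply above used on the posted log: an O23 service with an unknown owner or a missing binary, and an O4 Run entry that is not on the analyst's known-good list. It returns exactly the lines a user would be told to tick before "Fix Checked". The known-good list is a constructed assumption standing in for the startup-entry databases HijackThis analysts normally consult.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: a subset of the HijackThis v1.99.1 entries posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://windowsupdate.microsoft.com/
O4 - HKLM\..\Run: [AttuneClientEngine] C:\PROGRA~1\Aveo\Attune\bin\attune_ce.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: msnetobj - Unknown owner - C:\WINDOWS\System32\msnetobj.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Assumption: a hand-maintained allowlist of Run-key names known to be benign on this machine.
# Real analysts use a startup-entry database; this constructed set stands in for it.
KNOWN_GOOD_RUN = {
    "NvCplDaemon", "nwiz", "C-Media Mixer", "EasySpeller", "SunJavaUpdateSched",
    "iTunesHelper", "QuickTime Task", "MSMSGS", "NvMediaCenter", "ctfmon.exe",
}

# "O23 - <body>", "R0 - <body>", ... : section code, then the entry body.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
# O4 body for a Run key: HKLM\..\Run: [Name] command line
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# O23 body: Service: <display name> - <owner> - <path> [(file missing)]
SERVICE_RE = re.compile(
    r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


@dataclass
class Finding:
    line: str                                   # the original HijackThis line
    reasons: List[str] = field(default_factory=list)


def triage_o4(body: str) -> List[str]:
    """Flag Run-key startup entries that the analyst does not recognise."""
    m = RUN_RE.match(body)
    if not m:                                   # e.g. "Global Startup:" entries are not checked here
        return []
    reasons = []
    if m.group("name") not in KNOWN_GOOD_RUN:
        reasons.append("Run entry %r is not on the known-good list" % m.group("name"))
    if "~" in m.group("cmd"):
        reasons.append("command uses an 8.3 short path; resolve it to see the real folder name")
    return reasons


def triage_o23(body: str) -> List[str]:
    """Flag services with no publisher or whose binary is gone (a leftover or a hidden file)."""
    m = SERVICE_RE.match(body)
    if not m:
        return ["unparsable O23 entry"]
    reasons = []
    if m.group("owner").lower() == "unknown owner":
        reasons.append("service %r has no owner/publisher" % m.group("name"))
    if m.group("missing"):
        reasons.append("service binary %s is missing from disk" % m.group("path"))
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and return only the entries that tripped a rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "O4":
            reasons = triage_o4(body)
        elif section == "O23":
            reasons = triage_o23(body)
        else:
            reasons = []
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


def fix_list(log_text: str) -> List[str]:
    """The lines a helper would tell the user to tick in HijackThis before 'Fix Checked'."""
    return [f.line for f in triage(log_text)]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("    -", reason)
```

Run as-is it prints the same two lines the reply above told the user to check, each with the rule that flagged it.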


Thanx for your help swatkat!

Unfortunately, I am still getting IE popups in my Firefox browser.
Here is my Hijackthis log:

++++++++++++++++++++++++++++++++++++++++


Logfile of HijackThis v1.99.1
Scan saved at 7:20:52 PM, on 1/28/2006
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\paul dunn\Desktop\Virus_Scans\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


++++++++++++++++++++++++++++++++++++++++


And here is the Kaspersky log:


++++++++++++++++++++++++++++++++++++++++


-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, January 28, 2006 19:06:51
Operating System: Microsoft Windows XP Home Edition,  (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 29/01/2006
Kaspersky Anti-Virus database records: 163093
-------------------------------------------------------------------------------


Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true


Scan Target - My Computer:
A:\
C:\
D:\


Scan Statistics:
Total number of scanned objects: 17098
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 1219 sec


Infected Object Name - Virus Name
C:\WINDOWS\system32\ltwicm32.exe    Infected: Trojan.Win32.Crypt.t


Scan process completed.


++++++++++++++++++++++++++++++++++++++++

Please help me!!
My browsing is getting slower, and I am still getting the IE popups.
:(

Edited by happygeek: fixed formatting


Hi,
Download KillBox, extract it to your desktop.

Open Killbox.exe. Check the following box:-

Delete on Reboot

Highlight the entry in the quote box below and then Copy them.

C:\WINDOWS\system32\ltwicm32.exe

Then, paste the copied filename in the "Full path of file to delete" text box in KillBox. Then click the red X button and, for the confirmation message that will appear, click "Yes". A second message will ask "Reboot now?"; click "Yes" to allow the reboot.

Note: Killbox will let you know if a file does not exist.


After the reboot, download WinPFind.ZIP and completely extract it to a folder. Then run WinPFind.exe and click "Start Scan". When the scan completes, click "Copy to Clipboard" button to copy the log it gives and please post it here.


Download Rootkit Revealer (link is at the very bottom of the page)

  • Unzip it to your desktop.
  • Open the rootkitrevealer folder and double-click rootkitrevealer.exe
  • Click the Scan button (bottom right)
  • It may take a while to scan (don't do anything while it's running)
  • When it's done, go up to File > Save. Choose to save it to your desktop.
  • Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here.

** NOTE: Before performing a scan it is recommended to do the following.
1. Physically unplug the cable from the PC to the internet connection.
2. Close down All Scheduling/Updating + Running Background tasks etc.
3. Launch and run the program.
4. While it is scanning DO NOT use your computer at ALL until the scan has been completed.
5. Save your Log File, and then Enable those things you closed down, or Reboot, and ONLY then Reconnect to the Internet.


Please post back both the WinPFind and Rootkit Revealer logs.

0

Hey Swatkat,

Here is the log for winpfind:

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2                 8/18/2001 4:00:00 AM        41397      C:\WINDOWS\SYSTEM32\dfrg.msc
PECompact2           12/7/2005 1:38:52 PM        2714976    C:\WINDOWS\SYSTEM32\MRT.exe
aspack               12/7/2005 1:38:52 PM        2714976    C:\WINDOWS\SYSTEM32\MRT.exe
qoologic             3/28/2005 12:32:34 AM       9659997    C:\WINDOWS\SYSTEM32\pav.sig
aspack               3/28/2005 12:32:34 AM       9659997    C:\WINDOWS\SYSTEM32\pav.sig
SAHAgent             3/28/2005 12:32:34 AM       9659997    C:\WINDOWS\SYSTEM32\pav.sig
winsync              3/28/2005 12:32:34 AM       9659997    C:\WINDOWS\SYSTEM32\pav.sig
Umonitor             2/12/2002 6:14:12 PM        630784     C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync              8/18/2001 4:00:00 AM        1309184    C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
1/29/2006 9:21:08 PM      S 2048       C:\WINDOWS\bootstat.dat
1/29/2006 9:30:46 PM     H  24         C:\WINDOWS\p2c3f
1/28/2006 11:04:40 PM    H  54156      C:\WINDOWS\QTFont.qfn
1/12/2006 6:36:30 PM     H  65         C:\WINDOWS\Downloaded Program Files\desktop.ini
1/12/2006 6:36:28 PM     H  65         C:\WINDOWS\Offline Web Pages\desktop.ini
1/29/2006 9:21:46 PM     H  1024       C:\WINDOWS\system32\config\default.LOG
1/29/2006 9:21:10 PM     H  1024       C:\WINDOWS\system32\config\SAM.LOG
1/29/2006 9:21:36 PM     H  1024       C:\WINDOWS\system32\config\SECURITY.LOG
1/29/2006 9:27:00 PM     H  1024       C:\WINDOWS\system32\config\software.LOG
1/29/2006 9:22:34 PM     H  1024       C:\WINDOWS\system32\config\system.LOG
12/25/2005 4:37:18 AM    H  1024       C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
1/29/2006 9:21:12 PM     H  6          C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation          8/18/2001 4:00:00 AM        66048      C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation          8/18/2001 4:00:00 AM        558592     C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation          8/18/2001 4:00:00 AM        130048     C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation          8/18/2001 4:00:00 AM        150016     C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation          8/29/2002 6:14:40 AM        292352     C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation          8/18/2001 4:00:00 AM        119808     C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation          8/29/2002 3:41:00 AM        208896     C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc.         12/6/2004 9:31:48 PM        49265      C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation          8/18/2001 4:00:00 AM        187904     C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation          8/18/2001 4:00:00 AM        559616     C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation          8/18/2001 4:00:00 AM        35840      C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation          8/18/2001 4:00:00 AM        256000     C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation             7/28/2003 3:19:00 PM        143360     C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation          8/18/2001 4:00:00 AM        36864      C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation          8/18/2001 4:00:00 AM        109056     C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation          8/18/2001 4:00:00 AM        270848     C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation          8/18/2001 4:00:00 AM        28160      C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation          8/18/2001 4:00:00 AM        90112      C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation          5/26/2005 3:16:30 AM        174360     C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation          8/18/2001 4:00:00 AM        66048      C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation          8/18/2001 4:00:00 AM        558592     C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation          8/18/2001 4:00:00 AM        130048     C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation          8/18/2001 4:00:00 AM        150016     C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation          8/29/2002 6:14:40 AM        292352     C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation          8/18/2001 4:00:00 AM        119808     C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation          8/29/2002 3:41:00 AM        208896     C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation          8/18/2001 4:00:00 AM        187904     C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation          8/18/2001 4:00:00 AM        559616     C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation          8/18/2001 4:00:00 AM        35840      C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation          8/18/2001 4:00:00 AM        256000     C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation          8/18/2001 4:00:00 AM        36864      C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation          8/18/2001 4:00:00 AM        109056     C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation          8/18/2001 4:00:00 AM        147456     C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation          8/18/2001 4:00:00 AM        270848     C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation          8/18/2001 4:00:00 AM        28160      C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation          8/18/2001 4:00:00 AM        90112      C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
11/3/2003 7:45:46 PM     HS 84         C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
1/26/2006 1:14:14 AM        772        C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Trend Micro Anti-Spyware.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
11/3/2003 11:11:56 AM    HS 62         C:\Documents and Settings\All Users\Application Data\desktop.ini
12/26/2005 12:16:22 AM      1747       C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...
11/3/2003 7:45:46 PM     HS 84         C:\Documents and Settings\paul dunn\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
11/3/2003 11:11:56 AM    HS 62         C:\Documents and Settings\paul dunn\Application Data\desktop.ini
12/3/2003 4:11:20 PM        0          C:\Documents and Settings\paul dunn\Application Data\dm.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\EasyZip
    {1D9721CD-50B7-4AC3-99CB-BB1F05B52364}     = C:\PROGRA~1\EASYOF~1\CONTEX~1.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\moveonboot_delete
    {12B23346-6BD8-4812-BF8C-75E7C386ACB8}     = C:\Program Files\GiPo@Utilities\GiPo@MoveOnBoot\mboot.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03}     = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    {09799AFB-AD67-11d1-ABCD-00C04FC30936}     = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46}     = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    Start Menu Pin     = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EasyZip
    {1D9721CD-50B7-4AC3-99CB-BB1F05B52364}     = C:\PROGRA~1\EASYOF~1\CONTEX~1.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46}     = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03}     = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
    {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}     = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
     = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
     = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
     = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
     = %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
     =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
    &Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
    {8E718888-423F-11D2-876E-00A0C9082467}     = &Radio    : C:\WINDOWS\System32\msdxm.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
    Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
     =
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
    History Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address    : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address    : %SystemRoot%\System32\browseui.dll
    {2318C2B1-4965-11D4-9B18-009027A5CD4F} =     :
    {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links    : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    NvCplDaemon    RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    nwiz    nwiz.exe /install
    C-Media Mixer    Mixer.exe /startup
    SunJavaUpdateSched    C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    iTunesHelper    "C:\Program Files\iTunes\iTunesHelper.exe"
    QuickTime Task    "C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    MSMSGS    "C:\Program Files\Messenger\msmsgs.exe" /background
    NvMediaCenter    RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    ctfmon.exe    C:\WINDOWS\System32\ctfmon.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
    {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
    {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
    {0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    dontdisplaylastusername    0
    legalnoticecaption
    legalnoticetext
    shutdownwithoutlogon    1
    undockwithoutlogon    1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    NoDriveTypeAutoRun    145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    PostBootReminder                   {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
    CDBurn                             {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
    WebCheck                           {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
    SysTray                            {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit    = C:\WINDOWS\system32\userinit.exe,
    Shell       = Explorer.exe
    System      =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
     = crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
     = cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
     = cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
     = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
     = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
     = sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
     = WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
     = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
     = wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
    Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1    - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 1/29/2006 9:30:58 PM

Edited by happygeek: fixed formatting


The RootkitRevealer log is way too large to post.

Thanx for all your help,
but I am still getting the popups.
:(


Hi,
1. Please download AproposFix from here.
Save it to your desktop but do NOT run it yet.

2. Reboot your computer in "SAFE MODE" using the F8 method so Windows will start with minimal drivers and running processes. This means some of the programs that normally are set to run when Windows starts will not run. To do this, tap the F8 key repeatedly while your computer starts, then navigate the screen using the arrow keys and select "Safe Mode".

3. Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop.

4. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

5. When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.


If the popups persist after running the above program, can you post the screenshot of the popup?


OMG!!!
OMG!!!

Thank you!

No more Popups! You are a great help!

Thank you!


I've been having this issue too, with the pop-ups, and I think it's causing some of the other issues I've been having with my PC. I'll give the last suggested method a try.


Hi Clowny,
Glad to hear that popups are gone. I will mark this thread as "Solved" then!

Hi Kiba Ookami,
If the popups persist or if you need any help, then please start a new topic in this section by clicking the "Post a new thread" button at the top-left of that page.
