Member Avatar for hamihol

Hi, I am new to this, so if someone could help me out, I would GREATLY appreciate it! I have been getting all sorts of annoying popups from exitexchange.com and I can't get rid of them. I have run AVG, Ad-Aware, and SpyBot S&D, and none of these have gotten rid of the popups. Here is my log from HiJack This:

Logfile of HijackThis v1.99.1
Scan saved at 6:47:44 PM, on 5/26/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\Mixer.exe
C:\WINNT\System32\desk95.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINNT\System32\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Winamp\winamp.exe
C:\Documents and Settings\Holli\Desktop\HijackThis.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [HydarVisionDesktopManager] desk95.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AT&T Plug&Share 108Mbps Wireless PCI Adapter Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1009864352796
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

  • 3 Contributors
  • 14 Replies
  • 241 Views
  • 4 Weeks Discussion Span
  • Latest Post Latest Post by ShadowPuterDude

Recommended Answers

All 14 Replies

Member Avatar for hamihol

Okay, these are mostly Adult Friend Finder, SysProtect, and WinAntiVirus popups. I have scanned my computer with AdAware SE, Spybot S&D, AVG Antivirus. I've tried Vundo Fix. I don't know what else to do. PLEASE HELP!!!!

Member Avatar for ShadowPuterDude

You appear to be running a completely unpatched, original Windows XP. This is a serious sercurity risk and if not update to SP2 and brought up2date your computer will get infected again.

DO NOT update your version of XP at this time. Doing so will render your operating system useless; wait until we are finished disinfecting your system.

The version of Java installed on your computer is out-of-date. Install version 1.5.0_07 available from http://www.java.com/en/download/manual.jsp. Make sure you uninstall all older versions.


You are running HijackThis directly from your Desktop, this is not the preferred location. Move HijackThis to C:\Program Files\HJT. Run HijackThis from this location from this point foward.

Scan With HijackThis and fix the follow line:

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

There is nothing in your log to suggest you are infected.

Download WinPFind

  • Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program.
  • Now click Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.
  • When it is done, it will show the results of the scan. Right Click in the window and choose Select All. Then Right Click again and select Copy which will copy to the contents of the log to your clipboard. Then open a notepad window and paste in the log by pressing CTRL-V. Save it to a file and upload the text file here as an attachment.
Member Avatar for hamihol

I have updated my version of Java and removed all older versions. I fixed the line item in HijackThis. I downloaded WinPFind, but I cannot scan with it. When I double clicked the icon, an error message came up stating "File not found" but it still opened the program. When I clicked on "Start Scan" another error message came up stating "Access Violation at 0044DE27 in module 'winpfind.exe.' Read of address 00000004."

Member Avatar for ShadowPuterDude

OK, lets use a different utility.

Download the attached GetRunKey.zip to your Desktop. Then extract the contents of the ZIP file directly to your desktop. Double-click getrunkey.bat. It will create a file named runkeys.txt in the root of drive C: (C:\runkeys.txt) . This log will also popup in a notepad window which your can just close. Upload the runkeys.txt file here as an attachment.

NOTE: Anybody else seeing this file do not download it. This file changes frequently.

GetRunKey.zip (45.07 KB)
Member Avatar for Burton1

We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here: http://www.microsoft.com/windowsxp/downloads/updates/sp1/default.mspx
Apply the update, reboot, and post a fresh Hijack This log.

Sp1 will not render his system it will simply patch up the holes in his system. I agree with you that his system is very vulnerable, he can get infected just by connecting to the internet so he will need to patch. Sp2 needs to wait until you have finished cleaning him

Member Avatar for ShadowPuterDude

We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here: http://www.microsoft.com/windowsxp/downloads/updates/sp1/default.mspx
Apply the update, reboot, and post a fresh Hijack This log.

Sp1 will not render his system it will simply patch up the holes in his system. I agree with you that his system is very vulnerable, he can get infected just by connecting to the internet so he will need to patch. Sp2 needs to wait until you have finished cleaning him

I am not a novice at this. There are different schools of thought on appplying SP1a to Windows XP on an infected PC. Many of the Malware training centers teach to do this; appling patches to infected PCs can break the OS. His hiJackThis log is not showing infections, and WinPFind will not run. There is something hiding on the system and it is best to find it before recommend the OS be patched.

Member Avatar for Burton1

Something is hidding? Black light?

Member Avatar for ShadowPuterDude

Something is hidding? Black light?

There are other tools that can be used to reveal stuff not shown by HijackThis. Running a RootKit scanner is rarely necessary. GetRunKeys and ISeeYouXP are two examples; both of which are developed by assoiciates of mine and are updated frequently.

Member Avatar for hamihol

Attached...

****************************************************************************
*             GetRunKeys.Bat - (c) 01/28/2006 By Chaslang                  *
*             Beta only partially supports Win9x and ME                    *
*             05/31/2006 Version 1.42 beta                                 *
****************************************************************************
* Most of the information reported below is not necessarily bad.  You must *
* not take any steps on any of these lines without consulting an expert.   *
****************************************************************************
 
Windows OS is  

Microsoft Windows XP [Version 5.1.2600]
 
----------------------------------------------------------------------------
             Listing Standard Startup (Run) Registry Keys
----------------------------------------------------------------------------

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="\"C:\\Program Files\\ATI Multimedia\\main\\launchpd.exe\""
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"ATI Scheduler"="C:\\Program Files\\ATI Multimedia\\main\\ATISched.EXE"
"PopUpStopperFreeEdition"="\"C:\\PROGRA~1\\PANICW~1\\POP-UP~1\\PSFree.exe\""


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"C-Media Mixer"="Mixer.exe /startup"
"NeroFilterCheck"="C:\\WINNT\\system32\\NeroCheck.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AtiPTA"="atiptaxx.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"EEventManager"="C:\\Program Files\\EPSON\\Creativity Suite\\Event Manager\\EEventManager.exe"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"HydarVisionDesktopManager"="desk95.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\RunOnce]


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\RunOnceEx]
@=""


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\RunServices]


[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"


[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"
"tscuninstall"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  74,00,73,00,63,00,75,00,70,00,67,00,72,00,64,00,2e,00,65,00,78,00,65,00,00,\
  00

----------------------------------------------------------------------------
                Listing MSCONFIG Registry Keys               
----------------------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
"system.ini"=dword:00000000
"win.ini"=dword:00000000
"bootini"=dword:00000002
"services"=dword:00000000
"startup"=dword:00000000

----------------------------------------------------------------------------
              Listing ModuleUsage Registry Keys              
----------------------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/WoF.ocx]
".Owner"="{DA758BB1-5F89-4465-975F-8D7179A4BCF3}"
"{DA758BB1-5F89-4465-975F-8D7179A4BCF3}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/System32/danim.dll]
".Owner"="{DC38CC30-4E3B-11d1-9071-0060081840BC}"
"{DC38CC30-4E3B-11d1-9071-0060081840BC}"="{DC38CC30-4E3B-11d1-9071-0060081840BC}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/System32/ddrawex.dll]
".Owner"="{DC38CC30-4E3B-11d1-9071-0060081840BC}"
"{DC38CC30-4E3B-11d1-9071-0060081840BC}"="{DC38CC30-4E3B-11d1-9071-0060081840BC}"
"22d6f312-b0f6-11d0-94ab-0080c74c7e95"="22d6f312-b0f6-11d0-94ab-0080c74c7e95"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/System32/quartz.dll]
".Owner"="{DC38CC30-4E3B-11d1-9071-0060081840BC}"
"{DC38CC30-4E3B-11d1-9071-0060081840BC}"="{DC38CC30-4E3B-11d1-9071-0060081840BC}"
"{4112DF42-0DCB-11d1-8177-00AA00576BAD}"="{4112DF42-0DCB-11d1-8177-00AA00576BAD}"
"{22d6f312-b0f6-11d0-94ab-0080c74c7e95}"="{22d6f312-b0f6-11d0-94ab-0080c74c7e95}"

----------------------------------------------------------------------------
             Listing HKCU Policies Registry Keys             
----------------------------------------------------------------------------

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

----------------------------------------------------------------------------
             Listing HKLM Policies Registry Keys             
----------------------------------------------------------------------------

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001

----------------------------------------------------------------------------
             Listing BHO Registry Keys              
----------------------------------------------------------------------------

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
@=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
"NoExplorer"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84C9AA0D-17AA-49A6-B7D3-4167897B17A4}]

----------------------------------------------------------------------------
             Listing SharedTaskScheduler Registry Keys              
----------------------------------------------------------------------------

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

----------------------------------------------------------------------------
        Listing Default URL Prefix Keys - a possible hijack point        
----------------------------------------------------------------------------

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"

----------------------------------------------------------------------------
        HKEY_CURRENT_USER ZoneMap ProtocolDefaults        
----------------------------------------------------------------------------

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
@=""
"http"=dword:00000003
"https"=dword:00000003
"ftp"=dword:00000003
"file"=dword:00000003
"@ivt"=dword:00000001

----------------------------------------------------------------------------
             Miscellaneous Malware Detection Report              
----------------------------------------------------------------------------

    List of Malware found in SharedTaskScheduler 
    ------------------------------------------------------------------------
       No Malware found in SharedTaskScheduler 
    ------------------------------------------------------------------------


    List of Malware found in C:\WINNT\system32  
    ------------------------------------------------------------------------
       No Malware found in C:\WINNT\system32 
    ------------------------------------------------------------------------


    Check for Troj-Torpig-D,E,J Keylogger 
    ------------------------------------------------------------------------
       Troj-Torpig-D,E,J Keylogger was not found 
    ------------------------------------------------------------------------
Member Avatar for ShadowPuterDude

Your runkey.txt shows no infections. This is looking more like an OS issue. Update you system to SP1a do not apply SP2 at this time.

After you have updated to SP1a post a fresh HijackThis log.

Member Avatar for hamihol

Updated HJT attached

Logfile of HijackThis v1.99.1
Scan saved at 4:05:32 PM, on 6/25/2006
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\Mixer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\System32\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINNT\System32\desk95.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HJT\HijackThis.exe

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [HydarVisionDesktopManager] desk95.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AT&T Plug&Share 108Mbps Wireless PCI Adapter Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1151268500611
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
Member Avatar for ShadowPuterDude

Your logs are coming back clean.

What issues if any are you having?

Is there a specific reason why, you have not updated your copy of XP?

As it stands now, you are running a completely unpatched copy of XP. It will becoome infected, as there are numerous vulnerabilties that updating your OS would close.

Member Avatar for hamihol

The only issue I was having was getting popups, mainly from Sysprotect, Adult Friend Finder, and WinAntiVirus. Since I've done the update, I haven't seen any more popups (hopefully I didn't just jynx myself!).

Not sure why XP was not being updated? A friend built my computer and loaded the OS and all other software on to it, so I assumed it was good to go.

Member Avatar for ShadowPuterDude

There are no signs of the infections that cause those pop-ups. They would show in HijackThis and GetRunKeys.

You may want to run the Windows Genuine Advatange tool. That will tell you if your friend used a legit copy of Windows, when your system was built. If your copy of Windows is not valid, you will want to obtain a legit product key from Microsoft.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.