CAN YOU PLEASE HELP, I KNOW YOU GUYS ARE BUSY, PLUS YOU ARE THE EXPERTS.
I HAVE NEVER SEEN ANYTHING LIKE THIS.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:21:09 AM, on 8/26/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AT&T\AT&T Internet Security Suite\Fws.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\AT&T\AT&T Internet Security Suite\Rps.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Micro Innovations\Wireless Keyboard & Mouse Driver\StartAutorun.exe
C:\Program Files\Micro Innovations\Wireless Keyboard & Mouse Driver\KMConfig.exe
C:\Program Files\Micro Innovations\Wireless Keyboard & Mouse Driver\KMProcess.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMPAQ~2\Presario\XPHNARP4EN\plugin\bin\pchbutton.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\CyberDefender\AntiSpyware\cdas48.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\AT&T\Internet Security Wizard\ISWComHandler.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Micro Innovations\Wireless Keyboard & Mouse Driver\KMWDSrv.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\AT&T\AT&T Internet Security Suite\rpsupdaterR.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\program files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\WINDOWS\system32\h1soU3fq.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://safesearch.cy...mallsearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://red.clientapp...rch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Documents and
Settings\Owner\Local Settings\Application Data\CyberDefender\cdmyidd.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} -
C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\AT&T\AT&T Internet
Security Suite\pkR.dll
O2 - BHO: AT&T Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: solution Class - {99C6D1BB-7555-474C-91DA-D8FB62A9CC75} - C:\WINDOWS\system32\HiSO8uFQ.dll
O2 - BHO: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Documents and Settings\Owner\Local
Settings\Application Data\CyberDefender\cdmyidd.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program
Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: AT&T Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Documents and Settings\Owner\Local
Settings\Application Data\CyberDefender\cdmyidd.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe"
-Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter
Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HelpCenter4.1] C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe /P HelpCenter4.1
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [AT&T Internet Security Suite] "C:\Program Files\AT&T\AT&T Internet Security Suite\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\AT&T\AT&T Internet Security Suite\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KMCONFIG] C:\Program Files\Micro Innovations\Wireless Keyboard & Mouse Driver\StartAutorun.exe
KMConfig.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\COMPAQ~2\Presario\XPHNARP4EN\plugin\bin\pchbutton.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [CyberDefender Early Detection Center] "C:\Program Files\CyberDefender\AntiSpyware\cdas48.exe"
/minimize
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network
Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network
Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.bellsouth.net
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) -
https://www-secure.s...rl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -
http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -
http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} -
https://setup.bellso...aller_4-2-1.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) -
http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -
http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
http://update.micros...b?1145619971187
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} -
http://a19.g.akamai....02/cpbrkpie.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) -
http://download.mcaf...,26/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} -
https://www-secure.s...rl/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://fpdownload2.m...ash/swflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. -
C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: gearsec (GEARSecurity) - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google
Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common
Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program
Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: Keyboard And Mouse Communication Service (KMWDSERVICE) - UASSOFT.COM - C:\Program Files\Micro
Innovations\Wireless Keyboard & Mouse Driver\KMWDSrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: AT&T Internet Security Suite Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\AT&T\AT&T
Internet Security Suite\rpsupdaterR.exe
O23 - Service: AT&T Internet Security Suite AT&T Firewall (RP_FWS) - AT&T - C:\Program Files\AT&T\AT&T Internet
Security Suite\Fws.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec
Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 13485 bytes
(Uipopuphidden) SOS!
Started by albertrbh, Aug 26 2008 04:27 PM
8 replies to this topic
#1
Posted 26 August 2008 - 04:27 PM
#2
Posted 26 August 2008 - 05:01 PM
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
- Make sure you are connected to the Internet.
- Double-click on Download_mbam-setup.exe to install the application. (If using Windows Vista, be sure to "Run As Administrator")
- When the installation begins, follow the prompts and do not make any changes to default settings.
- When installation has finished, make sure you leave both of these checked:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
- Then click Finish.
- MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
- If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
- On the Scanner tab:
- Make sure the "Perform Quick Scan" option is selected.
- Then click on the Scan button.
- The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
- The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
- When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
- Click OK to close the message box and continue with the removal process.
- Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
- Make sure that everything is checked, and click Remove Selected.
- When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
- The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
- Copy and paste the contents of that report in your next reply and exit MBAM.
#3
Posted 28 August 2008 - 02:07 PM
HELLO WEBMASTER, SORRY FOR THE DELAY.
THE MALWARE SOFTWARE IS VERY NICE, THANKS. IT DELETED A LOT OF VIRUSES I DID NOT KNOW I HAD ON MY COMPUTER.
OK, THE TROJAN.BHO WILL NOT GO AWAY (UIPOPUPHIDDEN). I FOLLOW YOUR INSTRUCTIONS,
DELETE-REBOOT, etc. IT DOESN'T MATTER, IT COMES BACK.
5 FILES WERE FOUND THIS MORNING. I RAN BEFORE CONTACTING YOU, I WANT
TO BE SURE. BELOW THAT IS THE ONE I RAN ON 8-26-2008
***********************************************************
Registry Keys Infected:
1.HKEY_CLASSES_ROOT\solution.solution (Trojan.BHO) -> Quarantined and deleted successfully.
2.HKEY_CLASSES_ROOT\solution.solution.1 (Trojan.BHO) -> Quarantined and deleted successfully.
3.HKEY_CLASSES_ROOT\Interface\{892b2785-b0d0-4aa2-ae6a-0ed60b00a979} (Trojan.BHO) -> Quarantined and deleted successfully.
4.HKEY_CLASSES_ROOT\CLSID\{99c6d1bb-7555-474c-91da-d8fb62a9cc75} (Trojan.BHO) -> Quarantined and deleted successfully.
5.HKEY_CLASSES_ROOT\Typelib\{00476c87-a276-49bf-86bc-ff005732430b} (Trojan.BHO) -> Quarantined and deleted successfully.
************************************************************
Malwarebytes' Anti-Malware 1.25
Database version: 1088
Windows 5.1.2600 Service Pack 3
5:42:49 PM 8/26/2008
mbam-log-08-26-2008 (17-42-49).txt
Scan type: Quick Scan
Objects scanned: 56351
Time elapsed: 15 minute(s), 11 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 15
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 5
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\HiSO8uFQ.dll (Trojan.BHO) -> Delete on reboot.
C:\Documents and Settings\Owner\Local Settings\Application Data\CyberDefender\cdmyidd.dll (Trojan.BHO) -> Delete on reboot.
Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{00476c87-a276-49bf-86bc-ff005732430b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{892b2785-b0d0-4aa2-ae6a-0ed60b00a979} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{99c6d1bb-7555-474c-91da-d8fb62a9cc75} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99c6d1bb-7555-474c-91da-d8fb62a9cc75} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cdmyidd.securitytoolbar (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{cd24eb02-9831-4838-99d0-726d411b1328} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f20da564-9254-49fe-a678-cc3cef172252} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cdmyidd.securitytoolbar.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\solution.solution (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\solution.solution.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn (Hijack.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\HiSO8uFQ.dll (Trojan.BHO) -> Delete on reboot.
C:\Documents and Settings\Owner\Local Settings\Application Data\CyberDefender\cdmyidd.dll (Trojan.BHO) -> Delete on reboot.
C:\WINDOWS\system32\h1soU3fq.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\N0g3uEMx.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\~.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
#4
Posted 28 August 2008 - 05:41 PM
Interesting mix of malware that MBAM found. Let's look further.
Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingc...to-use-combofix
Link 1
Link 2
Link 3
**Note: It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
--------------------------------------------------------------------
Double click on combofix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.
#5
Posted 28 August 2008 - 07:19 PM
HELLO WEBMASTER, I RAN THE "COMBOFIX". FYI, I RESTARTED MY PC AND INSTEAD OF SEEING (UIPOPUPHIDDEN) I SAW (RPS.EXE) TWICE. ON THE 3RD RESTART IT WENT BACK TO
(UIPOPUPHIDDEN). WHATEVER THIS IS STARTS TO EXECUTE WHEN I LOG ON TO THE INTERNET AND IT ALWAYS STARTS WITH THIS FILE (C:\WINDOWS\SYSTEM32\h1soU3fq.exe)
MY FIREWALL IS CONSTANTLY BLOCKING THIS FILE (h1soU3fq1)
************************************************************
ComboFix 08-08-27.06 - Owner 2008-08-28 14:09:57.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.181 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\NetworkService\Application Data\macromedia\Flash Player\#SharedObjects\TGCCJNMM\interclick.com
C:\Documents and Settings\NetworkService\Application Data\macromedia\Flash Player\#SharedObjects\TGCCJNMM\interclick.com\ud.sol
C:\Documents and Settings\NetworkService\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\NetworkService\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\NetworkService\Cookies\system@wat.contextweb[1].txt
C:\Documents and Settings\Owner\Application Data\install.dat
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\8LMRDNX7\bin.clearspring.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\8LMRDNX7\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\8LMRDNX7\interclick.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\8LMRDNX7\interclick.com\ud.sol
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-28 )))))))))))))))))))))))))))))))
.
2008-08-26 17:24 . 2008-08-26 17:24 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-08-26 17:24 . 2008-08-26 17:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-25 13:32 . 2008-08-25 13:32 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-25 13:30 . 2008-08-25 13:30 6,144 --ahs---- C:\WINDOWS\system32\access.ctl
2008-08-24 21:27 . 2008-08-24 21:27 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\URSoft
2008-08-24 21:26 . 2008-08-25 17:06 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-24 21:25 . 2008-08-24 21:52 <DIR> d-------- C:\Program Files\Your Uninstaller 2008
2008-08-20 18:44 . 2008-08-20 18:44 53 --a------ C:\WINDOWS\av_affiliate.ini
2008-08-20 18:44 . 2008-08-20 18:44 53 --a------ C:\WINDOWS\as_affiliate.ini
2008-08-20 18:42 . 2008-08-23 10:13 <DIR> d-------- C:\Program Files\CyberDefender
2008-08-20 18:42 . 2008-08-20 18:41 67,424 --a------ C:\WINDOWS\system32\drivers\CDAVFS.sys
2008-08-20 18:04 . 2008-08-20 18:24 <DIR> d-------- C:\Program Files\XoftSpySE
2008-08-20 16:45 . 2008-08-28 11:59 81,410 --a------ C:\WINDOWS\system32\h1soU3fq.exe
2008-08-20 15:08 . 2008-08-25 16:29 63 --a------ C:\WINDOWS\st_affiliate.ini
2008-08-17 17:00 . 2008-08-17 18:20 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\BLSTOOLBAR
2008-08-17 14:58 . 2008-08-17 14:57 29,760 --a------ C:\WINDOWS\system32\N0g3uEMx.exe
2008-08-13 10:06 . 2008-05-01 10:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-13 10:05 . 2008-04-11 15:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-07-30 18:08 . 2008-07-30 18:08 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-30 18:08 . 2008-07-30 18:08 1,409 --a------ C:\WINDOWS\QTFont.for
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-26 14:10 --------- d-----w C:\Program Files\MUSICMATCH
2008-08-26 14:10 --------- d-----w C:\Documents and Settings\Owner\Application Data\Musicmatch
2008-08-25 20:53 --------- d-----w C:\Program Files\The Classified Connection
2008-08-24 23:40 --------- d-----w C:\Program Files\Lavasoft
2008-08-24 23:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-24 16:19 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-20 17:04 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-20 16:56 --------- d-----w C:\Program Files\Viewpoint
2008-08-19 15:59 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-19 21:50 77,824 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARP4EN\plugin\bin\FDIWrapper.dll
2007-07-05 15:52 66,248 ----a-w C:\Program Files\INSTALL.LOG
2006-10-01 15:04 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}"= "C:\Documents and Settings\Owner\Local Settings\Application Data\CyberDefender\cdmyidd.dll" [2008-08-23 10:10 3790152]
[HKEY_CLASSES_ROOT\clsid\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6}]
[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{CD24EB02-9831-4838-99D0-726D411B1328}]
[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}]
2008-08-23 10:10 3790152 --a------ C:\Documents and Settings\Owner\Local Settings\Application Data\CyberDefender\cdmyidd.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}"= "C:\Documents and Settings\Owner\Local Settings\Application Data\CyberDefender\cdmyidd.dll" [2008-08-23 10:10 3790152]
[HKEY_CLASSES_ROOT\clsid\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6}]
[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{CD24EB02-9831-4838-99D0-726D411B1328}]
[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}"= "C:\Documents and Settings\Owner\Local Settings\Application Data\CyberDefender\cdmyidd.dll" [2008-08-23 10:10 3790152]
[HKEY_CLASSES_ROOT\clsid\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6}]
[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{CD24EB02-9831-4838-99D0-726D411B1328}]
[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 20:12 1695232]
"Acme.PCHButton"="C:\PROGRA~1\COMPAQ~2\Presario\XPHNARP4EN\plugin\bin\pchbutton.exe" [2003-10-11 08:46 159744]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]
"CyberDefender Early Detection Center"="C:\Program Files\CyberDefender\AntiSpyware\cdas48.exe" [2008-08-23 10:10 619848]
"NVIEW"="nview.dll" [2003-08-19 05:56 852038 C:\WINDOWS\system32\nview.dll]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 10:07 114688]
"CamMonitor"="c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 10:23 90112]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 11:01 110592]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 00:42 212992]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 11:22 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 15:46 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 16:04 40960]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe" [2004-05-25 10:16 49152]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 10:34 851968]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-04-29 11:37 98304]
"HelpCenter4.1"="C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe" [2007-06-28 19:02 198184]
"ISW.exe"="C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 13:12 2061816]
"AT&T Internet Security Suite"="C:\Program Files\AT&T\AT&T Internet Security Suite\Rps.exe" [2007-06-28 16:09 310000]
"-FreedomNeedsReboot"="C:\Program Files\AT&T\AT&T Internet Security Suite\ZkRunOnceR.exe" [2007-06-28 16:09 13552]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-27 09:12 185896]
"KMCONFIG"="C:\Program Files\Micro Innovations\Wireless Keyboard & Mouse Driver\StartAutorun.exe" [2007-03-06 14:51 212992]
"VTTimer"="VTTimer.exe" [2004-10-22 12:53 53248 C:\WINDOWS\system32\VTTimer.exe]
"LTMSG"="LTMSG.exe" [2003-07-14 20:52 40960 C:\WINDOWS\ltmsg.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe [2003-10-11 08:42:56 16384]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 11:20:40 233472]
Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [2006-08-19 21:35:57 819200]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-04-06 10:00:00 122880]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.HFYU"= huffyuv.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\CyberDefender\\AntiSpyware\\cdas48.exe"=
R2 KMWDSERVICE;Keyboard And Mouse Communication Service;C:\Program Files\Micro Innovations\Wireless Keyboard & Mouse Driver\KMWDSrv.exe [2007-04-05 10:29]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 17:38]
R3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys [2004-06-12 06:27]
R3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys [2004-01-10 05:28]
R3 CDAVFS;CDAVFS;C:\WINDOWS\system32\DRIVERS\CDAVFS.sys [2008-08-20 18:41]
S3 Radialpoint Security Services;AT&T Internet Security Suite;C:\WINDOWS\system32\dllhost.exe [2008-04-13 20:12]
*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-RecordNow! - (no file)
MSConfigStartUp-MimBoot - C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\qkaqfchm.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-28 14:14:27
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-08-28 14:18:04
ComboFix-quarantined-files.txt 2008-08-28 18:17:39
Pre-Run: 93,737,381,888 bytes free
Post-Run: 93,982,543,872 bytes free
168 --- E O F --- 2008-08-20 20:36:13
(UIPOPUPHIDDEN) WHATEVER THIS IS STARTS TO EXECUTE WHEN I LOG ON TO THE INTERNET AND IT ALWAYS STARTS WITH THIS FILE (C:\WINDOWS\SYSTEM32\h1soU3fq.exe)
MY FIREWALL IS CONSTANTLY BLOCKING THIS FILE (h1soU3fq1)
#6
Posted 29 August 2008 - 04:12 PM
1. Close any open browsers.
2. Open notepad and copy/paste the text in the quotebox below into it:
QUOTE
KillAll::
File::
C:\WINDOWS\system32\h1soU3fq.exe
C:\WINDOWS\system32\N0g3uEMx.exe
Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
NOTE: Please run HiJackThis after the above and post a new log in this thread. When posting the HJT log, be sure that Word Wrap is turned off in Notepad. You will find the Word Wrap option in the Format menu of Notepad.
#7
Posted 29 August 2008 - 04:24 PM
Re the UiPopHidden error message you are getting. I found the following in a thread at Castlecops from 2004. The ISP is different and it seems some of the file names have changed. Freedom on your system looks to be coming with AT&T Internet Security. You might want to check with them regarding this issue since I am not sure that the instructions given in the quoted material are still valid.
I finally got a reply from Freedom about Uipopuphidden and the problem is with Freedom. After trying a few things that they had recommended and still not having the problem resolved they sent me the following instructions, which did in fact fix the problem. I have posted their e-mail below for anyone else who would like to resolve this problem. I hope this is okay and within the forums rules. If not then feel free to delete it.
Thanks for the help
---------------------------------------------------------------------------------------
Please follow the steps below to remove and reinstall Telus Security Services 5. Please note that the files below are not the same files used to remove/reinstall previous versions of Telus Security Services (such as Freedom 4.2) so please make sure you download the files even if you already have similarly named files on your computer.
Before starting, please make sure Telus Security Services is shut down and your temporary files have been removed. To do so,
a) Please double click on the Telus Security Services icon on your taskbar (near the clock) to bring up the Telus Security Services window.
b) Click Telus Security Services > Shut down.
NOTE: If the Telus Security Services icon is not on your taskbar, Telus Security Services is probably not running.
Show hidden files and folders.
a) Open My Computer by double-clicking on it from your desktop.
b) From the menu bar, select Tools -> Folder Options...
c) Click on the View tab
d) Under 'Hidden files and folders' make sure the circle is filled in next to 'Show hidden files and folders'
e) Click on OK at the bottom of the window
Once that has been done, please remove all files in the temp and temporary internet folders. The folders can be found through the following directories:
** For Windows 98SE/ME: **
C:\Windows\TEMP
C:\Windows\Temporary Internet Files
** For Windows 2000/XP: **
C:\Documents and Settings\%username%\Local Settings\TEMP
C:\Documents and Settings\%username%\Local Settings\Temporary Internet Files
You may now proceed with reinstallation of Telus Security Services 5.0.
1. Telus Security Services 5.0 Uninstaller:
http://download.free...edomCleanup.exe
a) Save this file to your desktop.
b) Run the file to remove Telus Security Services.
2. Telus Security Services 5.0 Configuration files remover:
http://download.free...RemoverPlus.exe
a) Save this file to your desktop.
b) Run the file to remove Telus Security Services configuration files.
c) Once the remover has completed its tasks, it will ask you if you want to start TELUS Security service; please click on No.
3. Microsoft Windows Install Cleanup Tool to make sure Telus Security Services has been well removed:
http://download.micr...1BD/msicuu2.exe
a) Download and install this tool.
b) Once the installation is complete, go to Start> Programs> Windows Install Clean Up.
c) A list of programs will appear. Remove any entry containing the following:
Command, Authenthium, Freedom, Telus Security, Pest Patrol, ZeroKnowledge
Click on 'Remove' to remove an entry.
4. Remove Telus Security Services program files (if any one of them exists):
a) First, open My Computer by double-clicking on it from your desktop.
b) Browse to C:\Program Files\Zero Knowledge\ and delete the Freedom folder
c) Browse to C:\Program Files\Common Files\ and delete the Command Software and/or PestPatrol folder
d) Browse to C:\Program Files\Telus Internet Security Software\ and delete the Freedom folder
e) Browse to C:\Program Files\Common Files\ and delete the Command Software folder
f) Browse to C:\Windows\system32\drivers\ and delete freedom.sys and FreeTDI.sys
g) Browse to C:\Program Files\InstallShield Installation Information\ and delete the folder called {8F18E2E1-0BAE-4E0A-AC6B-4974382DF48D}
h) REBOOT
5. Please upgrade your InstallShield to the latest version by performing the instructions below.
a) Delete the folder C:\Program Files\Common Files\InstallShield\Driver\8 from the machine.
b) Download http://support.insta...2/ISScript8.zip
c) Unzip the file you currently downloaded. For more information on unzipping files:
-How Do I Unzip a File in Windows XP? http://consumer.inst....asp?id=Q108326
-How Do I Use the WinZip Utility in Windows 2000 or Earlier? http://consumer.inst....asp?id=Q108228
d) Double-click the IsScript8.msi file. This installs the IsScript engine for this version of the installation.
6. Telus Security Services 5.0 Installer:
http://freedom.mytel.../freedom-latest
a) Save this file to your desktop.
b) Run the file to reinstall Telus Security Services.
Please reply to this email if you have any other questions or comments.
Regards,
Technical Support Team
#9
Posted 31 August 2008 - 09:04 PM
HELLO WEBMASTER I FOUND THIS INFO AT Systemlookup.com,,,I THOUGHT MAYBE IT COULD HELP
Type: BHO
CLSID: {557B9038-FC87-453C-8B08-32D85F46EAC4}
Name: apronA Class
Filename(s): RealPlay.dll, REALON~*.DLL, WEBTHU~1.DLL, Searchd.dll, Searche.dll, search.dll, 3721.dll, 3721Search.dll, 3721SE~*.DLL, cninc.dll, usr.dll
Description: Downloader of Chinese origin, detected by Kaspersky antivirus as Trojan.Win32.BHO.r