Hi,

Just removed my old spyware software and wanted to install Antivir but forgot and got hit with some pop-ups (poker, -- Look for another playground --) Just wondering if someone could help me with my log

Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:16:18, on 27/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Apps\Powercinema\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HiJackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\system32\cO304hwY.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [SECEDIT] C:\Drivers\SECEDIT.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe

--
End of file - 4640 bytes

Hello .Flight.,

So install AntiVir, run a scan, and post back. :)

Regards,
tea

Ok installed Antivir and ran it. Heres the results...



AntiVir PersonalEdition Premium
Report file date: 28 September 2007 16:43

Scanning for 835736 virus strains and unwanted programs.

Licensed to: Demo Version
Serial number:
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: SYSTEM
Computer name: MARUF

Version information:
BUILD.DAT : 308 17199 Bytes 19/09/2007 13:44:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 23/08/2007 13:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 16/08/2007 12:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 14/08/2007 15:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 21/08/2007 12:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 14:27:15
ANTIVIR1.VDF : 7.0.0.0 1640448 Bytes 13/09/2007 14:26:55
ANTIVIR2.VDF : 7.0.0.1 2048 Bytes 13/09/2007 14:27:04
ANTIVIR3.VDF : 7.0.0.2 2048 Bytes 13/09/2007 14:27:13
AVEWIN32.DLL : 7.6.0.15 2806272 Bytes 17/09/2007 17:43:56
AVWINLL.DLL : 1.0.0.7 14376 Bytes 26/02/2007 10:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 18/07/2007 07:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 16/04/2007 13:16:24
AVPACK32.DLL : 7.3.0.15 360488 Bytes 03/08/2007 08:46:00
AVREG.DLL : 7.0.1.6 30760 Bytes 18/07/2007 07:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 28/08/2007 12:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 18/07/2007 07:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 08/03/2007 11:09:42
RCIMAGE.DLL : 7.0.1.30 2576424 Bytes 07/08/2007 12:51:06
RCTEXT.DLL : 7.0.62.0 86056 Bytes 21/08/2007 13:03:18
SQLITE3.DLL : 3.3.17.1 339968 Bytes 23/07/2007 09:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition premium\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: 28 September 2007 16:43

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'IEXPLORE.EXE' - '1' Module(s) have been scanned
Scan process 'IEXPLORE.EXE' - '1' Module(s) have been scanned
Scan process 'IEXPLORE.EXE' - '1' Module(s) have been scanned
Scan process 'WinCinemaMgr.exe' - '1' Module(s) have been scanned
Scan process 'WZCSLDR2.exe' - '1' Module(s) have been scanned
Scan process 'AirGCFG.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'realsched.exe' - '1' Module(s) have been scanned
Scan process 'PCMService.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'CLSched.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'HidService.exe' - '1' Module(s) have been scanned
Scan process 'CLCapSvc.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
30 processes with 30 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '26' files ).


Starting the file scan:

Begin scan in 'C:\' <Local Disk>
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\WINDOWS\system32\5oFdik6F.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '4743265a.qua'!
C:\WINDOWS\system32\cO304hwY.dll
[DETECTION] Is the Trojan horse TR/BHO.Agent.mio
[WARNING] An error has occurred and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\WINDOWS\system32\Q1v2iJjV.dll
[DETECTION] Is the Trojan horse TR/BHO.Agent.mio
[INFO] The file was moved to '4773266a.qua'!
C:\WINDOWS\system32\Sh7vFjC0.dll
[DETECTION] Is the Trojan horse TR/BHO.Agent.mio
[INFO] The file was moved to '473426a9.qua'!
C:\WINDOWS\temp\svcipa.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '47602712.qua'!


End of the scan: 28 September 2007 17:06
Used time: 23:55 min

The scan has been done completely.

2612 Scanning directories
159557 Files were scanned
5 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
4 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
159552 Files not concerned
6415 Archives were scanned
3 Warnings
0 Notes

Hello,

Great, thanks!

Now please post a new HijackThis log and let me know how your computer is running now. :)

Thanks,
tea

The pops are still there, like one or two, but heres the new hjlog

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:26:36, on 28/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Apps\Powercinema\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\hijackthis\HiJackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\system32\cO304hwY.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [SECEDIT] C:\Drivers\SECEDIT.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AntiVir PersonalEdition Premium MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
O23 - Service: AntiVir PersonalEdition Premium Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: AntiVir PersonalEdition Premium Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: AntiVir PersonalEdition Premium MailGuard helper service (AVEService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe

--
End of file - 5362 bytes

Hello,

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea

Ok heres the combofix log and a new hjt log:

ComboFix 07-09-28.7 - MN 2007-09-28 17:40:40.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.69 [GMT 1:00]
Running from: C:\Documents and Settings\MN\My Documents\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\MN\Application Data\macromedia\Flash Player\#SharedObjects\JKRHLZHU\iforex.com
C:\Documents and Settings\MN\Application Data\macromedia\Flash Player\#SharedObjects\JKRHLZHU\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\MN\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\MN\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol

.
((((((((((((((((((((((((( Files Created from 2007-08-28 to 2007-09-28 )))))))))))))))))))))))))))))))
.

2007-09-28 16:41 <DIR> d-------- C:\Program Files\Avira
2007-09-28 16:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2007-09-28 15:42 <DIR> d-------- C:\Program Files\D-Link
2007-09-28 15:41 <DIR> d-------- C:\Program Files\ANI
2007-09-24 18:43 184,320 --a------ C:\WINDOWS\system32\cO304hwY.dll
2007-09-04 00:10 <DIR> d-------- C:\Documents and Settings\MN\Application Data\WinRAR

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-28 16:41 --------- d-------- C:\Program Files\eMule
2007-09-28 15:42 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-20 22:55 --------- d-------- C:\Program Files\LimeWire
2007-09-19 22:07 --------- d-------- C:\Documents and Settings\MN\Application Data\Azureus
2007-09-06 17:13 --------- d-------- C:\Program Files\QuickTime
2007-09-01 19:13 --------- d-------- C:\Program Files\Apoint2K
2007-08-16 12:47 --------- d-------- C:\Program Files\SUPERAntiSpyware
2007-08-15 22:36 --------- d-------- C:\Documents and Settings\MN\Application Data\SUPERAntiSpyware.com
2007-08-15 22:36 --------- d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-08-09 23:42 --------- d-------- C:\Program Files\DivX
2007-08-09 18:23 --------- d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2007-08-07 22:07 --------- d-------- C:\Program Files\Azureus
2007-07-31 19:12 --------- d-------- C:\Program Files\Wanadoo
2007-07-31 19:12 --------- d-------- C:\Program Files\Real
2007-07-31 19:12 --------- d-------- C:\Program Files\Learn2.com
2007-07-31 19:12 --------- d-------- C:\Program Files\InterVideo
2007-07-31 19:12 --------- d-------- C:\Program Files\CyberLink
2007-07-31 19:12 --------- d-------- C:\Program Files\CONEXANT
2007-07-26 03:53 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-26 03:53 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2006-04-03 20:24 278528 --a--c--- C:\Program Files\Common Files\FDEUnInstaller.exe
.

-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}]
2007-09-24 18:43 184320 --a------ C:\WINDOWS\system32\cO304hwY.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 14:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 14:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 14:00]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" []
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" []
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" []
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" []
"PCMService"="c:\Apps\Powercinema\PCMService.exe" [2005-05-11 13:48]
"SECEDIT"="C:\Drivers\SECEDIT.EXE" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-09-16 12:09]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-09-06 17:13]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-11-23 15:04]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-10-19 18:19]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" [2007-08-31 12:25]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-11-14 01:06:30]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-08-06 14:37:46]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-11-14 01:06:30]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-08-06 14:37:46]

S2 AntiVirMailService;AntiVir PersonalEdition Premium MailGuard;"C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe"
S2 AVEService;AntiVir PersonalEdition Premium MailGuard helper service;"C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe"
S3 netr73;D-Link DWA-111 Wireless G USB Adapter Driver;C:\WINDOWS\system32\DRIVERS\netr73.sys

*Newly Created Service* - ANTIVIRSCHEDULER
*Newly Created Service* - AVGIO
*Newly Created Service* - AVIPBB
*Newly Created Service* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
"2007-09-27 23:01:01 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\5oFdik6F.exe
"2007-09-23 08:01:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\5oFdik6F.exe
"2007-09-27 09:01:47 C:\WINDOWS\Tasks\At11.job"
"2007-09-27 10:01:01 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\5oFdik6F.exe
"2007-09-27 11:01:00 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\5oFdik6F.exe
"2007-09-26 12:03:01 C:\WINDOWS\Tasks\At14.job"
"2007-09-28 13:01:48 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\5oFdik6F.exe
"2007-09-27 14:01:48 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\5oFdik6F.exe
"2007-09-28 15:01:48 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\5oFdik6F.exe
"2007-09-28 16:01:07 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\5oFdik6F.exe
"2007-09-27 17:01:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\5oFdik6F.exe
"2007-09-23 00:01:47 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\5oFdik6F.exe
"2007-09-27 18:01:01 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\5oFdik6F.exe
"2007-09-27 19:01:00 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\5oFdik6F.exe
"2007-09-27 20:01:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\5oFdik6F.exe
"2007-09-27 21:01:01 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\5oFdik6F.exe
"2007-09-27 22:01:01 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\5oFdik6F.exe
"2007-09-23 01:01:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\5oFdik6F.exe
"2007-09-23 02:01:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\5oFdik6F.exe
"2007-09-23 03:01:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\5oFdik6F.exe
"2007-09-23 04:01:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\5oFdik6F.exe
"2007-09-23 05:01:00 C:\WINDOWS\Tasks\At7.job"
"2007-09-23 06:01:00 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\5oFdik6F.exe
"2007-09-23 07:01:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\5oFdik6F.exe
"2007-09-19 11:50:43 C:\WINDOWS\Tasks\Low Battery Alarm Program.job"
"2006-01-06 16:15:36 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-28 17:42:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-28 17:43:03
C:\ComboFix-quarantined-files.txt ... 2007-09-28 17:42
.
--- E O F ---



____________________



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:44:01, on 28/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Apps\Powercinema\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\hijackthis\HiJackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\system32\cO304hwY.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [SECEDIT] C:\Drivers\SECEDIT.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AntiVir PersonalEdition Premium MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
O23 - Service: AntiVir PersonalEdition Premium Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: AntiVir PersonalEdition Premium Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: AntiVir PersonalEdition Premium MailGuard helper service (AVEService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe

--
End of file - 5395 bytes

Hello,

* Download Deljob.exe and save it to your desktop.
Doubleclick Deljob.exe.

A log, (logit.txt) should open afterwards. This log will be present on your desktop. Please post it in your reply, and let me know how your computer is running now. :)

Thanks,
tea

Ok heres the log for Deljob. The popups seem to have gone

--------------------------------------------------------
No LOP jobs found
--------------------------------------------------------
Files remaining after cleaning

At1.job
At10.job
At11.job
At12.job
At13.job
At14.job
At15.job
At16.job
At17.job
At18.job
At19.job
At2.job
At20.job
At21.job
At22.job
At23.job
At24.job
At3.job
At4.job
At5.job
At6.job
At7.job
At8.job
At9.job
Low Battery Alarm Program.job
Registration reminder 2.job
--------------------------------------------------------
App data folders

Volume in drive C is Local Disk
Volume Serial Number is 4014-7A7A

Directory of C:\Documents and Settings\MN\Application Data

04/09/2007 00:10 <DIR> .
04/09/2007 00:10 <DIR> ..
14/11/2006 01:11 <DIR> Adobe
08/01/2006 17:29 <DIR> AdobeUM
26/08/2006 10:48 <DIR> APPLEC~1 Apple Computer
19/09/2007 22:07 <DIR> Azureus
06/01/2006 17:24 <DIR> CYBERL~1 CyberLink
05/06/2007 18:01 <DIR> DivX
10/08/2004 17:04 <DIR> IDENTI~1 Identities
10/04/2006 11:42 <DIR> INTERV~1 InterVideo
23/07/2007 19:44 <DIR> LEADER~1 Leadertech
05/06/2007 17:17 <DIR> Learn2.com
16/09/2005 12:08 <DIR> MACROM~1 Macromedia
01/09/2007 19:21 <DIR> MICROS~1 Microsoft
15/01/2006 18:22 <DIR> MSNINS~1 MSNInstaller
06/01/2006 17:57 <DIR> OD2
20/11/2006 21:48 <DIR> Real
06/01/2006 17:42 <DIR> Skype
16/09/2005 11:54 <DIR> Sun
15/08/2007 22:36 <DIR> SUPERA~1.COM SUPERAntiSpyware.com
16/09/2005 12:11 <DIR> Symantec
04/09/2007 00:10 <DIR> WinRAR
16/09/2005 12:18 <DIR> YOU'VE~1 You've Got Pictures Screensaver
0 File(s) 0 bytes
23 Dir(s) 35,059,499,008 bytes free
Volume in drive C is Local Disk
Volume Serial Number is 4014-7A7A

Directory of C:\Documents and Settings\All Users\Application Data

28/09/2007 16:41 <DIR> .
28/09/2007 16:41 <DIR> ..
16/09/2005 12:16 <DIR> Adobe
06/01/2006 17:40 <DIR> AOL
14/05/2007 22:47 <DIR> APPLEC~1 Apple Computer
01/09/2007 19:54 <DIR> Avg7
28/09/2007 16:42 <DIR> Avira
09/08/2007 18:23 <DIR> Azureus
10/04/2006 11:39 <DIR> CYBERL~1 CyberLink
22/11/2006 01:17 <DIR> MICROS~1 Microsoft
16/09/2005 12:19 <DIR> OD2
15/01/2006 23:56 <DIR> QUICKT~1 QuickTime
10/08/2004 17:15 <DIR> SBSI
06/01/2006 17:43 <DIR> Skype
15/08/2007 22:36 <DIR> SUPERA~1.COM SUPERAntiSpyware.com
06/01/2006 17:53 <DIR> Symantec
16/09/2005 12:18 <DIR> VIEWPO~1 Viewpoint
0 File(s) 0 bytes
17 Dir(s) 35,059,499,008 bytes free
--------------------------------------------------------

Well fine....more than one way to get rid of what I want to get rid of! :derisive:

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:



Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Thanks,
tea

Done that, it didn't ask to reboot

ComboFix 07-09-28.7 - MN 2007-09-28 18:53:53.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.86 [GMT 1:00]
Running from: C:\Documents and Settings\MN\My Documents\ComboFix.exe
Command switches used :: C:\Documents and Settings\MN\My Documents\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job

.
((((((((((((((((((((((((( Files Created from 2007-08-28 to 2007-09-28 )))))))))))))))))))))))))))))))
.

2007-09-28 16:41 <DIR> d-------- C:\Program Files\Avira
2007-09-28 16:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2007-09-28 15:42 <DIR> d-------- C:\Program Files\D-Link
2007-09-28 15:41 <DIR> d-------- C:\Program Files\ANI
2007-09-04 00:10 <DIR> d-------- C:\Documents and Settings\MN\Application Data\WinRAR

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-28 16:41 --------- d-------- C:\Program Files\eMule
2007-09-28 15:42 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-20 22:55 --------- d-------- C:\Program Files\LimeWire
2007-09-19 22:07 --------- d-------- C:\Documents and Settings\MN\Application Data\Azureus
2007-09-06 17:13 --------- d-------- C:\Program Files\QuickTime
2007-09-01 19:13 --------- d-------- C:\Program Files\Apoint2K
2007-08-16 12:47 --------- d-------- C:\Program Files\SUPERAntiSpyware
2007-08-15 22:36 --------- d-------- C:\Documents and Settings\MN\Application Data\SUPERAntiSpyware.com
2007-08-15 22:36 --------- d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-08-09 23:42 --------- d-------- C:\Program Files\DivX
2007-08-09 18:23 --------- d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2007-08-07 22:07 --------- d-------- C:\Program Files\Azureus
2007-07-31 19:12 --------- d-------- C:\Program Files\Wanadoo
2007-07-31 19:12 --------- d-------- C:\Program Files\Real
2007-07-31 19:12 --------- d-------- C:\Program Files\Learn2.com
2007-07-31 19:12 --------- d-------- C:\Program Files\InterVideo
2007-07-31 19:12 --------- d-------- C:\Program Files\CyberLink
2007-07-31 19:12 --------- d-------- C:\Program Files\CONEXANT
2007-07-26 03:53 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-26 03:53 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2006-04-03 20:24 278528 --a--c--- C:\Program Files\Common Files\FDEUnInstaller.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}]
C:\WINDOWS\system32\cO304hwY.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 14:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 14:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 14:00]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" []
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" []
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" []
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" []
"PCMService"="c:\Apps\Powercinema\PCMService.exe" [2005-05-11 13:48]
"SECEDIT"="C:\Drivers\SECEDIT.EXE" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-09-16 12:09]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-09-06 17:13]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-11-23 15:04]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-10-19 18:19]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" [2007-08-31 12:25]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-11-14 01:06:30]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-08-06 14:37:46]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-11-14 01:06:30]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-08-06 14:37:46]

R2 AVEService;AntiVir PersonalEdition Premium MailGuard helper service;"C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe"
S2 AntiVirMailService;AntiVir PersonalEdition Premium MailGuard;"C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe"
S3 netr73;D-Link DWA-111 Wireless G USB Adapter Driver;C:\WINDOWS\system32\DRIVERS\netr73.sys

*Newly Created Service* - ANTIVIRMAILSERVICE
*Newly Created Service* - ANTIVIRSERVICE
*Newly Created Service* - AVESERVICE
*Newly Created Service* - AVGNTFLT
*Newly Created Service* - SSMDRV
.
Contents of the 'Scheduled Tasks' folder
"2007-09-19 11:50:43 C:\WINDOWS\Tasks\Low Battery Alarm Program.job"
"2006-01-06 16:15:36 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-28 18:55:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-28 18:56:18
C:\ComboFix-quarantined-files.txt ... 2007-09-28 18:56
C:\ComboFix2.txt ... 2007-09-28 17:43
.
--- E O F ---



_____________


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:59:53, on 28/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
C:\Apps\Powercinema\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\hijackthis\HiJackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\system32\cO304hwY.dll (file missing)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [SECEDIT] C:\Drivers\SECEDIT.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AntiVir PersonalEdition Premium MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
O23 - Service: AntiVir PersonalEdition Premium Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: AntiVir PersonalEdition Premium Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: AntiVir PersonalEdition Premium MailGuard helper service (AVEService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe

--
End of file - 5545 bytes

That looks much better. :) How is it running now?

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\system32\cO304hwY.dll (file missing)

Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

Let me know how it's running, please.

tea

Done what you asked and the pop-ups have stopped. Thanks for all your help with this, you've been awesome

You are most welcome.

You get the standard speech

Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.

You should definitely maintain a firewall. Some good free firewalls are Kerio, or Outpost. I use Comodo, and I love it. http://comodo.com
A tutorial on understanding and using firewalls may be found here.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

IE/Spyad:
It places over 5000 malicious websites and domains in your IE's restricted zone.
IE/Spyad

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

Have a great weekend!
tea