[Resolved]Advertising Popups - HJT Log Posted

hobbes
[Resolved]Advertising Popups - HJT Log Posted
« on: January 12, 2010, 11:31:47 PM »
Getting some advertising popups lately, can't seem to figure out where they're coming from, very annoying.  As well, my DCOM server process seems to be terminating lately without any warning, and I'm not sure if it's related to this or not.  Any help would be greatly appreciated.  Thank you.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:25:56 AM, on 1/13/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SNDVOL32.EXE
D:\Applications\Firefox\firefox.exe
C:\Program Files\AVG\AVG8\avgui.exe
D:\Applications\Spybot - Search & Destroy\SpybotSD.exe
D:\Applications\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Applications\Adobe Acrobat 6\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {17f2892c-ffc4-40ec-bfb3-bee7d6d963f0} - C:\WINDOWS\system32\kewibihi.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1060284298-1390067357-725345543-501\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Guest')
O4 - HKUS\S-1-5-21-1060284298-1390067357-725345543-501\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Guest')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217456089328
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - D:\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - D:\Applications\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5905 bytes
« Last Edit: January 18, 2010, 02:01:13 PM by bamajim »

bamajim
Re: Advertising Popups - HJT Log Posted
« Reply #1 on: January 14, 2010, 11:25:34 AM »
hobbes

1. Go HERE and download File Lister.
  • Save it to your Desktop
  • Rt Click ->> Extract all ->> And extract it to your Desktop
  • Additional help on extracting zip files can be found HERE
  • Open the File Lister Folder.
  • Note: Leave the FileLister.vbe file in the folder and run it from there.
  • Rt Click FileLister.vbe ->>Select Open Then Open to confirm.
  • When the program is finished it will produce a log for you at C:\Files.txt
Copy and paste the contents of that log in your reply.

2008-2010
Rights cannot exist without morals

hobbes
Re: [In Progress]Advertising Popups - HJT Log Posted
« Reply #2 on: January 14, 2010, 01:44:24 PM »
Thank you for the help, bamajim - done and done:


++++++++++++++++++++++++++++++++++
+ File Lister  Version 1.1.2     +
+                                +
+ By bamajim / SpywareHammer.com +
++++++++++++++++++++++++++++++++++

Report ran on --->>>  1/14/2010 2:42:46 PM


====== Running Processes ======



====== BHO's ======
BHO: (NO NAME) -  -

====== HKLM\~\Run Keys ======

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


====== HKCU\~\Run Keys ======


====== DNS Info (List may be empty) ======



====== Folders and Files from "%\" and "%\Windows" Created Last 60 Days ======

1/14/2010 2:42:46 PM    0    32    C:\Files.txt
1/14/2010 2:35:48 PM    13684    32    C:\WINDOWS\system32\hs_err_pid1352.log
11/20/2009 8:32:00 PM    262800    32    C:\WINDOWS\system32\NvApps.xml
11/20/2009 8:32:14 PM    145000    32    C:\WINDOWS\system32\nvcolor.exe
12/11/2009 3:52:13 PM    11374592    32    C:\WINDOWS\system32\nvcompiler.dll
11/20/2009 8:32:14 PM    12669544    32    C:\WINDOWS\system32\nvcpl.dll
12/11/2009 3:52:14 PM    8743    32    C:\WINDOWS\system32\nvinfo.pb
11/20/2009 8:32:14 PM    278120    32    C:\WINDOWS\system32\nvmccs.dll
11/20/2009 8:32:14 PM    110184    32    C:\WINDOWS\system32\nvmctray.dll
11/20/2009 8:32:14 PM    154216    32    C:\WINDOWS\system32\nvsvc32.exe
11/20/2009 8:32:10 PM    81920    32    C:\WINDOWS\system32\nvwddi.dll
11/20/2009 8:32:00 PM    64882    32    C:\WINDOWS\system32\NvwsApps.xml
12/11/2009 3:52:14 PM    69632    32    C:\WINDOWS\system32\OpenCL.dll
1/5/2010 8:18:09 PM    588    32    C:\WINDOWS\system32\settings.sfm
1/5/2010 8:18:09 PM    588    32    C:\WINDOWS\system32\settingsbkup.sfm

====== "\Administrator\Startup" Last 60 Days======



====== "\All Users\Startup" Last 60 Days======


====== "\Program Files" Last 60 Days======


======"Drivers" Modified Last 60 Days======

6/18/2008 4:46:00 PM    10235968    32    C:\WINDOWS\system32\drivers\nv4_mini.sys

====== Files Deleted under "%Temp%" ======

23 Files deleted

======"All Users\Application Data" Last 60 Days======


====== HKLM\~\ShellServiceObjectDelayLoad======


====== HKLM\~\SharedTaskScheduler======

======HKLM\~\msconfig\startupreg======

HKLM\Software\microsoft\shared tools\msconfig\startupreg\

====== Services ( Services that are Whitelisted are not shown) ======


====== Uninstall List ======


======== Other Info ========


Boot Info

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect


====== Files with Hidden Attributes======
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys
C:\NTDETECT.COM
C:\Documents and Settings\Default User\NTUSER.DAT
C:\Documents and Settings\Evan\NTUSER.DAT

==End of Report==

bamajim
Re: [In Progress]Advertising Popups - HJT Log Posted
« Reply #3 on: January 14, 2010, 02:13:42 PM »
hobbes

You are most welcome.

Please download Combofix and save to your desktop:

Note: It is important that it is saved directly to your desktop
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the contents of the C:\ComboFix.txt into your next reply.
Note: Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


hobbes
Re: [In Progress]Advertising Popups - HJT Log Posted
« Reply #4 on: January 14, 2010, 06:06:25 PM »
All done:

(Edit: My sound card has been disabled now for some reason.  When I try to add hardware and add it to my system, it says it cannot be added due to a Code 10.  Any idea what this is, and steps I can take to get my sound working again?)
(Edit #2: Ignore the above, I uninstalled and reinstalled it, and it works fine now.)



ComboFix 10-01-14.02 - Evan 01/14/2010  18:39:54.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3327.2882 [GMT -5:00]
Running from: c:\documents and settings\Evan\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Data
c:\windows\system32\Data\CT0060W.DAT
c:\windows\system32\Data\ctd20x.dat
c:\windows\system32\Data\CTEAPSW.DAT
c:\windows\system32\Data\CTEDSP2W.DAT
c:\windows\system32\Data\CTEDSPHW.DAT
c:\windows\system32\Data\CTEDSPKW.DAT
c:\windows\system32\Data\CTEDSPLW.DAT
c:\windows\system32\Data\CTEDSPPW.DAT
c:\windows\system32\Data\CTEDSPTW.DAT
c:\windows\system32\Data\CTEDSPUW.DAT
c:\windows\system32\Data\CTEDSPW.DAT
c:\windows\system32\Data\CTP0060W.DAT
c:\windows\system32\Data\CTP0061W.DAT
c:\windows\system32\Data\CTP0070W.DAT
c:\windows\system32\Data\CTP0073W.DAT
c:\windows\system32\Data\CTP0090W.DAT
c:\windows\system32\Data\CTP0091W.DAT
c:\windows\system32\Data\CTP0092W.DAT
c:\windows\system32\Data\CTP0095W.DAT
c:\windows\system32\Data\CTP0100W.DAT
c:\windows\system32\Data\CTP0101W.DAT
c:\windows\system32\Data\CTP0102W.DAT
c:\windows\system32\Data\CTP0103W.DAT
c:\windows\system32\Data\CTP0105W.DAT
c:\windows\system32\Data\CTP0150W.DAT
c:\windows\system32\Data\CTP0161W.DAT
c:\windows\system32\Data\CTP0162W.DAT
c:\windows\system32\Data\CTP0170W.DAT
c:\windows\system32\Data\CTP017AW.DAT
c:\windows\system32\Data\CTP017BW.DAT
c:\windows\system32\Data\CTP017CW.DAT
c:\windows\system32\Data\CTP017DW.DAT
c:\windows\system32\Data\CTP017EW.DAT
c:\windows\system32\Data\CTP017FW.DAT
c:\windows\system32\Data\CTP017GW.DAT
c:\windows\system32\Data\CTP017HW.DAT
c:\windows\system32\Data\CTP0191W.DAT
c:\windows\system32\Data\CTP0192W.DAT
c:\windows\system32\Data\CTP0221W.DAT
c:\windows\system32\Data\CTP0222W.DAT
c:\windows\system32\Data\CTP0230W.DAT
c:\windows\system32\Data\CTP0231W.DAT
c:\windows\system32\Data\CTP0232W.DAT
c:\windows\system32\Data\CTP0238W.DAT
c:\windows\system32\Data\CTP0240W.DAT
c:\windows\system32\Data\CTP0242W.DAT
c:\windows\system32\Data\CTP0243W.DAT
c:\windows\system32\Data\CTP0244W.DAT
c:\windows\system32\Data\CTP0245W.DAT
c:\windows\system32\Data\CTP0246W.DAT
c:\windows\system32\Data\CTP0249W.DAT
c:\windows\system32\Data\CTP0280W.DAT
c:\windows\system32\Data\CTP0320W.DAT
c:\windows\system32\Data\CTP0350W.DAT
c:\windows\system32\Data\CTP0352W.DAT
c:\windows\system32\Data\CTP0355W.DAT
c:\windows\system32\Data\CTP0358W.DAT
c:\windows\system32\Data\CTP0359W.DAT
c:\windows\system32\Data\CTP0360W.DAT
c:\windows\system32\Data\CTP0380W.DAT
c:\windows\system32\Data\CTP0400W.DAT
c:\windows\system32\Data\CTP0460W.DAT
c:\windows\system32\Data\CTP0462W.DAT
c:\windows\system32\Data\CTP0463W.DAT
c:\windows\system32\Data\CTP0464W.DAT
c:\windows\system32\Data\CTP0465W.DAT
c:\windows\system32\Data\CTP0466W.DAT
c:\windows\system32\Data\CTP0468W.DAT
c:\windows\system32\Data\CTP0469W.DAT
c:\windows\system32\Data\CTP046AW.DAT
c:\windows\system32\Data\CTP046BW.DAT
c:\windows\system32\Data\CTP046CW.DAT
c:\windows\system32\Data\CTP0530L.DAT
c:\windows\system32\Data\CTP0530W.DAT
c:\windows\system32\Data\CTP0531L.DAT
c:\windows\system32\Data\CTP0531W.DAT
c:\windows\system32\Data\CTP0550W.DAT
c:\windows\system32\Data\CTP055AW.DAT
c:\windows\system32\Data\CTP0600W.DAT
c:\windows\system32\Data\CTP0610W.DAT
c:\windows\system32\Data\CTP0669W.DAT
c:\windows\system32\Data\CTP0678W.DAT
c:\windows\system32\Data\CTP0679W.DAT
c:\windows\system32\Data\CTP0730W.DAT
c:\windows\system32\Data\CTP073AW.DAT
c:\windows\system32\Data\CTP0760W.DAT
c:\windows\system32\Data\CTP0772W.DAT
c:\windows\system32\Data\CTP0773W.DAT
c:\windows\system32\Data\CTP0776W.DAT
c:\windows\system32\Data\CTP0779W.DAT
c:\windows\system32\Data\CTP1140W.DAT
c:\windows\system32\Data\CTP4620W.DAT
c:\windows\system32\Data\CTP4670W.DAT
c:\windows\system32\Data\CTP4760W.DAT
c:\windows\system32\Data\CTP4780W.DAT
c:\windows\system32\Data\CTP4790W.DAT
c:\windows\system32\Data\CTP4820W.DAT
c:\windows\system32\Data\CTP4830W.DAT
c:\windows\system32\Data\CTP4831W.DAT
c:\windows\system32\Data\CTP4832W.DAT
c:\windows\system32\Data\CTP4840W.DAT
c:\windows\system32\Data\CTP4850W.DAT
c:\windows\system32\Data\CTP4870W.DAT
c:\windows\system32\Data\CTP4871W.DAT
c:\windows\system32\Data\CTP4872W.DAT
c:\windows\system32\Data\CTP4875W.DAT
c:\windows\system32\Data\CTP4890W.DAT
c:\windows\system32\Data\CTP4891W.DAT
c:\windows\system32\Data\CTP4893W.DAT
c:\windows\system32\Data\CTPDXW.DAT
c:\windows\system32\Data\CTPM002W.DAT
c:\windows\system32\Data\cts20x.dat
c:\windows\system32\Data\CTXFICBM.RFX
c:\windows\system32\Data\CTXFICM.RFX
c:\windows\system32\Data\CTXFIEM.RFX
c:\windows\system32\Data\CTXFIGM.RFX
c:\windows\system32\lowsec
c:\windows\system32\twain32

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
(((((((((((((((((((((((((   Files Created from 2009-12-14 to 2010-01-14  )))))))))))))))))))))))))))))))
.

2009-12-23 14:03 . 2009-12-23 14:04   --------   d-----w-   c:\documents and settings\Evan\Local Settings\Application Data\Temp
2009-12-20 21:03 . 2009-12-20 21:03   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Google

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-14 21:23 . 2008-12-23 07:16   --------   d-----w-   c:\documents and settings\All Users\Application Data\Google Updater
2010-01-14 19:35 . 2008-07-27 03:04   664   ----a-w-   c:\windows\system32\d3d9caps.dat
2010-01-14 16:11 . 2008-07-30 08:42   --------   d-----w-   c:\documents and settings\Evan\Application Data\uTorrent
2010-01-12 02:35 . 2008-08-26 05:49   --------   d-----w-   c:\documents and settings\Evan\Application Data\FrostWire
2009-12-23 14:05 . 2008-12-23 07:16   --------   d-----w-   c:\program files\Google
2009-12-22 14:06 . 2009-12-12 14:23   2066200   ----a-w-   c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-12-11 20:53 . 2008-07-27 02:54   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
2009-12-11 20:53 . 2008-08-22 19:55   --------   d-----w-   c:\program files\AGEIA Technologies
2009-11-21 01:32 . 2009-11-21 01:32   278120   ----a-w-   c:\windows\system32\nvmccs.dll
2009-11-21 01:32 . 2009-11-21 01:32   154216   ----a-w-   c:\windows\system32\nvsvc32.exe
2009-11-21 01:32 . 2009-11-21 01:32   145000   ----a-w-   c:\windows\system32\nvcolor.exe
2009-11-21 01:32 . 2009-11-21 01:32   12669544   ----a-w-   c:\windows\system32\nvcpl.dll
2009-11-21 01:32 . 2009-11-21 01:32   110184   ----a-w-   c:\windows\system32\nvmctray.dll
2009-11-21 01:32 . 2009-11-21 01:32   81920   ----a-w-   c:\windows\system32\nvwddi.dll
2009-11-20 02:42 . 2008-07-27 02:46   592488   ----a-w-   c:\windows\system32\NVUNINST.EXE
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2008-02-21 19456]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-12 2043160]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-21 110184]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWinKeys"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-19 12:21   11952   ----a-w-   c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12   15360   ------w-   c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
2009-04-09 20:53   25600   ----a-w-   c:\windows\system32\Ctxfihlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 19:40   155648   ----a-w-   c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-11-21 01:32   110184   ----a-w-   c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-03-14 19:27   148888   ----a-w-   c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ventrilo"=2 (0x2)
"QBFCService"=3 (0x3)
"gusvc"=2 (0x2)
"gupdate"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"d:\\Applications\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Applications\\mIRC\\mirc.exe"=
"d:\\Applications\\FrostWire\\FrostWire.exe"=
"d:\\Games\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"d:\\QuickBooks 2008\\QBDBMgrN.exe"=
"d:\\Games\\World of Warcraft\\Interface.20090626-110210\\AddOns\\Curse Client\\CurseClient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/26/2008 10:42 PM 335240]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/26/2008 10:42 PM 297752]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/23/2009 12:03 AM 24652]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [1/7/2009 1:41 PM 2944]
S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [1/7/2009 1:41 PM 60416]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [1/7/2009 1:41 PM 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [1/7/2009 1:40 PM 10368]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [5/23/2009 1:32 AM 79360]
S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [4/9/2009 5:31 PM 171032]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [4/9/2009 5:31 PM 171032]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [4/9/2009 5:31 PM 1324056]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [4/9/2009 5:31 PM 1324056]
S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [4/9/2009 5:31 PM 72728]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [4/9/2009 5:31 PM 72728]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/20/2009 3:57 PM 135664]
.
Contents of the 'Scheduled Tasks' folder

2010-01-14 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-23 21:34]

2010-01-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-20 20:57]

2010-01-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-20 20:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mail.yahoo.com/
FF - ProfilePath - c:\documents and settings\Evan\Application Data\Mozilla\Firefox\Profiles\6em4cwrg.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: d:\applications\Adobe Acrobat 6\Reader\browser\nppdf32.dll
FF - plugin: d:\applications\DivX\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: d:\applications\DivX\DivX Web Player\npdivx32.dll
FF - plugin: d:\applications\Firefox\plugins\npatgpc.dll
FF - plugin: d:\applications\Firefox\plugins\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

BHO-{17f2892c-ffc4-40ec-bfb3-bee7d6d963f0} - c:\windows\system32\kewibihi.dll
HKLM-Run-nwiz - nwiz.exe
MSConfigStartUp-0c971946 - c:\windows\system32\busofewi.dll
MSConfigStartUp-17288754 - c:\documents and settings\All Users\Application Data\17288754\17288754.exe
MSConfigStartUp-beburiyala - c:\windows\system32\zijikayi.dll
MSConfigStartUp-CPM0fa42ada - c:\windows\system32\lalewehi.dll
MSConfigStartUp-gtygfdia - c:\documents and settings\Evan\Local Settings\Application Data\vbchie\fdqqsysguard.exe
MSConfigStartUp-MSMSGS - c:\program files\Messenger\msmsgs.exe
MSConfigStartUp-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
MSConfigStartUp-nrnflkyx - c:\documents and settings\Evan\Local Settings\Application Data\dcobmw\itiasysguard.exe
MSConfigStartUp-nwiz - nwiz.exe
MSConfigStartUp-system tool - c:\program files\eydvfc\dfiusysguard.exe
MSConfigStartUp-UVS12 Preload - d:\corel\Corel VideoStudio 12\uvPL.exe
AddRemove-CurseClient - d:\games\World of Warcraft\Interface\AddOns\Curse Client\uninstall.exe
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe
AddRemove-uTorrent - c:\program files\uTorrent\uTorrent.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-14 18:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3520)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2010-01-14  18:49:33 - machine was rebooted
ComboFix-quarantined-files.txt  2010-01-14 23:49

Pre-Run: 236,354,322,432 bytes free
Post-Run: 236,545,101,824 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 88CD37432244E066FA75323F0921367A
« Last Edit: January 14, 2010, 06:14:25 PM by hobbes »

bamajim
Re: [In Progress]Advertising Popups - HJT Log Posted
« Reply #5 on: January 15, 2010, 08:02:32 AM »
hobbes

How is your PC running at this point?

Rerun Hijackthis and post a fresh Hijackthis log


hobbes
Re: [In Progress]Advertising Popups - HJT Log Posted
« Reply #6 on: January 15, 2010, 04:56:47 PM »
Hi bamajim,

My PC appears to be fine.  I haven't received any pop-up windows since doing what you advised, so, fingers crossed, let's hope it stays that way.  Again, many thanks for the help.

Here's a new Hijackthis log - let me know if you see anything that shouldn't be there or looks wrong:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:54:46 PM, on 1/15/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\System32\svchost.exe
D:\Applications\Firefox\firefox.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Applications\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Applications\Adobe Acrobat 6\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217456089328
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - D:\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - D:\Applications\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5662 bytes


Offline bamajim

  • Administrator
  • Platinum Member
  • 3116
Re: [In Progress]Advertising Popups - HJT Log Posted
« Reply #7 on: January 18, 2010, 07:54:12 AM »
hobbes

Glad to hear it.

Just one to clean up.

1. Rerun Hijackthis (scan only) and place checks beside the following entries

O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)

Close all other open windows except Hijackthis and Select "Fix checked"

Close Hijackthis ->> Reboot your PC ->> Rerun Hijackthis and post a fresh Hijackthis log

2008-2010
Rights cannot exist without morals
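The step above (check the orphaned O18 entry, fix it, reboot, post a fresh log) is exactly the kind of thing worth scripting when you read these logs regularly. The following is an added example, not code from the thread, from HijackThis or from any of the vendors named in the log: a small Python triage helper that parses HijackThis-style lines, flags entries that say "(file missing)" or that load a module or command by bare name (resolved through the DLL/PATH search order rather than a full path), annotates the high-value sections (O2, O18, O20, O23), and diffs an earlier log against a fresh one to confirm a fix actually took. The sample log lines are constructed to mirror the entries posted above; the flagging rules are my own heuristics and are not HijackThis's logic.

```python
"""Triage helper for HijackThis-style log lines (added example, not part of HijackThis)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the format HijackThis v2.0.2 writes; the lines mirror
# the shape of the entries posted in the thread (not a real log capture).
BEFORE_LOG = """\
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\\Program Files\\Google\\GoogleToolbarNotifier\\5.1.1309.3572\\swg.dll
O4 - HKLM\\..\\Run: [CTHelper] CTHELPER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\\Program Files\\Messenger\\msmsgs.exe (file missing)
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - D:\\QuickBooks 2008\\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - Winlogon Notify: avgrsstarter - C:\\WINDOWS\\SYSTEM32\\avgrsstx.dll
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\\Program Files\\Viewpoint\\Common\\ViewpointService.exe
"""

# The "fresh log" after Fix checked + reboot: identical except the qbwc line is gone.
AFTER_LOG = "\n".join(l for l in BEFORE_LOG.splitlines() if " qbwc " not in l) + "\n"

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
QUALIFIED_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\\)")  # drive-letter or UNC path
MISSING = "(file missing)"

# Heuristic notes for the sections where a bad entry has the most impact.
WATCH = {
    "O2": "BHO: loaded into every Internet Explorer process",
    "O18": "pluggable protocol handler: loaded into Internet Explorer",
    "O20": "Winlogon Notify DLL: loaded into winlogon.exe as SYSTEM",
    "O23": "Windows service: runs at boot, usually as SYSTEM",
}


@dataclass(frozen=True)
class Entry:
    section: str           # HJT section code, e.g. "O18"
    clsid: Optional[str]   # first CLSID on the line, if any
    path: str              # module/command the entry points at
    file_missing: bool     # HJT could not find the file on disk


@dataclass(frozen=True)
class Finding:
    entry: Entry
    reasons: List[str]


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HJT line; returns None for headers, blanks and the trailer."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    missing = body.endswith(MISSING)
    target = body[: -len(MISSING)].rstrip() if missing else body
    if section == "O4" and "] " in target:
        path = target.split("] ", 1)[1].strip()      # Run entry: command after [name]
    else:
        path = target.rsplit(" - ", 1)[-1].strip()   # HJT's last " - " field is the file
    clsid = CLSID_RE.search(body)
    return Entry(section, clsid.group(0) if clsid else None, path, missing)


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per entry that deserves a second look."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        reasons: List[str] = []
        if e.file_missing:
            reasons.append("orphaned registration: target file is missing")
        if not QUALIFIED_RE.match(e.path):
            what = "command" if e.section == "O4" else "module"
            name = e.path.split(" ")[0]
            reasons.append(f"unqualified {what} '{name}' is resolved via search order")
        if reasons and e.section in WATCH:
            reasons.append(WATCH[e.section])
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


def entries_removed(before: str, after: str) -> List[str]:
    """Lines in the earlier log that are absent from the fresh one (did the Fix take?)."""
    after_set = {l.strip() for l in after.splitlines()}
    return [l.strip() for l in before.splitlines() if l.strip() and l.strip() not in after_set]


if __name__ == "__main__":
    for f in triage(BEFORE_LOG):
        print(f"{f.entry.section:<4} {f.entry.path}")
        for r in f.reasons:
            print("     -", r)
    print("removed after fix:", entries_removed(BEFORE_LOG, AFTER_LOG))
```

On the constructed sample this flags three entries: the O4 Run entry whose command is a bare `CTHELPER.EXE`, the O9 Messenger button whose file is missing, and the O18 `qbwc` handler, which is both missing and given by bare module name. Note that a bare name such as `mscoree.dll` is not itself suspicious (HJT reports it missing because it cannot resolve an unqualified name); the point is that an orphaned protocol handler is a registration with nothing legitimate behind it, which is why the thread fixes it, and `entries_removed` is the check that the fresh log no longer carries it.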


Offline hobbes

  • Bronze Member
  • 6
Re: [In Progress]Advertising Popups - HJT Log Posted
« Reply #8 on: January 18, 2010, 12:36:25 PM »
Hi bamajim,

Here's the fresh log with O18 cleaned up.  All appears to be good right now.

Out of curiosity, what was the issue exactly which was causing the popups, and how can I avoid getting it again?  I like to think I sort of know what I'm doing around a computer, and I'm careful not to go to untrusted Websites, but this issue was bothering me for a couple of weeks and I simply could not figure out what it was or where it came from.

Again, many thanks.  Very glad I don't have to hear a "Congratulations" and get asked to fill out a survey on every Website I go to.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:33:41 PM, on 1/18/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
D:\Applications\Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Applications\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Applications\Adobe Acrobat 6\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217456089328
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - D:\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - D:\Applications\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5432 bytes


Offline bamajim

  • Administrator
  • Platinum Member
  • 3116
Re: [In Progress]Advertising Popups - HJT Log Posted
« Reply #9 on: January 18, 2010, 02:00:49 PM »
hobbes

You are most welcome

The infection you had modifies some of the Windows System files, so it's difficult to find. As far as where it came from, I can't say for sure. However, P2P sites are very dangerous, and places easy to get infections from.

Application Data\uTorrent
Application Data\FrostWire

If you still have them, I would remove them.

Click Start > Run and copy/paste the following into the Run box and click OK:

ComboFix /Uninstall

You may now remove/delete/uninstall the other tools we used to clean your PC

For FileLister, just right-click and Delete the program.

Now that your log is clean

Here are some final notes:

Update your Anti Virus Software

Use and maintain a Firewall

Visit Microsoft's Windows Update Site Frequently for critical updates

Backup your Important Documents and Files on a regular basis
  • To a disc or a USB key, not your hard drive
You may want to read this article "So how did I get infected in the first place" by Tony Klein

surf safe



Offline hobbes

  • Bronze Member
  • 6
Re: [Resolved]Advertising Popups - HJT Log Posted
« Reply #10 on: January 19, 2010, 02:27:11 AM »
Combofix & FileLister have been removed.

I do update my Anti Virus software and use a firewall.  I have not, however, updated from Microsoft's site in some time, so I'll definitely go ahead and do that.  As well, I'll look through that article.

Thanks once more.  Definitely going to bookmark this site in case I run into any problems in the future.  Nice to have a site like this with people who are both friendly and knowledgeable about the issues people like me run into from time to time.

Regards,

hobbes