#31
These files don't exist on my hard drive!!
#32
Did you enable hidden files from the earlier post?

How to view hidden, system files & folders (Windows XP):
* Right-click Start.
* Select Explore.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide extensions for known file types option.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Apply.
* Click OK.

Then look for them.
#33
Yep, done all that. Still nothing!
#34
Go to VirusTotal and scan this file:

C:\Program Files\WinPop\winpop.exe

I do not understand why NOTHING is being fixed.
#35
That directory doesn't exist either.....
#36
NOTE: You have downloaded ComboFix previously; please delete that version and download it again!

http://download.bleepingcomputer.com/sUBs/combofix.exe

Double-click combofix.exe & follow the prompts. When finished, it shall produce a log for you. Post that log and a HiJack log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

======================

You have VundoFix; remove it and get the current version.

Please download http://www.atribune.org/ccount/click.php?id=4 to C:\

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files; click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shut down your computer; click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot. Please let Vundo finish; sometimes it can take multiple passes.

======================

Please post the contents of:
C:\vundofix.txt
ComboFix log
HJT log
#37
Done as requested. Here are the various logs:

VundoFix:

VundoFix V6.5.8
Checking Java version...
Scan started at 11:43:53 12/09/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...

VundoFix V6.5.8
Checking Java version...
Scan started at 18:19:05 14/09/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...

ComboFix:

ComboFix 07-09-14.2 - "Darren" 2007-09-14 18:11:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.85 [GMT 1:00]
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\DOCUME~1\Darren\APPLIC~1\WinTouch
C:\DOCUME~1\Darren\APPLIC~1\WinTouch\wintouch.cfg
C:\Program Files\Common Files\ystem3~1
C:\Program Files\Common Files\ystem3~1\?ystem32\
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_COM+_MESSAGES

((((((((((((((((((((((((( Files Created from 2007-08-14 to 2007-09-14 )))))))))))))))))))))))))))))))
.
2007-09-14 18:10 113,664 --a------ C:\VundoFix[0].exe
2007-09-14 18:09 1,484,062 --a------ C:\ComboFix[0].exe
2007-09-14 17:02 <DIR> d-------- C:\Program Files\DiskInternals
2007-09-14 10:53 <DIR> d-------- C:\!KillBox
2007-09-13 18:35 3,320 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-12 18:10 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-09-12 18:10 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-12 18:10 <DIR> d-------- C:\DOCUME~1\Darren\APPLIC~1\SUPERAntiSpyware.com
2007-09-12 18:10 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-12 16:54 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-12 11:43 <DIR> d-------- C:\VundoFix Backups
2007-09-11 18:27 679,424 --a------ C:\WINDOWS\is-5TL9C.exe
2007-09-11 14:47 5,120 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-09-11 14:47 <DIR> d-------- C:\Program Files\ffdshow
2007-09-11 14:45 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll
2007-09-11 12:38 <DIR> d-------- C:\DOCUME~1\Darren\APPLIC~1\Sports Interactive
2007-09-10 18:48 <DIR> d-------- C:\Football Manager 2007
2007-08-30 18:23 <DIR> d-------- C:\DOCUME~1\Darren\Incomplete
2007-08-30 18:23 <DIR> d-------- C:\DOCUME~1\Darren\APPLIC~1\LimeWire
2007-08-29 14:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\InstallShield
2007-08-29 14:55 <DIR> d-------- C:\Program Files\Jasc Software Inc
2007-08-29 14:55 <DIR> d-------- C:\Program Files\Common Files\Jasc Software Inc
2007-08-29 14:55 <DIR> d-------- C:\DOCUME~1\Darren\APPLIC~1\Jasc Software Inc
2007-08-29 12:51 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-08-29 12:08 0 --a------ C:\WINDOWS\system32\SBRC.dat
2007-08-29 12:08 0 --a------ C:\WINDOWS\system32\SBFC.dat
2007-08-29 12:06 <DIR> d-------- C:\DOCUME~1\Darren\APPLIC~1\Sunbelt Software
2007-08-29 11:47 <DIR> d-------- C:\WINDOWS\pss
2007-08-29 11:35 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-28 19:00 <DIR> d-------- C:\DOCUME~1\Darren\Contacts
2007-08-28 18:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-28 18:36 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-08-28 18:36 <DIR> d-------- C:\Program Files\MSN Messenger
2007-08-28 18:08 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-08-28 18:03 <DIR> d-------- C:\quarantine
2007-08-28 16:58 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-08-28 16:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-08-28 16:47 <DIR> d-------- C:\DOCUME~1\Darren\APPLIC~1\WinRAR
2007-08-28 16:46 <DIR> d-------- C:\Program Files\LimeWire
2007-08-28 16:19 <DIR> d-------- C:\Program Files\Webroot
2007-08-28 16:19 <DIR> d-------- C:\Program Files\Common Files\Webroot Shared
2007-08-28 16:19 <DIR> d-------- C:\DOCUME~1\Darren\APPLIC~1\Webroot
2007-08-28 16:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-08-28 16:18 69,960 --a------ C:\WINDOWS\Unwash6.exe
2007-08-28 15:12 <DIR> d-------- C:\Program Files\BitComet
2007-08-28 15:06 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-08-28 15:04 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-08-28 14:58 <DIR> d-------- C:\Program Files\Real
2007-08-28 14:58 <DIR> d-------- C:\Program Files\Common Files\Real
2007-08-28 14:58 <DIR> d-------- C:\DOCUME~1\Darren\APPLIC~1\Real
2007-08-28 14:55 <DIR> d-------- C:\Program Files\Apple Software Update
2007-08-28 14:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-08-28 14:54 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-28 14:54 <DIR> d-------- C:\DOCUME~1\Darren\APPLIC~1\Lavasoft
2007-08-28 14:50 <DIR> d-------- C:\Program Files\QuickTime
2007-08-28 14:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-08-28 14:48 <DIR> d--hs---- C:\WINDOWS\RGFycmVuIENhc3RlbGxpbm8
2007-08-28 14:41 <DIR> d-------- C:\Program Files\Winamp
2007-08-28 14:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinZip
2007-08-28 13:58 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2007-08-28 13:52 135,168 --a------ C:\WINDOWS\system32\igfxres.dll
2007-08-28 13:44 <DIR> d-------- C:\Program Files\Windows Sidebar
2007-08-28 13:44 <DIR> d-------- C:\Program Files\Nero
2007-08-28 13:44 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-08-28 13:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
2007-08-28 13:43 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2007-08-28 13:42 74,240 --a------ C:\WINDOWS\system32\usbui.dll
2007-08-28 13:42 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2007-08-28 13:42 5,504 --a------ C:\WINDOWS\system32\drivers\intelide.sys
2007-08-28 13:40 <DIR> dr------- C:\DOCUME~1\ALLUSE~1\Documents
2007-08-28 13:25 <DIR> d-------- C:\Downloads
2007-08-28 13:22 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-08-28 13:19 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-08-28 13:19 <DIR> d-------- C:\Program Files\Common Files\L&H
2007-08-28 13:18 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-08-28 13:18 <DIR> d-------- C:\Program Files\Microsoft Works
2007-08-28 13:17 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-08-28 13:17 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-08-28 13:16 <DIR> dr-h----- C:\MSOCache
2007-08-28 13:14 163,840 --a------ C:\WINDOWS\system32\LexLog.dll
2007-08-28 13:14 <DIR> d-------- C:\Program Files\Lexmark
2007-08-28 13:12 59,904 --a------ C:\WINDOWS\system32\drivers\mvstdi5x.sys
2007-08-28 13:12 117,024 --a------ C:\WINDOWS\system32\drivers\naiavf5x.sys
2007-08-28 13:12 <DIR> d-------- C:\Program Files\Network Associates
2007-08-28 13:12 <DIR> d-------- C:\Program Files\Common Files\Network Associates
2007-08-28 13:12 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2007-08-28 13:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Network Associates
2007-08-28 13:09 81,920 --------- C:\WINDOWS\system32\drivers\iansmsg.dll
2007-08-28 13:09 376,832 --------- C:\WINDOWS\system32\Ncs2DMIX.dll
2007-08-28 13:09 372,736 --------- C:\WINDOWS\system32\NcsCoLib.dll
2007-08-28 13:09 249,856 --------- C:\WINDOWS\system32\Accesor.dll
2007-08-28 13:09 19,456 --------- C:\WINDOWS\system32\drivers\iqvw32.sys
2007-08-28 13:09 135,168 --------- C:\WINDOWS\system32\PRONtObj.dll
2007-08-28 13:09 110,592 --a------ C:\WINDOWS\system32\drivers\ianswxp.sys
2007-08-28 13:09 <DIR> d-------- C:\Program Files\Intel
2007-08-28 13:07 126,976 --------- C:\WINDOWS\system32\Ncs2InstUtility.dll
2007-08-28 13:04 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-08-28 13:04 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2007-08-28 13:04 <DIR> d-------- C:\Program Files\Analog Devices
2007-08-28 13:03 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-08-28 16:00 359808 --a------ C:\WINDOWS\system32\drivers\tcpip.sys
2007-08-28 12:53 --------- d-------- C:\Program Files\microsoft frontpage
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-20 00:57 267112 --a------ C:\WINDOWS\system32\xactengine2_9.dll
2007-07-20 00:54 18280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll
2007-07-19 18:14 444776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2007-07-19 18:14 3727720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2007-07-19 18:14 1358192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2007-06-26 07:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-25 08:47 238888 --a------ C:\WINDOWS\NuNInst.exe
2007-06-20 20:46 266088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2007-06-19 14:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-08-24 12:50]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-08-24 12:47]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-08-24 12:51]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 08:00]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 03:50]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 09:48]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57]
"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [2007-06-25 08:47]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"SecurDisc"="C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe" [2007-06-25 08:47]
"{10A1F3CD-0A21-2057-0924-03041620002c}"="C:\Program Files\Common Files\{10A1F3CD-0A21-2057-0924-03041620002c}\Update.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 19:03]
"AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [2005-05-25 12:12]
"Tpee"="C:\PROGRA~1\COMMON~1\YSTEM3~1\explorer.exe" []
"Uttkrx"="C:\Program Files\??curity\w?crtupd.exe" []
"WinPop"="C:\Program Files\WinPop\winpop.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"getPlusUninstall_ocx"=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\inf\GETPLUSo.INF, DefaultUninstall

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]
C:\Program Files\WinPop\winpop.exe

R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys
R2 wwEngineSvc;Window Washer Engine;C:\Program Files\Webroot\Washer\WasherSvc.exe
R3 EntDrv51;EntDrv51;\??\C:\WINDOWS\system32\drivers\EntDrv51.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-08-28 13:55:50 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-14 18:16:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-14 18:18:11 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-14 18:18
C:\ComboFix2.txt ... 2007-09-12 17:00
.
--- E O F ---
#38
New HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:21:31, on 14/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [{10A1F3CD-0A21-2057-0924-03041620002c}] "C:\Program Files\Common Files\{10A1F3CD-0A21-2057-0924-03041620002c}\Update.exe" mc-110-12-0001291
O4 - HKLM\..\RunOnce: [getPlusUninstall_ocx] rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\inf\GETPLUSo.INF, DefaultUninstall
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [Tpee] "C:\PROGRA~1\COMMON~1\YSTEM3~1\explorer.exe" -vt yazb
O4 - HKCU\..\Run: [Uttkrx] "C:\Program Files\??curity\w?crtupd.exe"
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1188305907078
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1188305964531
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6...ws-i586-jc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D026BD40-E175-44C7-B678-49AFAC612DE7}: NameServer = 217.35.118.222
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 9568 bytes

I saw ComboFix delete all those registry entries, but they keep getting written back automatically no matter what we try!
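A triage pass over the two logs above, added here as a worked example; it is not part of the original thread and is not code from HijackThis, ComboFix or VundoFix. The sample lines are copied from the logs posted above, the checks are my own heuristics, and `C:\WINDOWS` as the system root is an assumption read off the log. It makes explicit three things a responder would want to see: a `?` in a HijackThis path typically marks a character the log could not render (usually a non-ASCII look-alike), which is why a folder shown as `??curity` cannot be found by browsing for that literal name; `explorer.exe` launched from `C:\PROGRA~1\COMMON~1\YSTEM3~1` is a Windows binary name outside the system root in a folder whose name is a truncated copy of `system32`; and a hidden+system folder under `C:\WINDOWS` whose name is valid base64 for printable text is worth decoding and looking at. Note what the heuristics miss: `winpop.exe` passes all three, which is why a hash lookup such as the VirusTotal scan requested above is still the right next step.

```python
import base64
import re
from dataclasses import dataclass, field

# Sample input copied from the logs posted above: HijackThis O4 (autostart) lines and
# ComboFix "Files Created" lines. SYSROOT is an assumption for this particular PC.
SYSROOT = "C:\\WINDOWS\\"
HJT_O4 = [
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"',
    r'O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe',
    r'O4 - HKLM\..\Run: [{10A1F3CD-0A21-2057-0924-03041620002c}] "C:\Program Files\Common Files\{10A1F3CD-0A21-2057-0924-03041620002c}\Update.exe" mc-110-12-0001291',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r'O4 - HKCU\..\Run: [Tpee] "C:\PROGRA~1\COMMON~1\YSTEM3~1\explorer.exe" -vt yazb',
    r'O4 - HKCU\..\Run: [Uttkrx] "C:\Program Files\??curity\w?crtupd.exe"',
    r'O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe',
]
COMBOFIX_FILES = [
    r"2007-09-13 18:35 3,320 --a------ C:\WINDOWS\system32\tmp.reg",
    r"2007-08-28 18:36 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE",
    r"2007-08-28 14:48 <DIR> d--hs---- C:\WINDOWS\RGFycmVuIENhc3RlbGxpbm8",
    r"2007-08-28 13:16 <DIR> dr-h----- C:\MSOCache",
]

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<rest>.*)$")
PATH_RE = re.compile(r'^(?:"(?P<quoted>[^"]+)"|(?P<bare>.+?\.(?:exe|dll|scr|bat|cmd)))(?P<args>.*)$', re.I)
CF_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?P<size>[\d,]+|<DIR>)\s+(?P<attr>[-a-z]{9})\s+(?P<path>.+)$")
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# Binaries that belong under %SystemRoot%; the same file name anywhere else is suspicious.
SYSTEM_BINARIES = {"explorer.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "services.exe", "csrss.exe", "smss.exe"}
SYSTEM_DIRS = {"windows", "system", "system32"}


@dataclass
class Finding:
    where: str              # registry value or on-disk path the finding is about
    target: str             # file the entry points at
    flags: list = field(default_factory=list)


def lookalike_of_system_dir(component):
    """'YSTEM3~1' -> 'ystem3': a truncated copy of 'system32' that is not itself a system folder."""
    base = re.sub(r"~\d+$", "", component).lower()   # drop the 8.3 short-name suffix
    return len(base) >= 5 and base not in SYSTEM_DIRS and any(base in d for d in SYSTEM_DIRS)


def base64_text(name):
    """Decoded text if `name` is valid base64 for printable ASCII, else None."""
    if not re.fullmatch(r"[A-Za-z0-9+/]{8,}", name):
        return None
    try:   # binascii.Error and UnicodeDecodeError are both ValueError subclasses
        text = base64.b64decode(name + "=" * (-len(name) % 4), validate=True).decode("ascii")
    except ValueError:
        return None
    return text if text.isprintable() else None


def check_autostart(line):
    """Parse one HijackThis O4 line and attach flags; returns None for other line types."""
    m = O4_RE.match(line)
    if not m:
        return None
    pm = PATH_RE.match(m["rest"])
    path = (pm["quoted"] or pm["bare"]) if pm else m["rest"]
    f = Finding(f"{m['hive']}\\{m['key']}\\{m['name']}", path)
    parts = path.split("\\")
    if "?" in path:
        f.flags.append("'?' in path: a character HijackThis could not render, so browsing for this literal folder name finds nothing")
    if parts[-1].lower() in SYSTEM_BINARIES and not path.upper().startswith(SYSROOT):
        f.flags.append(f"{parts[-1]} started from outside {SYSROOT}")
    for comp in parts[1:-1]:
        if lookalike_of_system_dir(comp):
            f.flags.append(f"folder {comp!r} mimics a Windows system folder name")
        if GUID_RE.match(comp):
            f.flags.append(f"executable kept in GUID-named folder {comp!r}")
    return f


def check_hidden_dir(line):
    """From a ComboFix file listing, keep hidden+system directories and flag base64-named ones."""
    m = CF_RE.match(line)
    if not m or m["size"] != "<DIR>" or not {"h", "s"} <= set(m["attr"]):
        return None
    f = Finding(m["path"], m["path"])
    decoded = base64_text(m["path"].rsplit("\\", 1)[-1])
    if decoded is not None:
        f.flags.append(f"hidden+system folder name is base64 for {decoded!r}")
    return f


def triage(o4_lines, combofix_lines):
    found = [check_autostart(l) for l in o4_lines] + [check_hidden_dir(l) for l in combofix_lines]
    return [f for f in found if f is not None]


if __name__ == "__main__":
    for f in triage(HJT_O4, COMBOFIX_FILES):
        status = "SUSPICIOUS" if f.flags else "ok"
        print(f"{status:10} {f.where}")
        for flag in f.flags:
            print(f"           - {flag}")
```

Run as a script it prints one line per entry with its flags; `triage()` returns the findings so they can be asserted on or fed to other tooling. The O4 regex only understands the `HKxx\..\Key: [name] command` form that HijackThis 2.0 emits for Run/RunOnce values; lines of other types are skipped rather than guessed at.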
#39
Try this and see if it reveals anything: Sophos Anti-Rootkit.

Is it just pop-ups? Are they the same ones? Is it only certain sites or every site?

Do you have CounterSpy? Did it turn up anything?
#40
The pop-ups have stopped now that I have set IE's pop-up blocker to the highest setting. And it was certain sites.

I did have CounterSpy - it removed some stuff, but then it was only the trial version and it ran out.

Trying that Sophos one now.

Btw, I still get that missing INF message when Windows starts - even though I uninstalled Windows Messenger.