[Psychaospath]

I have a serious problem. Ive got some kind of adware on my computer. When Im surfing, or just have my browser open, a popup will pop up every 2-3 minutes. Ive tried using AVG Anti-Virus, AVG Anti-Spyware, CounterSpy, and Bazooka Scanner.

They all found tons of things, i got rid of all of them , i scanned again, everything gone. Except for quite a few TrackingCookies, but that shouldn't contribute to the adware problem. These are suppost to be the best programs.

Any suggestions to what I need to use or what I should do?

[evilfantasy]

Lets take a closer look.

Download and rename HijackThis (HJT)

• Double-click on HJTInstall.
• Click on the Install button.
• It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
• Upon install, HijackThis should open for you.
  • Close HijackThis and rename it.
  • Go to C:\Program Files\Trend Micro\HijackThis.exe
  • Right click on HijackThis.exe and select Rename.
  • Type in sniper.exe and press Enter.
  • Right-click on sniper.exe and select Send To > Desktop (create shortcut)
• From the desktop open HiajckThis.
• If using Windows Vista, be sure to Run As Administrator
• Click on the Do a system scan and save a log file button
• HijackThis will scan and then a log will open in notepad.
• Copy and then paste the log in your post.
  • Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

Even though we have renamed HijackThis to sniper, we will still refer to it as HijackThis or HJT.

[Psychaospath]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:50:07 PM, on 1/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\TRENDnet\TRENDnet TEW-421PC_TEW-423PI\WlanCU.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtim e.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Wireless Configuration Utility HW.15.lnk = C:\Program Files\TRENDnet\TRENDnet TEW-421PC_TEW-423PI\WlanCU.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll (file missing)
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab55579.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/ca..._2.3.6.108.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10...y.cab55579.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab55579.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames...e.cab60231.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10...y.cab55579.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
--
End of file - 7993 bytes

[evilfantasy]

That didn't reveal much, we will need to do some more thorough scans.

A few empty entries to fix with HJT real quick.

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries:

O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll (file missing)
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll (file missing)

Close all windows except for HijackThis and click Fix checked.

Exit Hijackthis.

---------

Download CCleaner

It is suggested to download the CCleaner - Slim - No Toolbar which is the version without the Yahoo! Toolbar.

• Double click on the ccsetup.exe file to start the installation of the program.
• Select your language and click OK, then next.
• Read the license agreement and click I Agree.
• Click next to use the default install location.
• Under Install Options, choose all the default settings
• Click Install then finish to complete installation.
• Double click the CCleaner shortcut on the desktop to start the program.
• On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
• If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
• Click on the "Options" icon at the left side of the window, then click on "Advanced."
  deselect "Only delete files in Windows Temp folders older than 48 hours."
• Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
• Caution: Only use the "Registry" feature if you are very familiar with the registry as it has been known to find legitimate items.
• Always back up your registry before making any changes.
• After CCleaner has completed its process, click Exit.

----------

Download SUPERAntispyware Free Edition (SAS)

• Double-click the icon on your desktop to run the installer.
• When asked to Update the program definitions, click Yes
• Next click the Preferences button.
• Click the Scanning Control tab.
• Under Scanner Options make sure only the following are checked:
  • Close browsers before scanning
  • Scan for tracking cookies
  • Terminate memory threats before quarantining
  • Please leave the others unchecked.
  • Click the Close button to leave the control center screen.
• Click the Close button to leave the control center screen.
• On the main screen click Scan your computer
• On the left check C:\Fixed Drive
• On the right choose Perform Complete Scan
• Click Next to start the scan. Please be patient while it scans your computer.
• After the scan is complete a summary box will appear. Click OK
• Make sure everything in the white box has a check next to it, then click Next
• It will quarantine what it found and if it asks if you want to reboot, click Yes
• To retrieve the removal information please do the following:
  • After reboot, double-click the SUPERAntiSpyware icon on your desktop.
  • Click Preferences. Click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • It will open in your default text editor (such as Notepad/Wordpad).
  • Save the notepad file to your desktop by clicking (in notepad) File > Save As...
• Save the log somewhere you can easily find it. (normally the desktop)
• Click close and close again to exit the program.
• Please copy and then paste the log in your post.

----------

Next post please add
SuperantiSpyware log

[Psychaospath]

ok i finally got it done, but.... popups still here, anyways heres the log :



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/22/2008 at 00:10 AM

Application Version : 3.9.1008

Core Rules Database Version : 3385
Trace Rules Database Version: 1379

Scan type : Complete Scan
Total Scan Time : 00:48:33

Memory items scanned : 556
Memory threats detected : 0
Registry items scanned : 4213
Registry threats detected : 0
File items scanned : 39567
File threats detected : 8

Adware.Tracking Cookie
C:\Documents and Settings\Richard\Cookies\richard@login.revenueloop[2].txt
C:\Documents and Settings\Richard\Cookies\richard@publishers.clickb ooth[2].txt
C:\Documents and Settings\Richard\Cookies\richard@doubleclick[1].txt
C:\Documents and Settings\Richard\Cookies\richard@ads.pointroll[1].txt
C:\Documents and Settings\Richard\Cookies\richard@bluestreak[1].txt
C:\Documents and Settings\Richard\Cookies\richard@tribalfusion[2].txt
C:\Documents and Settings\Richard\Cookies\richard@atdmt[2].txt

RootKit.TnCore/Trace
C:\WINDOWS\system32\drivers\core.cache.dsk

[evilfantasy]

This scan will take around 5 to 10 minutes.

Please download Combofix by sUBs from one of the below links.
(Try all three if necessary)

• Link #1
• Link #2
• Link #3

IMPORTANT - Combofix.exe MUST be saved to your your Desktop.

• Close any open Web browsers. (Firefox, Internet Explorer, etc)
• Close/disable all anti virus and anti malware programs so they do not interfere with Combofix. <-- IMPORTANT
  • Click on this link to see a list of programs that should be disabled. If yours is not listed and you don't know how to disable it, please ask.
• Double click combofix.exe & follow the prompts.
  • From the keyboard select 1 and press Enter
• When finished, it will produce a log for you.
• Post that log in your next reply.

Do not mouseclick combofix's window while it's running.
The scan will temporarily disable your desktop.
If interrupted it may leave your computer frozen.
If this occurs, please reboot to restore the desktop.


Next post
Combofix log

[Psychaospath]

ok did it. but ive still got popups :-( Heres the log:



ComboFix 08-01-21.3 - Richard 2008-01-22 0:30:28.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.628 [GMT -5:00]
Running from: C:\Documents and Settings\Richard\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete
.
((((((((((((((((((((((((( Files Created from 2007-12-22 to 2008-01-22 )))))))))))))))))))))))))))))))
.
2008-01-22 00:36 . 2008-01-22 00:36 167,545 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-22 00:34 . 2008-01-22 00:34 <DIR> d-------- C:\Temp\tn3
2008-01-22 00:29 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-21 23:10 . 2008-01-21 23:10 <DIR> d-------- C:\Program Files\CCleaner
2008-01-21 22:47 . 2008-01-21 22:47 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-21 22:21 . 2008-01-22 00:16 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-21 02:10 . 2008-01-21 02:10 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-21 02:09 . 2008-01-21 22:20 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-20 22:04 . 2008-01-20 22:04 <DIR> d-------- C:\Program Files\Bazooka Scanner
2008-01-20 17:41 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-20 16:39 . 2008-01-20 16:39 86,144 --a------ C:\WINDOWS\system32\drivers\ALCXWDMM.sys
2008-01-12 16:25 . 2008-01-12 16:25 <DIR> d-------- C:\Program Files\Electronic Arts
2008-01-12 15:11 . 2005-06-24 16:24 438,272 -ra------ C:\WINDOWS\system32\vp6vfw.dll
2008-01-12 15:11 . 2004-12-10 09:06 327,680 --a------ C:\WINDOWS\system32\vp6dec.ax
2008-01-12 15:06 . 2008-01-12 15:20 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-01-10 19:21 . 2008-01-10 19:21 <DIR> d-------- C:\Program Files\uTorrent
2008-01-10 19:01 . 2008-01-10 19:21 <DIR> d-------- C:\Program Files\megamaps
2008-01-08 22:43 . 2008-01-10 19:30 <DIR> d-------- C:\Program Files\Guitar Pro 5
2008-01-06 05:19 . 2008-01-06 05:19 <DIR> d-------- C:\Program Files\Power Tab Software
2008-01-03 22:31 . 2008-01-03 22:31 <DIR> d-------- C:\AeriaGames
2008-01-03 21:30 . 2008-01-12 21:55 <DIR> d-------- C:\UnrealTournament
2007-12-25 14:25 . 2007-12-28 16:53 90 --a------ C:\WINDOWS\RCAMPEG4VC.ini
2007-12-25 14:18 . 2006-09-13 14:52 561,152 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-12-25 14:18 . 2006-09-13 15:01 237,568 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-12-25 14:18 . 2005-12-30 15:34 2,864 --a------ C:\WINDOWS\system32\xvid.inf
2007-12-25 14:17 . 2007-12-25 14:17 <DIR> d-------- C:\Program Files\RCA
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-01-20 20:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-17 00:48 --------- d-----w C:\Program Files\Yahoo!
2008-01-16 01:15 --------- d-----w C:\Program Files\Lx_cats
2008-01-11 00:21 --------- d-----w C:\Program Files\Xfire
2008-01-11 00:21 --------- d-----w C:\Program Files\LimeWire
2007-12-22 10:47 --------- d-----w C:\Program Files\DriftCity
2007-12-20 07:35 --------- d-----w C:\Program Files\Sierra On-Line
2007-12-18 08:02 --------- d-----w C:\Program Files\NHN USA
2007-12-17 21:17 --------- d-----w C:\Program Files\Bethesda Softworks
2007-12-05 04:14 --------- d-----w C:\Program Files\SlySoft
2007-12-03 03:06 --------- d-----w C:\Program Files\TGTSoft
2007-11-25 18:18 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2007-11-22 05:03 --------- d-----w C:\Program Files\Cliprex DVD Player Professional
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-08-29 10:09 171464]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-11-16 16:42 577536 C:\WINDOWS\SOUNDMAN.EXE]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 13:43 45056]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42 267064]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 14:21 57344]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-20 17:18 579072]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"LXCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X 86\3\LXCFtime.dll" [2005-07-20 12:47 73728]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-20 17:18 219136]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Wireless Configuration Utility HW.15.lnk - C:\Program Files\TRENDnet\TRENDnet TEW-421PC_TEW-423PI\WlanCU.exe [2007-01-30 13:57:42 577536]
[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\policies\system]
"DisableRegistryTools"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\curr entversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="LogonUI.EXE"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Sonic CinePlayer Quick Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Sonic CinePlayer Quick Launch.lnk
backup=C:\WINDOWS\pss\Sonic CinePlayer Quick Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
C:\Program Files\Download Manager\DLM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 05:24 286720 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBCSTray]
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX3 2.sys [2006-10-17 07:22]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-10-18 04:39]
R1 ALCXWDMM;ALCXWDMM;C:\WINDOWS\system32\drivers\ALCX WDMM.sys [2008-01-20 16:39]
R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\cine msup.sys [2002-07-19 09:10]
R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM3.sy s [2007-08-17 20:35]
S3 rtl8180;Realtek RTL8180 Wireless LAN (Mini-)PCI NIC NT Driver;C:\WINDOWS\system32\DRIVERS\RTL8180.SYS [2003-12-30 12:20]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []
[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{5ed3c7c1-4bdf-11dc-8daa-806d6172696f}]
\Shell\AutoRun\command - D:\Autorun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2352721C-2267-DB51-0008-030706070804}]
C:\WINDOWS\system32\vsc32.exe
.
************************************************** ************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-22 00:37:48
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************** ************************
.
Completion time: 2008-01-22 0:42:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-22 05:42:10
.
2008-01-11 00:38:07 --- E O F ---

[evilfantasy]

Now download The Avenger By Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Check the Input script manually box.
• Click on the Magnifying Glass Icon which will open a new window titled View/edit script
• Copy everything in the Codee box below, and paste it in the box that opens:

Code:

Folders to delete:
C:\Temp\tn3
Files to delete:
C:\WINDOWS\system32\drivers\core.cache.dsk
Registry keys to delete:
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2352721C-2267-DB51-0008-030706070804}

Note: the above quote was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system

• Now click the 'Done' button.
• Click on the Green Light and OK the prompt.
• You will be prompted to restart, click OK at the prompt and your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt

The Avenger will automatically do the following:

• It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
• On reboot, it will briefly open a black command window on your desktop, this is normal.
• After the restart, it creates a log file that should open with the results of Avenger's actions.

• This log file will be located at C:\avenger.txt

• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

• Please attach the C:\avenger.txt in your next post.

----------

Next post
Avenger log

[Psychaospath]

ok here u go, still popups btw.



Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Service s\hptxmheu
*******************
Script file located at: wqwsrviw
Could not open script file! Error
Could not open script file! Status: 0xc000003b Abort!

[Psychaospath]

oops my bad i redid it, cuz the log didnt look right, and apparently i didnt do something right the first time, heres the new log. oh and there are still popups.



Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Service s\mkawvjax
*******************
Script file located at: \??\C:\WINDOWS\system32\ygueewld.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Folder C:\Temp\tn3 deleted successfully.
File C:\WINDOWS\system32\drivers\core.cache.dsk deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2352721C-2267-DB51-0008-030706070804} deleted successfully.
Completed script processing.
*******************
Finished! Terminate.