Advertisement NSIS Media
I have been having trouble with popups that say "Advertisement NSIS Media."I've done a little bit of research and can tell that they're kind of a painto get rid of and most virus/spyware detectors won't catch them. I find that frustrating, considering I'm paying for the Ad-Aware Plus version to try to keep things like this at bay...but I did see on one of your support forums that you can help people get rid of this problem. I didn't entirely understand the process for doing so well enough to give it a try on my own. I don't want to make things worse, so I'm asking for assistance to get ridof this nuisance!
-
[Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\uojtwwje
*******************
Script file located at: \??\C:\booxwuxc.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\System32\krnsvr32.dll not found!
Deletion of file C:\WINDOWS\System32\krnsvr32.dll failed!
Could not process line:
C:\WINDOWS\System32\krnsvr32.dll
Status: 0xc0000034
Completed script processing.
*******************
Finished! Terminate.
0 -
I know I just posted this yesterday and apparently in the wrong forum because my post was moved here, but I am getting a little impatient for an answer. I have been e-mailing the support department about this issue since before the holidays. I really would like to get it solved soon. I actually just updated my browser to Internet Explorer 7 the other day, and the popups do not seem to be happening anymore, but I am not convinced that this annoying software is really gone for good. I'm still looking to remove it and hopefully find some comfort that they didn't do any serious harm...
Thank you!
0 -
Hi nmbrock,
In order for the malware experts to analyse your problems, please post an Ad-Aware SE Full-Scan log (latest Defs: SE1R143 08.01.2007), together with a log from a program called HijackThis.
Log posting instructions are included in this Topic: Infected ??, found this
As to Hijack This (from the instructions in the link above): "Please install to a folder, not the desktop nor the Temp folder.
Then rename the Hijackthis.exe file e.g. to myhjt.exe. (Some malware target hijackthis so renaming helps get round this.) Double click on the renamed file to run HijackThis and post the log from a scan.
Regards,
Spike
(NB: Sorry, am moving you to a more appropriate section of the forum, where you logs will be read sooner once posted.)
0 -
Ad-Aware SE Build 1.06r1
Logfile Created on:Monday, January 15, 2007 6:29:41 PM
Using definitions file:SE1R144 15.01.2007
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):18 total references
Tracking Cookie(TAC index:3):45 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file
Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Ignore spanned files when scanning cab archives
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Block pop-ups aggressively
Set : Automatically select problematic objects in results lists
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Show splash screen
Set : Backup current definitions file before updating
Set : Play sound at scan completion if scan locates critical objects
1-15-2007 6:29:41 PM - Scan started. (Full System Scan)
MRU List Object Recognized!
Location: : C:\Documents and Settings\NMBROCK\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office
MRU List Object Recognized!
Location: : C:\Documents and Settings\NMBROCK\recent
Description : list of recently opened documents
MRU List Object Recognized!
Location: : S-1-5-21-1409082233-1229272821-1417001333-1004\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d
MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d
MRU List Object Recognized!
Location: : S-1-5-21-1409082233-1229272821-1417001333-1004\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X
MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X
MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw
MRU List Object Recognized!
Location: : S-1-5-21-1409082233-1229272821-1417001333-1004\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer
MRU List Object Recognized!
Location: : S-1-5-21-1409082233-1229272821-1417001333-1004\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer
MRU List Object Recognized!
Location: : S-1-5-21-1409082233-1229272821-1417001333-1004\software\microsoft\mediaplayer\preferences
Description : last playlist index loaded in microsoft windows media player
MRU List Object Recognized!
Location: : S-1-5-21-1409082233-1229272821-1417001333-1004\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player
MRU List Object Recognized!
Location: : S-1-5-21-1409082233-1229272821-1417001333-1004\software\microsoft\microsoft management console\recent file list
Description : list of recent snap-ins used in the microsoft management console
MRU List Object Recognized!
Location: : S-1-5-21-1409082233-1229272821-1417001333-1004\software\microsoft\office\11.0\common\general
Description : list of recently used symbols in microsoft office
MRU List Object Recognized!
Location: : S-1-5-21-1409082233-1229272821-1417001333-1004\software\microsoft\office\11.0\common\open find\microsoft office word\settings\save as\file name mru
Description : list of recent documents saved by microsoft word
MRU List Object Recognized!
Location: : S-1-5-21-1409082233-1229272821-1417001333-1004\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened
MRU List Object Recognized!
Location: : S-1-5-21-1409082233-1229272821-1417001333-1004\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension
MRU List Object Recognized!
Location: : S-1-5-21-1409082233-1229272821-1417001333-1004\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened
MRU List Object Recognized!
Location: : S-1-5-21-1409082233-1229272821-1417001333-1004\software\microsoft\windows media\wmsdk\general
Description : windows media sdk
Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 540
ThreadCreationTime : 1-3-2007 12:10:30 AM
BasePriority : Normal
#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 604
ThreadCreationTime : 1-3-2007 12:10:35 AM
BasePriority : Normal
#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 628
ThreadCreationTime : 1-3-2007 12:10:38 AM
BasePriority : High
#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 672
ThreadCreationTime : 1-3-2007 12:10:39 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe
#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 684
ThreadCreationTime : 1-3-2007 12:10:39 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe
#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 832
ThreadCreationTime : 1-3-2007 12:10:41 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 912
ThreadCreationTime : 1-3-2007 12:10:41 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:8 [msmpeng.exe]
FilePath : C:\Program Files\Windows Defender\
ProcessID : 1004
ThreadCreationTime : 1-3-2007 12:10:42 AM
BasePriority : Normal
FileVersion : 1.1.1593.0
ProductVersion : 1.1.1593.0
ProductName : Windows Defender
CompanyName : Microsoft Corporation
FileDescription : Service Executable
InternalName : MsMpEng.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : MsMpEng.exe
#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1048
ThreadCreationTime : 1-3-2007 12:10:42 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:10 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1176
ThreadCreationTime : 1-3-2007 12:10:44 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:11 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1228
ThreadCreationTime : 1-3-2007 12:10:44 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:12 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1452
ThreadCreationTime : 1-3-2007 12:10:46 AM
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe
#:13 [avgamsvr.exe]
FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
ProcessID : 1608
ThreadCreationTime : 1-3-2007 12:10:53 AM
BasePriority : Normal
FileVersion : 7.5.0.420
ProductVersion : 7.5.0.420
ProductName : AVG 7.5 Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Alert Manager
InternalName : avgamsvr
LegalCopyright : Copyright © 2006 GRISOFT, s.r.o.
OriginalFilename : avgamsvr.EXE
#:14 [avgupsvc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
ProcessID : 1640
ThreadCreationTime : 1-3-2007 12:10:54 AM
BasePriority : Normal
FileVersion : 7.5.0.420
ProductVersion : 7.5.0.420
ProductName : AVG 7.5 Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Update Service
InternalName : avgupsvc
LegalCopyright : Copyright © 2006 GRISOFT, s.r.o.
OriginalFilename : avgupdsvc.EXE
#:15 [mdm.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\
ProcessID : 1700
ThreadCreationTime : 1-3-2007 12:10:54 AM
BasePriority : Normal
FileVersion : 7.00.9466
ProductVersion : 7.00.9466
ProductName : Microsoft® Visual Studio .NET
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : mdm.exe
#:16 [nvsvc32.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1744
ThreadCreationTime : 1-3-2007 12:10:54 AM
BasePriority : Normal
FileVersion : 6.14.10.5216
ProductVersion : 6.14.10.5216
ProductName : NVIDIA Driver Helper Service, Version 52.16
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 52.16
InternalName : NVSVC
LegalCopyright : © NVIDIA Corporation. All rights reserved.
OriginalFilename : nvsvc32.exe
#:17 [wdfmgr.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1916
ThreadCreationTime : 1-3-2007 12:10:55 AM
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: DNSRV(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe
#:18 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 456
ThreadCreationTime : 1-3-2007 12:11:00 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe
#:19 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 936
ThreadCreationTime : 1-3-2007 12:17:44 AM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE
#:20 [point32.exe]
FilePath : C:\Program Files\Microsoft Hardware\Mouse\
ProcessID : 1828
ThreadCreationTime : 1-3-2007 12:17:58 AM
BasePriority : Normal
#:21 [jusched.exe]
FilePath : C:\Program Files\Java\jre1.5.0_06\bin\
ProcessID : 1792
ThreadCreationTime : 1-3-2007 12:17:58 AM
BasePriority : Normal
#:22 [avgcc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
ProcessID : 1860
ThreadCreationTime : 1-3-2007 12:17:59 AM
BasePriority : Normal
FileVersion : 7.5.0.418
ProductVersion : 7.5.0.418
ProductName : AVG 7.5 Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Control Center
InternalName : AvgCC
LegalCopyright : Copyright © 2006 GRISOFT, s.r.o.
OriginalFilename : AvgCC.EXE
#:23 [cfd.exe]
FilePath : C:\Program Files\BroadJump\Client Foundation\
ProcessID : 1940
ThreadCreationTime : 1-3-2007 12:17:59 AM
BasePriority : Normal
#:24 [ybrwicon.exe]
FilePath : C:\Program Files\Yahoo!\browser\
ProcessID : 1588
ThreadCreationTime : 1-3-2007 12:17:59 AM
BasePriority : Normal
FileVersion : 2006, 7, 21, 1
ProductVersion : 1, 0, 0, 1
ProductName : Yahoo! Inc. YBrwIcon
CompanyName : Yahoo! Inc.
FileDescription : YBrwIcon
InternalName : YBrwIcon
LegalCopyright : Copyright © 2003-2006 Yahoo! Inc.
OriginalFilename : YBrwIcon.exe
#:25 [motivesb.exe]
FilePath : C:\PROGRA~1\SBCSEL~1\SMARTB~1\
ProcessID : 1812
ThreadCreationTime : 1-3-2007 12:17:59 AM
BasePriority : Normal
FileVersion : 5.6.7.asst_classic.smartbridge.20031210_035000
ProductVersion : 5.6.7.asst_classic.smartbridge
ProductName : Motive System
CompanyName : Motive, Inc.
FileDescription : AT&T Self Support Tool Alerts
InternalName : version
LegalCopyright : Copyright 1998-2006
OriginalFilename : version
#:26 [ituneshelper.exe]
FilePath : C:\Program Files\iTunes\
ProcessID : 896
ThreadCreationTime : 1-3-2007 12:17:59 AM
BasePriority : Normal
FileVersion : 6.0.5.20
ProductVersion : 6.0.5.20
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iTunesHelper Module
InternalName : iTunesHelper
LegalCopyright : © 2003-2006 Apple Computer, Inc. All Rights Reserved.
OriginalFilename : iTunesHelper.exe
#:27 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ProcessID : 1240
ThreadCreationTime : 1-3-2007 12:17:59 AM
BasePriority : Normal
FileVersion : 7.1.3
ProductVersion : QuickTime 7.1.3
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
FileDescription : QuickTime Task
InternalName : QuickTime Task
LegalCopyright : Copyright Apple Computer, Inc. 1989-2006
OriginalFilename : QTTask.exe
#:28 [ctfmon.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 488
ThreadCreationTime : 1-3-2007 12:18:01 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE
#:29 [ycommon.exe]
FilePath : C:\PROGRA~1\Yahoo!\browser\
ProcessID : 216
ThreadCreationTime : 1-3-2007 12:18:01 AM
BasePriority : Normal
FileVersion : 2006, 3, 2, 1
ProductVersion : 3, 5, 0, 0
ProductName : YCommon Exe Module
CompanyName : Yahoo!, Inc.
FileDescription : YCommon Exe Module
InternalName : YCommonExe
LegalCopyright : Copyright 2003-2006 Yahoo! Inc.
OriginalFilename : YCommon.EXE
#:30 [ipodservice.exe]
FilePath : C:\Program Files\iPod\bin\
ProcessID : 412
ThreadCreationTime : 1-3-2007 12:18:02 AM
BasePriority : Normal
FileVersion : 6.0.5.20
ProductVersion : 6.0.5.20
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iPodService Module
InternalName : iPodService
LegalCopyright : © 2003-2006 Apple Computer, Inc. All Rights Reserved.
OriginalFilename : iPodService.exe
#:31 [mpbtn.exe]
FilePath : C:\Program Files\SBC Self Support Tool\bin\
ProcessID : 976
ThreadCreationTime : 1-3-2007 12:18:07 AM
BasePriority : Normal
#:32 [mstordb.exe]
FilePath : C:\Program Files\Microsoft Office\OFFICE11\
ProcessID : 4084
ThreadCreationTime : 1-13-2007 8:44:19 PM
BasePriority : Normal
#:33 [hotsync.exe]
FilePath : C:\Program Files\Palm\
ProcessID : 1708
ThreadCreationTime : 1-13-2007 11:02:38 PM
BasePriority : Normal
FileVersion : 6.0.1
ProductVersion : 6.0.1
ProductName : HotSync® Manager
CompanyName : PalmSource, Inc
FileDescription : HotSync® Manager Application
InternalName : HotSync®
LegalCopyright : Copyright © 1995-2004 PalmSource Inc.
LegalTrademarks : HotSync® is a registered trademark of PalmSource Inc.
OriginalFilename : Hotsync.exe
#:34 [outlook.exe]
FilePath : C:\Program Files\Microsoft Office\OFFICE11\
ProcessID : 2200
ThreadCreationTime : 1-15-2007 11:13:14 PM
BasePriority : Normal
#:35 [winword.exe]
FilePath : C:\Program Files\Microsoft Office\OFFICE11\
ProcessID : 964
ThreadCreationTime : 1-15-2007 11:13:24 PM
BasePriority : Normal
#:36 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ProcessID : 3968
ThreadCreationTime : 1-15-2007 11:18:00 PM
BasePriority : Normal
FileVersion : 7.00.5730.11 (winmain(wmbla).061017-1135)
ProductVersion : 7.00.5730.11
ProductName : Windows® Internet Explorer
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE
#:37 [acrord32.exe]
FilePath : C:\Program Files\Adobe\Acrobat 7.0\Reader\
ProcessID : 1148
ThreadCreationTime : 1-15-2007 11:26:23 PM
BasePriority : Normal
FileVersion : 7.0.8.2006051600
ProductVersion : 7.0.8.2006051600
ProductName : Adobe Reader
CompanyName : Adobe Systems Incorporated
FileDescription : Adobe Reader 7.0
LegalCopyright : Copyright 1984-2006 Adobe Systems Incorporated and its licensors. All rights reserved.
OriginalFilename : AcroRd32.exe
#:38 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Plus\
ProcessID : 760
ThreadCreationTime : 1-15-2007 11:28:31 PM
BasePriority : Normal
FileVersion : 6.2.0.237
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved
Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 18
Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 18
Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 18
Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nmbrock@ads.guardian.co[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:nmbrock@ads.guardian.co.uk/
Expires : 12-30-2037 11:00:00 AM
LastSync : Hits:2
UseCount : 0
Hits : 2
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nmbrock@doubleclick[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:29
Value : Cookie:nmbrock@doubleclick.net/
Expires : 12-31-2009 2:56:40 PM
LastSync : Hits:29
UseCount : 0
Hits : 29
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nmbrock@2o7[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:214
Value : Cookie:nmbrock@2o7.net/
Expires : 1-13-2012 5:45:00 PM
LastSync : Hits:214
UseCount : 0
Hits : 214
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nmbrock@questionmarket[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:25
Value : Cookie:nmbrock@questionmarket.com/
Expires : 3-6-2008 10:05:20 AM
LastSync : Hits:25
UseCount : 0
Hits : 25
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nmbrock@ehg-hyundaiusa.hitbox[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:20
Value : Cookie:nmbrock@ehg-hyundaiusa.hitbox.com/
Expires : 1-13-2008 4:24:42 PM
LastSync : Hits:20
UseCount : 0
Hits : 20
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nmbrock@zedo[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:32
Value : Cookie:nmbrock@zedo.com/
Expires : 12-29-2016 2:56:22 PM
LastSync : Hits:32
UseCount : 0
Hits : 32
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nmbrock@casalemedia[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:34
Value : Cookie:nmbrock@casalemedia.com/
Expires : 1-1-2008 2:41:36 PM
LastSync : Hits:34
UseCount : 0
Hits : 34
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nmbrock@atdmt[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:36
Value : Cookie:nmbrock@atdmt.com/
Expires : 12-30-2011 7:00:00 PM
LastSync : Hits:36
UseCount : 0
Hits : 36
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nmbrock@adrevolver[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:nmbrock@media.adrevolver.com/adrevolver/
Expires : 9-22-2009 11:30:42 AM
LastSync : Hits:2
UseCount : 0
Hits : 2
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nmbrock@homestore.122.2o7[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:nmbrock@homestore.122.2o7.net/
Expires : 1-3-2012 11:39:24 PM
LastSync : Hits:1
UseCount : 0
Hits : 1
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nmbrock@ford.112.2o7[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:nmbrock@ford.112.2o7.net/
Expires : 1-12-2012 4:25:18 PM
LastSync : Hits:1
UseCount : 0
Hits : 1
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nmbrock@adopt.euroclick[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:34
Value : Cookie:nmbrock@adopt.euroclick.com/
Expires : 10-5-2016 7:37:02 PM
LastSync : Hits:34
UseCount : 0
Hits : 34
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nmbrock@ehg-bestbuy.hitbox[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:35
Value : Cookie:nmbrock@ehg-bestbuy.hitbox.com/
Expires : 3-13-2007 6:16:22 PM
LastSync : Hits:35
UseCount : 0
Hits : 35
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nmbrock@revsci[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:23
Value : Cookie:nmbrock@revsci.net/
Expires : 12-30-2037 10:00:00 PM
LastSync : Hits:23
UseCount : 0
Hits : 23
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nmbrock@realmedia[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:7
Value : Cookie:nmbrock@realmedia.com/
Expires : 12-31-2020 7:00:00 PM
LastSync : Hits:7
UseCount : 0
Hits : 7
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nmbrock@mediaplex[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:nmbrock@mediaplex.com/
Expires : 6-21-2009 7:00:00 PM
LastSync : Hits:2
UseCount : 0
Hits : 2
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nmbrock@edge.ru4[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:5
Value : Cookie:nmbrock@edge.ru4.com/
Expires : 12-25-2036 5:51:18 PM
LastSync : Hits:5
UseCount : 0
Hits : 5
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nmbrock@msnaccountservices.112.2o7[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:nmbrock@msnaccountservices.112.2o7.net/
Expires : 1-8-2012 11:33:44 PM
LastSync : Hits:1
UseCount : 0
Hits : 1
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nmbrock@fastclick[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:49
Value : Cookie:nmbrock@fastclick.net/
Expires : 1-12-2009 10:44:20 PM
LastSync : Hits:49
UseCount : 0
Hits : 49
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nmbrock@twci.coremetrics[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:nmbrock@twci.coremetrics.com/
Expires : 1-13-2022 4:07:52 PM
LastSync : Hits:1
UseCount : 0
Hits : 1
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nmbrock@livenation.122.2o7[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:nmbrock@livenation.122.2o7.net/
Expires : 1-5-2012 10:40:02 AM
LastSync : Hits:1
UseCount : 0
Hits : 1
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nmbrock@maxserving[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:nmbrock@maxserving.com/
Expires : 1-3-2017 10:11:22 PM
LastSync : Hits:1
UseCount : 0
Hits : 1
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nmbrock@hitbox[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:91
Value : Cookie:nmbrock@hitbox.com/
Expires : 1-13-2008 7:11:18 PM
LastSync : Hits:91
UseCount : 0
Hits : 91
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nmbrock@advertising[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:468
Value : Cookie:nmbrock@advertising.com/
Expires : 1-14-2012 6:22:36 PM
LastSync : Hits:468
UseCount : 0
Hits : 468
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nmbrock@ads.addynamix[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:36
Value : Cookie:nmbrock@ads.addynamix.com/
Expires : 1-6-2012 12:53:20 AM
LastSync : Hits:36
UseCount : 0
Hits : 36
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nmbrock@server.iad.liveperson[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:4
Value : Cookie:nmbrock@server.iad.liveperson.net/
Expires : 1-12-2008 6:08:48 PM
LastSync : Hits:4
UseCount : 0
Hits : 4
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nmbrock@media.adrevolver[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:25
Value : Cookie:nmbrock@media.adrevolver.com/
Expires : 7-17-2007 1:08:38 PM
LastSync : Hits:25
UseCount : 0
Hits : 25
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nmbrock@tradedoubler[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:nmbrock@tradedoubler.com/
Expires : 1-2-2027 12:54:14 AM
LastSync : Hits:1
UseCount : 0
Hits : 1
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nmbrock@data.coremetrics[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:nmbrock@data.coremetrics.com/
Expires : 1-1-2022 8:15:34 PM
LastSync : Hits:3
UseCount : 0
Hits : 3
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nmbrock@trafficmp[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:202
Value : Cookie:nmbrock@trafficmp.com/
Expires : 1-3-2008 11:41:38 PM
LastSync : Hits:202
UseCount : 0
Hits : 202
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nmbrock@msnportal.112.2o7[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:4
Value : Cookie:nmbrock@msnportal.112.2o7.net/
Expires : 1-6-2012 12:49:10 AM
LastSync : Hits:4
UseCount : 0
Hits : 4
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nmbrock@ads2.drivelinemedia[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:nmbrock@ads2.drivelinemedia.com/
Expires : 12-30-2037 11:00:00 AM
LastSync : Hits:1
UseCount : 0
Hits : 1
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nmbrock@ehg-kodak.hitbox[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:nmbrock@ehg-kodak.hitbox.com/
Expires : 3-2-2007 3:51:50 PM
LastSync : Hits:1
UseCount : 0
Hits : 1
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nmbrock@tribalfusion[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:14
Value : Cookie:nmbrock@tribalfusion.com/
Expires : 12-31-2037 7:00:00 PM
LastSync : Hits:14
UseCount : 0
Hits : 14
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nmbrock@ads.pointroll[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:24
Value : Cookie:nmbrock@ads.pointroll.com/
Expires : 12-31-2009 7:00:00 PM
LastSync : Hits:24
UseCount : 0
Hits : 24
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nmbrock@server.iad.liveperson[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:5
Value : Cookie:nmbrock@server.iad.liveperson.net/hc/70285634
Expires : 1-12-2008 6:08:52 PM
LastSync : Hits:5
UseCount : 0
Hits : 5
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nmbrock@overstock[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:47
Value : Cookie:nmbrock@overstock.com/
Expires : 2-19-2020 9:28:00 AM
LastSync : Hits:47
UseCount : 0
Hits : 47
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nmbrock@chicagosuntimes.122.2o7[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:nmbrock@chicagosuntimes.122.2o7.net/
Expires : 1-13-2012 5:45:02 PM
LastSync : Hits:1
UseCount : 0
Hits : 1
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nmbrock@pbh.adbureau[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:nmbrock@pbh.adbureau.net/
Expires : 2-27-2008 7:00:00 PM
LastSync : Hits:2
UseCount : 0
Hits : 2
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nmbrock@statcounter[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:nmbrock@statcounter.com/
Expires : 1-6-2012 1:18:54 AM
LastSync : Hits:2
UseCount : 0
Hits : 2
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nmbrock@ehg-starbucks.hitbox[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:16
Value : Cookie:nmbrock@ehg-starbucks.hitbox.com/
Expires : 1-13-2008 7:11:18 PM
LastSync : Hits:16
UseCount : 0
Hits : 16
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nmbrock@overture[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:nmbrock@overture.com/
Expires : 1-11-2017 4:08:06 PM
LastSync : Hits:1
UseCount : 0
Hits : 1
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nmbrock@live365[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:nmbrock@live365.com/
Expires : 1-14-2012 7:16:16 PM
LastSync : Hits:1
UseCount : 0
Hits : 1
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nmbrock@microsoftoffice.112.2o7[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:nmbrock@microsoftoffice.112.2o7.net/
Expires : 1-8-2012 11:53:12 PM
LastSync : Hits:1
UseCount : 0
Hits : 1
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nmbrock@advertising[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\NMBROCK\Cookies\nmbrock@advertising[2].txt
Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 45
Objects found so far: 63
Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 63
Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 63
Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 63
6:46:26 PM Scan Complete
Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:16:44.500
Objects scanned:172848
Objects identified:45
Objects ignored:0
New critical objects:45
0 -
Logfile of HijackThis v1.99.1
Scan saved at 6:51:00 PM, on 1/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Microsoft Office\OFFICE11\MSTORDB.EXE
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Aware.exe
C:\DOCUME~1\NMBROCK\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/default.armx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\common\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [iNTERNATIONAL] International*
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4A752EEF-26FA-4E8F-8FF0-4EB40FE1D33B} (ACNPlayer2 Class) - http://209.67.146.68/HarrisFiles/eplayer.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp...tle/Coupons.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - http://entimg.msn.com/client/msnmusax2822.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
0 -
Hello,nmbrock & Welcome
Hmmm lit's try something here do this for me.
Please RIGHT-CLICK HERE to download Silent Runner's.
- Save it to the desktop.
- Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
- You will receive a prompt:
Do you want to skip supplementary searches?
click NO
[*]You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
[*]Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
=============
Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.
Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Gogo
0 - Save it to the desktop.
-
The Silent Runner thing never worked. I never got a box saying that it was done. Just one that said it had started and I'd get another box and to be patient. I clicked OK on that box and nothing happened. That was over an hour ago...
???
0 -
Ok...so as soon as I posted that message I saw there was a notepad file on my desktop. I assume this is what you needed.
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"AWMON" = ""C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"" ["Lavasoft Sweden"]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"POINTER" = "point32.exe" [MS]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"BJCFD" = "C:\Program Files\BroadJump\Client Foundation\CFD.exe" ["BroadJump, Inc."]
"YBrowser" = "C:\Program Files\Yahoo!\browser\ybrwicon.exe" ["Yahoo! Inc."]
"Motive SmartBridge" = "C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" ["Motive, Inc."]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\common\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! IE Services Button"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\common\yiesrvc.dll" ["Yahoo! Inc."]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
{F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SidebarAutoLaunch Class"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll" ["Yahoo! Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\common\ymmapi.dll" ["Yahoo! Inc."]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{D44E22BD-2D2C-4F13-BF1B-2DB458FD0C2C}" = "KernelExtExt Extension"
-> {HKLM...CLSID} = "KernelExt Class"
\InProcServer32\(Default) = "C:\WINDOWS\System32\krnsvr32.dll" [file not found]
"{A1D3635C-4E5F-42BF-81EF-900BED4BF8EE}" = "TerminalExtExt Extension"
-> {HKLM...CLSID} = "TerminalExt Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\atixim.dll" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
-> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
\InProcServer32\(Default) = "C:\PROGRA~1\WIFD1F~1\MpShHook.dll" [MS]
HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]
HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\common\ymmapi.dll" ["Yahoo! Inc."]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
Group Policies {policy setting}:
--------------------------------
Note: detected settings may not have any effect.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"DisableTaskMgr" = (REG_DWORD) hex:0x00000000
{Remove Task Manager}
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\NMBROCK\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssmypics.scr" [MS]
Startup items in "NMBROCK" & "All Users" startup folders:
---------------------------------------------------------
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"AT&T Self Support Tool" -> shortcut to: "C:\Program Files\SBC Self Support Tool\bin\matcli.exe -boot" ["Motive Communications, Inc."]
"HOTSYNCSHORTCUTNAME" -> shortcut to: "C:\Program Files\Palm\Hotsync.exe -logon" ["PalmSource, Inc"]
Enabled Scheduled Tasks:
------------------------
"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task" ["Apple Computer, Inc."]
"MP Scheduled Scan" -> launches: "C:\Program Files\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\common\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\common\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
Explorer Bars
HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Yahoo! Messenger"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes.dll" [file not found]
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Yahoo! Messenger"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes.dll" [file not found]
HKLM\Software\Classes\CLSID\{0494D0DE-F8E0-41AD-92A3-14154ECE70AC}\(Default) = "My Search Bar Quick View"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
HKLM\Software\Classes\CLSID\{51085E3D-A958-42A2-A6BE-A6A9B0BAF276}\(Default) = "AT&&T Yahoo! Sidebar"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Yahoo!\browser\ysidebarIE.dll" ["Yahoo! Inc."]
HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\
"ButtonText" = "AT&T Yahoo! Services"
"CLSIDExtension" = "{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}"
-> {HKLM...CLSID} = "Yahoo! IE Services Button"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\common\yiesrvc.dll" ["Yahoo! Inc."]
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"
{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]
Miscellaneous IE Hijack Points
------------------------------
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "*a" (unwritable string)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\common\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
iPodService, iPodService, "C:\Program Files\iPod\bin\iPodService.exe" ["Apple Computer, Inc."]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Windows Defender, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]
Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
HPF00111\Driver = "HPFlpm11.dll" ["Hewlett-Packard Company"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
----------
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 536 seconds, including 471 seconds for message boxes)
0 -
"NMBROCK" - 07-01-16 23:17:55 Service Pack 2
ComboFix 07-01-16.2 - Running from: "C:\Documents and Settings\NMBROCK\Desktop"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\1160596747.exe
C:\WINDOWS\system32\1165009784.exe
((((((((((((((((((((((((((((((( Files Created from 2006-12-16 to 2007-01-16 ))))))))))))))))))))))))))))))))))
2007-01-15 18:48 <DIR> d-------- C:\Program Files\HijackThis
2007-01-13 18:02 <DIR> d-------- C:\Program Files\SplashData
2007-01-13 17:56 53,248 --a------ C:\WINDOWS\PalmDevC.dll
2007-01-13 17:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\HotSync
2007-01-13 17:55 <DIR> d-------- C:\Program Files\Palm
2007-01-13 17:55 <DIR> d-------- C:\DOCUME~1\NMBROCK\Application Data\HotSync
2007-01-10 18:42 <DIR> d-------- C:\WINDOWS\LastGood
2007-01-10 18:42 <DIR> d-------- C:\WINDOWS\ie7updates
2007-01-02 19:07 <DIR> d-------- C:\WINDOWS\WBEM
2007-01-02 19:07 <DIR> d-------- C:\WINDOWS\system32\en-US
2007-01-02 19:05 <DIR> d--h-c--- C:\WINDOWS\ie7
2007-01-02 19:03 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2007-01-02 19:03 <DIR> d-------- C:\WINDOWS\network diagnostic
2006-12-18 22:47 <DIR> d-------- C:\Program Files\Windows Defender
2006-12-16 11:00 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2006-12-16 11:00 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-01-13 18:17 -------- d-------- C:\DOCUME~1\NMBROCK\Application Data\adobeum
2007-01-13 18:02 -------- d--h----- C:\Program Files\installshield installation information
2007-01-13 17:56 -------- d---s---- C:\DOCUME~1\NMBROCK\Application Data\microsoft
2007-01-13 17:55 16694 --a------ C:\WINDOWS\system32\drivers\PalmUSBD.sys
2007-01-10 23:54 -------- d-------- C:\Program Files\trillian
2006-12-16 11:00 816672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-12-16 11:00 4224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-12-16 11:00 28416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-12-11 20:40 -------- d-------- C:\Program Files\Common Files\adobe
2006-12-07 01:40 2362184 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-11-17 03:00 -------- d-------- C:\Program Files\msxml 4.0
2006-11-08 00:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-07 21:03 6049280 --------- C:\WINDOWS\system32\ieframe.dll
2006-11-07 21:03 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-11-07 21:03 458752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-11-07 21:03 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-11-07 21:03 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-11-07 21:03 180736 --------- C:\WINDOWS\system32\ieui.dll
2006-11-07 21:03 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-11-07 03:27 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-11-07 03:27 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-11-07 03:26 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-11-07 03:26 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-11-07 03:26 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-11-07 03:26 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-11-07 03:26 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-11-07 03:26 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-11-07 03:26 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-11-07 03:25 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-10-19 08:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-17 12:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll
2006-10-17 12:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll
2006-10-17 12:05 206336 --------- C:\WINDOWS\system32\winfxdocobj.exe
2006-10-17 12:05 105984 --a------ C:\WINDOWS\system32\url.dll
2006-10-17 12:04 101376 --a------ C:\WINDOWS\system32\occache.dll
2006-10-17 12:03 17408 --a------ C:\WINDOWS\system32\corpol.dll
2006-10-17 11:58 61952 --------- C:\WINDOWS\system32\icardie.dll
2006-10-17 11:58 12288 --------- C:\WINDOWS\system32\msfeedssync.exe
2006-10-17 11:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll
2006-10-17 11:57 266752 --------- C:\WINDOWS\system32\iertutil.dll
2006-10-17 11:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
2006-10-17 11:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
2006-10-17 11:27 380928 --------- C:\WINDOWS\system32\ieapfltr.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"AWMON"="\"C:\\Program Files\\Lavasoft\\Ad-Aware SE Plus\\Ad-Watch.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"POINTER"="point32.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"YBrowser"="C:\\Program Files\\Yahoo!\\browser\\ybrwicon.exe"
"Motive SmartBridge"="C:\\PROGRA~1\\SBCSEL~1\\SMARTB~1\\MotiveSB.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5BACC17E-BDF7-405B-BC68-ECB506395118}"="NSIS Media Extension"
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{857e30e1-ebd9-11d8-9978-806d6172696f}]
Shell\AutoRun\command D:\autorun.exe
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
Completion time: 07-01-16 23:19:43
0 -
Hi,nmbrock
First
Please disable AdWatch, as it may hinder the removal of some entries. You can re-enable it after you're clean.
To disable AdWatch:
Open AdAware SE.
Go to AdWatch User Interface.
Go to Tools and Preferences.
At the bottom of the screen you will see 2 options Active and Automatic.
Active: This will turn Ad-Watch On\Off without closing it
Automatic: Suspicious activity will be blocked automatically
Uncheck both options.
NOTE: Turn it back on after we are done cleaning
==============
The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous so we will make a backup of the registry first.
Backup the Registry:
Navigate to Start | Run and paste the following:
regedit /e c:\registrybackup.reg
Now click OK
It won't appear to be doing anything, that's normal.
Your mouse pointer may turn to an hour glass for a minute.
Please continue when it no longer has the hour glass.
==============
Open Notepad and copy and paste the following quotebox into a new text document. (Don't forget to copy and paste REGEDIT4!) don't copy the word quote
REGEDIT4[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5BACC17E-BDF7-405B-BC68-ECB506395118}"=-
Save this as fix.reg Choose to save as *all files and place it on your Desktop.
Double-click on it and when it asks you if you want to merge the contents to the registry, click Yes/OK.
==============
Download The Avenger Copyright © Swandog46
You must extract avenger.exe to your desktop, before you run it.
CLOSE ALL WINDOWS (even this one) AND PROGRAMS!!!!
Copy all the text contained in the code box below to your Clipboard.
NOTE: don't copy the word quote
Files to delete:C:\WINDOWS\System32\krnsvr32.dll
The above script is for this user only, if you need help please start your own thread.
Start the Avenger.
Under "Script file to execute" choose "Input Script Manually".
Click on the Magnifying Glass icon which will open a new window titled "View/edit script".
Paste the entire text in into this window.
Click done, now click on the Green Light
Answer "Yes" twice when prompted.
Your computer shoud reboot, and briefly open a black command window on your desktop, this is normal.
After the restart, it will create a log file that should open.
This log file will be located at C:\avenger.txt
Paste the contents of C:\avenger.txt into your reply along with a fresh HijackThis! log.
Also: Avenger has made backups of all the files, etc., that you asked it to delete, located at C:\avenger\backup.zip.
============
Then come back here with all logfiles and feedback on how the PC is doing.
Gogo
0 -
I was just about to post that, like I mentioned before, the bulk of the problem really seemed to go away when I upgraded to Internet Explorer 7. I hadn't gotten one of those popups since I made the switch, until just a minute ago, AFTER I did what you told me to do. How on earth is that happening - it's like we woke it up! I really want to know what these things are doing to my computer (besides slowing it down and just plain being annoying).
Please help!!
0 -
Logfile of HijackThis v1.99.1
Scan saved at 8:27:40 PM, on 1/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Palm\Hotsync.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\myhjt.exe.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\common\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [iNTERNATIONAL] International*
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4A752EEF-26FA-4E8F-8FF0-4EB40FE1D33B} (ACNPlayer2 Class) - http://209.67.146.68/HarrisFiles/eplayer.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp...tle/Coupons.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - http://entimg.msn.com/client/msnmusax2822.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
0 -
Hi,nmbrock
Please do this once more for me
Please RIGHT-CLICK HERE to download Silent Runner's.
- Save it to the desktop.
- Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
- You will receive a prompt:
Do you want to skip supplementary searches?
click NO
[*]You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
[*]Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
And
============
Please download RegScan.
Within RegScan.zip you will find the file regscan.vbs
You may have to allow this script to run or disable anti-spyware again in order for it to run.
A window will open titled RegFinder.vbs and you will see place to input search terms.
Please enter the search terms:
NSIS Media
After the search has completed a window titled Results.txt will open.
Please copy the results and post(reply) back.
Gogo
0 - Save it to the desktop.
-
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"AWMON" = ""C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"" ["Lavasoft Sweden"]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"POINTER" = "point32.exe" [MS]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"BJCFD" = "C:\Program Files\BroadJump\Client Foundation\CFD.exe" ["BroadJump, Inc."]
"YBrowser" = "C:\Program Files\Yahoo!\browser\ybrwicon.exe" ["Yahoo! Inc."]
"Motive SmartBridge" = "C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" ["Motive, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\common\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! IE Services Button"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\common\yiesrvc.dll" ["Yahoo! Inc."]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
{F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SidebarAutoLaunch Class"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll" ["Yahoo! Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\common\ymmapi.dll" ["Yahoo! Inc."]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{D44E22BD-2D2C-4F13-BF1B-2DB458FD0C2C}" = "KernelExtExt Extension"
-> {HKLM...CLSID} = "KernelExt Class"
\InProcServer32\(Default) = "C:\WINDOWS\System32\krnsvr32.dll" [file not found]
"{A1D3635C-4E5F-42BF-81EF-900BED4BF8EE}" = "TerminalExtExt Extension"
-> {HKLM...CLSID} = "TerminalExt Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\atixim.dll" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
-> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
\InProcServer32\(Default) = "C:\PROGRA~1\WIFD1F~1\MpShHook.dll" [MS]
HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]
HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\common\ymmapi.dll" ["Yahoo! Inc."]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
Group Policies {policy setting}:
--------------------------------
Note: detected settings may not have any effect.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\NMBROCK\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
0 -
Windows Registry Editor Version 5.00
; Regscan.vbs Version: 1.2 by rand1038
; 1/18/2007 7:19:29 PM
; Search Term(s) Used: "NSIS Media"
; 2 matches were found.
; The search took 44 seconds.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{C9E4CF9D-31BB-4D6D-BE63-D8B878C1CAE1}"="NSIS Media Extension"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NSISMedia]
"DisplayName"="NSIS Media Extension"
0 -
BTW...Now my AdWatch is going NUTS! It has logged something like 57 events since I turned my computer on an hour ago. Most of them say "registry modification detected" - that doesn't sound very good. What could be making that happen???
0 -
Hi,nmbrock
Yes i would say this is going to happen if you had turned it off then
back on it will do this if you have items running at the time.
like anything that needs to send info to the registry like say the Anti-virus scanner
now make sure you turn off Ad-Watch once again to do this here.
The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous so we will make a backup of the registry first.
Backup the Registry:
Navigate to Start | Run and paste the following:
regedit /e c:\registrybackup.reg
Now click OK
It won't appear to be doing anything, that's normal.
Your mouse pointer may turn to an hour glass for a minute.
Please continue when it no longer has the hour glass.
==============
Open Notepad and copy and paste the following quotebox into a new text document. (Don't forget to copy and paste REGEDIT4!) don't copy the word quote
REGEDIT4[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{C9E4CF9D-31BB-4D6D-BE63-D8B878C1CAE1}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NSISMedia]
"DisplayName"=-
Save this as fix.reg Choose to save as *all files and place it on your Desktop.
Double-click on it and when it asks you if you want to merge the contents to the registry, click Yes/OK.
Make sure to do a reboot see how PC is now.
Gogo
0 -
I did what you said, then rebooted, and I'm still getting the ads. And AdWatch is coming back on all by itself. I did not turn it back on, but once I restarted the computer it was back on and tracking all these registry modifications, etc...
I'm starting to get a little worried that I'm only making things worse. We're going to figure it out, right?? I was told when I e-mailed lavasoft support that LS Calamity Jane was good at fixing this problem. Not that I doubt your knowledge, is there any way to bring that person in on this if they've fixed it before?
Also, no one really is telling me if these things are dangerous or not...That's what concerns me the most...
0 -
Hi,nmbrock
No problem send CJ a PM
but may i ask when you did as i asked you to and
you did the reboot and Ad-Watch popup did you say
Yes to the registry modifications.
if you said no then the fix will not work for you
but as i just said send a PM to CJ.
best of luck
Gogo
0 -
yes, I did exactly what you said...it's just that my computer is running more slowly now than it was before, and the nsis popups are still happening...
0 -
I'm taking a look now. Give me a little time to review what you all have been through so far and I'll come back with a reply in a bit
0 -
Hi,nmbrock
Yes this is one of them items that is hard to get to but as i said
if you like send a PM to CJ but i will keep trying to find some info
on this for you.
Gogo
0 -
Hey,CJ
As always thank you
Gogo
0 -
Ok, my experience in dealing with NSIS media extension is that it comes bundled with another program offered as freeware. Some examples are:
Extensions Firefox,
Winamp,
Foxie Browser,
PPlive,
Arcade Classic,
DivX dvd ripper,
Matrix,
Office Poker,
several Openware, and others not still recognized
Any of the above look familiar as recently installed programs? If so that is what may have brought on the NSIS media.
It's very difficult to remove manually. And, even if you do, once you run the program that it came with, it will reinstall it. The best solution I have found is to identify the program that installed and get rid of both to ensure it doesn't come back.
Let's have look from a different log from HijackThis.
Open HijackThis and instead of scan, choose *Open Misc Tools section*
Then choose *open uninstall manager*
Wait while it prepares a list. When it finishes, press the *save list* button. That should produce a text file.
Please copy and paste the results back here for review.
0 -
I do have that Arcade thing that you mentioned...I've had it for awhile, but never really used it. Looking back, I think maybe these popups did start around that time.
A couple of questions:
1. Are the popups dangerous at all? That is what no one has answered so far...
2. What do I need to do about all of the registry updating HJThis was having me do...do I need to put things back the way they were? I don't really understand what those couple of steps did. All I know is now my AdWatch is freaking out because of the registry modifications...
Anyway...here is the HijackThis log.
Ad-Aware SE Plus
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 7.0.9
Apple Software Update
Arcade! Classic Arcade Pack 5.0
ArcSoft PhotoImpression
AT&T Self Support Tool
AT&T Yahoo! Applications
AVG Free Edition
Boggle Supreme
BroadJump Client Foundation
GRE POWERPREP
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
HP DeskJet 810C Series (Remove only)
Inspector Parker
Intel® PRO Network Adapters and Drivers
iPod for Windows 2005-09-23
iPod for Windows 2006-01-10
iTunes
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_05
Keyboarding Skills Test 2004 Version 2.0.1
Macromedia Flash Player 8
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Web Publishing Wizard 1.52
Microsoft Windows Journal Viewer
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
NSIS Media Extension
NVIDIA Display Driver
NVIDIA Windows 2000/XP Display Drivers
Palm
QuickTime
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Shockwave
SolSuite
Sony Picture Utility
Sony USB Driver
SplashShopper
The Print Shop 12
The Sims 2
Trillian
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Windows Defender
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
0 -
Great!
Yep, that's it. Arcade is what installed it and will keep installing until you uninstall both. Been through this exact same thing with another victim here:
http://www.dslreports.com/forum/remark,16709575
These are not malicious, just annoying. If you want to get rid of the popups you'll need to uninstall both of these:
Arcade! Classic Arcade Pack 5.0
NSIS Media Extension
But first! Now, you have to turn off your Ad-Watch because it is alerting you on every registry change and these changes we are making for the good! It will also alert you when removing those programs, so let's stop the alerts until we can get these things off of here.
Open Ad-Aware SE and select *AdWatch*
Under tools and preference,
Deselect (red x) : Load Adwatch on Windows Startup
Deselect both Active and Automatic options at the bottom (red X)
Restart your computer.
Then remove the above programs I listed for you from Add/remove programs in the control panel
Uninstall via Add/Remove programs in the control Panel.
Let me know how that goes. Usually this is enough to take care of it.
Arcade! Classic Arcade Pack 5.0
NSIS Media Extension
Restart your computer again.
Let me know if those two programs have now disappeared from the Add/Remove program list
Submit a fresh HijackThis log for review. Let me know what problems persist.
Once we have cleared this we can re-enable Ad-Watch.
The registry fixes HJThis supplied to you are not harmful, however they could interfere with the proper removal of the programs right now. Ad-watch doesn't know bad from good registry changes which is why it is alerting you. For now it is easier to instruct you to just turn it off until we get these resolved.
The logs we were looking at don't show all of the items in the registry from NSIS media so removal by Add/Remove is really the best method along with removing the program that sponsored it (Arcade).
I hope that helps explain what is going on. But rest assured this one is not harmful to your computer.
0 -
This is unrelated but while we are at it you have some old outdated Sun Java versions installed that could be a security vulnerability. We might as well fix that too
Old versions left on your pc, even after updating can be vulnerable to malware exploit. Go to Start / Control Panel and look in Add/Remove programs. Remove all old versions of Sun Java.
They will appear in the "J's" something similar to:
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_05
Then go get the latest up to date version here:
http://www.java.com/en/download/manual.jsp
Here's why removing old versions of Sun Java is important:
Potential Vulnerability with Sun Java auto update
http://www.dslreports.com/forum/remark,14738046
This is a vulnerability in that Sun Java new updated versions do not remove prior vulnerable versions. You will have to remember to do that manually whenever you update your Sun Java.
0 -
It looks like they're both gone. I don't see them in the add/remove programs anymore, and I didn't get a pop-up this time when I opened Internet Explorer.
Here's the new HijackThis log.
Now, I know you said those registry changes were for the good, but do I need to do anything to clean that stuff up? I have all sorts of notepad files and programs on my desktop now (silentrunners, combofix, avengers, etc.) Should I just uninstall them, too?
Logfile of HijackThis v1.99.1
Scan saved at 9:08:30 PM, on 1/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\myhjt.exe.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/default.armx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\common\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [iNTERNATIONAL] International*
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4A752EEF-26FA-4E8F-8FF0-4EB40FE1D33B} (ACNPlayer2 Class) - http://209.67.146.68/HarrisFiles/eplayer.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp...tle/Coupons.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - http://entimg.msn.com/client/msnmusax2822.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
0 -
Very good.
A couple of minor items to finish up.
Open HijackThis and do a *system scan only*
When it finishes, place a checkmark next to these two items, then press the *fix checked* button:
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} - <--empty leftover (HijackThis can remove it)
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab <---comet adware (HijackThis can remove it)
We will be deleting any special tools used but before you do that, could I see a fresh log from SilentRunners, just to be sure we got everything? If that is clean, then I'll help advise how to get rid of the extra items left on your desktop. The registry fixes won't be needed (if any are, we'll create new ones depending on what the SilentRunners log shows if anything).
Then, when done with that, we'll have you turn Ad-Watch back on again and see if it is still giving alerts and help you with those.
0 -
Ok...I'm done with the java stuff too now. Let me know what I need to do to wrap this up!
0
Please sign in to leave a comment.
Comments
51 comments