katz New Member Date Joined Jun 2007 Total Posts : 27 Posted 3/1/2008 6:00 PM (GMT +3) I am getting very agitated. I have pop-ups and yet the pop-up blocker is enabled, so there is an infection somewhere, yet I have tried looking for it, even downloading tools to scan with, but the little thing is evading me, grrr. Then I find I cannot get IE7 to work anywhere at any time; there seems no way to uninstall it so that I can re-install it! Then I try to go to support in BullGuard and find not only are my emails failing to get sent (an error occurred) but I can't ask for chat as there is a problem there too......................... (scream) Any kind soul around who can shed some light for me???
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 12862 Posted 3/1/2008 7:54 PM (GMT +3) Hello katz
After you have run the scan tools:
Reboot normally.
Post the HijackThis log along with the SuperAntiSpyware log and C:\ComboFix.txt in this topic.
I'll look at it.
Do NOT post your problem in someone else's thread.
katz New Member Date Joined Jun 2007 Total Posts : 27 Posted 3/1/2008 9:11 PM (GMT +3)
katz New Member Date Joined Jun 2007 Total Posts : 27 Posted 3/1/2008 10:08 PM (GMT +3) OK, had CCleaner anyway and ran that; Spybot will not load on my PC, says an unknown error occurred and was not saved, done this three times. Have downloaded ComboFix but unsure as to what to do next as I have not done the Spybot; can see where the pop-ups were coming from, MyWebSearch, but when I went to do the quarantine bit it was not there??? Scanned twice and the same thing happened. I am not a novice when it comes to installing and using software so I don't think it is my mistake, nor am I an expert to know what is going wrong; getting frustrated now, how do you fellas cope with it all? Will wait till I am told what to do next, thank you
katz New Member Date Joined Jun 2007 Total Posts : 27 Posted 3/2/2008 11:54 AM (GMT +3) Got as far as ComboFix; for some reason it says the script is wrong, so I am going to download it again. Sorry to take so long, I am trying to do as you asked, but could you just bear with me, I have a disease in my hands that only lets me work on the PC so long. I do appreciate your help, thanks
katz New Member Date Joined Jun 2007 Total Posts : 27 Posted 3/2/2008 12:06 PM (GMT +3) OK, I have downloaded ComboFix from three of the locations given; the 1st one said the page was not available anymore, the URL or something was not found. The other three come up the same each time, saying the script CFS is not correctly spelt; the blue box comes up ready to work but does not go any further. As you may be aware it is Mother's Day today and I am being whisked off for the day by my children, so won't be able to work on this until I return this evening. So sorry to be a nuisance, hope you are understanding, have a nice day yourself and I will be in touch.
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 12862 Posted 3/2/2008 12:51 PM (GMT +3) You are not supposed to use the CFS script - yet.
Let's try this method (after Mother's Day; congratulations, BTW).
Please download ComboFix:
and save it to the desktop.
Close all other browser windows.
Important -> Temporarily disable your anti-virus real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
Go to Start --> Run and copy/paste in the following: "%userprofile%\desktop\combofix.exe" /killall
When finished, it will produce a logfile located at C:\ComboFix.txt.
Post the contents of that log in your next reply with a new HijackThis log.
Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to stall/hang.
katz New Member Date Joined Jun 2007 Total Posts : 27 Posted 3/2/2008 9:40 PM (GMT +3) Redone CCleaner and Spybot as well as SUPERAntiSpyware; one tracking cookie in SUPERAntiSpyware this time round, deleted. Downloaded ComboFix again and tried to run it, got the same message again. You said I should not be using CFS yet, but I have not done anything to use it or allow it at all. When I downloaded HJT it said for some reason my system has denied access to the hosts file, and to sort this out for Vista to go to administrator and run it then; this I am unsure of how to do. Thank you, I had a great day with far too many chocolates, shame I cannot share them with you! I await your advice and thank you for your patience.
katz New Member Date Joined Jun 2007 Total Posts : 27 Posted 3/2/2008 9:53 PM (GMT +3)
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 12862 Posted 3/2/2008 10:07 PM (GMT +3) Ok, we'll try another scanner then -
(If you get an error, right-click on dss.exe and choose run as admin)
When the scan is complete, a text file will open - Main.txt. Click on Format and uncheck Word Wrap, if checked. Please save this file and close Notepad. A folder, C:\Deckard, will also open. In it will be another text file, Extra.txt. Please save this file too, and exit Notepad. Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. Post back to the forum the contents of Main.txt and the contents of C:\Deckard\Extra.txt.
I'll look at it tomorrow, as it's getting late here in Denmark.
katz New Member Date Joined Jun 2007 Total Posts : 27 Posted 3/4/2008 11:54 PM (GMT +3)
Deckard's System Scanner v20071014.68
Run by Katzyin on 2008-03-04 20:41:41
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
37: 2008-03-04 09:56:30 UTC - RP251 - Installed Windows Live
36: 2008-03-04 08:48:58 UTC - RP250 - Installed Windows Live
35: 2008-03-03 09:27:44 UTC - RP249 - Removed User Agent String Utility
34: 2008-03-03 09:25:40 UTC - RP248 - Removed Ad-Aware 2007
33: 2008-03-02 18:17:41 UTC - RP247 - Removed VersionTracker Pro Windows

-- First Restore Point --
1: 2008-02-11 19:14:47 UTC - RP215 - Removed Google Earth.

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Katzyin.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:43, on 2008-03-04
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\SOUNDMAN.EXE
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe
C:\Windows\ehome\ehtray.exe
C:\Users\Katzyin\AppData\Local\lqglq.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Katzyin\Desktop\dss.exe
C:\Windows\system32\conime.exe C:\Windows\system32\SearchFilterHost.exe C:\PROGRA~1\TRENDM~1\HIJACK~1\Katzyin.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.msn.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} 
- C:\Program Files\Siber Systems\AI RoboForm\roboform.dll O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe" -boot O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [iolo Startup] "C:\Program Files\iolo\Common\Lib\ioloLManager.exe" O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe" O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe O4 - HKCU\..\Run: [lqglq] c:\users\katzyin\appdata\local\lqglq.exe lqglq O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user') O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm O8 - Extra context menu item: Add to Windows &Live Favorites - 
http://favorites.live.com/quickadd.aspx O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O13 - Gopher Prefix: O16 - DPF: 
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/VistaMSNPUplden-gb.cab O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://katzyin.spaces.live.com/PhotoUpload/VistaMsnPUplden-gb.cab O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll O23 - Service: BullGuard LiveUpdate (BgLiveSvc) - BullGuard Ltd. - C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. 
- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe -- End of file - 9169 bytes -- File Associations -----------------------------------------------------------.js - JSFile - shell\open\command - NOTEPAD.EXE %1 .reg - regfile - shell\open\command - NOTEPAD.EXE %1 .scr - scrfile - shell\open\command - NOTEPAD.EXE %1 .vbs - VBSFile - shell\open\command - NOTEPAD.EXE %1 -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------- R1 ElRawDisk - \??\c:\windows\system32\drivers\elrawdsk.sys R1 FileDisk - c:\windows\system32\drivers\filedisk.sys <Not Verified; iolo technologies, LLC (based on original work by Bo Brantén); filedisk (based on original work by Bo Brantén)> R3 SASENUM - \??\c:\program files\superantispyware\sasenum.sys S3 TVICHW32 - \??\c:\windows\system32\drivers\tvichw32.sys -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled -------------------- All services whitelisted. -- Device Manager: Disabled ---------------------------------------------------- No disabled devices found. 
-- Scheduled Tasks ------------------------------------------------------------- 2008-03-04 20:37:28 422 --ah----- C:\Windows\Tasks\User_Feed_Synchronization-{9A8AE781-0577-4DE1-A6C7-D791AF3C9CCA}.job 2008-03-04 20:18:01 256 --a------ C:\Windows\Tasks\Check Updates for Windows Live Toolbar.job 2008-03-04 18:14:16 386 --a------ C:\Windows\Tasks\AutoSmartDefrag.job 2007-12-23 22:00:00 480 --a------ C:\Windows\Tasks\SmartDefrag.job -- Files created between 2008-02-04 and 2008-03-04 ----------------------------- 2008-03-04 20:43:05 0 d-------- C:\Program Files\Trend Micro 2008-03-02 17:23:06 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller 2008-03-01 20:20:41 68096 --a------ C:\Windows\system32\zip.exe 2008-03-01 20:20:40 80412 --a------ C:\Windows\system32\grep.exe 2008-03-01 20:20:40 73728 --a------ C:\Windows\system32\fdsv.exe <Not Verified; Smallfrogs Studio; > 2008-03-01 20:20:39 53248 --a------ C:\Windows\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec> 2008-03-01 19:19:27 0 d-------- C:\Users\All Users\Spybot - Search & Destroy 2008-03-01 18:11:28 0 d-------- C:\Users\All Users\SUPERAntiSpyware.com 2008-03-01 18:09:57 0 d-------- C:\Program Files\SUPERAntiSpyware 2008-02-29 06:23:45 0 d-------- C:\Users\All Users\Lavasoft 2008-02-29 06:22:44 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard 2008-02-28 15:41:55 0 d-------- C:\Program Files\Microsoft Silverlight 2008-02-23 12:56:59 0 -rahs---- C:\MSDOS.SYS 2008-02-23 12:56:59 0 -rahs---- C:\IO.SYS 2008-02-23 12:39:03 9341 --a------ C:\Windows\system32\drivers\filedisk.sys <Not Verified; iolo technologies, LLC (based on original work by Bo Brantén); filedisk (based on original work by Bo Brantén)> 2008-02-23 12:10:26 12800 --a------ C:\Windows\system32\drivers\elrawdsk.sys <Not Verified; EldoS Corporation; RawDisk> 2008-02-23 12:10:02 12800 --a------ C:\Windows\system32\elrawdsk.sys <Not Verified; EldoS Corporation; RawDisk> 2008-02-23 12:09:55 24064 --a------ 
C:\Windows\system32\smrgdf.exe 2008-02-23 12:09:55 32768 --a------ C:\Windows\system32\iolobtdfg.exe 2008-02-23 12:09:52 0 d-------- C:\Program Files\iolo 2008-02-23 12:08:33 74703 --a------ C:\Windows\system32\mfc45.dll 2008-02-23 12:06:48 0 d-------- C:\Users\All Users\iolo 2008-02-07 10:39:14 0 d-------- C:\Program Files\Common Files\Adobe -- Find3M Report --------------------------------------------------------------- 2008-03-04 10:02:08 0 d-------- C:\Program Files\Windows Live 2008-03-03 00:21:35 0 d-------- C:\Program Files\SpywareBlaster 2008-03-02 17:23:06 0 d-------- C:\Program Files\Common Files 2008-03-01 18:09:57 0 d-------- C:\Users\Katzyin\AppData\Roaming\SUPERAntiSpyware.com 2008-03-01 17:54:02 230432 --a------ C:\PA207.DAT 2008-03-01 13:24:08 0 d-------- C:\Program Files\Zards software 2008-02-23 12:18:59 0 d-------- C:\Users\Katzyin\AppData\Roaming\iolo 2008-02-18 10:21:10 1740 --a------ C:\Users\Katzyin\AppData\Roaming\wklnhst.dat 2008-02-12 07:26:03 0 d-------- C:\Program Files\Google 2008-02-11 19:15:52 0 d-------- C:\Users\Katzyin\AppData\Roaming\BullGuard 2008-02-08 10:30:11 0 d-------- C:\Users\Katzyin\AppData\Roaming\Smart PC Solutions 2008-01-29 07:26:20 28672 --a------ C:\Windows\system32\f3PSSavr.scr <Not Verified; FunWebProducts.com; Popular Screensavers> 2008-01-19 18:11:41 0 d-------- C:\Program Files\Pogo UK 2008-01-19 15:16:15 0 d-------- C:\Program Files\BullGuard Ltd 2008-01-09 11:37:53 0 d-------- C:\Program Files\Windows Mail 2008-01-09 11:37:52 0 d-------- C:\Program Files\Windows Sidebar 2007-12-11 20:25:15 67768 --a------ C:\Users\Katzyin\AppData\Roaming\GDIPFONTCACHEV1.DAT -- Registry Dump --------------------------------------------------------------- *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-06-25 20:42] "BullGuard"="C:\Program Files\BullGuard 
Ltd\BullGuard\bullguard.exe" [2008-02-19 17:52] "SoundMan"="SOUNDMAN.EXE" [2007-03-09 16:28 C:\Windows\SOUNDMAN.EXE] "iolo Startup"="C:\Program Files\iolo\Common\Lib\ioloLManager.exe" [2007-11-21 20:16] "IgfxTray"="C:\Windows\system32\igfxtray.exe" [2008-01-02 17:07] "HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2008-01-02 17:06] "Persistence"="C:\Windows\system32\igfxpers.exe" [2008-01-02 17:07] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "BullGuard"="C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe" [2008-02-19 17:52] "ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 12:34] "lqglq"="c:\users\katzyin\appdata\local\lqglq.exe" [2008-02-24 11:07] "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 12:33] "RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-03-01 13:24] "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03] "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43] "msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34] [HKEY_USERS\.default\software\microsoft\windows\currentversion\run] "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"=2 (0x2) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "disableregistrytools"=0 (0x0) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo] 
@="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BgMainSvc] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}] @="Volume shadow copy" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}] @="IEEE 1394 Bus host controllers" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}] @="SBP2 IEEE 1394 Devices" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}] @="SecurityDevices" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor] C:\Windows\PixArt\PAC207\Monitor.exe 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
%ProgramFiles%\Windows Defender\MSASCui.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt hpqcxs08 hpqddsvc BullGuard BgMainSvc BsFileScan BsMailProxy BsFire

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI

-- Hosts -----------------------------------------------------------------------
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
8002 more entries in hosts file.

-- End of Deckard's System Scanner: finished at 2008-03-04 20:46:36 ------------
katz New Member Date Joined Jun 2007 Total Posts : 27 Posted 3/4/2008 11:58 PM (GMT +3) Hope this helps and that I have done it correctly, thank you
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 12862 Posted 3/5/2008 11:37 AM (GMT +3) It looks right.
Update SUPERAntiSpyware.
Download DrWeb CureIt:
to your desktop.
Run HijackThis and place a check beside each of the following. Close all other browser windows except HJT.
Click Fix checked.
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKCU\..\Run: [lqglq] c:\users\katzyin\appdata\local\lqglq.exe lqglq
Please print out or copy this page to Notepad, as you will be in Safe Mode and unable to refer to this page.
Double-click "drweb-cureit.exe" and click "Start" in the prompt window that will open, asking "start the express scan now".
It will first make a quick scan of your system; let it clean what it finds, and when it says "done":
Click on Options -> Change settings.
Actions tab - Adware, Dialers, Riskware, Hacktools: use the dropdown menu and select Rename.
Click Apply - OK.
Click on the Scan tab. Move the dot from Express scan to Complete scan. Click on the green arrow to the right. It will now scan your drive(s); say yes to all.
After the scan, in the Dr.Web CureIt menu on top, click File and choose Save report list.
Save the report to your desktop. The report will be called DrWeb.csv.
Close Dr.Web CureIt.
Reboot your computer!! Because it is possible that files in use will be moved/deleted during reboot.
Start SUPERAntiSpyware.
Hit the Scan Your Computer button.
Click on the drive(s) you want to scan. Put a check in Perform Complete Scan, then Next;
it will scan now. When the scan has finished, put a checkmark against all items it found. Next, after cleaning, allow it to reboot.
Start SUPERAntiSpyware again.
Click Preferences and then click the Statistics/Logs tab.
Click the dated log and press View Log and a text file will appear.
Post this log along with a fresh HijackThis log and the Dr.Web log, and tell how things are running.
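The two HijackThis lines Touch singles out above (an R3 search hook with no file behind it, and an O4 Run value that launches lqglq.exe from the user's AppData\Local) fit a pattern a small helper can screen for before a human reads the whole log. The Python below is an added example, not part of this thread or of HijackThis; its heuristics and severity labels are my own, and the sample lines are copied from the logs posted here with two benign vendor entries added for contrast.

```python
"""Triage of HijackThis-style log lines: an added example, not HijackThis itself.

Heuristics (my own, not from the thread): an O4 autorun whose executable lives
under a user profile's AppData, an O4 whose value name, file stem and sole
argument are identical, and any R3/O2/O3 entry marked "(no file)".
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the two HijackThis logs posted in this
# thread, plus two benign vendor entries for contrast.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe" -boot
O4 - HKCU\..\Run: [lqglq] c:\users\katzyin\appdata\local\lqglq.exe lqglq
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [hweset] c:\users\katzyin\appdata\local\hweset.exe hweset
"""

# "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# Optional quotes around the path; whatever follows the first ".exe" is the argument string.
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)"?(?:\s+(?P<args>.*))?$', re.IGNORECASE)
# Per-user writable locations that no vendor entry in these logs launches from.
USER_PROFILE_RE = re.compile(r'\\(?:appdata|application data|local settings)\\', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str
    severity: str  # "review": investigate before removing; "cleanup": safe to fix


def parse_o4(line):
    """Return (hive, value name, exe path, args) for an O4 line, or None otherwise."""
    m = O4_RE.match(line)
    if m is None:
        return None
    e = EXE_RE.match(m['cmd'])
    if e is None:                       # no .exe found; keep the raw command
        return m['hive'], m['name'], m['cmd'], ''
    return m['hive'], m['name'], e['exe'], (e['args'] or '').strip()


def triage(log_text):
    """Run the heuristics over every line of a log and return the findings in order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line[:2] in ('R3', 'O2', 'O3') and line.endswith('(no file)'):
            findings.append(Finding(line, 'orphaned hook/BHO/toolbar: its file is gone', 'cleanup'))
            continue
        parsed = parse_o4(line)
        if parsed is None:
            continue
        _hive, name, exe, args = parsed
        stem = exe.rsplit('\\', 1)[-1].lower()
        if stem.endswith('.exe'):
            stem = stem[:-4]
        if USER_PROFILE_RE.search(exe):
            findings.append(Finding(line, f'autorun launched from a user profile: {exe}', 'review'))
        if name.lower() == stem and args.lower() == stem:
            findings.append(Finding(line, f'value name, file stem and only argument are all "{stem}"', 'review'))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'[{f.severity}] {f.reason}\n    {f.line}')
```

A "review" hit is a prompt to look at the file (signature, creation time, what else references it), not a verdict; every vendor-signed entry in the sample passes untouched.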
katz New Member Date Joined Jun 2007 Total Posts : 27 Posted 3/6/2008 12:01 PM (GMT +3) Aw Touch, I am getting into a bit of a muddle here, so sorry, you are patient too. Let me explain a little. I have a hand disability in both hands and sometimes find using the PC a trial, hitting the right keys and manipulating the mouse, and other times I am on such strong painkillers I get a bit muddled. Well, I have been trying to follow the instructions as they have been given and telling you any problems I got along the way. In the middle of doing this Messenger sent me an update message and I updated, then found I could not open Messenger, so did a restore. There I found my problem, as it took away my good copy of HJT! Tried to download again but have the same problem; I seem to have a small problem downloading at times, not sure if this is significant at all. I did do Dr.Web, it said I have a trojan in the ComboFix files; saved the log but Windows can't open the files. grrr, so what I will do is set a day aside when my granddaughter is here to start at the beginning and go through it all again, as I don't want to annoy you with bits and pieces you can't work with. I still have pop-ups; I telephoned one of these advertisers and they said they could not do anything about it and that I must have accepted some freeware and got the ads as well, did I? I am not so sure, but I am enjoying telephoning them and keeping them on the line, getting frustrated with me as I won't go away that easily; gives me a giggle to have some kind of payback to their annoying sales tactics! Well Touch, I do hope you are understanding and will have some more patience with this old codger who is so grateful to you for bothering with her and her problems that will probably turn out to be my own silly fault! You live and learn, eh? Best wishes to you and yours, hear from you soon xx
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 12862 Posted 3/8/2008 12:45 PM (GMT +3) Ok, let's try another scanner then.
Download Deckard's System Scanner:
http://www.techsupportforum.com/sectools/Deckard/dss.exe
Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, a text file will open - Main.txt.
Click on Format and uncheck Word Wrap, if checked.
Please save this file and close Notepad.
A folder, C:\Deckard, will also open. In it will be another text file, Extra.txt. Please save this file too, and exit Notepad.
Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.
Post back to the forum the contents of Main.txt and the contents of C:\Deckard\Extra.txt.
katz New Member Date Joined Jun 2007 Total Posts : 27 Posted 3/9/2008 4:57 PM (GMT +3) This is the only text that came up with this scan, did it three times just to make sure. I do remember last time there was two text reports. Deckard's System Scanner v20071014.68 Run by Katzyin on 2008-03-09 12:43:23 Computer is in Normal Mode. -------------------------------------------------------------------------------- -- HijackThis Clone ------------------------------------------------------------ Emulating logfile of Trend Micro HijackThis v2.0.2 Scan saved at 2008-03-09 12:43:34 Platform: Windows Vista (6.00.6000) MSIE: Internet Explorer (7.00.6000.16386) Boot mode: Normal Running processes: C:\Windows\System32\dwm.exe C:\Windows\explorer.exe C:\Windows\System32\taskeng.exe C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe C:\Windows\System32\taskeng.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Windows\SOUNDMAN.EXE C:\Windows\System32\hkcmd.exe C:\Windows\System32\igfxpers.exe C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe C:\Windows\ehome\ehtray.exe C:\Program Files\Windows Media Player\wmpnscfg.exe C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Users\Katzyin\AppData\Local\hweset.exe C:\Windows\System32\igfxsrvc.exe C:\Windows\ehome\ehmsas.exe C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe C:\Windows\System32\wbem\unsecapp.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Windows\System32\conime.exe C:\Windows\System32\SearchFilterHost.exe C:\Users\Katzyin\Desktop\dss(3).exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R1 - HKLM\Software\Microsoft\Internet 
Explorer\Main,Default_Page_URL = http://uk.msn.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe" -boot O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [iolo Startup] "C:\Program Files\iolo\Common\Lib\ioloLManager.exe" O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe" O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program 
Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [hweset] c:\users\katzyin\appdata\local\hweset.exe hweset O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user') O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Fill Forms - 
{320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html (file missing) O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html (file missing) O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html (file missing) O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html (file missing) O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html (file missing) O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html (file missing) O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/VistaMSNPUplden-gb.cab O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - 
http://upload.facebook.com/controls/FacebookPhotoUploader3.cab O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://katzyin.spaces.live.com/PhotoUpload/VistaMsnPUplden-gb.cab O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_03) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\microsoft shared\Web Folders\PKMCDO.DLL O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\microsoft shared\Information Retrieval\msitss.dll O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: BullGuard LiveUpdate (BgLiveSvc) - BullGuard Ltd. - C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. 
- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe -- End of file - 9357 bytes -- Files created between 2008-02-09 and 2008-03-09 ----------------------------- 2008-03-05 20:47:36 0 d-------- C:\Users\Katzyin\DoctorWeb 2008-03-04 20:43:05 0 d-------- C:\Program Files\Trend Micro 2008-03-02 17:23:06 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller 2008-03-01 20:20:41 68096 --a------ C:\Windows\system32\zip.exe 2008-03-01 20:20:40 80412 --a------ C:\Windows\system32\grep.exe 2008-03-01 20:20:40 73728 --a------ C:\Windows\system32\fdsv.exe <Not Verified; Smallfrogs Studio; > 2008-03-01 20:20:39 53248 --a------ C:\Windows\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec> 2008-03-01 19:19:27 0 d-------- C:\Users\All Users\Spybot - Search & Destroy 2008-03-01 18:11:28 0 d-------- C:\Users\All Users\SUPERAntiSpyware.com 2008-03-01 18:09:57 0 d-------- C:\Program Files\SUPERAntiSpyware 2008-03-01 13:49:33 0 d-------- C:\Program Files\Microsoft User Agent String Utility 2008-02-29 06:23:45 0 d-------- C:\Users\All Users\Lavasoft 2008-02-29 06:22:44 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard 2008-02-28 15:41:55 0 d-------- C:\Program Files\Microsoft Silverlight 2008-02-23 12:56:59 0 -rahs---- C:\MSDOS.SYS 2008-02-23 12:56:59 0 -rahs---- C:\IO.SYS 2008-02-23 12:39:03 9341 --a------ C:\Windows\system32\drivers\filedisk.sys <Not Verified; iolo technologies, LLC (based on original work by Bo Brantén); filedisk (based on original work by Bo Brantén)> 2008-02-23 12:10:26 12800 --a------ C:\Windows\system32\drivers\elrawdsk.sys <Not Verified; EldoS Corporation; RawDisk> 2008-02-23 12:10:02 12800 --a------ C:\Windows\system32\elrawdsk.sys <Not Verified; EldoS Corporation; RawDisk> 2008-02-23 12:09:55 24064 --a------ C:\Windows\system32\smrgdf.exe 2008-02-23 12:09:55 32768 --a------ C:\Windows\system32\iolobtdfg.exe 2008-02-23 12:09:52 0 d-------- C:\Program Files\iolo 2008-02-23 12:08:33 74703 --a------ 
C:\Windows\system32\mfc45.dll 2008-02-23 12:06:48 0 d-------- C:\Users\All Users\iolo -- Find3M Report --------------------------------------------------------------- 2008-03-05 17:44:54 0 d-------- C:\Users\Katzyin\AppData\Roaming\iolo 2008-03-05 17:44:54 0 d-------- C:\Program Files\MSN Messenger 2008-03-04 10:02:08 0 d-------- C:\Program Files\Windows Live 2008-03-03 00:21:35 0 d-------- C:\Program Files\SpywareBlaster 2008-03-02 17:23:06 0 d-------- C:\Program Files\Common Files 2008-03-01 18:09:57 0 d-------- C:\Users\Katzyin\AppData\Roaming\SUPERAntiSpyware.com 2008-03-01 17:54:02 230432 --a------ C:\PA207.DAT 2008-03-01 13:24:08 0 d-------- C:\Program Files\Zards software 2008-02-18 10:21:10 1740 --a------ C:\Users\Katzyin\AppData\Roaming\wklnhst.dat 2008-02-12 07:26:03 0 d-------- C:\Program Files\Google 2008-02-11 19:15:52 0 d-------- C:\Users\Katzyin\AppData\Roaming\BullGuard 2008-02-08 10:30:11 0 d-------- C:\Users\Katzyin\AppData\Roaming\Smart PC Solutions 2008-02-07 10:39:30 0 d-------- C:\Program Files\Common Files\Adobe 2008-01-29 07:26:20 28672 --a------ C:\Windows\system32\f3PSSavr.scr <Not Verified; FunWebProducts.com; Popular Screensavers> 2008-01-19 18:11:41 0 d-------- C:\Program Files\Pogo UK 2008-01-19 15:16:15 0 d-------- C:\Program Files\BullGuard Ltd 2008-01-09 11:37:53 0 d-------- C:\Program Files\Windows Mail 2008-01-09 11:37:52 0 d-------- C:\Program Files\Windows Sidebar 2007-12-11 20:25:15 67768 --a------ C:\Users\Katzyin\AppData\Roaming\GDIPFONTCACHEV1.DAT -- Registry Dump --------------------------------------------------------------- *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-06-25 20:42] "BullGuard"="C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe" [2008-02-19 17:52] "SoundMan"="SOUNDMAN.EXE" [2007-03-09 16:28 C:\Windows\SOUNDMAN.EXE] "iolo Startup"="C:\Program 
Files\iolo\Common\Lib\ioloLManager.exe" [2008-03-04 15:17] "IgfxTray"="C:\Windows\system32\igfxtray.exe" [2008-01-02 17:07] "HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2008-01-02 17:06] "Persistence"="C:\Windows\system32\igfxpers.exe" [2008-01-02 17:07] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "BullGuard"="C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe" [2008-02-19 17:52] "ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 12:34] "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 12:33] "RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-03-01 13:24] "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03] "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43] "hweset"="c:\users\katzyin\appdata\local\hweset.exe" [2008-03-07 20:43] "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54] [HKEY_USERS\.default\software\microsoft\windows\currentversion\run] "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"=2 (0x2) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "disableregistrytools"=0 (0x0) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BgMainSvc] @="Service" 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}] @="Volume shadow copy" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}] @="IEEE 1394 Bus host controllers" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}] @="SBP2 IEEE 1394 Devices" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}] @="SecurityDevices" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor] C:\Windows\PixArt\PAC207\Monitor.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr] "C:\Program Files\MSN 
Messenger\MsnMsgr.Exe" /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] hpdevmgmt hpqcxs08 hpqddsvc BullGuard BgMainSvc BsFileScan BsMailProxy BsFire [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] C:\Windows\system32\unregmp2.exe /ShowWMP [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}] %SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI -- End of Deckard's System Scanner: finished at 2008-03-09 12:43:55 ------------ Back to Top
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 12862 Posted 3/9/2008 5:50 PM (GMT +3) They will do
Run Hijackthis and place a check beside each of the following. Close all other browser windows except HJT. Click fix checked:
O4 - HKCU\..\Run: [hweset] c:\users\katzyin\appdata\local\hweset.exe hweset
Re-start your PC in Safe Mode
Delete the following files or folders (delete item in bold). Please do not be concerned if any of the items are not found as they may have been automatically removed by actions I had you take earlier in the cleaning process.
Delete-
Files:
c:\users\katzyin\appdata\local\hweset.exe
Reboot normally, and tell me how things are running now?
Do NOT post your problem in someone else's thread.
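The fix above turns on one observation: the autostart entry `O4 - HKCU\..\Run: [hweset]` launches an executable from the user's own AppData\Local folder, a location an ordinary user account can write to, whereas the legitimate entries point into Program Files or Windows. As an added example (not part of this thread or of HijackThis), here is a small Python triage script that parses HijackThis-style O4 lines and flags entries whose image lives in a user-writable profile directory, or is a bare filename resolved through the search path. The sample lines are copied from the log posted above; the environment-variable map and severity labels are my own assumptions.

```python
import re
from typing import List, NamedTuple, Optional

# Matches one HijackThis "O4" autostart entry, e.g.
#   O4 - HKCU\..\Run: [hweset] c:\users\katzyin\appdata\local\hweset.exe hweset
#   O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\...\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Path fragments an unprivileged user can write to (assumed list, lower-case).
USER_WRITABLE = ("\\appdata\\", "\\users\\", "\\documents and settings\\", "\\temp\\")

# Minimal expansion of the variables HijackThis leaves unexpanded (assumed defaults).
ENV = {"%programfiles%": "c:\\program files", "%systemroot%": "c:\\windows", "%windir%": "c:\\windows"}


class Finding(NamedTuple):
    name: str      # registry value name, e.g. "hweset"
    hive: str      # e.g. "HKCU" or "HKUS\S-1-5-19"
    image: str     # executable the entry launches
    severity: str  # "high" (profile path) or "low" (bare filename)
    reason: str


def image_path(cmd: str) -> str:
    """Return the executable from an autostart command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path: up to the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(?=\s|$)", cmd, re.IGNORECASE)  # unquoted path, may contain spaces
    return m.group(1) if m else cmd.split()[0]


def classify(name: str, hive: str, cmd: str) -> Optional[Finding]:
    image = image_path(cmd)
    low = image.lower()
    for var, value in ENV.items():
        low = low.replace(var, value)
    if "\\" not in low:
        return Finding(name, hive, image, "low", "bare filename resolved via search path")
    if any(frag in low for frag in USER_WRITABLE):
        return Finding(name, hive, image, "high", "image lives in a user-writable profile directory")
    return None


def suspicious_autostarts(log_text: str) -> List[Finding]:
    """Scan a HijackThis log and return O4 entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            f = classify(m["name"], m["hive"], m["cmd"])
            if f:
                findings.append(f)
    return findings


# Constructed sample: a few lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe" -boot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKCU\..\Run: [hweset] c:\users\katzyin\appdata\local\hweset.exe hweset
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
"""

if __name__ == "__main__":
    for f in suspicious_autostarts(SAMPLE_LOG):
        print(f"[{f.severity}] {f.hive} [{f.name}] -> {f.image}: {f.reason}")
```

Only the hweset entry comes out as high severity; the bare-filename hits (SOUNDMAN.EXE, rundll32.exe) are low-severity prompts to confirm which file on the search path actually runs.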
katz New Member Date Joined Jun 2007 Total Posts : 27 Posted 3/12/2008 10:44 AM (GMT +3) Touch, all is gone. Left it till the next day just to see, and the pop ups are definitely gone, thank you very much! IE has still refused to work throughout the whole proceedings. Thanks for helping get rid of the pop ups, they are so annoying. It only showed up in safe mode, clever little things ain't they grrrrrr! Once again thanks for your help xxx
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 12862 Posted 3/12/2008 10:52 AM (GMT +3) That's good news
Ever considered using Firefox?
Please read Tony Klein's excellent article about how to prevent against spyware/hijackers in the future
Do NOT post your problem in someone else's thread.
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 12862 Posted 3/12/2008 11:02 AM (GMT +3) I was glad to help
Since your problem appears to be resolved, this thread will now be closed.
If you need this topic reopened, please PM a Moderator and we will reopen it for you
Do NOT post your problem in someone else's thread.