Unstoppable pop-ups (RESOLVED)

  #11 Neal (Dedicated Member)

    Re: Unstoppable pop-ups (RESOLVED)

    Open Notepad (it must be Notepad) and copy/paste the text in the quote box below into it (NOT the word "Quote"):


    Folder::
    C:\Program Files\DownloadWare
    C:\Program Files\MoviePlace
    C:\Program Files\Real-Tens

    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadWare]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoviePlace]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Real-Tens]
    Save this as CFScript

    Then drag the CFScript onto ComboFix.exe, as you see in the screenshot below.


    [screenshot: CFScript being dragged onto ComboFix.exe]



    This will start ComboFix again. After the reboot (if it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.


  #12 samisemo (Full Member)
    ComboFix 08-12-12.02 - Xing-Guo Sun MD 2008-12-14 19:39:18.4 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.208 [GMT -8:00]
    Running from: c:\documents and settings\Xing-Guo Sun MD\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Xing-Guo Sun MD\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\Real-Tens
    c:\program files\Real-Tens\Real-Tens.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-11-15 to 2008-12-15 )))))))))))))))))))))))))))))))
    .

    2008-12-11 23:44 . 2008-10-16 12:38 6,066,176 --------- c:\windows\system32\dllcache\ieframe.dll
    2008-12-11 23:44 . 2007-04-17 01:32 2,455,488 --------- c:\windows\system32\dllcache\ieapfltr.dat
    2008-12-11 23:44 . 2007-03-07 21:10 991,232 --------- c:\windows\system32\dllcache\ieframe.dll.mui
    2008-12-11 23:44 . 2008-10-16 12:38 459,264 --------- c:\windows\system32\dllcache\msfeeds.dll
    2008-12-11 23:44 . 2008-10-16 12:38 383,488 --------- c:\windows\system32\dllcache\ieapfltr.dll
    2008-12-11 23:44 . 2008-10-16 12:38 267,776 --------- c:\windows\system32\dllcache\iertutil.dll
    2008-12-11 23:44 . 2008-10-16 12:38 63,488 --------- c:\windows\system32\dllcache\icardie.dll
    2008-12-11 23:44 . 2008-10-16 12:38 52,224 --------- c:\windows\system32\dllcache\msfeedsbs.dll
    2008-12-11 23:44 . 2008-10-16 05:11 13,824 --------- c:\windows\system32\dllcache\ieudinit.exe
    2008-12-11 23:39 . 2008-08-14 02:00 2,180,352 --------- c:\windows\system32\dllcache\ntoskrnl.exe
    2008-12-11 23:39 . 2008-08-14 01:58 2,136,064 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
    2008-12-11 23:39 . 2008-08-14 01:22 2,057,728 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
    2008-12-11 23:39 . 2008-08-14 01:22 2,015,744 --------- c:\windows\system32\dllcache\ntkrpamp.exe
    2008-12-11 23:39 . 2008-09-15 03:57 1,846,016 --------- c:\windows\system32\dllcache\win32k.sys
    2008-12-11 23:33 . 2008-05-01 06:30 331,776 --------- c:\windows\system32\dllcache\msadce.dll
    2008-12-11 23:25 . 2008-06-13 05:10 272,128 --------- c:\windows\system32\dllcache\bthport.sys
    2008-12-11 23:24 . 2008-08-14 01:51 138,368 --------- c:\windows\system32\dllcache\afd.sys
    2008-12-11 22:12 . 2008-10-16 14:09 31,768 --a------ c:\windows\system32\wucltui.dll.mui
    2008-12-11 22:12 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuaucpl.cpl.mui
    2008-12-11 22:12 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
    2008-12-11 22:12 . 2008-10-16 14:07 18,456 --a------ c:\windows\system32\wuaueng.dll.mui
    2008-12-11 22:00 . 2008-12-11 22:00 577,024 --a------ c:\windows\system32\dllcache\user32.dll
    2008-12-11 20:46 . 2008-12-11 20:46 <DIR> d-------- c:\windows\ERUNT
    2008-12-11 20:44 . 2008-12-11 20:44 <DIR> d--hs---- C:\FOUND.000
    2008-12-11 20:36 . 2008-11-06 02:03 <DIR> d-------- C:\SDFix
    2008-12-06 16:43 . 2008-12-06 16:43 <DIR> d-------- c:\documents and settings\Xing-Guo Sun MD\Application Data\Twain

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-08 03:08 --------- d-----w c:\program files\iPod
    2008-11-08 03:08 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    2008-11-08 03:05 --------- d-----w c:\program files\QuickTime
    2008-11-08 02:40 --------- d-----w c:\program files\Bonjour
    2008-11-08 01:53 --------- d-----w c:\documents and settings\Xing-Guo Sun MD\Application Data\Malwarebytes
    2008-11-08 01:52 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
    2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
    2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
    2008-10-23 13:01 283,648 ------w c:\windows\system32\dllcache\gdi32.dll
    2008-10-23 00:10 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2008-10-23 00:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
    2008-10-17 10:08 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
    2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 22:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
    2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
    2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 22:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
    2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 22:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
    2008-10-16 22:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
    2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 22:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
    2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
    2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
    2008-10-16 22:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
    2008-10-16 13:11 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
    2008-10-15 16:57 332,800 ------w c:\windows\system32\dllcache\netapi32.dll
    2008-10-15 07:06 633,632 ------w c:\windows\system32\dllcache\iexplore.exe
    2008-10-15 07:04 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
    2008-10-03 10:15 247,326 ----a-w c:\windows\system32\strmdll.dll
    2008-10-03 10:15 247,326 ------w c:\windows\system32\dllcache\strmdll.dll
    2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
    2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
    2008-01-27 20:34 154,024 ----a-w c:\documents and settings\Xing-Guo Sun MD\Application Data\GDIPFONTCACHEV1.DAT
    2007-12-22 04:13 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
    2006-03-30 01:35 5,120 ----a-w c:\program files\pythonw.exe
    2006-03-30 01:35 4,608 ----a-w c:\program files\w9xpopen.exe
    2006-03-30 01:35 4,608 ----a-w c:\program files\python.exe
    2006-03-29 21:24 245,894 ----a-w c:\program files\NEWS.txt
    2006-03-23 18:47 13,755 ----a-w c:\program files\LICENSE.txt
    2006-03-13 22:51 51,999 ----a-w c:\program files\README.txt
    2005-10-29 04:15 766 ----a-w c:\program files\pyc.ico
    2005-10-29 04:15 766 ----a-w c:\program files\py.ico
    2004-01-30 03:16 114,984 ------w c:\documents and settings\xgsun\Application Data\GDIPFONTCACHEV1.DAT
    2004-01-05 00:33 32,768 ------w c:\documents and settings\xgsun\index.dat
    2001-09-18 02:00 82,206 ------w c:\program files\installScreen.jpg
    2001-09-07 01:02 91,469 ------w c:\program files\installScreen2.jpg
    2000-12-12 19:17 100,432 ------w c:\program files\Win2000PPAHotfix.exe
    .

    ((((((((((((((((((((((((((((( snapshot_2008-12-12_16.26.31.35 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-12-11 06:32:50 16,609 ----a-w c:\windows\system32\nvModes.dat
    + 2008-12-14 21:38:56 16,609 ----a-w c:\windows\system32\nvModes.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skype"="d:\sam's games\Skype\Phone\Skype.exe" [2007-12-07 21686568]
    "MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [2001-08-03 1409024]
    "OfficeScanNT Monitor"="c:\officescan nt\pccntmon.exe" [2006-09-01 356429]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
    "IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-18 44032]
    "GhostStartTrayApp"="c:\program files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe" [2002-08-14 94208]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 49263]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-02-10 4501504]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2005-07-22 188416]
    "AVFX Engine"="c:\program files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-06-09 24576]
    "V0230Mon.exe"="c:\windows\system32\V0230Mon.exe" [2006-07-19 36961]
    "Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-09-28 936960]
    "VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 2061816]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
    "iTunesHelper"="d:\sam's stuff\iTunesHelper.exe" [2008-10-01 289576]
    "nwiz"="nwiz.exe" [2003-02-10 c:\windows\system32\nwiz.exe]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Clean Temp.lnk - c:\program files\MedGraphics\Breeze\CleanTemp.exe [2002-06-14 20548]
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
    AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-05-02 10872]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
    2003-04-08 17:45 24666 c:\windows\system32\ckpNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.MJPG"= sonymjpg.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
    backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Clean Temp.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Clean Temp.lnk
    backup=c:\windows\pss\Clean Temp.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Date Manager.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Date Manager.lnk
    backup=c:\windows\pss\Date Manager.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check 2.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check 2.lnk
    backup=c:\windows\pss\EPSON Status Monitor 3 Environment Check 2.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Gas Off.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Gas Off.lnk
    backup=c:\windows\pss\Gas Off.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
    backup=c:\windows\pss\GStartup.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PrecisionTime.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PrecisionTime.lnk
    backup=c:\windows\pss\PrecisionTime.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
    backup=c:\windows\pss\Service Manager.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2004-08-04 00:56 15360 c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
    --a------ 2001-08-18 05:00 44032 c:\windows\ime\imkr6_1\imekrmig.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
    --a------ 2004-08-03 22:32 208952 c:\windows\ime\imjp8_1\imjpmig.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ink Monitor]
    --------- 2001-06-14 16:54 254022 c:\program files\EPSON\Ink Monitor\InkMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Drive Icons]
    --------- 2001-09-12 11:35 61440 c:\program files\Iomega\DriveIcons\Imgicon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Startup Options]
    --------- 2001-01-17 17:33 45056 c:\program files\Iomega\Common\IMGSTART.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --------- 2004-10-13 09:24 1694208 c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeScanNT Monitor]
    --------- 2006-09-01 17:58 356429 c:\officescan nt\PccNTMon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysExplr]
    --------- 2003-03-02 00:23 26624 c:\sthvcd\SYSEXPLR.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\Messenger\\MSMSGS.EXE"=
    "d:\\sam's games\\NEXON\\MapleStory\\Patcher.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "d:\\Sam's stuff\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "d:\\Sam's stuff\\iTunes.exe"=
    "d:\\sam's games\\Skype\\Phone\\Skype.exe"=

    R0 fasttrak;fasttrak;c:\windows\system32\DRIVERS\fasttrak.sys [2003-07-07 75520]
    R1 GhPciScan;GhostPciScanner;\??\c:\program files\Symantec\Norton Ghost 2003\ghpciscan.sys [2002-08-14 5632]
    R1 SonyFanC;FAN Control Device Service;c:\windows\system32\Drivers\SonyFanC.sys [2001-09-09 68116]
    R2 TmFilter;Trend Micro Filter;\??\c:\officescan nt\TmXPFlt.sys [2002-02-20 205328]
    R2 TmPreFilter;Trend Micro PreFilter;\??\c:\officescan nt\TmPreFlt.sys [2002-02-20 36368]
    R2 V7;V7;c:\windows\system32\drivers\V7.sys [2001-11-02 7196]
    S0 akjxi;akjxi;c:\windows\system32\drivers\akuxnux.sys []
    S0 vswsdd;vswsdd;c:\windows\system32\drivers\qoqq.sys []
    S3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;c:\windows\system32\DRIVERS\bcm42xx5.sys [2001-09-08 54271]
    S3 CrystalSysInfo;CrystalSysInfo;\??\d:\sam's stuff\MediaCoder\SysInfo.sys [2007-09-25 15152]
    S3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;c:\windows\system32\DRIVERS\ngrpci.sys []
    S3 oad;Visibroker Activation Daemon;c:\progra~1\Borland\vbroker\bin\oad.exe [2006-12-18 1781248]
    S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\DRIVERS\OMVA.sys [2004-01-06 14924]
    S3 osagent;VisiBroker Smart Agent;c:\progra~1\Borland\vbroker\bin\osagent.exe [2006-12-18 193536]
    S3 sejt1;sejt1;\??\c:\docume~1\XING-G~1\LOCALS~1\Temp\Rar$EX00.357\AkumaEngine33\sejt.sys []
    S3 V0230Vfx;V0230Vfx;c:\windows\system32\DRIVERS\V0230Vfx.sys [2007-02-18 6272]
    S3 V0230VID;Live! Cam Video IM Pro;c:\windows\system32\DRIVERS\V0230VID.sys [2007-02-18 498464]
    S3 Vmaxcomm;Vmaxcomm;\??\c:\windows\System32\drivers\Vmaxcomm.sys [2003-02-25 60794]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{57b7de60-8e06-11db-8854-0008740432dd}]
    \Shell\Auto\command - F:\boot.exe
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2008-12-08 c:\windows\Tasks\backup-C+D(sony).job
    - c:\windows\system32\ntbackup.exe [2004-08-04 00:56]

    2008-12-09 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    mStart Page = hxxp://www.yahoo.com
    uInternet Connection Wizard,ShellNext = hxxp://www.torrancechamber.com/events.php?Id=308
    uInternet Settings,ProxyServer = 61.74.65.97:80
    uInternet Settings,ProxyOverride = localhost;*.local
    IE: Download All by FlashGet - c:\program files\FlashGet\jc_all.htm
    IE: Download using FlashGet - c:\program files\FlashGet\jc_link.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    IE: 添加到QQ表情 (Add to QQ Emoticons) - c:\program files\Tencent\QQ\AddEmotion.htm

    O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-14 19:42:24
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet002\Services\MySql]
    "ImagePath"="C:/LAB4/MYSQL/bin/mysqld-nt.exe"

    [HKEY_LOCAL_MACHINE\system\ControlSet002\Services\MySql]
    "ImagePath"="C:/LAB4/MYSQL/bin/mysqld-nt.exe"
    .
    Completion time: 2008-12-14 19:43:32
    ComboFix-quarantined-files.txt 2008-12-15 03:43:30
    ComboFix4.txt 2008-06-25 19:40:22
    ComboFix3.txt 2008-06-27 21:52:44
    ComboFix2.txt 2008-12-13 00:27:30

    Pre-Run: 8,498,069,504 bytes free
    Post-Run: 8,633,532,416 bytes free

    258 --- E O F --- 2008-12-12 11:12:30

    I have noticed that my computer is highly unresponsive. I click things twice and it becomes "not responding", or it just takes a year to load the page. It's not the internet's fault, because when I watch videos the buffer rate is pretty high. The YouTube videos lag even when they are fully loaded. Pop-ups are still appearing.
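An added example from the editor, not something posted in the thread: a small Python triage script that scans a ComboFix log for the entries a helper normally picks out by eye. It flags services whose file ComboFix could not stat (the empty `[]` after the path, as on the two S0 drivers with random-looking names, the sejt1 driver under a Temp directory, and the leftover NETGEAR driver above), a system ProxyServer pointing at a public IP address, and MountPoints2 autorun handlers. The sample input is a handful of lines excerpted from the log above; the severity labels and category names are my own, and a hit only means "look at this", not "this is malware" (the ngrpci entry is almost certainly a dead driver from an old network card).

```python
"""Triage helper for ComboFix logs: pull out the entries worth a second look."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Sample input: a handful of lines excerpted from the ComboFix log posted
# above, in ComboFix's own layout (this is not the whole log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

R0 fasttrak;fasttrak;c:\windows\system32\DRIVERS\fasttrak.sys [2003-07-07 75520]
S0 akjxi;akjxi;c:\windows\system32\drivers\akuxnux.sys []
S0 vswsdd;vswsdd;c:\windows\system32\drivers\qoqq.sys []
S3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;c:\windows\system32\DRIVERS\ngrpci.sys []
S3 sejt1;sejt1;\??\c:\docume~1\XING-G~1\LOCALS~1\Temp\Rar$EX00.357\AkumaEngine33\sejt.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{57b7de60-8e06-11db-8854-0008740432dd}]
\Shell\Auto\command - F:\boot.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe

uInternet Settings,ProxyServer = 61.74.65.97:80
uInternet Settings,ProxyOverride = localhost;*.local
"""

# "R0 name;description;path [date size]" -- an empty [] means ComboFix
# could not stat the file (missing, or hidden from the API it used).
SERVICE_RE = re.compile(r"^([RS][0-4])\s+([^;]+);([^;]*);(.*?)\s*\[(.*)\]$")
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(\S+)")
AUTORUN_RE = re.compile(r"\\Shell\\(Auto|AutoRun)\\command\s*-\s*(.+)$")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium" (labels are my own, not ComboFix's)
    category: str
    detail: str


def _is_public_ip(host: str) -> bool:
    """True if host is a literal IP address outside private/loopback ranges."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:  # a hostname, not an address
        return False


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := SERVICE_RE.match(line):
            start, name, _desc, path, meta = m.groups()
            if not meta:
                # Boot-start (R0/S0) drivers with no file info are the classic
                # rootkit-loader pattern; S3 ones are often just dead leftovers.
                sev = "high" if start in ("R0", "S0") else "medium"
                findings.append(Finding(sev, "service-no-file-info", f"{start} {name}: {path}"))
            if "\\temp\\" in path.lower():
                findings.append(Finding("high", "driver-from-temp", f"{name}: {path}"))
        elif m := PROXY_RE.search(line):
            proxy = m.group(1)
            host = proxy.rsplit(":", 1)[0]
            if _is_public_ip(host):
                # A system proxy pointing at a public IP the user never set is
                # how ad injectors and credential thieves get to see all traffic.
                findings.append(Finding("high", "external-proxy", proxy))
        elif m := AUTORUN_RE.search(line):
            # MountPoints2 autorun handlers fire when a removable drive is opened.
            findings.append(Finding("medium", "mountpoints2-autorun", m.group(2)))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.category:22} {f.detail}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run it against a saved ComboFix.txt with `triage(open("ComboFix.txt", encoding="latin-1").read())`; the regexes are written for the layout ComboFix used in 2008, so a newer log may need the patterns adjusted.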

  #13 Neal (Dedicated Member)
    Do you have a program called Hero or HeroSoft, or something like that, on your PC?



    Open Hijackthis.

    Click the "Open the Misc Tools section" button.

    Click the "Open Uninstall Manager" button.

    Click the "Save list..." button.

    Save it to your desktop. Copy and paste the contents into your reply.

  #14 samisemo (Full Member)
    Umm, nope, can't say that I have a Hero(soft) program.

    Here is my program list:

    7-Zip 4.62
    Ad-aware 6 Personal
    Adobe Acrobat 5.0
    Adobe Flash Player 9 ActiveX
    Adobe Flash Player ActiveX
    Adobe Reader 7.0
    Adobe Reader Chinese Simplified Fonts
    Adobe Shockwave Player
    Adobe Type Manager 4.0
    Advanced Video FX Engine
    Amos 7
    AnswerWorks Runtime
    Apple Mobile Device Support
    Apple Software Update
    AutoCAD 2006 - English
    Autodesk DWF Viewer
    Bonjour
    Borland Delphi 5
    Breeze Suite 6.2C
    CatchUp V1.3
    Chinese (Simplified) Language Support
    Corel Applications
    Creative Live! Cam Center
    Creative Live! Cam Video IM Pro Driver (1.00.07.0725)
    Creative Software AutoUpdate
    Creative System Information
    DecoderBlaster 5
    DigitalPrint 1.0
    DivX 5.0.2 Pro Bundle
    DVDExpress
    DVgate
    EPSON Printer Software
    FlashGet(JetCar)
    greenstreet Picture Browser
    Hardlock Device Driver
    HijackThis 2.0.2
    Hotfix for Windows XP (KB915865)
    Hotfix for Windows XP (KB952287)
    hp deskjet 6122 series
    Ink Monitor
    InterActual Player
    InterBase
    Iomega App Services
    IomegaWare
    ISI ResearchSoft - Export Helper
    iTunes
    J2SE Runtime Environment 5.0 Update 8
    Java 2 Runtime Environment Standard Edition v1.3
    Java 2 Runtime Environment, SE v1.4.2_04
    Java 2 Runtime Environment, SE v1.4.2_09
    Lame ACM MP3 Codec
    LF8.5A for PWC
    LiveReg (Symantec Corporation)
    LiveUpdate 1.80 (Symantec Corporation)
    LOTUS ScreenSaver
    Malwarebytes' Anti-Malware
    MapleStory
    MAX_II
    Media Bar 3.2.11
    Media Library Management Wizard
    MediaCoder 0.6.2
    MetaSoft
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0
    Microsoft Data Access Components KB870669
    Microsoft Global IME for Office XP (Simplified Chinese)
    Microsoft Global IME for Office XP (Traditional Chinese)
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office XP Media Content
    Microsoft Office XP Professional
    Microsoft Publisher 2002
    Microsoft SQL Server Desktop Engine
    Motion JPEG Software Decoder
    MoviePlace
    MSN Music Assistant
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 Parser
    Music Visualizer Library 1.1
    MyOLEDB Provider (20 February 2001)
    Norton Ghost
    NVIDIA Windows 2000/XP Display Drivers
    OpenMG Secure Module
    Origin7
    OTOY
    PDF-to-Word 2.5 Demo
    Personal License Update Wizard for Windows Media Player
    PicoPlayer
    PictureGear 5.1
    Plus! MP3 Audio Converter LE
    Promise Array Management
    Python 2.4.3
    Quicken 2002 New User Edition
    QuickTime
    RealPlayer
    RealProducer Basic 8.5
    Real-Tens
    Reference Manager 10
    RIS Web Helper
    SAS 9.1
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923694)
    Security Update for Windows XP (KB925454)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB933566)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    SigmaPlot 8.0
    Skype™ 3.6
    Smart Capture
    SonicStage
    SonicStage CD-R Writing Module
    Sony Certificate PCH
    Sony DV Shared Library
    Sony on Yahoo!
    SPSS 15.0 for Windows
    SPSS 7.5 for Windows
    SPSS Data Access Pack 4.4 for Windows
    SPSS Dimensions Component Pack 3.5
    SPSS-Python Integration Plug-In 15.0
    Spybot - Search & Destroy 1.2
    Support Actions Win2K,WinXP
    Trend Micro OfficeScan Client
    TurboFit 5.05
    Update for Windows XP (KB955839)
    VAIO Action Setup
    VAIO Grid Wallpaper
    VAIO Help & Support
    VAIO Registration
    VAIO Support
    Vaio Tour
    VAIOWorld
    Verizon Broadband Toolbar
    Verizon Online Help and Support
    Verizon Servicepoint 1.5.12
    VisualFlow 2.1
    Windows Internet Explorer 7
    Windows Live Messenger
    Windows Media Bonus Pack for Windows XP
    Windows Media Format Runtime
    Windows Media Player 10
    Windows Media Player Playlist Import to Excel Wizard
    Windows Media Player Skin Importer
    Windows Media Player Tray Control
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB885884
    Windows XP Service Pack 2
    WinRAR archiver
    Yahoo! Toolbar

  #15 Neal (Dedicated Member)
    Real-Tens: this is spyware and causes pop-ups. Please uninstall it from Add/Remove Programs and reboot afterwards.


    Info on Real-Tens below

    Detail of Real-Tens(Real-Tens.exe) - Startup Application Knowledge Base for Windows


    Spybot - Search & Destroy 1.2 is way out of date; there is a new version out now.


    This file below needs to be scanned:

    c:\sthvcd\SYSEXPLR.EXE

    If you can't find it, do this below and look again:


    Go here to learn how to show hidden files/folders:

    Help Centre Home : www.telecom.co.nz/help

    Re-hide after we are done



    Go to the next site:
    VirusTotal - Free Online Virus and Malware Scan
    At the top you'll find 'Browse'.
    Click the browse button and browse to the next file:


    c:\sthvcd\SYSEXPLR.EXE


    Click open.
    Then click the 'Send' button next to it.
    This will scan the file. Please be patient.
    Once scanned, copy and paste the results as well in your next reply.


    If that one is too busy, here is another option:


    Online malware scan

    And

    Virus File Scanner

  #16 samisemo (Full Member)
    OK, got rid of Real-Tens.
    I scanned and here are the results:

    Antivirus Version Last Update Result
    AhnLab-V3 2008.12.17.3 2008.12.18 -
    AntiVir 7.9.0.45 2008.12.17 -
    Authentium 5.1.0.4 2008.12.18 -
    Avast 4.8.1281.0 2008.12.17 -
    AVG 8.0.0.199 2008.12.17 -
    BitDefender 7.2 2008.12.18 -
    CAT-QuickHeal 10.00 2008.12.18 -
    ClamAV 0.94.1 2008.12.18 -
    Comodo 771 2008.12.17 -
    DrWeb 4.44.0.09170 2008.12.17 -
    eSafe 7.0.17.0 2008.12.17 -
    eTrust-Vet 31.6.6266 2008.12.18 -
    Ewido 4.0 2008.12.17 -
    F-Prot 4.4.4.56 2008.12.17 -
    F-Secure 8.0.14332.0 2008.12.18 -
    Fortinet 3.117.0.0 2008.12.18 -
    GData 19 2008.12.18 -
    Ikarus T3.1.1.45.0 2008.12.18 -
    K7AntiVirus 7.10.556 2008.12.17 -
    Kaspersky 7.0.0.125 2008.12.18 -
    McAfee 5467 2008.12.17 -
    McAfee+Artemis 5467 2008.12.17 -
    Microsoft 1.4205 2008.12.18 -
    NOD32 3700 2008.12.17 -
    Norman 5.80.02 2008.12.17 -
    Panda 9.0.0.4 2008.12.17 -
    PCTools 4.4.2.0 2008.12.17 -
    Prevx1 V2 2008.12.18 -
    Rising 21.08.30.00 2008.12.18 -
    SecureWeb-Gateway 6.7.6 2008.12.17 -
    Sophos 4.37.0 2008.12.18 -
    Sunbelt 3.2.1801.2 2008.12.11 -
    Symantec 10 2008.12.18 -
    TheHacker 6.3.1.4.191 2008.12.17 -
    TrendMicro 8.700.0.1004 2008.12.18 -
    VBA32 3.12.8.10 2008.12.17 -
    ViRobot 2008.12.18.1524 2008.12.18 -
    VirusBuster 4.5.11.0 2008.12.17 -
    Additional information
    File size: 26624 bytes
    MD5...: c5f78b8f078d9d6ba009f7b378d260dc
    SHA1..: f740091c40f30f53f7b0684e7d6157929400a048
    SHA256: 293c9812a9167c3e8a25838685718b7e31ca1b8d69e7573f3e3c09e8fda04d45
    SHA512: b02c7d15b7da94bb95f51e45f06a8a0c55c7e41f48b5dda5fc912c5003df968c540328ac4aa0a0ef91a3c8cb888bab6050d973397860f2e09902757b3337ae64

    ssdeep: 384:8muLdTf7K3TU53Cw4OfsH9fjrXy9y5er4sZ:KL1K3TU/44sdPy9y5er4s

    PEiD..: -
    TrID..: File type identification
    Win32 Executable MS Visual C++ 4.x (57.5%)
    Win64 Executable Generic (36.5%)
    Win32 Dynamic Link Library (generic) (3.2%)
    Win16/32 Executable Delphi generic (0.8%)
    Generic Win/DOS Executable (0.8%)
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x402450
    timedatestamp.....: 0x3553a63e (Sat May 09 00:41:34 1998)
    machinetype.......: 0x14c (I386)

    ( 6 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x3178 0x3200 6.22 d2b8fc47a6499cfbd8e30fa6095ffd4e
    .rdata 0x5000 0x3a5 0x400 4.80 4c6338cab1eff6d9bda13d8a95521f05
    .data 0x6000 0x1474 0x1400 2.25 56b4d6a3511b1b72e212ddebf6f02188
    .idata 0x8000 0x3be 0x400 3.71 c755982c5c9b90d1ea3bca6df15096cd
    .rsrc 0x9000 0xc1c 0xe00 3.59 a4bd86e38ef3683f2f89476a8530e879
    .reloc 0xa000 0x648 0x800 5.04 c0c124ad763cf5ae87ad67e45fbc8018

    ( 5 imports )
    > KERNEL32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -
    > USER32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -
    > GDI32.dll: -, -, -, -, -
    > ADVAPI32.dll: -, -, -, -, -, -, -
    > SHELL32.dll: -

    ( 0 exports )
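An added example from the editor, not part of the thread: a short Python helper that pulls the useful numbers out of a VirusTotal text report in the layout above. It gives the detection ratio (a 0-out-of-N result only says no engine had a signature on that date, not that the file is benign), the file hashes (so you can hash the file on disk yourself and confirm it really is the one the verdicts describe), and the per-section entropy, which is what the `ntrpy` column is: compiled code sits around 5 to 6.5 bits per byte, while packed or encrypted sections sit close to 8. The REPORT string is a constructed excerpt of the report posted above; the 7.0 threshold and the function names are my own.

```python
"""Pull the useful numbers out of a VirusTotal text report like the one above."""
from __future__ import annotations

import hashlib
import math
import re

# Constructed excerpt in the layout of the report posted above: a few of the
# vendor rows, the file hashes and part of the section table (not the full report).
REPORT = """\
Antivirus Version Last Update Result
AhnLab-V3 2008.12.17.3 2008.12.18 -
AntiVir 7.9.0.45 2008.12.17 -
Kaspersky 7.0.0.125 2008.12.18 -
McAfee+Artemis 5467 2008.12.17 -
Prevx1 V2 2008.12.18 -
Additional information
File size: 26624 bytes
MD5...: c5f78b8f078d9d6ba009f7b378d260dc
SHA1..: f740091c40f30f53f7b0684e7d6157929400a048
SHA256: 293c9812a9167c3e8a25838685718b7e31ca1b8d69e7573f3e3c09e8fda04d45
( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x3178 0x3200 6.22 d2b8fc47a6499cfbd8e30fa6095ffd4e
.rdata 0x5000 0x3a5 0x400 4.80 4c6338cab1eff6d9bda13d8a95521f05
.data 0x6000 0x1474 0x1400 2.25 56b4d6a3511b1b72e212ddebf6f02188
.reloc 0xa000 0x648 0x800 5.04 c0c124ad763cf5ae87ad67e45fbc8018
"""

# "Vendor version YYYY.MM.DD result" -- a result of "-" means no detection.
VENDOR_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+)$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256)\.*:\s*([0-9a-fA-F]+)$")
# "name viradd virsiz rawdsiz entropy md5"
SECTION_RE = re.compile(
    r"^(\S+)\s+0x[0-9a-f]+\s+0x[0-9a-f]+\s+0x[0-9a-f]+\s+(\d+\.\d+)\s+([0-9a-f]{32})$"
)


def parse_report(text: str) -> dict:
    detections, hashes, sections = [], {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if m := HASH_RE.match(line):
            hashes[m.group(1).lower()] = m.group(2).lower()
        elif m := SECTION_RE.match(line):
            sections.append((m.group(1), float(m.group(2)), m.group(3)))
        elif m := VENDOR_RE.match(line):
            detections.append(m.groups())  # (vendor, version, updated, result)
    return {"detections": detections, "hashes": hashes, "sections": sections}


def detection_ratio(report: dict) -> tuple[int, int]:
    """(engines that flagged it, engines that scanned it)."""
    hits = [d for d in report["detections"] if d[3] != "-"]
    return len(hits), len(report["detections"])


def file_hashes(data: bytes) -> dict[str, str]:
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def matches_report(data: bytes, report: dict) -> bool:
    """True only if every hash the report lists equals the hash of the bytes you
    hold, i.e. the file on disk really is the one the verdicts are about."""
    mine = file_hashes(data)
    listed = {k: v for k, v in report["hashes"].items() if k in mine}
    return bool(listed) and all(mine[k] == v for k, v in listed.items())


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (all one value) up to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def high_entropy_sections(report: dict, threshold: float = 7.0) -> list[str]:
    """Section names whose reported entropy reaches the threshold."""
    return [name for name, entropy, _ in report["sections"] if entropy >= threshold]


if __name__ == "__main__":
    r = parse_report(REPORT)
    print("detections: %d/%d" % detection_ratio(r))
    print("hashes:", r["hashes"])
    print("sections >= 7.0 bits/byte:", high_entropy_sections(r))
```

To check the file you actually uploaded, read it as bytes and call `matches_report(data, parse_report(report_text))`; `shannon_entropy` is there so you can measure a section you carve out yourself and compare with the report's `ntrpy` value.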

  #17 Neal (Dedicated Member)
    What is happening now?

  #18 samisemo (Full Member)
    I think it's gone now. I'm not getting any more of those "where are you classmates now?" pop-ups and random unblockables. I think this situation is under control. Thanks.

  #19 Neal (Dedicated Member)
    You're welcome.


    If you are no longer having any trouble, here are some preventive measures for you.

    Be sure to re-hide hidden files/folders if you were asked to unhide them

    Here are some preventive measures you can take to keep your computer from getting infected again. Also keep Spybot S&D updated.

    Read This First - IMPORTANT Instructions - D-A-L Computer Help

    Flush your restore points in ME and XP, by turning System Restore off and then back on.
    This will create a fresh restore point.


    Explained Here:
    Windows XP: McAfee Threat Center

    Explained Here
    Microsoft ME:
    Disabling or enabling Windows Me System Restore



    Please download ATF Cleaner by Atribune to desktop.
    http://www.atribune.org/public-beta/ATF-Cleaner.exe

    Double-click ATF-Cleaner.exe to run the program, to clean junk files off your PC.

    If you would like to keep your cookies, don't check that item.

    * Under Main "Select Files to Delete" choose: Select All.
    * Click the Empty Selected button.
    * If you use Firefox browser click Firefox at the top and choose: Select All
    * Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    * If you use Opera browser click Opera at the top and choose: Select All
    * Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main menu to close the program.



    To reduce the re-infection potential for malware and protect yourself against spyware, here are a few helpful suggestions:

    1. Keep Windows and Internet Explorer current with the latest critical security updates from Microsoft. This will patch many of the security holes through which attackers can gain access to your computer. You CANNOT complete this update using an alternate browser.
    http://v5.windowsupdate.microsoft.co....aspx?ln=en-us

    Get Internet Explorer 7


    2. Run your antivirus software regularly, and keep its definitions up to date. If you are thinking about switching, there are some good free antivirus programs that are decent, including Avira, Avast and PC Tools.
    AVIRA: http://www.free-av.com/

    AVAST: FREE antivirus software with spyware protection: avast! Home Edition

    PCTOOLS: PC Tools AntiVirus - Free Anti-Virus Download


    3. In addition to using Spybot S&D, consider using another free malware scanning/removal program:
    Windows Defender: Windows Defender: Home Page



    4. Consider using a free firewall if you are not already using one. Some good free ones are:
    Kerio: Personal Firewall by Sunbelt Software - Full Version & FREE Firewall - Kerio


    Comodo:Free Firewall Software Download by Comodo



    5. Consider using an alternative free browser for general web surfing, but you must use IE for Windows Update.
    Mozilla Firefox: www.mozilla.org/products/firefox/


    6. Consider increasing your browser security by using SpywareBlaster:
    SpywareBlaster will increase browser protection by blocking thousands of known malware sites, adding them to IE's Restricted Sites zone. Download it here:

    SpywareBlaster | Prevent spyware and malware. Free download.


    If you use SpywareBlaster, you can also use a custom blocklist to add even more entries to the IE Restricted Sites zone. Go to this site for the current list and how-to-use instructions: CJB.NET


    IE-SPYAD is similar in that it adds thousands more known malware sites to IE's restricted zone. Download it here:
    https://netfiles.uiuc.edu/ehowes/www/resource.htm


    Block access to Untrustworthy Sites

    You can prevent your computer from visiting a myriad of untrustworthy sites and ad-servers by installing a customised hosts file. One of the best available is the: MVPS Hosts File. Simply follow the instructions to install the file in the correct location. This will not only make surfing safer but will improve website load times and block popups from many of the large ad-servers.



    *Remember, just like your primary anti-virus software, it is important to keep all of these programs up to date and use them on a regular basis. It's free.
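An added example from the editor, not part of the thread, showing the two mechanisms the advice above relies on: a hosts-file entry (MVPS style, which blocks name resolution for every program on the machine) and an IE Restricted Sites zone entry (what SpywareBlaster and IE-SPYAD write, which only affects Internet Explorer). The script takes a domain blocklist and emits both a hosts fragment and a .reg fragment. The BLOCKLIST is a constructed sample, not a real list; the function names are my own, and `zone_key` assumes the registrable domain is the last two labels, which is wrong for suffixes like co.uk (a public-suffix list would be needed for those).

```python
"""Build a hosts-file fragment and an IE Restricted-sites .reg fragment from a blocklist."""
from __future__ import annotations

import re

# Constructed sample blocklist (not a real list); a real one comes from
# MVPS, IE-SPYAD or a SpywareBlaster custom list as mentioned above.
BLOCKLIST = ["Ads.Example.NET", "ads.example.net", "popups.example.org", "not a host!", "example.net"]

# Two or more DNS labels, letters/digits/hyphens, no leading or trailing hyphen.
HOSTNAME_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")

ZONEMAP_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
RESTRICTED_SITES = 4  # IE zone number for "Restricted sites"


def normalise(domains) -> list[str]:
    """Lower-case, drop duplicates and anything that is not a plain hostname."""
    seen = set()
    for d in domains:
        d = d.strip().lower()
        if len(d) <= 253 and HOSTNAME_RE.match(d):
            seen.add(d)
    return sorted(seen)


def hosts_fragment(domains, sink: str = "0.0.0.0") -> str:
    """One line per host. 0.0.0.0 (the MVPS convention) fails immediately, whereas
    127.0.0.1 makes the browser try a local connection first. The hosts file has no
    wildcards, so every subdomain you want blocked needs its own line."""
    return "\n".join(f"{sink} {d}" for d in normalise(domains)) + "\n"


def zone_key(host: str) -> str:
    """Relative key under ZoneMap\\Domains. IE keeps the registrable domain as the
    key and the subdomain part as a subkey (www.example.com -> example.com\\www).
    Assumption: the registrable domain is the last two labels."""
    labels = host.split(".")
    if len(labels) <= 2:
        return host
    return ".".join(labels[-2:]) + "\\" + ".".join(labels[:-2])


def restricted_zone_reg(domains) -> str:
    """A .reg file that puts every host in the Restricted sites zone for the
    current user; "*" as the value name covers every scheme (http, https, ...)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for d in normalise(domains):
        lines.append(f"[{ZONEMAP_KEY}\\{zone_key(d)}]")
        lines.append(f'"*"=dword:{RESTRICTED_SITES:08x}')
        lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    print(hosts_fragment(BLOCKLIST))
    print(restricted_zone_reg(BLOCKLIST))
```

Append the hosts output to `%SystemRoot%\system32\drivers\etc\hosts` (the file a hosts-file installer writes to) and import the .reg output with regedit; keep the original hosts file backed up, because a bad entry there breaks name resolution for everything, not just the browser.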
