Constant Popup: bestmanage.org

Irishwhistle

New Member
I keep on getting a popup of Bestmanage.org and I have no idea of how to remove it. It got past Spybot. I have no idea of how to read HijackThis logs, so could you tell me how mine looks?

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:40:52 AM, on 6/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\COMMON~1\AOL\118075~1\EE\AOLHOS~1.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\118075~1\EE\AOLServiceHost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Stardock\TrayServer.exe
C:\WINDOWS\retadpu1000272.exe
C:\WINDOWS\avp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\outlook\outlook.exe
C:\WINDOWS\smgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Colibri\Colibri.exe
C:\DOCUME~1\Owner\MYDOCU~1\ICROSO~1\iexplore.exe
C:\Program Files\McAfee\mb138\McBar.v.0.0.1.38\mcbar.exe
C:\Documents and Settings\Owner\My Documents\RK_Launcher_04_Beta\RKLauncher.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MOZILL~1\MOZILL~1.EXE
C:\Documents and Settings\Owner\Desktop\HiJackThis_v2.exe
C:\WINDOWS\?icrosoft.NET\r?gedit.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=W3115
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=W3115
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=W3115
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Burn4Free Toolbar Helper - {60BF5EE3-0105-4858-AD98-17C19F86B042} - C:\Program Files\Burn4Free Toolbar\v3.3.0.0\Burn4Free_Toolbar.dll
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\system32\ssqrool.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {C601396C-D2A0-9E7D-D107-8AADAB9328B1} - C:\WINDOWS\system32\cevij.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: (no name) - {D6A14199-8F79-4B67-B365-0701D3A175D7} - C:\WINDOWS\system32\pmkjj.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Burn4Free Toolbar - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - C:\Program Files\Burn4Free Toolbar\v3.3.0.0\Burn4Free_Toolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1180758482\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] C:\Program Files\Common Files\Stardock\TrayServer.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvpoj.dll,startup
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Colibri] C:\Program Files\Colibri\Colibri.exe
O4 - HKCU\..\Run: [Ealb] "C:\DOCUME~1\Owner\MYDOCU~1\ICROSO~1\iexplore.exe" -vt ndrv
O4 - HKCU\..\Run: [Poolv] C:\WINDOWS\?icrosoft.NET\r?gedit.exe
O4 - HKLM\..\Policies\Explorer\Run: [svchost.exe] C:\WINDOWS\svchost.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Startup: Shortcut to mcbar.lnk = C:\Program Files\McAfee\mb138\McBar.v.0.0.1.38\mcbar.exe
O4 - Startup: Shortcut to RKLauncher.lnk = C:\Documents and Settings\Owner\My Documents\RK_Launcher_04_Beta\RKLauncher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,wbsys.dll C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll
O20 - Winlogon Notify: pmkjj - C:\WINDOWS\system32\pmkjj.dll
O20 - Winlogon Notify: ssqrool - C:\WINDOWS\SYSTEM32\ssqrool.dll
O20 - Winlogon Notify: winkve32 - C:\WINDOWS\SYSTEM32\winkve32.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 8363 bytes

Any ideas? Thanks!


~Jordan
 
Welcome to the world of Limewire!!!!

Seriously, you really need to ditch that program and think again about your downloading habits....


Download ComboFix from either of these links:

http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double click Combofix.exe & follow the prompts.

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick Combofix's window whilst it's running. That may cause it to stall.
 
Could just be something as simple as deleting your cookies. I didn't see anything that looked too suspicious, but I would get rid of the AOL crap, which is just as bad as spyware.
 
Me, myself and I would be more concerned about the myriad of trojans and worms present than any legitimate AOL installation. :D
 
It is scanning right now, I'll post the log when it's done. Too bad, the thing I like about Limewire is that the download speeds are really fast, so I like it for big files. It's weird though, neither AVG nor Spybot recognized it as a virus or trojan.

:D Sure thing! I hate AOL, I only have it installed because it came with my computer and I haven't gotten around to removing it.

Thanks!


~Jordan
 
Here is the log:

"Owner" - 2007-06-08 21:43:30 Service Pack 2 NTFS
ComboFix 07-06-3B - Running from: "C:\Documents and Settings\Owner\"


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\ddayx.dll
C:\WINDOWS\system32\mljji.dll
C:\WINDOWS\system32\winkve32.dll
C:\WINDOWS\system32\xyadd.ini
C:\WINDOWS\system32\ijjlm.ini
C:\WINDOWS\system32\jjkmp.bak2
C:\WINDOWS\system32\jjkmp.ini
C:\WINDOWS\system32\pmkjj.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



-- Purity Folders:
C:\DOCUME~1\Owner\MYDOCU~1\ICROSO~1
C:\Program Files\Common Files\SMANTE~1
C:\Program Files\outlook
C:\WINDOWS\ICROSO~1.NET


((((((((((((((((((((((((( Files Created from 2007-05-09 to 2007-06-09 )))))))))))))))))))))))))))))))


2007-06-08 19:52 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\uk.co.planetside
2007-06-08 19:21 <DIR> d-------- C:\Program Files\Planetside Software
2007-06-08 19:21 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Planetside Software
2007-06-08 11:41 58,420 --a------ C:\WINDOWS\system32\bghjvuwp.dll
2007-06-08 11:38 131,124 --a------ C:\WINDOWS\system32\iknbmjhs.dll
2007-06-08 11:32 2,580 --a------ C:\WINDOWS\system32\lxtvdfle.exe
2007-06-08 10:37 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-06-08 10:14 60,928 --a------ C:\WINDOWS\system32\cevij.dll
2007-06-08 10:10 28,160 --a------ C:\WINDOWS\system32\sysmon32.exe
2007-06-08 10:10 11,776 --a------ C:\WINDOWS\smgr.exe
2007-06-08 10:07 62,464 --a------ C:\WINDOWS\system32\bszip.dll
2007-06-08 10:06 0 --ahs---- C:\WINDOWS\system32\tracert.com
2007-06-08 10:06 0 --ahs---- C:\WINDOWS\system32\tasklist.com
2007-06-08 10:06 0 --ahs---- C:\WINDOWS\system32\taskkill.com
2007-06-08 10:06 0 --ahs---- C:\WINDOWS\system32\regedit.com
2007-06-08 10:06 0 --ahs---- C:\WINDOWS\system32\ping.com
2007-06-08 10:06 0 --ahs---- C:\WINDOWS\system32\netstat.com
2007-06-08 10:06 0 --ahs---- C:\WINDOWS\system32\cmd.com
2007-06-08 10:03 28,160 --a------ C:\WINDOWS\system32\winsys64.exe
2007-06-08 10:03 19,456 --a------ C:\WINDOWS\avp.exe
2007-06-08 10:02 40,960 --a------ C:\WINDOWS\retadpu1000272.exe
2007-06-08 10:02 40,183 ---hs---- C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
2007-06-08 10:02 2 --a------ C:\WINDOWS\system32\wnststr.exe
2007-06-08 10:01 33,302 --a------ C:\WINDOWS\system32\khfgdby.dll
2007-06-08 10:00 33,302 --a------ C:\WINDOWS\system32\ssqrool.dll
2007-06-08 09:57 7,840 --a------ C:\WINDOWS\system32\mcdmsg4.dll
2007-06-08 09:16 <DIR> d---s---- C:\DOCUME~1\Owner\UserData
2007-06-07 21:34 37,442 --a------ C:\musiclibrary.dat
2007-06-07 21:33 <DIR> d-------- C:\Program Files\Cloudbrain
2007-06-07 18:20 <DIR> d-------- C:\Program Files\iPod
2007-06-07 17:56 <DIR> d-------- C:\Program Files\Axon Data
2007-06-05 17:32 <DIR> d-------- C:\softMac
2007-06-05 17:03 229,733 --a------ C:\WINDOWS\Burn4Free_Toolbar_Uninstaller_2859.exe
2007-06-05 17:03 <DIR> d-------- C:\Program Files\Burn4Free Toolbar
2007-06-05 17:03 <DIR> d-------- C:\Program Files\Burn4Free
2007-06-04 22:25 <DIR> d-------- C:\Program Files\Aladdin Systems
2007-06-04 22:22 <DIR> d-------- C:\Program Files\WinImage
2007-06-04 22:04 299,520 --a------ C:\WINDOWS\uninst.exe
2007-06-04 22:04 <DIR> d-------- C:\Program Files\Basilisk II JIT
2007-06-04 21:41 <DIR> d-------- C:\WebCD
2007-06-04 21:20 3,664 --a------ C:\WINDOWS\system32\drivers\GEM98.SYS
2007-06-04 21:15 6,112 --a------ C:\WINDOWS\system32\drivers\cdenable.sys
2007-06-04 21:08 <DIR> d-------- C:\GTK
2007-06-04 20:52 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-06-04 19:35 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Emulators
2007-06-04 15:25 <DIR> d-------- C:\Program Files\Paint.NET
2007-06-04 13:32 7,852 --a------ C:\WINDOWS\system32\mcdmsg7.dll
2007-06-04 13:32 <DIR> d-------- C:\Program Files\Common Files\Stardock
2007-06-04 09:43 28,160 --a------ C:\WINDOWS\system32\vbCPUInf.dll
2007-06-04 09:43 <DIR> d-------- C:\Program Files\WinMac
2007-06-04 09:04 39,424 --a------ C:\WINDOWS\zipinst.exe
2007-06-04 09:04 <DIR> d--h----- C:\WINDOWS\PIF
2007-06-04 09:04 <DIR> d-------- C:\Program Files\Finderbar 1.5
2007-06-04 03:05 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-06-03 17:33 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2007-06-03 17:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
2007-06-03 17:16 <DIR> d-------- C:\MinGW
2007-06-03 15:15 <DIR> d-------- C:\DOCUME~1\fXwm\APPLIC~1\.Aoof-Wm
2007-06-03 15:12 <DIR> d-------- C:\Program Files\The Toy'd Project
2007-06-03 15:11 <DIR> d-------- C:\DOCUME~1\fXwm\APPLIC~1\McAfee.com Personal Firewall
2007-06-03 15:10 856,064 --a------ C:\DOCUME~1\fXwm\NTUSER.DAT
2007-06-03 15:10 <DIR> d-------- C:\DOCUME~1\fXwm\WINDOWS
2007-06-03 15:10 <DIR> d-------- C:\DOCUME~1\fXwm\APPLIC~1\You've Got Pictures Screensaver
2007-06-03 15:10 <DIR> d-------- C:\DOCUME~1\fXwm\APPLIC~1\SampleView
2007-06-03 15:10 <DIR> d-------- C:\DOCUME~1\fXwm\APPLIC~1\AOL
2007-06-03 14:28 23,040 --------- C:\WINDOWS\kb913800.exe
2007-06-03 00:16 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-06-02 20:48 <DIR> d-------- C:\Program Files\MAC Volume
2007-06-02 20:45 <DIR> d-------- C:\Program Files\Colibri
2007-06-02 17:03 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Apple Computer
2007-06-02 17:01 <DIR> d-------- C:\Program Files\iTunes
2007-06-02 16:57 <DIR> d-------- C:\Program Files\QuickTime
2007-06-02 16:57 <DIR> d-------- C:\Program Files\Apple Software Update
2007-06-02 16:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-06-02 15:43 <DIR> d-------- C:\WINDOWS\pss
2007-06-02 15:16 <DIR> d-------- C:\Program Files\Aqua
2007-06-02 14:44 <DIR> d-------- C:\DOCUME~1\Owner\Incomplete
2007-06-02 14:43 <DIR> d-------- C:\Program Files\LimeWire
2007-06-02 14:43 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\LimeWire
2007-06-02 14:40 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\AdobeUM
2007-06-02 14:28 <DIR> d-------- C:\Program Files\Maxthon2
2007-06-02 13:52 <DIR> d-------- C:\Program Files\Picasa
2007-06-02 13:51 2,560 --a------ C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-06-02 13:51 2,432 --a------ C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-06-02 13:51 <DIR> d-------- C:\Program Files\Picasa2
2007-06-02 13:06 <DIR> d-------- C:\Program Files\NeXplorer1.90
2007-06-02 13:04 <DIR> d-------- C:\Program Files\LIVEUPDATE
2007-06-02 13:04 <DIR> d-------- C:\Program Files\Aqua Dock
2007-06-02 13:02 <DIR> d-------- C:\Program Files\Gman
2007-06-02 12:46 <DIR> d-------- C:\Program Files\MovieWorks Deluxe Trial
2007-06-02 12:46 <DIR> d-------- C:\Program Files\Common Files\Wintertree
2007-06-02 12:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MovieWorks
2007-06-02 12:04 <DIR> d-------- C:\Program Files\Trillian
2007-06-02 11:47 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\AveDesk
2007-06-02 11:46 <DIR> d-------- C:\Program Files\AveDesk
2007-06-02 11:13 <DIR> d-------- C:\Program Files\7-Zip
2007-06-02 11:11 36,864 --a------ C:\WINDOWS\system32\wbsys.dll
2007-06-02 11:11 20,480 --a------ C:\WINDOWS\system32\wbload.dll
2007-06-02 11:11 <DIR> d-------- C:\Program Files\Stardock
2007-06-02 11:10 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-02 15:58:49 218,624 ----a-w C:\WINDOWS\system32\uxtheme.dll
2007-06-02 03:46:46 -------- d-----w C:\Program Files\Windows NT
2007-06-02 03:46:41 -------- d-----w C:\Program Files\Movie Maker
2007-06-02 03:46:40 -------- d-----w C:\Program Files\Messenger
2007-06-02 03:41:39 -------- d-----w C:\Program Files\Windows Plus
2007-06-02 03:41:39 -------- d-----w C:\Program Files\Online Services
2007-06-02 03:41:39 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-06-02 03:41:39 -------- d-----w C:\Program Files\microsoft frontpage
2007-06-02 03:41:38 -------- d-----w C:\Program Files\Common Files\SpeechEngines
2007-06-02 03:41:38 -------- d-----w C:\Program Files\Common Files\ODBC
2007-06-02 03:41:38 -------- d-----w C:\Program Files\Common Files\MSSoap
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 04:56]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{60BF5EE3-0105-4858-AD98-17C19F86B042}=C:\Program Files\Burn4Free Toolbar\v3.3.0.0\Burn4Free_Toolbar.dll [2007-06-05 17:03]
{8A61098D-612B-4EF2-943D-64E920684061}=C:\WINDOWS\system32\ssqrool.dll [2007-06-08 10:00]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-01-19 23:55]
{C601396C-D2A0-9E7D-D107-8AADAB9328B1}=C:\WINDOWS\system32\cevij.dll [2007-05-21 09:59]
{CA6319C0-31B7-401E-A518-A07C3DB8F777}=c:\windows\system32\BAE.dll [2006-02-01 06:54]
{E12BFF69-38A7-406e-A8EF-2738107A7831}=C:\WINDOWS\system32\bghjvuwp.dll [2007-06-08 11:41]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-09-26 18:07 C:\WINDOWS\soundman.exe]
"nwiz"="nwiz.exe" [2005-09-18 11:32 C:\WINDOWS\system32\nwiz.exe]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-08-27 08:09]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []
"HostManager"="C:\Program Files\Common Files\AOL\1180758482\EE\AOLHostManager.exe" [2004-11-03 17:03]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 20:42]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-06-02 12:35]
"Openwares LiveUpdate"="C:\Program Files\LiveUpdate\LiveUpdate.exe" [2003-12-13 13:17]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-05-26 12:45]
"1A:Stardock TrayMonitor"="C:\Program Files\Common Files\Stardock\TrayServer.exe" [2003-02-14 03:57]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-08 10:47]
"1A:MacVisionTrayMonitor"="C:\Documents and Settings\Owner\Local Settings\Temp\TrayMonitor.exe" [1999-08-29 20:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-06-02 01:12]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 19:24]
"Colibri"="C:\Program Files\Colibri\Colibri.exe" [2006-08-07 05:39]
"Poolv"="C:\WINDOWS\?icrosoft.NET\r?gedit.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Power2GoExpress"=NA

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{8A61098D-612B-4EF2-943D-64E920684061}"="C:\WINDOWS\system32\ssqrool.dll" [2007-06-08 10:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"="C:\PROGRA~1\COMMON~1\Stardock\MCPCore.dll" [2005-05-10 13:31]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqrool]
ssqrool.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,wbsys.dll C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
c:\PROGRA~1\mcafee.com\agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
C:\Program Files\McAfee.com\VSO\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-06-04 23:37:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-06-02 05:07:55 C:\WINDOWS\tasks\ISP signup reminder 2.job
2007-06-02 05:07:55 C:\WINDOWS\tasks\ISP signup reminder 3.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-08 22:03:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-08 22:09:17 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-08 22:09

--- E O F ---


Thanks!


~Jordan
 
Now please go to Start, then Control Panel and then Add/Remove Programs. Click "Remove" on Burn4Free Toolbar to uninstall it.


Open notepad (Start > Run and type notepad) and copy/paste all the text in the code box below into it:

Code:
File::
C:\WINDOWS\system32\bghjvuwp.dll
C:\WINDOWS\system32\iknbmjhs.dll
C:\WINDOWS\system32\lxtvdfle.exe
C:\WINDOWS\system32\sysmon32.exe
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\tracert.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\winsys64.exe
C:\WINDOWS\retadpu1000272.exe
C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\WINDOWS\system32\wnststr.exe
C:\WINDOWS\system32\khfgdby.dll
C:\WINDOWS\system32\ssqrool.dll
C:\WINDOWS\system32\drvpoj.dll
C:\WINDOWS\system32\cevij.dll
C:\WINDOWS\SYSTEM32\instcat.dll
C:\WINDOWS\avp.exe
C:\WINDOWS\smgr.exe
C:\WINDOWS\svchost.exe


Save this as ComboFix-Do.txt

Combo-Do.gif


Referring to the picture above, drag ComboFix-Do.txt into ComboFix.exe

Run ComboFix once more please.


Once ComboFix has finished, open HijackThis and place a check before the following entries (if still present):

O2 - BHO: Burn4Free Toolbar Helper - {60BF5EE3-0105-4858-AD98-17C19F86B042} - C:\Program Files\Burn4Free Toolbar\v3.3.0.0\Burn4Free_Toolbar.dll
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\system32\ssqrool.dll
O2 - BHO: (no name) - {C601396C-D2A0-9E7D-D107-8AADAB9328B1} - C:\WINDOWS\system32\cevij.dll
O2 - BHO: (no name) - {D6A14199-8F79-4B67-B365-0701D3A175D7} - C:\WINDOWS\system32\pmkjj.dll
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvpoj.dll,startup
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKCU\..\Run: [Ealb] "C:\DOCUME~1\Owner\MYDOCU~1\ICROSO~1\iexplore.exe" -vt ndrv
O4 - HKCU\..\Run: [Poolv] C:\WINDOWS\?icrosoft.NET\r?gedit.exe
O4 - HKLM\..\Policies\Explorer\Run: [svchost.exe] C:\WINDOWS\svchost.exe
O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll
O20 - Winlogon Notify: pmkjj - C:\WINDOWS\system32\pmkjj.dll
O20 - Winlogon Notify: ssqrool - C:\WINDOWS\SYSTEM32\ssqrool.dll
O20 - Winlogon Notify: winkve32 - C:\WINDOWS\SYSTEM32\winkve32.dll


Close any open programs/browser windows and click Fix Checked.


Restart the machine and post the second ComboFix log and a fresh HijackThis log please.
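The two posts above show the whole workflow: read the HijackThis entries, decide which ones are suspicious, then hand ComboFix a File:: list of the paths to remove. The script below is an added example, not code from the thread or from either tool, that automates the first pass of that triage. Its heuristics are drawn from the kinds of entries flagged in this thread (unnamed BHOs, executables dropped directly in C:\WINDOWS, a '?' look-alike character in a path, Winlogon Notify DLLs, the Policies\Explorer\Run key, unqualified file names resolved via the search path) and it emits a File:: block in the format the helper uses. The sample log lines are constructed from entries in the log above; the function names, the Finding class and the heuristics are my own assumptions, and every hit still needs a human to verify it before anything is deleted.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis v2 log format, modelled on entries from the
# thread above (not a complete log).
SAMPLE_HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\system32\ssqrool.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKCU\..\Run: [Poolv] C:\WINDOWS\?icrosoft.NET\r?gedit.exe
O4 - HKLM\..\Policies\Explorer\Run: [svchost.exe] C:\WINDOWS\svchost.exe
O20 - Winlogon Notify: ssqrool - C:\WINDOWS\SYSTEM32\ssqrool.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass
class Finding:
    line: str                 # the HijackThis line as written
    path: str                 # fully qualified path if the entry had one, else ""
    reasons: list = field(default_factory=list)


# Entry types handled: O2 (BHO), O4 (Run keys), O20 Winlogon Notify.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[^}]+\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
# A binary sitting directly in the Windows folder rather than a subfolder.
WINDOWS_ROOT_RE = re.compile(r"^c:\\windows\\[^\\]+\.(exe|dll|com)$", re.IGNORECASE)


def first_token(cmd: str) -> str:
    """Return the program part of a Run value, honouring quotes around paths with spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def path_reasons(path: str) -> list:
    """Heuristics that apply to any file path, whatever the entry type."""
    reasons = []
    if WINDOWS_ROOT_RE.match(path):
        reasons.append("executable placed directly in the Windows folder")
    if "?" in path or any(ord(c) > 127 for c in path):
        reasons.append("path contains '?' or non-ASCII characters (look-alike name)")
    return reasons


def flag_entries(log_text: str) -> list:
    """Parse HijackThis lines and return the entries worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            reasons = path_reasons(m["path"])
            if m["name"] == "(no name)":
                reasons.append("BHO without a display name")
            if reasons:
                findings.append(Finding(line, m["path"], reasons))
            continue
        m = O4_RE.match(line)
        if m:
            if m["cmd"].startswith("NA ("):      # HijackThis placeholder for other users' hives
                continue
            exe = first_token(m["cmd"])
            qualified = ":\\" in exe
            reasons = (path_reasons(exe) if qualified
                       else ["unqualified file name, resolved through the search path"])
            if "Policies\\Explorer\\Run" in m["key"]:
                reasons.append("autostart via Policies\\Explorer\\Run (rarely used by legitimate software)")
            if reasons:
                findings.append(Finding(line, exe if qualified else "", reasons))
            continue
        m = O20_RE.match(line)
        if m:
            reasons = path_reasons(m["path"])
            reasons.append("Winlogon Notify DLL, loaded into winlogon.exe at every logon")
            findings.append(Finding(line, m["path"], reasons))
    return findings


def combofix_file_script(findings: list) -> str:
    """Build a File:: block like the one in the helper's post.
    Only fully qualified paths are listed, each once (case-insensitive)."""
    seen, paths = set(), []
    for f in findings:
        key = f.path.lower()
        if f.path and key not in seen:
            seen.add(key)
            paths.append(f.path)
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    hits = flag_entries(SAMPLE_HJT_LOG)
    for h in hits:
        print(h.line)
        for r in h.reasons:
            print("    -", r)
    print()
    print(combofix_file_script(hits))
```

Review the printed reasons before saving the generated block as ComboFix-Do.txt: ComboFix deletes whatever File:: lists, so the script is a triage aid for deciding what to show a helper, not a substitute for the review the thread's helper does by hand.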
 
Thanks for the help, but for some reasons the popups are already gone. Thanks again!


~Jordan
 
The popups may well be gone but there's still plenty of malware present on your computer. If you want the malware banished, please follow my last set of instructions and post the requested log files. ;)
 