Bogus infection warnings and browser hijacking

mikky_h
2007-02-07, 17:55
Hello,

After browsing some unfamiliar websites recently I suddenly started getting warnings appearing from the system tray telling me I had various adware, spyware and virus infections. In addition to this, some virus checking software had apparently been installed without my knowledge and my browser was being hijacked, diverting me to a page that was designed to appear as the Windows XP SP2 Security Center. Clicking on the warnings led me to various decontamination tools that the spywarewarrior.com website lists as untrustworthy (e.g. antivirmins). I was also getting popups for the same products.

After reading the spywarewarrior.com website, it was obvious that these were bogus warnings trying to get me to subscribe to the products I was being directed towards.

I deleted as many of the programs that had installed themselves as I could, ran my BitDefender virus checker and Spybot S&D programs, removing as much malicious material as possible. I then followed the instructions of the forum, checking with the Panda scanner and running Spybot from Safe Mode. However, the warnings are still appearing.

Below is the log from the Panda scan:



Incident Status Location

Adware:Adware/VideoActiveXObject Not disinfected C:\Program Files\Video ActiveX Object\PMUNST.EXE
Adware:Adware/PestTrap Not disinfected C:\Documents and Settings\Bryan Hammons\Local Settings\Temporary Internet Files\Content.IE5\CHKZ8ZYV\protectionwarning[1].htm
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Bryan Hammons\Cookies\bryan hammons@com[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Bryan Hammons\Cookies\bryan hammons@casalemedia[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Bryan Hammons\Cookies\bryan hammons@ad.yieldmanager[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Bryan Hammons\Cookies\bryan hammons@trafficmp[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Bryan Hammons\Cookies\bryan hammons@bluestreak[1].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Bryan Hammons\Cookies\bryan hammons@adtech[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Bryan Hammons\Cookies\bryan hammons@zedo[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Bryan Hammons\Cookies\bryan hammons@ads.pointroll[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Bryan Hammons\Cookies\bryan hammons@questionmarket[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Bryan Hammons\Cookies\bryan hammons@serving-sys[2].txt
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Bryan Hammons\Cookies\bryan hammons@stat.onestat[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Bryan Hammons\Cookies\bryan hammons@2o7[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Bryan Hammons\Cookies\bryan hammons@bs.serving-sys[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Bryan Hammons\Cookies\bryan hammons@247realmedia[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Bryan Hammons\Cookies\bryan hammons@xiti[1].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Bryan Hammons\Cookies\bryan hammons@tradedoubler[2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Bryan Hammons\Cookies\bryan hammons@server.iad.liveperson[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Bryan Hammons\Cookies\bryan hammons@adrevolver[4].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Bryan Hammons\Cookies\bryan hammons@overture[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Bryan Hammons\Cookies\bryan hammons@adrevolver[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Bryan Hammons\Cookies\bryan hammons@drivecleaner[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Bryan Hammons\Cookies\bryan hammons@stats.drivecleaner[2].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Bryan Hammons\Cookies\bryan hammons@errorsafe[1].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Bryan Hammons\Cookies\bryan hammons@www.errorsafe[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Bryan Hammons\Cookies\bryan hammons@www.drivecleaner[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Bryan Hammons\Application Data\Mozilla\Firefox\Profiles\vdbd1a14.default\COOKIES.TXT[.advertising.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Bryan Hammons\Application Data\Mozilla\Firefox\Profiles\vdbd1a14.default\COOKIES.TXT[.tribalfusion.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Bryan Hammons\Application Data\Mozilla\Firefox\Profiles\vdbd1a14.default\COOKIES.TXT[.atdmt.com/]
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Bryan Hammons\Application Data\Mozilla\Firefox\Profiles\vdbd1a14.default\COOKIES.TXT[.yadro.ru/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Bryan Hammons\Application Data\Mozilla\Firefox\Profiles\vdbd1a14.default\COOKIES.TXT[.adrevolver.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Bryan Hammons\Application Data\Mozilla\Firefox\Profiles\vdbd1a14.default\COOKIES.TXT[.c5.zedo.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Bryan Hammons\Application Data\Mozilla\Firefox\Profiles\vdbd1a14.default\COOKIES.TXT[.com.com/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Bryan Hammons\Application Data\Mozilla\Firefox\Profiles\vdbd1a14.default\COOKIES.TXT[.drivecleaner.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Bryan Hammons\Application Data\Mozilla\Firefox\Profiles\vdbd1a14.default\COOKIES.TXT[.questionmarket.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Bryan Hammons\Application Data\Mozilla\Firefox\Profiles\vdbd1a14.default\COOKIES.TXT[.zedo.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Bryan Hammons\Application Data\Mozilla\Firefox\Profiles\vdbd1a14.default\COOKIES.TXT[ad.yieldmanager.com/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Bryan Hammons\Application Data\Mozilla\Firefox\Profiles\vdbd1a14.default\COOKIES.TXT[stats.drivecleaner.com/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Bryan Hammons\Application Data\Mozilla\Firefox\Profiles\vdbd1a14.default\COOKIES.TXT[www.drivecleaner.com/]

mikky_h
2007-02-07, 17:55
And the log from the HijackThis scan:


Logfile of HijackThis v1.99.1
Scan saved at 15:27:32, on 07/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\cisvc.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Video ActiveX Object\isamntr.exe
C:\Program Files\Video ActiveX Object\pmsnrr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\essspk.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Video ActiveX Object\pmmnt.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\vsnpstd2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Video ActiveX Object\isamini.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Logitech\QuickCam10\COCIManager.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tesco.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tesco internet access
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program Files\Video ActiveX Object\isadd.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O3 - Toolbar: Protection Bar - {84938242-5C5B-4A55-B6B9-A1507543B418} - C:\Program Files\Video ActiveX Object\iesplugin.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TrustInstaller] G:\Setup.exe
O4 - HKLM\..\Run: [Creative AGP Wizard] C:\Program Files\Creative\AGPWizard\Agpwiz.exe -startup
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.tesco.net
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A49212EB-9772-44B0-8563-A579D8646145}: NameServer = 212.139.132.6 212.139.132.7
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: exemplars - {2acf3add-34a1-4f2f-99cf-cc69785d1e90} - C:\WINDOWS\system32\cwgppb.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

Please help get this poop off my computer! THANKS IN ADVANCE!
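
The two logs above are the raw material a helper works from, and the useful step is to correlate them: the Panda scan names one file under C:\Program Files\Video ActiveX Object, while the HijackThis log shows a BHO (O2), a toolbar (O3) and four running processes loading from that same directory. The script below is an added example, not code from this thread or from HijackThis, Panda or Spybot. It parses the HijackThis 1.99.1 line formats seen above from a constructed excerpt of the posted log, lists every hook and process that shares a directory with a scanner-detected file, and emits two generic review prompts (a Run entry launched from a non-system drive, and an SSODL entry that is not one of the stock Windows shell objects). The DEFAULT_SSODL list and both heuristics are this example's own assumptions; they produce items for a person to check, not malware verdicts.

```python
"""Correlate scanner detections with HijackThis persistence hooks (added example, not thread code)."""
import re
from collections import defaultdict

# Constructed sample: an excerpt of the HijackThis 1.99.1 log posted above.
SAMPLE_HJT = r"""Running processes:
C:\Program Files\Video ActiveX Object\isamntr.exe
C:\Program Files\Video ActiveX Object\pmsnrr.exe
C:\Program Files\Video ActiveX Object\pmmnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Video ActiveX Object\isamini.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program Files\Video ActiveX Object\isadd.dll
O3 - Toolbar: Protection Bar - {84938242-5C5B-4A55-B6B9-A1507543B418} - C:\Program Files\Video ActiveX Object\iesplugin.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TrustInstaller] G:\Setup.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O21 - SSODL: exemplars - {2acf3add-34a1-4f2f-99cf-cc69785d1e90} - C:\WINDOWS\system32\cwgppb.dll
"""
# The file the Panda scan in this thread reported as "Not disinfected".
SAMPLE_DETECTIONS = [r"C:\Program Files\Video ActiveX Object\PMUNST.EXE"]

CLSID = r"\{(?P<clsid>[0-9A-Fa-f-]{36})\}"
HOOK_RE = {  # HijackThis line formats for the hook types handled here
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - " + CLSID + r" - (?P<path>.+)$"),
    "O3": re.compile(r"^O3 - Toolbar: (?P<name>.*?) - " + CLSID + r" - (?P<path>.+)$"),
    "O4": re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"),
    "O21": re.compile(r"^O21 - SSODL: (?P<name>.*?) - " + CLSID + r" - (?P<path>.+)$"),
}

def command_path(cmd):
    """Best-effort file path behind a Run value; None for bare names resolved via PATH."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # "C:\quoted path\x.exe" /args
        return cmd.split('"')[1]
    m = re.match(r"(?i)rundll32(?:\.exe)?\s+([^,]+)", cmd)
    if m:                                        # RUNDLL32.EXE C:\...\x.dll,Entry
        return m.group(1).strip()
    # unquoted path, possibly with spaces: take up to the first executable extension
    m = re.match(r"(?i)^([A-Za-z]:\\.*?\.(?:exe|dll|cpl|scr))", cmd)
    return m.group(1) if m else None

def parse_hjt(text):
    """Return (running_processes, hooks); each hook is a dict with section/name/path."""
    processes, hooks, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs and line:                    # process list ends at the first blank line
            processes.append(line)
            continue
        in_procs = False
        for section, rx in HOOK_RE.items():
            m = rx.match(line)
            if m:
                d = m.groupdict()
                path = command_path(d["cmd"]) if "cmd" in d else d["path"]
                hooks.append({"section": section, "name": d["name"], "path": path})
                break
    return processes, hooks

def dirname(path):
    return path.rsplit("\\", 1)[0].lower() if path and "\\" in path else None

def related_hooks(detections, processes, hooks):
    """Every process and hook loading from a directory that holds a scanner-detected file."""
    flagged = {dirname(p) for p in detections}
    out = defaultdict(list)
    for p in processes:
        if dirname(p) in flagged:
            out[dirname(p)].append(("process", p))
    for h in hooks:
        if dirname(h["path"]) in flagged:
            out[dirname(h["path"])].append((h["section"], h["path"]))
    return dict(out)

# Assumption of this example: DLLs behind a stock XP SP2 ShellServiceObjectDelayLoad key
# (HijackThis hides those, so they never appear in a log). Verify against a clean machine.
DEFAULT_SSODL = {"shell32.dll", "webcheck.dll", "stobject.dll"}

def review_items(hooks, system_drive="C:"):
    """Generic prompts for a human to check; these are not malware verdicts."""
    items = []
    for h in hooks:
        p = h["path"]
        if h["section"] == "O4" and p and not p.upper().startswith(system_drive.upper()):
            items.append(f"O4 [{h['name']}] runs {p} from a non-system drive at logon")
        if h["section"] == "O21" and (p or "").rsplit("\\", 1)[-1].lower() not in DEFAULT_SSODL:
            items.append(f"O21 SSODL '{h['name']}' loads {p}, not a stock shell object")
    return items

if __name__ == "__main__":
    procs, hooks = parse_hjt(SAMPLE_HJT)
    for d, items in related_hooks(SAMPLE_DETECTIONS, procs, hooks).items():
        print(d, *(f"\n  {kind:8} {path}" for kind, path in items))
    for msg in review_items(hooks):
        print("REVIEW:", msg)
```

Run as a script it prints the six entries sharing the Video ActiveX Object directory with the Panda hit, plus the two review prompts. For a real case, pass the full HijackThis text to parse_hjt and the scanner's "Not disinfected" paths to related_hooks; the point is that one AV detection usually marks an entire install, and the siblings the scanner skipped (running processes, BHO, toolbar) are what keep the warnings coming back.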

pskelley
2007-02-09, 01:05
Welcome to the forum, I will do my best to help you clean up your computer if you will take the time to read these instructions again:
"BEFORE you POST" -Preliminary Steps
http://forums.spybot.info/showthread.php?t=288
You said this:

"I then followed the instructions of the forum"

and the instructions say this:

"All logs should be copy/pasted into topic and not attached unless requested by helper in that format."

Since it is your computer we are working on, I cannot tell you how important it is that all instructions are read and followed carefully. Copy and paste all information from this point on unless I request otherwise.

Please follow the instructions in this link, use Post Reply to stay in this same topic.
http://forums.spybot.info/showthread.php?t=4015

Thanks

mikky_h
2007-02-09, 10:56
Many apologies, I didn't realise that putting the logs in quotation boxes violated the instructions. I will follow the instructions on the link you provided and get back to you.

Thanks.

tashi
2007-02-19, 10:50
This topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.