Malware Prob

BWillia

New member
I recently was affected with some bad malware. I've tried running the following spyware programs to attempt to zap this from my system: Ad-aware SE, Spybot S&D, AVG Anti-spyware, Panda Antivirus, and SpyCatcher. None of these have fully cleaned my system. Symptoms are the usual: pop-up windows both inside my browser and outside. It doesn't seem to activate until I open my browser after first powering up.

Here's my log:

Logfile of HijackThis v1.99.1
Scan saved at 9:24:26 PM, on 4/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
G:\Program Files\Windows Defender\MsMpEng.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv51.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
g:\program files\panda software\panda antivirus + firewall 2007\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
G:\Program Files\Diskeeper\DkService.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
G:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\WhiteCanyon\SecureClean 4\scregmanager4.exe
C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe
G:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
G:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
G:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\wscntfy.exe
G:\Program Files\Mozilla Firefox\firefox.exe
G:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Brett's Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - G:\Program Files\SpyCatcher 2006\SCActiveBlock.dll
O2 - BHO: (no name) - {5689A996-459E-44AE-832D-2DE47478DF76} - C:\WINDOWS\system32\wvurr.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\htwfflyo.dll (file missing)
O2 - BHO: (no name) - {E1DADA05-3E74-43B0-B3CE-FC347DB7C76B} - C:\WINDOWS\system32\pmnlkih.dll (file missing)
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [SecureClean4RegManager] "C:\Program Files\WhiteCanyon\SecureClean 4\scregmanager4.exe"
O4 - HKLM\..\Run: [SecureClean4Tray] "C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe"
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] G:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "G:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "G:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "G:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SpyCatcher Reminder] "G:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
O4 - HKLM\..\Run: [APVXDWIN] "G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [CursorXP] G:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Scheduler.lnk = G:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: SpyCatcher Protector.lnk = G:\Program Files\SpyCatcher 2006\Protector.exe
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://*.excite.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121385835968
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: interceptor.dll
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: pmnlkih - pmnlkih.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wvurr - C:\WINDOWS\system32\wvurr.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - G:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - G:\Program Files\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv51.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - g:\program files\panda software\panda antivirus + firewall 2007\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - G:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: SCWatch 4.0 - WhiteCanyon Inc. - C:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Thanks in advance for your help!
 
In attempting to be proactive, I decided to try and run VundoFix 6.3.19 with instructions from another post. My problem still exists...here's my new log:

Logfile of HijackThis v1.99.1
Scan saved at 10:00:52 PM, on 4/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
G:\Program Files\Windows Defender\MsMpEng.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv51.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
g:\program files\panda software\panda antivirus + firewall 2007\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
G:\Program Files\Diskeeper\DkService.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
G:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\apvxdwin.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\WhiteCanyon\SecureClean 4\scregmanager4.exe
C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe
G:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
G:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
G:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
g:\program files\panda software\panda antivirus + firewall 2007\WebProxy.exe
G:\Program Files\Mozilla Firefox\firefox.exe
G:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Brett's Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - G:\Program Files\SpyCatcher 2006\SCActiveBlock.dll
O2 - BHO: (no name) - {5689A996-459E-44AE-832D-2DE47478DF76} - C:\WINDOWS\system32\wvurr.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\htwfflyo.dll (file missing)
O2 - BHO: (no name) - {E1DADA05-3E74-43B0-B3CE-FC347DB7C76B} - C:\WINDOWS\system32\pmnlkih.dll (file missing)
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [SecureClean4RegManager] "C:\Program Files\WhiteCanyon\SecureClean 4\scregmanager4.exe"
O4 - HKLM\..\Run: [SecureClean4Tray] "C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe"
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] G:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "G:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "G:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "G:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SpyCatcher Reminder] "G:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
O4 - HKLM\..\Run: [APVXDWIN] "G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [CursorXP] G:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Scheduler.lnk = G:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: SpyCatcher Protector.lnk = G:\Program Files\SpyCatcher 2006\Protector.exe
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://*.excite.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121385835968
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: interceptor.dll
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: pmnlkih - pmnlkih.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - G:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - G:\Program Files\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv51.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - g:\program files\panda software\panda antivirus + firewall 2007\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - G:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: SCWatch 4.0 - WhiteCanyon Inc. - C:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 
Sorry, forgot to post my VundoFix log from the above step.


VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 8:35:22 PM 4/18/2007

Listing files found while scanning....

C:\WINDOWS\system32\rruvw.bak1
C:\WINDOWS\system32\rruvw.ini
C:\WINDOWS\system32\wvurr.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\rruvw.bak1
C:\WINDOWS\system32\rruvw.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rruvw.ini
C:\WINDOWS\system32\rruvw.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvurr.dll
C:\WINDOWS\system32\wvurr.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...
 
Welcome to the forum, sometimes pro-active is good and other times it is not. Reading and following the directions is always good:
"BEFORE you POST" Mandatory Steps Before Requesting Assistance
http://forums.spybot.info/showthread.php?t=288
I don't know if you are following this information or not:
http://forums.spybot.info/showthread.php?t=4394
But let me give you a little information about this junk:
Please understand these hackers can call their junk anything they wish. Vundofix may not know the files at first, but it will learn. You want to run the fix until you see all Vundo files say: "Has been deleted"
Since there is a class action involving this one, you may want to view this information:
http://www.networkworld.com/news/2007/030807-mystery-around-winfixer-slowly-unravels.html
http://www.youtube.com/watch?v=zBUZHiKhsog

One thing I know that can cause the fix problems is out-of-date Java programs, which can also get you the infections, see this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
You are running an old version: Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
and the fix even told you that. Start by downloading the newest Java version and uninstall all old versions in add remove programs.

Next, the fix needs time to learn the bad files and remove them. I have seen it take as many as six runs; once in a while it will not remove a file at all, but that is rare. Here is your issue, and you can also see it in your HJT log:
Attempting to delete C:\WINDOWS\system32\wvurr.dll
C:\WINDOWS\system32\wvurr.dll Could not be deleted.
Until you kill it all it will morph and put itself back, nice stuff huh?
Run the fix until it removes the junk, then post the Vundofix log and a new HJT log and I will see what is left to do.

Thanks
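As an added illustration of the triage pskelley walks through above (an example written for this page, not code from the thread, from HijackThis or from VundoFix): the script parses the O2 BHO and O20 lines of the posted HJT log, flags nameless BHOs, registrations whose file is gone, and a DLL that is hooked both as a BHO and as a Winlogon Notify package, and then checks a file listing for the reversed-name companion that the VundoFix output shows (wvurr.dll next to rruvw.ini and rruvw.bak1). The log lines and the file list are constructed from the posts above; every flag is a reason to look, not a verdict, so entries such as interceptor.dll or avldr.dll are only surfaced for review.

```python
import re
from collections import defaultdict

# Sample input constructed from the HJT log posted above (not a live scan).
SAMPLE_HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5689A996-459E-44AE-832D-2DE47478DF76} - C:\WINDOWS\system32\wvurr.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\htwfflyo.dll (file missing)
O2 - BHO: (no name) - {E1DADA05-3E74-43B0-B3CE-FC347DB7C76B} - C:\WINDOWS\system32\pmnlkih.dll (file missing)
O20 - AppInit_DLLs: interceptor.dll
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: pmnlkih - pmnlkih.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wvurr - C:\WINDOWS\system32\wvurr.dll
"""

# Constructed stand-in for a system32 directory listing; the first three names
# are the files VundoFix reported in the post above.
SAMPLE_SYSTEM32_FILES = ["rruvw.bak1", "rruvw.ini", "wvurr.dll", "avldr.dll", "WgaLogon.dll"]

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+?)(?P<missing> \(file missing\))?$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")


def basename(path):
    """Last path component, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def parse_hjt(log_text):
    """Turn O2 BHO / O20 lines into dicts; other HJT sections are ignored."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = BHO_RE.match(line)
        if m:
            entries.append({"kind": "BHO", "name": m["name"], "clsid": m["clsid"],
                            "dll": basename(m["path"]), "missing": bool(m["missing"])})
            continue
        m = NOTIFY_RE.match(line)
        if m:
            entries.append({"kind": "WinlogonNotify", "name": m["key"],
                            "dll": basename(m["path"]), "missing": bool(m["missing"])})
            continue
        m = APPINIT_RE.match(line)
        if m:
            for dll in m["dlls"].split(","):
                entries.append({"kind": "AppInit", "name": dll.strip(),
                                "dll": basename(dll.strip()), "missing": False})
    return entries


def triage(entries, system32_files):
    """Return {dll_name: [reasons]} for DLLs that deserve a second look."""
    reasons = defaultdict(list)
    kinds_by_dll = defaultdict(set)
    for e in entries:
        kinds_by_dll[e["dll"].lower()].add(e["kind"])
    files_lower = {f.lower() for f in system32_files}

    for e in entries:
        dll = e["dll"].lower()
        if e["kind"] == "BHO" and e["name"] == "(no name)":
            reasons[dll].append("BHO registered without a name")
        if e["missing"]:
            reasons[dll].append("%s entry points at a file that is gone (stale registration)" % e["kind"])
        if e["kind"] == "AppInit":
            reasons[dll].append("loaded into every process via AppInit_DLLs")

    for dll, kinds in kinds_by_dll.items():
        # The pattern in the posted log: wvurr.dll is both a BHO and a Winlogon Notify package.
        if "BHO" in kinds and "WinlogonNotify" in kinds:
            reasons[dll].append("same DLL is both a BHO and a Winlogon Notify package (Vundo-style double hook)")
        # Reversed-name companion: wvurr.dll <-> rruvw.ini / rruvw.bak1 in the VundoFix output.
        stem = dll.rsplit(".", 1)[0]
        companions = sorted(f for f in files_lower if f.rsplit(".", 1)[0] == stem[::-1])
        if companions:
            reasons[dll].append("reversed-name companion file(s) present: %s" % ", ".join(companions))
    return dict(reasons)


if __name__ == "__main__":
    findings = triage(parse_hjt(SAMPLE_HJT_LOG), SAMPLE_SYSTEM32_FILES)
    for dll in sorted(findings):
        print(dll)
        for why in findings[dll]:
            print("    -", why)
```

Feed it a real log by replacing SAMPLE_HJT_LOG with the file contents and SAMPLE_SYSTEM32_FILES with `os.listdir` of the system32 directory; stale entries (file missing) are leftovers to clean up in HJT, while the double-hooked DLL with a live file and a reversed-name .ini is the one that, as pskelley says, will keep coming back until the whole set is removed.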
 
Hello pskelley,
Thanks for responding to my request. I accept all punishments and beat-downs you may decide to throw upon me for not following all instructions and being too proactive.

I'm at work now, but I'll post a latest HJT log and VundoFix log (I've run VundoFix a few times since my last posting and it has come up empty) tonight. I used HJT to remove the wvurr.dll file (maybe a bad move), but I'm still getting the pop-ups.

As I said, "Captain Pro-active" here will accept all verbal abuse and punishment you can dish out. Feel free to vent. Although this spyware was a royal pain, trying to fix it was kinda fun....could I be a junior security expert in training? (Yes, I hear the groans from Florida clear up here in Delaware).

I'll post my results later tonight. Thanks again for your help with this.
 
P.S. I was afraid to keep posting HJT logs for fear of bumping...at least I read that part of the instructions properly.
 
VundoFix Log
-------------

VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 5:48:31 PM 4/20/2007

Listing files found while scanning....

No infected files were found.



Hijack This Log:
--------------
Logfile of HijackThis v1.99.1
Scan saved at 6:08:08 PM, on 4/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
G:\Program Files\Windows Defender\MsMpEng.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv51.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
g:\program files\panda software\panda antivirus + firewall 2007\firewall\PNMSRV.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
G:\Program Files\Diskeeper\DkService.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
G:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\WhiteCanyon\SecureClean 4\scregmanager4.exe
C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe
G:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
G:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
G:\Program Files\Windows Defender\MSASCui.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\apvxdwin.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
g:\program files\panda software\panda antivirus + firewall 2007\WebProxy.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
G:\Program Files\Mozilla Firefox\firefox.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\psimreal.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\avciman.exe
G:\Program Files\HijackThis\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Brett's Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - G:\Program Files\SpyCatcher 2006\SCActiveBlock.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [SecureClean4RegManager] "C:\Program Files\WhiteCanyon\SecureClean 4\scregmanager4.exe"
O4 - HKLM\..\Run: [SecureClean4Tray] "C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe"
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] G:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "G:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "G:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "G:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SpyCatcher Reminder] "G:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
O4 - HKLM\..\Run: [APVXDWIN] "G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [CursorXP] G:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Scheduler.lnk = G:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: SpyCatcher Protector.lnk = G:\Program Files\SpyCatcher 2006\Protector.exe
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://*.excite.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121385835968
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: interceptor.dll
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - G:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - G:\Program Files\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv51.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - g:\program files\panda software\panda antivirus + firewall 2007\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - G:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: SCWatch 4.0 - WhiteCanyon Inc. - C:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 
Also if it helps here's a log from running the online Panda Antivirus scan last night (nothing has been messed with on my system since then):


Incident Status Location

Adware:Adware/Lop Not disinfected C:\Documents and Settings\Daddy\Application Data\jugskindmags\once style.exe
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Daddy\Cookies\daddy@hitbox[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Daddy\Desktop\SmitfraudFix\Process.exe
 
Thanks for returning the information, I am still showing this:
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
If you have not removed the old versions of Java, please uninstall them in Add Remove programs.

I do not see LOP/C2 Media in your log: http://inetexplorer.mvps.org/data/lop.htm
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Daddy\Application Data\jugskindmags\ <<< Delete that folder
Navigate to that folder and delete it!!

C:\Documents and Settings\Daddy\Desktop\SmitfraudFix\ <<< delete that folder

G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\ <<< follow the instructions in this link to run that program, delete or quarantine anything it finds and post the scan report.
http://forums.security-central.us/showthread.php?t=3165

Post the AVG Anti-Spyware scan results and let me know how the computer is running.

Do you own this program? G:\Program Files\SpyCatcher 2006\SpyCatcher.exe

O15 - Trusted Zone: http://*.excite.com <<< are you sure that belongs in your "Trusted Zone"?

Thanks
 
Thanks. Dunno what happened with the Java Update...no other versions were showing in my add/remove programs (I had removed 2 other versions before updating to environment 6 update 1 which I verified on JAVA's site.) I uninstalled it, then reinstalled it again and verified it on JAVA's web site. However, running VundoFix STILL shows an old version even after rebooting:

---------------------------------------
VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 9:10:46 PM 4/20/2007

Listing files found while scanning....

No infected files were found.


---------------------------------------

I double checked my add/remove programs and still don't see any versions of Java except the environment 6, update 1 version. I'm really miffed on this one.


- I can't seem to delete the jugskindmags directory. When I try, I get a message which says "Cannot Delete...The directory is not empty." When I open it, I don't see any files inside and I do have the Tools-->Folder Options-->Show hidden files and folders checked.

- Successfully deleted the SmitfraudFix folder.

- AVG Results:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:16:03 PM 4/20/2007

+ Scan result:



G:\System Volume Information\_restore{B1BB2BF4-6A2B-4968-9528-9576A73B9521}\RP480\A0179605.exe -> Adware.RegistryDoc : Cleaned.
C:\Documents and Settings\Daddy\Cookies\daddy@cartoonnetwork.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Daddy\Cookies\daddy@arn.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Daddy\Cookies\daddy@getmusicfree.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.12:C:\Documents and Settings\Daddy\Application Data\Mozilla\Firefox\Profiles\default.3sr\cookies-1.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.6:C:\Documents and Settings\Daddy\Application Data\Mozilla\Firefox\Profiles\default.3sr\cookies-1.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.7:C:\Documents and Settings\Daddy\Application Data\Mozilla\Firefox\Profiles\default.3sr\cookies-1.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.8:C:\Documents and Settings\Daddy\Application Data\Mozilla\Firefox\Profiles\default.3sr\cookies-1.txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Daddy\Cookies\daddy@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.11:C:\Documents and Settings\Daddy\Application Data\Mozilla\Firefox\Profiles\default.3sr\cookies-1.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.14:C:\Documents and Settings\Daddy\Application Data\Mozilla\Firefox\Profiles\default.3sr\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.15:C:\Documents and Settings\Daddy\Application Data\Mozilla\Firefox\Profiles\default.3sr\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.22:C:\Documents and Settings\Daddy\Application Data\Mozilla\Firefox\Profiles\default.3sr\cookies-1.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.23:C:\Documents and Settings\Daddy\Application Data\Mozilla\Firefox\Profiles\default.3sr\cookies-1.txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Daddy\Cookies\daddy@revsci[2].txt -> TrackingCookie.Revsci : Cleaned.


::Report end



- Spycatcher 2006 was an application I downloaded from tenebril.com. I can uninstall it if need be.

- The http://*.excite.com in the trusted zone was something or other I had used awhile ago to allow me to login to excite's internet mail (had to have it for something which I can't remember now). We can remove it as it's no longer needed.

Thanks again for your help.
 
Forgot to mention how the comp is running...seems to be running a little better, but I'm still getting the pop-up windows.
 
Good morning and thanks for the feedback. Please post your uninstall list so I can have a look:
Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

The jugskindmags directory is, as I posted in the link for you, LOP/C2 Media, which is a pain; it usually gets installed with messengerplus because the EULA is not read. It can and will create popups. I am interested in where the popups are directing you. Vundo directs to rogue spyware products like Winfixer/errorsafe, etc.
We can run a tool which is complex or you can delete the folder manually, you know where it is located now. Boot to safe mode and do it:
http://www.bleepingcomputer.com/tutorials/tutorial61.html

Spycatcher 2006: if you don't own it, I suggest uninstalling it; Windows Defender will probably do a better job without another program running doing the same thing.

As far as your "Trusted Zone", I personally allow nothing in mine; that is a lot of access to your computer you are giving that website.

Cookies in Firefox: http://privacy.getnetwise.org/browsing/tools/firefox1/ffdisablecookies
http://www.mozilla.org/projects/security/pki/psm/help_21/using_priv_help.html

So...get rid of LOP, that should stop the popups, then post the uninstall list and a new HJT log for a last look along with your comments.

Thanks...Phil
 
Good Evening Phil,
Here's the latest:

- I booted to safe mode and successfully removed the jugskindmags directory , emptied my recycle bin, and verified it did not reappear on reboot.

- Here are some of the links that have been popping up:

http://www.jack.com
http://cnasq.com/home
http://www.smashits.com
http://www.count2.exitexchange.com
http://www.musicplustv.com
http://www.search123.com
http://c5.zedo.com
http://www.netster.com
http://www.pcsecurityshield.com
http://www.rootv.com
http://url.cpvfeed.com
http://www.netster.com
http://www.viduku.com
http://arn.aavalue.com
...and a few non-browser pop-ups such as Ebay (with "spyware" filled in the search box) and NESTER.

- I uninstalled Spycatcher 2006

- I removed the trusted zone of Excite.com in IE

- Here's the uninstall list from HJT:

µTorrent
7-Zip 3.13
Ad-Aware SE Personal
Adobe Download Manager 1.2 (Remove Only)
Adobe Photoshop CS
Adobe Reader 7.0
AirPlus XtremeG
AnalogX DLLArchive
ANIO Service
ANIWZCS2 Service
A-Ray Scanner 2.0.2.3
ATI - Software Uninstall Utility
ATI Display Driver
AVG Anti-Spyware 7.5
AVI MPEG Video Converter
AVI/MPEG/ASF/WMV Splitter 2.31
AVI/MPEG/RM/WMV Joiner 4.61
BitLord 1.1
BitTorrent 3.4.2
Boardmaker version 5
CachemanXP 1.1
Canon Camera Window for ZoomBrowser EX
Canon FV M10, OPTURA20 WIA Driver
Canon PhotoRecord
Canon Utilities PhotoStitch 3.1
Canon Utilities ZoomBrowser EX
Card Services Remote Access Toolkit
CleanUp!
ClrMamePro
CursorXP
DiscWizard for Windows
Diskeeper Professional Edition
DVD Decrypter (Remove Only)
DVD Shrink 3.2
DVD X Rescue
DVDXCopy Platinum 3.2.1
Easy CD & DVD Creator 6
Easy Graphic Converter 1.2
EAX4 Unified Redist
eMule
EPSON Scan! II
Family Lawyer 2004
Far Cry
Fraps (remove only)
Future Pinball
Google Video Player
Guild Wars
HijackThis 1.99.1
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Image Resizer Powertoy for Windows XP
Immersion TouchWare Gaming Trial
Java(TM) SE Runtime Environment 6 Update 1
Kazaa Lite Resurrection 0.0.8
K-Lite Codec Pack 2.79 Full
LifeGlobe Goldfish Aquarium
LimeWire PRO 4.10.9
Living Marine Aquarium 2 Full Screen Saver
Logitech SetPoint
Macromedia Flash Player 8
MadOnion.com/3DMark2001 SE
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Small Business
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (2.0.0.3)
MSI Live Update 3
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
NVIDIA Drivers
NvMixer
Panda ActiveScan
Panda Antivirus + Firewall 2007
PC Alert 4
PCBugDoctor version 1.0.0.4
PeerGuardian 2.0
Picasa 2
Pinnacle Hollywood FX 5
PowerQuest PartitionMagic 7.0
QuickTime
RealPlayer
RomCenter 2.62
Sansa Media Converter
Sansa Updater
SecureClean4
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Sierra Utilities
SmartSound Quicktracks Plugin
SP2 Connection Patcher
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Star Wars Jedi Knight Jedi Academy
Star Wars Republic Commando
Starcraft
Studio 9
Studio 9.1 Patch
SUPER © Version 2007.bld.21 (Jan 4, 2007)
TorrentAid v1.0
Tweak UI
TweakNow RegCleaner Standard
Ulead VideoStudio 8.0
Uniblue Registry Booster
Unique v1.01
Unlocker 1.8.5
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB929338)
Update for Windows XP (KB931836)
Virtual Desktop Manager Powertoy for Windows XP
Visual Pinball
What's Running 2.2
Winamp (remove only)
Window Washer 5
Windows Defender
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WingMan Software
WinPcap 3.1
WinRAR archiver
WM Recorder 11.0
WM Recorder 11.2
ZoneAlarm

--------------------------------------
Here's the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 7:58:53 PM, on 4/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
G:\Program Files\Windows Defender\MsMpEng.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv51.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
g:\program files\panda software\panda antivirus + firewall 2007\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
G:\Program Files\Diskeeper\DkService.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
G:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\apvxdwin.exe
C:\Program Files\WhiteCanyon\SecureClean 4\scregmanager4.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe
C:\WINDOWS\System32\svchost.exe
G:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
G:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
G:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
G:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
g:\program files\panda software\panda antivirus + firewall 2007\WebProxy.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
G:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
G:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
G:\Program Files\HijackThis\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Brett's Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - G:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [SecureClean4RegManager] "C:\Program Files\WhiteCanyon\SecureClean 4\scregmanager4.exe"
O4 - HKLM\..\Run: [SecureClean4Tray] "C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe"
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] G:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "G:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "G:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "G:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [APVXDWIN] "G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [CursorXP] G:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121385835968
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - G:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - G:\Program Files\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv51.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - g:\program files\panda software\panda antivirus + firewall 2007\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - G:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: SCWatch 4.0 - WhiteCanyon Inc. - C:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


- Lastly after doing all this, I was still getting the pop-up windows (after also deleting my cookies and privacy info in IE and Firefox).

As always, thanks for your help.

Regards,
Brett
 
Thanks for returning the information and the feedback, this one may be tough. I will look at the HJT log first:

O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - G:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
Use HJT to delete that line; it is not causing the problem, but with the missing file it is just clutter.

I see programs I do not know, but nothing that looks like malware. You should look to see if there is anything there you do not recognize; the same with the uninstall list.

Uninstall List.

Brett, you have a bunch of stuff I just do not know and any of it could be our problem. I have no way of knowing if one of these games is causing the adware popups. They often say free but rarely are and usually exact their price in adware. Take a look at the uninstall list. I see nothing that I can point at but I do not recognize a third of the stuff you have installed on your computer.

Let's move on and see if we can spot another reason. Since LOP was there, perhaps more is hiding, this tool will tell us:

1) Thanks to skate_punk_21 and anyone else who helped with this fix.

Please download NoLop to the Desktop from one of these links:
http://www.spywareedge.net/nolop/NoLop.exe
http://www.thespykiller.co.uk/forum/index.php?action=tpmod;dl=item16

Close any programs you have running since a reboot is required
Double click NoLop.exe to run it
Next, click the button labeled: Search and Destroy
<<your computer will now be scanned for infected files>> When the scan finishes, if infected, you are prompted to reboot
Click OK

Now click: REBOOT
A message should pop up from NoLop. If not, double click the program again and it will finish.
Please Post the contents of C:\NoLop.log along with a new HijackThis log

2) Let's check for a rootkit like this:
Please download F-Secure BlackLight Beta:
https://europe.f-secure.com/exclude/blacklight/index.shtml

Save it to its own folder on the Desktop
Double-click blbeta.exe to run the program
Click : Scan
A list of all items found is created

The list is in the BlackLight folder on the Desktop, and named fsbl.xxxxxxx.log (xxxxxxx are numbers).

Please provide the log created by BlackLight in your next reply.
Please don't fix anything, most if not all will be valid

Restart the computer and post the results of NoLop, the results of BlackLight and a new HJT log.

I appreciate any feedback you can provide, something happened at some point that caused these problems on your computer and I am interested in any thoughts you have.

Thanks
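A worked version of the triage Phil does by eye, added here as an example; it is not part of the original thread and not HijackThis code. It parses HJT-style log lines, flags entries whose target is "(file missing)" (clutter that HJT can fix), O23 services with no publisher string, O15 Trusted Zone entries and O20 Winlogon Notify DLLs, and prints a short report. The sample log is a constructed excerpt assembled from lines quoted in this thread; the section rules and the "cleanup"/"review" severity labels are my own assumptions, and the script makes no verdict about whether any particular entry is malicious.

```python
"""
Heuristic triage of HijackThis (HJT) v1.99-style log lines.

Added example; not HijackThis code and not from the forum thread.  It
mechanises the checks the helper applies by eye: entries whose target file
is missing (clutter that HJT can fix), services with no publisher string,
Trusted Zone grants, and Winlogon Notify DLLs.  The severity labels and
the per-section rules are assumptions for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: an excerpt assembled from lines quoted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - G:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O15 - Trusted Zone: http://*.excite.com
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""

# HJT entry lines start with a section tag (R0, R1, F0, N1, O2, O4, O23 ...).
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")


@dataclass
class Finding:
    section: str
    severity: str   # "cleanup": safe to fix in HJT; "review": verify by hand
    reason: str
    line: str


def parse_entries(log_text):
    """Return (section, body) pairs for every HJT entry line; headers are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(log_text):
    """Apply the heuristic rules and return a list of Finding objects."""
    findings = []
    for section, body in parse_entries(log_text):
        line = f"{section} - {body}"
        if "(file missing)" in body:
            findings.append(Finding(section, "cleanup",
                "target file is missing; the entry is clutter and can be fixed in HJT", line))
        if section == "O23" and " - Unknown owner - " in body:
            findings.append(Finding(section, "review",
                "service has no publisher string; confirm the binary by its path", line))
        if section == "O15":
            findings.append(Finding(section, "review",
                "Trusted Zone entry gives the site relaxed IE security settings", line))
        if section == "O20":
            findings.append(Finding(section, "review",
                "Winlogon Notify DLL loads at every logon; confirm its vendor", line))
    return findings


def severity_counts(findings):
    """Summarise findings as {severity: count}."""
    return dict(Counter(f.severity for f in findings))


def report(log_text):
    """Render findings as text, one block per entry, cleanup items first."""
    findings = sorted(triage(log_text), key=lambda f: f.severity)
    out = [f"[{f.severity}] {f.line}\n    {f.reason}" for f in findings]
    out.append(f"-- {len(findings)} finding(s): {severity_counts(findings)}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a full saved HJT log instead of SAMPLE_LOG to get the same two buckets: "cleanup" lines can be ticked and fixed in HJT straight away, while "review" lines only tell you where to look (the path on disk, the file's publisher) and still need a human decision.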
 
Armed with my bowl of cookies and cream, I dive in....

- I ran NoLop and it came up empty. No issues found (couldn't post a log).

- Same thing happened with Blacklight. Here's the log:

04/21/07 21:12:30 [Info]: BlackLight Engine 1.0.61 initialized
04/21/07 21:12:30 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/21/07 21:12:30 [Note]: 7019 4
04/21/07 21:12:30 [Note]: 7005 0
04/21/07 21:12:38 [Note]: 7006 0
04/21/07 21:12:38 [Note]: 7011 236
04/21/07 21:12:38 [Note]: 7026 0
04/21/07 21:12:38 [Note]: 7026 0
04/21/07 21:12:43 [Note]: FSRAW library version 1.7.1021
04/21/07 21:19:58 [Note]: 2000 1012
04/21/07 21:20:11 [Note]: 7007 0



Here's the latest HJT log after removing that missing DLL:

Logfile of HijackThis v1.99.1
Scan saved at 9:29:31 PM, on 4/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
G:\Program Files\Windows Defender\MsMpEng.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv51.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
g:\program files\panda software\panda antivirus + firewall 2007\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
G:\Program Files\Diskeeper\DkService.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
G:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\WhiteCanyon\SecureClean 4\scregmanager4.exe
C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe
G:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
G:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
G:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
G:\Program Files\Windows Defender\MSASCui.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\APVXDWIN.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
G:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
g:\program files\panda software\panda antivirus + firewall 2007\WebProxy.exe
G:\Program Files\uTorrent\utorrent.exe
G:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
G:\Program Files\HijackThis\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Brett's Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [SecureClean4RegManager] "C:\Program Files\WhiteCanyon\SecureClean 4\scregmanager4.exe"
O4 - HKLM\..\Run: [SecureClean4Tray] "C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe"
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] G:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "G:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "G:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "G:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [APVXDWIN] "G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [CursorXP] G:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121385835968
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - G:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - G:\Program Files\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv51.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - g:\program files\panda software\panda antivirus + firewall 2007\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - G:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: SCWatch 4.0 - WhiteCanyon Inc. - C:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I do have a lot of programs, but most (except for some recent spyware scanners used to try and remedy this issue) existed prior to this problem. I do believe, though, that I know what happened. I had downloaded a torrent file called "Online TV Player 3.0.920." I'm usually pretty careful about looking at this kind of stuff, but I was careless on this one. Avast did pick up a trojan worm and blocked it (either during or after the patch file install). I actually went back out tonight and re-grabbed the torrent, so I now have the files used in the install (I of course didn't install it)...but figured it may help if you would like to see them.

Thanks,
Brett
 
Something else that may (or may not) be important - it appears that most (if not all at this point) of the pop-ups are using IE or some kind of other generic GUI window. I haven't seen a pop-up in Firefox for quite a while. Also, the pop-ups don't seem to start until I open a browser...they tend to come a little later after opening.
 
Let me just comment first that we are searching for a needle in a haystack. Different scanners will find different items and even though BlackLight is great, a super hidden rootkit could still be present.

I have no way to scan those torrent files, but you may use these free online scanners:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

You can also use Panda, I am sure it will scan individual files for you.

I need to make sure you do not have more than one user account. If you do, then I need to see a HJT log from each user while signed in to their account.

Remove NoLop and BlackLight from your computer.

To scan for hidden Smitfraud, download Smitfraudfix from here:
http://siri.geekstogo.com/SmitfraudFix.php
Follow ONLY these directions:

Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

_______________________________________________________

Credit: miekiemoes

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, see if you can click the icon next to the files found:
    check.gif
  • If so, click it and then click the next icon right below and select Move incurable, as you'll see in the next image:
    move.gif

    This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Files that were in use may only be moved/deleted during the reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

Post the report from Dr.Web and the C:\rapport.txt from Smitfraudfix. If you have multiple users, post their HJT log, labeled so we will know who they belong to.

Thanks
 
Here's the latest:

1) I ran Smitfraud. Here's the log:

SmitFraudFix v2.171

Scan done at 14:28:12.78, Sun 04/22/2007
Run from C:\Documents and Settings\Daddy\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
G:\Program Files\Windows Defender\MsMpEng.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv51.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
g:\program files\panda software\panda antivirus + firewall 2007\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
G:\Program Files\Diskeeper\DkService.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
G:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\WhiteCanyon\SecureClean 4\scregmanager4.exe
C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe
C:\WINDOWS\System32\svchost.exe
G:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
G:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
G:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
G:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
G:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\~.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Daddy


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Daddy\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Daddy\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NVIDIA nForce Networking Controller - Packet Scheduler Miniport
DNS Server Search Order: 71.242.0.12
DNS Server Search Order: 71.250.0.12

HKLM\SYSTEM\CCS\Services\Tcpip\..\{7E4B519D-0D82-437A-86CE-DBC28CEABCD6}: DhcpNameServer=71.242.0.12 71.250.0.12
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7E4B519D-0D82-437A-86CE-DBC28CEABCD6}: DhcpNameServer=71.242.0.12 71.250.0.12
HKLM\SYSTEM\CS2\Services\Tcpip\..\{7E4B519D-0D82-437A-86CE-DBC28CEABCD6}: DhcpNameServer=71.242.0.12 71.250.0.12
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=71.242.0.12 71.250.0.12
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=71.242.0.12 71.250.0.12
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=71.242.0.12 71.250.0.12


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



(more to come)....
 
(part 2)...

2) Dr.Web Cureit results:


PCBug Doctor v1.0.0.4 Trial to Full by Great Elmo!!.EXE;C:\Documents and Settings\All Users\Documents;Tool.GameCrack;Incurable.Moved.;
winsys2f.dll;C:\Documents and Settings\All Users\Documents\Settings;Probably BACKDOOR.Trojan;Incurable.Moved.;
winsys2f.dll~;C:\Documents and Settings\All Users\Documents\Settings;Probably BACKDOOR.Trojan;Incurable.Moved.;
tvplayer_setup.exe;C:\Documents and Settings\Daddy\Desktop\Online TV Player 3.0.920 Plus Crack;Trojan.Virtumod;Deleted.;
Process.exe;C:\Documents and Settings\Daddy\Desktop\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
1.dllb;C:\Documents and Settings\Daddy\Local Settings\Temp;Trojan.DownLoader.15909;Deleted.;
5.dllb;C:\Documents and Settings\Daddy\Local Settings\Temp;Trojan.Packed.64;Deleted.;
ma1x1ddv.game;C:\Documents and Settings\Daddy\Local Settings\Temp;Dialer.Maxd;Deleted.;
v3x1.g22me\data001;C:\Documents and Settings\Daddy\Local Settings\Temp\v3x1.g22me;Probably BACKDOOR.Trojan;;
v3x1.g22me\data002;C:\Documents and Settings\Daddy\Local Settings\Temp\v3x1.g22me;Probably BACKDOOR.Trojan;;
v3x1.g22me;C:\Documents and Settings\Daddy\Local Settings\Temp;Archive contains infected objects;Moved.;
v4x6.gam5e;C:\Documents and Settings\Daddy\Local Settings\Temp;Trojan.DownLoader.13046;Deleted.;
v5x2.g3ame;C:\Documents and Settings\Daddy\Local Settings\Temp;Trojan.DownLoader.20822;Deleted.;
v5x4.ga2me;C:\Documents and Settings\Daddy\Local Settings\Temp;Trojan.DownLoader.14813;Deleted.;
v6xt4.game;C:\Documents and Settings\Daddy\Local Settings\Temp;Trojan.Packed.38;Deleted.;
vx1t1.game;C:\Documents and Settings\Daddy\Local Settings\Temp;Trojan.Packed.68;Deleted.;
adv_4[1].exe;C:\Documents and Settings\Daddy\Local Settings\Temporary Internet Files\Content.IE5\NKCPG82O;Trojan.Packed.94;Deleted.;
hh[1].htm;C:\Documents and Settings\Daddy\Local Settings\Temporary Internet Files\Content.IE5\NKCPG82O;VBS.Psyme.239;Deleted.;
Process.exe;C:\RECYCLER\S-1-5-21-2000478354-1708537768-1060284298-1004\Dc7;Tool.Prockill;Incurable.Moved.;
A0176312.dll;C:\System Volume Information\_restore{B1BB2BF4-6A2B-4968-9528-9576A73B9521}\RP480;Trojan.Virtumod;Deleted.;
A0180966.dll;C:\System Volume Information\_restore{B1BB2BF4-6A2B-4968-9528-9576A73B9521}\RP484;Trojan.Virtumod;Deleted.;
A0182010.dll;C:\System Volume Information\_restore{B1BB2BF4-6A2B-4968-9528-9576A73B9521}\RP485;Trojan.Virtumod;Deleted.;
A0184061.exe;C:\System Volume Information\_restore{B1BB2BF4-6A2B-4968-9528-9576A73B9521}\RP485;Tool.Prockill;Incurable.Moved.;
A0184093.exe;C:\System Volume Information\_restore{B1BB2BF4-6A2B-4968-9528-9576A73B9521}\RP485;Tool.ShutDown.11;Incurable.Moved.;
A0184257.exe;C:\System Volume Information\_restore{B1BB2BF4-6A2B-4968-9528-9576A73B9521}\RP487;Tool.Prockill;Incurable.Moved.;
A0186768.exe;C:\System Volume Information\_restore{B1BB2BF4-6A2B-4968-9528-9576A73B9521}\RP488;Trojan.Virtumod;Deleted.;
A0186769.exe;C:\System Volume Information\_restore{B1BB2BF4-6A2B-4968-9528-9576A73B9521}\RP488;Tool.ShutDown.11;Incurable.Moved.;
wvurr.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
dlh9jkd1q5.exe;C:\WINDOWS\system32;Trojan.Packed.64;Deleted.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;Incurable.Moved.;
vexga4me1.exe\data001;C:\WINDOWS\system32\vexga4me1.exe;Probably BACKDOOR.Trojan;;
vexga4me1.exe\data002;C:\WINDOWS\system32\vexga4me1.exe;Probably BACKDOOR.Trojan;;
vexga4me1.exe;C:\WINDOWS\system32;Archive contains infected objects;Moved.;
~.exe;C:\WINDOWS\system32;Trojan.Packed.94;Deleted.;
backup-20070419-210907-411.dll;G:\Program Files\HijackThis\backups;Trojan.Virtumod;Deleted.;
A0186787.dll;G:\System Volume Information\_restore{B1BB2BF4-6A2B-4968-9528-9576A73B9521}\RP488;Trojan.Virtumod;Deleted.;
tvplayer_setup.exe;I:\Online TV Player 3.0.920 Plus Crack;Trojan.Virtumod;Deleted.;
A0186788.exe;I:\System Volume Information\_restore{B1BB2BF4-6A2B-4968-9528-9576A73B9521}\RP488;Trojan.Virtumod;Deleted.;

(part 3 below)...
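As an added example (not code from the thread or from Dr.Web), a small Python parser for the DrWeb.csv row layout posted above. It buckets each row by where the file was found, so that System Restore copies, archive members and the known tools (the Process.exe RiskTool noted earlier) are kept apart from detections in live system directories, which are the rows that say most about whether the machine is still infected. The sample rows are a constructed subset of the posted report.

```python
import re
from collections import Counter

# Constructed sample in the DrWeb.csv layout posted in the thread, a subset of its
# rows: name;directory;detection;action;  (action is empty for members of an archive)
SAMPLE_REPORT = r"""
winsys2f.dll;C:\Documents and Settings\All Users\Documents\Settings;Probably BACKDOOR.Trojan;Incurable.Moved.;
tvplayer_setup.exe;C:\Documents and Settings\Daddy\Desktop\Online TV Player 3.0.920 Plus Crack;Trojan.Virtumod;Deleted.;
Process.exe;C:\Documents and Settings\Daddy\Desktop\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
1.dllb;C:\Documents and Settings\Daddy\Local Settings\Temp;Trojan.DownLoader.15909;Deleted.;
v3x1.g22me\data001;C:\Documents and Settings\Daddy\Local Settings\Temp\v3x1.g22me;Probably BACKDOOR.Trojan;;
v3x1.g22me;C:\Documents and Settings\Daddy\Local Settings\Temp;Archive contains infected objects;Moved.;
A0176312.dll;C:\System Volume Information\_restore{B1BB2BF4-6A2B-4968-9528-9576A73B9521}\RP480;Trojan.Virtumod;Deleted.;
dlh9jkd1q5.exe;C:\WINDOWS\system32;Trojan.Packed.64;Deleted.;
~.exe;C:\WINDOWS\system32;Trojan.Packed.94;Deleted.;
"""

def parse_report(text):
    """Split DrWeb.csv rows into dicts; blank or short rows are skipped."""
    findings = []
    for line in text.splitlines():
        fields = line.split(";")
        if len(fields) < 4 or not fields[0]:
            continue
        name, directory, detection, action = fields[:4]
        # Drop the numeric variant suffix so Trojan.Packed.64 and .94 count as one family
        family = re.sub(r"\.\d+$", "", detection)
        findings.append({"name": name, "directory": directory, "detection": detection,
                         "action": action, "family": family})
    return findings

def classify(finding):
    """Bucket a row by how much it says about the live infection state."""
    directory = finding["directory"].lower()
    if not finding["action"]:
        return "archive_member"        # reported again under the parent archive's row
    if finding["family"].startswith("Tool."):
        return "tool_not_malware"      # e.g. Process.exe from SmitfraudFix (a RiskTool)
    if "\\system volume information\\" in directory:
        return "restore_point"         # inert unless System Restore rolls it back
    if re.match(r"^[a-z]:\\windows\\", directory):
        return "live_system_dir"       # the rows that matter most for reinfection
    return "user_profile"

def summarize(text):
    """Counts by bucket, family and action, plus the names found in live system dirs."""
    findings = parse_report(text)
    relevant = [f for f in findings if classify(f) not in ("archive_member", "tool_not_malware")]
    return {
        "by_bucket": Counter(classify(f) for f in findings),
        "by_family": Counter(f["family"] for f in relevant),
        "by_action": Counter(f["action"] for f in findings if f["action"]),
        "live_system_files": [f["name"] for f in findings if classify(f) == "live_system_dir"],
    }
```

Run `summarize(open("DrWeb.csv").read())` on a real saved report to get the same breakdown for a full log.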
 