PDA

View Full Version : Malware Prob



BWillia
2007-04-18, 04:24
I recently was affected with some bad malware. I've tried running the following spyware programs to attempt to zap this from my system: Ad-aware SE, Spybot S&D, AVG Anti-spyware, Panda Antivirus, and SpyCatcher. None of these have fully cleaned my system. Symptoms are the usual: pop-up windows both inside my browser and outside. It doesn't seem to activate until I open my browser after first powering up.

Here's my log:

Logfile of HijackThis v1.99.1
Scan saved at 9:24:26 PM, on 4/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
G:\Program Files\Windows Defender\MsMpEng.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv51.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
g:\program files\panda software\panda antivirus + firewall 2007\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
G:\Program Files\Diskeeper\DkService.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
G:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\WhiteCanyon\SecureClean 4\scregmanager4.exe
C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe
G:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
G:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
G:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\wscntfy.exe
G:\Program Files\Mozilla Firefox\firefox.exe
G:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Brett's Microsoft

Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - G:\Program

Files\SpyCatcher 2006\SCActiveBlock.dll
O2 - BHO: (no name) - {5689A996-459E-44AE-832D-2DE47478DF76} - C:\WINDOWS\system32\wvurr.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} -

C:\WINDOWS\system32\htwfflyo.dll (file missing)
O2 - BHO: (no name) - {E1DADA05-3E74-43B0-B3CE-FC347DB7C76B} -

C:\WINDOWS\system32\pmnlkih.dll (file missing)
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [SecureClean4RegManager] "C:\Program Files\WhiteCanyon\SecureClean

4\scregmanager4.exe"
O4 - HKLM\..\Run: [SecureClean4Tray] "C:\Program Files\WhiteCanyon\SecureClean

4\sctray4.exe"
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] G:\Program Files\D-Link\AirPlus

XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio

Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "G:\Program Files\Roxio\Easy CD Creator

6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "G:\Program Files\Roxio\Easy CD Creator

6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "G:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SpyCatcher Reminder] "G:\Program Files\SpyCatcher 2006\SpyCatcher.exe"

reminder
O4 - HKLM\..\Run: [APVXDWIN] "G:\Program Files\Panda Software\Panda Antivirus + Firewall

2007\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [CursorXP] G:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Scheduler.lnk = G:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: SpyCatcher Protector.lnk = G:\Program Files\SpyCatcher

2006\Protector.exe
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} -

http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} -

http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} -

http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network

Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} -

%windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://*.excite.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121385

835968
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -

http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -

http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: interceptor.dll
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: pmnlkih - pmnlkih.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wvurr - C:\WINDOWS\system32\wvurr.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} -

C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe

Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program

Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - G:\Program

Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies -

G:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program

Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - G:\Program

Files\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program

Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - G:\Program

Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program

Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - G:\Program

Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv51.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - g:\program

files\panda software\panda antivirus + firewall 2007\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - G:\Program Files\Panda

Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner -

%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - G:\Program

Files\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: SCWatch 4.0 - WhiteCanyon Inc. - C:\Program Files\WhiteCanyon\SecureClean

4\scwatch4.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - G:\Program Files\Panda Software\Panda

Antivirus + Firewall 2007\TPSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program

Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC -

C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Thanks in advance for your help!

BWillia
2007-04-18, 04:58
In attempting to be proactive, I decided to try and run Vundofix 6.3.19 with instructions from another post. My problems still exists...here's my new log:

Logfile of HijackThis v1.99.1
Scan saved at 10:00:52 PM, on 4/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
G:\Program Files\Windows Defender\MsMpEng.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv51.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
g:\program files\panda software\panda antivirus + firewall 2007\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
G:\Program Files\Diskeeper\DkService.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
G:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\apvxdwin.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\WhiteCanyon\SecureClean 4\scregmanager4.exe
C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe
G:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
G:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
G:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
g:\program files\panda software\panda antivirus + firewall 2007\WebProxy.exe
G:\Program Files\Mozilla Firefox\firefox.exe
G:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Brett's Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - G:\Program Files\SpyCatcher 2006\SCActiveBlock.dll
O2 - BHO: (no name) - {5689A996-459E-44AE-832D-2DE47478DF76} - C:\WINDOWS\system32\wvurr.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\htwfflyo.dll (file missing)
O2 - BHO: (no name) - {E1DADA05-3E74-43B0-B3CE-FC347DB7C76B} - C:\WINDOWS\system32\pmnlkih.dll (file missing)
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [SecureClean4RegManager] "C:\Program Files\WhiteCanyon\SecureClean 4\scregmanager4.exe"
O4 - HKLM\..\Run: [SecureClean4Tray] "C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe"
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] G:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "G:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "G:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "G:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SpyCatcher Reminder] "G:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
O4 - HKLM\..\Run: [APVXDWIN] "G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [CursorXP] G:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Scheduler.lnk = G:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: SpyCatcher Protector.lnk = G:\Program Files\SpyCatcher 2006\Protector.exe
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://*.excite.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121385835968
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: interceptor.dll
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: pmnlkih - pmnlkih.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - G:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - G:\Program Files\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv51.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - g:\program files\panda software\panda antivirus + firewall 2007\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - G:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: SCWatch 4.0 - WhiteCanyon Inc. - C:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

BWillia
2007-04-18, 05:44
Sorry, forgot to post my VendoFix from above step.


VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 8:35:22 PM 4/18/2007

Listing files found while scanning....

C:\WINDOWS\system32\rruvw.bak1
C:\WINDOWS\system32\rruvw.ini
C:\WINDOWS\system32\wvurr.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\rruvw.bak1
C:\WINDOWS\system32\rruvw.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rruvw.ini
C:\WINDOWS\system32\rruvw.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvurr.dll
C:\WINDOWS\system32\wvurr.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

pskelley
2007-04-19, 17:24
Welcome to the forum, sometimes pro-active is good and other times it is not. Reading and following the directions is always good:"
"BEFORE you POST" Mandatory Steps Before Requesting Assistance
http://forums.spybot.info/showthread.php?t=288
I don't know if you are following this information or not:
http://forums.spybot.info/showthread.php?t=4394
But let me give you a little information about this junk:
Please understand these hackers can call there junk anything they wish. Vundofix may not know the files at first, but it will learn. You want to run the fix until you see all Vundo files say: "Has been deleted"
Since there is a class action involving this one, you may want to view this information:
http://www.networkworld.com/news/2007/030807-mystery-around-winfixer-slowly-unravels.html
http://www.youtube.com/watch?v=zBUZHiKhsog

One thing I know that can cause the fix problems is out of date Java programs, that can also get you the infections, see this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2

You are running an old version: Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
and the fix even told you that. Start by downloading the newest Java version and uninstall all old versions in add remove programs.

Next, the fix needs time to learn the bad files and remove them. I have seen it take as many as six runs, once in a while it will not remove a file at all, but that is rare. Here is your issue, and you can also see it in your HJT log:
Attempting to delete C:\WINDOWS\system32\wvurr.dll
C:\WINDOWS\system32\wvurr.dll Could not be deleted.
Until you kill it all it will morph and put itself back, nice stuff huh?
Run the fix until it removes the junk, then post the Vundofix log and a new HJT log and I will see what is left to do.

Thanks

BWillia
2007-04-19, 22:51
Hello pskelley,
Thanks for responding to my request. I accept all punishments and beat-down's you may decide to throw upon me for not following all instructions and being too proactive.

I'm at work now, but I'll post a latest HJT log and Vundofix log (I've ran Vundofix a few times since my last posting and it has come up empty) tonight. I used HJT to remove the wvurr.dll file (maybe a bad move), but I'm still getting the pop-ups.

As I said, "Captain Pro-active" here will accept all verbal abuse and punishment you can dish out. Feel free to vent. Although this spyware was a royal pain, trying to fix it was kinda fun....could I be a junior security expert in training? (Yes, I hear the groans from Florida clear up here in Delaware).

I'll post my results later tonight. Thanks again for your help with this.

BWillia
2007-04-19, 22:52
P.S. I was afraid to keep posting HJT logs for fear of bumping...at least I read that part of the instructions properly. :red:

BWillia
2007-04-20, 01:09
VundoFix Log
-------------

VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 5:48:31 PM 4/20/2007

Listing files found while scanning....

No infected files were found.



Hijack This Log:
--------------
Logfile of HijackThis v1.99.1
Scan saved at 6:08:08 PM, on 4/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
G:\Program Files\Windows Defender\MsMpEng.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv51.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
g:\program files\panda software\panda antivirus + firewall 2007\firewall\PNMSRV.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
G:\Program Files\Diskeeper\DkService.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
G:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\WhiteCanyon\SecureClean 4\scregmanager4.exe
C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe
G:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
G:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
G:\Program Files\Windows Defender\MSASCui.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\apvxdwin.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
g:\program files\panda software\panda antivirus + firewall 2007\WebProxy.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
G:\Program Files\Mozilla Firefox\firefox.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\psimreal.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\avciman.exe
G:\Program Files\HijackThis\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Brett's Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - G:\Program Files\SpyCatcher 2006\SCActiveBlock.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [SecureClean4RegManager] "C:\Program Files\WhiteCanyon\SecureClean 4\scregmanager4.exe"
O4 - HKLM\..\Run: [SecureClean4Tray] "C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe"
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] G:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "G:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "G:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "G:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SpyCatcher Reminder] "G:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
O4 - HKLM\..\Run: [APVXDWIN] "G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [CursorXP] G:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Scheduler.lnk = G:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: SpyCatcher Protector.lnk = G:\Program Files\SpyCatcher 2006\Protector.exe
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://*.excite.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121385835968
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: interceptor.dll
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - G:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - G:\Program Files\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv51.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - g:\program files\panda software\panda antivirus + firewall 2007\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - G:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: SCWatch 4.0 - WhiteCanyon Inc. - C:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

BWillia
2007-04-20, 01:13
Also if it helps here's a log from running the online Panda Antivirus scan last night (nothing has been messed with on my system since then):


Incident Status Location

Adware:Adware/Lop Not disinfected C:\Documents and Settings\Daddy\Application Data\jugskindmags\once style.exe
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Daddy\Cookies\daddy@hitbox[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Daddy\Desktop\SmitfraudFix\Process.exe

pskelley
2007-04-20, 03:01
Thanks for returning the information, I am still showing this:

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.If you have not removed the old versions of Java, please uninstall them in Add Remove programs.

I do not see LOP/C2 Media in your log: http://inetexplorer.mvps.org/data/lop.htm
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Daddy\Application Data\jugskindmags\ <<< Delete that folder
Navigate to the folder in red and delete it!!

C:\Documents and Settings\Daddy\Desktop\SmitfraudFix\ <<< delete that folder in red

G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\ <<< follow the instructions in this link to run that program, delete or quarantine anything it finds and post the scan report.
http://forums.security-central.us/showthread.php?t=3165

Post the AVG Anti-Spyware scan results and let me know how the computer is running.

Do you own this program? G:\Program Files\SpyCatcher 2006\SpyCatcher.exe

O15 - Trusted Zone: http://*.excite.com <<< are you sure that belongs in your "Trusted Zone"?

Thanks

BWillia
2007-04-20, 05:17
Thanks. Dunno what happened with the Java Update...no other versions were showing in my add/remove programs (I had removed 2 other versions before updating to environment 6 update 1 which I verified on JAVA's site.) I uninstalled it, then reinstalled it again and verified it on JAVA's web site. However, running VundoFix STILL shows an old version even after rebooting:

---------------------------------------
VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 9:10:46 PM 4/20/2007

Listing files found while scanning....

No infected files were found.


---------------------------------------

I double checked my add/remove programs and still don't see any versions of Java except the environment 6, update 1 version. I'm really miffed on this one.


- I can't seem to delete the jugskindmags directory. When I try, I get a message which says "Cannot Delete...The directory is not empty." When I open it, I don't see any files inside and I do have the Tools-->Folder Options-->Show hidden files and folders checked.

- Successfully deleted the SmitfraudFix folder.

- AVG Results:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:16:03 PM 4/20/2007

+ Scan result:



G:\System Volume Information\_restore{B1BB2BF4-6A2B-4968-9528-9576A73B9521}\RP480\A0179605.exe -> Adware.RegistryDoc : Cleaned.
C:\Documents and Settings\Daddy\Cookies\daddy@cartoonnetwork.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Daddy\Cookies\daddy@arn.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Daddy\Cookies\daddy@getmusicfree.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.12:C:\Documents and Settings\Daddy\Application Data\Mozilla\Firefox\Profiles\default.3sr\cookies-1.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.6:C:\Documents and Settings\Daddy\Application Data\Mozilla\Firefox\Profiles\default.3sr\cookies-1.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.7:C:\Documents and Settings\Daddy\Application Data\Mozilla\Firefox\Profiles\default.3sr\cookies-1.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.8:C:\Documents and Settings\Daddy\Application Data\Mozilla\Firefox\Profiles\default.3sr\cookies-1.txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Daddy\Cookies\daddy@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.11:C:\Documents and Settings\Daddy\Application Data\Mozilla\Firefox\Profiles\default.3sr\cookies-1.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.14:C:\Documents and Settings\Daddy\Application Data\Mozilla\Firefox\Profiles\default.3sr\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.15:C:\Documents and Settings\Daddy\Application Data\Mozilla\Firefox\Profiles\default.3sr\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.22:C:\Documents and Settings\Daddy\Application Data\Mozilla\Firefox\Profiles\default.3sr\cookies-1.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.23:C:\Documents and Settings\Daddy\Application Data\Mozilla\Firefox\Profiles\default.3sr\cookies-1.txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Daddy\Cookies\daddy@revsci[2].txt -> TrackingCookie.Revsci : Cleaned.


::Report end



- Spycatcher 2006 was an application I downloaded from tenebril.com. I can uninstall it if need be.

- The http://*.excite.com in the trusted zone was something or other I had used awhile ago to allow me to login to excite's internet mail (had to have it for something which I can't remember now). We can remove it as it's no longer needed.

Thanks again for your help.

BWillia
2007-04-20, 05:26
Forgot to mention how the comp is running...seems to be running a little better, but I'm still getting the pop-up windows.

pskelley
2007-04-20, 14:27
Good morning and thanks for the feedback. Please post your uninstall list so I can have a look:
Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

The jugskindmags directory is as I posted in the link for you, LOP/C2 media which is a pain, usually gets installed with messengerplus because the EULA is not read. It can and will create popups. I am interested in where the popups are directing you. Vundo directs to rouge spyware products like Winfixer/errorsafe, etc.
We can run a tool which is complex or you can delete the folder manually, you know where it is located now. Boot to safe mode and do it:
http://www.bleepingcomputer.com/tutorials/tutorial61.html

Spycatcher 2006: if you don't own it, I suggest uninstalling it, Windows Defender will problably do a better job without another program running doing the same thing.

As far as your "TrustedZone", I personally allow nothing in mine, that is a lot of access to your computer you are giving that website.

Cookies in Firefox: http://privacy.getnetwise.org/browsing/tools/firefox1/ffdisablecookies
http://www.mozilla.org/projects/security/pki/psm/help_21/using_priv_help.html

So...get rid of LOP, that should stop the popups, then post the uninstall list and a new HJT log for a last look along with your comments.

Thanks...Phil

BWillia
2007-04-20, 18:58
Will do. I'm at work now, but will get you the results later this evening.

BWillia
2007-04-21, 03:07
Good Evening Phil,
Here's the latest:

- I booted to safe mode and successfully removed the jugskindmags directory , emptied my recycle bin, and verified it did not reappear on reboot.

- Here are some of the links that have been popping up:

http://www.jack.com
http://cnasq.com/home
http://www.smashits.com
http://www.count2.exitexchange.com
http://www.musicplustv.com
http://www.search123.com
http://c5.zedo.com
http://www.netster.com
http://www.pcsecurityshield.com
http://www.rootv.com
http://url.cpvfeed.com
http://www.netster.com
http://www.viduku.com
http://arn.aavalue.com
...and a few non-browser pop-ups such as Ebay (with "spyware" filled in the search box) and NESTER.

- I uninstalled Spycatcher 2006

- I removed the trusted zone of Excite.com in IE

- Here's the uninstall list from HJT:

µTorrent
7-Zip 3.13
Ad-Aware SE Personal
Adobe Download Manager 1.2 (Remove Only)
Adobe Photoshop CS
Adobe Reader 7.0
AirPlus XtremeG
AnalogX DLLArchive
ANIO Service
ANIWZCS2 Service
A-Ray Scanner 2.0.2.3
ATI - Software Uninstall Utility
ATI Display Driver
AVG Anti-Spyware 7.5
AVI MPEG Video Converter
AVI/MPEG/ASF/WMV Splitter 2.31
AVI/MPEG/RM/WMV Joiner 4.61
BitLord 1.1
BitTorrent 3.4.2
Boardmaker version 5
CachemanXP 1.1
Canon Camera Window for ZoomBrowser EX
Canon FV M10, OPTURA20 WIA Driver
Canon PhotoRecord
Canon Utilities PhotoStitch 3.1
Canon Utilities ZoomBrowser EX
Card Services Remote Access Toolkit
CleanUp!
ClrMamePro
CursorXP
DiscWizard for Windows
Diskeeper Professional Edition
DVD Decrypter (Remove Only)
DVD Shrink 3.2
DVD X Rescue
DVDXCopy Platinum 3.2.1
Easy CD & DVD Creator 6
Easy Graphic Converter 1.2
EAX4 Unified Redist
eMule
EPSON Scan! II
Family Lawyer 2004
Far Cry
Fraps (remove only)
Future Pinball
Google Video Player
Guild Wars
HijackThis 1.99.1
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Image Resizer Powertoy for Windows XP
Immersion TouchWare Gaming Trial
Java(TM) SE Runtime Environment 6 Update 1
Kazaa Lite Resurrection 0.0.8
K-Lite Codec Pack 2.79 Full
LifeGlobe Goldfish Aquarium
LimeWire PRO 4.10.9
Living Marine Aquarium 2 Full Screen Saver
Logitech SetPoint
Macromedia Flash Player 8
MadOnion.com/3DMark2001 SE
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Small Business
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (2.0.0.3)
MSI Live Update 3
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
NVIDIA Drivers
NvMixer
Panda ActiveScan
Panda Antivirus + Firewall 2007
PC Alert 4
PCBugDoctor version 1.0.0.4
PeerGuardian 2.0
Picasa 2
Pinnacle Hollywood FX 5
PowerQuest PartitionMagic 7.0
QuickTime
RealPlayer
RomCenter 2.62
Sansa Media Converter
Sansa Updater
SecureClean4
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Sierra Utilities
SmartSound Quicktracks Plugin
SP2 Connection Patcher
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Star Wars Jedi Knight Jedi Academy
Star Wars Republic Commando
Starcraft
Studio 9
Studio 9.1 Patch
SUPER © Version 2007.bld.21 (Jan 4, 2007)
TorrentAid v1.0
Tweak UI
TweakNow RegCleaner Standard
Ulead VideoStudio 8.0
Uniblue Registry Booster
Unique v1.01
Unlocker 1.8.5
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB929338)
Update for Windows XP (KB931836)
Virtual Desktop Manager Powertoy for Windows XP
Visual Pinball
What's Running 2.2
Winamp (remove only)
Window Washer 5
Windows Defender
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WingMan Software
WinPcap 3.1
WinRAR archiver
WM Recorder 11.0
WM Recorder 11.2
ZoneAlarm

--------------------------------------
Here's the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 7:58:53 PM, on 4/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
G:\Program Files\Windows Defender\MsMpEng.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv51.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
g:\program files\panda software\panda antivirus + firewall 2007\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
G:\Program Files\Diskeeper\DkService.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
G:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\apvxdwin.exe
C:\Program Files\WhiteCanyon\SecureClean 4\scregmanager4.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe
C:\WINDOWS\System32\svchost.exe
G:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
G:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
G:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
G:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
g:\program files\panda software\panda antivirus + firewall 2007\WebProxy.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
G:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
G:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
G:\Program Files\HijackThis\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Brett's Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - G:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [SecureClean4RegManager] "C:\Program Files\WhiteCanyon\SecureClean 4\scregmanager4.exe"
O4 - HKLM\..\Run: [SecureClean4Tray] "C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe"
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] G:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "G:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "G:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "G:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [APVXDWIN] "G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [CursorXP] G:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121385835968
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - G:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - G:\Program Files\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv51.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - g:\program files\panda software\panda antivirus + firewall 2007\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - G:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: SCWatch 4.0 - WhiteCanyon Inc. - C:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


- Lastly after doing all this, I was still getting the pop-up windows (after also deleting my cookies and privacy info in IE and Firefox).

As always, thanks for your help.

Regards,
Brett

pskelley
2007-04-21, 03:43
Thanks for returning the information and the feedback, this one may be though. I will look at the HJT log first:

O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - G:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
Use HJT to delete that line, not causing the problem but with the missing file, is just clutter.

I see programs I do not know, but nothing that looks like malware. You should look to see if you do not know anything that is there, the same with the uninstall list.

Uninstall List.

Brett, you have a bunch of stuff I just do not know and any of it could be our problem. I have no way of knowing if one of these games is causing the adware popups. They often say free but rarely are and usually exact their price in adware. Take a look at the uninstall list. I see nothing that I can point at but I do not recognize a third of the stuff you have installed on your computer.

Let's move on and see if we can spot another reason. Since LOP was there, perhaps more is hiding, this tool will tell us:

1) Thanks to skate_punk_21 and anyone else who helped with this fix.

Please download NoLop to the Desktop from one of these links:
http://www.spywareedge.net/nolop/NoLop.exe
http://www.thespykiller.co.uk/forum/index.php?action=tpmod;dl=item16

Close any programs you have running since a reboot is required
Double click NoLop.exe to run it
Next, click the button labeled: Search and Destroy
<<your computer will now be scanned for infected files>> When the scan finishes, if infected, you are prompted to reboot
Click OK

Now click: REBOOT
A Message should popup from NoLop. If not, double click the program again and it will finish.
Please Post the contents of C:\NoLop.log along with a new HijackThis log

2) Let's check for a rootkit like this:
Please download F-Secure BlackLight Beta:
https://europe.f-secure.com/exclude/blacklight/index.shtml

Save it to its own folder in the Desktop
Double-click blbeta.exe to run the program
Click : Scan
A list of all items found is created

The list is in the BlackLight folder on the Desktop, and named fsbl.xxxxxxx.log (xxxxxxx are numbers).

Please provide the log created by BlackLight in your next reply.
Please don't fix anything, most if not all will be valid

Restart the computer and post the results of NoLop, the results of BlackLight and a new HJT log.

I appreciate any feedback you can provide, something happened at some point that caused these problems on your computer and I am interested in any thoughts you have.

Thanks

BWillia
2007-04-21, 04:34
Armed with my bowl of cookies and cream, I dive in....

- I ran NoLop and it came up empty. No issues found (could't post a log).

- Same thing happend with Blacklight. Here's the log:

04/21/07 21:12:30 [Info]: BlackLight Engine 1.0.61 initialized
04/21/07 21:12:30 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/21/07 21:12:30 [Note]: 7019 4
04/21/07 21:12:30 [Note]: 7005 0
04/21/07 21:12:38 [Note]: 7006 0
04/21/07 21:12:38 [Note]: 7011 236
04/21/07 21:12:38 [Note]: 7026 0
04/21/07 21:12:38 [Note]: 7026 0
04/21/07 21:12:43 [Note]: FSRAW library version 1.7.1021
04/21/07 21:19:58 [Note]: 2000 1012
04/21/07 21:20:11 [Note]: 7007 0



Here's the latest HJT log after removing that missing DLL:

Logfile of HijackThis v1.99.1
Scan saved at 9:29:31 PM, on 4/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
G:\Program Files\Windows Defender\MsMpEng.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv51.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
g:\program files\panda software\panda antivirus + firewall 2007\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
G:\Program Files\Diskeeper\DkService.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
G:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\WhiteCanyon\SecureClean 4\scregmanager4.exe
C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe
G:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
G:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
G:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
G:\Program Files\Windows Defender\MSASCui.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\APVXDWIN.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
G:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
g:\program files\panda software\panda antivirus + firewall 2007\WebProxy.exe
G:\Program Files\uTorrent\utorrent.exe
G:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
G:\Program Files\HijackThis\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Brett's Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [SecureClean4RegManager] "C:\Program Files\WhiteCanyon\SecureClean 4\scregmanager4.exe"
O4 - HKLM\..\Run: [SecureClean4Tray] "C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe"
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] G:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "G:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "G:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "G:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [APVXDWIN] "G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [CursorXP] G:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121385835968
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - G:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - G:\Program Files\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv51.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - g:\program files\panda software\panda antivirus + firewall 2007\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - G:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: SCWatch 4.0 - WhiteCanyon Inc. - C:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I do have a lot of programs, but most (except for some recent spyware scanners used to try and remedy this issue) existed prior to this problem. I do believe though I know what happened. I had downloaded a torrent file called "Online TV Player 3.0.920." I'm usually pretty careful about looking at this kind of stuff, but I was careless on this one. Avast did pick up a trojan worm and blocked it (either during or after the patch file install). I actually went back out tonight and regrabbed the torrent so I now have the files used in the install (I of course didn't install it)...but figured it may help if you would like to see them.

Thanks,
Brett

BWillia
2007-04-21, 06:29
Something else that may (or may not) be important - it appears that most (if not all at this point) of the pop-ups are using IE or some kind of other generic GUI window. I haven't seen a pop-up in Firefox for quite awhile. Also, the pop-ups don't seem to start until I open a browser...they tend to come a little later after opening.

pskelley
2007-04-21, 13:10
Let me just comment first that we are searching for a needle in a haystack. Different scanners will find different items and even though BlackLight is great, a super hidden rootkit could still be present.

I have no way to scan those torrent files, but you may use these free online scanners:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

You can also use Panda, I am sure it will scan individual files for you.

I need to make sure you do not have more than one user Account. If you should, then I need to see a HJT log from each use while signed in to their account.

Remove NoLop and BlackLight from your computer.

To scan for hidden Smitfraud, download Smitfraudfix from here:
http://siri.geekstogo.com/SmitfraudFix.php Follow ONLY these directions:

Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

_______________________________________________________

Credit: miekiemoes

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found: http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
http://users.telenet.be/bluepatchy/miekiemoes/images/move.gif
This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.


Post the report from Dr.Web and the C:\rapport.txt from Smitfraudfix. If you have multiple users, post their HJT log, labeled so we will know who they belong to.

Thanks

BWillia
2007-04-21, 23:04
Here's the latest:

1) I ran Smitfraud. Here's the log:

SmitFraudFix v2.171

Scan done at 14:28:12.78, Sun 04/22/2007
Run from C:\Documents and Settings\Daddy\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
G:\Program Files\Windows Defender\MsMpEng.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv51.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
g:\program files\panda software\panda antivirus + firewall 2007\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
G:\Program Files\Diskeeper\DkService.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
G:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\WhiteCanyon\SecureClean 4\scregmanager4.exe
C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe
C:\WINDOWS\System32\svchost.exe
G:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
G:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
G:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
G:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
G:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\~.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Daddy


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Daddy\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Daddy\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NVIDIA nForce Networking Controller - Packet Scheduler Miniport
DNS Server Search Order: 71.242.0.12
DNS Server Search Order: 71.250.0.12

HKLM\SYSTEM\CCS\Services\Tcpip\..\{7E4B519D-0D82-437A-86CE-DBC28CEABCD6}: DhcpNameServer=71.242.0.12 71.250.0.12
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7E4B519D-0D82-437A-86CE-DBC28CEABCD6}: DhcpNameServer=71.242.0.12 71.250.0.12
HKLM\SYSTEM\CS2\Services\Tcpip\..\{7E4B519D-0D82-437A-86CE-DBC28CEABCD6}: DhcpNameServer=71.242.0.12 71.250.0.12
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=71.242.0.12 71.250.0.12
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=71.242.0.12 71.250.0.12
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=71.242.0.12 71.250.0.12


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



(more to come)....

BWillia
2007-04-21, 23:06
(part 2)...

2) Dr.Web Cureit results:


PCBug Doctor v1.0.0.4 Trial to Full by Great Elmo!!.EXE;C:\Documents and Settings\All Users\Documents;Tool.GameCrack;Incurable.Moved.;
winsys2f.dll;C:\Documents and Settings\All Users\Documents\Settings;Probably BACKDOOR.Trojan;Incurable.Moved.;
winsys2f.dll~;C:\Documents and Settings\All Users\Documents\Settings;Probably BACKDOOR.Trojan;Incurable.Moved.;
tvplayer_setup.exe;C:\Documents and Settings\Daddy\Desktop\Online TV Player 3.0.920 Plus Crack;Trojan.Virtumod;Deleted.;
Process.exe;C:\Documents and Settings\Daddy\Desktop\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
1.dllb;C:\Documents and Settings\Daddy\Local Settings\Temp;Trojan.DownLoader.15909;Deleted.;
5.dllb;C:\Documents and Settings\Daddy\Local Settings\Temp;Trojan.Packed.64;Deleted.;
ma1x1ddv.game;C:\Documents and Settings\Daddy\Local Settings\Temp;Dialer.Maxd;Deleted.;
v3x1.g22me\data001;C:\Documents and Settings\Daddy\Local Settings\Temp\v3x1.g22me;Probably BACKDOOR.Trojan;;
v3x1.g22me\data002;C:\Documents and Settings\Daddy\Local Settings\Temp\v3x1.g22me;Probably BACKDOOR.Trojan;;
v3x1.g22me;C:\Documents and Settings\Daddy\Local Settings\Temp;Archive contains infected objects;Moved.;
v4x6.gam5e;C:\Documents and Settings\Daddy\Local Settings\Temp;Trojan.DownLoader.13046;Deleted.;
v5x2.g3ame;C:\Documents and Settings\Daddy\Local Settings\Temp;Trojan.DownLoader.20822;Deleted.;
v5x4.ga2me;C:\Documents and Settings\Daddy\Local Settings\Temp;Trojan.DownLoader.14813;Deleted.;
v6xt4.game;C:\Documents and Settings\Daddy\Local Settings\Temp;Trojan.Packed.38;Deleted.;
vx1t1.game;C:\Documents and Settings\Daddy\Local Settings\Temp;Trojan.Packed.68;Deleted.;
adv_4[1].exe;C:\Documents and Settings\Daddy\Local Settings\Temporary Internet Files\Content.IE5\NKCPG82O;Trojan.Packed.94;Deleted.;
hh[1].htm;C:\Documents and Settings\Daddy\Local Settings\Temporary Internet Files\Content.IE5\NKCPG82O;VBS.Psyme.239;Deleted.;
Process.exe;C:\RECYCLER\S-1-5-21-2000478354-1708537768-1060284298-1004\Dc7;Tool.Prockill;Incurable.Moved.;
A0176312.dll;C:\System Volume Information\_restore{B1BB2BF4-6A2B-4968-9528-9576A73B9521}\RP480;Trojan.Virtumod;Deleted.;
A0180966.dll;C:\System Volume Information\_restore{B1BB2BF4-6A2B-4968-9528-9576A73B9521}\RP484;Trojan.Virtumod;Deleted.;
A0182010.dll;C:\System Volume Information\_restore{B1BB2BF4-6A2B-4968-9528-9576A73B9521}\RP485;Trojan.Virtumod;Deleted.;
A0184061.exe;C:\System Volume Information\_restore{B1BB2BF4-6A2B-4968-9528-9576A73B9521}\RP485;Tool.Prockill;Incurable.Moved.;
A0184093.exe;C:\System Volume Information\_restore{B1BB2BF4-6A2B-4968-9528-9576A73B9521}\RP485;Tool.ShutDown.11;Incurable.Moved.;
A0184257.exe;C:\System Volume Information\_restore{B1BB2BF4-6A2B-4968-9528-9576A73B9521}\RP487;Tool.Prockill;Incurable.Moved.;
A0186768.exe;C:\System Volume Information\_restore{B1BB2BF4-6A2B-4968-9528-9576A73B9521}\RP488;Trojan.Virtumod;Deleted.;
A0186769.exe;C:\System Volume Information\_restore{B1BB2BF4-6A2B-4968-9528-9576A73B9521}\RP488;Tool.ShutDown.11;Incurable.Moved.;
wvurr.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
dlh9jkd1q5.exe;C:\WINDOWS\system32;Trojan.Packed.64;Deleted.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;Incurable.Moved.;
vexga4me1.exe\data001;C:\WINDOWS\system32\vexga4me1.exe;Probably BACKDOOR.Trojan;;
vexga4me1.exe\data002;C:\WINDOWS\system32\vexga4me1.exe;Probably BACKDOOR.Trojan;;
vexga4me1.exe;C:\WINDOWS\system32;Archive contains infected objects;Moved.;
~.exe;C:\WINDOWS\system32;Trojan.Packed.94;Deleted.;
backup-20070419-210907-411.dll;G:\Program Files\HijackThis\backups;Trojan.Virtumod;Deleted.;
A0186787.dll;G:\System Volume Information\_restore{B1BB2BF4-6A2B-4968-9528-9576A73B9521}\RP488;Trojan.Virtumod;Deleted.;
tvplayer_setup.exe;I:\Online TV Player 3.0.920 Plus Crack;Trojan.Virtumod;Deleted.;
A0186788.exe;I:\System Volume Information\_restore{B1BB2BF4-6A2B-4968-9528-9576A73B9521}\RP488;Trojan.Virtumod;Deleted.;

(part 3 below)...

BWillia
2007-04-21, 23:13
(part 3)...

3) Interestingly enough, here's the log file PANDA Antivirus for today's activity:

Panda Antivirus + Firewall 2007 incident report

EVENT DATE RESULTS ADDITIONAL INFORMATION
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Virus detected: Trj/Shutdown.Z 04/22/07 15:51:44 Disinfected Location: c:\documents and settings\daddy\doctorweb\quarantine\a0186769.exe
Virus detected: Trj/Shutdown.Z 04/22/07 15:51:44 Disinfected Location: c:\documents and settings\daddy\doctorweb\quarantine\a0184093.exe
Virus detected: Trj/Spamer.BB 04/22/07 15:14:00 Disinfected Location: c:\windows\system32\vexga8me6.exe
Virus detected: W32/Sdbot.JYK.worm 04/22/07 15:14:00 Disinfected Location: c:\windows\system32\vexga4m1et4.exe
Virus detected: Trj/Clicker.AAS 04/22/07 15:13:59 Disinfected Location: c:\windows\system32\vexga3me2.exe
Virus detected: Trj/Alanchum.UR 04/22/07 15:13:59 Disinfected Location: c:\windows\system32\vexga1me4t1.exe
Virus detected: Trj/Clicker.SU 04/22/07 15:13:59 Disinfected Location: c:\windows\system32\vexg6ame4.exe
Virus detected: Trj/Disablekey.BF 04/22/07 15:13:04 Disinfected Location: c:\windows\system32\max1d164v.exe
Adware detected: Adware/Adsmart 04/22/07 15:12:36 Eliminated Location: c:\windows\system32\dlh9jkd1q1.exe
Adware detected: adware/spymarshal 04/22/07 14:52:04 Eliminated Location: c:\windows\xpupdate.exe
Tracking program detected: Application/BraveSentry 04/22/07 14:46:32 Eliminated Location: c:\program files\bravesentry\bravesentry2.dll
Tracking program detected: Application/BraveSentry 04/22/07 14:46:25 Eliminated Location: c:\program files\bravesentry\bravesentry.exe
Tracking program detected: Application/MalwareAlarm 04/22/07 14:46:11 Eliminated Location: c:\program files\bravesentry\bravesentry0.dll
Tracking program detected: Application/MalwareAlarm 04/22/07 14:46:00 Eliminated Location: c:\program files\bravesentry\bravesentry1.dll
Tracking program detected: Application/BraveSentry 04/22/07 14:45:16 Eliminated Location: c:\program files\bravesentry\bravesentry3.dll
Adware detected: Adware/BraveSentry 04/22/07 14:45:16 Eliminated Location: c:\program files\bravesentry\uninstall.exe
Virus detected: Trj/Shutdown.Z 04/22/07 14:43:03 Disinfected Location: c:\documents and settings\daddy\desktop\smitfraudfix\restart.exe
Virus detected: Trj/Shutdown.Z 04/22/07 14:24:13 Disinfected Location: c:\documents and settings\daddy\desktop\smitfraudfix\restart.exe
Spyware detected: Cookie/Server.iad.Liveperson 04/22/07 14:08:02 Eliminated Location: c:\documents and settings\daddy\cookies\daddy@server.iad.liveperson[1].txt
Spyware detected: Cookie/Bluestreak 04/22/07 14:07:49 Eliminated Location: c:\documents and settings\daddy\cookies\daddy@bluestreak[1].txt
Update 04/22/07 14:01:14 Incorrect Error: Error in the download process
Update 04/22/07 14:01:08 Incorrect Error: Error in the download process
Adware detected: adware/adsmart 04/22/07 13:58:48 Eliminated Location: c:\windows\system32\kernels32.exe
Spyware detected: Cookie/Statcounter 04/22/07 08:51:28 Eliminated Location: c:\documents and settings\daddy\cookies\daddy@statcounter[1].txt
Spyware detected: Cookie/Statcounter 04/22/07 08:51:23 Eliminated Location: c:\documents and settings\daddy\cookies\daddy@statcounter[1].txt
Spyware detected: Cookie/Statcounter 04/22/07 08:51:23 Eliminated Location: c:\documents and settings\daddy\cookies\daddy@statcounter[2].txt
Spyware detected: Cookie/Statcounter 04/22/07 08:51:13 Eliminated Location: c:\documents and settings\daddy\cookies\daddy@statcounter[1].txt
Update 04/22/07 08:28:56 OK New threat signatures: 333
Spyware detected: Cookie/Atlas DMT 04/22/07 00:22:03 Eliminated Location: c:\documents and settings\daddy\cookies\daddy@atdmt[1].txt
Spyware detected: Cookie/FastClick 04/22/07 00:22:03 Eliminated Location: c:\documents and settings\daddy\cookies\daddy@fastclick[1].txt
Spyware detected: Cookie/FastClick 04/22/07 00:22:02 Eliminated Location: c:\documents and settings\daddy\cookies\daddy@fastclick[2].txt
Spyware detected: Cookie/YieldManager 04/22/07 00:22:01 Eliminated Location: c:\documents and settings\daddy\cookies\daddy@ad.yieldmanager[2].txt
Spyware detected: Cookie/YieldManager 04/22/07 00:22:01 Eliminated Location: c:\documents and settings\daddy\cookies\daddy@ad.yieldmanager[1].txt
Spyware detected: Cookie/FastClick 04/22/07 00:21:59 Eliminated Location: c:\documents and settings\daddy\cookies\daddy@fastclick[2].txt
Spyware detected: Cookie/Atlas DMT 04/22/07 00:21:59 Eliminated Location: c:\documents and settings\daddy\cookies\daddy@atdmt[1].txt
Spyware detected: Cookie/FastClick 04/22/07 00:21:59 Eliminated Location: c:\documents and settings\daddy\cookies\daddy@fastclick[1].txt
Spyware detected: Cookie/Statcounter 04/22/07 00:21:57 Eliminated Location: c:\documents and settings\daddy\cookies\daddy@statcounter[1].txt
Spyware detected: Cookie/RealMedia 04/22/07 00:20:11 Eliminated Location: c:\documents and settings\daddy\cookies\daddy@realmedia[1].txt
Spyware detected: Cookie/Advertising 04/22/07 00:17:32 Eliminated Location: c:\documents and settings\daddy\cookies\daddy@advertising[1].txt
Spyware detected: Cookie/Tribalfusion 04/22/07 00:13:16 Eliminated Location: c:\documents and settings\daddy\cookies\daddy@tribalfusion[1].txt
Spyware detected: Cookie/Advertising 04/22/07 00:10:43 Eliminated Location: c:\documents and settings\daddy\cookies\daddy@advertising[1].txt
Spyware detected: Cookie/FastClick 04/22/07 00:06:47 Eliminated Location: c:\documents and settings\daddy\cookies\daddy@fastclick[1].txt
Spyware detected: Cookie/Traffic Marketplace 04/22/07 00:04:35 Eliminated Location: c:\documents and settings\daddy\cookies\daddy@trafficmp[1].txt
Spyware detected: Cookie/Traffic Marketplace 04/22/07 00:04:35 Eliminated Location: c:\documents and settings\daddy\cookies\daddy@trafficmp[2].txt
Spyware detected: Cookie/Traffic Marketplace 04/22/07 00:04:35 Eliminated Location: c:\documents and settings\daddy\cookies\daddy@trafficmp[3].txt



It seemed to find a lot of issues that it hadn't before. Hope this may help. Notice that it found Trojan.virtumod in the Online TV folder which is
what I believe started all of this.


Also, I only have 1 account user on the computer (with administration privileges).

Was disappointed to see the pop-up windows still come us as I tried to post this last message. I'll do what it takes to try and get this clean.
Hoping not to have to go the route of reformatting, but if that's what it's going to take, then so be it.

Thanks yet again for your help.

pskelley
2007-04-21, 23:58
Who uses the computer besides you? These latest scans have indicated reasons for the problems you are having.
PCBug Doctor v1.0.0.4 Trial to Full by Great Elmo!!.EXE;C:\Documents and Settings\All Users\Documents;Tool.GameCrack;Incurable.Moved.;

C:\Documents and Settings\Daddy\Desktop\Online TV Player 3.0.920 Plus Crack;Trojan.Virtumod;Deleted.;

Let's clean the System Restore files, follow these instruction, make sure you turn SR off, reboot then turn SR back on.
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

No Smitfraud infection, you can delete that tool, in fact delete all tools we downloaded for the fix so far except Dr. Web.

Since these are redirects, let look for hidden Wareout infection:
Thanks to LonnyBJones and anyone else who helped with this fix.

1) Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log in the forum please.

2) Now let's do a good cleaning like this:
* Clean your Cache and Cookies in IE: Close all instances of Outlook Express and Internet Explorer
Go to Control Panel > Internet Options > General tab
Click the "Delete Cookies" button
Next to it, Click the "Delete Files" button
When prompted, place a check in: "Delete all offline content", click OK* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed): Go to Tools > Options.
Click Privacy in the menu on the left side of the Options window.
Click the Clear button located to the right of each option (History, Cookies, Cache).
Click OK to close the Options window
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.* Clean other Temporary files + Recycle bin Go to start > run and type: cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

Make sure you clean out the Prefetch folder:
http://www.tunexp.com/tips/maintain_your_computer/clean_your_prefetch_to_improve_performance/
NOTE** your computer may run a little slower for a boot or two until Windows repopulates Prefetch with needed files.

3) Now run Dr. Web again and post the results of the scan along with the report from Fixwareout and a new HJT log.

Thanks

BWillia
2007-04-22, 05:34
The PCBug Doctor was an uninstall. I missed this the other time around and tried to uninstall it. It's gone now. The Online TV Player program was the torrent I went and regrabbed in case you wanted to look at it (since this was the cause of the issue). Since you didn't, it's also now deleted.

I turned off System Restore and turned it back on. Here's the FixWareout log:


Fixwareout Last edited 4/5/2007
Post this report in the forums please
...
»»»»»Prerun check

»»»»» System restarted

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
»»»»» Misc files.
C:\Documents and Settings\Daddy\Application Data\Install.dat Deleted
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other



»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMixerTray"="C:\\Program Files\\NVIDIA Corporation\\NvMixer\\NvMixerTray.exe"
"SecureClean4RegManager"="\"C:\\Program Files\\WhiteCanyon\\SecureClean 4\\scregmanager4.exe\""
"SecureClean4Tray"="\"C:\\Program Files\\WhiteCanyon\\SecureClean 4\\sctray4.exe\""
"D-Link AirPlus XtremeG"="G:\\Program Files\\D-Link\\AirPlus XtremeG\\AirPlusCFG.exe"
"ANIWZCS2Service"="C:\\Program Files\\ANI\\ANIWZCS2 Service\\WZCSLDR2.exe"
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
"RoxioEngineUtility"="\"C:\\Program Files\\Common Files\\Roxio Shared\\System\\EngUtil.exe\""
"RoxioDragToDisc"="\"G:\\Program Files\\Roxio\\Easy CD Creator 6\\DragToDisc\\DrgToDsc.exe\""
"RoxioAudioCentral"="\"G:\\Program Files\\Roxio\\Easy CD Creator 6\\AudioCentral\\RxMon.exe\""
"Windows Defender"="\"G:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"APVXDWIN"="\"G:\\Program Files\\Panda Software\\Panda Antivirus + Firewall 2007\\APVXDWIN.EXE\" /s"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CursorXP"="G:\\Program Files\\CursorXP\\CursorXP.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»



A run of Dr. Web again came up completely empty. No baddies found. Since there were no baddies, I couldn't generate a report.

I cleaned out all my cookies, cache and prefetch folder. Here's the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:17:09 PM, on 4/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
G:\Program Files\Windows Defender\MsMpEng.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv51.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe
C:\WINDOWS\system32\svchost.exe
g:\program files\panda software\panda antivirus + firewall 2007\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
G:\Program Files\Diskeeper\DkService.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
G:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WhiteCanyon\SecureClean 4\scregmanager4.exe
C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe
G:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
G:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
G:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
G:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
G:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\psimreal.exe
G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\avciman.exe
G:\Program Files\HijackThis\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Brett's Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [SecureClean4RegManager] "C:\Program Files\WhiteCanyon\SecureClean 4\scregmanager4.exe"
O4 - HKLM\..\Run: [SecureClean4Tray] "C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe"
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] G:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "G:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "G:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Windows Defender] "G:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [APVXDWIN] "G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [CursorXP] G:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121385835968
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - G:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - G:\Program Files\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv51.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - g:\program files\panda software\panda antivirus + firewall 2007\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - G:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: SCWatch 4.0 - WhiteCanyon Inc. - C:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


As always, thanks for the help.

BWillia
2007-04-22, 07:22
Still getting the pop-ups. Not sure if this will help you or not, but I noticed that there are 3 folders sitting in my c:\Program Files directory that are bogus. They are:

C:\Program Files\xerox
C:\Program Files\msn gaming zone
C:\Program Files\microsoft frontpage

I couldn't delete them so I booted into safe mode and was successfully able to delete them. However, on reboot they reappeared again.

pskelley
2007-04-22, 12:41
OK Brett, let discuss this a bit, first you need to understand that the crack (illegal) is not all that is downloaded, often these sites send junk along with it that is hard if not near impossible to find. I am also seeing anyone of a dozen program in your uninstall list that may well have come with adware to create popups. I do not have the time to have every users remove the junk one by one to see if we can find the hidden item causing the problem. You might consider when this all started and start looking at the installation dates of programs to see if you can spot something installed around the time the popups started.
I see this in the log: http://www.excite.com/ and I thought we removed it? It could well be creating popups. Please look under options in your Google toolbar and make sure the popup blocker is activated.

C:\Program Files\xerox
C:\Program Files\msn gaming zone
C:\Program Files\microsoft frontpage
I would look hard at those, even though they look legit, hackers call their junk whatever they want. Open them and look at the files, scan the files with these tools:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html
They do not look like Windows files, look at properties of the files. There should be no reason you can't delete them, you did say there is only one user account, is it also the administrative account? You may need administrative rights to remove them?

Keep in mind that the Guard function in AVG Anti-Spyware might also block changes. If need be uninstall the program and try it then, make sure Windows Defender is disabled also.

I see no problems in the HJT log. I see Fixwareout did remove on .dat file. It also reset your hosts file so there is no reason to look there.
Let's has another look for a hidden rootkit, this is a new tool so we will be using it for the first time together, just follow the instructions:

Please read this information before you proceed,
if programs are running the results will be effected as described.
http://www.sophos.com/readmes/readsar.txt

Please download Sophos Anti-Rootkit,and save it on your desktop.
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html
1. Double-click sarsfx.exe to extract the files and leave the default settings.
2. Open the folder C:\SOPHTEMP and double-click sargui.exe to start the program.
3. Make sure the following are checked:
- Running processes
- Windows Registry
- Local Hard Drives
4. Click the "Start Scan" button.
5. Click the "OK" button after you get the notification that the scan has finished and close the program.
6. Click on Start>Run and type, or copy and paste:-
%temp%\sarscan.log
then press Enter.
7. This should open the log from the rootkit scan.
Post the log into your next reply.
Note: If the scan is performed while the computer is in use, false positives may appear in the scan results.
This is caused by files or registry entries being deleted,including temporary files being deleted automatically.

Let's also look at the results from this scanner:

Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the combofix log and the results from the rootkit scan and any comments you think will help.

Thanks

BWillia
2007-04-22, 18:17
Good morning,
Here's the latest based on your last reply:

1) The http://www.excite.com is the home page setting. We removed the http://www.excite.com from the "Trusted Zones" of IE.

2) The reason I'm suspicious about those directories I mentioned earlier is that they supposedly contain no files in them (right clicking on properties shows 0 files), yet they continually can't be deleted. Also, I'm suspicious of their naming convention because of their lack of capitalization. Unfortunately, I couldn't run the online virus scan for individual files because there supposedly aren't any in those folders and the online sites wouldn't allow me to upload folders.

3) I disabled the real-time guards for Windows Defender and AVG. Here's the results of Sophos:

Sophos Anti-Rootkit Version 1.2 (data 1.01) (c) 2006 Sophos Plc
Started logging on 4/23/2007 at 10:41:04 AM
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\DeterministicNetworks\DNE\Parameters\SymbolicLinkValue
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\a347scsi\Config\jdgg40
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\MenuExt
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\MediaPlayer\Preferences\LastPlaylist
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012004072220040723
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\ComputerName
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Netscape\Netscape Navigator\Automation Protocols
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Netscape\Netscape Navigator\Suffixes\video/x-ivf
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Netscape\Netscape Navigator\User Trusted External Applications\G:\PROGRA~1\DAP\DAP.EXE
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Netscape\Netscape Navigator\Viewers\video/x-ivf
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Pinnacle Systems\Studio 9\Preferences\SmartSound Folder
Stopped logging on 4/23/2007 at 10:44:49 AM

Not sure what that DAP.EXE file is. I couldn't locate the directory...but I think DAP might've been a download accelerator freeware program that no longer resides on my comp.

4) Here's the results of combofix:

"Daddy" - 07-04-23 10:52:25 Service Pack 2
ComboFix 07-04-21.2V - Running from: C:\Documents and Settings\Daddy\Desktop\


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\dlh9jkd1q2.exe
C:\WINDOWS\system32\dlh9jkd1q6.exe
C:\WINDOWS\system32\dlh9jkd1q7.exe
C:\WINDOWS\system32\dlh9jkd1q8.exe
C:\WINDOWS\system32\vexg4am1et2.exe
C:\WINDOWS\system32\vexga5me3.exe
C:\WINDOWS\system32\bund1\temp.txt
C:\Documents and Settings\All Users.\documents\settings
C:\WINDOWS\system32\bund1


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\nm
-------\LEGACY_NM
-------\LEGACY_NPF


((((((((((((((((((((((((((((((( Files Created from 2007-03-23 to 2007-04-23 ))))))))))))))))))))))))))))))))))


2007-04-23 10:40 <DIR> d-------- C:\SOPHTEMP
2007-04-23 00:11 <DIR> d-------- C:\Program Files\msn gaming zone
2007-04-23 00:11 <DIR> d-------- C:\Program Files\microsoft frontpage
2007-04-22 14:36 <DIR> d-------- C:\DOCUME~1\Daddy\DoctorWeb
2007-04-22 14:27 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-04-22 14:27 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-04-21 21:10 106 --a------ C:\delete.bat
2007-04-19 22:08 3,156 --a------ C:\WINDOWS\system32\tmp.reg
2007-04-19 21:04 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Media Player Classic
2007-04-19 21:04 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\DivX
2007-04-18 20:34 97,280 --a------ C:\VundoFix.exe
2007-04-18 19:16 71,552 --a------ C:\WINDOWS\system32\drivers\pavdrv51.sys
2007-04-18 19:01 9,216 --a------ C:\WINDOWS\system32\drivers\fnetmon.sys
2007-04-18 19:01 44,544 --a------ C:\WINDOWS\system32\drivers\APPFLT.SYS
2007-04-18 19:01 36,864 --a------ C:\WINDOWS\system32\drivers\dsaflt.sys
2007-04-18 19:01 23,296 --a------ C:\WINDOWS\system32\drivers\smsflt.sys
2007-04-18 19:01 185,472 --a------ C:\WINDOWS\system32\drivers\idsflt.sys
2007-04-18 19:01 181,696 --a------ C:\WINDOWS\system32\drivers\APPFCONT.DAT
2007-04-18 19:01 16,256 --a------ C:\WINDOWS\system32\drivers\wnmflt.sys
2007-04-18 19:01 141,312 --a------ C:\WINDOWS\system32\drivers\netflt.sys
2007-04-18 19:01 103,936 --a------ C:\WINDOWS\system32\drivers\netfltdi.sys
2007-04-18 19:01 <DIR> d-------- C:\WINDOWS\system32\PAV
2007-04-18 19:00 57,344 --a------ C:\WINDOWS\system32\pavipc.dll
2007-04-18 19:00 45,056 --a------ C:\WINDOWS\system32\avldr.dll
2007-04-18 19:00 245,760 --a------ C:\WINDOWS\system32\PavSHook.dll
2007-04-18 19:00 16,640 --a------ C:\WINDOWS\system32\drivers\cpoint.sys
2007-04-18 19:00 139,264 --a------ C:\WINDOWS\system32\TpUtil.dll
2007-04-18 19:00 101,888 --a------ C:\WINDOWS\system32\SYSTOOLS.DLL
2007-04-18 18:52 26,752 --a------ C:\WINDOWS\system32\drivers\ShldDrv.sys
2007-04-18 18:52 165,120 --a------ C:\WINDOWS\system32\drivers\PavProc.sys
2007-04-17 21:07 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2007-04-17 00:17 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-16 23:59 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-04-16 08:33 72,320 --a------ C:\WINDOWS\system32\drivers\core.sys
2007-04-16 08:32 <DIR> d-------- C:\WINDOWS\system32\micro1


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-21 21:41 -------- d-------- C:\DOCUME~1\Daddy\APPLIC~1\utorrent
2007-04-20 20:21 8786 --a------ C:\WINDOWS\mozver.dat
2007-04-18 19:00 -------- d--h----- C:\Program Files\installshield installation information
2007-03-17 09:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-08 11:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 11:36 40960 --------- C:\WINDOWS\system32\mf3216.dll
2007-03-08 11:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 09:47 1843584 --------- C:\WINDOWS\system32\win32k.sys
2007-02-05 16:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvMixerTray"="C:\\Program Files\\NVIDIA Corporation\\NvMixer\\NvMixerTray.exe"
"SecureClean4RegManager"="\"C:\\Program Files\\WhiteCanyon\\SecureClean 4\\scregmanager4.exe\""
"SecureClean4Tray"="\"C:\\Program Files\\WhiteCanyon\\SecureClean 4\\sctray4.exe\""
"D-Link AirPlus XtremeG"="G:\\Program Files\\D-Link\\AirPlus XtremeG\\AirPlusCFG.exe"
"ANIWZCS2Service"="C:\\Program Files\\ANI\\ANIWZCS2 Service\\WZCSLDR2.exe"
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
"RoxioEngineUtility"="\"C:\\Program Files\\Common Files\\Roxio Shared\\System\\EngUtil.exe\""
"RoxioDragToDisc"="\"G:\\Program Files\\Roxio\\Easy CD Creator 6\\DragToDisc\\DrgToDsc.exe\""
"RoxioAudioCentral"="\"G:\\Program Files\\Roxio\\Easy CD Creator 6\\AudioCentral\\RxMon.exe\""
"Windows Defender"="\"G:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"APVXDWIN"="\"G:\\Program Files\\Panda Software\\Panda Antivirus + Firewall 2007\\APVXDWIN.EXE\" /s"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CursorXP"="G:\\Program Files\\CursorXP\\CursorXP.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E1DADA05-3E74-43B0-B3CE-FC347DB7C76B}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="gcasServ"
"hkey"="HKLM"
"command"="\"G:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"G:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SP2 Connection Patcher]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SP2ConnPatcher"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyCatcher Reminder]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpyCatcher"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bc535920-fc72-11d9-a5ab-000d8858167a}]
Shell\AutoRun\command setupSNK.exe
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_MEMSWEEP2


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-23 10:53:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-04-23 10:54:01
C:\ComboFix-quarantined-files.txt ... 07-04-23 10:54


5) Just a couple notes regarding the behavior of the pop-ups:

a) I don't get any pop-ups when I first boot the PC. They don't start until I try to open a browser window. So if I go into a game (i.e. Guild Wars) after booting, I don't seem to get any pop-ups.

b) When I surf the web in "Safe Mode with Networking", I don't get any pop-ups.

c) Another experience that may help...I entered the phrase "Panda Scan" in the search box toolbar (points to google) of IE. A pop-up occurred with the phrase "a Scan" entered into the pop-up site (wish I could remember what site it was, but I didn't write it down). Looks like it missed the "Pand" part of the phrase I entered in the search box and only got the last couple of characters (processor was probably busy at time). Not sure if this behavior helps explain anything, but thought I'd mention it.

Thanks,
Brett

pskelley
2007-04-22, 18:41
To tell you the truth I have about exausted my thoughts. Since the popups don't start until you open a browser, my guess is they are coming from online. If it was something on the computer they would popup rather you are online or not.
I also get popups and the Google Toolbar stops 99% of them for me, install it and give it a try.
http://toolbar.google.com/T4/index_pack.html
When you download it, accept only the toolbar and popup blocker. They will try to get you to check a lot of junk that is eye candy and resource wasters. Once you get it in place, make sure you check under Options that the popup blocker is activated. Let me know if it helps.

I do not have the time to look over those reports from Sophos and combofix, a quick glance showed nothing, I normally avoid logs on Sunday...my day of rest.

Thanks

BWillia
2007-04-24, 20:45
No problem. I really want to express my thanks to you for helping me with this issue. You guys/gals provide a terrific service for the online community, often a thankless job. Keep up the good fight. :)

BWillia
2007-04-27, 15:02
All clean. Looks like the final missing piece to this puzzle was solved by Spy Sweeper. Here's the log:

10:06 PM: Removal process completed. Elapsed time 00:00:20
10:06 PM: A reboot was required but declined.
10:06 PM: Quarantining All Traces: zedo cookie
10:06 PM: Quarantining All Traces: burstnet cookie
10:06 PM: Quarantining All Traces: videodome cookie
10:06 PM: Quarantining All Traces: tribalfusion cookie
10:06 PM: Quarantining All Traces: trafficmp cookie
10:06 PM: Quarantining All Traces: targetnet cookie
10:06 PM: Quarantining All Traces: webtrendslive cookie
10:06 PM: Quarantining All Traces: valuead cookie
10:06 PM: Quarantining All Traces: realmedia cookie
10:06 PM: Quarantining All Traces: mediaplex cookie
10:06 PM: Quarantining All Traces: imrworldwide.com cookie
10:06 PM: Quarantining All Traces: goclick cookie
10:06 PM: Quarantining All Traces: fortunecity cookie
10:06 PM: Quarantining All Traces: findwhat cookie
10:06 PM: Quarantining All Traces: excite cookie
10:06 PM: Quarantining All Traces: exitexchange cookie
10:06 PM: Quarantining All Traces: 2o7.net cookie
10:06 PM: Quarantining All Traces: atlas dmt cookie
10:06 PM: Quarantining All Traces: tacoda cookie
10:06 PM: Quarantining All Traces: yieldmanager cookie
10:06 PM: Quarantining All Traces: websponsors cookie
10:06 PM: Quarantining All Traces: drsnsrch.com hijack
10:06 PM: HKLM: system\controlset001\services\core\ is in use. It will be removed on reboot.
10:06 PM: C:\WINDOWS\system32\drivers\core.sys is in use. It will be removed on reboot.
10:06 PM: core adware is in use. It will be removed on reboot.
10:06 PM: Quarantining All Traces: core adware
10:06 PM: Quarantining All Traces: trojan-dropper-micro1
10:06 PM: Quarantining All Traces: virtumonde
10:06 PM: Removal process initiated
9:57 PM: Traces Found: 39
9:57 PM: Custom Sweep has completed. Elapsed time 00:43:38
9:57 PM: File Sweep Complete, Elapsed Time: 00:41:17
9:45 PM: Warning: TCompressedFile.GetStreams(1): Stream read error
9:37 PM: Warning: TCompressedFile.GetStreams(1): Stream read error
9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
9:33 PM: ApplicationMinimized - EXIT
9:33 PM: ApplicationMinimized - ENTER
9:26 PM: Warning: SweepDirectories: Cannot find directory "e:". This directory was not added to the list of paths to be scanned.
9:24 PM: Warning: Failed to open file "c:\documents and settings\daddy\application data\mozilla\firefox\profiles\default.3sr\parent.lock". The operation completed successfully
9:23 PM: C:\WINDOWS\system32\drivers\core.sys (ID = 513403)
9:16 PM: C:\WINDOWS\system32\micro1 (ID = 2147550659)
9:16 PM: Found Trojan Horse: trojan-dropper-micro1
9:16 PM: Starting File Sweep
9:16 PM: Warning: SweepDirectories: Cannot find directory "a:". This directory was not added to the list of paths to be scanned.
9:16 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
9:16 PM: c:\documents and settings\daddy\cookies\daddy@zedo[1].txt (ID = 3762)
9:16 PM: Found Spy Cookie: zedo cookie
9:16 PM: c:\documents and settings\daddy\cookies\daddy@www.burstnet[1].txt (ID = 2337)
9:16 PM: Found Spy Cookie: burstnet cookie
9:16 PM: c:\documents and settings\daddy\cookies\daddy@videodome[2].txt (ID = 3638)
9:16 PM: c:\documents and settings\daddy\cookies\daddy@videodome[1].txt (ID = 3638)
9:16 PM: Found Spy Cookie: videodome cookie
9:16 PM: c:\documents and settings\daddy\cookies\daddy@tribalfusion[3].txt (ID = 3589)
9:16 PM: c:\documents and settings\daddy\cookies\daddy@tribalfusion[1].txt (ID = 3589)
9:16 PM: Found Spy Cookie: tribalfusion cookie
9:16 PM: c:\documents and settings\daddy\cookies\daddy@trafficmp[3].txt (ID = 3581)
9:16 PM: c:\documents and settings\daddy\cookies\daddy@trafficmp[1].txt (ID = 3581)
9:16 PM: Found Spy Cookie: trafficmp cookie
9:16 PM: c:\documents and settings\daddy\cookies\daddy@targetnet[1].txt (ID = 3489)
9:16 PM: Found Spy Cookie: targetnet cookie
9:16 PM: c:\documents and settings\daddy\cookies\daddy@tacoda[3].txt (ID = 6444)
9:16 PM: c:\documents and settings\daddy\cookies\daddy@tacoda[2].txt (ID = 6444)
9:16 PM: c:\documents and settings\daddy\cookies\daddy@statse.webtrendslive[2].txt (ID = 3667)
9:16 PM: Found Spy Cookie: webtrendslive cookie
9:16 PM: c:\documents and settings\daddy\cookies\daddy@reduxads.valuead[2].txt (ID = 3627)
9:16 PM: Found Spy Cookie: valuead cookie
9:16 PM: c:\documents and settings\daddy\cookies\daddy@realmedia[1].txt (ID = 3235)
9:16 PM: Found Spy Cookie: realmedia cookie
9:16 PM: c:\documents and settings\daddy\cookies\daddy@mediaplex[1].txt (ID = 6442)
9:16 PM: Found Spy Cookie: mediaplex cookie
9:16 PM: c:\documents and settings\daddy\cookies\daddy@imrworldwide[2].txt (ID = 2845)
9:16 PM: Found Spy Cookie: imrworldwide.com cookie
9:16 PM: c:\documents and settings\daddy\cookies\daddy@goclick[2].txt (ID = 2732)
9:16 PM: Found Spy Cookie: goclick cookie
9:16 PM: c:\documents and settings\daddy\cookies\daddy@fortunecity[1].txt (ID = 2686)
9:16 PM: Found Spy Cookie: fortunecity cookie
9:16 PM: c:\documents and settings\daddy\cookies\daddy@findwhat[1].txt (ID = 2674)
9:16 PM: Found Spy Cookie: findwhat cookie
9:16 PM: c:\documents and settings\daddy\cookies\daddy@exitexchange[3].txt (ID = 2633)
9:16 PM: c:\documents and settings\daddy\cookies\daddy@exitexchange[2].txt (ID = 2633)
9:16 PM: c:\documents and settings\daddy\cookies\daddy@excite[2].txt (ID = 2631)
9:16 PM: c:\documents and settings\daddy\cookies\daddy@excite[1].txt (ID = 2631)
9:16 PM: Found Spy Cookie: excite cookie
9:16 PM: c:\documents and settings\daddy\cookies\daddy@count4.exitexchange[1].txt (ID = 2634)
9:16 PM: c:\documents and settings\daddy\cookies\daddy@count1.exitexchange[1].txt (ID = 2634)
9:16 PM: Found Spy Cookie: exitexchange cookie
9:16 PM: c:\documents and settings\daddy\cookies\daddy@cartoonnetwork.122.2o7[1].txt (ID = 1958)
9:16 PM: Found Spy Cookie: 2o7.net cookie
9:16 PM: c:\documents and settings\daddy\cookies\daddy@atdmt[3].txt (ID = 2253)
9:16 PM: c:\documents and settings\daddy\cookies\daddy@atdmt[2].txt (ID = 2253)
9:16 PM: Found Spy Cookie: atlas dmt cookie
9:16 PM: c:\documents and settings\daddy\cookies\daddy@anad.tacoda[1].txt (ID = 6445)
9:16 PM: Found Spy Cookie: tacoda cookie
9:16 PM: c:\documents and settings\daddy\cookies\daddy@ad.yieldmanager[2].txt (ID = 3751)
9:16 PM: Found Spy Cookie: yieldmanager cookie
9:16 PM: c:\documents and settings\daddy\cookies\daddy@a.websponsors[1].txt (ID = 3665)
9:16 PM: Found Spy Cookie: websponsors cookie
9:16 PM: Starting Cookie Sweep
9:16 PM: Registry Sweep Complete, Elapsed Time:00:00:16
9:16 PM: HKU\S-1-5-21-2000478354-1708537768-1060284298-1004\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
9:16 PM: Found Adware: drsnsrch.com hijack
9:16 PM: HKLM\system\controlset002\services\core\ (ID = 2118420)
9:16 PM: HKLM\system\controlset002\enum\root\legacy_core\ (ID = 2118399)
9:16 PM: HKLM\system\controlset001\services\core\ (ID = 2118343)
9:16 PM: HKLM\system\controlset001\enum\root\legacy_core\ (ID = 2118323)
9:16 PM: Found Adware: core adware
9:16 PM: HKLM\software\microsoft\uniqdata\ (ID = 1997747)
9:16 PM: Found Adware: virtumonde
9:15 PM: Starting Registry Sweep
9:15 PM: Memory Sweep Complete, Elapsed Time: 00:01:58
9:13 PM: Starting Memory Sweep
9:13 PM: Start Custom Sweep
9:13 PM: Sweep initiated using definitions version 902
9:11 PM: The Internet Communication shield has blocked access to: WWW.THESERIALS.COM
9:11 PM: The Internet Communication shield has blocked access to: WWW.THESERIALS.COM
Keylogger: Off
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites: Off
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: Off
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
9:08 PM: Shield States
9:08 PM: Spyware Definitions: 902
9:06 PM: Spy Sweeper 5.3.2.2361 started
9:06 PM: Spy Sweeper 5.3.2.2361 started
9:06 PM: | Start of Session, Thursday, April 26, 2007 |
***************

tashi
2007-05-04, 20:06
Thank you for letting us know, as the problem appears to be resolved this topic has been archived.

If you need it re-opened, please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.