#1
Hi all
My computer has suddenly slowed down, and pages keep flashing up telling me my system could be infected and to subscribe to various anti-virus sites such as PC Cleaner, Ultimate Defender, Spyware Scan, System Alert etc. Every time I open a new screen, 4 or 5 of these same ones will pop up. I am running McAfee, Ad-Aware antivirus, and CCleaner; none of the above will remove this. Any advice greatly appreciated, as this is driving me nuts. Thanks in advance.
#2
Hi Shaune. Let's see what we can do to get you cleaned up.

First: If you don't have Spybot Search & Destroy please download it here.

* Click the Spybot.exe icon to start the installation.
* Follow the prompts using the default settings and just click your way through the installer by using the Next button.
* After the installation has finished, you will see a Spybot - Search & Destroy button on your desktop and in your start menu. Click on it to start Spybot-S&D the first time.
* The first time you start Spybot-S&D, it will display a Wizard.
  + It is very important to keep up-to-date. Be sure to check for updates now and use the Immunize feature.
  + I suggest using the Resident SDHelper.
  + I don't activate the TeaTimer, which does provide realtime protection but has been problematic.
* After the tutorial has finished, you will find yourself on the Settings or Update page.
  + The left side of the program has a navigation bar that can lead you to all functions of the program.
* Click the one labeled Spybot-S&D and this leads you to the main page.
* The first button in this toolbar is named Check for problems. That is the button you press to start the scanning. Lean back and watch the scan progress.
  + Once the scan is complete you can distinguish between the red entries, which represent spyware and similar threats, and the green entries, which are usage tracks.
  + All problems displayed in red are regarded as real threats and should be dealt with. For the green entries removal is non-critical, but depends on your personal preferences.
* Now it's time to use the Fix selected problems button. This will remove all threats found.
* Once the cleaning is done exit Spybot.

Note: Some forms of malware cannot be removed by Spybot on the first attempt. If this is the case Spybot will ask to remove the entries upon restarting the computer. After restarting the computer run Spybot again. If the problem is still there we will deal with that with special removal tools.

Disable Spybot's TeaTimer so it doesn't interfere with the HijackThis fixes:

1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

You can re-enable TeaTimer again once the system is clean.

=====================

Next: Download HijackThis here.

Save HJTsetup.exe to your desktop. Double click on the HJTsetup.exe icon on your desktop. By default it will install to C:\Program Files\HijackThis. Some new versions save to C:\Program Files\Trend Micro\HijackThis.

Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue. Put a check by Create a desktop icon, then click Next again. Continue to follow the rest of the prompts from there. At the final dialogue box click Finish and it will launch HijackThis.

DO NOT PUT HijackThis.exe ON THE DESKTOP OR IN A TEMP FOLDER. This is important because it will create backups and they are easily lost if not installed correctly.

*Important* Rename the HijackThis.exe file to Analyze.exe. This is important because some new forms of malware can hide from HijackThis.exe. Right click the HijackThis.exe file in C:\Program Files\HijackThis and choose rename. Type in Analyze.exe and press the enter key. Right click the Analyze.exe file and send to desktop to create a shortcut.

Next click on the "Do a system scan and save a log file" button. It will scan and then a log will open in Notepad. Right click the Notepad window and click "select all". Right click again and select "copy". Paste the log in your next reply.

DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

====================

If Spybot finds anything it cannot remove then please let me know. Once I get a look at the HijackThis (HJT) log we will know where to go from there.
#3
Hi again, and thanks a lot for all the help so far. I have done what you said and it found various threats, but they are still appearing. The log it spealed is listed below; if you can be of any further assistance it would be much appreciated.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:43:31, on 25/09/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\QuickTime\qttask.exe
F:\WINDOWS\Mixer.exe
F:\Program Files\Lexmark 6300 Series\lxcdmon.exe
F:\Program Files\Lexmark 6300 Series\ezprint.exe
F:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
F:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
F:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
F:\PROGRA~1\BTYAHO~1\Help\SMARTB~1\MotiveSB.exe
F:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
F:\Program Files\McAfee\MSK\MskAgent.exe
F:\Program Files\SiteAdvisor\6172\SiteAdv.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\BT Yahoo!\Help\bin\mpbtn.exe
F:\Program Files\Common Files\Teleca Shared\Generic.exe
F:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
F:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
f:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
F:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
F:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
F:\PROGRA~1\McAfee\MSC\mcpromgr.exe
f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
f:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
F:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
F:\Program Files\McAfee\MPF\MPFSrv.exe
F:\PROGRA~1\McAfee\MPS\mps.exe
f:\PROGRA~1\mcafee.com\agent\mcagent.exe
F:\Program Files\McAfee\MSK\MskSrver.exe
F:\Program Files\SiteAdvisor\6172\SAService.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\McAfee\MPS\mpsevh.exe
F:\Program Files\Yahoo!\browser\ybrowser.exe
F:\WINDOWS\System32\lxcdcoms.exe
F:\WINDOWS\System32\wuauclt.exe
F:\PROGRA~1\Yahoo!\browser\ycommon.exe
F:\Program Files\Yahoo!\browser\ybrwicon.exe
F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxcdPSWX.EXE
F:\Program Files\Trend Micro\analyze.exe\analyzeexe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - F:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - F:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - f:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: McAfee Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - f:\PROGRA~1\mcafee\mps\mcpopup.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - F:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [lxcdmon.exe] "F:\Program Files\Lexmark 6300 Series\lxcdmon.exe"
O4 - HKLM\..\Run: [EzPrint] "F:\Program Files\Lexmark 6300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "F:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [MMTray] "F:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [mmtask] "F:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "F:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] F:\PROGRA~1\BTYAHO~1\Help\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [AAWTray] F:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [MskAgentexe] F:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [SiteAdvisor] F:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [LXCDCATS] rundll32 F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCDtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [MBkLogOnHook] F:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKCU\..\Run: [Yahoo! Pager] F:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AdobeUpdater] F:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Reader\AdobeCollabSync.exe
O4 - Global Startup: BT Yahoo! Help.lnk = F:\Program Files\BT Yahoo!\Help\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - F:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - F:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O21 - SSODL: msmdev - {B71E88D1-3158-41DA-877B-AD1C15040A30} - F:\WINDOWS\msmdev.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - F:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcd_device - Unknown owner - F:\WINDOWS\System32\lxcdcoms.exe
O23 - Service: MBackMonitor - McAfee - F:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - F:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - F:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - F:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - f:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - F:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - F:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - f:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - F:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - F:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - F:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - F:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SiteAdvisor Service - Unknown owner - F:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: YPCService - Yahoo! Inc. - F:\WINDOWS\system32\YPCSER~1.EXE

-- End of file - 10590 bytes
#4
Hi.

First go into Spybot and turn off the TeaTimer so it does not block any of the fixes. You can turn it back on after we are done.

Do a HijackThis scan & place a check next to these items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
O21 - SSODL: msmdev - {B71E88D1-3158-41DA-877B-AD1C15040A30} - F:\WINDOWS\msmdev.dll

Now, close all instances of Internet Explorer and any other windows you have open except HijackThis, and click "Fix checked".

=========================

1. Download this file: combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

In your next post please add:

Combofix Log
Fresh HijackThis Log

Also let me know how things are now.
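
As an added illustration that is not part of any post in this thread, here is a small Python triage over HijackThis entries copied from the log in post #3. The function names, the `bt.yahoo.com` allowlist and both heuristics (a Start Page host not on a caller-supplied allowlist; an O21 SSODL DLL outside System32) are assumptions chosen here; they mark entries for manual review and are not HijackThis's own logic.

```python
import re
from urllib.parse import urlparse

# Section code (R0-R3, F0-F3, N1-N4, O1-O2x), then the rest of the entry.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")

# Entries copied from the log in post #3 (URLs elided exactly as on the page).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O21 - SSODL: msmdev - {B71E88D1-3158-41DA-877B-AD1C15040A30} - F:\WINDOWS\msmdev.dll
O23 - Service: lxcd_device - Unknown owner - F:\WINDOWS\System32\lxcdcoms.exe
"""


def parse_entries(log_text):
    """Yield (code, body) per section entry; header and process lines are skipped."""
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            yield match.group(1), match.group(2)


def host_trusted(host, trusted_suffixes):
    """True if host equals, or is a subdomain of, an allowlisted suffix."""
    return any(host == s or host.endswith("." + s) for s in trusted_suffixes)


def triage(log_text, trusted_suffixes):
    """Return (code, reason, body) tuples for entries worth a manual look."""
    findings = []
    for code, body in parse_entries(log_text):
        if code in ("R0", "R1") and "Start Page = " in body:
            # Assumed heuristic 1: browser start page outside the allowlist.
            host = (urlparse(body.rsplit(" = ", 1)[-1]).hostname or "").lower()
            if not host_trusted(host, trusted_suffixes):
                findings.append((code, "start page host not on allowlist: " + host, body))
        elif code == "O21":
            # Assumed heuristic 2: shell-loaded (SSODL) DLL not under System32.
            path = body.rsplit(" - ", 1)[-1]
            if "\\system32\\" not in path.lower():
                findings.append((code, "SSODL DLL outside System32: " + path, body))
    return findings


if __name__ == "__main__":
    for code, reason, _ in triage(SAMPLE_LOG, ["bt.yahoo.com"]):
        print(code, "-", reason)
```
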