Computer Juice > Computer Software > Virus, Spyware & Security
Avssytemcare popup virus and alike -(includes hijack this)
  #1  
Old 23rd Aug 2007, 05:49
Member Group
 

I've recently been getting some really annoying popups, mostly an Avssytemcare one that tells me my PC is infected and links me to its site; then loads of others open, some for winning iPods etc... damn annoying anyway. I'm using Firefox, but they appear in IE.

Any way to stop this from happening?

Here's the HijackThis report:

Logfile of HijackThis v1.99.1
Scan saved at 13:42, on 2007-08-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
E:\Downloads\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Belkin 802.11g Wireless PCI Card Configuration Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - http://a516.g.akamai.net/f/516/25175...at-no-eula.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
  #2  
Old 23rd Aug 2007, 07:27
Moderator Group
 

I don't see any antivirus running. Is it disabled, or do you have one that works properly?
If needed, download Avast! HERE
Check for updates and let it fix what it finds.

Go into Add/Remove Programs and see if anything you know shouldn't be there has been installed that you can uninstall, like toolbars.
Uninstall SpyNoMore. This has been known to be a rogue product in the past. They have supposedly cleaned up their act, but we don't know this for sure.
Uninstall Java jre1.5.0_09. Then go to www.java.com and download the latest version.

Then run CCleaner. Use the default options.
If you do not have CCleaner please install it. Here
Once CCleaner is open use the default options and click Analyze and it will show a log of what will be removed. Next click Run Cleaner to remove everything.
Next on the upper left of CCleaner select the Registry/Issues tab.
Next click Scan For Issues. Next click Fix selected issues.
It will prompt you to make a backup. For the first run I would suggest doing so.

If you don't have Spybot Search & Destroy please download/install it. Here
Check for updates now and get any updates.
Look for the Immunize feature in Spybot and use it.
Do not use the Teatimer function.
Run Spybot and let it fix what it finds.

Let me know how things are and post a fresh HijackThis (HJT) log.
  #3  
Old 23rd Aug 2007, 10:44
Member Group
 

Ok I have done everything that you said, including reinstalling Avast.

Here's the new log:

Logfile of HijackThis v1.99.1
Scan saved at 18:42, on 2007-08-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\MXOALDR.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\Program Files\MSN Messenger\usnsvc.exe
E:\Downloads\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Belkin 802.11g Wireless PCI Card Configuration Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - http://a516.g.akamai.net/f/516/25175...at-no-eula.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
  #4  
Old 23rd Aug 2007, 12:05
Moderator Group
 

Are you still getting the popups?
Did spybot or Avast remove anything?

Open HJT and select Do a system scan only.
Place a check mark next to these entries.
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
** Important ** Close all windows, including this one, before clicking Fix checked.

Your logs are looking OK, so I need to know if the problem is still there.
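The moderator's triage in post #4 keys on two things in the HJT log: registrations whose target no longer exists ("(no file)", "(file missing)") and a process still running from a Java directory that is no longer the registered one. The following script, added here as an example and not part of the thread or of HijackThis itself, applies those same checks to a constructed log in the v1.99.1 line format shown above; the sample lines and the version-comparison rule are assumptions of this example.

```python
import re

# Constructed sample in the shape of the HJT v1.99 logs posted above (not a real log).
SAMPLE_LOG = """\
Running processes:
C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_02\\bin\\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] "C:\\Program Files\\Java\\jre1.6.0_02\\bin\\jusched.exe"
O23 - Service: avast! Mail Scanner - Unknown owner - C:\\Program Files\\Alwil Software\\Avast4\\ashMaiSv.exe" /service (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\\WINDOWS\\system32\\Ati2evxx.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")            # "O4 - HKLM\..\Run: ..." style lines
PATH_RE = re.compile(r"^[A-Z]:\\")                    # lines of the "Running processes" list
JRE_RE = re.compile(r"jre(\d+\.\d+\.\d+_\d+)", re.I)  # Java version directory inside a path

def version_key(v):
    """Turn '1.5.0_09' into a comparable tuple (1, 5, 0, 9)."""
    return tuple(int(p) for p in re.split(r"[._]", v))

def parse_log(text):
    """Split an HJT log into the running-process paths and the O-numbered entries."""
    processes, entries = [], []
    for line in (raw.strip() for raw in text.splitlines()):
        if ENTRY_RE.match(line):
            entries.append(line)
        elif PATH_RE.match(line):
            processes.append(line)
    return processes, entries

def triage(text):
    """Return (reason, line) findings mirroring what the moderator flagged in post #4."""
    processes, entries = parse_log(text)
    findings = []
    for line in entries:
        if line.endswith("(no file)"):            # registry points at a deleted file
            findings.append(("orphaned registration (no file)", line))
        elif "(file missing)" in line:            # service registered, binary gone
            findings.append(("service binary missing", line))
    # A process still running from an older JRE than the one registered to autostart.
    registered = {v for e in entries for v in JRE_RE.findall(e)}
    newest = max(registered, key=version_key, default=None)
    for proc in processes:
        for v in JRE_RE.findall(proc):
            if newest and version_key(v) < version_key(newest):
                findings.append((f"stale JRE {v} running, newest registered is {newest}", proc))
    return findings
```

Running `triage(SAMPLE_LOG)` reports the nameless BHO, the missing avast! mail-scanner binary and the jre1.5.0_09 process, and stays silent on the ATI service whose file is present.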
  #5  
Old 23rd Aug 2007, 15:32
Member Group
 

Yes I am still getting the pop-ups. Avast detected and deleted about 6 trojans. Spybot deleted a few things too.

I've also just done what you suggested.

Hmmmm, seems like it's really hidden.
  #6  
Old 23rd Aug 2007, 15:49
Moderator Group
 

Run this online scanner: Panda ActiveScan
Panda ActiveScan will only fix certain viruses and trojans. Most items found will not be fixed. But the log produced is very useful in manual removal steps that may follow.
1. When the page appears, click the Scan your PC button.
2. In the next window, click the Check Now button
3. You now need to enter some information before you can run a scan
* Enter your Country
* Enter your State/Province
* Enter your e-mail address and click send
* Select either Home User or Company
4. Click the Scan Now button
5. If you get a prompt about an Active-X component, allow the component to be installed.
6. Now a download to your PC will begin. This is a required component for the scan. It contains detection information. (Note: It may take a while to download based on your connection speed.)
7. When the download has completed, click on Local Disks to start the scan
8. When the scan is finished close the popup window and then click See Report
9. Click Yes to the prompt, then click Save Report
10. The default report name is Activescan.txt. Just save it where you can find it so you can attach it to your message.
Note: The scan may take a while.
Panda may not fix anything.

The log is what I need the most.

  #7  
Old 24th Aug 2007, 00:26
Member Group
 

Try scanning with Ad-Aware SE 2007, I think this will resolve your Pop-Up problems.
  #8  
Old 24th Aug 2007, 01:01
Moderator Group
 

Quote:
Originally Posted by Onur
Try scanning with Ad-Aware SE 2007, I think this will resolve your Pop-Up problems.
Onur,
Please let me handle this one.
This is more of a virus than spyware.
Extra steps will be required.
Thanks
  #9  
Old 24th Aug 2007, 01:19
Member Group
 

Ok, Sir. Your move, battle against viruses and win the battle.
  #10  
Old 24th Aug 2007, 04:19
Member Group
 

Here's the log then:

Incident Status Location

Spyware :Cookie/Mediaplex Not disinfected C:\Documents and Settings\Stu\Application Data\Mozilla\Firefox\Profiles\q3syr0sv.default\cookies.txt[.mediaplex.com/]
Spyware :Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Stu\Application Data\Mozilla\Firefox\Profiles\q3syr0sv.default\cookies.txt[.tribalfusion.com/]
Spyware :Cookie/Doubleclick Not disinfected C:\Documents and Settings\Stu\Application Data\Mozilla\Firefox\Profiles\q3syr0sv.default\cookies.txt[.doubleclick.net/]
Spyware :Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Stu\Application Data\Mozilla\Firefox\Profiles\q3syr0sv.default\cookies.txt[.atdmt.com/]
Spyware :Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Stu\Cookies\stu@atdmt[2].txt
Spyware :Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Stu\Cookies\stu@atdmt[3].txt
Spyware: Cookie/Doubleclick Not disinfected C:\Documents and Settings\Stu\Cookies\stu@doubleclick[2].txt
Spyware: Cookie/Mediaplex Not disinfected C:\Documents and Settings\Stu\Cookies\stu@mediaplex[1].txt
Spyware :Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Stu\Cookies\stu@tradedoubler[1].txt
Spyware :Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Stu\Cookies\stu@tradedoubler[2].txt
Spyware: Cookie/Zedo Not disinfected C:\Documents and Settings\Stu\Cookies\stu@zedo[1].txt
Potentially unwanted tool: Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
Spyware: Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\vturo.dll.vir
Virus: Generic Malware Disinfected C:\WINDOWS\system32\vtuspmm.dll.vir
Hacktool: Generic Application Not disinfected D:\System Volume Information\_restore{D49D4773-9505-4C36-A674-FE0389901E2D}\RP59\A0004512.exe
Virus: Trj/SpaBot.AI Disinfected E:\Installations\Music\Vst's\FXPansion.BFD.Converter.v1.0.1.MAC.OSX.Incl.KeyGen-DYNAMiCS.zip[FXPansion.BFD.Converter.v1.0.1.MAC.OSX.Incl.KeyGen-DYNAMiCS/KeyGen.exe]
Potentially unwanted tool: Application/RealSpy Not disinfected E:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP92\A0018004.exe
Copyright ©2006 - 2009 Computer Juice.