Pop ups (RESOLVED)
#1 - 02-11-2005, 08:48 PM
Fireman sam
Pop ups (RESOLVED)

Followed instructions from another thread, think I have done this right. Getting lots of "violent" pop ups; by violent I mean lots and lots, hard to get rid of, etc!

This has been going on for about a month or two. Over the last 2 days I keep getting mailer-daemon emails saying emails could not be sent; upon checking the emails, the addresses that are failing are addresses I have never heard of... and have not tried to email.

Here is my log... thanks

Logfile of HijackThis v1.99.1
Scan saved at 19:37:54, on 02/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\yyvvja.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\VoyagerTest\fts.exe
C:\WINDOWS\system32\gsicon.exe
C:\WINDOWS\system32\dslagent.exe
C:\WINDOWS\system32\B6B5B3B3B3BBB.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\winCMAPP\wincmapp.exe
C:\Program Files\AOL 9.0a\aoltray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\AOL 9.0a\waol.exe
C:\Program Files\AOL 9.0a\shellmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\Documents and Settings\kevin mutlow\Local Settings\Temporary Internet Files\Content.IE5\6D25Y5GB\hijackthis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINDOWS\system32\pkshatwb.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: JustForMonkeys.Bananas - {7977A6ED-C4BD-490E-8C58-AA0849CA03A4} - C:\WINDOWS\system32\{7977A6ED-C4BD-490E-8C58-AA0849CA03A4}.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [E7E6E4E4E4ECE9E] B6B5B3B3B3BBB.exe
O4 - HKLM\..\Run: [lejertm] C:\WINDOWS\system32\yyvvja.exe r
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [pshower] C:\WINDOWS\system32\pshwr.exe
O4 - HKCU\..\Run: [wincmap] "C:\Program Files\winCMAPP\wincmapp.exe"
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/comput...up/qdiagcc.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-36.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.sc-server1.bt.com/broadba...ivePreQual.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livenj01.rightnowtech.com/557.../java/RntX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{931178D8-CCFD-4630-B523-630C5C2AA59B}: NameServer = 205.188.146.145
O18 - Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - C:\Program Files\Tiscali\Tiscali Internet\dlls\tiscalifilter.dll
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
#2 - 02-11-2005, 09:05 PM
Neal
Re: Pop ups

Welcome to DAL,


You have the Nail/Epolvy Trojan infection, let's prepare for battle.


BEFORE BEGINNING, Please read completely through the instructions below and download the files from the links provided. You may want to save or print out these instructions for easier reference.

First, download Ewido Security Suite. Don't run the tool yet, OK?

Next, download Lavasoft's Ad-Aware and the VX2 Cleaner Plug-in. Install Ad-Aware using the default options, then install vx2cleaner_inst.exe, taking all the defaults there as well.

Run Ad-Aware, update to the latest definitions, then click on Add-ons in the left-hand column. Select VX2 Cleaner V2.0 and click Run Tool. Click "OK", then, if something is found, click "Clean" as in the directions given. Click "Close", and exit Ad-Aware.

Reboot your PC and run Ad-Aware again. This time, click on the Start button in Ad-Aware, select "Perform smart system scan" and click Next. Once the scan finishes, click "Next" again. Select all objects found (right click anywhere in the list of found objects and click "Select All Objects"). Click "Next" one more time, then "OK" to confirm the removal.

You will be prompted to set Ad-Aware to run on reboot, click "OK". Exit Ad-Aware and restart your PC once again.

When Ad-Aware starts up, click on "Start", then "Next". Follow the steps above if anything is found, or click "Finish", then exit Ad-Aware.

For a final cleanup, please run Ewido.
  1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  2. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  3. From the main ewido screen, click on update in the left menu, then click the Start update button.
  4. After the update finishes, the status bar at the bottom will display "Update successful".
  5. Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
  6. If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
  7. When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

Please finish up by rebooting your system once more, and posting a new HijackThis log and the log from the Ewido scan.
__________________
Stalking and killing Spyware

Have we helped you? Please consider a donation to help keep D-A-L free. Click on donate below



MALWARE: READ FIRST Procedures:
|_ SpyBot V1.5 _|_ HijackThis Log __V2.0.2 _|




ASAP: promoting a high standard and quality of security support no matter where you seek help.

#3 - 02-11-2005, 09:10 PM
Fireman sam
Re: Pop ups

Wow, that sounds hard... not wanting to sound ungrateful, is there an easier way???

Thank you for your very prompt reply, by the way.
#4 - 02-11-2005, 09:47 PM
Neal
Re: Pop ups

Just try it, it really is a piece of cake, and yes, the only way.
#5 - 03-11-2005, 12:31 AM
Fireman sam
Re: Pop ups

Hi, thanks for your great help. Can't say I followed your instructions right to the book... but downloaded all them programmes, played about a bit and have been surfing for half an hour with no pop ups... as yet!!

The Ewido one kept crashing; got about 8-9 red lights up with the alarm, kept clicking remove, then an error message would come up.

Anyway... here is my log. Has this nasty virus gone?

Logfile of HijackThis v1.99.1
Scan saved at 23:28:59, on 02/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\aqjrgv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\VoyagerTest\fts.exe
C:\WINDOWS\system32\gsicon.exe
C:\WINDOWS\system32\dslagent.exe
C:\WINDOWS\system32\B6B5B3B3B3BBB.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\winCMAPP\wincmapp.exe
C:\Program Files\AOL 9.0a\aoltray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\AOL 9.0a\waol.exe
C:\Program Files\AOL 9.0a\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\Documents and Settings\kevin mutlow\Local Settings\Temporary Internet Files\Content.IE5\GXJ25RYL\hijackthis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINDOWS\system32\pkshatwb.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: JustForMonkeys.Bananas - {7977A6ED-C4BD-490E-8C58-AA0849CA03A4} - C:\WINDOWS\system32\{7977A6ED-C4BD-490E-8C58-AA0849CA03A4}.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [E7E6E4E4E4ECE9E] B6B5B3B3B3BBB.exe
O4 - HKLM\..\Run: [tgcitra] C:\WINDOWS\system32\aqjrgv.exe r
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [pshower] C:\WINDOWS\system32\pshwr.exe
O4 - HKCU\..\Run: [wincmap] "C:\Program Files\winCMAPP\wincmapp.exe"
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/comput...up/qdiagcc.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-36.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.sc-server1.bt.com/broadba...ivePreQual.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livenj01.rightnowtech.com/557.../java/RntX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{931178D8-CCFD-4630-B523-630C5C2AA59B}: NameServer = 205.188.146.145
O18 - Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - C:\Program Files\Tiscali\Tiscali Internet\dlls\tiscalifilter.dll
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
#6 - 03-11-2005, 12:34 AM
Fireman sam
Re: Pop ups

Perhaps not, one just came up!
#7 - 03-11-2005, 03:43 AM
Neal
Re: Pop ups

Yep, still there. Let's try again and follow the instructions exactly as written, please.

But first I need you to do the below:

I need you to submit the file(s) to see if they are infected or legit: http://virusscan.jotti.org/

Files:

1. C:\WINDOWS\system32\aqjrgv.exe

2. C:\WINDOWS\system32\B6B5B3B3B3BBB.exe

Copy/paste the results back here for me to look at; I suspect they are bad.


BEFORE BEGINNING, Please read completely through the instructions below and download the files from the links provided. You may want to save or print out these instructions for easier reference.


Try running Ewido again below please.

Do this now before the fix below.

Download CCleaner from here:
http://www.majorgeeks.com/download4191.html
or here:
http://www.filehippo.com/download_ccleaner.html

Don't run the tool just yet.
Install it. The Windows tab should be opened in the upper left of the program. Click Analyze and then click Run Cleaner. Just use the Windows tab that is up front by default.

1. Uncheck "Cookies" under "Internet Explorer".

2. If you are running Firefox, then click on the "Applications" tab and uncheck "Cookies" under "Firefox".


Now reboot into safe mode by tapping your F8 key upon restart; when the safe mode screen appears, select safe mode and press Enter.

Now run CCleaner using the Windows tab only, please.

Reboot into normal mode and proceed with the fix.

Now try doing the fix.



Run Ad-Aware, update to the latest definitions, then click on Add-ons in the left-hand column. Select VX2 Cleaner V2.0 and click Run Tool. Click "OK", then, if something is found, click "Clean" as in the directions given. Click "Close", and exit Ad-Aware.

Reboot your PC and run Ad-Aware again. This time, click on the Start button in Ad-Aware, select "Perform smart system scan" and click Next. Once the scan finishes, click "Next" again. Select all objects found (right click anywhere in the list of found objects and click "Select All Objects"). Click "Next" one more time, then "OK" to confirm the removal.

You will be prompted to set Ad-Aware to run on reboot, click "OK". Exit Ad-Aware and restart your PC once again.

When Ad-Aware starts up, click on "Start", then "Next". Follow the steps above if anything is found, or click "Finish", then exit Ad-Aware.

Run Ewido. Try again.

Please finish up by rebooting your system once more, and posting a new HijackThis log and the log from the Ewido scan.

Ewido is the heart and soul of this fix; if it doesn't work again, then we will go in a different direction to get rid of some stuff that might be causing the problems.
#8 - 03-11-2005, 02:43 PM
Fireman sam
Re: Pop ups
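To make the comparison Neal is doing between the two logs repeatable, here is an added example (my own script, not code from the thread or from HijackThis) that parses HijackThis entry lines, applies the checks used above (the extra program on the F2 Shell= line, the CLSID-named BHO, hex-named and random-named Run entries in system32, an unknown-owner service sitting directly in C:\WINDOWS) and diffs the two scans so a loader that re-spawned under a new name stands out. The log excerpts are constructed from the two logs posted above; the rule names and the consonant-run heuristic are my own and go a little beyond what the thread states.

```python
"""Triage helper for HijackThis v1.99 logs (added example; not from the thread
or the HijackThis project). Parses entry lines, applies the checks the helper
used, and diffs two scans so a re-spawned random-named loader shows up.
Log excerpts below are constructed from the two logs posted in the thread."""
import re

LOG_BEFORE = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: JustForMonkeys.Bananas - {7977A6ED-C4BD-490E-8C58-AA0849CA03A4} - C:\WINDOWS\system32\{7977A6ED-C4BD-490E-8C58-AA0849CA03A4}.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [E7E6E4E4E4ECE9E] B6B5B3B3B3BBB.exe
O4 - HKLM\..\Run: [lejertm] C:\WINDOWS\system32\yyvvja.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [pshower] C:\WINDOWS\system32\pshwr.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
"""
LOG_AFTER = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: JustForMonkeys.Bananas - {7977A6ED-C4BD-490E-8C58-AA0849CA03A4} - C:\WINDOWS\system32\{7977A6ED-C4BD-490E-8C58-AA0849CA03A4}.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [E7E6E4E4E4ECE9E] B6B5B3B3B3BBB.exe
O4 - HKLM\..\Run: [tgcitra] C:\WINDOWS\system32\aqjrgv.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [pshower] C:\WINDOWS\system32\pshwr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.+)$")
EXE_RE = re.compile(r'"?([^"]*?\.exe)"?', re.IGNORECASE)
GUID_DLL_RE = re.compile(r"^\{[0-9A-F-]{36}\}\.dll$", re.IGNORECASE)
HEX_NAME_RE = re.compile(r"^[0-9A-F]{10,}$", re.IGNORECASE)


def parse(log):
    """Return (section, body) for every 'Rn/Fn/On - ...' entry line."""
    matches = (ENTRY_RE.match(line.strip()) for line in log.splitlines())
    return [(m.group("sec"), m.group("body")) for m in matches if m]


def looks_random(stem):
    """Heuristic (my own, not a HijackThis rule): letters only with a run of
    four or more consonants, as in yyvvja / aqjrgv / pshwr. Applied only to
    files under system32 so legitimate names such as msmsgs are left alone."""
    return stem.isalpha() and re.search(r"[^aeiou]{4,}", stem.lower()) is not None


def find_indicators(entries):
    """Apply the thread's checks to parsed entries; return (rule, body) hits."""
    hits = []
    for sec, body in entries:
        if sec == "F2" and "Shell=" in body:
            # Shell= should be exactly Explorer.exe; any extra token is a second
            # program started together with the shell (here C:\WINDOWS\Nail.exe).
            tokens = body.split("Shell=", 1)[1].split()
            if any(t.lower() != "explorer.exe" for t in tokens):
                hits.append(("shell-hijack", body))
        elif sec == "O2":
            # A BHO whose DLL is named after its own CLSID (JustForMonkeys.Bananas).
            if GUID_DLL_RE.match(body.rsplit("\\", 1)[-1]):
                hits.append(("clsid-named-bho", body))
        elif sec == "O4" and "Run: [" in body and "]" in body:
            name, tail = body.split("[", 1)[1].split("]", 1)
            m = EXE_RE.search(tail.strip())
            exe = m.group(1) if m else ""
            stem = exe.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if HEX_NAME_RE.match(name) or HEX_NAME_RE.match(stem):
                hits.append(("hex-named-run", body))  # E7E6E4E4E4ECE9E / B6B5B3B3B3BBB.exe
            elif "\\system32\\" in exe.lower() and looks_random(stem):
                hits.append(("random-name-in-system32", body))
        elif sec == "O23" and "Unknown owner" in body:
            # An unknown-owner service sitting directly in C:\WINDOWS rather than
            # a vendor directory (SvcProc.exe) deserves a second look.
            path = body.rsplit(" - ", 1)[-1]
            if re.match(r"^c:\\windows\\[^\\]+\.exe$", path, re.IGNORECASE):
                hits.append(("unknown-service-in-windows-root", body))
    return hits


def diff_logs(before, after):
    """Entries that disappeared and appeared between two scans of one machine."""
    a, b = set(parse(before)), set(parse(after))
    return sorted(a - b), sorted(b - a)


def persisting_indicators(before, after):
    """Hits in the second scan that were already in the first: the clean-up
    did not touch them, or the loader put them back."""
    seen = {body for _, body in parse(before)}
    return [h for h in find_indicators(parse(after)) if h[1] in seen]


if __name__ == "__main__":
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    for rule, body in persisting_indicators(LOG_BEFORE, LOG_AFTER):
        print(f"STILL PRESENT [{rule}] {body}")
    for sec, body in removed:
        print(f"GONE  {sec} - {body}")
    for sec, body in added:
        print(f"NEW   {sec} - {body}")
```

Run against the two logs it reports Nail.exe, the CLSID-named BHO, the hex-named Run entry, pshwr.exe and SvcProc.exe as still present, and shows the system32 loader renamed from yyvvja.exe to aqjrgv.exe between scans.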

Hi again, and again thanks for your help. Last night I did not follow your plan by the book as things happened in a different way; for example, you asked me to click on Add-ons in Ad-Aware, I clicked on Add-ons but VX2 Cleaner was not there.

Then Ewido started playing me about; tried it at least a dozen times, same error message... Ewido has encountered a fault and cannot continue.

Ad-Aware did find a load of things so I cleaned them; half an hour later and it finds more... one in particular it does not like cleaning is a Windows one.

I ran Spyware Doctor and took the below log. I have tried posting this about 3 times; although this site tells me the info has been posted it is not displayed, so this time I am breaking the log up... maybe it was too big for one thread??

Must say, the pop ups have slowed right down, only had it happen twice this morning, whereas before it was about every other site I went to!

In my spam box there were 22 mailer-daemon returned emails, none of which I have ever sent; deleted them and straight away another 6 come up.

Will post the Spyware Doctor log in another post...

Thanks
#9 - 03-11-2005, 02:52 PM
Fireman sam
Re: Pop ups

Scan Results:
scan start: 03/11/2005 07:54:22
scan stop: 03/11/2005 08:08:58
scanned items: 100528
found items: 373
found and ignored: 0
tools used: General Scanner, Process Scanner, Hosts scanner, LSP Scanner, Registry Scanner, Browser Defaults, Favorites and ZoneMap Scanner, ActiveX Scanner, Browser Activity Scanner, Disk Scanner



Infection Name Location Risk
Transponder.Bolger spoolsv.exe (C:\WINDOWS\system32\DrPMon.dll) High
Transponder.Bolger xrewfhz.exe (C:\WINDOWS\system32\xrewfhz.exe) High
ABetterInternet HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\bsto-1 Elevated
ABetterInternet HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\bsto-1## Elevated
ABetterInternet HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\bsto-1##UninstallString Elevated
ABetterInternet HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\bsto-1##DisplayName Elevated
ABetterInternet HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\bsto-1##DisplayIcon Elevated
ABetterInternet HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\bsto-1##URLInfoAbout Elevated
ABetterInternet HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\bsto-1##Publisher Elevated
ABetterInternet HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\bsto-1##HelpLink Elevated
ABetterInternet HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\bsto-1##Contact Elevated
CasinoClient HKCU\Software\CMAPP High
CasinoClient HKCU\Software\CMAPP## High
CasinoClient HKCU\Software\CMAPP\Client High
CasinoClient HKCU\Software\CMAPP\Client## High
CasinoClient HKCU\Software\CMAPP\Client##Registered High
CasinoClient HKCU\Software\CMAPP\Client##aid High
CasinoClient HKCU\Software\CMAPP\Client##source High
CasinoClient HKCU\Software\CMAPP\Client##StubTracked High
CasinoClient HKCU\Software\CMAPP\Client##Downloaded High
CasinoClient HKCU\Software\CMAPP\Client##ConfigCache High
CasinoClient HKCU\Software\CMAPP\Client##ConfigDate High
CasinoClient HKCU\Software\CMAPP\Client##URLSearchHookVersion High
CasinoClient HKCU\Software\CMAPP\Client##HTMLFilterVersion High
CasinoClient HKCU\Software\CMAPP\Client##URLRedirectVersion High
CasinoClient HKCU\Software\CMAPP\Client##ShortcutTime High
CasinoClient HKCU\Software\CMAPP\Client##TPA High
Pops Stop HKCR\FunTools.PicShow High
Pops Stop HKCR\FunTools.PicShow## High
Pops Stop HKCR\FunTools.PicShow\CLSID High
Pops Stop HKCR\FunTools.PicShow\CLSID## High
Pops Stop HKCR\FunTools.PicShow\CurVer High
Pops Stop HKCR\FunTools.PicShow\CurVer## High
#10 - 03-11-2005, 02:59 PM
Fireman sam
Re: Pop ups

Pops Stop HKCR\FunTools.PicShow.1
Pops Stop HKCR\FunTools.PicShow.1##
Pops Stop HKCR\FunTools.PicShow.1\CLSID
Pops Stop HKCR\FunTools.PicShow.1\CLSID##
Pops Stop HKCR\Interface\{FD3BE864-457E-4863-923A-61FB1A3E9BC2}
Pops Stop HKCR\Interface\{FD3BE864-457E-4863-923A-61FB1A3E9BC2}##
Pops Stop HKCR\Interface\{FD3BE864-457E-4863-923A-61FB1A3E9BC2}\ProxyStubClsid
Pops Stop HKCR\Interface\{FD3BE864-457E-4863-923A-61FB1A3E9BC2}\ProxyStubClsid##
Pops Stop HKCR\Interface\{FD3BE864-457E-4863-923A-61FB1A3E9BC2}\ProxyStubClsid32
Pops Stop HKCR\Interface\{FD3BE864-457E-4863-923A-61FB1A3E9BC2}\ProxyStubClsid32##
Pops Stop HKCR\Interface\{FD3BE864-457E-4863-923A-61FB1A3E9BC2}\TypeLib
Pops Stop HKCR\Interface\{FD3BE864-457E-4863-923A-61FB1A3E9BC2}\TypeLib##
Pops Stop HKCR\Interface\{FD3BE864-457E-4863-923A-61FB1A3E9BC2}\TypeLib##Version
Pops Stop HKCR\TypeLib\{7638761F-0CE1-4E68-9692-D623527A6B7B}
Pops Stop HKCR\TypeLib\{7638761F-0CE1-4E68-9692-D623527A6B7B}##
Pops Stop HKCR\TypeLib\{7638761F-0CE1-4E68-9692-D623527A6B7B}\1.0
Pops Stop HKCR\TypeLib\{7638761F-0CE1-4E68-9692-D623527A6B7B}\1.0##
Pops Stop HKCR\TypeLib\{7638761F-0CE1-4E68-9692-D623527A6B7B}\1.0\0
Pops Stop HKCR\TypeLib\{7638761F-0CE1-4E68-9692-D623527A6B7B}\1.0\0##
Pops Stop HKCR\TypeLib\{7638761F-0CE1-4E68-9692-D623527A6B7B}\1.0\0\win32
Pops Stop HKCR\TypeLib\{7638761F-0CE1-4E68-9692-D623527A6B7B}\1.0\0\win32##
Pops Stop HKCR\TypeLib\{7638761F-0CE1-4E68-9692-D623527A6B7B}\1.0\FLAGS
Pops Stop HKCR\TypeLib\{7638761F-0CE1-4E68-9692-D623527A6B7B}\1.0\FLAGS##
Pops Stop HKCR\TypeLib\{7638761F-0CE1-4E68-9692-D623527A6B7B}\1.0\HELPDIR
Pops Stop HKCR\TypeLib\{7638761F-0CE1-4E68-9692-D623527A6B7B}\1.0\HELPDIR##
Pops Stop HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run##pshower
Pops Stop HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PShow
Pops Stop HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PShow##
Pops Stop HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PShow##DisplayName
Pops Stop HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PShow##UninstallString
Pops Stop HKLM\SOFTWARE\PicShow
Pops Stop HKLM\SOFTWARE\PicShow##
Pops Stop HKLM\SOFTWARE\PicShow##DistId
Pops Stop HKLM\SOFTWARE\PicShow##CrpId
Pops Stop HKLM\SOFTWARE\PicShow##Uninstall
Pops Stop HKLM\SOFTWARE\PicShow##cver
Pops Stop HKLM\SOFTWARE\PicShow##bver
Pops Stop HKLM\SOFTWARE\PicShow##VolId
Pops Stop HKLM\SOFTWARE\PicShow\Sys
Pops Stop HKLM\SOFTWARE\PicShow\Sys##
Pops Stop HKLM\SOFTWARE\PicShow\Sys##Registered
Pops Stop HKLM\SOFTWARE\PicShow\Sys##InstallT
Pops Stop HKLM\SOFTWARE\PicShow\Sys##InitFailCode
Pops Stop HKLM\SOFTWARE\PicShow\Sys##LastInitFail
Pops Stop HKLM\SOFTWARE\PicShow\Sys##Version
Pops Stop HKLM\SOFTWARE\PicShow\Sys##CfgXpT