Viruses, Spyware ???

vikkih110 · #1 (**permalink**) 16-06-2007, 03:23 PM

Hi,
i'm not great with computers so wondered if any of you guys could help me??!

Just recently i seem to get pop-up ads and ads saying i've got viruses and malware,which i have never had before. I run AVG anti-virus, spybot & zone alarm.
I have run the checks on AVG & spybot, but it doesnt show anything, i also downloaded AVG anti-spyware and ran this, but again it doesnt show anything.

What else can i do guys??
I'm grateful for any help.....these pop-ups are crazing me! plus i dont really want to do anything confidential, ie banking etc, if i'm not protected.

Cheers

Neal · #2 (**permalink**) 16-06-2007, 05:20 PM

At the bottom of my signature is a link that says read this first click on it and scroll down and find hijackthis link run the tool click on scan and save a log file, then copy/paste it right back here.

vikkih110 · #3 (**permalink**) 17-06-2007, 02:54 PM

i cannot install "hiack this". when i try and run it i get a msg.......
"this application has failed to start because MSVBM60.DLL was not found. Re-installing the application may fix this problem".
i tried deleting and re-installing, but it will not work

what am i doing wrong?

Neal · #4 (**permalink**) 17-06-2007, 11:37 PM

Let's try this:

Please go to hijackthis.exe and right click on it and then click on rename and rename it to foolyou.exe, press enter
and post a new log from the newly renamed hijackthis.exe. Sometimes malware hides from hijackthis.exe.

vikkih110 · #5 (**permalink**) 18-06-2007, 07:43 PM

i am still getting the same message as i put in my last post!

Neal · #6 (**permalink**) 19-06-2007, 12:32 AM

I'm researching that, for the time being if you have XP do this:

1. Download this file - COMBOFIX
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

vikkih110 · #7 (**permalink**) 20-06-2007, 09:35 PM

ok, thanks. did the combofix thing, here is log.....

ComboFix 07-06-18.2 - C:\Documents and Settings\Vick\Desktop\ComboFix.exe
"Vick" - 2007-06-20 20:27:02 - Service Pack 2 NTFS

/wow section not completed

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Program Files\Common Files\Yazzle1461OinUninstaller.exe
C:\WINDOWS\system32\nvs2.inf
C:\WINDOWS\system32\wdtgew.dat
C:\WINDOWS\system32\wdtgew.exe
C:\WINDOWS\system32\wdtgew_nav.dat
C:\WINDOWS\system32\wdtgew_navps.dat

((((((((((((((((((((((((( Files Created from 2007-05-20 to 2007-06-20 )))))))))))))))))))))))))))))))

2007-06-20 20:26 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-20 20:15 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-17 14:12 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-17 14:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-17 14:11 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-16 13:58 <DIR> d-------- C:\Program Files\foolyou
2007-06-16 13:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinZip
2007-06-14 19:56 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-06-14 19:53 <DIR> d-------- C:\Program Files\MSBuild
2007-06-14 19:45 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-06-14 19:42 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-06-14 19:25 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-06-14 19:24 <DIR> d-------- C:\65c025ee7bdd6fbdb3bea3febd17
2007-06-14 19:18 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2007-06-14 19:18 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2007-06-14 19:18 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2007-06-07 20:41 <DIR> d-------- C:\Program Files\PC Doc Pro
2007-06-07 19:50 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-06-06 21:37 140,288 --a------ C:\DOCUME~1\ADMINI~1\vcleaner.exe
2007-06-06 21:14 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-06-06 21:14 <DIR> d-------- C:\Program Files\Channel4
2007-06-04 15:18 9,344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 15:17 8,320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 15:14 6,272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-06-03 21:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\STOPzilla!
2007-05-30 17:56 <DIR> dr------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SalesMonitor
2007-05-23 20:24 <DIR> d-------- C:\DOCUME~1\Vick\APPLIC~1\InterVideo

(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))

2007-06-17 18:16:43 -------- d-----w C:\DOCUME~1\Vick\APPLIC~1\LimeWire
2007-06-06 20:14:40 -------- d-----w C:\Program Files\Kontiki
2007-06-06 20:14:40 -------- d-----w C:\DOCUME~1\Vick\APPLIC~1\AOL
2007-06-06 20:13:39 -------- d-----w C:\Program Files\Common Files\AOL
2007-06-05 17:32:03 1,664 ----a-w C:\DOCUME~1\Vick\APPLIC~1\wklnhst.dat
2007-06-05 17:22:17 -------- d-----w C:\Program Files\Yahoo!
2007-06-05 17:19:26 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-05 17:19:18 -------- d-----w C:\Program Files\Samsung
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14

15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 21:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 21:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 21:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 21:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 21:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 21:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 21:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 21:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-13 14:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-03-23 05:07:56 1,683,280 ------w C:\WINDOWS\system32\XpsSvcs.dll
2007-03-23 05:07:54 583,504 ------w C:\WINDOWS\system32\XPSSHHDR.dll
2007-03-22 19:25:02 124,928 ------w C:\WINDOWS\system32\prntvpt.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-11 15:21]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2005-07-20 02:46]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-06 21:34]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 13:29]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\AOL 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digimax Viewer 2.1.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digimax Viewer 2.1.lnk
backup=C:\WINDOWS\pss\Digimax Viewer 2.1.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD]
"C:\Program Files\Kontiki\KHost.exe" -all

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
C:\Program Files\Apoint2K\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
C:\Program Files\HPQ\Default Settings\cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
C:\Program Files\Kontiki\KHost.exe -all

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar]
rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\outlook]
C:\Program Files\outlook\outlook.exe /auto

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

*Newly Created Service* - AVGASCLN

Contents of the 'Scheduled Tasks' folder
2007-06-20 19:29:00 C:\WINDOWS\tasks\Symantec NetDetect.job

************************************************** ************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-20 20:30:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************

Completion time: 2007-06-20 20:31:34
C:\ComboFix-quarantined-files.txt ... 2007-06-20 20:31

--- E O F ---

Neal · #8 (**permalink**) 20-06-2007, 10:12 PM

Thanks,

Please download VundoFix.exe to your desktop.[list][*]Double-click VundoFix.exe to run it.[*]Click the Scan for Vundo button.[*]Once it's done scanning, click the Remove Vundo button.[*]You will receive a prompt asking if you want to remove the files, click YES[*]Once you click yes, your desktop will go blank as it starts removing Vundo.[*]When completed, it will prompt that it will reboot your computer, click OK.[*]Please post the contents of C:\vundofix.txt.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Please download http://siri.urz.free.fr/Fix/SmitfraudFix.zip (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Please do not run any other option until asked to do so, Thanks

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Please post the smitfraudfix log. Thanks.

vikkih110 · #9 (**permalink**) 20-06-2007, 10:26 PM

vundofix will not work
it will download, but when i doubleclick on it to run it computer just makes an error noise and does nothing
??????

Neal · #10 (**permalink**) 21-06-2007, 12:21 AM

go here and download a file you need apparently:

http://www.microsoft.com/downloads/d...displaylang=en