 jaa
Premium Member
join:2000-06-13 |
jaa
Premium Member
2006-Jan-5 7:21 pm
Scans are clean, still have popups!! HJT logI have scanned this computer so many times, but I still get popups every few minutes - just an IE windows no toolbars.
Here is the HJT log - looks clean to me. Help!!
Logfile of HijackThis v1.99.1
Scan saved at 7:19:41 PM, on 1/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Common Files\AOL\1120013954\ee\AOLHostManager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\AOL\1120013954\ee\AOLServiceHost.exe
c:\program files\common files\aol\1120013954\ee\services\antiSpywareApp\ver2_0_0\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1120013954\ee\AOLServiceHost.exe
C:\Program Files\HJT\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O15 - Trusted Zone: www.ct-mls.com
O15 - Trusted Zone: *.rexplorer.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://dar.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {B151B524-F451-4036-9663-B3944FA710DF} (ExecuteAgent2p Class) - http://www.ct-mls.com/dss/ENUclientPro.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe |
actions · 2006-Jan-5 7:21 pm · (locked) |
jaa
1 edit |
jaa
Premium Member
2006-Jan-5 7:25 pm
Popup1 | 
Popup2 |
Here are images of two of the popups I got. When a popup is coming, I get a message in the IE status bar "opening about:blank" and then I get the popup. Edit: I also ran IE Fix and SFC. |
actions · 2006-Jan-5 7:25 pm · (locked) |
 lilhurricaneCrunchin' For Cures
Numquam oblita
join:2003-01-11
Purple Zone
1 edit |
Hey there jaa  Need you to do a couple more things...make sure you have really looked thru here: » Security Cleanup FAQ » Mandatory Steps Before Requesting AssistanceYou do need to run some online AV scans...they are listed in the link above as well. Get to it & post back when you're done  |
actions · 2006-Jan-5 7:51 pm · (locked) |
| lilhurricane |
to jaa
Oooooo...and please follow the Coolwebsearch tools too |
actions · 2006-Jan-5 7:53 pm · (locked) |
jaa
Premium Member
join:2000-06-13 |
jaa
Premium Member
2006-Jan-5 8:47 pm
I ran the online scanners before, and did the CWS again. Nothing. I'm running another NAV2005 scan, when that is done I'll do the online scanners again. |
actions · 2006-Jan-5 8:47 pm · (locked) |
|
| jaa |
jaa
Premium Member
2006-Jan-5 10:25 pm
NAV2005 found nothing, Panda found a few cookies and some HP programs, CWShredder found nothing, and Trend Micro scanner crashes IE now. |
actions · 2006-Jan-5 10:25 pm · (locked) |
| jaa |
jaa
Premium Member
2006-Jan-5 10:45 pm
New HJT Log.
Logfile of HijackThis v1.99.1
Scan saved at 10:42:14 PM, on 1/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Common Files\AOL\1120013954\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1120013954\ee\AOLServiceHost.exe
c:\program files\common files\aol\1120013954\ee\services\antiSpywareApp\ver2_0_0\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1120013954\ee\AOLServiceHost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ewido anti-malware\securitysuite.exe
C:\Program Files\HJT\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe |
actions · 2006-Jan-5 10:45 pm · (locked) |
 TheJoker
MVM
join:2001-04-26
Charlottesville, VA
2 recommendations |
to jaa
Have you downloaded and scanned with Ewido? If you have, please post the log along with the log of the on-line scanner you use. It may help give an idea what you have, since I see nothing in your HijackThis log at this point. I would add two additional logs also. Please download SilentRunners from here: http://www.silentrunners.org/Silent%20Runners.zipUnzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, a message will pop up and a logfile will have been created on the desktop. Please post the entire contents of this logfile for me to see. Please download RootKitRevealer from here: http://www.sysinternals.com/files/rootkitrevealer.zipUnzip it to the desktop, run it, and click Scan. This will generate a log file; please post the entire contents of the log file here for me to see. |
actions · 2006-Jan-5 10:52 pm · (locked) |
jaa
Premium Member
join:2000-06-13
1 edit |
jaa
Premium Member
2006-Jan-5 11:43 pm
Here are the first two log files. Rootkit is still running. |
actions · 2006-Jan-5 11:43 pm · (locked) |
 heels_fan1.20.09 The start of Socialism
Premium Member
join:2003-02-07
Columbia, TN |
to jaa
When do you get thses pop-ups?
While seurfing or just at random times?
Do you get them even if IE (or whatever browser you use) is not even up and running?
These looks like the everyday common pop-up that come from websites. Nothing that comes from being infected with spyware/trojans/viruses. |
actions · 2006-Jan-6 12:07 am · (locked) |
jaa
Premium Member
join:2000-06-13 |
jaa
Premium Member
2006-Jan-6 7:10 am
Only when IE is up. But even if my start page is google, and all I do is start IE, I start getting the popups.
This is a strange one - I've cleaned up many computers and this one has me stumped. I think it is time for a clean install... |
actions · 2006-Jan-6 7:10 am · (locked) |
TheJoker
MVM
join:2001-04-26
Charlottesville, VA |
to jaa
We'll find it. Do you have the log from RootKitRevealer ? just go ahead and post it as text, there's no need to do it as an attachment (it's simpler to read that way). |
actions · 2006-Jan-6 7:51 am · (locked) |
jaa
Premium Member
join:2000-06-13 |
jaa
Premium Member
2006-Jan-7 8:58 am
Thanks for your help. Rookkitrevealer did find a bunch of stuff. About 5 things in the registry that seemed innocuous, and the ewido definitions.
I decided to just format the hard drive - besides the popups, I would get a blue screen every couple of days. It had been a couple of years, so it was due anyway. I probably should have just done that from the beginning instead of spending two days on it - it only took a couple of hours. |
actions · 2006-Jan-7 8:58 am · (locked) |
TheJoker
MVM
join:2001-04-26
Charlottesville, VA
1 recommendation |
to jaa
Ok. There are several free utilities you can use to help keep malware off your system: A HOSTS file will prevent Internet Explorer from communicating with sites associated with adware or spyware. A good regularly updated HOST file is MVPS HOSTS File, available at » www.mvps.org/winhelp2002 ··· osts.htm. IE/SPYAD adds sites associated with ads and spyware to your Internet Restricted Zone and you can download that at » netfiles.uiuc.edu/ehowes ··· #IESPYAD. A free non-resident utility to prevent the installation of ActiveX-based malware is JavaCool's SpywareBlaster. For real-time protection, there is SpywareGuard. Both are available at » www.javacoolsoftware.com ··· cts.html. I recommend reading Tony Klein's article How did I get Infected? at » www.computercops.biz/pos ··· 36-.html |
actions · 2006-Jan-7 12:36 pm · (locked) |
jaa
Premium Member
join:2000-06-13 |
jaa
Premium Member
2006-Jan-7 3:45 pm
Thanks again for all the help. One more question.
Is every XP computer worth cleaning? At a certain point, isn't is just easier to wipe it and reinstall?
My problem is figuring out which way to go. I almost always spend time cleaning, and ultimately do a reinstall anyway - either because of some type of stubborn malware, or more often an application or something else just does not work properly.
I know that is a pretty open-ended question, but something to consider - maybe a faq with some general considerations on "should I clean or should I reinstall?" |
actions · 2006-Jan-7 3:45 pm · (locked) |
lilhurricaneCrunchin' For Cures
Numquam oblita
join:2003-01-11
Purple Zone
2 recommendations |
said by jaa:....maybe a faq with some general considerations on "should I clean or should I reinstall?" We have something along those lines here at BBR » Security » When should I re-format? How should I reinstall? |
actions · 2006-Jan-7 4:19 pm · (locked) |
jaa
Premium Member
join:2000-06-13 |
jaa
Premium Member
2006-Jan-7 10:27 pm
Excellent faq!! I should have know someone already wrote it. Thanks. |
actions · 2006-Jan-7 10:27 pm · (locked) |
