Author Topic: Pop-up Madness - viruses & spyware  (Read 9656 times)


DaddyDave

  • Guest
Pop-up Madness - viruses & spyware
« on: October 29, 2005, 10:01:50 PM »
Hi all,

My PC's got a bug...

Popups... every 3-4 minutes
(examples: adv.eblocs., free-savings.com, cool-discount.com, searc-h.com, deal-foryou.com, ad-w-a-r-e.com, coupon-online.com, shop-savings.com, upspiral.com, yyy##.html, http://64.192.130.141/cgi-bin/7upV2?query=ron)

Random dlls (names like ir02l5do1.dll and fp4q03h5e.dll) keep appearing in my system32 folder.

Memory (512 Mb) sometimes drops below 85 Mb.

I have tried steps found in multiple forums....  When spyware programs say OK...  Reboot and it's back...

I have tried multiple spyware programs.... (ad-aware, spysweeper, ewido, spyware doctor, online sweepers, and more...)

Keeps coming back...

The consensus is it's look2me and findthewebsiteyouneed (although others have been caught).

I would appreciate any help.... Thanks in advance....  Dave


Current hijackthis and avast logs follow:

============================================================================================

Logfile of HijackThis v1.99.1
Scan saved at 3:54:42 PM, on 29/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AvastAntivirus\aswUpdSv.exe
C:\Program Files\AvastAntivirus\ashServ.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Program Files\ewido\ewidoctrl.exe
C:\Program Files\ewido\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\AvastAntivirus\ashMaiSv.exe
C:\Program Files\AvastAntivirus\ashWebSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVASTA~1\ashDisp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\TotalCmd\TOTALCMD.EXE
D:\Temp1\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.canoe.ca/CanoeClassic/home.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\AVASTA~1\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [jv16PT - Privacy Protector] C:\Program Files\jv16 PowerTools 2005\jv16PT.exe -ExecTask "C:\Program Files\jv16 PowerTools 2005\Tasks\_PrivacyProtector\Task.jvb"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Copy of Sympatico.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120651790093
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{25AD464C-7511-4F41-9523-27E265C51CE6}: NameServer = 206.47.244.78 206.47.244.137
O17 - HKLM\System\CS2\Services\Tcpip\..\{25AD464C-7511-4F41-9523-27E265C51CE6}: NameServer = 206.47.244.78 206.47.244.137
O20 - Winlogon Notify: RunEx - C:\WINDOWS\system32\j06mlaj11do.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\AvastAntivirus\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\AvastAntivirus\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\AvastAntivirus\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\AvastAntivirus\ashWebSv.exe" /service (file missing)
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

==========================================

JS:Istbar [Trj]
Win32:Adan-024 [Adw]
Win32:Adware-gen. [Adw]
Win32:Beagle-BG3 [Wrm]
Win32:Beagle-CN2 [Wrm]
Win32:CTX
Win32:Dadobra-BG [Trj]
Win32:IstBar-AJ [Trj]
Win32:Trojan-gen. {Delphi}
Win32:Trojan-gen. {Other}
Win32:Trojan-gen. {UPX!}
Win32:Trojan-gen. {VC}
Win32:Trojano-2663 [Trj]
Win32:Trojano-2664 [Trj]
Win32:Trojano-305 [Trj]
Win32:Vibpack [Wrm]

Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67195
Re: Pop-up Madness - viruses & spyware
« Reply #1 on: October 29, 2005, 10:07:28 PM »
Quote
Keeps coming back...

Can you schedule a boot-time scan?
Start avast! > Right click the skin > Schedule a boot-time scanning
Select for scanning archives.
Boot.

Another option is scanning in Safe Mode (repeatedly press F8 while booting): http://support.microsoft.com/default.aspx?scid=kb;en-us;315222

Another good thing is to disable System Restore, boot, and enable it again. If you find a virus keeps coming back after you delete it, it has most probably infected the System Restore folder; the best way to solve this is to disable System Restore, reboot your machine and then enable it again. After all that, run a full avast! scan. Enable/Disable System Restore on Windows XP: http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405
The best things in life are free.

DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 88895
  • No support PMs thanks
Re: Pop-up Madness - viruses & spyware
« Reply #2 on: October 29, 2005, 10:17:24 PM »
For an on-line analysis - HiJackThis Log file - On-line Analysis
Ignore any O23 reference to avast processes; this is a hiccup in HJT 1.99.1 (especially the missing file entry for avast). If you need any help with any of the analysis, let us know.
OR HiJackThis Log file - On-line Analysis 2

To me this is suspect, no data behind the id.
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} -
As is
O20 - Winlogon Notify: RunEx - C:\WINDOWS\system32\j06mlaj11do.dll
But check out the on-line analysis and double check with google.

What surprises me most is that, with the amount of anti-everything you have, anything has managed to get on to your system. I suggest you check out the DropMyRights link in my signature. This will stop malware inheriting administrator privileges and wreaking havoc, being able to dump files in the system folders and create registry entries, etc. This will limit the harm malware can do.

Edit: this may explain it if correct.
Quote
No active firewall was found on your system or the firewall you use is unknown to us. If you don't use a firewall you should download and install one or activate Windows XP's own one. In case you got questions or you want us to add the firewall you use to our database, contact us at our forum www.hijackthis.de/forum

For an on-line analysis of your log visit this link - http://hijackthis.de/logfiles/91ddea2f4c6f38d8700b2ade5323772b.html
« Last Edit: October 29, 2005, 10:23:45 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
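To make the two signs DavidR calls out concrete, here is an added triage script (my own, not from the thread or from HijackThis) that flags O16 DPF entries with nothing behind the CLSID, O20 Winlogon Notify entries loading random-named DLLs from system32, and O6 policy restrictions. The sample lines are copied from the log above plus one constructed benign O20 line; the random-name heuristic is an assumption, not a HijackThis rule.

```python
import re

# Constructed sample: HijackThis v1.99.1 lines of the kind quoted in the thread,
# plus one benign O20 entry (crypt32chain) to show the heuristic ignores it.
SAMPLE_LINES = [
    r"O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} -",
    r"O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - "
    r"http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120651790093",
    r"O20 - Winlogon Notify: RunEx - C:\WINDOWS\system32\j06mlaj11do.dll",
    r"O20 - Winlogon Notify: crypt32chain - crypt32.dll",
    r"O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present",
]

# Assumed heuristic: a DLL name that is a jumble of letters AND digits, 8-14 chars,
# like the Look2Me-style names seen in the thread (j06mlaj11do.dll, ir02l5do1.dll).
RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{8,14}\.dll$", re.I)


def triage(lines):
    """Return (reason, line) pairs for HJT entries that deserve a closer look."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        tag, _, rest = line.partition(" - ")
        if tag == "O16":
            # A DPF entry with nothing after the trailing dash: no class name, no download URL.
            if rest.rstrip().endswith(" -"):
                findings.append(("O16 DPF entry with no data behind the CLSID", line))
        elif tag == "O20" and rest.startswith("Winlogon Notify:"):
            # Winlogon Notify DLLs load at logon before most security tools start.
            dll = rest.rsplit(" - ", 1)[-1]
            name = dll.replace("/", "\\").rsplit("\\", 1)[-1]
            if RANDOM_NAME.match(name) and "system32" in dll.lower():
                findings.append(("O20 Winlogon Notify loading random-named DLL from system32", line))
        elif tag == "O6":
            # IE restriction policies on a home PC are usually set by adware, not an admin.
            findings.append(("O6 IE policy restriction present; verify an administrator set it", line))
    return findings


if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_LINES):
        print(f"{reason}\n    {entry}")
```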

polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33891
  • malware fighter
Re: Pop-up Madness - viruses & spyware
« Reply #3 on: October 29, 2005, 10:46:04 PM »
Hi DaddyDave,

This is something for BHO Demon, download it from here:
http://www.definitivesolutions.com/bhodemon.htm
Read the info and run the tool, see what it finds, and ask here what eventually must be taken off or not. Then take an informed decision.
For more info on what you find: http://www.sysinfo.org/

polonus
« Last Edit: October 29, 2005, 10:49:02 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Pop-up Madness - viruses & spyware
« Reply #4 on: October 30, 2005, 09:32:55 AM »
Hi DaddyDave,

You need to run HijackThis! again, tick the entries that DavidR mentioned, click fix and reboot into safe mode (Tap F8 repeatedly while booting) and delete the .dll file if you can find it.

The O20 entry is often the result of a Look2Me infection, so it might be worth running a removal tool:

http://www.pchell.com/support/look2me.shtml

or:

http://securityresponse.symantec.com/avcenter/venc/data/spyware.look2me.html

Then check to see if the O20 has gone. If it hasn't, tell us and we can try something else.

If it has, update all your security programs and run them again.

Good luck!
« Last Edit: October 30, 2005, 09:37:19 AM by FreewheelinFrank »
Bambleweeny 57 sub-meson brain / Don't Surf in the Nude Blog

raman

  • Avast Evangelist
  • Advanced Poster
  • Posts: 1062
Re: Pop-up Madness - viruses & spyware
« Reply #5 on: October 30, 2005, 09:52:00 AM »
If that does not work, you can try Spy Sweeper. It is very good at cleaning newer l2m variants. The trial version is able to clean: http://www.webroot.com/consumer/downloads/
MfG Ralf

Spiritsongs

  • Guest
Re: Pop-up Madness - viruses & spyware
« Reply #6 on: October 30, 2005, 05:54:11 PM »
:) DaddyDave's HJT log indicates he already has SpySweeper; since he has used Ad-Aware, I wondered why he did NOT ask their experts for help at www.landzdown.com !?

raman

  • Avast Evangelist
  • Advanced Poster
  • Posts: 1062
Re: Pop-up Madness - viruses & spyware
« Reply #7 on: October 30, 2005, 06:28:37 PM »
Hm, yes, but it seems like he uses an older version of Spy Sweeper!? Version 4.5 deletes newer Look2Me variants without any problems.
MfG Ralf

DaddyDave

  • Guest
Re: Pop-up Madness - viruses & spyware
« Reply #8 on: October 31, 2005, 01:24:21 AM »
Hello all,

I seem to be clean!!!  5 hours and no pop-ups!!!  It took some doing....  HijackThis would not get rid of the j06mlaj11do.dll at first, but a combo of HJT, ewidos, SpySweeper and the PCHell utility (thanks FreewheelinFrank) got rid of everything....  Ended up with 46 infected .dlls...  all gone now.

Thanks to all of you who helped.

(BTW...  I posted to multiple forums for help over the last week, you guys were the only ones to respond.....  Thanks again)

Dave....

Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67195
Re: Pop-up Madness - viruses & spyware
« Reply #9 on: October 31, 2005, 01:39:56 AM »
Quote
I seem to be clean!!!

Don't forget to run an avast boot-time scan  8)

Quote
(BTW...  I posted to multiple forums for help over the last week, you guys were the only ones to respond.....  Thanks again)

Dave, get used to the help level of the avast! forum  8)
The best things in life are free.