Pop-ups! HJT inside. =]

Logfile of HijackThis v1.99.1
Scan saved at 3:42:17 AM, on 8/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\techtools\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmr...1&bm=ho_search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzbb.dll (file missing)
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\veheiewb.dll",forkonce
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JavaSoft\JRE\1.3.1_04\bin\npjava131_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JavaSoft\JRE\1.3.1_04\bin\npjava131_04.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)

One of the things I notice is, now, whenever I reboot I get an error on the file:

"O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\veheiewb.dll",forkonce"

It actually says the module is missing. I'm leaning towards something having to do with that, but not too sure.

Pop-ups include "You have virii!" to "powered by Zedo!" advertisements. System Restores are locked down, and error out, all of them (yes, I've tried all of them). Done two scans with Spybot, and AVG, although it's a free AVG. Any help as soon as possible would be great.

P.S.: I know my computer blows, but I've never noticed I'm missing THAT many files to programs. I'm awfully tempted to just reinstall Windows. X.x

Re: Pop-ups! HJT inside. =]

Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzbb.dll (file missing)
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)

Go Start, Run, type cmd - press Enter, paste into the window at the prompt the following line, press Enter and close the window:

sc delete maya70docserver

Okay, now for the real pest....

==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe - to run it double-click combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply with a fresh hijackthis scan.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

And either:
==blacklight beta from http://www.f-secure.com/blacklight/ - download is at foot of page. Install it, start, accept the agreement and Scan. [this is quicker...]
or...
==Kaspersky Online Scan, from http://www.kaspersky.com/virusscanner - press the Kaspersky Online Scanner button, follow through.... [this is slower..]

Post the kaspersky scan result, plus C:\Combofix.txt and a fresh hijackthis scan.

Re: Pop-ups! HJT inside. =]

2 Attachment(s)

I've done the combofix and the new HJT scan, and currently am using BlackLight, but that seems to be taking a drastically long time, but I can't blame it, I have way too much crap on this computer. I've attached the ComboFix and HJT scans, simply to save some confusion and a mess of text. =]

Seems that ComboFix nuked a bunch of suspicious files in my SYSTEM32 folder, and so far, no pop ups, but doing the BlackLight scan as said. ^^

Greatly appreciate the help Gerbil, you're the man. =] But one question, what was the first part for? Just cleaning up unnecessary things?

Also, I've read in another thread, there should only be one svchost.exe running? HJT says there are 3, but in the actual Task Manager, it says I have 6. =/ I searched through my computer and deleted every one besides the one in I836, and in System32. The deleted are sitting in my recycle bin, safe to shred it?

Re: Pop-ups! HJT inside. =]

1 Attachment(s)

BlackLight scan is added. Found nothing. ^^

Re: Pop-ups! HJT inside. =]

svchost.exe handles processes called from DLLs by services you are running - the number of svchost's showing in TM at any particular time varies according to the services you have running. The actual file - yes, there should only be a copy in system32 and one in I386 [sometimes in the latter the files are compressed inside cab files].

Yep, the first part was just cleaning out idle reg keys. Fix this one also:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Delete Combofix and C:\Qoobox, C:\combofix.txt.

Because it found a vundo infection you could try a quick scan with Vundofix; change the name of hijackthis.exe to imabunny.exe:

==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it.
Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES.
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

!! Check the Vundofix log for any found files that were not deleted - if present rerun Vundofix !!

Post the contents of C:\vundofix.txt plus a new HijackThis log if VundoFix finds anything, otherwise you are clean to go.

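As an added example (not the thread's own tooling, nor part of HijackThis), here is a small Python triage script for the HJT log format shown in the first post and for the svchost.exe question answered above: it lists svchost.exe copies running from outside system32, O4 Run entries that start a DLL through rundll32 (the veheiewb.dll,forkonce pattern that turned out to be Vundo), and entries marked (file missing) or (no file), which are the idle keys the helper had fixed. The sample log is constructed from entries quoted in the thread plus one made-up svchost.exe path outside system32.

```python
import ntpath
import re

# Constructed sample in HijackThis log format: entries quoted in the thread,
# plus one made-up svchost.exe path (C:\temp) to exercise the location check.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\temp\svchost.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzbb.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\veheiewb.dll",forkonce
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe (file missing)
"""

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")                       # "O4 - ..." style lines
RUNDLL_RE = re.compile(r'^O4 - [^:]+: \[([^\]]+)\] rundll32(?:\.exe)?\s+"?([^",]+)"?,(\w+)', re.I)
DANGLING_RE = re.compile(r"\((?:file missing|no file)\)\s*$", re.I)

def running_processes(log):
    """Return the paths listed under 'Running processes:' (stops at the first R/O entry)."""
    paths, collecting = [], False
    for line in log.splitlines():
        line = line.strip()
        if line.lower().startswith("running processes:"):
            collecting = True
            continue
        if collecting:
            if not line or ENTRY_RE.match(line):
                break
            paths.append(line)
    return paths

def svchost_outside_system32(log):
    """svchost.exe copies not running from the Windows system32 directory (the thread's question)."""
    return [p for p in running_processes(log)
            if ntpath.basename(p).lower() == "svchost.exe"
            and not ntpath.dirname(p).lower().endswith(r"\windows\system32")]

def rundll32_loaders(log):
    """O4 Run entries that load a DLL via rundll32: (value name, DLL path, export name)."""
    return [m.groups() for m in map(RUNDLL_RE.match, log.splitlines()) if m]

def dangling_entries(log):
    """Entries whose target file no longer exists: (section code, entry text)."""
    return [(m.group(1), m.group(2)) for m in map(ENTRY_RE.match, log.splitlines())
            if m and DANGLING_RE.search(m.group(2))]
```

A rundll32 loader hit is only a lead, not proof: the export name and an unfamiliar DLL in system32 are what made the SystemOptimizer entry worth a closer look, and the missing-module error at boot was consistent with ComboFix having removed it.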
Re: Pop-ups! HJT inside. =]

Actually did a VundoFix before, found nothing. ^^ The popups have stopped, I think I'm in the clear. :]

Re: Pop-ups! HJT inside. =]

Great stuff, hit the solved button when you think it is.. Cheers.

Re: Pop-ups! HJT inside. =]

Actually, I would like to see that vundofix log [C:\vundofix.txt] if you still have it cos I noticed that combofix picked up several vundo files.. just for my information..

©2003 - 2009 DaniWeb® LLC