
I have some kind of virus that's really annoying; it's popping up random IE ads to ad.103092804.com (yes, I've done some research on this and I know it resolves to a domain etc. etc.).

I've run Spybot and AVG Free and any other reputable tools I could get to run, but most things just close themselves automatically if I try to run them (HijackThis and any system utility like msconfig or the Computer Management window).

So while I would love to give you a HijackThis log, I can't. Can anyone help?

(system restore is off, has always been off since my first boot into windows after initial installation).

2 contributors, 9 replies, 10 views; discussion span 9 years; last post by PhilliePhan.

So while I would love to give you a HijackThis log, I can't. Can anyone help?

-- What is your OS?
-- Can you get any of the cleaning tools to run in Safe Mode?
-- Have you tried renaming hijackthis.exe to your name.exe or something random and then trying to run it in Normal Windows Boot? (a HJT log in Safe Mode doesn't show much)
-- Have you tried DSS from the Read Me Sticky at the very top of the Forum?

If you can answer/try the above for me, I'll let you know if I can be of assistance.

Best Luck :)
PP


-- What is your OS? - Windows XP Pro Corporate SP2 on a Macbook Pro
-- Can you get any of the cleaning tools to run in Safe Mode? - No same problem
-- Have you tried renaming hijackthis.exe to your name.exe or something random and then trying to run it in Normal Windows Boot? (a HJT log in Safe Mode doesn't show much) - Yup still closes itself
-- Have you tried DSS from the Read Me Sticky at the very top of the Forum? - Yup, I always follow all instructions in stickies before I post, always, on every forum.

*edit*

lol tricked it into running DSS by running it in Win95 compatibility mode, here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:27:39 PM, on 8/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\AppleOSSMgr.exe
C:\WINDOWS\system32\AppleTimeSrv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\qgekltrrd\winlogon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Boot Camp\KbdMgr.exe
C:\Program Files\Boot Camp\KbdMgr.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Downloads\dss.exe
C:\DOWNLO~1\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://startzone.info/h
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F3 - REG:win.ini: load=C:\WINDOWS\system32\qgekltrrd\winlogon.exe
O1 - Hosts: 1.1.1.1 usa.kaspersky.com
O1 - Hosts: 1.1.1.1 www.bitdefender.com
O1 - Hosts: 1.1.1.1 download.bitdefender.com
O1 - Hosts: 1.1.1.1 www.paretologic.com
O1 - Hosts: 1.1.1.1 paretologic.com
O1 - Hosts: 1.1.1.1 services.google.com
O1 - Hosts: 1.1.1.1 www.webroot.com
O1 - Hosts: 1.1.1.1 webroot.com
O1 - Hosts: 1.1.1.1 bleepingcomputer.com
O1 - Hosts: 1.1.1.1 techguy.org
O1 - Hosts: 1.1.1.1 forums.techguy.org
O1 - Hosts: 1.1.1.1 yandao.com
O1 - Hosts: 1.1.1.1 www.yandao.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Apple_KbdMgr] C:\Program Files\Boot Camp\KbdMgr.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Default user')
O4 - Startup: winlogon.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apache2.2 - Unknown owner - C:\xampp\apache\bin\apache.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Apple OS Switch Manager (AppleOSSMgr) - Unknown owner - C:\WINDOWS\system32\AppleOSSMgr.exe
O23 - Service: Apple Time Service (AppleTimeSrv) - Apple Inc. - C:\WINDOWS\system32\AppleTimeSrv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: CopySafe Helper Service (CSHelper) - Unknown owner - C:\WINDOWS\system32\CSHelper.exe (file missing)
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - C:\xampp\filezillaftp\filezillaserver.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max 2008 32-bit 32-bit (mi-raysat_3dsMax2008_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
O23 - Service: MySql - Unknown owner - C:/xampp/mysql/bin/mysqld-nt.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: XAMPP Service (XAMPP) - Unknown owner - C:\xampp\service.exe (file missing)

There is another process that starts itself (I've killed it recently; it'll be back soon), called ILS8e05l.exe, that automatically runs iexplorer.exe and opens popups; if I end it, it closes ALL of the windows at once.

Hope this helps you figure out my problem!


I'm a bit pressed for time, but let's have a look......

This looks a lot like something from the Chode family of Trojans. If that is the case, then we'll need to address the changes it likely has made to the registry. But first, let's start with the following:

-- Did you just download this? Is it legit?
C:\DOWNLO~1\Administrator.exe

-- Please Download HostsXpert and Extract it from the ZIP to its own folder
-- Run HostsXpert and Select Restore MS Hosts File and then Click OK
-- Close HostsXpert.
You might want to keep this handy tool for use in the future.
If you have issues running this, no worries - we'll do it later.


There are a few other items as well.

Run HJT and FIX the following:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://startzone.info/h --> unless you set this. Looks scammy to me.
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F3 - REG:win.ini: load=C:\WINDOWS\system32\qgekltrrd\winlogon.exe

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

O4 - Startup: winlogon.lnk = ?

FIX those with HJT and then boot to Safe Mode and Delete this Folder ---> C:\WINDOWS\system32\qgekltrrd


Let me know how you fare with the above.

-- Then, see if you can get DSS to run fully in normal windows boot.

If DSS won't run, you could try this AT YOUR OWN RISK:
You could try running this early beta of a tool I've been writing off and on for a while. It should be safe - many of the components are not included.

Download PeekabooXP.zip and EXTRACT the PeekabooXP Folder to your C:\ Drive It needs to be there to run properly.
-- You'll need to disable your AV temporarily before you run PeekabooX. It might hang if you don't
-- Open the PeekabooXP folder on the C:\ drive and DoubleClick Run This.bat and follow the prompts.
-- A log ought to pop up in notepad - post that for me.

I'll try to check back as time permits. I'm a bit harried with work these days.

Cheers :)
PP
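The items PhilliePhan singles out above (hosts entries pointing AV vendors and help forums at 1.1.1.1, a win.ini load= autostart, a winlogon.exe sitting in a subfolder of system32, and orphaned "(no file)" entries) can be turned into triage rules run over a HijackThis log. This is an added example, not code from the thread or from HijackThis/DSS; the sample lines are copied from the log posted above, while the security-site list, the trusted start-page allowlist and the core-binary name list are assumptions to adapt to your environment.

```python
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: lines copied from the HijackThis log in this thread
# (two running-process lines and R0/F3/O1/O2/O4 entries), plus a benign
# loopback hosts entry and a benign Run entry for contrast.
SAMPLE_HJT_LOG = r"""
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\qgekltrrd\winlogon.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://startzone.info/h
F3 - REG:win.ini: load=C:\WINDOWS\system32\qgekltrrd\winlogon.exe
O1 - Hosts: 1.1.1.1 usa.kaspersky.com
O1 - Hosts: 1.1.1.1 www.bitdefender.com
O1 - Hosts: 1.1.1.1 bleepingcomputer.com
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - Startup: winlogon.lnk = ?
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
"""

# Assumption: sites a hosts-file hijack blocks so the victim cannot fetch tools
# or ask for help. All of these appear in the O1 lines of the thread's log.
SECURITY_SITES = ("kaspersky.com", "bitdefender.com", "paretologic.com",
                  "webroot.com", "bleepingcomputer.com", "techguy.org", "google.com")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
# Assumption: start pages your users are expected to have; anything else is reviewed.
TRUSTED_START_PAGES = ("about:blank", "http://www.msn.com", "http://go.microsoft.com")
# Core Windows binaries whose names malware borrows; the real ones live in system32.
SYSTEM_BINARIES = {"winlogon.exe", "svchost.exe", "lsass.exe", "services.exe",
                   "smss.exe", "csrss.exe", "explorer.exe"}
SYSTEM32 = r"c:\windows\system32"
WIN_PATH = re.compile(r"[a-zA-Z]:\\.*?\.exe", re.IGNORECASE)

Hit = Optional[Tuple[str, str]]  # (severity, rule name) or None


def hosts_rule(line: str) -> Hit:
    """O1: any hosts entry that is not a loopback mapping is a redirect."""
    m = re.match(r"O1 - Hosts: (\S+) (\S+)$", line)
    if not m or m.group(1) in LOOPBACK:
        return None
    host = m.group(2).lower()
    if any(host == s or host.endswith("." + s) for s in SECURITY_SITES):
        return ("high", "hosts-redirect-security-site")
    return ("medium", "hosts-redirect")


def winini_rule(line: str) -> Hit:
    """F3: win.ini load=/run= are legacy autostarts; a non-empty value is rarely legitimate."""
    m = re.match(r"F3 - REG:win\.ini: (load|run)=(.+)$", line)
    return ("high", "win.ini-%s-autostart" % m.group(1)) if m and m.group(2).strip() else None


def orphan_rule(line: str) -> Hit:
    """O4 Startup shortcuts with no resolvable target, and entries whose file is gone."""
    if line.startswith("O4 - Startup:") and line.endswith("= ?"):
        return ("medium", "startup-shortcut-unresolved")
    if line.startswith(("O2 - BHO:", "O3 - Toolbar:", "R3 - URLSearchHook:")) and line.endswith("(no file)"):
        return ("low", "orphaned-registry-entry")
    return None


def startpage_rule(line: str) -> Hit:
    """R0: a start page outside the allowlist was set by something."""
    m = re.match(r"R0 - .*Start Page = (\S+)$", line)
    if m and not m.group(1).lower().startswith(TRUSTED_START_PAGES):
        return ("medium", "start-page-changed")
    return None


def impostor_rule(line: str) -> Hit:
    r"""Any path on the line naming a core binary outside system32 (the qgekltrrd\winlogon.exe case)."""
    m = WIN_PATH.search(line)
    if not m:
        return None
    folder, name = ntpath.dirname(m.group(0)).lower(), ntpath.basename(m.group(0)).lower()
    if name in SYSTEM_BINARIES and folder != SYSTEM32:
        return ("high", "system-binary-name-outside-system32")
    return None


RULES = (hosts_rule, winini_rule, orphan_rule, startpage_rule, impostor_rule)


def triage_hjt(log_text: str) -> List[Dict[str, str]]:
    """Run every rule over every line; one line can raise several findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for rule in RULES:
            hit = rule(line)
            if hit:
                findings.append({"severity": hit[0], "rule": hit[1], "line": line})
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print("[%s] %s: %s" % (f["severity"].upper(), f["rule"], f["line"]))
```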


Wow, that was awesome, like magic, man. My windows stopped disappearing, I could finally clean up my startup and services, and I haven't seen a single IE window. Thank you for the very clear and easy to follow instructions. I learned a lot from this, and found some very valuable tools. Thank you so much.


Thank you so much.

You're welcome! Happy to help.

There are a few issues that remain to be dealt with (updating Java, etc..) plus I imagine a bit of malware cleanup as well. If you need further assistance, please post a full DSS log.

Cheers :)
PP


The popups came back xD Here's the full log from DSS:

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-08-14 23:10:05
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:10:12 PM, on 8/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\AppleOSSMgr.exe
C:\WINDOWS\system32\AppleTimeSrv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Boot Camp\KbdMgr.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ILS8e05l.exe <---this is the process that causes the popups
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Downloads\dss.exe
C:\DOWNLO~1\ADMINI~1.EXE <---- and I have no idea what this is

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Apple_KbdMgr] C:\Program Files\Boot Camp\KbdMgr.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Apple OS Switch Manager (AppleOSSMgr) - Unknown owner - C:\WINDOWS\system32\AppleOSSMgr.exe
O23 - Service: Apple Time Service (AppleTimeSrv) - Apple Inc. - C:\WINDOWS\system32\AppleTimeSrv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max 2008 32-bit 32-bit (mi-raysat_3dsMax2008_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4213 bytes

-- Files created between 2008-07-14 and 2008-08-14 -----------------------------

2008-08-14 22:07:05 0 d-------- C:\WINDOWS\CSC
2008-08-14 12:31:04 0 d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-08-14 10:22:21 2 ---hs---- C:\WINDOWS\system32\taskkill.com
2008-08-14 10:22:21 2 ---hs---- C:\WINDOWS\system32\netstat.com
2008-08-14 10:00:56 0 d-------- C:\Documents and Settings\NetworkService\Application Data\AVGTOOLBAR
2008-08-14 08:23:39 0 d--h----- C:\$AVG8.VAULT$
2008-08-14 08:12:40 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-14 08:12:40 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVGTOOLBAR
2008-08-14 08:12:37 0 d-------- C:\Program Files\AVG
2008-08-14 08:12:37 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-13 21:04:10 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-08-13 20:01:32 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Macromedia
2008-08-13 20:00:42 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Adobe
2008-08-13 20:00:20 0 dr------- C:\Documents and Settings\NetworkService\Favorites
2008-08-13 18:02:00 80898 --a------ C:\WINDOWS\system32\ILS8e05l.exe
2008-08-12 05:07:52 0 d-------- C:\Downloads
2008-08-06 15:48:03 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-07-30 03:14:05 0 d-------- C:\Documents and Settings\Administrator\Application Data\DivX


-- Find3M Report ---------------------------------------------------------------

2008-08-14 22:20:58 836 --a------ C:\WINDOWS\bthservsdp.dat
2008-07-12 21:53:42 0 d-------- C:\Program Files\TechSmith
2008-07-12 21:50:22 0 d-------- C:\Program Files\Reference Assemblies
2008-07-06 09:47:16 0 d-------- C:\Program Files\DivX
2008-05-30 11:22:22 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-30 11:18:56 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-05-30 11:18:56 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-05-30 11:18:50 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 11:18:48 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-05-30 11:18:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 11:18:48 815104 --a------ C:\WINDOWS\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 11:18:48 683520 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 11:18:00 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-24 20:11:22 16 --a------ C:\WINDOWS\popcinfot.dat
2008-05-24 20:09:08 0 --a------ C:\WINDOWS\popcreg.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
08/14/2008 08:12 AM 2055960 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [08/14/2008 08:12 AM 2055960]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/08/2007 08:58 PM]
"nwiz"="nwiz.exe" [10/08/2007 08:59 PM C:\WINDOWS\system32\nwiz.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [08/04/2004 12:00 PM C:\WINDOWS\system32\bthprops.cpl]
"Apple_KbdMgr"="C:\Program Files\Boot Camp\KbdMgr.exe" [10/08/2007 10:06 PM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [08/14/2008 08:12 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winlogon"="" []
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [10/18/2007 11:34 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winlogon]
C:\Program Files\Boot Camp\KbdMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"XAMPP"=2 (0x2)
"usnjsvc"=3 (0x3)
"ose"=3 (0x3)
"MySql"=2 (0x2)
"LexBceS"=2 (0x2)
"idsvc"=3 (0x3)
"FileZilla Server"=2 (0x2)
"CSHelper"=2 (0x2)
"Apache2.2"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ


-- End of Deckard's System Scanner: finished at 2008-08-14 23:10:31 ------------


C:\WINDOWS\system32\ILS8e05l.exe <---this is the process that causes the popups
C:\Downloads\dss.exe
C:\DOWNLO~1\ADMINI~1.EXE <---- and I have no idea what this is

My fault there - Administrator.exe is what DSS changed Hijackthis.exe to. I don't normally see it running from Downloads Folder, hence my confusion.... No worries.


The baddies that jump out at me are these:

2008-08-14 10:22:21 2 ---hs---- C:\WINDOWS\system32\taskkill.com
2008-08-14 10:22:21 2 ---hs---- C:\WINDOWS\system32\netstat.com
2008-08-13 18:02:00 80898 --a------ C:\WINDOWS\system32\ILS8e05l.exe
2008-05-24 20:11:22 16 --a------ C:\WINDOWS\popcinfot.dat
2008-05-24 20:09:08 0 --a------ C:\WINDOWS\popcreg.dat

It would probably be easiest and "cleanest" in terms of removal if you tried running MBA-M as per the Read Me linky. It ought to be able to clean this.
Please post that log.


If you are unable to run MBA-M, then please follow the steps in the linky below to run combofix and post that log for me:

How To Use ComboFix


Will try to check back Friday evening.
PP :)
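The first two "baddies" above rely on a specific trick: the command prompt resolves a bare command name through PATHEXT, in which .COM comes before .EXE, so a planted 2-byte taskkill.com in system32 runs instead of taskkill.exe whenever someone types taskkill (and the hidden+system attributes keep it out of a default directory listing). This added example, not code from the thread or from DSS, parses DSS "Files created" lines and flags such shadowing, hidden+system executables, stub-sized executables and unlisted system32 executables; the sample lines are copied from the DSS log above, while the system32 baseline and the size threshold are assumptions.

```python
import ntpath
import re
from typing import Dict, Iterable, List, Optional

# Default PATHEXT on Windows XP: the shell tries each extension in this order
# for a bare command name, so taskkill.com beats taskkill.exe.
PATHEXT = (".com", ".exe", ".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")
EXEC_EXTS = set(PATHEXT) | {".scr"}
SYSTEM32 = r"c:\windows\system32"
# Assumption: a baseline of executables expected in system32. Build the real
# one from a known-clean machine of the same Windows build.
SYSTEM32_EXES = frozenset({"taskkill.exe", "netstat.exe", "tasklist.exe", "regedit.exe",
                           "cmd.exe", "winlogon.exe", "svchost.exe", "rundll32.exe"})
MIN_REAL_SIZE = 512  # assumption: nothing this small is a working copy of a system tool

# Constructed sample: "Files created" lines copied from the DSS log in this thread.
SAMPLE_DSS = r"""
2008-08-14 10:22:21 2 ---hs---- C:\WINDOWS\system32\taskkill.com
2008-08-14 10:22:21 2 ---hs---- C:\WINDOWS\system32\netstat.com
2008-08-13 18:02:00 80898 --a------ C:\WINDOWS\system32\ILS8e05l.exe
2008-08-06 15:48:03 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-08-14 08:12:40 0 d-------- C:\WINDOWS\system32\drivers\Avg
"""
# date time size attrs path; the attrs field is d r a h s plus four more flags
DSS_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (\S{9}) (.+)$")


def parse_dss(text: str) -> List[Dict]:
    """Turn DSS file lines into dicts; lines that do not fit the format are skipped."""
    entries = []
    for line in text.strip().splitlines():
        m = DSS_LINE.match(line.strip())
        if not m:
            continue
        when, size, attrs, path = m.groups()
        entries.append({"when": when, "size": int(size), "path": path,
                        "is_dir": attrs[0] == "d", "hidden": attrs[3] == "h",
                        "system": attrs[4] == "s"})
    return entries


def resolve_command(name: str, present: Iterable[str], pathext=PATHEXT) -> Optional[str]:
    """File the command prompt would run for a bare name, given the files in one directory."""
    files = {f.lower() for f in present}
    for ext in pathext:
        if name.lower() + ext in files:
            return name.lower() + ext
    return None


def triage_dss(entries: List[Dict], baseline=SYSTEM32_EXES) -> List[Dict[str, str]]:
    """Apply the four checks to every non-directory executable entry."""
    findings = []
    for e in entries:
        if e["is_dir"]:
            continue
        folder = ntpath.dirname(e["path"]).lower()
        name = ntpath.basename(e["path"]).lower()
        stem, ext = ntpath.splitext(name)
        if ext not in EXEC_EXTS:
            continue
        hits = []
        if folder == SYSTEM32:
            # A file that PATHEXT resolves ahead of a baseline .exe shadows that tool.
            if ext != ".exe" and stem + ".exe" in baseline \
                    and resolve_command(stem, baseline | {name}) == name:
                hits.append(("high", "pathext-shadow"))
            elif ext == ".exe" and name not in baseline:
                hits.append(("low", "unlisted-executable-in-system32"))
        if e["hidden"] and e["system"]:
            hits.append(("medium", "hidden-system-executable"))
        if e["size"] < MIN_REAL_SIZE:
            hits.append(("medium", "stub-executable"))
        findings.extend({"severity": s, "rule": r, "path": e["path"]} for s, r in hits)
    return findings


if __name__ == "__main__":
    for f in triage_dss(parse_dss(SAMPLE_DSS)):
        print("[%s] %s: %s" % (f["severity"].upper(), f["rule"], f["path"]))
```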


MBA-M found nothing when I scanned with it.

Here is the log from combofix

ComboFix 08-08-14.05 - Administrator 2008-08-15 14:07:28.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1561 [GMT -6:00]
Running from: C:\Downloads\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\NetworkService\Application Data\macromedia\Flash Player\#SharedObjects\ZEBWPTQB\interclick.com
C:\Documents and Settings\NetworkService\Application Data\macromedia\Flash Player\#SharedObjects\ZEBWPTQB\interclick.com\ud.sol
C:\Documents and Settings\NetworkService\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\NetworkService\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\NetworkService\Cookies\system@azjmp[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@interclick[2].txt
C:\WINDOWS\system32\taskkill.com

.
((((((((((((((((((((((((( Files Created from 2008-07-15 to 2008-08-15 )))))))))))))))))))))))))))))))
.

2008-08-15 00:13 . 2008-08-15 00:13 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-15 00:13 . 2008-08-15 00:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-15 00:13 . 2008-08-15 00:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-08-15 00:13 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-15 00:13 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-14 20:26 . 2008-08-14 20:26 <DIR> d-------- C:\Deckard
2008-08-14 12:31 . 2008-08-14 12:31 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-08-14 10:00 . 2008-08-14 10:00 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\AVGTOOLBAR
2008-08-14 08:23 . 2008-08-14 08:23 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-14 08:12 . 2008-08-14 08:12 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-14 08:12 . 2008-08-14 08:12 <DIR> d-------- C:\Program Files\AVG
2008-08-14 08:12 . 2008-08-14 08:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-14 08:12 . 2008-08-14 08:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVGTOOLBAR
2008-08-14 08:12 . 2008-08-14 08:12 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-14 08:12 . 2008-08-14 08:12 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-08-13 18:02 . 2008-08-14 08:08 80,898 --a------ C:\WINDOWS\system32\ILS8e05l.exe
2008-08-12 05:07 . 2008-08-12 05:07 <DIR> d-------- C:\Downloads
2008-08-06 15:48 . 2008-08-06 15:48 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-07-30 03:14 . 2008-07-30 03:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-13 03:53 --------- d-----w C:\Program Files\TechSmith
2008-07-13 03:50 --------- d-----w C:\Program Files\Reference Assemblies
2008-07-06 15:47 --------- d-----w C:\Program Files\DivX
2008-07-02 20:59 359,040 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-18 18:31 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-05-30 17:22 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-05-30 17:22 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-05-30 17:22 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2008-05-30 17:22 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2008-05-30 17:22 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2008-05-30 17:19 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-05-30 17:19 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-04-25 22:28 0 ----a-w C:\Program Files\temp01
2008-02-24 22:11 0 ----a-w C:\Program Files\AstonWriteTest.txt
.

------- Sigcheck -------

2008-07-02 14:59 359040 21314f610bf3664fec05fc682e7cb354 C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-08 20:58 8433664]
"Apple_KbdMgr"="C:\Program Files\Boot Camp\KbdMgr.exe" [2007-10-08 22:06 419120]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-14 08:12 1232152]
"nwiz"="nwiz.exe" [2007-10-08 20:59 1626112 C:\WINDOWS\system32\nwiz.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 12:00 110592 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"msacm.divxa32"= divxa32.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-10-18 11:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winlogon]
--a------ 2007-10-08 22:06 419120 C:\Program Files\Boot Camp\KbdMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"XAMPP"=2 (0x2)
"usnjsvc"=3 (0x3)
"ose"=3 (0x3)
"MySql"=2 (0x2)
"LexBceS"=2 (0x2)
"idsvc"=3 (0x3)
"FileZilla Server"=2 (0x2)
"CSHelper"=2 (0x2)
"Apache2.2"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-14 08:12]
R2 AppleOSSMgr;Apple OS Switch Manager;C:\WINDOWS\system32\AppleOSSMgr.exe [2007-10-08 22:04]
R2 AppleTimeSrv;Apple Time Service;C:\WINDOWS\system32\AppleTimeSrv.exe [2007-10-08 22:05]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-14 08:12]
R2 KeyAgent;KeyAgent;C:\WINDOWS\system32\drivers\KeyAgent.sys [2007-10-08 20:56]
R2 MacHALDriver;Mac HAL;C:\WINDOWS\system32\drivers\MacHALDriver.sys [2007-10-08 20:56]
R3 aapltctp;Apple Trackpad Enabler;C:\WINDOWS\system32\DRIVERS\aapltctp.sys [2007-10-08 20:56]
R3 aapltp;Apple Trackpad;C:\WINDOWS\system32\DRIVERS\aapltp.sys [2007-10-08 20:56]
R3 applebt;Apple Built-in Bluetooth;C:\WINDOWS\system32\DRIVERS\applebt.sys [2007-10-08 20:56]
R3 IRRemoteFlt;IR Receiver Filter Driver;C:\WINDOWS\system32\DRIVERS\IRFilter.sys [2007-10-08 20:56]
R3 KeyMagic;USB Keyboard HID Filter;C:\WINDOWS\system32\DRIVERS\KeyMagic.sys [2007-10-08 20:56]
S3 BthKicker;Apple Bluetooth Device Driver;C:\WINDOWS\system32\DRIVERS\BthKicker.sys [2007-10-08 20:56]
S4 Apache2.2;Apache2.2;C:\xampp\apache\bin\apache.exe []
S4 CSHelper;CopySafe Helper Service;C:\WINDOWS\system32\CSHelper.exe []
S4 XAMPP;XAMPP Service;C:\xampp\service.exe []

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\dkm2804g.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://mail.google.com/mail/#inbox|http://zilvia.net/|http://maxforums.org/
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Yahoo!\Common\npyaxmpb.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-15 14:08:33
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\MySql]
"ImagePath"="C:/xampp/mysql/bin/mysqld-nt.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\MySql]
"ImagePath"="C:/xampp/mysql/bin/mysqld-nt.exe"
.
Completion time: 2008-08-15 14:08:51
ComboFix-quarantined-files.txt 2008-08-15 20:08:50

Pre-Run: 17,528,209,408 bytes free
Post-Run: 17,760,059,392 bytes free

153


MBA-M found nothing when I scanned with it.

That's odd - I fully expected MBA-M to remove those.

Well, Combofix got some of it on the first pass. Let's have a go at the little that remains:


-- Please delete your copy of ComboFix and download a fresh one to your Desktop
-- Download the attached file CFScript.txt to your Desktop as well.
-- Close ALL browser windows and then drag CFScript.txt into/over ComboFix.exe to start ComboFix.
-- Let Combofix run as before and post me that log

-- Go and Update your Java here ---> http://www.java.com/en
--> Please note that, before updating your Sun Java, you MUST remove ALL older versions that may be on your machine or you will still be vulnerable to some exploits/weaknesses such as VUNDO which may target and force execution on older runtime environments.
-- Do this by going into Add or Remove Programs and removing any versions that differ from the current version listed at the Java site. They may look similar to the following:
Java 2 Runtime Environment SE v1.4.2.06
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 9
Java(TM) SE Runtime Environment 6 Update 1
Java(TM) 6 Update 2


Please post me the new ComboFix log and let me know if you are still having problems.

PP :)
