IE Hijacked

I’ve got a couple of things happening. I’m getting a system error balloon in the bottom corner, then IE opens with fake error-message windows. After I close those out and use Google and click on a search item, it redirects to non-related crap. It first shows an IP address, then search-daily.com, then an advertisement.

Norton comes up with a “downloader.misleadAAP” virus. I delete the thing and do a full scan and it doesn’t show, but it keeps returning. Also ran Spy Sweeper, and nothing. I’ve checked running processes, startup items, services, and I can’t find anything.

Any help would be appreciated.

Thanks

Can you post a screenshot of the balloon message?

You can test RogueRemover (http://www.malwarebytes.org/rogueremover.php).

Also, I suggest:

  1. Disable System Restore and re-enable it after step 3.
  2. Clean your temporary files.
  3. Schedule a boot-time scan with avast with archive scanning turned on.
  4. Use SUPERantispyware and/or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  5. Test your machine with anti-rootkit applications. I suggest AVG or Trend Micro RootkitBuster.
  6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
  7. Immunize your system with SpywareBlaster or Windows Advanced Care.
  8. Check if you have insecure applications with Secunia Software Inspector.

Sounds like a Wareout infection; if you could post a HijackThis log to confirm, I will clear it for you.

Download & Run HijackThis.exe

  1. Download HJTInstall.exe to your Desktop.
  2. Double-click HJTInstall.exe to install it.
  3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  4. Click on Install.
  5. It will create a HijackThis icon on the desktop.
  6. Once installed, it will launch HijackThis.
  7. Click on the “Do a system scan and save a logfile” button. It will scan and the log should open in Notepad.
  8. Copy/paste the log into your next reply, please.

Don’t use the Analyse This button; its findings are dangerous if misinterpreted.
Don’t have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

Logfile of HijackThis v1.99.1
Scan saved at 6:42:57 PM, on 1/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Eddie\My Documents\BF2\BF2CC.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\mspaint.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://thebadforums.com/forums/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {417C89E8-E017-48E6-BA5A-711F2BEFB886} - C:\WINDOWS\system32\ativcox.dll
O2 - BHO: (no name) - {5826E541-6182-4CAC-8D26-3122A92098B4} - C:\WINDOWS\system32\ativcox.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {E588CF08-BDAA-4A3F-A0CF-AA3FFD265FD9} - C:\WINDOWS\system32\ativcox.dll
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [amd_dc_opt] “C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe”
O4 - HKLM..\Run: [StartCCC] “C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe”
O4 - HKLM..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM..\Run: [SpySweeper] “C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe” /startintray
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [StartCCC] “C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe”
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167354198234
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167377943125
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: GoogleDesktopManager - Unknown owner - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Here are some screenshots as well:

http://i211.photobucket.com/albums/bb270/El_Cubano_Loco/Error.jpg

http://i211.photobucket.com/albums/bb270/El_Cubano_Loco/Error2.jpg

Do not click or install anything from that message!
Also I’ll search the board for wareout to see what I get…

I did not… It opened a bunch of windows saying I needed to scan… I “X”-ed out of the windows.

Maybe F-Secure helps: http://support.f-secure.com/enu/home/ols.shtml
Maybe FixWareout: http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Ran the fix, but the redirection in IE is still occurring… The balloon didn’t pop up, though.

Username “Eddie” - 01/16/2008 19:08:23 [Fixwareout edited 9/01/2007]


Successfully flushed the DNS Resolver Cache.


System was rebooted successfully. 
 
~~~~~ Postrun check 
....
....
~~~~~ Misc files. 
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"amd_dc_opt"="\"C:\\Program Files\\AMD\\Dual-Core Optimizer\\amd_dc_opt.exe\""
"StartCCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\Core-Static\\CLIStart.exe\""
"vptray"="C:\\PROGRA~1\\NavNT\\vptray.exe"
"SpySweeper"="C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe /startintray"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"StartCCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\Core-Static\\CLIStart.exe\""
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

And now… are you clean just running FixWareout?

Ran the fix, but the redirection in IE is still occurring… The balloon didn’t pop up, though.

http://i211.photobucket.com/albums/bb270/El_Cubano_Loco/Error-1.jpg

Did you follow my directions in reply #1?

RogueRemover - nothing
SUPERantispyware - nothing
Spyware Terminator - nothing
Trend Micro RootkitBuster - nothing
HijackThis log - already posted

I didn’t bother with the other two.

I still can’t get rid of this crap. I’ve posted my HijackThis log and tried everything that has been posted. I guess I’ve got to reload.

http://i211.photobucket.com/albums/bb270/El_Cubano_Loco/Error-2.jpg

Sorry, I need a cleanup expert to follow this… I can’t help further.

One snag you may get caught on is that it may embed .dll files into your Windows login files, and the listed antispyware may not fix the problem. Manually deleting these files may be the only way to fix it, as most anti-spyware programs do not run before login.

http://en.wikipedia.org/wiki/WinFixer#Removal

In this case, it looks like it’s ativcox.dll.

O2 - BHO: (no name) - {417C89E8-E017-48E6-BA5A-711F2BEFB886} - C:\WINDOWS\system32\ativcox.dll
O2 - BHO: (no name) - {5826E541-6182-4CAC-8D26-3122A92098B4} - C:\WINDOWS\system32\ativcox.dll
O2 - BHO: (no name) - {E588CF08-BDAA-4A3F-A0CF-AA3FFD265FD9} - C:\WINDOWS\system32\ativcox.dll

Can you delete it in Safe Mode with Command Prompt?
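The pattern that gives ativcox.dll away in the log above is visible without any tooling: three BHO registrations with no name, all pointing at one DLL that sits in the Windows system directory rather than under Program Files, next to a service whose binary is missing. The script below, which I am adding here as an illustration and which is not part of this thread or of HijackThis itself, parses O2 and O23 lines in HijackThis format and reports exactly those indicators. The sample log is a constructed excerpt in the same format; the "expected BHO directory" list is an assumption made for the example.

```python
import re
from collections import defaultdict

# Constructed excerpt, in the format of the HijackThis log posted earlier in
# this thread: two product-installed BHOs, three unnamed registrations of one
# DLL in system32, and a service whose executable is gone.
SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {417C89E8-E017-48E6-BA5A-711F2BEFB886} - C:\\WINDOWS\\system32\\ativcox.dll
O2 - BHO: (no name) - {5826E541-6182-4CAC-8D26-3122A92098B4} - C:\\WINDOWS\\system32\\ativcox.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_03\\bin\\ssv.dll
O2 - BHO: (no name) - {E588CF08-BDAA-4A3F-A0CF-AA3FFD265FD9} - C:\\WINDOWS\\system32\\ativcox.dll
O23 - Service: GoogleDesktopManager - Unknown owner - C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe (file missing)
"""

# "O2 - BHO: <name> - {CLSID} - <dll path>"
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - "
    r"(?P<path>.+)$"
)
# "O23 - Service: <name> - <owner> - <path> (file missing)"
MISSING_SVC_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?) \(file missing\)$"
)

# Assumption for this example: legitimate BHOs are installed under Program
# Files; a BHO loaded from anywhere else (e.g. the Windows directory) is
# worth a closer look.
EXPECTED_BHO_DIRS = ("c:\\program files\\",)


def parse_bhos(log_text):
    """Return a list of {'name', 'clsid', 'path'} dicts, one per O2 line."""
    entries = []
    for line in log_text.splitlines():
        m = BHO_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def flag_suspicious_bhos(entries):
    """Group registrations by DLL and return {dll_path: [reasons]} for DLLs
    showing the pattern seen in this thread: nameless registrations, one DLL
    behind several CLSIDs, or a load path outside the expected directories."""
    by_dll = defaultdict(list)
    for e in entries:
        by_dll[e["path"].lower()].append(e)

    findings = {}
    for dll, regs in by_dll.items():
        reasons = []
        unnamed = [r for r in regs if r["name"].strip().lower() == "(no name)"]
        if unnamed:
            reasons.append(f"{len(unnamed)} unnamed BHO registration(s)")
        if len(regs) > 1:
            reasons.append(f"one DLL registered under {len(regs)} different CLSIDs")
        if not dll.startswith(EXPECTED_BHO_DIRS):
            reasons.append("loaded from outside Program Files")
        if reasons:
            findings[dll] = reasons
    return findings


def missing_service_binaries(log_text):
    """Names of O23 services whose executable HijackThis reports as
    '(file missing)': dead entries worth cleaning up, not proof of malware."""
    names = []
    for line in log_text.splitlines():
        m = MISSING_SVC_RE.match(line.strip())
        if m:
            names.append(m.group("name"))
    return names


if __name__ == "__main__":
    for dll, reasons in flag_suspicious_bhos(parse_bhos(SAMPLE_LOG)).items():
        print(dll)
        for reason in reasons:
            print("   -", reason)
    print("services with missing binaries:", missing_service_binaries(SAMPLE_LOG))
```

Run against the full log posted above, the only DLL that trips all three checks is ativcox.dll; the Adobe and Java helpers are named, registered once each, and live under Program Files. Flagging is a prompt to investigate (look the DLL up, check its signature, confirm what created it), not an automatic verdict, which is why the output lists reasons rather than a yes/no.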

This is a particularly nasty bug. It’s apparently a mimic, as I see many people posting here and other forums with similar events, but many different names for the bug.

From my own experience, this bug is attaching itself to IE as a BHO, or Browser Helper Object. I have tried many (10-12 at least) different combinations of spy detection/virus detection programs to relieve this problem, including all those mentioned here on this forum. While these programs can identify the problem, none as of yet can fix it. I cannot change the attributes of the file through any cmd processes, and the file continues to tell me that access is denied (even through a DOS CMD). What they did fix, however, was the registry changes this bug makes, and they partially disable it successfully (Control Panel restoration, and the nasty camouflaged buttons that look like actual Windows alert screens and redirect your click to another virus-laden website).

As far as the pop-up message in your start bar and the redirect of your browser clicks are concerned, I have found a workaround; however, it requires some diligence on your part to make it go away.

At the top of your IE window are several standard window choices, or pull-down menus. Choose Tools > Manage Add-ons. Allow a few seconds for the window to populate with the add-ons currently loaded in IE, at which time you should identify the unremovable add-on and disable it with a click. My monster was named crypt3.dll.

Restart your browser and you will no longer be redirected or receive those nasty balloons. The next time you start your computer, the first thing to do is check the Tools > Manage Add-ons options again, to make sure that your add-on has not returned.

Should be fixable if you have a Windows CD (or maybe an Ubuntu live CD?), or ComboFix may help:

http://forum.avast.com/index.php?topic=32790.msg274307#msg274307