Infected with malware!

I`ve noticed over the last 10-12 days, that I am getting pop ups, plus my computer sometimes runs slowly!

I have ran adaware (found 80 items) ran Ewido (found 247 items) ran trend micro spyware (found 347 items). I deleted them all.

But i still get pop ups? What is going one? Some entries in my hijackthis log look suspicious!

Logfile of HijackThis v1.99.1
Scan saved at 14:40:32, on 09/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\USB Storage RW\shwicon.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\REGIST~1\Regclean.exe
C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gtakvhrvgkhrjqjrfdzpb.info/D7qIdRVyym5W4PeD5ihsnpLYUTWtRwU1kqxJO7YOIQSTWa2cHqplv35ovQWJoq2W.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mhirwwqistvrpdzu.com/D7qIdRVyym6_8/fnL_SoUyFXiW0Srdlht/l92K5prnk.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=8116
R3 - Default URLSearchHook is missing
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll (file missing)
O2 - BHO: (no name) - {882CFCB4-3654-5586-1498-C8787BCD13E6} - C:\DOCUME~1\Owner\APPLIC~1\SIXTH4~1\coalless.exe
O4 - HKLM..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM..\Run: [KYE_Showicon] “C:\Program Files\USB Storage RW\shwicon.exe” -t"KYE\USB Storage RW"
O4 - HKLM..\Run: [StorageGuard] “C:\Program Files\VERITAS Software\Update Manager\sgtray.exe” /r
O4 - HKLM..\Run: [WCOLOREAL] “C:\Program Files\Coloreal\coloreal.exe”
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM..\Run: [Lexmark X74-X75] “C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe”
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [flaw nurb this show] C:\Documents and Settings\All Users\Application Data\SECTCHINFLAWNURB\intraping.exe
O4 - HKLM..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [vc ball city warn] C:\Documents and Settings\All Users\Application Data\multideadvcball\readmefrag.exe
O4 - HKLM..\RunServices: [avnort] C:\WINDOWS\msmbw.exe
O4 - HKCU..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKCU..\Run: [Registry Cleaner] C:\PROGRA~1\REGIST~1\Regclean.exe
O4 - HKCU..\Run: [Compbuild] C:\DOCUME~1\Owner\APPLIC~1\STOPST~1\body grey.exe
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O4 - Global Startup: VTAgentReboot.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab30149.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/27f037ef43f3dae47905/netzip/RdxIE601.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab30149.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - “C:\PROGRA~1\MSNMES~1\msgrapp.dll” (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Omar, looking back over your previous post you seem to be regularly experiencing these problems, perhaps it is time to review your security.

  1. I would stop using IE, with its Browser Helper Objects, activeX it is a magnet to malware and its integration into the OS any exploit of your browser could also exploit your OS.

Try one of the alternative non-ie based browsers, firefox, opera, etc.

  1. Don’t browse or connect to the internet with administrator privileges unless absolutly necessary (windows update), check out the DropMyRighs link in my signature.

  2. Ensure you have the latest version of JRE (JAVA) because older versions can be vulnerable to malware. First remove ALL OLDER VERSIONS FROM ADD/REMOVE.
    Then get the latest update from here http://www.java.com/en/download/index.jsp

Fix:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http :// www dot gtakvhrvgkhrjqjrfdzpb.info/D7qIdRVyym5W4PeD5ihsnpLYUTWtRwU1kqxJO7YOIQ STWa2cHqplv35ovQWJoq2W.html (link edited)
R3 - Default URLSearchHook is missing
O4 - HKLM..\RunServices: [avnort] C:\WINDOWS\msmbw.exe

Aside from there there are a number of unknown entries that you need to check out and possibly scan using the paperclip icon on the saved on-line analysis page .http://hijackthis.de/logfiles/8ca8b23bd8ff8b2714985c2a5fac8182.html

Hi Omar,

This is a worm for which Symantec have a removal tool:

O4 - HKLM..\RunServices: [avnort] C:\WINDOWS\msmbw.exe

http://securityresponse.symantec.com/avcenter/venc/data/w32.serflog.removal.tool.html

Also do as David suggests, and try running all you anti-spyware programs in safe mode as well. (Tap F8 while booting.)

Also try Spybot Search & Destroy if you haven’t already.

:slight_smile: Omar :

 Since you have Ad-Aware, I would advise you to go to :
 www.landzdown.com ; this forum is staffed by ALL the
 Experts who used to advise on the now-defunct Lavasoft
 Ad-Aware Support forums, including their HijackThis Experts.
 As DavidR mentioned, your Sun Java is 5 updates behind
 and should be completely removed & replaced with the
 current "Update 6".
 And BEFORE running HijackThis, "real-time protection"
 components of programs like Ewido should be TEMPORARILY
 disabled.