Malware

Hello all! I am new to the site and was referred here by one of my co-workers. Basically I tried to install a version of a program and when installed it created malware. I am getting about 100 popups non stop. I have Spysweeper and it does block them, but it keeps recreating more and more links. I tried deleting it, doing a root scan, and even found it by Trend Micro. ADW_MULTDEF.A and also TROJ_ZLOB.ANT. That is what it found. How do I remove this? Any help would be appreciated.

Welcome to the forum. Let’s have a look.

Please download Deckard’s System Scanner (DSS) and save it to your Desktop.
[*]Close all other windows before proceeding.
[*]Double-click on dss.exe and follow the prompts.
[*]When it has finished, dss will open two Notepads main.txt and extra.txt – please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

I have to separate them due to the character allowance.

Deckard’s System Scanner v20071014.68
Run by RH on 2008-03-23 10:08:56
Computer is in Normal Mode.

– System Restore --------------------------------------------------------------

Successfully created a Deckard’s System Scanner Restore Point.

– Last 5 Restore Point(s) –
77: 2008-03-23 14:09:01 UTC - RP160 - Deckard’s System Scanner Restore Point
76: 2008-03-23 07:00:25 UTC - RP159 - System Checkpoint
75: 2008-03-22 07:00:19 UTC - RP158 - Software Distribution Service 3.0
74: 2008-03-21 22:55:09 UTC - RP157 - System Checkpoint
73: 2008-02-21 07:09:11 UTC - RP156 - System Checkpoint

– First Restore Point –
1: 2007-12-25 02:31:37 UTC - RP84 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

– HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-03-23 10:10:20
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Webroot\Spy Sweeper\ssu.exe
C:\Documents and Settings\RH\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.trendmicro.com/go/tis/v16/download/x32
O4 - HKLM..\Run: [ATIPTA] “C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe”
O4 - HKLM..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM..\Run: [IntelliPoint] “c:\Program Files\Microsoft IntelliPoint\ipoint.exe”
O4 - HKLM..\Run: [!AVG Anti-Spyware] “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized
O4 - HKLM..\Run: [trojanScanner] “C:\Program Files\Trojan Remover\Trjscan.exe”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SpySweeper] “C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe” /startintray
O4 - HKCU..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe “RH”
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1199041384507
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Documents and Settings\RH\Desktop\Grisoft-AVG75\avgamsvr.exe
O23 - Service: AVG7 Kernel (Avg7Core) - GRISOFT, s.r.o. - C:\Documents and Settings\RH\Desktop\Grisoft-AVG75\avg7core.sys
O23 - Service: AVG7 Wrap Driver (Avg7RsW) - GRISOFT, s.r.o. - C:\Documents and Settings\RH\Desktop\Grisoft-AVG75\avg7rsw.sys
O23 - Service: AVG7 Resident Driver XP (Avg7RsXP) - GRISOFT, s.r.o. - C:\Documents and Settings\RH\Desktop\Grisoft-AVG75\avg7rsxp.sys
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Documents and Settings\RH\Desktop\Grisoft-AVG75\avgupsvc.exe
O23 - Service: AVG7 Clean Driver (AvgClean) - GRISOFT, s.r.o. - C:\Documents and Settings\RH\Desktop\Grisoft-AVG75\avgclean.sys
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Documents and Settings\RH\Desktop\Grisoft-AVG75\avgemc.exe
O23 - Service: AVG Network Redirector (AvgTdi) - GRISOFT, s.r.o. - C:\Documents and Settings\RH\Desktop\Grisoft-AVG75\avgtdi.sys
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Unknown owner - C:\Program Files\Nero\Nero 7\Nero
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe


End of file - 6688 bytes

– File Associations -----------------------------------------------------------

All associations okay.

– Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Klpf - c:\windows\system32\drivers\klpf.sys <Not Verified; KL; KL klpf>
R0 Klpid - c:\windows\system32\drivers\klpid.sys <Not Verified; KL; KL klpid>
R1 oreans32 - c:\windows\system32\drivers\oreans32.sys
R1 smclibb - c:\windows\system32\drivers\smclibb.sys
R3 GTNDIS5 (GTNDIS5 NDIS Protocol Driver) - c:\windows\system32\gtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>

S3 NPF (Netgroup Packet Filter) - c:\windows\system32\drivers\npf.sys <Not Verified; CACE Technologies; WinPcap Netgroup Packet Filter Driver>
S3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>

– Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - “c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe” <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 sp_rssrv (Spyware Terminator Realtime Shield Service) - “c:\program files\spyware terminator\sp_rsser.exe” <Not Verified; Crawler.com; Crawler Spyware Terminator>

S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe

– Device Manager: Disabled ----------------------------------------------------

Class GUID:
Description:
Device ID: DISPLAY\NTATIVRV01\5&12E569F3&0&80000008&01&00
Manufacturer:
Name:
PNP Device ID: DISPLAY\NTATIVRV01\5&12E569F3&0&80000008&01&00
Service:

– Scheduled Tasks -------------------------------------------------------------

2008-03-22 17:00:11 432 --a------ C:\WINDOWS\Tasks\RegCure Program Check.job
2008-03-22 16:43:59 366 --a------ C:\WINDOWS\Tasks\RegCure.job
2008-03-21 17:19:45 384 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job
2008-02-20 18:32:23 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

– Files created between 2008-02-23 and 2008-03-23 -----------------------------

Nothing created in this timespan.

– Find3M Report ---------------------------------------------------------------

2008-03-21 17:56:39 0 d-------- C:\Program Files\Trojan Remover
2008-02-17 22:50:01 0 d-------- C:\Program Files\World of Warcraft
2008-02-17 09:21:48 4096 --a------ C:\WINDOWS\system32\crash
2008-02-10 23:30:28 0 d-------- C:\Program Files\Alwil Software
2008-01-27 19:43:20 0 d-------- C:\Documents and Settings\RH\Application Data\AVG7
2008-01-27 18:59:13 0 d-------- C:\Program Files\Common Files\Kaspersky Lab
2008-01-27 18:59:11 0 d-------- C:\Program Files\Common Files
2008-01-27 18:59:04 0 d-------- C:\Program Files\Kaspersky Lab
2008-01-27 18:36:26 0 d-------- C:\Documents and Settings\RH\Application Data\Simply Super Software
2008-01-27 15:25:52 0 d-------- C:\Program Files\Lavasoft
2008-01-27 15:25:11 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-27 15:16:33 0 d-------- C:\Program Files\TuneUp Utilities 2007
2008-01-27 14:31:01 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-26 18:49:49 0 d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-01-13 21:38:47 331 --a------ C:\Documents and Settings\RH\Application Data\iPodMusicLiberatorPrefsV4
2008-01-13 18:49:46 33 --a------ C:\Documents and Settings\RH\Application Data\pcouffin.log
2008-01-13 18:49:45 47360 --a------ C:\Documents and Settings\RH\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-01-13 18:49:45 1144 --a------ C:\Documents and Settings\RH\Application Data\pcouffin.inf
2008-01-13 18:49:45 7887 --a------ C:\Documents and Settings\RH\Application Data\pcouffin.cat
2008-01-13 18:36:02 164 --a------ C:\install.dat
2008-01-13 18:09:51 52 --ah----- C:\Documents and Settings\RH\Application Data\iml_system_file

– Registry Dump ---------------------------------------------------------------

Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ATIPTA”=“C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” [03/17/2005 09:05 PM]
“CTHelper”=“CTHELPER.EXE” [08/11/2006 02:56 PM C:\WINDOWS\CTHELPER.EXE]
“CTxfiHlp”=“CTXFIHLP.EXE” [08/11/2006 02:56 PM C:\WINDOWS\system32\CTXFIHLP.EXE]
“IntelliPoint”=“c:\Program Files\Microsoft IntelliPoint\ipoint.exe” [02/05/2007 04:52 PM]
“!AVG Anti-Spyware”=“C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” [06/11/2007 05:25 AM]
“TrojanScanner”=“C:\Program Files\Trojan Remover\Trjscan.exe” [01/01/2008 08:20 PM]
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [12/04/2007 09:00 AM]
“SpySweeper”=“C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe” [10/01/2007 05:40 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
“Index Washer”=C:\Program Files\Webroot\Washer\WashIdx.exe “RH”

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Kaspersky Anti-Hacker.lnk - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe [5/11/2006 10:05:33 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 8:05:56 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
“DisableRegistryTools”=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=“Service”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@=“Service”

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

Newly Created Service - GTNDIS5

– Hosts -----------------------------------------------------------------------

127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com
127.0.0.1 032439.com
127.0.0.1 www.032439.com

7357 more entries in hosts file.

– End of Deckard’s System Scanner: finished at 2008-03-23 10:11:11 ------------

Deckard’s System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.

– System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 Processor 3000+
Percentage of Memory in Use: 57%
Physical Memory (total/avail): 1022.48 MiB / 430.5 MiB
Pagefile Memory (total/avail): 2460.16 MiB / 1788.8 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1932.25 MiB

A: is Removable (Unformatted)
C: is Fixed (NTFS) - 68.94 GiB total, 42.32 GiB free.
D: is CDROM (No Media)

\.\PHYSICALDRIVE0 - SiI RAID 0 Set 0 SCSI Disk Device - 68.95 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 68.94 GiB - C:

– Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: Kaspersky Anti-Hacker v1.9.0.37 (Kaspersky Lab)
AV: AVG 7.5.425 v7.5.425 (GRISOFT) Disabled Outdated
AV: avast! antivirus 4.7.1098 [VPS 080323-0] v4.7.1098 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
“%windir%\system32\sessmgr.exe”=“%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019”

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
“%windir%\system32\sessmgr.exe”=“%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019”
“C:\Program Files\Nero\Nero 7\Nero Home\NeroHome.exe”=“C:\Program Files\Nero\Nero 7\Nero Home\NeroHome.exe:*:Enabled:Nero Home”
“C:\WINDOWS\system32\dpvsetup.exe”=“C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test”
“C:\WINDOWS\system32\rundll32.exe”=“C:\WINDOWS\system32\rundll32.exe:*:Enabled:Run a DLL as an App”
“C:\Program Files\LimeWire\LimeWire.exe”=“C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire”
“C:\Program Files\iTunes\iTunes.exe”=“C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes”
“C:\Documents and Settings\RH\Desktop\Grisoft-AVG75\avgamsvr.exe”=“C:\Documents and Settings\RH\Desktop\Grisoft-AVG75\avgamsvr.exe:*:Enabled:avgamsvr.exe”
“C:\Documents and Settings\RH\Desktop\Grisoft-AVG75\avgcc.exe”=“C:\Documents and Settings\RH\Desktop\Grisoft-AVG75\avgcc.exe:*:Enabled:avgcc.exe”
“C:\Documents and Settings\RH\Desktop\Grisoft-AVG75\avgemc.exe”=“C:\Documents and Settings\RH\Desktop\Grisoft-AVG75\avgemc.exe:*:Enabled:avgemc.exe”
“C:\Documents and Settings\RH\Desktop\Grisoft-AVG75\avginet.exe”=“C:\Documents and Settings\RH\Desktop\Grisoft-AVG75\avginet.exe:*:Enabled:avginet.exe”

– Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\RH\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SYSTEM-888891DE
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\RH
LOGONSERVER=\SYSTEM-888891DE
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\PROGRA~1\Java\JRE16~2.0_0\bin;C:\PROGRA~1\Java\JRE16~2.0_0\bin;C:\Program Files\Mozilla Firefox;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\QuickTime\QTSystem;.
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 31 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=1f00
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\RH\LOCALS~1\Temp
TMP=C:\DOCUME~1\RH\LOCALS~1\Temp
USERDOMAIN=SYSTEM-888891DE
USERNAME=RH
USERPROFILE=C:\Documents and Settings\RH
windir=C:\WINDOWS

– User Profiles ---------------------------------------------------------------

RH

– Add/Remove Programs ---------------------------------------------------------

→ C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
→ C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
→ C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
→ C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
→ C:\WINDOWS\UNNeroVision.exe /UNINSTALL
→ C:\WINDOWS\UNRecode.exe /UNINSTALL
→ rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 → MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX → C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin → C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Apple Mobile Device Support → MsiExec.exe /I{D8AB8F0C-CEEB-4A29-8EF5-219B064813F4}
Apple Software Update → MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ATI - Software Uninstall Utility → C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe”
ATI Display Driver → rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
avast! Antivirus → rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
AVG Anti-Spyware 7.5 → C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Combined Community Codec Pack 2007-07-22 → “C:\Program Files\Combined Community Codec Pack\unins000.exe”
DivX Content Uploader → C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Web Player → C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Easy WiFi Radar 1.0.3 → C:\PROGRA~1\MAKAYA~1\EASYWI~1\Setup.exe /remove
iTunes → MsiExec.exe /I{B85C4D19-6CEB-48CF-BD98-C887AC8C6F94}
Java™ 6 Update 2 → MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 → MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Kaspersky Anti-Hacker → “C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\uninstall.exe”
Linksys Wireless-G PCI Adapter → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{4DDC3BED-CC68-44AA-B435-D727B620CA5B}\setup.exe” -l0x9
Microsoft Office 2000 Premium → MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Mozilla Firefox (2.0.0.12) → C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Nero 7 Essentials → MsiExec.exe /I{07059A92-DAB8-442C-85FE-0B0938E41033}
PC Optimizer Pro ver.4.5.17 → “C:\Program Files\PC Optimizer Pro\unins000.exe”
QuickTime → MsiExec.exe /I{6EC874C2-F950-4B7E-A5B7-B1066D6B74AA}
RegCure 1.5.0.0 → C:\Program Files\RegCure\uninst.exe
Rome - Total War → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{51D386C4-0227-46A9-AC45-61F0A50E7AFF}\setup.exe” -l0x9 -removeonly
Samsung USB Driver (MCCI 4.34) WHQL v3.0 → C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{FAD03728-DA19-4313-959F-872A9C432A86}
SeaStorm 3D Screensaver (remove only) → “C:\Program Files\SeaStorm 3D Screensaver\Uninstall.exe”
Spy Sweeper → “C:\Program Files\Webroot\Spy Sweeper\unins000.exe”
Spybot - Search & Destroy → “C:\Program Files\Spybot - Search & Destroy\unins000.exe”
Spyware Terminator → “C:\Program Files\Spyware Terminator\unins000.exe”
TeamSpeak 2 RC2 → “C:\Program Files\Teamspeak2_RC2\unins000.exe”
Trojan Remover 6.6.5 → “C:\Program Files\Trojan Remover\unins000.exe”
TuneUp Utilities 2007 → MsiExec.exe /I{C8BB4912-12D9-42AE-B571-E580D8CD1B5B}
V CAST Music → MsiExec.exe /X{3249FD43-B24B-413F-B786-F8FEA32FA747}
V CAST Music Essentials Manager → C:\PROGRA~1\VERIZO~1\VCASTM~2\Setup.exe /remove /q0
Ventrilo Client → MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Window Washer → C:\WINDOWS\Unwash6.exe
WinRAR archiver → C:\Program Files\WinRAR\uninstall.exe
World of Warcraft → C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft (2)\Uninstall.exe

– Application Event Log -------------------------------------------------------

Event Record #/Type788 / Error
Event Submitted/Written: 03/23/2008 10:10:44 AM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt with error: A connection with the server could not be established

– Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

– System Event Log ------------------------------------------------------------

Event Record #/Type2190 / Warning
Event Submitted/Written: 03/22/2008 07:36:27 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type2157 / Error
Event Submitted/Written: 03/21/2008 05:56:26 PM / 03/21/2008 05:56:51 PM
Event ID/Source: 12294 / ati2mtag
Event Description:
CRT invalid display type

Event Record #/Type2147 / Error
Event Submitted/Written: 03/21/2008 05:54:56 PM / 03/21/2008 05:55:20 PM
Event ID/Source: 12294 / ati2mtag
Event Description:
CRT invalid display type

Event Record #/Type2142 / Error
Event Submitted/Written: 03/21/2008 05:50:17 PM / 03/21/2008 05:50:42 PM
Event ID/Source: 12294 / ati2mtag
Event Description:
CRT invalid display type

Event Record #/Type2110 / Error
Event Submitted/Written: 03/21/2008 05:44:24 PM / 03/21/2008 05:44:49 PM
Event ID/Source: 12294 / ati2mtag
Event Description:
CRT invalid display type

– End of Deckard’s System Scanner: finished at 2008-03-23 10:11:11 ------------

You also have AVG antivirus installed. Only one should be installed at a time. Please uninstall it.

Please submit these files for analysis

To submit a file to VirusTotal, please click on this link

www.virustotal.com

copy and paste the following into the upload a file box (one at a time if more than one file is listed)

c:\windows\system32\drivers\smclibb.sys

scroll down a bit and click “send file”, wait for the results and post them in your next reply.

It is vitally important that combofix is renamed before it is even started to download

Please download ComboFix from Here or Here to your Desktop.

Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop

[*]If you are using Firefox, make sure that your download settings are as follows:
-Tools->Options->Main tab
-Set to “Always ask me where to Save the files”.

[*]During the download, rename Combofix to Combo-Fix as follows:

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

[*]It is important you rename Combofix during the download, but not after.
[*]Please do not rename Combofix to other names, but only to the one indicated.
[*]Close any open browsers.
[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix


[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don’t know how to disable it, please ask.

[*]Close any open browsers.
[*]WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
[*]Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
[*]If there is no internet connection after running Combofix, then restart your computer to restore back your connection.


[*]Double click on combofix.exe & follow the prompts.
[*]When finished, it will produce a report for you.
[*]Please post the “C:\ComboFix.txt” along with a new HijackThis log for further review.

Note: Do not mouseclick combofix’s window while it’s running. That may cause it to stall

You can attach the logs by using the additional options button on the reply page.
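The helper's reply above singles out smclibb.sys for VirusTotal and the second antivirus for removal. As an added example (editor's code, not part of this thread and not code from DSS, HijackThis or any product named here), the Python script below parses the O4 autorun, O23 service and DSS driver lines of a log in the shape posted above and surfaces the same things a helper looks at first: drivers listed with no embedded version/vendor information, services or autoruns whose executable lives inside a user profile, services with no vendor string, and more than one antivirus vendor present at once. The function names, the user-profile path heuristic and the `AV_VENDORS` lookup are the editor's assumptions; the sample lines are constructed from entries in the log above.

```python
"""Triage helper for HijackThis / Deckard's System Scanner style log lines.

Added example (not part of the thread, DSS or HijackThis): it parses O4, O23
and DSS driver lines and lists the entries a helper would check first.
"""
import re
from typing import Dict, List

# Constructed sample: lines in the shape of those posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "RH"
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: AVG7 Kernel (Avg7Core) - GRISOFT, s.r.o. - C:\Documents and Settings\RH\Desktop\Grisoft-AVG75\avg7core.sys
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
R0 Klpf - c:\windows\system32\drivers\klpf.sys <Not Verified; KL; KL klpf>
R1 oreans32 - c:\windows\system32\drivers\oreans32.sys
R1 smclibb - c:\windows\system32\drivers\smclibb.sys
R3 GTNDIS5 (GTNDIS5 NDIS Protocol Driver) - c:\windows\system32\gtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
"""

# O4 - <hive>\..\<key>: [<name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<loc>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 - Service: <display name> - <vendor> - <path>
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
# DSS driver line: R1 <name> [(description)] - <path> [<version info>]
# The name class excludes "-" so HijackThis "R0 - ..." / "R1 - ..." lines do not match.
DRV_RE = re.compile(
    r"^(?P<start>[RS][0-4]) (?P<name>[^\s-]\S*)(?: \((?P<desc>[^)]*)\))?"
    r" - (?P<path>[^<]+?)(?: <(?P<verinfo>[^>]*)>)?$"
)
# First executable on an autorun command line, quoted or not.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|sys|scr|com|bat|cmd))\b', re.I)
# Heuristic (assumption): service/autorun binaries normally live under Program
# Files or the Windows directory, not inside a user's profile.
USER_PROFILE_RE = re.compile(
    r"\\documents and settings\\|\\desktop\\|\\application data\\|\\temp\\", re.I
)
# Constructed lookup (assumption): vendor strings of the two AV products seen here.
AV_VENDORS = {"ALWIL Software": "avast!", "GRISOFT, s.r.o.": "AVG"}


def executable_of(cmd: str) -> str:
    """Return the executable path from an autorun command line, dropping quotes and arguments."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return a list of findings, each {'kind', 'item', 'path'}, for the given log text."""
    findings: List[Dict[str, str]] = []
    av_seen = set()
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DRV_RE.match(line)
        if m:
            # No <...> block means DSS found no version/vendor resource: submit for analysis.
            if m.group("verinfo") is None:
                findings.append({"kind": "driver-no-version-info",
                                 "item": m.group("name"), "path": m.group("path")})
            continue
        m = O23_RE.match(line)
        if m:
            name, vendor, path = m.group("name"), m.group("vendor"), m.group("path")
            if vendor in AV_VENDORS:
                av_seen.add(vendor)
            if vendor == "Unknown owner":
                findings.append({"kind": "service-unknown-vendor", "item": name, "path": path})
            if USER_PROFILE_RE.search(path):
                findings.append({"kind": "service-in-user-profile", "item": name, "path": path})
            continue
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m.group("cmd"))
            if USER_PROFILE_RE.search(exe):
                findings.append({"kind": "autorun-in-user-profile",
                                 "item": m.group("name"), "path": exe})
    if len(av_seen) > 1:
        products = ", ".join(sorted(AV_VENDORS[v] for v in av_seen))
        findings.append({"kind": "multiple-av-products", "item": products, "path": ""})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:26} {f['item']:28} {f['path']}")
```

Run on the sample, it reports smclibb and oreans32 as drivers without version information, the AVG7 kernel driver as a service loaded from the Desktop folder, PnkBstrA as a service with no vendor string, and both avast! and AVG as installed AV products. A finding is a prompt to look, not a verdict: a driver with no version resource, or a service run from a profile directory, is exactly the kind of entry worth submitting for analysis before deciding whether to remove it.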

http://www.virustotal.com/analisis/f703268fcbb958bdee9b7ca0887da79c

Combo

How are things now?

I need a HijackThis log please. If DSS didn’t download HJT for you, you can get one here

Click here to download HJTsetup.exe

[*]Save HJTsetup.exe to your desktop.
[*]Doubleclick on the HJTsetup.exe icon on your desktop.
[*]By default it will install to C:\Program Files\Hijack This.
[*]Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
[*]Put a check by Create a desktop icon then click Next again.
[*]Continue to follow the rest of the prompts from there.
[*]At the final dialogue box click Finish and it will launch Hijack This.
[*]Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
[*]Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
[*]Come back here to this thread and Paste the log in your next reply.
[*]DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:02:45 PM, on 3/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.trendmicro.com/go/tis/v16/download/x32
O4 - HKLM..\Run: [ATIPTA] “C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe”
O4 - HKLM..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM..\Run: [IntelliPoint] “c:\Program Files\Microsoft IntelliPoint\ipoint.exe”
O4 - HKLM..\Run: [!AVG Anti-Spyware] “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized
O4 - HKLM..\Run: [trojanScanner] “C:\Program Files\Trojan Remover\Trjscan.exe”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1199041384507
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Documents and Settings\RH\Desktop\Grisoft-AVG75\avgamsvr.exe
O23 - Service: AVG7 Kernel (Avg7Core) - GRISOFT, s.r.o. - C:\Documents and Settings\RH\Desktop\Grisoft-AVG75\avg7core.sys
O23 - Service: AVG7 Wrap Driver (Avg7RsW) - GRISOFT, s.r.o. - C:\Documents and Settings\RH\Desktop\Grisoft-AVG75\avg7rsw.sys
O23 - Service: AVG7 Resident Driver XP (Avg7RsXP) - GRISOFT, s.r.o. - C:\Documents and Settings\RH\Desktop\Grisoft-AVG75\avg7rsxp.sys
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Documents and Settings\RH\Desktop\Grisoft-AVG75\avgupsvc.exe
O23 - Service: AVG7 Clean Driver (AvgClean) - GRISOFT, s.r.o. - C:\Documents and Settings\RH\Desktop\Grisoft-AVG75\avgclean.sys
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Documents and Settings\RH\Desktop\Grisoft-AVG75\avgemc.exe
O23 - Service: AVG Network Redirector (AvgTdi) - GRISOFT, s.r.o. - C:\Documents and Settings\RH\Desktop\Grisoft-AVG75\avgtdi.sys
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe


End of file - 6484 bytes
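As an added triage example that is not part of this thread (the parser and its flag names are my own, and the sample is constructed from four lines of the log above), the O4 and O23 lines can be parsed and screened for the cues a helper reads for: a service binary living in a user profile directory such as the Desktop, an autorun entry that names a bare file resolved through PATH, or a service with no vendor string.

```python
import re

# Constructed sample: four lines copied from the HijackThis-style log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Kernel (Avg7Core) - GRISOFT, s.r.o. - C:\Documents and Settings\RH\Desktop\Grisoft-AVG75\avg7core.sys
"""

O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
EXE_RE = re.compile(r'^"([^"]+)"|^(\S.*?\.(?:exe|sys|dll|com))(?:\s|$)', re.I)

EXPECTED_DIRS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")  # stock XP locations

def first_path(cmd: str) -> str:
    """Executable part of an O4 command line: quoted path, or up to the first .exe/.sys/.dll/.com."""
    m = EXE_RE.match(cmd)
    return (m[1] or m[2]) if m else cmd.split(" ", 1)[0]

def flags_for(path: str, owner: str = "") -> list:
    """Heuristic review cues for one binary; a flag is a prompt to look, not a verdict."""
    low, flags = path.lower(), []
    if "\\" not in low:
        flags.append("bare-filename")        # no directory: located via PATH at logon
    elif low.startswith("c:\\documents and settings\\"):
        flags.append("user-writable-path")   # profile dir such as Desktop
    elif not low.startswith(EXPECTED_DIRS):
        flags.append("unusual-path")
    if owner == "Unknown owner":
        flags.append("unknown-owner")        # no vendor string in the file
    return flags

def triage(log_text: str) -> list:
    """Parse O4/O23 lines into dicts with kind, name, path, owner and flags."""
    out = []
    for line in log_text.splitlines():
        if m := O4_RE.match(line):
            out.append({"kind": "autorun", "name": m["name"],
                        "path": first_path(m["cmd"]), "owner": ""})
        elif m := O23_RE.match(line):
            out.append({"kind": "service", "name": m["name"],
                        "path": m["path"], "owner": m["owner"]})
    for e in out:
        e["flags"] = flags_for(e["path"], e["owner"])
    return out

def flagged(log_text: str) -> dict:
    return {e["name"]: e["flags"] for e in triage(log_text) if e["flags"]}
```

Run against the full log, the same heuristics single out the AVG7 services installed from the Desktop folder that the next reply comments on.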

Are you still getting the popups?

What I see in the logs is: AVG is still installed but disabled, and Windows Firewall is off. Do you have any other firewall?

Yes, I am still getting them. The trojan is still there. I use Kaspersky Internet Security and it is on high. I downloaded this when I thought I was downloading a video game.

I believe Kaspersky Anti-Hacker is a firewall.

I noticed rodneyownd’s Java is out of date. Update 5 is the newest.
http://www.filehippo.com/download_java_runtime/

Any ideas Oldman?

You can try a rootkit scan. http://files.avast.com/files/beta/aswar.exe Save to desktop.

No rootkits were found. /begs for oldman

Okay, we look deeper.

When setting the dates, please set both to 90 days. Thanks.

Download OTScanit to your Desktop and double-click on it to extract the files.

[*]Close ALL OTHER PROGRAMS.
[*]Open the OTScanit folder and double-click on OTScanit.exe to start the program.
[*]Check the box that says Scan All User Accounts
[*]Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
[*]Under Additional Scans check the following:

[*]Reg - BotCheck
[*]File - Purity Scan

[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

To attach a file, do the following:
[*]Click Add Reply
[*]Under the reply panel is the Attachments Panel
[*]Browse for the attachment file you want to upload, then click the green Upload button
[*]Once it has uploaded, click the Manage Current Attachments drop down box
[*]Click on the attach icon (http://www.geekstogo.com/forum/style_images/11168623649/folder_attach_images/attach_add.png) to insert the attachment into your post

Exclude this one; I messed up one of the dates.