Pop-up Madness - viruses & spyware

Hi all,

My PC’s got a bug…

Popups… every 3-4 minutes
(examples: adv.eblocs., free-savings.com, cool-discount.com, searc-h.com, deal-foryou.com, ad-w-a-r-e.com, coupon-online.com, shop-savings.com, upspiral.com, yyy##.html, http://64.192.130.141/cgi-bin/7upV2?query=ron)

Random dlls (names like ir02l5do1.dll and fp4q03h5e.dll) keep appearing in my system32 folder.

Memory (512 MB) sometimes drops below 85 MB.

I have tried steps found in multiple forums… When spyware programs say OK… Reboot and it’s back…

I have tried multiple spyware programs… (ad-aware, spysweeper, ewido, spyware doctor, online sweepers, and more…)

Keeps coming back…

The consensus is it’s Look2Me and findthewebsiteyouneed (although others have been caught).

I would appreciate any help… Thanks in advance… Dave

Current hijackthis and avast logs follow:

============================================================================================

Logfile of HijackThis v1.99.1
Scan saved at 3:54:42 PM, on 29/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AvastAntivirus\aswUpdSv.exe
C:\Program Files\AvastAntivirus\ashServ.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Program Files\ewido\ewidoctrl.exe
C:\Program Files\ewido\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\AvastAntivirus\ashMaiSv.exe
C:\Program Files\AvastAntivirus\ashWebSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVASTA~1\ashDisp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\TotalCmd\TOTALCMD.EXE
D:\Temp1\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.canoe.ca/CanoeClassic/home.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM..\Run: [anvshell] anvshell.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\AVASTA~1\ashDisp.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [jv16PT - Privacy Protector] C:\Program Files\jv16 PowerTools 2005\jv16PT.exe -ExecTask "C:\Program Files\jv16 PowerTools 2005\Tasks_PrivacyProtector\Task.jvb"
O4 - HKLM..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Copy of Sympatico.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120651790093
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -
O17 - HKLM\System\CCS\Services\Tcpip..{25AD464C-7511-4F41-9523-27E265C51CE6}: NameServer = 206.47.244.78 206.47.244.137
O17 - HKLM\System\CS2\Services\Tcpip..{25AD464C-7511-4F41-9523-27E265C51CE6}: NameServer = 206.47.244.78 206.47.244.137
O20 - Winlogon Notify: RunEx - C:\WINDOWS\system32\j06mlaj11do.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\AvastAntivirus\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\AvastAntivirus\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\AvastAntivirus\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\AvastAntivirus\ashWebSv.exe" /service (file missing)
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

==========================================

JS:Istbar [Trj]
Win32:Adan-024 [Adw]
Win32:Adware-gen. [Adw]
Win32:Beagle-BG3 [Wrm]
Win32:Beagle-CN2 [Wrm]
Win32:CTX
Win32:Dadobra-BG [Trj]
Win32:IstBar-AJ [Trj]
Win32:Trojan-gen. {Delphi}
Win32:Trojan-gen. {Other}
Win32:Trojan-gen. {UPX!}
Win32:Trojan-gen. {VC}
Win32:Trojano-2663 [Trj]
Win32:Trojano-2664 [Trj]
Win32:Trojano-305 [Trj]
Win32:Vibpack [Wrm]

Can you schedule a boot-time scanning?
Start avast! > Right click the skin > Schedule a boot-time scanning
Select for scanning archives.
Boot.

Another option is scanning in Safe Mode (repeatedly press F8 while booting): http://support.microsoft.com/default.aspx?scid=kb;en-us;315222

Another good thing is to disable System Restore, boot, and enable it again. If you find a virus keeps coming back after you delete it, it’s most probably infected the System Restore folder; the best way to solve this is to disable System Restore, reboot your machine and then enable it again. After all that, run a full avast! scan. Enable/Disable System Restore on Windows XP: http://support.microsoft.com/default.aspx?scid=kb;[LN];310405

For an on-line analysis - HiJackThis Log file - On-line Analysis
Ignore any O23 reference to avast processes; this is a hiccup in HJT 1.99.1 (especially the "file missing" entry for avast). If you need any help with any of the analysis, let us know.
OR HiJackThis Log file - On-line Analysis 2

To me this is suspect, as there is no data behind the ID:
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} -
As is this:
O20 - Winlogon Notify: RunEx - C:\WINDOWS\system32\j06mlaj11do.dll
But check out the on-line analysis and double check with Google.

What surprises me most is that, with the amount of anti-everything you have, anything has managed to get on to your system. I suggest you check out the DropMyRights link in my signature. This will stop malware inheriting administrator privileges and wreaking havoc, being able to dump files in the system folders and create registry entries, etc. This will limit the harm malware can do.

Edit: this may explain it if correct.

No active firewall was found on your system or the firewall you use is unknown to us. If you don't use a firewall you should download and install one or activate Windows XP's own one. In case you have questions or you want us to add the firewall you use to our database, contact us at our forum www.hijackthis.de/forum

For an on-line analysis of your log visit this link - http://hijackthis.de/logfiles/91ddea2f4c6f38d8700b2ade5323772b.html
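The two lines DavidR singled out above, the empty O16 DPF entry and the O20 Winlogon Notify hook loading a randomly named DLL from system32, are exactly the kind of thing that can be picked out of an HJT log mechanically. The script below is an added example written for this thread, not part of the original posts and not HijackThis' own code. It parses a handful of lines copied from the log above, flags an O20 Winlogon Notify entry whose DLL name looks machine-generated (the 8+ character letter/digit soup seen in ir02l5do1.dll and j06mlaj11do.dll), flags an O16 DPF entry with nothing behind the CLSID, and skips the avast "(file missing)" O23 quirk DavidR mentions. The random-name heuristic in `looks_random` is an assumption, not a rule from any tool, so treat its output as "look here", not "delete this".

```python
"""Triage HijackThis 1.99.1 log lines for entries worth a second look.

Added example for this thread; not from HijackThis or from any forum post.
The scoring rules are assumptions: a Winlogon Notify hook loading a
randomly named DLL and an O16 DPF entry with no URL are the two things
the helpers above called suspect, so those are what this flags.
"""
import re

# Subset of lines copied from the HJT log posted earlier in the thread.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\AVASTA~1\ashDisp.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120651790093
O20 - Winlogon Notify: RunEx - C:\WINDOWS\system32\j06mlaj11do.dll
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\AvastAntivirus\ashMaiSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# One regex for the "O20 - ..." / "R1 - ..." prefix, then one per section body.
_ENTRY = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
_O20 = re.compile(r"^Winlogon Notify:\s*(?P<key>\S+)\s+-\s+(?P<path>.+)$")
_O16 = re.compile(r"^DPF:\s*(?P<clsid>\{[0-9A-Fa-f-]+\})\s*(?:\((?P<name>[^)]*)\))?\s*-\s*(?P<url>.*)$")
_O23 = re.compile(r"^Service:.*-\s*(?P<path>[A-Za-z]:\\.*)$")


def looks_random(filename: str) -> bool:
    """Heuristic (assumption, not a vendor rule): Look2Me-style names such as
    ir02l5do1.dll or j06mlaj11do.dll are 8+ lower-case letters and digits with
    at least three of each, mixed together rather than a trailing version
    number as in nvsvc32.exe or kernel32.dll."""
    stem = filename.lower().rsplit(".", 1)[0]
    if not re.fullmatch(r"[a-z0-9]{8,}", stem):
        return False
    digits = sum(c.isdigit() for c in stem)
    letters = len(stem) - digits
    if digits < 3 or letters < 3:
        return False
    # Letters followed only by digits is a versioned module name, not noise.
    return not re.fullmatch(r"[a-z]+[0-9]+", stem)


def basename(path: str) -> str:
    """Last path component, with any trailing '" /service ...' debris cut off."""
    return path.split("\\")[-1].split('"')[0].split(" ")[0]


def triage(log_text: str) -> list[tuple[str, str, str]]:
    """Return (section, reason, line) for every line that deserves a look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _ENTRY.match(line)
        if not m:
            continue
        section, body = m.groups()
        if section == "O20":
            h = _O20.match(body)
            if h:
                name = basename(h["path"])
                if looks_random(name):
                    reason = f"Winlogon Notify hook loads randomly named DLL {name}"
                else:
                    reason = f"Winlogon Notify hook {h['key']}: verify publisher of {name}"
                findings.append((section, reason, line))
        elif section == "O16":
            h = _O16.match(body)
            if h and not h["url"].strip():
                findings.append((section, f"ActiveX download entry {h['clsid']} has no name or URL behind it", line))
        elif section == "O6":
            findings.append((section, "IE policy restrictions present: confirm they were set on purpose", line))
        elif section == "O23":
            if "(file missing)" in body and "avast" in body.lower():
                continue  # known HJT 1.99.1 quirk with avast services, per the thread
            h = _O23.match(body)
            if h and looks_random(basename(h["path"])):
                findings.append((section, "service binary has a random-looking name", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Run against a full log it produces a short worklist; on the sample above it reports the O6 policy lines, the empty O16 entry and the j06mlaj11do.dll hook, and stays quiet about avast's "(file missing)" services and nvsvc32.exe.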

Hi DaddyDave,

This is something for BHO Demon, download it from here:
http://www.definitivesolutions.com/bhodemon.htm
Read the info and run the tool, see what it finds, and ask here what eventually must be taken off or not. Then take an informed decision.
For more info on what you find: http://www.sysinfo.org/

polonus

Hi DaddyDave,

You need to run HijackThis! again, tick the entries that DavidR mentioned, click fix and reboot into safe mode (Tap F8 repeatedly while booting) and delete the .dll file if you can find it.

The O20 entry is often the result of a Look2Me infection, so it might be worth running a removal tool:

http://www.pchell.com/support/look2me.shtml

or:

http://securityresponse.symantec.com/avcenter/venc/data/spyware.look2me.html

Then check to see if the O20 has gone. If it hasn’t, tell us and we can try something else.

If it has, update all your security programs and run them again.

Good luck!

If that does not work, you can try Spy Sweeper. It is very good at cleaning newer L2M variants. The trial version is able to clean: http://www.webroot.com/consumer/downloads/

:) DaddyDave’s HJT log indicates he already has Spy Sweeper; since he has used Ad-Aware, I wondered why he did NOT ask their experts for help at www.landzdown.com !?

Hm, yes, but it seems like he uses an older version of Spy Sweeper!? Version 4.5 deletes newer Look2Me variants without any problems.

Hello all,

I seem to be clean!!! 5 hours and no pop-ups!!! It took some doing… HijackThis would not get rid of the j06mlaj11do.dll at first, but a combo of HJT, ewido, Spy Sweeper and the PCHell utility (thanks FreewheelinFrank) got rid of everything… Ended up with 46 infected .dlls… all gone now.

Thanks to all of you who helped.

(BTW… I posted to multiple forums for help over the last week, you guys were the only ones to respond… Thanks again)

Dave…

Don’t forget to run an avast! boot-time scan 8)

Dave, get used to the help level of the avast! forum 8)