Unwanted Pop Ups 1

[glenmac]

I keep getting unwanted pop up windows. They are mainly for gambling sites. Also I delete nameserver entries using Hijack this but after booting they keep returning. I've run every scanner like adaware, spysweeper and search and destroy numerous times and they give me a clean bill of health. here is my Hijackthis log. Can anyone help, thih has been going on for a week Arrrgh!

Logfile of HijackThis v1.99.0
Scan saved at 7:40:11 AM, on 15/02/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\sfmprint.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\sfmsvc.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\mdm.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Creative\ShareDLL\MediaDet.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\system32\dllhost.exe
C:\WINNT\system32\dllhost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\system32\sprmover.exe
C:\WINNT\system32\smbdins.exe
C:\WINNT\system32\sethcd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\Microsoft.NET\Framework\v1.0.3705\aspnet_wp.exe
C:\Documents and Settings\Administrator\Desktop\virichecks\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O16 - DPF: {1A4DA620-6217-11CF-BE62-0080C72EDD2D} (MarqueeCtl Object) -

http://activex.microsoft.com/activex/controls/iexplorer/x86/marquee.cab

O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) -

http://sc.communities.msn.com/controls/chat/msnchat42.cab

O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) -

http://autos.en.msn.ca/components/ocx/survid/MSSurVid.cab

O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) -

http://activex.microsoft.com/activex/controls/sdkupdate/sdkinst.cab

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: InCD Helper - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: MySql - Unknown - C:/mysql/bin/mysqld-nt.exe
O23 - Service: ASUS Driver Helper Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

Glen

http://lantzvillecomputers.ca

 

[carrr]

Boot into safe mode and delete these files:

C:\WINNT\system32\sprmover.exe
C:\WINNT\system32\smbdins.exe
C:\WINNT\system32\sethcd.exe

If fesity, use Pocket Killbox on them:

http://www.bleepingcomputer.com/files/killbox.php

Reboot.


Tired of waiting for an answer? Try asking better questions. See: faq222-2244

 

[glenmac]

You da man!!!! a star for you. Curious, do you know who gives these things?

Glen

http://lantzvillecomputers.ca

 

[carrr]

Can be inadvertent consent by the user, or could be of the "drive-by" variety (i.e. you go to a site and the crud starts loading).

If you haven't played with it yet, try the Microsoft Beta:

http://www.microsoft.com/athome/security/spyware/software/default.mspx

I've been impressed by it blocking capabilities.

Tired of waiting for an answer? Try asking better questions. See: faq222-2244

 

[glenmac]

Thanks again I'm giving it a try.

Glen

http://lantzvillecomputers.ca

 

[glenmac]

Arggh it's back! Somehow the files returned, so I deleted them again. I'll tell what happened maybe someone has another idea. First IPconfig tried to run (I stopped it using Zone alarm) then sprmover.exe tried to run (stopped it the same way) then the popups started again. Checked for the files again and there they were. I'm thinking trojen, but I'm running AVG and doing regular scans. My computer slows right down when the sequence of events starts happening. All help will be much appreciated. Some of the popups are of a raunchy nature and I have children using this system. I may have to format.

Glen

http://lantzvillecomputers.ca

 

[glenmac]

Adendam to last post, after running hijackthis again after deleting the files. The nameservers were back as well. Deleted them , we'll see.

Glen

http://lantzvillecomputers.ca

 

[diogenes10]

http://www.mwti.net/antivirus/free_utilities.asp

Here is a scanner you can run that might help find hidden reloader files.



-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?

 

[glenmac]

thanks for nothing diogenes10

Glen

http://lantzvillecomputers.ca

 

[glenmac]

My apologies diogenes10 it helped.

Glen

http://lantzvillecomputers.ca