Annoying IE popups on XP Home


  • This topic is locked
7 replies to this topic

#1 jacruz

    New Member

  • 4 posts

Posted 09 March 2007 - 03:40 AM

Hello,

I have recently been plagued by popups on my system. I have been an everyday PC user for many years and have obviously been lucky never to have run into this problem before.

I have used both ad-aware and counterspy to try to address the problem. I have also used AVG to try to address the problem. I have run the three programs in safe mode with network and in normal mode. All three programs found and supposedly removed trojan horses found on the machine, but the popups remain.

Any help would be greatly appreciated.


Logfile of HijackThis v1.99.1
Scan saved at 1:20:14 AM, on 3/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\Hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2a429055-0875-4de7-8be6-4a661564629d} - C:\WINDOWS\system32\c_1dll.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - https://brewx.qualco...tall/isetup.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: c_1dll - C:\WINDOWS\SYSTEM32\c_1dll.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\System32\r_server.exe" /service (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE



#2 shelf life

    SuperMember

  • Visiting Fellow
  • 3,191 posts

Posted 09 March 2007 - 06:02 PM

hi jacruz,

Please download VundoFix.exe to your desktop.

http://www.atribune..../click.php?id=4

* Double-click VundoFix.exe to run it.
* Click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.
* Please post the contents of C:\vundofix.txt and a new HiJackThis log.


Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
-------------------------------------------
Afterwards, rescan and post a new HJT log.

shelf life
How Can I Reduce My Risk?

#3 jacruz

    New Member

  • 4 posts

Posted 09 March 2007 - 07:32 PM

Thanks very much for your reply.

Here's the new HijackThis log. (BTW, I renamed HiJackThis.exe to hanalyzer.exe)

Logfile of HijackThis v1.99.1
Scan saved at 5:22:27 PM, on 3/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\Hijackthis\hanalyzer.exe
C:\WINDOWS\system32\wuauclt.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2a429055-0875-4de7-8be6-4a661564629d} - C:\WINDOWS\system32\c_1dll.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - https://brewx.qualco...tall/isetup.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: c_1dll - C:\WINDOWS\SYSTEM32\c_1dll.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\System32\r_server.exe" /service (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE


----------------------------------------------

Here is Vundofix.txt


VundoFix V6.3.15

Checking Java version...

Sun Java not detected
Scan started at 5:16:38 PM 3/9/2007

Listing files found while scanning....

C:\WINDOWS\system32\tmp3D.tmp.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\tmp3D.tmp.dll
C:\WINDOWS\system32\tmp3D.tmp.dll Has been deleted!

Performing Repairs to the registry.
Done!

#4 jacruz

    New Member

  • 4 posts

Posted 09 March 2007 - 07:55 PM

Unfortunately, I am still getting popups from broadcaster.com and laughnetwork.com. :-(

#5 shelf life

    SuperMember

  • Visiting Fellow
  • 3,191 posts

Posted 10 March 2007 - 04:00 PM

hi jacruz,

OK, let's do this:

Download AVG Anti-Spyware and save that file to your desktop.
This is a 30-day trial of the program.
http://www.ewido.net/en/download/

1. Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the setup program.
2. Once the setup is complete you will need to run ewido and update the definition files.
3. On the main screen select the icon "Update", then select the "Update now" link.
* Next select the "Start Update" button; the update will start and a progress bar will show the updates being installed.
4. Once the update has completed, select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
5. Once in the Settings screen, click on "Recommended actions" and then select "Quarantine".
6. Under "Reports":
* Select "Automatically generate report after every scan"
* Un-select "Only if threats were found"
# Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
# ewido will now begin the scanning process; be patient, this may take a little time.
Once the scan is complete do the following:
# If you have any infections you will be prompted; then select "Apply all actions".
# Next select the "Reports" icon at the top.
# Select the "Save report as" button in the lower left hand of the screen and save it to a text file somewhere so you can find it. Please post the saved report in your next reply; if there are a lot of cookies you can edit them out.

shelf life
How Can I Reduce My Risk?

#6 jacruz

    New Member

  • 4 posts

Posted 10 March 2007 - 06:38 PM

Thanks for the reply. I ended up running VirtumundoBeGone this morning and my system now seems to be back to normal. Thanks again for your insight into this problem.

----------------------------------------------------

[03/10/2007, 11:02:20] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Jim\Desktop\VirtumundoBeGone.exe" )
[03/10/2007, 11:02:25] - Detected System Information:
[03/10/2007, 11:02:25] - Windows Version: 5.1.2600, Service Pack 2
[03/10/2007, 11:02:25] - Current Username: Jim (Admin)
[03/10/2007, 11:02:25] - Windows is in SAFE mode.
[03/10/2007, 11:02:25] - Searching for Browser Helper Objects:
[03/10/2007, 11:02:25] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/10/2007, 11:02:25] - BHO 2: {2a429055-0875-4de7-8be6-4a661564629d} ()
[03/10/2007, 11:02:25] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/10/2007, 11:02:25] - Checking for HKLM\...\Winlogon\Notify\c_1dll
[03/10/2007, 11:02:25] - Found: HKLM\...\Winlogon\Notify\c_1dll - This is probably Virtumundo.
[03/10/2007, 11:02:25] - Assigning {2a429055-0875-4de7-8be6-4a661564629d} MSEvents Object
[03/10/2007, 11:02:25] - BHO list has been changed! Starting over...
[03/10/2007, 11:02:25] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/10/2007, 11:02:25] - BHO 2: {2a429055-0875-4de7-8be6-4a661564629d} (MSEvents Object)
[03/10/2007, 11:02:25] - ALERT: Found MSEvents Object!
[03/10/2007, 11:02:25] - Finished Searching Browser Helper Objects
[03/10/2007, 11:02:25] - *** Detected MSEvents Object
[03/10/2007, 11:02:25] - Trying to remove MSEvents Object...
[03/10/2007, 11:02:26] - Terminating Process: IEXPLORE.EXE
[03/10/2007, 11:02:27] - Terminating Process: RUNDLL32.EXE
[03/10/2007, 11:02:27] - Disabling Automatic Shell Restart
[03/10/2007, 11:02:27] - Terminating Process: EXPLORER.EXE
[03/10/2007, 11:02:27] - Suspending the NT Session Manager System Service
[03/10/2007, 11:02:27] - Terminating Windows NT Logon/Logoff Manager
[03/10/2007, 11:02:27] - Re-enabling Automatic Shell Restart
[03/10/2007, 11:02:27] - File to disable: C:\WINDOWS\system32\c_1dll.dll
[03/10/2007, 11:02:27] - Renaming C:\WINDOWS\system32\c_1dll.dll -> C:\WINDOWS\system32\c_1dll.dll.vir
[03/10/2007, 11:02:27] - File successfully renamed!
[03/10/2007, 11:02:27] - Removing HKLM\...\Browser Helper Objects\{2a429055-0875-4de7-8be6-4a661564629d}
[03/10/2007, 11:02:27] - Removing HKCR\CLSID\{2a429055-0875-4de7-8be6-4a661564629d}
[03/10/2007, 11:02:27] - Adding Kill Bit for ActiveX for GUID: {2a429055-0875-4de7-8be6-4a661564629d}
[03/10/2007, 11:02:27] - Deleting ATLEvents/MSEvents Registry entries
[03/10/2007, 11:02:27] - Removing HKLM\...\Winlogon\Notify\c_1dll
[03/10/2007, 11:02:27] - Searching for Browser Helper Objects:
[03/10/2007, 11:02:27] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/10/2007, 11:02:27] - Finished Searching Browser Helper Objects
[03/10/2007, 11:02:27] - Finishing up...
[03/10/2007, 11:02:27] - A restart is needed.
[03/10/2007, 11:02:37] - Attempting to Restart via STOP error (Blue Screen!)
[03/10/2007, 11:05:31] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Jim\Desktop\VirtumundoBeGone.exe" )
[03/10/2007, 11:05:35] - Detected System Information:
[03/10/2007, 11:05:35] - Windows Version: 5.1.2600, Service Pack 2
[03/10/2007, 11:05:35] - Current Username: Jim (Admin)
[03/10/2007, 11:05:35] - Windows is in SAFE mode.
[03/10/2007, 11:05:35] - Searching for Browser Helper Objects:
[03/10/2007, 11:05:35] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/10/2007, 11:05:35] - Finished Searching Browser Helper Objects
[03/10/2007, 11:05:35] - Finishing up...
[03/10/2007, 11:05:35] - Nothing found! Exiting...
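The VirtumundoBeGone log above records the heuristic that caught this infection: an O2 BHO with no default name whose DLL is also registered as an O20 Winlogon Notify package. As an added illustration (not a tool from this thread or from the VirtumundoBeGone author), the same correlation can be run over a HijackThis log; the sample lines are copied from the log posted earlier, and the parser and function names are my own.

```python
import re

# Constructed sample: the O2 (BHO) and O20 (Winlogon Notify) lines from the
# HijackThis log posted earlier in this thread; not the full log.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2a429055-0875-4de7-8be6-4a661564629d} - C:\WINDOWS\system32\c_1dll.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O20 - Winlogon Notify: c_1dll - C:\WINDOWS\SYSTEM32\c_1dll.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
"""

# Line shapes for the two HijackThis sections we correlate (hypothetical parser
# written for this example; field names are my own).
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")


def parse_hjt(text):
    """Return (bho_entries, notify_entries) as lists of dicts."""
    bhos, notifies = [], []
    for line in text.splitlines():
        m = BHO_RE.match(line)
        if m:
            bhos.append(m.groupdict())
            continue
        m = NOTIFY_RE.match(line)
        if m:
            notifies.append(m.groupdict())
    return bhos, notifies


def suspicious_bhos(text):
    """Flag BHOs that have no default name AND whose DLL is also a Winlogon
    Notify package, the combination the log calls 'probably Virtumundo'.
    Paths compare case-insensitively: the real log mixes system32/SYSTEM32."""
    bhos, notifies = parse_hjt(text)
    notify_by_path = {n["path"].lower(): n["key"] for n in notifies}
    hits = []
    for b in bhos:
        unnamed = b["name"].strip().lower() == "(no name)"
        key = notify_by_path.get(b["path"].lower())
        if unnamed and key is not None:
            hits.append({
                "clsid": b["clsid"],
                "path": b["path"],
                "reasons": ["BHO has no default name",
                            f"same DLL is Winlogon Notify package '{key}'"],
            })
    return hits


if __name__ == "__main__":
    for h in suspicious_bhos(SAMPLE_HJT_LOG):
        print(h["clsid"], h["path"], "; ".join(h["reasons"]))
```

An unnamed BHO on its own, or a Winlogon Notify entry on its own, is not flagged; only the pairing is, which is the check the tool's own log shows it making.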

#7 shelf life

    SuperMember

  • Visiting Fellow
  • 3,191 posts

Posted 11 March 2007 - 02:12 PM

hi jacruz, OK, good. You can still get AVG Anti-Spyware if you want; you can still update/scan after the 30 days. The real-time protection, or "guard", becomes disabled after 30 days.

shelf life
How Can I Reduce My Risk?

#8 little eagle

    spyware hawk

  • Visiting Fellow
  • 8,968 posts

Posted 31 March 2007 - 09:47 AM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php
