Help! I am a newbie and am riddled with pop-ups!

Unknown · February 2005

My system is over run with pop ups and I fear spyware. I am getting pop ups even when internet exploer isn't open. Your help is greatly appreciated

Logfile of HijackThis v1.99.0
Scan saved at 8:51:16 PM, on 2/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\system32\ctfmon.exe
c:\windows\system32\pjykfa.exe
c:\windows\system32\calc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dan\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZServ.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [system] C:\WINDOWS\system32\letsroll.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvyfu32.exe
O4 - HKLM\..\Run: [pjykfa] c:\windows\system32\pjykfa.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} (Personal System Administrator Control) - http://206.65.172.231/check/netset//install/gtdowngc.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MATLAB Server - Unknown - C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

jettamandan · February 2005

Please help!

Leonardo · February 2005

We'll get to you. Please be patient. All the members who help out in this forum are volunteers. They have to balance home life and work with their work here at the forums.

jettamandan · February 2005

My apologies, I am more used to automotive forums which once you fall off the main page your thread is done.

I am new and appreciate your help and patience!

jettamandan · February 2005

I hope that I haven't offended anyone here?

I sure could use some help

jettamandan · February 2005

How does one get help on this board

I have not bumped my posts?

I have IM'd to introduce myself

I have been patient, Do posts generally take a month for a response???

Buckeye_Sam · February 2005

Please post a new hijackthis log and I'll be glad to help you.

jettamandan · February 2005

Buckeye Sam, thank you

Logfile of HijackThis v1.99.0
Scan saved at 7:14:44 AM, on 2/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\windows\system32\hUHuG.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\SYSTEM32\hUHuG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Dan\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6B82664D-F8DC-F355-D4E9-830A750BF29F} - C:\WINDOWS\system32\hkzgu.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [LSASS Authority] lshosts32.exe
O4 - HKLM\..\Run: [j3OyMFU9] C:\windows\system32\j3OyMFU9.exe
O4 - HKLM\..\Run: [hUHuG.exe] c:\windows\system32\hUHuG.exe
O4 - HKLM\..\RunServices: [LSASS Authority] lshosts32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} (Personal System Administrator Control) - http://206.65.172.231/check/netset//install/gtdowngc.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MATLAB Server - Unknown - C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Buckeye_Sam · February 2005

It looks like you've done pretty well on your own. Are you still having the same problems as before?

Please remove these entries from Add/Remove Programs in the Control Panel(if present):

Viewpoint Manager

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {6B82664D-F8DC-F355-D4E9-830A750BF29F} - C:\WINDOWS\system32\hkzgu.dll (file missing)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [LSASS Authority] lshosts32.exe
O4 - HKLM\..\Run: [j3OyMFU9] C:\windows\system32\j3OyMFU9.exe
O4 - HKLM\..\Run: [hUHuG.exe] c:\windows\system32\hUHuG.exe
O4 - HKLM\..\RunServices: [LSASS Authority] lshosts32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist):

C:\windows\system32\j3OyMFU9.exe
c:\windows\system32\hUHuG.exe
C:\WINDOWS\system32\hkzgu.dll
lshosts32.exe
C:\Program Files\Viewpoint

Reboot your computer to go back to normal mode.

Please run on of these two online scans.
Make sure they are set to clean automatically:

http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

http://www.pandasoftware.com/activescan/com/activescan_principal.htm

If there are files that can not be removed by the scans please include that information in your next post.

Reboot and post a new hijackthis log.

jettamandan · February 2005

Did everything you mentioned and ran the first online scan of the two. The scan found 6800 viruses. Here are some examples

mssvc32.exe Win32.Agobot.AIQ deleted C:\Documents and Settings\All Users\Documents\
Patch321.exe Win32.Vundo.O deleted C:\Documents and Settings\Dan\Local Settings\Temp\
Install.exe Win32.Secdrop.DZ deleted C:\
Dc49.exe Win32.Sdbot.GF deleted C:\RECYCLER\S-1-5-21-1281470776-4127155883-3842099475-1007\
A0019218.dll Win32.BettInet deleted C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP371\
A0019253.exe Win32.SillyP2P.I deleted C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP375\
A0020216.exe Win32.SillyP2P.I deleted C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP375\

Then there were 6000 findings or so in this "SillyP2P"
and ends with

A0029174.exe Win32.SillyP2P.I deleted C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP418\
A0029241.exe Win32.Imiserv.I deleted C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP422\
A0029262.exe Win32.Imiserv.C deleted C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP422\
A0029319.exe Win32.Imiserv.I deleted C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP423\
A0029377.exe Win32.SillyDl.CS deleted C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP425\
A0029381.exe Win32.Memwatch.A deleted C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP425\
A0029382.exe Win32.Memwatch.A deleted C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP425\
A0029390.exe Win32.Memwatch.C deleted C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP425\
A0029398.EXE Win32.SillyDl.EN deleted C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP425\
A0029433.exe Win32.Imiserv.C deleted C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP425\
A0029441.dll Win32.Imiserv.C deleted C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP426\
A0029443.exe Win32.Imiserv.I deleted C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP426\
A0029447.exe Win32.Memwatch.A deleted C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP426\
A0029448.exe Win32.Memwatch.A deleted C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP426\
A0029449.exe Win32.SillyDl.CS deleted C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP426\
A0029450.exe Win32.BettInet.C deleted C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP426\
A0029474.exe Win32.Daqa.F deleted C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP427\
A0029490.exe Win32.Imiserv.C deleted C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP427\
A0029496.exe Win32.Memwatch.A deleted C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP427\
A0029499.dll Win32.Imiserv.C deleted C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP428\
A0029501.exe Win32.Imiserv.I deleted C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP428\
A0029505.exe Win32.SillyDl.CS deleted C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP428\
A0029506.exe Win32.BettInet.C deleted C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP428\
A0029533.exe Win32.Memwatch.A deleted C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP428\
MFEX-13.DAT Win32.Imiserv.I deleted C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP428\snapshot\
MFEX-19.DAT Win32.Imiserv.C deleted C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP428\snapshot\
MFEX-2.DAT Win32.SillyDl.CS deleted C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP428\snapshot\
MFEX-3.DAT Win32.SillyDl.CS deleted C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP428\snapshot\
MFEX-4.DAT Win32.Imiserv.C deleted C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP428\snapshot\
MFEX-5.DAT Win32.BettInet.C deleted C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP428\snapshot\
A0029657.exe Win32.Imiserv.C deleted C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP433\
A0029664.exe Win32.SillyDl.CS deleted C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP434\
A0029665.exe Win32.Memwatch.A deleted C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP434\
A0029666.exe Win32.Memwatch.A deleted C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP434\
A0029667.dll Win32.Imiserv.C deleted C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP434\
A0029718.exe Win32.SillyDl.DG deleted C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP436\
A0029723.exe Win32.Memwatch.A deleted C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP436\
A0029724.exe Win32.Memwatch.A deleted C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP436\
A0029725.exe Win32.Memwatch.A deleted C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP436\
A0029726.exe Win32.Memwatch.B deleted C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP436\
A0029727.exe Win32.Memwatch.B deleted C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP436\
A0029728.exe Win32.Memwatch.B deleted C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP436\
A0029930.exe Win32.Sdbot.GF deleted C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP442\
systb.exe Win32.Imiserv.C deleted C:\WINDOWS\
eliteerror32.dat Win32.Startpage.NJ deleted C:\WINDOWS\SYSTEM32\
elitejwd32.exe Win32.Startpage.NJ deleted C:\WINDOWS\SYSTEM32\
eliteklc32.exe Win32.Startpage.NJ deleted C:\WINDOWS\SYSTEM32\
eliteues32.exe Win32.Startpage.NJ deleted C:\WINDOWS\SYSTEM32\
x.bat BAT.Secdrop deleted C:\

I deleted all of these.

I will follow this post with a HJT log.

jettamandan · February 2005

I am using Mozilla now and don't nearly have the pop ups that I used to. I have also run
spysweeper
spybot
ad aware
cwshredder

Logfile of HijackThis v1.99.0
Scan saved at 9:26:48 PM, on 2/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\windows\system32\hUHuG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\SYSTEM32\hUHuG.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Dan\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [hUHuG.exe] C:\windows\system32\hUHuG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} (Personal System Administrator Control) - http://206.65.172.231/check/netset//install/gtdowngc.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MATLAB Server - Unknown - C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Buckeye_Sam · February 2005

Most of that malware listed is in your system restore files. It's a good idea to flush them all out so that you don't reinfect yourself by restoring the malware.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer.

Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

O4 - HKLM\..\Run: [hUHuG.exe] C:\windows\system32\hUHuG.exe

Delete this file.

C:\windows\system32\hUHuG.exe

Reboot and post a new hijackthis log.

jettamandan · February 2005

When I run Hijack this and remove the hUGug.exe it is back when i reboot.

Also, I cannot find the hUGug.exe in C:WINDOWS/system32/hUGug.exe

I have also tried to delete this out of my runnig processes and it shows back up immediately?

Buckeye_Sam · February 2005

Download Killbox from http://www.bleepingcomputer.com/files/killbox.php
Extract the program to your desktop and double-click on its folder for it and then double-click on Killbox.exe to start the program.

1. In the killbox program, select the Delete on Reboot option.

2. In the field labeled Full Path of File to Delete copy this text.

C:WINDOWS/system32/hUGug.exe

3. Press the button that looks like a red circle with a white X in it. When it asks if you would like to Reboot now, press the YES button.

Please post a new hijackthis log.

Help! I am a newbie and am riddled with pop-ups!

Comments