Slow PC and lots of pop-ups

Thanks so much, noah.

When I did the first Hijack This search, I could not find any of the files that you mentioned, but I suppose that only means that I had no need to worry in the first place.

Here is a new Hijack This log:

Logfile of HijackThis v1.98.2
Scan saved at 2:57:31 AM, on 12/7/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Smartek\WordSmart\trayicon.exe
C:\Program Files\iMesh\Client\iMeshClient.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Carl Rex Hubbard II\My Documents\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - Startup: iMesh.lnk = C:\Program Files\iMesh\Client\iMeshClient.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WordSmart Tray Icon.lnk = C:\Program Files\Smartek\WordSmart\trayicon.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {40D61F04-59E4-4C8D-BF6E-697AB9C21F43} - http://www.instantchess.com/applet/chessbar.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1102187486002
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

 

The log looks clean. Can I assume that RAV came up clean also?

I cannot stress enough the importance of getting the needed Windows Updates.

If all is clean, re-enable system restore and create a manual restore point. I also recommend you download Spybot 1.3 from my signature and install. Allow it to load SD Helper. Open it up and click mode on the toolbar, then advanced mode. Click immunize in the left pane, then immunize again, this time from above with the green + beside it. Click the link below that for SpywareBlaster, download, install, enable all protection and update. Check for updates regularly. Then, still in Spybot, click IE tweaks and at least lock the HOSTS file.
Then download and install IESpyad.

That will give you some added layers of protection against unwanted parasites.

Let us know if you have any questions about any of the recommendations.

Also, this hijacker is known to alter or delete certain files so check this out please:

Download the Hoster from here . UnZip the file and press "Restore Original Hosts" and press "OK ". Exit Program.

If you did already have Spybot S&D installed you may also need to replace one file.
Go here and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

Check in the C:\Windows\system32 folder to be sure you have a file named Shell.dll. If you do not have one, go to the C:\Windows\system32\dllcache folder.
Find shell.dll and right click on it. Choose Copy from the menu.
Open the System32 folder and right click on an empty space in the window. Choose Paste from the menu.


control.exe may have been deleted.
See if control.exe is present in C:\windows\system32

If control.exe isn't there, go here, and download control.exe per the instructions at the site.

IMPORTANT!: Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended here.

 

noah,

Here is the RAV scan log:

Scan started at 12/7/2004 10:57:51 AM

Scanning memory...
Scanning boot sectors...
Scanning files...
C:\Documents and Settings\Carl Rex Hubbard II\My Documents\backup-20041203-144203-379.dll - TrojanDownloader:Win32/Agent.EJ -> Infected
C:\WINDOWS\1400 x 1050 IBM Americas Map.bmp->ADS:zpvwn - TrojanDownloader:Win32/WinShow.AK -> Suspicious
C:\WINDOWS\1400 x 1050 IBM Americas Map.bmp->ADS:qruqm - TrojanDownloader:Win32/WinShow.AK -> Suspicious
C:\WINDOWS\1600 x 1200 IBM Americas Map.bmp->ADSlfah - TrojanDownloader:Win32/WinShow.AK -> Suspicious
C:\WINDOWS\agknne.dll->ADS:rclnt - TrojanDownloader:Win32/Agent.EJ -> Infected
C:\WINDOWS\apiyd.dll - TrojanDownloader:Win32/Agent.EJ -> Infected
C:\WINDOWS\d3da32.dll - TrojanDownloader:Win32/Agent.EJ -> Infected
C:\WINDOWS\icrac.txt->ADS:ldcfo - TrojanDownloader:Win32/Agent.EJ -> Infected
C:\WINDOWS\iecd.dll - TrojanDownloader:Win32/Agent.EJ -> Infected
C:\WINDOWS\iis6.log->ADS:wktif - TrojanDownloader:Win32/WinShow.AK -> Infected
C:\WINDOWS\iis6.log->ADS:grlkc - TrojanDownloader:Win32/WinShow.AK -> Infected
C:\WINDOWS\ipfw.dll - TrojanDownloader:Win32/Agent.EJ -> Infected
C:\WINDOWS\javaev32.dll - TrojanDownloader:Win32/Agent.EJ -> Infected
C:\WINDOWS\netst.dll - TrojanDownloader:Win32/Agent.EJ -> Infected
C:\WINDOWS\ntcn32.dll - TrojanDownloader:Win32/Agent.EJ -> Infected
C:\WINDOWS\setupact.log->ADS:kjuye - TrojanDownloader:Win32/WinShow.AK -> Suspicious
C:\WINDOWS\Welcome.ini->ADS:vgwvt - TrojanDownloader:Win32/WinShow.AK -> Suspicious
C:\WINDOWS\Windows Update.log->ADS:kgqtn - TrojanDownloader:Win32/WinShow.AK -> Suspicious
C:\WINDOWS\system32\atldw32.dll - TrojanDownloader:Win32/Agent.EJ -> Infected
C:\WINDOWS\system32\cryg32.dll - TrojanDownloader:Win32/Agent.EJ -> Infected
C:\WINDOWS\system32\d3ac.dll - TrojanDownloader:Win32/Agent.EJ -> Infected
C:\WINDOWS\system32\d3dl32.dll - TrojanDownloader:Win32/Agent.EJ -> Infected
C:\WINDOWS\system32\sdkry.dll - TrojanDownloader:Win32/Agent.EJ -> Infected

Scanned
============================
Objects: 33621
Directories: 2502
Archives: 6532
Size(Kb): 1456989
Infected files: 17

Found
============================
Viruses found: 2
Suspicious files: 6
Disinfected files: 0
Mail files: 52

 

C:\WINDOWS\1400 x 1050 IBM Americas Map.bmp->ADS:zpvwn - TrojanDownloader:Win32/WinShow.AK -> Suspicious
C:\WINDOWS\1400 x 1050 IBM Americas Map.bmp->ADS:qruqm - TrojanDownloader:Win32/WinShow.AK -> Suspicious
C:\WINDOWS\1600 x 1200 IBM Americas Map.bmp->ADSlfah - TrojanDownloader:Win32/WinShow.AK -> Suspicious

Interesting. Are those files really .bmp (bitmap pictures)? I've read about infected picture files but haven't run across anyone who actually had any.

 

Newt,

I would click on them to tell you, but I have the (probably unfounded) fear that doing so will somehow aggravate the condition. If not, just let me know.

Thanks,

Rex

 

Noah,

Thanks for the links and help.

1) For some reason, I am unable to update the SpywareBlaster program. It said that the firewall may be preventing the updates; other potential problems were mentioned. What should I do?

2) My AOL Instant Messenger and Imesh cannot connect to the Internet. Can this be corrected, given all of the items that I deleted?

3) There is a shell32.dll file, but not a shell.dll file in system32. Is the first the one to which you're referring, or am I missing the file?

 

Rex - I can't swear they won't do damage to you.

However, I'd love to see them so if you would be willing to zip them (which will render them totally harmless to your system) and email me the zip folder, I'd appreciate it.

 

You should have both the shell.dll and the shell32.dll in that folder.

Has your firewall prompted you to allow those programs internet access? (Aim, SpywareBlaster)

I have attached a zip file to this post. Download and save to your desktop, then extract to it's own folder. Open and right click/copy the zip.exe. Open C:\Windows and right click paste. Then open C:\Windows\system32 folder and right click/paste. **A copy of zip.exe MUST be in both folders for it to work properly.

Reboot to safe mode and open the WinShowRemove folder, then double click each of the .bat files in turn. This will create two zip files in C:.........bad32.zip and badwin.zip

Now open C:\Windows and right click/copy each of those bmp files from the RAV scan, then right click badwin.zip and paste, one at a time.

Open My Documents and delete the backup-20041203-144203-379.dll file.

Empty all temp folders and recycle bin. Reboot back to windows and come back to this post. Click here and attach the two bad zip files to an email to me.

attachment removed as it has served it's purpose and would not be suitable for use by anyone else......noahdfear

 

noah,

Now please don't become angry if I erred, but when I was in Safe Mode and I double-clicked on both of the 'bad' files, a screen popped up giving me the options "extract ", "run ", "cancel ". So I clicked on 'run' for both of them, not knowing what else to do (I had a bad feeling about extracting them). Anyway, when I checked to see if any zipped files bearing those names had been installed, I could not find any. Once I saw that, I decided to tell you immediately and not proceed to any further step.

Just to bring you up-to-date, I deleted one-by-one the files that the RAV scan displayed before your last post. So I may have already accomplished the task to which you just set me.

For what it's worth, I'm receiving about one pop-up per hour, so the rate is down significantly.

Thanks again; I await further instruction.

P.S. I will be driving the entire day tomorrow, and it may be a few days before I can find an Internet connection at my new location. But I will not abandon the post.

 

I really don't know why you got the options you did. That, if I understand you correctly, happened when you double clicked the badwin.bat and bad32.bat files that were extracted from the downloaded zip file?

Regardless, by deleting those files prior to running the bat files, you would not have gotten the badwin.zip and bad32.zip files in C: My only purpose for doing it that way was to keep a copy of those files safe, while I checked them out. Some of the reported infected files were normal Windows files, and when viewed, may not have really been infected and could have been put back. Or, if they were infected, I may have been able to edit out the infection and again, replace them. No great loss either way, as they were only installation logs that I was concerned with. Other than that, zipping them up and sending to me would have allowed me to see the infected dlls also, and possibly submit them for further study. Again, no great loss that you manually deleted them. Did you empty the recycle bin?

Is the popup by chance the same one every time? If so, an address would be appreciated if you can get it.

Did you zip up the bmp files for Newt? If you still have a copy, plaese forward to me also, at the link given above.

Did you get the Windows Updates?

Please post another HJT log.

BTW, I don't get angry, and don't feel I have any reason to be. You've responded well to our recommendations (well, except for the Windows Updates .....LOL).

 

Noah,

It appears to be a pop-up related to casinos every time. How do I find the address, should it occur again?

I downloaded those Windows Updates two days ago; sorry for not telling you.

For some reason, the last time I ran SpyBot, it picked up over twice as many things as it did the time before last. Oh well.

I e-mailed you the zip folder. I guessed that Newt's address is 'newt@windowsbbs.com', so I sent it there. Whether that is right or not, I do not know.


Logfile of HijackThis v1.98.2
Scan saved at 9:27:42 PM, on 12/7/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Smartek\WordSmart\trayicon.exe
C:\Program Files\iMesh\Client\iMeshClient.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Carl Rex Hubbard II\My Documents\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - Startup: iMesh.lnk = C:\Program Files\iMesh\Client\iMeshClient.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WordSmart Tray Icon.lnk = C:\Program Files\Smartek\WordSmart\trayicon.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {40D61F04-59E4-4C8D-BF6E-697AB9C21F43} - http://www.instantchess.com/applet/chessbar.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1102187486002
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

 

If you have the status bar set to view in IE, you should be able to hover on the popup and see the address in the status bar at the bottom of the page. You could also try right clicking it and viewing the properties. I don't see anything in your log to suggest the cause. Do you get the popup when opening a certain page/site?

This excerpt from your HJT log;
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
tells me that you are still missing some critical updates.

Don't recall anything in your logs to suggest a problem with VX2, but lets check anyway. In an Internet Explorer window, copy and paste the following command into the address bar, then hit enter.

javascript:navigator.userAgent

Copy and paste the text of the resulting window into your next reply. It will be something similar to this; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)

Would you locate your latest Spybot scan log and post it's contents please.

 

If anyone on the forum has email setup, you can click on their username and get a dropdown. It has their current email address although you won't see it. Also, here are mine in a picture so they can't be bot harvested.

LOL - I may even have a live address of 'newt@windowsbbs.com' but if so, I have no idea if it redirects to home or work or to a old email address that is no longer functional. Nothing seen at home as of now.

 

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Cydoor and DSO Exploit are the ones that seem impossible to delete for good.

Thanks again, guys. I'll try to be back as soon as possible.

 

The pop-up that I just saw came up when I signed onto AOL Instant Messenger. It was (no surprise) an AOL "Get 5 billion free hours" type of pop-up.

A SysTweak.com pop-up also came up.

 

Nothing out of the ordinary on the browser check.

Those sound like normal popups, not caused by any intruders on your system. The Google toolbar should block most of those if the blocker is turned on. If you update your comp to SP2, it also has a pretty effective popup blocker that will be installed automatically.

The DSO exploits are a glitch in Spybot. Do a search here for it. I posted a thread about it with links for more info.

BTW, never did get the email. try again? Click here

 

Newt and noahdfear,

Thank you again for helping me. I think that my spyware problems have been almost entirely eliminated. When I get back to my laptop (still away for the holidays), I will try to remember to send you two the corrupted images that you requested earlier but that I could not send because of an inability to find your e-mail addresses.

-Noesis