Still Getting Pop-Ups [HJT Log]

Still Getting Pop-Ups

Hello,
First of all, I want to thank all of you in advance who may be able to provide me with some assistance. I've been working on a friend's computer who had the most spyware I have ever seen on a system. You should have seen how many HijackThis O4's !!!

Anyway, I've cleaned up a bunch of junk, cleared out some dll startup errors, and ran a bunch of spyware removal tools most of you recommend (spybot, ad-aware, ewido, mwav, cwshredder). I've looked thru the HT log, but I'm guessing I'm missing some things. I've gone on liutilities.com, iamnotageek.com, and castlecops.com among others in an attempt to clear most of the junk. Many of the popups have finally disappeared, yet I'm still getting a few. Seems like it's the occasional "www.fixer.com" one, plus some other random ones.

Looks as though I'm missing something. Any suggestions. I posted the latest HT log (after just running ad-aware and spybot):


Logfile of HijackThis v1.97.7
Scan saved at 1:59:07 AM, on 8/8/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\IEXPLOR.EXE
C:\windows\system32\tvdxregv.exe
C:\WINDOWS\System32\jbrjpb.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\aiid\uame.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\wintask.exe
C:\PROGRA~1\VBouncer\VIRTUA~1.EXE
C:\PROGRA~1\ADDEST~1\ADDEST~1.EXE
C:\Virus Protection\HijackThis.exe
C:\Program Files\CMAPP\Client\cmappclient.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [4RKLLEE2GMJRXG] C:\WINDOWS\SYSTEM32\ULLMD.EXE
O4 - HKLM\..\Run: [znmuhc] C:\WINDOWS\System32\znmuhc.exe
O4 - HKLM\..\Run: [Nitto Hacking] C:\WINDOWS\System32\Nitto Hacking.exe
O4 - HKLM\..\Run: [SysStart] C:\WINDOWS\System32\vsysxx2r.exe dvd
O4 - HKLM\..\Run: [C:\WINDOWS\IEXPLOR.EXE] C:\WINDOWS\IEXPLOR.EXE
O4 - HKLM\..\Run: [AtxBrw] C:\WINDOWS\IEXPLOR.exe
O4 - HKLM\..\Run: [PopMark] C:\WINDOWS\WinTask.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [scxafwf] c:\windows\system32\bewdhgt.exe
O4 - HKLM\..\Run: [ZStart] C:\windows\system32\tvdxregv.exe dvd
O4 - HKLM\..\Run: [uoqivgh] c:\windows\system32\xsjkkd.exe r
O4 - HKLM\..\Run: [4eaxdlz4] C:\Program Files\4eaxdlz4\4eaxdlz4.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\jbrjpb.exe reg_run
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [ttupt] C:\WINDOWS\ttupt.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe "
O4 - HKCU\..\Run: [Trse] C:\Program Files\aiid\uame.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\vsysxx2r.exe
O4 - Startup: Zstart.lnk = C:\WINDOWS\system32\hffsysinst5.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123391844875
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123391837375
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


Lastly, I have come here often looking for assistance, and I have always come away with an unbelievable amount of help. And in every situation, all of you have always corrected my issues. For this, I thank you so much. And I appreciate you looking at my latest issue.

Thanks again,
Paul
(cintoman)

 

Hello Paul,

Logfile of HijackThis v1.97.7

Latest version is 1.99.1 http://radiosplace.com/

Regards - Charles

 

Hello,
Thanks for your help Tony T !! charlesvar: My latest HijackThis (V1.99) log is below. BTW, what I seen to be getting now are popups related to VirtualBouncer, and that *&^$* winfixer.com site. Anyways, here's the log.

Thanks again for your continued help:

Logfile of HijackThis v1.99.1
Scan saved at 1:18:01 PM, on 8/8/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\System32\exp.exe
C:\WINDOWS\System32\wintask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\nikn.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
c:\windows\system32\tvdxregv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\7a57263d52ef89a3cee46b33df8a0a10\update\update.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\VBouncer\VIRTUA~1.EXE
C:\Virus Protection\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [4RKLLEE2GMJRXG] C:\WINDOWS\SYSTEM32\ULLMD.EXE
O4 - HKLM\..\Run: [Nitto Hacking] C:\WINDOWS\System32\Nitto Hacking.exe
O4 - HKLM\..\Run: [SysStart] C:\WINDOWS\System32\vsysxx2r.exe dvd
O4 - HKLM\..\Run: [PopMark] C:\WINDOWS\WinTask.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [ttupt] C:\WINDOWS\ttupt.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\jbrjpb.exe reg_run
O4 - HKLM\..\Run: [ZStart] c:\windows\system32\tvdxregv.exe dvd
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe "
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\vsysxx2r.exe
O4 - Startup: Zstart.lnk = C:\WINDOWS\system32\hffsysinst5.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123391844875
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123391837375
O20 - Winlogon Notify: Nitto Hacking - Nitto Hacking.dll (file missing)
O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\mai.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\WMP11 Config Utility\NICServ.exe (file missing)
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\bkxasvc.exe (file missing)

Paul
(Cintoman)

 

Hello, do this in the order I have here.

Disable System Restore.

Go to Start\Run, type in Services.Msc and press Enter. Locate this in the list.

Windows VisFx Components

Left click on it, then Stop the Service. Then right click on it, select Properties, and set to Disable.

Open HJT, and click on 'Open misc tools section', then click on "Open Process Manager ". Locate these in the list, highlight each one and click on 'Kill Process'.

C:\WINDOWS\System32\exp.exe
C:\WINDOWS\System32\wintask.exe
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\nikn.exe
c:\windows\system32\tvdxregv.exe
C:\PROGRA~1\VBouncer\VIRTUA~1.EXE

Open HJT, and click on 'Open misc tools section', then click on "Delete a file on reboot', a File Open window will appear. Copy/Paste the following into it.

C:\WINDOWS\System32\exp.exe

Then click on Open, and you will be prompted to reboot, select No at this time. Do the same for these.

C:\WINDOWS\System32\wintask.exe
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\nikn.exe
C:\WINDOWS\SYSTEM32\ULLMD.EXE
C:\WINDOWS\ttupt.exe
c:\windows\system32\tvdxregv.exe
C:\WINDOWS\System32\jbrjpb.exe
C:\WINDOWS\system32\hffsysinst5.exe
C:\WINDOWS\System32\PSof1.exe
C:\WINDOWS\bkxasvc.exe
C:\WINDOWS\system32\vsysxx2r.exe

Rescan with HJT, and remove these items with all browsers closed.

O4 - HKLM\..\Run: [4RKLLEE2GMJRXG] C:\WINDOWS\SYSTEM32\ULLMD.EXE
O4 - HKLM\..\Run: [Nitto Hacking] C:\WINDOWS\System32\Nitto Hacking.exe
O4 - HKLM\..\Run: [SysStart] C:\WINDOWS\System32\vsysxx2r.exe dvd
O4 - HKLM\..\Run: [PopMark] C:\WINDOWS\WinTask.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [ttupt] C:\WINDOWS\ttupt.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\jbrjpb.exe reg_run
O4 - HKLM\..\Run: [ZStart] c:\windows\system32\tvdxregv.exe dvd
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe "
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\vsysxx2r.exe
O4 - Startup: Zstart.lnk = C:\WINDOWS\system32\hffsysinst5.exe
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O20 - Winlogon Notify: Nitto Hacking - Nitto Hacking.dll (file missing)
O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\mai.dll
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\bkxasvc.exe (file missing)

Close HJT, and open Windows Explorer, and browse to this folder.
C:\Documents and Settings\All Users.Windows\Start Menu\Programs\Startup

Delete "nikn.exe "

The items in orange I could not identify, although Mai.Dll may be associated with a program called "IBM Lotus SmartSuite ". Maybe something new here with either of them? I can only find "Nitto Hacking" related to gaming.


Reboot into Safe Mode.
Delete all files and folders located in these folders.
C:\Windows\Prefetch
C:\Windows\Temp
C:\Documents and Settings\username\Local Settings\Temp

Delete these folders, these are all adware.
C:\Program Files\SurfSideKick 3
C:\Program Files\VBouncer
C:\Program Files\PrecisionTime

Then run the ewido scan while in Safe Mode, it can work wonders in this mode.

Reboot into Normal mode, and then enable System Restore. Please post a new HJT.
Would you tell me what you know about the things in orange?

 

Hello again,
Thank you for your reply and for all your help markp62. I really appreciate it.

I ran all your steps accordingly, rebooted, and ran HijackThis again. My log is below. As for the items in orange, I already removed them after my last posting, as I suspected they weren't legit. Things are looking a lot better now, but here's my latest log:

BTW: jbrjpb.exe and vsyss2r.exe are still showing up in the HT log despite both files not being present in c:\windows\system32. Also, under "processes running ", it's showing: C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\nikn.exe despite the file not being there either.



Logfile of HijackThis v1.99.1
Scan saved at 3:00:16 PM, on 8/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Virus Protection\CounterSpy\sunasDTServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Virus Protection\CounterSpy\sunasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\nikn.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Virus Protection\CounterSpy\sunasServAlert.exe
C:\Virus Protection\CounterSpy\sunasServAlert.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Virus Protection\HijackThis.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SysStart] C:\WINDOWS\system32\vsysxx2r.exe dvd
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Virus Protection\CounterSpy\sunasDTServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Virus Protection\CounterSpy\sunasServ.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\jbrjpb.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123391844875
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123391837375
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\WMP11 Config Utility\NICServ.exe (file missing)
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Thank you again for all your continued help !!!!

Paul

 

With the reappearance of the startup and the files are not there, I believe there is a DLL file hooked into either Internet Explorer or Explorer.Exe.
Get Process Viewer. And unzip to the desktop. Doubleclick RunMe.BAt, press 1 then Enter, and a log will be created in Notepad. Then press 2 then Enter, and another log should appear in another Notepad. Post both those logs here. They will be quite long so it will take more than one post.

 

Hello again,

Well, as much as I appreciate you latest reply for my help, unfortunately, my friend needed his system back yesterday, and I was unable to do what you suggested. However, I did reboot a few times, and ran HJT, and surprisingly, those entries did not show up any longer. In addition, I was doing some surfing using Mozilla, and haven't had anymore popups.

So, what I did was forward your latest suggestion to him, in the hopes that he runs it. I'm not sure if he will or not.

Nevertheless, I want to sincerely thank you markp62 immensely for all of the assistance you provided me. It was truly immeasurable, and very very much appreicated. Likewise to charlesvar and TonyT.

Thank you again !!!
Paul