
I'm new here and have a huge problem

Discussion in 'Malware and Virus Removal Archive' started by garrfoster, 2005/12/17.

  1. 2005/12/17
    garrfoster

    garrfoster Inactive Thread Starter

    Joined:
    2005/12/17
    Messages:
    2
    Likes Received:
    0
    I've got some big pop up issues and I've tried very many steps to remove them.

    I've run Ad-Aware and Spybot scans with the updates downloaded.

    I've used spysweeper and spyware doctor.

    I ran Norton and an online virus scanner that helped detect a folder containing over 1400 malicious files, but I'm still having pop-up issues.

    I ran a HijackThis log and am going to place it in here.

    If anyone here has time to help with this issue, I would greatly appreciate it.

    Logfile of HijackThis v1.99.1
    Scan saved at 4:52:31 PM, on 12/17/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\mnmsrvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\LVComsX.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\iTunes\iTunes.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Admin\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/assets/activexplayer/SMALStreaming.cab
    O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\mvr4l99q1.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Windows Configuration Loader - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
     
  2. 2005/12/17
    BOBBO

    BOBBO Geek Member

    Joined:
    2002/01/07
    Messages:
    1,892
    Likes Received:
    19
    garrfoster: Welcome to the Board! I can't offer any suggestions to solve your problem, but there are some real sharp people here who no doubt can. They are very likely going to want to know which version of Windows you have and also what browser you're using when the pop-ups appear. Which e-mail program you use might also make a difference. So get back to us with that info, and hang in there, somebody should be offering some real help soon.
     


  4. 2005/12/18
    mrsmith

    mrsmith Inactive

    Joined:
    2005/12/14
    Messages:
    56
    Likes Received:
    0
    Hello and welcome.
    Looks to me like you have Look2Me and the cachecachekit trojan.

    Please do the following:

    Turn off Spyware Doctor for now, and keep it from starting up at system start. You can turn it back on later if you prefer that one over Spy Sweeper. I recommend Spy Sweeper though.
    Next, download, install and run Cr*p Cleaner at http://www.ccleaner.com
    Keep using this after you get your system fixed.
    Now you will need to restart and run HijackThis, put a checkmark on the items listed below and click on "Fix selected items".

    O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\mvr4l99q1.dll
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: Windows Configuration Loader - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
    O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class)

    Next I would recommend that you download and install ewido at http://download.ewido.net/ewido-setup.exe. When you fire this program up it will give you an error message; no big deal. Check for and download updates, then let it do its thing (click on scan).

    Now restart again and then get a good anti-virus program, namely AntiVirXP Classic at http://www.antivir-pe.de/en/
    Follow these instructions.
    It will start a scan immediately after install. Click on the button at the bottom to stop it and check for updates (right-click on the umbrella in the taskbar and click on Internet Update; the other settings from here I will post separately). Then open up the configuration settings.
    The first window is scan settings: check both boot records and report unknown boot records; check all files and start with memory, with medium priority.
    Repair window: check repair without prompt, then if not repairable select delete with prompt. This way, if something you need is unrepairable, you will know what it is so you can replace it.
    Next is unwanted programs: check "activate all types". You can change this later.
    The next window is Heuristic: activate macro and Win32 with medium priority. Click "OK" at the bottom.
    Now at the top left of the toolbar click "Scan" and kick back for a bit; the amount of time will depend on the speed of the system and how infected it is. Whatever it pulls up, do not delete. QUARANTINE and don't worry. This way you can see what everything is and make a record.
    Even after (and before) the scan the guard will be scanning all local drives. If you hear a jingle and a window pops up, QUARANTINE, and like I said don't worry; this guy will knock their socks off.
    I almost forgot. Whenever you have to restart, make sure the little umbrella is open in the systray. If not, open the main program and under Option > Config > Miscellaneous click "load guard at system start". Now you will go through anything it finds and repair or wipe them clean. Replace anything you had to wipe with a fresh load.
    Now, if you don't already have it, download, install, update and enable all protection for SpywareBlaster at http://www.javacoolsoftware.com. It is version 3.4.
    Restart again (I know it's a pain, but it's needed to make sure things are completely dealt with), do another HijackThis log and post it.

    Thank you and I hope this helps.
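    The entries mrsmith singles out above share traits a defender can check mechanically: a Winlogon Notify DLL with a randomised name or a .tmp extension, a service with no registered owner whose binary is missing, and a copy of svchost.exe living outside System32. The Python below is an added example, not code from this thread or from HijackThis; its O20/O23 line parser, the System32-only binary list and the letter/digit-switch threshold are assumptions of this example, and the sample lines are copied from the two logs posted in the thread.

```python
import ntpath
import re

# Constructed sample: O20/O23 lines copied from the thread's logs plus one benign Symantec entry.
SAMPLE_LOG = r"""
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\mvr4l99q1.dll
O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\guard.tmp (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Windows Configuration Loader - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""
MISSING = " (file missing)"
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>.+?) - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Assumed list of core Windows binaries that only run from System32; a copy elsewhere is a masquerade.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "csrss.exe"}

def strip_missing(path):
    # Split HijackThis's "(file missing)" marker off the path.
    return (path[:-len(MISSING)], True) if path.endswith(MISSING) else (path, False)

def digit_letter_switches(stem):
    # Count letter<->digit switches: Look2Me names like mvr4l99q1 switch far more often than crypt32.
    kinds = [c.isdigit() for c in stem if c.isalnum()]
    return sum(a != b for a, b in zip(kinds, kinds[1:]))

def triage_o20(path):
    exe, missing = strip_missing(path)
    stem, ext = ntpath.splitext(ntpath.basename(exe))
    checks = [
        (ext.lower() != ".dll", "Winlogon Notify package is not a .dll"),
        (missing, "notify DLL is gone but its registry entry remains"),
        (digit_letter_switches(stem) >= 2, "randomised filename typical of Look2Me droppers"),  # threshold assumed
    ]
    return [msg for hit, msg in checks if hit]

def triage_o23(owner, path):
    image, missing = strip_missing(path)
    image = image.split('"')[0].strip()  # drop command-line arguments such as rpcapd's -d -f
    base, parent = ntpath.basename(image).lower(), ntpath.basename(ntpath.dirname(image)).lower()
    checks = [
        (base in SYSTEM_NAMES and parent != "system32", f"{base} outside System32 (masquerading as a Windows binary)"),
        (owner == "Unknown owner" and missing, "service with no registered owner whose binary is missing"),
    ]
    return [msg for hit, msg in checks if hit]

def triage(log_text):
    # Return {hjt_line: [reasons]} for every O20/O23 entry that some heuristic flags.
    findings = {}
    for line in log_text.strip().splitlines():
        reasons = []
        if m := O20_RE.match(line):
            reasons = triage_o20(m["path"])
        elif m := O23_RE.match(line):
            reasons = triage_o23(m["owner"], m["path"])
        if reasons:
            findings[line] = reasons
    return findings
```

    Running `triage(SAMPLE_LOG)` flags the four entries the thread had removed and leaves the Norton service alone; the same rules can be run over a full log to shortlist lines before the manual review a helper like mrsmith still does.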
     
  5. 2005/12/19
    garrfoster

    garrfoster Inactive Thread Starter

    Joined:
    2005/12/17
    Messages:
    2
    Likes Received:
    0
    Mr Smith, I think you just saved my computer.

    All of the pop-ups I had are completely gone, but here's the HijackThis log you asked me to post again.

    Logfile of HijackThis v1.99.1
    Scan saved at 12:54:59 AM, on 12/19/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\WINDOWS\System32\mnmsrvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\AIM\aim.exe
    C:\Documents and Settings\Admin\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\guard.tmp (file missing)
    O20 - Winlogon Notify: URL - C:\WINDOWS\system32\i6jqlg1516.dll (file missing)
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe



    Thanks so much again for the help, I really appreciate it.
     
  6. 2005/12/19
    mrsmith

    mrsmith Inactive

    Joined:
    2005/12/14
    Messages:
    56
    Likes Received:
    0
    OK, sounds like you are getting there. Got rid of a couple of things, but I still see some issues we need to clear up, I believe. Did you run the antivirus program I asked you to run?
    If not, here is the link again: AntiVirXP Personal at http://www.antivir-pe.de/en/
    Use the AntiVir Personal Classic. It is free. You can uninstall it and keep the Norton if you like after we are done. Follow the directions in my previous post on this program, and make sure you shut down Norton AntiVirus and disable it from starting up again until we are done. Don't have more than one program doing a particular task. OK? Also get this:
    CCleaner at http://www.ccleaner.com/ccdownload.asp
    and run it before each restart. You will probably need to do 2 scans with each of the following programs:
    AdAware SE
    Spybot Search & Destroy
    AntiVir XP
    Fix or remove anything any of them find.
    After each scan run CCleaner and then restart the computer.

    I'll have more for you in a bit. I have to get the info together properly for you.

    Oh, and run HijackThis again when you are done so we can see what's up, and post the log.
     
    Last edited: 2005/12/19
  7. 2005/12/19
    mrsmith

    mrsmith Inactive

    Joined:
    2005/12/14
    Messages:
    56
    Likes Received:
    0
    OK, here is the info I promised you. Please follow exactly.
    Click Start > Run > and type in:

    services.msc

    Click OK.

    In the services window find

    Remote Packet Capture Protocol v.0 (experimental)

    Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply, then OK. File > Exit the Services utility.

    Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.

    Now run HijackThis and place a checkmark next to the following items:
    O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\guard.tmp (file missing)
    O20 - Winlogon Notify: URL - C:\WINDOWS\system32\i6jqlg1516.dll (file missing)
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    Click on "Fix selected".
    Close HijackThis and run CCleaner.
    Now under Start menu > All Programs > Accessories > System Tools click on System Restore and create a new restore point. Name it whatever you like. Close out of there when it is complete and open Disk Cleanup (in the same location as System Restore). Under the "More Options" tab you will see System Restore; click on the "Clean up" button, then click OK. When it is finished, run CCleaner again. Now shut down your computer, wait 10 - 15 seconds, and you can then restart your computer.
    Now run HijackThis and post your new log.
    Thank you.

    You can now make one more pass (scan) with Ewido just to be sure.
    And then (if you wish) uninstall the AntiVirXP and restart the Norton AntiVirus. Make sure you only run Spyware Doctor OR Spy Sweeper, and IMMUNIZE your system with Spybot Search and Destroy. There is a one-click button for that.
     
    Last edited: 2005/12/19
