
Pop-up attack & green double underlined words

Discussion in 'Malware and Virus Removal Archive' started by 02darkRS, 2006/05/16.

  1. 2006/05/16
    02darkRS

    02darkRS Inactive Thread Starter

    Joined:
    2006/05/16
    Messages:
    79
    Likes Received:
    0
    I've searched through a bit & followed the Removing Spyware & Malware thread. In an attempt to save a few posts I will list everything I have run & the reports. Hope this helps, thanks in advance.


    I am under pop-up attack (normally shopping ads), with or without IE use/activity on my part. Also, various words are double underlined & displayed in green on web pages. If clicked they redirect IE. This began about 2-3 months ago with very little pop-up activity but has grown in the last few weeks to 20-30 pop-ups overnight.


    Scanned in Spy Bot SD -
    No immediate threats found

    Scanned with Adaware 6.0 -
    10 scans removed 52 objects, quarantined 36

    Ran NOD 32 virus scanner-
    found variants of Win32 adware but could not remove them. Copied to quarantine.

    Scanned w/ Bit Defender -
    BitDefender Online Scanner - Real Time Virus Report
    Generated at: Tue, May 16, 2006 - 14:55:11

    Scan Info
    Scanned Files 625559
    Infected Files 32

    Virus Detected
    Trojan.Sillydl.36864.A 1
    Trojan.Downloader.Qoologic.AL 1
    Application.Adware.Funweb.A 2
    XM.Compat.{A,B} 1
    Trojan.Downloader.Qoologic.AC 12
    Trojan.Lowzones.AM 1
    Trojan.Sillydl.65536.DLL 1
    Trojan.Downloader.Qoologic.AD 10
    Trojan.Downloader.Qoologic.AE 3

    Scanned w/ CA
    No viruses found

    Scanned w/ Panda

    Incident - Status - Location
    Spyware:Cookie/Hbmediapro - Not disinfected - C:\Documents and Settings\Alliance Shippers\Cookies\allianceshippers@adopt.hbmediapro[2].txt
    Spyware:Cookie/PointRoll - Not disinfected - C:\Documents and Settings\Alliance Shippers\Cookies\alliance shippers@ads.pointroll[1].txt
    Spyware:Cookie/Apmebf - Not disinfected - C:\Documents and Settings\Alliance Shippers\Cookies\alliance shippers@apmebf[2].txt
    Spyware:Cookie/Atwola - Not disinfected - C:\Documents and Settings\Alliance Shippers\Cookies\alliance shippers@atwola[1].txt
    Spyware:Cookie/Azjmp - Not disinfected - C:\Documents and Settings\Alliance Shippers\Cookies\alliance shippers@azjmp[2].txt
    Spyware:Cookie/Belnk - Not disinfected - C:\Documents and Settings\Alliance Shippers\Cookies\alliance shippers@belnk[1].txt
    Spyware:Cookie/Enhance - Not disinfected - C:\Documents and Settings\Alliance Shippers\Cookies\alliance shippers@c.enhance[1].txt
    Spyware:Cookie/GoClick - Not disinfected - C:\Documents and Settings\Alliance Shippers\Cookies\alliance shippers@c.goclick[1].txt
    Spyware:Cookie/did-it - Not disinfected - C:\Documents and Settings\Alliance Shippers\Cookies\alliance shippers@did-it[1].txt
    Spyware:Cookie/Belnk - Not disinfected - C:\Documents and Settings\Alliance Shippers\Cookies\alliance shippers@dist.belnk[2].txt
    Spyware:Cookie/OfferOptimizer - Not disinfected - C:\Documents and Settings\Alliance Shippers\Cookies\alliance shippers@offeroptimizer[2].txt
    Spyware:Cookie/Overture - Not disinfected - C:\Documents and Settings\Alliance Shippers\Cookies\alliance shippers@perf.overture[1].txt
    Spyware:Cookie/RealMedia - Not disinfected - C:\Documents and Settings\Alliance Shippers\Cookies\alliance shippers@realmedia[1].txt
    Spyware:Cookie/Target - Not disinfected - C:\Documents and Settings\Alliance Shippers\Cookies\alliance shippers@target[1].txt
    Spyware:Cookie/BurstBeacon - Not disinfected - C:\Documents and Settings\Alliance Shippers\Cookies\alliance shippers@www.burstbeacon[1].txt
    Spyware:Spyware/Support - Not disinfected - C:\Program Files\Support.com\bin\tgcmd.exe
    Adware:adware/elitebar - Not disinfected - C:\WINDOWS\eliteunstall.exe
    Adware:Adware/PopupSearches - Not disinfected - C:\WINDOWS\JUSTIN2.exe[²Ã¨Ã‡]
    Adware:adware/exact.bargainbuddy - Not disinfected - C:\WINDOWS\launcher.exe
    Spyware:Spyware/SafeSurf - Not disinfected

    I delete cookies somewhat regularly & really want to delete all that came up on Panda manually, but am not sure if this is the thing to do. Next post is the HijackThis scan after doing all the above. Thanks again in advance!
     
  2. 2006/05/16
    02darkRS

    02darkRS Inactive Thread Starter

    Joined:
    2006/05/16
    Messages:
    79
    Likes Received:
    0
    HijackThis scan

    Logfile of HijackThis v1.99.1
    Scan saved at 5:15:13 PM, on 5/16/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\system32\PROMon.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\WINDOWS\System32\NMSSvc.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\PROGRA~1\RJSOFF~1\RJSOFF~2.EXE
    C:\Program Files\Mozilla Thunderbird\thunderbird.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Mochasoft\mtn5250.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Alliance Shippers\My Documents\AntiSpyware\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.space.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = col-proxy.alliance.com:3128
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = asi.alliance.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nse3835.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {70F6A776-579A-4C95-BA88-134253907752} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\system32\adrotate.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
    O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe "
    O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe "
    O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [adstart] iexplore.exe http://__adstart
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCzfw003
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.elitemediagroup.net
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147181523425
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D5BD6C8A-0F90-4C27-A5F1-1121433AC01E}: NameServer = 192.168.2.9
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe
    O23 - Service: RJS iSeries Office Integrator Service (rjsofficeservice) - RJS Software Systems Inc. - C:\PROGRA~1\RJSOFF~1\RJSOFF~2.EXE
     


  4. 2006/05/16
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    Use HijackThis to fix:

    O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nse3835.dll
    O2 - BHO: (no name) - {70F6A776-579A-4C95-BA88-134253907752} - (no file)
    O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - (no file)
    O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\system32\adrotate.dll
    O4 - HKLM\..\Run: [adstart] iexplore.exe http://__adstart
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCzfw003
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O15 - Trusted Zone: *.elitemediagroup.net
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)

    Use the log from your other scans & manually delete the files that could not be handled by those antivirus/antispyware programs.
     
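    Added example, not code from this thread or from HijackThis: a small Python script that reads HijackThis log lines like the ones TonyT lists and flags the entry types he picked out (an O2 BHO with no file behind it or a random-looking system32 DLL name, an O4 Run entry that starts IE with a URL at logon, and any O15 Trusted Zone entry). The sample lines are copied from the log posted above; the heuristics are my own and will not catch everything a human reviewer would.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nse3835.dll
O2 - BHO: (no name) - {70F6A776-579A-4C95-BA88-134253907752} - (no file)
O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\system32\adrotate.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [adstart] iexplore.exe http://__adstart
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# Every HijackThis line starts with a section tag (R0, R1, O2, O4, ...) then " - ".
LINE_RE = re.compile(r"^([RO]\d+) - (.*)$")


def classify(line):
    """Return (section, reason) for a line worth a closer look, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    if section == "O15":
        # Trusted Zone entries relax IE's security checks for that host; a clean
        # XP install has none, so each one deserves a look.
        return section, "Trusted Zone entry for " + body.split(": ", 1)[1]
    if section == "O2":
        name = body[len("BHO: "):].split(" - ")[0]
        if body.endswith("(no file)"):
            return section, "BHO registered but its DLL is missing (orphaned entry)"
        if re.search(r"\\system32\\[a-z]{2,4}\d{3,}\.dll$", body, re.I):
            return section, "BHO DLL in system32 with a random-looking name"
        if re.search(r"banner|rotator|popup|adware", name, re.I):
            return section, "BHO display name suggests ad injection: " + name
    if section == "O4":
        # A Run key that starts IE with a URL on every logon is how the pop-ups
        # in this thread were being spawned.
        if re.search(r"iexplore\.exe\s+https?://", body, re.I):
            return section, "autorun launches IE with a URL at logon"
    return None


def review_log(text):
    """Return a list of (section, reason, line) tuples for every flagged entry."""
    findings = []
    for raw in text.splitlines():
        hit = classify(raw)
        if hit:
            findings.append((hit[0], hit[1], raw.strip()))
    return findings


if __name__ == "__main__":
    for section, reason, line in review_log(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

    Point it at a saved HijackThis log (`review_log(open(path).read())`) and compare its output with the entries a helper on the forum picks out; lines it stays silent on, such as the O23 PLSRemote service, still need a human eye.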
  5. 2006/05/16
    Arie

    Arie Administrator Administrator Staff

    Joined:
    2001/12/27
    Messages:
    15,174
    Likes Received:
    412
    Arie,
    #4
  6. 2006/05/16
    02darkRS

    02darkRS Inactive Thread Starter

    Joined:
    2006/05/16
    Messages:
    79
    Likes Received:
    0
    TonyT - thank you, will do it a.m. tomorrow. I almost got rid of the Mirar ones & the adstart, just figuring they were a problem as I have heard of Mirar before.

    Arie - strange, I never noticed it until now, but I do see it is doing this on my home PC as well & I have no problems with it.
     
  7. 2006/05/17
    02darkRS

    02darkRS Inactive Thread Starter

    Joined:
    2006/05/16
    Messages:
    79
    Likes Received:
    0
    Deleted everything as advised & all seems fixed. THANK YOU!!!!!

    Do I need to do something with these found by BitDefender, or were they taken care of with the deleting of items with HijackThis?

    Trojan.Sillydl.36864.A 1
    Trojan.Downloader.Qoologic.AL 1
    Application.Adware.Funweb.A 2
    XM.Compat.{A,B} 1
    Trojan.Downloader.Qoologic.AC 12
    Trojan.Lowzones.AM 1
    Trojan.Sillydl.65536.DLL 1
    Trojan.Downloader.Qoologic.AD 10
    Trojan.Downloader.Qoologic.AE 3
     
  8. 2006/05/17
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    02darkRS

    There is no indication from your BitDefender online scan - which I have not had cause to use - that the trojans were removed.

    As a check, download and run the trial version of Ewido. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

    Boot into Safe Mode and run Ewido - full system scan, save the report and post it here.
     
  9. 2006/05/17
    02darkRS

    02darkRS Inactive Thread Starter

    Joined:
    2006/05/16
    Messages:
    79
    Likes Received:
    0
    Ewido Full system scan

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 1:41:35 PM, 5/17/2006
    + Report-Checksum: FF9AAB4B

    + Scan result:

    HKU\S-1-5-21-3647607285-3761886937-2117245221-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ADE0443-2AB2-4B23-A3F8-AC520773DE12} -> Adware.Begin2Search : Cleaned with backup
    C:\System Volume Information\_restore{E7276E57-4F79-409F-B1A4-3D382C476E72}\RP594\A0028231.dll -> Adware.SafeSurfing : Cleaned with backup
    C:\System Volume Information\_restore{E7276E57-4F79-409F-B1A4-3D382C476E72}\RP594\A0028235.dll -> Adware.EZula : Cleaned with backup
    C:\System Volume Information\_restore{E7276E57-4F79-409F-B1A4-3D382C476E72}\RP659\A0030850.exe -> Adware.EZula : Cleaned with backup
    C:\System Volume Information\_restore{E7276E57-4F79-409F-B1A4-3D382C476E72}\RP659\A0030854.dll -> Adware.SafeSurfing : Cleaned with backup
    C:\WINDOWS\system32\PLSRemote.exe -> Not-A-Virus.RemoteAdmin.Win32.PLSRemot : Cleaned with backup


    ::Report End
     
  10. 2006/05/17
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Ewido did not detect those trojans although that does not imply that they are not present.

    From the BitDefender web site ....
    Did you do this? If not I suggest you scan again at BitDefender.

    Incidentally you will have seen from the Ewido report that infections were detected in your System Restore files. You should turn off System Restore, reboot and turn it back on again. This will clear all the restore points, some of which will contain the infections which have been cleaned via this thread.
     
  11. 2006/05/17
    02darkRS

    02darkRS Inactive Thread Starter

    Joined:
    2006/05/16
    Messages:
    79
    Likes Received:
    0
    Clean!

    Going back and looking closer at the report, BitDefender did attempt to clean each one & then deleted each one when cleaning failed. Not sure why it wouldn't have come up when I pasted it into the thread, sorry.

    I have cleared the restore points as well. Seems like all is well. THANKS AGAIN!
    :D
     
  12. 2006/05/17
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    You're welcome - glad to hear that things are back to normal :)
     
