
popup troubles HJT log included

Discussion in 'Malware and Virus Removal Archive' started by Branleo, 2005/03/02.

Thread Status:
Not open for further replies.
  1. 2005/03/02
    Branleo

    Branleo Inactive Thread Starter

    Joined:
    2005/03/02
    Messages:
    2
    Likes Received:
    0
    I messed up my work computer and haven't heard back from the IT department on help fixing it. A couple of weeks ago I happened upon a site that flooded my system with a ton of nasty stuff. I tried fixing it myself before I came here and got a lot of it. But the whole system is still slow, some adware/spyware keeps installing on startup, and popups continue with IE.

    Here is a list of what I have done so far:

    -Updated and ran Spybot, including using the Immunize feature
    -Updated and ran Ad-Aware
    -Updated and ran Microsoft AntiSpyware (beta)
    -Went to Add/Remove Programs and removed anything suspicious
    -Manually stopped the processes used by DMVlite and then deleted that program (this was before I found this site)
    -Switched to Firefox :D
    -Ran and saved a log using HJT based on advice in other posts

    Here is the log from HijackThis

    Logfile of HijackThis v1.99.1
    Scan saved at 11:15:26 AM, on 3/2/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\AccessManager\Client\AMBroker.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\Program Files\WorldCom IP VPN Remote Access\cvpnd.exe
    C:\WINNT\system32\DRIVERS\dcfssvc.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINNT\system32\rundll32.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Downloads\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AccessManager] C:\Program Files\AccessManager\Client\AccessMgr.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [antiware] C:\winnt\system32\elitezzi32.exe
    O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe "
    O4 - HKLM\..\Run: [Dvx] C:\WINNT\system32\wsxsvc\wsxsvc.exe
    O4 - HKLM\..\Run: [yqdxhv] c:\winnt\system32\yqdxhv.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe "
    O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
    O4 - HKCU\..\Run: [SpyWareWall] C:\PROGRA~1\SPYWAR~1\SpyWareWall.exe
    O4 - Global Startup: Cisco Systems IP VPN Remote Services.lnk = C:\Program Files\WorldCom IP VPN Remote Access\ipsecdialer.exe
    O4 - Global Startup: KODAK Picture Transfer Software.lnk = C:\Program Files\Kodak\KODAK Picture Transfer Software\pts.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/abarth/us/win/QuickTimeInstaller.exe
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = adsenv.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = adsenv.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = adsenv.com
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll
    O23 - Service: Access Manager Configuration Service (AMBroker) - Unknown owner - C:\Program Files\AccessManager\Client\AMBroker.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\WorldCom IP VPN Remote Access\cvpnd.exe
    O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINNT\system32\DRIVERS\dcfssvc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
    O23 - Service: SP Software Installer - Smartpipes, Inc. - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
    O23 - Service: Visual Insight Dial Analysis (sp_spi_da) - Smartpipes, Inc. - C:\Program Files\AccessManager\SMOC\spi_da.exe

    Thanks in advance for any help you can give.
     
    Last edited: 2005/03/02
  2. 2005/03/03
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS Branleo :)

    You have a nasty new virus that infects explorer.exe, and currently there is only one known way to properly clean it. Instructions follow. Good luck. ;)


    Please print this out and/or save it to text where you can access it in safe mode.

    Go here to download the free KAV Personal 5.0 Trial (good for 30 days).
    http://www.kaspersky.com/index.html

    Click on *downloads* on the left menu.

    Then scroll down and click on *trial versions*.

    Then choose *Kaspersky Anti-Virus Personal 5.0*.

    You will then have a list of the trial downloads to choose from (choose a location closest to you).

    Choose *save* and it should create and save to a KAV folder on your hard drive.

    Navigate to the KAV folder and doubleclick on kav5.0trial_personalen.exe to install it.

    You will see this screen showing the default folder it will install into. Click on *next*.

    If KAV detects another AV running on your PC it will advise you to uninstall it.
    You can do that or you can disable the existing AV program and then press *yes* to continue.
    The way to disable resident protection differs for different anti-virus programs. You might try right clicking on the icon for your AV program in the Windows System tray (on the lower right hand part of the screen) and looking at the different options.
    Alternatively, you may disable your AV from starting with Windows using msconfig (Start > Run and type msconfig and OK. Click on the Startup Tab, uncheck all the startups relating to your AntiVirus and reboot).
    The important thing is to set your current AV *not* to scan as your files are accessed, so that KAV can do its job.

    Next you will see the Kaspersky Anti-Virus Personal 5.0 Setup Wizard. It will advise you to close all other applications before starting setup. Do that and then press *Next* to continue.

    You will then be presented with the License Agreement. Read that and when done you can agree to continue.

    Next is the Customer Information screen. Just fill that in as you prefer and click on *next* to continue.

    You will be presented with some important KAV notes. Copy these and save in Wordpad/Notepad to refer back to if needed.

    Please remove the green checkmark from the box that says *Operate according to Recommended settings*. This is so you can do a custom install.

    Press *next* to continue after you have read those and unchecked the box for recommended settings.

    On the next screen, please uncheck the box for *use real-time protection against network attacks*.
    This has been known to cause problems on PCs running certain firewalls; you can try enabling it later, after the initial install and scan.

    You may leave the *iStreams technology* box checked if you like but it is generally recommended not to checkmark that box if you are going to uninstall KAV again after the infection has been removed.

    Now it will choose the Destination folder (mine was fine as pre-selected by KAV). Click *next* to continue.

    Now you will get the *finish* screen.

    KAV will now open. If you are running a firewall, allow KAV to connect to get the updates it needs. Wait while the updates are downloaded and installed.

    Now get the *extended database* of updates as well, to remove the AdWare that Virus.Win32.Bube may have downloaded. Look under *Settings*, and then *Configure Updater*. Choose Extended Database. Click *OK* and then *Check for Updates* and you will get another smaller update which will install.

    Now click on *Settings*, choose *Configure On-demand scan settings*, select *Perform recommended action* and click *OK*. You might prefer to set the scan level to maximum, just to be sure that nothing is hiding in an email database.

    Close KAV and any open programs you have running.


    It is recommended you run the scan in SAFE MODE.

    * Boot into safe mode.
    How to start the computer in Safe mode (here are instructions if you need them).
    http://service1.symantec.com/SUPPOR...src=sec_doc_nam
    Once you have booted into safe mode, physically disconnect from the Internet.

    * Open KAV but do not start the scan yet.

    * Now, and this is very important:

    * Press Ctrl+Alt+Del and bring up Task Manager, go to the Processes tab, right click on explorer.exe and then select End Process.

    Now your desktop will go blank and you will have no taskbar or menu, etc. You will still have Task Manager and KAV open on the desktop, so do not close them.


    * Now Start a full system scan. Click on the protection tab and Choose *Scan My Computer*.
    * It will take some time, probably 2 or 3 hours, and will delete any infected files it finds.
    * KAV will disinfect all files detected as Virus.Win32.Bube and many related malware it has downloaded.
    * When it has finished, in Task Manager press File > New Task and type explorer to regain the desktop, etc.
    * Close KAV and Task Manager.
    * Reboot back into normal mode.

    Additional cleanup may be needed. Post a new HijackThis log when done. Please be sure to post in the forum if you have any questions.

    IMPORTANT NOTE! This virus changes security settings to your trusted zone and in the Windows Security Center. Please be sure to check all of your security settings after disinfecting.
     


  4. 2005/03/03
    Branleo

    Branleo Inactive Thread Starter

    Joined:
    2005/03/02
    Messages:
    2
    Likes Received:
    0
    Follow up HJT log and errors

    OK, I followed the above directions and KAV found and deleted a bunch of problems. However, now I cannot boot into normal mode. I get an error message after I enter my login information. The error is something like:

    "C:\WINNT\system32\lsas.exe terminated unexpectedly with status code 128. The system will now shut down and restart." This is initiated by NT AUTHORITY/system.

    I'm not sure if this is a network problem or a hardware one. I can boot into safe mode and do some work. I have been able to get the startup to accept my password and startup before the above error but explorer.exe doesn't run. And trying to prompt it from TaskManager results in the above error and shutdown. The task manager looks like everything is running.

    For what it is worth, here is a new log that I just got from HJT in Safe Mode (I think it is specifically control mode?)

    Logfile of HijackThis v1.99.1
    Scan saved at 3:52:21 PM, on 3/3/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\AccessManager\Client\AMBroker.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\Program Files\WorldCom IP VPN Remote Access\cvpnd.exe
    C:\WINNT\system32\DRIVERS\dcfssvc.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Downloads\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AccessManager] C:\Program Files\AccessManager\Client\AccessMgr.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe "
    O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
    O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
    O4 - HKLM\..\RunOnce: [Q828026] "C:\WINNT\INF\unregmp2.exe" /UpdateWMP
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe "
    O4 - Global Startup: Cisco Systems IP VPN Remote Services.lnk = C:\Program Files\WorldCom IP VPN Remote Access\ipsecdialer.exe
    O4 - Global Startup: KODAK Picture Transfer Software.lnk = C:\Program Files\Kodak\KODAK Picture Transfer Software\pts.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = adsenv.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = adsenv.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = adsenv.com
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = adsenv.com
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
    O23 - Service: Access Manager Configuration Service (AMBroker) - Unknown owner - C:\Program Files\AccessManager\Client\AMBroker.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\WorldCom IP VPN Remote Access\cvpnd.exe
    O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINNT\system32\DRIVERS\dcfssvc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
    O23 - Service: SP Software Installer - Smartpipes, Inc. - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
    O23 - Service: Visual Insight Dial Analysis (sp_spi_da) - Smartpipes, Inc. - C:\Program Files\AccessManager\SMOC\spi_da.exe
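Added example (not code from this thread or from HijackThis): a small parser for the HJT log format shown above that diffs the first log against the follow-up log to list what the KAV scan removed, then runs a few defender-side triage rules over what is still present. The sample logs are a constructed subset of the two logs posted in this thread; the triage rules and their wording are assumptions of this example, not HJT output.

```python
"""Parse HijackThis (HJT) v1.99 logs, diff two scans and triage what remains.
Added example, not code from the thread or from HijackThis itself; the sample
logs below are a constructed subset of the two logs posted in this thread."""
import re
from typing import List, NamedTuple, Optional, Tuple

class Entry(NamedTuple):
    section: str   # HJT section code, e.g. "O4", "O17", "O18"
    detail: str    # text after the "O4 - " prefix

# A finding looks like "O4 - HKLM\..\Run: [name] path"; header and process list have no prefix.
_ENTRY = re.compile(r"^(R[0-3]|F[0-3]|N[0-4]|O\d{1,2})\s+-\s+(.*)$")

def parse_hjt(text: str) -> List[Entry]:
    """Return the R*/F*/N*/O* findings of an HJT log in file order."""
    out = []
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if m:
            out.append(Entry(m.group(1), m.group(2).rstrip()))
    return out

def diff_logs(before: str, after: str) -> Tuple[List[Entry], List[Entry]]:
    """Findings the cleanup removed, and findings that are new in the second scan."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    return sorted(b - a), sorted(a - b)

def triage(e: Entry) -> Optional[str]:
    """Assumed defender-side rules for entries worth a second look; None if no rule fires."""
    if e.section == "O17" and "Domain =" in e.detail:
        return "O17: TCP/IP Domain parameter set; verify against the IT-issued network config"
    if e.section == "O18" and e.detail.startswith("Filter: text/html"):
        return "O18: a text/html MIME filter sees every page IE renders"
    if e.section == "O4" and re.search(r"rundll32\.exe\s+[0-9A-F]{8,},", e.detail, re.I):
        return "O4: rundll32 loading a DLL with a random hex name at logon"
    if "(file missing)" in e.detail or "(no file)" in e.detail:
        return f"{e.section}: orphaned entry, the file it points to is gone"
    return None

def flagged(text: str) -> List[Tuple[Entry, str]]:
    """All (entry, reason) pairs in a log that trip a triage rule, in file order."""
    return [(e, r) for e in parse_hjt(text) for r in [triage(e)] if r]

# Constructed subset of the first log (before the KAV scan).
BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINNT\Explorer.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
O4 - HKLM\..\Run: [antiware] C:\winnt\system32\elitezzi32.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [Dvx] C:\WINNT\system32\wsxsvc\wsxsvc.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = adsenv.com
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll
"""

# Constructed subset of the second log (after the KAV scan, taken in safe mode).
AFTER = r"""Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = adsenv.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = adsenv.com
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
"""
```

Calling `diff_logs(BEFORE, AFTER)` shows the Run entries and the isrvs MIME filter that the scan removed, while `flagged(AFTER)` shows that the O17 Domain entries and the hex-named rundll32 entry survived it and still need manual attention.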
     
  5. 2005/03/03
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16