
trojan.popper

Discussion in 'Windows - Virus and spyware problems' started by fincab, Jun 30, 2006.

  1. fincab

    fincab Guest

    Hi everyone:
    My PC is infected with trojan.popper. I have Spyware Doctor, Spy Sweeper, and Norton Internet Security. None of them can eliminate it. They find it, say it's been deleted, but it always reappears. I called Norton; they charged me $40 to direct me to a FREE page of instructions that I had already tried. When I complained they just hung up!!! Can ANYBODY help?!?!? Trojan.popper is interfering with a lot of programs.

    Thank you, thank you, thank you.
     
  2. tapiiri

    tapiiri Regular member

    Joined:
    Jun 11, 2005
    Messages:
    1,142
    Likes Received:
    0
    Trophy Points:
    46
  3. fincab

    fincab Guest

    Hi:
    Thanks for the quick response. Here is the file:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:35:32 AM, on 6/30/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\csrss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    E:\WINDOWS\Explorer.EXE
    E:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    E:\WINDOWS\system32\spoolsv.exe
    E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    G:\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    G:\PC BackUp\NMSAccess.exe
    G:\PC BackUp\NSENGINE.exe
    g:\Spyware Doctor\sdhelp.exe
    E:\WINDOWS\System32\svchost.exe
    E:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    E:\WINDOWS\system32\wdfmgr.exe
    E:\Program Files\Microsoft IntelliPoint\point32.exe
    E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    F:\iTunes\iTunesHelper.exe
    E:\Program Files\Common Files\Symantec Shared\ccApp.exe
    E:\WINDOWS\Mixer.exe
    E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    E:\WINDOWS\System32\alg.exe
    E:\Program Files\Winamp\winampa.exe
    E:\Program Files\Common Files\Real\Update_OB\realsched.exe
    E:\Program Files\iPod\bin\iPodService.exe
    E:\Program Files\QuickTime\qttask.exe
    G:\PC BackUp\NbkCtrl.exe
    E:\Program Files\Messenger\msmsgs.exe
    G:\SPYWAR~1\swdoctor.exe
    E:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    E:\Program Files\Internet Explorer\iexplore.exe
    E:\Documents and Settings\H. Finn MD.HSF.004\Local Settings\Temporary Internet Files\Content.IE5\UND3Z2UZ\HijackThis_v1.99.1[1].exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - G:\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - E:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - G:\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - G:\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - E:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - G:\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [DVD43] F:\DVDREG~2\DVDREG~1\DVDRegionFree.exe /hidden
    O4 - HKLM\..\Run: [IntelliPoint] "E:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [iTunesHelper] "F:\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [SpySweeper] "E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NovaBackup 7 Tray Control] "G:\PC BackUp\NbkCtrl.exe"
    O4 - HKCU\..\Run: [NBJ] "F:\Nero\Nero BackItUp\NBJ.exe"
    O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Spyware Doctor] G:\SPYWAR~1\swdoctor.exe /Q
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\OFFICE\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - G:\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://symantec.atgnow.com/sdccommon/download/tgctlsi.cab
    O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.5.0.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147838620234
    O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://liveca12.custhelp.com/7530-b327h/rnl/java/RntX.cab
    O20 - Winlogon Notify: WgaLogon - E:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - E:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - G:\Norton Internet Security\ccPwdSvc.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - G:\Norton Internet Security\comHost.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - G:\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: NMSAccess - Unknown owner - G:\PC BackUp\NMSAccess.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: NsEngine - Unknown owner - G:\PC BackUp\NSENGINE.exe
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - G:\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - g:\Spyware Doctor\sdhelp.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - E:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
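
A triage helper for logs like the one above, added here as an example; it is not code from the thread, from HijackThis, or from any of the vendors named in the log. It applies the checks a responder makes first on a HijackThis 1.99 log: Run-key targets that are bare filenames (resolved through PATH or App Paths) or that live directly in the Windows directory root (the `%Windir%\[RANDOM].exe` pattern in the Symantec write-up quoted later in this thread), Winlogon Notify DLLs (loaded into winlogon.exe at every logon), services with no vendor string, and ActiveX controls installed from hosts other than microsoft.com. The rules and the "verify" wording are the editor's own heuristics, not verdicts: in this log, for instance, WgaLogon.dll is Microsoft's Windows Genuine Advantage notifier and NMSAccess.exe sits in the NovaBackup folder. The sample input is a subset of the log posted above.

```python
"""Triage a HijackThis 1.99 log: pull out the entries a responder checks first."""
import re
from collections import namedtuple
from urllib.parse import urlparse

Finding = namedtuple("Finding", "code reason line")

# A subset of the HijackThis log posted in the thread, used here as sample input.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [IntelliPoint] "E:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKCU\..\Run: [Spyware Doctor] G:\SPYWAR~1\swdoctor.exe /Q
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147838620234
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://liveca12.custhelp.com/7530-b327h/rnl/java/RntX.cab
O20 - Winlogon Notify: WgaLogon - E:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: NMSAccess - Unknown owner - G:\PC BackUp\NMSAccess.exe
O23 - Service: LiveUpdate - Symantec Corporation - E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

# One regex per HijackThis section type handled here (O2/O3/O8/O9 are left alone).
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{[^}]*\} \((?P<name>[^)]*)\) - (?P<url>\S+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<desc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


def run_target(cmd):
    """Executable part of a Run-key command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def assess_run_target(exe):
    """Reason string if the Run-key target deserves a second look, else None."""
    if not re.match(r"^[A-Za-z]:\\", exe):
        return "bare filename, resolved through PATH/App Paths; confirm which file actually runs"
    parent = exe.rsplit("\\", 1)[0].lower()
    if re.fullmatch(r"[a-z]:\\windows", parent):
        # Matches the %Windir%\[RANDOM].exe persistence pattern in the Symantec write-up.
        return "runs straight out of the Windows directory root"
    return None


def triage(log_text):
    """Return the Findings for one HijackThis log, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("R3 - ") and "missing" in line:
            findings.append(Finding("R3", "URLSearchHook missing; usually harmless, note for context", line))
        elif (m := O4_RE.match(line)):
            reason = assess_run_target(run_target(m["cmd"]))
            if reason:
                findings.append(Finding("O4", f"{m['hive']} Run [{m['name']}]: {reason}", line))
        elif (m := O16_RE.match(line)):
            host = (urlparse(m["url"]).hostname or "").lower()
            if host != "microsoft.com" and not host.endswith(".microsoft.com"):
                findings.append(Finding("O16", f"ActiveX control installed from {host}; verify the vendor", line))
        elif (m := O20_RE.match(line)):
            findings.append(Finding("O20", f"Winlogon Notify DLL {m['path']} loads into winlogon.exe; verify its signer", line))
        elif (m := O23_RE.match(line)):
            if m["owner"].strip().lower() == "unknown owner":
                findings.append(Finding("O23", f"service '{m['desc']}' carries no vendor string; check {m['path']}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
```

Run it on a full log and you get five findings for the subset above: the missing URLSearchHook, the Mixer.exe entry (a bare filename; the running-processes list shows it resolving to E:\WINDOWS\Mixer.exe), the custhelp.com ActiveX control, the WgaLogon notify DLL and the NMSAccess service. None of those is a malware verdict; the point of the pass is to shrink a 60-line log to the handful of entries worth checking by hand.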

     
  4. tapiiri

    tapiiri Regular member

    Download SmitfraudFix.zip to your desktop -> http://siri.urz.free.fr/Fix/SmitfraudFix.zip

    Unzip it (folder named SmitFraudFix) to your desktop:

    Open the folder SmitfraudFix and doubleclick smitfraudfix.cmd
    Choose option #1 - Search by typing 1 and pressing "Enter"; a textfile opens and lists the infected files (if those exist)

    Download eScan to your desktop -> http://www.spywareinfo.dk/download/mwav.exe
    Run the file mwav.exe and unzip it to its default location, C:\Kaspersky

    1. Updating the scanner (close the eScan window if open)
    -> Go to My Computer
    -> C:\
    -> Kaspersky
    -> Run the file kavupd.exe, it starts downloading updates
    -> When downloading is finished, go to C:\Downloads
    -> Copy all the files in the Downloads folder by pressing CTRL+A and then CTRL+C
    -> Then go back to the C:\Kaspersky folder and paste the files by pressing CTRL+V
    -> Answer Yes to all when it asks about replacing files
    -> Now the scanner has been updated

    2. Scanner settings
    -> Go to folder C:\Kaspersky and run the file mwavscan.com (or mwavscan.exe)
    -> The scanner window opens
    -> Select the same settings as in this picture -> http://koti.mbnet.fi/pattaya1/eScan6.jpg
    -> When ready, press the Scan Clean button
    -> Scanning for infections begins

    3. Posting the results
    -> When the scan has finished (the scan may take quite a long time), you'll need to post the findings
    -> Copy all the text in this field -> http://koti.mbnet.fi/pattaya1/eScan10.jpg
    -> Click the field, press CTRL+A, CTRL+C
    -> Then open Notepad and paste the findings into a new document by pressing CTRL+V
    -> Save the document to your desktop
    -> Post the contents of that textfile to here

    Reboot the computer.
    Post the requested logs.
     
  5. fincab

    fincab Guest

    tapiiri:

    Here are the files you asked for.

    And again, Thanks so much for your help!


    SmitFraudFix v2.65

    Scan done at 20:28:51.60, Fri 06/30/2006
    Run from F:\smitfraud\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» E:\


    »»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\system32\LogFiles


    »»»»»»»»»»»»»»»»»»»»»»»» E:\Documents and Settings\H. Finn MD.HSF.004\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» E:\DOCUME~1\HFINNM~1.004\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» E:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End

    =====================================================================

    Object "ezula Spyware/Adware" found in File System! Action Taken: No Action Taken.
    Object "zlob Trojan-Downloader" found in File System! Action Taken: No Action Taken.
    File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\064F7AAF.exe infected by "Trojan-Downloader.Win32.Tiny.bw" Virus! Action Taken: No Action Taken.
    File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\0A4E076D.exe infected by "Trojan-Downloader.Win32.Tiny.bw" Virus! Action Taken: No Action Taken.
    File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\103A42A1.exe infected by "Trojan-Downloader.Win32.Tiny.bw" Virus! Action Taken: No Action Taken.
    File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\138D18B0.exe infected by "Trojan-Downloader.Win32.Tiny.bw" Virus! Action Taken: No Action Taken.
    File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\21FD5F29.WIN infected by "Trojan-Downloader.Win32.Adload.az" Virus! Action Taken: No Action Taken.
    File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\22000926.exe infected by "Trojan-Downloader.Win32.Adload.az" Virus! Action Taken: No Action Taken.
    File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\3015226E.exe infected by "Trojan-Downloader.Win32.Tiny.bw" Virus! Action Taken: No Action Taken.
    File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\38CD5642.exe infected by "Trojan-Downloader.Win32.Tiny.bw" Virus! Action Taken: No Action Taken.
    File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\4DEA5CBC.exe infected by "Trojan-Downloader.Win32.Tiny.bw" Virus! Action Taken: No Action Taken.
    File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\5210342F.exe infected by "Trojan-Downloader.Win32.Tiny.bw" Virus! Action Taken: No Action Taken.
    File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\57BD2FEF.exe infected by "Trojan.Win32.Dialer.oy" Virus! Action Taken: No Action Taken.
    File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\66561FF3.WIN infected by "Trojan-Downloader.Win32.Adload.az" Virus! Action Taken: No Action Taken.
    File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\665949EF.exe infected by "Trojan-Downloader.Win32.Adload.az" Virus! Action Taken: No Action Taken.
    File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\68460DD1.WIN infected by "Trojan-Downloader.Win32.Adload.az" Virus! Action Taken: No Action Taken.
    File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\684D61C9.exe infected by "Trojan-Downloader.Win32.Adload.az" Virus! Action Taken: No Action Taken.
    File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\78EB7503.exe infected by "Trojan-Downloader.Win32.Zlob.rj" Virus! Action Taken: No Action Taken.
    File E:\System Volume Information\_restore{7F87E836-B1CD-4D96-BB59-153291F12E71}\RP58\A0007847.exe infected by "Trojan-Clicker.Win32.VB.ij" Virus! Action Taken: No Action Taken.
    File E:\System Volume Information\_restore{99E0A354-0CE2-419D-BEAE-5E0C2EFEA573}\RP77\A0005779.dll tagged as "not-a-virus:AdWare.Win32.Suggestor.o". Action Taken: No Action Taken.
    File E:\System Volume Information\_restore{99E0A354-0CE2-419D-BEAE-5E0C2EFEA573}\RP77\A0005780.exe infected by "Trojan-Downloader.Win32.Small.buy" Virus! Action Taken: No Action Taken.
    File E:\System Volume Information\_restore{99E0A354-0CE2-419D-BEAE-5E0C2EFEA573}\RP77\A0005781.exe infected by "Trojan-Downloader.Win32.Small.bke" Virus! Action Taken: No Action Taken.
    File E:\System Volume Information\_restore{99E0A354-0CE2-419D-BEAE-5E0C2EFEA573}\RP77\A0005782.dll tagged as "not-a-virus:AdWare.Win32.Suggestor.o". Action Taken: No Action Taken.
    File E:\System Volume Information\_restore{99E0A354-0CE2-419D-BEAE-5E0C2EFEA573}\RP77\A0005784.dll infected by "Backdoor.Win32.Agent.oo" Virus! Action Taken: No Action Taken.
    File E:\System Volume Information\_restore{99E0A354-0CE2-419D-BEAE-5E0C2EFEA573}\RP77\A0005785.dll tagged as "not-a-virus:AdWare.Win32.Suggestor.o". Action Taken: No Action Taken.
    File E:\System Volume Information\_restore{99E0A354-0CE2-419D-BEAE-5E0C2EFEA573}\RP77\A0005786.exe infected by "Trojan-Downloader.Win32.Small.ayl" Virus! Action Taken: No Action Taken.
    File E:\System Volume Information\_restore{99E0A354-0CE2-419D-BEAE-5E0C2EFEA573}\RP77\A0005787.exe tagged as "not-a-virus:AdWare.Win32.Raze.a". Action Taken: No Action Taken.
    File E:\System Volume Information\_restore{99E0A354-0CE2-419D-BEAE-5E0C2EFEA573}\RP77\A0005788.exe infected by "Trojan-Downloader.Win32.Agent.sy" Virus! Action Taken: No Action Taken.
    File E:\System Volume Information\_restore{99E0A354-0CE2-419D-BEAE-5E0C2EFEA573}\RP78\A0006962.exe tagged as not-a-virus:RiskTool.Win32.PsKill.n. No Action Taken.
    File E:\System Volume Information\_restore{99E0A354-0CE2-419D-BEAE-5E0C2EFEA573}\RP79\A0007514.exe tagged as not-a-virus:Downloader.Win32.Agent.h. No Action Taken.

    ..............................................................................................................................................................................................................................

    Total Critical Objects: 30
    Total Errors: 67
     
  6. tapiiri

    tapiiri Regular member

    Clean your system restore :

    http://www.pchell.com/virus/systemrestore.shtml

    Only these need to be examined more closely.

    Object "ezula Spyware/Adware" found in File System! Action Taken: No Action Taken.
    Object "zlob Trojan-Downloader" found in File System! Action Taken: No Action Taken.

    Locate and remove EZULA

    * Reboot your computer in Safe Mode

    http://www.pchell.com/support/safemode.shtml

    * Double-click smitfraudfix.cmd
    * Select 2 and hit Enter to delete infected files.
    * You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
    * The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
    * A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

    Send it here along with a fresh HjT log.
     
  7. fincab

    fincab Guest

    Here are the other logs:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:31:54 AM, on 7/1/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\csrss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    E:\WINDOWS\Explorer.EXE
    E:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    E:\WINDOWS\system32\spoolsv.exe
    E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    G:\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    G:\PC BackUp\NMSAccess.exe
    G:\PC BackUp\NSENGINE.exe
    g:\Spyware Doctor\sdhelp.exe
    E:\WINDOWS\System32\svchost.exe
    E:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    E:\WINDOWS\system32\wdfmgr.exe
    E:\Program Files\Microsoft IntelliPoint\point32.exe
    E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    F:\iTunes\iTunesHelper.exe
    E:\Program Files\Common Files\Symantec Shared\ccApp.exe
    E:\WINDOWS\Mixer.exe
    E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    E:\Program Files\Winamp\winampa.exe
    E:\Program Files\Common Files\Real\Update_OB\realsched.exe
    E:\Program Files\QuickTime\qttask.exe
    G:\PC BackUp\NbkCtrl.exe
    E:\Program Files\Messenger\msmsgs.exe
    G:\SPYWAR~1\swdoctor.exe
    E:\Program Files\iPod\bin\iPodService.exe
    E:\WINDOWS\System32\alg.exe
    E:\Program Files\Internet Explorer\iexplore.exe
    E:\WINDOWS\system32\wuauclt.exe
    E:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    E:\Program Files\Symantec\LiveUpdate\AUpdate.exe
    E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    E:\Documents and Settings\H. Finn MD.HSF.004\Local Settings\Temporary Internet Files\Content.IE5\UND3Z2UZ\HijackThis_v1.99.1[1].exe
    E:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    E:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    E:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    E:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    E:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    E:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    E:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - G:\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - E:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - G:\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - G:\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - E:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - G:\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [DVD43] F:\DVDREG~2\DVDREG~1\DVDRegionFree.exe /hidden
    O4 - HKLM\..\Run: [IntelliPoint] "E:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [iTunesHelper] "F:\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [SpySweeper] "E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NovaBackup 7 Tray Control] "G:\PC BackUp\NbkCtrl.exe"
    O4 - HKCU\..\Run: [NBJ] "F:\Nero\Nero BackItUp\NBJ.exe"
    O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Spyware Doctor] G:\SPYWAR~1\swdoctor.exe /Q
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\OFFICE\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - G:\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://symantec.atgnow.com/sdccommon/download/tgctlsi.cab
    O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.5.0.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147838620234
    O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://liveca12.custhelp.com/7530-b327h/rnl/java/RntX.cab
    O20 - Winlogon Notify: WgaLogon - E:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - E:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - G:\Norton Internet Security\ccPwdSvc.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - G:\Norton Internet Security\comHost.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - G:\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: NMSAccess - Unknown owner - G:\PC BackUp\NMSAccess.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: NsEngine - Unknown owner - G:\PC BackUp\NSENGINE.exe
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - G:\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - g:\Spyware Doctor\sdhelp.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - E:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    ====================================================================
    SmitFraudFix v2.65

    Scan done at 20:28:51.60, Fri 06/30/2006
    Run from F:\smitfraud\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in normal mode ***[It says "normal mode", but it was in Safe Mode.]***

    »»»»»»»»»»»»»»»»»»»»»»»» E:\


    »»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\system32\LogFiles


    »»»»»»»»»»»»»»»»»»»»»»»» E:\Documents and Settings\H. Finn MD.HSF.004\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» E:\DOCUME~1\HFINNM~1.004\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» E:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End

    ====================================================================

    So, am I cured?
     
  8. tapiiri

    tapiiri Regular member

    Yes looks good :)
     
  9. fincab

    fincab Guest

    Unfortunately, the virus was not removed. When running a backup, I again got the following alert message from Norton Antivirus. It is the same one I always get:

    Virus Location: \device\HarddiskVolumeShadowCopy3\System Volume Information\_restore{7F87E836-B1CD-4D96-BB59-153291F12E71}\RP58\A0007847.EXE

    Virus: Trojan.Popper

    Action Taken: Unable to repair this file.

    Action Taken: Access to the file was denied.

    ===============================================================

    Below are the removal instructions from Symantec. However, there is no "Windows Overlay Components" in services.msc and none of the registry keys listed can be found by me or the registry FIND command.


    3. To find and stop the service
    Click Start > Run.
    Type services.msc, and then click OK.
    Locate and select the service "Windows Overlay Components".
    Click Action > Properties.
    Click Stop.
    Change Startup Type to Manual.
    Click OK and close the Services window.

    4. To scan for and delete the infected files
    Start your Symantec antivirus program and make sure that it is configured to scan all the files.
    For Norton AntiVirus consumer products: Read the document: How to configure Norton AntiVirus to scan all files.
    For Symantec AntiVirus Enterprise products: Read the document: How to verify that a Symantec Corporate antivirus product is set to scan all files.
    Run a full system scan.
    If any files are detected, click Delete.


    Important: If you are unable to start your Symantec antivirus product or the product reports that it cannot delete a detected file, you may need to stop the risk from running in order to remove it. To do this, run the scan in Safe mode. For instructions, read the document, How to start the computer in Safe Mode. Once you have restarted in Safe mode, run the scan again.

    After the files are deleted, restart the computer in Normal mode and proceed with the next section.

    Warning messages may be displayed when the computer is restarted, since the threat may not be fully removed at this point. You can ignore these messages and click OK. These messages will not appear when the computer is restarted after the removal instructions have been fully completed. The messages displayed may be similar to the following:

    Title: [FILE PATH]
    Message body: Windows cannot find [FILE NAME]. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.


    5. To delete the value from the registry
    Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. For instructions refer to the document: How to make a backup of the Windows registry.

    Click Start > Run.
    Type regedit
    Click OK.

    Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.


    Navigate to the subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


    In the right pane, delete any values that refer to the filenames noted in Step 4(c) above. The value will be of the form:

    "random" = "%Windir%\[RANDOM].exe"


    Navigate to and delete the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Uninstall\OvMon
    HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Windows Overlay Components
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Windows Overlay Components


    Exit the Registry Editor.

    =================================================================

    This is SO frustrating!!! Any other ideas?

    Thanks
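
The eScan output earlier in the thread and the recurring Norton alert above describe the same situation. Every object eScan listed sits either in Norton's own quarantine folder (already contained) or in a System Restore point under System Volume Information, and the path in the Norton alert, `\device\HarddiskVolumeShadowCopy3\System Volume Information\_restore{7F87E836-...}\RP58\A0007847.EXE`, is the same RP58 restore-point file that eScan reported as Trojan-Clicker.Win32.VB.ij, seen through a volume shadow copy (most likely the snapshot the backup job takes while it runs; that is an inference from the timing, not something the thread confirms). Shadow copies are read-only, which is why Norton reports "Access to the file was denied"; the file can only go away when the restore points are purged, which is what turning System Restore off and on does. The script below is an added example, not from the thread or from either scanner: it parses eScan's `File ... infected by/tagged as` lines, classifies each path, unwraps the shadow-copy prefix, and checks whether the alert path names the same file as an eScan line. One sample line (`E:\WINDOWS\example.exe`, "Constructed.Sample") is constructed to exercise the live-file case; the other sample lines are copied from the posts above.

```python
"""Classify scanner detections by where the file lives (AV quarantine store,
System Restore point, or a live path), unwrapping VSS shadow-copy prefixes."""
import re
from collections import Counter

# Four lines copied from the eScan log posted in the thread plus one CONSTRUCTED
# line (E:\WINDOWS\example.exe) so the 'live' category is exercised.
SAMPLE_ESCAN = r"""
File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\064F7AAF.exe infected by "Trojan-Downloader.Win32.Tiny.bw" Virus! Action Taken: No Action Taken.
File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\57BD2FEF.exe infected by "Trojan.Win32.Dialer.oy" Virus! Action Taken: No Action Taken.
File E:\System Volume Information\_restore{7F87E836-B1CD-4D96-BB59-153291F12E71}\RP58\A0007847.exe infected by "Trojan-Clicker.Win32.VB.ij" Virus! Action Taken: No Action Taken.
File E:\System Volume Information\_restore{99E0A354-0CE2-419D-BEAE-5E0C2EFEA573}\RP78\A0006962.exe tagged as not-a-virus:RiskTool.Win32.PsKill.n. No Action Taken.
File E:\WINDOWS\example.exe infected by "Constructed.Sample" Virus! Action Taken: No Action Taken.
"""

# The path from the Norton alert posted in the thread.
NORTON_ALERT_PATH = r"\device\HarddiskVolumeShadowCopy3\System Volume Information\_restore{7F87E836-B1CD-4D96-BB59-153291F12E71}\RP58\A0007847.EXE"

SHADOW_RE = re.compile(r"^\\device\\HarddiskVolumeShadowCopy(\d+)\\", re.I)
# Handles both eScan forms: ... infected by "Name" Virus! ...  and  ... tagged as Name. ...
ESCAN_RE = re.compile(r'^File (?P<path>.+?) (?:infected by|tagged as) "?(?P<name>[^"]+?)"?(?: Virus)?[!.]\s')


def strip_shadow_copy(path):
    """Return (path_without_shadow_prefix, was_shadow_copy); the leading backslash is kept."""
    m = SHADOW_RE.match(path)
    if m:
        return path[m.end() - 1:], True
    return path, False


def classify_location(path):
    """Return (category, via_shadow_copy) for a scanner-reported path."""
    path, via_shadow = strip_shadow_copy(path)
    p = path.lower()
    if "\\system volume information\\_restore{" in p:
        category = "restore_point"      # only System Restore ever reads these
    elif "\\norton antivirus\\quarantine\\" in p:
        category = "av_quarantine"      # already neutralised by the AV that quarantined it
    else:
        category = "live"               # a path something could actually execute from
    return category, via_shadow


def parse_escan(text):
    """List of (path, detection_name, category, via_shadow_copy) for each eScan 'File' line."""
    rows = []
    for line in text.splitlines():
        m = ESCAN_RE.match(line.strip())
        if m:
            cat, shadow = classify_location(m["path"])
            rows.append((m["path"], m["name"], cat, shadow))
    return rows


def summarize(text):
    """Counter of categories, the number a responder wants before touching anything."""
    return Counter(cat for _, _, cat, _ in parse_escan(text))


def same_file(path_a, path_b):
    """True when two paths name the same file, one possibly via a shadow copy or without a drive letter."""
    def norm(p):
        p, _ = strip_shadow_copy(p)
        return re.sub(r"^[a-z]:", "", p.lower())
    return norm(path_a) == norm(path_b)


if __name__ == "__main__":
    print(dict(summarize(SAMPLE_ESCAN)))
    print(classify_location(NORTON_ALERT_PATH))
    for path, name, cat, shadow in parse_escan(SAMPLE_ESCAN):
        tag = " (matches the Norton alert)" if same_file(path, NORTON_ALERT_PATH) else ""
        print(f"{cat:14} {name:40} {path}{tag}")
```

On the sample input the summary is two quarantined files, two restore-point files and the one constructed live file; the alert path classifies as a restore point reached through a shadow copy and matches the RP58 line from eScan. Applied to the full log in the thread, the count of live files is zero, which is the check to run before chasing the "Windows Overlay Components" service and the OvMon registry keys that the Symantec write-up describes and that this machine does not have.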
     
  10. tapiiri

    tapiiri Regular member

    Hi fincab,

    Update eScan and Norton.

    Turn off your system restore :

    http://www.pchell.com/virus/systemrestore.shtml


    * Reboot your computer in Safe Mode

    http://www.pchell.com/support/safemode.shtml

    Scan with both: eScan (all hard drives)

    and Norton:

    Start your Symantec antivirus program and make sure that it is configured to scan all the files.
    For Norton AntiVirus consumer products: Read the document: How to configure Norton AntiVirus to scan all files.
    For Symantec AntiVirus Enterprise products: Read the document: How to verify that a Symantec Corporate antivirus product is set to scan all files.
    Run a full system scan.
    If any files are detected, click Delete.

    Boot normally. Let me know if any error messages appear after rebooting.


    Then I'll make a fix script for the registry.

     
  11. fincab

    fincab Guest

    Hi:

    The same error message appeared.

    Sorry
     
