
Thread: Spyware/adware/popups just won't go away


  1. #1

    Spyware/adware/popups just won't go away

    OK, I've followed the instructions in the sticky before posting here, and I've tried a few other tricks of my own, and I've run the FIXWAREOUT program, VundoFix and McAfee's Stinger, but I can't seem to cure this problem I've got.

    I get pop-ups the moment I open Internet Explorer. They are and most recently I got an error message regarding func.js, and as I am posting this message Symantec AV told me it found func.exe to be a trojan. Poolsv.exe seemed to be a problem too, but for some reason Auto-Protect hasn't alerted me of any issues about it in the last 30 min.
    Here's my log file

    Logfile of HijackThis v1.99.1
    Scan saved at 10:55:22 AM, on 6/21/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\WINDOWS\system32\NWTRAY.EXE
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\HJT\HJThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {49A951BC-8301-4447-9250-CDA462FA4647} - C:\WINDOWS\system32\gebca.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: (no name) - {A3EA747D-F096-480C-BFA9-BDAD9731898B} - C:\Program Files\ComPlus Applications\meqotaz83122.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: (no name) - {DC192567-65F9-4AB6-ADB7-E13575F81726} - C:\WINDOWS\system32\gebcdbb.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://mail.mole.com/iNotes.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {37FFF4B4-94C5-41EA-9ED2-E43FF8420C68} (ILPrintClientLib3.ILPrintClient) - http://editest.guitarcenter.com/TPM/...ClientLib3.CAB
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by115fd.bay115.hotmail.msn.co...s/MsnPUpld.cab
    O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} - http://updates.lifescapeinc.com/inst...l/pinstall.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1153330034281
    O16 - DPF: {8A06B159-CC63-42EA-9371-7934474C5D38} (ILPrintClientFontLib.ILPrintClientFont) - http://editest.guitarcenter.com/TPM/...entFontLib.CAB
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.kitchenette.homeip.net/ac...CamControl.cab
    O16 - DPF: {AB828640-9B09-4752-9C41-070FCAF537F3} (DVRRemote Control) - http://192.168.1.13/DVRRemote.cab
    O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - http://68.111.41.18:5900/activex/AMC.cab
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2E9856E3-3E13-41E6-B6EC-041B4ADB24B9}: NameServer = 68.94.156.1,68.94.157.1
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2E9856E3-3E13-41E6-B6EC-041B4ADB24B9}: NameServer = 68.94.156.1,68.94.157.1
    O20 - Winlogon Notify: gebca - C:\WINDOWS\system32\gebca.dll
    O20 - Winlogon Notify: gebcdbb - C:\WINDOWS\SYSTEM32\gebcdbb.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\
    O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
    O20 - Winlogon Notify: PCANotify - C:\WINDOWS\
    O20 - Winlogon Notify: ssqpq - C:\WINDOWS\
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
    O20 - Winlogon Notify: winyxb32 - C:\WINDOWS\
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
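    An added triage example (not part of the original post, and not a HijackThis feature): the two things a log helper would check first in the log above are O2 BHO entries registered with "(no name)" whose DLL also appears as an O20 Winlogon Notify package (the same DLL then loads into both Internet Explorer and winlogon.exe, which is the persistence pairing the Vundo family used and why VundoFix targets both keys), and O16 DPF ActiveX controls fetched from a bare IP address instead of a hostname. The Python below runs those checks over a constructed excerpt of the O2/O16/O20 lines copied from the log; the function and constant names are my own, and the results are triage hints for the helper, not verdicts.

```python
import re

# Constructed input: the O2, O16 and O20 lines of the HijackThis log posted
# above, copied as-is so the checks run offline. Any HJT 1.99-format log text
# can be passed to analyze_hjt() instead.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {49A951BC-8301-4447-9250-CDA462FA4647} - C:\WINDOWS\system32\gebca.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {A3EA747D-F096-480C-BFA9-BDAD9731898B} - C:\Program Files\ComPlus Applications\meqotaz83122.dll
O2 - BHO: (no name) - {DC192567-65F9-4AB6-ADB7-E13575F81726} - C:\WINDOWS\system32\gebcdbb.dll
O16 - DPF: {AB828640-9B09-4752-9C41-070FCAF537F3} (DVRRemote Control) - http://192.168.1.13/DVRRemote.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - http://68.111.41.18:5900/activex/AMC.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O20 - Winlogon Notify: gebca - C:\WINDOWS\system32\gebca.dll
O20 - Winlogon Notify: gebcdbb - C:\WINDOWS\SYSTEM32\gebcdbb.dll
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: ssqpq - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
"""

# Line formats of the three HJT sections we care about (HJT 1.99.1 layout).
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-F-]+)\} - (?P<path>.+)$", re.I)
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
DPF_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-F-]+)\}(?: \((?P<name>.*?)\))? - (?P<url>\S+)$", re.I)
# URL whose host is a dotted-quad IP rather than a DNS name.
IP_HOST_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?(?:/|$)", re.I)


def dll_stem(path):
    """Lower-cased file name without a trailing .dll; '' when HJT only printed a directory."""
    name = path.rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".dll") else name


def analyze_hjt(text):
    nameless_bhos = []   # (CLSID, path) of BHOs registered without a display name
    notify = {}          # Winlogon Notify key (lower-cased) -> path as printed
    notify_dlls = set()  # stems of Notify DLLs whose path HJT managed to resolve
    dpf_from_ip = []     # ActiveX controls downloaded from a bare IP address
    for raw in text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            if m["name"].strip().lower() == "(no name)":
                nameless_bhos.append((m["clsid"].upper(), m["path"]))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            notify[m["key"].lower()] = m["path"]
            stem = dll_stem(m["path"])
            if stem:
                notify_dlls.add(stem)
            continue
        m = DPF_RE.match(line)
        if m and IP_HOST_RE.match(m["url"]):
            dpf_from_ip.append(m["url"])
    # A nameless BHO whose DLL is also a Winlogon Notify package is loaded into
    # both Internet Explorer and winlogon.exe: the Vundo-style persistence pair.
    pairs = []
    for _clsid, path in nameless_bhos:
        stem = dll_stem(path)
        if stem and (stem in notify or stem in notify_dlls):
            pairs.append(stem)
    return {"nameless_bhos": nameless_bhos, "bho_notify_pairs": pairs,
            "dpf_from_ip": dpf_from_ip}


def report(text):
    """Human-readable triage lines, most suspicious first."""
    r = analyze_hjt(text)
    out = []
    for stem in r["bho_notify_pairs"]:
        out.append(f"HIGH  O2+O20 pair: {stem}.dll is a nameless BHO and a Winlogon Notify package")
    for clsid, path in r["nameless_bhos"]:
        if dll_stem(path) not in r["bho_notify_pairs"]:
            out.append(f"MED   nameless BHO {{{clsid}}} -> {path}")
    for url in r["dpf_from_ip"]:
        out.append(f"INFO  ActiveX control fetched from a bare IP: {url}")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

    Run against the excerpt it reports gebca.dll and gebcdbb.dll as O2+O20 pairs, meqotaz83122.dll as a nameless BHO on its own, and the two DPF controls served from 192.168.1.13 and 68.111.41.18. The bare-IP DPF entries are listed at INFO level only because a DVR on the LAN legitimately serves its viewer control that way; the helper still has to ask the poster what those hosts are.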

  2. #2

    popups/virus revisited

    Everything was OK for a while yesterday, so I left the PC sitting idle overnight, and I came in and found pop-ups, got redirected while browsing in IE, and saw messages in Windows Defender about Win32/Fotomoto and Vundo again. I've attached my HJT log again; I don't know if it's changed since yesterday. But any help in getting rid of this problem would be appreciated.

    thanks

    Jim

  3. #3
    Make sure to follow all the steps in the read-me-before-posting sticky. There may be many more baddies that you are unaware of, and until all the appropriate logs have been posted, the moderators here won't know which course to take. As for what you do have, there are many reasons they won't go away, but they will be addressed once you have posted back here with the logs. Hope all works out.

  4. #4
    OK, I have followed the instructions in the sticky post again and attached the logs.
    On Friday I cleaned up the PC and all seemed well. I left the PC connected, sitting idle over the weekend, and came in to find pop-ups and messages from Windows Defender and Symantec Auto-Protect.

  5. #5
    Hi Jim,

    I am trying to fill in for Judy while she is out on vacation, but I have been very busy lately, so I am a bit behind. She should be back to pick up the slack, but if not, I will do my best to follow up, OK?

    Hang in there!

  6. #6
    Can I ask that you please turn off Windows Defender and the Ad-Aware 2007 Service?

    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • When VundoFix re-opens, click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.

    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    Update your Ad-Aware 2007. Then reboot to SAFE MODE using the F8 method:
    1. Restart your computer.
    2. When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
    3. Select the option for Safe Mode using the arrow keys.
    4. Then press Enter on your keyboard to boot into Safe Mode.
    Once in SAFE MODE, please run a full system scan with Ad-Aware. Be sure to quarantine everything found. One item showing in your logs is the Look2Me infection; Ad-Aware 2007 has the removal tool for it fully integrated into the program.
    Also run the AVG Anti-Spyware program in SAFE MODE and fix all that is found.
    Once you have completed the above steps then reboot into normal mode and run a new scan with HJT and post that log along with the new AVG log.

  7. #7
    Thanks again for your help. I followed the instructions and I've attached all relevant information. One thing that is very persistent is that whenever I open the browser for the first time after rebooting, I get a script error referring to a file called func.js, then immediately after, Auto-Protect finds and deletes a file called func.exe.

    thanks again,

    jim

  8. #8
    Were you able to use VundoFix and get a log from that? If you haven't done that, can you please run it following the instructions given above, save the log, and then also run a new HJT scan and post that new log too?

  9. #9
    Yes, I did run VundoFix, and from what I can see there is no option for a log file. It did tell me when it was done scanning that no infected files were found.
    Just for kicks, though, I am attaching my HJT log again; maybe it has changed, who knows.

    thanks

    jim

  10. #10
    Please TURN OFF Ad-Aware 2007. Don't allow it to autostart.
    I really don't need to see that log. Do not allow it to run until we are finished, unless told to do so.

    Enable Viewing of Hidden Files and Folders

    Please run the Kaspersky Online Virus Scanner and attach the ScanLog with your post for assistance. If you have trouble with it, please try one of the others in the list below. You do have to use Internet Explorer for this scan. It will not clean but will generate a log for us to look at. We need to see that log.

    Download ComboFix from Here or Here to your Desktop.
    • Double-click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that ComboFix log, a NEW HijackThis log and the Kaspersky log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
