
Thread: WinAntiVirus Pop-ups

  1. #1 (Join Date: Sep 2006, Posts: 5)

    WinAntiVirus Pop-ups

    I ran a bad .exe file the other day and got infested by more spyware/adaware/viruses than I've ever seen. I'm using Windows XP SP2.

    I ran several scans by ad-aware and spybot, and they barely helped. I ran housecall's virus scan but that restarted my comp so I went ahead and got Kaspersky Anti Virus and ran that. It found 46 items which all got either quarantined, disinfected, or deleted.

    Things are a lot better now, but clearly not 100%. I was getting several pop-ups whenever I did a search on like google, so in Internet Explorer I went to Tools -> Manage Add-Ons... and disabled everything in that list. This stopped several pop-ups from coming up, but I'm still getting 2 pop-ups, 1 prompting me to buy a program called WinAntiVirus, and I forget the other.

    Other than this everything seems to be OK, the Hijackthis log scan didn't find anything considered "Nasty" but I'll still upload the log, and a screenshot of what's in my Manage Addons list (I've enabled some things I know are legit).

    Please help, I'd rather not reinstall my OS... again........

    OK Manage Attachments button isn't working. I'll put the links here:
    Addons Screenshots: http://www.xleet.com/addons.jpg
    Hijackthis Log: http://www.xleet.com/hijackthis.log

    [Edit]
    Added Hijackthis log attachment to this post.
    Last edited by Tampa1adam; 09-30-2006 at 11:40 AM.

  2. #2 (Join Date: Aug 2006, Location: The Middle, Age: 80, Posts: 4,079)
    Hello Adam,
    First of all, during your HJT scan you show a lot of totally unnecessary programs running in the background, no less than three instances of Internet Explorer. The first rule for running a HJT scan is CLOSE ALL BROWSERS. So please do this for all future scans.
    Another unnecessary program running during the scan was PlayOnline. Obviously you are a gamer, that is fine, but this program, to me anyway, is questionable in itself. Here is the description given of this program on several sites I use for research:

    "Installs programs. Deletes programs. Invokes dll components. Modifies the hostsfile. Runs other programs. Communicates with web sites using httpout protocols. Terminates processes. Hijacks running processes. Has outbound communications. Could log keystrokes."

    While it is a legal program, probably used by many, I am somewhat leery of it. Read what it can do on your system. I believe you are possibly opening doors you may not want to open. You can do what you want, I would recommend removal but that is your choice. In any case, shut it down totally until the computer is clean and right now it is not clean.
    It would help some if we knew the names and locations of objects removed by your anti-virus program. If you can access that information post it here.
    You need to go to READ ME Before Posting A Request For Assistance!
    Follow every instruction there, including the downloading and running of Ewido. Pay close attention to the steps which need to be taken disconnected from the internet AND in safe mode.
    Once you have completed all the steps in PP's link then reboot to normal mode, and run a new HJT scan with all browsers, im's and gaming programs shut down. Save that new log and post it back here with the Ewido log. We will see where things stand. There may be other steps to follow but I want to see how much we can remove with the scans given in PP's link.
    Judy

  3. #3 (Join Date: Sep 2006, Posts: 5)
    Thank you for your post!

    PlayOnline is a process from a game called Final Fantasy XI, I had it open during the scan, sorry. Here is the new HJT log and virus scan log. I had to edit down the virus scan log because it listed the result for each file scanned, which made the file save 296 Megs; I only deleted this section, the rest is probably the important stuff. I'll be sure to follow the steps in that thread you posted as well.

  4. #4 (Join Date: Aug 2006, Location: The Middle, Age: 80, Posts: 4,079)
    Which virus scan removed these items? Looks like it removed many! Complete the steps in the link, exactly as specified, including the scans in safe mode. Be sure to save the Ewido log.
    Once complete then reboot to Normal Mode and BE CERTAIN THAT ALL BROWSERS ARE CLOSED AND NOT RUNNING and run HJT again and post the log here along with the Ewido log. Then we can better tell where things stand.
    Judy

  5. #5 (Join Date: Sep 2006, Posts: 5)
    I still haven't had time to run any of the items in that post. I did run E-wido and another HJT scan, so I'll upload those here.

    Ewido log was too big to add as an attachment so here it is:
    E-wido log: http://www.xleet.com/ewido.txt - It's sorta hard to read if you open it with IE, but if you pull it from your local cache and open it, it's formatted in a way that's a lot easier to read

  6. #6 (Join Date: Aug 2006, Location: The Middle, Age: 80, Posts: 4,079)
    There ARE several nasty items showing in your Ewido log, why didn't you tell the program to fix?

  7. #7 (Join Date: Sep 2006, Posts: 5)
    Oh, I didn't have time to find the delete function, I had to be to work at 10 AM, and my post time was 9:53 :P.

    Anyway, I just remote desktopped into my comp and deleted them, what should I do next? I have about 160 gigs of data on my HDD, so all these scans take all night... so it's sort of tedious trying to do all the items in that post as I want to run each scan one at a time to prevent conflicts...

  8. #8 (Join Date: Aug 2006, Location: The Middle, Age: 80, Posts: 4,079)
    All steps must be run one at a time. This will not be a short process, it may have been removed if you had taken the time to find the delete key in Ewido. They would have been deleted automatically. If you don't have time then I can't help.

    Quote, originally posted by Adam:
        and deleted them
    What "them" did you delete? The thing is Adam, deleting items one at a time will take forever. This is why we recommend these scans and various programs. You think the scans take a long time...searching out manually each and every file one of these things will leave on the hard drive will take MORE than a long time. And while you are doing your searching and deleting some of these baddies can be reproducing someplace else on the hard drive.

    Here is why, if you really want to clean up the computer, you should follow the instructions given...
    These are just six of the multiple entries in your Ewido scan that you ran but didn't have time to find the delete option:

    Downloader.IstBar>>>manual removal instructions 1 and 1/2 pages of files which must be removed.

    Downloader.Small>>>creates its own registry entry and will download its own executables and store them in a minimum of six locations on the computer...this is just the original file. It DID show in two locations on the scan.


    Downloader.Zlob.amy>>>often silently downloads and installs rogue security programs such as SpywareQuake, SpyFalcon and WinAntivirusPro, but may install other malware as well. Some variants of Trojan-Downloader.Zlob.Media-Codec have backdoor functionality, giving a remote attacker the ability to control and use the infected machine for malicious purposes.

    Safety Bar -> Adware.Generic>>>hijacks the user's browser and installs a toolbar without permission. It makes false claims about the user's computer being infected with malware and recommends that the user purchase a number of fake security products in order to fix their problem. It is responsible for downloading trial versions of these fake security products which in turn hound the user to purchase their product.

    WinRAR\patch.exe>>>Violates Physical Memory Protection allowing it to take control of your PC. Could use your PC to send mass mail using SMTP protocols. Has a keylogger that can spy on and log keystrokes without your knowledge or permission. Modifies Internet Browser Settings. Creates multiple copies of the Trojan infection on your PC. Creates registry run keys to ensure it is restarted every time you boot your PC. Installs other malicious programs. Examines which processes are running on your PC allowing it to explore vulnerabilities in Windows and your antivirus and anti-spyware products. Modifies the Hosts File which could stop your antivirus or anti-spyware protection or put your personal information at risk. Connects with 3rd party computer systems and forwards data via the internet. Hijacks other processes.

    Zedo>>>Zedo cookies store information about a PC user’s interaction with a specific website.

    Your choice Adam, if you want help we are here, if you want to do this manually then good luck.
    Last edited by jholland1964; 10-02-2006 at 10:53 PM. Reason: Additional info.

  9. #9 (Join Date: Sep 2006, Posts: 5)
    Quote, originally posted by jholland1964:
        What "them" did you delete?
    Oh, I was at work when I made that post, what I was saying is I remote desktopped to my home PC, had E-wido still open, then found the delete button and fixed everything it found.

    I finally found the cause of my pop-up pains and got rid of it yesterday. Remember the screenshot of my Internet Add-ons?? Well every time I'd restart my computer, I'd see the ssqrs.dll set back to enabled when it was previously disabled... so I did a bunch of searches on that dll... turns out I had the latest version of Virtumonde infections and after that I found a fix here.

    I waited a day to reply to ensure I didn't get any more pop-ups, and I haven't.

    I haven't scanned since I removed that, so I'll upload a HJT log just to be sure I get everything it happily installed on my machine off... Thanks for all your help jholland!

  10. #10 (Join Date: Aug 2006, Location: The Middle, Age: 80, Posts: 4,079)
    Good find and fix Adam!
    One item remaining in your HJT log that I see is this one:
    O20 - Winlogon Notify: winzoa32 - winzoa32.dll (file missing)
    Run HJT again, place a checkmark next to that one, if it still shows, and click the FIX button.
    Exit HJT.
    Reboot, run HJT again to be certain that the entry is gone.
    If it is and you feel comfortable that the system is clean then I would recommend setting a new, clean Restore Point by Right Clicking My Computer. Choose Properties, System Restore. Place a checkmark in "Turn off System Restore". You will get a box asking if you are sure, say yes. Exit out. Then do the reverse and re-enable System Restore.
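A small triage script for the kind of HijackThis log exchanged in this thread, added here as an example; it is not part of the thread and not HijackThis's own code. It parses a constructed log excerpt (the O20 Winlogon Notify line quoted in post #10 is real, the other lines, the nameless BHO standing in for the ssqrs.dll add-on from post #9, its GUID and the paths are invented) and flags the two things the thread turned on: Winlogon Notify entries HJT marks "(file missing)", which are orphaned persistence hooks to be fixed in HJT, and BHO entries reported with "(no name)", which deserve a closer look because legitimate add-ons almost always carry a class name. The function and sample names are assumptions.

```python
"""Triage a HijackThis (HJT) log for orphaned Winlogon Notify hooks (O20)
and nameless browser helper objects (O2). Example code, not HJT's own."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample log (not the thread's attachment). Only the
# "winzoa32" O20 line reproduces an entry quoted in the thread.
SAMPLE_HJT_LOG = r"""
Logfile of HijackThis (constructed sample)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {D5ABC8F1-1B0D-4B0A-9A0E-3C2B4E5F6A7B} - C:\WINDOWS\system32\ssqrs.dll
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
O20 - Winlogon Notify: winzoa32 - winzoa32.dll (file missing)
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""


@dataclass(frozen=True)
class HjtEntry:
    section: str  # e.g. "O2", "O4", "O20"
    body: str     # everything after the "O20 - " prefix


HJT_LINE = re.compile(r"^(O\d+)\s+-\s+(.*)$")


def parse_hjt_log(text: str) -> list[HjtEntry]:
    """Keep only the O-numbered lines; the header and blank lines are skipped."""
    entries: list[HjtEntry] = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append(HjtEntry(m.group(1), m.group(2)))
    return entries


def missing_winlogon_notify(entries: list[HjtEntry]) -> list[str]:
    """Names of O20 Winlogon Notify entries whose DLL HJT reports as missing.

    Winlogon loads every DLL listed under its Notify key at logon, so an entry
    whose file is gone is a leftover from the cleanup and should be fixed in HJT.
    """
    prefix = "Winlogon Notify:"
    found: list[str] = []
    for e in entries:
        if e.section == "O20" and e.body.startswith(prefix) and "(file missing)" in e.body:
            # body looks like "Winlogon Notify: winzoa32 - winzoa32.dll (file missing)"
            found.append(e.body[len(prefix):].split(" - ", 1)[0].strip())
    return found


def unnamed_bhos(entries: list[HjtEntry]) -> list[str]:
    """DLL paths of O2 BHO entries that HJT lists as "(no name)"."""
    found: list[str] = []
    for e in entries:
        if e.section == "O2" and e.body.startswith("BHO: (no name)"):
            # body looks like "BHO: (no name) - {CLSID} - C:\path\to.dll"
            found.append(e.body.rsplit(" - ", 1)[1].strip())
    return found


def triage(text: str) -> dict:
    """Summarise the findings a helper would ask the poster to act on."""
    entries = parse_hjt_log(text)
    return {
        "entries": len(entries),
        "orphaned_winlogon_notify": missing_winlogon_notify(entries),
        "unnamed_bhos": unnamed_bhos(entries),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HJT_LOG).items():
        print(f"{key}: {value}")
```

Run against a saved log with `triage(open("hijackthis.log").read())`; the two lists are exactly the items to tick and Fix in HJT (O20) or to research before deciding (O2), which matches the order of work in posts #9 and #10.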
