#1
Adware & Spyware keeps reloading itself
I have run Spy-Bot S&D, Ad-Aware, stinger, avg70 and they all seem to find the spyware, trojans, viruses but none of these programs seem to be able to permanently remove the problem files. The same pop-up web sites keep appearing, even while the anti-spyware programs are running a scan. Elitebar seems to be gone now but popupsearch and others will just not go away; some of them seem to imitate Windows error messages or warnings, other popups offer to fix the problem.
Another weird thing is when these spyware/trojans are re-installing themselves the computer makes a strange tick, tick, tick sound. Not sure what that means. I would be most grateful for any help given. HijackThis log:

Logfile of HijackThis v1.98.2
Scan saved at 14:40:58, on 14/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Evidence Eliminator\ee.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Radan Software\radan2002\radan\bin\radlicence2.exe
C:\Program Files\Radan Software\radan2002\radan\bin\RADRAFT.exe
C:\ED\Edward\Edward\getright\getright\GetRight\getright.exe
C:\ED\Edward\Edward\getright\getright\GetRight\getright.exe
C:\Program Files\Radan Software\radan2002\radan\bin\RADRAFT.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\ED\Edward\Edward\hijackthis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.popupsearches.com/sidesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.popupsearches.com/sidesearch.html
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\ED\Edward\Edward\getright\getright\GetRight\xx2gr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvgsg32.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download with GetRight - C:\ED\Edward\Edward\getright\getright\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\ED\Edward\Edward\getright\getright\GetRight\GRbrowse.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {07E9CDF4-20D2-46B1-B681-663968F527CE} - http://www.begin2search.com/toolbar/bar/winb2s32.cab
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.156.31.79/100039/uk/ringtone/ringtone.exe
#2
Hi all
I really am becoming desperate on this issue. These popup web pages are beginning to impact quite badly on me being able to do any work on the PC. If there is more info that I need to provide, then please let me know and I will post the information if I can. Please could someone be kind enough to help. Many thanks
#3
Maybe I can be of some use, I'm still learning a bit about HijackThis and what not to delete etc., but looking at your logfile, the problem looks pretty obvious.
Alright, so first you have to reboot your computer in Safe Mode; to do this, start tapping F8 as it's loading. Run HijackThis in Safe Mode and put a check next to the following:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.popupsearches.com/sidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.popupsearches.com/sidesearch.html
O16 - DPF: {07E9CDF4-20D2-46B1-B681-663968F527CE} - http://www.begin2search.com/toolbar/bar/winb2s32.cab
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.156.31.79/100039/uk/ringtone/ringtone.exe

Next, click "Fix Checked"; this will delete all the selected files from your computer. If HJT has made backups of the files, it may be an idea to delete them. Then reboot in normal mode and run Ad-Aware and AVG and allow them to "clean up". Post a fresh HijackThis log.
I'm sorry if I couldn't help, maybe someone with a little more knowledge on these things like Tom Myboy can have a look. Let me know what happens.
JuanCarlos
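Added example, not from anyone in this thread: a small Python script that parses HijackThis log entries of the kind posted above and flags the same categories JuanCarlos picked out (search-page hijacks, an unrecognised Run entry in system32, DPF downloads from untrusted hosts, and a service with an unknown vendor). The trusted-host and known-autorun sets are assumptions made for the example; the sample lines are constructed from values in the log above.

```python
import re
from urllib.parse import urlparse
# Constructed sample in the shape of the thread's log (values copied from it).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvgsg32.exe
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.156.31.79/100039/uk/ringtone/ringtone.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O23 - Service: Radan Licence Server - Unknown - C:\Program Files\Radan Software\radan2002\radan\bin\radlicence2.exe
"""

ENTRY = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")  # "R1 - ...", "O4 - ..."
# Assumptions for this example: hosts the owner expects IE to use, and the
# autorun names the thread's helpers treated as legitimate.
TRUSTED_HOSTS = {"www.yahoo.com", "go.microsoft.com"}
KNOWN_RUN = {"AVG7_CC", "AVG7_EMC", "MSMSGS", "Evidence Eliminator", "AAW",
             "Lexmark X73 Button Monitor", "Lexmark X73 Button Manager"}

def host_of(url):
    return urlparse(url.strip()).hostname or ""

def check(code, body):
    """Return a finding for one log entry, or None if nothing stands out."""
    if code in ("R0", "R1") and "=" in body:
        key, url = (s.strip() for s in body.split("=", 1))
        if "search" in key.lower() and host_of(url) not in TRUSTED_HOSTS:
            return f"search hijack: {key} -> {host_of(url)}"
    elif code == "O4":  # unrecognised Run entry living in system32
        m = re.search(r"\[(?P<name>[^\]]+)\]\s+(?P<path>.+)", body)
        if m and m["name"] not in KNOWN_RUN and "\\system32\\" in m["path"].lower():
            return f"unrecognised autorun in system32: [{m['name']}] {m['path']}"
    elif code == "O16":  # DPF = ActiveX download; only trusted source hosts pass
        url = body.rsplit(" - ", 1)[-1]
        if host_of(url) not in TRUSTED_HOSTS:
            return f"ActiveX download from untrusted host {host_of(url)}"
    elif code == "O23" and " - Unknown - " in body:
        return f"service with unknown vendor, verify manually: {body.split(' - ')[0]}"
    return None

def triage(log_text):
    """Walk a whole HijackThis log; header and process-list lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        finding = check(m["code"], m["body"]) if m else None
        if finding:
            findings.append((m["code"], finding))
    return findings
```

Running `triage(SAMPLE_LOG)` returns one finding per suspicious entry; everything on the known-good lists passes silently, which is the point of keeping those lists in one place for review.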
#4
Hi eddiejon,
If you still need help, please post a fresh HijackThis log.
Tom
__________________
HijackThis | Ad-aware | Spybot Search & Destroy | SpywareBlaster | SpywareGuard | Housecall Online A/V Scan
Please read the stickies at the top of the forum before posting!
#5
Hi guys
JuanCarlos, thanks for the advice, I followed your instructions and the problem seems to have gone. I have never tried to fix problems with HijackThis in safe mode before, but it did do the trick. I also deleted/fixed this file:

O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvgsg32.exe

You did not list it, but I did not recognise it as a legitimate file; I hope I did the right thing.
Tom Myboy, sorry it has taken me so long to reply, but I wanted to let the system run for a bit to check that nasty files did not return, thanx. Here is my fresh log:

Logfile of HijackThis v1.98.2
Scan saved at 08:46:06, on 20/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Evidence Eliminator\ee.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Radan Software\radan2002\radan\bin\radlicence2.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Radan Software\radan2002\radan\bin\RADRAFT.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avginet.exe
C:\WINDOWS\System32\taskmgr.exe
C:\SolidWorks\SLDWORKS.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\ED\Edward\Edward\hijackthis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download with GetRight - C:\ED\Edward\Edward\getright\getright\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\ED\Edward\Edward\getright\getright\GetRight\GRbrowse.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

Thanx for your help guys, you are great
#6
It seems like a harmless random named file, you should be ok. That's a good idea to use your machine a bit. Helps to see if more problems crop up.
I'd like to see a fresh log with the newest version of HijackThis. Please update HijackThis, you are using an outdated version. The new version does a better job of detecting malware:
Open HijackThis, click Config > Misc Tools > Check for Update online
Or download a copy of version 1.99 at: http://www.majorgeeks.com/download3155.html
If you downloaded the newer version, please delete the older version you are using now. Post a fresh log with this new version.
Tom
#7
Tom
I have updated HijackThis and below is the latest log. Once again thanx for your help.

Logfile of HijackThis v1.99.0
Scan saved at 10:04:44, on 21/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Evidence Eliminator\ee.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Radan Software\radan2002\radan\bin\radlicence2.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Radan Software\radan2002\radan\bin\RADRAFT.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avginet.exe
C:\WINDOWS\System32\taskmgr.exe
C:\SolidWorks\SLDWORKS.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\ED\Edward\Edward\hijackthis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download with GetRight - C:\ED\Edward\Edward\getright\getright\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\ED\Edward\Edward\getright\getright\GetRight\GRbrowse.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Radan Licence Server - Unknown - C:\Program Files\Radan Software\radan2002\radan\bin\radlicence2.exe
#8
You are clean! Good work!
The last line in your log seems to be an unknown service:

O23 - Service: Radan Licence Server - Unknown - C:\Program Files\Radan Software\radan2002\radan\bin\radlicence2.exe

Do you have Radan Sheet Metal CADCAM Software installed on this machine? Your input will help the authors that keep the listings for these services updated.
Also... I don't see a firewall running in your log. ZoneAlarm has a free firewall: http://www.zonelabs.com/store/conte...reeDownload.jsp
Tom
#9
Hi Tom
Yes we do use Radan software and the license is on my machine, although I am not sure why it says service UNKNOWN. The internet and email are on a LAN, which my machine accesses, so the firewall is apparently installed on the host PC (I say apparently because that is what our IDIOT TECHNOLOGIST IT manager has told me). I tried to install ZoneAlarm on my PC but it fell over and I had to do a system restore. Can I run ZoneAlarm on my PC over the network even if there is a firewall on the server/host internet machine? Thanx once again for your help
#10
Thank you for the input on the Radan service. It has been added to the database.
You probably will not be able to run a firewall then. As long as the one on the server is up to date and is maintained properly, you should be ok.
How is your machine running now?
Because you were infected, backups of the malware may be in System Restore.
1. Right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
4. Click Apply.
5. This will delete all existing restore points. Click Yes to do this.
6. Click OK.
Reboot.
1. Right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Uncheck the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
4. Click Apply.
5. Click OK.
Create a new Restore Point: Start > All Programs > Accessories > System Tools > System Restore > tick Create a Restore Point > Next > enter a name for the Restore Point Creation (Today, Removed Spyware, etc.) > Create > Close. The date and time will automatically be added.
Tom
Viewing: Dev Shed Forums > System Administration > Antivirus Protection > Adware & Spyware keeps reloading itself