Spyware Warrior

[blitzy]

Attached is my most recent HijackThis log. I've already scanned and re-scanned my computer using SpyBot, Adaware & McAfee AND I've uninstalled the suspicious spyware programs that I found via the Control Panel. I have also did a scan using the Panda Software, and it found 19 viruses on my harddisks. However, when I tried to view the report, my IE browser wouldn't allow me because it was set in 'HIGH' security for the moment. So, I'm not sure what Panda Software found and what it removed. When it was scanning, my entire screen was literally filled with pop-ups that just wouldn't stop showing up. Please help! Thanks!


Logfile of HijackThis v1.99.1
Scan saved at 6:42:17 PM, on 4/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\WINDOWS\system32\clubbox.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\andtqbjo\kvjfo.exe
C:\WINDOWS\system32\jutcspme\ppppdx.exe
C:\WINDOWS\system32\obkvjvey\nfscfvpx.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AdsGone\adsgone.exe
C:\WINDOWS\system32\fscagent.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot\SDHelper.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\rtneg2.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\NetTransport\NTIEHelper.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [ClubBox] "C:\WINDOWS\system32\clubbox.exe" -l
O4 - HKLM\..\Run: [kvjfo] C:\WINDOWS\system32\andtqbjo\kvjfo.exe
O4 - HKLM\..\Run: [ppppdx] C:\WINDOWS\system32\jutcspme\ppppdx.exe
O4 - HKLM\..\Run: [nfscfvpx] C:\WINDOWS\system32\obkvjvey\nfscfvpx.exe
O4 - HKLM\..\Run: [C:\WINDOWS\IEXPLOR.EXE] C:\WINDOWS\IEXPLOR.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - Startup: AdsGone.lnk = C:\Program Files\AdsGone\adsgone.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\NetTransport\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\NetTransport\NTAddLink.html
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.clubbox.co.kr
O15 - Trusted Zone: http://www.iluvshinhwa.net
O15 - Trusted Zone: http://*.sbs.co.kr
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {207048D8-A40B-4505-AE24-92FF13BEB269} (myDancerCTL Class) - http://www.anycall.com/i_event/dancefestival/help/myDancer1027.cab
O16 - DPF: {2C520C08-1ADA-4CEC-AFFD-D0D1BD268D60} (PDUpdate Control) - http://www.pdbox.co.kr/filebox/ctrl_down/PDUpdate.cab
O16 - DPF: {51C99F40-9E0E-4BF1-A92A-77121CC01AD0} (IMBCClient Control) - http://touch.imbc.com/ocx/touch.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://www.samsungcard.co.kr/XecureDemo/XecureObject/xw50_install.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/mv/XTools.cab
O16 - DPF: {A555B624-1393-46BD-ADFF-4455DD650FC5} (MediaShell T-Player Control) - http://mediashell.teruten.com/Download/TPlayer/21011/TPlayer.cab
O16 - DPF: {BCA9A936-F557-408E-8301-D5B2B302EFD6} (SiUpdaterCtrl Class) - http://www.anycall.com/i_event/dancefestival/help/iDanceUpdater1016.cab
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia.com/install/pcs_0002.exe
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://update.nprotect.net/nprotect/samsungcard/npx.cab
O16 - DPF: {E76AAE10-AF57-4AEA-B33D-C3EDFA414DAE} (S2MPlayer Control) - http://musicmember.sbs.co.kr/Player/S2MPlayer.cab
O16 - DPF: {E9702169-AFE2-477A-A79D-32151006E547} (IBSiteSigning.SiteSigning) - http://www.sbs.co.kr/new/sp2/SiteSigning.CAB
O16 - DPF: {ED1EEBEE-F0AA-474B-9829-61C482E72644} (PDBox28 Control) - http://www.pdbox.co.kr/filebox/ctrl_down/PDBox25.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by18fd.bay18.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: SharedDlls - C:\WINDOWS\system32\mvacm32.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

[TeMerc]

Hello and welcome to Spyware Warrior forums.

Below you will find my results and recommendations. Please read ALL instructions carefully BEFORE proceeding.

Please head over to either Trend Micro or Panda ActiveScan and do an online, free, full system scan. Be sure and have the 'Auto Clean' button checked.
Trend Micro
Panda ActiveScan

Please go to Add/Remove, and if found, uninstall the following:
eMule


Please go to 'Task Manager' by hitting Ctrl+Alt+Delete and 'End Task' on the following process(es):
C:\WINDOWS\system32\clubbox.exe
C:\WINDOWS\system32\andtqbjo\kvjfo.exe
C:\WINDOWS\system32\jutcspme\ppppdx.exe
C:\WINDOWS\system32\obkvjvey\nfscfvpx.exe
C:\WINDOWS\system32\fscagent.exe

Run Hijackthis and look over the following entries I have listed, check the boxes next to them and press the "Fix Checked" button with HijackThis. When you are doing this, make sure you have No IE windows, or other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing


O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\rtneg2.dll


O4 - HKLM\..\Run: [ClubBox] "C:\WINDOWS\system32\clubbox.exe" -l

O4 - HKLM\..\Run: [kvjfo] C:\WINDOWS\system32\andtqbjo\kvjfo.exe

O4 - HKLM\..\Run: [ppppdx] C:\WINDOWS\system32\jutcspme\ppppdx.exe

O4 - HKLM\..\Run: [nfscfvpx] C:\WINDOWS\system32\obkvjvey\nfscfvpx.exe

O4 - HKLM\..\Run: [C:\WINDOWS\IEXPLOR.EXE] C:\WINDOWS\IEXPLOR.EXE

O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart


O15 - Trusted Zone: http://www.clubbox.co.kr
O15 - Trusted Zone: http://www.iluvshinhwa.net
O15 - Trusted Zone: http://*.sbs.co.kr
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)


O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab

O16 - DPF: {207048D8-A40B-4505-AE24-92FF13BEB269} (myDancerCTL Class) - http://www.anycall.com/i_event/dancefestival/help/myDancer1027.cab

O16 - DPF: {2C520C08-1ADA-4CEC-AFFD-D0D1BD268D60} (PDUpdate Control) - http://www.pdbox.co.kr/filebox/ctrl_down/PDUpdate.cab

O16 - DPF: {51C99F40-9E0E-4BF1-A92A-77121CC01AD0} (IMBCClient Control) - http://touch.imbc.com/ocx/touch.cab

O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/mv/XTools.cab

O16 - DPF: {A555B624-1393-46BD-ADFF-4455DD650FC5} (MediaShell T-Player Control) - http://mediashell.teruten.com/Download/TPlayer/21011/TPlayer.cab

O16 - DPF: {BCA9A936-F557-408E-8301-D5B2B302EFD6} (SiUpdaterCtrl Class) - http://www.anycall.com/i_event/dancefestival/help/iDanceUpdater1016.cab

O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia.com/install/pcs_0002.exe

O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://update.nprotect.net/nprotect/samsungcard/npx.cab

O16 - DPF: {E76AAE10-AF57-4AEA-B33D-C3EDFA414DAE} (S2MPlayer Control) - http://musicmember.sbs.co.kr/Player/S2MPlayer.cab

O16 - DPF: {E9702169-AFE2-477A-A79D-32151006E547} (IBSiteSigning.SiteSigning) - http://www.sbs.co.kr/new/sp2/SiteSigning.CAB

O16 - DPF: {ED1EEBEE-F0AA-474B-9829-61C482E72644} (PDBox28 Control) - http://www.pdbox.co.kr/filebox/ctrl_down/PDBox25.cab


O20 - Winlogon Notify: SharedDlls - C:\WINDOWS\system32\mvacm32.dll

Reboot, into safe mode, this way:
Turn on the computer
Immediately begin tapping the <F8> key.
Use the arrow keys to highlight Safe Mode and press the <Enter> key.

Also, enable the 'Show Hidden Folders' option, like this:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

And search for, then delete, if found, (some may not be present after previous steps) the following files/folders:
C:\WINDOWS\system32\mvacm32.dll <<<--file
C:\WINDOWS\IEXPLOR.EXE <<<--file
C:\Program Files\eMule<<<<---folder
C:\WINDOWS\system32\obkvjvey<<<<---folder
C:\WINDOWS\system32\jutcspme<<<<---folder
C:\WINDOWS\system32\andtqbjo<<<<---folder
C:\WINDOWS\system32\clubbox.exe<<<--file
C:\WINDOWS\system32\rtneg2.dll <<<--file
C:\WINDOWS\system32\fscagent.exe <<<--file


To exit Safe Mode, click the Start button, click Turn Off Computer, click Restart.

Post a new HJT log please.
_________________

Ultimate Countermeasures Page
Calendar Of Updates
Malware Advisor Blog

[blitzy]

I've done all of the steps above and removed all except:
C:\WINDOWS\system32\clubbox.exe
O15 - Trusted Zone: http://www.clubbox.co.kr
O15 - Trusted Zone: http://www.iluvshinhwa.net
O15 - Trusted Zone: http://*.sbs.co.kr

These are sites and programs that I know are safe to use.

new log.....

[TeMerc]

OK, got a few to get still.

Did either of the av scans remove anything?

Reboot into 'Safe Mode', go to 'Task Manager', and 'End Task' on the following process(es) if present:
C:\WINDOWS\system32\ptytneoo\tavmfo.exe
C:\WINDOWS\system32\yxjrn\gqbsodd.exe
C:\WINDOWS\system32\canxkne\fcbfwgsd.exe
C:\WINDOWS\WinTask.exe

Search for, and delete, if found, the following files/folders:
C:\WINDOWS\system32\ptytneoo<<<<---folder
C:\WINDOWS\system32\yxjrn<<<<---folder
C:\WINDOWS\system32\canxkne<<<<---folder
C:\WINDOWS\WinTask.exe<<<--file

While still in 'Safe Mode', run HJT, and place a check next to the following lines, then, with all browsers and windows closed, hit 'Fix checked':

O4 - HKLM\..\Run: [tavmfo] C:\WINDOWS\system32\ptytneoo\tavmfo.exe

O4 - HKLM\..\Run: [gqbsodd] C:\WINDOWS\system32\yxjrn\gqbsodd.exe

O4 - HKLM\..\Run: [fcbfwgsd] C:\WINDOWS\system32\canxkne\fcbfwgsd.exe

O4 - HKLM\..\Run: [C:\WINDOWS\WinTask.exe] C:\WINDOWS\WinTask.exe

O4 - HKLM\..\Run: [PopMark] C:\WINDOWS\WinTask.exe


Reboot into Normal mode and post a new HJT log please.
_________________

Ultimate Countermeasures Page
Calendar Of Updates
Malware Advisor Blog

[blitzy]

The Panda ActiveScan only removed 2-3 viruses/trojans that it found. The rest couldn't be removed with the free version. And, no matter what I've done so far, the pop-ups continue to show up. When they do, it's not just one at a time, it's like 20 at once!

Here's the new log:

[TeMerc]

OK, give any of these other online scans a shot, tho, your log appears clear. BTW, where were the viruses found, file path location? Let me know.

Trend Housecall - http://housecall.trendmicro.com/

RAV AntiVirus Scan Online - http://www.ravantivirus.com/scan/

BitDefender Online Virus Scan - http://www.bitdefender.com/scan/licence.php

McAfee FreeScan - http://us.mcafee.com/root/mfs/default.asp

Symantec Scan - http://security1.norton.com/ssc/home.asp?j=1&langid=us&venid=sym&plfid=23&pkj=OOMWORVWHFHMFNZMBBX
_________________

Ultimate Countermeasures Page
Calendar Of Updates
Malware Advisor Blog