IE constant pop-ups - Aeiiiiiiii

#1
Hi All,

I seem to have been invaded!! My laptop came with Windows Vista Home Premium installed. A few months ago I suddenly began having Internet Explorer launching browser windows unbidden. I did a system restore which fixed things nicely. I moved to Colorado (mountain time) from Washington (pacific time). I was invaded again after the move. I don't know if the time change had anything to do with this, but my system will no longer recognize the restore time frame choices properly. The computer will only now restore to a time that includes the invasion. When I now restore the bug remains.

Internet Explorer drives me crazy with launching browser windows constantly. I mainly use Firefox and want to try Opera. I have tried virus scanning, tune-up, adware detection software, the Microsoft malicious software removal tool (which says nothing is there) and so on. NOTHING gets rid of the problem. I have AVG Free 8.0 installed. I get a message from the program that identifies an 'infected' file named CHDARTT.SYS. It says this file is associated with a virus....trojan horse generic 10.yrn. I am offered the choice of 'healing' or 'removing', neither of which ever permanently gets rid of it. The messages about the infection always reappear. I tried editing CHDARTT out of my registry. I get an error message that says it couldn't be deleted. Aeiiiiiii.

Anyone experience this? Any ideas about what to do? TIA!!
 

mqudsi

Mostly Harmless
Staff member
#2
Hi gravelbrat, welcome to NST.

You'll probably need to run the antivirus scan from safe mode to get it to remove memory-resident viruses or other infected files.
 

Mak 2.0

Mod...WAFFLES!?!?
Staff member
#4
Also run a Hijack This scan.

TrendSecure | TrendMicro Overview

Post the log in your post. I will analyze it real quick and give you some advice on what to do.

Cheers,
Mak
 
#5
Thanks to you both. I did the scan with AVG in safe mode. Unfortunately it finished while I was gone and was ended and closed when I returned. I rebooted in regular mode. The pop-ups are still happening. Here is the log from your suggestion Mak:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:43:09 PM, on 8/3/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = AOL.com - Welcome to AOL
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = AOL.com - Welcome to AOL
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {14387260-7755-4DBB-A080-6E65AC8AD048} - (no file)
O2 - BHO: (no name) - {1607FDCE-05E5-48F3-8378-D8C3BB0FA7E9} - (no file)
O2 - BHO: {fc7d42c2-89fa-4da8-0114-a3517aac45d1} - {1d54caa7-153a-4110-8ad4-af982c24d7cf} - (no file)
O2 - BHO: (no name) - {53FE12C2-4429-488F-847B-7B285F8F6778} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O13 - Gopher Prefix:
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-3/CursorManiaFWBInitialSetup1.0.1.0.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1210294568190
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {80AEEC0E-A2BE-4B8D-985F-350FE869DC40} (HPDDClientExec Class) - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsVista.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Command Service (cmdService) - CMD Technology, Inc. - (no file)
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8128 bytes

****************************

Thank you greatly for the look!!
 

Mak 2.0

Mod...WAFFLES!?!?
Staff member
#6
Hello,

In HijackThis remove these entries:

O2 - BHO: (no name) - {14387260-7755-4DBB-A080-6E65AC8AD048} - (no file)
O2 - BHO: (no name) - {1607FDCE-05E5-48F3-8378-D8C3BB0FA7E9} - (no file)
O2 - BHO: {fc7d42c2-89fa-4da8-0114-a3517aac45d1} - {1d54caa7-153a-4110-8ad4-af982c24d7cf} - (no file)
O2 - BHO: (no name) - {53FE12C2-4429-488F-847B-7B285F8F6778} - (no file)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...tup1.0.1.0.cab
O23 - Service: Command Service (cmdService) - CMD Technology, Inc. - (no file)


Then restart your PC and rescan with HijackThis and see if those entries are still there. If so, let me know. Will have to go through some other steps to remove some things.

Cheers,
Mak
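A defender-side way to triage a HijackThis log like the one in post #5 for the kind of entries picked out in post #6, as an added example in Python that is not part of this thread, of HijackThis or of any tool mentioned here: it flags entries whose target is "(no file)" (a registry reference left behind after the file itself is gone), Browser Helper Objects with no readable name, and O16 ActiveX downloads from hosts outside a small allow-list, and it compares two scans so you can see which flagged entries survived a fix-and-reboot. The sample lines are copied from the logs above; the allow-list of vendor domains (TRUSTED_DPF_DOMAINS) is an assumption made for illustration, not something HijackThis provides.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: lines copied from the first HijackThis log posted
# in this thread, just enough to exercise each rule below.
BEFORE_LOG = r"""
Running processes:
C:\Windows\system32\Dwm.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {14387260-7755-4DBB-A080-6E65AC8AD048} - (no file)
O2 - BHO: {fc7d42c2-89fa-4da8-0114-a3517aac45d1} - {1d54caa7-153a-4110-8ad4-af982c24d7cf} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-3/CursorManiaFWBInitialSetup1.0.1.0.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1210294568190
O23 - Service: Command Service (cmdService) - CMD Technology, Inc. - (no file)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# Constructed "after" scan: the BHOs and the DPF entry are gone, while the
# orphaned service is still listed (as happened in post #7 of this thread).
AFTER_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1210294568190
O23 - Service: Command Service (cmdService) - CMD Technology, Inc. - (no file)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# Assumed allow-list: vendors whose ActiveX downloads (O16) this laptop is
# expected to carry. Anything else is flagged for a human to look at.
TRUSTED_DPF_DOMAINS = ("microsoft.com", "hp.com")

ENTRY_RE = re.compile(r"^([ORF]\d+) - (.*)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section, e.g. "O2" or "O23"
    reason: str    # why the entry was flagged
    line: str      # the original log line, whitespace-trimmed


def split_entry(line):
    """Return (section, body) for a HijackThis entry line, else None."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage_line(line):
    """Apply the triage rules to one line; return a Finding or None."""
    parsed = split_entry(line)
    if parsed is None:
        return None
    section, body = parsed
    # Rule 1: the registry still references a component whose file is gone.
    if body.endswith("(no file)"):
        return Finding(section, "orphaned entry, target file missing", line.strip())
    # Rule 2: a Browser Helper Object with no readable name (or only a GUID).
    if section == "O2" and body.startswith("BHO: "):
        name = body[len("BHO: "):].split(" - ")[0]
        if name == "(no name)" or GUID_RE.match(name):
            return Finding(section, "BHO without a name", line.strip())
    # Rule 3: an ActiveX download (DPF) from a host outside the allow-list.
    if section == "O16":
        url = body.rsplit(" - ", 1)[-1]
        host = (urlparse(url).hostname or "").lower()
        if not any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_DOMAINS):
            return Finding(section, f"ActiveX download from unlisted host {host}", line.strip())
    return None


def triage_log(text):
    """Run the rules over a whole log and return the findings in log order."""
    return [f for f in map(triage_line, text.splitlines()) if f is not None]


def compare_scans(before_text, after_text):
    """Split the first scan's findings into those that disappeared and those
    still present in the second scan (i.e. after the fix and a reboot)."""
    after_lines = {l.strip() for l in after_text.splitlines()}
    before = triage_log(before_text)
    persisting = [f for f in before if f.line in after_lines]
    removed = [f for f in before if f.line not in after_lines]
    return removed, persisting


if __name__ == "__main__":
    for f in triage_log(BEFORE_LOG):
        print(f"{f.section:<4} {f.reason}: {f.line}")
    removed, persisting = compare_scans(BEFORE_LOG, AFTER_LOG)
    print(f"removed after reboot: {len(removed)}, still present: {len(persisting)}")
```

On the sample above the three orphans and the imgfarm download are exactly the lines Mak listed for removal, and after the second scan only the cmdService entry survives. The "(no file)" rule is deliberately first: an orphaned entry is harmless by itself but tells you a component was removed without its registration being cleaned up, which is why it keeps reappearing in later logs until the registry key is deleted.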
 
#7
Hi Mak,

Yes, most of the items are gone. Here is the new log file in case anything else has cropped up:

************************************************************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:30:02 PM, on 8/3/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=PRESARIO&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=PRESARIO&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O13 - Gopher Prefix:
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1210294568190
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {80AEEC0E-A2BE-4B8D-985F-350FE869DC40} (HPDDClientExec Class) - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsVista.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Command Service (cmdService) - CMD Technology, Inc. - (no file)
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 7652 bytes
**********************************************************************************************

After the reboot I got the notice from AVG saying it found the CHDARTT.SYS file again. I responded by clicking ignore. Also, one unbidden IE window launched itself - Oyyyyy.

I appreciate this help very much. Thank you!!
 

Mak 2.0

Mod...WAFFLES!?!?
Staff member
#8
Hello,

Please do this:

Download ComboFix from Here or Here to your Desktop.
Read first: "How to download and use ComboFix"
If you downloaded ComboFix previously, delete that version and download it again as the tool is frequently updated!
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
  • Be sure to re-enable your anti-virus and other security programs after ComboFix has finished.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Extra-Note: Please, DO NOT use ComboFix on your own. It is a very powerful tool designed to deal with sophisticated infections and if something goes wrong or you use it incorrectly, you could possibly lose the use of your computer. It is ONLY meant to be used under the direct supervision of a malware removal specialist. Please read Combofix's Disclaimer

Post your ComboFix logs.

Cheers,
Mak
 
#9
Mak

Have made good progress. Just letting you know I will continue the attack tomorrow. I am trying to figure out how to enter the Vista Recovery Environment. My laptop didn't come with a CD to boot to. Instead there is a recovery partition on the hard drive. I have been reading about turning off my various malware tools for the combo scan.

I look forward to 'seeing' you tomorrow!

Darice G

Addendum:

Good day Mak,

Before I begin the scan with Combofix I wanted to make sure I have prepared properly. After reading entirely through the how-to material it appears that I do not have to run the scan from a recovery environment. Is that correct? I guess I have what was talked about, I can indeed boot from the bios into something that offers the kinds of choices it showed. But nothing more is said about the use of it after talking about how to get into it. Hmmm. Also - I have uninstalled AVG and will replace it after this process with the best thing you suggest. All other firewall, adware and so on items are turned off. BUT at one time I tried avast which did not correct the problem. I thought I uninstalled it. The windows security system in the malware section says it is still 'on'. I checked my system and there are instances of the software lurking in my registry. Is that why this message is appearing?

By the way, during the preparation to do this scan I found a message from Windows Defender that two items were found...a trojan and a tracker...I opted to remove them. It said this was successful but the pop-ups merrily continue. Sigh. Defender is turned off along with everything else.

Does it sound to you like I can effectively scan my computer now?

TIA!!
 

Mak 2.0

Mod...WAFFLES!?!?
Staff member
#10
Hello Darice,

No, you do not have to run ComboFix from the Recovery Environment. I have run it right within a normal bootup.

I would advise using Revo Uninstaller to remove AVG or Avast. It will get rid of the application along with the registry keys associated with it, so that there will be no remains of it on your system.

http://www.revouninstaller.com/revo_uninstaller_free_download.html

After running ComboFix and seeing the logs I will know what to do next to help you remove anything that is on the system. By the time this is finished you should have a clean system with your AV, Firewall and Defender all working like they should. :smile:

So run the scan and include the logs. If you do not wish to post the whole thing just save them as a .txt file and attach them to your post.

I will then analyze them and give you the next step.

cheers,
Mak
 

Mak 2.0

Mod...WAFFLES!?!?
Staff member
#12
Okay, let's try this. Can you boot into Safe Mode? Hit F8 after the BIOS screen but before Vista starts to load. From there choose Safe Mode or Safe Mode with Networking to access the internet.

From there I want you to run HijackThis again. But this time just remove this entry:

O23 - Service: Command Service (cmdService) - CMD Technology, Inc. - (no file)

From there I want you to close out HijackThis. Now I want you to open Computer. On the left side of that window you will see a link for Organize. Click it and then select Folder Options.

In there click the View tab. Here I want you to select to show hidden files and folders. I also want you to click to show system protected files. It is recommended to have this on, so you will get a pop-up asking if you are sure you want to do this. Say yes.

Now from here I want you to click OK to get out of that. Now I want you to go through every folder in your

Program Files
Users>Local
User>(Sorry, can't remember this name off hand)
User>Roaming
Documents

Check all those folders for anything related to CMD Technology. If you find the folder, delete it. That should fully remove the spyware.

Now go into your Control Panel under Firewall and try to turn it on. Check your options for Windows Defender and get that turned on as well. The antivirus will have to wait till you reboot, since it is not active in Safe Mode.

Then when you reboot I want you to check your firewall and see if it is still on, and to scan with HijackThis again. I want to see if this Safe Mode stuff removed it or if I have to try something else.

Cheers,
Mak
 
#13
Bugger!! I went through everything you said to do. I couldn't find ONE instance of the CMD Tech file or folder. I looked in each program folder but not every sub-folder within those. Did you mean to do a manual search of every single folder within those areas? I also used search by various combinations of cap locks and names but found nothing but Windows Command Service files.

On the reboot the firewall and defender are still turned on. The new scan in HiJack still shows item 23 CMD etc..........Grrrrrrr!!!!!!!!!!!!
 

Mak 2.0

Mod...WAFFLES!?!?
Staff member
#14
Okay, new approach. Please go through this guide:

http://www.tech-forums.net/pc/f51/spyware-removal-guide-osiris-165828/

The item in question is adware. This guide is designed to remove almost all forms of adware and spyware. This should get rid of it for you. Then check your HijackThis log after you have completed the guide to make sure it is gone.

Cheers,
Mak
 
#15
Good morning Mak,

It is all done. All eight items of software are installed on my computer with one exception. The SmitFraudFix was found to be malware and my system scrubbed it during the process!! I have not had an 'attack' this morning. Have used both Firefox and IE and not one pop-up. This is curious though - the item is still in the HijackThis log I just ran this morning:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:56:04, on 8/5/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\mobsync.exe
C:\Hijackthis 2.0\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O13 - Gopher Prefix:
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1210294568190
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {80AEEC0E-A2BE-4B8D-985F-350FE869DC40} (HPDDClientExec Class) - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsVista.cab
O16 - DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} (Image Uploader Control) - http://www.smugmug.com/photos/activex/ImageUploader5-5.0.30.0-080212.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Command Service (cmdService) - CMD Technology, Inc. - (no file)
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 5636 bytes

**********************************
You know, I backed up all my stuff to my external and was ready to scrub the entire system. It is a relief to just sit down and enjoy the internet without adverts in my face every 30 seconds.
Thank you very much for your time!!
Darice
 

Mak 2.0

Mod...WAFFLES!?!?
Staff member
#16
Hello,

Glad to hear that most of this has been resolved. Okay, well, let me think here. SmitFraudFix is not malware. I do not know why the system said that. You can't run ComboFix. So let's try something else.

http://www.geekstogo.com/forum/How-to-use-SmitFraudFix-t109268.html
You can check this topic on how to use it correctly and find links to various downloads for it.

You can also try WebRoot SpySweeper.

WebRoot SpySweeper from http://www.webroot.com/shoppingcart/tryme.php?bjpc=64011 (it's a 2-week trial):

- Click Download Now to download the program.
- Install it. Once the program is installed, it will open.
- It will prompt you to update to the latest definitions; click Yes.
- Once the definitions are installed, click Options on the left side.
- Click the Sweep Options tab.
- Under What to Sweep, please put a check next to the following:
    - Sweep Memory
    - Sweep Registry
    - Sweep Cookies
    - Sweep All User Accounts
    - Enable Direct Disk Sweeping
    - Sweep Contents of Compressed Files
    - Sweep for Rootkits
    - Please UNCHECK Do not Sweep System Restore Folder.
- Click Sweep Now on the left side.
- Click the Start button.
- When it's done scanning, click the Next button.
- Make sure everything has a check next to it, then click the Next button.
- It will remove all of the items found.
- Click Session Log in the upper right corner and copy everything in that window.
- Click the Summary tab and click Finish.
- Paste the contents of the session log you copied into your next reply.
I will see if I can find out how to get that entry removed. From the looks of it, the entry has no data and is inactive, which is good. Now to just remove it from the logs.

Other than that, how is everything else going? Is the PC working better for you?

Cheers,
Mak
 

Terry60

Knows where his towel is.
Staff member
#17
The trouble is, most anti-malware sees anything that messes about in the same area as malware, even when it too is anti-malware.
I bought a commercial "300 types of solitaire" CD years ago which contained a piece of embedded adware for other products in an associated company. No amount of messing in the registry could remove it because it was hard coded to reinstate itself. Eventually the writers released a zap to remove it from their code when the company being advertised had long since gone belly-up.
For years the zap has sat in my download folder in case I ever reinstall the CD, and has caused no problem, but suddenly AVG, in going from 7.5 to 8.0, has decided it's a virus, not a fix.
(BTW, does anyone know why, if I try to report it to AVG as a false positive, the reporting mechanism just reports a failure to send, with no explanation? Has anyone actually managed to report anything with AVG 8.0?)
 

Mak 2.0

Mod...WAFFLES!?!?
Staff member
#18
Hello, I think I found a solution.

Check your Registry for these entries:

Code:
HKLM\SYSTEM\ControlSet004\Services\cmdService
HKLM\SYSTEM\CurrentControlSet\Services\cmdService
If they are present, make a backup of your Registry, then go into Safe Mode as described before and remove them.

Then restart, go into HijackThis and remove the entry again. See if that gets rid of it.

Terry,

With the apps out there nowadays, there is a way to remove almost everything, be it through a Registry script or something. But I have yet to find some form of malware/adware that cannot be removed now.

Sadly, Vista is tougher to work with because most of the tools are not written for Vista. But there is a way, just like I found above.

You just have to be bound and determined to get rid of it, as I usually am.

Cheers,
Mak
 
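An added example, not code from the thread or from any of its participants: a PowerShell script that performs the check Mak describes in post #18. It looks for the cmdService service key under CurrentControlSet and under every ControlSetNNN key (which covers the ControlSet004 he names), prints the ImagePath and Start values of any hit, exports a .reg backup of the key with reg.exe, and deletes the key only when the -Remove switch is given. The service name parameter, the -Remove switch and the backup location in $env:TEMP are choices made for this illustration and are not from the post. Run it from an elevated PowerShell prompt, and do the actual removal from Safe Mode as the post advises.

```powershell
# Added example, not code from the thread. Looks for the service key the
# post names (cmdService) in every control set, backs it up, and removes it
# only when -Remove is passed. Run from an elevated PowerShell prompt.
param(
    [string]$ServiceName = 'cmdService',   # name taken from the post
    [switch]$Remove                        # without this, report only
)

# ControlSet004 is the one named in the post; the registry may also hold
# ControlSet001/002/..., and CurrentControlSet is a link to one of them.
# @() keeps the result an array even when only one control set exists.
$controlSets = @(Get-ChildItem -Path 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' } |
    ForEach-Object { $_.PSChildName })
$controlSets += 'CurrentControlSet'

foreach ($cs in $controlSets) {
    $key = "HKLM:\SYSTEM\$cs\Services\$ServiceName"
    if (-not (Test-Path -Path $key)) {
        Write-Output "absent : $key"
        continue
    }

    # Show what the service points at before anything is deleted; an entry
    # with no ImagePath and no Start value is the "no data, inactive" case
    # mentioned earlier in the thread.
    $props = Get-ItemProperty -Path $key
    Write-Output ("present: {0}  ImagePath=[{1}]  Start=[{2}]" -f $key, $props.ImagePath, $props.Start)

    if (-not $Remove) { continue }

    # reg.exe export wants HKLM\..., not the PowerShell HKLM:\ drive form.
    $regPath = $key -replace '^HKLM:\\', 'HKLM\'
    # Backup location is an assumption for this example; change as needed.
    $backup  = Join-Path $env:TEMP ("{0}_{1}.reg" -f $ServiceName, $cs)
    & reg.exe export $regPath $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "backup of $regPath failed; not deleting" }

    Remove-Item -Path $key -Recurse -Force
    Write-Output "removed: $key (backup written to $backup)"
}
```

Without -Remove the script only reports, so it is safe to run first to confirm the key is really there. Because CurrentControlSet is a link to one of the numbered control sets, deleting the key through the numbered path makes the CurrentControlSet pass report it as absent (or the other way round); one "removed" line for the underlying key is what to expect, not two. If the delete fails with an access error even when elevated, the key is being held open or protected by whatever created it, which is exactly the situation the Safe Mode advice in the post is meant for.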

mqudsi

Mostly Harmless
Staff member
#19
I'm surprised people haven't rewritten these tools for Windows Vista yet... it's been, what, 2 years now?
 

Mak 2.0

Mod...WAFFLES!?!?
Staff member
#20
Well, the strange thing is that most of the tools will work. There are very few errors like the one posted by Darice. I have helped many people with Vista using these same tools. But some users are a bit cautious when it comes to running these tools because of seeing these errors.

Which then forces me to find alternative ways to remove the items in question. I could have removed that item long ago with a simple ComboFix script, which would have solved this issue many posts ago.

But since Darice is unsure and doesn't want to chance the issue, I found other methods. Which is fine by me. I have no issue working around it. It just takes more time. :wink:

Cheers,
Mak