Spyware / Virus Removal: spyware, virus, browser hijack and other malware removal.

#1  10-01-2006, 02:38 PM
theoryTim (Junior Member; Join Date: Oct 2006; Posts: 3)
Help Pls

Just about every time I open Internet Explorer, or sometimes when I try to navigate within it, I get these annoying pop-ups saying "Spyware Removal Wizard", and often http://count3.exitexchange.com/exit/1202882 pops up on the screen.


I've run ewido's spyware removal, an up-to-date version of Kaspersky, Ad-Aware SE edition, and Panda's newest Antivirus 2007, and they detect files and delete them, but it keeps coming back, not to mention HORRIBLE boot-up now.


PLEASE HELP! I have tried everything!
HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:34:06 PM, on 10/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
E:\Programs\Panda\pavsrv51.exe
E:\Programs\Panda\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Programs\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
E:\Programs\Panda\PsImSvc.exe
E:\Programs\Panda\APVXDWIN.EXE
e:\programs\panda\WebProxy.exe
E:\Programs\Panda\AvltMain.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Timmy Hill\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!ewido] "E:\Programs\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [APVXDWIN] "E:\Programs\Panda\APVXDWIN.EXE" /s
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\Office\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - E:\Programs\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - E:\Programs\Panda\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - E:\Programs\Panda\PsImSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - H:\Alcohol 120\StarWind\StarWindService.exe (file missing)
#2  10-01-2006, 06:27 PM
Mobo (Thinking outside the box; Join Date: Sep 2004; Location: Cape Breton; Posts: 4,587)
Hi Tim. There is nothing showing in your log, so maybe run a full ewido scan and post its log afterwards to see what it finds.

As well, please run it in safe mode: http://www.cyberanswers.org/index.php?page=safemode
#3  10-02-2006, 11:34 PM
theoryTim (Junior Member; Join Date: Oct 2006; Posts: 3)
Hello Mobo.

I have run all these scanners in safe mode. I have disabled System Restore.

I have run many of the supposedly rogue-related fix software and no luck yet. They keep coming back. I would just low-level format and be done with this, as I've been on the curing stage for over 2 days and I cannot afford to dedicate any more time between work and college.

Is this annoyance using a Microsoft service to reproduce itself (I'm on XP Home ed.)? I looked in services.msc but I didn't see anything strange. Also, I have cleared IE temp folders, cache, history, cleaned registry etc. etc., every fix that Ace Utilities has (if you're familiar with that program).


I will post links to several log files from different programs I run (Panda Antivirus 2007, HijackThis log, and Spyware Doctor's log; all recent):

http://www.theoryofevil.com/panda.txt
http://www.theoryofevil.com/spywareDoctor.txt
http://www.theoryofevil.com/hijackthis.log

Any assistance would be appreciated far beyond what you could ever imagine.
#4  10-03-2006, 06:28 AM
Mobo (Thinking outside the box; Join Date: Sep 2004; Location: Cape Breton; Posts: 4,587)
In your two days of removal, did you at any time remove a file similar to this with HijackThis?

O4 - HKLM\..\Run: [95c514b2.exe] C:\WINDOWS\system32\95c514b2.exe

with the last number/letter combo possibly being different?
#5  10-03-2006, 06:42 AM
Mobo (Thinking outside the box; Join Date: Sep 2004; Location: Cape Breton; Posts: 4,587)
If you haven't reformatted, then go to Control Panel / Folder Options.
Click on the View tab. Click the option to "Show hidden files and folders", untick "Hide protected operating system files", then untick
"Hide extensions for known file types".

Then open Windows Explorer and go to C:\Documents and Settings\<your user name>\Application Data

In that folder, look for a file with a name similar to 95c514b2.exe.


Copy and paste its name here please.
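The indicator Mobo points at in the two posts above (a Run entry whose executable has a random eight-character hex name, often dropped somewhere user-writable such as Application Data) can be checked mechanically against a HijackThis log instead of by eye. The Python script below is an added example for this thread, not code from the forum, the poster, or HijackThis itself: it parses O4 autorun lines, extracts the image path from the Run value (quoted or unquoted, with or without arguments), and flags entries whose file name looks randomly generated or whose image sits in Application Data or a Temp directory. The sample log lines are constructed for the example (the "updater" entry and its path are invented), and the two heuristics are assumptions modelled on what a helper looks for, not a malware signature; a flagged entry still needs a look at the file before anything is deleted.

```python
import re

# Constructed sample in HijackThis v1.99.1 format, for this example only (not the
# poster's real log). The third line is the pattern the thread asks about; the
# fourth entry (name and path) is invented to show an image under Application Data.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!ewido] "E:\Programs\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [95c514b2.exe] C:\WINDOWS\system32\95c514b2.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Application Data\e1a4c0f9.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - H:\Alcohol 120\StarWind\StarWindService.exe (file missing)
"""

# O4 line shape: "O4 - HKLM\..\Run: [value name] command line"
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# Assumed heuristic: eight hex characters plus .exe, e.g. 95c514b2.exe.
RANDOM_NAME_RE = re.compile(r'^[0-9a-f]{8}\.exe$', re.IGNORECASE)
# Assumed heuristic: directories a normal product rarely uses for its autorun image.
USER_WRITABLE_DIRS = ('\\application data\\', '\\local settings\\temp\\', '\\temp\\')


def image_path(cmd):
    """Return the executable path from a Run value's command string."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # "C:\path with spaces\x.exe" /args
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    pos = cmd.lower().find('.exe')               # unquoted path, possibly with spaces
    if pos >= 0:
        return cmd[:pos + 4]
    return cmd.split(' ', 1)[0]                  # no .exe at all: first token


def parse_o4(line):
    """Parse one HijackThis O4 line into a dict; return None for any other line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry['image'] = image_path(entry['cmd'])
    return entry


def suspicious_reasons(entry):
    """Heuristic reasons an O4 entry deserves a closer look (empty list if none)."""
    reasons = []
    base = entry['image'].replace('/', '\\').rsplit('\\', 1)[-1]
    if RANDOM_NAME_RE.match(entry['name']) or RANDOM_NAME_RE.match(base):
        reasons.append('random 8-hex-char executable name')
    if any(d in entry['image'].lower() for d in USER_WRITABLE_DIRS):
        reasons.append('autorun image lives in a user-writable data/temp directory')
    return reasons


def triage(log_text):
    """Return (value name, image path, reasons) for every flagged O4 entry."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            findings.append((entry['name'], entry['image'], reasons))
    return findings


if __name__ == '__main__':
    for name, image, reasons in triage(SAMPLE_LOG):
        print(f'[{name}] {image}\n    ' + '; '.join(reasons))
```

HijackThis lists the Run value whether or not the file carries the hidden attribute, which is why the log can show an entry that Explorer refuses to display until the Folder Options change above is made; running the script over a saved log and then checking each flagged path in Explorer with hidden and system files visible covers both halves of the procedure.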
#6  10-03-2006, 12:29 PM
theoryTim (Junior Member; Join Date: Oct 2006; Posts: 3)
I personally don't remember deleting that file; I believe it was in a log of an old anti-virus I was using.


I believe I have fixed the problem. atribune.org offered some programs that, so far, have eliminated all the pop-ups since I've been using my computer.

Panda hasn't detected anything now on the scans.


Thank you for your help; if it manages to come back, I will come back.

#7  10-03-2006, 12:45 PM
Mobo (Thinking outside the box; Join Date: Sep 2004; Location: Cape Breton; Posts: 4,587)
That's great news, Tim.