Yesterday I was asked to look at this clients PC. All of a sudden the popups are unbearable. It was running Symantec Endpoint 11.0.780. I came onsite and installed and unmanaged Endpoint Client 11.0.3001. It is the newest version. I updated the defs and ran a scan. It found a virus and was quarantined. I am still getting alot of popups. Registry tools and virus remover 2008 to name a few. I am sending along a Hijackthis log. Any help would be greatly appreciated. Thanks!!
Logfile of HijackThis v1.99.1
Scan saved at 1:03:58 PM, on 11/6/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Running processes:
C:\WINDOWS\System32\smss.e
xe
C:\WINDOWS\system32\winlog
on.exe
C:\WINDOWS\system32\servic
es.exe
C:\WINDOWS\system32\lsass.
exe
C:\WINDOWS\system32\svchos
t.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\system32\svchos
t.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aa
wservice.e
xe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\cmd.ex
e
D:\SAV32CLI.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon
.exe
C:\Program Files\HijackThis\HijackThi
s.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-7
84B7D6BE0B
3} - C:\Program Files\Common Files\Adobe\Acrobat\Active
X\AcroIEHe
lper.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD
.EXE
O4 - HKLM\..\Run: [Ulead Quick-Drop] "C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 5 SE\Ulead DVD MovieFactory 5\Quick-Drop.exe" WINDOWCALL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtr
ay.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.
exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpe
rs.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\Real
Play.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe
" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon
.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
C9C571A826
3} - C:\PROGRA~1\MICROS~2\Offic
e12\REFIEB
AR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-0
0C0F0318AF
E} - C:\WINDOWS\system32\Shdocv
w.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f
2ba3849658
3} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f
2ba3849658
3} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
0C04F79568
3} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
0C04F79568
3} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1
E41684E07B
B} -
http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15-3.cab
O16 - DPF: {CE9A27A0-C6B2-11D3-B3A3-0
090275BE2C
2} (local operation Class) -
http://bpnwww.mbco.com/MillerReports/cabs/local-operation.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0
060082AA75
C} (GpcContainer Class) -
https://india2.webex.com/client/T26L/support/ieatgpc.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-0
0C04F8EC29
4} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-0
0B0D022E94
5} - C:\PROGRA~1\COMMON~1\MICRO
S~1\OFFICE
12\MSOXMLM
F.DLL
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dims
ntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxde
v.dll
O20 - Winlogon Notify: __c00EB4E7 - C:\WINDOWS\system32\__c00E
B4E7.dat
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-9
4D524869DB
5} - C:\WINDOWS\system32\WPDShS
erviceObj.
dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aa
wservice.e
xe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aol
tsmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEU
P~1\LUCOMS
~1.EXE
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe