Serious Spyware/Adware problem (security thread didn't help)

TheRaven2156

Member
Nov 10, 2005
81
0
0
I'm infected by spyware/adware and constantly get pop-ups every couple of minutes. I've tried about 20 programs to get rid of them and it won't work. Here is my HijackThis analysis.... please help!!!!!

Logfile of HijackThis v1.99.1
Scan saved at 1:11:06 AM, on 01/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\JEREMY~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis_199.zip\HijackThis.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O4 - HKLM\..\Run: [mquypvjA] C:\WINDOWS\mquypvjA.exe
O4 - HKLM\..\Run: [ms078675-119235] C:\WINDOWS\ms078675-119235.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ResChanger2004] NONE
O4 - HKCU\..\Run: [zurw] C:\PROGRA~1\COMMON~1\zurw\zurwm.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - F:\Program Files\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - F:\Program Files\Titan Poker\casino.exe
O9 - Extra button: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - F:\Program Files\Noble Poker\casino.exe
O9 - Extra 'Tools' menuitem: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - F:\Program Files\Noble Poker\casino.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra 'Tools' menuitem: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda...86/client/wuweb_site.cab?1141164199343
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3FD085C-E067-4189-B7B2-1CC23A10E149}: NameServer = 192.168.0.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\m8rmli9118.dll (file missing)
O20 - Winlogon Notify: H323TSP - C:\WINDOWS\
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\guard.tmp
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe (file missing
 

Diasper

Senior member
Mar 7, 2005
709
0
0
It looks like you might have a more serious issue than just pop-ups.

I'm not an expert but there are a few things I'd recommend checking into as I don't know what these are. Some of these may be fine but others will be malware. This list is by no means definitive:

O4 - HKLM\..\Run: [ms078675-119235] C:\WINDOWS\ms078675-119235.exe
O4 - HKCU\..\Run: [zurw] C:\PROGRA~1\COMMON~1\zurw\zurwm.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3FD085C-E067-4189-B7B2-1CC23A10E149}: NameServer = 192.168.0.1
O20 - Winlogon Notify: H323TSP - C:\WINDOWS\
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\m8rmli9118.dll
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\guard.tmp
O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe


From my quick checks some of those are bad, e.g. H323TSP looks to be adware.looktome and the culprit generating pop-ups, while nvsvcd.exe and guard.tmp are backdoor trojans. The others are all suspect and likely to be malware. I would also check the EULAs of some of those poker software clients you have, as they could in theory be sending you ads.

You can check stuff yourself - Google search entries you are not sure of or that look suspect.

Still, I am by no means a qualified enough expert on this, so before you go deleting stuff please get a second opinion - as the second poster said, go to other tech support forums that specialise more in HJT logs for help.

Sorry I can't be of more help.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
I suggest trying the routine I typed up: http://www.omnicast.net/~tmcfadden/scan.txt This runs a special one-shot scanner/cleaner from McAfee (not Stinger). Used as directed, it'll go after some of the worst spyware/adware in addition to Trojans, worms and viruses.

Be aware that PartyPoker is one of the threats it'll remove :evil:

Also, since you appear to have Kaspersky AntiVirus Personal 5 installed, make sure to switch on the Extended databases. Kaspersky configuration instructions w/ video After making this change, update it, reboot into Safe Mode, and run a full scan.

Lastly, some of the worst spyware/adware is now using rootkits. When Windows is running in normal mode, run F-Secure BlackLight beta to check for rootkits.
 

PurdueRy

Lifer
Nov 12, 2004
13,837
4
0
Search Google for the a-squared free edition and run that. It should get rid of some of it.
 

BadThad

Lifer
Feb 22, 2000
12,100
49
91
mechBgon offers solid advice.

O4 - HKLM\..\Run: [ms078675-119235] C:\WINDOWS\ms078675-119235.exe
O4 - HKCU\..\Run: [zurw] C:\PROGRA~1\COMMON~1\zurw\zurwm.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3FD085C-E067-4189-B7B2-1CC23A10E149}: NameServer = 192.168.0.1
O20 - Winlogon Notify: H323TSP - C:\WINDOWS\
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\m8rmli9118.dll
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\guard.tmp
O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe

Yes, all of these are the problem. Looks like he has one of those polymorphic malware applications, probably installed as a rootkit: zurwm.exe. If you delete this from startup, I bet it will simply rename itself and run under a different name at startup.

You're in for quite a battle IMO.

EDIT - I might add... all you poker players get nailed with malware when you install their "applications". Something to think about after you get this fixed.
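The entries Diasper and BadThad picked out of the log share a few structural traits that can be checked mechanically rather than by eye: a Run value whose name starts with a dot and launches a core Windows binary (smss.exe) from outside System32, executable names that are mostly digits, Winlogon Notify entries whose target is a directory, a .tmp file or a missing DLL, and a service with no vendor string and a missing binary. The script below is an added example written for this thread; it is not code from the forum, from HijackThis or from any of the posters. It parses O4, O20 and O23 lines in HijackThis 1.99 format from a constructed sample (copied from the entries quoted above, with backslashes doubled for Python) and applies those rules. The rules are the example's own triage heuristics, not a verdict on any file, and they deliberately do not try to judge whether a name such as mquypvjA "looks random", which the posters did by eye and by web search.

```python
"""Flag structurally suspicious autorun entries in a HijackThis v1.99 log.

Added example for this thread (not the forum's, HijackThis' or any poster's
code).  Only O4 (Run keys), O20 (Winlogon Notify) and O23 (Service) lines are
examined; the heuristics are a triage aid, not a malware verdict.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample in HijackThis 1.99 line format; backslashes are doubled for Python.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\Run: [.nvsvc] C:\\WINDOWS\\system\\smss.exe /w
O4 - HKLM\\..\\Run: [mquypvjA] C:\\WINDOWS\\mquypvjA.exe
O4 - HKLM\\..\\Run: [ms078675-119235] C:\\WINDOWS\\ms078675-119235.exe
O4 - HKLM\\..\\Run: [KAVPersonal50] "C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus Personal\\kav.exe" /minimize
O4 - HKCU\\..\\Run: [zurw] C:\\PROGRA~1\\COMMON~1\\zurw\\zurwm.exe
O20 - Winlogon Notify: Extensions - C:\\WINDOWS\\system32\\m8rmli9118.dll (file missing)
O20 - Winlogon Notify: H323TSP - C:\\WINDOWS\\
O20 - Winlogon Notify: policies - C:\\WINDOWS\\system32\\guard.tmp
O20 - Winlogon Notify: WRNotifier - C:\\WINDOWS\\SYSTEM32\\WRLogonNTF.dll
O23 - Service: kavsvc - Kaspersky Lab - C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus Personal\\kavsvc.exe
O23 - Service: Windows Log - Unknown owner - C:\\WINDOWS\\system32\\nvsvcd.exe (file missing)
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*?)(?P<missing> \(file missing\))?$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*?)(?P<missing> \(file missing\))?$")

# Core Windows binaries that legitimately run only from %SystemRoot%\System32.
SYSTEM32_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}


@dataclass
class Finding:
    line: str
    reason: str


def _executable(cmd: str) -> str:
    """Extract the program path from a Run command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    # Unquoted: the program ends at the first .exe/.dll/.com/.scr token.
    m = re.match(r"(?i)(.*?\.(?:exe|dll|com|scr))(?:\s|,|$)", cmd)
    return m.group(1) if m else cmd.split()[0]


def _basename(path: str) -> str:
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()


def _in_system32(path: str) -> bool:
    return path.rsplit("\\", 1)[0].lower().endswith("\\system32")


def _generated_name(base: str) -> bool:
    """Four or more digits in the file stem (ms078675-119235, m8rmli9118) but not RUNDLL32."""
    stem = base.rsplit(".", 1)[0]
    return sum(c.isdigit() for c in stem) >= 4


def check_o4(line: str, m: re.Match) -> list[Finding]:
    out = []
    name, exe = m["name"], _executable(m["cmd"])
    base = _basename(exe)
    if not name or name.startswith("."):
        out.append(Finding(line, f"unusual Run value name {name!r}"))
    if base in SYSTEM32_ONLY and "\\" in exe and not _in_system32(exe):
        out.append(Finding(line, f"{base} launched from outside System32: {exe}"))
    if _generated_name(base):
        out.append(Finding(line, f"executable name {base!r} looks machine-generated"))
    return out


def check_o20(line: str, m: re.Match) -> list[Finding]:
    out = []
    path, base = m["path"], _basename(m["path"])
    if m["missing"]:
        out.append(Finding(line, f"Winlogon Notify {m['name']} points at a missing file: {path}"))
    elif path.endswith("\\") or not base.endswith(".dll"):
        out.append(Finding(line, f"Winlogon Notify {m['name']} target is not a DLL: {path}"))
    if _generated_name(base):
        out.append(Finding(line, f"DLL name {base!r} looks machine-generated"))
    return out


def check_o23(line: str, m: re.Match) -> list[Finding]:
    out = []
    if m["owner"].lower() == "unknown owner":
        out.append(Finding(line, f"service {m['name']!r} has no vendor string"))
    if m["missing"]:
        out.append(Finding(line, f"service {m['name']!r} binary is missing: {m['path']}"))
    return out


def scan(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for regex, check in ((O4_RE, check_o4), (O20_RE, check_o20), (O23_RE, check_o23)):
            m = regex.match(line)
            if m:
                findings.extend(check(line, m))
                break
    return findings


def flagged_entries(log_text: str) -> dict[str, list[str]]:
    """Map each flagged log line to its list of reasons."""
    result: dict[str, list[str]] = {}
    for f in scan(log_text):
        result.setdefault(f.line, []).append(f.reason)
    return result


if __name__ == "__main__":
    for entry, reasons in flagged_entries(SAMPLE_LOG).items():
        print(entry)
        for r in reasons:
            print("   ->", r)
```

Run on the sample it flags six lines: the `.nvsvc` smss.exe entry (two reasons), ms078675-119235.exe, the three Winlogon Notify entries, and the "Windows Log" service (two reasons); SoundMan, the NVIDIA, Kaspersky and Webroot entries, and mquypvjA/zurw pass untouched. That split is the point of the exercise: structural checks catch the entries that are wrong by construction, and the remainder still needs the kind of lookup the posters recommend.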