08-01-2008, 03:39 PM   #1
Zekko
Registered User
 
Join Date: Aug 2007
Location: Netherlands
Posts: 22
OS: Windows XP Pro SP2


Pesky malware popups

Been getting lots of Windows warnings and Internet Explorer popups about malware like every 30 seconds, fake virus scanners and the like. I first thought it might be the Vundo virus, but I tried VundoFix.exe and the like; they all said Vundo couldn't be found.

I did find a process constantly running called "iebtm.exe" and also "iebtmm.exe". I also found them in the registry, but I could neither end the process nor remove the registry entry.

I ran Deckard's System Scanner, and it asked me for HijackThis. I let it finish its scan without using HijackThis, closed the resulting logs, installed HijackThis and ran it again, but this time it only gave me a main.txt file, no extra.txt. I tried uninstalling HijackThis and rebooting, but it wouldn't give me an extra.txt file.

I've been having another problem for about a month now, maybe more. At startup, when the desktop loads, the taskbar freezes for about a minute. After that, it's fine. I couldn't find a solution on the internet so I always just waited for it. I don't expect it to have anything to do with the popups, though.

Help, please?


Deckard's System Scanner v20071014.68
Run by Jeroen Delcour on 2008-08-01 23:29:55
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Jeroen Delcour.exe) --------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:29:58, on 1-8-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Applications\wcs.exe
C:\Program Files\Applications\iebtm.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Applications\wcm.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Applications\iebtmm.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jeroen Delcour\Bureaublad\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\JEROEN~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {D46BEAA4-A304-40B3-A9DA-EC7F7F501F25} - C:\Program Files\Applications\iebt.dll
O3 - Toolbar: Internet Service - {38BF827A-D7C5-46E1-A9A2-47B1B5BB5438} - C:\Program Files\Applications\iebr.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Applications\wcs.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Applications\iebtm.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.iexplorerclue.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.iexplorerclue.com/redirect.php (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 5305 bytes

-- Files created between 2008-07-01 and 2008-08-01 -----------------------------

2008-08-01 23:24:36 0 d-------- C:\Program Files\Trend Micro
2008-08-01 22:47:02 0 d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-08-01 22:29:35 0 d--h----- C:\Documents and Settings\Administrator\Sjablonen
2008-08-01 22:29:35 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-08-01 22:29:35 0 d--h----- C:\Documents and Settings\Administrator\Onlangs geopend
2008-08-01 22:29:35 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-08-01 22:29:35 0 d--h----- C:\Documents and Settings\Administrator\Netwerkprinteromgeving
2008-08-01 22:29:35 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-08-01 22:29:35 0 d-------- C:\Documents and Settings\Administrator\Mijn documenten
2008-08-01 22:29:35 0 dr------- C:\Documents and Settings\Administrator\Menu Start
2008-08-01 22:29:35 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-08-01 22:29:35 0 d-------- C:\Documents and Settings\Administrator\Favorieten
2008-08-01 22:29:35 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-08-01 22:29:35 0 d-------- C:\Documents and Settings\Administrator\Bureaublad
2008-08-01 22:29:35 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-08-01 22:29:35 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-08-01 22:29:26 0 d--hs---- C:\WINDOWS\CSC
2008-08-01 22:20:26 0 d-------- C:\VundoFix Backups
2008-08-01 21:03:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-01 20:00:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-01 18:43:44 0 d-------- C:\Program Files\Applications
2008-07-25 11:55:01 0 d-------- C:\Documents and Settings\Jeroen Delcour\Application Data\EVEMon
2008-07-20 13:22:51 0 d-------- C:\Documents and Settings\All Users\Application Data\CCP
2008-07-04 14:38:53 0 d-------- C:\Program Files\MSXML 4.0


-- Find3M Report ---------------------------------------------------------------

2008-08-01 23:16:05 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-01 22:26:08 0 d-------- C:\Documents and Settings\Jeroen Delcour\Application Data\uTorrent
2008-08-01 16:51:09 0 d-------- C:\Program Files\Xfire
2008-07-25 15:08:35 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-24 18:43:41 0 d-------- C:\Documents and Settings\Jeroen Delcour\Application Data\Xfire
2008-07-09 14:44:45 0 d-------- C:\Documents and Settings\Jeroen Delcour\Application Data\Hamachi
2008-07-02 08:35:34 1838 --a------ C:\WINDOWS\system32\ealregsnapshot1.reg
2008-06-28 12:29:48 0 d-------- C:\Documents and Settings\Jeroen Delcour\Application Data\Ulead Systems
2008-06-28 12:24:34 0 d-------- C:\Program Files\Windows Media Components
2008-06-28 12:24:22 0 d-------- C:\Program Files\Ulead Systems
2008-06-28 12:22:37 0 d-------- C:\Program Files\Common Files\Ulead Systems
2008-06-28 12:22:35 0 d-------- C:\Program Files\Common Files
2008-06-27 14:13:04 86016 --a------ C:\WINDOWS\system32\OpenAL32.dll <Not Verified; Portions (C) Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL(TM) Library>
2008-06-23 22:08:49 60812 --a------ C:\WINDOWS\War3Unin.dat
2008-06-23 21:57:09 2829 --a------ C:\WINDOWS\War3Unin.pif
2008-06-23 21:57:09 139264 --a------ C:\WINDOWS\War3Unin.exe <Not Verified; Blizzard Entertainment; Warcraft III Uninstaller>
2008-06-22 17:07:38 0 d-------- C:\Program Files\Common Files\InstallShield
2008-06-18 15:55:52 0 d-------- C:\Documents and Settings\Jeroen Delcour\Application Data\SPORE Creature Creator
2008-06-18 14:29:39 0 d-------- C:\Program Files\MSN Messenger
2008-06-18 14:28:47 0 d-------- C:\Program Files\Windows Live
2008-06-18 12:43:36 0 d-------- C:\Documents and Settings\Jeroen Delcour\Application Data\Mozilla
2008-06-14 22:33:22 681 --a------ C:\WINDOWS\mozver.dat
2008-06-11 23:15:13 0 d-------- C:\Program Files\Common Files\BioWare
2008-06-10 21:49:03 455928 --a------ C:\WINDOWS\system32\perfh013.dat
2008-06-10 21:49:03 76816 --a------ C:\WINDOWS\system32\perfc013.dat
2008-05-31 16:44:49 967 --a------ C:\WINDOWS\ScUnin.pif
2008-05-31 16:44:49 94208 --a------ C:\WINDOWS\ScUnin.exe <Not Verified; Blizzard Entertainment; Starcraft Uninstaller>
2008-05-31 16:44:49 27427 --a------ C:\WINDOWS\scunin.dat
2008-05-03 05:46:00 1630208 --a------ C:\WINDOWS\system32\nwiz.exe
2008-05-03 05:46:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2008-05-03 05:46:00 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2008-05-03 05:46:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2008-05-03 05:46:00 1486848 --a------ C:\WINDOWS\system32\nview.dll
2008-05-03 05:46:00 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2008-05-03 05:46:00 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2008-05-03 05:46:00 425984 --a------ C:\WINDOWS\system32\keystone.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D46BEAA4-A304-40B3-A9DA-EC7F7F501F25}]
01-08-2008 23:27 7680 --a------ C:\Program Files\Applications\iebt.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{38BF827A-D7C5-46E1-A9A2-47B1B5BB5438}"= C:\Program Files\Applications\iebr.dll [01-08-2008 18:43 85504]

[-HKEY_CLASSES_ROOT\CLSID\{38BF827A-D7C5-46E1-A9A2-47B1B5BB5438}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [03-05-2008 05:46]
"nwiz"="nwiz.exe" [03-05-2008 05:46 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [21-03-2007 16:49 C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [03-05-2005 20:43 C:\WINDOWS\Alcmtr.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [19-07-2008 16:38]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [03-05-2008 05:46]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [28-03-2008 23:37]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30-03-2008 10:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [04-08-2004 01:15]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04-08-2004 01:03]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"some"=C:\Program Files\Applications\wcs.exe
"start"=C:\Program Files\Applications\iebtm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\AlienGUIse\fastload.dll 20-12-2001 23:34 24576 C:\Program Files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc




-- End of Deckard's System Scanner: finished at 2008-08-01 23:30:12 ------------
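The HijackThis log above is the kind of output a forum helper triages by hand: unnamed browser helper objects, entries whose file no longer exists, autoruns registered in unusual registry locations, and several items clustering in one unfamiliar directory. As an added example (not part of the original post and not HijackThis's own code), the Python script below parses lines in that log format, using a handful of lines copied from the log above as its embedded sample, and applies defender-side triage heuristics: it flags O2/O3 entries with "(no name)", any entry whose target is "(no file)" or "(file missing)", O4 autoruns registered under Policies\Explorer\Run, O9 buttons that point at a URL rather than a local file, and, in a second pass, any remaining entry that lives in the same directory as an already-flagged one. The heuristics, their wording and the parsing approach are my own assumptions for illustration.

```python
import re
from dataclasses import dataclass, field

# Sample lines copied from the HijackThis log in the post above (constructed subset for this example).
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {D46BEAA4-A304-40B3-A9DA-EC7F7F501F25} - C:\Program Files\Applications\iebt.dll
O3 - Toolbar: Internet Service - {38BF827A-D7C5-46E1-A9A2-47B1B5BB5438} - C:\Program Files\Applications\iebr.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Applications\wcs.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Applications\iebtm.exe
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.iexplorerclue.com/redirect.php (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# "O2 - <body>", "R1 - <body>", ... : section code, then the rest of the line
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# O4 bodies look like "HKLM\..\Run: [name] command"
O4_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


@dataclass
class Entry:
    section: str
    name: str
    target: str            # file path, URL, or "(no file)"
    key: str = ""          # registry location, only meaningful for O4 lines
    flags: list = field(default_factory=list)

    @property
    def directory(self) -> str:
        # Lower-cased directory part of a Windows path; "" for URLs and missing files
        if "\\" not in self.target:
            return ""
        return self.target.rsplit("\\", 1)[0].lower()


def parse_line(line: str):
    """Turn one HijackThis log line into an Entry, or None if it is not an entry line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if section == "O4":
        o4 = O4_RE.match(body)
        if not o4:
            return None
        cmd = o4.group("cmd")
        if cmd.startswith('"'):                 # quoted path, arguments follow the closing quote
            target = cmd[1:].split('"', 1)[0]
        else:                                   # unquoted: keep everything up to the .exe
            idx = cmd.lower().find(".exe")
            target = cmd[: idx + 4] if idx != -1 else cmd
        return Entry(section, o4.group("name"), target, key=o4.group("key"))
    # Other sections: "Kind: name - {CLSID} - target" or "Service: name - vendor - target"
    parts = body.split(" - ")
    head = parts[0]
    name = head.split(": ", 1)[1] if ": " in head else head
    return Entry(section, name, parts[-1])


def parse_log(text: str):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def triage(entries):
    """Attach review flags to entries; returns only the flagged ones (heuristics are illustrative)."""
    for e in entries:
        if e.section in ("O2", "O3") and e.name == "(no name)":
            e.flags.append("unnamed BHO/toolbar")
        if "(no file)" in e.target or "(file missing)" in e.target:
            e.flags.append("orphaned entry (target missing)")
        if e.section == "O4" and "policies\\explorer\\run" in e.key.lower():
            e.flags.append("autorun via Policies\\Explorer\\Run")
        if e.section == "O9" and e.target.lower().startswith("http"):
            e.flags.append("IE button points at a URL")
    # Second pass: anything sharing a directory with a flagged item deserves a look too
    hot_dirs = {e.directory for e in entries if e.flags and e.directory}
    for e in entries:
        if not e.flags and e.directory and e.directory in hot_dirs:
            e.flags.append("shares directory with flagged entry")
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in triage(parse_log(SAMPLE_LOG)):
        print(f"{e.section:<4} {e.name:<20} {e.target}\n      -> {', '.join(e.flags)}")
```

Run against the embedded sample, the script leaves the Java and avast! entries alone and flags six items: the two unnamed BHOs, the two Policies\Explorer\Run autoruns, the orphaned O9 button pointing at a URL, and the "Internet Service" toolbar DLL, which is caught only by the directory-sharing pass because it sits in the same folder as the already-flagged files. Those flags are a starting point for a human reviewer, not a verdict; a legitimate but unusually packaged program can trip the same rules.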