Spyware problems

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

JamesBone

Thread Starter
Joined
Feb 6, 2000
Messages
181
I have problems with hijacks again.

I ran spyblaster, spybot, adaware, with the latest updates.
I ran AVG with latest updates, keeps showing viruses.
I no longer have google toolbar, I'm how it got deleted.
I have a few images attached of problems I'm having.
There is a search bar that appears in the bottom right, that is always there on reboot. I have to end its process "desktop.exe" to get it off.
I have a "Connect To" area in my start menu that mysteriously appeared and has something strange to connect to. It was never there before.
The culprits are in a hidden folder "isrvs" in Windows, but I can't delete them. And what's even worse, if you actually browse the "WINDOWS" directory, you can see a program called "edmond" start up.
My google toolbar has disappeared off of IE.

Here is my current hijack log. Trusted sites reappear, even after running certain scripts.

Logfile of HijackThis v1.99.0
Scan saved at 1:58:22 PM, on 2/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Software\APPLIC~1\AVG\avgcc.exe
C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Software\APPLIC~1\AVG\avgamsvr.exe
C:\Software\APPLIC~1\AVG\avgupsvc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\Software\Graphics\Adobe\Photoshop 7.0\Photoshop.exe
C:\WINDOWS\System32\devldr32.exe
C:\Documents and Settings\Dell\My Documents\My Programs\hijackthis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [AVG7_CC] C:\Software\APPLIC~1\AVG\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2****ed.biz
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\Software\APPLIC~1\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\Software\APPLIC~1\AVG\avgupsvc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
 


Joined
Sep 7, 2004
Messages
49,014
Download http://www.mvps.org/winhelp2002/DelDomains.inf - don’t run yet

Note, if you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection.

Print this and boot to safe mode

Right click the DelDomains.inf file and click Install, making sure Internet Explorer is closed. You won't see anything happen. Give it a minute.

Fix these with HJT

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe

O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe

O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2****ed.biz
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com

O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll


View Hidden Files
Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
Make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files".
Now click "Apply to all folders", Click "Apply" then "OK"

Delete these folders

C:\WINDOWS\isrvs

START – RUN – key in %temp% - Edit – Select all – File – Delete
Empty the recycle bin
Boot and post a new log
 

JamesBone

Thread Starter
Joined
Feb 6, 2000
Messages
181
I've done that already, the deldomain that is

I booted up into Safe Mode in Windows. Then went into the WINDOWS directory and deleted that file. Then I ran AVG, and Adaware and Spybot, while in safe mode. I got rid of all the stuff. And I ran hijack this and cleaned it out. Only the bad ones that had to do with that one folder. I still get them when I boot up.

:edit: maybe it's because I forgot to delete the temp folder. Anyway, I had done the above mentioned stuff before except delete the temp. So I guess that's my conclusion.

Anyway, here is my log now
Logfile of HijackThis v1.99.0
Scan saved at 5:06:25 PM, on 2/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Software\APPLIC~1\AVG\avgamsvr.exe
C:\Software\APPLIC~1\AVG\avgupsvc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\devldr32.exe
C:\Documents and Settings\Dell\My Documents\My Downloads\hijackthis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\Software\APPLIC~1\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\Software\APPLIC~1\AVG\avgupsvc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
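
An added example, not part of the original posts: the two logs above can be compared mechanically to see what the cleanup removed, what persisted, and whether anything still points into C:\WINDOWS\isrvs. The function names are illustrative, and the sample logs are abridged from the two scans posted in this thread.

```python
import re
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")

def parse_log(text):
    """Split a HijackThis log into running-process paths and (code, detail) entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if line == "Running processes:":
            in_procs = True
        elif match:
            in_procs = False  # the first R/O entry ends the process list
            entries.append((match.group(1), match.group(2)))
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def compare(before_text, after_text, watch_dir):
    """Diff two logs and list anything in the later log that still points into watch_dir."""
    _, before = parse_log(before_text)
    procs, after = parse_log(after_text)
    needle = watch_dir.lower()
    return {
        "removed": [e for e in before if e not in after],
        "persisting": [e for e in after if e in before],
        "new": [e for e in after if e not in before],
        "in_watch_dir": [x for x in procs + [d for _, d in after] if needle in x.lower()],
    }

# Abridged from the two logs posted in this thread (1:58 PM and 5:06 PM scans).
BEFORE = r"""Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\isrvs\desktop.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O15 - Trusted Zone: *.windupdates.com
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
"""
AFTER = r"""Running processes:
C:\WINDOWS\Explorer.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""
```

Calling `compare(BEFORE, AFTER, r"C:\WINDOWS\isrvs")` returns the removed, persisting and new entries; a log saved after files reappear can be passed as the later log, and any entries that came back are listed under "new".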
 

JamesBone

Thread Starter
Joined
Feb 6, 2000
Messages
181
A problem I still see. Everything looks ok, but after a length of time, I still get the same spyware loaded on my system.

I left the computer on and came back in the room, and noticed that the same darn program was running again. Some porn thing called dddd.exe. And those darn folders are back.
 

JamesBone

Thread Starter
Joined
Feb 6, 2000
Messages
181
Yes, it is. The spacing is messed up on it. :p Sorry I edited it.

Yes, dddd.exe is the name. Various stuff keeps showing up.

I notice Iexplore is running in the background...um..no, it's not. But it says it is on the processes.
I get ad pop ups.
A file called kalvdfo32 keeps popping up in the system32 folder, no matter how many times I try to clean stuff out.
And last but not least, Elite Toolbar folder shows up in the Windows dir.

I think I got everything I noticed.

I thought I was clean, and I was doing some school work and after 30 minutes of typing away, dddd.exe popped up again.

Anyway, the above log is invalid now because after so many minutes, or an hour, I get stuff again. That's the log I'm aiming at, but it doesn't stay that way for long.
 

JamesBone

Thread Starter
Joined
Feb 6, 2000
Messages
181
I think I found it. It's Kalvsys virus? Possibly someone got it from looking at porn using IE? Well, I don't ever use IE, so I know who to blame for this now.

But there is so much information on this.

What's the direct way to get rid of this thing? I have read that someone was charged phone bills, I'm not sure if that has anything to do with it. But it was in the related topic I read.

Edit:
Ok, I got rid of the Kalv stuff. I deleted all the windows files, and the registry files. I still get a dddd.exe popping up. In fact, they sometimes get copied to the Windows directory. Mainly, every time I boot, I get this running, and it tries dialing something. These files get created in the Documents and Settings folder in the user folder, in my case "Dell".

4gfgfg.exe
commands.cfg
dddd.exe
dfe.exe
eree.exe
feee.exe
htt.exe
op.exe
sfee.exe

When those are made is when I get that extra network connection showing up too. So I'm not totally sure if I got rid of everything. I'm almost scared to open up IE to find out, knowing that that is what generates the kalv* files.
When I do a search for created files for today, (specifically 9:30am-11:00am) because that's when the kalv files were created, I can't get anything but hijack logs and such.

What is creating these above files? It's on a timely basis too it seems.

Any help would be greatly appreciated.
 

JamesBone

Thread Starter
Joined
Feb 6, 2000
Messages
181
Nothing is solved.

Easiest way here is to dump my computer, but I want to refrain from having to do that.

Suggestions?
 