Virus / and adware

Ok so my bosses box had 3 trojans on it cleaned them off. and there was a copy of virtual bouncer and another of the extortionware spyware removers. I uninstalled them. cleaned the trojans and ran adaware and spybot search and destroy untill they came up with nothing left to fix 190 some odd problems in all. However he is still getting popups with out anywindows being opened.

here is the hijack this log.

Logfile of HijackThis v1.97.7
Scan saved at 9:42:12 AM, on 10/8/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\mnmsrvc.exe
c:\pavfn\platinum\Pavsrv50.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
c:\pavfn\platinum\AVENGINE.EXE
C:\WINNT\TIREMOTE\wuser32.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\kukuty.exe
C:\pavfn\platinum\APVXDWIN.EXE
C:\pavfn\Remupd.exe
C:\Program Files\SED\SED.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\macromed\flash\GetFlash.exe
A:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cig/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cig
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ScanInicio] c:\pavfn\platinum\inicio.exe
O4 - HKLM\..\Run: [APVXDWIN] c:\pavfn\platinum\APVXDWIN.EXE
O4 - HKLM\..\Run: [Agente] c:\pavfn\Remupd.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKLM\..\RunServices: [PandaScheduler] c:\pavfn\platinum\Pavsched.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://cig
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...7470.392662037
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://advancedmeetings.webex.com/c...ex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = colinsgrp.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{7CD604A9-FD81-4601-AA64-83AE59022770}: Domain = colinsgrp.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = colinsgrp.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = colinsgrp.com

This line looks weird: O14 - IERESET.INF: START_PAGE_URL=http://cig

Remove it and see.


Also, the popups could be occuring because the Messenger service is still enabled under Windows.

Kill these :
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cig/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cig
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab

These look worrisome as well:
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll

Very important: Run hijack in same mode to delete the above entries. Then delete the files referenced as well.

give a2 a go it has a different perspective. It turns up stuff that spybot and adware don't look for.