Can't stop IE redirect/popups (worked through all suggested troubleshooting)

Discussion in 'Malware Help (A Specialist Will Reply)' started by tank29, Jun 13, 2005.

  1. tank29

    tank29 Private E-2

    Hello everyone! Thanks for this nice forum and all the great suggestions and files. I would still be at square one if it wasn't for this place! Now down to business!

    Symptoms:
    Periodically, IE will redirect a page to another site. The site is typically some medication website (I will post a partial address when it happens again; as I was typing this - TrustedPharmacy). Also, an IE window will popup randomly when not even using IE. This window is always green background with black text, talking about buying stocks. Additionally, there are various links added to IE's Favorites, despite repeated attempts to delete them. Finally, I get a windows pop-up titled "Windows Security Center" saying that it detects suspicious network activity. There are a pair of Yes/No buttons attached to this dialog.

    All of these problems occurred after surfing to a single site. It should be noted that initially, I had many more problems, ranging from toolbar addons, to homepage hijacking. These problems have been eliminated; only the above remain.

    Troubleshooting performed:
    I have run through all suggested troubleshooting listed on these forums. Any deviations are noted below.

    From the post "DO NOT POST UNTIL YOU HAVE READ THIS: How to: Spyware, Trojan And Virus Removal":

    Getting Started -
    Step 2. None of the listed services have been noted at any time subsequent to the attack.

    Scanning and Cleaning Steps -
    Step 1. Neither of the online scans worked when I attempted them. I don't know if it is an acceptable substitute, but I have run multiple Sym. AV Corp Ed. scans. The last scan came up clean (the scan before that contained Trojan.StartPage). Stinger ran successfully.

    All other steps in this post were completed successfully. Additionally, I have run BitDefender online scan and ADS SPY; I am running Windows XP SP1 and it is up-to-date.

    From the post "When all else fails - Generic Solution to HSA (Only the Best) & About:Blank hijack ":
    I ran through this completely and discovered no problems.

    I am at a loss as to what to try next. I have run HijackThis many times and nothing stands out to me.

    Finally, I am currently running Microsoft AntiSpyware and SpywareGuard, in addition to enabling Spybot's Immunize.

    I will post my latest HijackThis log momentarily. Thank you in advance for everyone's help! I really appreciate it!!
     
  2. tank29

    tank29 Private E-2

    HijackThis log
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In the future, please do not post HJT logs unless they are requested.

    I do not see any problems in your HJT log. Try the below:

    - download Nail/Bolder/Aurora Remover 0.3.1 Beta and save it to its own folder like c:\ABIremover
    - Now extract the abiremover.exe file from the ZIP file into the folder you created but do not run the EXE yet. We will run it later in safe mode.

    - Now reboot into safe mode and run the abiremover.exe but make sure you are physically disconnected from the internet (unplug your cable to be sure). Just click install, wait (explorer window will disappear)

    - When abiremover finishes just reboot into normal and continue with the below steps.


    Also download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program
    Let me know where things stand now.
     
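    The "Restore Original Hosts" step above undoes one common cause of the redirects described in this thread: entries added to the HOSTS file that pin real hostnames to an attacker's address. The script below is an added example, not part of the original thread and not HOSTER's code; it parses hosts-file text and flags the hijack pattern. The sample HOSTS content and the 203.0.113.x address are constructed for illustration. To audit a real XP machine, read %SystemRoot%\system32\drivers\etc\hosts and pass its contents to the functions.

```python
import ipaddress

# Constructed sample hosts file (not from the thread): the normal loopback
# line, two hijack-style entries that send real sites to one routable
# address, and two ad-blocking entries.  All names and addresses are made up.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.7     www.google.com
203.0.113.7     windowsupdate.microsoft.com
127.0.0.1       ad.doubleclick.net
0.0.0.0         tracker.example
"""

# Addresses that only block a name rather than redirect it.
LOOPBACK_OR_NULL = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments
    and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip = parts[0]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an address, skip the line
        for host in parts[1:]:
            yield ip, host.lower()


def suspicious_hosts_entries(text):
    """Return entries that pin a hostname to a routable address.

    Entries pointing at loopback or 0.0.0.0 are how HOSTS-based ad blockers
    work, so they are not flagged; a real site name mapped to some other
    address is the hijack pattern that 'Restore Original Hosts' removes."""
    flagged = []
    for ip, host in parse_hosts(text):
        if host == "localhost" or ip in LOOPBACK_OR_NULL:
            continue
        flagged.append((ip, host))
    return flagged


def redirect_targets(text):
    """Group flagged hostnames by the address they are sent to.  Many
    unrelated names on one address is the signature of a hijack."""
    by_ip = {}
    for ip, host in suspicious_hosts_entries(text):
        by_ip.setdefault(ip, []).append(host)
    return by_ip


if __name__ == "__main__":
    for ip, hosts in redirect_targets(SAMPLE_HOSTS).items():
        print(f"{ip} <- {', '.join(hosts)}")
```

    Restoring the default file (which on XP contains only the localhost line) is the fix; the audit is useful afterwards to confirm the entries do not come back, which would mean something still running is rewriting the file.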
  4. tank29

    tank29 Private E-2

    Thanks for the insanely prompt reply! Apologies for the log; I got carried away in my efforts to provide all the data I could.

    I have run those two programs as you wrote out. Is there anything specific I should do now?
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, tell me what your status is!
     
  6. tank29

    tank29 Private E-2

    My status is that nothing has happened so far, so I'll take that as a good sign. The problem is that the occurrences were fairly random in nature, so I'm not sure that nothing happening right now means things are fixed. Is there something I can do to check things out right now?
     
  7. tank29

    tank29 Private E-2

    Update:
    Just sitting here, the page I was browsing got redirected to some supposed search site for poker. Looking at the source of the page, it seems like all the links go to the same IP address.

    What other info can I give you to help out?
     
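    The observation above (every link on the landing page pointing at one raw IP address) is a quick way to recognise a redirect target without following any of its links. The script below is an added example and not something posted in this thread; it pulls the hrefs out of saved page source and reports whether a single literal IP address dominates. The sample HTML and the 203.0.113.9 address are constructed, not the page the poster saw.

```python
import ipaddress
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed stand-in for a redirect landing page (not the real one):
# three links and a banner all on one literal IP, plus a relative link and
# one ordinary hostname.
SAMPLE_PAGE = """<html><body>
<a href="http://203.0.113.9/search.php?q=poker">Poker</a>
<a href="http://203.0.113.9/search.php?q=casino">Casino</a>
<a href="http://203.0.113.9:8080/go?id=17">Bonus</a>
<a href="/local/page.html">Local</a>
<a href="https://www.example.org/help">Help</a>
<img src="http://203.0.113.9/img/banner.gif">
</body></html>"""


class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag; other tags are ignored."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])


def link_hosts(html):
    """Count link targets by hostname.  Relative links (no host) are
    counted under the key ''."""
    parser = LinkCollector()
    parser.feed(html)
    return Counter(urlsplit(href).hostname or "" for href in parser.links)


def is_literal_ip(host):
    """True if `host` is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dominant_ip_target(html, threshold=0.5):
    """Return the literal IP that more than `threshold` of the page's
    absolute links point at, or None if no single address dominates."""
    absolute = Counter({h: n for h, n in link_hosts(html).items() if h})
    total = sum(absolute.values())
    if total == 0:
        return None
    host, count = absolute.most_common(1)[0]
    if is_literal_ip(host) and count / total > threshold:
        return host
    return None


if __name__ == "__main__":
    print(link_hosts(SAMPLE_PAGE))
    print("dominant IP:", dominant_ip_target(SAMPLE_PAGE))
```

    Save the page with View Source rather than clicking through it; the address reported is what to look for in the HOSTS file, in proxy settings and in firewall logs.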
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you have all of your Windows Updates?

    Try this too:

    Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now download and install Spy Sweeper . Then do the one time free update and run a full system scan with SpySweeper. Fix what it finds and save the log. Post it when you come back.
     
  9. tank29

    tank29 Private E-2

    Ok, Windows Update is complete; 20 critical updates installed (I thought it was up to date... should I set it for automatic updating?).

    Spy Sweeper found about half a dozen things and those have been fixed. Attached is the log.
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    My personal preference is to not have any software (including Microsoft) do automatic updates. I like to choose what and when to install updates. So I know when things are changed and when something breaks you have a better idea of when and why. You have to just be good about doing the updates yourself. You could choose the form of update that just notifies you when they are available.

    How is everything working now?
     
  11. tank29

    tank29 Private E-2

    That's about how I feel. I think I'll just sign up for the notifications.

    Unfortunately (or fortunately), as soon as I opened an IE window, Spy Sweeper gave an alert that the Adware sexandpoker version 1 was trying to run. I, of course, denied the attempt. I believe that I should perform another sweep with Spy Sweeper. Is that what you recommend?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! Run it after booting in safe mode. And then reboot into normal mode and run it one more time.
     
  13. tank29

    tank29 Private E-2

    Running in safe mode and logging into the admin profile, I ran Spy Sweeper again, and it did find that adware; I then deleted it. The next test, not in safe mode, found nothing. Things seem to be going well so far!

    Question: Do you think it is worth it to subscribe to Spy Sweeper? I am pretty happy with it, seeing as how it found numerous items lots of other programs missed. Just wondering.

    Thanks for all the help! I truly appreciate it!
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    I have used SpySweeper since it first came out. I like it. It is not perfect (no tools are) and I still use other tools with it. Stick with the trial version until it is ready to expire and make sure you like it and that it causes you no problems. Some people have problems with it because it can be very system resource intensive (a price you pay for good protection).

    Now that you are clean, you need to check out the steps in the below thread (you'll see SpySweeper mentioned in there too):

    How to Protect yourself from malware!
     
  15. tank29

    tank29 Private E-2

    Hmm, it looks like my prognosis wasn't quite right. As soon as I started up IE, I got an alert that the adware was attempting to run again. I am going to run Spy Sweeper again in safe mode. I am running Win XP Pro and when I start safe mode there are two user IDs to log into, mine and administrator. This time I am going to run it on both logins, in safe mode, then start normally and run it again on the one login I get for normal booting.

    Sound good?
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sounds good. Also tell me exactly what SpySweeper is finding.

    And when you say
    It would be much more useful if you told me exactly what was trying to run. And where the file is located. Always give exact messages received.


    Also have HJT fix the below line:

    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
     
  17. tank29

    tank29 Private E-2

    Ok, it finally happened again, so I can tell you what is going on.
    When I brought up IE for the first time since boot up, it loaded majorgeeks.com but then Spy Sweeper poped up and showed the following warning:
    Spy Installation Shield: warning sexandpoker is trying to run on your system (paraphrase because the popup window went away when I started typing here). Do you wish to allow it?

    Once I click on deny, in the Spy Sweeper log area at the bottom there is a line that reads:
    "Spy Installation Shield: found: Adware: sexandpoker, version 1 -- Execution Denied"

    I will run the scan and post where and what file it finds with the adware.
     
  18. tank29

    tank29 Private E-2

    Ok, just ran the sweep and it found two things, one cookie and the adware. The cookie is a new one that hasn't shown up previously.

    Adjuggler cookie - c:\documents and settings\mylogin\cookies\mylogin@rotator.adjuggler[1].txt

    Adware (sexandpoker) - c:\windows\system32\cisvcc.exe

    I'll keep them in quarantine in case you have more questions.
     
  19. tank29

    tank29 Private E-2

    Just had another "Windows Security Center" popup. Surfing real quick, it seems like this is a WinXP SP2 only feature. Is this correct? I have a screen shot if that will help.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As far as I know, c:\windows\system32\cisvcc.exe is not a valid Windows file.

    Reboot into safe mode and just to make sure we do not mess up anything you need, rename the cisvcc.exe file to cisvcc.xxx

    Also look in the system32 folder for any other files with similar dates to that file. (sort the folder by date).
     
  21. tank29

    tank29 Private E-2

    Ok, here's the current status:
    I just started up my computer again, and got the familiar popup about SS finding the adware sexandpoker. I did a sweep (not in safe mode) and it again found the file C:\Windows\system32\cisvcc.exe. I had this quarantined and exited. I then performed a search for the file, to see if I could find it. I couldn't, so I removed it from quarantine and tried again, without success. I then rebooted in safe mode and tried the search again, without any luck. I ran SS in safe mode and it found the file again in the same place.

    I have my folder options set to show hidden files and system files (both of those boxes are unchecked). I'm not sure how to find it. An interesting note is that on reboot I don't get an alert that SS finds the adware again, so it seems that the file is created on powerup, not reboot. I currently have 2 copies of the file in SS's quarantine, so whatever is creating it is creating the same file.

    What next? :)
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    File searching is not related to the options to display hidden files and folders. You must setup file search to properly search and find these kinds of files too.

    If you use Search, you need to do the following:
    Click Search and the Select "All files and folders"
    Enter the filename in the "All or part of the file name:" box, so enter cisvcc.exe
    Now select "More advanced options"
    Make sure the following check boxes are checked:
    - Search system folders
    - Search hidden files and folders
    - Search subfolders
    Then click the Search button.


    In my last message I requested that you do the below. You did not reply to this:

     
  23. tank29

    tank29 Private E-2

    Apologies for the unclear description earlier. I had already performed the search as you said, and it came up blank. The same scenario just occurred again (on powerup and first start of IE, SS blocked the adware from running). I ran the search twice with no luck. That's why I couldn't post info about the date and similar files, because I can't find the file. Any suggestions?

    A strange thing happened when I tried to submit this post, it appeared that something was trying to redirect IE to something called googlesyndication and then some IP address. Not sure if this is related or not.

    [edit] PS - I had a typo earlier, the filename was cisvvc.exe.
     
  24. tank29

    tank29 Private E-2

    An update on those Windows Security Center popups:
    They annunciate as a critical alert, and break out of programs already running. Just cause I was annoyed, I clicked on "Yes" and ZoneAlarm pops up an alert saying that "rsdndin.exe is trying to access 'http://cyber-spyware.com/detected...'". I tried searching my hard drives for that program and couldn't find it.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Boot into safe mode and look for the below files and if found delete them. Let me know what you find:

    C:\WINDOWS\Noble Poker setup.exe
    C:\WINDOWS\SYSTEM32\cisvvc.exe
    C:\WINDOWS\SYSTEM32\rdsndin.exe


    Now reboot into normal mode and do not run any other scans and do not fix anything that may pop up. Do the following. Download pfind

    Extract the files from the Pfind.zip file to a folder of its own, like c:\Pfind
    Open the folder and run pfind.bat
    It should produce a log file named C:\pfind.txt

    Post the log C:\pfind.txt here as an attachment!
     
  26. tank29

    tank29 Private E-2

    Ok, here's what happened:
    Nothing found on any of those files. I looked manually and I searched for those filenames and variants.

    I don't think Plist found anything, but when I rebooted into normal mode, no alerts were annunciated. The cisvvc.exe problem seems to only occur on powerup not reboot. The rdsndin.exe problem seems to be random. (Just my impression of the rdsndin.exe; haven't found a pattern yet)

    Should I run this whole procedure again after a powerdown, then powerup? I'm pretty sure that cisvvc.exe will rear its ugly head again if I do that.
     


  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well that did not find anything. Did pfind.bat run okay without giving any error messages?

    Yes, run after power down and power up. Also run the below:

    1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, doubleClick Find-Qoologic.bat to run the tool. It should produce a log. Please attach this log to your next post!

    2 - Please EXTRACT all the files form RKFiles Tool to its own folder - C:\Program Files\RKTOOL. Then, please boot to SAFE MODE and doubleClick rkfiles.bat to run the tool. Allow it sufficient time to run and when it finishes, it will create a log file named C:\Log.txt Please attach that log.
     
  28. tank29

    tank29 Private E-2

    Latest update:
    I ran Pfind again after powerup; the file is attached. FYI, the batch file has never had any problems running, but this is the first time I ran it from the C:\ drive; it was previously on another physical HDD.

    I have downloaded the other two files as you requested and those logs are attached.

    Last tid-bit: My Symantec AV has announced that it caught a virus in its real-time scans 3 times in the past 24 hours. On all occasions it quarantined the file and I deleted the file from quarantine. The file it found was: Trojan.Adclicker in C:\Windows\help\SPAlert.chm. Haven't figured out a pattern for that one, but it is always the realtime scan getting it.

    What's next boss?

    PS These two files are the Pfind and Qoologic files.
     


  29. tank29

    tank29 Private E-2

    RKTOOL log.
     

  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well all I can conclude is that you do not have hidden & system files enabled and that you are not searching properly either, because the file clearly shows in those logs as:

    C:\WINDOWS\System32\CISVVC.EXE

    Make sure you have the below options set properly:
    Right Click Start.
    Select Explorer.
    Select the Tools menu and click Folder Options.
    Select the View Tab.
    Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide extensions for known file types option.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Apply.
    Click OK.

    Then please locate the below two files using Windows Explorer and then right click on them (one at a time) and select rename. Rename as indicated:

    C:\WINDOWS\System32\CISVVC.EXE rename it to CISVVC.xxx
    C:\WINDOWS\system32\ntfsnlpa.exe rename it to ntfsnlpa.xxx

    then reboot and make sure they do not come back as .exe files again. Let me know the results.
     
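    The two procedures above (post 22's search settings and post 30's folder options, rename and "sort system32 by date" check) all depend on Explorer and Search being configured to show hidden and system files. A plain directory walk from a script does not go through those settings, so it is a useful cross-check when a scanner reports a path that Search cannot find. The script below is an added example, not part of the thread and not from any of the tools named in it: it locates a file by name regardless of case, lists neighbouring files with a similar modification time, and renames the suspect to .xxx as the thread advises. It builds a throw-away directory tree as a stand-in for C:\WINDOWS\System32 with constructed file names and timestamps; to use it on a real XP machine, call the functions on r"C:\WINDOWS\System32" instead. One caveat a practitioner would add: if a file a scanner reports still does not appear to os.walk or to dir from a command prompt, it is being hidden from the file system API itself and a rootkit-oriented scanner is the next step, not another search.

```python
import os
import tempfile
import time
from pathlib import Path


def find_files_named(root, name):
    """Case-insensitive search for `name` under `root`.  os.walk does not
    consult Explorer's 'hide protected operating system files' setting,
    so hidden and system files are listed like any other."""
    wanted = name.lower()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.lower() == wanted:
                hits.append(os.path.join(dirpath, f))
    return hits


def files_modified_near(directory, reference, hours=24):
    """Names of files in `directory` whose mtime is within `hours` of the
    reference file's mtime, oldest first: the 'sort the folder by date'
    check, done without the GUI."""
    ref = os.path.getmtime(reference)
    window = hours * 3600
    out = []
    for entry in os.scandir(directory):
        if entry.is_file():
            mtime = entry.stat().st_mtime
            if abs(mtime - ref) <= window:
                out.append((mtime, entry.name))
    return [name for _, name in sorted(out)]


def neutralise(path, new_ext=".xxx"):
    """Rename a suspect executable instead of deleting it (so it can be
    restored if it turns out to be needed) and return the new path."""
    new_path = os.path.splitext(path)[0] + new_ext
    os.rename(path, new_path)
    return new_path


def build_sample_tree():
    """Constructed stand-in for C:\\WINDOWS\\System32 (not real data):
    two freshly written suspect files and one old, legitimate-looking DLL.
    File names are taken from the thread; timestamps are invented."""
    root = tempfile.mkdtemp()
    sys32 = Path(root, "WINDOWS", "System32")
    sys32.mkdir(parents=True)
    now = time.time()
    ages_in_hours = (("CISVVC.EXE", 1), ("ntfsnlpa.exe", 2), ("kernel32.dll", 24 * 400))
    for name, age in ages_in_hours:
        p = sys32 / name
        p.write_bytes(b"MZ")  # placeholder content, not an executable
        stamp = now - age * 3600
        os.utime(p, (stamp, stamp))
    return root


def demo():
    """Run the three checks against the sample tree and report results."""
    root = build_sample_tree()
    hits = find_files_named(root, "cisvvc.exe")
    sys32 = os.path.dirname(hits[0])
    nearby = files_modified_near(sys32, hits[0])
    renamed = neutralise(hits[0])
    return {
        "hits": [os.path.basename(h) for h in hits],
        "nearby": nearby,
        "renamed": os.path.basename(renamed),
        "still_exe": find_files_named(root, "cisvvc.exe"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    After the rename, reboot and run find_files_named again for the .exe name; if it is back, something that runs at startup is re-creating it, which is the situation the later posts in this thread are chasing.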
  31. tank29

    tank29 Private E-2

    Ok, I double-checked the view options and they are/were set up per your directions. I again could not find the file cisvvc.exe in the C:\Windows\system32 folder, but I did find the ntfsnpla.exe file and renamed it with the .xxx extension. Before repowering/rebooting I ran a Spy Sweeper scan and it found the cisvvc.exe adware, which I quarantined and deleted.

    I have repowered & rebooted and the ntfsnpla.exe file has not reappeared. So far, I also have not gotten any messages about the cisvvc.exe file trying to run.

    So now do I just wait and see?
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This does not make any sense. If SpySweeper can find it then you should be able to find it too.

    Let me know if it comes back. If it does, I am going to request that you uninstall SpySweeper and leave it uninstalled until we resolve this because it may be causing problems for our attempts at fixing this.
     
  33. tank29

    tank29 Private E-2

    On startup today, Spy Sweeper popped up another alert for cisvvc.exe. I've attached a screen shot, so maybe you can see something that I've missed in the setup.

    What should I do next?
     


  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please uninstall SpySweeper and then reboot and look for the file again.

    Note: I find it better to set Windows Explorer's view mode to Details. You can see more files at once this way and you get file Details too!
     
  35. tank29

    tank29 Private E-2

    I uninstalled Spy Sweeper, but I can't find the file.
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Give it a day or two with a few reboots and keep on looking for it. If it does not show up, try reinstalling SpySweeper and let's see what happens.
     
