TechSpot

Annoying "security warning" pop ups

By jmo07
Oct 6, 2009
  1. If someone can please help it would be very much appreciated.
    Basically I keep getting "security warning" pop ups that say

    Current Site: http://ad.doubleclick.net (this varies to different current sites)
    res://ieframe.dll

    and also from time to time I get "script error" pop ups even after going to my internet options and making sure the box is NOT selected to notify me of script errors.

    The "security warning" pop ups seem to happen mostly when I'm opening, deleting, or doing anything with my yahoo e-mail messages. Also when I go to certain websites like www.espn.com, or other sites as well. It does not do it for every site I go to but it does pop up A LOT.

    I have run both McAfee as well as Webroot Spysweeper with Antivirus and nothing comes up.

    I've run CCleaner twice, then ran HijackThis, Malwarebytes' Anti-Malware, and SUPERAntiSpyware. I have included the logs from those 3 programs.

    Hope someone can help getting rid of those annoying pop ups.

    Thanks in advance.
     


  2. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    Update XP to Service Pack 3, and include any additional critical or hardware updates. You have some "suspicious" stuff in the HijackThis log, but let's do the Windows updates first.
     
  3. jmo07

    jmo07 TS Rookie Topic Starter Posts: 17

    Ok I've updated to Service Pack 3 and have installed critical updates. So far I'm still experiencing the same problem.
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    jmo07, you do have malware. If you still need help, please let me know. I see at least two different infections in these logs.
     
  5. jmo07

    jmo07 TS Rookie Topic Starter Posts: 17

    Hi Bobbye, thank you for all your help. Yes, I still need help. I've run McAfee, Webroot Spysweeper, Malwarebytes' Anti-Malware, and SUPERAntiSpyware Free Edition. The last couple of times I've run those programs everything came out clean, saying no infections found. What can I do to remove the malware that you found in the logs I provided?
     
  6. WinXPert

    WinXPert TS Guru Posts: 445

    My general rule in cleaning an infected PC is to perform a scan on a clean boot, not Safe Mode. If you can borrow a BartPE bootable from a friend and an updated copy of any portable virus scanner, do a full scan. If you no longer need your System Restore Points, delete them all. Also manually delete all temp files. If you have a hidden directory named RECYCLER, delete that too. Reboot and clean your registry; the program choice is up to you.
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

  8. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    I wonder if this is the same system.
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    If you look at the logs, you will understand that it is the same problem: when the first help was given in July, the thread was abandoned and the user now shows almost the identical entries. So not recurrence but rather 'same.'
     
  10. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    Maybe jmo07 just wants company... or post counts.
     
  11. jmo07

    jmo07 TS Rookie Topic Starter Posts: 17

    Hi Bobbye,
    It's the same problems as back in July. I first did the 3 step suggestions that were made, which was to run CCleaner followed by Malwarebytes' Anti-Malware, SUPERAntiSpyware Free Edition, and HijackThis. It seemed to remove a lot of stuff that McAfee and my antispyware system didn't find before. It worked better than before after running them, so I was ok with it being that my system was working better. The first few times I ran the programs recommended it seemed to find more and more stuff. So I figured, as long as I ran them a few more times I'd eventually get rid of everything. Well, to make a long story short, it did work much better. Was still getting pop ups but nowhere near as bad as it was at first. Now it seems like it's getting just as bad again. Only this time every time I run the programs recommended everything comes up clean.

    lol @ Tmagic. No, not looking for post counts but company... maybe, just the kind of company that could help with advice on how to get rid of these pop ups permanently. I do appreciate all the help you both (Bobbye and Tmagic) have provided so far.
     
  12. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    Your HijackThis log shows XP Service Pack 2. You are missing some critical Windows Updates including Service Pack 3 and most likely some critical and hardware updates too.
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    jmo07, getting the Windows updates isn't going to get rid of the malware. I believe this is a continuation of the problem in July and that although some functions might have improved, the infection was still on the system.

    Since the logs are now a week old, please update Malwarebytes and Superantispyware and attach new logs in your next reply. Then rescan with HijackThis and paste (Ctrl V) the log in your next reply.

    We will go from there, but only if you stick with it.
     
  14. jmo07

    jmo07 TS Rookie Topic Starter Posts: 17

    Hi Bobbye/Tmagic650,
    I'm attaching current logs that I ran today. Since the first reply I've updated and installed Service Pack 3 and have installed all critical updates as current as of today, Oct 14. Let me know if there is anything else I need to provide to see what I can do to fix the problem. Thanks for all the help.
     


  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thank you. Now let's see if we can find and remove all the malware:

    First, uninstall the My Web Search option from Add/Remove Programs

    • [1] Click on Start, Settings, Control Panel
      [2] Double click on Add/Remove Programs
      [3] Find "My Web Search" in the list of installed programs and click on Change/Remove to uninstall it. You may also want to uninstall any of the following items associated with FunWebProducts.
    • My Web Search (Smiley Central or FWP product as applicable)
    • My Way Speedbar (Smiley Central or other FWP as applicable)
    • My Way Speedbar (AOL and Yahoo Messengers) (beta users only)
    • My Way Speedbar (Outlook, Outlook Express, and IncrediMail)
    • Search Assistant - My Way
      [4] Reboot your Computer into Safe Mode:
      [5] Using Windows Explorer (right click on Taskbar> Explore)> open My Computer> Drive C> double-click on the Program Files folder
      [7] Right-click and delete the folders for:
    • FunWebProducts
    • MyWebSearch
      [8] MyWebSearch should now be completely uninstalled from your computer.

    I'll have you remove some orphan entries later.

    Remove 024 Desktop from HijackThis:

    • [1] Click on Start> Control Panel> Display> Desktop tab
      [2] Click on Customize Desktop> Web tab
      [3] Uncheck and delete everything you find in there (except for "My current home page")
      [4] Uncheck "Lock Desktop Items" box if it is checked
      [5] Apply> OK> Close.

    Question: Is Spysweeper just the anti-malware program or is it the version including antivirus? If yes, you need to remove either Spysweeper or McAfee. If no, no problem.

    But you do have left over Norton entries. Please run the following according to the instructions given:
    • Download the Norton Removal Tool HERE and save to the desktop.
    • Double-click the Norton Removal Tool icon.
    • Follow the on-screen instructions.
    • Your computer may be restarted more than once, and you may be asked to repeat some steps after the computer restarts.

    When you have finished the above:
    Download SDFix HERE and save it to your Desktop.
    • Double click SDFix.exe and it will extract the files to %systemdrive%
      (Drive that contains the Windows Directory, typically C:\SDFix)

      Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

      Run SDFix
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    • Attach Report.txt back here

    Please run an on-line virus scan at Kaspersky OnLine Scan (Please post the results of the scan(s) in your next reply)

    Follow with new scan from HJT. Paste the HJT log and attach report from SDFix and Kaspersky.
     
  16. jmo07

    jmo07 TS Rookie Topic Starter Posts: 17

    Hey Bobbye,
    I ran into a problem right from the beginning steps. I did not see "My Web Search" on my programs list. The only thing I found that I tried to delete was "Web Savings from Ebates".

    When I tried to delete it I got an error message that said the following:

    "WJ View Error"
    "Error: Could not execute Main:
    System cannot find the file specified"

    Should I continue forward with the next steps after the first 8 you mentioned or is this something I need to take care of first?
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Go ahead and run SDFix first. If it doesn't delete the entries, I'll have you do it manually. The error is due to the malware.
     
  18. jmo07

    jmo07 TS Rookie Topic Starter Posts: 17

    Hey Bobbye,
    I did what you asked me to do.
    I ran SDFix in Safe Mode. After it was done I tried going to Control Panel then Add/Remove Programs and I tried one more time to delete "Web Savings from Ebates". It gave me the same error message.

    SDFix found and deleted 2 trojans. I'm attaching a copy of the SDFix Report.

    I tried to run the on-line virus scan at Kaspersky OnLine Scan but was unable to. They posted the following message on their site: "The current Kaspersky Online Scanner is unavailable"
     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I should have caught this sooner, but missed it:
    It is suggested that only one antivirus program be run. You should decide which you want to keep and remove the others for the following reasons:
    • Multiple antivirus programs can cause conflicts that may leave the system more vulnerable.
    • Multiple antivirus programs can also slow down the system.

    Since both of the programs are paid programs, I will leave it up to you as to which one to uninstall. Here are tools that will help with the removal:

    First, disable this program; it can be temporary if you decide to keep this program, but any Real Time program can affect the scans:
    Spy Sweeper Shields
    • Right click on the SpySweeper icon in the system tray.
    • Click on 'Shields'
    • Choose the Windows System tab and uncheck Critical Shields, Memory Shield, and Spy Installation Shield.
    • Exit the program.
    • (Once you are clean, you can re-enable the Shields)

    Here are the removal tools: McAfee Removal

    Webroot Spysweeper is known to be difficult to uninstall, but try this first: Exit the program first:
    Start> All Programs> Spysweeper> double-click on "uninstall spysweeper"
    If you can't find that, use Windows Explorer:
    Right click on start> Explore> Local Drive> Programs, click on the + sign to expand Spysweeper> double-click on unins000.exe.

    If that still doesn't work and you want to remove it, let me know and I will give you the directions for the zipped uninstaller tool.

    Spysweeper is also known to clutter up the system with files it has found. If you look in the SDFix log, you will see dozens of tmp files just for 10/16.

    Here is another good online scanner:
    Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Then rescan with HJT. Paste a new log in your next reply.
    Attach the Nod32 AV scan results.
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Additional Post:

    You have some very old entries still showing up. Please check what they are for. If you no longer want/need/use them, right click> delete on each file:
    Fri 19 Apr 2002 4,348 ...H. --- "C:\Documents and Settings\Jesus\My Documents\My Music\License Backup\drmv1key.bak"
    Wed 25 Sep 2002 19,456 ...H. --- "C:\Documents and Settings\Jesus\Application Data\Microsoft\Word\~WRL3195.tmp"
    Wed 23 Apr 2003 21,504 ...H. --- "C:\Documents and Settings\Jesus\Application Data\Microsoft\Word\~WRL0041.tmp"
    Wed 23 Apr 2003 22,016 ...H. --- "C:\Documents and Settings\Jesus\Application Data\Microsoft\Word\~WRL3719.tmp"
    Sat 27 Jul 2002 23,552 ...H. --- "C:\Documents and Settings\Jesus\Application Data\Microsoft\Word\~WRL0004.tmp"
    Wed 23 Apr 2003 22,528 ...H. --- "C:\Documents and Settings\Jesus\Application Data\Microsoft\Word\~WRL3172.tmp"
    Mon 16 Feb 2004 212,992 A..H. --- "C:\Documents and Settings\Jesus\My Documents\My Music\License Backup\drmv2lic.bak"
    Thu 1 Jan 2004 400 ...H. --- "C:\Documents and Settings\Jesus\My Documents\My Music\License Backup\drmv2key.bak"

    Any time you have a document open, Word creates a temp copy of it; when you finish your document and close Word the temp files will disappear. To find the file do this:
    Open the search screen> Files and Folders> Tools> Folder Options> view tab> check 'show hidden files and folders'> Apply> OK.

    Make sure the search location is the Local (C usually) Drive. Search for each file. Deal with it- finish and close or delete.
    Go back and rehide the files and folders.
     
  21. jmo07

    jmo07 TS Rookie Topic Starter Posts: 17

    OK, I've deleted all the old entries you mentioned.
    I ran Eset NOD32 Online AntiVirus while I disabled McAfee.
    I'm including the log that it created.

    I shut down Webroot Spy Sweeper so it is no longer running in the computer.
    I'm thinking if I have to delete either McAfee or Webroot Spysweeper, I'll delete Webroot.
    Webroot Spysweeper was only an anti-malware program. If you wanted virus protection it had to be purchased separately. Webroot only recently, just over a month ago, included virus protection with the program. However I never turned the virus protection on since I have McAfee. The reason I kept Spy Sweeper is because it found and got rid of a lot of spyware that McAfee did not find and afterwards my computer ran better. However McAfee found more viruses than Webroot. Plus it also includes a firewall which Spy Sweeper doesn't. Since I shut down the program so it is no longer running, should I still delete it? If so what will happen with all the spyware that it found and put in its quarantine? I'm including a pic of just a few options that Spy Sweeper had so you can see.
     
  22. jmo07

    jmo07 TS Rookie Topic Starter Posts: 17

    Here is also my new HJT Log as requested:

    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\Yahoo!\browser\YBROWSER.EXE
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    C:\PROGRA~1\YAHOO!\browser\ycommon.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipViewer\fplaunch.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\YTSingleInstance.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [McENUI] "C:\PROGRA~1\McAfee\MHN\McENUI.exe" /hide
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSYYYYYYYYUS
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.mcafee.com
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Sally's Spa\Images\stg_drm.ocx
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/15d5f698ea12de536105/netzip/RdxIE601.cab
    O16 - DPF: {5F05A225-0F66-43DE-89E4-6FFD589C4F08} (OC web Installer) - http://www.xbang.com/contprov/dwnld/objectCubeInstall.cab
    O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://64.157.10.150/diallerfiles/013483.exe
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe (file missing)
    O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
    O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

    --
    End of file - 9399 bytes
     
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    jmo, thanks for clarifying the Spysweeper issue. You can keep it as an anti-malware program if you like. There is a part of it that runs in Real Time though, which is best temporarily disabled for the scans when cleaning. If you do decide to remove Spysweeper though, you should go in and delete whatever it has put in quarantine first.

    It appears that you might have Smiley Central installed.

    This program and other Fun Web programs bring MyWebSearch with them. This is described as Adware:
    • Adware or advertising-supported software is any software package which automatically plays, displays, or downloads advertisements to a computer after the software is installed on it or while the application is being used.
    • Some types of adware are also spyware and can be classified as privacy-invasive software.

    To remove My Web Search:

    • [1] Click on Start> Settings> Control Panel
      [2] Double click on Add/Remove Programs
      [3] Find "My Web Search" in the list of installed programs and click on Change/Remove to uninstall it. You may also want to uninstall any of the following items associated with FunWebProducts.
    • My Web Search (Smiley Central or FWP product as applicable)
    • My Way Speedbar (Smiley Central or other FWP as applicable)
    • My Way Speedbar (AOL and Yahoo Messengers) (beta users only)
    • My Way Speedbar (Outlook, Outlook Express, and IncrediMail)
    • Search Assistant - My Way

      [4] Reboot your Computer and run HijackThis

    With HijackThis, scan for and Check the following if present:
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZSYYYYYYYYUS

    Close all Windows except for HJT and click on "Fix Checked".

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    • [5] Using Windows Explorer> open My Computer> Drive C> and double-click on the Program Files folder.
      [6] Right-click and delete the folders for:
      • FunWebProducts
      • MyWebSearch
      MyWebSearch should now be uninstalled from your computer.

      You also have an entry with the potential for adware and spyware:
      O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://64.157.10.150/diallerfiles/013483.exe

      This is an Adult Content Dialer: a program that can secretly change your dialup connection setting so that instead of calling your local internet provider, your PC's calls are routed to an expensive 0900 or international phone number.

      If you were not aware that you had it or want to remove it, disable it this way:
      Open IE> Tools> Manage Add ons> Look for Dialer> click to highlight> Disable.

      When done, run SDFix to remove any remaining entries:

      Download SDFix HERE and save it to your Desktop.
      • Double click SDFix.exe and it will extract the files to %systemdrive%
        (Drive that contains the Windows Directory, typically C:\SDFix)

        Boot into Safe Mode
      • Restart your computer and start pressing the F8 key on your keyboard.
      • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

        Run SDFix
      • Open the extracted SDFix folder and double click RunThis.bat to start the script.
      • Type Y to begin the cleanup process.
      • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
      • Press any Key and it will restart the PC.
      • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
      • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      • Attach Report.txt back here

      Please rescan with HijackThis when finished and paste in new log.
      Attach the SDFix report.

      Hopefully we are coming to an end of the cleaning. Has there been any improvement in the original problems?
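As an added example (my own code, not from this thread or from the HijackThis tool), here is a small Python triage script that applies the review logic used in this thread to a handful of lines copied from the log above: it flags orphan entries ("(no file)" / "(file missing)"), O16/DPF downloads served from a bare IP address or pointing straight at an executable, and O8 context-menu items handled by a remote site. The function names `parse_entry`, `assess` and `triage` are my own.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample: a subset of lines copied from the HijackThis log posted above.
SAMPLE_LOG = """\
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSYYYYYYYYUS
O8 - Extra context menu item: &Yahoo! Search - file:///C:\\Program Files\\Yahoo!\\Common/ycsrch.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://64.157.10.150/diallerfiles/013483.exe
O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - c:\\program files\\common files\\logishrd\\lvmvfm\\LVPrcSrv.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\\PROGRA~1\\McAfee\\MSC\\mcmscsvc.exe
"""

# HJT entry lines look like "O16 - DPF: ... - <target>" or "R1 - HKCU\... = <value>".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+)\s+-\s+(?P<body>.*)$")


def parse_entry(line):
    """Split one HJT line into (section, description, target).

    The target is whatever follows the last ' - ' separator; HJT puts the
    file path, download URL or '(no file)' marker in that position.
    Returns None for header lines, process lists and anything else.
    """
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    if " - " in body:
        desc, target = body.rsplit(" - ", 1)
    else:
        desc, target = body, ""
    return m.group("section"), desc.strip(), target.strip()


def is_ip_literal(host):
    """True when the URL host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def assess(section, desc, target):
    """Return the list of reasons this entry deserves a second look (empty = fine)."""
    reasons = []
    low = target.lower()
    # Orphan entries: the registry still points at a file that no longer exists.
    if low == "(no file)" or low.endswith("(file missing)"):
        reasons.append("orphan entry: referenced file is gone")
        return reasons
    if low.startswith(("http://", "https://")):
        url = urlparse(target)
        host = url.hostname or ""
        if is_ip_literal(host):
            reasons.append("remote code fetched from a bare IP address")
        if url.path.lower().endswith(".exe"):
            reasons.append("points at an executable download")
        if section == "O8":
            reasons.append("context-menu item handled by a remote site")
    return reasons


def triage(log_text):
    """Walk a HijackThis log and collect (section, target, reasons) for flagged lines."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue
        section, desc, target = parsed
        reasons = assess(section, desc, target)
        if reasons:
            findings.append((section, target, reasons))
    return findings


if __name__ == "__main__":
    for section, target, reasons in triage(SAMPLE_LOG):
        print(f"{section}: {target}")
        for r in reasons:
            print(f"    - {r}")
```

Entries that are flagged are candidates for a look in Add/Remove Programs or for "Fix checked" in HJT, not automatic deletions; the Windows Genuine Advantage and Yahoo lines in the sample pass through untouched.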
     
  24. jmo07

    jmo07 TS Rookie Topic Starter Posts: 17

    Hi Bobbye,
    I have seen a HUGE improvement so far. I used to get the "security warning" every time I went into a new page of certain websites like espn, myspace, facebook, other websites as well but most commonly yahoo. Especially yahoo. EVERY TIME I would open my e-mail, deleted a message or went to either a previous or next message I would get that pop up each and every single time. Since your last instructions, for the past 2 days now I don't get them at all when I browse through my messages or I am in yahoo. When I go to the sites that used to give me problems, that pop up no longer comes up. I went from getting it almost every time to maybe only twice the whole day now. What I do get once or twice now is an "IE Script Error". I've gone to my internet options and made sure the box is unchecked to make sure I don't get those script errors but I still get it. It's not annoying because I get it only initially once or twice but then that's it.

    OK, so I've followed your most recent instructions. I'm surprised about that Smiley Central or that dialer that you mentioned because I never installed that. I remember I got an IM that had a smiley central thing and it prompted me to install Smiley Central a long time ago but I never went through with installing it.

    I got rid of the following with HJT: "O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZSYYYYYYYYUS"

    I was not able to find the following:
    O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://64.157.10.150/diallerfiles/013483.exe

    I went to disable it by doing the following:
    Open IE> Tools> Manage Add ons> Look for Dialer> click to highlight> Disable.

    It was not on my IE, Tools Add Ons. I'm attaching a picture of the add ons that I have so you can see. There was one add on, which is highlighted that I did not know what it was. Since I was not able to disable it can I delete it thru HJT instead?

    The one that I'm really stumped on is My Web Search. It's not on my add/remove programs list. I've gone through my Windows Explorer> open My Computer> Drive C> Program Files folder

    I deleted it a long time ago even before I started getting help from you so it's still not showing on my Program Files Folder.

    There are no Fun Web Products that I can find in either my Program Files folder or Add/Remove Programs, such as:

    My Web Search (Smiley Central or FWP product as applicable)
    My Way Speedbar (Smiley Central or other FWP as applicable)
    My Way Speedbar (AOL and Yahoo Messengers) (beta users only)
    My Way Speedbar (Outlook, Outlook Express, and IncrediMail)
    Search Assistant - My Way

    I believe you are right and we are almost done with the cleaning process. As I mentioned, I've gone from getting those pop-ups almost every time I clicked on a page, opened or deleted a new e-mail message to only getting it about twice or so a day.

    I'm also attaching the 2 new logs you requested (HJT and SDFix Report).

    I am really pleased with the improvements so far. I can't thank you enough. I've learned a lot of troubleshooting tips from you. My sister has been having problems with her laptop as well. The performance has slowed down, so I will be applying some of the troubleshooting tips I've learned so far to see if she has malware also.

    Let me know if all you need are those 2 new logs you requested or if I forgot something. I'm pasting the HJT report and attaching the SDFix Report.
     
  25. jmo07

    jmo07 TS Rookie Topic Starter Posts: 17

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:03:38 PM, on 10/19/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipViewer\fplaunch.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\YTSingleInstance.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [McENUI] "C:\PROGRA~1\McAfee\MHN\McENUI.exe" /hide
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.mcafee.com
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Sally's Spa\Images\stg_drm.ocx
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/15d5f698ea12de536105/netzip/RdxIE601.cab
    O16 - DPF: {5F05A225-0F66-43DE-89E4-6FFD589C4F08} (OC web Installer) - http://www.xbang.com/contprov/dwnld/objectCubeInstall.cab
    O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://64.157.10.150/diallerfiles/013483.exe
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe (file missing)
    O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
    O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

    --
    End of file - 9359 bytes
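Reading a HijackThis log by eye, as the helper in this thread does, comes down to a few structural tells: an O16 DPF (Downloaded Program Files, i.e. ActiveX controls IE fetched from the web) whose source is a bare IP address or a raw .exe rather than a signed .cab, entries whose registered file no longer exists ("(no file)" / "(file missing)"), and O23 services with no recorded publisher. The script below is an added example, not part of the thread and not a HijackThis feature, that applies those checks to a handful of lines copied from the log above; the heuristics are my own assumptions about what merits a second look and they produce review prompts, not verdicts (the WGA control and the McAfee service, for instance, pass, while a leftover "(no file)" toolbar stub is flagged only as an orphan).

```python
"""Triage helper for HijackThis logs: flags entries worth a second look.

Added example, not a HijackThis feature and not code from this thread. The
heuristics are assumptions about what deserves manual review, not verdicts.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional
from urllib.parse import urlparse

# Constructed sample: lines copied from the HijackThis log posted above, so
# the script runs offline without the full log file.
SAMPLE_LINES = [
    r"O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)",
    r"O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll",
    r"O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204",
    r"O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -",
    r"O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://64.157.10.150/diallerfiles/013483.exe",
    r"O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe (file missing)",
    r"O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe",
]

# HijackThis line shape: "<section> - <kind>: <rest>", e.g. "O16 - DPF: ...".
LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")


@dataclass
class Finding:
    code: str
    line: str
    reasons: List[str] = field(default_factory=list)


def _is_bare_ip(host: str) -> bool:
    """True when the URL host is a literal IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_line(line: str) -> Optional[Finding]:
    """Apply the review heuristics to one log line; None means nothing to flag."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # R-lines and unparsable lines are not examined here
    code, rest = m.group("code"), m.group("rest")
    reasons: List[str] = []

    # Any section: the registered target is gone from disk. Not malicious by
    # itself, but it is leftover registration that HijackThis can remove.
    if "(no file)" in rest or "(file missing)" in rest:
        reasons.append("registered target is missing from disk")

    # O16: the source URL is the last " - " separated field, if there is one.
    if code == "O16":
        parts = rest.split(" - ")
        source = parts[-1].strip() if len(parts) > 1 else ""
        if not source:
            reasons.append("DPF entry records no source URL")
        else:
            url = urlparse(source)
            if url.hostname and _is_bare_ip(url.hostname):
                reasons.append(f"control downloaded from a bare IP address ({url.hostname})")
            if url.path.lower().endswith(".exe"):
                reasons.append("control points directly at an .exe rather than a .cab/.ocx")

    # O23: HijackThis could not read a publisher from the service binary.
    if code == "O23" and "Unknown owner" in rest:
        reasons.append("service binary has no recorded publisher")

    return Finding(code, line.strip(), reasons) if reasons else None


def triage(lines: Iterable[str]) -> List[Finding]:
    """Return the flagged entries from an iterable of HijackThis log lines."""
    return [f for f in (check_line(l) for l in lines) if f is not None]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(f"{finding.code}: {finding.line}")
        for reason in finding.reasons:
            print(f"    - {reason}")
```

To run it over a real log, replace SAMPLE_LINES with `open("hijackthis.log").readlines()`; the dialler DPF line from the log above is the only entry that trips two of the O16 checks at once (bare IP host and a direct .exe), which is why it stands out from the Microsoft, Adobe and Real .cab downloads around it.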
     
Topic Status:
Not open for further replies.
