TechSpot

IE PopUp windows...need help!

By Steve05
Apr 16, 2005
  1. I have made my system as clean as possible within Safe Mode, but though Ad-Aware etc. says there is nothing else there, I know there is.
    I am using Windows XP with Service Pack 1.

    I was searching in Google images when a whole lot of porn popped up and since then I have been getting new IE windows appearing with Mamma search and whichoption.com and spotresults.com search windows.

    My home page has not been overwritten and these windows open up as new rather than changing where I am. Here are my HJT results.

    Logfile of HijackThis v1.99.1
    Scan saved at 11:06:28, on 13/04/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\Donald Graham\Desktop\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.puh.ru/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.supanet.com/
    O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
    O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\Zoom\CnxDslTb.exe
    O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [Microsoft Update] iexplorer.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKCU\..\Run: [Microsoft Update] iexplorer.exe
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
    O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
    O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.49/output/100039/uk/dbgames/dbaccess.exe
    O16 - DPF: {4169B5A0-9048-11D6-BDFF-00C0F024AF20} (ActiveXTester.TesterControl) - http://www.jasons-toolbox.com/BrowserSecurity/ActiveXTester/ActiveXTester.ocx
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1721945d922bb9f1dd16/netzip/RdxIE601.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1101643890718
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\fpr8039ue.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     
  2. ricvai7

    ricvai7 TS Rookie Posts: 31

    With only HijackThis open, mark the following then click Fix Checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.puh.ru/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.supanet.com/
    O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
    O4 - HKLM\..\Run: [Microsoft Update] iexplorer.exe
    O4 - HKCU\..\Run: [Microsoft Update] iexplorer.exe
    O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
    O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.49/output/100039/uk/dbgames/dbaccess.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1721945d922bb9f1dd16/netzip/RdxIE601.cab
    O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\fpr8039ue.dll

    Reboot to Safe Mode and delete this file:
    C:\WINDOWS\system32\fpr8039ue.dll
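As an added illustration (not code from the thread, from HijackThis, or from ricvai7), the Python script below encodes the reading behind the entries ticked above: a Run value that is a bare filename one character away from a real Windows binary (iexplorer.exe against iexplore.exe / explorer.exe), a Winlogon Notify package whose DLL has a random-looking name, ProtocolDefaults that put http/https in the Trusted zone, and an O16 ActiveX download served from a raw IP or pointing straight at a .exe. The sample lines are copied from the log above; the severity labels, the list of imitated system binaries and the "letters-digits-letters" name heuristic are the editor's assumptions, not anything HijackThis itself computes.

```python
"""Triage heuristics for HijackThis v1.99 log lines (added example).

Not code from the thread or from HijackThis. Severity labels, the list
of imitated system binaries and the name heuristic are assumptions.
"""
import re
from urllib.parse import urlparse

# Windows binaries whose names malware commonly imitates (assumed list).
SYSTEM_BINARIES = sorted({
    "csrss.exe", "explorer.exe", "iexplore.exe", "lsass.exe", "rundll32.exe",
    "services.exe", "smss.exe", "svchost.exe", "userinit.exe", "winlogon.exe",
})

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.+)$")
O15_RE = re.compile(r"^O15 - ProtocolDefaults: '(\w+)' protocol is in (\w+) Zone")
O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \(([^)]*)\))? - (\S+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")

# Lines taken from the two logs Steve05 posted, plus benign ones for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Microsoft Update] iexplorer.exe
O4 - HKCU\..\Run: [Microsoft Update] iexplorer.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.49/output/100039/uk/dbgames/dbaccess.exe
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\fpr8039ue.dll
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\m8poli7318.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
"""


def levenshtein(a, b):
    """Edit distance, used to catch one-character lookalikes such as iexplorer.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def image_from_command(cmd):
    """First token of a Run value: a quoted path, or the text up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]


def check_o4(hive, label, cmd):
    image = image_from_command(cmd)
    if "\\" in image:
        return None  # full path given; nothing is resolved through the search path
    name = image.lower()
    if name in SYSTEM_BINARIES:
        return ("medium", f"bare system-binary name '{image}': first match on the search path runs")
    for known in SYSTEM_BINARIES:
        if levenshtein(name, known) == 1:
            return ("high", f"'{image}' is one edit from {known}, under the label '{label}' in {hive}")
    return ("low", f"bare filename '{image}' with no path; confirm where it lives")


def check_o15(protocol, zone):
    if zone.lower() == "trusted":
        return ("high", f"every '{protocol}' site inherits the Trusted zone's looser settings")
    return None


def check_o16(name, url):
    host = urlparse(url).hostname or ""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return ("high", f"ActiveX download served from raw IP {host}")
    if url.lower().endswith(".exe"):
        return ("high", "DPF entry points at a bare executable rather than a .cab package")
    return None


def check_o20(name, path):
    stem = path.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]
    if re.search(r"[a-z]\d+[a-z]", stem):  # digits sandwiched between letters
        return ("high", f"random-looking Notify DLL '{stem}' is loaded by winlogon.exe at every logon")
    return ("low", "third-party Winlogon Notify package; verify the DLL's publisher")


CHECKS = [(O4_RE, check_o4), (O15_RE, check_o15), (O16_RE, check_o16), (O20_RE, check_o20)]


def triage(log_text):
    """Return (severity, reason, line) for every handled line that trips a rule."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        for pattern, handler in CHECKS:
            m = pattern.match(line)
            if m:
                verdict = handler(*m.groups())
                if verdict:
                    findings.append((verdict[0], verdict[1], line))
                break
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {line}\n         -> {reason}")
```

Run against the sample it reports both iexplorer.exe Run values, the http ProtocolDefaults line, the dbaccess.exe download and both Winlogon Notify DLLs as high, flags VTTimer.exe only as "confirm where it lives", and says nothing about the Symantec or Diskeeper lines. Note what the rules leave alone: the supanet.com Start Page and the IDM BHO trip nothing here, and Steve05 later confirms supanet.com is his normal home page, so a scripted pass like this is a filter for what to look at, not a substitute for knowing the machine.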
     
  3. Steve05

    Steve05 TS Rookie Topic Starter Posts: 51

    Thanks for the quick reply....really appreciated it...:)

    I followed your instructions as far as I could. When I ran HJT again the following files were not there, so I could not delete them.

    O4 - HKLM\..\Run: [Microsoft Update] iexplorer.exe
    O4 - HKCU\..\Run: [Microsoft Update] iexplorer.exe
    O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\fpr8039ue.dll

    I deleted the others you posted but thought it not wise to look for C:\WINDOWS\system32\fpr8039ue.dll
    as it was not in the HJT results this time.

    I am still getting pop-up sex search and dating windows (wherever they came from!) and this is the latest HJT result.

    By the way, www.supanet.com is my normal home page.

    Logfile of HijackThis v1.99.1
    Scan saved at 09:54:36, on 15/04/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\userinit.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\Donald Graham\Desktop\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.puh.ru/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.supanet.com/
    O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
    O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\Zoom\CnxDslTb.exe
    O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Spy\Trojan Remover\Trjscan.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\gcasServ.exe"
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
    O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
    O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.49/output/100039/uk/dbgames/dbaccess.exe
    O16 - DPF: {4169B5A0-9048-11D6-BDFF-00C0F024AF20} (ActiveXTester.TesterControl) - http://www.jasons-toolbox.com/BrowserSecurity/ActiveXTester/ActiveXTester.ocx
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1721945d922bb9f1dd16/netzip/RdxIE601.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1101643890718
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O20 - Winlogon Notify: Run - C:\WINDOWS\system32\m8poli7318.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     
  4. Steve05

    Steve05 TS Rookie Topic Starter Posts: 51

    You will see from my last posting that the file
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.puh.ru/search.html
    is still there even after deleting it.

    Could it be that this file is renaming itself and is now
    O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\fpr8039ue.dll

    and after another reboot will become something else?

    I have looked and done a search for fpr8039ue.dll in system32 but cannot locate it.
     
  5. ricvai7

    ricvai7 TS Rookie Posts: 31

    Yes, there is another file - not yet identified - which is behind this.

    Go to this site! ... - the section on free online virus checker - and run RAV on your system. (I suggest you also run one or two of the others but, in any case, run RAV last.) Give us the complete log from RAV when finished.
     
  6. Steve05

    Steve05 TS Rookie Topic Starter Posts: 51

    Here is the RAV report. Could it be that the Trojan remover prog that I downloaded last week is the culprit?

    Scan started at 17/04/2005 14:09:28

    Scanning memory...
    Scanning boot sectors...
    Scanning files...
    C:\ied_s7.cab->ied_s7_c_7.exe - TrojanDownloader:Win32/Mediket.M -> Infected
    C:\eied_s7.cab->eied_s7_c_153.exe - TrojanDownloader:Win32/Mediket.U -> Infected
    C:\WINDOWS\system32\winguard.exe - Win32/HLLW.Forbot -> Infected
    C:\Documents and Settings\Donald Graham\Local Settings\Temp\sdexe.exe - TrojanDownloader:Win32/PurityScan.T -> Infected
    C:\Documents and Settings\Donald Graham\Application Data\mcem.exe - TrojanDownloader:Win32/PurityScan.T -> Infected
    C:\Documents and Settings\Donald Graham\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv420.jar-32d30b87-15b8846a.zip->Matrix.class - TrojanDownloader:Java/OpenStream.C -> Infected
    C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP5\A0000974.exe - TrojanDownloader:Win32/Agent.IL -> Infected
    C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP5\A0001001.dll - TrojanDownloader:Win32/IstBar.GD.dll -> Infected
    C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP6\A0001255.exe - TrojanDownloader:Win32/Agent.IL -> Infected
    C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP6\A0001258.exe - TrojanDownloader:Win32/Agent.IL -> Infected
    C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP6\A0001277.exe - TrojanDownloader:Win32/Agent.IL -> Infected
    C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP6\A0001304.exe - TrojanDownloader:Win32/Agent.IL -> Infected
    C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP7\A0001367.exe - TrojanDownloader:Win32/Agent.IL -> Infected
    C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP7\A0001521.exe - TrojanDownloader:Win32/Agent.IL -> Infected
    C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP7\A0001527.exe - TrojanDownloader:Win32/Agent.IL -> Infected
    C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP7\A0001529.exe - TrojanDownloader:Win32/Agent.IL -> Infected
    C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP8\A0001564.exe - TrojanDownloader:Win32/Agent.IL -> Infected
    C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP8\A0002581.exe - TrojanDownloader:Win32/Agent.IL -> Infected
    C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP8\A0002589.exe - TrojanDownloader:Win32/Agent.IL -> Infected
    C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP8\A0002604.exe - TrojanDownloader:Win32/Agent.IL -> Infected
    C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP9\A0002649.exe - TrojanClicker:Win32/Agent.BN -> Infected
    C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP9\A0002655.exe - TrojanDownloader:Win32/Agent.IL -> Infected
    C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP9\A0002722.exe - TrojanDownloader:Win32/Agent.IL -> Infected
    C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP9\A0002841.exe - TrojanDownloader:Win32/Agent.IL -> Infected
    C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP9\A0002850.exe - TrojanDownloader:Win32/Agent.IL -> Infected
    C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP9\A0002853.exe - TrojanDownloader:Win32/Agent.IL -> Infected
    C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP9\A0002863.exe - TrojanDownloader:Win32/Agent.IL -> Infected
    C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP9\A0002986.exe - TrojanDownloader:Win32/Agent.IL -> Infected
    C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP9\A0003056.exe - TrojanDownloader:Win32/Agent.IL -> Infected
    C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP9\A0003110.exe - TrojanDownloader:Win32/Agent.IL -> Infected
    C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP9\A0003118.exe - TrojanDownloader:Win32/Agent.IL -> Infected
    C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP41\A0015742.com - TrojanDownloader:Win32/Small.XA -> Infected
    C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP44\A0016209.com - TrojanDownloader:Win32/Small.XA -> Infected

    Scanned
    ============================
    Objects: 58584
    Directories: 3604
    Archives: 1265
    Size(Kb): 370414
    Infected files: 33

    Found
    ============================
    Viruses found: 9
    Suspicious files: 0
    Disinfected files: 0
    Mail files: 802
     
  7. ricvai7

    ricvai7 TS Rookie Posts: 31

    You've got bugs!

    For now, ignore all of the entries in C:\System Volume Information\ - these are System Restore contents. If you do a System Restore, you will return these viruses to your computer - so just don't do a System Restore in the meantime if you can help it! (Some people suggest emptying System Restore first. I agree with the great Mow Green that a leaky boat is better than no boat when you're adrift, and that you'd probably rather return temporarily to a virus-ridden state than lose your entire system, so keep these in place for now.) When we have finished all other repairs on the system, make a new System Restore point, then empty the old SR stores by running Disk Cleanup and, on the last tab, use the System Restore button to wipe out all but your most recent one.

    Stripping these items out for now, we are left with the following bad guy files:

    C:\ied_s7.cab->ied_s7_c_7.exe
    C:\eied_s7.cab->eied_s7_c_153.exe
    C:\WINDOWS\system32\winguard.exe
    C:\Documents and Settings\Donald Graham\Local Settings\Temp\sdexe.exe
    C:\Documents and Settings\Donald Graham\Application Data\mcem.exe
    C:\Documents and Settings\Donald Graham\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv420.jar-32d30b87-15b8846a.zip

    Boot to Safe Mode and delete all of these.
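Added example, not part of ricvai7's reply: a short Python parser for the RAV report format above that applies the rule just given, separating live detections to delete in Safe Mode from the copies inside System Volume Information that stay until a fresh restore point exists and the old ones are purged with Disk Cleanup. It also handles the archive-member notation the report uses (container->member), so the item to delete for C:\ied_s7.cab->ied_s7_c_7.exe is the .cab itself, and for the Java cache hit it is the .zip rather than Matrix.class, which is exactly how the list above is written. The embedded report is abridged to the six live hits and three of the restore-point entries; the parsing regexes are the editor's assumptions about the format.

```python
"""Split a RAV-style scan report into delete-now and leave-for-later lists.

Added example, not from the thread. The line format is inferred from the
report Steve05 posted; the regexes below are assumptions about it.
"""
import re
from collections import OrderedDict

# Abridged from the posted report: the six live detections and three of
# the 27 restore-point copies.
SAMPLE_REPORT = r"""
Scan started at 17/04/2005 14:09:28

Scanning memory...
Scanning boot sectors...
Scanning files...
C:\ied_s7.cab->ied_s7_c_7.exe - TrojanDownloader:Win32/Mediket.M -> Infected
C:\eied_s7.cab->eied_s7_c_153.exe - TrojanDownloader:Win32/Mediket.U -> Infected
C:\WINDOWS\system32\winguard.exe - Win32/HLLW.Forbot -> Infected
C:\Documents and Settings\Donald Graham\Local Settings\Temp\sdexe.exe - TrojanDownloader:Win32/PurityScan.T -> Infected
C:\Documents and Settings\Donald Graham\Application Data\mcem.exe - TrojanDownloader:Win32/PurityScan.T -> Infected
C:\Documents and Settings\Donald Graham\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv420.jar-32d30b87-15b8846a.zip->Matrix.class - TrojanDownloader:Java/OpenStream.C -> Infected
C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP5\A0000974.exe - TrojanDownloader:Win32/Agent.IL -> Infected
C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP9\A0002649.exe - TrojanClicker:Win32/Agent.BN -> Infected
C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP44\A0016209.com - TrojanDownloader:Win32/Small.XA -> Infected

Scanned
============================
Infected files: 33
"""

# "<path> - <detection name> -> Infected"; the detection name has no spaces.
LINE_RE = re.compile(r"^(?P<path>.+?) - (?P<detection>\S+) -> Infected$")
# Anything under <drive>:\System Volume Information\_restore... is a restore-point copy.
RESTORE_RE = re.compile(r"^[A-Za-z]:\\System Volume Information\\_restore", re.IGNORECASE)


def parse_report(text):
    """Return one dict per infected line: on-disk container, optional archive member, detection."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # scanner chatter and summary lines
        container, _, member = m.group("path").partition("->")
        findings.append({
            "container": container,          # the file that actually exists on disk
            "member": member or None,        # entry inside a .cab/.zip, if any
            "detection": m.group("detection"),
        })
    return findings


def plan(findings):
    """Split into (delete now, leave in System Restore for now), deduplicated, order kept."""
    delete_now, deferred = OrderedDict(), OrderedDict()
    for f in findings:
        bucket = deferred if RESTORE_RE.match(f["container"]) else delete_now
        bucket.setdefault(f["container"], []).append(f["detection"])
    return list(delete_now), list(deferred)


if __name__ == "__main__":
    now, later = plan(parse_report(SAMPLE_REPORT))
    print("Delete in Safe Mode:")
    for path in now:
        print("  " + path)
    print(f"Left in System Restore for now: {len(later)} file(s)")
```

The two lists are kept separate on purpose: the first is what to remove by hand, the second is only a count to check against the report's "Infected files" total, since those copies are dealt with wholesale through Disk Cleanup once a clean restore point has been made.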
  8. Steve05

    Steve05 TS Rookie Topic Starter Posts: 51

    Seems like the problem was solved...credit goes to you ricvai...thanks...:) I'd never imagined this site is so cool...it just takes less than 3 hours to solve the problem... awesome!

    After the reboot, I can surf the net without pop-ups at all...but another problem has occurred...when I removed the infected files using AV software, I spotted that one of the files had a .msc file extension. I know that file must be there for a reason, so I tried to run gpedit.msc to find out whether it's still running or not. Group Policy runs well but some features are gone...Local Computer Policy > User Configuration > under Administrative Templates I can only see one folder (Windows Components) and under Windows Components there's only one subkey (Windows Media Player)...
    It's supposed to have more than that, right? Correct me if I'm wrong....So what do you think, ricvai?
     
  9. ricvai7

    ricvai7 TS Rookie Posts: 31

    I'm glad to hear that...you did well Steve...:)

    I understand your problem with the .msc...and I expected this would happen. Here are some tips you can use to activate all the features in gpedit.msc again...

    First you need to find these files in your Windows folder, or you can also copy them from a friend's PC with the same version of Windows; look for them in C:\Windows\System32 (make sure that PC is okay):

    appmgmts.dll
    appmgr.dll
    fdeploy.dll
    gpedit.msc
    gpedit.dll
    gptext.dll
    fde.dll

    Copy those files and paste them into C:\Windows\System32 on your own PC.

    And then find the following files in C:\Windows (not sure exactly where they are):

    system.adm
    inetres.adm
    conf.adm

    Copy those files into C:\Windows\system32\GroupPolicy\Adm (create the directory if the folder doesn't exist; for your information it's a hidden folder, so make sure you have enabled viewing of all hidden files).

    And finally, type the following commands in a command window:

    regsvr32 gpedit.dll
    regsvr32 fde.dll
    regsvr32 gptext.dll
    regsvr32 appmgr.dll
    regsvr32 fdeploy.dll

    After the registration is done, restart your PC and the management console will be back to default. But this only works with XP Pro, since Home doesn't have MMC.

    But I think it can be done by using the steps above: create a new folder at c:\windows\system32\grouppolicy\adm and follow the rest of the steps to use gpedit.msc in XP Home.

    Good luck! :rolleyes:
     
  10. Steve05

    Steve05 TS Rookie Topic Starter Posts: 51

    Super thanks to you ricvai....gpedit.msc just ran perfectly after I attempted the steps. I should copy these tips for reference...
     
  11. x8ight4our5ivex

    x8ight4our5ivex TS Rookie

    I too am getting the sexsearch pop-ups. I have no idea how to get rid of them. They pop up at the most random times and have been with me for 3 months now. How do I go about getting rid of them?

    I would normally use "search" for other pop-ups I dealt with in the past, but I get no "sexsearch" results for these particular pop-ups.
     
  12. IronDuke

    IronDuke TS Rookie Posts: 856
