IE PopUp windows...need help!

Status
Not open for further replies.

Steve05

Posts: 51   +0
I have made my system as clean as possible within Safe Mode, but though Adaware etc. says there is nothing else there, I know there is.
I am using Windows XP with Service Pack 1.

I was searching in Google Images when a whole lot of porn popped up, and since then I have been getting new IE windows appearing with Mamma search, whichoption.com and spotresults.com search windows.

My home page has not been overwritten, and these windows open up as new rather than changing where I am. Here are my HJT results.

Logfile of HijackThis v1.99.1
Scan saved at 11:06:28, on 13/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Donald Graham\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.puh.ru/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.supanet.com/
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\Zoom\CnxDslTb.exe
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Microsoft Update] iexplorer.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Microsoft Update] iexplorer.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.49/output/100039/uk/dbgames/dbaccess.exe
O16 - DPF: {4169B5A0-9048-11D6-BDFF-00C0F024AF20} (ActiveXTester.TesterControl) - http://www.jasons-toolbox.com/BrowserSecurity/ActiveXTester/ActiveXTester.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1721945d922bb9f1dd16/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1101643890718
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\fpr8039ue.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
 
With only HijackThis open, mark the following then click Fix Checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.puh.ru/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.supanet.com/
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O4 - HKLM\..\Run: [Microsoft Update] iexplorer.exe
O4 - HKCU\..\Run: [Microsoft Update] iexplorer.exe
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.49/output/100039/uk/dbgames/dbaccess.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1721945d922bb9f1dd16/netzip/RdxIE601.cab
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\fpr8039ue.dll

Reboot to Safe Mode and delete this file:
C:\WINDOWS\system32\fpr8039ue.dll
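To make the reasoning behind that "Fix Checked" list repeatable, here is an added triage script (not part of the thread, and not a HijackThis feature) that runs a few defender-side heuristics over HijackThis lines: a start/search URL that is not the home page the user chose, an O4 Run value with no path or with a name that imitates a Windows binary, O15 protocol defaults in the Trusted Zone, O16 ActiveX downloads from a raw IP or a bare .exe, and an O20 Winlogon Notify DLL with a random-looking name in system32. The sample lines are copied from the log above; the trusted home-page host and the list of system binary names are assumptions.

```python
import difflib
import re
from urllib.parse import urlparse

# Constructed sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.puh.ru/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.supanet.com/
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Microsoft Update] iexplorer.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.49/output/100039/uk/dbgames/dbaccess.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\fpr8039ue.dll
"""

# Assumption: the home page the user confirmed as their own (supanet.com in this thread).
TRUSTED_HOME_HOSTS = {"www.supanet.com"}
# Assumption: core Windows binary names that malware commonly imitates (look-alike check).
SYSTEM_BINARIES = ["explorer.exe", "iexplore.exe", "svchost.exe", "winlogon.exe",
                   "lsass.exe", "services.exe", "rundll32.exe"]

ENTRY = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
URL = re.compile(r"https?://\S+")
RAW_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
O4_RUN = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


def reasons_for(line: str) -> list:
    """Return the triage reasons for one HijackThis line (empty list if nothing stands out)."""
    m = ENTRY.match(line.strip())
    if not m:
        return []
    sec, body = m.group("sec"), m.group("body")
    reasons = []
    if sec in ("R0", "R1"):
        for url in URL.findall(body):
            host = (urlparse(url).hostname or "").lower()
            if host not in TRUSTED_HOME_HOSTS:
                reasons.append(f"start/search page points at {host}, not a host the user chose")
    elif sec == "O4":
        mm = O4_RUN.search(body)
        if mm:
            cmd = mm.group("cmd").replace('"', "").strip()
            exe = cmd.split("\\")[-1].split()[0].lower() if cmd else ""
            if "\\" not in cmd:
                reasons.append("Run value has no path, so the binary that actually starts cannot be verified")
            near = difflib.get_close_matches(exe, SYSTEM_BINARIES, n=1, cutoff=0.9)
            if near and near[0] != exe:
                reasons.append(f"{exe} looks like a misspelling of {near[0]}")
    elif sec == "O15" and "Trusted Zone" in body:
        reasons.append("a whole protocol mapped to the Trusted Zone bypasses IE's Internet Zone restrictions")
    elif sec == "O16":
        for url in URL.findall(body):
            parsed = urlparse(url)
            if RAW_IP.match(parsed.hostname or ""):
                reasons.append("ActiveX download served from a raw IP address instead of a named host")
            if parsed.path.lower().endswith(".exe"):
                reasons.append("ActiveX DPF entry points at a bare .exe rather than a .cab/.ocx package")
    elif sec == "O20":
        dll = body.split("\\")[-1].lower()
        # Heuristic: digits in a system32 notify DLL name suggest a generated, not vendor, name.
        if re.search(r"\d", dll) and "system32" in body.lower():
            reasons.append("Winlogon Notify DLL with a random-looking name in system32; loads at every logon")
    return reasons


def triage(log_text: str) -> list:
    """Run reasons_for() over every line; return (section, line, reasons) for lines worth a look."""
    findings = []
    for line in log_text.strip().splitlines():
        reasons = reasons_for(line)
        if reasons:
            findings.append((line.split(" - ", 1)[0], line, reasons))
    return findings


if __name__ == "__main__":
    for sec, line, reasons in triage(SAMPLE_LOG):
        print(f"[{sec}] {line}")
        for r in reasons:
            print(f"      - {r}")
```

A hit from this script is a prompt to check the file, not a verdict: VTTimer.exe is flagged only because its Run value carries no path, which is exactly the check a human does before deciding it is a legitimate VIA utility.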
 
Thanks for the quick reply... really appreciated it... :)

I followed your instructions as far as I could. When I ran HJT again, the following files were not there, so I could not delete them.

O4 - HKLM\..\Run: [Microsoft Update] iexplorer.exe
O4 - HKCU\..\Run: [Microsoft Update] iexplorer.exe
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\fpr8039ue.dll

I deleted the others you posted, but thought it not wise to look for C:\WINDOWS\system32\fpr8039ue.dll as it was not in the HJT results this time.

I am still getting pop-up sex search and dating windows (wherever they came from!), and this is the latest HJT result.

By the way, www.supanet.com is my normal home page.

Logfile of HijackThis v1.99.1
Scan saved at 09:54:36, on 15/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Donald Graham\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.puh.ru/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.supanet.com/
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\Zoom\CnxDslTb.exe
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Spy\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\gcasServ.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.49/output/100039/uk/dbgames/dbaccess.exe
O16 - DPF: {4169B5A0-9048-11D6-BDFF-00C0F024AF20} (ActiveXTester.TesterControl) - http://www.jasons-toolbox.com/BrowserSecurity/ActiveXTester/ActiveXTester.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1721945d922bb9f1dd16/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1101643890718
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\m8poli7318.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
 
You will see from my last posting that the file
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.puh.ru/search.html
is still there even after deleting it.

Could it be that this file is renaming itself and is now
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\fpr8039ue.dll

and after another reboot will become something else?

I have looked and done a search for fpr8039ue.dll in system32 but cannot locate it.
 
Yes, there is another file - not yet identified - which is behind this.

Go to this site! ... - the section on free online virus checker - and run RAV on your system. (I suggest you also run one or two of the others but, in any case, run RAV last.) Give us the complete log from RAV when finished.
 
Here is the RAV report. Could it be that the Trojan remover prog that I downloaded last week is the culprit?

Scan started at 17/04/2005 14:09:28

Scanning memory...
Scanning boot sectors...
Scanning files...
C:\ied_s7.cab->ied_s7_c_7.exe - TrojanDownloader:Win32/Mediket.M -> Infected
C:\eied_s7.cab->eied_s7_c_153.exe - TrojanDownloader:Win32/Mediket.U -> Infected
C:\WINDOWS\system32\winguard.exe - Win32/HLLW.Forbot -> Infected
C:\Documents and Settings\Donald Graham\Local Settings\Temp\sdexe.exe - TrojanDownloader:Win32/PurityScan.T -> Infected
C:\Documents and Settings\Donald Graham\Application Data\mcem.exe - TrojanDownloader:Win32/PurityScan.T -> Infected
C:\Documents and Settings\Donald Graham\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv420.jar-32d30b87-15b8846a.zip->Matrix.class - TrojanDownloader:Java/OpenStream.C -> Infected
C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP5\A0000974.exe - TrojanDownloader:Win32/Agent.IL -> Infected
C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP5\A0001001.dll - TrojanDownloader:Win32/IstBar.GD.dll -> Infected
C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP6\A0001255.exe - TrojanDownloader:Win32/Agent.IL -> Infected
C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP6\A0001258.exe - TrojanDownloader:Win32/Agent.IL -> Infected
C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP6\A0001277.exe - TrojanDownloader:Win32/Agent.IL -> Infected
C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP6\A0001304.exe - TrojanDownloader:Win32/Agent.IL -> Infected
C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP7\A0001367.exe - TrojanDownloader:Win32/Agent.IL -> Infected
C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP7\A0001521.exe - TrojanDownloader:Win32/Agent.IL -> Infected
C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP7\A0001527.exe - TrojanDownloader:Win32/Agent.IL -> Infected
C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP7\A0001529.exe - TrojanDownloader:Win32/Agent.IL -> Infected
C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP8\A0001564.exe - TrojanDownloader:Win32/Agent.IL -> Infected
C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP8\A0002581.exe - TrojanDownloader:Win32/Agent.IL -> Infected
C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP8\A0002589.exe - TrojanDownloader:Win32/Agent.IL -> Infected
C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP8\A0002604.exe - TrojanDownloader:Win32/Agent.IL -> Infected
C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP9\A0002649.exe - TrojanClicker:Win32/Agent.BN -> Infected
C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP9\A0002655.exe - TrojanDownloader:Win32/Agent.IL -> Infected
C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP9\A0002722.exe - TrojanDownloader:Win32/Agent.IL -> Infected
C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP9\A0002841.exe - TrojanDownloader:Win32/Agent.IL -> Infected
C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP9\A0002850.exe - TrojanDownloader:Win32/Agent.IL -> Infected
C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP9\A0002853.exe - TrojanDownloader:Win32/Agent.IL -> Infected
C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP9\A0002863.exe - TrojanDownloader:Win32/Agent.IL -> Infected
C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP9\A0002986.exe - TrojanDownloader:Win32/Agent.IL -> Infected
C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP9\A0003056.exe - TrojanDownloader:Win32/Agent.IL -> Infected
C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP9\A0003110.exe - TrojanDownloader:Win32/Agent.IL -> Infected
C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP9\A0003118.exe - TrojanDownloader:Win32/Agent.IL -> Infected
C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP41\A0015742.com - TrojanDownloader:Win32/Small.XA -> Infected
C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP44\A0016209.com - TrojanDownloader:Win32/Small.XA -> Infected

Scanned
============================
Objects: 58584
Directories: 3604
Archives: 1265
Size(Kb): 370414
Infected files: 33

Found
============================
Viruses found: 9
Suspicious files: 0
Disinfected files: 0
Mail files: 802
 
You've got bugs!

For now, ignore all of the entries in C:\System Volume Information\ - these are System Restore contents. If you do a System Restore, you will return these viruses to your computer - so just don't do a System Restore in the meantime if you can help it! (Some people suggest emptying System Restore first. I agree with the great Mow Green that a leaky boat is better than no boat when you're adrift, and that you'd probably rather return temporarily to a virus-ridden state than lose your entire system, so keep these in place for now.) When we have finished all other repairs on the system, make a new System Restore point, then empty old SR stores by running Disk Cleanup and, on the last tab, use the System Restore button to wipe out all but your most recent one.

Stripping these items out for now, we are left with the following bad guy files:

C:\ied_s7.cab->ied_s7_c_7.exe
C:\eied_s7.cab->eied_s7_c_153.exe
C:\WINDOWS\system32\winguard.exe
C:\Documents and Settings\Donald Graham\Local Settings\Temp\sdexe.exe
C:\Documents and Settings\Donald Graham\Application Data\mcem.exe
C:\Documents and Settings\Donald Graham\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv420.jar-32d30b87-15b8846a.zip

Boot to Safe Mode and delete all of these.
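An added helper (not from the thread and not part of RAV) that applies the same split programmatically: it parses RAV's `path - detection -> Infected` lines, separates restore-point hits under System Volume Information from files that are live on disk, keeps the archive member notation (`cab->member`) intact so the live list reads like the one above, and cross-checks the number of hits against the report footer. The sample input is constructed from the report above: three restore-point entries stand in for the 27 in the full report, and the footer count is adjusted to match.

```python
import re
from collections import Counter

# Constructed sample input: an excerpt of the RAV report posted above. Three restore-point
# entries stand in for the 27 in the full report, and the footer count is adjusted to match.
SAMPLE_REPORT = r"""
Scan started at 17/04/2005 14:09:28

Scanning memory...
Scanning boot sectors...
Scanning files...
C:\ied_s7.cab->ied_s7_c_7.exe - TrojanDownloader:Win32/Mediket.M -> Infected
C:\eied_s7.cab->eied_s7_c_153.exe - TrojanDownloader:Win32/Mediket.U -> Infected
C:\WINDOWS\system32\winguard.exe - Win32/HLLW.Forbot -> Infected
C:\Documents and Settings\Donald Graham\Local Settings\Temp\sdexe.exe - TrojanDownloader:Win32/PurityScan.T -> Infected
C:\Documents and Settings\Donald Graham\Application Data\mcem.exe - TrojanDownloader:Win32/PurityScan.T -> Infected
C:\Documents and Settings\Donald Graham\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv420.jar-32d30b87-15b8846a.zip->Matrix.class - TrojanDownloader:Java/OpenStream.C -> Infected
C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP5\A0000974.exe - TrojanDownloader:Win32/Agent.IL -> Infected
C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP9\A0002649.exe - TrojanClicker:Win32/Agent.BN -> Infected
C:\System Volume Information\_restore{A5E505AC-2B92-4B55-B8D9-28F592263683}\RP41\A0015742.com - TrojanDownloader:Win32/Small.XA -> Infected

Scanned
============================
Objects: 58584
Infected files: 9
"""

HIT = re.compile(r"^(?P<path>.+?) - (?P<detection>\S+) -> Infected$")
FOOTER = re.compile(r"^Infected files:\s*(\d+)$")
RESTORE_MARKER = "\\system volume information\\"   # System Restore store lives here


def parse_report(text: str):
    """Return (hits, declared_count): one dict per infected object, plus the footer's total."""
    hits, declared = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HIT.match(line)
        if m:
            # "archive->member" means the detection is inside a cab/zip; keep both parts.
            container, _, member = m.group("path").partition("->")
            hits.append({
                "container": container,
                "member": member or None,
                "detection": m.group("detection"),
                "in_restore_point": RESTORE_MARKER in container.lower(),
            })
            continue
        f = FOOTER.match(line)
        if f:
            declared = int(f.group(1))
    return hits, declared


def summarize(text: str) -> dict:
    """Split hits into live files vs. restore-point copies and sanity-check the totals."""
    hits, declared = parse_report(text)
    live = [h for h in hits if not h["in_restore_point"]]
    return {
        "live": [h["container"] + (f"->{h['member']}" if h["member"] else "") for h in live],
        "restore_point_hits": len(hits) - len(live),
        "families": Counter(h["detection"] for h in hits),
        "count_matches_footer": declared == len(hits),
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORT)
    print("Live files to remove in Safe Mode:")
    for path in summary["live"]:
        print("  ", path)
    print("Restore-point copies (leave until the cleanup is finished):", summary["restore_point_hits"])
    print("Families seen:", dict(summary["families"]))
    print("Hit count agrees with footer:", summary["count_matches_footer"])
```

The footer cross-check is there because scanner reports get copied by hand into forum posts; a mismatch between the parsed hits and "Infected files:" is the quickest sign that lines were dropped in transit.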
 
Seems like the problem was solved... credit goes to you, ricvai... thanks... :) I'd never imagined this site was so cool... it took less than 3 hours to solve the problem... awesome!

After reboot, I can surf the net without pop-ups at all... but another problem has occurred... when I removed the infected files using AV software, I spotted that one of the files had a .msc file extension. I know that file must be there for a reason, so I tried to run gpedit.msc to find out whether it's still running or not. Group Policy is running well, but some features are gone... Local Computer Policy > User Configuration > under Administrative Templates I can only see one folder (Windows Component), and under the Windows Component key there's only one subkey (Windows Media Player)...
It's supposed to have more than that, right? Correct me if I'm wrong... So what do you think, ricvai?
 
I'm glad to hear that... you did well, Steve... :)

I understand your problem with msc... and I expected this would happen. Here are some tips you can use to activate all the features in gpedit.msc again...

First you need to find these files in your Windows folder, or you can also copy them from your friend's PC with the same version of Windows; look for these files in c:/Windows/System32/.......... (make sure the PC is okay)

appmgmts.dll
appmgr.dll
fdeploy.dll
gpedit.msc
gpedit.dll
gptext.dll
fde.dll

Copy those files and paste them on your own PC in c:\Windows\System32

And then find the following files in c:\Windows (not sure where they are)

system.adm
inetres.adm
conf.adm

Copy those files into C:\Windows\system32\GroupPolicy\Adm (create the directory if the folder doesn't exist; for your information, it's a hidden folder, so make sure you've changed the setting to show all hidden files)

And finally, type the following commands in a command window:

regsvr32 gpedit.dll
regsvr32 fde.dll
regsvr32 gptext.dll
regsvr32 appmgr.dll
regsvr32 fdeploy.dll

After the registering is done, restart your PC and the management console will be back to default. But this only works with XP Pro, since Home doesn't have MMC.

But I think it can be done by using the steps above: create a new folder at c:\windows\system32\grouppolicy\adm and follow the rest of the steps to use gpedit.msc in XP Home.

Good luck! :rolleyes:
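An added pre-flight check for the procedure above (my own, not from the thread or from Microsoft): given the Windows folder, it reports which of the listed System32 files and .adm templates are missing, searches the Windows tree for templates that still exist somewhere else, and produces the mkdir/copy/regsvr32 steps in the order the post gives them, registering only DLLs that are actually present. The file lists are the post's; the demo tree it builds is constructed, with fde.dll absent, no Adm folder and system.adm stranded under Windows\inf.

```python
import os
import tempfile

# File lists taken from the post above.
SYSTEM32_FILES = ["appmgmts.dll", "appmgr.dll", "fdeploy.dll", "gpedit.msc",
                  "gpedit.dll", "gptext.dll", "fde.dll"]
ADM_FILES = ["system.adm", "inetres.adm", "conf.adm"]
# DLLs the post registers with regsvr32, in the order it gives them.
REGSVR_ORDER = ["gpedit.dll", "fde.dll", "gptext.dll", "appmgr.dll", "fdeploy.dll"]


def find_file(root: str, name: str):
    """Case-insensitive search for `name` anywhere under `root`; first hit or None."""
    target = name.lower()
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower() == target:
                return os.path.join(dirpath, f)
    return None


def plan_repair(windows_dir: str) -> dict:
    """Report what gpedit.msc is missing and list the repair steps in the post's order."""
    system32 = os.path.join(windows_dir, "System32")
    adm_dir = os.path.join(system32, "GroupPolicy", "Adm")
    missing_system32 = [f for f in SYSTEM32_FILES
                        if not os.path.isfile(os.path.join(system32, f))]
    missing_adm = [f for f in ADM_FILES if not os.path.isfile(os.path.join(adm_dir, f))]
    # The post is unsure where the .adm templates live, so look for them under the Windows tree.
    adm_sources = {f: find_file(windows_dir, f) for f in missing_adm}

    steps = []
    if missing_adm and not os.path.isdir(adm_dir):
        steps.append(f'mkdir "{adm_dir}"')
    for f, src in adm_sources.items():
        if src:
            steps.append(f'copy "{src}" "{adm_dir}"')
    # Register only DLLs that are present; a missing one has to be copied in first.
    for dll in REGSVR_ORDER:
        if os.path.isfile(os.path.join(system32, dll)):
            steps.append(f"regsvr32 {dll}")
    return {"missing_system32": missing_system32, "missing_adm": missing_adm,
            "adm_sources": adm_sources, "steps": steps}


def build_demo_tree() -> str:
    """Constructed stand-in for a damaged Windows folder: fde.dll absent, no Adm folder,
    and system.adm stranded under Windows\\inf."""
    root = tempfile.mkdtemp(prefix="fake_windows_")
    system32 = os.path.join(root, "System32")
    os.makedirs(os.path.join(root, "inf"))
    os.makedirs(system32)
    for f in SYSTEM32_FILES:
        if f != "fde.dll":
            open(os.path.join(system32, f), "w").close()
    open(os.path.join(root, "inf", "system.adm"), "w").close()
    return root


if __name__ == "__main__":
    plan = plan_repair(build_demo_tree())
    print("missing in System32:", plan["missing_system32"])
    print("missing templates:", plan["missing_adm"], "found elsewhere:", plan["adm_sources"])
    print("\n".join(plan["steps"]))
```

On a real machine call `plan_repair(r"C:\Windows")` and run the printed steps from an elevated command window; anything left in `missing_system32` or mapped to `None` in `adm_sources` has to come from a clean PC with the same Windows version, as the post says.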
 
Super thanks to you, ricvai... gpedit.msc just runs perfectly after I attempted the steps. I should copy these tips for reference...
 
I too am getting the sexsearch pop-ups. I have no idea how to get rid of them. They pop up at the most random times and have been with me for 3 months now. How do I go about getting rid of them?

I would normally use "search" for other pop-ups I dealt with in the past, but I get no "sexsearch" results for these particular pop-ups.
 