BullGuard Antivirus Forum > Virus Removal > Removal Help
Excessive IE pop-ups... specific malware uncertain
Qbert (New Member, joined Jun 2007, 6 posts) - Posted 7/10/2007 9:50 PM (GMT +3)
Hi Touch,
 
I've recently been experiencing excessive pop-ups on IE.  I followed several of the instructions you suggested to another poster (Jony) minus the specific file deletions, and the pop-ups stopped, only to return the next day.  I would really appreciate your help on this one.  Thanks in advance.
 
My logs:
 
Logfile of HijackThis v1.99.1
Scan saved at 11:57:44 AM, on 7/10/2007
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\hidserv.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\tp4mon.exe
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\AEIWLSTA.EXE
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Aladdin Systems\Internet Cleanup\NetBlockadeMonitor.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\BullGuard Software\BullGuard 5.0\bullguard.exe
C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\PROGRA~1\SSTEM~1\alg.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\Documents and Settings\a\Local Settings\Temporary Internet Files\Content.IE5\SD2FO1QZ\alternativ[1].exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ICHlprObj Class - {1f0c8547-2639-4c91-b8aa-c7eca24c3163} - C:\PROGRA~1\ALADDI~1\INTERN~1\ic3hlpr.dll
O2 - BHO: PopupFilter Class - {1F2E844B-8211-46ff-8262-772F03295CF4} - C:\PROGRA~1\ALADDI~1\INTERN~1\PopFiltr.dll
O2 - BHO: (no name) - {476E39F8-A760-84CC-1A67-838DBE2785C8} - C:\WINDOWS\System32\qge.dll
O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll (file missing)
O2 - BHO: (no name) - {F7A8F969-83E3-4503-8879-C01706D47990} - C:\WINDOWS\System32\xxwwt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AEIWLSTA.EXE] AEIWLSTA.EXE START
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310F3D1DC7E4638E8323A15806F97BDE4417E70CE7C0726B954E2C2832213329D26033AAC
O4 - HKLM\..\Run: [WinFSG] "C:\Program Files\Aladdin Systems\Internet Cleanup\MSFG.exe"
O4 - HKLM\..\Run: [NBMonitor] "C:\Program Files\Aladdin Systems\Internet Cleanup\NetBlockadeMonitor.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [BullGuard 5.0] "C:\Program Files\BullGuard Software\BullGuard 5.0\bullguard.exe" -boot
O4 - HKCU\..\Run: [InstantTray] C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc
O4 - HKCU\..\Run: [Updn] "C:\PROGRA~1\SSTEM~1\alg.exe" -vt yazb
O4 - HKCU\..\Run: [Yrti] "C:\Documents and Settings\a\Application Data\s?stem32\n?pdb.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesus.dll
O9 - Extra button: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: xxwwt - C:\WINDOWS\System32\xxwwt.dll (file missing)
O20 - Winlogon Notify: xxyyaaa - xxyyaaa.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\uakufle.exe (file missing)
 
 
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
 + Created at: 12:21:41 PM 7/9/2007
 + Scan result: 
 
C:\WINDOWS\SYSTEM32\pnenttn.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\WINDOWS\offun.exe -> Adware.Bagon : Cleaned with backup (quarantined).
C:\WINDOWS\cfg32.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\cfg32a.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\cfg32o.dll -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\cfg32r.dll -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\cfg32s.dll -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\stub_mma2.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
[1432] C:\WINDOWS\cfg32.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
[1780] C:\WINDOWS\cfg32a.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
HKU\S-1-5-21-1237143924-1241131794-556406494-1001\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned with backup (quarantined).
C:\Program Files\Web Buying\v1.7.4\webbuying.exe -> Adware.Small : Cleaned with backup (quarantined).
C:\Program Files\CHAT\qucopat83122.dll -> Adware.TTC : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\F2\mwspasrt83122.exe -> Adware.TTC : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\vtusssq.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
[1112] C:\WINDOWS\System32\xxwwt.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
[176] C:\WINDOWS\System32\xxwwt.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\retadpu.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\WINDOWS\retadpu1000106.exe.tmp -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\Program Files\poolsv\svhost.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\F3\626wr.exe -> Downloader.Small.eqn : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\abvbfrxp.exe -> Downloader.Tiny.id : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\enakknqh.exe -> Downloader.Tiny.id : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\jjivvsag.exe -> Downloader.Tiny.id : Cleaned with backup (quarantined).
C:\Program Files\poolsv\k11u72.exe -> Downloader.VB.awj : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\o09PrEz\o09PrEz1099.exe -> Downloader.VB.awj : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\F4\wen2.exe -> Dropper.Agent.bfr : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\F1\bk53.exe -> Dropper.Agent.mu : Cleaned with backup (quarantined).
C:\Program Files\poolsv\WinAntiSpyware2007FreeInstall.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\Documents and Settings\a\Cookies\a@casalemedia[3].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\WINDOWS\SYSTEM32\cemvdgrx.exe -> Trojan.Agent.anr : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\wctdxieq.exe -> Trojan.Agent.aoy : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\wnscpsv32.exe -> Trojan.Small : Cleaned with backup (quarantined).

::Report end
 
 
********************************* ROOTCHK-(08-07-07)-LOG, by ejvindh
Mon 07/09/2007 12:30:54.33
Driver Core (visible) is present. Run COMBOFIX by sUBs or SDFIX by AndyManchesta.
Driver nm (visible) is present. Run COMBOFIX by sUBs.
********************************* ROOTCHK-LOG-end

catchme 0.3.914 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-09 12:30:54
Windows 5.0.2195 Service Pack 3
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
hidden processes: 0
hidden services: 0
hidden files: 0
 
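As an added example (not part of this thread and not code from HijackThis), a Python triage script over the HijackThis log format posted above: it parses the running-process list and the Rxx/Oxx entries and flags the patterns a removal helper reads first in a log like this one, such as load points marked "(file missing)", helpers and buttons registered with "(no name)", an autorun whose path contains '?' and services listed with "Unknown owner". The sample log embedded in the script is a trimmed excerpt of the first HijackThis log in this thread; the heuristics, the `Finding` class and the function names are this example's own, not a signature database.

```python
"""Triage a HijackThis v1.99-style log for the entries a removal helper reads first.

Added example: not part of the forum thread and not code from HijackThis.
The heuristics, function names and the Finding class are this example's own;
they encode the patterns visible in the thread's logs, not a signature database.
"""
import re
from dataclasses import dataclass

# Trimmed excerpt of the first HijackThis log posted in the thread (sample input).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\a\Local Settings\Temporary Internet Files\Content.IE5\SD2FO1QZ\alternativ[1].exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {476E39F8-A760-84CC-1A67-838DBE2785C8} - C:\WINDOWS\System32\qge.dll
O2 - BHO: (no name) - {F7A8F969-83E3-4503-8879-C01706D47990} - C:\WINDOWS\System32\xxwwt.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yrti] "C:\Documents and Settings\a\Application Data\s?stem32\n?pdb.exe"
O20 - Winlogon Notify: xxyyaaa - xxyyaaa.dll (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
"""

# Every HijackThis entry line starts with a section code (R0..R3, O1..O23) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    section: str   # HijackThis section code, or "proc" for a running-process line
    reason: str    # why the entry deserves a look
    line: str      # the log line as posted


def parse_log(text):
    """Return (processes, entries): process paths, and (section, body, raw) tuples."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False          # the first Rxx/Oxx line ends the process list
            entries.append((match.group("section"), match.group("body"), line))
        elif in_processes:
            processes.append(line)
    return processes, entries


def triage(text):
    """Flag entries matching the patterns this thread's logs show; returns a list of Finding."""
    processes, entries = parse_log(text)
    findings = []
    for path in processes:
        low = path.lower()
        if "\\temporary internet files\\" in low or "\\temp\\" in low:
            findings.append(Finding("proc", "executable running from a browser cache or temp directory", path))
    for section, body, line in entries:
        low = body.lower()
        if "(file missing)" in low:
            findings.append(Finding(section, "load point whose target file is missing (leftover or hidden loader)", line))
        if section in ("O2", "O9") and "(no name)" in low:
            findings.append(Finding(section, "browser helper or button registered without a name", line))
        if section == "O4" and "?" in body:
            # '?' is not a legal Windows filename character, so the real path holds
            # a character the log could not print: a look-alike of a system folder name.
            findings.append(Finding(section, "autorun path contains '?' (unprintable character in a system-looking path)", line))
        if section == "O23" and "unknown owner" in low:
            findings.append(Finding(section, "service with no vendor string", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run it against a full log saved from HijackThis and read the flagged lines first; an entry that matches two heuristics (a missing file that is also unnamed, as with xxwwt.dll above) is reported twice on purpose, so the count per entry is itself a rough priority.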
 

Qbert (New Member, joined Jun 2007, 6 posts) - Posted 7/10/2007 10:13 PM (GMT +3)
Almost forgot my ComboFix log :-) :

"a" - 07/10/2007 15:02:03 - ComboFix 07-07-10.1 - Service Pack 3  FAT32

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\a\APPLIC~1.\sstem3~1
C:\Program Files\Common Files\Yazzle1549OinUninstaller.exe
C:\Program Files\Common Files\ymante~1
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\poolsv
C:\Program Files\poolsv\wr-1-0000077.exe
C:\Program Files\poolsv\YazzleBundle-1549.exe
C:\Program Files\sstem~1
C:\Program Files\sstem~1\alg.exe
C:\Program Files\svhost
C:\Program Files\svhost\wr-1-0000077.exe
C:\setup.exe
C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\temp\iee
C:\temp\iee\tmpZTF.log
C:\temp\tn3
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\rau001978.exe
C:\WINDOWS\start.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\o09PrEz
C:\WINDOWS\system32\qge.dll
C:\WINDOWS\system32\win
C:\WINDOWS\system32\wnscpsv32.exe
C:\WINDOWS\wr.txt

(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_CORE
-------\LEGACY_NET_AGENT
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\core
-------\Net Agent
-------\nm
-------\Windows Overlay Components

(((((((((((((((((((((((((   Files Created from 2007-06-10 to 2007-07-10  )))))))))))))))))))))))))))))))

2007-07-10 15:01 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-10 12:16 <DIR> d-------- C:\DOCUME~1\a\DoctorWeb
2007-07-10 10:14 <DIR> d-------- C:\VundoFix Backups
2007-07-09 12:42 218,112 --a------ C:\alternativ.exe
2007-07-09 11:26 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-07-09 11:12 <DIR> d-------- C:\Program Files\CCleaner
2007-07-09 11:08 1,853,982 ---hs---- C:\WINDOWS\SYSTEM32\twwxx.bak2
2007-07-02 17:11 1,844,234 ---hs---- C:\WINDOWS\SYSTEM32\twwxx.bak1
2007-07-02 17:01 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\Aladdin Systems
2007-07-02 15:51 <DIR> d-------- C:\DOCUME~1\a\APPLIC~1\Aladdin Systems
2007-07-02 14:17 8,190 --a------ C:\WINDOWS\b122.exe.bin
2007-07-02 14:14 <DIR> d-------- C:\WINDOWS\SYSTEM32\F9
2007-07-02 14:14 <DIR> d-------- C:\WINDOWS\SYSTEM32\F5
2007-07-02 14:14 <DIR> d-------- C:\WINDOWS\SYSTEM32\F4
2007-07-02 14:14 <DIR> d-------- C:\WINDOWS\SYSTEM32\F3
2007-07-02 14:14 <DIR> d-------- C:\WINDOWS\SYSTEM32\F2
2007-07-02 14:14 <DIR> d-------- C:\WINDOWS\SYSTEM32\F1
2007-06-23 14:07 <DIR> d-------- C:\DOCUME~1\a\APPLIC~1\Steinberg

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
05-11-21 15:54  399424 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
01-03-02 12:02  37808 --------- C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1f0c8547-2639-4c91-b8aa-c7eca24c3163}]
04-07-21 17:41  110592 --a------ C:\PROGRA~1\ALADDI~1\INTERN~1\ic3hlpr.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1F2E844B-8211-46ff-8262-772F03295CF4}]
04-06-15 11:03  49152 --a------ C:\PROGRA~1\ALADDI~1\INTERN~1\PopFiltr.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F7A8F969-83E3-4503-8879-C01706D47990}]
   C:\WINDOWS\System32\xxwwt.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"="tp4mon.exe" [99-11-30 23:40  C:\WINDOWS\SYSTEM32\tp4mon.exe]
"SystemTray"="SysTray.Exe" [02-07-24 12:00  C:\WINDOWS\SYSTEM32\systray.exe]
"Synchronization Manager"="mobsync.exe" [02-07-24 12:00  C:\WINDOWS\SYSTEM32\mobsync.exe]
"LTSMMSG"="LTSMMSG.exe" [01-08-02 22:28  C:\WINDOWS\LTSMMSG.exe]
"AGRSMMSG"="AGRSMMSG.exe" [06-03-14 12:58  C:\WINDOWS\AGRSMMSG.exe]
"AEIWLSTA.EXE"="AEIWLSTA.exe" [06-03-14 12:58  C:\WINDOWS\SYSTEM32\AEIWLSTA.exe]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [04-10-14 10:17 ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [06-04-01 23:46 ]
"D-Link AirPlus XtremeG"="C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe" [04-10-27 16:07 ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06-05-27 20:04 ]
"Lexmark X74-X75"="C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe" [02-10-14 12:09 ]
"WinFSG"="C:\Program Files\Aladdin Systems\Internet Cleanup\MSFG.exe" [04-07-19 11:58 ]
"NBMonitor"="C:\Program Files\Aladdin Systems\Internet Cleanup\NetBlockadeMonitor.exe" [04-10-29 11:06 ]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [07-06-11 02:25 ]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [05-12-08 13:55 ]
"BullGuard 5.0"="C:\Program Files\BullGuard Software\BullGuard 5.0\bullguard.exe" [06-04-19 20:30 ]
"InstantTray"="C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe" [04-09-02 10:37 ]
"IW_Drop_Icon"="C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe" [04-07-30 15:10 ]
"Updn"="C:\PROGRA~1\SSTEM~1\alg.exe" []
"Yrti"="C:\Documents and Settings\a\Application Data\s?stem32\n?pdb.exe" []
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [07-05-30 05:29 ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxwwt]
C:\WINDOWS\System32\xxwwt.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyyaaa]
xxyyaaa.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]
*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
Contents of the 'Scheduled Tasks' folder
2007-04-08 06:00:02  C:\WINDOWS\tasks\Tune-up Application Start.job
**************************************************************************
catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-10 15:06:11
Windows 5.0.2195 Service Pack 3 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-07-10 15:07:55 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-07-10 15:07
 --- E O F ---
 

Touch (Forum Moderator, joined Jun 2004, 12975 posts) - Posted 7/11/2007 8:13 AM (GMT +3)
Hello
 
 

1. Download AVG Anti-Virus Free Edition
2. AVG Free Anti-Virus can be downloaded from the AVG website.
3. Scroll down the page and click Download Free Version. Under the Windows section, click to download the file under AVG Free for Windows installation files. Click OK to save the file to your PC.
4. Double-click the file you downloaded, and click Next on the welcome screen. Click Accept to agree to the License Agreement. Choose Standard Installation then click Next.
5. A window will now pop up if there are any available updates. Click Update to download them. AVG will download and automatically install any updates. Click OK when finished.
6. Back on the First Run window, click Next to proceed. Leave the Daily Scanning settings as they are and click Next.
7. You now have the option to perform a scan to test your computer for viruses.
8. Click Scan computer!

Reboot, post a new HijackThis log.


Do NOT post your problem in someone else's thread.
Start a new topic so that it may receive proper attention.
 

 

Qbert (New Member, joined Jun 2007, 6 posts) - Posted 7/12/2007 6:55 PM (GMT +3)
The pop-ups have stopped, but AVG still detected and removed 3 trojans.
Here is my new HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 11:53:38 AM, on 7/12/2007
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\hidserv.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\tp4mon.exe
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\AEIWLSTA.EXE
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Aladdin Systems\Internet Cleanup\NetBlockadeMonitor.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\BullGuard Software\BullGuard 5.0\bullguard.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\a\Local Settings\Temporary Internet Files\Content.IE5\W3IBS18N\alternativ[1].exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ICHlprObj Class - {1f0c8547-2639-4c91-b8aa-c7eca24c3163} - C:\PROGRA~1\ALADDI~1\INTERN~1\ic3hlpr.dll
O2 - BHO: PopupFilter Class - {1F2E844B-8211-46ff-8262-772F03295CF4} - C:\PROGRA~1\ALADDI~1\INTERN~1\PopFiltr.dll
O2 - BHO: (no name) - {F7A8F969-83E3-4503-8879-C01706D47990} - C:\WINDOWS\System32\xxwwt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AEIWLSTA.EXE] AEIWLSTA.EXE START
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [WinFSG] "C:\Program Files\Aladdin Systems\Internet Cleanup\MSFG.exe"
O4 - HKLM\..\Run: [NBMonitor] "C:\Program Files\Aladdin Systems\Internet Cleanup\NetBlockadeMonitor.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [BullGuard 5.0] "C:\Program Files\BullGuard Software\BullGuard 5.0\bullguard.exe" -boot
O4 - HKCU\..\Run: [InstantTray] C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc
O4 - HKCU\..\Run: [Updn] "C:\PROGRA~1\SSTEM~1\alg.exe" -vt yazb
O4 - HKCU\..\Run: [Yrti] "C:\Documents and Settings\a\Application Data\s?stem32\n?pdb.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesus.dll
O9 - Extra button: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: xxwwt - C:\WINDOWS\System32\xxwwt.dll (file missing)
O20 - Winlogon Notify: xxyyaaa - xxyyaaa.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE


 

Touch (Forum Moderator, joined Jun 2004, 12975 posts) - Posted 7/12/2007 8:34 PM (GMT +3)
Right. I can see the infections -
 
 
Please download the free trial of SUPERAntiSpyware.

Install it using the Standard Install option. (You will be asked for your e-mail address; it is safe to give it.)
Close the program.

Please download ATF Cleaner:
http://www.atribune.org/ccount/click.php?id=1 by Atribune.
This program is for XP and Windows 2000 only.

Download and install DrWebCureit to your desktop.
 
 
 
 
Please print out or copy this page to Notepad as you will be in Safe Mode and unable to refer to this page.

Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch (Windows XP only)
Java Cache
Recycle Bin
NB. It's normal after running ATF Cleaner that the PC will be slower to boot the first time.
 
 
Double-click "drweb-cureit.exe" and click "OK" in the prompt window that opens, asking "start the express scan now".
It will first make a quick scan of your system; let it clean what it finds, and when it says "done":
Click on the green screwdriver.
Actions tab: Adware, Dialers, Riskware, Hacktools - use the dropdown menu and select Delete.
Click on the drive(s) you want to scan. A red dot will mark the selected drive(s). Then hit the green arrow in the lower right corner. It will now scan your drive(s); say yes to all.

After the scan, in the Dr.Web CureIt menu on top, click File and choose Save report list.
Save the report to your desktop. The report will be called DrWeb.csv.
Close Dr.Web CureIt.

Reboot your computer!! It is possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the Dr.Web log you saved previously in your next reply.
 
 
 
 
Start SUPERAntiSpyware.
Hit the "Scan Your Computer" button.
Click on the drive(s) you want to scan. Put a check in "Perform Complete Scan", then Next;
it will scan now. When the scan has finished, put a checkmark next to all items it found. Next, after cleaning, allow it to reboot.

Start SUPERAntiSpyware again:
Click Preferences and then click the Statistics/Logs tab.
Click the dated log and press View Log, and a text file will appear.

Post this log along with a fresh HijackThis log and the Dr.Web log, and tell how things are running.

Do NOT post your problem in someone else's thread.
Start a new topic so that it may receive proper attention.
 

 

Qbert (New Member, joined Jun 2007, 6 posts) - Posted 7/19/2007 5:46 PM (GMT +3)
Hi Touch,

I've been away from my computer, so I didn't get the chance to post again. But I'm back.

OK, since my last post my computer has been very slow (especially at start-up). I think it may be because I have an old version of BullGuard that starts automatically at start-up. It even overrides SUPERAntiSpyware. I've tried to remove it several times, but it won't, because it says that BullGuard is "currently running". I disabled all of its features, but it just won't be removed.
And here are my logs. There was no log or infections found by DrWeb:


SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 07/15/2007 at 00:14 AM
Application Version : 3.9.1008
Core Rules Database Version : 3269
Trace Rules Database Version: 1280
Scan type       : Complete Scan
Total Scan Time : 00:50:18
Memory items scanned      : 394
Memory threats detected   : 0
Registry items scanned    : 4198
Registry threats detected : 3
File items scanned        : 19424
File threats detected     : 8
Trojan.Windows Overlay Components/SysMon
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OvMon
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OvMon#DisplayName
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OvMon#UninstallString
Adware.ClickSpring/Outer Info Network
 C:\Documents and Settings\a\Start Menu\Programs\Outerinfo\Terms.lnk
 C:\Documents and Settings\a\Start Menu\Programs\Outerinfo\Uninstall.lnk
 C:\Documents and Settings\a\Start Menu\Programs\Outerinfo
Adware.ClickSpring/Yazzle
 C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1549OINUNINSTALLER.EXE.VIR
 C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\POOLSV\YAZZLEBUNDLE-1549.EXE.VIR
Adware.ClickSpring-Variant
 C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\SSTEM~1\ALG.EXE.VIR
Trojan.Unknown Origin
 C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WNSCPSV32.EXE.VIR
Adware.ClickSpring/Resident
 C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\QGE.DLL.VIR


Logfile of HijackThis v1.99.1
Scan saved at 10:34:08 AM, on 7/19/2007
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\hidserv.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\tp4mon.exe
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\AEIWLSTA.EXE
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Aladdin Systems\Internet Cleanup\NetBlockadeMonitor.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\BullGuard Software\BullGuard 5.0\bullguard.exe
C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Documents and Settings\a\Local Settings\Temporary Internet Files\Content.IE5\H7SRO4MD\alternativ[1].exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ICHlprObj Class - {1f0c8547-2639-4c91-b8aa-c7eca24c3163} - C:\PROGRA~1\ALADDI~1\INTERN~1\ic3hlpr.dll
O2 - BHO: PopupFilter Class - {1F2E844B-8211-46ff-8262-772F03295CF4} - C:\PROGRA~1\ALADDI~1\INTERN~1\PopFiltr.dll
O2 - BHO: (no name) - {F7A8F969-83E3-4503-8879-C01706D47990} - C:\WINDOWS\System32\xxwwt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AEIWLSTA.EXE] AEIWLSTA.EXE START
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [WinFSG] "C:\Program Files\Aladdin Systems\Internet Cleanup\MSFG.exe"
O4 - HKLM\..\Run: [NBMonitor] "C:\Program Files\Aladdin Systems\Internet Cleanup\NetBlockadeMonitor.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [BullGuard 5.0] "C:\Program Files\BullGuard Software\BullGuard 5.0\bullguard.exe" -boot
O4 - HKCU\..\Run: [InstantTray] C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc
O4 - HKCU\..\Run: [Updn] "C:\PROGRA~1\SSTEM~1\alg.exe" -vt yazb
O4 - HKCU\..\Run: [Yrti] "C:\Documents and Settings\a\Application Data\s?stem32\n?pdb.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesus.dll
O9 - Extra button: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: xxwwt - C:\WINDOWS\System32\xxwwt.dll (file missing)
O20 - Winlogon Notify: xxyyaaa - xxyyaaa.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

 
Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 12975
Posted 7/20/2007 10:28 AM (GMT +3)
OK. We'll see if we can remove BG manually -

Run HijackThis and place a check beside each of the following. Close all other browser windows except HJT.
Click Fix checked:
O2 - BHO: (no name) - {F7A8F969-83E3-4503-8879-C01706D47990} - C:\WINDOWS\System32\xxwwt.dll (file missing)
O4 - HKCU\..\Run: [BullGuard 5.0] "C:\Program Files\BullGuard Software\BullGuard 5.0\bullguard.exe" -boot
O4 - HKCU\..\Run: [Updn] "C:\PROGRA~1\SSTEM~1\alg.exe" -vt yazb
O4 - HKCU\..\Run: [Yrti] "C:\Documents and Settings\a\Application Data\s?stem32\n?pdb.exe"
O20 - Winlogon Notify: xxwwt - C:\WINDOWS\System32\xxwwt.dll (file missing)
O20 - Winlogon Notify: xxyyaaa - xxyyaaa.dll (file missing)

You may want to print this or save it to Notepad, as we will go to Safe Mode.

Restart your PC in Safe Mode.

Delete the following files or folders (delete the item in bold). Please do not be concerned if any of the items are not found, as they may have been automatically removed by actions I had you take earlier in the cleaning process.

Delete -

Folders:
C:\Program Files\BullGuard Software\BullGuard 5.0

Reboot, post a new HijackThis log.
 


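The entries Touch picked out of the 7/19 log share a few mechanical tells: an autostart hook whose DLL is gone ("file missing"), a BHO with no display name, a path with a "?" in it ("?" is not a legal character in a Windows file name, so the logger most likely substituted it for a look-alike glyph it could not print), an 8.3 short name one edit away from a real system folder (SSTEM~1), and, in the process list, an .exe running straight out of the IE cache. The script below is an added example by the editor, not code from the thread, from HijackThis or from any product named here; it applies those tells to HijackThis-style lines. The legitimate-stem list, the profile-directory list and the edit-distance threshold are the editor's assumptions, and the sample lines are copied from the 7/19 log above with a few benign entries left in for contrast.

```python
"""Triage HijackThis-style log lines for the mechanical tells that drove
the fix list in this thread.  Editor's example; heuristics, word lists
and thresholds are assumptions, not HijackThis or forum logic."""
import re
from dataclasses import dataclass, field

# Sample lines copied from the 7/19/2007 HijackThis log posted above,
# with benign entries kept for contrast.
HJT_SAMPLE = r"""C:\WINDOWS\Explorer.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\a\Local Settings\Temporary Internet Files\Content.IE5\H7SRO4MD\alternativ[1].exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {F7A8F969-83E3-4503-8879-C01706D47990} - C:\WINDOWS\System32\xxwwt.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Updn] "C:\PROGRA~1\SSTEM~1\alg.exe" -vt yazb
O4 - HKCU\..\Run: [Yrti] "C:\Documents and Settings\a\Application Data\s?stem32\n?pdb.exe"
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: xxwwt - C:\WINDOWS\System32\xxwwt.dll (file missing)
O20 - Winlogon Notify: xxyyaaa - xxyyaaa.dll (file missing)
"""

# Expected 8.3 stems of folders that malware likes to imitate (assumption).
LEGIT_STEMS = {"PROGRA", "COMMON", "DOCUME", "WINDOW", "SYSTEM", "MICROS"}
# User-writable directories a genuine autostart binary has no business in (assumption).
PROFILE_DIRS = re.compile(
    r"\\(Temporary Internet Files|Local Settings\\Temp|Application Data)\\", re.I)
SHORT_NAME = re.compile(r"\\([^\\]+)~\d+(?=\\)")   # "\PROGRA~1\" -> "PROGRA"


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; inputs are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_path(line: str):
    """Pull the file path out of a running-process, O2, O4 or O20 line."""
    m = re.search(r'"([A-Za-z]:\\[^"]*)"', line)                 # quoted O4 target
    if m:
        return m.group(1)
    m = re.search(r"([A-Za-z]:\\.*?)(?:\s\(file missing\))?$", line)   # drive-rooted path
    if m:
        return m.group(1)
    m = re.search(r" - (\S+\.(?:dll|exe|ocx))(?: \(file missing\))?$", line, re.I)  # bare name
    return m.group(1) if m else None


def triage_line(line: str) -> list:
    """Return the list of reasons (possibly empty) why one log line looks suspicious."""
    line = line.strip()
    path = extract_path(line)
    if path is None:
        return []
    reasons = []
    if line.endswith("(file missing)"):
        reasons.append("autostart hook points at a file that no longer exists")
    if line.startswith("O2") and "(no name)" in line:
        reasons.append("BHO registered without a display name")
    if any(c == "?" or ord(c) > 127 for c in path):
        # '?' cannot occur in a real Windows file name, so the logger substituted it
        # for a character it could not print: a look-alike glyph (assumption).
        reasons.append("path contains '?' or non-ASCII: look-alike folder or file name")
    for stem in SHORT_NAME.findall(path):
        s = stem.upper()
        if s not in LEGIT_STEMS and any(edit_distance(s, k) == 1 for k in LEGIT_STEMS):
            reasons.append(f"8.3 name {stem}~ is one edit away from a system folder stem")
    if path.lower().endswith(".exe") and PROFILE_DIRS.search(path):
        reasons.append("executable runs from a user-writable profile/cache directory")
    return reasons


def triage(log_text: str) -> list:
    """Return a Finding for every line that trips at least one heuristic."""
    out = []
    for raw in log_text.splitlines():
        reasons = triage_line(raw)
        if reasons:
            out.append(Finding(raw.strip(), reasons))
    return out


if __name__ == "__main__":
    for f in triage(HJT_SAMPLE):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Run against the sample it flags exactly the five items on the fix list above (the BullGuard entry is a separate, non-malware case) plus alternativ[1].exe from the process list. That last one is a running process rather than a registry hook, which is why HijackThis's "fix checked" cannot touch it and the thread went after the persistence entries instead.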
 

Qbert
New Member
Date Joined Jun 2007
Total Posts : 6
Posted 7/21/2007 7:09 PM (GMT +3)
Wow, everything seems to be working great. My computer speed has increased, and no more pop-ups; and no BG at startup :)

OK, before I post my HJT I have a few questions. Will the freeware that I was prompted to download be sufficient to protect me in the future, or will I need to download or purchase more software when it expires? And also, do I delete the infected files from my "quarantines", or will that unleash them back into my system?

I just want to avoid those annoying pop-ups. Although I have learned a lot more about my computer during the process.

OK Touch, thanks again for the help. You all provide a great service here. And please never go to the "Dark Side". You would make for quite the adversary :)

And I encourage EVERYONE who reads this to donate to the freeware sites!


Logfile of HijackThis v1.99.1
Scan saved at 11:40:00 AM, on 7/21/2007
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\hidserv.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\tp4mon.exe
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\AEIWLSTA.EXE
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Aladdin Systems\Internet Cleanup\NetBlockadeMonitor.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\a\Desktop\Hijackthis program.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ICHlprObj Class - {1f0c8547-2639-4c91-b8aa-c7eca24c3163} - C:\PROGRA~1\ALADDI~1\INTERN~1\ic3hlpr.dll
O2 - BHO: PopupFilter Class - {1F2E844B-8211-46ff-8262-772F03295CF4} - C:\PROGRA~1\ALADDI~1\INTERN~1\PopFiltr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AEIWLSTA.EXE] AEIWLSTA.EXE START
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [WinFSG] "C:\Program Files\Aladdin Systems\Internet Cleanup\MSFG.exe"
O4 - HKLM\..\Run: [NBMonitor] "C:\Program Files\Aladdin Systems\Internet Cleanup\NetBlockadeMonitor.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [InstantTray] C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesus.dll
O9 - Extra button: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 12975
Posted 7/23/2007 8:24 AM (GMT +3)
That's good news :) ;) :D

First thing to do is -

Check for Security Updates: Windows Update

Then download Zone Alarm basic protection Firewall -

AVG Antivirus is an excellent program.

Just delete them ("delete the infected files from my quarantines") and they are completely removed from your computer.

You may want to read TonyKlein's article about how to protect against spyware/hijackers in the future:
http://www.castlecops.com/t7736-So_how_did_I_get_infected_in_the_first_place.html


Qbert
New Member
Date Joined Jun 2007
Total Posts : 6
Posted 7/29/2007 11:48 PM (GMT +3)
Hi Touch, everything is going well as far as there being no more pop-ups on my computer. But my computer has slowed down during start-up, after SUPERAntiSpyware ran an updated scan. Is this to be expected? There were only a few cookies found, but I just wanted to know if everything is still all right before I download the firewall.
Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 12975
Posted 7/30/2007 4:56 AM (GMT +3)
Open SUPERAntiSpyware - Preferences - uncheck "Load at startup". See if it helps.

