BullGuard
 HomeLog InRegisterCommunity CalendarSearch the ForumView The Member ListHelp
Please Help! Pop-ups and unwanted sites with underlined links?!?! Do I have a virus or ad/spyware?
   
BullGuard Antivirus Forum > Virus Removal > Removal Tools > Please Help! Pop-ups and unwanted sites with underlined links?!?! Do I have a virus or ad/spyware?  
Forum Quick Jump
 
New Topic Post reply to : Please Help! Pop-ups and unwanted sites with underlined links?!?!  Do I have a virus or ad/spyware? Printable version of : Please Help! Pop-ups and unwanted sites with underlined links?!?!  Do I have a virus or ad/spyware?
[ << Previous Thread | Next Thread >> ]

Dan1
New Member


Date Joined Nov 2004
Total Posts : 27
 
   Posted 3/26/2005 6:15 PM (GMT +2)    Quote: Please Help! Pop-ups and unwanted sites with underlined links?!?!  Do I have a virus or ad/spyware?Alert an admin about: Please Help! Pop-ups and unwanted sites with underlined links?!?!  Do I have a virus or ad/spyware?
Hi there seems to be sometyhing wrong with my computer.  On every web page I open there are numerous underlined words linking to random search sites and other unwanted pop-ups and sites.  There are constant "video poker" and "search" pop-ups as well as download boxes for file registry.  Do I have ad or spy ware or a virus?  My hijack this log is at the bottom of this.  Please Help!
 
 * * * * * * * * * * * *
 
Logfile of HijackThis v1.99.1
Scan saved at 11:13:47 AM, on 3/26/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\System32\tp4serv.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\System32\AEIWLSTA.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\winupdt.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\viahpaqd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\keobllpe\keobllpe.exe
C:\windows\system32\eibzini.exe
C:\WINDOWS\System32\lfaator.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\System32\ikznip.exe
C:\WINDOWS\SysCheckBop32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\kbdmgr.exe
C:\windows\system32\packager.exe
C:\Program Files\keobllpe\65825120.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Pathfinder Day Camp\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?id=6528
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: SearchToolbarBHOObject - {12EE7A5E-0674-42f9-A76A-000000004D00} - C:\WINDOWS\System32\stlb2.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O3 - Toolbar: Search - {12EE7A5E-0674-42f9-A76B-000000004D00} - C:\WINDOWS\System32\stlb2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [AEIWLSTA.EXE] AEIWLSTA.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [dajxtmrgticpm] C:\WINDOWS\viahpaqd.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [keobllpe] C:\Program Files\keobllpe\keobllpe.exe
O4 - HKLM\..\Run: [BMan] C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
O4 - HKLM\..\Run: [eibzini] c:\windows\system32\eibzini.exe
O4 - HKLM\..\Run: [5sti36h] lfaator.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\ikznip.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitemav32.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [KB2sRWN6P] kbdmgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
 
 
Back to Top
 

Lee_UK
New Member




Date Joined Jan 2005
Total Posts : 16
 
   Posted 3/26/2005 7:37 PM (GMT +2)    Quote: Please Help! Pop-ups and unwanted sites with underlined links?!?!  Do I have a virus or ad/spyware?Alert an admin about: Please Help! Pop-ups and unwanted sites with underlined links?!?!  Do I have a virus or ad/spyware?
Get K9 from;
windowsx.pwp.blueyonder.co.uk/K9_Setup_Latest.exe

I made a small k9 script that should remove it from here, to use it right click and click "Save target as"/"Save link as " then save it on the desktop then open it.
lee.rafc.co.uk/Dan1.k9s
Back to Top
 

Dan1
New Member


Date Joined Nov 2004
Total Posts : 27
 
   Posted 3/27/2005 5:44 PM (GMT +2)    Quote: Please Help! Pop-ups and unwanted sites with underlined links?!?!  Do I have a virus or ad/spyware?Alert an admin about: Please Help! Pop-ups and unwanted sites with underlined links?!?!  Do I have a virus or ad/spyware?
Thank you so much.  Here is my Hijack This log.  I also had another question: what is BMan and BMan1?  Usually when I shut down my computer it says closing BMan or BMan 1, and it is listed on the running processes of my computer.  Any help you can give I would greatly appreciate.  Thank you again.
*************************************
Logfile of HijackThis v1.99.1
Scan saved at 10:44:55 AM, on 3/27/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\LTSMMSG.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\System32\AEIWLSTA.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\viahpaqd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\kbdmgr.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\msw\BMan.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Pathfinder Day Camp\Local Settings\Temp\Temporary Directory 1 for hijackthis[2].zip\HijackThis.exe
C:\WINDOWS\System32\ikznip.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?id=6528
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [AEIWLSTA.EXE] AEIWLSTA.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [dajxtmrgticpm] C:\WINDOWS\viahpaqd.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [keobllpe] C:\Program Files\keobllpe\keobllpe.exe
O4 - HKLM\..\Run: [BMan] C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
O4 - HKLM\..\Run: [eibzini] c:\windows\system32\eibzini.exe
O4 - HKLM\..\Run: [5sti36h] lfaator.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\ikznip.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitemav32.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [KB2sRWN6P] kbdmgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE


Back to Top
 

Dan1
New Member


Date Joined Nov 2004
Total Posts : 27
 
   Posted 3/27/2005 7:23 PM (GMT +2)    Quote: Please Help! Pop-ups and unwanted sites with underlined links?!?!  Do I have a virus or ad/spyware?Alert an admin about: Please Help! Pop-ups and unwanted sites with underlined links?!?!  Do I have a virus or ad/spyware?
After I dowloaded and did what you had told me to, I am continuing to get pop-ups and there random words that are underlined as links in every web page.  Please help as soon as possible.  I am becoming tired of this ongoing problem.  Please help, and thank you for your patience.
Back to Top
 

Lee_UK
New Member




Date Joined Jan 2005
Total Posts : 16
 
   Posted 3/27/2005 7:32 PM (GMT +2)    Quote: Please Help! Pop-ups and unwanted sites with underlined links?!?!  Do I have a virus or ad/spyware?Alert an admin about: Please Help! Pop-ups and unwanted sites with underlined links?!?!  Do I have a virus or ad/spyware?
It looks like that silly ceres thing; igfxsrvc.dll. Grap the latest k9 release(just incase a new version has been released). BMan... seems to be CWS [CoolWebSearch] related or something else that Windows doesnt really need.

Then, lets try this, save the following (copy and paste) as a .k9s script file on the desktop then open it. Eg in notepad, file, save as, and then on the desktop, Go.k9s

MsgBox "Script Starting"

'Kill all IE
While ProcessExistByEXE("IEXPLORE.EXE") = True
KillProcessByEXE "IEXPLORE.EXE"
Wend

'Kill all Rundll32
While ProcessExistByEXE("RUNDLL32.EXE") = True
KillProcessByEXE "RUNDLL32.EXE"
Wend
'Kill That Ceres =)
MoveOnReboot "C:\WINDOWS\SYSTEM32\igfxsrvc.dll","C:\deleteme.bak"

KillProcessByEXE "BMan.exe"
KillProcessByEXE "BMan1.exe"
KillProcessByEXE "viahpaqd.exe"
KillProcessByEXE "AEIWLSTA.EXE"

strRun = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"
RegDelKey strRun & "AutoUpdater"
RegDelKey strRun & "windows auto update"
RegDelKey strRun & "winupdtl"
RegDelKey strRun & "farmmext"
RegDelKey strRun & "Internet Optimizer"
RegDelKey strRun & "salm"
RegDelKey strRun & "KB2sRWN6P"

if ProcessExistByEXE("BMan.exe") then
Msgbox "BMan was not terminated"
else
Msgbox "Bman was terminated"

if ProcessExistByEXE("BMan1.exe") then
Msgbox "BMan1 was not terminated"
else
Msgbox "Bman1 was terminated"
end if
end if

MsgBox "Script Ended, Repost HJT please :)"
Back to Top
 
New Topic Post reply to : Please Help! Pop-ups and unwanted sites with underlined links?!?!  Do I have a virus or ad/spyware? Printable version of : Please Help! Pop-ups and unwanted sites with underlined links?!?!  Do I have a virus or ad/spyware?
 
Forum Information
Currently it is Friday, October 31, 2014 10:29 AM (GMT +2)
There are a total of 60,719 posts in 13,338 threads.
In the last 3 days there were 4 new threads and 7 reply posts. View Active Threads
Who's Online
This forum has 36598 registered members. Please welcome our newest member, BraydenLogan14.
3 Guest(s), 0 Registered Member(s) are currently online.  Details
5 Latest Threads
Budget Kitchens London (0)10/31/2014 7:04:45 AM (rakpenak)
Cheap Kitchen Units In UK (0)10/31/2014 6:48:00 AM (mtkyytpw)
COMPUTER PROBLEMS (2)10/31/2014 3:00:32 AM (Deb1957)
Cheap Kitchen Units In Leeds UK (0)10/31/2014 1:45:44 AM (ceagceog8)
Bullguard dosent update to latest versions (19)10/30/2014 6:35:00 PM (LeoK)