popup flood - help!

Posted on 2008-10-29
Last Modified: 2013-12-09
Hi! When I open IE6, every 2 minutes I get another popup flood window - sometimes it is Italian, about banks, antispyware, etc...
So I use Spyware Terminator with wimclam, but the popups continue to show. Spyware Terminator says that they are dangerous sites, and I check the "don't show me again" and "don't go there" options, but they continue to show!
How can I resolve this problem definitively?
PS: the phishing sites are: and others......
Question by:tsubasa74j
Expert Comment

ID: 22831079
Try Microsoft's anti-spyware software, Windows Defender. I've had good luck with it.

Expert Comment

ID: 22831663
I've used Malwarebytes with GREAT success. I would suggest that you download and update it. Then boot into Safe Mode (F8 at startup) and then run the scan.
It's free and you can get it from

Expert Comment

ID: 22831865
Malware Bytes and
You can also run HiJackThis and paste the log here.
Author Comment

ID: 22833190
Update on the situation: I've noticed that when I type one passphrase in Google, for example "ebay", a popup with other bid sites appears; or, another example, when I type money, a popup with money or bank is shown.
It's like a rootkit virus that monitors my key presses and launches spam through IE6.
Any ideas?

Expert Comment

ID: 22833300
Are you asking what we think or how to get rid of this? It is definitely redirecting your searches using IE 6 and it is probably a combination of a trojan and spyware. You should follow the first 3 posts and get rid of this issue immediately.  

Accepted Solution

-Mystique- earned 500 total points
ID: 22839201
That behavior is typical browser hijacker behavior, although since you mention antispyware, it's also equally possible you're dealing with a rogue (malicious fake) antispyware. Rogues have legitimate-sounding names (XP Antivirus 2008 is one rogue that has been prevalent this summer; its name sounds real. Like most rogues, it pops up Windows alerts and warning windows that look entirely real.) I will give you info on browser hijackers first, and then give you info on rogues and rogue removal.

Open Task Manager and check its processes window.  Anything you see in the processes window that you don't recognize, check here to see what it is and what it does.

Malware often creates processes with names that closely resemble legitimate process names. Some examples I've seen are SPOOL32.EXE, IEXPLORE6.EXE. Some malware uses a legitimate process name; one hijacker I once encountered hid as csrss.exe, which is also a legitimate file, and that particular malware deleted all my antivirus, antispy, etc. app .exe files. I was running Norton Antivirus and Spybot S&D at this time (approximately 2 years ago). I've never seen anything like that malware. It blocked attempts to scan and clean with Housecall and other online scanners I tried. When I tried to reinstall S&D, that malware immediately deleted the exe, denied me access to Task Manager and anything else that I tried to get into to manually remove it. It wiped out all my previous system restore points so I couldn't use System Restore to get rid of it. What it was, I don't know. I submitted my findings to several major antimalware sites but never got any info, and I've only once or twice seen anybody else describe having malware that had these behaviors. That was the nastiest thing I'd ever seen, and the only way I managed to remove it was to move things I wanted to keep to a new HD and then reformat and reinstall the infected HD.

Here is BleepingComputer's step by step tutorial on how to remove browser hijackers.

This page also gives good clear instructions on how to find and remove browser hijackers. It's an older article but valid.

HijackThis is a freeware tool that will greatly help you, or someone else who is familiar with reading HJT logs, to identify malware processes on your PC.
HijackThis is freeware and can be downloaded here.

Although there are people in many forums including EE, who are willing to read the results of a HJT log for you, you can also use these online readers or download the freeware HijackThis reader.
Online hijack this log analyzers

This is the only HijackThis log analyzer I've ever seen that you can DOWNLOAD and run to analyze HJT logs. And it's FREEWARE. I really like this reader. It opens the analyzed logfiles in a browser window and gives you detailed information on everything in the log.
Hijack Reader can also be downloaded here, and the description here probably is more informative.
Here are some key features of "HijackReader":

· Automatically reads HijackThis logs
· Gives advice on what to fix
· Can output the report to text (txt) or web (html) format
· The web report includes a link, for quick Google searching, based on the object in question
· Requires no installation or DLL files. Does not write any settings to the registry or create any files, unless the user wants it to
· Completely portable. Can be run from a USB-flash drive, CD, etc.
· No internet connection required (unless you want to check things using the Google function)

AnVir Task Manager freeware version has HijackThis included in it and will run and save HJT logs in addition to performing other useful functions. (BTW, AnVir Task Manager and Spybot S&D do not conflict with each other, except that if you run S&D Tea Timer, you will have to give both AnVir AND TeaTimer permission to allow or deny changes anything tries to make to your system!)

Rogues & Rogue Removers
Here is a link to a list of rogue security software where you can check to see if a software is a rogue or not. Most of the rogues have legitimate-sounding names.

There is a LOT of other helpful information, tools, etc at the above link, that will help anyone who is dealing with malware of almost any kind.

More links with good information on rogues:

Malwarebytes forum on the most recent rogues

Rogue removal information here.  When you start reading this page, you'll probably be surprised at the extremely legitimate looking names of the rogues.

There is a huge collection of links for tools for detecting and cleaning malware from your pc at this PC Hell page.
Essential Tools for Removing Spyware, Adware, and Malware

Malwarebytes has the Rogue Remover program and the freeware version is very good.

After your system is clean, here are some things to do that will greatly help protect you against threats.

A HOSTS FILE and HOSTFILE MANAGER FREEWARE will also do much to help prevent you from exposure to a lot of malware and hijacker tactics.
Free hostfile manager
freeware hosts file manager and editor

Best free hostsfile list I've seen (available here)
Blocking Unwanted Parasites with a Hosts File

Spybot Search & Destroy has been mentioned in other posts, and it is an excellent program. Its TEA TIMER real-time protection feature is what will protect you against hijackers, etc. Tea Timer alerts you and asks your permission anytime anything tries to change your registry, startup, homepage, etc., and blocks the change until you allow the change or deny the change.

Spybot Search & Destroy detects and cleans malware from your PC very well, and I personally have had it block adware bundled with a legit program: it allowed the legit program to install while it stopped the bundled WhenU Save adware totally from attempting to install.

Another useful site with lots of info on a variety of threats is:
Adware, malware, spyware and hijacker help, discussions and information
Temerc Ultimate Countermeasures Page

I hope with the information I've given you, you'll be able to find and remove the hijacker/rogue that's causing your problems.  If not, posting a HJT log here will greatly help people who are good at reading HJT logs, identify your malware.

Author Comment

ID: 22841656
My HijackThis log. 2 considerations: too many HKU reg keys about ctfmon, and 4 entries about Microsoft start and search page.

Running processes:
C:\Programmi\Spyware Terminator\sp_rsser.exe
C:\documents and settings\utente1\impostazioni locali\dati applicazioni\wugsscm.exe
C:\Programmi\Microsoft Office\OFFICE11\WINWORD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Programmi\ThinkVantage Fingerprint Software\launcher.exe" /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Motorola PcSync] "C:\Programmi\Motorola\Motorola PcSync\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Programmi\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [wugsscm] "c:\documents and settings\utente1\impostazioni locali\dati applicazioni\wugsscm.exe" wugsscm
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - - C:\Programmi\Spyware Terminator\sp_rsser.exe


Author Comment

ID: 22841662
another  consideration: xpnetdiag.exe (uhm!!!) why?

Expert Comment

ID: 22841933
C:\documents and settings\utente1\impostazioni locali\dati applicazioni\wugsscm.exe
O4 - HKCU\..\Run: [wugsscm] "c:\documents and settings\utente1\impostazioni locali\dati applicazioni\wugsscm.exe" wugsscm
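
Added example, not part of the original thread and not any poster's code: a small Python triage of the O4 autostart lines in a HijackThis log like the one above, flagging entries that start from user-writable folders (as the wugsscm entry does) or that use a system file name outside its usual folder (the csrss.exe-style disguise described in the accepted solution). The folder list, the name table and the C:\WINDOWS install path are assumptions for illustration.

```python
import ntpath
import re

# First four lines are copied from the log posted in this thread; the last
# one is constructed to exercise the system-name check.
SAMPLE_LOG = [
    r'O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe',
    r'O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe',
    r'O4 - HKCU\..\Run: [wugsscm] "c:\documents and settings\utente1'
    r'\impostazioni locali\dati applicazioni\wugsscm.exe" wugsscm',
    r"O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')",
    r'O4 - HKCU\..\Run: [csrss] C:\WINDOWS\Temp\csrss.exe',
]

O4_RE = re.compile(
    r'^O4 - (?P<hive>[^\\]+)\\.*?\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')

# Assumed heuristics: folders any user can write to, and where a few
# well-known Windows binaries normally live on a C:\WINDOWS install.
USER_WRITABLE = ('\\documents and settings\\', '\\users\\', '\\temp\\')
EXPECTED_DIR = {'ctfmon.exe': r'c:\windows\system32',
                'csrss.exe': r'c:\windows\system32',
                'svchost.exe': r'c:\windows\system32',
                'explorer.exe': r'c:\windows'}

def image_path(cmd):
    """Return the executable part of a Run command line, without arguments."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r'(.+?\.exe)\b', cmd, re.I)   # unquoted path, may contain spaces
    return m.group(1) if m else cmd.split()[0]

def triage(lines):
    """Return (entry name, path, reasons) for each O4 line worth a closer look."""
    findings = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        path = image_path(m['cmd']).lower()
        folder, exe = ntpath.split(path)
        reasons = []
        if any(d in path for d in USER_WRITABLE):
            reasons.append('user-writable location')
        if exe in EXPECTED_DIR and folder and folder != EXPECTED_DIR[exe]:
            reasons.append('system file name outside its normal folder')
        if reasons:
            findings.append((m['name'], path, reasons))
    return findings

if __name__ == '__main__':
    for name, path, reasons in triage(SAMPLE_LOG):
        print(f'{name}: {path} -> {", ".join(reasons)}')
```

A flagged entry is a prompt to inspect the file (vendor, signature, an antivirus scan), not a verdict, since legitimate software also installs per-user autostart entries.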

Author Comment

ID: 22869962
I was thinking the same thing!
I'll kill the process and I'll use hijack!
I'll give you the result tomorrow!

Author Comment

ID: 23036990
It's an SQL process, so no problem with this process.
My antivirus G Data has found this virus:
Virus: VBS:Malware-gen
G Data often shows a page that blocks known phishing web pages, but it shows me always
Is there a way to delete it definitively?

Question has a verified solution.
