tsubasa74j
asked on
popup flood - help!
Hi! When I open IE6, every 2 minutes I get another popup flood window; sometimes it is Italian, about banks, antispyware, etc.
So I use Spyware Terminator with wimclam, but the popups continue to show. Spyware Terminator says that they are dangerous sites, and I check the "don't show me again" and "don't go there" options, but they continue to show!
How can I resolve this problem definitively?
PS: the phishing sites are antyspyware.com and others...
I've used malwarebytes with GREAT success. I would suggest that you download and update it. Then boot into Safe Mode (F8 at startup) and then run the scan.
It's free and you can get it from www.malwarebytes.org
David
Malware Bytes and www.spybot.com
You can also run HiJackThis and paste the log here.
ASKER
Update on the situation: I've noticed that when I type a phrase in Google, for example "ebay", a popup with other bidding sites appears; another example: when I type "money", a popup about money or banks is shown.
It's like a rootkit virus that monitors my key presses and launches spam through IE6.
Any ideas?
Are you asking what we think or how to get rid of this? It is definitely redirecting your searches using IE 6 and it is probably a combination of a trojan and spyware. You should follow the first 3 posts and get rid of this issue immediately.
ASKER CERTIFIED SOLUTION
ASKER
My HijackThis log. Two considerations: too many HKU registry keys about ctfmon, and 4 entries about the Microsoft start and search page.
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\documents and settings\utente1\impostazioni locali\dati applicazioni\wugsscm.exe
C:\Programmi\Microsoft Office\OFFICE11\WINWORD.EXE
C:\D\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60327
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Programmi\ThinkVantage Fingerprint Software\launcher.exe" /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Motorola PcSync] "C:\Programmi\Motorola\Motorola PcSync\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Programmi\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [wugsscm] "c:\documents and settings\utente1\impostazioni locali\dati applicazioni\wugsscm.exe" wugsscm
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Programmi\Spyware Terminator\sp_rsser.exe
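As an added example that is not part of this thread and not HijackThis code: a small Python triage script that automates the two checks made by hand above on lines in this log format, flagging R0/R1 entries whose URL points outside Microsoft's default hosts (the crawler.com entries) and O4 autoruns that launch from a user profile directory (the wugsscm.exe entry). The sample lines are constructed after the posted log, and the allow-list of default IE hosts and the profile-directory list are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the shape of the log posted above (not the full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60327
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [wugsscm] "c:\documents and settings\utente1\impostazioni locali\dati applicazioni\wugsscm.exe" wugsscm
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
"""
# Hosts IE's stock R0/R1 start/search entries point to (assumed allow-list).
DEFAULT_IE_HOSTS = ("microsoft.com", "msn.com", "live.com")
# Profile-relative directories (English and Italian XP names) that vendor
# autoruns rarely use; the wugsscm.exe entry above runs from one of them.
PROFILE_DIRS = ("\\documents and settings\\", "\\application data\\", "\\dati applicazioni\\",
                "\\local settings\\", "\\impostazioni locali\\", "\\temp\\")

R_LINE = re.compile(r"^(R[01]) - .+? = (\S+)")
O4_LINE = re.compile(r'^O4 - (\S+): \[([^\]]*)\] "?([^"]+?\.exe)"?', re.IGNORECASE)

def is_default_host(host):
    return any(host == d or host.endswith("." + d) for d in DEFAULT_IE_HOSTS)

def reasons_for(line):
    """Return why one HijackThis line looks suspicious (empty list if it does not)."""
    reasons = []
    m = R_LINE.match(line)
    if m:
        host = (urlparse(m.group(2)).hostname or "").lower()
        # Entries whose value is not a URL (e.g. LinksFolderName) have no host: skip.
        if host and not is_default_host(host):
            reasons.append(f"{m.group(1)} IE search/start page points to {host}")
    m = O4_LINE.match(line)
    if m and any(d in m.group(3).lower() for d in PROFILE_DIRS):
        reasons.append(f"O4 autorun [{m.group(2)}] launches from a user profile directory")
    return reasons

def triage(log_text):
    """Map each flagged line of a log to its reasons; clean lines are left out."""
    flagged = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = reasons_for(line)
        if reasons:
            flagged[line] = reasons
    return flagged
```

Run it over a full log with triage(open(path).read()); what it flags are leads to verify against the vendor's known file locations, not a verdict.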
ASKER
Another consideration: xpnetdiag.exe (uhm!!!). Why?
C:\documents and settings\utente1\impostazioni locali\dati applicazioni\wugsscm.exe
O4 - HKCU\..\Run: [wugsscm] "c:\documents and settings\utente1\impostazioni locali\dati applicazioni\wugsscm.exe" wugsscm
ASKER
I was thinking the same thing!
I'll kill the process and I'll use HijackThis!
I'll give you the result tomorrow!
ASKER
It's an SQL process, so no problem with this process.
My antivirus G Data has found this virus:
Virus: VBS:Malware-gen
address: it.powerfulvirusremover2008.com
G Data often shows a page that blocks known phishing web pages, but it always shows it to me.
Is there a way to delete it definitively?
http://www.microsoft.com/downloads/details.aspx?FamilyID=435bfce7-da2b-4a6a-afa4-f7f14e605a0d&DisplayLang=en