Solved

popup flood - help!

Posted on 2008-10-29
11
919 Views
Last Modified: 2013-12-09
Hi! When I open IE6, every 2 minutes I get another popup flood window. Sometimes it is in Italian, about banks, antispyware etc.
So I use Spyware Terminator with wimclam, but the popups continue to show. Spyware Terminator says that they are dangerous sites and I check the "don't show me again" and "don't go there" options, but they continue to show!
How can I resolve this problem definitively?
PS: the phishing sites are antyspyware.com and others......
0
Question by:tsubasa74j
11 Comments
 
LVL 7

Expert Comment

by:JasperIAM
ID: 22831079
Try Microsoft's anti-spyware software, Windows Defender. I've had good luck with it.

http://www.microsoft.com/downloads/details.aspx?FamilyID=435bfce7-da2b-4a6a-afa4-f7f14e605a0d&DisplayLang=en

0
 
LVL 27

Expert Comment

by:David-Howard
ID: 22831663
I've used malwarebytes with GREAT success. I would suggest that you download and update it. Then boot into Safe Mode (F8 at startup) and then run the scan.
It's free and you can get it from www.malwarebytes.org
David
0
 
LVL 4

Expert Comment

by:smittyboom
ID: 22831865
Malware Bytes and www.spybot.com
You can also run HiJackThis and paste the log here.
0
 

Author Comment

by:tsubasa74j
ID: 22833190
Update on the situation: I've noticed that when I type a phrase in Google, for example "ebay", a popup with other bid sites appears; another example: when I type "money", a popup with money or bank sites is shown.
It's like a rootkit virus that monitors my key presses and launches spam through IE6.
Any ideas?
0
 
LVL 4

Expert Comment

by:smittyboom
ID: 22833300
Are you asking what we think or how to get rid of this? It is definitely redirecting your searches using IE 6 and it is probably a combination of a trojan and spyware. You should follow the first 3 posts and get rid of this issue immediately.
0
 
LVL 8

Accepted Solution

by:
-Mystique- earned 500 total points
ID: 22839201
That behavior is typical browser hijacker behavior, although since you mention antispyware, it's also equally possible you're dealing with a rogue (malicious fake) antispyware. Rogues have legitimate-sounding names (XP Antivirus 2008 is one rogue that has been prevalent this summer; its name sounds real. Like most rogues, it pops up Windows alerts and warning windows that look entirely real.) I will give you info on browser hijackers first, and then give you info on rogues and rogue removal.

Open Task Manager and check its processes window.  Anything you see in the processes window that you don't recognize, check here to see what it is and what it does.
http://www.tasklist.org/

Malware often creates processes with names that closely resemble legitimate process names. Some examples I've seen are SPOOL32.EXE and IEXPLORE6.EXE. Some malware uses a legitimate process name: one hijacker I once encountered hid as csrss.exe, which is also a legitimate file, and that particular malware deleted all my antivirus, antispy etc. app .exe files. I was running Norton Antivirus and Spybot S&D at this time (approximately 2 years ago). I've never seen anything like that malware. It blocked attempts to scan and clean with Housecall and other online scanners I tried. When I tried to reinstall S&D, that malware immediately deleted the exe, denied me access to Task Manager and anything else that I tried to get into to manually remove it. It wiped out all my previous system restore points so I couldn't use System Restore to get rid of it. What it was, I don't know. I submitted my findings to several major antimalware sites but never got any info, and I've only once or twice seen anybody else describe having malware that had these behaviors. That was the nastiest thing I'd ever seen, and the only way I managed to remove it was to move things I wanted to keep to a new HD and then reformat and reinstall the infected HD.

Here is BleepingComputer's step by step tutorial on how to remove browser hijackers.
http://www.bleepingcomputer.com/tutorials/tutorial42.html

This page also gives good clear instructions on how to find and remove browser hijackers. It's an older article but valid.
http://www.cyberwalker.com/faqs/computer-threats/how-to-fix-browser-hijack.html

HijackThis is a freeware tool that will greatly help you, or someone else who is familiar with reading HJT logs, identify malware processes on your PC.
HijackThis is freeware and can be downloaded here.
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

Although there are people in many forums including EE, who are willing to read the results of a HJT log for you, you can also use these online readers or download the freeware HijackThis reader.
Online HijackThis log analyzers
http://hjt.networktechs.com/
http://www.hijackthis.de/
http://www.prevx.com/hijackthis.asp
http://www.help2go.com/component/detective/
http://www.2-spyware.com/hjt.php

FREEWARE HIJACK THIS READER
http://www.hollmen.dk/content/view/69/31/
This is the only HijackThis log analyzer I've ever seen that you can DOWNLOAD and run to analyze HJT logs. And it's FREEWARE. I really like this reader. It opens the analyzed logfiles in a browser window and gives you detailed information on everything in the log.

http://www.majorgeeks.com/HijackReader_d5385.html
Hijack Reader can also be downloaded here, and the description here probably is more informative.
Here are some key features of "HijackReader":

· Automatically reads HijackThis logs
· Gives advice on what to fix
· Can output the report to text (txt) or web (html) format
· The web report includes a link, for quick Google searching, based on the object in question
· Requires no installation or DLL files. Does not write any settings to the registry or create any files, unless the user wants it to
· Completely portable. Can be run from a USB-flash drive, CD, etc.
· No internet connection required (unless you want to check things using the Google function)

AnVir Task Manager freeware version has HijackThis included in it and will run and save HJT logs in addition to performing other useful functions. (BTW AnVir Task Manager and Spybot S&D do not conflict with each other, except that if you run S&D TeaTimer, you will have to give both AnVir AND TeaTimer permission to allow or deny changes anything tries to make to your system!)
http://www.anvir.com/products.htm

Rogues & Rogue Removers
Here is a link to a list of rogue security software where you can check to see if a software is a rogue or not. Most of the rogues have legitimate-sounding names.
http://www.ca.com/be/en/securityadvisor/pest/browse.aspx?cat=rogue%20security%20software

There is a LOT of other helpful information, tools, etc at the above link, that will help anyone who is dealing with malware of almost any kind.

More links with good information on rogues:
http://www.spywarewarrior.com/rogue_anti-spyware.htm
http://www.castlecops.com/f190-Rogue_Anti_Spyware.html
http://www.nomorespyware.50megs.com/index.html
http://www.2-spyware.com/corrupt-anti-spyware

malwarebytes forum on the most recent rogues
http://malwarebytes.org/forums/index.php?showforum=30

Rogue removal information here.  When you start reading this page, you'll probably be surprised at the extremely legitimate looking names of the rogues.
http://www.2-viruses.com/category/rogue-anti-spyware

There is a huge collection of links for tools for detecting and cleaning malware from your pc at this PC Hell page.
Essential Tools for Removing Spyware, Adware, and Malware
http://www.pchell.com/support/spywaretools.shtml

Malwarebytes has the Rogue Remover program and the freeware version is very good.
http://www.malwarebytes.org/rogueremover.php

After your system is clean, here are some things to do that will greatly help protect you against threats.

A HOSTS FILE and HOSTFILE MANAGER FREEWARE will also do much to help prevent you from exposure to a lot of malware and hijacker tactics.
Free hostfile manager
HostsMan
http://www.abelhadigital.com/
freeware hosts file manager and editor

Best free hostsfile list I've seen (available here)
Blocking Unwanted Parasites with a Hosts File
http://www.mvps.org/winhelp2002/hosts.htm

Spybot Search & Destroy has been mentioned in other posts, and it is an excellent program. Its TEA TIMER real-time protection feature is what will protect you against hijackers, etc. TeaTimer alerts you and asks your permission any time anything tries to change your registry, startup, homepage, etc., and blocks the change until you allow or deny it.

Spybot Search & Destroy detects and cleans malware from your PC very well, and I personally have had it block adware bundled with a legit program: it allowed the legit program to install while it totally stopped the bundled WhenU Save adware from attempting to install.

Another useful site with lots of info on a variety of threats is:
http://temerc.com/hddncounttuts.html
Adware, malware, spyware and hijacker help, discussions and information
Temerc Ultimate Countermeasures Page

I hope that with the information I've given you, you'll be able to find and remove the hijacker/rogue that's causing your problems. If not, posting a HJT log here will greatly help people who are good at reading HJT logs identify your malware.
0
 

Author Comment

by:tsubasa74j
ID: 22841656
My HijackThis log. Two considerations: too many HKU reg keys about ctfmon, and 4 entries about the Microsoft start and search page.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\documents and settings\utente1\impostazioni locali\dati applicazioni\wugsscm.exe
C:\Programmi\Microsoft Office\OFFICE11\WINWORD.EXE
C:\D\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60327
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Programmi\ThinkVantage Fingerprint Software\launcher.exe" /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Motorola PcSync] "C:\Programmi\Motorola\Motorola PcSync\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Programmi\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [wugsscm] "c:\documents and settings\utente1\impostazioni locali\dati applicazioni\wugsscm.exe" wugsscm
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Programmi\Spyware Terminator\sp_rsser.exe

0
 

Author Comment

by:tsubasa74j
ID: 22841662
Another consideration: xpnetdiag.exe (uhm!!!) why?
0
 
LVL 4

Expert Comment

by:smittyboom
ID: 22841933
C:\documents and settings\utente1\impostazioni locali\dati applicazioni\wugsscm.exe
O4 - HKCU\..\Run: [wugsscm] "c:\documents and settings\utente1\impostazioni locali\dati applicazioni\wugsscm.exe" wugsscm
0
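One way to do the kind of HJT log triage the accepted solution describes, and that smittyboom's comment above did by eye, as an added example that is not from the thread: a small Python script that flags O4 autostart entries whose executable lives in a user profile directory and R0/R1 entries whose URL host is not a stock Microsoft one. The sample lines are constructed from the log posted above; a flag on crawler.com only means "non-default, verify it belongs to software you installed" (Crawler.com is the vendor of the Spyware Terminator service in that same log).

```python
import re
from urllib.parse import urlparse

# Constructed sample, modelled on the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60327
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Programmi\ThinkVantage Fingerprint Software\launcher.exe" /startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [wugsscm] "c:\documents and settings\utente1\impostazioni locali\dati applicazioni\wugsscm.exe" wugsscm
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
"""

# R0/R1: IE start/search settings; O4: autostart (Run/RunOnce) entries.
R_RE = re.compile(r"^R[01] - (?P<key>.+?) = (?P<url>\S+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Hosts IE points at on a stock XP install; anything else is "verify this is yours".
DEFAULT_HOSTS = {"go.microsoft.com", "www.microsoft.com"}
# Installed programs live under Program Files/Windows; an autostart executable
# sitting inside a user profile (Documents and Settings, Users) deserves a look.
PROFILE_RE = re.compile(r"\\(documents and settings|users)\\")

def exe_path(cmd):
    """Return the lower-cased executable path from an O4 command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end].lower() if end > 0 else cmd.lower()
    return cmd.split()[0].lower() if cmd else ""

def triage(log_text):
    """Return (section, item, detail) tuples for entries worth a manual look."""
    findings = []
    for line in log_text.splitlines():
        m = R_RE.match(line)
        if m:
            host = (urlparse(m.group("url")).hostname or "").lower()
            if host not in DEFAULT_HOSTS:
                findings.append(("R", m.group("key").rsplit(",", 1)[-1], host))
            continue
        m = O4_RE.match(line)
        if m:
            exe = exe_path(m.group("cmd"))
            if PROFILE_RE.search(exe):
                findings.append(("O4", m.group("name"), exe))
    return findings

if __name__ == "__main__":
    for section, item, detail in triage(SAMPLE_LOG):
        print(f"[{section}] {item}: {detail}")
```

Entries it prints are candidates for the online HJT readers linked in the accepted solution, not a verdict; legitimate software can also autostart from a profile directory.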
 

Author Comment

by:tsubasa74j
ID: 22869962
I was thinking the same thing!
I'll kill the process and I'll use HijackThis!
I'll give you the result tomorrow!
0
 

Author Comment

by:tsubasa74j
ID: 23036990
It's an SQL process, so no problem on this process.
My antivirus, GData, has found this virus:
Virus: VBS:Malware-gen
address: it.powerfulvirusremover2008.com
GData often shows a page that blocks known phishing web pages, but it always shows it to me.
Is there a way to delete it definitively?
0
