• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 974

popup flood - help!

Hi! When I open IE6, every 2 minutes I get another popup flood window - sometimes it's in Italian, about banks, antispyware etc...
So I use Spyware Terminator with wimclam, but the popups continue to show. Spyware Terminator says that they are dangerous sites and I check the "don't show me again" and "don't go there" options, but they continue to show!
How can I resolve this problem definitively?
PS: the phishing sites are: antyspyware.com and others......
1 Solution
Try Microsoft's anti-spyware software, Windows Defender. I've had good luck with it.


I've used malwarebytes with GREAT success. I would suggest that you download and update it. Then boot into Safe Mode (F8 at startup) and then run the scan.
It's free and you can get it from www.malwarebytes.org
Malware Bytes and www.spybot.com
You can also run HiJackThis and paste the log here.

tsubasa74jAuthor Commented:
Update on the situation: I've noticed that when I type a phrase into Google, for example "ebay", a popup with other bidding sites appears, or, another example, when I type "money", a popup with money or bank sites is shown.
It's like a rootkit virus that monitors my keypresses and launches spam through IE6.
any ideas?
Are you asking what we think or how to get rid of this? It is definitely redirecting your searches using IE 6 and it is probably a combination of a trojan and spyware. You should follow the first 3 posts and get rid of this issue immediately.  
That behavior is typical browser hijacker behavior, although since you mention antispyware, it's also equally possible you're dealing with a rogue (malicious fake) antispyware. Rogues have legitimate-sounding names (XP Antivirus 2008 is one rogue that has been prevalent this summer; its name sounds real. Like most rogues, it pops up Windows alerts and warning windows that look entirely real.) I will give you info on browser hijackers first, and then give you info on rogues and rogue removal.

Open Task Manager and check its processes window.  Anything you see in the processes window that you don't recognize, check here to see what it is and what it does.

Malware often creates processes with names that closely resemble legitimate process names. Some examples I've seen are SPOOL32.EXE and IEXPLORE6.EXE. Some malware uses a legitimate process name; one hijacker I once encountered hid as csrss.exe, which is also a legitimate file, and that particular malware deleted all my antivirus, antispyware etc. app .exe files. I was running Norton Antivirus and Spybot S&D at the time (approximately 2 years ago). I've never seen anything like that malware. It blocked attempts to scan and clean with Housecall and other online scanners I tried. When I tried to reinstall S&D, that malware immediately deleted the exe, denied me access to Task Manager and anything else that I tried to get into to manually remove it. It wiped out all my previous system restore points so I couldn't use System Restore to get rid of it. What it was, I don't know. I submitted my findings to several major antimalware sites but never got any info, and I've only once or twice seen anybody else describe having malware that had these behaviors. That was the nastiest thing I'd ever seen, and the only way I managed to remove it was to move things I wanted to keep to a new HD and then reformat and reinstall the infected HD.

Here is BleepingComputer's step by step tutorial on how to remove browser hijackers.

This page also gives good clear instructions on how to find and remove browser hijackers. It's an older article but valid.

HijackThis is a freeware tool that will greatly help you or someone else who is familiar with reading HJT logs, be able to identify malware processes on your pc.
HijackThis is freeware and can be downloaded here.

Although there are people in many forums including EE, who are willing to read the results of a HJT log for you, you can also use these online readers or download the freeware HijackThis reader.
Online hijack this log analyzers

This is the only HijackThis log analyzer I've ever seen that you can DOWNLOAD and run to analyze HJT logs. And it's FREEWARE. I really like this reader. It opens the analyzed logfiles in a browser window and gives you detailed information on everything in the log.

Hijack Reader can also be downloaded here, and the description here probably is more informative.
Here are some key features of "HijackReader":

· Automatically reads HijackThis logs
· Gives advice on what to fix
· Can output the report to text (txt) or web (html) format
· The web report includes a link, for quick Google searching, based on the object in question
· Requires no installation or DLL files. Does not write any settings to the registry or create any files, unless the user wants it to
· Completely portable. Can be run from a USB-flash drive, CD, etc.
· No internet connection required (unless you want to check things using the Google function)

AnVir Task Manager freeware version has HijackThis included in it and will run and save HJT logs in addition to performing other useful functions. (BTW, AnVir Task Manager and Spybot S&D do not conflict with each other, except that if you run S&D TeaTimer, you will have to give both AnVir AND TeaTimer permission to allow or deny changes anything tries to make to your system!)

Rogues & Rogue Removers
Here is a link to a list of rogue security software where you can check to see if a software is a rogue or not. Most of the rogues have legitimate-sounding names.

There is a LOT of other helpful information, tools, etc at the above link, that will help anyone who is dealing with malware of almost any kind.

More links with good information on rogues:

malwarebytes forum on the most recent rogues

Rogue removal information here.  When you start reading this page, you'll probably be surprised at the extremely legitimate looking names of the rogues.

There is a huge collection of links for tools for detecting and cleaning malware from your pc at this PC Hell page.
Essential Tools for Removing Spyware, Adware, and Malware

Malwarebytes has the Rogue Remover program and the freeware version is very good.

After your system is clean, here are some things to do that will greatly help protect you against threats.

A HOSTS FILE and HOSTFILE MANAGER FREEWARE will also do much to help prevent you from exposure to a lot of malware and hijacker tactics.
Free hostfile manager
freeware hosts file manager and editor

Best free hostsfile list I've seen (available here)
Blocking Unwanted Parasites with a Hosts File

Spybot Search & Destroy has been mentioned in other posts, and it is an excellent program. Its TEA TIMER real-time protection feature is what will protect you against hijackers, etc. Tea Timer alerts you and asks your permission any time anything tries to change your registry, startup, homepage, etc. and blocks the change until you allow the change or deny the change.

Spybot Search & Destroy detects and cleans malware from your PC very well, and I personally have had it block adware bundled with a legit program: it allowed the legit program to install while it stopped the bundled WhenU Save adware totally from attempting to install.

Another useful site with lots of info on a variety of threats is:
Adware, malware, spyware and hijacker help, discussions and information
Temerc Ultimate Countermeasures Page

I hope with the information I've given you, you'll be able to find and remove the hijacker/rogue that's causing your problems.  If not, posting a HJT log here will greatly help people who are good at reading HJT logs, identify your malware.
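The hosts-file advice above (block list plus a manager to keep it current) is easy to get subtly wrong: duplicate entries, names that are not valid hostnames, and hand-written entries silently overwritten by the next update. The script below is an added example, not part of the original thread or of any of the hosts-file tools it links. It keeps the block list inside a marked region so re-running it is idempotent, validates every name, refuses to shadow an entry that was already in the file, and also audits the file for the opposite problem: entries that send a name to a real address, which is what a hijacker that edits the hosts file does. The sample hosts content, the block-list names, the `0.0.0.0` sink and the marker comments are all constructed choices made here.

```python
"""Manage a hosts-file block list and audit the file for hijacked entries.

Added example; not from the original thread or any of the hosts-file tools
it links.  The existing hosts content and the block-list entries used at the
bottom are constructed for illustration.  The sink address and the marker
comments are choices made here, not a convention of any particular tool.
"""
import re

# Syntactically valid hostname: 1-253 chars, labels of [a-z0-9-] that do not
# start or end with '-'.  Single-label names (localhost) are allowed.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]+(?<!-)(\.(?!-)[a-z0-9-]+(?<!-))*$"
)
BEGIN_MARK = "# BEGIN managed blocklist"
END_MARK = "# END managed blocklist"
# Addresses that make a name resolve to "nowhere".  0.0.0.0 fails fast;
# 127.0.0.1 hits any local web server you happen to run.
SINKS = ("0.0.0.0", "127.0.0.1", "::1")


def normalize(name):
    """Lower-case and validate a hostname; return None if it is not usable."""
    name = name.strip().lower().rstrip(".")
    return name if HOSTNAME_RE.match(name) else None


def parse_hosts(text):
    """Return {hostname: ip}; comments and blank lines are ignored."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for n in names:
            mapping[n.lower()] = ip
    return mapping


def merge_blocklist(hosts_text, blocked_names, sink="0.0.0.0"):
    """Rewrite the managed block with `blocked_names`; keep everything else.

    Re-running with the same list leaves the file unchanged, a hand-written
    entry for a name is never shadowed, and invalid names are reported
    instead of being silently written.  Returns (new_text, rejected_names).
    """
    kept, skipping = [], False
    for line in hosts_text.splitlines():
        if line.strip() == BEGIN_MARK:
            skipping = True
            continue
        if line.strip() == END_MARK:
            skipping = False
            continue
        if not skipping:
            kept.append(line)
    existing = parse_hosts("\n".join(kept))

    block, rejected, seen = [BEGIN_MARK], [], set()
    for raw in blocked_names:
        name = normalize(raw)
        if name is None:
            rejected.append(raw)
            continue
        if name in existing or name in seen:
            continue
        seen.add(name)
        block.append(f"{sink} {name}")
    block.append(END_MARK)
    return "\n".join(kept + block) + "\n", rejected


def is_blocked(hosts_text, name):
    """True if `name` resolves to a sink address via this hosts file."""
    return parse_hosts(hosts_text).get(name.lower().rstrip(".")) in SINKS


def suspicious_redirects(hosts_text):
    """Entries that send a name to a real address rather than a sink.

    A hijacker that edits the hosts file typically does exactly this, for
    example to steer security-vendor or bank sites to a server it controls,
    so any such entry you did not write yourself deserves a look.
    """
    return {n: ip for n, ip in parse_hosts(hosts_text).items() if ip not in SINKS}


if __name__ == "__main__":
    # Constructed sample data, not taken from any real machine.
    EXISTING = "127.0.0.1 localhost\n::1 localhost\n"
    BLOCKLIST = ["Ads.Example.com", "popup.example.net", "bad host", "localhost"]
    new_text, bad = merge_blocklist(EXISTING, BLOCKLIST)
    print(new_text)
    print("rejected:", bad)
    print("ads.example.com blocked:", is_blocked(new_text, "ads.example.com"))
    print("redirects:", suspicious_redirects(new_text + "10.1.2.3 www.vendor.example\n"))
```

On Windows XP the file lives at %SystemRoot%\System32\drivers\etc\hosts and is only writable by an administrator; feed the script the current file contents, write the returned text back, and run `suspicious_redirects` on the file before you trust any block list that a tool (or a hijacker) has already put there.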
tsubasa74jAuthor Commented:
My HijackThis log. Two observations: too many HKU registry keys about ctfmon, and four entries about the Microsoft start and search page.

Running processes:
C:\Programmi\Spyware Terminator\sp_rsser.exe
C:\documents and settings\utente1\impostazioni locali\dati applicazioni\wugsscm.exe
C:\Programmi\Microsoft Office\OFFICE11\WINWORD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60327
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Programmi\ThinkVantage Fingerprint Software\launcher.exe" /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Motorola PcSync] "C:\Programmi\Motorola\Motorola PcSync\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Programmi\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [wugsscm] "c:\documents and settings\utente1\impostazioni locali\dati applicazioni\wugsscm.exe" wugsscm
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Programmi\Spyware Terminator\sp_rsser.exe

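The two things the replies above tell you to look for in a HijackThis log are mechanical enough to script: R0/R1 entries whose Start/Search URL points somewhere other than the vendor default, and O4 autoruns or running processes that execute from a per-user data directory instead of Program Files or system32. The script below is an added example, not part of the original thread and not part of HijackThis or any log analyzer it links. `SAMPLE_LOG` is an excerpt of the log posted above; `TRUSTED_SEARCH_HOSTS` and `SUSPICIOUS_PATH_FRAGMENTS` are assumptions chosen for illustration, not rules shipped with any product.

```python
"""Triage a HijackThis (HJT) log for search-page hijacks and autoruns that
execute from a user-profile data directory.

Added example; not from the original thread, HijackThis or any HJT log
analyzer.  SAMPLE_LOG is an excerpt of the log posted in the thread.
TRUSTED_SEARCH_HOSTS and SUSPICIOUS_PATH_FRAGMENTS are assumptions made
here for illustration.
"""
import re
from urllib.parse import urlparse

# Assumption: hosts that may legitimately own IE's Start/Search pages.
# go.microsoft.com is what the untouched HKLM defaults in the posted log use.
TRUSTED_SEARCH_HOSTS = {"go.microsoft.com", "www.microsoft.com", "www.google.com"}

# Assumption: a Run entry or process executing from these per-user
# directories deserves a second look.  English and Italian XP folder names
# are both listed because the posted log is from an Italian install.
SUSPICIOUS_PATH_FRAGMENTS = (
    "\\local settings\\application data\\",
    "\\impostazioni locali\\dati applicazioni\\",
    "\\local settings\\temp\\",
    "\\temp\\",
)

SAMPLE_LOG = r"""Running processes:
C:\Programmi\Spyware Terminator\sp_rsser.exe
C:\documents and settings\utente1\impostazioni locali\dati applicazioni\wugsscm.exe
C:\Programmi\Microsoft Office\OFFICE11\WINWORD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [wugsscm] "c:\documents and settings\utente1\impostazioni locali\dati applicazioni\wugsscm.exe" wugsscm
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
"""

# "R1 - <registry key>,<value> = <url>"
R_LINE = re.compile(r"^(R[01]) - (?P<key>.+?) = (?P<url>\S+)")
# "O4 - <hive>\..\Run: [<name>] <command line>"
O4_LINE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


def command_path(cmd):
    """Executable path from an O4 command line (quoted or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ")[0]


def path_is_suspicious(path):
    """Case-insensitive match against the per-user directory fragments."""
    p = path.lower()
    return any(frag in p for frag in SUSPICIOUS_PATH_FRAGMENTS)


def triage(log_text, trusted_hosts=TRUSTED_SEARCH_HOSTS):
    """Return (kind, subject, detail) findings for an HJT log."""
    findings, in_processes = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        if in_processes:
            if not line:                      # blank line ends the block
                in_processes = False
                continue
            if path_is_suspicious(line):
                findings.append(("process", line, "runs from a per-user data directory"))
            continue
        m = R_LINE.match(line)
        if m:
            url = m.group("url")
            if url.lower().startswith(("http://", "https://")):
                host = (urlparse(url).hostname or "").lower()
                if host not in trusted_hosts:
                    findings.append(("search-hijack", m.group("key"), host))
            continue
        m = O4_LINE.match(line)
        if m:
            path = command_path(m.group("cmd"))
            if path_is_suspicious(path):
                findings.append(("autorun", m.group("name"), path))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in triage(SAMPLE_LOG):
        print(f"{kind:14} {subject}\n{'':14} -> {detail}")
```

A hit is a lead, not a verdict. The posted log's O23 line shows Spyware Terminator's own service is published by Crawler.com, so the crawler.com search entries may be that product's toolbar rather than the source of the popups; an executable with a random-looking name running from "Impostazioni locali\Dati applicazioni" and re-launched from HKCU\..\Run, on the other hand, is exactly the pattern the earlier replies describe and is the entry to submit to a scanner first.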
tsubasa74jAuthor Commented:
another  consideration: xpnetdiag.exe (uhm!!!) why?
C:\documents and settings\utente1\impostazioni locali\dati applicazioni\wugsscm.exe
O4 - HKCU\..\Run: [wugsscm] "c:\documents and settings\utente1\impostazioni locali\dati applicazioni\wugsscm.exe" wugsscm
tsubasa74jAuthor Commented:
i was thinking the same thing!
i'll kill the process and i'll use hijack!
i'll give you result tomorrow!
tsubasa74jAuthor Commented:
It's an SQL process, so no problem with this process.
My antivirus, G DATA, has found this virus:
Virus: VBS:Malware-gen
address: it.powerfulvirusremover2008.com
G DATA often shows a page that blocks known phishing web pages, but it always shows it to me.
Is there a way to delete it definitively?
