FireFox and IE drown my PC with Bad URL popups
Re: FireFox and IE drown my PC with Bad URL popups

Posted by wojmur » December 20th, 2009, 5:26 pm

All done :). Problem is still there :(. Requested logs follow.

Cheers,
-Wojtek
wojmur
Regular Member
 
Posts: 41
Joined: December 1st, 2009, 6:38 am
Location: down the hill past police academy

combofix log.txt

Posted by wojmur » December 20th, 2009, 5:27 pm

ComboFix 09-12-19.03 - rodzice 21/12/2009 7:55.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.2047.1570 [GMT 11:00]
Running from: c:\documents and settings\rodzice\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 091220-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\EventSystem.log
c:\windows\system32\Cache

.
((((((((((((((((((((((((( Files Created from 2009-11-20 to 2009-12-20 )))))))))))))))))))))))))))))))
.

2009-12-20 20:34 . 2009-12-20 20:34 -------- d-----w- c:\program files\ERUNT
2009-12-18 10:38 . 2009-12-18 10:38 -------- d-----w- c:\documents and settings\rodzice\Application Data\Malwarebytes
2009-12-18 10:38 . 2009-12-03 05:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-18 10:38 . 2009-12-18 10:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-18 10:38 . 2009-12-18 10:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-18 10:38 . 2009-12-03 05:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-15 07:11 . 2009-12-15 07:11 139152 ----a-w- c:\documents and settings\rodzice\Application Data\PnkBstrK.sys
2009-12-15 07:11 . 2009-12-15 07:12 794408 ----a-w- c:\windows\system32\pbsvc(2).exe
2009-12-13 20:55 . 2009-12-13 20:55 -------- d-----w- c:\program files\Java
2009-12-13 20:42 . 2009-12-13 20:42 -------- d-----w- c:\documents and settings\rodzice\Application Data\Foxit
2009-12-13 20:40 . 2009-12-13 20:40 -------- d-----w- c:\program files\Foxit Software
2009-12-10 05:51 . 2009-10-21 05:38 75776 -c----w- c:\windows\system32\dllcache\strmfilt.dll
2009-12-10 05:51 . 2009-10-21 05:38 25088 -c----w- c:\windows\system32\dllcache\httpapi.dll
2009-12-10 05:51 . 2009-10-20 16:20 265728 -c----w- c:\windows\system32\dllcache\http.sys
2009-12-10 05:49 . 2009-10-12 13:38 149504 -c----w- c:\windows\system32\dllcache\rastls.dll
2009-12-10 05:49 . 2009-10-12 13:38 79872 -c----w- c:\windows\system32\dllcache\raschap.dll
2009-12-10 05:43 . 2009-10-13 10:30 270336 -c----w- c:\windows\system32\dllcache\oakley.dll
2009-12-08 07:27 . 2009-12-08 07:27 -------- d-----w- C:\rsit
2009-12-01 10:48 . 2009-12-01 10:48 -------- d-----w- c:\program files\Trend Micro
2009-11-21 08:54 . 2009-11-21 08:54 -------- d-----w- c:\program files\QuickTime
2009-11-21 08:30 . 2009-11-21 08:31 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2009-11-21 08:30 . 2009-11-21 08:31 -------- d-----w- c:\program files\DVDVideoSoft
2009-11-21 08:25 . 2009-11-21 08:25 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-20 21:34 . 2009-11-20 21:34 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-20 20:29 . 2006-06-11 10:44 -------- d-----w- c:\program files\Blue Coat K9 Web Protection
2009-12-16 09:48 . 2009-11-13 21:59 -------- d-----w- c:\program files\SpeedFan
2009-12-14 02:09 . 2009-11-18 08:49 -------- d-----w- c:\program files\RealFlightG3
2009-12-13 20:55 . 2009-10-26 11:51 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-13 20:33 . 2008-03-05 20:00 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-09 11:56 . 2009-10-01 08:38 -------- d-----w- c:\program files\Line Adventures
2009-12-07 05:53 . 2006-10-15 20:47 -------- d-----w- c:\program files\RealFlight G3 Demo
2009-11-30 10:26 . 2008-06-23 09:05 -------- d-----w- c:\documents and settings\bartek\Application Data\U3
2009-11-24 23:54 . 2006-06-11 09:50 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2006-06-11 09:51 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2006-06-11 09:51 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:50 . 2008-04-07 09:32 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2008-04-07 09:32 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2006-06-11 09:51 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2006-06-11 09:51 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2006-06-11 09:51 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2006-06-11 09:50 97480 ----a-w- c:\windows\system32\AVASTSS.scr
2009-11-23 17:05 . 2009-11-23 12:26 664 ----a-w- c:\documents and settings\bartek\Local Settings\Application Data\d3d9caps.tmp
2009-11-21 08:54 . 2008-02-17 00:21 -------- d-----w- c:\program files\Common Files\Apple
2009-11-19 11:16 . 2009-11-19 11:13 -------- d-----w- c:\documents and settings\All Users\Application Data\NexonUS
2009-11-19 11:16 . 2009-11-19 11:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Nexon
2009-11-19 11:13 . 2009-11-19 11:13 90112 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
2009-11-19 11:13 . 2009-11-19 11:13 393216 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll
2009-11-19 11:13 . 2009-11-19 11:13 258352 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\unicows.dll
2009-11-19 11:13 . 2009-11-19 11:13 118784 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\nxgameus.dll
2009-11-19 11:13 . 2009-11-19 11:11 -------- d-----w- c:\program files\Nexon
2009-11-19 11:13 . 2009-11-19 11:13 561152 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll
2009-11-19 11:13 . 2009-11-19 11:13 167936 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGM.exe
2009-11-19 03:37 . 2009-11-19 03:37 -------- d-----w- c:\program files\ProcessMonitor
2009-11-18 09:09 . 2006-10-15 20:47 -------- d-----w- c:\program files\Common Files\KnifeEdge
2009-11-09 10:10 . 2009-11-09 10:10 106496 ----a-r- c:\documents and settings\rodzice\Application Data\Microsoft\Installer\{7EEA397D-3E3D-4C60-8585-DC897C8D36E0}\NewShortcut11_A6A6CD1325034D31BF37376961FDF28E.exe
2009-11-09 10:10 . 2009-11-09 10:10 106496 ----a-r- c:\documents and settings\rodzice\Application Data\Microsoft\Installer\{7EEA397D-3E3D-4C60-8585-DC897C8D36E0}\NewShortcut1_1BDBC422ED094C568457884B64FA9C98.exe
2009-11-09 10:10 . 2009-11-09 10:10 106496 ----a-r- c:\documents and settings\rodzice\Application Data\Microsoft\Installer\{7EEA397D-3E3D-4C60-8585-DC897C8D36E0}\ARPPRODUCTICON.exe
2009-11-09 10:10 . 2009-11-09 10:10 -------- d-----w- c:\program files\RealFlight G4 Demo
2009-11-05 10:20 . 2005-07-08 00:41 27816 ----a-w- c:\documents and settings\bartek\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-29 07:45 . 2001-08-23 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-28 08:04 . 2009-10-28 08:04 81 ----a-w- C:\CTX.DAT
2009-10-27 23:38 . 2009-10-27 23:31 48873208 ----a-w- c:\documents and settings\bartek\Application Data\LEGO Company\LEGO Digital Designer\setupLDD-PC-3_0_9.exe
2009-10-26 10:37 . 2009-06-08 11:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Corporation
2009-10-26 10:34 . 2008-07-07 06:46 -------- d-----w- c:\program files\Atari
2009-10-26 10:30 . 2007-07-11 10:01 -------- d-----w- c:\program files\FreeRIP3
2009-10-21 05:38 . 2005-02-09 20:03 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38 . 2005-02-09 20:03 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-20 16:20 . 2005-02-09 20:03 265728 ------w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2001-08-23 12:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2001-08-23 12:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2001-08-23 12:00 79872 ----a-w- c:\windows\system32\raschap.dll
2004-03-11 02:27 . 2006-01-16 12:16 40960 ----a-w- c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AtiPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-04-21 335872]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2005-08-18 113152]
"OEM03Mon.exe"="c:\windows\OEM03Mon.exe" [2007-05-18 36864]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 196608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-12 69632]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-13 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\rodzice\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-9-19 576000]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 SI3112r;Silicon Image SiI 3512 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [28/06/2008 6:04 PM 116264]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [7/04/2008 8:32 PM 114768]
R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [14/01/2009 10:39 AM 72992]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/04/2008 8:32 PM 20560]
R2 bckwfs;Blue Coat K9 Web Protection;c:\program files\Blue Coat K9 Web Protection\k9filter.exe [29/03/2006 2:29 AM 1078560]
R3 OEM03Afx;Provides a software interface to control audio effects of OEM003 camera.;c:\windows\system32\drivers\OEM03Afx.sys [8/06/2007 2:00 AM 141376]
R3 OEM03Vfx;Creative Camera OEM003 Video VFX Driver;c:\windows\system32\drivers\OEM03Vfx.sys [5/03/2007 7:45 PM 7424]
R3 OEM03Vid;Creative Camera OEM003 Driver;c:\windows\system32\drivers\OEM03Vid.sys [25/04/2007 2:00 AM 235808]
S3 ATIVRVXX;ATI Rage Theatre Video (ATIRTCAP);c:\windows\system32\drivers\atirtcap.sys [10/02/2005 9:54 AM 49920]
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\rodzice\Application Data\Mozilla\Firefox\Profiles\7v9b78y8.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-ALUAlert - c:\program files\Symantec\LiveUpdate\ALUNotify.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-21 08:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A6CF369]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9f00852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
NDIS: Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet Controller -> SendCompleteHandler -> NDIS.sys @ 0xb9d97bb0
PacketIndicateHandler -> NDIS.sys @ 0xb9da4a21
SendHandler -> NDIS.sys @ 0xb9d8287b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-117609710-261478967-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:d2,30,b8,2d,2b,bb,35,4e,e2,cb,18,06,95,6e,3e,1b,c6,6c,04,0a,5b,f8,10,
88,92,e2,24,2f,05,0b,b9,e8,a8,f2,8e,7d,fc,f6,d6,7f,02,cc,32,cb,5b,57,4d,ee,\
"??"=hex:fe,c7,7b,27,fc,5b,58,08,33,6c,42,33,39,0b,95,e2
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(916)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(980)
c:\windows\system32\WININET.dll
.
Completion time: 2009-12-21 08:13:39
ComboFix-quarantined-files.txt 2009-12-20 21:13

Pre-Run: 26,792,292,352 bytes free
Post-Run: 26,988,146,688 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Professional" /Fastdetect
multi(0)disk(0)rdisk(2)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 77AA11CC144757D12FACD40358B813B9

hijackthis.log

Posted by wojmur » December 20th, 2009, 5:28 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:24:14 AM, on 21/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\OEM03Mon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [OEM03Mon.exe] C:\WINDOWS\OEM03Mon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = T:\Temp\{3A474798-9801-442C-9F23-8326CF1624D4}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d ... o-eula.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 6026906781
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Blue Coat K9 Web Protection (bckwfs) - Unknown owner - C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe

--
End of file - 6477 bytes

Re: FireFox and IE drown my PC with Bad URL popups

Posted by wojmur » December 20th, 2009, 8:13 pm

Just looking through these logs myself, not really understanding that much of it, but a thought just occurred to me. Not long before the symptoms started I installed a new online game on this PC: Nexon's "Combat Arms". I believe one of the recent updates for this game included some browser add-ons, to enable web-based game start. I'm not using that feature, it's horribly cumbersome. I only start the game locally. But, maybe, the browser add-ons are causing all this. I could, perhaps, try disabling these add-ons to see if anything changes. What do you think?

-Wojtek

Re: FireFox and IE drown my PC with Bad URL popups

Posted by Dakeyras » December 20th, 2009, 8:21 pm

Hi. :)

Do you use a Router at all?

What you mentioned about the Add-ons is something I have in mind concerning a reset of the browsers used. I would just like to check something else first as follows:-

Please download SystemLook from one of the links below and save it to your Desktop.

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    CLASSPNP.SYS
    ACPI.sys
    atapi.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
Dakeyras
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

SystemLook.txt

Posted by wojmur » December 21st, 2009, 3:11 am

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 18:03 on 21/12/2009 by rodzice (Administrator - Elevation successful)

========== filefind ==========

Searching for "CLASSPNP.SYS"
C:\WINDOWS\$NtServicePackUninstall$\classpnp.sys -----c 49664 bytes [14:08 09/09/2008] [12:14 03/08/2004] D86173B401470F06D9810F7962969DDF
C:\WINDOWS\ServicePackFiles\i386\classpnp.sys ------ 49536 bytes [20:02 09/02/2005] [19:16 13/04/2008] FE47DD8FE6D7768FF94EBEC6C74B2719
C:\WINDOWS\system32\drivers\classpnp.sys --a--- 49536 bytes [12:00 23/08/2001] [19:16 13/04/2008] FE47DD8FE6D7768FF94EBEC6C74B2719

Searching for "ACPI.sys"
C:\WINDOWS\$NtServicePackUninstall$\acpi.sys -----c 187776 bytes [14:08 09/09/2008] [12:07 03/08/2004] A10C7534F7223F4A73A948967D00E69B
C:\WINDOWS\ServicePackFiles\i386\acpi.sys ------ 187776 bytes [20:01 09/02/2005] [18:36 13/04/2008] 8FD99680A539792A30E97944FDAECF17
C:\WINDOWS\system32\drivers\acpi.sys --a--- 187776 bytes [12:00 23/08/2001] [18:36 13/04/2008] 8FD99680A539792A30E97944FDAECF17

Searching for "atapi.sys"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [14:08 09/09/2008] [11:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [21:10 20/12/2009] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [20:02 09/02/2005] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [12:00 23/08/2001] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys --a--- 86656 bytes [12:24 09/02/2005] [12:00 23/08/2001] A64013E98426E1877CB653685C5C0009

-=End Of File=-
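The check Dakeyras is running with SystemLook (compare the MD5 of the live driver with the backup copies Windows keeps) can be automated. The script below is an added example, not something posted in the thread or shipped with SystemLook: it parses the :filefind output, picks out the live copy under system32\drivers and compares its MD5 and size with every backup copy. The atapi.sys block in the sample input is the one posted above; the example.sys block and its hashes are constructed to show what a patched driver looks like in the same format.

```python
"""Added example (not from the thread): cross-check a SystemLook :filefind log.

For each searched file name, compare the MD5 of the live driver under
\system32\drivers\ against the backup copies Windows keeps (ServicePackFiles\i386,
the ERDNT cache, $NtServicePackUninstall$, ReinstallBackups). A live driver
whose MD5 matches none of them is the usual fingerprint of a driver patched
in place, which is why a helper asks for exactly these files after an MBR
rootkit scan lists their driver objects.
"""
import re

SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"')
# Entry layout: path  attrs(6 chars)  size bytes  [created]  [modified]  MD5
ENTRY_RE = re.compile(
    r'^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes'
    r'\s+\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]'
    r'\s+(?P<md5>[0-9A-Fa-f]{32})\s*$'
)
LIVE_DIR = "\\system32\\drivers\\"
# On XP SP3 the Service Pack cache holds the authoritative copy.
REFERENCE_DIR = "\\servicepackfiles\\i386\\"


def parse_systemlook(text):
    """Return {lower-cased file name: [entry dicts]} from a :filefind log."""
    results = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            current = m.group("name").lower()
            results.setdefault(current, [])
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            results[current].append(entry)
    return results


def check_driver(entries):
    """Compare the live copy of one file with every backup copy."""
    live = [e for e in entries if LIVE_DIR in e["path"].lower()]
    backups = [e for e in entries if LIVE_DIR not in e["path"].lower()]
    if not live:
        return {"status": "no-live-copy", "matches": []}
    if not backups:
        return {"status": "no-backups", "matches": []}
    live_md5, live_size = live[0]["md5"], live[0]["size"]
    matches = [b["path"] for b in backups if b["md5"] == live_md5]
    if any(REFERENCE_DIR in p.lower() for p in matches):
        status = "ok"                # identical to the SP cache copy
    elif matches:
        status = "ok-older-copy"     # matches a pre-SP backup only
    else:
        status = "suspect"           # matches nothing Windows has on disk
    reference = [b for b in backups if REFERENCE_DIR in b["path"].lower()]
    return {"status": status, "live_md5": live_md5, "live_size": live_size,
            "matches": matches,
            "size_mismatch": any(b["size"] != live_size for b in reference)}


def audit(text):
    """Run the comparison for every file name in the log."""
    return {name: check_driver(entries)
            for name, entries in parse_systemlook(text).items()}


# atapi.sys block copied from the SystemLook log posted in this thread; the
# example.sys block (name and hashes) is constructed to show a patched driver.
SAMPLE_LOG = r"""
Searching for "atapi.sys"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [14:08 09/09/2008] [11:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [20:02 09/02/2005] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [12:00 23/08/2001] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

Searching for "example.sys"
C:\WINDOWS\ServicePackFiles\i386\example.sys ------ 96512 bytes [20:02 09/02/2005] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\example.sys ------ 96512 bytes [12:00 23/08/2001] [18:40 13/04/2008] 00000000000000000000000000000000
"""

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_LOG).items():
        print(f"{name}: {verdict['status']}  matches={verdict['matches']}")
```

A live copy that matches the ServicePackFiles\i386 reference is the expected result on XP SP3; the $NtServicePackUninstall$ copy is the older SP2 build and is supposed to differ, which is why it is not treated as the reference. One caveat: the MD5 in the log is computed through the running kernel, so a driver-level hook that filters disk reads can hand user mode clean bytes. The Gmer MBR scan posted earlier looks for that kind of hook from the kernel side, so the two checks are complementary rather than interchangeable.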

Re: FireFox and IE drown my PC with Bad URL popups

Posted by Dakeyras » December 21st, 2009, 4:16 am

Hi. :)

Do you use a Router at all?
Yes or no?

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

C:\windows\system32\pbsvc(2).exe
C:\documents and settings\rodzice\Application Data\PnkBstrK.sys

Then empty the Recycle Bin.

Reset IE8:

  • Please download this Microsoft FixIt and save it to the desktop.
  • Double click on MicrosoftFixit50195.exe select I Agree and click on Next.
  • Follow the on-screen prompts.
  • You may delete MicrosoftFixit50195.exe when finished and/or keep it if any problems in the future with IE8.
  • Next time IE8 is launched you will be prompted to reapply settings again, this is normal.

Note: Any add-ons will require to be reapplied after the above reset.

Reset FireFox:

  • Click on Start >> Run...
  • Enter the following command:
    firefox.exe -safe-mode
  • In the open window, select Reset all preferences to default Firefox.
  • Click on Make the changes and restart.
  • After FireFox restarts click on Check for Updates...

When completed the above, please post back the following:

  • How is your computer performing now? Any problems encountered and or any further symptoms?

Re: FireFox and IE drown my PC with Bad URL popups

Posted by wojmur » December 21st, 2009, 6:19 am

Hello
Do you use a Router at all?
Sorry, missed that :oops: . Yes my PC is on a home network behind a router.

C:\windows\system32\pbsvc(2).exe
C:\documents and settings\rodzice\Application Data\PnkBstrK.sys
Both deleted and Recycle Bin emptied.

IE8 reset. I haven't re-applied any add-ons at this stage. IE popups seem to be gone :cheers: .

Firefox - I haven't found the exact option you listed (perhaps because of my outdated version - 3.0.15 ?). The options I have are
Disable all add-ons
Reset toolbars and controls
Reset bookmarks to Firefox defaults
Reset all user preferences to Firefox defaults
Restore default search engines
Also, I was not sure if you meant for me to actually apply the updates afterwards, or just click on the Check for Updates... and stop. So in the end I left the firefox alone, awaiting your clarifications. The popups in firefox are still there, of course.

Thanks!

Re: FireFox and IE drown my PC with Bad URL popups

Posted by Dakeyras » December 21st, 2009, 3:31 pm

Hi. :)

Run the Reset FireFox procedure again and even though the wording is slightly different select the option for your version:-

Reset all user preferences to Firefox defaults

Then update FireFox after the reset.

As for your Router, reset this also and apply a new admin password. If not sure how to do this, let me know in your next reply the model and exact make in use and I will gladly provide instructions on how to do so.

Re: FireFox and IE drown my PC with Bad URL popups

Posted by wojmur » December 21st, 2009, 4:40 pm

I've reset and upgraded the firefox now. The bad news is the firefox popups are still there.

And, somehow, the IE8 popups came back now again. I use abc.com and bleepingcomputer websites to test it. Yesterday, after resetting IE they kept loading clean in IE8 and not clean in FF. Today both browsers generate popups again.

As for the router, I would appreciate some guidance on how to reset it, though. I presume you don't just mean power cycle, which I've actually done just a few hours ago for other reasons. The model I'm using is Billion BIPAC-743GE, software version 4.58c . I've got a lot of custom settings I'd like to keep (or re-apply), if possible. Things like wireless setup, wireless client MAC filters, custom (schedule based) firewall settings, etc.

I'll change the admin password, though, from my other PC in five minutes.

Thanks for sticking with me
-Wojtek

Re: FireFox and IE drown my PC with Bad URL popups

Posted by Dakeyras » December 21st, 2009, 6:20 pm

Hi. :)

I've reset and upgraded the firefox now. The bad news is the firefox popups are still there.

And, somehow, the IE8 popups came back now again. I use abc.com and bleepingcomputer websites to test it. Yesterday, after resetting IE they kept loading clean in IE8 and not clean in FF. Today both browsers generate popups again.
I think the best thing here would be to disable all Add-Ons with each browser and reapply one at a time with one browser first to determine which specific Add-On is the remaining culprit. Tedious but either that or do not use any at all I'm afraid.

As for the router, I would appreciate some guidance on how to reset it, though. I presume you don't just mean power cycle, which I've actually done just a few hours ago for other reasons. The model I'm using is Billion BIPAC-743GE, software version 4.58c . I've got a lot of custom settings I'd like to keep (or re-apply), if possible. Things like wireless setup, wireless client MAC filters, custom (schedule based) firewall settings, etc.
An actual reset will put the Router back to factory defaults and you would most probably need to re-apply all custom settings.

The manual for your Router can be downloaded from this page.

To actually carry out the reset, you will need either a pin or say a paper clip. Look at the rear of the Router and between LAN port 4 and the power socket will be a recessed button. Depress this and hold for around 5-10 seconds then release. It will automatically reset itself.

I'll change the admin password, though, from my other PC in five minutes.
OK.

Thanks for sticking with me
You're welcome!

Host File Reset/Replace:

Please Download HostsXpert and unzip it to your computer, somewhere where you can find it.

The root of the system drive would be an ideal location, e.g. C:\

  • Double click on HostsXpert.exe to launch the programme.
  • Check to see if top button on left hand side says Make Writable?
    • If it does. click on it then proceed to next instruction.
    • If not, just proceed to next instruction
  • Click on Restore MS Hosts File to restore your Hosts file to its default condition
  • When prompted to confirm, click OK.
  • Click on the Download button (lower left hand side)
    • Click on MVPs Hosts... button.
    • Click on Replace button.
    • Press OK in the box that pops up. (HostsXpert will now download and update your Hosts file)
  • When finished.
    • Click on File Handling button.
    • Click on Make Read Only? to secure it against infection.
  • Exit the programme.

When completed the above, please post back the following:

  • How is your computer performing now? Any problems encountered and or any further symptoms?
Dakeyras
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: FireFox and IE drown my PC with Bad URL popups

Unread postby wojmur » December 22nd, 2009, 6:30 am

Hello,

I've now reset the router to factory defaults and reapplied all the necessary settings. Looks like I'm still on-line after that :D

I've done the hosts file as well. The only slight variation was that just after the program started it asked me if I wanted to remove "system" and "hidden" attribs, which I think one of the Mike's scripts put on it. I said "yes" to continue and all followed as per your instructions. Should we re-apply the "hidden/system" flags or leave as is?

Now, back to the problem at hand. Just after finishing up with the hosts file I could still see the popups. But I've rebooted the PC after that, and now the popups seem to have disappeared! Yay! I've tried both IE and FF on several pages that I remember producing the symptoms and this time nothing. Well, not exactly, IE is now reporting some javascript errors, eg on abc.com and majorgeeks. But no popups, and FF is completely fine.

Great!

Thank you so much.

-Wojtek.
wojmur
Regular Member
 
Posts: 41
Joined: December 1st, 2009, 6:38 am
Location: down the hill past police academy

Re: FireFox and IE drown my PC with Bad URL popups

Unread postby Dakeyras » December 22nd, 2009, 7:06 am

Hi. :)

Thank you so much.
You're welcome!

I've done the hosts file as well. The only slight variation was that just after the program started it asked me if I wanted to remove "system" and "hidden" attribs, which I think one of the Mike's scripts put on it. I said "yes" to continue and all followed as per your instructions. Should we re-apply the "hidden/system" flags or leave as is?
The batch file used would have reset the Host File to the Microsoft default which in itself is fine but I suspect the actual Host File was compromised again. So I would leave HostsXpert in-place on your system and since you have used it per my instructions it is now secure.

I would periodically check here for any updates for the Host File and if any use HostsXpert to update it.

Now, back to the problem at hand. Just after finishing up with the hosts file I could still see the popups. But I've rebooted the PC after that, and now the popups seem to have disappeared! Yay! I've tried both IE and FF on several pages that I remember producing the symptoms and this time nothing. Well, not exactly, IE is now reporting some javascript errors, eg on abc.com and majorgeeks. But no popups, and FF is completely fine.
Well the version of Java you are currently using is up to date and even though we have reset it some of the core files with IE may be damaged due to malware so please carry out the following:-

Fix IE Utility:

Please download Fix IE Utility then unzip the file to your desktop.

  • Close all open windows, especially Internet Explorer.
  • Double click on Fix IE Utility to run the application.
  • Now click on the Run Utility button as shown in the image:-
    Image
  • Wait until the following message appears:-
    Image
  • Then click on OK.
  • Restart your machine to see if your Internet Explorer is now working correctly again.

Let myself know if any further issues please, thank you.
Dakeyras
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: FireFox and IE drown my PC with Bad URL popups

Unread postby wojmur » December 22nd, 2009, 7:31 am

Hi again,

I've now run the Fix IE Utility as instructed and restarted the PC. But the IE is still reporting errors on the same pages. It's the little yellow warning exclamation mark in bottom left of IE status bar.

The batch file used would have reset the Host File to the Microsoft default which in itself is fine but I suspect the actual Host File was compromised again.
HostsXpert did show me the file contents just after I started it and I remember it only having 127.0.0.1 entry. Which makes me think (I might be talking nonsense here) that if there was any malware on my PC then adding a list of bad addresses to the hosts file will stop the malware from "calling home" but will not have actually removed that malware. What's your take on this? Sorry, if I'm completely off the mark here, I'm just sort of "thinking aloud".

Cheers,
-Wojtek
wojmur
Regular Member
 
Posts: 41
Joined: December 1st, 2009, 6:38 am
Location: down the hill past police academy

Re: FireFox and IE drown my PC with Bad URL popups

Unread postby Dakeyras » December 22nd, 2009, 8:11 am

Hi. :)

I've now run the Fix IE Utility as instructed and restarted the PC. But the IE is still reporting errors on the same pages. It's the little yellow warning exclamation mark in bottom left of IE status bar.
The only thing I can think of here is the possibility the actual webpages being visited are not fully compatible with IE8. You could try adjusting the Compatibility View settings.

Via Tools >> Compatibility View Settings

A further explanation about this can be found on this Microsoft Page.

Apart from that the only other suggestion I have is because I only provide Anti-Malware support is to ask for specific assistance with this at the below forum:-

Browsers, Internet and email

I am a member of the above forum myself and they have outstanding IT Tech Support Staff.

HostsXpert did show me the file contents just after I started it and I remember it only having 127.0.0.1 entry. Which makes me think (I might be talking nonsense here) that if there was any malware on my PC then adding a list of bad addresses to the hosts file will stop the malware from "calling home" but will not have actually removed that malware. What's your take on this? Sorry, if I'm completely off the mark here, I'm just sort of "thinking aloud".
If you ran HostsXpert as per my instructions you now have the actual MVPS Host File in place of the MS default and this will protect against malicious sites being visited by mistake and will have locked the Host File to prevent any type of malware from compromising it in the future. So de facto this side of your computer's security is now both safe and secure.

So basically a Host File is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your computer will look up the website's IP address before you can view the website.

A Hosts file will replace your current Hosts file with another one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by re-directing these bad sites to 127.0.0.1.

Any further issues before we remove the tools used and I provide some online safety advice?
Dakeyras
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra
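The HostsXpert steps earlier in the thread and the "phone book" explanation above both come down to two checks a helper would want to make on a hosts file: does any line send a familiar name somewhere other than a sinkhole address (the shape of a hosts-file hijack, as opposed to the blocklist lines the MVPS file adds), and is the file actually locked read-only afterwards. The script below is an added example, not a tool from this thread, from HostsXpert or from the MVPS project; the sample hosts text it parses is constructed, and the 203.0.113.5 address comes from the reserved documentation range, so the "hijack" line points nowhere real.

```python
"""Audit a hosts file for hijacked entries and check that it is locked.

Added example (not from the thread, HostsXpert or the MVPS project). It parses
a hosts file, separates loopback and blocklist ("sinkhole") lines from entries
that map a name to a real address, and checks the read-only bit that the
"Make Read Only?" step in HostsXpert sets.
"""
import ipaddress
import os
import stat
from dataclasses import dataclass
from typing import Iterable

# Addresses that blocklist-style hosts files point unwanted domains to.
# Lines using these are sinkholes, not hijacks.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample, not a real hosts file. 203.0.113.0/24 is the
# documentation range, so the last line resolves to nothing real.
SAMPLE_HOSTS = """\
# default loopback entries
127.0.0.1       localhost
::1             localhost
# blocklist-style lines, as the MVPS list adds
0.0.0.0 ad.example.net
0.0.0.0 tracker.example.org
# the kind of line malware adds: a familiar name sent elsewhere
203.0.113.5     update.example.com
"""


@dataclass(frozen=True)
class HostsEntry:
    address: str
    hostname: str
    line_no: int


def parse_hosts(text: str) -> list[HostsEntry]:
    """One HostsEntry per (address, hostname) pair; '#' starts a comment.

    Lines whose first token is not an IP address are skipped, not guessed at.
    """
    entries: list[HostsEntry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue
        entries.extend(HostsEntry(address, n.lower(), line_no) for n in names)
    return entries


def sinkhole_entries(entries: Iterable[HostsEntry]) -> list[HostsEntry]:
    """Blocklist lines: names pointed at loopback or the unspecified address."""
    return [e for e in entries if e.address in SINKHOLE_ADDRESSES]


def suspicious_entries(entries: Iterable[HostsEntry]) -> list[HostsEntry]:
    """Names mapped to a real address, for a human to review.

    A legitimate local entry (a printer, a LAN server) lands here too, so this
    is a review list; the point is that a blocklist never produces such lines,
    while a hosts-file hijack always does.
    """
    return [e for e in entries if e.address not in SINKHOLE_ADDRESSES]


def is_read_only(path: str) -> bool:
    """True when the owner write bit is clear, i.e. the file is locked."""
    return not (os.stat(path).st_mode & stat.S_IWRITE)


def lock_file(path: str) -> bool:
    """Clear the write bits (what "Make Read Only?" does) and confirm the result."""
    mode = os.stat(path).st_mode
    os.chmod(path, mode & ~(stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))
    return is_read_only(path)


def audit(text: str) -> dict:
    """Summarise a hosts file: entry counts plus the lines to review."""
    entries = parse_hosts(text)
    return {
        "entries": len(entries),
        "sinkholed": len(sinkhole_entries(entries)),
        "suspicious": [(e.line_no, e.address, e.hostname)
                       for e in suspicious_entries(entries)],
    }


if __name__ == "__main__":
    report = audit(SAMPLE_HOSTS)
    print(f"{report['entries']} entries, {report['sinkholed']} sinkholed")
    for line_no, address, hostname in report["suspicious"]:
        print(f"line {line_no}: {hostname} -> {address}  (review this)")
```

On a real system you would read the live file (C:\Windows\System32\drivers\etc\hosts on Windows) instead of SAMPLE_HOSTS; a hosts file that consists only of loopback entries plus sinkhole lines is what a clean MVPS install looks like, and anything in the review list is the part worth pasting into a help thread.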