| Thread ID: 137450 | 2014-07-10 03:25:00 | Plagued by Pop-up ads and unwanted webpage redirects | Bob Kessler (9895) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 1378888 | 2014-07-10 03:25:00 | For the past few weeks I have been experiencing numerous pop-up ads as well as being transferred to advertising web pages I did not click on. This has been happening on a wide variety of websites including this one - but I have never noted it while on secure sites. I use Mozilla Firefox (at latest level 30), Windows XP (at latest/final level), Microsoft Security Essentials (updated daily), and a D-Link wired router. I have examined my Startup list using Windows Msconfig and the free program Starter.exe and see nothing obviously wrong. I have run MalwareBytes and SpyBot S&D and removed/quarantined the few files each recommended, and no improvement has resulted. I have tried to run Ad-Aware (2009 Anniversary Edition) but get a message saying "Failed to connect to service". I have now run HijackThis and examined the results, but am afraid to repair/delete any of the long list of entries it provides. Most seem valid but there are quite a few I don't understand. The program advises against removing files without knowing what they are and suggests turning to experts for help. So this is that call for Help! I hope someone will respond with advice and assistance. I will provide the resulting Logfile if told how to attach it to this thread. |
Bob Kessler (9895) | ||
| 1378889 | 2014-07-10 03:34:00 | Post the HijackThis log here and we'll see what's in it. Just copy and paste the log. No need to attach it. | Speedy Gonzales (78) | ||
| 1378890 | 2014-07-10 03:47:00 | You'll find there are infections deep in the reg, some will be hiding. Some won't be seen by HijackThis either. Download and run RogueKiller (www.bleepingcomputer.com) - while at that site, scroll down and download/run AdwCleaner, and while at it, get Junkware Removal Tool. The download links are dark blue, e.g. "Download Now @ Author's Site" (some may be worded differently), but they will be the dark blue buttons. |
wainuitech (129) | ||
| 1378891 | 2014-07-10 04:05:00 | Hi Speedy! Following is the logfile - hope you get it as I tried copy/pasting it to an earlier attempt to input a new thread - but it never appeared in the F1 listing??? So here goes. PS: I've deleted/quarantined one suspect since this logfile was created - it's the one titled 'realdEaal' in the O2 - BHO section - but it didn't help.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:06:47 a.m., on 9/07/2014
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.21376)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = search.findwide.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com
O2 - BHO: SoFtCoUp - {26AF35F3-63F5-9636-BC0A-449B61692878} - C:\Documents and Settings\All Users\Application Data\SoFtCoUp\lnY8.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: realdEaal - {BF72EE88-5961-26A9-7A44-E8B421137F56} - C:\Documents and Settings\All Users\Application Data\realdEaal\QnNc3.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start www.avg.com BWAFUAVwAtAEUAVwAwAFYAQQAtAFUAVQAzAFgATAAtAEYARQBXADkANwA"&"inst=NwA3AC0ANAAxADcANgA0ADAAMAAxADQALQBUADIALQBCAEEAKwAxAC0ASwBWADMAKwA3AC0AWABMACsAMQAtAEIAQQBSADkARwArADEALQBUAEIAOQArADIALQBGAEwAKwA5AC0ARgA5AE0AKwAxAC0ARgA5AE0ANwBCACsANQAtAFgATwAzADYAKwAxAA"&"prod=90"&"ver=9.0.872
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
O4 - HKCU\..\Run: [Gadwin PrintScreen] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Google Update] "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [AutoLaunch] C:\Program Files\Lavasoft\Ad-Aware\AutoLaunch.exe monthly (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [AutoLaunch] C:\Program Files\Lavasoft\Ad-Aware\AutoLaunch.exe monthly (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - go.microsoft.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - housecall65.trendmicro.com
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - support.microsoft.com
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - picasaweb.google.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - www.update.microsoft.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - a840.g.akamai.net
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - www-secure.symantec.com
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - www-secure.symantec.com
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: c:\docume~1\alluse~1\applic~1\perfor~1\perfor~1.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Skype C2C Service - Skype Technologies S.A. - C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe

--
End of file - 10323 bytes |
Bob Kessler (9895) | ||
| 1378892 | 2014-07-10 04:09:00 | Hi again Speedy, I just 'Quick replied' the logfile to you but wonder if you'll get it as I received the same response - something like 'has to await a moderator' I got last week on the entry I made that never showed up!! |
Bob Kessler (9895) | ||
| 1378893 | 2014-07-10 04:16:00 | ?? Can't see anything here. Quick reply should end up in here, not to me. Umm, what you can do, although you can't send me a PM until you're up to 10 posts: get TeamViewer (http://www.teamviewer.com), install or run it, select personal underneath. It'll give you an ID and password. Since you can't send PMs yet, give me the ID and password in a reply, and I can check your system from here. Don't worry, you'll see what I'm doing. |
Speedy Gonzales (78) | ||
| 1378894 | 2014-07-10 05:12:00 | Forums anti-spam picked it up coz of the links, and coz you have under X amount of posts. I've approved the post now though :) | Chilling_Silence (9) | ||
| 1378895 | 2014-07-10 05:32:00 | Hmm, I see it now. You can run HijackThis again, then tick these, then tick "fix checked". Or, with the startup entries, get CCleaner (http://www.ccleaner.com), run it (click on Advanced to opt out of Google Chrome), then go to Tools / Startup, highlight the startup entries and either disable or delete them:
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start www.avg.com BWAFUAVwAtAEUAVwAwAFYAQQAtAFUAVQAzAFgATAAtAEYARQBXADkANwA"&"inst=NwA3AC0ANAAxADcANgA0ADAAMAAxADQALQBUADIALQBCAEEAKwAxAC0ASwBWADMAKwA3AC0AWABMACsAMQAtAEIAQQBSADkARwArADEALQBUAEIAOQArADIALQBGAEwAKwA5AC0ARgA5AE0AKwAxAC0ARgA5AE0ANwBCACsANQAtAFgATwAzADYAKwAxAA"&"prod=90"&"ver=9.0.872
If AVG has been uninstalled, get the removal tool (www.avg.com) and it'll remove the rest of it.
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
This may have something to do with it:
O20 - AppInit_DLLs: c:\docume~1\alluse~1\applic~1\perfor~1\perfor~1.dll
After you do the above, close browsers then run CCleaner again so it'll remove temp files etc. See if a file called sprotector.exe is running. If it is, kill it. |
Speedy Gonzales (78) | ||
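A way to check a HijackThis log for the same classes of entry Speedy picked out above (the O2 BHOs loading from All Users\Application Data, the orphaned O3 toolbar, the RunOnce that shells out to cmd.exe, the hijacked Default_Page_URL, and the O20 AppInit_DLLs line), added here as an example; it is not part of the thread and not HijackThis's own code. The sample lines are copied from the log Bob posted; the trusted-domain suffixes and the data-directory markers are my own assumptions, and a real triage would still check each flagged file by hand.

```python
"""Triage a HijackThis log for the entry types discussed in the thread.

Added example, not part of the forum thread and not HijackThis code. The
sample lines are copied from the posted log (one entry per line); the
heuristics, TRUSTED_HOST_SUFFIXES and DATA_DIR_MARKERS are assumptions.
"""
import re

# Constructed sample: entries lifted from the posted log. The forum extract
# had "http://" stripped from the R0/R1 values, so bare hostnames are accepted.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = search.findwide.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com
O2 - BHO: SoFtCoUp - {26AF35F3-63F5-9636-BC0A-449B61692878} - C:\Documents and Settings\All Users\Application Data\SoFtCoUp\lnY8.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: realdEaal - {BF72EE88-5961-26A9-7A44-E8B421137F56} - C:\Documents and Settings\All Users\Application Data\realdEaal\QnNc3.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start www.avg.com BWAFUAVwAtAEUAVwAw"&"prod=90
O20 - AppInit_DLLs: c:\docume~1\alluse~1\applic~1\perfor~1\perfor~1.dll
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe
"""

LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")

# Assumption: a browser default page pointing anywhere but these hosts is
# treated as a hijack (OEM builds may legitimately use other hosts).
TRUSTED_HOST_SUFFIXES = ("microsoft.com", "msn.com")

# Assumption: legitimate BHOs install under Program Files or system32; a DLL
# loaded from a per-user or All Users data directory deserves a look.
DATA_DIR_MARKERS = ("\\application data\\", "\\applic~1\\", "\\local settings\\", "\\temp\\")


def parse_hjt(text):
    """Return (section, body) pairs for every R/F/O line in the log."""
    entries = []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def host_of(value):
    """Hostname of a URL; bare hostnames (as in the forum extract) pass through."""
    value = value.strip().lower()
    for scheme in ("http://", "https://"):
        if value.startswith(scheme):
            value = value[len(scheme):]
    return value.split("/", 1)[0]


def triage(entries):
    """Apply the heuristics; returns a (reason, body) pair per flagged entry."""
    findings = []
    for section, body in entries:
        low = body.lower()
        if section in ("R0", "R1"):
            host = host_of(body.split("=", 1)[-1])
            if host and host != "about:blank" and not host.endswith(TRUSTED_HOST_SUFFIXES):
                findings.append(("home/search page redirected", body))
        elif section == "O2":
            if any(marker in low for marker in DATA_DIR_MARKERS):
                findings.append(("BHO loading from a data directory", body))
        elif section in ("O3", "O4"):
            if "(no file)" in low:
                findings.append(("orphaned entry, target missing", body))
            elif "cmd.exe" in low:
                findings.append(("autorun that launches cmd.exe", body))
        elif section == "O20" and low.startswith("appinit_dlls:"):
            # AppInit_DLLs is loaded by every process that maps user32.dll,
            # which is why one entry here can affect every browser on the box.
            if low.split(":", 1)[1].strip():
                findings.append(("AppInit_DLLs set", body))
    return findings


if __name__ == "__main__":
    for reason, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{reason}] {body}")
```

Run as-is it prints the six flagged sample lines and stays quiet on the Spybot BHO, the Security Essentials autorun and the Skype service; pass a saved log to parse_hjt to run it over a real one. O20 gets its own rule because, on XP, any DLL listed in AppInit_DLLs is mapped into every process that loads user32.dll, so it explains redirects that survive the BHO clean-up and should be cleared before judging whether the O2 removals worked.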
| 1378896 | 2014-07-10 06:55:00 | Hi Speedy, Thanks very much for your 'speedy' - and thorough - response. I followed your advice:
1. Reran HijackThis and fixed the 10 entries you listed
2. Downloaded and ran the AVG removal program - it took 3 restarts to complete
3. Ran CCleaner - removed 430MB of stuff
4. Checked for sprotector.exe using Task Manager - no sign of it running
Not sure what you mean by 'startup entries' but assume you mean it as an alternative to using HijackThis - so did not pursue. Then tried Firefox again. Connected to the CNET downloads page (one that has been failing in the past). And, unfortunately, it still does! It opens correctly, but within a minute or so it is overloaded by other sites, this time a sports page, but it has been different pages on other occasions. Do you want to see an updated HijackThis log - or (hopefully) do you have more tricks up your sleeve?? Cheers, Bob Kessler |
Bob Kessler (9895) | ||
| 1378897 | 2014-07-10 07:02:00 | Thank you for your suggestions wainuitech - I'll give them a go along with the advice from Speedy Gonzales and will reply with outcomes asap. | Bob Kessler (9895) | ||