what is the bane of pop ups?



Dorprod
11-06-2006, 08:35 AM
I got a problem. I just reinstalled Windows XP totally clean. I have Spybot S&D and Ad-Aware SE. I just got rid of my Internet Explorer and use Mozilla Firefox. I have used Ad-Aware and Spybot 10 times in the past 3 days and got pop-ups and trojans and stuff. Now they won't recognize a different kind of pop-up. I'll be playing World of Warcraft or typing or surfing the web and all of a sudden a voice appears and congratulates me that I have won. He lists off Xbox 360s, cellphones, TVs, all this stuff. Now there is no window when I hear this voice. I close out all programs and he's still talking. I then use Task Manager and there is a list of sites made of gibberish characters and sites that I cannot access. They are invisible. But clearly there. Including creative.adsrevenue.net/default/partnerbudsinc, "PlayO : Dozens of free online flash games. Fad-604." and "Consumerpromotioncenter.com Vacation specials". It's quite annoying. I did HijackThis.exe and nothing appeared, but then again what do I know. I hope someone can help, cause I can tell you the internet sucks for that.

pcuser42
11-06-2006, 08:43 AM
Post the HijackThis log online here. I'm sure Speedy Gonzales (sorry if I spelt your name wrong) will fix it.

Jen
11-06-2006, 09:11 AM
With that much spyware and malware appearing, it suggests you are not using a properly configured firewall. Which one are you using? Have you applied all the service packs and security updates to XP?

Welcome to PressF1 as well :)

drcspy
11-06-2006, 09:26 AM
Yeh, firewall not enabled? ...or it could be Windows Messenger. Go to www.grc.com and download and run 'Shoot The Messenger', then install MSN 7.5 if you need a chat prog...

Dorprod
12-06-2006, 12:33 AM
Logfile of HijackThis v1.99.1
Scan saved at 8:40:05 AM, on 6/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\LSASS.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\System32\algetglesle.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\System32\algetglesle.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\dwwin.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\algetglesle.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Alex.POOPSCOO-N6UJ9H\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Http://www.vvfy.com/movie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Http://www.vvfy.com/movie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Http://www.vvfy.com/movie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = Http://www.vvfy.com/movie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Http://www.vvfy.com/movie
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ToP] C:\WINDOWS\LSASS.exe
O4 - HKLM\..\Run: [systwslyel] C:\WINDOWS\System32\algetglesle.exe
O4 - HKLM\..\Run: [SOUNDM] winsmd.exe
O4 - HKLM\..\Run: [dmaob.exe] C:\WINDOWS\System32\dmaob.exe
O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [IEXPLORE.EXE] IEXPLORE.EXE Http://www.vvfy.com/movie
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1149726331265
O17 - HKLM\System\CCS\Services\Tcpip\..\{174D9153-928F-432E-BA87-9ED5AC0FB89F}: NameServer = 85.255.115.83,85.255.112.206
O17 - HKLM\System\CS1\Services\Tcpip\..\{174D9153-928F-432E-BA87-9ED5AC0FB89F}: NameServer = 85.255.115.83,85.255.112.206
O17 - HKLM\System\CS2\Services\Tcpip\..\{174D9153-928F-432E-BA87-9ED5AC0FB89F}: NameServer = 85.255.115.83,85.255.112.206
O20 - AppInit_DLLs: KB608769M.LOG
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe

Dorprod
12-06-2006, 12:37 AM
Over the night, under Add/Remove Programs there have been 27 "Security Updates for Windows XP (KB 90####)". Seems suspicious seeing that I do not have Automatic Updates or anything to do with Windows security. Also, a good firewall? I need one. Thanks so much for your help.

Greg
12-06-2006, 04:00 AM
[QUOTE=Dorprod]a good firewall?[/QUOTE]
ZoneAlarm is very popular and easy - a lot of people are quite happy with the free version. And Kerio is very good.

SurferJoe46
12-06-2006, 05:03 AM
Here's some results from your scan:

C:\WINDOWS\LSASS.exe running process. (LSASS.exe)

This entry is not running from the System32 folder, so it is probably nasty. According to the Windows database this process normally runs in c:\windows\system32\! Check if you know this process and arrange a virus check where required.

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\System, DisableRegedit=1 To be fixed immediately! (See the space in the word "Policies"? That's a good clue!)

O4 - HKLM\..\Run: [dmaob.exe] C:\WINDOWS\System32\dmaob.exe (It seems that the name of this program is the same as the name of the file. In most cases this is the result of trojans. To be sure, you should check this file.)


Turn off system restore and reboot into safe mode again and click on the above entries, fix them/delete them and reboot and see if they return.

This list is possibly not complete, there may be other problems that you will need to fix in the future.

Speedy Gonzales
12-06-2006, 05:03 PM
Boot into safe mode, turn system restore off, run hijackthis again, tick these entries and tick fix checked.

C:\WINDOWS\LSASS.exe

C:\WINDOWS\System32\algetglesle.exe

C:\WINDOWS\System32\algetglesle.exe

C:\WINDOWS\System32\algetglesle.exe

O4 - HKLM\..\Run: [ToP] C:\WINDOWS\LSASS.exe

O4 - HKLM\..\Run: [systwslyel] C:\WINDOWS\System32\algetglesle.exe

O4 - HKLM\..\Run: [dmaob.exe] C:\WINDOWS\System32\dmaob.exe

O4 - HKCU\..\Run: [IEXPLORE.EXE] IEXPLORE.EXE Http://www.vvfy.com/movie

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\System, DisableRegedit=1

O20 - AppInit_DLLs: KB608769M.LOG

I would also install an AV and a firewall program.
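The triage that SurferJoe46 and Speedy Gonzales do by eye above (a System32-only binary name running from C:\WINDOWS, a Run entry whose label is the file name, DisableRegedit=1, an AppInit_DLLs value that is not a DLL, a Run entry that opens a URL at logon) can be written down as checks over the log lines. The script below is an added example, not a tool from this thread or part of HijackThis; it parses a constructed subset of the log Dorprod posted and reports which lines trip which heuristic. It adds two generic "go and verify" checks that nobody in the thread states: O17 NameServer values fixed in the registry should match your ISP's DNS servers, and a Run entry with an unqualified file name (such as winsmd.exe) needs resolving to see which file actually runs. Flagging an entry means "look at it", not "it is malicious".

```python
import re

# Windows XP core binaries that legitimately run only from %SystemRoot%\System32.
SYSTEM32_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe", "alg.exe"}

# Constructed sample: a subset of the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\LSASS.exe
C:\WINDOWS\System32\algetglesle.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Http://www.vvfy.com/movie
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ToP] C:\WINDOWS\LSASS.exe
O4 - HKLM\..\Run: [SOUNDM] winsmd.exe
O4 - HKLM\..\Run: [dmaob.exe] C:\WINDOWS\System32\dmaob.exe
O4 - HKCU\..\Run: [IEXPLORE.EXE] IEXPLORE.EXE Http://www.vvfy.com/movie
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\..\{174D9153-928F-432E-BA87-9ED5AC0FB89F}: NameServer = 85.255.115.83,85.255.112.206
O20 - AppInit_DLLs: KB608769M.LOG
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
"""

O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'"?(.*?\.exe)', re.IGNORECASE)  # first executable in a command line


def split_path(path):
    """(directory, file name) for a Windows path; directory is '' when unqualified."""
    if "\\" in path:
        return tuple(path.rsplit("\\", 1))
    return "", path


def in_system32(directory):
    return directory.lower().endswith("\\system32")


def running_processes(log_text):
    """Paths listed between 'Running processes:' and the next blank line."""
    lines = log_text.splitlines()
    if "Running processes:" not in lines:
        return []
    procs = []
    for line in lines[lines.index("Running processes:") + 1:]:
        if not line.strip():
            break
        procs.append(line.strip())
    return procs


def check_process(path):
    directory, name = split_path(path)
    if name.lower() in SYSTEM32_ONLY and not in_system32(directory):
        return [f"{name} is a System32-only binary name but runs from {directory or '(no directory)'}"]
    return []


def check_o4(line):
    m = O4_RE.match(line)
    if not m:
        return []
    label, cmd = m.group("label"), m.group("cmd")
    exe = EXE_RE.match(cmd)
    directory, name = split_path(exe.group(1) if exe else cmd)
    reasons = []
    if label.lower() == name.lower():
        reasons.append("Run label is identical to the file name")
    if name.lower() in SYSTEM32_ONLY and not in_system32(directory):
        reasons.append(f"launches System32-only name {name} from {directory or '(no directory)'}")
    if not directory:
        reasons.append("unqualified file name; resolve which file on PATH actually runs")
    if "http://" in cmd.lower():
        reasons.append("opens a URL at every logon")
    return reasons


def check_entry(line):
    """Reasons to look at one 'Rn - ' / 'On - ' log entry; [] means nothing noted."""
    if line.startswith("O4 "):
        return check_o4(line)
    if line.startswith(("R0 ", "R1 ")) and "= " in line and not line.rstrip().endswith("="):
        return ["IE page setting points at " + line.split("= ", 1)[1].strip() + "; confirm you set it"]
    if line.startswith("O7 ") and "DisableRegedit=1" in line:
        return ["Registry Editor disabled by policy; removes your ability to inspect the fix"]
    if line.startswith("O17 ") and "NameServer = " in line:
        return ["DNS servers fixed in the registry: " + line.split("NameServer = ", 1)[1] + "; verify they are your ISP's"]
    if line.startswith("O20 - AppInit_DLLs:"):
        value = line.split(":", 1)[1].strip()
        if not value.lower().endswith(".dll"):
            return [f"AppInit_DLLs loads {value}, which is not named as a DLL, into every GUI process"]
    return []


def triage(log_text):
    """Return [(entry, [reasons])] for every log line that trips a heuristic."""
    findings = [(p, check_process(p)) for p in running_processes(log_text)]
    findings += [(l, check_entry(l)) for l in log_text.splitlines()]
    return [(entry, reasons) for entry, reasons in findings if reasons]


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(entry)
        for r in reasons:
            print("   ->", r)
```

On the sample it flags nine lines: the C:\WINDOWS\LSASS.exe process, the R0 start page, the ToP, SOUNDM, dmaob.exe and IEXPLORE.EXE Run entries, the O7 policy, the O17 name servers and the O20 AppInit_DLLs value; the legitimate lsass.exe in System32, jusched.exe and the Dell service pass. The gibberish-named algetglesle.exe is not caught by any of these rules, which is the usual limit of name-based heuristics: a file that looks wrong still has to be checked by hand.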

Dorprod
13-06-2006, 02:03 PM
[QUOTE=Speedy Gonzales]
C:\WINDOWS\LSASS.exe

O4 - HKLM\..\Run: [ToP] C:\WINDOWS\LSASS.exe

O20 - AppInit_DLLs: KB608769M.LOG
[/QUOTE]

It's weird. I go into safe mode, then I have System Restore off. I fix these problems and run HijackThis and it's back. Also the O20 cannot be fixed because of error #5 I these things. I also somehow ended up with about:blank again?!? And every time I start up I have these black windows that go through processes and close quickly. Thanks for the help so far.

FoxyMX
13-06-2006, 02:16 PM
It mystifies me how your computer can get riddled with viruses, trojans and spyware so soon after a fresh reinstall. You did reformat first, didn't you?

It might be easier to start over again rather than keep going around in circles if none of the tools you are using is detecting anything.

SurferJoe46
13-06-2006, 04:15 PM
[QUOTE=FoxyMX]It mystifies me how your computer can get riddled with viruses, trojans and spyware so soon after a fresh reinstall. You did reformat first, didn't you?

It might be easier to start over again rather than keep going around in circles if none of the tools you are using is detecting anything.[/QUOTE]
Foxy.....

Look at the HJT header and see that this is only running SP-1.

I recommend that SP-2 gets installed ASAP after a total burn-down and opsys install.

FoxyMX
13-06-2006, 04:51 PM
Yes, Joe, but that doesn't automatically mean that a PC is going to be riddled with that sort of stuff that quick. I have seen several PCs with neither SP2 nor SP1 or just SP1 on them running quite happily for ages with no problems whatsoever.

Not saying it is a good idea to, and I am surprised they didn't get the Blaster worm, but it is possible.

Greg
14-06-2006, 02:14 AM
[QUOTE=FoxyMX]Yes, Joe, but that doesn't automatically mean that a PC is going to be riddled with that sort of stuff that quick. I have seen several PCs with neither SP2 nor SP1 or just SP1 on them running quite happily for ages with no problems whatsoever.[/QUOTE]
Have to agree. SP2? :yuck: Never seen the need for it - my SP1 runs like a dream. All it needs is a proper firewall and a decent enough anti-virus. I've only needed to apply a patch once because of the dumbass WMA exploit.