
a website keeps popping up



:)

Please don't attach the scan results, use Copy/Paste

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (right-click, choose "Run as Administrator").

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Note: Close all browsers before running ATF Cleaner: IE, FireFox, etc.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner


Hi, I have not attached any scan results, and I don't know which to copy and paste (I didn't get you).

However, I downloaded ATF Cleaner and ran it for Main and Firefox.

The PC is NOT slower to boot the first time or two, BUT the screen sort of snaps at the very beginning of the boot.

And when I tried to open Firefox, the popping-up website reappeared again,

AND I have new problems now: Gmail is not opening in its standard mode, it only opens in HTML mode; even the YouTube page opens as a basic HTML page (I have high-speed internet, but Google Chrome is working properly).

This problem appeared immediately after I ran ATF Cleaner; I don't know what went wrong after ATF Cleaner ran.

I did not proceed to DDS.scr or DDS.pif.

What shall I do?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~``


DDS (Ver_10-12-12.02) - NTFSx86

Run by Administrator at 9:58:46.98 on Mon 01/03/2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.471 [GMT 5.5:30]

AV: avast! Internet Security *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

FW: avast! Internet Security *Disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Uniblue\RegistryBooster\rbmonitor.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\runservice.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\System32\TUProgSt.exe

C:\WINDOWS\RTHDCPL.EXE

C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\WordWeb\wweb32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com

uSearch Page = ${URL_SEARCHPAGE}

mDefault_Page_URL = hxxp://www.yahoo.com

mSearch Page = ${URL_SEARCHPAGE}

mStart Page = hxxp://www.yahoo.com

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = 127.0.0.1

mWinlogon: Taskman=c:\documents and settings\administrator\gsyzq.exe

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

uRun: [WordWeb] "c:\program files\wordweb\wweb32.exe" -startup

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

TCP: {3CA3DBC5-54CB-4361-9F5E-EB59F7B2AD9D} = 218.248.255.141,218.248.255.139

Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\0cuetjsl.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=

FF - prefs.js: browser.search.selectedEngine - Wikipedia (Eng)

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.in/webhp

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=

FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll

FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npgtpo3dautoplugin.dll

FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext

FF - Ext: Veoh Video Compass: searchrecs@veoh.com - %profile%\extensions\searchrecs@veoh.com

FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}

FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

---- FIREFOX POLICIES ----

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

============= SERVICES / DRIVERS ===============

R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [2010-9-15 12112]

R0 aswNdis2;avast! Firewall Core Firewall Service;c:\windows\system32\drivers\aswNdis2.sys [2010-9-15 188168]

R1 aswFW;avast! TDI Firewall driver;c:\windows\system32\drivers\aswFW.sys [2010-9-15 99280]

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2010-9-15 312912]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-9-15 165456]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-9-15 17744]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-15 40384]

R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2010-8-3 2560]

R3 ndisrd;WinpkFilter Service;c:\windows\system32\drivers\ndisrd.sys [2010-6-30 20480]

R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2010-7-20 16640]

S2 avast! Firewall;avast! Firewall;c:\program files\alwil software\avast5\afwServ.exe [2010-9-15 119200]

S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-15 40384]

S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-15 40384]

S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-9-10 30104]

S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-9-10 30104]

=============== Created Last 30 ================

2011-01-02 04:28:40 -------- d-----w- c:\docume~1\admini~1\applic~1\PriceGong

2010-12-31 13:31:12 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Conduit

2010-12-31 07:37:39 204288 --sh--r- c:\documents and settings\administrator\gsyzq.exe

2010-12-21 10:57:59 -------- d-----w- c:\docume~1\admini~1\applic~1\Transcend

2010-12-21 06:57:07 757760 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iKernel.dll

2010-12-21 06:57:07 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\ctor.dll

2010-12-21 06:57:07 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\DotNetInstaller.exe

2010-12-21 06:57:07 274432 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iscript.dll

2010-12-21 06:57:07 204800 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iuser.dll

2010-12-21 06:57:04 200836 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iGdi.dll

2010-12-21 06:57:03 331908 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\setup.dll

2010-12-17 02:44:55 1409 ----a-w- c:\windows\QTFont.for

2010-12-16 19:52:43 -------- d-----w- c:\windows\system32\QuickTime

2010-12-12 06:21:12 -------- d-----w- C:\1

2010-12-10 02:00:34 -------- d-----w- c:\windows\cache-cache

2010-12-08 16:09:44 148776 ----a-w- c:\windows\system32\ImageDrive.cpl

==================== Find3M ====================

2011-01-03 04:00:39 865 --sha-w- c:\windows\system32\mmf.sys

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll

2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 9:59:31.12 ===============


Hi, excuse me,

I couldn't find any way to find or delete the mentioned file.

c:\documents and settings\administrator\gsyzq.exe

In my Administrator folder it doesn't show up. Please tell me a method to find it and delete this file.

I have attached a snapshot of what appears.



I suggest you do this:

XP Users

Double-click My Computer.

Click the Tools menu, and then click Folder Options.

Click the View tab.

Uncheck "Hide file extensions for known file types."

Under the "Hidden files" folder, select "Show hidden files and folders."

Uncheck "Hide protected operating system files."

Click Apply, and then click OK.

Vista Users

To enable the viewing of hidden and protected system files in Windows Vista please follow these steps:

Close all programs so that you are at your desktop.

Click on the Start button. This is the small round button with the Windows flag in the lower left corner.

Click on the Control Panel menu option.

When the control panel opens you can either be in Classic View or Control Panel Home view:

If you are in the Classic View do the following:

Double-click on the Folder Options icon.

Click on the View tab.

If you are in the Control Panel Home view do the following:

Click on the Appearance and Personalization link.

Click on Show Hidden Files or Folders.

Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.

Remove the checkmark from the checkbox labeled Hide extensions for known file types.

Remove the checkmark from the checkbox labeled Hide protected operating system files.

Please do not delete anything unless instructed to.

I've been seeing some Java infections lately.

Go here and follow the instructions to clear your Java cache:

http://www.java.com/en/download/help/plugin_cache.xml

Next:

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Then click Remove Selected .
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.

Also please describe how your computer behaves at the moment.

Please don't attach the scans / logs, use "copy/paste".

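An added triage script for the DDS log posted earlier in this thread and for the "I can't see the file" question the last two posts deal with. It is example code written for this page, not DDS, Malwarebytes or forum code: the rules, the severity scale, the function names and the assumed profile-path markers are its own, and the sample lines are copied from the posted log. Its two "high" hits are the Winlogon Taskman value and the gsyzq.exe it points to, whose `--sh--r-` attributes (system + hidden + read-only) are exactly why Explorer does not show it until "Hide protected operating system files" is unchecked.

```python
"""Triage DDS-style log lines for the persistence and hiding tricks in this thread.

Added example, not code from DDS, Malwarebytes or the forum. The rules, severities,
function names and PROFILE_HINTS markers are this example's own assumptions; the
sample lines are copied from the posted log. A finding means "look", not "delete".
"""
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the DDS log above (raw string, because
# the Windows paths contain backslashes).
SAMPLE_LOG = r"""
uInternet Settings,ProxyOverride = 127.0.0.1
mWinlogon: Taskman=c:\documents and settings\administrator\gsyzq.exe
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
TCP: {3CA3DBC5-54CB-4361-9F5E-EB59F7B2AD9D} = 218.248.255.141,218.248.255.139
Hosts: 127.0.0.1 www.spywareinfo.com
2010-12-31 07:37:39 204288 --sh--r- c:\documents and settings\administrator\gsyzq.exe
2011-01-03 04:00:39 865 --sha-w- c:\windows\system32\mmf.sys
2010-12-21 06:57:07 757760 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iKernel.dll
2011-01-02 04:28:40 -------- d-----w- c:\docume~1\admini~1\applic~1\PriceGong
""".strip()

WINLOGON_RE = re.compile(r"^[mu]Winlogon:\s*(\w+)=(.*)$", re.I)
RUN_RE = re.compile(r"^[mu]Run(?:Once)?:\s*\[[^\]]*\]\s*(.*)$", re.I)
PROXY_RE = re.compile(r"^[mu]Internet Settings,(Proxy\w+)\s*=\s*(.*)$", re.I)
TCP_RE = re.compile(r"^TCP:\s*\{[0-9A-Fa-f-]+\}\s*=\s*(.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s*(\S+)\s+(\S+)")
# "Created Last 30" / "Find3M" rows: date time size attrs path. The attrs field is eight
# characters; the letters used here are d (directory), s (system) and h (hidden).
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\S+\s+([\w-]{8})\s+(.*)$")

# Assumed markers for "inside a user profile" (XP and Vista/7 layouts).
PROFILE_HINTS = ("documents and settings", "\\users\\")


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    line: str
    reason: str


def in_user_profile(path: str) -> bool:
    p = path.lower()
    return any(hint in p for hint in PROFILE_HINTS)


def triage_line(line: str):
    """Return a Finding for one DDS line, or None when nothing stands out."""
    line = line.strip()
    m = WINLOGON_RE.match(line)
    if m:
        name, value = m.group(1).lower(), m.group(2).strip()
        if name == "taskman":
            return Finding("high", line, "Winlogon\\Taskman is empty on a clean install; "
                           "whatever is set here runs at every logon")
        if name == "shell" and value.lower() != "explorer.exe":
            return Finding("high", line, "Winlogon\\Shell should be exactly explorer.exe")
        if name == "userinit":
            parts = [p.strip().lower() for p in value.split(",") if p.strip()]
            if len(parts) != 1 or not parts[0].endswith("\\system32\\userinit.exe"):
                return Finding("high", line, "Winlogon\\Userinit should list only userinit.exe")
        return None
    m = RUN_RE.match(line)
    if m:
        if in_user_profile(m.group(1)):
            return Finding("medium", line, "autorun launched from a user profile; updaters do "
                           "this legitimately, so verify the file's publisher")
        return None
    m = PROXY_RE.match(line)
    if m:
        if m.group(1).lower() == "proxyserver":
            return Finding("medium", line, "browser traffic goes through a proxy; a 127.0.0.1 "
                           "proxy is the classic local ad/redirect injector")
        return None  # ProxyOverride on its own is not an indicator
    m = TCP_RE.match(line)
    if m:
        return Finding("low", line, f"interface DNS servers {m.group(1)}; confirm they belong to your ISP")
    m = HOSTS_RE.match(line)
    if m and m.group(2).lower() != "localhost":
        return Finding("medium", line, f"hosts file pins {m.group(2)} to {m.group(1)}; malware "
                       "uses this to block security and help sites")
    m = FILE_RE.match(line)
    if m:
        attrs, path = m.group(1).lower(), m.group(2)
        if "d" not in attrs and "s" in attrs and "h" in attrs:
            sev = "high" if in_user_profile(path) else "medium"
            return Finding(sev, line, "hidden+system file; Explorer will not show it until "
                           "'Hide protected operating system files' is unchecked")
    return None


def triage(log_text: str):
    """Run triage_line over a whole log; return findings, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    found = [f for f in (triage_line(l) for l in log_text.splitlines()) if f]
    return sorted(found, key=lambda f: order[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:>6}] {f.reason}\n         {f.line}")
```

Run it as-is to see the sample triaged; feed it a full DDS.txt with `triage(open("DDS.txt").read())`. The "medium" hits are deliberately noisy (Google Update runs from the profile legitimately, and the 865-byte hidden mmf.sys in system32 is only flagged for a look), which is why the script ranks rather than removes: deletion stays with the helper, as the thread insists.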

I followed every procedure,

but in clearing the Java plug-in cache, I didn't find "Java Plug-in" in Control Panel other than the Java icon (I have gone through Java cache cleaning).

I was using Malwarebytes and it was not showing any virus before. But after I removed and reinstalled it, now it has shown 1 virus and I have removed it. But that website is popping up from nowhere; I have started to use Google Chrome and it has started to pop up in that also.

That website pops up, changing the last words of the website, like

LINKS removed

and so on.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5468

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

1/6/2011 11:35:42 AM

mbam-log-2011-01-06 (11-35-42).txt

Scan type: Quick scan

Objects scanned: 130267

Time elapsed: 2 minute(s), 34 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman (Worm.Palevo) -> Value: Taskman -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5468

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

1/6/2011 1:32:04 PM

mbam-log-2011-01-06 (13-32-04).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|)

Objects scanned: 205628

Time elapsed: 32 minute(s), 22 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Worm.Palevo) -> Value: Shell -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman (Worm.Palevo) -> Value: Taskman -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

d:\english movie\nero 7.10.1.0 by m3zkal\nero 7.10.1.0 keygen.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.

g:\^^_software_files_^^\bittornt active {danger}\zone alarm pro 7.0.483 incl keygen\Keygen\zonelabs products keygen v2.exe (Riskware.Tool.CK) -> Quarantined and deleted successfully.

g:\^^_software_files_^^\bittornt active {danger}\zonealarm 8.0.2 plus keygen\Keygen.exe (Riskware.Tool.CK) -> Quarantined and deleted successfully.
