Popups Galore: Errorprotector, Errorsafe



#1 Dollfayce82

Dollfayce82

  • Members
  • 1 posts

Posted 02 October 2007 - 10:11 PM

I started noticing that while surfing, I wouldn't always connect to a site on the first try...my internet connection was somehow being affected. These annoying popups...directing me to Errorprotector, errorsafe...first they would popup with IE (I use FF), but then they started opening up a new tab in FF.

I think I've got most everything removed that I can by following the preparation guide; however, I've run Spybot Search and Destroy several times and that same stupid errorprotector, errorsafe, etc... keep coming back!

Here's my HijackThis log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:00:41 PM, on 10/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2

(6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone

Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\TELEMA~1\teleblocker.exe
C:\Program

Files\Uniblue\ProcessLibrary\qaccess.exe
C:\Program Files\Microsoft

ActiveSync\wcescomm.exe
C:\Program Files\Gadwin

Systems\PrintScreen\PrintScreen.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft

Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Event Agent\bin\spoolsv

.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lavasoft\Ad-Aware

2007\aawservice.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend

Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet

Explorer\Main,Start Page =

http://www.slickdeals.net/
R0 - HKLM\Software\Microsoft\Internet

Explorer\Search,SearchAssistant =

http://www.zpecialoffer.com/indexie.html
R0 - HKCU\Software\Microsoft\Internet

Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet

Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar -

{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no

file)
O3 - Toolbar: Morpheus Toolbar -

{119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - blank

(file missing)
O3 - Toolbar: ZeroBar -

{F0F8ECBE-D460-4B34-B007-56A92E8F84A7} -

C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [Zone Labs Client]

"C:\Program Files\Zone

Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC]

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe]

C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TeleBlocker]

C:\PROGRA~1\TELEMA~1\teleblocker.exe
O4 - HKCU\..\Run: [Uniblue Quick Access]

"C:\Program

Files\Uniblue\ProcessLibrary\qaccess.exe"

/startup
O4 - HKCU\..\Run: [H/PC Connection Agent]

"C:\Program Files\Microsoft

ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.1]

C:\Program Files\Gadwin

Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run]

C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE

(User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run]

C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE

(User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM]

C:\Program Files\MySpace\IM\MySpaceIM.exe

(User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM]

C:\Program Files\MySpace\IM\MySpaceIM.exe

(User 'Default user')
O8 - Extra context menu item: &NeoTrace It! -

C:\PROGRA~1\NeoTrace\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: E&xport to

Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/

3000
O9 - Extra button: (no name) -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console

- {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Morpheus Toolbar -

{119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - blank

(file missing)
O9 - Extra 'Tools' menuitem: Morpheus Toolbar

- {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} -

blank (file missing)
O9 - Extra button: Create Mobile Favorite -

{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} -

C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) -

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} -

C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile

Favorite... -

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} -

C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: @C:\Program

Files\IM2\Messenger2\im2_ie_plugin.dll,-4 -

{410C30C7-098A-4090-928E-F1D356D34C7F} -

C:\Program

Files\IM2\Messenger2\im2_ie_plugin.dll
O9 - Extra 'Tools' menuitem: Run IM2 Messenger

- {410C30C7-098A-4090-928E-F1D356D34C7F} -

C:\Program

Files\IM2\Messenger2\im2_ie_plugin.dll
O9 - Extra button: Research -

{92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Locate -

{B6F776D7-C231-11D4-8158-005004ADEFCA} -

C:\Program Files\Software River

Solutions\Visual WhoIs 2004\srstools.dll
O9 - Extra 'Tools' menuitem: Locate Using

Visual WhoIs 2004 -

{B6F776D7-C231-11D4-8158-005004ADEFCA} -

C:\Program Files\Software River

Solutions\Visual WhoIs 2004\srstools.dll
O9 - Extra button: MoneySide -

{E023F504-0C5A-4750-A1E7-A9046DEA8A21} -

C:\Program Files\Microsoft

Money\System\mnyside.dll
O9 - Extra button: Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger

- {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: NeoTrace It! -

{9885224C-1217-4c5f-83C2-00002E6CEF2B} -

C:\PROGRA~1\NeoTrace\NEOTRA~1\NTXtoolbar.htm

(HKCU)
O15 - Trusted Zone: www.dynamitelotu.com
O15 - Trusted Zone: *.smilebox.com
O16 - DPF: Photobucket Publisher -

http://s156.photobucket.com/csve/ie_plugin.php
O16 - DPF:

{01113300-3E00-11D2-8470-0060089874ED}

(Support.com Configuration Class) -

http://supportcenter.rr.com/sdccommon/download

/tgctlcm.cab
O16 - DPF:

{14B87622-7E19-4EA8-93B3-97215F77A6BC}

(MessengerStatsClient Class) -

http://messenger.zone.msn.com/binary/Messenger

StatsPAClient.cab31267.cab
O16 - DPF:

{30528230-99f7-4bb4-88d8-fa1d4f56a2ab}

(YInstStarter Class) - C:\Program

Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF:

{406B5949-7190-4245-91A9-30A17DE16AD0}

(Snapfish Activia) -

http://photos.walmart.com/WalmartActivia.cab
O16 - DPF:

{4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ

Technology Client) -

https://www.webiqonline.com/WebIQ/bin/WebIQ.ca

b
O16 - DPF:

{6414512B-B978-451D-A0D8-FCFDF33E833C}

(WUWebControl Class) -

http://update.microsoft.com/windowsupdate/v6/V

5Controls/en/x86/client/wuweb_site.cab?1143947

270259
O16 - DPF:

{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}

(MUWebControl Class) -

http://update.microsoft.com/microsoftupdate/v6

/V5Controls/en/x86/client/muweb_site.cab?11439

49452859
O16 - DPF:

{8E0D4DE5-3180-4024-A327-4DFAD1796A8D}

(MessengerStatsClient Class) -

http://messenger.zone.msn.com/binary/Messenger

StatsClient.cab31267.cab
O16 - DPF:

{A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9}

(InetDownload Class) -

https://media.pineconeresearch.com/ActiveX/dow

nloadcontrol.cab
O16 - DPF:

{B8BE5E93-A60C-4D26-A2DC-220313175592}

(ZoneIntro Class) -

http://messenger.zone.msn.com/binary/ZIntro.ca

b32846.cab
O16 - DPF:

{DA758BB1-5F89-4465-975F-8D7179A4BCF3}

(WheelofFortune Object) -

http://messenger.zone.msn.com/binary/WoF.cab31

267.cab
O18 - Protocol: skype4com -

{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} -

C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service

(aawservice) - Lavasoft AB - C:\Program

Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Active Common Service - Unknown

owner - C:\WINDOWS\system32\actsrv.exe (file

missing)
O23 - Service: Adobe LM Service - Adobe

Systems - C:\Program Files\Common Files\Adobe

Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V5

(AdobeActiveFileMonitor5.0) - Unknown owner -

C:\Program Files\Adobe\Photoshop Elements

5.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG7 Alert Manager Server

(Avg7Alrt) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service

(Avg7UpdSvc) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) -

GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: CA ISafe (CAISafe) - Computer

Associates International, Inc. -

C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: DirectX multi version - Unknown

owner - C:\WINDOWS\system32\dxcombin.exe (file

missing)
O23 - Service: InstallDriver Table Manager

(IDriverT) - Macrovision Corporation -

C:\Program Files\Common

Files\InstallShield\Driver\1050\Intel

32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) -

Lexmark International, Inc. -

C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NBService - Nero AG -

C:\Program Files\Nero\Nero 7\Nero

BackItUp\NBService.exe
O23 - Service: Net message Service - Unknown

owner - C:\WINDOWS\system32\netmsg.exe (file

missing)
O23 - Service: ODBC service - Unknown owner -

C:\WINDOWS\system32\odbc.exe (file missing)
O23 - Service: ProtexisLicensing - Unknown

owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: System Event Agent - Unknown

owner - C:\WINDOWS\system32\Event

Agent\bin\spoolsv .exe
O23 - Service: TrueVector Internet Monitor

(vsmon) - Zone Labs, LLC -

C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Live Setup Service

(WLSetupSvc) - Unknown owner - C:\Program

Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 9376 bytes





#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 04 October 2007 - 01:33 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, Dollfayce82.
My name is Richie and I'll be helping you to fix your problems.

The current formatting of your log makes it difficult to read/evaluate.
Open 'Notepad', click on 'Format' at the top, then uncheck 'Word Wrap' if it's checked.

If you have previously downloaded ComboFix, please delete that version and download it again from below.
Download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Now go to:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Right click on Hijackthis.exe and select 'Rename', rename it to abc.bat
Double click on abc.bat (which is still Hijackthis.exe), and post that log into your next reply please.
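The reply above asks for the log to be reposted with Word Wrap off because wrapped entries are hard to evaluate. As an added example (not part of the original thread and not HijackThis or BleepingComputer tooling), this Python code rejoins the fragments of a wrapped HijackThis log into one line per entry, then groups entries by section and lists those HijackThis itself tagged "(file missing)". The function names `unwrap` and `triage` are hypothetical, the sample is an excerpt of the log in post #1, and the wrap column is assumed to equal the longest fragment, which only holds when at least one fragment was cut mid-token.

```python
import re

# HijackThis entry codes: R0-R3, F0-F3, N1-N4 and the numbered O sections.
ENTRY = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ")

# Excerpt of the wrapped log from post #1, fragments exactly as pasted.
SAMPLE = r"""
O4 - HKCU\..\Run: [ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe
O16 - DPF:
{4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ
Technology Client) -
https://www.webiqonline.com/WebIQ/bin/WebIQ.ca
b
O23 - Service: Net message Service - Unknown
owner - C:\WINDOWS\system32\netmsg.exe (file
missing)
O23 - Service: ODBC service - Unknown owner -
C:\WINDOWS\system32\odbc.exe (file missing)
--
End of file - 9376 bytes
"""

def unwrap(text, width=None):
    """Rejoin log entries that a word-wrapped paste split across lines."""
    frags = [ln.strip() for ln in text.splitlines() if ln.strip()]
    # Assumption: the wrap column equals the longest fragment seen.
    width = width or max(len(f) for f in frags)
    entries, hard_break = [], False
    for frag in frags:
        if frag == "--":              # HijackThis footer follows
            break
        if ENTRY.match(frag):         # header lines before the first entry are skipped
            entries.append(frag)
        elif entries:                 # continuation of the previous entry
            # A fragment that filled the whole column was cut mid-token
            # (long URL or path), so it is rejoined without a space.
            entries[-1] += ("" if hard_break else " ") + frag
        hard_break = len(frag) >= width
    return entries

def triage(entries):
    """Group entries by section; list those HijackThis tagged '(file missing)'."""
    by_section = {}
    for entry in entries:
        by_section.setdefault(ENTRY.match(entry).group(1), []).append(entry)
    missing = [e for e in entries if e.endswith("(file missing)")]
    return by_section, missing
```
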