IE opens windows in front with random websites

#1 Technex


  Members
  • 2 posts
  • Local time:04:53 AM

Posted 28 December 2008 - 07:59 AM


I am helping my cousin out; she has a problem with her new laptop, although it didn't have this problem when new.

I have installed Spybot and AVG (from official websites) and updated to latest version and scanned, nothing found. Only a few little tracking cookies but nothing major, it removed them with no hassle.

I also got her to reinstall "MSN plus!" without the sponsor program.

I have told her to use Firefox but even when using Firefox IE windows pop up in front, spyware I should have thought...

It sometimes comes up with pop-ups saying "CiD" before them. One of them had the URL "http://www.filmon.com/indexOld/" but this one had no "CiD" in front of it.

Please help me help her. :thumbsup:

Thank you so much!

DDS (Version 1.1.0) - NTFSx86  
Run by Rachi at 12:44:45.48 on 28/12/2008
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_11
Microsoft Windows Vista™ Home Premium   6.0.6001.1.1252.44.1033.18.2037.823 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
c:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
c:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\TOSHIBA\Registration\ToshibaRegistration.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\AVG\AVG8\avgui.exe

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://www.google.co.uk
mDefault_Page_URL = hxxp://www.google.co.uk
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [1 mags 16 more] "c:\programdata\Software Flap Build.gql35"
uRun: [AxisIso] "c:\programdata\readmeinternetinternet.g25u1ty"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [topi] c:\program files\toshiba\toshiba online product information\topi.exe -startup
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe" /start
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [Toshiba Registration] c:\program files\toshiba\registration\ToshibaRegistration.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
StartupFolder: c:\users\rachi\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/710-44557-9400-3/4
IE: {8A918C1D-E123-4E36-B562-5C1519E434CE} - http://www.amazon.co.uk/exec/obidos/redirect-home?tag=Toshibaukbholink-21&site=home
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\rachi\appdata\roaming\mozilla\firefox\profiles\4a4vy5v9.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

2008-12-27 21:05	410,984	a-------	c:\windows\system32\deploytk.dll
2008-12-27 21:02	<DIR>	--d-----	c:\programdata\Spybot - Search & Destroy
2008-12-27 21:02	<DIR>	--d-----	c:\program files\Spybot - Search & Destroy
2008-12-27 21:02	<DIR>	--d-----	c:\progra~2\Spybot - Search & Destroy
2008-12-15 21:46	<DIR>	--d-----	c:\program files\Bonjour
2008-12-12 11:18	87,336	a-------	c:\windows\system32\dns-sd.exe
2008-12-12 11:11	61,440	a-------	c:\windows\system32\dnssd.dll
2008-12-11 21:33	2,048	a-------	c:\windows\system32\tzres.dll
2008-12-11 21:02	296,960	a-------	c:\windows\system32\gdi32.dll
2008-12-11 21:02	28,672	a-------	c:\windows\system32\Apphlpdm.dll
2008-12-11 21:02	4,240,384	a-------	c:\windows\system32\GameUXLegacyGDFs.dll
2008-12-11 21:01	2,927,104	a-------	c:\windows\explorer.exe
2008-12-11 21:01	827,392	a-------	c:\windows\system32\wininet.dll
2008-12-11 21:00	2,868,736	a-------	c:\windows\system32\mf.dll
2008-12-11 21:00	996,352	a-------	c:\windows\system32\WMNetMgr.dll
2008-12-11 21:00	94,720	a-------	c:\windows\system32\logagent.exe
2008-12-10 07:39	<DIR>	--d-----	c:\windows\system32\IOSUBSYS

==================== Find3M  ====================

2008-11-17 20:04	2,306,113	a-------	c:\windows\system32\GPhotos.scr
2008-11-15 12:29	0	a---h---	c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2008-11-01 03:44	52,736	a-------	c:\windows\apppatch\iebrshim.dll
2008-11-01 03:44	2,154,496	a-------	c:\windows\apppatch\AcGenral.dll
2008-11-01 03:44	541,696	a-------	c:\windows\apppatch\AcLayers.dll
2008-11-01 03:44	460,288	a-------	c:\windows\apppatch\AcSpecfc.dll
2008-11-01 03:44	173,056	a-------	c:\windows\apppatch\AcXtrnal.dll
2008-10-29 17:40	86,016	a-------	c:\windows\inf\infstrng.dat
2008-10-29 17:40	51,200	a-------	c:\windows\inf\infpub.dat
2008-10-24 17:01	86,016	a-------	c:\windows\inf\infstor.dat
2008-10-24 06:49	10,520	a-------	c:\windows\system32\avgrsstx.dll
2008-10-23 17:45	665,600	a-------	c:\windows\inf\drvindex.dat
2008-10-22 03:57	241,152	a-------	c:\windows\system32\PortableDeviceApi.dll
2008-10-21 05:25	1,645,568	a-------	c:\windows\system32\connect.dll
2008-10-16 20:56	1,524,736	a-------	c:\windows\system32\wucltux.dll
2008-10-16 20:55	83,456	a-------	c:\windows\system32\wudriver.dll
2008-10-16 14:08	162,064	a-------	c:\windows\system32\wuwebv.dll
2008-10-16 13:56	31,232	a-------	c:\windows\system32\wuapp.exe
2008-09-30 16:43	1,286,152	a-------	c:\windows\system32\msxml4.dll
2008-01-21 02:43	174	a--sh---	c:\program files\desktop.ini
2006-11-02 12:42	287,440	a-------	c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42	287,440	a-------	c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 12:42	30,674	a-------	c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42	30,674	a-------	c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 09:20	287,440	a-------	c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20	287,440	a-------	c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20	30,674	a-------	c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20	30,674	a-------	c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 12:49:52.30 ===============

#2 teacup61


  Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:04:53 AM

Posted 08 January 2009 - 09:00 PM

Hello Technex,

Sorry about the delay. :thumbsup: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Please do this:
1. Download HijackThis here:

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

#3 Technex

  Topic Starter

  Members
  • 2 posts
  • Local time:04:53 AM

Posted 10 January 2009 - 10:19 AM

Thanks, but I have solved the problem. I went into safe mode and deleted a load of randomly named folders and files; it wouldn't let me delete them in normal mode. Some were also hidden...

There was also a bad startup file which I have deleted using Spybot S&D.

No ads now, problem solved.

Thanks again anyway!

"uRun: [AxisIso] "c:\programdata\readmeinternetinternet.g25u1ty""

Lots of folders etc in C:\programdata that were bad.
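
Added example, not part of any post in this thread: a Python sketch that triages the `uRun`/`mRun` lines of a DDS log and flags entries sharing the traits of the startup entry quoted above. The two heuristics (target file sitting directly in the `c:\programdata` root, and an extension outside a small assumed list of executable types) are assumptions chosen for this log, not a DDS feature; the sample lines are copied from the log in post #1.

```python
import re
from pathlib import PureWindowsPath

# Subset of Run entries copied from the DDS log in post #1.
SAMPLE = r'''
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [1 mags 16 more] "c:\programdata\Software Flap Build.gql35"
uRun: [AxisIso] "c:\programdata\readmeinternetinternet.g25u1ty"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
'''

RUN_RE = re.compile(r'^(?P<hive>[um]Run): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# Assumed list of extensions a legitimate autorun normally points at.
EXEC_EXT = {'.exe', '.dll', '.scr', '.com', '.bat', '.cmd', '.lnk'}

def target_of(cmd):
    """Strip quotes and arguments from a Run value, leaving the file path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    # Unquoted: take everything up to the first ".ext" followed by space/end.
    m = re.match(r'(.*?\.[A-Za-z0-9]{1,4})(?=\s|$)', cmd)
    return m.group(1) if m else cmd

def triage(log_text):
    """Return (hive, name, path, reasons) for each Run entry worth a look."""
    findings = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        path = PureWindowsPath(target_of(m['cmd']))
        reasons = []
        if path.suffix.lower() not in EXEC_EXT:
            reasons.append('unusual extension ' + (path.suffix or '(none)'))
        if str(path.parent).lower() == r'c:\programdata':
            reasons.append('file sits directly in ProgramData root')
        if reasons:
            findings.append((m['hive'], m['name'], str(path), reasons))
    return findings

if __name__ == '__main__':
    for hive, name, path, reasons in triage(SAMPLE):
        print(f'{hive} [{name}] {path}: ' + '; '.join(reasons))
```

A flagged entry is a lead for manual review, not a verdict; the file still has to be examined before anything is deleted.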

#4 teacup61


  Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:04:53 AM

Posted 10 January 2009 - 08:27 PM


Thank you so much for letting me know. :thumbsup: Glad you're up and running again. :)

#5 teacup61


  Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:04:53 AM

Posted 23 January 2009 - 04:59 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
