Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


IE Pop-ups

  • This topic is locked This topic is locked
3 replies to this topic

#1 hungryhipp0s


  • Members
  • 2 posts
  • Local time:01:33 PM

Posted 23 December 2009 - 05:40 PM

A couple of days I ago, I was streaming a video off surfthechannel.com and I started getting random Windows Defenders notifications popping up about such and such infections. I immediately ran my free version of AVG and it tracked and deleted 3-5 infections. Everything seemed fine the rest of the night. The next morning as I was using Firefox, I noticed that it was almost as if I were getting pop-ups, and Firefox would not be the window that was focused anymore. I tried to run AVG again, but it gave me some errors with Watch Dog multiple times. I grew frustrated and decided to reinstall AVG, got a notice to cancel the following programs and saw that IE was running, but it wasn't shown on my task bar. It was saying that I was browsing some site "www.channelnetwork.cn" or something of that sort. I cancelled the program, and continued the installation, but it failed because of some programs with Watch Dog again. I then turned to this site, went through the preparation guide, ran DDS, but couldn't get RR to work. It gave me some error of "FOPS - DeviceIoControl Error! Error Code = 0xc0000024." And that's where I stand now. Please help!

-Got Windows Defender notifications when streaming video off of surfthechannel.com
-Immediately ran AVG and deleted 3-5 infections
-Next day, got hidden pop-ups, Firefox is always replaced by IE as default browser, tried to run AVG, problems with watchdog
-Tried to reinstall AVG, hidden IE window running (www.channelnetwork.cn), problems with watchdog, blue screen of death
-Ran DDS, couldn't run RR (FOPS - DeviceIoControl Error! Error Code = 0xc0000024)

DDS (Ver_09-12-01.01) - NTFSx86
Run by Alan at 14:11:43.96 on Wed 12/23/2009
Internet Explorer: 7.0.6000.16945
Microsoft® Windows Vistaâ„¢ Home Premium 6.0.6000.0.1252.1.1033.18.2037.1176 [GMT -8:00]

SP: Windows Defender *enabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hp\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Maxtor\OneTouch Status\MaxMenuMgr.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Internet Explorer\Iexplore.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Steam]
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [DiscWizardMonitor.exe] c:\program files\seagate\discwizard\DiscWizardMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\seagate\discwizard\TimounterMonitor.exe
mRun: [Seagate Scheduler2 Service] "c:\program files\common files\seagate\schedule2\schedhlp.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [snp2uvc] c:\windows\vsnp2uvc.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\users\alan\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~1\java\jre16~2.0_0\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~3\office12\GR99D3~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
SecurityProviders: credssp.dll, msansspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 relog_ap
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\users\alan\appdata\roaming\mozilla\firefox\profiles\hv9er5zw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - msn.com
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\users\alan\appdata\roaming\mozilla\firefox\profiles\hv9er5zw.default\extensions\battlefieldheroespatcher@ea.com\platform\winnt_x86-msvc\plugins\npBFHUpdater.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwd6x.sys [2009-12-23 24856]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-12-23 11608]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-12-23 55656]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2007-8-26 10640]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\common files\seagate\schedule2\schedul2.exe [2008-6-24 431384]
R2 SSPORT;SSPORT;c:\windows\system32\drivers\SSPORT.SYS [2009-4-21 5120]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2009-2-3 427192]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-12-23 108289]
S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-12-23 185089]
S3 iComp;HP Analog TV Tuner;c:\windows\system32\drivers\p2usbwdm.sys [2006-3-9 1544704]

=============== Created Last 30 ================

2009-12-23 21:59:23 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-23 21:59:18 0 d-----w- c:\programdata\Avira
2009-12-23 21:59:18 0 d-----w- c:\program files\Avira
2009-12-23 21:56:31 24856 ----a-w- c:\windows\system32\drivers\avgfwd6x.sys
2009-12-23 21:46:51 0 d-----w- c:\users\alan\appdata\roaming\AVG8
2009-12-22 07:28:22 654 ----a-w- c:\windows\system32\krl32mainweq.dll
2009-12-22 07:27:20 202 ----a-w- c:\windows\system32\srcr.dat
2009-12-10 11:07:47 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-10 11:07:41 396800 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-10 11:07:41 31232 ----a-w- c:\windows\system32\httpapi.dll
2009-12-10 11:01:58 0 d-----w- C:\7414ed3f22ddcd55d0044df71c
2009-12-09 02:02:29 274432 ----a-w- c:\windows\system32\raschap.dll
2009-12-09 02:02:29 232960 ----a-w- c:\windows\system32\rastls.dll
2009-11-25 21:27:59 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-25 06:07:31 1406464 ----a-w- c:\windows\system32\msxml6.dll
2009-11-25 06:07:30 2048 ----a-w- c:\windows\system32\msxml6r.dll
2009-11-25 06:07:30 2048 ----a-w- c:\windows\system32\msxml3r.dll
2009-11-25 06:07:30 1260032 ----a-w- c:\windows\system32\msxml3.dll
2009-11-25 06:07:03 713728 ----a-w- c:\windows\system32\timedate.cpl

==================== Find3M ====================

2009-12-23 21:56:35 86016 ----a-w- c:\windows\inf\infstor.dat
2009-12-23 21:56:35 51200 ----a-w- c:\windows\inf\infpub.dat
2009-12-23 21:56:35 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-12-10 21:05:50 130430 ----a-w- c:\windows\hpoins13.dat
2009-10-27 15:05:11 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-27 15:01:43 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-10-27 15:01:39 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-27 14:59:14 72704 ----a-w- c:\windows\system32\admparse.dll
2009-10-27 12:27:14 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-10-27 10:56:00 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-10-01 17:29:14 195440 ------w- c:\windows\system32\MpSigStub.exe
2008-12-11 21:55:35 174 --sha-w- c:\program files\desktop.ini
2008-06-12 04:50:23 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 14:14:21.58 ===============

Attached Files

Edited by hungryhipp0s, 24 December 2009 - 04:33 AM.

BC AdBot (Login to Remove)


#2 Starbuck


    'r Brudiwr

  • Malware Response Team
  • 4,149 posts
  • Gender:Male
  • Location:Midlands, UK
  • Local time:10:33 PM

Posted 04 January 2010 - 03:54 PM

Hi hungryhipp0s and welcome to Bleeping Computer.

I apologize for the delay in response to your thread.
If you have since resolved the original problem you were having, I would appreciate you letting us know..
If not please follow these instructions:
  • Download OTL to your desktop.
    if you have problems, try this download link:
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check

Posted Image
  • Now copy the lines in the codebox below.
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
  • right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.

    Posted Image
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.



#3 hungryhipp0s

  • Topic Starter

  • Members
  • 2 posts
  • Local time:01:33 PM

Posted 04 January 2010 - 05:40 PM

Thanks for the reply, but I decided to just reformat the computer and upgrade to Windows 7. I just wanted to ask one more question though. If I fully reformat my C: drive, will the virus or whatever it was be gone? And will I have a healthy running computer again? Thanks for the help.

#4 Starbuck


    'r Brudiwr

  • Malware Response Team
  • 4,149 posts
  • Gender:Male
  • Location:Midlands, UK
  • Local time:10:33 PM

Posted 04 January 2010 - 06:02 PM

Hi hungryhipp0s

If I fully reformat my C: drive, will the virus or whatever it was be gone? And will I have a healthy running computer again? Thanks for the help.

Yep, with a reformat and re-install everything will be nice and clean.
Many thanks for letting us know.


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users