Pop-ups


7 replies to this topic

#1 AznSnzation

Posted 21 February 2006 - 01:28 AM

Hi there, =(

Every few minutes, different pop-ups show up on my computer whenever I use Internet Explorer.

I've already tried AdAware, Ewido, CleanUp!, Spybot, CWShredder, AboutBuster, and HijackThis... and I've run these programs in safe mode already.

I've looked at my Windows and System32 folders and these files seem suspicious...

C:\WINDOWS\SYSTEM32\fpj0031me.dll
C:\WINDOWS\SYSTEM32\p0r40a9qed.dll
C:\WINDOWS\SYSTEM32\dulayx.dll
C:\WINDOWS\SchedLgU
C:\WINDOWS\wiaservc
C:\WINDOWS\wiadebug
C:\WINDOWS\WindowsUpdate

One of the many pop-ups is a "Windows Security Center" pop-up warning me about the Blackworm virus.

Can anyone help me out, please?
---Andrew =(

Oh yeah, and here's my log from HijackThis...


Logfile of HijackThis v1.99.1
Scan saved at 10:18:36 PM, on 2/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.imdb.com/
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\fpj0031me.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#2 AznSnzation

Posted 21 February 2006 - 03:08 AM

Hi there again,

Also...

I ran AdAware again and it recognized the pop-ups as being...
~CoolWebSearch (6 Objects Total)
~MRU List (12 Objects Total)
~Tracking Cookie (47 Objects Total)

I've seen these 3 things in AdAware many times and they just won't go away after deletion.


Afterwards, AdAware said that it could not delete...
C:\WINDOWS\system32\p0r40a9qed.dll


***ALSO, HERE ARE THE ADDRESSES THAT COME UP WITH SOME OF THE POP-UPS (if this helps)...***


...and here's the "Windows Security Update" pop-up...
http://www.amaena.com/securityworm2/?aid=mgwav5&lid=net

...the "Windows Security Update" pop-up reads...
"There has been a security breach by the Blackworm Virus. We recommend you DOWNLOAD one of the security softwares to prevent further malware infections"

Yeah right! I'm not going to download whatever it wants me to download! Hehe. Anyways, thanks in advance to whoever can help, please.

---Andrew =)

#3 Michael Giacchetti

Posted 21 February 2006 - 03:10 AM

I saw this and was wondering if
C:\Program Files\Internet Explorer\iexplore.exe
is in a different place than
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE


I know it's a dumb question, but hey....

#4 stidyup

Posted 21 February 2006 - 03:20 AM

If you think you are infected, submit a hijackthis log to the HJT Forum.

How to submit a hijackthis log

Download Hijackthis

Try running the following from safe mode (Getting to safe-mode): Sysclean. You'll also need the virus template file from here: lpt***.zip. Remember to extract the contents of the zip file into the same folder as Sysclean.com.

or

DrWeb CureIT

or

KASFX which is powered by the Kaspersky AV engine, you will need internet access to update it. If you haven't got net access in safe mode, update it before you use it.

If you're good with the command line, also try the Sophos Command Line scanner. This command will scan all of your HDDs and give you a log file to review afterwards:

SAV32CLI.EXE -F -di -remove -dn -mbr -all -zip -p=avscanlog.txt

Also try installing and running A2 Free and Ewido, again run from safe mode.

I'd also run Spybot (Spybot Tutorial) and Adaware.

If you're using Win2K/XP, run Adaware/Spybot from "safe mode with command prompt". If you're using Win9x, just run it from safe mode; the command line options aren't needed.

At the C:\ prompt type the following:-

cd\
C:\progra~1\spybot~1\spybotsd.exe /autocheck /autofix
cd\
C:\progra~1\lavasoft\ad-awa~1\ad-aware.exe

#5 Michael Giacchetti

Posted 21 February 2006 - 03:37 AM

How to submit a hijackthis log


Your link is broken.

#6 acklan

Posted 21 February 2006 - 03:41 AM

This one works.. How to submit a hijackthis log
"2007 & 2008 Windows Shell/User Award"

#7 -David-

Posted 21 February 2006 - 03:45 AM

You should definitely post a HijackThis log, as you have a VX2 Look2Me infection, which can be determined by the following line:

O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\fpj0031me.dll

David :thumbsup:
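
An added example, not part of any poster's reply and not HijackThis's own code: a small Python parser for the entry lines of the log posted in #1 that checks which of the file names the original poster found suspicious are actually loaded by an entry, such as the O20 line quoted above. The function names and regular expressions are assumptions made for illustration; the sample lines are copied from the posted log.

```python
import re
from pathlib import PureWindowsPath

# A HijackThis entry line is "<section code> - <description>", e.g. "O20 - ...".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# The target file, when present, is a drive-letter path running to end of line.
WIN_PATH_RE = re.compile(r"[A-Za-z]:\\.*$")

# Excerpt of the log posted in this thread (one process line, three entry lines).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\pctspk.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.imdb.com/
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\fpj0031me.dll
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
"""

# File names the original poster listed as suspicious in System32.
SUSPECTS = ["fpj0031me.dll", "p0r40a9qed.dll", "dulayx.dll"]

def parse_entries(log_text):
    """Return one dict per entry line: section code, description, target path or None."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, running-process list or blank line
        code, body = m.groups()
        pm = WIN_PATH_RE.search(body)
        entries.append({"code": code, "body": body,
                        "path": PureWindowsPath(pm.group(0)) if pm else None})
    return entries

def correlate(log_text, suspect_files):
    """Split suspects into those an entry loads and those no entry references."""
    wanted = {PureWindowsPath(f).name.lower() for f in suspect_files}
    hits = [e for e in parse_entries(log_text)
            if e["path"] is not None and e["path"].name.lower() in wanted]
    loaded = {e["path"].name.lower() for e in hits}
    return hits, sorted(wanted - loaded)

if __name__ == "__main__":
    hits, unreferenced = correlate(SAMPLE_LOG, SUSPECTS)
    for e in hits:
        print(f'{e["code"]}: {e["path"]}')
    print("not referenced by any entry:", unreferenced)
```

A suspect file that no entry references is not cleared by this result; it only means the posted log does not show how that file is loaded.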

#8 miekiemoes

  • Malware Response Team
Posted 21 February 2006 - 01:56 PM

AznSnzation, it looks like you already tried to fix entries in HijackThis yourself.
Please don't, and use the backup option in HijackThis to restore those entries you fixed before, because it looks like you also fixed legit entries.