itsalllgoood
2006-06-13, 02:30
Random IE windows are popping up on my machine and I can't get rid of them. Things like: wild-savings.com/muon.html and prem-iumcertificate.com/muon.thml
Here's my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 4:25:07 PM, on 6/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Atievxx.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\System32\macromed\flash\GetFlash.exe
C:\Program Files\SpywareBot\SpywareBot.exe
C:\Documents and Settings\Tides Church\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [spywarebot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149867605782
O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\lvl6093se.dll
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
Process list saved on 4:26:33 PM, on 6/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
[pid] [full path to filename] [file version] [company name]
332 C:\WINDOWS\System32\smss.exe 5.1.2600.2180 Microsoft Corporation
412 C:\WINDOWS\system32\winlogon.exe 5.1.2600.2180 Microsoft Corporation
456 C:\WINDOWS\system32\services.exe 5.1.2600.2180 Microsoft Corporation
468 C:\WINDOWS\system32\lsass.exe 5.1.2600.2180 Microsoft Corporation
608 C:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
696 C:\Program Files\Windows Defender\MsMpEng.exe 1.1.1347.0 Microsoft Corporation
740 C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1008 C:\WINDOWS\system32\rundll32.exe 5.1.2600.2180 Microsoft Corporation
1128 C:\WINDOWS\system32\spoolsv.exe 5.1.2600.2696 Microsoft Corporation
1264 C:\WINDOWS\System32\Atievxx.exe 5.1.2482.0 Microsoft Corporation
1364 C:\Program Files\Network Associates\Common Framework\FrameworkService.exe 3.5.0.412 Network Associates, Inc.
1444 C:\WINDOWS\Explorer.EXE 6.0.2900.2180 Microsoft Corporation
1452 C:\Program Files\Network Associates\VirusScan\Mcshield.exe 8.0.0.251 Network Associates, Inc.
1500 C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe 8.0.0.912 Network Associates, Inc.
1680 C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
196 C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE 8.0.0.912 Network Associates, Inc.
1628 C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe 3.5.0.412 Network Associates, Inc.
2084 C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe 2.0.0.275 Network Associates, Inc.
2132 C:\Program Files\Windows Defender\MSASCui.exe 1.1.1347.0 Microsoft Corporation
460 C:\WINDOWS\System32\macromed\flash\GetFlash.exe 7.0.19.0 Macromedia, Inc.
2016 C:\Program Files\SpywareBot\SpywareBot.exe 1.4.0.0 SpywareBot Company
3960 C:\Documents and Settings\Tides Church\Desktop\HijackThis.exe 1.99.0.1 Soeperman Enterprises Ltd.
2884 C:\Program Files\Internet Explorer\iexplore.exe 6.0.2900.2180 Microsoft Corporation
3480 C:\WINDOWS\system32\NOTEPAD.EXE 5.1.2600.2180 Microsoft Corporation
3448 C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE 6.0.2900.2180 Microsoft Corporation
DLLs loaded by process C:\WINDOWS\System32\smss.exe:
[full path to filename] [file version] [company name]
C:\WINDOWS\system32\ntdll.dll 5.1.2600.2180 Microsoft Corporation