
Thread: frustrating! popuper.exe etc

  1. #1
    Beginner
    Registered since
    15.05.2005
    Posts
    1

    frustrating! popuper.exe etc

    Here is my HijackThis log. I have no wallpaper anymore and for some reason an old version of messenger starts up when I reboot my comp. I'm soooo frustrated, someone please help!
    Code:
    Logfile of HijackThis v1.99.1
    Scan saved at 11:11:52 PM, on 14/05/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\popuper.exe
    C:\WINDOWS\system32\msole32.exe
    C:\WINDOWS\system32\shnlog.exe
    C:\WINDOWS\system32\intmonp.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\intmon.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Documents and Settings\Ratcliffe\Desktop\New Folder\HijackThis.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.startsearches.net/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startsearches.net/bar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.startsearches.net/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.startsearches.net/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.startsearches.net/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.startsearches.net/search.php?qq=%1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.startsearches.net/
    F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
    O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\system32\hpCF0E.tmp
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &RSDN Search - res://C:\PROGRA~1\VIRTUA~1\VIRTUA~1.DLL/GoVM.dll.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com...ll/xscan60.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1108581111085
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    Edited by Ruby (15.05.2005 at 11:05) Reason: BoardRules: [CODE] and [/CODE]

  2. #2
    Supermod (retired) Ruby
    Registered since
    25.01.2005
    Location
    The Netherlands
    Posts
    20.038

    Re: frustrating! popuper.exe etc

    Welcome to HijackThis.de @ Chrisratcliffe

    Please post your Logfiles in vB Code!
    Note: Announcement




    Please read these instructions carefully and print them out!
    Be sure to follow ALL instructions!

    Follow the numbers.

    1
    Make sure you set Windows to see the hidden files and folders.

    2
    Turn off System Restore.

    3
    Remember that HijackThis must be run in its own folder.
    Not like this:
    C:\Documents and Settings\Ratcliffe\Desktop\New Folder\HijackThis.exe
    But like this:
    C:\Program Files\HJT\HijackThis.exe or C:\HJT\HijackThis.exe
    HijackThis will create backups only if it runs in its own folder!

    4
    Download and Instructions of Use

    A. Download
    popuper_remover.zip
    save it to your desktop, unzip it to your desktop, run it.
    Reboot your system.
    B. Download
    msmsgs_remover.zip
    save it to your desktop, unzip it to your desktop, run it. Follow the instructions!
    The possibly long waiting time during removal is intended and needed, to remove the bot without a reboot
    - if it doesn't work, the remover will suggest a reboot and you should follow that advice.
    Reboot your system.
    C. Download
    KillBox, save it to your desktop
    D. Download
    CWShredder.
    E. Download
    CleanUp312
    F. Download
    about:Buster,
    unzip to C:\aboutbuster, run it, and then:

    1. Click "Update".
    2. Click "Check For Update"

    (If no new version is available, skip that.)
    3. Click "Download Update", and wait for it to be installed.

    G. Download
    Registrar Lite install it to your desktop.


    Don't use the programs C,D,E,F,G now.


    5
    Disconnect from the Internet.

    6
    Boot into safe mode. Stay in safe mode until you read that you may return to normal mode!

    7
    Close down all windows including Internet Explorer.
    Run Hijackthis, click scan, and put a checkmark next to each of these items.
    Then click the Fix Checked button:
    Code:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hzzp://www.startsearches.net/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = hzzp://www.startsearches.net/bar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hzzp://www.startsearches.net/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = hzzp://www.startsearches.net/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = hzzp://www.startsearches.net/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = hzzp://www.startsearches.net/search.php?qq=%1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = hzzp://www.startsearches.net/
    F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
    O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\system32\hpCF0E.tmp
    O8 - Extra context menu item: &RSDN Search - res://C:\PROGRA~1\VIRTUA~1\VIRTUA~1.DLL/GoVM.dll.htm
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - hzzp://a840.g.akamai.net/7/840/537/...all/xscan53.cab 
    
    Click on Fix Checked and exit HijackThis.
    8
    Run CWShredder
    press the *fix,* not the scan button
    allow it to clean the infection.
    Close all browser and explorer windows before hitting the fix button.

    9
    Run about:Buster
    4. Click "Start".
    (Wait for the initial ADS scan to complete.)
    5. Click "Yes", to shutdown any IE session currently open.
    (Wait for the about:blank scan to complete.)
    6. Click "Ok", to scan once more.
    7. Click "Yes", to shutdown any IE sessions currently open.
    8. Click "Yes", to begin the second pass.
    9. Click "Save log", and post this log back along with your new log.
    10. Click "Exit".
    11. Click "Exit".

    10
    Reboot your system into normal mode.

    11
    Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

    Security IGuard
    Virtual Maid
    Search Maid

    Exit Add/Remove Programs.

    12
    # Open Windows Task Manager.
    » press CTRL+SHIFT+ESC, then click the Processes tab.
    # In the list of running programs, locate this malware file.
    # Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
    # Do the same for all detected malware files in the list of running processes.
    # To check if the malware process has been terminated, close Task Manager, and then open it again.
    # Close Task Manager:

    Security iGuard.exe

    13
    Run the Killbox

    o browse/copy each of these files into the Killbox,
    if they are on your system:


    C:\WINDOWS\system32\msole32.exe
    C:\WINDOWS\system32\shnlog.exe
    C:\WINDOWS\popuper.exe
    C:\WINDOWS\system32\intmonp.exe
    C:\WINDOWS\system32\intmon.exe
    C:\WINDOWS\system32\hpCF0E.tmp
    C:\WINDOWS\system32\msmsgs.exe

    locate these files and kill them also,
    if they are on your system:

    C:\wp.exe
    C:\wp.bmp
    C:\Windows\sites.ini
    C:\Windows\System32\helper.exe
    C:\Windows\System32\ole32vbs.exe

    o activate "Replace on Reboot"
    o activate "Use dummy" - then click at the red X
    o "YES"
    o "NO" by the question if you want to reboot ...


    (If a file isn't on your system at all, or no longer is, go on with the next one.)

    ... reboot once you have put the last file into the Killbox.

    14
    Reboot your system into safe mode

    15
    Make sure you really set Windows to see the hidden files and folders!

    16
    Using Windows Explorer, delete the following (please do NOT try to find them by "search" because they will not show up that way)

    FOLDERS to delete (in bold) if found:

    C:\Program Files\Search Maid
    C:\Program Files\Virtual Maid
    C:\Windows\System32\Log Files <-This one!
    C:\Program Files\Security IGuard

    17
    Reboot into normal mode.

    18
    Run Registrar Lite

    *Double click the purple Registrar Lite icon on your desktop.
    *Copy the line below and paste it into the "Address" field (located at the top) of the program:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

    *Click the "Go" button.
    *It will take you into the "Policies" folder.
    *Locate the "System" folder (in the right panel)
    *If found, right-click on the System folder and go to Delete
    *Be very careful that you only delete the System folder that is inside the Policies folder.

    19
    Reboot your computer again.

    20
    Run CleanUp

    Go to the option -> Select ‘custom’ -> Put a checkmark to:

    * Cookies
    * Prefetch
    * Temp
    * All users.

    Press the 'cleanup' button

    21
    Empty your "Recycle Bin"
    Go to START > run and type: cleanmgr and click ok.
    Let it scan your system for files to remove.

    22
    Run a Full System Scan by Panda ActiveScan. It will last 2-3 hours.

    23
    Run HijackThis once more. Have it save a new Logfile.
    Post that HJT-Logfile.

    -----------------------
    For the greatest safety, it is recommended that
    you do not do online banking, file sharing, mailing, messaging,
    or uploads and downloads, except to security sites, until your system
    has been either formatted and reinstalled or cleaned up.
    Take a look at "Security Tips" in my signature.

    -----------------------

    Source 1 and Source 2
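
Added example (not part of the original thread, and not HijackThis's own logic): a small parser for the log format posted in #1 that flags three of the entry kinds the helper ticks in step 7. The heuristics in `review_reason` are assumptions made for illustration, and flagged entries still need a human to confirm them.

```python
import re

# Excerpt of the HijackThis log from post #1 (lines copied from the thread).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startsearches.net/bar.html
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\system32\hpCF0E.tmp
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# "R1 - ...", "F2 - ...", "O23 - ...": section code, " - ", then the entry body.
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*\S)\s*$")

def parse_entries(log_text):
    """Return (code, body) for every section line; headers and process paths are skipped."""
    return [m.groups() for m in map(ENTRY_RE.match, log_text.splitlines()) if m]

def review_reason(code, body):
    """Return why an entry needs manual review, or None (assumed heuristics)."""
    if code in ("R0", "R1"):
        value = body.partition(" = ")[2].lower()
        if value.startswith(("http://", "https://")):
            return "IE start/search value points at an external URL"
    elif code == "F2":
        match = re.search(r"Shell=(.*)", body, re.IGNORECASE)
        programs = [p.strip() for p in match.group(1).split(",")] if match else []
        extra = [p for p in programs if p and p.lower() != "explorer.exe"]
        if extra:
            return "shell line launches more than Explorer.exe: " + ", ".join(extra)
    elif code == "O2":
        path = body.rsplit(" - ", 1)[-1]
        if not path.lower().endswith(".dll"):
            return "BHO module is not a .dll: " + path
    return None

def triage(log_text):
    """List (code, body, reason) for entries that match one of the heuristics."""
    flagged = []
    for code, body in parse_entries(log_text):
        reason = review_reason(code, body)
        if reason:
            flagged.append((code, body, reason))
    return flagged

if __name__ == "__main__":
    for code, body, reason in triage(SAMPLE_LOG):
        print(f"{code}: {reason}\n    {body}")
```

The `about:blank` R1 line and the O4/O23 AVG lines pass these checks untouched, so the output is a starting list for review rather than a replacement for the helper's fix list.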

  3. #3
    Unregistered Fid
    Guest

    Re: frustrating! popuper.exe etc

    Many thanks for helping remove this crap!
    The only problem I have now is that I'm not able to do anything with my background.
    I don't have the bkg tab in the properties box, so all I can do is right click on a picture on the web and choose "Add to background" (or similar, I have a Czech version of Win98).
    Thx

  4. #4
    Supermod (retired) Ruby
    Registered since
    25.01.2005
    Location
    The Netherlands
    Posts
    20.038

    Re: frustrating! popuper.exe etc

    Hi Unregistered Fid and welcome to HijackThis.de

    You may want to try this tool. Perhaps it will help you: -> click.
    If you don't have a zip-tool we suggest zipgenius (It is free).

  5. #5
    Fid
    Guest

    Re: frustrating! popuper.exe etc

    Hi!
    That didn't seem to help... it gave me an error when running the file.
    Bad translation - unable to import: the file isn't a registry file. You can only import valid registry files.

    But here's what I have in the registry:

    HKEY_CURRENT_USER > Software > Microsoft > Windows > CurrentVersion > Policies > System

    NoDispAppearancePage ... 0x00000001 (1)
    NoDispBackgroundPage ... 0x00000001 (1)

    and also:

    HKEY_CURRENT_USER > Control Panel > Desktop

    DragFullWindows ... "0"
    FontSmoothing ... "0"
    ForegroundLockTimeout ... 00 00 00 00
    Pattern ... ""
    ScreenSaveActive ... "0"
    ScreenSaveLowPowerActive ... "1"
    ScreenSavePowerOffActive ... "1"
    ScreenSaveTimeOut ... "840"
    ScreenSaveUsePassword ... 0x00000000 (0)
    TileWallpaper ... "0"
    UserPreferencemask ... be 00 00 00
    Wallpaper ... C:\WINDOWS\Application Data\Microsoft\Internet Explorer\Tapeta aplikace Internet Explorer.bmp
    WallpaperStyle "0"

    The wallpaper is one I chose by right click on a webpage. I know that if I change that line, I can choose any wallpaper on my HDD.

    Thanks again for your help.

  6. #6
    Honorary member Marc
    Registered since
    04.12.2004
    Posts
    1.980

    Re: frustrating! popuper.exe etc

    You should delete the following registry keys and restart afterwards:

    HKEY_LOCAL_MACHINE "SOFTWARE\Microsoft\Internet Explorer\Desktop\General" "WallpaperFileTime"
    HKEY_LOCAL_MACHINE "SOFTWARE\Microsoft\Internet Explorer\Desktop\General" "WallpaperLocalFileTime"
    HKEY_CURRENT_USER "Software\Microsoft\Windows\CurrentVersion\Policies\System" "NoDispAppearancePage"
    HKEY_CURRENT_USER "Software\Microsoft\Windows\CurrentVersion\Policies\System" "Wallpaper"
    HKEY_CURRENT_USER "Software\Microsoft\Windows\CurrentVersion\Policies\System" "WallpaperStyle"
    HKEY_CURRENT_USER "Software\Microsoft\Windows\CurrentVersion\Policies\System" "NoDispBackgroundPage"
    HKEY_CURRENT_USER "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" "NoActiveDesktopChanges"
    HKEY_CURRENT_USER "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" "ForceActiveDesktopOn"
    HKEY_CURRENT_USER "Control Panel\Desktop" "Wallpaper"
    HKEY_CURRENT_USER "Control Panel\Desktop" "WallpaperStyle"
    Kind regards,
    Marc
