Welcome to HijackThis.de @ Chrisratcliffe
Please post your Logfiles in vB Code!
Note: Announcement

Please read these instructions carefully and print them out!
Be sure to follow ALL instructions!
Follow the numbers.
1
Make sure you set Windows to show hidden files and folders.
2
Turn off System Restore.
3
Remember that HijackThis must be run in its own folder.
Not so:
C:\Documents and Settings\Ratcliffe\Desktop\New Folder\HijackThis.exe
But:
C:\Program Files\HJT\HijackThis.exe or C:\HJT\HijackThis.exe
Only if HijackThis runs in its own folder will it create backups!
4
Download and Instructions for Use
A. Download
popuper_remover.zip
save it to your desktop, unzip it to your desktop, run it.
Reboot your system.
B. Download
msmsgs_remover.zip
save it to your desktop, unzip it to your desktop, run it. Follow the instructions!
The possibly long waiting time during removal is intended and needed to remove the bot without a reboot
- if it doesn't work, the remover will suggest a reboot and you should follow that advice.
Reboot your system.
C. Download
KillBox, save it to your desktop
D. Download
CWShredder.
E. Download
CleanUp312
F. Download
about:Buster,
unzip to C:\aboutbuster, run it, and then:
1. Click "Update".
2. Click "Check For Update"
(If no new version is available, skip that.)
3. Click "Download Update", and wait for it to be installed.
G. Download
Registrar Lite install it to your desktop.
Don't use the programs C,D,E,F,G now.
5
Disconnect from the Internet.
6
Switch to safe mode. Stay in safe mode until you read that you may switch to normal mode!
7
Close down all windows including Internet Explorer.
Run Hijackthis, click scan, and put a checkmark next to each of these items.
Then click the Fix Checked button:
Code:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hzzp://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = hzzp://www.startsearches.net/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hzzp://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = hzzp://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = hzzp://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = hzzp://www.startsearches.net/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = hzzp://www.startsearches.net/
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\system32\hpCF0E.tmp
O8 - Extra context menu item: &RSDN Search - res://C:\PROGRA~1\VIRTUA~1\VIRTUA~1.DLL/GoVM.dll.htm
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - hzzp://a840.g.akamai.net/7/840/537/...all/xscan53.cab
Click on Fix Checked and exit HijackThis.
8
Run CWShredder
press the *fix,* not the scan button
allow it to clean the infection.
Close all browser and explorer windows before hitting the fix button.
9
Run about:Buster
4. Click "Start".
(Wait for the initial ADS scan to complete.)
5. Click "Yes", to shutdown any IE session currently open.
(Wait for the about:blank scan to complete.)
6. Click "Ok", to scan once more.
7. Click "Yes", to shutdown any IE sessions currently open.
8. Click "Yes", to begin the second pass.
9. Click "Save log", and post this log back along with your new log.
10. Click "Exit".
11. Click "Exit".
10
Reboot your system into normal mode.
11
Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:
Security IGuard
Virtual Maid
Search Maid
Exit Add/Remove Programs.
12
# Open Windows Task Manager.
» press CTRL+SHIFT+ESC, then click the Processes tab.
# In the list of running programs, locate this malware file.
# Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
# Do the same for all detected malware files in the list of running processes.
# To check if the malware process has been terminated, close Task Manager, and then open it again.
# Close Task Manager:
Security iGuard.exe
13
Run the Killbox
o browse to or copy each of these files into the Killbox,
if they are on your system:
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\shnlog.exe
C:\WINDOWS\popuper.exe
C:\WINDOWS\system32\intmonp.exe
C:\WINDOWS\system32\intmon.exe
C:\WINDOWS\system32\hpCF0E.tmp
C:\WINDOWS\system32\msmsgs.exe
locate these files and kill them also,
if they are on your system:
C:\wp.exe
C:\wp.bmp
C:\Windows\sites.ini
C:\Windows\System32\helper.exe
C:\Windows\System32\ole32vbs.exe
o activate "Replace on Reboot"
o activate "Use dummy" - then click at the red X
o "YES"
o "NO" at the question whether you want to reboot ...
(If a file isn't on your system at all, or isn't there anymore, go on with the next one.)
... reboot once you have put the last file into the Killbox.
14
Reboot your system into safe mode
15
Make sure you really set Windows to show hidden files and folders!
16
Using Windows Explorer, delete the following (please do NOT try to find them by "search" because they will not show up that way)
FOLDERS to delete (in bold) if found:
C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files <-This one!
C:\Program Files\Security IGuard
17
Reboot into normal mode.
18
Run Registrar Lite
*Double click the purple Registrar Lite icon on your desktop.
*Copy the line below and paste it into the "Address" field (located at the top) of the program:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
*Click the "Go" button.
*It will take you into the "Policies" folder.
*Locate the "System" folder (in the right panel)
*If found, right-click on the System folder and go to Delete
*Be very careful that you only delete the System folder that is inside the Policies folder.
19
Reboot your computer again.
20
Run CleanUp
Go to the option -> Select ‘custom’ -> Put a checkmark to:
* Cookies
* Prefetch
* Temp
* All users.
Press the 'cleanup' button
21
Empty your "Recycle Bin"
Go to START > run and type: cleanmgr and click ok.
Let it scan your system for files to remove.
22
Run a Full System Scan by Panda ActiveScan. It will last 2-3 hours.
23
Run HijackThis once more. Have it save a new Logfile.
Post that HJT-Logfile.
-----------------------
For the greatest safety, it is recommended that
you do not do online banking, file sharing, mailing, messaging,
or uploads and downloads, except to security sites, until your system
has been either formatted and reinstalled or cleaned up.
Take a look at "Security Tips" in my signature.
-----------------------
Source 1 and Source 2
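
Added example, not part of the original post: a small Python check for step 23 that compares the new HijackThis log against entries ticked in step 7 and reports any that are still present. The `NEW_LOG` text is a constructed sample, the function names are hypothetical, and treating any `Shell=` program other than Explorer.exe as an extra is an assumption of this example.

```python
import re

# Three of the entries ticked in step 7, copied from the post.
FIXED = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = hzzp://www.startsearches.net/bar.html
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\system32\hpCF0E.tmp
"""

# Constructed sample of a step-23 log (not real output).
NEW_LOG = r"""
Logfile of HijackThis (constructed sample)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar  =  hzzp://www.startsearches.net/bar.html
F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - c:\windows\system32\hpCF0E.tmp
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\app.exe
"""

# Entry lines start with a section code (R0, F2, O16, ...) followed by " - ".
ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")

def parse(text):
    """Map (section, normalized body) -> original line for every entry line."""
    out = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            # Windows paths and registry names are case-insensitive, and
            # forum software may alter spacing, so normalize both.
            body = re.sub(r"\s+", " ", m.group(2)).casefold()
            out[(m.group(1), body)] = line.strip()
    return out

def still_present(fixed_text, new_log_text):
    """Return the fixed entries that show up again in the new log."""
    fixed, new = parse(fixed_text), parse(new_log_text)
    return [orig for key, orig in fixed.items() if key in new]

def shell_extras(log_text):
    """Programs listed after Shell= besides Explorer.exe (assumed unwanted)."""
    extras = []
    for section, body in parse(log_text):
        if section == "F2" and "shell=" in body:
            progs = body.split("shell=", 1)[1].split(",")
            extras += [p.strip() for p in progs if p.strip() != "explorer.exe"]
    return extras

if __name__ == "__main__":
    for line in still_present(FIXED, NEW_LOG):
        print("still present:", line)
    print("extra Shell programs:", shell_extras(NEW_LOG))
```

An entry that reappears after the fix means something restored it, so it belongs in the follow-up post together with the new log.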