IE malware
krp1
Inactive
14. May 2007 @ 06:42
Hello
My IE6 pops up by itself and goes to some web pages (advertising).
I ran Ad-Aware, but it did not help.
I also ran HijackThis and here are the results; can anybody help me
check whether there is anything that normally should not be there?
Thanks4help!
Logfile of HijackThis v1.99.1
Scan saved at 17:34:46, on 14.5.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Altiris\AClient\Aclient.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\PROT_SRV.EXE
C:\WINNT\system32\pagents.exe
C:\WINNT\system32\PSTARTSR.EXE
C:\Program Files\TiFiC\TiFiC System Service\TiFiC System Service.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINNT\system32\CCM\CcmExec.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\igfxpers.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINNT\stsystra.exe
C:\WINNT\system32\igfxsrvc.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Common Files\McAfee Inc\TalkBack\TBMon.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Altiris\AClient\AClntUsr.EXE
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Pointsec\P95tray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\PROGRA~1\MESSEN~1\Msmsgs.exe
C:\Program Files\Power DVD Player\PowerDVDPlayer.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe
C:\WINNT\system32\proquota.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DATA\lataus\hijackthis_sfx.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINNT\system32\NOTEPAD.EXE
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINNT\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\McAfee Inc\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [PeregrineStart] wscript.exe "C:\WINNT\Script\PeregrineStart.vbs"
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [startup_local] C:\Program Files\Startup_Local\startup_local.vbs
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Protect Tray] "C:\Program Files\Pointsec\P95tray.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\Msmsgs.exe" /background
O4 - HKCU\..\Run: [Power DVD Player] "C:\Program Files\Power DVD Player\PowerDVDPlayer.exe" hmw
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader\reader_sl.exe
O4 - Global Startup: McAfee Host Intrusion Prevention Tray.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Highlight - C:\WINNT\Web\HIGHLI~1.HTM
O8 - Extra context menu item: &Web Search - C:\WINNT\Web\SELSEA~1.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: I&mages List - C:\WINNT\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINNT\Web\frm2new.htm
O8 - Extra context menu item: View Partial So&urce - C:\WINNT\Web\source.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.Microsoft.com
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - ...
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0) - http://
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0) - http://
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tcad.telia.se
O17 - HKLM\Software\..\Telephony: DomainName = tcad.telia.se
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tcad.telia.se
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxdev.dll
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\Aclient.exe
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: McAfee Host Intrusion Prevention Service (enterceptAgent) - McAfee, Inc. - C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Pointsec - Unknown owner - C:\WINNT\system32\PROT_SRV.EXE
O23 - Service: Pointsec update agent (Pointsec_agent) - Unknown owner - C:\WINNT\system32\pagents.exe
O23 - Service: Pointsec service start (Pointsec_start) - Unknown owner - C:\WINNT\system32\PSTARTSR.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TiFiC System Service - TiFiC AB - C:\Program Files\TiFiC\TiFiC System Service\TiFiC System Service.exe
This message has been edited since posting. Last time this message was edited on 15. May 2007 @ 22:41
Senior Member
14. May 2007 @ 11:26
Try the Windows virus and spyware section; they can help you more. Also switch to Firefox, better for the internet.
GAMING COMPUTER - Intel q9550 @ 3.4ghz | EVGA GTX 260 core 216 | Gigabyte ds3l | 6gb Gskill DDR2 800 ram | Silverstone 700 watt psu | WD 640gb hdd | Seagate 300gb hdd | LG dvd burner | Samsung dvd burner | Antec p182 case | logitech 2.1 speakers | logitech g11 keyboard | Samsung 25.5in 1900x1200 monitor | 19in 1440x900 secondary monitor | Windows 7 64bit | SERVER - Gigabyte 785g motherboard | AMD Phenom 9650 | 6gb ram | three 1.5tb hdd | Seagate 1tb hdd | WD 750gb hdd | two 300gb hdd | Maxtor 200gb hdd | Ark rackmount case | CentOS 5.5
Steam name = "krj15489" alias = Jordan-k
ddp
Moderator
14. May 2007 @ 14:45
moved to correct forum
Member
14. May 2007 @ 15:51
Thank you, ddp; I'll take it from here :)
In your HijackThis, do a scan only. Place checks beside the following:
O4 - HKLM\..\Run: [startup_local] C:\Program Files\Startup_Local\startup_local.vbs
O4 - HKCU\..\Run: [Power DVD Player] "C:\Program Files\Power DVD Player\PowerDVDPlayer.exe" hmw
O8 - Extra context menu item: &Web Search - C:\WINNT\Web\SELSEA~1.HTM
O8 - Extra context menu item: I&mages List - C:\WINNT\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINNT\Web\frm2new.htm
O8 - Extra context menu item: View Partial So&urce - C:\WINNT\Web\source.htm
Take a look at all the O15 entries and all the O17 entries. Did you add them/Do you know them? If not, place checks beside them as well.
Press "Fix Checked".
There's no known virus that uses these files, as all websites say that they are being identified:
C:\WINNT\system32\PROT_SRV.EXE
C:\WINNT\system32\pagents.exe
C:\WINNT\system32\PSTARTSR.EXE
If you use Pointsec Hard Disk Encryption, those should be safe.
Geeks to Go - Trusted Helper
Please do not PM for help - please post on the forums.
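As an added illustration (not code from anyone in this thread), the following Python 3.8+ script applies the kinds of checks the helper above made by eye to HijackThis O4, O8, O17 and O23 lines: autoruns that launch a script rather than a program, context-menu items backed by a local HTML file, O17 domain settings the poster should confirm as their own, and services whose binary is missing or whose owner is unknown. The sample lines are constructed from the posted log, and the rules are review heuristics, not verdicts.

```python
import re

# Constructed sample: a handful of lines modelled on the HijackThis v1.99.1 log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [igfxtray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [PeregrineStart] wscript.exe "C:\WINNT\Script\PeregrineStart.vbs"
O4 - HKLM\..\Run: [startup_local] C:\Program Files\Startup_Local\startup_local.vbs
O4 - HKCU\..\Run: [Power DVD Player] "C:\Program Files\Power DVD Player\PowerDVDPlayer.exe" hmw
O8 - Extra context menu item: &Web Search - C:\WINNT\Web\SELSEA~1.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tcad.telia.se
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
"""

RUN_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$')      # O4: hive, name, command
MENU_RE = re.compile(r'^O8 - Extra context menu item: (.*?) - (.*)$')          # O8: label, target
DOMAIN_RE = re.compile(r'^O17 - .*: (?:Domain|DomainName|SearchList) = (.*)$')  # O17: value
SERVICE_RE = re.compile(r'^O23 - Service: (.*?) - (.*?) - (.*)$')             # O23: name, owner, path
SCRIPT_EXT = ('.vbs', '.js', '.jse', '.wsf', '.bat', '.cmd')


def first_target(command):
    """Program an O4 command launches: the quoted token, else text up to the first extension."""
    m = re.match(r'^"([^"]+)"|^(.+?\.[A-Za-z]{2,3})(?=\s|$)', command)
    return (m.group(1) or m.group(2)) if m else command


def review(log_text):
    """Return (line, reason) pairs for entries a helper would ask the poster to check or explain."""
    findings = []
    for line in log_text.splitlines():
        if m := RUN_RE.match(line):
            target, cmd = first_target(m.group(3)), m.group(3).lower()
            if target.lower().endswith(SCRIPT_EXT) or cmd.startswith(('wscript', 'cscript')):
                findings.append((line, 'autorun launches a script, not a program'))
        elif m := MENU_RE.match(line):
            if m.group(2).lower().endswith(('.htm', '.html')):
                findings.append((line, 'context menu item backed by a local HTML file'))
        elif m := DOMAIN_RE.match(line):
            findings.append((line, 'network domain setting to confirm as yours: ' + m.group(1)))
        elif m := SERVICE_RE.match(line):
            if '(file missing)' in m.group(3) or m.group(2) == 'Unknown owner':
                findings.append((line, 'service with missing binary or unknown owner'))
    return findings


if __name__ == '__main__':
    for entry, reason in review(SAMPLE_LOG):
        print(f'{reason}\n    {entry}')
```

Entries like the Power DVD Player line, which the helper flagged on judgement rather than a pattern, are left for a human to review.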
krp1
Inactive
15. May 2007 @ 22:45
Thanks for the help.
My friend solved the problem with Spybot Search & Destroy.
-krp-
This message has been edited since posting. Last time this message was edited on 15. May 2007 @ 22:45