Hi all.
I have webpages opening by themselves (usually ads or lonely hearts or porn) and no I ain't been on any dodgy sites (well not this time).
They always open in new windows, never on top of the one I'm reading. Also it does it in Firefox and IE exploder.
Avast finds nothing and neither does Ad-Aware.
I downloaded HijackThis and there were a couple of BHOs I did not recognise so they've now gone and so have the programs linked to them (I downloaded a couple of mp3 file converters last week and this has been ongoing since).
I also uninstalled the programs I downloaded. This has improved the problem by about 75% but I'm still getting the odd occurrence.
Any ideas?? Will post my HijackThis log in a minute.
LOG
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:06:02, on 31/07/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\O2Micro\AudioDJ\o2cd.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tesco.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tesco internet access
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NP Helper Class - {35B8D58C-B0CB-46b0-BA64-05B3804E4E86} - C:\Program Files\Internet Saving Optimizer\3.4.0.4340\NPIEAddOn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [o2cd] C:\Program Files\O2Micro\AudioDJ\o2cd.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.tesco.net
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
--
End of file - 8727 bytes
[Edited on 31/7/09 by omega 24 v6]
You need a decent pop up blocker - I bet your computer runs pretty slow too with all that running
Microsoft's own "Windows Defender" thingy is a basic but good start as to seeing what's running on your PC (just like Task Manager) but
also tells you a bit about what these things might be (in the Tools/Software Explorer menu), worth a download if you haven't already discovered it
(I opted out of the spy network thingy it offers you).
Kev
If you're running XP, post your findings here
http://www.microsoft.com/windowsxp/expertzone/newsgroups/reader.mspx?dg=microsoft.public.windowsxp.general&lang=en&cr=US
They also have a forum for Vista
quote:
You need a decent pop up blocker - I bet your computer runs pretty slow too with all that running
You have been hijacked, are your Ad-Aware definitions up to date? Looks like you need
http://www.superantispyware.com/?tag=GOOGLE-SUPERANTISPYWARE
Close all browsers and remove with hijack
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
O2 - BHO: NP Helper Class - {35B8D58C-B0CB-46b0-BA64-05B3804E4E86} - C:\Program Files\Internet Saving Optimizer\3.4.0.4340\NPIEAddOn.dll
Boot into safe mode and delete the contents of C:\Program Files\Internet Saving Optimizer and your temp folder
[Edited on 31/7/09 by bmseven]
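Added example (not part of any post in this thread): a small Python parser for the HijackThis v2 line format shown in the log above. It groups entries by section code, lists the O2 Browser Helper Objects for manual review, and picks out entries HijackThis marked "(file missing)". The sample lines are constructed from entries in this log, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on entries from the log in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\Explorer.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
O2 - BHO: NP Helper Class - {35B8D58C-B0CB-46b0-BA64-05B3804E4E86} - C:\Program Files\Internet Saving Optimizer\3.4.0.4340\NPIEAddOn.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
"""

# An entry line is "<section code> - <body>"; header and process lines do not match.
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
BHO = re.compile(r"^BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")

def parse_log(text):
    """Group entry lines by HijackThis section code (R1, O2, O23, ...)."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            sections[m["code"]].append(m["body"])
    return dict(sections)

def list_bhos(sections):
    """Return (name, CLSID, DLL path) for each O2 Browser Helper Object."""
    out = []
    for body in sections.get("O2", []):
        m = BHO.match(body)
        if m:
            out.append((m["name"], m["clsid"].upper(), m["path"]))
    return out

def orphaned(sections):
    """Entries marked '(file missing)': leftovers pointing at files no longer on disk."""
    return [(code, body) for code, bodies in sections.items()
            for body in bodies if body.endswith("(file missing)")]

if __name__ == "__main__":
    s = parse_log(SAMPLE_LOG)
    for name, clsid, path in list_bhos(s):
        print("BHO", clsid, name, "->", path)
    for code, body in orphaned(s):
        print("ORPHAN", code, body)
```

The parser only sorts and lists entries; deciding whether a BHO is wanted still means checking its CLSID and DLL path by hand, as done in the post above.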
Vauxhall Omega - Try a Malware scan. This one's really quite good. Download, install and run. See what it picks up.
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.htm
quote:
Originally posted by McLannahan
Vauxhall Omega - Try a Malware scan. This one's really quite good. Download, install and run. See what it picks up.
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.htm
Thanks to all.
Downloaded SUPERAntiSpyware, which found around 200 causes for concern.
160 were cookies and there were a few malware/spyware issues and a trojan.
All of these were missed by Avast and Ad-Aware (although Ad-Aware would not update to the latest software??)
So today all seems bright and rosy and so far after a couple of hours no more issues.
Thanks again
Gary
ETA I did the safe mode things as well as per bmseven's post. The files were created around the same time the problem started. I also went through
HijackThis's log and got rid of all the redundant entries about AVG and Norton in the registry.
So hopefully that'll be that.
[Edited on 1/8/09 by omega 24 v6]
Good stuff. Avast, SAS & hijack work for me (most of the time)