
Author Topic: Sites popup with login prompts, shouldnt be there  (Read 9598 times)


Wormdundee

  • Guest
Sites popup with login prompts, shouldnt be there
« on: January 26, 2007, 08:47:30 PM »
Recently I got several viruses through my own fault (running .exe's that I didn't know what they were, stupid me).

Anyways, I ran a deep scan using Kaspersky's Internet Security 6.0 and found them and got rid of most of them. However, one of the viruses created an icon in the taskbar that looked exactly like the Windows Security Shield icon. It said I was infected and to click on it to fix the problem. So I did that, and it installed some Registry Cleaner. After this happened, the radio in the taskbar for my wireless utility disappeared and I couldn't connect to the Internet at all. I managed to fix that problem using HijackThis, however there is still one little annoying thing.

There are now various sites, that when I try to go to them, will pop up a login prompt that most definitely shouldn't be there. Since I don't know the username or password that I'm supposed to put in, I will always get the Not Authorized browser error. Quite annoying as Google is my favourite search engine. I couldn't find anything else in HijackThis that might be the cause of this, so I'll let you guys look through it.

--------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 7:45:47 PM, on 26/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\FaH\FAH504-Console.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\FaH\FahCore_78.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jdk1.6.0\bin\java.exe
C:\Documents and Settings\Kyle\My Documents\Misc\Alcohol 120%\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\stardock\TrayServer.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Kyle\My Documents\Misc\Rainlendar\Rainlendar.exe
C:\Documents and Settings\Kyle\My Documents\Misc\Rainmeter\Rainmeter.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] "C:\Program Files\Common Files\stardock\TrayServer.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Litestep] "C:\Documents and Settings\Kyle\My Documents\Misc\LiteStep\LiteStep.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

Wormdundee

  • Guest
Re: Sites popup with login prompts, shouldnt be th
« Reply #1 on: January 26, 2007, 08:48:33 PM »
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [kis] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Rainlendar.lnk = C:\Documents and Settings\Kyle\My Documents\Misc\Rainlendar\Rainlendar.exe
O4 - Startup: Rainmeter.lnk = C:\Documents and Settings\Kyle\My Documents\Misc\Rainmeter\Rainmeter.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Kaspersky Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151126695250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1151133692140
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: FAH@C:+Program Files+FaH+FAH504-Console.exe - Stanford University - C:\Program Files\FaH\FAH504-Console.exe
O23 - Service: MSSQL$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: OracleDBConsoleoraclass - Oracle Corporation - C:\oracle\product\10.2.0\db_2\bin\nmesrvc.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraDb10g_home2iSQL*Plus - Oracle - C:\oracle\product\10.2.0\db_2\bin\isqlplussvc.exe
O23 - Service: OracleOraDb10g_home2TNSListener - Unknown owner - C:\oracle\product\10.2.0\db_2\BIN\TNSLSNR.exe
O23 - Service: OracleOraHome92Agent - Oracle Corporation - C:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92HTTPServer - Unknown owner - C:\oracle\ora92\Apache\Apache\apache.exe" --ntservice (file missing)
O23 - Service: OracleOraHome92PagingServer - Unknown owner - C:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\oracle\ora92\BIN\AGNTSVC.EXE

Wormdundee

  • Guest
Re: Sites popup with login prompts, shouldnt be th
« Reply #2 on: January 26, 2007, 08:49:32 PM »
O23 - Service: OracleServiceORACLASS - Oracle Corporation - c:\oracle\product\10.2.0\db_2\bin\ORACLE.EXE
O23 - Service: OracleServiceORACLE - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: SQLAgent$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE" -i MICROSOFTSMLBIZ (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Documents and Settings\Kyle\My Documents\Misc\Alcohol 120%\StarWind\StarWindService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

GX1_Man

  • Guest
Re: Sites popup with login prompts, shouldnt be th
« Reply #3 on: January 27, 2007, 04:40:42 AM »
While we are waiting for a HJT analyzer, did you do all of your scans in safe mode with system restore turned off?

Wormdundee

  • Guest
Re: Sites popup with login prompts, shouldnt be th
« Reply #4 on: January 27, 2007, 11:07:35 AM »
Oh, I didn't do it with system restore turned off. I guess that means that the virus could've hidden itself in the restore eh?
I'll try that while I'm waiting.

GX1_Man

  • Guest
Re: Sites popup with login prompts, shouldnt be th
« Reply #5 on: January 27, 2007, 12:37:00 PM »
Let us know if anything new is found. Safe mode too.  ;)

Wormdundee

  • Guest
Re: Sites popup with login prompts, shouldnt be th
« Reply #6 on: January 27, 2007, 10:05:50 PM »
Right, well, I got the scan done, it didn't find anything when I ran it in Safe Mode with System Restore turned off. So I guess that's good.

However, I still can't get to google so I guess the problem is still there. I was trying a search around to see if anyone else had the same thing happen, and I couldn't find anyone that had the same problem except for one person. The solution that was given to him was apparently to use HijackThis, so I guess that's what I'll have to wait for.

dl65

  • R.I.P.


  • Prodigy

    Thanked: 18
    Re: Sites popup with login prompts, shouldnt be th
    « Reply #7 on: January 28, 2007, 01:35:52 AM »
     Wormdundee......  I had a quick look at your log file and didn't see anything that should cause that issue.......
    Several things you might try ....
    1..... open IE7 and go into tools/internet options and change whatever you're currently using as a home page to google ...... and then see if you can get there that way.......
    2 ..... You mentioned an icon appearing ....can you connect it to any sort of program ?
    3...... Have you looked in control panel / add/remove programs to see if there is anything in there that you don't recall ...possibly some sort of spyware program ?


    let us know if you find anything .

    dl65  ::)
    If you don't know the answer, it isn't a dumb question.

    Wormdundee

    • Guest
    Re: Sites popup with login prompts, shouldnt be th
    « Reply #8 on: January 28, 2007, 03:24:44 PM »
    1. Well I don't use IE7, I use Firefox 2. However, I still tried the idea of setting the home page and it didn't work out. I still got the login prompt.

    2. The icon that was appearing that looked like the shield, I assume that's what you're referring to? I got rid of that using HijackThis at an earlier time, so it's gone and I can't really say what program was creating that icon.

    3. This is where there might be something. I was looking through the add/remove programs list  and I saw TrustIn Contextual, which is definitely not a good thing. I tried removing it using the button, but it didn't do anything. No uninstall window popping up or anything. So I'm not too sure what to do about that.

    dl65

    • R.I.P.


    • Prodigy

      Thanked: 18
      Re: Sites popup with login prompts, shouldnt be th
      « Reply #9 on: January 28, 2007, 05:07:21 PM »
      Wormdundee.....  ok ....will you go into the following location and see if you have any of these entries still in there.

      C:\Program Files\TrustIn Popups
      C:\Program Files\TrustIn Bar
      C:\Program Files\TrustIn Contextual
      C:\Program Files\TrustIn Popups
      C:\Program Files\TrustIn Search


      let us know.

      dl65  ::)




      Wormdundee

      • Guest
      Re: Sites popup with login prompts, shouldnt be th
      « Reply #10 on: January 28, 2007, 11:25:21 PM »
      Nope, don't have any of those. There used to be a TrustIn Contextual folder, which I deleted when I found a whole bunch of dll's related to TrustIn Contextual with HJT.

      Pretty much the only thing that I can find to do with it is the entry in Add/Remove programs. Which just seems a little odd. It still doesn't make much sense to me that this login prompt thing would only appear with certain websites, but eh, I'm not the expert I guess.

      oddjob



        Hopeful

        Thanked: 4
        • Experience: Beginner
        • OS: Windows 7
        Re: Sites popup with login prompts, shouldnt be th
        « Reply #11 on: January 29, 2007, 04:40:45 AM »
        Hi Wormdundee

        I see one thing that immediately concerns me in your log. This entry ....

        C:\Program Files\Java\jdk1.6.0\bin\java.exe

        This is NOT the usual legit java.


        Go to this site ....

        http://www.virustotal.com/en/indexf.html

        Browse to that suspect "java.exe" file and upload it for inspection.

        Please post the results back with a new HJT log and an update on how things are working now.


        OJ

        Wormdundee

        • Guest
        Re: Sites popup with login prompts, shouldnt be th
        « Reply #12 on: January 29, 2007, 09:43:37 AM »
        Well, I'm in the queue for checking now, but in the meantime I've gotten a BSOD. Not sure if it's related but I think it could be.

        It looks like this:

        DRIVER_IRQL_NOT_LESS_OR_EQUAL

        Then it's got the standard stuff about if you've installed new hardware and such.

        Technical Information
            STOP: hex# (4 more hex numbers separated by ,'s)

        Then there's a mention of NDIS.sys and an address in it.

        Wormdundee

        • Guest
        Re: Sites popup with login prompts, shouldnt be th
        « Reply #13 on: January 29, 2007, 09:54:01 AM »
        When the computer booted up again after the BSOD I got something about how it had recovered from a serious error and that windows had started in Selective Startup, and that I could switch it to normal startup if I wanted to roll back over all changes made.

        Finished scanning the java and it came up clean.

        Logfile of HijackThis v1.99.1
        Scan saved at 8:52:24 AM, on 29/01/2007
        Platform: Windows XP SP2 (WinNT 5.01.2600)
        MSIE: Internet Explorer v7.00 (7.00.5730.0011)

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
        C:\WINDOWS\System32\WLTRYSVC.EXE
        C:\WINDOWS\System32\bcmwltry.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
        C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
        C:\WINDOWS\Explorer.EXE
        C:\Program Files\FaH\FAH504-Console.exe
        C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
        C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
        C:\Program Files\FaH\FahCore_78.exe
        C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
        C:\oracle\product\10.2.0\db_2\bin\isqlplussvc.exe
        C:\oracle\product\10.2.0\db_2\BIN\TNSLSNR.exe
        c:\oracle\product\10.2.0\db_2\bin\ORACLE.EXE
        C:\Program Files\Java\jdk1.6.0\bin\java.exe
        C:\Documents and Settings\Kyle\My Documents\Misc\Alcohol 120%\StarWind\StarWindService.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\system32\inetsrv\inetinfo.exe
        C:\Program Files\Common Files\stardock\TrayServer.exe
        C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
        C:\WINDOWS\system32\WLTRAY.exe
        C:\WINDOWS\stsystra.exe
        C:\Program Files\Dell\QuickSet\quickset.exe
        C:\WINDOWS\system32\dla\tfswctrl.exe
        C:\WINDOWS\system32\hkcmd.exe
        C:\WINDOWS\system32\igfxpers.exe
        C:\Program Files\Microsoft IntelliPoint\point32.exe
        C:\Program Files\Java\jre1.6.0\bin\jusched.exe
        C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
        C:\WINDOWS\system32\ctfmon.exe
        C:\Program Files\MSN Messenger\msnmsgr.exe
        C:\Documents and Settings\Kyle\My Documents\Misc\Rainlendar\Rainlendar.exe
        C:\Documents and Settings\Kyle\My Documents\Misc\Rainmeter\Rainmeter.exe
        C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
        C:\Program Files\Mozilla Firefox\firefox.exe
        C:\WINDOWS\system32\svchost.exe
        C:\Program Files\HijackThis\HijackThis.exe

        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
        O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
        O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
        O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
        O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
        O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] "C:\Program Files\Common Files\stardock\TrayServer.exe"
        O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
        O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
        O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
        O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
        O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
        O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
        O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
        O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
        O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
        O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
        O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
        O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
        O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
        O4 - HKLM\..\Run: [kis] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
        O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
        O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
        O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5
        O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
        O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
        O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
        O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

        Wormdundee

        • Guest
        Re: Sites popup with login prompts, shouldnt be th
        « Reply #14 on: January 29, 2007, 09:54:19 AM »
        O4 - Startup: Rainlendar.lnk = C:\Documents and Settings\Kyle\My Documents\Misc\Rainlendar\Rainlendar.exe
        O4 - Startup: Rainmeter.lnk = C:\Documents and Settings\Kyle\My Documents\Misc\Rainmeter\Rainmeter.exe
        O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
        O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
        O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
        O8 - Extra context menu item: Add to Kaspersky Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
        O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
        O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
        O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
        O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
        O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O11 - Options group: [INTERNATIONAL] International*
        O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
        O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
        O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151126695250
        O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1151133692140
        O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
        O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
        O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
        O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
        O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
        O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
        O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
        O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
        O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
        O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
        O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
        O23 - Service: FAH@C:+Program Files+FaH+FAH504-Console.exe - Stanford University - C:\Program Files\FaH\FAH504-Console.exe
        O23 - Service: MSSQL$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ (file missing)
        O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
        O23 - Service: OracleDBConsoleoraclass - Oracle Corporation - C:\oracle\product\10.2.0\db_2\bin\nmesrvc.exe
        O23 - Service: OracleOraDb10g_home2iSQL*Plus - Oracle - C:\oracle\product\10.2.0\db_2\bin\isqlplussvc.exe
        O23 - Service: OracleOraDb10g_home2TNSListener - Unknown owner - C:\oracle\product\10.2.0\db_2\BIN\TNSLSNR.exe
        O23 - Service: OracleServiceORACLASS - Oracle Corporation - c:\oracle\product\10.2.0\db_2\bin\ORACLE.EXE
        O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Documents and Settings\Kyle\My Documents\Misc\Alcohol 120%\StarWind\StarWindService.exe
        O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
        O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

        oddjob



          Hopeful

          Thanked: 4
          • Experience: Beginner
          • OS: Windows 7
          Re: Sites popup with login prompts, shouldnt be th
          « Reply #15 on: January 29, 2007, 11:41:31 AM »
          Hi

          Your reply in post #12 indicates a problem with hardware, typically a network card or video card & driver but it may be difficult to track down.

          Apart from the java issue I mentioned the log is OK. (I did notice your comment that the virustotal scan came up clean).

          Have you updated any drivers recently? Are you still getting the same browsing pop up trouble you had in your first post?


          OJ
          « Last Edit: January 29, 2007, 11:48:36 AM by oddjob »
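Added example, not part of the original thread or any poster's code: a small Python triage of the two HijackThis logs posted above, run on shortened excerpts of them. It diffs the entries between the 26/01 and 29/01 scans and checks every "(no file)" / "(file missing)" entry against the running-process list; the function names are illustrative.

```python
import re

# Shortened excerpts of the two HijackThis logs posted in this thread.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 7:45:47 PM, on 26/01/2007

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\Java\jdk1.6.0\bin\java.exe

R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O4 - HKLM\..\Run: [Litestep] "C:\Documents and Settings\Kyle\My Documents\Misc\LiteStep\LiteStep.exe"
O4 - HKLM\..\Run: [kis] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: MSSQL$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ (file missing)
O23 - Service: OracleOraHome92HTTPServer - Unknown owner - C:\oracle\ora92\Apache\Apache\apache.exe" --ntservice (file missing)
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 8:52:24 AM, on 29/01/2007

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Java\jdk1.6.0\bin\java.exe

O4 - HKLM\..\Run: [kis] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: MSSQL$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ (file missing)
"""

# "R3 - ...", "O4 - ...", "O23 - ...": section code, then the entry body.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
# First drive-letter path ending in .exe/.dll inside an entry body.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)", re.IGNORECASE)


def parse_hjt(text):
    """Return (set of lower-cased running process paths, list of (code, body))."""
    processes, entries, in_procs = set(), [], False
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            processes.add(line.lower())
    return processes, entries


def diff_entries(before, after):
    """Entries that appeared or disappeared between two scans, in log order."""
    b, a = set(before), set(after)
    added = [e for e in after if e not in b]
    removed = [e for e in before if e not in a]
    return added, removed


def dangling(entries, processes):
    """Entries tagged '(no file)' or '(file missing)'.

    Each result is (code, body, running). running=True means the binary the
    entry points at is in the same log's process list, so the tag cannot be
    taken at face value for that entry.
    """
    out = []
    for code, body in entries:
        if "(no file)" in body or "(file missing)" in body:
            m = PATH_RE.search(body)
            running = bool(m) and m.group(0).lower() in processes
            out.append((code, body, running))
    return out


if __name__ == "__main__":
    procs_b, ent_b = parse_hjt(LOG_BEFORE)
    procs_a, ent_a = parse_hjt(LOG_AFTER)
    added, removed = diff_entries(ent_b, ent_a)
    for code, body in added:
        print("ADDED  ", code, body)
    for code, body in removed:
        print("REMOVED", code, body)
    for code, body, running in dangling(ent_a, procs_a):
        tag = "binary is running" if running else "nothing running from this path"
        print("DANGLING", code, "->", tag, "|", body)
```

On these excerpts the Kaspersky service is tagged "(file missing)" in both scans while avp.exe is in the process list, so the entries worth a second look are the ones where nothing is running from the referenced path, plus whatever the diff shows as new.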

          Wormdundee

          • Guest
          Re: Sites popup with login prompts, shouldnt be th
          « Reply #16 on: January 29, 2007, 04:39:20 PM »
          Nope, pretty sure I haven't done any driver updating or anything like that.

          As for the browsing popup trouble, yeh, still got that stupid login prompt.

          oddjob



            Hopeful

            Thanked: 4
            • Experience: Beginner
            • OS: Windows 7
            Re: Sites popup with login prompts, shouldnt be th
            « Reply #17 on: January 30, 2007, 03:09:37 AM »
            Despite having already removed TrustIn Contextual it may still be causing a problem behind the scenes. Let's look at it.

            Read through this fix and put it into action.......

            http://www.bleepingcomputer.com/forums/topic54501.html#fix

            If this fixes the pop up ... just let us know.


            If NOT ... Download Ewido/AVG Anti Spyware from here ….

            http://www.ewido.net/en/

            It has a fully working 30 day trial period.

            Install it and update it to the latest definitions.

            Do NOT use it yet.


            Now boot to safe mode. Here’s a “how to” if you’re not sure ..

            http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406


            When in safe mode run a full system scan with AVGAS and let it fix what it wants to.

            REMEMBER TO SAVE THE SCAN REPORT and also remember where you saved it.

            [FOOTNOTE > this is a good program to use as an “on demand” scanner even after the trial period is over. Keep it updated and use it to scan your computer from time to time].


            Next post a fresh HJT log here with the AVGAS scan report and another update on how things are going.



            OJ

            Wormdundee

            • Guest
            Re: Sites popup with login prompts, shouldnt be th
            « Reply #18 on: January 31, 2007, 09:37:25 AM »
            Well things have changed themselves a bit. I don't get the login prompt on any of the websites anymore. Now I just get a Problem Loading Page - Connection was Reset problem on those specific sites.

            Unfortunately, bleepingcomputer is one of those websites that gets that error, so I can't really go and read the instructions.
            Also, I now get the Blue Screen of Death every time I come back from a hibernation.

            I don't really want to do anything else until I try that bleepingcomputer thing that you mentioned. So I dunno, I guess you could repost it here or something.

            oddjob



              Re: Sites popup with login prompts, shouldnt be th
              « Reply #19 on: January 31, 2007, 11:44:35 AM »
              First follow these instructions (if possible)....

              Print out these instructions as we will need to close every window that is open later in the fix.

              Download SmitRem.exe from here to your Desktop …..

              http://www.downloads.subratam.org/smitRem.exe


              Double-click the smitRem.exe and it will extract the files to a smitRem folder on your Desktop. Do not run it yet.

              Download FixTC.reg to your desktop by right clicking on the following link and then selecting Save Link As or Save File as, depending on your browser.

              http://download.bleepingcomputer.com/reg/FixTC.reg

              Confirm that the file FixTC.reg now resides on your desktop as we will need it later.

              Reboot to safe mode.

              Log on to your user account.

              Open the smitfraud folder then double click the RunThis.bat file to start the tool.
              The scan log is saved here … log C:\smitfiles.txt

              ***************

              Now the “copied” fix instructions from Bleeping Computer, as you suggested ….


              1. Click on the Start Menu
              2. Click on the Control Panel option.
              3. Double-click on the Add or Remove Programs icon.
              4. Look again for any/all of the following entries and double-click on each of them. Follow the prompts to uninstall the programs, but do not allow it to reboot the computer if it asks. If after you uninstall a particular entry below it still remains, double-click on the entry again to remove it.

              Trust Cleaner
              TrustIn Bar
              TrustIn Contextual Ads
              Trustin Popups
              TrustIn Search Assistant
              Trust Cleaner Promo


              5. When it has completed uninstalling you can close Add or Remove Programs and your Control Panel.

              6. Go to your desktop and double click on the FixTC.reg file that you downloaded earlier. When it asks if you would like to merge the information, press the Yes button and then the OK button.

              7. Delete the following files and folders (Do not be concerned if a folder or file does not exist):

              C:\Program Files\TrustIn Popups
              C:\Program Files\TrustIn Bar
              C:\Program Files\TrustIn Contextual
              C:\Program Files\TrustIn Popups
              C:\Program Files\TrustIn Search
              %Temp%\wschtm35.dll
              %Temp%\srsvc.exe
              C:\WINDOWS\local.html
              C:\WINDOWS\SYSTEM32\tisa.dll
              C:\WINDOWS\SYSTEM32\lut.dat
              C:\WINDOWS\SYSTEM32\tisa.cnf
              C:\WINDOWS\SYSTEM32\ticads.exe
              C:\WINDOWS\SYSTEM32\tctool.exe
              C:\WINDOWS\SYSTEM32\ticont.dll
              C:\WINDOWS\SYSTEM32\tpopup.exe
              C:\WINDOWS\SYSTEM32\tconini.dat
              C:\WINDOWS\SYSTEM32\lcch.dat
              C:\WINDOWS\onlineshopping.ico
              C:\WINDOWS\removeadware.ico
              C:\WINDOWS\sexpersonals.ico
              C:\WINDOWS\local.html
              C:\WINDOWS\SYSTEM32\tu.exe
              C:\WINDOWS\SYSTEM32\ttu.exe
              C:\WINDOWS\se_spoof.dll
              C:\WINDOWS\inetloader.dll
              C:\Windows\mxd.exe
              C:\Windows\tse.exe
              C:\Windows\trustinbar.exe
              C:\Windows\ads.js
              C:\WINDOWS\videoslots.ico

              8. Delete these icons from your Desktop:

              Online Shopping.url
              Remove Adware.url
              Sex Personals.url
              Video Slots.url


              9. Close all open Windows.
              10. Reboot your computer back to normal mode.
              11. Download the ATF-Cleaner to your desktop from the following link:

              http://www.atribune.org/ccount/click.php?id=1

              When it is downloaded to your desktop, double-click on the program to run it. Select the box labeled Select All and then press the Empty Selected button. When it is done you can close the program.

              ***************

              Perform an online scan with Panda ......

              http://www.pandasoftware.com/products/activescan.htm

              1. Once you are on the Panda site click the Scan your PC button
              2. A new window will open...click the Check Now button
              3. Enter your Country
              4. Enter your State/Province
              5. Enter your e-mail address and click send
              6. Select either Home User or Company
              7. Click the big Scan Now button
              8. If it wants to install an ActiveX component allow it
              9. It will start downloading the files it requires for the scan (Note: It may take a few minutes)
              10. When download is complete, click on Local Disks to start the scan

              Your computer should now be free of the Trust Cleaner infection.

              ***************

              Please "copy/paste" the contents of the log C:\smitfiles.txt and a fresh HijackThis log.


              Please tell us how the computer is operating now.


              OJ

              « Last Edit: January 31, 2007, 11:53:05 AM by oddjob »
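
A way to confirm that step 7 of the fix above actually removed everything, shown as an added example that is not part of oddjob's post or the Bleeping Computer instructions. The function names are hypothetical and `STEP7_PATHS` is a subset of the paths listed in the post; it expands `%Temp%`, collapses the entries the list repeats, and reports what is still on disk.

```python
import ntpath
import os
import re

# Paths copied from step 7 of the post above (a subset; extend with the rest).
STEP7_PATHS = [
    r"C:\Program Files\TrustIn Popups",
    r"C:\Program Files\TrustIn Bar",
    r"C:\Program Files\TrustIn Popups",   # listed twice in the post
    r"%Temp%\wschtm35.dll",
    r"%Temp%\srsvc.exe",
    r"C:\WINDOWS\local.html",
    r"C:\WINDOWS\SYSTEM32\tisa.dll",
    r"C:\Windows\trustinbar.exe",
    r"C:\WINDOWS\local.html",             # listed twice in the post
]

def expand(path, env):
    """Expand %VAR% references case-insensitively, as cmd.exe does."""
    lookup = {k.upper(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lookup.get(m.group(1).upper(), m.group(0)), path)

def normalise(paths, env):
    """Expand variables and drop duplicates (Windows paths ignore case)."""
    seen, out = set(), []
    for p in paths:
        full = ntpath.normpath(expand(p, env))
        key = full.lower()
        if key not in seen:
            seen.add(key)
            out.append(full)
    return out

def leftovers(paths, env=None, exists=os.path.exists):
    """Return the listed files and folders that are still present on disk."""
    env = os.environ if env is None else env
    return [p for p in normalise(paths, env) if exists(p)]

if __name__ == "__main__":
    remaining = leftovers(STEP7_PATHS)
    for p in remaining:
        print("STILL PRESENT:", p)
    print(len(remaining), "listed paths remain")
```

Run it on the affected machine after the reboot in step 10; any path it prints should be deleted by hand or mentioned when posting the next log.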