
strange popups randomly.. HJT log


WutangFlu


Logfile of HijackThis v1.99.1
Scan saved at 10:09:37 PM, on 7/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss[Caution: Executable File]
C:\WINDOWS\system32\winlogon[Caution: Executable File]
C:\WINDOWS\system32\services[Caution: Executable File]
C:\WINDOWS\system32\lsass[Caution: Executable File]
C:\WINDOWS\system32\svchost[Caution: Executable File]
C:\WINDOWS\System32\svchost[Caution: Executable File]
C:\Program Files\Common Files\Symantec Shared\ccSetMgr[Caution: Executable File]
C:\Program Files\Common Files\Symantec Shared\SNDSrvc[Caution: Executable File]
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr[Caution: Executable File]
C:\WINDOWS\Explorer[Caution: Executable File]
C:\WINDOWS\system32\LEXBCES[Caution: Executable File]
C:\WINDOWS\system32\LEXPPS[Caution: Executable File]
C:\WINDOWS\system32\spoolsv[Caution: Executable File]
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc[Caution: Executable File]
C:\WINDOWS\System32\svchost[Caution: Executable File]
C:\Program Files\Norton AntiVirus\navapsvc[Caution: Executable File]
C:\Program Files\Trillian Pro\trillian[Caution: Executable File]
C:\Program Files\Norton AntiVirus\IWP\NPFMntor[Caution: Executable File]
C:\WINDOWS\system32\svchost[Caution: Executable File]
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc[Caution: Executable File]
C:\Program Files\Winamp\winamp[Caution: Executable File]
C:\Program Files\Mozilla Firefox\firefox[Caution: Executable File]
C:\Documents and Settings\Pink Floyd\My Documents\Misc\Sys-tools\HijackThis[Caution: Executable File]

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.deviantart.com/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian Pro\trillian[Caution: Executable File]
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc[Caution: Executable File]
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr[Caution: Executable File]
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc[Caution: Executable File]
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr[Caution: Executable File]
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT[Caution: Executable File]
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES[Caution: Executable File]
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1[Caution: Executable File]
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc[Caution: Executable File]
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor[Caution: Executable File]
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan[Caution: Executable File]
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ[Caution: Executable File]
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc[Caution: Executable File]
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc[Caution: Executable File]
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc[Caution: Executable File]

popup is random, usually I click on a folder and it comes up.. not always though

it's something about system security, and it asks me to download something, then a message window pops up that says stuff about security and gives you a (ok) (cancel) option, then I click cancel, and another comes up, and it only has an (ok) option, then I just X out of it.


Eek, I 'think' I know what you have. However, I can't read HijackThis logs so I'm not going to be able to offer much advice at all.

I got something like that before. I was trying to play a video and it asked me to download some codec for Windows Media Player. Well, I figured it was normal because WMP never seems to work right online for me anyways. Downloaded it and all of a sudden I started getting random security popups (like you are).

Whatever you do don't accept some of that stuff, it will get you in even worse trouble. However, I'd wait for someone who knows how to fix it to fix it. :oops:


I was going to block the URL from the popup in my hosts file, but I went into Spybot and updated it, and messed with some stuff there, and I think I MAY have helped, but I doubt...

I had a crazy thing going before I did that, 50+ popups... and I press control-alt-delete, and they ALL disappear.. without me ending any processes, or anything.

(the 50+ popups came after one of the other adverts disappears from my task bar)

these popups were blank with a 404 error.


The HijackThis log looks clean.

Have you scanned with Spybot, Ad-Aware and your virus scanner?

 

 

 

yes for all three, but NOT in safe mode..

the popups seemed to have stopped since I blocked in the hosts file.

I'll give it a few more days and see what happens, if it doesn't I'll do a full system scan with everything in safe mode, but right now I'm busy doing things :P


C:\Program Files\Trillian Pro\trillian.e3e (CAUTION - executable file)

It says you have trillian pro... did you actually pay for that or is it 3rd party warez stuff? If the latter, it could have come bundled with some unwanteds!!1111 :cry:

...


Eek, I 'think' I know what you have. However, I can't read HijackThis logs so I'm not going to be able to offer much advice at all.

I got something like that before. I was trying to play a video and it asked me to download some codec for Windows Media Player. Well, I figured it was normal because WMP never seems to work right online for me anyways. Downloaded it and all of a sudden I started getting random security popups (like you are).

Whatever you do don't accept some of that stuff, it will get you in even worse trouble. However, I'd wait for someone who knows how to fix it to fix it. :oops:

he doesn't have ATMCLk, (I got the same thing and I'm still having trouble) it appears in HijackThis, but he's having the same symptoms...



C:\Program Files\Trillian Pro\trillian.e3e (CAUTION - executable file)

It says you have trillian pro... did you actually pay for that or is it 3rd party warez stuff? If the latter, it could have come bundled with some unwanteds!!1111 :cry:

all I'm gunna say to that is NO for the bolded part.


erm are those pop-ups from winantivirus pro 2006 or something like that?

if it is it's the new smitfraud variant.

I don't know why it appears randomly but you usually get pop-ups like those when you visit rapidshare without a pop-up blocker..

Just a few weeks ago, before I secured my laptop, I intentionally got myself with as much junk as my laptop can handle...

If you want a ready made set of hosts files you can find a pretty good one here:

http://www.mvps.org/winhelp2002/hosts.htm

That one blocked out all the Ads plus all the other things on my desktop.


erm are those pop-ups from winantivirus pro 2006 or something like that?

if it is it's the new smitfraud variant.

I don't know why it appears randomly but you usually get pop-ups like those when you visit rapidshare without a pop-up blocker..

Just a few weeks ago, before I secured my laptop, I intentionally got myself with as much junk as my laptop can handle...

If you want a ready made set of hosts files you can find a pretty good one here:

http://www.mvps.org/winhelp2002/hosts.htm

That one blocked out all the Ads plus all the other things on my desktop.

Thanks, I'll keep that website you gave me in mind if something happens again.

I think I fixed it. The popup was something similar to what you said "winantivirus", and I think my Spybot update helped after locking my hosts file, and immunizing. And it happened in FF and IE, and my Adblock updated recently, and it hasn't happened since.

