nando

Unwanted popup closing IE browser

6 posts in this topic

Each time I close the IE browser, http://www.funcionamiento-con-la-tijera.com/go.php?|=0009 appears.

That creates 7 entries in the registry (French version), detected and destroyed by Spybot S&D:

AdRoarPlugin: Type library (register key,nothing done)
HKEY_CLASSES_ROOT\TYPELib\{48E59290-9880-11CF-9754-00AA00C00908}

AdRoarPlugin:Class ID (register key,nothing done)
HKEY_CLASSES_ROOT\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}

AdRoarPlugin:Class ID (register key,nothing done)
HKEY_CLASSES_ROOT\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}

AdRoarPlugin:Class ID (register key,nothing done)
HKEY_CLASSES_ROOT\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}

AdRoarPlugin:Interface (register key,nothing done)
HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}

AdRoarPlugin:Interface (register key,nothing done)
HKEY_CLASSES_ROOT\Interface\{48E59291-9880-11CF-9754-00AA00C00908}

WinPup:Réglages (clé du registre,nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\current\Version\explorer\pup

Spybot deletes those entries, but they come back each time I close IE.

Because this malware operates when IE closes, FindnFix.exe and HijackThis.exe didn't find anything vicious.

The Tweak Pro popup blocker doesn't operate efficiently.

There is a variant running like the above-mentioned one.

"Warning, if your computer has been running slower than normal, it may be infected with adware or spyware. To scan your computer for such infections, click "YES" below."

When you click No, it opens the page http://www.spyware-Stormer.com or an ad screen saver window.

If anyone has resolved the same problem and can tell me about it, I thank him.

Hi,

WinPup:Réglages (clé du registre,nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\current\Version\explorer\pup

"nothing done" = not selected; you must select each item for removal.

The WinPup trojan runs silently from the Windows folder.

In most cases one or more of the "clones" in the "System32" folder will show up in a HijackThis log. These are usually "65,536" bytes. Note: the clones will generate a new filename on each restart, so a restart in Safe Mode won't catch all the files unless you kill them all.

Restart in Safe Mode [required step - see "How To" below]

Start | Run (type) "%temp%" (no quotes)
Completely delete the entire contents of that "temp" folder.

Open Windows Explorer, locate and delete the following (if they exist):

Windows (folder)

24,576 bookmarks.exe
65,536 actulice.exe < new version
65,536 pup.exe
65,536 over.exe < old version
65,536 winpup.exe < old version

Then check the Windows\System32 folder:
Click "sort by size" (Date Modified) right pane
Delete the clones, they should all be grouped together. (65,536)
Note: right-click and select: Properties | Version
The culprit = "CompanyName : thunderdome" or totempole < older version

[Example]
CompanyName : thunderdome
InternalName : actulice
OriginalFilename : actulice.exe

Next run SpyBot in Safe Mode, fix any items found and then ...

Restart normally and post a HijackThis log ...

Download HijackThis! 1.98
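A triage script for the clone hunt described in the post above, added here as an example and not part of the post, of Spybot or of HijackThis. It lists every file of the quoted size (65,536 bytes) in a folder and reads the CompanyName out of the PE version resource with a plain byte search, so it can be run against a copied System32 folder from any OS rather than clicking through Properties | Version file by file. The folder, the constructed sample files and the byte-search heuristic are this example's own assumptions.

```python
"""Hunt for WinPup "clones" by size and CompanyName.

Added example, not part of the forum post and not Spybot or HijackThis
code. It lists files of the size quoted in the post (65,536 bytes) and
reads the CompanyName string from the PE version resource with a plain
byte search, so it works on a copied System32 folder from any OS.
The folder, the sample files and the byte-search heuristic are this
example's own assumptions.
"""
import os
import tempfile
from typing import List, Optional, Tuple

SUSPECT_SIZE = 65_536                               # size quoted in the post
SUSPECT_COMPANIES = {"thunderdome", "totempole"}    # names quoted in the post


def company_name(path: str) -> Optional[str]:
    """Return the CompanyName value from a PE version resource, or None.

    Heuristic, not a full VS_VERSIONINFO parser: a String entry is
    6 header bytes, the UTF-16LE key "CompanyName" plus NUL (24 bytes),
    2 bytes of DWORD padding, then the UTF-16LE value ending in NUL.
    A file could carry that byte pattern elsewhere, so treat the result
    as a pointer for manual review, not proof.
    """
    key = "CompanyName".encode("utf-16-le") + b"\x00\x00"
    with open(path, "rb") as fh:
        data = fh.read()
    pos = data.find(key)
    if pos < 0:
        return None
    pos += len(key) + 2                             # skip key and 2-byte padding
    units = []
    while pos + 1 < len(data):
        unit = data[pos:pos + 2]
        if unit == b"\x00\x00":                     # UTF-16 terminator
            break
        units.append(unit)
        pos += 2
    return b"".join(units).decode("utf-16-le", errors="replace")


def find_clones(folder: str, size: int = SUSPECT_SIZE) -> List[Tuple[str, Optional[str]]]:
    """Return (path, CompanyName) for files of `size` bytes whose CompanyName
    is one of the suspect names. The clones get a new filename on every
    restart, so the name is deliberately never used as a criterion."""
    hits = []
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if not os.path.isfile(path) or os.path.getsize(path) != size:
            continue
        company = company_name(path)
        if company is not None and company.lower() in SUSPECT_COMPANIES:
            hits.append((path, company))
    return hits


def _fake_pe(company: str, size: int) -> bytes:
    """Constructed stand-in for an executable: MZ header, filler, and one
    CompanyName string laid out like a VS_VERSIONINFO String entry."""
    entry = (b"\x00" * 6                            # wLength/wValueLength/wType
             + "CompanyName".encode("utf-16-le") + b"\x00\x00"
             + b"\x00\x00"                          # DWORD padding
             + company.encode("utf-16-le") + b"\x00\x00")
    body = b"MZ" + b"\x90" * 1024 + entry
    return body + b"\x00" * (size - len(body))


def build_sample(folder: str) -> None:
    """Write constructed sample files: one clone and two benign look-alikes."""
    samples = {
        "xqzt.exe": _fake_pe("thunderdome", SUSPECT_SIZE),        # random-looking clone name
        "NeroCheck.exe": _fake_pe("Example Vendor", SUSPECT_SIZE),  # same size, other vendor
        "over.exe": _fake_pe("thunderdome", 4096),                  # right name, wrong size
    }
    for name, blob in samples.items():
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(blob)


def demo() -> List[Tuple[str, Optional[str]]]:
    """Run the hunt over a temporary folder of constructed samples."""
    with tempfile.TemporaryDirectory() as folder:
        build_sample(folder)
        return [(os.path.basename(p), c) for p, c in find_clones(folder)]


if __name__ == "__main__":
    for name, company in demo():
        print(f"{name}: {SUSPECT_SIZE} bytes, CompanyName={company!r}")
```

Point `find_clones` at a copy of the System32 folder instead of the temporary directory to use it for real; a hit means "open Properties | Version and look", since a byte pattern can sit in a file for other reasons.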

Thank you for your answer.

I followed your instructions and the result is positive.

Here is the HijackThis log:

Logfile of HijackThis v1.98.0
Scan saved at 15:17:41, on 2/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\Program Files\Copernic Agent\Web\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.free.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://freebox.free.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://freebox.free.fr/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [sigmaTel StacMon] C:\Program Files\SigmaTel\C-Major Audio\stacmon.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\drag'n drop cd+dvd\BinFiles\DragDrop.exe /StartUp
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Desktop Architect] "C:\Program Files\Desktop Architect\datray.exe" -S
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Mail Direct] E:\sauvegardes D\maildirectpro1.7\MADYPRO.EXE
O4 - HKCU\..\Run: [Pop-Up-Blocker] "C:\Program Files\Tweak-XP Pro\popup.exe"
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Fichiers communs\Autodesk Shared\acstart16.exe
O4 - Global Startup: Gestionnaire de APM.lnk = C:\Program Files\Namo\WebBoard Trial\Bin\APMTool.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PowerPanel.lnk = C:\Program Files\powerpanel\Program\PcfMgr.exe
O8 - Extra context menu item: Chercher avec Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {0BCBCDD8-E5D9-417D-A752-C2DA929A21BF} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O9 - Extra 'Tools' menuitem: Veille de la page avec Copernic Agent - {0BCBCDD8-E5D9-417D-A752-C2DA929A21BF} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Démarrer Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Créer un Favori de l'appareil mobile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Créer un Favori de l'appareil mobile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O14 - IERESET.INF: START_PAGE_URL=http://freebox.free.fr/

Thank you very much.
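Reading a HijackThis log like the one above by hand means scanning each entry for a few patterns: an entry that points at a file that no longer exists, a default value that is missing, and autoruns launched straight out of the Windows folder, which is where the post above says the WinPup clones live. The script below, added here as an example and not part of the post or of HijackThis, parses the "Xn - ..." line format and applies those three rules. The sample log is a constructed excerpt in the same format as the posted one, and the review rules and the `autorun_target` path extraction are this example's own heuristics.

```python
"""Parse a HijackThis 1.98 log and list the entries worth a second look.

Added example, not part of the forum post and not HijackThis code. The
sample log is a constructed excerpt in the same line format as the log
posted above; the review rules are this example's own heuristics and
mirror what the helper checked by hand (stale entries, a missing default
value, autoruns launched straight out of the Windows folder).
"""
import re
from typing import List, NamedTuple, Optional

SAMPLE_LOG = r"""Logfile of HijackThis v1.98.0
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\Program Files\Copernic Agent\Web\SearchBar.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Pop-Up-Blocker] "C:\Program Files\Tweak-XP Pro\popup.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""


class Entry(NamedTuple):
    code: str      # HijackThis section, e.g. R3 or O4
    body: str      # everything after "Xn - "


class Finding(NamedTuple):
    code: str
    target: str
    reason: str


ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# first program path in a command line, quoted or not (stops at the extension)
PROG_RE = re.compile(r'^\s*"?(.+?\.(?:exe|dll|com|scr|bat))"?', re.IGNORECASE)
# a file sitting directly in C:\WINDOWS or C:\WINDOWS\System32
WINDIR_RE = re.compile(r"^[a-z]:\\windows\\(?:system32\\)?[^\\]+$", re.IGNORECASE)


def parse_log(text: str) -> List[Entry]:
    """Keep only the "Xn - ..." entry lines; header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def autorun_target(body: str) -> Optional[str]:
    """Program launched by an O4 entry ("[name] cmd" for Run keys,
    "x.lnk = cmd" for Startup folders). For rundll32 the loaded DLL is
    reported rather than rundll32 itself, since that is the real payload."""
    _, sep, cmd = body.partition("] ")
    if not sep:
        _, sep, cmd = body.partition(" = ")
    if not sep:
        return None
    m = PROG_RE.match(cmd)
    if not m:
        return None
    target = m.group(1)
    if target.lower().endswith("rundll32.exe"):
        m2 = PROG_RE.match(cmd[m.end():])
        if m2:
            target = m2.group(1)
    return target


def review(entries: List[Entry]) -> List[Finding]:
    """Apply the review rules; a finding is a prompt to look, not a verdict."""
    findings = []
    for code, body in entries:
        if "(no file)" in body:
            findings.append(Finding(code, body, "points at a file that no longer exists"))
        elif body.endswith("is missing"):
            findings.append(Finding(code, body, "default value missing; let HijackThis fix it"))
        elif code == "O4":
            target = autorun_target(body)
            if target and WINDIR_RE.match(target):
                findings.append(Finding(code, target,
                                        "autorun straight from the Windows folder: "
                                        "check its size and CompanyName"))
    return findings


if __name__ == "__main__":
    for f in review(parse_log(SAMPLE_LOG)):
        print(f"{f.code}: {f.target}\n    -> {f.reason}")
```

On the constructed sample this reports the missing URLSearchHook (R3), the two autoruns living in System32 (NeroCheck.exe and NvCpl.dll, both legitimate in the posted log but exactly the location where a clone would sit) and the stale O9 button; feed it the full log from the post by replacing `SAMPLE_LOG`.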

Hi,

Your log is clean now ... good job!

Just one minor item, have HijackThis "fix" the following (and reboot):

R3 - Default URLSearchHook is missing

Last Step:

"Flush System Restore" (see "How To" below)
Basically turn off System Restore, reboot, run a full AVG scan, reboot, and turn System Restore back on and create a new Restore Point.

I would suggest adding some "Defense" to your system ...
How To: Prevent this from happening again? :wave:

Thank you for your help. I read "How to prevent this from happening again?"
Very interesting, a lot of things to know, to learn and to send to friends. :dumb::hyper:
