Get tons of random popups, even without explorer window open

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by GMXMan, Jul 10, 2004.

  1. GMXMan

    GMXMan Private E-2

    I constantly run Adaware and Spybot, but they can't seem to get rid of these random popups..

    Logfile of HijackThis v1.98.0
    Scan saved at 7:24:27 PM, on 7/10/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nrmwkff.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\hijack\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
    O2 - BHO: (no name) - SOFTWARE - (no file)
    O2 - BHO: VoiceIPObj Class - {00000250-0320-4DD4-BE4F-7566D2314352} - C:\WINDOWS\VoiceIP.dll
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SDWin32 Class - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\System32\SWin32.dll
    O2 - BHO: E.HH - {9E992732-295F-4987-8BE3-16FAC1639198} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [hzcyfoyflrmny] C:\WINDOWS\System32\nrmwkff.exe
    O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
    O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe


    Thanks.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Open Task Manager (CTRL-ALT-DEL) see if you can find the below process running:
    C:\WINDOWS\System32\nrmwkff.exe

    if so, kill it.

    Shut down Internet Explorer and run HijaakThis again. Have it fix the following:

    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
    O2 - BHO: (no name) - SOFTWARE - (no file)
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
    O2 - BHO: SDWin32 Class - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\System32\SWin32.dll

    I'm not positive about these next two lines with IEService.dll but everything I see said to remove it. Unless you know what it is, I would remove it too.
    O2 - BHO: E.HH - {9E992732-295F-4987-8BE3-16FAC1639198} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.dll
    O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe

    O4 - HKLM\..\Run: [hzcyfoyflrmny] C:\WINDOWS\System32\nrmwkff.exe
    O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe

    Now disable system restore: http://www.majorgeeks.com/vb/showthread.php?t=31668 but don't reboot until reading the next line because I want you to reboot in safe mode.

    Now boot in safe mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam

    And delete the following:
    C:\Program Files\TV Media <--- the whole directory
    C:\WINDOWS\System32\nrmwkff.exe <--- just this file

    And if you decided to remove that IEService lines then delete the following directory:
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1

    And read this on that VoiceIP stuff (sounds bad to me). What are you doing making Internet phone calls?
    http://www.netrn.net/archives2/cat_transponder_gang.html


    When everything is cleaned up you can enable system restore again.
     
  3. GMXMan

    GMXMan Private E-2

    This all started when I was looking up some song lyrics, I went on this website, and one of those windows popped up.. "Do you want to play blah blah" or something.. so I just hit Yes real quick without paying attention, and it all started.

    Gonna do all that in the morning, Thanks much for the help.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Never ever do that!!!!! ;)
     
  5. GMXMan

    GMXMan Private E-2

    Hey, well I started doing this.. deleted all the things in hijack this that you said, including the ones you weren't sure about .. but..

    I can't get that link you posted to work.

    The one with the message board, it just sends me to majorgeeks.com.. I'm assuming it tells me how to turn off system restore?

    And quick question.... After you have those 2 that you weren't sure about, you posted 3 more of the things... Fix those too?

    Thanks.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The links to files on MG's are getting all messed up due to changes that have been made. The correct link is now: http://forums.majorgeeks.com/showthread.php?t=31668

    Yes, fix those other 3 lines too.
     

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds