irritating random popup \tau.html

Discussion in 'Malware Help (A Specialist Will Reply)' started by pathofsodom, Apr 9, 2006.

  1. pathofsodom

    pathofsodom Private E-2

    I'm having a problem with random popup websites whose URLs always end with \tau.html. For instance, "http://www.inter-netsuggestions.com/tau.html" and "http://www.hug-ediscounts.com/tau.html".
    I've done all possible scans with Ad-Aware, Spybot Search & Destroy, and CounterSpy and fixed all entries found. And BitDefender got stuck mid-scan.
    I have no idea what I can possibly do with HJT.
    Here I will attach my HJT log. Please have a look and provide some advice for me.
    Any help would be appreciated.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    You did not install Spybot exactly as requested in the READ & RUN ME. I do not see the SDHelper function loaded, which is the default and what we requested. Also, you did not run Panda ActiveScan and attach the log. You also did not attach the log from CounterSpy.

    Please attach the requested logs and install Spybot exactly as requested.

    Also install HijackThis as instructed in step 7. It should be in the folder we request. Do not put it in My Documents or any Temp folder.

    You also should uninstall MESSENGERPLUS! 3. It is not to be trusted and can cause many porn ads to be served to your PC. Very bad idea for underaged PC users.

    Did you set your default pages to the about:blank setting as shown below?
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank


    Did you install the below stuff? It really seems suspicious and I see most people removing this stuff!
    O8 - Extra context menu item: &ʹÓÃѸÀ×ÏÂÔØ - C:\PROGRAM FILES\THUNDER NETWORK\THUNDER\geturl.htm
    O8 - Extra context menu item: &ʹÓÃѸÀ×ÏÂÔØÈ«²¿Á´½Ó - C:\PROGRAM FILES\THUNDER NETWORK\THUNDER\getallurl.htm
    O8 - Extra context menu item: Ìí¼Óµ½QQ×Ô¶¨ÒåÃæ°å - C:\PROGRAM FILES\TENCENT\QQ\AddPanel.htm
    O8 - Extra context menu item: Ìí¼Óµ½QQ±íÇé - C:\PROGRAM FILES\TENCENT\QQ\AddEmotion.htm
    O8 - Extra context menu item: ÉÏ´«µ½QQÍøÂçÓ²ÅÌ - C:\PROGRAM FILES\TENCENT\QQ\AddToNetDisk.htm
    O8 - Extra context menu item: ÓÃQQ²ÊÐÅ·¢Ë͸ÃͼƬ - C:\PROGRAM FILES\TENCENT\QQ\SendMMS.htm


    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
    O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://C:\nosuch.mht!http://iframebiz.biz/dl/adv433/x.chm::/load.exe
    O18 - Protocol hijack: http - {7¢YEA¢W9E5-¡±AF¢Y-11CE-8C82-00AA004BA90¢VT
    O18 - Protocol hijack: its - {9D148291-B9¢¯8-1¢¯D0-A4CC-0000F80¢¯49¢·6}

    After clicking Fix, exit HJT.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.
     
    Last edited: Apr 10, 2006
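
A small triage pass over the entry types the reply above singles out (R0/R1 search values, O15, O16, O18), as an added example that is not part of the original thread or any MajorGeeks tooling. The sample log is constructed, with placeholder CLSIDs and example.test hosts; treating anything other than about:blank as notable follows the helper's request in this thread rather than a general rule.

```python
import re

# HijackThis entry shape: "<section code> - <rest>", e.g. "O15 - Trusted Zone: ..."
LINE_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*)$")

def parse_line(line):
    """Return (section, rest) for a HijackThis entry, or None for other text."""
    m = LINE_RE.match(line)
    return (m.group(1), m.group(2).strip()) if m else None

def review(section, rest):
    """Return a reason string if the entry deserves a second look, else None."""
    if section in ("R0", "R1"):
        # Format: "<registry key>,<value name> = <data>"
        data = rest.partition(" = ")[2].strip().lower()
        if data != "about:blank":
            return "IE search/start value is not about:blank"
    elif section == "O15":
        return "site added to the Trusted Zone"
    elif section == "O16":
        # Format: "DPF: {CLSID} [(name)] - <codebase URL>"
        codebase = rest.rpartition(" - ")[2].lower()
        if not codebase.startswith(("http://", "https://")):
            return "ActiveX codebase is not a plain http(s) URL"
    elif section == "O18" and "hijack" in rest.lower():
        return "protocol handler reported as hijacked"
    return None

def triage(log_text):
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        reason = review(*parsed) if parsed else None
        if reason:
            findings.append((parsed[0], reason, parsed[1]))
    return findings

# Constructed sample log (placeholder CLSIDs, paths and example.test hosts).
SAMPLE = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.example.test/bar.html
O8 - Extra context menu item: Sample - C:\Program Files\Sample\menu.htm
O15 - Trusted Zone: http://trusted.example.test (HKLM)
O16 - DPF: {00000000-0000-0000-0000-000000000001} - ms-its:mhtml:file://C:\placeholder.mht!http://files.example.test/placeholder.chm
O16 - DPF: {00000000-0000-0000-0000-000000000002} (Sample Control) - http://downloads.example.test/control.cab
O18 - Protocol hijack: its - {00000000-0000-0000-0000-000000000003}
O18 - Protocol: sample - {00000000-0000-0000-0000-000000000004} - C:\Program Files\Sample\sample.dll"""

if __name__ == "__main__":
    for section, reason, rest in triage(SAMPLE):
        print(f"{section}: {reason}\n    {rest}")
```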
