Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Please help with browser pop-up adds

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Please help with browser pop-up adds

Unread postby chessi69 » January 3rd, 2009, 10:11 pm

I downloaded a smiley program and got infected with some malware that is causing constant browser pop-up adds. I ran my AVG anti virus - no virus. I ran Spybot and fixed a couple of items. I ran Ad Aware but it did not find any problems. I downloaded and ran CWShredder and got rid of CoolWebSearch. I also found some instances of incredimail and deleted those from the registry. I then downloaded Malwarebyte's anti malware and first ran the quick scan and then the full scan. It quarantined five 'Rogue.XXX' items. However, it now finds no infection. I also installed Spyware Blaster and I replaced my hosts file with the generic Microsoft version. So, the pop-up adds have decreased, but they are still there using both IE and Firefox. I'm hoping someone can help. Here is my Hijack This Logfile.

Thank you for any assistance you can provide.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:42:52 PM, on 1/3/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\sdclt.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NP Helper Class - {35B8D58C-B0CB-46b0-BA64-05B3804E4E86} - C:\Program Files\Network Optimizer\1.1.0.1400\NPIEAddOn.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Search on TER - file:///C:\Program Files\Search On TER/search.html
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ePerformance Service (AcerMemUsageCheckService) - Unknown owner - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Adobe Active File Monitor V7 (AdobeActiveFileMonitor7.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: USUEAKXAEQZ - Sysinternals - http://www.sysinternals.com - C:\Users\Tim\AppData\Local\Temp\USUEAKXAEQZ.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe

--
End of file - 5461 bytes

Here are the Malwarebyte's logfiles.

Malwarebytes' Anti-Malware 1.31
Database version: 1596
Windows 6.0.6001 Service Pack 1

1/2/2009 12:15:31 PM
mbam-log-2009-01-02 (12-15-31).txt

Scan type: Quick Scan
Objects scanned: 50635
Time elapsed: 3 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{343ce214-9998-4b21-a151-ffe970167297} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

AND

Malwarebytes' Anti-Malware 1.31
Database version: 1596
Windows 6.0.6001 Service Pack 1

1/2/2009 5:17:22 PM
mbam-log-2009-01-02 (17-17-22).txt

Scan type: Full Scan (C:\|D:\|J:\|)
Objects scanned: 217018
Time elapsed: 1 hour(s), 26 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Tim\Downloads\Downloads\backup\Documents and Settings\Tim\My Documents\Downloads\Programs\ErrorNukerInstaller.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Users\Tim\Downloads\Downloads\Programs\ErrorNukerInstaller.exe (Rogue.Installer) -> Quarantined and deleted successfully.

AND THE FINAL ONE

Malwarebytes' Anti-Malware 1.31
Database version: 1597
Windows 6.0.6001 Service Pack 1

1/3/2009 4:33:35 PM
mbam-log-2009-01-03 (16-33-35).txt

Scan type: Full Scan (C:\|D:\|J:\|)
Objects scanned: 214386
Time elapsed: 1 hour(s), 23 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
chessi69
Active Member
 
Posts: 9
Joined: January 2nd, 2009, 11:12 pm
Advertisement
Register to Remove

Re: Please help with browser pop-up adds

Unread postby Rodav » January 7th, 2009, 7:34 pm

Hello! :hello2: and welcome to the Malware Removal forums.
I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research so please be patient while I work on your log and I will post back here with any recommendations.

  • I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
User avatar
Rodav
MRU Master Emeritus
 
Posts: 1480
Joined: April 19th, 2007, 6:44 am
Location: Here, there and yonder.

Re: Please help with browser pop-up adds

Unread postby chessi69 » January 7th, 2009, 7:44 pm

Thank you for your offer to help. I will await your next instructions
chessi69
Active Member
 
Posts: 9
Joined: January 2nd, 2009, 11:12 pm

Re: Please help with browser pop-up adds

Unread postby Rodav » January 7th, 2009, 7:47 pm

Are you still receiving popups like you were before using malwarebytes?

Step 1:
  • Run HijackThis by right clicking it and selecting Run as Administartor
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    O2 - BHO: NP Helper Class - {35B8D58C-B0CB-46b0-BA64-05B3804E4E86} - C:\Program Files\Network Optimizer\1.1.0.1400\NPIEAddOn.dll

  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application and Restart your computer.

Step 2:
Download to your desktop DDS from one of the links below:

Link1
Link2
Link3
  • Double click the tool to run it. If you receive a UAC prompt, please allow it
  • A black Screen will open, just read the contents and do nothing.
  • When the tool finish it will open 2 reports.
  • Copy/paste both reports back here and remove DDS from your desktop.
User avatar
Rodav
MRU Master Emeritus
 
Posts: 1480
Joined: April 19th, 2007, 6:44 am
Location: Here, there and yonder.

Re: Please help with browser pop-up adds

Unread postby chessi69 » January 7th, 2009, 8:47 pm

Re: Question about Malwarebytes. Yes the popups did reduce but did not go away. They have slowly become more numerous again.

Ran Hijackthis, selected the appropriate BHO and clicked "Fix Checked"

Restarted computer

Downloaded and Ran DDS

Two reports pasted below

1st Report:


DDS (Ver_09-01-07.01) - NTFSx86
Run by Tim at 19:32:45.32 on Wed 01/07/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_11
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2047.1293 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\ZoneLabs\vsmon.exe
C:\Windows\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Windows\system32\taskeng.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\SearchIndexer.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Tim\Desktop\dds.com

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
mDefault_Page_URL = hxxp://en.us.acer.yahoo.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {FE063DB9-4EC0-403E-8DD8-394C54984B2C} - No File
TB: {5617ECA9-488D-4BA2-8562-9710B9AB78D2} - No File
TB: {3041D03E-FD4B-44E0-B742-2D9B88305F98} - No File
uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVDtray.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Search on TER - file:///c:\program files\Search On TER/search.html
Trusted Zone: turbotax.com
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
AppInit_DLLs: avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\tim\appdata\roaming\mozilla\firefox\profiles\r23prflk.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - component: c:\program files\network optimizer\1.1.0.1400\ff\components\NPFFAddOn.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-30 97928]
R3 AvgWfpX;AVG8 Firewall Driver x86;c:\windows\system32\drivers\avgwfpx.sys [2008-5-30 69128]
R4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-5-30 875288]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-5-30 231704]
S3 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
S3 USUEAKXAEQZ;USUEAKXAEQZ;c:\users\tim\appdata\local\temp\USUEAKXAEQZ.exe [2009-1-2 555904]
S3 WSVD;WSVD;c:\windows\system32\drivers\WSVD.sys [2007-8-26 80744]
S4 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2008-12-4 464264]

=============== Created Last 30 ================

2009-01-02 14:50 <DIR> --d----- c:\program files\CCleaner
2009-01-02 14:29 118,784 a------- c:\windows\system32\MSSTDFMT.DLL
2009-01-02 14:29 <DIR> --d----- c:\program files\SpywareBlaster
2009-01-02 14:23 <DIR> --d----- c:\program files\Glary Utilities
2009-01-02 12:07 <DIR> --d----- c:\users\tim\appdata\roaming\Malwarebytes
2009-01-02 12:07 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-02 12:07 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-02 12:07 <DIR> --d----- c:\programdata\Malwarebytes
2009-01-02 12:07 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-02 12:07 <DIR> --d----- c:\progra~2\Malwarebytes
2008-12-31 19:36 <DIR> --d----- c:\programdata\SITEguard
2008-12-31 19:36 <DIR> --d----- c:\progra~2\SITEguard
2008-12-31 19:32 <DIR> --d----- c:\programdata\STOPzilla!
2008-12-31 19:32 <DIR> --d----- c:\program files\common files\iS3
2008-12-31 19:32 <DIR> --d----- c:\progra~2\STOPzilla!
2008-12-31 08:59 24,872 a------- c:\windows\system32\drivers\ElbyCDIO.sys
2008-12-30 18:53 103,360 a------- c:\windows\system32\drivers\AnyDVD.sys
2008-12-25 20:14 <DIR> a-d----- c:\programdata\TEMP
2008-12-25 20:03 <DIR> --d----- c:\program files\Trend Micro
2008-12-12 08:43 2,048 a------- c:\windows\system32\tzres.dll
2008-12-08 20:38 <DIR> --d----- C:\vcs5BGEffects
2008-12-08 20:38 <DIR> --d----- C:\vcs5core
2008-12-08 20:38 <DIR> --d----- C:\AV_LOGS
2008-12-08 19:56 <DIR> --d----- c:\users\tim\appdata\roaming\Screaming Bee

==================== Find3M ====================

2009-01-07 19:29 348,371 a---h--- c:\windows\system32\drivers\vsconfig.xml
2008-12-08 19:55 143,360 a------- c:\windows\inf\infstrng.dat
2008-12-08 19:55 86,016 a------- c:\windows\inf\infstor.dat
2008-12-08 19:55 51,200 a------- c:\windows\inf\infpub.dat
2008-12-05 20:21 410,984 a------- c:\windows\system32\deploytk.dll
2008-11-30 18:18 1,570,816 a------- c:\users\tim\appdata\roaming\tsdnwin.dll
2008-11-28 15:45 129,784 -------- c:\windows\system32\pxafs.dll
2008-11-28 15:45 118,520 -------- c:\windows\system32\pxinsi64.exe
2008-11-28 15:45 116,472 -------- c:\windows\system32\pxcpyi64.exe
2008-11-28 15:45 43,528 -------- c:\windows\system32\drivers\PxHelp20.sys
2008-11-19 12:21 93,128 a------- c:\windows\system32\ElbyCDIO.dll
2008-11-13 15:19 293,776 a------- c:\windows\system32\drivers\vsdatant.sys
2008-11-13 15:18 1,221,008 a------- c:\windows\system32\zpeng25.dll
2008-10-31 22:44 52,736 a------- c:\windows\apppatch\iebrshim.dll
2008-10-31 22:44 2,154,496 a------- c:\windows\apppatch\AcGenral.dll
2008-10-31 22:44 541,696 a------- c:\windows\apppatch\AcLayers.dll
2008-10-31 22:44 460,288 a------- c:\windows\apppatch\AcSpecfc.dll
2008-10-31 22:44 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2008-10-31 22:44 28,672 a------- c:\windows\system32\Apphlpdm.dll
2008-10-31 20:21 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2008-10-29 01:29 2,927,104 a------- c:\windows\explorer.exe
2008-10-28 21:21 425,984 a------- c:\windows\system32\ATIDEMGX.dll
2008-10-28 21:20 159,744 a------- c:\windows\system32\atitmmxx.dll
2008-10-28 21:20 331,776 a------- c:\windows\system32\atipdlxx.dll
2008-10-28 21:20 262,144 a------- c:\windows\system32\Oemdspif.dll
2008-10-28 21:19 43,520 a------- c:\windows\system32\ati2edxx.dll
2008-10-28 21:19 274,432 a------- c:\windows\system32\Ati2evxx.dll
2008-10-28 21:18 712,704 a------- c:\windows\system32\Ati2evxx.exe
2008-10-28 21:03 3,955,712 a------- c:\windows\system32\atiumdag.dll
2008-10-28 20:47 10,629,120 a------- c:\windows\system32\atioglxx.dll
2008-10-28 20:41 4,730,880 a------- c:\windows\system32\atiumdva.dll
2008-10-28 20:27 50,688 a------- c:\windows\system32\amdpcom32.dll
2008-10-28 20:27 54,272 a------- c:\windows\system32\atiadlxx.dll
2008-10-21 22:57 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
2008-10-21 12:51 118,784 a------- c:\windows\system32\atibrtmon.exe
2008-10-21 00:25 296,960 a------- c:\windows\system32\gdi32.dll
2008-10-21 00:25 1,645,568 a------- c:\windows\system32\connect.dll
2008-10-16 15:56 1,524,736 a------- c:\windows\system32\wucltux.dll
2008-10-16 15:55 83,456 a------- c:\windows\system32\wudriver.dll
2008-10-16 14:08 162,064 a------- c:\windows\system32\wuwebv.dll
2008-10-16 13:56 31,232 a------- c:\windows\system32\wuapp.exe
2008-10-15 23:47 827,392 a------- c:\windows\system32\wininet.dll
2008-06-20 21:55 174 a--sh--- c:\program files\desktop.ini
2008-06-20 21:44 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-03-22 13:37 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-03-22 13:37 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-03-22 13:37 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2008-03-19 07:59 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008031920080320\index.dat
2008-03-22 07:41 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008032220080323\index.dat
2008-05-01 21:00 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008050120080502\index.dat
2008-03-22 07:41 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\internet explorer\userdata\index.dat

============= FINISH: 19:34:03.19 ===============

2nd Report


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-01-07.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 5/25/2007 3:55:33 AM
System Uptime: 1/7/2009 7:28:45 PM (0 hours ago)

Motherboard: Acer | | EM61SM/EM61PM
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4400+ | Socket M2 | 2200/201mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 144 GiB total, 33.667 GiB free.
D: is FIXED (NTFS) - 144 GiB total, 131.02 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
J: is FIXED (NTFS) - 466 GiB total, 409.447 GiB free.
L: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4d36e96f-e325-11ce-bfc1-08002be10318}
Description: PS/2 Compatible Mouse
Device ID: ACPI\PNP0F13\3&2411E6FE&0
Manufacturer: Microsoft
Name: PS/2 Compatible Mouse
PNP Device ID: ACPI\PNP0F13\3&2411E6FE&0
Service: i8042prt

==== System Restore Points ===================


==== Installed Programs ======================

Sansa Media Converter
Acer Assist
Acer eDataSecurity Management
Acer Empowering Technology
Acer ePerformance Management
Acer Picture Slide DVD
Acer Plug and Record
Acer ScreenSaver
Acer Zone Main Page
Ad-Aware
Adobe AIR
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Photoshop Elements 7.0
Adobe Photoshop.com Inspiration Browser
Adobe Reader 8.1.1
Adobe® Photoshop® Album Starter Edition 3.2
AnyDVD
ATI AVIVO Codecs
AVG Free 8.0
Canon Inkjet Printer Driver Add-On Module
Canon MP730
Canon Utilities Easy-LayoutPrint
Canon Utilities Easy-PhotoPrint
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center HydraVision Full
ccc-core-static
ccc-utility
CCC Help English
CCleaner (remove only)
CloneCD
Digital Media Reader
DVD Shrink 3.2
FW LiveUpdate
Glary Utilities 2.9.0.518
HijackThis 2.0.2
HydraVision
ImgBurn
Java(TM) 6 Update 11
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
LightScribe System Software 1.14.32.1
LightScribeTemplateLabeler
Malwarebytes' Anti-Malware
Microsoft Visual C++ 2005 Redistributable
Motorola SM56 Speakerphone Modem
Mozilla Firefox (3.0.5)
Mozilla Thunderbird (2.0.0.19)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
neroxml
Network Optimizer
NTI Backup NOW! 4.7
NTI CD & DVD-Maker
NVIDIA Drivers
Omron Health Management Software
OpenOffice.org 2.3
PC Wizard 2008.1.80
PhotoshopdotcomInspirationBrowser
Pinnacle PCTV MCE
Pinnacle TVCenter Pro
PrimoPDF
QuickTime
Realtek High Definition Audio Driver
Rhapsody Player Engine
Savings Bond Wizard
Search On TER 0.1
Security Update for CAPICOM (KB931906)
Singorama Bonus Software
Skins
Spybot - Search & Destroy
SpywareBlaster 4.1
TurboTax Deluxe 2007
VC 9.0 Runtime
Virtual Earth 3D (Beta)
Windows Driver Package - Philips Pinnacle Systems PCTV 3010ix, 7010ix (10/27/2006 1.0.3.3)
Windows Driver Package - Pinnacle Systems PCTV 100e/320e Audio (01/29/2007 5.7.0129.0)
Windows Driver Package - Pinnacle Systems PCTV 100i,110i,300i,310i, MCE (11/22/2006 1.3.3.5)
Windows Driver Package - Pinnacle Systems PCTV 70e/100e/160e/170e/320e/330e/800e (01/29/2007 5.7.0129.0)
Windows Driver Package - Pinnacle Systems PCTV 71e (09/28/2006 6.9.28.4)
Windows Driver Package - Pinnacle Systems Pinnacle Systems PCTV 310c (06/02/2006 3.0.1.1)
Windows Essentials Media Codec Pack 1.0
Windows Media Player Firefox Plugin
WinRAR archiver
Yahoo! Toolbar
ZoneAlarm
ZoneAlarm Spy Blocker Toolbar

==== End Of File ===========================
chessi69
Active Member
 
Posts: 9
Joined: January 2nd, 2009, 11:12 pm

Re: Please help with browser pop-up adds

Unread postby Rodav » January 7th, 2009, 10:25 pm

I don't see too much going on but if you are still getting popups it looks like you're still infected.

Step 1:
Please download gmer.zip from Gmer and save it to your desktop.

  1. Right click on gmer.zip and select Extract All....
  2. Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  3. Click on the Browse button. Click on Desktop. Then click OK.
  4. Click Next. It will start extracting.
  5. Once done, check (tick) the Show extracted files box and click Finish.

Double click on gmer.exe to run it (If you receive a UAC prompt, please allow it). It will start running a scan. If it detects rootkit activity, you will receive a prompt to run a full scan. Click Yes.

  • When done, you may receive another notice. Click OK.
  • Click on Save ... to save a log.
  • Copy and paste in Gmer.txt and click Save.
  • Close Gmer.

If you receive no notice, click on the Scan button.

  • It will start scanning again.
  • When done, click on Save ... to save a log.
  • Copy and paste in Gmer.txt and click Save.
  • Close Gmer.

Note: Do not run any programs while Gmer is running.


Step 2:
Right click on your favourite web browser (Internet Explorer, Firefox, etc) and select Run As Administrator to run it. Please don't surf anywhere else on the internet while you are running your browser as Administrator

Go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
User avatar
Rodav
MRU Master Emeritus
 
Posts: 1480
Joined: April 19th, 2007, 6:44 am
Location: Here, there and yonder.

Re: Please help with browser pop-up adds

Unread postby chessi69 » January 7th, 2009, 11:19 pm

Re: I don't see much going on......

Since running HJT and the "fixed Check" option on the BHO per your earlier instructions, I haven't had any popups. Should I still run gmer.zip and the Kaspersky scan?
chessi69
Active Member
 
Posts: 9
Joined: January 2nd, 2009, 11:12 pm

Re: Please help with browser pop-up adds

Unread postby Rodav » January 8th, 2009, 7:00 am

I'm glad to hear, run the kaspersky scan just to see if there are any leftovers.
User avatar
Rodav
MRU Master Emeritus
 
Posts: 1480
Joined: April 19th, 2007, 6:44 am
Location: Here, there and yonder.

Re: Please help with browser pop-up adds

Unread postby chessi69 » January 8th, 2009, 6:43 pm

Will due. I'll report the scan results when completed.
chessi69
Active Member
 
Posts: 9
Joined: January 2nd, 2009, 11:12 pm

Re: Please help with browser pop-up adds

Unread postby chessi69 » January 8th, 2009, 11:06 pm

Looks like Kaspersky found quite a lot of infections. What's next?

KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, January 8, 2009
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, January 08, 2009 20:45:19
Records in database: 1589015
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
L:\

Scan statistics:
Files scanned: 190495
Threat name: 9
Infected objects: 28
Suspicious objects: 1
Duration of the scan: 03:46:18


File name / Threat name / Threats count
C:\Users\Tim\AppData\Local\Microsoft\Windows Mail\Local Folders\Imported Folder\Deleted Items\6010568B-000005EB.eml Infected: Trojan-Spy.HTML.Paylap.ev 1
C:\Users\Tim\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\21\737d53d5-7042a66e Infected: Trojan-Downloader.Java.OpenStream.ac 1
C:\Users\Tim\AppData\Roaming\Thunderbird\Profiles\rx29y4ni.default\Mail\localhost-1\Trash Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Tim\Downloads\Downloads\backup\Documents and Settings\Tim\My Documents\Downloads\Programs\pgcedit.exe Infected: not-a-virus:RiskTool.Win32.PsKill.k 1
C:\Users\Tim\Downloads\Downloads\backup\Documents and Settings\Tim\My Documents\Downloads\Programs\pgcedit_winexe.zip Infected: not-a-virus:RiskTool.Win32.PsKill.k 1
C:\Users\Tim\Downloads\Downloads\backup\Documents and Settings\Tim\My Documents\Downloads\Utilities\overnet0.52.exe Infected: not-a-virus:AdWare.Win32.Ucmore.e 1
C:\Users\Tim\Downloads\Downloads\Programs\pgcedit.exe Infected: not-a-virus:RiskTool.Win32.PsKill.k 1
C:\Users\Tim\Downloads\Downloads\Programs\pgcedit_winexe.zip Infected: not-a-virus:RiskTool.Win32.PsKill.k 1
C:\Users\Tim\Downloads\Downloads\Utilities\Bootdisk\xpbootcd\XPBOOT.ISO Infected: Trojan.DOS.KillCMOS.k 1
C:\Users\Tim\Downloads\Downloads\Utilities\Bootdisk\xpbootcd\XPBOOT.ISO Infected: Trojan.DOS.KillCMOS.c 1
C:\Users\Tim\Downloads\Downloads\Utilities\Bootdisk\xpbootcd.zip Infected: Trojan.DOS.KillCMOS.k 1
C:\Users\Tim\Downloads\Downloads\Utilities\Bootdisk\xpbootcd.zip Infected: Trojan.DOS.KillCMOS.c 1
C:\Users\Tim\Downloads\Downloads\Utilities\Bootdisk\xpkeys.zip Infected: not-a-virus:PSWTool.Win32.RAS.a 2
C:\Users\Tim\Downloads\Downloads\Utilities\Bootdisk\xpkeys.zip Infected: not-a-virus:PSWTool.Win32.NetPass.g 1
C:\Users\Tim\Downloads\Downloads\Utilities\kf141.zip Infected: not-a-virus:PSWTool.Win32.RAS.a 2
C:\Users\Tim\Downloads\Downloads\Utilities\overnet0.52.exe Infected: not-a-virus:AdWare.Win32.Ucmore.e 1
C:\Users\Tim\Downloads\Utilities\Utilities\Bootdisk\xpbootcd\XPBOOT.ISO Infected: Trojan.DOS.KillCMOS.k 1
C:\Users\Tim\Downloads\Utilities\Utilities\Bootdisk\xpbootcd\XPBOOT.ISO Infected: Trojan.DOS.KillCMOS.c 1
C:\Users\Tim\Downloads\Utilities\Utilities\Bootdisk\xpbootcd.zip Infected: Trojan.DOS.KillCMOS.k 1
C:\Users\Tim\Downloads\Utilities\Utilities\Bootdisk\xpbootcd.zip Infected: Trojan.DOS.KillCMOS.c 1
C:\Users\Tim\Downloads\Utilities\Utilities\Bootdisk\xpkeys.zip Infected: not-a-virus:PSWTool.Win32.RAS.a 2
C:\Users\Tim\Downloads\Utilities\Utilities\Bootdisk\xpkeys.zip Infected: not-a-virus:PSWTool.Win32.NetPass.g 1
C:\Users\Tim\Downloads\Utilities\Utilities\kf141.zip Infected: not-a-virus:PSWTool.Win32.RAS.a 2
C:\Users\Tim\Downloads\Utilities\Utilities\overnet0.52.exe Infected: not-a-virus:AdWare.Win32.Ucmore.e 1
D:\OFFICE-PC\Backup Set 2007-12-02 213723\Backup Files 2007-12-02 213723\Backup files 6.zip Infected: Trojan-Spy.HTML.Paylap.ev 1

The selected area was scanned.
chessi69
Active Member
 
Posts: 9
Joined: January 2nd, 2009, 11:12 pm

Re: Please help with browser pop-up adds

Unread postby Rodav » January 9th, 2009, 10:13 am

It's not as bad as it seems, some of the items listed can be used for nefarious purposes but if you don't recognise these you should delete them:

Files:
C:\Users\Tim\Downloads\Downloads\backup\Documents and Settings\Tim\My Documents\Downloads\Programs\pgcedit.exe
C:\Users\Tim\Downloads\Downloads\backup\Documents and Settings\Tim\My Documents\Downloads\Programs\pgcedit_winexe.zip
C:\Users\Tim\Downloads\Downloads\Programs\pgcedit.exe
C:\Users\Tim\Downloads\Downloads\Programs\pgcedit_winexe.zip
C:\Users\Tim\Downloads\Downloads\Utilities\kf141.zip
C:\Users\Tim\Downloads\Utilities\Utilities\kf141.zip

Folders:
C:\Users\Tim\Downloads\Downloads\Utilities\Bootdisk
C:\Users\Tim\Downloads\Utilities\Utilities\Bootdisk

You have some infected emails, so you should empty your deleted items in Windows Mail and the Trash in Thunderbird. There is also an infected email ziped in this folder: D:\OFFICE-PC\Backup Set 2007-12-02 213723\Backup Files 2007-12-02 213723\Backup files 6.zip I can't tell what it is, but it looks to be dated from 2007 so if there is nothing important in it you can delete the whole folder.


Step 1:
Use Windows Explorer to navigate to and delete the following files and folders (if they are present): (if you need to show hidden files read this: http://www.bleepingcomputer.com/tutoria ... al130.html)

Files:
C:\Users\Tim\Downloads\Downloads\backup\Documents and Settings\Tim\My Documents\Downloads\Utilities\[b]overnet0.52.exe
C:\Users\Tim\Downloads\Downloads\Utilities\overnet0.52.exe[/b]

Now just exit Explorer and empty your Recycle Bin.


Step 2:
Please download ATF cleaner
Make sure that all browser windows are closed.
    Right-click ATF-Cleaner.exe and select Run as Administrator to run the program.
    Under Main choose: Select All
    Deselect Cookies
    Click the Empty Selected button.
    You can select cookies but you will have to re enter your login details to websites you frequent.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Deselect Firefox Cookies
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Deselect Opera Cookies
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program. You can also delete DDS and any other logs produced.


  1. Click on Start > Control Panel.
  2. Double click on Folder Options.
  3. Select the View tab.
  4. Under Hidden files and folders, select Do not show hidden files and folders.
  5. Check (tick) these two boxes:
      Hide extensions for known file types
      Hide protected operating system files (Recommended)
  6. Click Yes when Windows prompts.
  7. Click OK to apply the settings.

Create a new, clean System Restore point

  1. Click on Start > Control Panel.
  2. Double click on System.
  3. On the left, click on the System Protection link.
  4. At the bottom right hand corner, click on the Create... button.
  5. Give this System Restore point a descriptive name and click on Create.
  6. You should receive a prompt that a System Restore point is created successfully. Click OK to confirm.
  7. Click OK again to close the System Protection window. Then close Control Panel.

Warning: Do not clear infected System Restore points before creating a new System Restore point first!

Please read the above to create a new System Restore point first, then clear out the infected System Restore points.


Clear infected System Restore points

  1. Click on Start > All Programs > Accessories > System Tools.
  2. Right click on Disk Cleanup and select Run As Administrator to run it. UAC will prompt. Allow it.
  3. Select your C drive and click OK.
  4. Select the More Options tab.
  5. Under System Restore and Shadow Copies, click on the Clean up... button.
  6. You will receive a prompt. Click on Delete to delete the old System Restore points.
  7. When done, click OK. You will receive another prompt. Click Delete Files to confirm.
  8. When done, Disk Cleanup will automatically close.


Your logs are now clean. :D :D
If you still feel you are having any issues please let me know now, otherwise read through the following:


Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints, you need to be registered to post as unfortunately we were hit with too many spam posting to allow guest posting to continue just find your country room and register your complaint.

Below are some steps to follow in order to dramatically lower the chances of reinfection
You may have already implemented some of the steps below, however you may like to follow any steps that you have not already implemented
  • Make sure you install all the security updates for Windows, Internet explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it to that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC
    Go here to check for & install updates to Microsoft applications
    Note: The update process uses activex, so you will need to use internet explorer for it, and allow the activex control that it wants to install
  • Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities, to check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month
  • Make Internet Explorer more secure
    Click Start > Run
    Type Inetcpl.cpl & click OK
    Click on the Security tab
    Click Reset all zones to default level
    Make sure the Internet Zone is selected & Click Custom level
    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • Install a Hosts File
    I recommend MVPS Hosts File
    Every version of windows includes a hosts file as part of them. A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
    On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue
    • Click Start > Run
    • Type services.msc & click OK
    • In the list, find the service called DNS Client & double click on it.
    • On the dropdown box, change the setting from automatic to manual.
    • Click OK & then close the Services window
    For a more detailed explanation of the HOSTS file, click here
  • Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program. If you want to help the developer of the program and get more information about what the programs that you see in Winpatrol please check out Winpatrol Plus. It does not need a new download.
  • Install Malwarebytes & update and scan with it regularly
    Malwarebytes is a free for personal use on demand scanner which is developed by active members of the Malware Removal community. It detects and removes many modern infections. The paid version offers realtime protection.
  • The last and most important thing I can tell you is UPDATE, UPDATE, UPDATE.
    If you don't update your security programs (Antivirus, Antispyware, even Windows) then you are at risk.
    Malware changes on a day to day basis. You should update every week at the very least.

Miekiemoes an expert in malware removal has a fantastic article on how to prevent Malware for further tips, it's well worth a read. http://users.telenet.be/bluepatchy/miek ... ntion.html

Please reply to this topic one more time so I know you have read through it or with any questions you may have.
User avatar
Rodav
MRU Master Emeritus
 
Posts: 1480
Joined: April 19th, 2007, 6:44 am
Location: Here, there and yonder.

Re: Please help with browser pop-up adds

Unread postby chessi69 » January 9th, 2009, 10:51 pm

Hi!
I did all that you asked.
I deleted the 8 files and 2 folders
I deleted the backup
I used windows explorer and deleted the overnet0.52.exe files
I downloaded and ran ATF cleaner
I changed the files and folders back to hidden
I created a new, clean system restore point
I cleared infected system restore points
I read the balance of the email and:
made IE more secure;
installed the host file;
downloaded and installed the free version of WinPatrol;(does this interfere with SpyBlaster alredy installed, or is it the same?)
updated and reran Malwarebytes;
checked security of programs and updeated three programs;

Then I re-ran Kaspersky scan and came up with three infections

------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, January 9, 2009
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, January 09, 2009 21:34:06
Records in database: 1595468
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
L:\

Scan statistics:
Files scanned: 190087
Threat name: 3
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 03:22:05


File name / Threat name / Threats count
C:\Users\Tim\AppData\Local\Microsoft\Windows Mail\Local Folders\Imported Folder\Deleted Items\6010568B-000005EB.eml Infected: Trojan-Spy.HTML.Paylap.ev 1
C:\Users\Tim\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\21\737d53d5-7042a66e Infected: Trojan-Downloader.Java.OpenStream.ac 1
C:\Users\Tim\Downloads\Utilities\Utilities\overnet0.52.exe Infected: not-a-virus:AdWare.Win32.Ucmore.e 1

The selected area was scanned.

I deleted the last one (overnet0.52)
Tried to access the to others in AppData but got an access denied error.
I un-hid system files and folders but I cannot access C:\users\Tim\AppData in order to delete the first two infections shown above.
chessi69
Active Member
 
Posts: 9
Joined: January 2nd, 2009, 11:12 pm

Re: Please help with browser pop-up adds

Unread postby Rodav » January 10th, 2009, 11:19 am

Hi,

C:\Users\Tim\AppData\Local\Microsoft\Windows Mail\Local Folders\Imported Folder\Deleted Items\6010568B-000005EB.eml Infected: Trojan-Spy.HTML.Paylap.ev 1
This is an email which is probably a phishing attempt to retrieve details for a PayPal account, if you open Windows Mail then access Local Folders > Imported Folder > Deleted Items you can clear all the emails out in it and it will be removed (I assume since the folder is called deleted items that there is nothing important in it).

C:\Users\Tim\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\21\737d53d5-7042a66e Infected: Trojan-Downloader.Java.OpenStream.ac 1
ATF cleaner should have removed this. The following link shows how to manually clear Javas cache. While your version of Java is different to the one shown and you are using Vista, some of the dialog boxes and fields names will be slightly different than those shown in the procedure on that page, it is still reasonably the same procedure. http://www.java.com/en/download/help/5000020300.xml

If you are having trouble doing any of this let me know and we can use a tool to remove them.
User avatar
Rodav
MRU Master Emeritus
 
Posts: 1480
Joined: April 19th, 2007, 6:44 am
Location: Here, there and yonder.

Re: Please help with browser pop-up adds

Unread postby chessi69 » January 10th, 2009, 5:02 pm

Thank you, thank you, thank you!

I am very greatful for your assistance. I removed the last two infections (deleted all local folders in Windows mail - I don't use this program, and cleared the Java cache per your instructions. I then went back to your previous step 2 and and reran ATF Cleaner, reset the files and folders to not show hidden files/folders, created a new, clean restore point, deleted previous restore points and then reran the Kaspersky web scan and Malwarebytes anti malware program. Both programs came up clean and I am not getting any more pop up ads. I do have a couple of questions:

1. Should I use a different anti-virus program (using AVG Free)?
2. I installed WinPatrol. This seems similar to SpywareBlaster. Is there any conflict with running both of these? Do I need both?
3. I installed the Hosts file per instructions. Do I need to check periodically for updates to this file?

Thank you once again. Any final instructions?
chessi69
Active Member
 
Posts: 9
Joined: January 2nd, 2009, 11:12 pm

Re: Please help with browser pop-up adds

Unread postby Rodav » January 10th, 2009, 9:25 pm

Good job getting that done. :)

1. Should I use a different anti-virus program (using AVG Free)?
AVG is a decent antivirus, if you were to consider some alternatives would be:
Avast and Antivir which are both free for personal use or 2 paid programs are NOD32 and Kaspersky.
On any given day, one may outperform another but if you keep it updated and scan regularly there is not a huge difference between them. Only ever have 1 antivirus installed though, if you ever want a second opinion use an online scanner like you did with kaspersky.

2. I installed WinPatrol. This seems similar to SpywareBlaster. Is there any conflict with running both of these? Do I need both?
There should be no conflict using them both, SpywareBlaster will silently prevent a certain amount of malware from accessing your computer, while Winpatrol is more hands on it will alert you to numerous changes to your system both good and bad. While SpywareBlaster will offer another protective layer especially if you use Internet Explorer, I feel a good Hosts File will cover a lot of what it does. Which leads me on to your next questions.

3. I installed the Hosts file per instructions. Do I need to check periodically for updates to this file?
Yes, a new Hosts File is released every few weeks. You could subscribe for notifications as to when it is updated: http://www.mvps.org/winhelp2002/updates.htm


No more instructions from me, just safe surfing. :D
User avatar
Rodav
MRU Master Emeritus
 
Posts: 1480
Joined: April 19th, 2007, 6:44 am
Location: Here, there and yonder.
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 14 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware