Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use, are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Annoying Popup Ad Malware


Post by Happyqb » April 27th, 2011, 2:10 am

Good Evening,

I am writing to ask for some help with another one of those Google redirect trojans or viruses (I am not sure what they are called) that I have seen frequently on this board. I have read up on other people's posts and am confident that you will be able to help me.
My problem began about 3 weeks ago, when I noticed that my Google searches were being redirected to some advertising websites. I thought nothing of it and just opened the links in a new tab, allowing for the opening of the link in which I was interested. I kept the computer on and running for about two weeks this way with no problems other than the redirect. Then, about a week ago, I restarted my computer and right away noticed that this problem must have resulted from some type of malware. I am receiving pop-up notifications in the form of "Internet Explorer Script Error" from random websites that I am not on. Also, random radio ads or commercials will play audio out of nowhere in the background and I cannot find where it is coming from to shut it down. I have run System Mechanic, Malwarebytes and Ad-Aware to try and get rid of the problem, but all three can identify threats and tell me they have removed them, but when I restart the computer, the problems still persist. I have also tried a system restore but it keeps telling me that this action cannot be performed. Also I am pretty confident that my documents and external hard drive have been wiped clean.

DDS Log:
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Compaq_Owner at 1:57:12.64 on Wed 04/27/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.895.196 [GMT -4:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled*
.
============== Running Processes ===============
.
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\ISSVC.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\wltray.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\DivX\DivX Plus Web Player\DDmService.exe
C:\WINDOWS\system32\ctfmon.exe
c:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Dynex Enhanced G USB Network Adapter\DynexWCUI.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\Compaq_Owner.CHRISTOPHER\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Compaq_Owner.CHRISTOPHER\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Compaq_Owner.CHRISTOPHER\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Compaq_Owner.CHRISTOPHER\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Compaq_Owner.CHRISTOPHER\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Compaq_Owner.CHRISTOPHER\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Compaq_Owner.CHRISTOPHER\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Documents and Settings\Compaq_Owner.CHRISTOPHER\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Compaq_Owner.CHRISTOPHER\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Compaq_Owner.CHRISTOPHER\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Compaq_Owner.CHRISTOPHER\My Documents\Downloads\dds.com
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
BHO: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
TB: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\compaq_owner.christopher\local settings\application data\google\update\GoogleUpdate.exe" /c
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10l_ActiveX.exe -update activex
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [URLLSTCK.exe] c:\program files\norton internet security\UrlLstCk.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Broadcom Wireless Manager] c:\windows\system32\wltray.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [<NO NAME>]
mRun: [StatusClient] c:\program files\hewlett-packard\toolbox2.0\apache tomcat 4.0\webapps\toolbox\statusclient\StatusClient.exe /auto
mRun: [TomcatStartup] c:\program files\hewlett-packard\toolbox2.0\hpbpsttp.exe
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [DivX Download Manager] "c:\program files\divx\divx plus web player\DDmService.exe" start
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compaq~1.lnk - c:\program files\compaq connections\6750491\program\Compaq Connections.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dynexw~1.lnk - c:\program files\dynex enhanced g usb network adapter\DynexWCUI.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/ph ... NPUpld.cab
Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - c:\program files\vshare\vshare_toolbar.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
.
=============== File Associations ===============
.
JSEFile=NOTEPAD.EXE %1
regfile=NOTEPAD.EXE %1
scrfile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.
=============== Created Last 30 ================
.
2011-04-24 23:36:33 388096 ----a-r- c:\docume~1\compaq~1.chr\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-04-23 21:17:19 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-04-23 15:26:08 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-04-23 15:26:04 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-04-23 15:25:06 -------- d-----w- c:\docume~1\compaq~1.chr\locals~1\applic~1\Sunbelt Software
2011-04-23 15:23:54 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{AA5544E4-9BBC-419B-9204-40B5924D26AA}
2011-04-23 15:22:52 -------- d-----w- c:\program files\Lavasoft
2011-04-23 05:41:48 -------- d-----w- c:\docume~1\compaq~1.chr\locals~1\applic~1\Help
2011-04-22 23:43:46 -------- d-----w- c:\docume~1\compaq~1.chr\applic~1\Malwarebytes
2011-04-22 23:43:30 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-05 06:46:57 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-04-05 06:46:57 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-03 14:53:55 511328 ----a-w- c:\program files\common files\microsoft shared\capicom\CAPICOM.DLL
2011-04-03 14:53:54 87688 ----a-w- c:\windows\system32\IncContxMenu.dll
2011-04-03 14:53:54 2234552 ----a-w- c:\windows\system32\Incinerator.dll
2011-04-03 14:53:49 56200 ----a-w- c:\windows\system32\offreg.dll
2011-04-03 14:53:49 29696 ----a-w- c:\windows\system32\iolobtdfg.exe
2011-04-03 14:53:49 11776 ----a-w- c:\windows\system32\smrgdf.exe
2011-04-03 14:53:46 -------- d-----w- c:\program files\iolo
2011-04-03 14:52:01 74703 ----a-w- c:\windows\system32\mfc45.dll
2011-04-03 14:51:50 -------- d-----w- C:\iolo
2011-04-03 14:51:22 -------- d-----w- c:\docume~1\compaq~1.chr\applic~1\iolo
2011-04-03 14:51:22 -------- d-----w- c:\docume~1\alluse~1\applic~1\iolo
.
==================== Find3M ====================
.
.
============= FINISH: 2:00:56.37 ===============

Attach Log:
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 10/5/2009 12:55:04 AM
System Uptime: 4/26/2011 3:08:25 PM (11 hours ago)
.
Motherboard: ASUSTek Computer INC. | | Salmon
Processor: AMD Sempron(tm) Processor 3100+ | Socket 754 | 1808/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 143 GiB total, 70.122 GiB free.
D: is FIXED (FAT32) - 6 GiB total, 1.359 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is Removable
H: is Removable
I: is Removable
J: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP300: 1/27/2011 4:19:57 PM - System Checkpoint
RP301: 1/29/2011 7:19:57 AM - System Checkpoint
RP302: 1/30/2011 12:26:02 PM - System Checkpoint
RP303: 1/31/2011 12:27:35 PM - System Checkpoint
RP304: 2/1/2011 1:20:52 PM - System Checkpoint
RP305: 2/2/2011 3:47:54 PM - System Checkpoint
RP306: 2/3/2011 4:05:28 PM - System Checkpoint
RP307: 2/4/2011 4:12:37 PM - System Checkpoint
RP308: 2/6/2011 12:31:08 AM - System Checkpoint
RP309: 2/7/2011 2:26:26 AM - System Checkpoint
RP310: 2/8/2011 11:21:16 AM - System Checkpoint
RP311: 2/9/2011 3:00:42 AM - Software Distribution Service 3.0
RP312: 2/10/2011 3:57:14 AM - System Checkpoint
RP313: 2/11/2011 4:51:25 AM - System Checkpoint
RP314: 2/12/2011 5:46:42 AM - System Checkpoint
RP315: 2/13/2011 6:43:17 AM - System Checkpoint
RP316: 2/14/2011 7:43:18 AM - System Checkpoint
RP317: 2/15/2011 8:40:48 AM - System Checkpoint
RP318: 2/16/2011 9:38:25 AM - System Checkpoint
RP319: 2/17/2011 10:32:51 AM - System Checkpoint
RP320: 2/18/2011 11:43:36 AM - System Checkpoint
RP321: 2/19/2011 12:32:50 PM - System Checkpoint
RP322: 2/20/2011 1:16:04 PM - System Checkpoint
RP323: 2/21/2011 2:04:25 PM - System Checkpoint
RP324: 2/22/2011 2:07:48 PM - System Checkpoint
RP325: 2/23/2011 2:58:20 PM - System Checkpoint
RP326: 2/24/2011 3:51:42 PM - System Checkpoint
RP327: 2/25/2011 4:42:57 PM - System Checkpoint
RP328: 2/26/2011 5:40:37 PM - System Checkpoint
RP329: 2/27/2011 6:34:02 PM - System Checkpoint
RP330: 2/28/2011 7:30:15 PM - System Checkpoint
RP331: 3/1/2011 8:23:23 PM - System Checkpoint
RP332: 3/2/2011 9:16:56 PM - System Checkpoint
RP333: 3/3/2011 10:11:49 PM - System Checkpoint
RP334: 3/4/2011 11:02:59 PM - System Checkpoint
RP335: 3/5/2011 11:58:48 PM - System Checkpoint
RP336: 3/7/2011 12:55:40 AM - System Checkpoint
RP337: 3/8/2011 1:55:39 AM - System Checkpoint
RP338: 3/9/2011 1:12:26 PM - Software Distribution Service 3.0
RP339: 3/11/2011 11:34:23 AM - System Checkpoint
RP340: 3/13/2011 2:19:31 AM - System Checkpoint
RP341: 3/14/2011 3:11:42 AM - System Checkpoint
RP342: 3/15/2011 3:40:10 AM - System Checkpoint
RP343: 3/16/2011 11:50:38 AM - System Checkpoint
RP344: 3/17/2011 3:24:30 PM - System Checkpoint
RP345: 3/18/2011 3:26:39 PM - System Checkpoint
RP346: 3/19/2011 9:55:05 PM - System Checkpoint
RP347: 3/21/2011 11:29:23 PM - System Checkpoint
RP348: 3/22/2011 11:58:52 PM - System Checkpoint
RP349: 3/23/2011 9:53:29 PM - Restore Operation
RP350: 3/23/2011 9:55:46 PM - Restore Operation
RP351: 3/23/2011 11:19:41 PM - Restore Operation
RP352: 3/25/2011 3:16:04 PM - Restore Operation
RP353: 3/25/2011 9:14:20 PM - Restore Operation
RP354: 3/26/2011 8:35:06 AM - Installed Windows Internet Explorer 8.
RP355: 3/26/2011 8:35:58 AM - Software Distribution Service 3.0
RP356: 3/27/2011 8:08:57 PM - System Checkpoint
RP357: 3/28/2011 3:00:18 AM - Software Distribution Service 3.0
RP358: 3/29/2011 3:20:46 AM - System Checkpoint
RP359: 3/30/2011 4:10:39 AM - System Checkpoint
RP360: 3/31/2011 4:36:23 AM - System Checkpoint
RP361: 4/1/2011 10:18:50 PM - System Checkpoint
RP362: 4/3/2011 1:34:53 AM - System Checkpoint
RP363: 4/4/2011 8:42:23 PM - System Checkpoint
RP364: 4/5/2011 2:41:27 AM - Restore Operation
RP365: 4/10/2011 12:26:47 AM - System Checkpoint
RP366: 4/11/2011 9:44:18 PM - System Checkpoint
RP367: 4/12/2011 10:42:19 PM - System Checkpoint
RP368: 4/13/2011 11:07:41 PM - System Checkpoint
RP369: 4/14/2011 11:27:40 PM - System Checkpoint
RP370: 4/15/2011 3:01:07 AM - Software Distribution Service 3.0
RP371: 4/16/2011 3:30:28 AM - System Checkpoint
RP372: 4/17/2011 9:28:32 AM - System Checkpoint
RP373: 4/18/2011 10:06:36 AM - System Checkpoint
RP374: 4/19/2011 11:12:00 AM - System Checkpoint
RP375: 4/20/2011 12:06:36 PM - System Checkpoint
RP376: 4/21/2011 3:00:19 AM - Software Distribution Service 3.0
RP377: 4/22/2011 3:06:35 AM - System Checkpoint
RP378: 4/22/2011 11:39:43 PM - Restore Operation
RP379: 4/22/2011 11:56:19 PM - Restore Operation
RP380: 4/23/2011 1:43:43 AM - Restore Operation
RP381: 4/24/2011 7:36:30 PM - Installed HiJackThis
RP382: 4/25/2011 11:04:27 PM - System Checkpoint
.
==== Installed Programs ======================
.
Ad-Aware
Adobe Acrobat - Reader 6.0.2 Update
Adobe Flash Player 10 ActiveX
Adobe Reader 6.0.1
AIM 7
BlackBerry Desktop Software 5.0.1
BlackBerry® Media Sync
Blackhawk Striker 2 from Compaq (remove only)
Blasterball 2 from Compaq (remove only)
Blasterball 2 Holidays from Compaq (remove only)
Blasterball 2 Remix from Compaq (remove only)
Bounce Symphony from Compaq (remove only)
CC_ccProxyExt
ccCommon
ccPxyCore
Compaq Connections
Compaq Organize
Crystal Maze from Compaq (remove only)
Data Fax SoftModem with SmartCP
DivX Setup
Download Updater (AOL LLC)
Dynex Enhanced Wireless G USB Network Adapter Setup
Easy Internet Sign-up
Final Drive Nitro from Compaq (remove only)
FrostWire 4.20.5
Google Chrome
GRE POWERPREP
Help and Support Additions
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format 11 SDK (KB973442)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Boot Optimizer
hp LaserJet 1150 / 1300
HpSdpAppCoreApp
InterVideo WinDVD Player
iolo technologies' System Mechanic
iTunes
J2SE Runtime Environment 5.0
Java(TM) 6 Update 15
KBD
Lexibox Deluxe from Compaq (remove only)
LiveReg (Symantec Corporation)
LiveUpdate 2.5 (Symantec Corporation)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Standard Edition 2003
Microsoft Office Word MUI (English) 2007
Microsoft Plus! Dancer LE
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.9
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft WinUsb 1.0
Microsoft Works
MSRedist
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
Norton AntiSpam
Norton AntiVirus 2005
Norton Internet Security
Norton Internet Security 2005 (Symantec Corporation)
Norton Security Center
Norton WMI Update
Overball from Compaq (remove only)
PC-Doctor for Windows
Phoenix Assault from Compaq (remove only)
Polar Bowler from Compaq (remove only)
Polar Golfer from Compaq (remove only)
PS2
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
QuickTime
RealPlayer
Remove Adobe Photoshop Album 2.0 Starter Edition installer
Remove Microsoft Money 2005 installer
Remove Quicken New User Edition installer
Remove WeatherBug installer
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2466156)
Security Update for 2007 Microsoft Office System (KB2509488)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB2464583)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2464594)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Shooting Stars Pool from Compaq (remove only)
SiS VGA Utilities
Slyder from Compaq (remove only)
Sonic Express Labeler
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
SPBBC
Super Granny from Compaq (remove only)
SymNet
Tradewinds from Compaq (remove only)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB898461)
Update for Windows XP (KB925720)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.4053
Veetle TV 0.9.18
Virtual DJ Home - Atomix Productions
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
vShare Plugin
WebFldrs XP
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB891781
Zune
Zune Language Pack (DE)
Zune Language Pack (ES)
Zune Language Pack (FR)
Zune Language Pack (IT)
.
==== Event Viewer Messages From Past Week ========
.
4/24/2011 7:37:36 PM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
4/24/2011 7:13:15 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
4/23/2011 10:29:03 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the ZuneBusEnum service.
4/22/2011 11:16:38 PM, error: Disk [11] - The driver detected a controller error on \Device\Harddisk0\D.
4/22/2011 11:15:40 PM, error: Service Control Manager [7034] - The SymWMI Service service terminated unexpectedly. It has done this 1 time(s).
4/22/2011 11:15:38 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: fasttx2k
4/22/2011 11:15:35 PM, error: Service Control Manager [7024] - The Symantec Network Proxy service terminated with service-specific error 4294967295 (0xFFFFFFFF).
4/22/2011 11:13:13 PM, error: ipnathlp [32003] - The Network Address Translator (NAT) was unable to request an operation of the kernel-mode translation module. This may indicate misconfiguration, insufficient resources, or an internal error. The data is the error code.
4/20/2011 8:35:30 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer CAITLINGILMO-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{CCC292D2-EE4. The master browser is stopping or an election is being forced.
.
==== End Of File ===========================

I can also run a log from HijackThis and Ad-Aware, and screenshots of the script error are available.

Thank you for your help,
HappyQB
Happyqb
Active Member
 
Posts: 10
Joined: April 24th, 2011, 8:57 pm
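As an added example (not part of the original post, and not code from the DDS tool or this forum): the DDS output above is plain text split into `====`-delimited sections, so the first pass a helper does by eye on the Pseudo HJT Report and the Installed Programs list can be scripted. The Python below parses a short excerpt copied from the log above and applies a few review heuristics that are this example's own assumptions, not anything DDS or the thread states: toolbar/BHO entries ending in `No File`, Run entries with no name or command, Run entries that launch a bare filename or a binary from under `Documents and Settings`, P2P clients in the installed-programs list (FrostWire comes from the log; the other names in `P2P_PATTERNS` are assumed), more than one Java runtime, and more than one real-time AV product enabled at once. Heuristics produce false positives: the `GoogleUpdate.exe` entry it flags is a normal per-user installer location, which is why the output is a review list and not a removal list.

```python
# Added example for this thread: parse a DDS log and flag entries for review.
# The heuristics are assumptions of this example, not rules from DDS or the forum.
import re
from dataclasses import dataclass

# Excerpt copied from the DDS log posted above (not the full log); raw string keeps the backslashes.
SAMPLE_DDS = r"""
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
============== Pseudo HJT Report ===============
BHO: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [Google Update] "c:\documents and settings\compaq_owner.christopher\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [<NO NAME>]
==== Installed Programs ======================
FrostWire 4.20.5
J2SE Runtime Environment 5.0
Java(TM) 6 Update 15
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
RUN_RE = re.compile(r"^[um]Run(?:Once)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
JAVA_RE = re.compile(r"^(?:J2SE Runtime Environment (\d+)\.\d+|Java\(TM\) (\d+) Update \d+)")
# FrostWire is in the posted log; the other names are assumed P2P clients.
P2P_PATTERNS = ("frostwire", "limewire", "bearshare", "kazaa", "utorrent", "bittorrent")

@dataclass(frozen=True)
class Finding:
    rule: str   # short heuristic name
    entry: str  # the log line that triggered it

def split_sections(text):
    """Map each '==== Name ====' header to the non-empty lines under it; lines before any header go under ''."""
    sections, current = {"": []}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":  # DDS pads sections with lone dots
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        else:
            sections[current].append(line)
    return sections

def command_path(cmd):
    """Executable part of a Run value: the quoted path if quoted, else the first token (lower-cased)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]).lower()
    return cmd.split()[0].lower() if cmd else ""

def triage_autostart(lines):
    """Heuristics over the Pseudo HJT Report (BHO/TB/Run entries)."""
    findings = []
    for line in lines:
        m = RUN_RE.match(line)
        if m:
            name, exe = m.group("name"), command_path(m.group("cmd"))
            if name == "<NO NAME>" or not exe:
                findings.append(Finding("run-key-without-name-or-command", line))
            elif "\\" not in exe:  # bare filename, resolved through PATH at logon
                findings.append(Finding("run-key-bare-filename", line))
            elif "\\documents and settings\\" in exe:  # user-writable location
                findings.append(Finding("run-key-in-user-profile", line))
        elif line.startswith(("BHO:", "TB:")) and line.endswith("- No File"):
            findings.append(Finding("orphaned-browser-extension", line))
    return findings

def triage_programs(lines):
    """Flag P2P clients and any Java runtime older than the newest one installed."""
    findings, javas = [], []
    for line in lines:
        if any(p in line.lower() for p in P2P_PATTERNS):
            findings.append(Finding("p2p-client-installed", line))
        m = JAVA_RE.match(line)
        if m:
            javas.append((int(m.group(1) or m.group(2)), line))
    if len(javas) > 1:
        newest = max(major for major, _ in javas)
        findings += [Finding("superseded-java-runtime", l) for major, l in javas if major < newest]
    return findings

def triage(text):
    """Run every heuristic over a DDS log; the AV summary lines sit before the first section header."""
    s = split_sections(text)
    av = [l for l in s.get("", []) if l.startswith("AV:") and "*Enabled" in l]
    findings = [Finding("multiple-realtime-av", l) for l in av] if len(av) > 1 else []
    return (findings + triage_autostart(s.get("Pseudo HJT Report", []))
            + triage_programs(s.get("Installed Programs", [])))

if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"{f.rule:34} {f.entry}")
```

Run it as-is to see the eight findings for the excerpt; to use it on a full log, read the saved DDS.txt into a string and pass that to `triage()` instead of `SAMPLE_DDS`. The section parser ignores the lone `.` padding lines DDS emits, and everything is keyed on the section names DDS prints, so the Created Last 30 and Event Viewer sections can be given their own heuristics the same way.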

Re: Annoying Popup Ad Malware

Post by MWR 3 day Mod » April 30th, 2011, 3:18 am

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: Annoying Popup Ad Malware

Post by Cypher » May 1st, 2011, 6:40 am

Hi.
Checking your logs now be right back.
Cypher
Admin/Teacher
 
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Annoying Popup Ad Malware

Post by Cypher » May 1st, 2011, 6:53 am

Hi and welcome to Malware Removal Forum.
My name is Cypher, and I will be helping you with your malware problems.
This may or may not solve other issues you have with your machine.
If you no longer require help, I would be grateful if you would let me know.

Before we start please note the following important guidelines.
  • The instructions being given are for YOUR computer and system only!
    Using these instructions on a different computer, can damage that computer and possibly make it inoperable!
  • If you don't know or understand something, please don't hesitate to ask.
  • Only post your problem at One help site. Applying fixes from multiple help sites can cause problems.
  • Only reply to this thread; do not start another. Please continue responding until I give you the "All Clean".
    Absence of symptoms does not mean that everything is clear.
  • Please DO NOT run any other tools or scans whilst I am helping you.
  • Please DO NOT install any other software (or hardware) during the cleaning process.
  • Print each set of instructions if possible; your Internet connection will not be available during some fix processes.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Note: No Reply Within 3 Days Will Result In Your Topic Being Closed!

Note: If you haven't done so already, please read this topic ALL USERS OF THIS FORUM MUST READ THIS FIRST where the conditions for receiving help here are explained.
Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.
Backup your data - XP
Backup your data - Vista
Backup your data - windows 7



Remove P2P Programs

  • I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.
    FrostWire 4.20.5
  • Please read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.
  • Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
  • Click on start
  • Then Run
  • In the open text entry box please copy/paste appwiz.cpl Then click enter.
  • Press the "Remove" or "Change/Remove"...button to uninstall the programs listed above (in red) and any other P2P you have installed NOW.
  • Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.

While you are in Add/Remove Programs, uninstall the following also.
Ad-Aware
J2SE Runtime Environment 5.0
PC-Doctor for Windows

Next.

  • Please download this tool from Microsoft.
  • Double click on MGADiag.exe to run it.
  • Click Continue.
  • The program will run. It takes a while to finish the diagnosis, please be patient.
  • Once done, click on Copy.
  • Open Notepad and paste the contents in the window.
  • Save this file and copy/paste it in your next reply.

Next.

Run CKScanner

  • Please download CKScanner from Here
  • Important: - Save it to your desktop.
  • Double-click CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify the file saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

Logs/Information to Post in your Next Reply

  • MGADiag log.
  • CKFiles.txt.
Cypher
Admin/Teacher
 
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Annoying Popup Ad Malware

Unread postby Happyqb » May 2nd, 2011, 12:30 am

Hi Cypher,

Thank you for your response. I have completed the requested tasks and have posted the results below.

First is the MGAdiag log:


Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Validation Control not Installed
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-BRVBB-38MQ9-3PMFT
Windows Product Key Hash: 2V2VyxlfhiaCt/JkDzYQfiNOHMA=
Windows Product ID: 76477-OEM-2111907-00106
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010300.2.0.hom
ID: {FB009DC4-657E-49D5-8E93-6E062DFCBEF7}(1)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Home and Student 2007 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Documents and Settings\Compaq_Owner.CHRISTOPHER\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{FB009DC4-657E-49D5-8E93-6E062DFCBEF7}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010300.2.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-3PMFT</PKey><PID>76477-OEM-2111907-00106</PID><PIDType>2</PIDType><SID>S-1-5-21-2102887391-893725168-3373610314</SID><SYSTEM><Manufacturer>Compaq Presario 061</Manufacturer><Model>EG664AA-ABA SR1514NX NA530</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies, LTD</Manufacturer><Version> 3.12</Version><SMBIOSVersion major="2" minor="4"/><Date>20050420000000.000000+000</Date><SLPBIOS>HP PAVILION</SLPBIOS></BIOS><HWID>32CD3CD70184406D</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>Hewlett-Packard Company</name><model>Compaq Presario</model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{91120000-002F-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Home and Student 2007</Name><Ver>12</Ver><Val>45830A31286AF0E</Val><Hash>5xbqXB2Zr9TUJHARMFvNATX4B2M=</Hash><Pid>81602-903-3377294-68325</Pid><PidType>1</PidType></Product></Products><Applications><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: E06B:Compaq Computer Corporation|1085F:Compaq Computer Corporation|E10D:Compaq Computer Corporation|108FD:Compaq Computer Corporation|108FD:Compaq Computer Corporation|E10D:Hewlett-Packard Company|1DA50:Hewlett-Packard Company
Marker string from OEMBIOS.DAT: HP PAVILION

OEM Activation 2.0 Data-->
N/A


2nd is the ckfiles:

CKScanner - Additional Security Risks - These are not necessarily bad
c:\documents and settings\compaq_owner\desktop\nero 6.0 package\nero 6 keygen.exe
c:\documents and settings\compaq_owner\my documents\roller coaster tycoon 3 with soaked! & wild!, keygen, & nocd patch\for health & prosperity click here!.url
c:\documents and settings\compaq_owner\my documents\roller coaster tycoon 3 with soaked! & wild!, keygen, & nocd patch\god's yellow pages.url
c:\documents and settings\compaq_owner\my documents\roller coaster tycoon 3 with soaked! & wild!, keygen, & nocd patch\rct3plus.exe
c:\documents and settings\compaq_owner\my documents\roller coaster tycoon 3 with soaked! & wild!, keygen, & nocd patch\read this first.txt
c:\documents and settings\compaq_owner\my documents\roller coaster tycoon 3 with soaked! & wild!, keygen, & nocd patch\roller coaster tycoon 3 - soaked!.iso
c:\documents and settings\compaq_owner\my documents\roller coaster tycoon 3 with soaked! & wild!, keygen, & nocd patch\roller coaster tycoon 3 - wild!.iso
c:\documents and settings\compaq_owner\my documents\roller coaster tycoon 3 with soaked! & wild!, keygen, & nocd patch\roller coaster tycoon 3.iso
c:\documents and settings\compaq_owner\my documents\roller coaster tycoon 3 with soaked! & wild!, keygen, & nocd patch\serial.txt
c:\documents and settings\compaq_owner\my documents\roller coaster tycoon 3 with soaked! & wild!, keygen, & nocd patch\work from home!.url
c:\documents and settings\compaq_owner\my documents\roller coaster tycoon 3 with soaked! & wild!, keygen, & nocd patch\keygen\haandi's multikeygen (9).exe
c:\documents and settings\compaq_owner\my documents\roller coaster tycoon 3 with soaked! & wild!, keygen, & nocd patch\keygen\keygen.nfo
c:\program files\wildtangent\apps\gamechannel\games\cccde323-c76d-44da-bb5b-b8abe767756e\data\full\art\actors\resources\asteroid3cracks.wsbm
scanner sequence 3.DI.11
----- EOF -----

Thank you for your continued assistance.

Happyqb
Happyqb
Active Member
 
Posts: 10
Joined: April 24th, 2011, 8:57 pm
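The CKScanner output above flags paths purely by the words in their names, which is why its own header says the hits "are not necessarily bad": asteroid3cracks.wsbm is a game asset, while the keygen executables are the real concern. As an added example (not code from this thread, from CKScanner's author or from MalwareRemoval.com), the Python script below does the same kind of name-based triage but ranks each hit, so a helper reading the list can see at a glance which entries are executables named after a keygen or crack and which are merely a keyword buried in a longer word. The sample paths are constructed, modelled on the log posted above; the keyword list and extension set are assumptions, not CKScanner's actual rules.

```python
import re

# Name fragments that warrant a look (CKScanner-style). "patch" is left out on purpose:
# it matches far too many legitimate vendor folders.  (Assumed list, not CKScanner's.)
KEYWORDS = {"keygen", "crack", "cracked", "nocd", "serial"}
# Extensions that execute; a keyword hit on one of these ranks highest.  (Assumed set.)
EXEC_EXT = {"exe", "com", "bat", "cmd", "scr", "pif", "dll", "msi"}

# Constructed sample paths, modelled on the CKScanner output posted in this thread.
SAMPLE_PATHS = [
    r"c:\documents and settings\compaq_owner\desktop\nero 6.0 package\nero 6 keygen.exe",
    r"c:\documents and settings\compaq_owner\my documents\rct3 keygen & nocd patch\rct3plus.exe",
    r"c:\documents and settings\compaq_owner\my documents\rct3 keygen & nocd patch\serial.txt",
    r"c:\documents and settings\compaq_owner\my documents\rct3 keygen & nocd patch\keygen\haandi's multikeygen (9).exe",
    r"c:\program files\wildtangent\apps\gamechannel\games\x\data\full\art\actors\resources\asteroid3cracks.wsbm",
    r"c:\program files\microsoft office\office12\excel.exe",
]


def match_strength(text: str) -> int:
    """2 = a keyword stands alone as a word, 1 = it is buried inside a longer word, 0 = absent."""
    tokens = set(re.findall(r"[a-z]+", text))
    if tokens & KEYWORDS:
        return 2
    if any(k in text for k in KEYWORDS):
        return 1
    return 0


def classify(path: str):
    """Return 'high', 'medium', 'low' or None for one path."""
    parts = path.lower().replace("/", "\\").split("\\")
    name = parts[-1]
    stem, dot, ext = name.rpartition(".")
    if not dot:
        stem, ext = name, ""
    own = match_strength(stem)
    parent = max((match_strength(p) for p in parts[:-1]), default=0)
    if own == 0 and parent == 0:
        return None
    if own and ext in EXEC_EXT:
        return "high"       # executable whose own name carries the keyword
    if own == 2 or (parent == 2 and ext in EXEC_EXT):
        return "medium"     # data file named after a keyword, or executable inside such a folder
    return "low"            # keyword only inside a longer word, or non-executable inside such a folder


def scan(paths):
    """Group paths by severity; paths with no hit are dropped from the report."""
    report = {"high": [], "medium": [], "low": []}
    for p in paths:
        sev = classify(p)
        if sev:
            report[sev].append(p)
    return report


if __name__ == "__main__":
    for sev, hits in scan(SAMPLE_PATHS).items():
        for h in hits:
            print(f"{sev:<6} {h}")
```

Run against the sample list, the two keygen executables come out "high", rct3plus.exe and serial.txt "medium" (an executable sitting in a folder named for a keygen, and a plain text file named serial), asteroid3cracks.wsbm "low", and excel.exe is not reported at all. The ranking only says where to look first; whether a "high" entry is really a keygen is still a judgement call for the helper, exactly as the thread treats the CKScanner list.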

Re: Annoying Popup Ad Malware

Unread postby Cypher » May 2nd, 2011, 5:34 am

Hi Happyqb.
Thank you for your response.

You're welcome.

  • Please visit This website using Internet Explorer.
  • Follow the instructions to Validate Windows, then run MGADiag.exe again and post the new log in your next reply.

Next.

Cracked/Keygen related software detected!!!

While going through your logs I found out that you have downloaded various keygen/cracked software and that you are actively using it.
Our forum policy Here says we will not help people who use cracked or pirated software.
You likely got infected by using cracked software or visiting crack sites.
Hence, I would like you to remove all the crack/keygen applications that are present on your system, then run CKScanner again and post the new log.

NOTE: If you tell me that the software/keygens have been removed & I find they have not (the tools we use can & will detect it), then I will have no choice but to close this thread.


Logs/Information to Post in your Next Reply

  • New MGADiag log.
  • New CKScanner log.
Cypher
Admin/Teacher
 
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Annoying Popup Ad Malware

Unread postby Happyqb » May 2nd, 2011, 11:50 am

Hi Cypher.

I have validated Windows and have posted the MGADiag log below.

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Genuine
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-BRVBB-38MQ9-3PMFT
Windows Product Key Hash: 2V2VyxlfhiaCt/JkDzYQfiNOHMA=
Windows Product ID: 76477-OEM-2111907-00106
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010300.2.0.hom
ID: {FB009DC4-657E-49D5-8E93-6E062DFCBEF7}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.9.42.0
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Home and Student 2007 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Documents and Settings\Compaq_Owner.CHRISTOPHER\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{FB009DC4-657E-49D5-8E93-6E062DFCBEF7}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010300.2.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-3PMFT</PKey><PID>76477-OEM-2111907-00106</PID><PIDType>2</PIDType><SID>S-1-5-21-2102887391-893725168-3373610314</SID><SYSTEM><Manufacturer>Compaq Presario 061</Manufacturer><Model>EG664AA-ABA SR1514NX NA530</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies, LTD</Manufacturer><Version> 3.12</Version><SMBIOSVersion major="2" minor="4"/><Date>20050420000000.000000+000</Date><SLPBIOS>HP PAVILION</SLPBIOS></BIOS><HWID>32CD3CD70184406D</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>Hewlett-Packard Company</name><model>Compaq Presario</model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{91120000-002F-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Home and Student 2007</Name><Ver>12</Ver><Val>45830A31286AF0E</Val><Hash>5xbqXB2Zr9TUJHARMFvNATX4B2M=</Hash><Pid>81602-903-3377294-68325</Pid><PidType>1</PidType></Product></Products><Applications><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: E06B:Compaq Computer Corporation|1085F:Compaq Computer Corporation|E10D:Compaq Computer Corporation|108FD:Compaq Computer Corporation|108FD:Compaq Computer Corporation|E10D:Hewlett-Packard Company|1DA50:Hewlett-Packard Company
Marker string from OEMBIOS.DAT: HP PAVILION

OEM Activation 2.0 Data-->
N/A


Also I have deleted RollerCoaster Tycoon 3, which I believe is the only cracked software on my computer. The CKScanner logs are below. If any other programs need to be deleted as well, please assist and I will be happy to comply.

CKScanner - Additional Security Risks - These are not necessarily bad
c:\documents and settings\compaq_owner\desktop\nero 6.0 package\nero 6 keygen.exe
c:\program files\wildtangent\apps\gamechannel\games\cccde323-c76d-44da-bb5b-b8abe767756e\data\full\art\actors\resources\asteroid3cracks.wsbm
scanner sequence 3.AA.11
----- EOF -----


Thank you again.

Happyqb
Happyqb
Active Member
 
Posts: 10
Joined: April 24th, 2011, 8:57 pm

Re: Annoying Popup Ad Malware

Unread postby Cypher » May 2nd, 2011, 12:03 pm

Hi Happyqb.
If any other programs need to be deleted as well, please assist and I will be happy to comply.
Please delete the below also.
c:\documents and settings\compaq_owner\desktop\nero 6.0 package\nero 6 keygen.exe


Next.

Download and Run ComboFix

  • Please download ComboFix from one of the following links.

    Link 1.

    Link 2.

    **IMPORTANT !!! Save ComboFix.exe to your Desktop**
  • Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
  • Double click on ComboFix.exe & follow the prompts
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console
Image
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Image

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper



Logs/Information to Post in your Next Reply

  • ComboFix.txt.
  • Please give me an update on how your computer is performing.
Cypher
Admin/Teacher
 
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Annoying Popup Ad Malware

Unread postby Happyqb » May 2nd, 2011, 8:18 pm

Good Evening Cypher,

I have deleted Nero and tried to run ComboFix, but it said that it detected Norton, which may interfere. I then was not sure, following the directions from the forum, how to disable Norton, so I deleted any Norton-related files from my computer. I then proceeded to run ComboFix.
First ComboFix detected a rootkit and restarted the computer. It then proceeded to search for infected files. The log is below.

ComboFix 11-05-02.03 - Compaq_Owner 05/02/2011 18:18:24.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.895.573 [GMT -4:00]
Running from: c:\documents and settings\Compaq_Owner.CHRISTOPHER\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\Compaq_Owner.CHRISTOPHER\Application Data\Local
c:\documents and settings\Compaq_Owner.CHRISTOPHER\Application Data\Local\Temp\DDM\Settings\dm_110219_bieber_feature_fixed.mp4.ddr
c:\documents and settings\Compaq_Owner.CHRISTOPHER\Application Data\Local\Temp\DDM\Settings\Post_Install_RB_HiQ_en.divx.ddr
c:\documents and settings\Compaq_Owner.CHRISTOPHER\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\dm_110214_sn_weirdweb.mp4(2).ddp
c:\documents and settings\Compaq_Owner.CHRISTOPHER\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\dm_110214_sn_weirdweb.mp4(3).ddp
c:\documents and settings\Compaq_Owner.CHRISTOPHER\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\dm_110214_sn_weirdweb.mp4(4).ddp
c:\documents and settings\Compaq_Owner.CHRISTOPHER\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\dm_110214_sn_weirdweb.mp4(5).ddp
c:\documents and settings\Compaq_Owner.CHRISTOPHER\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\dm_110214_sn_weirdweb.mp4(6).ddp
c:\documents and settings\Compaq_Owner.CHRISTOPHER\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\dm_110214_sn_weirdweb.mp4.ddp
c:\documents and settings\Compaq_Owner.CHRISTOPHER\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\dm_110219_bieber_feature_fixed.mp4
c:\documents and settings\Compaq_Owner.CHRISTOPHER\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\Post_Install_RB_HiQ_en.divx
c:\documents and settings\Compaq_Owner.CHRISTOPHER\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\TVYTdunks2-Program Stream.mp4
c:\documents and settings\Compaq_Owner.CHRISTOPHER\Application Data\Local\Temp\DDM\Settings\TVYTdunks2-Program Stream.mp4.ddr
c:\documents and settings\Compaq_Owner.CHRISTOPHER\WINDOWS
c:\documents and settings\Compaq_Owner\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\ps2.bat
D:\Autorun.inf
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2011-04-02 to 2011-05-02 )))))))))))))))))))))))))))))))
.
.
2011-05-02 04:13 . 2011-05-02 04:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2011-05-02 03:55 . 2011-05-02 03:55 -------- d-----w- c:\documents and settings\Compaq_Owner.CHRISTOPHER\Application Data\Atari
2011-04-24 23:36 . 2011-04-24 23:36 388096 ----a-r- c:\documents and settings\Compaq_Owner.CHRISTOPHER\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-04-23 15:26 . 2011-05-02 03:59 -------- dc----w- c:\windows\system32\DRVSTORE
2011-04-23 15:26 . 2011-04-23 15:26 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-04-23 15:25 . 2011-04-23 15:25 -------- d-----w- c:\documents and settings\Compaq_Owner.CHRISTOPHER\Local Settings\Application Data\Sunbelt Software
2011-04-23 15:22 . 2011-05-02 03:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2011-04-23 05:41 . 2011-04-23 05:41 -------- d-----w- c:\documents and settings\Compaq_Owner.CHRISTOPHER\Local Settings\Application Data\Help
2011-04-23 05:41 . 2011-04-23 05:41 -------- d-----w- c:\documents and settings\COMPAQ~1~CHR
2011-04-22 23:43 . 2011-04-22 23:43 -------- d-----w- c:\documents and settings\Compaq_Owner.CHRISTOPHER\Application Data\Malwarebytes
2011-04-22 23:43 . 2011-04-22 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-17 23:52 . 2011-05-02 22:23 -------- d-----w- c:\documents and settings\Administrator
2011-04-05 06:46 . 2011-04-05 06:46 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-03 14:54 . 2011-04-03 14:54 -------- d-----w- c:\documents and settings\LocalService\Application Data\iolo
2011-04-03 14:53 . 2010-09-23 16:29 511328 ----a-w- c:\program files\Common Files\Microsoft Shared\CAPICOM\CAPICOM.DLL
2011-04-03 14:53 . 2011-03-11 05:54 87688 ----a-w- c:\windows\system32\IncContxMenu.dll
2011-04-03 14:53 . 2011-03-11 05:36 2234552 ----a-w- c:\windows\system32\Incinerator.dll
2011-04-03 14:53 . 2011-03-11 05:53 11776 ----a-w- c:\windows\system32\smrgdf.exe
2011-04-03 14:53 . 2011-03-11 05:53 29696 ----a-w- c:\windows\system32\iolobtdfg.exe
2011-04-03 14:53 . 2010-02-09 01:59 56200 ----a-w- c:\windows\system32\offreg.dll
2011-04-03 14:53 . 2011-04-03 14:53 -------- d-----w- c:\program files\iolo
2011-04-03 14:52 . 2011-04-03 14:52 74703 ----a-w- c:\windows\system32\mfc45.dll
2011-04-03 14:51 . 2011-04-03 14:51 -------- d-----w- C:\iolo
2011-04-03 14:51 . 2011-05-02 11:32 -------- d-----w- c:\documents and settings\All Users\Application Data\iolo
2011-04-03 14:51 . 2011-04-03 15:16 -------- d-----w- c:\documents and settings\Compaq_Owner.CHRISTOPHER\Application Data\iolo
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="SiSPower.dll" [2005-01-05 49152]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-15 253952]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-07-13 180269]
"Broadcom Wireless Manager"="c:\windows\system32\wltray.exe" [2007-06-14 1282048]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-08 57344]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-01-07 158448]
"StatusClient"="c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 36864]
"TomcatStartup"="c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-03-31 155648]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-12-09 1226608]
"DivX Download Manager"="c:\program files\DivX\DivX Plus Web Player\DDmService.exe" [2010-12-08 63360]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-04-27 149280]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - c:\program files\Compaq Connections\6750491\Program\Compaq Connections.exe [2005-7-13 45056]
Dynex Wireless Networking Utility.lnk - c:\program files\Dynex Enhanced G USB Network Adapter\DynexWCUI.exe [2008-9-13 1458176]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\AIM7\\aim.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
.
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [4/3/2011 10:53 AM 724152]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [4/3/2011 10:53 AM 724152]
R3 NdisWDM;Dynex Enhanced Wireless G USB Network Adapter Service;c:\windows\system32\drivers\NdisWDM.sys [11/24/2009 10:53 PM 198528]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2102887391-893725168-3373610314-1009Core.job
- c:\documents and settings\Compaq_Owner.CHRISTOPHER\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-27 00:16]
.
2011-05-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2102887391-893725168-3373610314-1009UA.job
- c:\documents and settings\Compaq_Owner.CHRISTOPHER\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-27 00:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-WudfPf
SafeBoot-WudfRd
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-02 18:24
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(708)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2011-05-02 18:26:43
ComboFix-quarantined-files.txt 2011-05-02 22:26
.
Pre-Run: 78,997,311,488 bytes free
Post-Run: 83,025,084,416 bytes free
.
- - End Of File - - 7E0CD3557684C4ECC3BF9E006C44D990

Good News!
So far the computer seems to be back to normal. I have not heard any of the radio advertisements in the background, and the script errors have disappeared. Also Google seems to be working fine without redirecting me.
Just one quick question: upon startup a popup appears that I thought started around the same time the virus did. The popup says that "Compaq Connections is still engaged by user Compaq_Owner. Do you wish to proceed here, shutting down the other session?" but it won't shut down the other session. Sorry, I wanted to copy and paste it but didn't know how. However, if this popup box is the only thing I have to deal with, then I am more than grateful for the work you have done in eradicating that annoying pest.



Thank you very much, you are a genius, and if only you could help me with all life's problems, i.e. acne? Lol. Thanks again, and do you have any advice on what free antivirus I should be using to prevent any such attacks?

Sincerely,

Happyqb
Happyqb
Active Member
 
Posts: 10
Joined: April 24th, 2011, 8:57 pm
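The ComboFix log above is what the helper reads next: the "Infected copy of ... volsnap.sys" line is the rootkit finding, the Reg Loading Points block lists every autostart, and "EnableFirewall"= 0 shows the Windows Firewall was switched off. As an added example (not code from this thread, from ComboFix's author sUBs or from MalwareRemoval.com), the Python script below parses a constructed excerpt of that log, built from lines copied from the post, and produces the short triage a reader would otherwise do by eye: which files were disinfected, whether the firewall is off, and which Run entries deserve a second look because they name a bare file with no path (so Windows resolves it through the search order) or start from a user-writable folder. The regular expressions and the "user-writable" folder list are assumptions about ComboFix's output format made for this example.

```python
import re

# Constructed excerpt: lines copied from the ComboFix log posted above, trimmed to the
# parts this parser understands (disinfection notice, Run key, firewall policy).
SAMPLE_LOG = r"""
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="SiSPower.dll" [2005-01-05 49152]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-08 57344]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-04-27 149280]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
"""

# Assumed line shapes, derived from the log excerpt above (not an official ComboFix grammar).
HEADER = re.compile(r"^\[(?P<key>[^\]]+)\]$")
RUN_ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]')
INFECTED = re.compile(r"^Infected copy of (?P<path>.+?) was found and disinfected$")
FIREWALL = re.compile(r'^"EnableFirewall"=\s*(?P<val>\d+)')

# Folders an ordinary user can write to; an autostart pointing here deserves a look.  (Assumed list.)
USER_WRITABLE = ("\\local settings\\", "\\temp\\", "\\application data\\")


def parse_log(text: str) -> dict:
    """Pull autostart entries, the firewall flag and disinfected files out of ComboFix output."""
    key = None
    result = {"run": [], "firewall_enabled": None, "disinfected": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            key = m.group("key").lower()       # remember which registry key we are under
            continue
        m = INFECTED.match(line)
        if m:
            result["disinfected"].append(m.group("path"))
            continue
        m = FIREWALL.match(line)
        if m:
            result["firewall_enabled"] = int(m.group("val")) != 0
            continue
        m = RUN_ENTRY.match(line)
        if m and key and key.endswith(("\\run", "\\runonce")):
            result["run"].append({"key": key, "name": m.group("name"), "cmd": m.group("cmd"),
                                  "date": m.group("date"), "size": int(m.group("size"))})
    return result


def triage_run_entries(entries):
    """Return (name, reason) pairs for autostart entries worth verifying by hand."""
    findings = []
    for e in entries:
        cmd = e["cmd"].lower()
        if "\\" not in cmd:
            findings.append((e["name"], "bare file name: resolved through the search path, confirm which copy loads"))
        elif any(s in cmd for s in USER_WRITABLE):
            findings.append((e["name"], "starts from a user-writable folder"))
    return findings


def summarize(text: str) -> list:
    """Human-readable triage lines for one log."""
    r = parse_log(text)
    out = [f"disinfected: {p}" for p in r["disinfected"]]
    if r["firewall_enabled"] is False:
        out.append("Windows Firewall is disabled in the standard profile")
    out += [f"autostart {n}: {why}" for n, why in triage_run_entries(r["run"])]
    return out


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG)))
```

On the excerpt this reports the disinfected volsnap.sys, the disabled firewall, and the two bare-name autostarts (SiSPower.dll and ALCXMNTR.EXE). Both of those are chipset and audio utilities that are normal on this Compaq, so the output is a prompt to check, not a verdict; the point of the parse is to surface the entries where "which file actually runs" is not answered by the log line itself.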

Re: Annoying Popup Ad Malware

Unread postby Cypher » May 3rd, 2011, 5:56 am

Hi Happyqb.
Thank you very much

You're welcome.
So far the computer seems to be back to normal.

Good but stay with me we still have work to do.
Just one quick question: upon startup a popup appears that I thought started around the same time the virus did. The popup says that "Compaq Connections is still engaged by user Compaq_Owner.
Let's be sure your computer is clean first, then we can see about that problem.
do you have any advice on what free antivirus I should be using to prevent any such attacks.

Since you have deleted Norton you should install another AV. We need to run ComboFix again; once you have done so, install Avira Personal FREE Antivirus, see instructions at the bottom of this post.

ComboFix - CFScript
This script is for this user and computer ONLY! Using this tool incorrectly could cause problems with your operating system... preventing it from ever starting again!
You will not have Internet access when you execute ComboFix. All open windows will need to be closed!
  1. Please open Notepad and copy/paste all the text below... into the window:
    Folder::
    c:\program files\Lavasoft\Ad-Aware
    
    DDS::
    uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
    uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
    uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
    uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
    uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
    mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
    BHO: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
    TB: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
    TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
    DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
    
    
  2. Save it to your desktop as CFScript.txt
  3. Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
    *Only* when the 2 items above (Step 3) have been taken care of...
  4. Drag the CFScript.txt (icon) into the ComboFix.exe icon... as seen in the image below:
    [image]
    This will cause ComboFix to run again.
    Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash.
    Do Not touch your computer when ComboFix is running!
  5. When finished ComboFix will create a log file... you can save this file to a convenient place.
Please copy/paste the ComboFix log file in your next reply.

Next.

Download and install Avira Personal FREE Antivirus from Here.

Logs/Information to Post in your Next Reply

  • ComboFix log.
  • Please give me an update on how your computer is performing.
Cypher
Admin/Teacher
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Annoying Popup Ad Malware

Unread postby Happyqb » May 3rd, 2011, 11:20 am

Hi Cypher.

Thank you for your response again. I guess I jumped the gun a bit as soon as I noticed that the radio ads were gone.

ComboFix log:

ComboFix 11-05-02.04 - Compaq_Owner 05/03/2011 10:39:05.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.895.646 [GMT -4:00]
Running from: c:\documents and settings\Compaq_Owner.CHRISTOPHER\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Compaq_Owner.CHRISTOPHER\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\vshare\vshare_toolbar.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_Lavasoft_Kernexplorer
-------\Service_Lavasoft Kernexplorer
.
.
((((((((((((((((((((((((( Files Created from 2011-04-03 to 2011-05-03 )))))))))))))))))))))))))))))))
.
.
2011-05-02 04:13 . 2011-05-02 04:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2011-05-02 03:55 . 2011-05-02 03:55 -------- d-----w- c:\documents and settings\Compaq_Owner.CHRISTOPHER\Application Data\Atari
2011-04-24 23:36 . 2011-04-24 23:36 388096 ----a-r- c:\documents and settings\Compaq_Owner.CHRISTOPHER\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-04-23 15:26 . 2011-05-02 03:59 -------- dc----w- c:\windows\system32\DRVSTORE
2011-04-23 15:26 . 2011-04-23 15:26 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-04-23 15:25 . 2011-04-23 15:25 -------- d-----w- c:\documents and settings\Compaq_Owner.CHRISTOPHER\Local Settings\Application Data\Sunbelt Software
2011-04-23 15:22 . 2011-05-02 03:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2011-04-23 05:41 . 2011-04-23 05:41 -------- d-----w- c:\documents and settings\Compaq_Owner.CHRISTOPHER\Local Settings\Application Data\Help
2011-04-23 05:41 . 2011-04-23 05:41 -------- d-----w- c:\documents and settings\COMPAQ~1~CHR
2011-04-22 23:43 . 2011-04-22 23:43 -------- d-----w- c:\documents and settings\Compaq_Owner.CHRISTOPHER\Application Data\Malwarebytes
2011-04-22 23:43 . 2011-04-22 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-17 23:52 . 2011-05-02 22:23 -------- d-----w- c:\documents and settings\Administrator
2011-04-05 06:46 . 2011-04-05 06:46 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-03 14:54 . 2011-04-03 14:54 -------- d-----w- c:\documents and settings\LocalService\Application Data\iolo
2011-04-03 14:53 . 2010-09-23 16:29 511328 ----a-w- c:\program files\Common Files\Microsoft Shared\CAPICOM\CAPICOM.DLL
2011-04-03 14:53 . 2011-03-11 05:54 87688 ----a-w- c:\windows\system32\IncContxMenu.dll
2011-04-03 14:53 . 2011-03-11 05:36 2234552 ----a-w- c:\windows\system32\Incinerator.dll
2011-04-03 14:53 . 2011-03-11 05:53 11776 ----a-w- c:\windows\system32\smrgdf.exe
2011-04-03 14:53 . 2011-03-11 05:53 29696 ----a-w- c:\windows\system32\iolobtdfg.exe
2011-04-03 14:53 . 2010-02-09 01:59 56200 ----a-w- c:\windows\system32\offreg.dll
2011-04-03 14:53 . 2011-04-03 14:53 -------- d-----w- c:\program files\iolo
2011-04-03 14:52 . 2011-04-03 14:52 74703 ----a-w- c:\windows\system32\mfc45.dll
2011-04-03 14:51 . 2011-04-03 14:51 -------- d-----w- C:\iolo
2011-04-03 14:51 . 2011-05-03 01:36 -------- d-----w- c:\documents and settings\All Users\Application Data\iolo
2011-04-03 14:51 . 2011-04-03 15:16 -------- d-----w- c:\documents and settings\Compaq_Owner.CHRISTOPHER\Application Data\iolo
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="SiSPower.dll" [2005-01-05 49152]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-15 253952]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-07-13 180269]
"Broadcom Wireless Manager"="c:\windows\system32\wltray.exe" [2007-06-14 1282048]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-08 57344]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-01-07 158448]
"StatusClient"="c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 36864]
"TomcatStartup"="c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-03-31 155648]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-12-09 1226608]
"DivX Download Manager"="c:\program files\DivX\DivX Plus Web Player\DDmService.exe" [2010-12-08 63360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - c:\program files\Compaq Connections\6750491\Program\Compaq Connections.exe [2005-7-13 45056]
Dynex Wireless Networking Utility.lnk - c:\program files\Dynex Enhanced G USB Network Adapter\DynexWCUI.exe [2008-9-13 1458176]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\AIM7\\aim.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
.
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [4/3/2011 10:53 AM 724152]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [4/3/2011 10:53 AM 724152]
R3 NdisWDM;Dynex Enhanced Wireless G USB Network Adapter Service;c:\windows\system32\drivers\NdisWDM.sys [11/24/2009 10:53 PM 198528]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2102887391-893725168-3373610314-1009Core.job
- c:\documents and settings\Compaq_Owner.CHRISTOPHER\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-27 00:16]
.
2011-05-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2102887391-893725168-3373610314-1009UA.job
- c:\documents and settings\Compaq_Owner.CHRISTOPHER\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-27 00:16]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-03 10:46
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(696)
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(3600)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\wltrysvc.exe
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\ZuneBusEnum.exe
c:\windows\system32\wscntfy.exe
c:\windows\ALCXMNTR.EXE
c:\program files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
.
**************************************************************************
.
Completion time: 2011-05-03 10:51:47 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-03 14:51
ComboFix2.txt 2011-05-02 22:26
.
Pre-Run: 83,024,154,624 bytes free
Post-Run: 82,999,730,176 bytes free
.
- - End Of File - - CFA20B1B3DCA11E19F91DDC844ED5A51



I proceeded to download Avira Personal Free Antivirus but have not yet run a scan.

The computer seems to be working fine; the popup that says "Compaq Connections is still engaged by user Compaq_Owner" is still popping up but does not seem to hinder any of my processes so far.

Please advise on the next step.

Sincerely,
Happyqb
Happyqb
Active Member
Posts: 10
Joined: April 24th, 2011, 8:57 pm

Re: Annoying Popup Ad Malware

Unread postby Cypher » May 3rd, 2011, 11:31 am

Hi Happyqb.
Your logs look good now but we need another scan to check for leftovers.
We need to do a couple of updates also, once done give me another update on your PC's performance.

Java SE Runtime Environment (JRE).

Please download from HERE
  • Find Java SE Runtime Environment (JRE) 6 Update 25.
  • Click the Download JRE button to the right.
  • Choose the correct Platform and Multi-language. Next, check the box that says I agree to the Java SE Runtime Environment 6 License Agreement.
  • Click the Continue button.
  • Click on the filename under Windows Offline Installation and save it to your desktop.
  • Close all active windows.
  • Install the program.
  • Note: remember to Uncheck Free McAfee® Security Scan Plus (optional)

Next.

Update Adobe Reader

  • You should Download and Install the newest version of Adobe Reader for reading pdf files.
  • Older versions may have vulnerabilities that malware can use to infect your system.
  • Go Here to download and install Adobe Reader X (10.0.1).
  • Note: remember to Uncheck Free McAfee® Security Scan Plus (optional)

Next.

Please download ATF Cleaner to your desktop.

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Next.

ESET online scanner

Note: You can use either Internet Explorer or Mozilla Firefox for this scan.

Note: If you are using Windows Vista or Windows 7, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • First please Disable any Antivirus you have active, as shown in This topic.
  • Note: Don't forget to re-enable it after the scan.
  • Next hold down Control then click on the following link to open a new window to ESET online scanner
  • Then click on: [image]
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.
  • Select the option YES, I accept the Terms of Use then click on: [image]
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: [image]
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: [image]
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.


Logs/Information to Post in your Next Reply

  • ESET log.
  • Please give me an update on how your computer is performing.
Cypher
Admin/Teacher
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Annoying Popup Ad Malware

Unread postby Happyqb » May 5th, 2011, 12:06 am

Hi Cypher,

Glad that the logs look good so far, but it seems like the ESET scanner found some threats.
First I downloaded Java SE Runtime Environment (JRE) 6 Update 25, Adobe Reader X (10.0.1) and ATF Cleaner.
I then continued with the ESET scanner which took some time to run. The logs are posted below.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=a3c040dc91a0c448a4073e4c8882c494
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-05-04 07:29:45
# local_time=2011-05-04 03:29:45 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 710961 710961 0 0
# compatibility_mode=768 16777215 100 0 7729607 7729607 0 0
# compatibility_mode=1797 16775141 100 93 0 40078901 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=134839
# found=15
# cleaned=0
# scan_time=8635
C:\.quarantine\joysaver[1].cab.Vir multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Compaq_Owner\My Documents\FrostWire\Saved\millie remix rock city-HQ.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Compaq_Owner\Shared\get buck in here sexy girl has shaking orgasm during sex.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Compaq_Owner.CHRISTOPHER\Application Data\Sun\Java\Deployment\cache\6.0\12\3cc664c-1849e6f3 Java/TrojanDownloader.OpenStream.NBS trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Compaq_Owner.CHRISTOPHER\Application Data\Sun\Java\Deployment\cache\6.0\20\64104f54-6a43cd62 multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Compaq_Owner.CHRISTOPHER\Application Data\Sun\Java\Deployment\cache\6.0\22\72995bd6-446cf460 multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Compaq_Owner.CHRISTOPHER\Application Data\Sun\Java\Deployment\cache\6.0\30\7e81239e-2bd0170e multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Compaq_Owner.CHRISTOPHER\Application Data\Sun\Java\Deployment\cache\6.0\31\47480b9f-2f1cbca6 multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Compaq_Owner.CHRISTOPHER\Application Data\Sun\Java\Deployment\cache\6.0\32\4e5c2020-62d83417 multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Compaq_Owner.CHRISTOPHER\Application Data\Sun\Java\Deployment\cache\6.0\52\1aadbb4-74816cbe multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP380\A0069017.exe Win32/PowerReg application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP380\A0069019.exe Win32/Adware.Toolbar.Shopper application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP392\A0071930.sys Win32/Olmasco.E trojan (unable to clean) 00000000000000000000000000000000 I
D:\I386\APPS\APP16572\src\SpyInstall_HPPre.exe probably a variant of Win32/Agent.HVEUCPZ trojan (unable to clean) 00000000000000000000000000000000 I
D:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP380\A0069021.exe a variant of Win32/AdInstaller application (unable to clean) 00000000000000000000000000000000 I


Although the ESET scanner found these threats, the computer seems to be performing at a normal capacity. So it seems that we are not yet clean; please advise on the next step.

Thank you for all your help so far.

Happyqb
Happyqb
Active Member
Posts: 10
Joined: April 24th, 2011, 8:57 pm
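The hits in a log like the one above are easier to act on once sorted by where they live (cached Java applets, old System Restore points, a tool's quarantine, or live files that need a decision). The following is an added example, not a tool from this thread or from ESET: it parses the posted format ('# key=value' header lines, then one detection per line) and buckets each hit. The sample log is constructed from lines of the log posted above, trimmed to five entries, and the meaning of the `C:\.quarantine` folder is an assumption.

```python
"""Triage an ESET Online Scanner log of the kind posted in this thread.

Added example, not ESET's or the forum's own code. Detection lines look like
    <path> <detection name> (<status>) <32-hex hash> <flag>
and paths may contain spaces, so the detection name is found by its shape.
"""
import re
from collections import Counter

# Constructed sample: lines copied from the log posted above, trimmed to five
# detections (found= adjusted to match).
SAMPLE_LOG_LINES = [
    "# version=7",
    "# remove_checked=false",
    "# archives_checked=true",
    "# found=5",
    "# cleaned=0",
    r"C:\.quarantine\joysaver[1].cab.Vir multiple threats (unable to clean) 00000000000000000000000000000000 I",
    r"C:\Documents and Settings\Compaq_Owner\My Documents\FrostWire\Saved\millie remix rock city-HQ.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (unable to clean) 00000000000000000000000000000000 I",
    r"C:\Documents and Settings\Compaq_Owner.CHRISTOPHER\Application Data\Sun\Java\Deployment\cache\6.0\12\3cc664c-1849e6f3 Java/TrojanDownloader.OpenStream.NBS trojan (unable to clean) 00000000000000000000000000000000 I",
    r"C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP380\A0069017.exe Win32/PowerReg application (unable to clean) 00000000000000000000000000000000 I",
    r"D:\I386\APPS\APP16572\src\SpyInstall_HPPre.exe probably a variant of Win32/Agent.HVEUCPZ trojan (unable to clean) 00000000000000000000000000000000 I",
]

# The detection name is 'multiple threats', '[probably ]a variant of <family>' or a
# bare <platform>/<family>, optionally followed by lower-case words ('trojan',
# 'application'). The lazy path group stops at the first split where that fits.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<detection>(?:multiple threats|(?:probably )?a variant of \S+|\S+/\S+)(?: [a-z]+)*) "
    r"\((?P<status>[^()]+)\) "
    r"(?P<hash>[0-9A-Fa-f]{32}) "
    r"(?P<flag>\S+)$"
)


def parse_detection(line):
    """Return a dict for one detection line, or None if the line has another shape."""
    m = DETECTION_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_path(path):
    """Bucket a hit by location; the bucket decides which clean-up step removes it."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "system_restore"  # old restore point; gone once System Restore is reset
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java_cache"      # cached applet; removed by clearing the Java cache
    if p.startswith("c:\\.quarantine\\"):
        return "quarantine"      # assumed: an isolated copy held by a removal tool
    return "manual_review"       # live file: needs a decision (e.g. delete the folder)


def parse_log(lines):
    """Split a log into (header dict, detection dicts, lines that fit neither)."""
    header, hits, unparsed = {}, [], []
    for line in lines:
        line = line.rstrip("\r\n")
        if not line.strip():
            continue
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            header[key.strip()] = value.strip()
            continue
        hit = parse_detection(line)
        (hits if hit else unparsed).append(hit or line)
    return header, hits, unparsed


def triage_log(lines):
    """Summarise a log: per-bucket counts and a consistency check against the header."""
    header, hits, unparsed = parse_log(lines)
    buckets = Counter(classify_path(h["path"]) for h in hits)
    found = int(header.get("found", "0"))
    return {
        "found": found,
        "parsed": len(hits),
        "unparsed": unparsed,
        "consistent": found == len(hits),  # every reported hit was parsed
        # remove_checked=false explains cleaned=0: the scan was told only to report
        "remove_disabled": header.get("remove_checked") == "false",
        "buckets": buckets,
        "manual_review": [h["path"] for h in hits if classify_path(h["path"]) == "manual_review"],
    }


if __name__ == "__main__":
    summary = triage_log(SAMPLE_LOG_LINES)
    for bucket, count in sorted(summary["buckets"].items()):
        print(f"{bucket:15s} {count}")
    for path in summary["manual_review"]:
        print("review:", path)
```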

Re: Annoying Popup Ad Malware

Unread postby Cypher » May 5th, 2011, 5:05 am

Hi Happyqb.
Thank you for all your help so far.

You're welcome.

C:\Documents and Settings\Compaq_Owner\My Documents\FrostWire << Delete this folder.

The rest of what the ESET scan found will be taken care of by following the instructions below.
Then your latest set of logs appears to be clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Clear Java cache

  • Click on Start > Control Panel > Classic view then double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button.
  • There are two options in the window to clear the cache - Leave BOTH Checked.
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
  • Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

Next.

Time for some housekeeping
  • Click on Start >> Run...
  • Now type in ComboFix /Uninstall into the box and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.
    [image]
The above procedure will reset your System Restore and clear out the backups and quarantines created during the course of this fix.

Next

Download OTC by Old Timer and save it to your Desktop. This tool will remove all the tools we used to clean your PC.

  • Double-click OTC.exe
  • Click the CleanUp! button
  • Select Yes when the Begin cleanup Process? Prompt appears
  • If you are prompted to Reboot during the cleanup, select Yes
  • The tool will delete itself once it finishes; if not, delete it yourself

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

You can now delete any tools we used if they remain on your Desktop.

Protection Programs
Don't forget to re-enable any protection programs we disabled during your fix.

Here are some free programs I recommend that could help you improve your computer's security.

Install SpywareBlaster
Download and install Javacools SpywareBlaster from Here
SpywareBlaster adds a list of ActiveX controls, tracking cookies and sites which will be blocked in either Internet Explorer or Firefox browsers. You need to manually check for updates regularly.

Install SiteAdvisor
SiteAdvisor is a toolbar for Microsoft Internet Explorer and Mozilla Firefox which alerts you if you're about to enter a potentially dangerous website.
You can find more information and download it from Here

Install WinPatrol
As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
For more information, please visit HERE

MVPS Hosts

Install MVPS Hosts File From Here
The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
You can Find the Tutorial HERE

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your PC.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft often to get the latest updates for your computer
You can do that HERE

Read some information HERE on how to prevent Malware

I would be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Safe surfing!
Cypher
Admin/Teacher
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Annoying Popup Ad Malware

Unread postby Happyqb » May 5th, 2011, 12:43 pm

Hi Cypher,

I have deleted the Frostwire folder.

I tried to delete the Java Temporary Files but a popup error appears that says
"Unable to uninstall applications"
When I click on Details it shows a file
C:\Documents and Settings\Compaq_Owner.CHRISTOPHER\ApplicationData\Sun\Java\Deployment\cache\6.0\splash\splash.xml (Access is denied)

I have successfully uninstalled ComboFix.

I was unable to run the OTC program because it says
C:\Documents and Settings\Compaq_Owner.CHRISTOPHER\Desktop\OTC.exe is not a valid Win32 application.


Also, I am sorry to have not mentioned this to you before because my focus was on getting the computer cleaned, but when the virus attacked my computer, I had an external hard drive plugged into the computer. I believe all the files on the external drive were deleted, so I unplugged the unit. Shortly thereafter, I contacted you. I have not plugged the external hard drive into this computer or any other for fear of infections that may be on the external hard drive. Is there a way that we could scan the drive to make sure that it is safe for use?
Please advise on the next step.

Sincerely,

Happyqb
Happyqb
Active Member
Posts: 10
Joined: April 24th, 2011, 8:57 pm