Annoying "security warning" pop ups

Status
Not open for further replies.

jmo07

Posts: 14   +0
If someone can please help it would be very much appreciated.
Basically I keep getting "security warning" pop ups that say

Current Site: http://ad.doubleclick.net (this varies to different current sites)
res://ieframe.dll

and also from time to time I get "script error" pop ups even after going to my internet options and making sure the box is NOT selected to notify me of script errors.

The "security warning" pop ups seem to happen mostly when I'm opening, deleting, or doing anything with my yahoo e-mail messages. Also when I go to certain websites like www.espn.com, or other sites as well. It does not do it for every site I go to but it does pop up A LOT.

I have run both McAfee as well as Webroot Spysweeper with Antivirus and nothing comes up.

I've run ccleaner twice then ran Hijack This, Malwarebytes' Anti-Malware, SUPERAntiSpyware. I have included the logs from those 3 programs.

Hope someone can help getting rid of those annoying pop ups.

Thanks in advance.
 

Attachments

  • hijackthis.log
    9.6 KB · Views: 8
  • mbam-log-2009-10-04.txt
    851 bytes · Views: 6
  • SUPERAntiSpyware Scan Log - 10-04-2009 - 18-39-58.log
    465 bytes · Views: 5
Update XP to Service Pack 3, and include any additional critical or hardware updates. You have some "suspicious" stuff in the hijackthis log, but let's do the Windows updates first.
 
Ok I've updated to Service Pack 3 and have installed critical updates. So far I'm still experiencing the same problem.
 
jmo07 , you do have malware. If you still need help, please let me know. I see at least two different infections in these logs.
 
Hi Bobbye, thank you for all your help. Yes, I still need help. I've run McAfee, Webroot Spysweeper, Malwarebytes' Anti-Malware, and SUPERAntiSpyware Free Edition. The last couple of times I've run those programs everything came out clean saying no infections found. What can I do to remove the malware that you found in the logs I provided?
 
My general rule in cleaning an infected PC is to perform a scan on a clean boot, not safe mode. If you can borrow a BartPE bootable from a friend and an updated copy of any portable virus scanner, do a full scan. If you no longer need your System Restore Points, delete them all. Also manually delete all temp files. If you have a hidden directory named RECYCLER, delete that too. Reboot and clean your registry; program choice is up to you.
 
If you look at the logs, you will understand that it is the same problem- that when the first help was given in July, the thread was abandoned and the user now shows almost the identical entries. So not recurrence but rather 'same.'
 
Hi Bobbye,
It's the same problems as back in July. I first did the 3 steps suggestions that were made, which was to run ccleaner followed by Malwarebytes' Anti-Malware, SUPERAntiSpyware Free Edition, and HijackThis. It seemed to remove a lot of stuff that McAfee and my antispyware system didn't find before. It worked better than before after running them, so I was ok with it being that my system was working better. The first few times I ran the programs recommended it seemed to find more and more stuff. So I figured, as long as I run them a few more times I would eventually get rid of everything. Well, to make a long story short, it did work much better. Was still getting pop ups but nowhere near as bad as it was at first. Now it seems like it's getting just as bad again. Only this time every time I run the programs recommended everything comes up clean.

lol @ Tmagic. No, not looking for post counts but company...maybe, just the kind of company that could help with advice on how to get rid of these pop ups permanently. I do appreciate all the help you both (Bobbye and Tmagic) have provided so far.
 
Your Hijackthis log shows XP Service Pack 2. You are missing some critical Windows Updates including Service Pack 3 and most likely some critical and hardware updates too
 
jmo07, getting the Windows updates isn't going to get rid of the malware. I believe this is a continuation of the problem in July and that although some functions might have improved, the infection was still on the system.

Since the logs are now a week old, please update Malwarebytes and Superantispyware and attach new logs in your next reply. Then rescan with HijackThis and paste (Ctrl V) the log in your next reply.

We will go from there- but only if you stick with it.
 
Hi Bobbye/Tmagic650,
I'm attaching current logs that I ran today. Since the first reply I've updated and installed Service Pack 3 and have installed all critical updates as current as of today, Oct 14. Let me know if there is anything else I need to provide to see what I can do to fix the problem. Thanks for all the help.
 

Attachments

  • hijackthis_10-14-09.txt
    9.7 KB · Views: 5
Thank you. Now let's see if we can find and remove all the malware:

First, uninstall the My Web Search option from Add/Remove Programs:

  [1] Click on Start, Settings, Control Panel
  [2] Double click on Add/Remove Programs
  [3] Find "My Web Search" in the list of installed programs and click on Change/Remove to uninstall it. You may also want to uninstall any of the following items associated with FunWebProducts:
    • My Web Search (Smiley Central or FWP product as applicable)
    • My Way Speedbar (Smiley Central or other FWP as applicable)
    • My Way Speedbar (AOL and Yahoo Messengers) (beta users only)
    • My Way Speedbar (Outlook, Outlook Express, and IncrediMail)
    • Search Assistant - My Way
  [4] Reboot your Computer into Safe Mode
  [5] Using Windows Explorer (right click on Taskbar> Explore)> open My Computer> Drive C> double-click on the Program Files folder
  [7] Right-click and delete the folders for:
    • FunWebProducts
    • MyWebSearch
  [8] MyWebSearch should now be completely uninstalled from your computer.

I'll have you remove some orphan entries later.

Remove O24 Desktop from HijackThis:

  [1] Click on Start> Control Panel> Display> Desktop tab
  [2] Click on Customize Desktop> Web tab
  [3] Uncheck and delete everything you find in there (except for "My current home page")
  [4] Uncheck "Lock Desktop Items" box if it is checked
  [5] Apply> OK> Close.

Question: Is Spysweeper just the anti-malware program or is it the version including antivirus? IF Yes, you need to remove either Spysweeper or McAfee. IF No, no problem.

But you do have left over Norton entries. Please run the following according to the instructions given:
  • Download the Norton Removal Tool HERE and save to the desktop.
  • Double-click the Norton Removal Tool icon.
  • Follow the on-screen instructions.
  • Your computer may be restarted more than once, and you may be asked to repeat some steps after the computer restarts.

When you have finished the above:
Download SDFix HERE and save it to your Desktop.
  • Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows Directory, typically C:\SDFix)

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Run SDFix
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  • Attach Report.txt back here

Please run an on-line virus scan at Kaspersky OnLine Scan (Please post the results of the scan(s) in your next reply)

Follow with new scan from HJT. Paste the HJT log and attach report from SDFix and Kaspersky.
 
Hey Bobbye,
I ran into a problem right from the beginning steps. I did not see "My Web Search" on my programs list. The only thing I found that I tried to delete was "Web Savings from Ebates".

When I tried to delete it I got an error message that said the following:

"WJ View Error"
"Error: Could not execute Main:
System cannot find the file specified"

Should I continue forward with the next steps after the first 8 you mentioned or is this something I need to take care of first?
 
Go ahead and run SDFix first. If it doesn't delete the entries, I'll have you do it manually. The error is due to the malware.
 
Hey Bobbye,
I did what you asked me to do.
I ran SDFix in SafeMode. After it was done I tried going to Control Panel then Add/Remove Programs and I tried one more time to delete "Web Savings from Ebates". It gave me the same error message.

SDFix found and deleted 2 trojans. I'm attaching a copy of the SDFix Report.

I tried to run the on-line virus scan at Kaspersky OnLine Scan but was unable to. They posted the following message on their site: "The current Kaspersky Online Scanner is unavailable"
 
I should have caught this sooner, but missed it:
"McAfee as well as Webroot Spysweeper with Antivirus"

It is suggested that only one antivirus program be run. You should decide which you want to keep and remove the others for the following reasons:
  • Multiple antivirus programs can cause conflicts that may leave the system more vulnerable.
  • Multiple antivirus programs can also slow down the system.

Since both of the programs are paid programs, I will leave it up to you as to which one to uninstall. Here are tools that will help with the removal:

First, disable this program- it can be temporary if you decide to keep this program, but any Real Time program can affect the scans:
Spy Sweeper Shields
  • Right click on the SpySweeper icon in the system tray.
  • Click on 'Shields'
  • Choose the Windows System tab and uncheck Critical Shields, Memory Shield, and Spy Installation Shield.
  • Exit the program.
  • (Once you are clean, you can re-enable the Shields)

Here are the removal tools: McAfee Removal

Webroot Spysweeper is known to be difficult to uninstall, but try this first: Exit the program first:
Start> All Programs> Spysweeper> double-click on "uninstall spysweeper"
If you can't find that, use Windows Explorer:
Right click on start> Explore> Local Drive> Programs, click on the + sign to expand Spysweeper> double-click on unins000.exe.

If that still doesn't work and you want to remove it, let me know and I will give you the directions for the zipped uninstaller tool.

Spysweeper is also known to clutter up the system with files it has found. If you look in the SDFix log, you will see dozens of tmp files just for 10/16.

Here is another good online scanner:
Run Eset NOD32 Online AntiVirus Scanner HERE

Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Then rescan with HJT. Paste a new log in your next reply.
Attach the Nod32 AV scan results.
 
Additional Post:

You have some very old entries still showing up. Please check what they are for- if you no longer want/need/use them, right click> delete on each file:
Fri 19 Apr 2002 4,348 ...H. --- "C:\Documents and Settings\Jesus\My Documents\My Music\License Backup\drmv1key.bak"
Wed 25 Sep 2002 19,456 ...H. --- "C:\Documents and Settings\Jesus\Application Data\Microsoft\Word\~WRL3195.tmp"
Wed 23 Apr 2003 21,504 ...H. --- "C:\Documents and Settings\Jesus\Application Data\Microsoft\Word\~WRL0041.tmp"
Wed 23 Apr 2003 22,016 ...H. --- "C:\Documents and Settings\Jesus\Application Data\Microsoft\Word\~WRL3719.tmp"
Sat 27 Jul 2002 23,552 ...H. --- "C:\Documents and Settings\Jesus\Application Data\Microsoft\Word\~WRL0004.tmp"
Wed 23 Apr 2003 22,528 ...H. --- "C:\Documents and Settings\Jesus\Application Data\Microsoft\Word\~WRL3172.tmp"
Mon 16 Feb 2004 212,992 A..H. --- "C:\Documents and Settings\Jesus\My Documents\My Music\License Backup\drmv2lic.bak"
Thu 1 Jan 2004 400 ...H. --- "C:\Documents and Settings\Jesus\My Documents\My Music\License Backup\drmv2key.bak"

Any time you have a document open, Word creates a temp copy of it. When you finish your document and close Word, the temp files will disappear. To find the file do this:
Open the search screen> Files and Folders> Tools> Folder Options> view tab> check 'show hidden files and folders'> Apply> OK.

Make sure the search location is the Local (C usually) Drive. Search for each file. Deal with it- finish and close or delete.
Go back and rehide the files and folders.
 
OK, I've deleted all the old entries you mentioned.
I ran Eset NOD32 Online AntiVirus while I disabled McAfee.
I'm including the log that it created.

I shut down Webroot Spy Sweeper so it is no longer running in the computer.
I'm thinking if I have to delete either McAfee or Webroot Spysweeper, I'll delete Webroot.
Webroot Spysweeper was only an anti-malware program. If you wanted virus protection it had to be purchased separately. Webroot just recently, just over a month ago, included virus protection with the program. However I never turned the virus protection on since I have McAfee. The reason I kept Spy Sweeper is because it found and got rid of a lot of spyware that McAfee did not find and afterwards my computer ran better. However McAfee found more viruses than Webroot. Plus it also includes a firewall which Spy Sweeper doesn't. Since I shut down the program to no longer be running, should I still delete it? If so, what will happen with all the spyware that it found and put in its quarantine? I'm including a pic of just a few options that Spy Sweeper had so you can see.
 
jmo, thanks for clarifying the Spysweeper issue. You can keep it as an anti-malware program if you like. There is a part of it that runs in Real Time though, which is best temporarily disabled for the scans when cleaning. If you do decide to remove Spysweeper though, you should go in and delete whatever it has put in quarantine first.

It appears that you might have Smiley Central installed:


This program and other Fun Web programs bring MyWebSearch with them. This is described as Adware:
  • Adware or advertising-supported software is any software package which automatically plays, displays, or downloads advertisements to a computer after the software is installed on it or while the application is being used.
  • Some types of adware are also spyware and can be classified as privacy-invasive software.

To remove My Web Search:

  [1] Click on Start> Settings> Control Panel
  [2] Double click on Add/Remove Programs
  [3] Find "My Web Search" in the list of installed programs and click on Change/Remove to uninstall it. You may also want to uninstall any of the following items associated with FunWebProducts:
    • My Web Search (Smiley Central or FWP product as applicable)
    • My Way Speedbar (Smiley Central or other FWP as applicable)
    • My Way Speedbar (AOL and Yahoo Messengers) (beta users only)
    • My Way Speedbar (Outlook, Outlook Express, and IncrediMail)
    • Search Assistant - My Way
  [4] Reboot your Computer and run HijackThis

With HijackThis, scan for and Check the following if present:
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZSYYYYYYYYUS

Close all Windows except for HJT and click on "Fix Checked".

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

  [5] Using Windows Explorer> open My Computer> Drive C> and double-click on the Program Files folder.
  [6] Right-click and delete the folders for:
    • FunWebProducts
    • MyWebSearch

MyWebSearch should now be uninstalled from your computer.

You also have an entry with the potential for adware and spyware:
O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://64.157.10.150/diallerfiles/013483.exe

This is an Adult Content Dialer- A program that can secretly change your dialup connection setting so that instead of calling your local internet provider, your PC calls are routed to an expensive 0900 or international phone number.

If you were not aware that you had it or want to remove it, disable this way:
Open IE> Tools> Manage Add ons> Look for Dialer> click to highlight> Disable.

When done, run SDFix to remove any remaining entries:

Download SDFix HERE and save it to your Desktop.
  • Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows Directory, typically C:\SDFix)

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Run SDFix
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  • Attach Report.txt back here

Please rescan with HijackThis when finished and paste in new log.
Attach the SDFix report.

Hopefully we are coming to an end of the cleaning. Has there been any improvement in the original problems?
 
Hi Bobbye,
I have seen a HUGE improvement so far. I used to get the "security warning" every time I went into a new page of certain websites like espn, myspace, facebook, other websites as well but most commonly yahoo. Especially yahoo. EVERY TIME I would open my e-mail, deleted a message or went to either a previous or next message I would get that pop up each and every single time. Since your last instructions, for the past 2 days now I don't get them at all when I browse thru my messages or I am in yahoo. When I go to the sites it used to give me problems. That pop up no longer comes up. I went from getting it almost every time to maybe only twice the whole day now. What I do get once or twice now is an "IE Script Error". I've gone to my internet options and made sure the box is unchecked to make sure I don't get those script errors but I still get it. It's not annoying because I get it only initially once or twice but then that's it.

OK, so I've followed your most recent instructions. I'm surprised about that Smiley Central or that dialer that you mentioned because I never installed that. I remember I got an IM that had a smiley central thing and it prompted me to install Smiley Central a long time ago but I never went thru with installing it.

I got rid of the following with HJT: "O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZSYYYYYYYYUS"

I was not able to find the following:
O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://64.157.10.150/diallerfiles/013483.exe

I went to disable it by doing the following:
Open IE> Tools> Manage Add ons> Look for Dialer> click to highlight> Disable.

It was not on my IE, Tools Add Ons. I'm attaching a picture of the add ons that I have so you can see. There was one add on, which is highlighted that I did not know what it was. Since I was not able to disable it can I delete it thru HJT instead?

The one that I'm really stumped on is My Web Search. It's not on my add/remove programs list. I've gone thru my Windows Explorer> open My Computer> Drive C> Program Files folder

I deleted it a long time ago even before I started getting help from you so it's still not showing on my Program Files Folder.

There's no Fun Web Products that I can find in either my programs folder or add/remove programs such as:

My Web Search (Smiley Central or FWP product as applicable)
My Way Speedbar (Smiley Central or other FWP as applicable)
My Way Speedbar (AOL and Yahoo Messengers) (beta users only)
My Way Speedbar (Outlook, Outlook Express, and IncrediMail)
Search Assistant - My Way

I believe you are right and we are almost done with the cleaning process. As I mentioned I've gone from getting those pop ups almost every time I clicked on a page, opened or deleted a new e-mail message to only getting it about twice or so a day.

I'm also attaching the 2 new logs you requested (HJT and SDFix Report).

I am really pleased with the improvements so far. I can't thank you enough. I've learned a lot of troubleshooting tips from you. My sister has been having problems with her laptop as far. The performance has slowed down that I will be applying some of the troubleshooting tips I've learned so far to see if she has malware also.

Let me know if all you need is those 2 new logs you requested or if I forgot something. I'm pasting the HJT report and attaching the SD Fix Report.
 
Good job!

I still see this entry: It bothers me-
O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://64.157.10.150/diallerfiles/013483.exe

The IP 64.157.10.150 is listed for the following providers:

Level 3 Communications, Inc. >> in Colorado
Neucom, Inc. >> Tampa
CandidHosting Inc.
City: Tampa,FL but is actually listed out of Vancouver, BC

If you are using these services, don't worry about it, but if you are not, you need to find out what 013483.exe is.
I'd like you to search your system files and folders for this. First, set to show hidden files and folders:
Tools> Folder options> View tab> Check 'show hidden files and folders'> Apply> OK

Then search the C drive for 013483.exe. DO NOT left click on the file if found. Do a RIGHT click> Delete.

Go back and rehide the files and folders.

Other than that, If you have no other problems and if the original problem has been resolved, we can clean up:
Remove all of the tools we used and the files and folders they created
  • Download OTCleanIt by OldTimer
  • Save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes.


You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
  • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
  • Click "OK" to select the partition or drive you desire.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one. More details and screenshots for Disk Cleanup in Windows Vista can be found here.

You need to go into Spysweeper and delete what it has quarantined. When that is through, run the following:
TFC (Temp File Cleaner)
Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean

TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

Empty the Recycle Bin

Consider these programs for Extra Security
  • Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
  • IE/Spyad: This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts files: This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
  • Google Toolbar: Get the free google toolbar to help stop pop up windows.

If I can be of further assistance, please let me know. Help and support is only given in the forums but you can send a PM to me and bring my attention back to the thread.
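
The O8 and O16 entries singled out in this thread can be picked out of a HijackThis log mechanically. The following Python script is an added example, not part of any post and not code from HijackThis: it flags O16 DPF entries whose codebase is a bare IP address or a raw .exe, and any entry whose host is on a watchlist. The function names, the watchlist, the two heuristics and the sample log are assumptions made for illustration; only the two flagged log lines are quoted from the thread.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Analyst-supplied watchlist (assumption); mywebsearch.com is the adware
# domain named in the thread.
WATCHLIST = ("mywebsearch.com",)

# "O<n> - <description> - <target>". The greedy middle group splits at the
# LAST " - ", so a description that itself contains " - " stays intact.
ENTRY_RE = re.compile(r"^(O\d{1,2}) - (.+) - (\S.*)$")

# Constructed sample log. The mywebsearch O8 line and the dialer O16 line are
# quoted from the thread (the O8 URL is truncated there); the rest is made up.
SAMPLE_LOG = r"""Logfile of HijackThis
Running processes:
C:\WINDOWS\System32\svchost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZSYYYYYYYYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {11111111-2222-3333-4444-555555555555} (Example Viewer) - https://download.example.com/controls/viewer.cab
O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://64.157.10.150/diallerfiles/013483.exe
"""


def host_and_path(target):
    """Return (lower-cased host, path) of a URL-like target; ('', '') if unparsable."""
    try:
        parts = urlsplit(target)
        return (parts.hostname or "", parts.path)
    except ValueError:
        return ("", "")


def is_ip_literal(host):
    """True when the host is an IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def on_watchlist(host):
    """Match the domain itself or any subdomain, but not look-alike suffixes."""
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)


def triage(log_text):
    """Return [(section, target, [reasons])] for entries worth a manual look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, process list, or an entry without a target
        section, desc, target = m.groups()
        host, path = host_and_path(target)
        reasons = []
        if on_watchlist(host):
            reasons.append("host is on the watchlist")
        # O16 DPF = ActiveX controls and the URL they were downloaded from.
        if section == "O16" and desc.startswith("DPF:"):
            if is_ip_literal(host):
                reasons.append("codebase host is a bare IP address")
            if path.lower().endswith(".exe"):
                reasons.append("codebase is a raw .exe")
        if reasons:
            findings.append((section, target, reasons))
    return findings


if __name__ == "__main__":
    for section, target, reasons in triage(SAMPLE_LOG):
        print(f"{section}: {target}\n    " + "; ".join(reasons))
```

A flagged entry is a prompt for manual review of the kind done in the thread, not proof of infection; an unflagged log is not proof of a clean system.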
 