Continual Popups in IE - help please

[Chris Homewood]

Thanks in advance.
Problem:
Continual Popups in Internet Explorer. Have installed Firefox now and the popups continue in the background in Internet Explorer while Firefox still runs in the foreground.
Have followed your links and performed most of the tasks you mention. Had some problems with a few of the exe files you suggested running. Here is a brief account of the findings. I have also attached the HijackThis file (latest version).
Ran TrendMicro, Kaspersky and Ewido with no errors.
Followed your "websearch-removal.txt" procedures:
Rebooted in Safe Mode
"show all files and folders" - done
SmitFraudfix - nothing found
Look2me - wouldn't reload after prompt so left it
AboutBuster - nothing found (although I got a run time error)
CWShredder - nothing found
Vundofix - nothing found
Adaware - got a runtime 9.0 service Pack 1 error - tried Windows update as it suggested, but nothing happened
Spybot - nothing found
Rebooted again in Safe Mode and ran HijackThis
Saved the file and attached h/w
I didn't do any more because I didn't want to make any errors. Your suggestions looked quite involved and I was scared what damage I could do. Hope that's ok.
Again, thanks for looking and I await your advice.
Chris

 

[Chris Homewood]

I'm not sure what to do now. My thread seems to be just hanging around. Do I need to do something else?
All the best
Chris

 

[Chris Homewood]

It's been a little while now. Doesn't look like my thread is going anywhere. I'll look elsewhere to try to fix my problem.
Chris

 

[kritius]

Very sorry that your thread was overlooked.

If you want to post a fresh HJT log from normal mode then I'll take a look.

 

[Chris Homewood]

OK Thanks. I take it Normal Mode is not Safe Mode?
Hold on and I'll do it now.
Chris

 

[kritius]

Yes,

Normal mode is not safe mode.

 

[Chris Homewood]

OK - here's the hijackthis file. Normal mode. Had problems initially, but had to "run as Administrator" for it to work.
Thanks
Chris

 

[kritius]

Please Download NoLop to your desktop from the links below...
Link 2

• First close any other programs you have running as this will require a reboot
• Double click NoLop.exe to run it
• Now click the button labelled "Search and Destroy"
  <<your computer will now be scanned for infected files>>
• When scanning is finished you will be prompted to reboot only if infected, Click OK
• Now click the "REBOOT" Button.
• A Message should popup from NoLop. If not, double click the program again and it will finish Please attach the C:\NoLop.log

Fix entries using HiJackThis

• Launch HiJackThis
• Click the Do a system scan only button
• Put a check next to the entries listed below

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKCU\..\Run: [AxisIso] "C:\ProgramData\readmeinternetinternet.sht1a7"
O4 - HKCU\..\Run: [1 mags 16 more] "C:\ProgramData\File Itch Support.7bymf"
O9 - Extra button: eBay.co.uk - Buy It Sell It Love It - {76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/710-44557-9400-3/4 (file missing)
O9 - Extra button: Amazon.co.uk - {8A918C1D-E123-4E36-B562-5C1519E434CE} - [ame]http://www.amazon.co.uk/exec/obidos/redirect-home?tag=Toshibaukbholink-21&site=h[/ame] ome (file missing)

• IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
• Click the Fix checked button and close HiJackThis
• Reboot HijackThis if necessary

Delete the follwing files and folders if still present,

C:\ProgramData\File Itch Support.7bymf
C:\ProgramData\readmeinternetinternet.sht1a7

Download and Run ComboFix

• Download this file to your desktop from either of the two below listed places, and rename it Homewood.exe
  
  
  
  HERE or HERE
  
  
  
• Then double click Homewood.exe & follow the prompts.
  
• When finished, it shall produce a log for you. Attach that log in your next reply
  

WARNING: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Post a fresh HijackThis log as well.

 

[Chris Homewood]

Thanks. Great. I'll get on it straight away.
Cheers
Chris

 

[Chris Homewood]

OK.
Normal Mode.
NoLop didn't find anything. Didn't produce log file. Didn't prompt for REBOOT.

Checked and Fixed the 5 entries suggested inside HijackThis.

Couldn't find the 2 files in C:\Program Data (couldn't even find the folder?).

Changed ComboFix to Homewood and ran it as Administrator. Gave a prompt about my CA security. I disabled the Virus and Firewall temporarily.
I attach the log file for ComboFix and a new HijackThis log.

I noticed that the "09-Extrabutton:ebay.co.uk" entry has re-appeared in it. I definitely fixed it previously.

Thanks for your time on this.
Chris

 

[kritius]

P2P Warning!

• IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.
  
  uTorrent
  
  Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur
  Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation
  
  I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.
  
  References for the risk of these programs can be found in these links: http://www.microsoft.com/windows/ie/community/columns/protection.mspx
  http://www.techweb.com/wire/160500554
  http://www.internetworldstats.com/articles/art053.htm
  See Clean/Infected P2P Programs here
  
  I would recommend that you uninstall uTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.
  
  If you wish to keep it, please do not use it until your computer is cleaned.

Not too worried about the O9, it was just not needed, this section corresponds to having buttons on main Internet Explorer toolbar or items in the Internet Explorer 'Tools' menu that are not part of the default installation.

If you do not need these buttons or menu items you can remove them safely.

When you fix these types of entries, HijackThis not delete the offending file listed. It is recommended that you reboot into safe mode and delete the offending file.

How is the computer running now?

I would like you to do an online scan so that we can what else may be in your system,
Run Kaspersky online scanner
With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans to speed up scan time and to make sure there are no conflicts.
Do not go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.

Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky, Click Yes.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the licence accepted, reset to 100%.

• The program will launch and then start to download the latest definition files.
• Once the scanner is installed and the definitions downloaded, click Next.
• Now click on Scan Settings
• In the scan settings make sure that the following are selected:
  o Scan using the following Anti-Virus database:
  o Extended (If available, otherwise use standard)
  o Scan Options:
  o Scan Archives
  o Scan Mail Bases
• Click OK
• Under select a target to scan, select My Computer
• The scan will take a while so be patient and let it run.
• Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
• Click the Save Report As... button (see red arrow below)
  
  
  
  
  
• In the Save as... prompt, select Desktop
• In the File name box, name the file
• In the Save as type prompt, select Text file (see below)
  
  
  
  
  
• Include the report in your next post.

 

[Chris Homewood]

OK. Utorrent deleted.
No popups yet (fingers crossed).
Will do the Kaspersky online scan and report back.

Thanks again
Chris

 

[kritius]

No problem.

Kaspersky takes a while so just be patient and let it do it's thing. It won't remove anything, just let me know where it is.

 

[Chris Homewood]

Here's the Kaspersky file.
It found something ... sorry ... I'll never use uTorrent again
Please let me know what to do.
I never cleaned the file, just saved the log.
Still no popups. It's been on for a few hours now and nothing's popped up.
Thanks
Chris

 

[kritius]

OTMoveit3 by OldTimer
Please download the OTMoveIt3 by OldTimer.

• Save it to your desktop.
• Please double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  :Processes
  explorer.exe
  
  :Files
  C:\Users\Homewood\Downloads\Winzip 12.0 incl key
  
  :Commands
  [purity]
  [emptytemp]
  [start explorer]
  [Reboot]

• Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
• Click the red Moveit! button.
• A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
• Close OTMoveIt3

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Post a fresh HijackThis log as well.

Nearly there.

 

[Chris Homewood]

I'm straight on it. Thanks

 

[Chris Homewood]

All done.
Moveit Log and HijackThis attached.
Still no popups.
Thanks
Chris

 

[Chris Homewood]

Sorry -I'll cut and paste the Move it file in a minute.
Chris

 

[Chris Homewood]

Move it file cut and pasted below:
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
C:\Users\Homewood\Downloads\Winzip 12.0 incl key moved successfully.
========== COMMANDS ==========
File delete failed. C:\Users\Homewood\AppData\Local\Temp\etilqs_DarTNgmgEvnV3G7jZVCL scheduled to be deleted on reboot.
File delete failed. C:\Users\Homewood\AppData\Local\Temp\~DF1470.tmp scheduled to be deleted on reboot.
File delete failed. C:\Users\Homewood\AppData\Local\Temp\~DF1AF3.tmp scheduled to be deleted on reboot.
File delete failed. C:\Users\Homewood\AppData\Local\Temp\~DF397E.tmp scheduled to be deleted on reboot.
File delete failed. C:\Users\Homewood\AppData\Local\Temp\~DFC483.tmp scheduled to be deleted on reboot.
File delete failed. C:\Users\Homewood\AppData\Local\Temp\~DFCFBF.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
File delete failed. C:\Users\Homewood\AppData\Local\Mozilla\Firefox\Profiles\qzekzfd0.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Users\Homewood\AppData\Local\Mozilla\Firefox\Profiles\qzekzfd0.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Users\Homewood\AppData\Local\Mozilla\Firefox\Profiles\qzekzfd0.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Users\Homewood\AppData\Local\Mozilla\Firefox\Profiles\qzekzfd0.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Users\Homewood\AppData\Local\Mozilla\Firefox\Profiles\qzekzfd0.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Users\Homewood\AppData\Local\Mozilla\Firefox\Profiles\qzekzfd0.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.9.0 log created on 03172009_172908

Files moved on Reboot...
File C:\Users\Homewood\AppData\Local\Temp\etilqs_DarTNgmgEvnV3G7jZVCL not found!
C:\Users\Homewood\AppData\Local\Temp\~DF1470.tmp moved successfully.
C:\Users\Homewood\AppData\Local\Temp\~DF1AF3.tmp moved successfully.
C:\Users\Homewood\AppData\Local\Temp\~DF397E.tmp moved successfully.
C:\Users\Homewood\AppData\Local\Temp\~DFC483.tmp moved successfully.
C:\Users\Homewood\AppData\Local\Temp\~DFCFBF.tmp moved successfully.
C:\Users\Homewood\AppData\Local\Mozilla\Firefox\Profiles\qzekzfd0.default\Cache\_CACHE_001_ moved successfully.
C:\Users\Homewood\AppData\Local\Mozilla\Firefox\Profiles\qzekzfd0.default\Cache\_CACHE_002_ moved successfully.
C:\Users\Homewood\AppData\Local\Mozilla\Firefox\Profiles\qzekzfd0.default\Cache\_CACHE_003_ moved successfully.
C:\Users\Homewood\AppData\Local\Mozilla\Firefox\Profiles\qzekzfd0.default\Cache\_CACHE_MAP_ moved successfully.
C:\Users\Homewood\AppData\Local\Mozilla\Firefox\Profiles\qzekzfd0.default\urlclassifier3.sqlite moved successfully.
C:\Users\Homewood\AppData\Local\Mozilla\Firefox\Profiles\qzekzfd0.default\XUL.mfl moved successfully.

Thanks
Chris

 

[kritius]

Looks good to me, still clear of problems?

Please download the OTMoveIt2 by OldTimer.

• Double-click OTMoveIt3.exe.
  
• Click the CleanUp! button.
  
• Select Yes when the "Begin cleanup Process?" prompt appears.
  
• If you are prompted to Reboot during the cleanup, select Yes.
  
• The tool will delete itself once it finishes, if not delete it by yourself.
  

Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt2 attempting to contact the internet, please allow it to do so.

• Disable and Enable System Restore. - If you are using Windows XP or Vista then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
  
  
  
  You can find instructions on how to enable and re-enable system restore here:
  
  
  
  Windows XP System Restore Guide
  
  
  
  or
  
  
  
  Windows Vista System Restore Guide

Re-enable system restore with instructions from tutorial above

• Make your Internet Explorer more secure - This can be done by following these simple instructions:
  
• From within Internet Explorer click on the Tools menu and then click on Options.
  
• Click once on the Security tab
  
• Click once on the Internet icon so it becomes highlighted.
  
• Click once on the Custom Level button.
  
• Change the Download signed ActiveX controls to Prompt
  
• Change the Download unsigned ActiveX controls to Disable
  
• Change the Initialize and script ActiveX controls not marked as safe to Disable
  
• Change the Installation of desktop items to Prompt
  
• Change the Launching programs and files in an IFRAME to Prompt
  
• Change the Navigate sub-frames across different domains to Prompt
  
• When all these settings have been made, click on the OK button
  
• If it prompts you as to whether or not you want to save the settings, press the Yes button.
  
• Next press the Apply button and then the OK to exit the Internet Properties page.

• Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  
  
  
  
  
• Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  
  
  
• Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
  
  
  
  This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here:
  
  
  
  Instructions for Spybot S & D
  
  
  
  
  
• Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
  
  
  
  A tutorial on installing & using this product can be found here:
  
  
  
  Using SpywareBlaster to protect your computer from Spyware and Malware
  
  
  
  
  
• Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
  

Follow this list and your potential for being infected again will reduce dramatically.



Here are some additional utilities that will enhance your safety

• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  
• Comodo BOCLEAN <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
  
• Google Toolbar <= Get the free google toolbar to help stop pop up windows.
  
• Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
  
  Using Winpatrol to protect your computer from malicious software

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!



The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.



Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

 

[Chris Homewood]

Thanks ever so much.
I'm very grateful for your help.
I'll read your last post thoroughly and implement.

P.S. I notice that you're using Ubuntu 8.10. I have an old XP laptop. I might download it and give it a go.

Thanks again.

Chris

 

[kritius]

Thanks ever so much.
I'm very grateful for your help.
I'll read your last post thoroughly and implement.

P.S. I notice that you're using Ubuntu 8.10. I have an old XP laptop. I might download it and give it a go.

Thanks again.

Chris

I would recommend that, you'll love linux. No viruses to speak of. lol.

And you're very welcome. Sorry it took so long to get round to you.

 

[Chris Homewood]

I'm just relieved to be free of those pop-ups. You've given me invaluable advice for nothing.
No-one can argue with that.
... it was free wasn't it? lol

 

[kritius]

All it will cost you is good karmic vibes sent my way.

And that you stick around and maybe offer advise to other people if you can.

 

[oak2112]

You may also find this utility helpful for identifying some files which may be a security risk.
It shows the filenames, directories, and offers a link to patch them.

http://www.secunia.com