TechSpot

Malware popups keep reinstalling after removal

By jcmussel
Nov 22, 2007
  1. Hi, folks,

    I am getting new windows opening up pages such as searchfeed.com, hornymatches.com, sethtrend.com, and buzznet.com, among others. I have tried various spyware removal programs including Ad-Aware, Spybot, AVG Anti-Spyware as well as fixit programs such as ComboFix and VundoFix, and they periodically pick up malware and I remove it. However, when I shut down the computer and restart then log onto the Internet, within a few pages opened, the problem starts all over again as the malware is reinstalled into my temporary folders and cookies.

    Can anyone help? I am truly at a loss.

    ps. Happy Thanksgiving to all the U.S. folks. Hope the turkey was good.

    My Hijackthis file is attached.
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    You're running an outdated version of HJT and it needs to be renamed. See HERE.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as Attachments into this thread, only after doing the above.

    Also, let me know the results of the Panda Antirootkit scan.

    Regards Howard :wave: :wave:

    This thread is for the use of jcmussel only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. jcmussel

    jcmussel TS Rookie Topic Starter

    round 1

    Hello, Howard,

    I take it you've done this before? Thanks in advance for your assistance.

    Panda-Anti-Rootkit results: No rootkits have been found.

    I have also run CCleaner multiple times, and AVG Anti-Spyware which came up with only one cookie which was deleted.

    Combofix and Hijackthis logs are attached.

    jcmussel
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Yes, I've done this once or twice before lol.

    Open notepad and copy/paste the text in the code box below into it:
    NOTE* make sure to only highlight and copy what is inside the quote box, nothing outside of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Code:

    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

    [IMG]

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

    Please open notepad and copy and paste next bold in it:
    (don't forget to copy and paste REGEDIT4)


    Save this as "fix.reg". Choose to save as *all files and place it on your desktop.

    Double-click on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

    Regards Howard :)

     
  5. jcmussel

    jcmussel TS Rookie Topic Starter

    round 2

    Hi, Howard,

    Yeah, just a "once or twice". 26,000 posts- you've been busy! Do you do this full time as your occupation? If not, you should. I'm a field zoologist (freshwater mussels if it wasn't obvious).

    I did what you asked (somewhat blindly- feeling a bit like a lemming! Hope there are no cliffs nearby). Attached are my ComboFix and Hijackthis logs.

    jcmussel
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is clean.

    However, we still need to solve one or two problems in your Combofix log.

    Please open notepad and copy and paste next bold in it:
    (don't forget to copy and paste REGEDIT4)

    Save this as "fix.reg". Choose to save as *all files and place it on your desktop.

    Double-click on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

    Please post a fresh Combofix log.

    Regards Howard :)

     
  7. jcmussel

    jcmussel TS Rookie Topic Starter

    round 3

    Hi, Howard,

    ... a bit sleepy. Got up in the middle of the night (it's 3 am across the pond here) for some water and found your post.

    My Combofix log is attached. Can it be we are almost done???

    jcmussel
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Yes, we're done mate.

    Click start/run and type combofix /u into the run box and hit the enter key. That should delete Combofix and all its folders etc.

    Turn off system restore (XP/ME only). See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
  9. jcmussel

    jcmussel TS Rookie Topic Starter

    round 4

    Thanks so much, Howard,

    Quickly, before you leave me to fend for myself (SCARY), I downloaded quite a few programs in the course of trying to fix this problem plus I had some already. Can you tell me which I should remove outright, which to keep permanently, and which I should reinstall only if I have problems some time in the future? The reason I ask is that (1) some may be competing, (2) some may only be necessary to reinstall only if I have problems in the future, (3) some may not have a "check for updates" feature and become quickly out of date. I assume I should reactivate Teatimer in Spybot, turn Ad-Watch back on, and reactivate the Resident Shield in AVG Anti-Spyware?

    Programs:
    PAVARK
    Ad-Aware 2007
    Spybot Search and Destroy
    AVG Anti-Spyware
    CCleaner
    Hijackthis
    Look2Me-Destroyer
    SDFix
    VundoFix
    ATF-Cleaner

    Also, on shutdown, I get a hasty error message: regsvr32 [This is located in my windows/system32 folder on the C drive] The application failed to initialize because the windows station is shutting down.

    Thanks once again for all your assistance. Does TechSpot provide a means to offer positive feedback on your assistance? If so, just let me know and the glowing recommendations will rain down....

    jcmussel
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I suggest you uninstall all the tools/programmes we used during clean up, except for SS&D, Ad-Aware and Ccleaner.

    Can you give me the exact error message you're receiving?

    Regards Howard :)

     
  11. jcmussel

    jcmussel TS Rookie Topic Starter

    round 5

    Thanks,

    The error message at shutdown reads: [note: top line is header for error box, bottom line is actual error message]


    RegSVR32.exe - DLL initialization failed
    The application failed to initialize because the windows station is shutting down.

    I noted in other tech help forums that it may have to do with my Orb installation (http://forums.whatthetech.com/RegSVR32_exe_DLL_initialization_failed_t85121.html). Have you heard of this?

    Also, I assume I should reactivate Teatimer in Spybot, turn Ad-Watch back on, and reactivate the Resident Shield in AVG Anti-Spyware?

    jcmussel
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I actually suggest you uninstall AVG Antispyware to prevent resource drain.

    By all means re-activate SS&D Teatimer and ADwatch.

    I suggest uninstalling and reinstalling the Orb software and see if that helps and let me know.

    Regards Howard :)

     
  13. jcmussel

    jcmussel TS Rookie Topic Starter

    round 6

    Yeah,

    That did the trick. Uninstalled then reinstalled Orb.

    So, I'll uninstall ComboFix, Hijackthis, and AVG Anti-Spyware (you sure about this last one? It's always popping up messages to tell me how many "potential" spyware it is constantly blocking for me).

    I also have SDFix and VundoFix. VundoFix has been helpful in the past. SDFix was a desperation install before I contacted you. I also have Look2Me-Destroyer. I assume this is just one of Spybot's competitors. I used it once without much luck.

    How about my old results log files from these programs? I am inclined to trash these, too.

    jcmussel
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    It's up to you mate. If you want to keep AVG Antispyware, then by all means do so. Vundofix can be kept if you feel the need.

    Yes, you can get rid of the old log files, we don't need them.

    Regards Howard :)

     
Topic Status:
Not open for further replies.
