Pop ups galore


jaycee

Hi

I appear to be having problems with pop-ups in my Explorer window. Over the past few days I have been inundated with various poker ads, Woolworths ads, etc.

I have undertaken the instructions in this forum to the letter (used to be trojan and pakes thread) to find and destroy spyware and malware.

AVG anti virus and AVG anti spyware is coming back clean.

I have attached HJT log.

Could you please please look at these for me?

Thank you

Jaycee.
 
Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.


Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.


Regards Howard :wave: :wave:


This thread is for the use of jaycee only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Hi Howard,

Thanks for your reply - the log I attached in my first post was after I had followed the Viruses/Malware/Spyware preliminary removal thread. I just couldn't remember the name of the thread when I posted initially :D hence I went a roundabout way of trying to get it across... sorry.

Regards Jaycee

PS: I am having trouble figuring out how to save the AVG log to a file so that I can attach it, but it says my computer is safe - nothing found.
 
Ok, no problem, I still need to see an AVG Antispyware log.

Regards Howard :)

Edit: Just seen your last post. Ignore the AVG Antispyware log then. I'll look at your HJT log and get back to you.

 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore.(XP/ME only) See how HERE.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services (if present) and select Stop if they are running. Set the startup type to Disabled. Click Apply/OK for each service you disable.

Messenger

Close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the Processes tab and end the process for the following (if present).

Great Bind.exe
namemeal.exe

Close task manager.

Run HJT with no other programmes open (except Notepad). Click the Scan button. Have HJT fix the following, by placing a tick in the little box next to each (if present).

O4 - HKLM\..\Run: [camp 32 deaf math] C:\Documents and Settings\All Users\Application Data\Pureownscamp32\Great Bind.exe

O4 - HKCU\..\Run: [Tool Bolt] C:\DOCUME~1\JILLCA~2\APPLIC~1\INTERN~1\namemeal.exe

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab

Click on the fix checked button.

Close HJT.

Locate and delete the following files and/or directories (if present).

C:\DOCUME~1\JILLCA~2\APPLIC~1\INTERN~1\namemeal.exe
C:\Documents and Settings\All Users\Application Data\Pureownscamp32\Great Bind.exe

Reboot into normal mode, turn system restore back on and rehide your protected OS files.

Post a fresh HJT log and let me know how your system is running.

Regards Howard :)

 
ta dah?!!

Thank you, thank you, thank you!

Messenger was already disabled so I left it alone, none of the identified file extensions were running in processes, but I deleted the files in HJT and the file paths using Killbox? And I am further pleased with myself since this morning I sat staring at two of those baddies in the HJT log wondering if they were my offenders! haha! They can run but they can't hide!:bounce:

All seems to be going fine, had a quick surf for a few minutes and I was unhindered. So I think you did it! AGAIN!

HAIL HOWARD!! :grinthumb

Forever in your debt!

Jaycee

HJT attached in case those eagle eyes of yours spot another nasty I have overlooked.
 
Well done, your HJT log is clean.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 
I don't know whether to laugh or cry!

I logged out of here and shut down, I started up my computer and within minutes AVG found a trojan!!! Details as follows:

filename 845734.exe
path C:\DOCUME~1\JILLCA~2\LOCALS~1\TEMP\

I will attach hjt log 4! Do I need to go through the preliminary steps again? and why am I so vulnerable to these nasties?

Thanks Howard

HJT LOG4 attached

Aaargh!
 
Your HJT log is still clean.

Do the following.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore.(XP/ME only) See how HERE.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Run a full virus scan and delete whatever is found, this includes anything in the virus vault.

Reboot into normal mode, turn system restore back on and rehide your protected OS files.

Run another full scan and see if anything is found.

If it is, please give me the full filepath to the trojan etc.

Regards Howard :)

 
Hi Howard

Ran the AVG and it appeared to disappear, but I am finding that it reappears every 20 mins or so!

The actual FILENAME changes each time it appears but the file paths are consistently the same. We have the following file paths:

C:\Documents and Settings\Jill Cartlidge\Local Settings\Temp\1ec51d.exe
C:\Documents and Settings\Jill Cartlidge\Local Settings\Temporary Internet Files\Content.IE5\8VUVYFGJ\upAYB[1].int (this file path is a new one, the one listed in my last post was consistently arising but now appears to have gone).


In desperation I have attempted to zap the file paths in Kill Box also but the file simply showed up in Kill Box in the AVG test! The AVG appears to have deleted this.

HELP!

It is such a good job you exist!!!

Thanks Jaycee
 
When Killbox deletes a file it makes a backup, just in case you ever need the file again. That's probably what AVG is detecting. Delete the Killbox backups and see if that helps.

Please let me know the results and any filepaths that AVG continues to find.

Regards Howard :)

 
I deleted the backup file as I accidentally stumbled across it. The file paths are as below with different filenames. I have just noticed that they hit my system every hour on the hour! I will go and write all of the paths down to put onto here for you.

thanks

Jaycee
 
Unfortunately, you seem to have forgotten to post the filepaths.

Regards Howard :)

 
Hi Howard, sorry! Not enough sleep! I was up half the night trying to sort the computer!

The filepaths being thrown up on the hour are all as follows;

C:\DOCUME~1\JILLCA~2\LOCALS~1\TEMP\
with different filenames each time;

21d2ea.exe
68b319.exe
C56fdf.exe
10c7c89.exe

It is being identified as Swizzor.8.BK trojan horse.

Hope this means something to you at least!

Regards

Jaycee
 
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Turn off system restore.(XP/ME only) See how HERE.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Open the extracted SDFix folder and double click RunThis.bat to start the script.

Type Y to begin the cleanup process. It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.

When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.

Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt

Attach the Report.txt as well as a fresh HJT log.

Regards Howard :)

 
Hi Howard, the reports are attached. It appears to have done the trick since no more hourly AVG warnings have occurred!

Thank you so much

Jaycee
 
Your HJT log is clean.

Hopefully, that's an end to your problem.

If you have any further virus/spyware problems, please post in this thread.

Give it a few days and then delete the Sdfix backups, located in C:\SDFix\backups\backups.zip.

Regards Howard :)

 
It's back!!!

Can you believe the trojan has shown its ugly self yet again!! Same file path as those above (C:\DOCUME~1\JILLCA~2\LOCALS~1\TEMP\).

ran sdfix yet again
and enclosed report and hjt log

Sorry to be a pain!

Thank you

Jaycee
 
Damn, I thought we'd got it. You're not being a pain at all, so don't worry.

Download and run this TOOL. make sure you follow all the instructions on the page.

Let me know the results please.

Regards Howard :)

 
Hi Howard

Got there in the end, my virus vault is filling each time I log on! I am getting several backup files of this virus downloading regularly (hourly) using the same paths!


rdrivem, and AVGAS came back clean! :confused:

Do I need to wipe the disk?

And if so am I okay backing up music, photos and word files?

Regards

Jaycee
 
Before you consider doing a format, I`d like you to try a couple of things if you don`t mind.

Go to add remove programmes in your control panel and uninstall anything to do with(if there).

Zone Media
Netpumper
Messenger Plus

Don`t worry if none of the above are there.

Close control panel.

Click start run and type notepad into the runbox and press the enter key.

Copy and paste the following into notepad and save it as look.bat

@echo off
rem Write listings (with 8.3 short names) of the per-user and all-users
rem Application Data folders, plus hidden Task Scheduler jobs, to look.txt.
if exist %systemdrive%\look.txt del %systemdrive%\look.txt
cd /d "%appdata%"
dir /x >> %systemdrive%\look.txt
cd /d "%allusersprofile%\Application Data"
dir /x >> %systemdrive%\look.txt
dir "%windir%\tasks" /a:h >> %systemdrive%\look.txt
start notepad %systemdrive%\look.txt


Double click look.bat and post the content of the text file you get in your next reply.

Regards Howard :)

 
Logfile attached, thanks Howard. Didn't we delete pureownscamp32? I may have it wrong but I thought we had.

Only MSN Plus uninstalled no others present.

Thanks Jaycee
 
I don't think we did delete the pureownscamp32, but we're sure as hell going to delete it now.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore.(XP/ME only) See how HERE.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Locate and delete the following files and/or directories (if present).

C:\Documents and Settings\All Users\Application Data\Pureownscamp32

C:\WINDOWS\tasks\8126309E8369A426.job

Reboot into normal mode, turn system restore back on and rehide your protected OS files.

Download deljob.bat and save it on your desktop.
Double click deljob.bat
Copy and paste the contents of the log it creates (logit.txt, present on your desktop) in your next reply.

Clean your Cache and Cookies in IE:

Close all instances of Outlook Express and Internet Explorer
Go to Control Panel > Internet Options > General tab
Click the "Delete Cookies" button
Next to it, Click the "Delete Files" button
When prompted, place a check in: "Delete all offline content", click OK

Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):

Go to Tools > Options.
Click Privacy in the menu..
Click the Clear now button below.. A new window will popup what to clear.
Select all and click the Clear button again.
Click OK to close the Options window

Clean other Temporary files + Recycle bin

Go to start > run and type: cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

Let me know how your system is running.


Regards Howard :)

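The two persistence checks Howard ran by hand in this thread, the O4 Run-key entries in the first fix and the hidden Task Scheduler .job file that only the look.bat listing of %windir%\tasks exposed, as an added Python example. This is not HijackThis, SDFix or forum code. The first two O4 lines are the thread's own; the third O4 line and the directory listing are constructed for the demonstration, and the "runs from a user-writable profile directory" heuristic and the "16 hex digit job name" heuristic are this example's own, not rules from any of those tools. The point it illustrates is that a Run-key entry pointing into Application Data or Temp, and a scheduled job with an opaque name, are both worth a look even when the rest of the log is clean, and that the .job check has to be done separately because it is not something the HJT log showed here.

```python
"""Persistence triage for the artefacts in this thread (added example; not
HijackThis, SDFix or forum code).

1. HijackThis O4 (Run key) entries whose command line points into a
   user-writable profile directory (Application Data, Local Settings\\Temp).
2. Task Scheduler .job files, from a `dir %windir%\\tasks /a:h` listing,
   whose names are 16 hex digits rather than a descriptive name.
"""
import re

# Profile locations (long and 8.3 short forms) where a legitimately installed
# auto-start executable rarely lives.  Lower case; compared against a
# lower-cased command line.  Heuristic chosen for this example.
USER_WRITABLE_MARKERS = (
    "\\application data\\", "\\applic~1\\",
    "\\local settings\\temp\\", "\\locals~1\\temp\\",
    "\\local settings\\temporary internet files\\",
)

# One HijackThis O4 line: "O4 - HKLM\..\Run: [value name] command line"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)

# Job names that are exactly 16 hex digits, like the one quoted in the post
# above, tell the user nothing about what the task does.
HEX_JOB_RE = re.compile(r"^[0-9a-f]{16}\.job$", re.IGNORECASE)


def triage_o4(log_text):
    """Return (value name, command line, marker) for each O4 entry whose
    command line points into a user-writable profile directory."""
    hits = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        cmd_lower = m.group("cmd").lower()
        for marker in USER_WRITABLE_MARKERS:
            if marker in cmd_lower:
                hits.append((m.group("name"), m.group("cmd"), marker.strip("\\")))
                break
    return hits


def triage_jobs(dir_listing):
    """Pick out opaque hex-named .job files from a `dir` listing (date, time,
    size, name per line) or from a list of bare file names, one per line."""
    suspicious = []
    for line in dir_listing.splitlines():
        tokens = line.split(None, 3)
        if len(tokens) == 4 and tokens[2].isdigit():   # date time size name
            name = tokens[3].strip()
        elif len(tokens) == 1:                          # bare file name
            name = tokens[0]
        else:                                           # headers, totals, blanks
            continue
        if HEX_JOB_RE.match(name):
            suspicious.append(name)
    return suspicious


# Sample input.  The first two O4 lines are the entries quoted in the first
# fix in this thread; the third is a constructed benign entry for contrast.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [camp 32 deaf math] C:\Documents and Settings\All Users\Application Data\Pureownscamp32\Great Bind.exe
O4 - HKCU\..\Run: [Tool Bolt] C:\DOCUME~1\JILLCA~2\APPLIC~1\INTERN~1\namemeal.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
"""

# Constructed `dir C:\WINDOWS\tasks /a:h` output containing the job name
# quoted in the post above; SA.DAT is the scheduler's own hidden state file.
SAMPLE_TASKS = r"""
 Directory of C:\WINDOWS\tasks

24/03/2007  13:00               328 8126309E8369A426.job
24/03/2007  13:00                 6 SA.DAT
               2 File(s)            334 bytes
"""

if __name__ == "__main__":
    for name, cmd, where in triage_o4(SAMPLE_HJT):
        print(f"O4 [{name}] runs from {where}: {cmd}")
    for job in triage_jobs(SAMPLE_TASKS):
        print(f"opaque scheduled task: {job}")
```

Run stand-alone it reports the two Run entries from the first fix (and not the constructed AVG entry) and the hex-named job. Both functions return their findings rather than only printing them, so the same logic can be pointed at a real HJT log file or a saved look.txt.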
 
Thanks Howard

Will get on with that and get back to you tomorrow - have to sleep tonight or else the teachers at my daughter's school will be talking when I drop her off!

We did delete the pureownscamp32 - first HJT log showed it - millennia ago now.. it is now showing as an empty folder but I will delete the folder anyway. I just knew you hadn't overlooked it!

Night

jaycee
 