Pop ups galore

By jaycee
Dec 5, 2006
Topic Status:
Not open for further replies.
  1. Hi

    I appear to be having problems with pop-ups in my Explorer window. Over the past few days I have been inundated with various poker ads, Woolworths ads, etc.

    I have undertaken the instructions in this forum to the letter (used to be trojan and pakes thread) to find and destroy spyware and malware.

    AVG anti virus and AVG anti spyware are coming back clean.

    I have attached HJT log.

    Could you please please look at these for me?

    Thank you

    Jaycee.
  2. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.


    Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.


    Regards Howard :wave: :wave:


    This thread is for the use of jaycee only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  3. jaycee

    jaycee Newcomer, in training Topic Starter Posts: 23

    Hi Howard,

    Thanks for your reply - the log I attached on my first post was after I had followed the Viruses/Malware/Spyware preliminary removal thread. I just couldn't remember the name of the thread when I posted initially :D hence I kind of went a roundabout way of trying to get it across... sorry.

    Regards Jaycee

    PS: The AVG log I am having trouble figuring out how to save to file so that I can attach it, but it says my computer is safe - nothing found.
  4. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    Ok, no problem, I still need to see an AVG Antispyware log.

    Regards Howard :)

    Edit: Just seen your last post. Ignore the AVG Antispyware log then. I'll look at your HJT log and get back to you.
  5. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore.(XP/ME only) See how HERE.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Messenger

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    Great Bind.exe
    namemeal.exe

    Close task manager.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    O4 - HKLM\..\Run: [camp 32 deaf math] C:\Documents and Settings\All Users\Application Data\Pureownscamp32\Great Bind.exe

    O4 - HKCU\..\Run: [Tool Bolt] C:\DOCUME~1\JILLCA~2\APPLIC~1\INTERN~1\namemeal.exe

    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories(if there).

    C:\DOCUME~1\JILLCA~2\APPLIC~1\INTERN~1\namemeal.exe
    C:\Documents and Settings\All Users\Application Data\Pureownscamp32\Great Bind.exe

    Reboot into normal mode, turn system restore back on and rehide your protected OS files.

    Post a fresh HJT log and let me know how your system is running.

    Regards Howard :)

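Added example, not part of the original thread: a small triage script for the HijackThis `O4` autorun lines quoted in the post above. It flags Run-key entries whose executable sits under a profile data directory (Application Data, Local Settings, Temp), including the 8.3 short-name forms seen in this log. The function names and the third sample line are constructed for illustration.

```python
import re

# HijackThis Run-key autorun line: "O4 - HKLM\..\Run: [value name] command".
# Other O4 forms (e.g. Startup folder shortcuts) are not handled here.
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] (.+)$")

# Executable part of the command: a quoted path, or an unquoted path (which
# may contain spaces) up to the first executable extension.
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)', re.I)

# Directory names that mark profile data locations, in long form and as
# 8.3 short names (the digit after "~" varies from machine to machine).
DATA_DIR_RE = re.compile(
    r"^(application data|applic~\d+|local settings|locals~\d+|temp)$", re.I)


def parse_o4(line):
    """Return hive, key, value name and executable path, or None if not O4/Run."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, key, name, command = m.groups()
    exe = EXE_RE.match(command)
    path = (exe.group(1) or exe.group(2)) if exe else command
    return {"hive": hive, "key": key, "name": name, "path": path}


def in_data_dir(path):
    """True if any directory component of the path is a profile data directory."""
    parts = path.replace("/", "\\").split("\\")
    return any(DATA_DIR_RE.match(p) for p in parts[:-1])


def triage(log_text):
    """Collect Run-key entries that start a program from a data directory."""
    entries = (parse_o4(line) for line in log_text.splitlines())
    return [e for e in entries if e and in_data_dir(e["path"])]


# First two lines are from the thread; the third is a constructed benign entry.
SAMPLE = r"""
O4 - HKLM\..\Run: [camp 32 deaf math] C:\Documents and Settings\All Users\Application Data\Pureownscamp32\Great Bind.exe
O4 - HKCU\..\Run: [Tool Bolt] C:\DOCUME~1\JILLCA~2\APPLIC~1\INTERN~1\namemeal.exe
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" /min
"""

if __name__ == "__main__":
    for e in triage(SAMPLE):
        print(f'{e["hive"]}\\{e["key"]} [{e["name"]}] -> {e["path"]}')
```

A hit is a reason to look closer, not proof of infection: some legitimate software also starts from Application Data.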
  6. jaycee

    jaycee Newcomer, in training Topic Starter Posts: 23

    ta dah?!!

    Thank you, thank you, thank you!

    Messenger was already disabled so I left it alone, none of the identified file extensions were running in processes, but I deleted the files in HJT and file paths using killbox? And I am further pleased with myself since this morning I sat staring at two of those baddies in the HJT wondering if they were my offenders! haha! They can run but they can't hide! :bounce:

    All seems to be going fine, had a quick surf for a few minutes and I was unhindered. So I think you did it! AGAIN!

    HAIL HOWARD!! :grinthumb

    Forever in your debt!

    Jaycee

    HJT attached in case those eagle eyes of yours spot another nasty I have overlooked.
  7. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    Well done, your HJT log is clean.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

  8. jaycee

    jaycee Newcomer, in training Topic Starter Posts: 23

    I don't know whether to laugh or cry!

    I logged out of here and shut down, I started up my computer and within minutes AVG found a trojan!!! Detailed as follows:

    filename 845734.exe
    path C:\DOCUME~1\JILLCA~2\LOCALS~1\TEMP\

    I will attach hjt log 4! Do I need to go through the preliminary steps again? and why am I so vulnerable to these nasties?

    Thanks Howard

    HJT LOG4 attached

    Aaargh!
  9. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    Your HJT log is still clean.

    Do the following.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore.(XP/ME only) See how HERE.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Run a full virus scan and delete whatever is found, this includes anything in the virus vault.

    Reboot into normal mode, turn system restore back on and rehide your protected OS files.

    Run another full scan and see if anything is found.

    If it is, please give me the full filepath to the trojan etc.

    Regards Howard :)

  10. jaycee

    jaycee Newcomer, in training Topic Starter Posts: 23

    Hi Howard

    Ran the AVG and it appeared to disappear, but I am finding that it reappears every 20 mins or so!

    The actual FILENAME changes each time it appears but the file paths are consistently the same. We have the following file paths:

    C:\Documents and Settings\Jill Cartlidge\Local Settings\Temp\1ec51d.exe
    C:\Documents and Settings\Jill Cartlidge\Local Settings\Temporary Internet Files\Content.IE5\8VUVYFGJ\upAYB[1].int (this file path is a new one, the one listed in my last post was consistently arising but now appears to have gone).


    In desperation I have attempted to zap the file paths in Kill Box also but the file simply showed up in Kill Box in the AVG test! The AVG appears to have deleted this.

    HELP!

    It is such a good job you exist!!!

    Thanks Jaycee
  11. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    When Killbox deletes a file it makes a backup, just in case you ever need the file again. That's probably what AVG is detecting. Delete the Killbox backups and see if that helps.

    Please let me know the results and any filepaths that AVG continues to find.

    Regards Howard :)

  12. jaycee

    jaycee Newcomer, in training Topic Starter Posts: 23

    I deleted the backup file as I accidentally stumbled across it. The file paths are as below with different filenames. I have just noticed that they hit my system every hour on the hour! I will go and write all of the paths down to put onto here for you.

    thanks

    Jaycee
  13. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    Unfortunately, you seem to have forgotten to post the filepaths.

    Regards Howard :)

     
  14. jaycee

    jaycee Newcomer, in training Topic Starter Posts: 23

    Hi Howard Sorry! not enough sleep! I was up half the night trying to sort the computer!

    The filepaths being thrown up on the hour are all as follows;

    C:\DOCUME~1\JILLCA~2\LOCALS~1\TEMP\
    with different filenames each time;

    21d2ea.exe
    68b319.exe
    C56fdf.exe
    10c7c89.exe

    It is being identified as Swizzor.8.BK trojan horse

    Hope this means something to you at least!

    Regards

    Jaycee
  15. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Turn off system restore.(XP/ME only) See how HERE.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Open the extracted SDFix folder and double click RunThis.bat to start the script.

    Type Y to begin the cleanup process. It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    Press any Key and it will restart the PC.

    When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.

    Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt

    Attach the Report.txt as well as a fresh HJT log.

    Regards Howard :)

  16. jaycee

    jaycee Newcomer, in training Topic Starter Posts: 23

    Hi howard the reports are attached. It appears to have done the trick since no more hourly AVG warnings have occurred!

    Thank you so much

    Jaycee
  17. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    Your HJT log is clean.

    Hopefully, that's an end to your problem.

    If you have any further virus/spyware problems, please post in this thread.

    Give it a few days and then delete the Sdfix backups, located in C:\SDFix\backups\backups.zip.

    Regards Howard :)

  18. jaycee

    jaycee Newcomer, in training Topic Starter Posts: 23

    :giddy: thanks you are a star!!
  19. jaycee

    jaycee Newcomer, in training Topic Starter Posts: 23

    It's back!!!

    Can you believe the trojan has shown its ugly self yet again!! Same file path as those above (C:\DOCUME~1\JILLCA~2\LOCALS~1\TEMP\).

    Ran sdfix yet again
    and enclosed report and hjt log

    Sorry to be a pain!

    Thank you

    Jaycee
  20. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    Damn, I thought we'd got it. You're not being a pain at all, so don't worry.

    Download and run this TOOL. Make sure you follow all the instructions on the page.

    Let me know the results please.

    Regards Howard :)

  21. jaycee

    jaycee Newcomer, in training Topic Starter Posts: 23

    Hi Howard

    Got there in the end, my virus vault is filling each time I log on! I am getting several backup files of this virus downloading regularly (hourly) using the same paths!


    rdrivem, and AVGAS came back clean! :confused:

    Do I need to wipe the disk?

    And if so am I okay backing up music, photos and word files?

    Regards

    Jaycee
  22. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    Before you consider doing a format, I'd like you to try a couple of things if you don't mind.

    Go to add remove programmes in your control panel and uninstall anything to do with(if there).

    Zone Media
    Netpumper
    Messenger Plus

    Don't worry if none of the above are there.

    Close control panel.

    Click start run and type notepad into the runbox and press the enter key.

    Copy and paste the following into notepad and save it as look.bat

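    rem Start from a clean report file on the system drive
    if exist "%systemdrive%\look.txt" del "%systemdrive%\look.txt"
    rem List the current user's Application Data folder (dir /x also shows 8.3 short names)
    cd /d "%appdata%"
    dir /x >> "%systemdrive%\look.txt"
    rem List the All Users Application Data folder
    cd /d "%allusersprofile%\Application Data"
    dir /x >> "%systemdrive%\look.txt"
    rem List hidden files in the scheduled tasks folder
    dir "%Windir%\tasks" /a:h >> "%systemdrive%\look.txt"
    start notepad "%systemdrive%\look.txt"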


    Double-click look.bat and post the content of the txtfile you get in your next reply.

    Regards Howard :)

  23. jaycee

    jaycee Newcomer, in training Topic Starter Posts: 23

    Logfile attached, thanks Howard. Didn't we delete pureownscamp32? I may have it wrong but I thought we had.

    Only MSN Plus uninstalled no others present.

    Thanks Jaycee
  24. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    I don't think we did delete the pureownscamp32, but we're sure as hell going to delete it now.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore.(XP/ME only) See how HERE.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Locate and delete the following bold files and/or directories(if there).

    C:\Documents and Settings\All Users\Application Data\Pureownscamp32

    C:\WINDOWS\tasks\8126309E8369A426.job

    Reboot into normal mode, turn system restore back on and rehide your protected OS files.

    Download deljob.bat and save it on your desktop.
    Double-click deljob.bat
    Copy and paste the contents of the log it creates (logit.txt, present on your desktop) in your next reply.

    Clean your Cache and Cookies in IE:

    Close all instances of Outlook Express and Internet Explorer
    Go to Control Panel > Internet Options > General tab
    Click the "Delete Cookies" button
    Next to it, Click the "Delete Files" button
    When prompted, place a check in: "Delete all offline content", click OK

    Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):

    Go to Tools > Options.
    Click Privacy in the menu.
    Click the Clear now button below. A new window will pop up asking what to clear.
    Select all and click the Clear button again.
    Click OK to close the Options window

    Clean other Temporary files + Recycle bin

    Go to start > run and type: cleanmgr and click ok.
    Let it scan your system for files to remove.
    Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
    Press OK to remove them.

    Let me know how your system is running.


    Regards Howard :)

  25. jaycee

    jaycee Newcomer, in training Topic Starter Posts: 23

    Thanks Howard

    Will get on with that and get back to you tomorrow - have to sleep tonight or else the teachers at my daughter's school will be talking when I drop her off!

    We did delete the pureownscamp32 - first HJT log showed it - millenniums ago now... it is now showing as an empty folder but I will delete the folder anyway. I just knew you hadn't overlooked it!

    Night

    jaycee