Popup hell

Status
Not open for further replies.
Hello all, just followed the 8-step action that you recommend doing. Below should hopefully be the three logs. Any help would be extremely grateful as I'm in pop-up hell. It only seems to happen when switching the PC on at start-up in Internet Explorer. Also, since scanning with the three applications the shift button doesn't work. Anyone got any ideas?
 
Sorry you had to wait two days! Lots of malware around!

Nice job on the logs. One Real Time process needs to be disabled though:
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
Spybot S&D (Teatimer)
1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.
The Java needs to be updated to v7u10: Please do that here: http://java.com/en/download./manual.jsp

Please rerun HijackThis with TeaTimer disabled.

Question: Have you set a blank homepage? I need to know that before I check the new log.

Do you still have the \FISHER PRICE PET SHOP game on your desktop? If so, please do a right click> scan with the AV program. A Trojan was found on:
C:\USERS\JO\DESKTOP\FISHER PRICE PET SHOP......GRAFITTI\31INSTAL\XTRAS\SMKDSHLP.EXE
If they include any of the following, each needs to be scanned separately:
hurricane havoc
dollhouse
la maison des animaux
the king and i thinking adventure
i spy spooky mansion
any game with GRAFITTI
Please attach the new HijackThis log when through.
 
I'd recommend Ad-Aware 2008 (see Downloads section at this site).

Repost with results.

Best,
-- Andy
 
I don't think it's necessary for you to run AdAware. It's not going to come up with anything the other programs didn't. Hopefully you will continue with what we have started.
 
I have removed a number of posts debating which program(s) the thread starter should use.

We will wait for jzeb's thoughts on which suggestion they would prefer to take.

I note that Bobbye has successfully cured all virus/malware issues on individual users' computers, on many threads.
 
Sorry for the slow reply, and thanks for all the advice.
Thanks Bobbye for your help. Disabled TeaTimer and attached is the new HijackThis file. Tried to update Java, couldn't find v7u10 but was confirmed that I am running Java v6u10. All home pages are set to google.co.uk. The Fisher Price folder is still on the desktop and I've scanned the file with both anti-virus programs with no threats detected; I can delete the whole folder if needed. I did a search for grafitti and a load of files were found. Do you want me to scan each file? Thanks for everyone's help.
 
All home pages are set to google.co.uk.
You have the about:blank malware. All of the following processes should be checked for removal. An additional cleaning process may need to be run.
When you open Internet Explorer your browser will be redirected to a page called about:Blank, sp.html, or about:NavigationFailure. If you attempt to change your home page to another site, it will not work and continue opening about:blank.
Please re-open HiJackThis and scan. *Check* the boxes next to all the entries listed below.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
C:\Windows\system32\SearchFilterHost.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Google\Google_BAE\BAE.dll
O4 - Global Startup: Exif Launcher 2.lnk = ?
IF you are not actively using this Remote Assist, the Service should be Disabled. It can be Enabled at any time it is needed.
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe
O4 - HKLM\..\Run: [toolbar_eula_launcher] C:\Program Files\Packard Bell\GOOGLE_EULA\EULALauncher.exe (see additional info about in separate post)
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:
Start> Run> type in 'msconfig' without quotes> Enter> Selective Startup> Startup tab>> the following processes do NOT need to start at boot. They can be started Manually as needed. If this is agreeable to you, UNCHECK EACH of the following:
Picasa Media Detector
QuickTime
Adobe Reader Speed Launcher
Windows Media Player
RoxWatchTray
iTunesHelper
Apply> OK. (The only processes that NEED to start on boot are the antivirus, firewall, touchpad for laptop and network process if on network.)

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):
Any version of Java EXCEPT v6u10
Google EULA Launcher
Any program you are not using

IF you are not using the Support Soft: Start> Run> services.msc> right click on SupportSoft> Properties> Change Startup type to either Manual or Disabled> Apply> OK.

Reboot into Normal Mode. You will get a nag message that you can close after checking 'don't show this message again'. Stay in Selective Startup.

Leave the game files for now. They were cleaned, but they were a source of infection, so if you do future downloads, I advise: Save download to desktop> right click> scan with AV before installing.

Run HijackThis again and attach new log.
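As an added example (not code from the thread or from HijackThis), here is a PowerShell script that audits the registry values behind the R0/R1 lines above and reports any that point at about:blank or the other redirect targets named in the post; the -Fix switch, which clears a flagged value so IE falls back to its built-in default, is my own assumption rather than a HijackThis feature.

```powershell
# Added example, not code from the thread. Audits the Internet Explorer search
# values behind the HijackThis R0/R1 lines and reports any that point at
# about:blank (or the other redirect targets the thread names). Report-only by
# default; -Fix (my assumption, not a HijackThis feature) clears a flagged value
# so IE falls back to its built-in default. Run from an elevated PowerShell.
param([switch]$Fix)

$checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main';      Name = 'Search Bar' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main';      Name = 'Search Page' },
    @{ Path = 'HKLM:\Software\Microsoft\Internet Explorer\Search';    Name = 'SearchAssistant' },
    @{ Path = 'HKLM:\Software\Microsoft\Internet Explorer\Search';    Name = 'CustomizeSearch' },
    # '(default)' is how the registry provider exposes a key's unnamed value.
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\SearchURL'; Name = '(default)' }
)

$flagged = @()
foreach ($c in $checks) {
    if (-not (Test-Path -Path $c.Path)) { continue }
    $val = (Get-ItemProperty -Path $c.Path -ErrorAction SilentlyContinue).($c.Name)
    if ([string]::IsNullOrEmpty($val)) { continue }
    if ($val -match '^about:(blank|NavigationFailure)$' -or $val -match 'sp\.html') {
        $flagged += "$($c.Path)\$($c.Name) = $val"
        if ($Fix) {
            # Deleting the value is what lets IE revert to its default search page.
            Remove-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        }
    }
}

if ($flagged.Count -eq 0) {
    Write-Output 'No about:blank search values found.'
} else {
    $flagged | ForEach-Object { Write-Output "Hijacked: $_" }
    if ($Fix) { Write-Output 'Flagged values cleared; reboot and re-run to confirm.' }
}

# Also list the Run entries so they can be compared against the O4 lines in the log.
foreach ($hive in 'HKCU', 'HKLM') {
    $run = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    if (Test-Path -Path $run) {
        (Get-ItemProperty -Path $run).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |   # drop the provider's PS* metadata
            ForEach-Object { Write-Output "O4 - $hive\..\Run: [$($_.Name)] $($_.Value)" }
    }
}
```

Run it once without -Fix and keep the output alongside the HijackThis log, so that anything the script flags can be matched line for line against the R0/R1 and O4 entries before any value is cleared.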
 
Thanks Bobbye for the fix and apologies for the slow reply. Did everything asked except for:
1. msconfig section: could not find Windows Media Player or rex watch tray
2. Add/Remove Programs: there was no Google EULA Launcher
3. Could not find or don't know how to find support start, so no changes made.

Attached is the new HijackThis file. Once again, thanks for the help.
 
Could not find or don't know how to find support start, so no changes made.
Start> Run> services.msc> SupportSoft or SSRC.

I did further checking on the "RoxTray" (note corrected spelling). Roxio Media Manager (Easy Media Creator V9): when it runs the first time, it leaves the RoxWatchTray. It is supposed to be a high resource user, so you would do better without it running in the background.

Using msconfig, uncheck any Roxio entries. If you can't determine enough through the 'Command' column, widen it. Hold the left mouse button down on the cross hair next to 'Location' in this image. Move the mouse to the right to expand the column:
http://img116.imageshack.us/img116/5327/msconfigyd9.jpg

If the pop-up problem has been solved and the system is running well, we can remove the cleaning tools:
* Download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe)
* Click the CleanUp! button.
* It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).

Clear your existing System Restore points and establish a new clean restore point:
Go to Start > All Programs > Accessories > System Tools > System Restore> Select Create a restore point> OK.
* Next, go to Start > Run and type in *cleanmgr*
"Ensure the selection is on C:\ and click on OK"-
* Select the *More options* tab
* Choose the option to clean up System Restore and OK it.
* This will remove all restore points except the new one you just created.

Let us know if you need any more help.
 
Thanks Bobbye, I haven't done the last lot of instructions yet; I'll start that tomorrow.
As it stands now I still have the malware on start-up. So if the last post is still to do with the clean-up then please ignore this and I will let you know how I get on. If not, are there any other instructions or logs that are needed, as I only get the opportunity once a week to visit my sister, and the infected PC. Thanks for your time.
 
Just completed all the instructions you asked for in previous posts, and the malware is still there on start-up. Attached is the new HijackThis file just in case you need it. Double checked everything from the start just to make sure. Thanks.
 
Before I go through the log, please advise system status.
You refer to "pop-up" hell but at no time can I find where you described what those pop-ups were.
You state
i still have the malware on start up.
But don't tell us what it is.

You began this thread 2 weeks ago. It appeared that the malware had been handled and instructions were given to remove the cleaning tools and old restore points.

We need to know what we're looking at and I don't know what you're seeing and what you're considering malware.
 