Random Pop-ups when IE Browser Closed + Multiple Iexplore.exe in Taskbar

Status
Not open for further replies.

chibikaz

Hello,

I am in dire need of some guidance in removing malicious files and potential viruses from my system. Initially, I believed it only to be the iexplore issue with random pop ups, but in examining my start up and service areas in msconfig, I believe there are other embedded programs causing trouble, some of which I have not been able to disable or remove. I've been looking through my start up programs and attempting to disable some of the obvious malware programs (e.g. boob support, film ball mix, love axis, etc), but I cannot disable userinit, which according to detailed start up database listings is the direct result of a virus.

I finished steps 1-8 of the updated Malware removal instructions and have posted the three requested logs. I also ran Lavasoft Adware, Spybot, and several full scans with Corporate Symantec Antivirus before beginning the 8 step removal process.

As far as symptoms go, my main problem has been random pop-ups for things like Ebay, Xboxes, Stopzilla Adware Killer, etc using the IE browser, both when said browser is open and when it is not open. They are not rapid fire pop ups. It is a single pop up every so often. Also, there are multiple entries of iexplore, which are eating up memory and CPU usage. The number of iexplore tasks appears to have gone down after the 8 step process (i.e. two iexplore tasks are currently listed as opposed to three or four).

Also, during some of my restarts, my computer would tend to stop with just the backdrop up without the icons or task bar when I first boot up. If I go into task manager and fiddle around or open up a new task, it then loads. It has not done this with every restart, however.

Any guidance would be much obliged!

Thank you very much in advance for any and all help.
 

Attachments: hijackthis.log
I'm working on your logs now. Sorry for the wait. Give me a little time to finish up. You have an Adware.Lop malware infection- that's what's causing the multiple popups and IE processes. This application injects itself into Internet Explorer, and launches Internet Explorer in the background. It then connects to various URLs to retrieve information for display.
 
You have an Adware-Lop infection:
Mbam found it here:
Adware.Lop
C:\DOCUMENTS AND SETTINGS\KRISTY WARREN\APPLICATION DATA\FILM BALL MIX\OPEN PROGRAM.EXE
HijackThis shows it here:
O4 - HKCU\..\Run: [Dvd loud] C:\DOCUME~1\KRISTY~1\APPLIC~1\FILMBA~1\Open Program.exe

Openprogram.exe runs from within the Python programming language, so wherever you went to get "FilmBallMix" or BallMix> you also downloaded the Adware.Lop.

From Symantec:
Behavior> Adware.Lop adds its own toolbar and search button to Internet Explorer.
Symptoms> Your Symantec program detects Adware.Lop.
Transmission> This adware component must be manually installed, or installed as a component of another program.

Symantec has a full removal program for Lop, so we're going to remove a few entries in HijackThis, then I'm going to refer you there for the cleanup. Something else you should be aware of. Infections were found in files you got from Bearshare. This is a P2P or file sharing program. As long as you continue to use it, you can expect to get malware. Same with BitComet you have installed.

Please re-open HiJackThis and scan. *Check* the boxes next to all the entries listed below.
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll
O4 - HKLM\..\Run: [axis love poll lite] C:\Documents and Settings\All Users\Application Data\each new axis love\boob support.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll/206 (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.compu-gen.com
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/lib/susqulibrary/support/plugins/ebraryRdr.cab
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode
Start> Run> type in 'msconfig' without quotes> enter> Selective Startup> Startup tab> UNCHECK
everything EXCEPT any of these Symantec processes listed:
ccSetMgr.exe
ccEvtMgr.exe
SPBBCSvc.exe
DefWatch.exe
SavRoam.exe
Rtvscan.exe
LUCOMS~1.EXE
SNDSrvc.exe
Apply> OK

Start> Search> Files & Folders> Tools> Folder Options> View tab> CHECK 'show hidden files & folders'> put each of the following in search. IF found, do a right click> delete:
Bearshare
OPEN PROGRAM.EXE
FILM BALL MIX
FILMBA
compu-gen
BALL INTERNET.EXE
Go back into Folder Options> View tab> UNCHECK 'show hidden files & folders'

Control Panel> Add/Remove Programs> UNINSTALL Bit Comet and Bearshare.

Reboot into Normal Mode. You will get a nag message that you can ignore after checking 'don't show this message again'. Stay in Selective Startup.

Go on to the Symantec Adware Lop Removal Instructions here:
http://www.symantec.com/security_response/writeup.jsp?docid=2003-092919-5421-99&tabid=3


Follow the steps exactly.
When through, rescan with HijackThis and attach new log.
Advise of system status.
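The entries Bobbye picked out above follow a pattern worth making explicit: the two O4 Run entries start programs from inside a user profile (Application Data), which is where adware that installed without administrator rights tends to live, while the F2 UserInit line is the stock Windows XP value and is only a problem if it points somewhere other than system32. The script below is an added example, not part of this thread and not a HijackThis feature: it parses the HijackThis line formats quoted in the post (F2, O2, O4, O9, O14, O16), extracts the path or URL each one points at, and sorts them into OK, REVIEW or FLAG with a reason. The sample log is constructed from the lines quoted above with the profile name replaced by OWNER; the PROFILE_DIRS list and the verdict rules are this example's own heuristics, not HijackThis's.

```python
import re

# Constructed sample: the HijackThis lines quoted earlier in this thread, with the
# profile name replaced by OWNER. For a real run, pass the saved hijackthis.log on the command line.
SAMPLE_LOG = """\
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\\Program Files\\BitComet\\tools\\BitCometBHO_1.2.6.26.dll
O4 - HKCU\\..\\Run: [Dvd loud] C:\\DOCUME~1\\OWNER~1\\APPLIC~1\\FILMBA~1\\Open Program.exe
O4 - HKLM\\..\\Run: [axis love poll lite] C:\\Documents and Settings\\All Users\\Application Data\\each new axis love\\boob support.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\\Program Files\\BitComet\\tools\\BitCometBHO_1.2.6.26.dll/206 (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.compu-gen.com
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/lib/susqulibrary/support/plugins/ebraryRdr.cab
"""

# The stock Windows XP UserInit value (the live registry value carries a trailing comma).
DEFAULT_USERINIT = "C:\\WINDOWS\\SYSTEM32\\USERINIT.EXE"

# Fragments (long and 8.3 forms) that mean the program lives in a user-writable profile or temp directory.
# This list is the example's own heuristic, not something HijackThis defines.
PROFILE_DIRS = ("\\APPLICATION DATA\\", "\\APPLIC~1\\", "\\DOCUMENTS AND SETTINGS\\",
                "\\DOCUME~1\\", "\\LOCAL SETTINGS\\", "\\TEMP\\")

LINE_RE = re.compile(r"^(?P<section>[FO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<path>.+)$")


def parse_line(line):
    """Split one HijackThis line into section, name and the path/URL it points at; None if not an entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    entry = {"section": section, "name": "", "path": "", "file_missing": False}
    if body.endswith(" (file missing)"):          # HijackThis appends this when the target is gone
        entry["file_missing"] = True
        body = body[: -len(" (file missing)")]
    if section == "F2":                           # F2 - REG:system.ini: UserInit=<path>
        _, _, assignment = body.partition(": ")
        entry["name"], _, entry["path"] = assignment.partition("=")
    elif section == "O4":                         # O4 - HKCU\..\Run: [Name] <path>
        m4 = O4_RE.match(body)
        if m4:
            entry["name"], entry["path"] = m4.group("name"), m4.group("path")
    elif section == "O14":                        # O14 - IERESET.INF: START_PAGE_URL=<url>
        entry["name"], _, entry["path"] = body.partition("=")
    else:                                         # O2 / O9 / O16: <label> - {CLSID} - <path or URL>
        entry["name"], _, entry["path"] = body.rpartition(" - ")
    return entry


def assess(entry):
    """Return (verdict, reasons) for one parsed entry; verdict is OK, REVIEW or FLAG."""
    sec, path_u = entry["section"], entry["path"].upper()
    reasons, flag = [], False
    if sec == "F2" and entry["name"].upper() == "USERINIT":
        if path_u.rstrip(",") == DEFAULT_USERINIT:
            return "OK", ["stock UserInit value; userinit.exe belongs in system32 and must not be deleted"]
        return "FLAG", ["UserInit points away from the stock system32 location"]
    if sec in ("O4", "O2") and any(d in path_u for d in PROFILE_DIRS):
        reasons.append("auto-start program lives in a user-writable profile directory")
        flag = True
    if entry["file_missing"]:
        reasons.append("referenced file is missing; the entry is orphaned and safe to fix")
    if sec == "O2":
        reasons.append("BHO loads into every Internet Explorer process; confirm it was installed deliberately")
    if sec == "O16":
        reasons.append("downloaded ActiveX control; keep only if that site is still needed")
    if sec == "O14":
        reasons.append("IE reset start page is overridden; usually vendor-set, harmless to remove")
    if flag:
        return "FLAG", reasons
    return ("REVIEW", reasons) if reasons else ("OK", reasons)


def triage(log_text):
    """Parse every line of a HijackThis log; return a list of (section, name, verdict, reasons)."""
    results = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            verdict, reasons = assess(entry)
            results.append((entry["section"], entry["name"], verdict, reasons))
    return results


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for section, name, verdict, reasons in triage(text):
        print(f"{verdict:<6} {section:<4} {name}")
        for reason in reasons:
            print(f"            {reason}")
```

Run it as `python triage.py hijackthis.log` against a saved log. The verdicts are a reading aid, not a cleaner: anything marked FLAG still needs a human to confirm before it is fixed in HijackThis, and an OK on the F2 line means exactly what Bobbye says later in the thread, that the file it names is a Windows component that stays where it is.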
 
Thank you *so much* for this information. I will follow all the steps you directed and post a revised log as soon as possible. I really appreciate you taking the time to go through my logs and reply in such detail! :)

My computer tower is compu-gen, so is the "O14 - IERESET.INF: START_PAGE_URL" entry a malware or virus's way of trying to blend in with legit processes?

Yes, I did find the Adware Lop in one of the scans, and I selected it for removal, but I guess it added itself back in via registry or some start up a second time?

So wherever you went to get "FilmBallMix" or BallMix> you also downloaded the Adware.Lop.

I actually never downloaded anything like film ball mix, so I guess they were creations from some kind of malware/spyware. In addition to that strange folder, it created a folder called love axis.

Ah, I see. Thank you for bringing that to my attention. I was recommended to BitComet from someone as a more streamlined version of the typical BitTorrent. Did I download a defective version of BitComet, or are all BitComet programs now prone to Malware? Is it the same with BearShare?
 
There was a similar question asked a couple of days ago:
Is Limewire full of viruses?
None of them are safe though!

Sorry I'll jump out now

No, no, thank you so much for jumping in and linking me to that! :) I appreciate the input.

I have always tried to be very cautious in picking and choosing files in any program of that nature, and it's true, none of them are safe since people are often sharing something they don't even realize is infected! I was just concerned that I might have downloaded a flawed version of Bitcomet because I remembered after the fact that there were some bad versions out there.

So, would you recommend one as opposed to another? All P2P sharing programs have risks though, and it seems that the risks are getting higher and higher as more people take advantage of it for bad intentions. :(
 
Did I download a defective version of BitComet, or are all BitComet programs now prone to Malware? Is it the same with BearShare?
Defective? No
All prone to malware? Yes
Bearshare, Limewire, Gnutella- the same? Yes.
Add any of the utorrent sites to the list. File sharing is file sharing! 'They' will share what 'they' have and if it's malware, welcome to file sharing!

So, would you recommend one as opposed to another?
No.
My computer tower is compu-gen, so is the "O14 - IERESET.INF: START_PAGE_URL" entry a malware or virus's way of trying to blend in with legit processes?
The page is a legitimate site. But it is questionable why this entry to a page which advertises their product needs to be left in. It won't hurt your system to remove it.

Yes, I did find the Adware Lop in one of the scans, and I selected it for removal, but I guess it added itself back in via registry or some start up a second time?
When you do the full Symantec removal, you will be removing these Registry entries- hopefully all the entries, many of which you may not even be aware of. So go through the removal step by step.

Thanks Kim. I didn't read the Limewire post but I remember seeing it.
 
Thank you again for your detailed and thorough reply!

In the interim between when we last spoke and when I was able to log back on here, our family computer technician came by to fix some things on my parents' computer. I had him look at mine as well. He went through knifing things out of the registry, and I believe he removed the problem with Adware.Lop, but in case there were certain things you identified that he might not have taken care of, I posted another HijackThis log as you requested.

Thank you!

ETA: I realized that he didn't address at least one of the registry issues when I ran my HijackThis, so I am currently going through those steps and will post an updated HijackThis log in a bit.
 
Did he mention to remove Symantec (Norton) AntiVirus and use a far better one like the free Avira Antivirus?

Because I would have ;)
 
Thank you for the tip on the Anti-Virus program! :) I have Corporate Symantec on this computer because it was a requirement for internet access at my university, and this was my computer while attending college.

My concern is that while I was removing the files and registry keys in the instructions above, my Symantec never found the Adware.Lop. Other programs did (SuperAntiSpyware and I believe also Malwarebytes), and as such, I don't have the random names to remove the registry keys listed in the Symantec instructions:

1. Click Edit > Find.
2. Enter the name of the files recorded in step 2a.
3. Click Find Next.

You may be redirected to one of the following subkeys:

HKEY_CLASSES_ROOT\CLSID\[RANDOM CLSID]\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\[RANDOM CLSID]\InprocServer32

containing one of the values:

"(Default)" = "%ProgramFiles%\[RANDOM FOLDER NAME]\[RANDOM FILE NAME]"
"(Default)" = "%UserProfile%\Application Data\[RANDOM CHARACTERS].dll"

4. Record the [RANDOM CLSID] in the above subkeys.
5. In the right pane, delete any of the values:

"(Default)" = "%ProgramFiles%\[RANDOM FOLDER NAME]\[RANDOM FILE NAME]"
"(Default)" = "%UserProfile%\Application Data\[RANDOM CHARACTERS].dll"

6. Click Edit > Find.
7. Enter the [RANDOM CLSID] that was recorded in step 4f.
8. Delete any subkeys found.

Would the logs for those programs have that information?

Also, while doing a thorough scan in Safe Mode, it discovered three incidents of Suspicious FarFli: bis6CE.exe, ttmsdsxq.exe, and mapi settings internet.exe all of which I quarantined and removed. Are there additional registry keys for this that I should be hunting for?

I have screencaps of the locations where they were found as well if that would be of any help!
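The Symantec steps quoted above assume you already know the random file name and can search for it in regedit. When the file name is not known, the same keys can still be found by working from the other direction: every CLSID\{...}\InprocServer32 key's default value is a DLL path, and one that points into a user profile (the %UserProfile%\Application Data pattern Symantec lists) or is stored as an expandable %ProgramFiles% string is the thing to record. The script below is an added example, not Symantec's tooling and not from this thread. It assumes you used regedit's File > Export to save HKEY_CLASSES_ROOT\CLSID to a .reg file and then run the script offline against that file; it understands both plain string values and the hex(2) form regedit uses for REG_EXPAND_SZ values, joining regedit's line continuations first. The sample export, its CLSIDs and its paths are constructed.

```python
import re

# Constructed sample: a fragment of a regedit 5.00 export of HKEY_CLASSES_ROOT\CLSID with made-up CLSIDs.
# Key 0002 stores its path as hex(2) (REG_EXPAND_SZ), which is how regedit exports %ProgramFiles% values,
# split across two lines with a trailing backslash exactly as regedit writes it.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Documents and Settings\\Owner\\Application Data\\qzvtmr.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000002}\InprocServer32]
@=hex(2):25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,00,65,00,73,00,25,00,5c,00,\
  66,00,6c,00,6d,00,62,00,6c,00,5c,00,6f,00,70,00,6e,00,70,00,72,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000003}\InprocServer32]
@="C:\\WINDOWS\\system32\\shdocvw.dll"
"ThreadingModel"="Apartment"
"""

# Path fragments that mean the DLL lives in a user profile or temp directory (example's own list).
PROFILE_MARKERS = ("\\APPLICATION DATA\\", "\\DOCUMENTS AND SETTINGS\\", "%USERPROFILE%",
                   "%APPDATA%", "\\LOCAL SETTINGS\\", "\\TEMP\\")

# Matches the InprocServer32 key under either hive spelling that the Symantec write-up names.
KEY_RE = re.compile(
    r"^\[HKEY_(?:CLASSES_ROOT|LOCAL_MACHINE\\SOFTWARE\\Classes)\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32\]$",
    re.IGNORECASE)


def _decode_reg_value(raw):
    """Turn the right-hand side of a .reg '@=' line into a string; None for non-string types."""
    if raw.startswith('"') and raw.endswith('"'):
        # REG_SZ: regedit escapes backslashes and quotes
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("hex(2):"):
        # REG_EXPAND_SZ: comma-separated bytes of a UTF-16LE string with a terminating NUL
        data = bytes(int(b, 16) for b in raw[len("hex(2):"):].split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    return None


def inproc_servers(reg_text):
    """Yield (clsid, dll_path) for every CLSID\\{...}\\InprocServer32 default value in a .reg export."""
    # Join regedit's line continuations: a trailing backslash followed by an indented next line.
    joined = re.sub(r"\\\r?\n\s*", "", reg_text)
    current = None
    for line in joined.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if line.startswith("["):          # some other key: stop attributing values to the last CLSID
            current = None
            continue
        if current and line.startswith("@="):
            path = _decode_reg_value(line[2:])
            if path:
                yield current, path


def suspicious_clsids(reg_text):
    """Return [(clsid, path, reason)] for in-process servers matching the patterns in the Symantec steps."""
    hits = []
    for clsid, path in inproc_servers(reg_text):
        up = path.upper()
        if any(marker in up for marker in PROFILE_MARKERS):
            hits.append((clsid, path, "in-process server loads from a user profile directory"))
        elif up.startswith("%PROGRAMFILES%\\"):
            hits.append((clsid, path, "expandable path under Program Files; confirm the folder is a product you installed"))
    return hits


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # regedit 5.00 exports are UTF-16 with a byte-order mark (assumption: an unmodified export).
        text = open(sys.argv[1], encoding="utf-16").read()
    else:
        text = SAMPLE_REG
    for clsid, path, reason in suspicious_clsids(text):
        print(f"{clsid}  {path}\n    {reason}")
```

The output is the list of [RANDOM CLSID] values the Symantec steps ask you to record; the script only reads the export and changes nothing, so deleting the matching keys and subkeys is still done by hand in regedit, after confirming that each flagged DLL is not part of a product you knowingly installed.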
 
Please verify this location: F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
What is the userinit.exe location, where is it stored on my computer?
You will find this at C:\WINDOWS\system32\Userinit.exe. It may also be listed at C:\WINDOWS\ServicePackFiles\i386
Right click on Start> Explore> Windows> System32.

Please have HijackThis remove.
O14 - IERESET.INF: START_PAGE_URL=http://www.compu-gen.com

Run SuperAntispyware one more time, then follow with HijackThis. Attach both logs.
 
You will find this at C:\WINDOWS\system32\Userinit.exe. It may also be listed at C:\WINDOWS\ServicePackFiles\i386

I searched for that and found userinit.ex_ in Windows I386. I also found two entries in C:\WINDOWS\system32\Userinit.exe, one in system32, one in system32's dllcache. I deleted all three entries thinking that's what you wanted me to do, but realized as I did so maybe you only wanted me to verify where it was being found. A Windows File Protection message popped up that said it must restore the original versions of these files or it could affect Windows stability. It's asking me to put in my original XP disc, asking me if I'm sure I want to keep these unrecognized file versions. Should I do what it says?

I'll scan with both and reattach!

Also, I did not go through the Symantec Adware.Lop removal steps because I didn't know where to procure the random folder and file names. Symantec was never the one to catch it, so I didn't know what random file name to record (as it tells you to when Symantec catches it). Their examples included registry entries like this: "(Default)" = "%ProgramFiles%\[RANDOM FOLDER NAME]\[RANDOM FILE NAME]". Would SuperAntiSpyware have those random names recorded from when it ID'd and removed Adware.Lop?

If not, what should I do to identify those keys and subkeys for removal?
 
Here are the two pop-ups I'm being prompted with--I haven't clicked yes or no, I just tried to click out of it the first time. I also restored the two system32 files from the recycling bin, but don't know if that did any good.

I don't know what restoring those original files would do to my computer and do not want to lose any of my files. Please advise!
 

Attachments: Windows Protection Pop Up.PNG
In the immediate absence of Bobbye, I would say No, and then allow the missing files to be installed again from the Windows CD
 
Thank you so much for the reply!

I put in the disc, the retry menu disappeared, and clicked no as you suggested, but nothing seemed to happen after that. The menu that has popped up has the following options: Install XP, learn about the set up process, install optional components, perform additional tasks, and check for system compatibility. I checked browse this CD and found userinit.ex_, which is at least one of the files I had deleted.

Should I hunt around for those files and double click them?
 
unaffected

But in saying that, it must always be advised to create backups, just in case!
In this case it's unlikely of any data loss

Sorry I should have said close any autorun of the Windows CD
As for extracting these files, sorry I haven't been following the thread
I just wanted the Windows CD to put the proper files back, probably done now, automatically
 
Thanks again for taking the time to reply! I cannot tell you how much I appreciate it. Both of you have been absolute life savers, well, technically computer savers. :) Agreed! I do have at least one back on an external hard drive, but really do need to purchase a new external hard drive with more space so that I can save the rest.

Oh, I see. So you think it automatically took the files it needed from the CD then when it first popped up, or did the autorun mess that up?
 
Well, I had deleted three userinit files, and then restored them from my recycling bin the moment I realized it was going to make Windows unstable. I put in the Windows CD and the autorun came up, which made the initial "Insert Disc" with the "Retry / cancel" options dialogue box disappear right away, then, after I clicked no, the message about the file extensions just vanished and nothing else appeared to have happened.

I just went to do a search for userinit and this time, more files came up than when I was searching before. Attached is a screenshot of the userinits that came up, one of which says "Last good." Would that be the CD's doing?

Should I still run that tool you directed me to?
 
The pic shows everything absolutely normal :grinthumb

The tool utility above cannot hurt your system, even if running well
ie I can run it right now, without any ill effect

After running it, and then re-starting, what is the current status, then ?
 
I ran the tool and it informed me that the default Gina was in use, given the MSGINA.dll (standard) as the dll in use. Then, I rebooted, everything came up without any trouble. :D

I just re-ran HijackThis as Bobbye requested, and will be running SuperAntiSpyware again as well, but I did have some concerns over digging out Adware.Lop registry entries. You see, the Symantec instructions are based on if Symantec finds it, and in this case, it didn't. SuperAntiSpyware did, and I believe Malwarebytes as well. The problem is, the directions call for recording the random file name that Symantec identifies as Adware.Lop files to then hunt them down in the registry. Our local computer tech was over here last Monday and took some things out of my registry, but I don't know if he removed the Adware.Lop since I realized some other things that needed to go were left in after his visit.

When I booted into Safe Mode and ran a full scan, Symantec picked up 3 entries of Suspicious Farfli. Are there registry keys associated with that as well that I need to remove?
 
I don't know I don't like Symantec :cool:

What I'd do is, if I were you
Run Malwarebytes, and remove any found issues (save the log too ;) )
Then restart
Then run HJT log again

Then re-submit the logs
By the way, I'd also remove Symantec too ;)
 
*laughs* I'm starting to understand why--I wanted to smack it around after it failed to notice some of the things I knew for a fact were malware and containing infections! I'll definitely check out the Avira program you mentioned earlier as an alternative. :)

I will do that MalwareBytes scan as well and post the logs tomorrow when my computer has more time to run!

Thanks again for everything. ;)
 
Yes, I think it would be a good idea to run all three programs again, updating first and attaching the logs. I am not sure whether you're looking for something that no longer exists.
 
Great point and will do, Bobbye! I'm starting the first of the three programs again now that they are each updated, and I will post the logs so we can determine if the Adware.Lop registry keys are even still there.
 