Automatic pop up ad at IE start up, even with pop-up disabled

Where do I find the log?

I tried to scan it a second time. This time the computer shut down by itself halfway through the scan!!! This is not going so well. It said 6 infections were detected before it shut down on me. Now I have to start all over again. I saw some of the infections were rootkits.
 
C:\Documents and Settings\camron\Application Data\Sun\Java\Deployment\cache\6.0\7\3c30cc87-1e8811cf multiple threats
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\P0V5NW98\main[1].htm JS/Kryptik.AI trojan
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\defender.exe.vir a variant of Win32/Kryptik.NQD trojan
C:\Qoobox\Quarantine\C\Program Files\Common Files\WinSoftware\PrCheck.dll.vir Win32/Adware.WinAntiVirus application
C:\System Volume Information\_restore{23733152-DBC3-4AD1-A5A0-0A74BB0A9F11}\RP908\A0166133.exe a variant of Win32/Kryptik.NQD trojan
C:\System Volume Information\_restore{23733152-DBC3-4AD1-A5A0-0A74BB0A9F11}\RP908\A0166134.dll Win32/Adware.WinAntiVirus application
C:\WINDOWS\system32\drivers\dfd.sys a variant of Win32/Rootkit.Agent.AF trojan
D:\stevtemp\超棒.zip a variant of Win32/PSW.OnLineGames.NNM trojan
 
The 2 entries in 'Qoobox' were removed in Combofix. Qoobox is the name of the folder. They are no longer active in the system.

The 2 entries in 'System Volume' are restore points. These also are no longer active in the system. If you did a System Restore now and happened to choose these particular points, it could reinfect the system. But you should not be doing a System Restore during cleaning. I will have you remove the old restore points and set a new, clean one when we have finished.
======================================================
One of the entries is in the Java cache and needs to be emptied:
To clear the Java Plug-in cache:

[1]. Click Start > Control Panel.
[2]. Double-click the Java icon in the Control Panel. The Java Control Panel appears.
[3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
[4]. Click Delete Files. The Delete Temporary Files dialog box appears.
     There are three options on this window to clear the cache. Check all:
     • Delete Files
     • View Applications
     • View Applets
[5]. Click OK on the Delete Temporary Files window.
     Note: This deletes all the downloaded applications and applets from the cache.
[6]. Click Apply > OK on the Temporary Files Settings window.
Note: If you want to delete a specific application or applet from the cache, click the View Applications or View Applets option respectively.
=========================================================
The others are new:
Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Files  
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\P0V5NW98\main[1].htm
    C:\WINDOWS\system32\drivers\dfd.sys
    D:\stevtemp\超棒.zip
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
===============================================
Before I give you some script to run in Combofix, I have 2 questions. Both are important.
1. Is Drive D a flash drive? If it is, it needs to be disinfected. Do not use for anything until it's disinfected.
2. Did you use or are you now using the O&O Defrag on the Workstation? I see O&O Defrag Server Edition installed.
It activates the hidden performance of your computer and packs file fragments efficiently and securely together. O&O Defrag gives you everything from fully automated defragmentation to a professional set up: everything a good defragmentation software should give you. But it sets up a hidden Registry key with multiple entries.
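The triage the helper walks through above (quarantine and restore-point hits are dormant, the Java cache entry is cleared through the Java Control Panel, everything else goes into an OTM :Files list) is mechanical enough to script. The Python below is an added example, not code from the thread or from OTM, ESET or ComboFix: it parses the ESET result lines quoted in the thread (embedded as sample input), buckets each path by the rules stated in this post, and emits the same :Files/:Commands block the post asks the user to paste. Two things are my assumptions rather than anything the post says: paths under C:\_OTM\MovedFiles are treated as already handled, and a .sys under system32\drivers is flagged as a kernel driver, which is why the [Reboot] step matters. The later post with the second ESET scan applies the same rules, so the same script serves it.

```python
import re

# ESET prints one detection per line as "<path> <verdict>", where the verdict is
# either "multiple threats" or "[a variant of] <Family/Name> <type>". Paths contain
# spaces, so the path is matched non-greedily and the verdict anchors the split.
VERDICT_RE = (
    r"(?:(?:probably )?a variant of )?"
    r"(?:[A-Za-z0-9]+/\S+(?: [a-z]+)?|multiple threats)"
)
LINE_RE = re.compile(rf"^(?P<path>\S.*?)\s+(?P<verdict>{VERDICT_RE})$")

# Sample input: lines copied from the ESET scan results posted in this thread.
SAMPLE_ESET = r"""
C:\Documents and Settings\camron\Application Data\Sun\Java\Deployment\cache\6.0\7\3c30cc87-1e8811cf multiple threats
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\P0V5NW98\main[1].htm JS/Kryptik.AI trojan
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\defender.exe.vir a variant of Win32/Kryptik.NQD trojan
C:\Qoobox\Quarantine\C\Program Files\Common Files\WinSoftware\PrCheck.dll.vir Win32/Adware.WinAntiVirus application
C:\System Volume Information\_restore{23733152-DBC3-4AD1-A5A0-0A74BB0A9F11}\RP908\A0166133.exe a variant of Win32/Kryptik.NQD trojan
C:\System Volume Information\_restore{23733152-DBC3-4AD1-A5A0-0A74BB0A9F11}\RP908\A0166134.dll Win32/Adware.WinAntiVirus application
C:\WINDOWS\system32\drivers\dfd.sys a variant of Win32/Rootkit.Agent.AF trojan
D:\stevtemp\超棒.zip a variant of Win32/PSW.OnLineGames.NNM trojan
C:\_OTM\MovedFiles\05202011_224157\C_WINDOWS\system32\drivers\dfd.sys a variant of Win32/Rootkit.Agent.AF trojan
Operating memory multiple threats
"""


def parse_eset(text):
    """Return [(path, verdict), ...]; refuse lines that do not look like ESET output
    rather than silently dropping a detection."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised ESET line: {line!r}")
        found.append((m.group("path"), m.group("verdict")))
    return found


def classify(path):
    """Bucket a detection by where it sits, following the helper's reasoning."""
    p = path.lower()
    if p == "operating memory":
        return "memory"            # something is running now; file rules do not apply
    if "\\qoobox\\quarantine\\" in p:
        return "quarantined"       # ComboFix already neutralised it (.vir); removed at the end
    if "\\system volume information\\_restore" in p:
        return "restore point"     # dormant unless someone restores to that point
    if re.search(r"\\_otm(?:oveit)?\\movedfiles\\", p):
        return "moved"             # assumption: OTM's holding area, treat like quarantine
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java cache"        # cleared through the Java Control Panel, not by moving
    return "active"


def triage(text):
    """Group parsed detections by bucket, keeping ESET's original order."""
    buckets = {}
    for path, verdict in parse_eset(text):
        buckets.setdefault(classify(path), []).append((path, verdict))
    return buckets


def is_kernel_driver(path):
    """Assumption: a .sys in the live system32\\drivers folder is loaded in kernel mode,
    so it can only be moved on reboot; the [Reboot] command in the script covers that."""
    return re.search(r"^[a-z]:\\windows\\system32\\drivers\\[^\\]+\.sys$",
                     path, re.IGNORECASE) is not None


def build_otm_script(active_paths):
    """Emit the paste block OTM expects: a :Files list, then the :Commands section."""
    lines = [":Files", *active_paths,
             ":Commands", "[purity]", "[emptytemp]", "[start explorer]", "[Reboot]"]
    return "\n".join(lines) + "\n"


def main():
    buckets = triage(SAMPLE_ESET)
    for name, items in buckets.items():
        print(f"{name}: {len(items)}")
    active = [p for p, _ in buckets.get("active", [])]
    for p in active:
        if is_kernel_driver(p):
            print(f"kernel driver, needs reboot to move: {p}")
    print(build_otm_script(active))


if __name__ == "__main__":
    main()
```

Run as-is and it prints the bucket counts followed by the three-path :Files block that matches the one the helper posted; feed it the second scan's output and the NetworkService executables and the \WINDOWS\temp .tmp files land in the active bucket while the MovedFiles copies do not. The parser raises on any line it cannot split into path and verdict, which is the behaviour you want when the list is going to drive file moves.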
 
I'm not computer savvy. What is a flash drive? And I have not used the O&O Defrag, what is that? Should I be using it or not?
 
By the way, the pop ups are still coming up.



All processes killed
========== FILES ==========
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\P0V5NW98\main[1].htm moved successfully.
C:\WINDOWS\system32\drivers\dfd.sys moved successfully.
D:\stevtemp\超棒.zip moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 36166 bytes

User: All Users

User: bootkit_remover

User: camron
->Temp folder emptied: 1117457446 bytes
->Temporary Internet Files folder emptied: 1039855727 bytes
->Java cache emptied: 15951 bytes
->Google Chrome cache emptied: 1642864 bytes
->Flash cache emptied: 72653 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 66427728 bytes
->Flash cache emptied: 41661 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 52405793 bytes
->Java cache emptied: 1 bytes
->Flash cache emptied: 58950 bytes

User: Owner

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 19363675 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 49040 bytes

Total Files Cleaned = 2,191.00 mb


OTM by OldTimer - Version 3.1.17.2 log created on 05202011_224157

Files moved on Reboot...
C:\windows\temp\fla61.tmp moved successfully.

Registry entries deleted on Reboot...
 
New Problem after the ESET scan: Error window for 'Generic Window Process Win32'

Then an IE window pops up saying something about a 'blue screen error'. Then the computer becomes non-functional (freezes up) and has to be forced to shutdown.

We cannot close the error window either. The one that has the option to 'Send' or 'Don't send'. Everything freezes up.

HELP!!!!
 
A program called 'XP Total Security' is popping up by itself and doing a scan. What is that?!!! And I cannot open IE when it's doing that.
 
If you are 'savvy' enough to use a computer, you are 'savvy' enough to search for information.

Do Google search for "flash drive."
Do Google search for "O&O Defrag."

By the way, the pop ups are still coming up.
Then an IE window pops up saying something about a 'blue screen error'

You aren't getting 'popups'- you are getting error messages.

When you ran OTM: Total Files Cleaned = 2,191.00 mb! This is a huge number of files. Do you ever do any maintenance on the system?

Did you remove Avira? I don't see any security other than Norton.

Is this your work computer? Is there an IT person available? I see the beginning of a multi-line registry entry:
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG06.00.00.01WORKSTATION"=.......................................

You have the O&O defragger running in the 'workstation':
c:\windows\System32\oodag.exe

You have multiple Worms and Backdoor trojans.
C:\windows\system32\wuauclt.exe
C:\windows\system32\wuauclt.exe
C:\windows\system32\wuauclt.exe
>>Added by the W32/Tilebot-JW network worm.
A variant of the IRCBot family of worms and IRC backdoor Trojans.


I believe the system has been compromised and will soon become unbootable. If you do not have an IT person available, please take the system into a shop and have them reformat/reinstall the operating system.
 
I'm not sure what you mean by 'flash drive' since there are so many types. USB, Hard Drive...It's not an external drive if that's what you mean.
I defragment from time to time, but I'm not sure what the program is exactly. Some sort of a disk defragmenter.

This is a personal computer, no IT support available. So you are not able to help me any further?

With the 'XP Total Security' issue, I ran Malwarebyte and it found many threats which I went ahead to remove, but that didn't solve the issue. 'XP Total Security' still pops up. I'll post the logs in the next post. If you cannot help me any further. Can you ask Bronie to look at it for me? He was able to help my friend before and cleaned her computer when this 'XP Total Security' messed up her computer. Thanks.
 
Flash Drive: A small electronic device containing flash memory that is used for storing data or transferring it to or from a computer, digital camera, etc

All removable drives: USB Removable Flash Memory, Flash Drives, USB Pen Drive, USB Jump Drive.
USB: A USB flash drive consists of a flash memory data storage device integrated with a USB (Universal Serial Bus) interface.
====================================
The first I heard about XP Total Security was 21 hours ago when you posted:
A program called 'XP Total Security' is popping up by itself and doing a scan. What is that?!!! And I cannot open IE when it's doing that.
====================================
I encouraged you to use Google searches to help you identify programs you weren't knowledgeable about:
1. O&O Defrag: http://www.oo-software.com/home/en/products/oodefrag/
It will embed useless information in the registry entry.
This program is running on your computer. Did you install it? Do you use it? If not, you should uninstall it.
2. 'XP Total Security' : http://www.2-spyware.com/remove-xp-total-security-2011.html
Summary:
• Changes browser settings
• Shows commercial adverts
• Connects itself to the internet
• Stays resident in background
Particulars:
  • A rogue security program that is promoted through the use of Trojans.
  • It will simulate a system scan and display a list of false system security threats.
  • It blocks legitimate security software and hijacks web browsers.
  • In some cases it blocks all programs, not only anti-virus or anti-spyware software.
  • It will detect many well-known and reputable websites as harmful and display a fake security alert stating that you may infect your PC if you open a particular website.
==============================================
I asked you to do an Error Check before running the scans. This was to try and determine how much of the problem might be system related rather than malware. But you said "on a side note the instructions for error checking did not work. it says unable to check for errors." but gave no explanation.
===============================================
Malwarebytes alone isn't sufficient to remove XP Total Security.
=================================================
Please rescan with the ESET online virus scan.
================================================
Please run this Custom CFScript:

[1]. Close any open browsers.
[2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
[3]. Open Notepad > click on Format > uncheck 'Word Wrap' > and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
Code:
File::
c:\windows\System32\oodag.exe
c:\windows\system32\cpnprt2.cid
c:\windows\CouponPrinter.ocx
Folder::
c:\program files\Coupons
DDS::
uLocal Page = c:\windows\pchealth\helpctr\system\panels\blank.htm
uSearch Page =
uSearch Bar =
mLocal Page = c:\windows\pchealth\helpctr\system\panels\blank.htm
uInternet Settings,ProxyOverride = *.local
mSearchAssistant =
uURLSearchHooks: H - No File
TB: JunoBar: {5854fac4-5bf0-47dd-b5a9-a5ea8cff3cf4} -
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photol~1.lnk - c:\found.000\dir0023.chk\Plauto.exe
IE: {09BA8F6D-CB54-424B-839C-C2A6C8E6B436}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

FileLook::
C:\windows\system32\wuauclt.exe
DirLook::
c:\program files\NJCWP500.EXE
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=e
RegNull::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
Driver::

FCopy::
Save this as CFScript.txt, in the same location as ComboFix.exe
(image: CFScriptB-4.gif, showing CFScript.txt being dragged onto ComboFix.exe)

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it in your next reply.
================
The following can all be uninstalled as they are out of date:
Java
HijackThis 1.99.0 out of date
Adobe Reader 7.0.9
===================
The helpers in this forum are qualified to clean malware. They are not "interchangeable."
 
ESET Scan. Is there a way to remove these infections?
There are so many error messages popping up now (hpgalry.exe, Generic Host Process for Win32 Services has encountered a problem and needs to close, etc...). On top of that, the ads that are still popping up in IE (e.g. Congratulations, you have won a Wal-mart giftcard, blahblahblah)


C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\19\3f337853-68255d90 Java/TrojanDownloader.OpenStream.NBV trojan
C:\Documents and Settings\NetworkService\Local Settings\Application Data\bxi.exe a variant of Win32/Kryptik.ODD trojan
C:\Documents and Settings\NetworkService\Local Settings\Application Data\fpv.exe a variant of Win32/Kryptik.OCD trojan
C:\Documents and Settings\NetworkService\Local Settings\Application Data\otq.exe a variant of Win32/Kryptik.OCD trojan
C:\Documents and Settings\NetworkService\Local Settings\Application Data\sjm.exe a variant of Win32/Kryptik.OBH trojan
C:\Qoobox\Quarantine\C\Program Files\Common Files\WinSoftware\PrCheck.dll.vir Win32/Adware.WinAntiVirus application
C:\System Volume Information\_restore{23733152-DBC3-4AD1-A5A0-0A74BB0A9F11}\RP908\A0166134.dll Win32/Adware.WinAntiVirus application
C:\WINDOWS\system32\charprep.dll a variant of Win32/Kryptik.EU trojan
C:\WINDOWS\temp\3.tmp a variant of Win32/Kryptik.ODB trojan
C:\WINDOWS\temp\3F.tmp a variant of Win32/Kryptik.ODB trojan
C:\WINDOWS\temp\_33.tmp a variant of Win32/Kryptik.NIV trojan
C:\_OTM\MovedFiles\05202011_224157\C_Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\P0V5NW98\main[1].htm JS/Kryptik.AI trojan
C:\_OTM\MovedFiles\05202011_224157\C_WINDOWS\system32\drivers\dfd.sys a variant of Win32/Rootkit.Agent.AF trojan
C:\_OTM\MovedFiles\05202011_224157\D_stevtemp\超棒.zip a variant of Win32/PSW.OnLineGames.NNM trojan
Operating memory multiple threats
 
I had to re-download ComboFix because when I tried to drag the CFScript.txt to it, it said the current ComboFix was out of date. Then I tried dragging it, but it appears ComboFix has to run itself again before I can drag things to it.
 
When the newly downloaded ComboFix is running, this happened:

A ComboFix error message keeps popping up saying:

Error Opening file for writing:

C:\32788R22FWJFW\License\firefox.exe

Click Abort to stop the installation, Retry to try again, or Ignore to skip this file.


What should I do?
 
I clicked 'Ignore to skip this file', I hope that was the right one, since it forced me to click on something before anything else happened.
 
I would appreciate it if you would use the Edit feature when you have a few words to add. When you make a new post, I get email notification for every one. I got 4 from your replies above.


Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Files 
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\bxi.exe 
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\fpv.exe 
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\otq.exe 
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\sjm.exe 
    C:\WINDOWS\system32\charprep.dll 
    C:\WINDOWS\temp\3.tmp 
    C:\WINDOWS\temp\3F.tmp 
    C:\WINDOWS\temp\_33.tmp 
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
======================================
The Qoobox entries have been quarantined by Combofix. They are not active in the system and will be removed later.
The System Volume entries are restore points. They are not active in the system and will be removed later.
=================================================
One ESET entry is in the Java cache. It will need to be emptied:
To clear the Java Plug-in cache:

[1]. Click Start > Control Panel.
[2]. Double-click the Java icon in the Control Panel. The Java Control Panel appears.
[3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
[4]. Click Delete Files. The Delete Temporary Files dialog box appears.
     There are three options on this window to clear the cache. Check all:
     • Delete Files
     • View Applications
     • View Applets
[5]. Click OK on the Delete Temporary Files window.
     Note: This deletes all the downloaded applications and applets from the cache.
[6]. Click Apply > OK on the Temporary Files Settings window.
Note: If you want to delete a specific application or applet from the cache, click the View Applications or View Applets option respectively.
=============================================
NOTE: If, for some reason, Combofix refuses to run, try one of the following:
1. Run Combofix from Safe Mode.
2. Delete the Combofix file and download a fresh one, but rename combofix.exe to
bahyi.exe BEFORE saving it to your desktop.
Do NOT run it yet.
3. Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 4 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
  • Rkill.com
  • Rkill.scr
  • Rkill.pif
  • Rkill.exe
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run then try to immediately run the following>>>>.

Please download exeHelper by Raktor and save it to your desktop.
  • Double-click on exeHelper.com or exeHelper.scr to run the fix tool.
  • A black window should pop up, press any key to close once the fix is completed.
  • A log file called exehelperlog.txt will be created and should open at the end of the scan)
  • A copy of that log will also be saved in the directory where you ran exeHelper.com
  • Copy and paste the contents of exehelperlog.txt in your next reply.

Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).

Rkill instructions
*************************************
Once you've gotten one of them to run, immediately run

bahyi.exe by double-clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.
 
When I did as instructed with OTM, after clicking 'Move It', an Application Error window showed up saying OTM encountered an error and needs to close. Then it froze my computer after that. I copy-pasted EVERYTHING just as instructed. What does this mean? I can't run OTM.

And after forcing the computer to turn off and when it turned back on, there's a 'Malware Protection' program window that showed up. Looks fake. And it won't allow me to open anything, IE, Malwarebyte...saying something like this:

iexplore.exe can not start
File iexplore.exe is infected by Win32/Blaster.worm
Please activate Malware Protection to protect your computer.

Of course I did NOT do as it suggested. Why is this happening?

The computer was actually working better before OTM. what's wrong? I can't open anything now to even do any of the things you suggested. HELP!!!!!!
 
Your system is not secure. You continue to get new malware infections as quickly as we remove the old ones. The system has not been well maintained, as evidenced by the over 2,000 files cleaned in OTM.

The computer was not working well before OTM.

At this point, my recommendation is to get help and reformat/reinstall the operating system.
You will find excellent reformat/reinstall instructions here:
http://www.tech-101.com/tutorials/356-tutorial-windows-install-repair-xp-vista.html

You will need the CD for the operating system for this.

I urge you to get some basic reference for caring for the system and the security you need.
 
Can you at least help us to where this particular Malware can be removed so that I can actually click on something and have it open up? Now it's blocking all programs from opening. Thanks.
 
Can you at least help us to where this particular Malware can be removed so that I can actually click on something and have it open up? Now it's blocking all programs from opening. Thanks.

Please try to understand: There is not a particular malware on the system. As fast as malware entries are removed, more malware gets into the system. This is the first I've heard about programs being blocked from opening.

Do you have passwords set for some activities?
Do you have personal information on the system?
Do you have documents and pictures saved?
Do you have files on the computer that are private and/or important?
Do you do any financial transactions on the internet?
Buy anything?
Do banking?

All of this is at risk. Your computer has been compromised. The best help I can be to you is to say-again-that in my opinion, you need to reformat and reinstall the operating system.
 