Problems with pop-ups and adware/spyware on Windows XP

[ryansmith]

Hi everyone,

I found this great site while Googling the annoying "little green circle with red exclamation point" issue. I knew it was probably some type of adware/spyware/malware. This is my parents' computer and it probably needs to be cleaned up badly.

I followed the all of the instructions in this thread completely and the pop-ups and systray icons seem to have disappeared, but I still wanted to post the logs I saved for any further tips or advice that you may be able to offer. I'm not sure if I've effectively cleaned the system or not.

Oh, the Anti-rootkit came out clean and said there were no files found.

 

[almcneil]

AVG has some of the best anti-malware utilities on then planet. I use and recommend them. But I admit, the AVG Anti-Rootkit has yet to find anything anytime I've used it.

I recommend the following 3 anti-spyware utils:

• Ad-Aware 2007
• Spybot Search & Destroy
• AVG Anti-Spyware

All are free.

 

[howard_hopkinso]

Hello and welcome to Techspot.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the file you have just downloaded, click on it and press open
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT and Combofix log.

6. Rehide your protected OS files.

Regards Howard :wave: :wave:

This thread is for the use of ryansmith only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Rolfman]

You know , i got to say , i've cleaned systems from adware and spyware before , and its just not the same, the CPU usage percentage dropps exponentialy . i am a big fan of speed wen it comes to OS's. and 85% of the times wen clean a spyware or adware at the end you'll always wind up formatting anyway.
With all do respect to previous solutions posted by other members , i recomend you to clean and backup your files , then format your hard drive.
And start Fresh.

 

[ryansmith]

5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT and Combofix log.

Thanks for the reply. I followed all the steps in your post. Here are the logs for Avenger, Combofix, and HJT.

 

[howard_hopkinso]

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

R3 - URLSearchHook: (no name) - {EC13EFF8-563E-24EA-41F7-05E29A7E2490} - C:\WINDOWS\system32\yuapnlru.dll (file missing)

O2 - BHO: (no name) - {3119A020-9D54-48BE-8A1B-2D35886BA8E6} - C:\WINDOWS\system32\vtsqn.dll (file missing)

O2 - BHO: (no name) - {CC358019-D328-40B4-8E2D-818CE142616C} - C:\WINDOWS\system32\qomkhih.dll (file missing)

O2 - BHO: (no name) - {EC13EFF8-563E-24EA-41F7-05E29A7E2490} - C:\WINDOWS\system32\yuapnlru.dll (file missing)

O16 - DPF: {30985566-E01F-11D2-85DB-EA44DE000000} (IRTHMapDisplay Control) - http://www2.callsunshine.com/irthinternet/IrthInternetLibrary/IRTHMapDisplay.cab

O20 - AppInit_DLLs:

O20 - Winlogon Notify: qomkhih - qomkhih.dll (file missing)

O20 - Winlogon Notify: vtsqn - C:\WINDOWS\system32\vtsqn.dll (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\WINDOWS\system32\yuapnlru.dll
C:\WINDOWS\system32\nqstv.bak2

Reboot into normal mode and rehide your protected OS files.

Post fresh HJT and Combofix logs and let me know how your system is running.

Regards Howard

This thread is for the use of ryansmith only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[ryansmith]

Locate and delete the following bold files and/or directories(if there).

C:\WINDOWS\system32\yuapnlru.dll

Hello Howard,

This file didn't exist. Only the .bak2 file that you mentioned was there, which I deleted.

The computer boots a little faster and I haven't seen any pop-ups.

Here are the current ComboFix and HJT logs.

Thank you again,
Ryan

 

[howard_hopkinso]

Your log files are clean.

Turn off system restore.(XP/ME only) See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard

This thread is for the use of ryansmith only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[ryansmith]

Thank you so much. Everything seems to be running much more smoothly now.