Unwanted IE popups. Logs attached.

Status
Not open for further replies.
Hello,

Yesterday I started getting a bunch of unwanted IE popups, maybe 1 every 30-60 seconds or so. This coincided with Spybot telling me a process wanted to try and change one of my registry values. So I found this forum and began following the 8 steps. (Though I didn't update Java because I don't have it in the first place.)

Anti-Malware was able to detect and remove some problem .dlls, but I still have the following 2 problems:

1. On bootup (and only on bootup), I get popups informing me that the .dlls Anti-Malware removed can't be found (so obviously there's something bad left on my computer).

2. I sometimes still get a popup, but not very often, and this time it's always the same one, asking me if I want to install and run Antivirus 2009. When I cancel, it sends me to a site where a fake virus scan is performed, to try and get to me click on something. I just close that window, and the popup doesn't come back for a few minutes.

I've already spotted lines in the HJT log that include the names of the bad .dlls, but I'm not sure what to do with them, or if any other lines in the log may be signs of problem.

Any help solving my 2 problems would be greatly appreciated. Thank you!
 
Welcome to TS. Your logs are not presenting an expected view. I am trying to anticipate your needs.

- - ->> No action taken. – Observed in MBAM log. This suggests guide was not followed.

Malwarebytes' Anti-Malware - emphasis added
> select Perform full scan, > click Scan.
> When the scan is complete, click OK, then Show Results to view the results.
> Be sure that everything is checked, and click Remove Selected.

To have SAS remove the Tracking Cookies: Check the lower left image on this page- click to enlarge> check for removal as shown:
http://superantispyware.en.softonic.com/images


We will proceed along a typical path. Update MBAM & SAS scanning tools.

Repeat scans with MBAM & SAS until achieving 0 results for infections/threats or no further reduction noted. Please inspect logs for wording ‘delete on reboot’. When found, restart the computer.


Restart the computer & then scan with HJT.

Post logs. Report progress & what changes are observed.
 
Thanks,

I had actually run MBAM before you replied as a quick scan and properly dealt with the .dlls it found. Running MBAM again tonight as a full scan detected nothing. SAS (full scan) then only found tracking cookies. I got rid of them and then ran SAS (quick scan) again, which found nothing. I then rebooted, ran HJT, and obtained the attached log.

Currently my computer no longer has any symptoms, but I see there are still problem lines in the HJT log.
 
Other specialists are invited to assist with reviewing a ComboFix log to be requested

Jontheidealist, are these the HJT items you have identified?
O2 - BHO: (no name) - {8755c2ad-736c-4840-9451-6be03ecafd3a} - C:\WINDOWS\system32\fopihofu.dll (file missing)
O4 - HKUS\S-1-5-19\..\Run: [gagokuhedu] Rundll32.exe "C:\WINDOWS\system32\biniyogi.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: …………… C:\WINDOWS\system32\foyuroke.dll

Points to this DNS server company
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D34A149-B431-4204-948E-FA9E7EEEA7E9}: NameServer = 24.200.241.37,24.201.245.77 << - - - Le Groupe Videotron Ltee -- - not blacklisted

ComboFix will be used to gain additional diagnostic data. Some cleaning does occur.
Link to instructions developed by Blind Dragon

Remember to conclude by scanning with HJT. As expected, post logs. Report progress & what changes are observed.
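The three HJT lines picked out in this post share the same tells: a DLL in system32 with a made-up looking name, a BHO whose file is already gone, and a populated AppInit_DLLs value. The script below is an added example, not something posted in this thread or shipped with HijackThis; it runs that triage over constructed sample lines modelled on the log excerpts above (the benign "PDF Link Helper" line and its all-zero GUID are made up as a control). The "random-looking name" rule is an assumption of mine: lowercase letters only, 6 to 12 long, strictly alternating consonant and vowel, which is the pattern fopihofu, biniyogi, foyuroke and gagokuhedu all follow. It only points a reviewer at lines worth a second look; it does not decide what is malware.

```python
import re

# Constructed sample lines modelled on the HJT entries quoted in the thread.
# Line 2 (PDF Link Helper, all-zero GUID) is a made-up benign control.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {8755c2ad-736c-4840-9451-6be03ecafd3a} - C:\\WINDOWS\\system32\\fopihofu.dll (file missing)
O2 - BHO: PDF Link Helper - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\Reader\\ReaderHelper.dll
O4 - HKUS\\S-1-5-19\\..\\Run: [gagokuhedu] Rundll32.exe "C:\\WINDOWS\\system32\\biniyogi.dll",s (User 'LOCAL SERVICE')
O4 - HKLM\\..\\Run: [SpybotSD TeaTimer] C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe
O20 - AppInit_DLLs: C:\\WINDOWS\\system32\\foyuroke.dll
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{4D34A149-B431-4204-948E-FA9E7EEEA7E9}: NameServer = 24.200.241.37,24.201.245.77
"""

SECTION_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
# A Windows path (spaces allowed) up to the first .dll/.exe extension.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe)\b", re.IGNORECASE)
VOWELS = set("aeiou")


def looks_generated(stem: str) -> bool:
    """Heuristic (assumption, not a HijackThis rule): 6-12 lowercase letters
    that strictly alternate consonant/vowel, e.g. fopihofu or gagokuhedu."""
    if not (6 <= len(stem) <= 12) or not stem.isalpha() or not stem.islower():
        return False
    kinds = [c in VOWELS for c in stem]
    return all(kinds[i] != kinds[i + 1] for i in range(len(kinds) - 1))


def triage_line(line: str) -> list:
    """Return the reasons one HJT line deserves a second look ([] if none)."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return []
    section, body = m.groups()
    reasons = []
    if "(file missing)" in body:
        reasons.append("orphaned entry: referenced file is missing")
    for path in PATH_RE.findall(body):
        folder, _, name = path.rpartition("\\")
        stem = name.rpartition(".")[0]
        if folder.lower().endswith("\\system32") and looks_generated(stem):
            reasons.append(f"random-looking name in system32: {name}")
    if section == "O4":
        key = re.search(r"\[([^\]]+)\]", body)
        if key and looks_generated(key.group(1)):
            reasons.append(f"random-looking Run key name: {key.group(1)}")
    if section == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        reasons.append("AppInit_DLLs is populated: each listed DLL loads into every GUI process")
    if section == "O17":
        ns = re.search(r"NameServer\s*=\s*([\d.,]+)", body)
        if ns:
            reasons.append(f"custom DNS resolvers, confirm they belong to your ISP: {ns.group(1)}")
    return reasons


def triage(log_text: str) -> dict:
    """Map 1-based line number -> reasons, for lines with at least one reason."""
    findings = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        reasons = triage_line(line)
        if reasons:
            findings[n] = reasons
    return findings


if __name__ == "__main__":
    for n, reasons in triage(SAMPLE_LOG).items():
        print(f"line {n}:")
        for r in reasons:
            print(f"  - {r}")
```

Run it as-is to see the four flagged sample lines; to use it on a real log, pass the file's text to `triage()`. The O17 entry is reported for manual verification only, matching what was done above (the resolver range was looked up and found not blacklisted), not as an infection indicator.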
 
I apologize for taking this long to reply. I moved at the beginning of the month, and with no symptoms, it's taken a while for this to become a priority.

The lines you mentioned were indeed the ones I was concerned about. However, after running ComboFix and then HJT, they appear to be gone from the HJT log.

There were no more symptoms before running ComboFix, and everything appears to still be fine.

Attached are both logs. Thanks.
 
Hi Jon, you dropped off my radar.

Do the following.

Scan with ComboFix.
Restart the computer.
Scan with HJT.

This checks if ComboFix cleans all that it is able to detect.

SDFix is similar to ComboFix in its powerful cleaning. It lacks diagnostic detail.

The following are unusual. Timestamps are after we began this case. I suspect they are leftover from installing or updating the computer:

2008-12-13 02:04 . 2008-12-13 02:04 <DIR> d-------- C:\60710da0fd12ad985e
2008-12-13 01:56 . 2008-12-13 02:03 <DIR> d-------- C:\c4a7af2ce33752ece4bf84abba
2008-12-03 01:10 . 2008-12-03 01:10 244 --ah----- C:\sqmnoopt02.sqm
2008-12-03 01:10 . 2008-12-03 01:10 232 --ah----- C:\sqmdata02.sqm
 
Apparently, the .sqm files are Windows Messenger log files. I'd link to where I found this info, but my post count isn't high enough yet.

And after looking in the folders with the random letter-number names, they seemed to be filled with .Net 3.5 SP1 temporary files that for some reason hadn't been deleted. I deleted those folders to see what would happen. Nothing seems to have gone wrong, and they didn't come back.

Also, what happened to the message that suggested SDFix and my following reply?
Was it simply bad advice?

Anyway, attached are the requested ComboFix and HJT logs. My computer still displays no symptoms at this point. Thanks!
 
...
Also, what happened to the message that suggested SDFix and my following reply?
Was it simply bad advice?
... My computer still displays no symptoms at this point. Thanks!

My one reply mentions SDfix, but my notes retained nothing from the "missing" reply. Who knows?

Yes, you are clean.

Some cleanup items: uninstall ComboFix & establish a clean restore point.


Cleanout Old System Restore Points

Disk Cleanup From the Taskbar
  • Start > Programs > Accessories > System Tools > Disk Cleanup
  • Click OK to accept C:
  • Tick all Boxes
  • Click More Options
  • Click System Restore and OK to "Are you sure" and the OK to Run.
  • Results -
    • Only the most recent Restore Point remains
    • Clears 'Shadow Copies' [ Volume Shadow Copy running is the default ]
      • used by specialized back up programs.
      • reclaims a huge amount of disk space.
      • removes infected files
Establish a clean System Restore point
  • Start > Programs > System Tools > System Restore
  • Left Pane > System Restore Settings
  • Tick 'Turn off system restore on all drives', Click 'Apply'
  • Wait for completion
  • Untick 'Turn off system restore on all drives', Click 'Apply'
  • Wait for completion. OK to end menu. Exit
 