IE throwing popups

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by munish, Dec 20, 2007.

  1. munish

    munish Private E-2

    hi,

    I am facing this problem where my IE explorer (version 7.0) is throwing popups every now and then. Even when I quit out of IE and start Mozilla, I still get the IE popups. Surely it's some malware/spyware or something installed on my m/c. I found the following thread on Major Geeks and decided to join the group.
    http://forums.majorgeeks.com/showthread.php?t=145392

    I tried to do the initial step by logging in under safe mode and even have java 6 installed as advised on the thread. But per the step where the HJT needs to be executed I couldn't find most of the entries on my list.

    Attached are the logs (MGLogs.zip and Avenger.txt) which I got ultimately. Really appreciate your response in helping me resolve it.

    Thanks a bunch,
    Munish
     


  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You did not attach the log from running ComboFix....and you should not be using fixes from other threads as they are meant for that person's computer ...not yours!

    Let's start:
    Use add/remove programs to uninstall:
    Viewpoint Media Player
    Zango

    Please disable all anti-virus and anti-spyware programs while we do the following:

    Open notepad and copy and paste the following text in the quote box into the window:
    Save this as fix.bat
    Choose to save as all files.
    Doubleclick fix.bat and let the program run.
    A small black dos window will flash, this is normal.

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.
     
  3. munish

    munish Private E-2

    Tim,

    I am actually logged on under safe mode as administrator on my laptop and there are no Anti Virus or Anti-Spyware running.
    I had these observations during the execution steps outlined in your post.
    1) I didn't find any entries for the following (suspecting because you asked to uninstall these programs) in HJT

    O2 - BHO: Zango Toolbar - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - C:\Program Files\ZangoToolbar\Bin\4.8.3.0\ZbHostIE.dll
    O3 - Toolbar: Zango Toolbar - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - C:\Program Files\ZangoToolbar\Bin\4.8.3.0\ZbHostIE.dll

    2) The Avenger step actually gave some errors saying that it could not create a zip file.
    I am attaching the zip and the text file.

    I don't know where can I find th log file from the combo fix.

    Thanks for your time.
    Munish
     


  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please download DelCmdService, and save it to your Desktop.

    * Unzip the content to your Desktop (a folder named delcmdservice)
    * Double-click on the delcmdservice folder
    * Double-click on delreg.bat to launch the tool
    * When the tool has finished, please reboot your computer.

    Please disable all anti-virus and anti-spyware programs while we do the following:

    Use windows explorer to find and delete:
    C:\Program Files\a?sembly ---> with a creation date of Dec 18 2007


    Go to start / run / type "services.msc" without quotes and scroll down to:
    Command Service
    right click the entry, select Properties and press Stop Service.
    * When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    Then do the same for:
    Network Monitor.
    * Click OK until you get back to Windows.

    Next, run C:\MGtools\analyse.exe by double clicking on it, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    * At the lower right, click on the Config button
    * Then click the Misc tools button
    * Select Delete an NT Service
    * Copy/paste:
    cmdService
    Network Monitor
    into the box that opens, and press OK
    * If you receive any error messages just ignore them and continue.
    * Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it double click it and allow it to merge with the registry.
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.
     
  5. munish

    munish Private E-2

    Tim,

    Attaching the log files along.

    1) However during the steps where you asked the services to be stopped, I didn't find 'Command Service' (i was logged in under 'safe mode with networking' and probably because of that)

    2) //ly in the Analyze.exe step, the tool didn't find the 'cmdService'

    * Select Delete an NT Service
    * Copy/paste:
    cmdService

    3) In HJT I didn't find the following 2 entries out of 3
    O4 - HKLM\..\Run: [twtolyyx] C:\coiqxomw.bat
    O4 - HKLM\..\RunOnce: [ZangoToolbar] cmd /c "rmdir "C:\Program Files\ZangoToolbar" /s /q"

    Please advise if I need to log back in using a different mode to be able to follow the steps accurately.
    Thanks much,
    Munish
     


  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Were you able to find and delete:
    C:\Program Files\a?sembly ---> with a creation date of Dec 18 2007

    Please disable all anti-virus and anti-spyware programs while we do the following:

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it double click it and allow it to merge with the registry.
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.
     
  7. munish

    munish Private E-2

    Tim,

    There wasn't a folder 'C:\Program Files\a?sembly' but 'C:\Program Files\assembly' and it did have the creation date of Dec 18 2007. I deleted it and hope that's what you meant.

    The avenger.exe gave an error when I clicked on the traffic signal side saying 'it was unable to create the zip' and subsequent popup boxes were thrown too. But I accepted them and went ahead with the reboot.

    Attached are the log files.

    Thanks,
    Munish
     


  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    That was the one to delete.

    A few more items ...not sure why they keep popping up:
    Please disable all anti-virus and anti-spyware programs while we do the following:

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it double click it and allow it to merge with the registry.
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.

    * Double-click ATF-Cleaner.exe to run the program.
    * Under Main choose: Select All
    * Click the Empty Selected button.

    If you use Firefox browser

    * Click Firefox at the top and choose: Select All
    * Click the Empty Selected button.
    o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser

    * Click Opera at the top and choose: Select All
    * Click the Empty Selected button.
    o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main ATF Cleaner menu to close the program.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.
     
  9. munish

    munish Private E-2

    Tim,

    Unable to attach the logs as I don't see the 'manage attachment' feature anymore. Any pointers?

    thanks,
    Munish
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Clear your cache in the browser...open back up and hit f5 a few times.
     
  11. munish

    munish Private E-2

    Never mind the earlier reply. Firefox gave me that problem and I believe the clean up did something.
    I see the option in IE. Attaching logs.

    Thanks,
    Munish
     


  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    OK....Let's try to kill this once and for all.

    Use add/remove programs to uninstall:
    URL Assistant

    Then use windows explorer to find and delete:
    C:\WINDOWS\TXVuaXNoIEZhdXpkYXI
    C:\Program Files\Filseclab
    C:\WINDOWS\system32\drivers\rdpbjmix.sys

    Please disable all anti-virus and anti-spyware programs while we do the following:

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it double click it and allow it to merge with the registry.


    Now I want you to download and run:
    Download Dr.Web CureIt and save it to your desktop.
    • Doubleclick the cureit-beta.exe file and allow to run
    • If it prompts you about getting any updates, get the update and then rerun the cureit-beta.exe installation.
    • When it finishes you will have a green window with a Start and an Update selection. Click Start
    • The Express Scan of your PC window will come up. Click OK to scan main memory to detect infected processes in memory.
    • If anything is found in memory, click the yes button when it asks you if you want to cure it. This is only a short scan.
    • You may see a popup window to Buy or get a discount on the program. Just click the X at the top right to close this popup. The scan will continue.
    • Once the short scan is completed, click the Custom Scan radio button. Then Select each of your hard disk drives (that is if you have more than one). A red dot shows which drives have been chosen.
    • Click the green arrow at the right under the Dr.Web logo, and the scan will start.
    • Click 'Yes to all' if it finds any problems and asks if you want to cure or move the file.
    • When the scan has finished, look if you can click the next icon next to the files found.
    • If so, click it and then click the next icon right below and select Move incurable.
    • This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured. (this in case we need samples)
    • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.
    • Reboot your computer!! This is necessary because there could be files in use that will be moved or deleted during reboot.
    • After reboot, attach the log from Dr.Web to your next reply
    Run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and the DrWebLog
     
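The HijackThis O2/O3/O4 lines, the AppInit_DLLs warning and the service/driver deletions in this thread all map to a handful of autostart locations. The following read-only audit script is an added example, not part of this thread or of the MajorGeeks tools; it lists those locations and flags the names TimW and munish discuss above. It assumes an elevated PowerShell 3.0 or later session (the CIM cmdlets are not available on the XP-era PowerShell), and the suspect names are taken from the thread only as an illustration.

```powershell
# Added audit script (not from this thread): read-only inventory of the
# autostart locations behind HJT O2/O3/O4 entries, the AppInit_DLLs value
# and installed services/drivers, flagging names discussed in the thread.
# Assumption: run in an elevated PowerShell 3.0+ session.
$Suspect = @{
    Clsid   = @('{5CBE2611-C31B-401F-89BC-4CBB25E853D7}')  # Zango Toolbar (O2/O3)
    RunName = @('twtolyyx', 'ZangoToolbar')                # O4 Run/RunOnce names
    Service = @('cmdService', 'Network Monitor')           # services to remove
    Driver  = @('rdpbjmix.sys')                            # driver file to delete
}
$HKCR = 'Registry::HKEY_CLASSES_ROOT'

function Get-ComServer([string]$Clsid) {
    # Resolve a CLSID to the DLL implementing it (the path HJT prints)
    (Get-ItemProperty "$HKCR\CLSID\$Clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
}

# O2: BHOs are subkeys named by CLSID; O3: toolbars are values named by CLSID
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$bhos = @(Get-ChildItem $bhoKey -ErrorAction SilentlyContinue | ForEach-Object { $_.PSChildName })
$tbKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'
$toolbars = @((Get-ItemProperty $tbKey -ErrorAction SilentlyContinue).PSObject.Properties |
    Where-Object { $_.Name -match '^\{[0-9A-F-]+\}$' } | ForEach-Object { $_.Name })
foreach ($c in ($bhos + $toolbars)) {
    $flag = if ($Suspect.Clsid -contains $c) { 'SUSPECT' } else { '' }
    '{0,-8} O2/O3 {1} -> {2}' -f $flag, $c, (Get-ComServer $c)
}

# O4: Run and RunOnce values under HKLM and HKCU
foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($sub in 'Run', 'RunOnce') {
        $props = (Get-ItemProperty "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\$sub" `
            -ErrorAction SilentlyContinue).PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }
        foreach ($p in $props) {
            $flag = if ($Suspect.RunName -contains $p.Name) { 'SUSPECT' } else { '' }
            '{0,-8} O4 {1}\..\{2}: [{3}] {4}' -f $flag, $hive, $sub, $p.Name, $p.Value
        }
    }
}

# AppInit_DLLs: any non-empty value is loaded into every GUI process, so report it
$appInit = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows').AppInit_DLLs
if ($appInit) { "CHECK    AppInit_DLLs = $appInit" }

# Services and drivers: match on service name, display name or driver file name
Get-CimInstance Win32_Service | Where-Object {
    $Suspect.Service -contains $_.Name -or $Suspect.Service -contains $_.DisplayName
} | ForEach-Object { 'SUSPECT  service {0} ({1}) {2} [{3}]' -f $_.Name, $_.DisplayName, $_.PathName, $_.State }
Get-CimInstance Win32_SystemDriver | Where-Object {
    $_.PathName -and ($Suspect.Driver -contains (Split-Path $_.PathName -Leaf))
} | ForEach-Object { 'SUSPECT  driver {0} {1} [{2}]' -f $_.Name, $_.PathName, $_.State }
```

Run it before and after a fix round to confirm the flagged entries are gone; it changes nothing on the machine.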
