Malware causing popups on 2nd PC

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Robbi, Oct 9, 2008.

  1. Robbi

    Robbi Private E-2

    Greetings!

    Happy Birthday! I hope you have a great celebration. Glad you had a good vacation.

    Now my backup laptop is infected with the same Chinese popups. This is an HP Pavilion running XP Professional. I think the infection occurred through a USB flash drive I use, though both laptops were also connected to the same wireless network.

    I was able to run all of the scans on the HP and the results are attached. I will try to run MGtools again on the Toshiba.

    Thanks again for your help.

    Robbi
     

    Attached Files:

  2. Robbi

    Robbi Private E-2

    Re: Remove Malware causing popups

    Here is the log for the MGtools for the HP.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O24 - Desktop Component 0: (no name) - http://l.yimg.com/us.js.yimg.com/lib/pim/r/medici/16_11/mail/mailcommonlib.js

    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
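    As an added illustration (not part of chaslang's post and not HijackThis's or MGtools' own code), here is a small Python parser for the three HijackThis lines quoted in the fix above. It pulls out the section, CLSID, autostart command and Desktop Component source, and flags the same properties the fix singles out: a BHO registered with no backing file, an Active Desktop component that loads a remote script, and autostart entries that should be confirmed as expected. The line formats and flag wording are assumptions based on the lines shown, not HijackThis's internal logic.

```python
import re

# HijackThis-style "O" lines, constructed from the entries quoted in the fix above.
SAMPLE_HJT_LINES = [
    "O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    'O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\QTTask.exe" -atboottime',
    "O24 - Desktop Component 0: (no name) - http://l.yimg.com/us.js.yimg.com/lib/pim/r/medici/16_11/mail/mailcommonlib.js",
]

_LINE_RE = re.compile(r"^(O\d+) - (.*)$")


def parse_hjt_line(line):
    """Split one HijackThis line into its section code and fields (assumed formats)."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.group(1), m.group(2)
    entry = {"section": section, "raw": line.strip()}
    if section == "O2":
        # Assumed format: "BHO: <name> - {CLSID} - <path or (no file)>"
        parts = [p.strip() for p in rest[len("BHO:"):].split(" - ")]
        entry.update(name=parts[0], clsid=parts[1], path=parts[2])
    elif section == "O4":
        # Assumed format: "<hive>\..\Run: [<value name>] <command line>"
        m4 = re.match(r"(.*?): \[(.*?)\] (.*)", rest)
        entry.update(key=m4.group(1), value_name=m4.group(2), command=m4.group(3))
    elif section == "O24":
        # Assumed format: "Desktop Component N: <name> - <source>"
        m24 = re.match(r"Desktop Component \d+: (.*?) - (.*)", rest)
        entry.update(name=m24.group(1), source=m24.group(2))
    return entry


def review_flags(entry):
    """Return the reasons an entry deserves a look, mirroring the triage in the fix above."""
    flags = []
    if entry["section"] == "O2" and entry.get("path") == "(no file)":
        flags.append("orphaned BHO registration (CLSID with no backing file)")
    if entry["section"] == "O2" and entry.get("name") == "(no name)":
        flags.append("BHO with no name")
    if entry["section"] == "O24" and entry.get("source", "").startswith(("http://", "https://")):
        flags.append("Active Desktop component loading remote content")
    if entry["section"] == "O4":
        flags.append("autostart entry: confirm the program is expected")
    return flags


def triage(lines):
    """Parse every line and pair it with its review flags; unparseable lines are skipped."""
    return [(e["raw"], review_flags(e)) for e in map(parse_hjt_line, lines) if e]
```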
  4. Robbi

    Robbi Private E-2

    Greetings!

    Thanks for your help.

    I ran MGtools and it seemed to run successfully. ComboFix seemed to work and I received a success message about adding to my registry. The logs are attached.

    My HP Internet Explorer still takes me to Chinese websites and popups are still occurring.

    Thanks again.
    Robbi
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not attach any logs!

    However before you do, please download and run the current version of MGtools.exe and then attach the new MGlogs.zip file and the ComboFix.txt log that you got from running my last fix.


    NOTE: Do you use a USB type flash drive or other removable type media? And do you use them on multiple PCs? If so, they all are probably infected. All of the files listed in my fix have to be cleaned up from ALL removable media and all hard disk partitions in all PCs where you used the removable media. So while I list things on just drives C and G, any other partitions and drives have to be checked too.
     
  6. Robbi

    Robbi Private E-2

    Greetings!

    Ooops! Sorry about the logs. I downloaded the new MGtools and it seemed to run with no problems.

    Yes, I was using a USB flash drive to transfer files between my 2 laptops. I stopped using this when I realized my second laptop (the HP) was infected. I am sure my flash disk is infected. Is there any way to remove the malware from it or should I discard it? I am using CDs to transfer files until I am sure that both computers are clean.

    My HP has 2 hard drives and one has 2 partitions. I ran MGtools from the C drive because that is where the system files are. Do I need to move MGtools to the other hard drive and the partition and run it in those sites as well?

    Thanks for your help.
    Robbi
     

    Attached Files:

  7. Robbi

    Robbi Private E-2

    Greetings!

    Sorry, I was wrong about the 2 hard drives. There is one hard drive with 3 partitions.

    Robbi
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please run ComboFix one more time by simply double clicking on it. I should have asked you to run the fixME.reg patch before running ComboFix so I need to make sure the fix really worked.


    You should have it plugged in while doing all these scans and should make sure that scans like SAS, MBAM, and your antivirus program have scanned it and other hard disk partitions. Also you should manually look for the files list in my ComboFix procedure and delete them from the USB drive and also from ALL other hard disk partitions if found.


    Now click Start > Run and type in cmd
    • Click OK.
    • This will open a command prompt.
    • Type or copy and paste the following line in the command window:
      ipconfig /flushdns
    • Hit Enter
    • Exit the command window


    Now let's flush the Java Cache
    • Click Start > Settings > Control Panel
    • Double click the Java icon (be patient, it may take a while to open)
    • Now click the General tab and under the Temporary Internet File area
    • Click the Settings button and then click the Delete Files... button.
    • In the next popup click OK.
    If you have multiple Java plugin icons in Control Panel follow the above to clear all their caches.


    Now let's flush the Internet Explorer Cache

    To flush your Internet Explorer Cache:
    • click Tools
    • Internet Options
    • Now on the General tab, click Delete Files and select Delete all Offline content too
    • Click OK.
    • When it finishes Click OK.

    Now go here and download SysClean:
    http://www.trendmicro.com/download/dcs.asp

    You will need to download two additional files, one for viruses and the other for spyware. Instructions for which ones to download are found here:
    http://www.trendmicro.com/ftp/products/tsc/readme.txt

    After running SysClean, attach the log from it.


    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Roberta\Local Settings\temp


    Now please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.


    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • SysClean log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Oct 23, 2008
  9. Robbi

    Robbi Private E-2

    Greetings!

    I ran the scans following your directions and everything seemed to work. The popups still occur, though they have new advertisements on them.

    I have attached the logs.

    Thank you again for all your help.
    Robbi
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not seeing anything in your logs. Let's try a rootkit scan and also a couple other things and get some additional questions answered.

    1. What browser add-ons do you have?
    2. Do you have a software firewall installed?
    3. Is your copy of Spyware Doctor a paid version and is it only the antispyware program?
    4. Do the popups occur if all of your Messenger programs are shutdown?
    Now click Start, Run, and enter sfc /scannow and click OK. There is a space after the sfc. This runs System File Checker, which looks for missing or corrupted system files and attempts to replace/repair them from files on your hard disk or from the CD if necessary. So it will ask for the Windows CD if it needs it.


    Run the below and attach the log from GMER.

    Running GMER to detect rootkits
     
