Pop Ups Ads Served By Adssite

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by flints, Dec 12, 2007.

  1. flints

    flints Private E-2

    Can't get rid of AdsSite pop ups. Also had some trouble before with Firefox
    locking up but this may have been solved by the scans.

    S&D and AVG scans done in Safe Mode but AVG couldn't delete a lot of the files.

    Windows Xp Pro & Firefox 2.0.0.11


    Thanks

    Neil
     


  2. abri

    abri MajorGeek

    Hi flints!
    Welcome to Major Geeks!

    The cookies that AVG Antispyware wasn't able to delete appear to be in your backups for an earlier version of Firefox.

    I'm looking at your logs, which can take awhile. Please be patient. There are some things that need to be gotten rid of.

    abri
     
  3. abri

    abri MajorGeek

    Hi flints!
    so sorry, this has been finished. I may have had a question about it still.

    1) Go to add/remove programs and uninstall the following:

    - Java(TM) SE Runtime Environment 6 Update 1

    2) Run HijackThis and select Do a system scan only. (HijackThis has been renamed to analyse.exe and can be found under C:\MGTools) Select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: rightonads optimizer - {10F3E8BD-257A-4702-A2F5-DC02055B068C} - C:\WINDOWS\system32\gzmrt.dll (file missing)
    O2 - BHO: Adssite Search Assistant - {1648E328-3E5A-4EA5-A9C6-E5F09EE272DA} - C:\WINDOWS\system32\adssite_sidebar.dll

    Does this have to be in your trusted zone?
    O15 - Trusted Zone: *.stumbleupon.com

    After you fix the above, just close the program.

    3) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Make sure you tell me how things are working now!


    4) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    5) Please post a fresh MGlogs.zip.

    I ran across this which may or may not be relevant to your browser locking up. It seems to be a problem related to Sunbelt Kerio Firewall. I don't know if it's relevant to your system, but thought it might interest you. You have a fwdrv.err indicating an error with your firewall.

    http://www.castlecops.com/p1032447-Sunbelt_PF_stalls_web_browsing.html

    You could test this fairly easily by uninstalling your firewall and putting in another one for a short time. At the end of our post, we give you a link to our How to Protect Yourself From Malware thread which lists several free firewalls.


    Let me know how things are running now?

    abri
     
  4. flints

    flints Private E-2

    So far everything seems Ok
    Will keep you posted

    New Mglogs.zip attached
    Will try new Firewall

    Thanks

    Neil
     


  5. abri

    abri MajorGeek

    Hi flints!

    I missed one file. Please go back to post 3 and run Avenger, only use the contents of the following box instead. Follow up with ATF Cleaner as before. Other than that your logs are clean. Check the Avenger log to make sure this one file is deleted and if so, please continue below with our final clean-up instructions. Here's the file for Avenger:
    Remember to run ATF Cleaner after Avenger.

    Here are the final clean-up instructions:
    abri
     
  6. flints

    flints Private E-2

    Still getting Ads Served by Adssite pop ups.
    They seemed to go away for a while but are back.
    Spybot S&D keeps finding
    CoolToolBar
    HKEY_USERS\S-1-5-21-436374069-1935655697-725345543-1003\Software\Microsoft\adssite
    and also Statcounter & Directtrack

    Firefox seems to run fine now.

    See Attached
    New Combofix , AVG and MGlogs files

    Thanks

    Neil
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It looks like the below was missed in the uninstall list:

    Search Assistant Adssite

    It should be uninstalled and then you should repeat the instructions from messages # 3 and # 5.
     
  8. flints

    flints Private E-2

    Removed "Search Assistant Adssite"
    and repeated instructions 3 & 5

    Ran Spybot S&D and still have CoolToolBar and Directtrack
    log attached

    New Mgtools log attached
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But why didn't you just have Spybot fix them? And by the way, cookies are not problems.

    If spybot cannot fix CoolToolBar, use the below registry patch.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    There are a few other things to do!
    First you need to disable the Guest user account. It is a security risk to leave this enabled. This is mentioned in the How to protect yourself link Abri gave to you.

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    F3 - REG:win.ini: load=
    F3 - REG:win.ini: run=
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

    After clicking Fix, exit HJT.

    Now delete the below files.
    C:\Documents and Settings\vywhuehe.txt
    C:\avexport.bat
    C:\bxlcdnuy.txt
    C:\irg^hhna.bat
    C:\qhyiuiny.txt
    C:\vmxghfvr.bat

    Now run Ccleaner!

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that were created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    10. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
     
    Last edited: Dec 21, 2007
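As an added illustration (not code from this thread, from HijackThis or from MajorGeeks), here is a small Python parser for the HijackThis line types quoted in posts 3 and 9 (O2, R3, O15, F3, O4). It turns each line into a record and attaches defender-side triage flags, such as a CLSID that is still registered while its DLL is gone, which is exactly what the "(file missing)" and "(no file)" entries above show. The sample input is constructed from the lines in this thread; the flag names are my own.

```python
import re

# Constructed sample input: the HijackThis lines quoted in this thread.
SAMPLE_HJT = """\
O2 - BHO: rightonads optimizer - {10F3E8BD-257A-4702-A2F5-DC02055B068C} - C:\\WINDOWS\\system32\\gzmrt.dll (file missing)
O2 - BHO: Adssite Search Assistant - {1648E328-3E5A-4EA5-A9C6-E5F09EE272DA} - C:\\WINDOWS\\system32\\adssite_sidebar.dll
O15 - Trusted Zone: *.stumbleupon.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F3 - REG:win.ini: load=
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] "C:\\Program Files\\Java\\jre1.6.0_03\\bin\\jusched.exe"
"""

CLSID = r"\{[0-9A-Fa-f-]{36}\}"
PATTERNS = {
    "O2": re.compile(rf"^O2 - BHO: (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<path>.*?)(?P<missing> \(file missing\))?$"),
    "R3": re.compile(rf"^R3 - URLSearchHook: (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<path>.*)$"),
    "O15": re.compile(r"^O15 - Trusted Zone: (?P<host>\S+)$"),
    "F3": re.compile(r"^F3 - REG:win\.ini: (?P<key>load|run)=(?P<value>.*)$"),
    "O4": re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<subkey>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$"),
}

def flags_for(rec):
    """Triage hints (hypothetical flag names): orphan COM registrations, zone grants, autoruns."""
    flags = []
    if rec["type"] in ("O2", "R3"):
        if rec.get("missing") or rec.get("path") == "(no file)":
            flags.append("dangling-registration")  # CLSID still registered, DLL gone
        elif "system32" in rec.get("path", "").lower():
            flags.append("bho-in-system32")  # heuristic: unfamiliar BHO DLL in system32
    if rec["type"] == "O15":
        flags.append("trusted-zone-review")  # site gets relaxed IE security settings
    if rec["type"] == "F3" and rec["value"] == "":
        flags.append("empty-winini-entry")  # harmless leftover, safe to fix
    if rec["type"] == "O4":
        flags.append("autorun")
    return flags

def parse_hjt(text):
    """Turn HijackThis lines into records; unknown line types are kept as 'unparsed'."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        kind = line.split(" - ", 1)[0]
        pat = PATTERNS.get(kind)
        m = pat.match(line) if pat else None
        if not m:
            entries.append({"type": "unparsed", "raw": line, "flags": []})
            continue
        rec = {"type": kind, **m.groupdict()}
        rec["flags"] = flags_for(rec)
        entries.append(rec)
    return entries

def dangling_clsids(entries):
    """CLSIDs whose registered file is missing: the orphans HijackThis should 'Fix'."""
    return [e["clsid"] for e in entries if "dangling-registration" in e["flags"]]
```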
  10. flints

    flints Private E-2

    Followed instructions.
    Afterwards I ran Spybot and it reported Cooltoolbar as still there and then fixed. Ran Spybot again and Cooltoolbar is still there.
    Directtracker seems to be gone.

    New MGlogs.zip attached
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you do the procedure with fixME.reg? Try again and tell me if you receive a success message about adding it to the registry.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    By the way, I just noticed that you need to disable your Guest user account. Leaving this enabled is a security risk.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I also noticed a couple of files I would like to know about. What is in the below files:

    C:\ocolaxkc.txt
    C:\pstcmogi.bat

    You can load them into any editor and paste the info back here, or you can put them into a ZIP file and attach them here. They could just be from Avenger but I want to be sure.
     
  14. flints

    flints Private E-2

    Yes, ran fixME.reg a few times and received success message each time.

    I used regedit to look at the key. The key was gone; then, after a few minutes, I refreshed the view and just the key name was there with no value. I refreshed again a few minutes later and the key was back with about 25 entries.

    Turned off Guest account

    Tried fixMe.reg again. Maybe it's just coincidence but the key came back as soon as I rebooted Firefox.

    Trouble with Major Geeks uploads right now

    ocolaxkc.txt

    Files to delete:

    C:\WINDOWS\system32\rightonadz-uninst.exe


    pstcmogi.bat
    @ECHO OFF
    cd %systemdrive%\
    type %systemdrive%\avenger\*.reg >> %systemdrive%\backup.reg
    del /q %systemdrive%\avenger\*.reg
    if exist %systemdrive%\avenger\backup*.zip move /y %systemdrive%\avenger\backup*.zip %systemdrive%\
    if exist %systemdrive%\backup.zip move /y %systemdrive%\backup.zip "%systemdrive%\backup-%date:/=.%-%time::=.%.zip"
    move /y backup.reg %systemdrive%\avenger\
    copy /y avenger.txt %systemdrive%\avenger\
    for %%a in (c d e f g h i j k l m n o p q r s t u v w x y z) do if exist %%a:\avenger attrib -r -h -s %%a:\avenger\* /S /D & zip -r -u -m "%systemdrive%\backup.zip" %%a:\avenger\* & rmdir /q /s %%a:\avenger
    mkdir %systemdrive%\avenger
    move /y backup*.zip %systemdrive%\avenger\
    del zip.exe
    del avexport.bat
    del reboot.exe
    del reboot.bat

    echo REGEDIT4 >> rem.reg
    echo. >> rem.reg
    echo [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] >> rem.reg
    echo "skqopakg"=- >> rem.reg
    regedit.exe /s rem.reg
    del rem.reg
    del C:\WINDOWS\system32\drivers\qbhesfrg.sys
    start notepad.exe avenger.txt
    del "C:\pstcmogi.bat"
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Maybe not! I have seen this referred to before. Check to see what Addons you have in FireFox.


    Those two files were from Avenger and you can delete them.
     
  16. flints

    flints Private E-2

    Firefox started locking up and not shutting down properly again plus the adsite pop ups were getting worse. It was also a problem for all users.

    Ran fixMe.reg and tried running Firefox in Safe Mode; same problem.

    Then I uninstalled Firefox with the Control Panel Add/remove and ran fixMe.reg, reinstalled Firefox and still the same problem.

    Then I uninstalled Firefox with the add/remove plus I deleted the "C:\Program Files\Mozilla Firefox" directory.
    I left the "C:\Documents and Settings\XXXX\Application Data\Mozilla " directory intact.

    Then I searched and deleted all instances of adssite in the registry with regedit. There were 3.

    I reinstalled Firefox.

    This seemed to solve the Adssite pop-up problem plus the Firefox lockup and shutdown problem.
     
  17. abri

    abri MajorGeek

    flints!
    Thanks very much for reporting back on this one. As Firefox is getting more popular, it's starting to come under attack. For a homework assignment, you might try out Opera and see how you like it. At the moment, it has the best security rating of all the browsers, although... I'm still partial to Firefox. If you haven't visited the downloads page of MajorGeeks, it's at http:\\www.majorgeeks.com where you will find the button to the browsers over on the left side of the page.

    Also, please complete all the final cleanup instructions in post # 9 so you end up with a clean restore point.

    Good luck!
    :)
    abri
     
