Getting lots of pop-ups

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Juan_M, Sep 19, 2006.

  1. Juan_M

    Juan_M Private E-2

    Hello all!

    I'm a bit desperate trying to figure out what's wrong with my PC. All of a sudden, I get a lot of pop-ups and no matter how many times I run adaware or ewido, it always finds something. I'm attaching the hijackthis log, would anyone please take a look at it and let me know what you see?

    Thanks!

  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi and Welcome

    Do the popups have any names?

    While Hijackthis is a good tool for locating browser hijacks and the like, it will not find all malware or popups on your PC. Also, as some sneaky malware hides itself from Hijackthis scans, the main executable of hijackthis needs to be re-named, so the best option is to follow the guide below,

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.


    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy - ONLY IF you were not able to run Windows Defender
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. Juan_M

    Juan_M Private E-2

    Thanks a lot! That's a lot of stuff I have to do!!! I'll get to it when I get home tonight and will be back with the results.

    Thanks!
     
  4. Juan_M

    Juan_M Private E-2

    Hello again!

    Well, I followed all the directions and got all the reports. The post said I should report any exceptions to the whole process, so here I go:

    When I ran Spy & Bot, it reported it couldn't delete some of what it found because it was "in memory" so I had to reboot in normal mode and let Spy Bot scan during startup. I did so.

    Counter Spy, Windows Defender, Bit defender and Panda couldn't be run in Safe Mode; I didn't have an internet connection even though I re-started in safe mode with networking.

    At this point, I still get pop-ups, the most common is Disk Cleaner. Also Party Poker and stuff like that. And I notice they show up when I click to move from one website to another.

    The last thing I see is that right after my desktop shows up after I turn on the PC, Internet Explorer opens with this on the address field:

    http://iesettingupdate/

    It also shows it can't find that website.

    Well, I'm going to attach the logs, please let me know what to do next.

    Thank you,

  5. Juan_M

    Juan_M Private E-2

    the last two logs

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot to attach a new HJT log from after running the procedure. However before doing that, let's complete the below steps first.

    Copy the bold text below to notepad. Save it as fixWLK.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now reboot your PC into Safe Mode and run Windows Explorer to locate and delete the below:
    C:\Documents and Settings\Juan\Application Data\asembl~1\winword.exe
    C:\Documents and Settings\Juan\Application Data\a?sembly\winword.exe
    C:\WINDOWS\fpvgjetA.exe
    C:\WINDOWS\system32\0mcamcap.exe
    C:\Program Files\Common Files\Yazzle1264OinAdmin(2).exe
    C:\Program Files\Common Files\Yazzle1264OinAdmin.exe

    Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot into normal mode

    Now attach a new HJT log and tell me how the steps went.

    Also attach a new log from ShowNew and a new log from GetRunKey.

    Make sure you tell me how things are working now!
     
  7. Juan_M

    Juan_M Private E-2

    Thanks so much for your help, it's much appreciated. And I'm sorry for forgetting to attach the log the first time.

    Ok, I followed the steps you gave me but I couldn't find two of the files you asked me to delete:

    C:\Documents and Settings\Juan\Application Data\asembl~1\winword.exe
    C:\WINDOWS\system32\0mcamcap.exe

    I did delete the others.

    When I rebooted on normal again, the pop-up that always shows up after start up wasn't there and I've been surfing for a few minutes with both Explorer and SBC Yahoo browser and I haven't got pop-ups so far.

    I'm attaching now the fresh logs you requested. Thanks again

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay but see if you can locate the ones below from your newfiles.txt log. The ones we are concerned with show ?? in the folder names and were created on Sept 19th. Ignore the other folder names. I'm just showing them so you can get a feel for what you are looking at. The ones you care about are "??stem" and the ?? characters could be anything but it may translate into "system". Let me know what you find. DON'T DO ANYTHING. There is supposed to be a System folder in the C:\Program Files\Common Files\ folder but it probably has an older date. So you may see two folders that look like they have the same name but they really do not.
    Code:
    "C:\Program Files\"
    2WIRE         Sep 17 2006              "2Wire"
    AUDACITY      Jul 17 2006              "Audacity"
    BROADJ~1      Sep 17 2006              "BroadJump"
    CCLEANER      Sep 19 2006              "CCleaner"
    EWIDOA~1.0    Sep 16 2006              "ewido anti-spyware 4.0"
    FELLOWES      Aug 14 2006              "Fellowes"
    FXPANS~1      Jun 29 2006              "FXpansion"
    HIJACK~1      Sep 17 2006              "Hijackthis"
    ILLUST~1      Jul 16 2006              "Illustrate"
    LAVASOFT      Sep 21 2006              "Lavasoft"
    SBC           Sep 17 2006              "SBC"
    SPYBOT~1      Sep 19 2006              "Spybot - Search & Destroy"
    SUNBEL~1      Sep 20 2006              "Sunbelt Software"
    UNINST~1      Sep 18 2006              "Uninstall Information"
    VOXENGO       Jul 17 2006              "Voxengo"
    WINDOW~3      Aug 13 2006              "Windows Defender"
    STEM~1        Sep 19 2006              "??stem"
     
    "C:\Program Files\Common Files\"
    YSTEM~1       Sep 19 2006              "?ystem"
    
     
  9. Juan_M

    Juan_M Private E-2

    Thank you again for your help.

    Well, there are two folders that look similar inside of the C:\Program Files\Common Files\ folder. One is called system, created on 9/19, but it's empty.
    There's a second folder called System (with capital S), created on March/05 and has these files:

    directdb.dll
    wab32.dll
    wab32res.dll

    and these folders:

    3YGLKwhbXag5
    ado
    AlWelVXM
    gnADK0guCy
    H2HiEMG2S2Km
    Mapi
    msadc
    Ole DB
    wVIG9kH3g3xcH


    Let me know if I need to do anything else.

    Thank you,
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Delete the one dated 9/19.

    But what about the ??stem folder in C:\Program Files
     
  11. Juan_M

    Juan_M Private E-2

    It looks like it's gone too! It's weird that all of a sudden all those files and folders are gone. I guess those scans deleted them?!
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not according to your last ShowNew log. Attach a new log and also look at it yourself to see if the lines still show up.
     
  13. Juan_M

    Juan_M Private E-2

    Well, here I am posting a new log, and I don't see that file... of course, I'd never really looked at this kind of file before so I might have missed it.

    Thanks!

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes they are gone now!

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
