Please Help - Annoying Popups

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Hyperknight, Mar 12, 2006.

  1. Hyperknight

    Hyperknight Private E-2

    Hi Fellow Geeks,

    I came home to a malware-ridden computer this weekend and I've spent the whole day trying to destroy all the spyware in my system :mad: . Overall, I've managed to clean "most" of the stuff out but I think I still may have some lingering pests because I do get a few pop ups once in a while when I open my Internet Explorer. Also, I can't help but think that my computer is somewhat slower than before...

    I ran all the steps to your READ & RUN ME FIRST post so here are the resulting attached logs. Please help!

    Thanks!
     

    Attached Files:

  2. Hyperknight

    Hyperknight Private E-2

    OK, I think I narrowed the pop ups to be generated from some "www.click2begin.com" URL. Any idea how to get rid of this? I know I've got some sort of stubborn rogue spyware that won't stop downloading stuff.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    It is a very bad idea to run without an antivirus and without a firewall like you are running!

    You have a tricky infection in there and I want you to run another scanning tool which we have good success with on removing this problem. Run the steps in the link below and attach the spysweeper.txt log when finished.

    Running Spy Sweeper

    Then also attach a new HijackThis log.
     
  4. Hyperknight

    Hyperknight Private E-2

    Thanks Chaslang for the warm welcome and helping me with this issue!

    I didn't have my virus scanner installed nor my firewall application when I reformatted my computer - hence this issue!

    Anyhow, I ran SpySweeper and it did find some adware but I don't think it got rid of this pesky spyware downloader because I'm still seeing that "click2begin" pop up after I open IE every time. I've attached the relevant SpySweeper log and the HJT log after I ran the scan.

    Thanks!
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks like Spy Sweeper would not let you update the definitions. Did you have a version of Spy Sweeper installed on this PC at some other time?

    We are going to have to do this the old manual way. First let's start by uninstalling Spy Sweeper since you cannot update it anyway.

    Now run the steps in the below link and attach the three requested logs. (Note it asks for an HJT log too but we don't need that right now).

    Qoologic/Winsync/Kavsvc

    These are scans to look for hidden bad processes. They will not fix anything. They just give us information so we can work up a fix.
     
    Last edited: Mar 14, 2006
  6. Hyperknight

    Hyperknight Private E-2

    Hmmm, that's weird - Spy Sweeper successfully updated my definitions though, it never gave me that message I see in the log. I don't recall if I had a previous version before.

    Anyhow, I'll run those three scans later on after work and post the logs.

    Thanks!!
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well you could try updating SpySweeper one more time to see if you really can get the current definitions. I forget the current definitions number but it is either well into the 6 hundreds or it may have crossed 700 now. Newer definitions used to fix some of the problems you have.
     
  8. Hyperknight

    Hyperknight Private E-2

    Yep, so I re-scanned with SpySweeper and attached the log. It is updated to the most recent definitions (v633). Unfortunately, it only found cookies and did not get rid of the downloader.

    I've also run the following three scans as instructed: Qoologic / RKTool / WinPFind. Please see the attached logs as well.

    I only ran the RKTool in safe mode as instructed, the rest of the scans I did with my normal computer settings...hope that is ok.

    Thanks!
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not true! Your scan with V632 fixed a load of stuff that your 1st scan (previously posted log) did not. Then your scan with V633 only found minor issues.

    I'll check your logs out later. In a rush right now and gotta run. But since SpySweeper did fix a bunch of things now, please attach a new HJT log.
     
  10. Hyperknight

    Hyperknight Private E-2

    Ok, here's the HJT log after I ran the SpySweeper for the second time. I took a quick glance and it looked pretty much identical to the HJT log I ran previously after the first SpySweeper run.

    I've also been noticing that my IE has been bombarded with "quick links" to every web site I visit. This adware randomly selects keywords on any given web site and associates a quick link to them... annoying :(
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later. Do not run it yet.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nst20.dll
    O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\s4slkd.exe reg_run
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\PartyPoker\IEExtension.dll
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\PartyPoker\IEExtension.dll

    After clicking Fix, exit HJT.

    Now run Pocket Killbox by double clicking on killbox.exe

    Place a check next to [x]delete on reboot
    Copy the whole below list into the windows clipboard, all the Bolded below.
    C:\WINDOWS\NLQVBP.DAT
    C:\WINDOWS\system32\nst20.dll
    C:\WINDOWS\soft.exe
    C:\WINDOWS\system32\s4slkd.exe

    Back in Killbox, Click > File > paste from clipboard,
    Click the all files button > Click the red highlighted X button and say yes to the prompt to restart the pc.

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.


    After that restart, copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now attach a new HJT log.

    Make sure you tell me how these steps went and how things are working now!
     
  12. Hyperknight

    Hyperknight Private E-2

    Thanks! All the explicit steps you listed worked like a charm, no hiccups :)

    I've attached the subsequent HJT log right after merging the registry update and rebooting. Right away, I notice that the "friendly green links" that would attach itself to text on web sites have disappeared in IE.

    Unfortunately, I am still getting the annoying pop up window that appears when I first open IE and when I navigate to other web sites. Any ideas about this stubborn pop up?
     

    Attached Files:

  13. Hyperknight

    Hyperknight Private E-2

    On second reboot - I've found out that I'm back to square one. I'm now still seeing the "green links" on text to web sites and this time, new shortcuts on my desktop linking to "Free Gas" / "Virus Hunter" / etc. Not to mention my stubborn pop-up...

    I did an Adaware scan and found out that I've got Begin2Search adware and a few other possible browser hijackers. This is some super tricky infection I've got :mad:
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's because you did not get the items fixed completely and you picked up some new problems too.

    Uninstall Spy Sweeper & MS Windows Defender (they could be getting in the way of fixes now). Then go to the below link and refer to step 3 and install ZoneAlarm Free firewall and disable the Windows XP firewall. You need a real firewall to help block some of this crud.

    How to Protect yourself from malware!

    Now after installing the firewall reboot (if it did not already ask you to reboot). Then run the steps below.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWS\system32\nspF.dll
    O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmrsip.dll
    O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\system32\nsm6.dll
    O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe


    After clicking Fix, exit HJT.

    Now run Pocket Killbox by double clicking on killbox.exe

    Place a check next to [x]delete on reboot
    Copy the whole below list into the windows clipboard, all the Bolded below.
    C:\WINDOWS\system32\nspF.dll
    C:\WINDOWS\system32\irsmrsip.dll

    C:\WINDOWS\system32\nsm6.dll
    C:\WINDOWS\system32\irssyncd.exe

    Back in Killbox, Click > File > paste from clipboard,
    Click the all files button > Click the red highlighted X button and say yes to the prompt to restart the pc.

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now attach a new HJT log.

    Make sure you tell me how these steps went and how things are working now!
     
    Last edited: Mar 17, 2006
  15. Hyperknight

    Hyperknight Private E-2

    Ok, downloaded ZoneAlarm and it protected me from "irssyncd.exe" accessing the Internet immediately.

    Ran HJT and deleted the following:
    O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmrsip.dll
    O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe

    HJT did not find the following though:
    O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWS\system32\nspF.dll
    O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\system32\nsm6.dll

    Please see the attached HJT after this fix. I am still seeing pop ups but in a lesser degree than before. Green "sponsored" links are still appearing when I visit web sites.
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's because it is changing names all the time. You have to watch for it.

    Have HijackThis fix the below two lines (make sure browsers are closed before fixing):

    O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nspC.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing).exe

    Then exit HJT:
    If the O2 BHO line is not there, look for a similar one!

    Then reboot into safe mode and delete:
    C:\WINDOWS\system32\nspC.dll

    Then empty your Recycle Bin.

    Now reboot in normal mode and attach a new HJT log. Also tell me how things are working. At this point DO NOT power down or reboot. If you are still infected it may be renaming itself, thus making my directions wrong each time you come back to read them.
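    chaslang's point above, that the BHO keeps changing its DLL name while its CLSID stays the same, is something a defender can check for in a script. The block below is an added example and not part of this thread or of any MajorGeeks tool: it parses HijackThis-style O2/O4/O20 lines and flags entries by CLSID and autorun name rather than by file name. The known-bad CLSIDs and autorun names are the ones quoted in this thread; the ns*.dll heuristic, the sample log, and the all-zero/all-ones CLSIDs in it are constructed for illustration.

```python
from __future__ import annotations
import re

# CLSIDs quoted in this thread. The DLL behind the first one was renamed
# nst20.dll -> nspF.dll -> nspC.dll, but its CLSID never changed.
KNOWN_BAD_CLSIDS = {
    "{23FB5ADD-DA37-4A40-9FC0-B0E2384CDE92}",  # "web compressor"
    "{55BE9F0D-6CAF-4C3E-B125-5A13A8C9D0EC}",  # "wb"
    "{9ADE0443-2AB2-4B23-A3F8-AC520773DE12}",  # "ohb"
    "{70F6A776-579A-4C95-BA88-134253907752}",  # "RieMon Class"
}
KNOWN_BAD_RUN_NAMES = {"winsync", "irssyncd"}  # O4 loaders named in the thread

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - HK[A-Z]+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
# Constructed heuristic for the renaming pattern seen here: a short ns*.dll in system32.
RANDOM_DLL_RE = re.compile(r"\\system32\\ns[a-z0-9]{1,6}\.dll$", re.IGNORECASE)


def check_line(line: str) -> tuple[str, str] | None:
    """Return (line, reason) if an HJT log line looks bad, else None."""
    line = line.strip()
    if m := O2_RE.match(line):
        if m["clsid"].upper() in KNOWN_BAD_CLSIDS:  # match on CLSID, not file name
            return line, f"known-bad BHO CLSID {m['clsid']}"
        if RANDOM_DLL_RE.search(m["path"]):
            return line, "heuristic: BHO loads a short random-looking DLL from system32"
    elif m := O4_RE.match(line):
        if m["name"].lower() in KNOWN_BAD_RUN_NAMES:
            return line, f"autorun [{m['name']}] is a loader named in the thread"
    elif m := O20_RE.match(line):
        if "(file missing)" in m["path"]:
            return line, "orphaned Winlogon Notify entry (file missing)"
    return None


def scan_log(text: str) -> list[tuple[str, str]]:
    return [f for f in map(check_line, text.splitlines()) if f]


# Constructed sample log: two entries copied from the thread, one BHO with a
# made-up CLSID but the same ns*.dll naming, plus two benign-looking lines.
SAMPLE_LOG = """\
O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\\WINDOWS\\system32\\nspC.dll
O2 - BHO: wb - {00000000-1111-2222-3333-444444444444} - C:\\WINDOWS\\system32\\nsq9.dll
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Example\\helper.dll
O4 - HKLM\\..\\Run: [winsync] C:\\WINDOWS\\system32\\s4slkd.exe reg_run
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""
```

    Calling scan_log(SAMPLE_LOG) returns four findings: the two thread entries, the renamed ns*.dll heuristic hit, and the orphaned Winlogon Notify line; the two benign lines pass.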
     
  17. Hyperknight

    Hyperknight Private E-2

    OK, I think we've finally nailed it *crosses fingers*

    Did what you instructed and fixed the following two files in HJT:
    O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nspC.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing).exe

    Rebooted into safe mode but couldn't find nspC.dll to delete. HJT may have deleted the file?

    Rebooted back into normal mode and everything looks good so far. I will continue to monitor and I've attached the current HJT log.
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  19. Hyperknight

    Hyperknight Private E-2

    Thanks Chaslang! I guess we can officially close this thread, I have not had any issues since - appreciate all the assistance!
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
