Pop-Ups and Slowness

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by theruleofthree, Mar 1, 2006.

  1. theruleofthree

    theruleofthree Private E-2

    Hey Guys. I'm new here and was directed by a friend who spoke very highly of the expertise here. I'm hoping you can help me out.

    My computer has been odd lately. I play a lot of Counter Strike: Source. My friend has a laptop that is basically a lot lower quality than mine, yet he manages to get higher pings, better FPS, etc. I have random pop-ups constantly on my computer, sometimes just a blank "This Page Cannot Be Displayed," other times with random advertisements for everything from horoscopes to groceries. My computer is laggy and slow at times, and even though it's a laptop, it should be much faster with an AMD64 Athlon, ATI Mobility Radeon 9600, Windows XP and 512 RAM.

    So I went through and did all the CCleaner, Adaware, Spybot, BDScan stuff. Attached are my BDScan log and my HijackThis Log file. Please let me know any suggestions or answers you have. When I ran HJ, I didn't have it fix anything... figured I would wait to see what you all thought.

    Thanks again. Let me know if you need any other info!
     


  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  3. theruleofthree

    theruleofthree Private E-2

    Alright. Well I did everything, but I'm still getting popups. For the record, they say stuff like "Search Inquire" and other crap. Anyway, attached are the Ewido and HJT logs.

    Please let me know what else you want me to do!
     


  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You skipped the "Uninstall Malware via Add/Remove Programs" thread, so this fix is going to be long.

    Please look in Add/Remove Programs for the following and uninstall them if found:

    Ewido

    ICOO Loader

    Wild Tangent

    Viewpoint

    SurfAccuracy

    ISTsvc

    Internet Optimizer

    WinFixer2005

    WeatherBug

    eZula

    GAIN


    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp

    R3 - Default URLSearchHook is missing

    O2 - BHO: ICOOExternal Class - {0519A9C9-064A-4cbc-BC47-D0EACD581477} - C:\Program Files\ICOO Loader\addons\icooue.dll
    O2 - BHO: ICOODManager Class - {465A59EC-20E5-4fca-A38A-E5EC3C480218} - C:\Program Files\ICOO Loader\addons\icoou.dll

    O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
    O4 - HKLM\..\Run: [Search Bar] C:\WINDOWS\searchbar.exe
    O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
    O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [IqFn8O] C:\WINDOWS\frsns.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
    O4 - HKLM\..\Run: [Client Update] C:\WINDOWS\wup.exe
    O4 - HKCU\..\Run: [WinFixer2005] C:\Program Files\WinFixer2005\uwfx5.exe /scan
    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
    O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe

    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

    O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.3.1.cab
    O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} (Installer Class) - http://downloads.shopathomeselect.com/godspeed/grinstall_gsm1009_sp2.cab
    O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c9.cab

    Again, make sure ALL browser windows are closed when you click FIX.

    Now, please boot into Safe Mode, and be sure you have viewing of hidden files & folders enabled per the tutorial. Then navigate to and DELETE the following if they still remain:

    Manually locate and delete each of the folders below!

    C:\WINDOWS\wt
    C:\Program Files\ISTsvc
    C:\Program Files\AWS
    C:\Program Files\eZula
    C:\Program Files\Viewpoint
    C:\Program Files\ICOO Loader
    C:\Program Files\SurfAccuracy
    C:\WINDOWS\system32\nsvsvc
    C:\Program Files\WinFixer2005
    C:\Program Files\Internet Optimizer
    C:\Program Files\Common Files\GMT
    C:\Program Files\Common Files\CMEII

    C:\WINDOWS\wup.exe

    C:\WINDOWS\frsns.exe

    C:\WINDOWS\searchbar.exe

    Next, run CCleaner to clean up cookies and temp files.

    Finally, I would like you to flush your System Restore points. Please follow the instructions in the link below:

    • Disable and Re-enable System Restore

    • Turn OFF System Restore to flush any bad Restore Points.

    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.

    After you complete the above, reboot once more and then scan with HijackThis and attach the new log.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
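The fix list above is a manual triage of autostart locations: Run keys (O4), Browser Helper Objects (O2), ActiveX download units (O16) and Add/Remove Programs entries. The script below is an added example, not code from the thread, from HijackThis or from MajorGeeks: it reads the same registry locations on a live machine and flags any entry that matches the paths and product names bjgarrick listed for removal. It assumes Windows PowerShell 5.1 or later run as an administrator on a modern Windows host (the keys are the same ones XP used); the `$Indicators` strings are the only case-specific input and are taken from the fix list above.

```powershell
# Added example, not part of the thread or of HijackThis. Enumerates the
# autostart locations behind the O2/O4/O16 lines and the Add/Remove Programs
# list, and flags entries matching the names bjgarrick told the poster to remove.
# Assumes Windows PowerShell 5.1+, elevated. $Indicators comes from the fix list.
$Indicators = @(
    'ICOO Loader', 'SurfAccuracy', 'ISTsvc', 'Internet Optimizer', 'WinFixer2005',
    'ezula', 'Viewpoint', '\AWS\', 'nsvsvc', 'Media Gateway', '\CMEII\', '\GMT\',
    '\wt\updater', 'searchbar.exe', 'frsns.exe', 'wup.exe', 'zangocash', 'shopathomeselect'
)

function Test-Indicator {
    param([string]$Text)
    foreach ($i in $Indicators) {
        if ($Text.IndexOf($i, [StringComparison]::OrdinalIgnoreCase) -ge 0) { return $true }
    }
    return $false
}

# Pull the file out of a Run value such as  "C:\x\y.exe" /scan  or  C:\x\y.exe 1
function Get-ImagePath {
    param([string]$Command)
    $c = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($c -match '^"([^"]+)"')                  { return $Matches[1] }
    if ($c -match '^(.+?\.(exe|dll|sys))(\s|$)') { return $Matches[1] }
    return $c
}

function New-Finding {
    param([string]$Type, [string]$Location, [string]$Target, [string]$Name = '')
    $file   = Get-ImagePath $Target
    $exists = $null                                  # stays $null for URLs and empty values
    if ($file -match '^[A-Za-z]:\\') { $exists = Test-Path -LiteralPath $file }
    [pscustomobject]@{
        Type       = $Type
        Location   = $Location
        Target     = $Target
        FileExists = $exists
        Flagged    = (Test-Indicator $Target) -or (Test-Indicator $Name)
    }
}

function Get-AutostartFindings {
    # O4: Run keys for the machine and the current user
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    $psNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $psNoise) { continue }   # provider metadata, not registry values
            New-Finding -Type 'O4' -Location "$key\$($p.Name)" -Target ([string]$p.Value)
        }
    }
    # O2: Browser Helper Objects; the DLL is the CLSID's InprocServer32 default value
    $bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    foreach ($clsid in Get-ChildItem -Path $bhoKey -ErrorAction SilentlyContinue) {
        $srv = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$($clsid.PSChildName)\InprocServer32" -ErrorAction SilentlyContinue
        New-Finding -Type 'O2' -Location "$bhoKey\$($clsid.PSChildName)" -Target ([string]$srv.'(default)')
    }
    # O16: ActiveX download units ("DPF"); CODEBASE is the URL the CAB was fetched from
    $dpfKey = 'HKLM:\Software\Microsoft\Code Store Database\Distribution Units'
    foreach ($unit in Get-ChildItem -Path $dpfKey -ErrorAction SilentlyContinue) {
        $dl = Get-ItemProperty -Path "$dpfKey\$($unit.PSChildName)\DownloadInformation" -ErrorAction SilentlyContinue
        New-Finding -Type 'O16' -Location "$dpfKey\$($unit.PSChildName)" -Target ([string]$dl.CODEBASE)
    }
    # Add/Remove Programs entries, so the uninstall-first step can be checked as well
    $arpKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
               'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($key in $arpKeys) {
        foreach ($u in Get-ChildItem -Path $key -ErrorAction SilentlyContinue) {
            $e = Get-ItemProperty -Path $u.PSPath
            if ($e.DisplayName) {
                New-Finding -Type 'ARP' -Location "$key\$($u.PSChildName)" `
                    -Target ([string]$e.UninstallString) -Name ([string]$e.DisplayName)
            }
        }
    }
}

Get-AutostartFindings | Sort-Object Flagged -Descending |
    Format-Table Type, Flagged, FileExists, Target -AutoSize
```

`FileExists` is the check worth reading before clicking FIX: a Run value whose target is already gone (like the WeatherBug O9 button marked "file missing" above) is harmless residue, while a flagged entry whose file still exists is the one that needs Safe Mode deletion afterwards.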
     
  5. theruleofthree

    theruleofthree Private E-2

    Alright.. Well I'm going through and doing this now. I just wanted to post that the only programs on my program list were

    Ewido
    ICOO Loader

    And anytime I've EVER tried to uninstall Weatherbug, I get an error that says "Could not load INSTALL.LOG."

    Anyway, I'm gonna do everything else now.
     
  6. theruleofthree

    theruleofthree Private E-2

    I just went through in safe mode to manually delete the files and folders as directed, and the only ones there were the following:

    AWS
    VIEWPOINT
    ICOO LOADER


    So I deleted those.

    Ok, going onto the next step...
     
  7. theruleofthree

    theruleofthree Private E-2

    Alright. Well it seems like it's alright now, but I just now got this popup... maybe you know what it is? Something about "You may have been infected by the Blackworm Virus. Click OK to prevent any further MalWare infection."

    I don't know... anyway, here is the HJT log. Thanks!
     


  8. theruleofthree

    theruleofthree Private E-2

    For what its worth, I'm still getting popups, although they are not as frequent. They really only occur when I have a browser open, although I use Firefox as my browser and the popups are always IE.

    Any other ideas?
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log looks good, let's get a little deeper to see if anything is hiding.

    Please see the below thread on how to run WinPfind and attach the log.
     
  10. theruleofthree

    theruleofthree Private E-2

    Attached is the WinPFind Log.

    *crosses fingers*
     


  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download AproposFix© by Swandog46

    Save it to your desktop or to another folder of its own, but do NOT run it yet!

    Now reboot your computer in Safe Mode! (You must be in safe mode or this fix will not work.)

    Once in Safe Mode, double-click aproposfix.exe, which will give you a choice of where to unzip/install the program to. This is called the Destination folder in the window that pops up. So either install it to the Desktop or the folder where you downloaded the aproposfix.exe file to. It will create a new folder named aproposfix. Open the aproposfix folder and double click on RunThis.bat to run the fix. Follow the prompts.

    When the tool is finished, reboot back into normal mode, and post the entire contents of the log.txt file that has been created in the aproposfix folder.
     
  12. theruleofthree

    theruleofthree Private E-2

    Here is the Apropos log... I wasn't sure how long it was supposed to run; it seemed rather quick... anyway, here ya go.

    Log of AproposFix v1.1

    ************

    Running from directory:
    C:\Documents and Settings\Brock Aun\Desktop\aproposfix

    ************



    Registry entries found:

    [HKEY_LOCAL_MACHINE\Software\CpXe6AE9hX95]
    @="hs58v 2EFFEFFGFmvx:7w5EFFEUHFoafVgokF6C67w0LKFv5 9w56F010 36wuG6C6"
    "Device"="\\\\.\\Udflter"
    "DriverPath"="C:\\WINDOWS\\system32\\drivers\\mnmipsec.sys"
    "DriverName"="Parudio"
    "HideUninstallerName"="C:\\Program Files\\Mire k++\\cfgils.exe"
    "UninstallerPath"="C:\\WINDOWS\\system32\\ctlship6.exe"
    "UninstallerRegKey"="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{872DB474-11B1-431F-A173-10F02591C61D}"
    "UninstallerParams"="/CTUN"
    "HDll"="C:\\WINDOWS\\system32\\ifmicdll.dll"
    "ServerAddress"="adchannel.contextplus.net"
    "LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
    "PartnerId"="CP.IST2"
    "InstallationId"="{Xbfe402a-a8a2-6084-b30f-c2cd6dbd357d}"
    "PageFiltering"=dword:00000001
    "CrMnTmt"=dword:0036ee80

    ************

    Removing hidden service:
    Service Parudio removed.

    Removing hidden folder:






    That's all. Did I close it too early or was that all it runs?
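The log above records a service ("Parudio") and driver that the earlier HijackThis and WinPFind passes did not show, and AproposFix reports it as a hidden service. A quick way to look for that class of problem without a special-purpose tool is a cross-view comparison: list services from the raw registry and from the Service Control Manager, and inspect any name that appears in only one view. The script below is an added example, not code from the thread or from AproposFix; it assumes Windows PowerShell 5.1 or later run as an administrator, and compares names only, so an empty result means "no disagreement between the two views", not "clean".

```powershell
# Added example, not part of the thread or of AproposFix: cross-view check for
# hidden services like the "Parudio" entry in the log above. Something that
# hides a service usually filters one view (registry enumeration or the SCM)
# and not the other. Assumes Windows PowerShell 5.1+, run elevated.

# Turn a raw ImagePath value into a filesystem path. Drivers are registered as
# System32\drivers\x.sys, \SystemRoot\System32\drivers\x.sys or \??\C:\...\x.sys;
# services may carry arguments after the executable.
function Resolve-ImagePath {
    param([string]$ImagePath)
    if (-not $ImagePath) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim().Trim('"')
    if ($p -match '^(.+?\.(sys|exe|dll))(\s|$)') { $p = $Matches[1] }
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-ServiceViews {
    # View 1: the registry, keeping only keys that carry a service Type value
    # (keys without Type are parameter containers such as WinSock2, not services)
    $registry = @{}
    foreach ($k in Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $k.PSPath -ErrorAction SilentlyContinue
        if ($null -ne $props.Type) { $registry[$k.PSChildName] = $props }
    }
    # View 2: the Service Control Manager via WMI (Win32 services plus kernel drivers)
    $scm = @{}
    foreach ($s in @(Get-CimInstance Win32_Service) + @(Get-CimInstance Win32_SystemDriver)) {
        $scm[$s.Name] = $s
    }
    [pscustomobject]@{ Registry = $registry; Scm = $scm }
}

function Compare-ServiceViews {
    $v = Get-ServiceViews
    foreach ($name in $v.Registry.Keys) {
        if ($v.Scm.ContainsKey($name)) { continue }
        $path   = Resolve-ImagePath $v.Registry[$name].ImagePath
        $onDisk = if ($path) { Test-Path -LiteralPath $path } else { $false }
        $sig    = if ($onDisk) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
        [pscustomobject]@{
            Name = $name; View = 'registry only'; Type = $v.Registry[$name].Type
            Start = $v.Registry[$name].Start; ImagePath = $path; OnDisk = $onDisk; Signature = $sig
        }
    }
    foreach ($name in $v.Scm.Keys) {
        if ($v.Registry.ContainsKey($name)) { continue }
        [pscustomobject]@{
            Name = $name; View = 'SCM only'; Type = $null; Start = $null
            ImagePath = $v.Scm[$name].PathName; OnDisk = $null; Signature = 'n/a'
        }
    }
}

# Every row is a disagreement between the two views, not a verdict. A hook that
# filters both paths produces an empty table, so the authoritative check is
# offline: boot clean media, load the SYSTEM hive and compare against this list.
Compare-ServiceViews | Format-Table -AutoSize
```

A registry-only row whose driver file exists on disk but is unsigned (`Signature` of `NotSigned`) and has a boot or system start value is the shape of the entry in the log above; a "SCM only" row is usually a service installed since the registry view was read and is rarely interesting on its own.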
     
  13. theruleofthree

    theruleofthree Private E-2

    Ok, ignore that previous post. I went ahead and did it again and got the full log of the full scan, as well as a new HijackThis log.

    Attached are both.

    Let me know what else I need to do next!
     


  14. theruleofthree

    theruleofthree Private E-2

    Anyone? Haha.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    BJ may not be around for a couple days!

    Are you still having problems? It looks like AproposFix worked. This time.
     
  16. theruleofthree

    theruleofthree Private E-2

    I think things are better... I haven't had any popups since the fix. Although I'm wondering if there is anything else I can do to check, since throughout this whole process I was made aware of several things on my computer that I didn't even know were hiding back there.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It should not be necessary at this point, but there are other tools to use to look for more. Each tool can typically find a few things (even though some items found are minor) that the others do not. But I don't think it is really necessary unless you are having problems. What you should now do, since you are clean, is the below:

    It is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work through the below link:

    How to Protect yourself from malware!
     
