Unable to remove Malware causing web popups

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by emzyme, Feb 11, 2006.

  1. emzyme

    emzyme Private E-2

    Hi,

    I would be grateful if someone could assist me in finally ridding my PC of annoying malware that launches web browsers with adverts and popups.

    I have followed all the directions in the sticky post at the top of this forum. I ran them all in the order that was detailed and most of them continually found threats and evil programs and I was told they were deleted too. I still seem to have this elusive one that refuses to go away and I am not sure what it is called either.

    As well as the removal programs mentioned I also ran spy sweeper to see if that found it and it didn't. I ran all these programs in safe mode on my PC which is running Windows 2000.

    I successfully ran the online scan with bitdefender which also found things but for some reason the panda scan wouldn't run because of some object not found script errors in internet explorer.

    I've got the result of the bit defender scan and the hyjack this attached and I was wondering if someone could tell me what is causing the popups and how I can get rid of it.

    Many thanks,

    Emma
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to MGs Emma!

    You have several problems. One of which is a Look 2 Me infection. Let's try to fix it first.

    Run the steps in Look2Me VX2 Removal and attach the two requested logs. Afterwards also attach a new HJT log.

    Question: Are you a paid subscriber to SpySweeper and do you keep it up to date? What version of the software are you running and what is the detections file version?
     
  3. emzyme

    emzyme Private E-2

    Hi thanks for the response. The look 2 me instructions - are they for XP only? I can't find secondary logon in the services msc on my 2000 PC?

    As to your question on spy sweeper, I only downloaded the trial in an attempt to fix the problems.

    The look2me.bat ran successfully with option 1 and produced a log file. When I ran it the second time with option 2, it asked me to reboot and then never loaded up notepad with a log file.... What else could I try to get that to run?

    Here's the two log files I have for you.

    Thanks,

    Emma
     

    Attached Files:

  4. emzyme

    emzyme Private E-2

    I managed to get it to run a second time (I was connected to the internet this time) and it produced a log file this time; I'll attach it to this message. I have also re-run HijackThis.

    thanks

    Emma
     

    Attached Files:

  5. emzyme

    emzyme Private E-2

    *touch wood* I've had firefox open for a good 20 minutes or so and no popups or changing webpages yet... Was it the look 2 me that was causing this?

    thanks,

    Emma
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your Look 2 Me problems are still there and we need to get them fixed. L2MeFix did not do anything to fix them. Option 1 just gets a report. Option 2 tries to fix problems but since it did not run for you, it did not fix anything.

    Let's try a different tool for the Look 2 Me infection. Download and run the below:

    Look2Me Remover 1.2.0

    read the instructions for using it on the download page.
     
  7. emzyme

    emzyme Private E-2

    Hi again,

    I ran the other look 2 me fixer and it found some registry entries that it then deleted. I guess these were getting it to reinstall at boot time perhaps?

    I have attached a new log file to see if this has cured my look 2 me infection.

    Thanks

    Emma
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay your Look 2 Me problems seem to be fixed. Let's continue with your cleanup.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R3 - Default URLSearchHook is missing
    O4 - HKCU\..\Run: [ntdll.dll] C:\Program Files\Common Files\VCClient\VCClient.exe
    O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\Common Files\VCClient <--- the whole folder

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
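    The HijackThis lines in the post above follow a small, regular format (a section code, then a registry path or autostart name, then a value or command). The script below is an added example, not part of this thread and not HijackThis's own code: it parses lines in that format and applies a few defender-side heuristics that mirror what the helper flagged by eye, such as IE search settings blanked to about:blank, a Run entry whose name imitates a system DLL (ntdll.dll) but launches an executable, an orphaned Winlogon Notify handler whose DLL is missing, and a second autostart pivoting off a folder already flagged. The sample log is constructed here from the seven lines in the post plus one benign SoundMan entry (made up) so that a line which should be left alone is visible; the heuristics are this example's own assumptions, not rules from the thread or the tool.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log: the seven lines the helper asked to be fixed,
# plus one benign Run entry (SoundMan, made up here) that must not be flagged.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Default_Search_URL = about:blank
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = about:blank
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O4 - HKCU\\..\\Run: [ntdll.dll] C:\\Program Files\\Common Files\\VCClient\\VCClient.exe
O4 - HKCU\\..\\Run: [CU2] C:\\Program Files\\Common Files\\VCClient\\VCMain.exe
O4 - HKLM\\..\\Run: [SoundMan] C:\\WINNT\\SOUNDMAN.EXE
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""


@dataclass
class Entry:
    section: str            # HJT section code, e.g. "R1", "O4", "O20"
    raw: str                # the original log line
    fields: dict = field(default_factory=dict)   # section-specific parsed fields


# O4: "<hive>\..\<key>: [<name>] <command>"
_O4 = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# O20: "Winlogon Notify: <name> - <dll> [(file missing)]"
_O20 = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<dll>.+?)(?P<missing> \(file missing\))?$")


def parse_line(line):
    """Split one HJT line into its section code and section-specific fields."""
    line = line.strip()
    section, sep, rest = line.partition(" - ")
    if not sep:
        return None
    entry = Entry(section, line)
    if section in ("R0", "R1") and " = " in rest:
        key, _, value = rest.partition(" = ")
        path, _, name = key.rpartition(",")      # "<registry path>,<value name>"
        entry.fields = {"path": path, "name": name, "value": value}
    elif section == "O4":
        m = _O4.match(rest)
        if m:
            entry.fields = m.groupdict()
    elif section == "O20":
        m = _O20.match(rest)
        if m:
            entry.fields = m.groupdict()
            entry.fields["missing"] = entry.fields["missing"] is not None
    else:
        entry.fields = {"text": rest}
    return entry


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def _folder(cmd):
    """Lower-cased parent folder of a command path ('' if there is none)."""
    return cmd.lower().rsplit("\\", 1)[0] if "\\" in cmd else ""


def review(entries):
    """Return (section, reason) for every entry the heuristics flag."""
    findings, flagged, bad_dirs = [], set(), set()

    def flag(e, reason):
        findings.append((e.section, reason))
        flagged.add(e.raw)

    for e in entries:
        f = e.fields
        if e.section in ("R0", "R1") and f.get("value") == "about:blank":
            flag(e, f"IE setting '{f['name']}' blanked (hijacker residue)")
        elif e.section == "R3" and "missing" in f.get("text", ""):
            flag(e, "default URLSearchHook removed")
        elif e.section == "O4" and "cmd" in f:
            # A Run value named after a system DLL that starts an .exe is a disguise.
            if f["name"].lower().endswith(".dll") and f["cmd"].lower().endswith(".exe"):
                flag(e, f"Run entry '{f['name']}' named like a system DLL but launches {f['cmd']}")
                bad_dirs.add(_folder(f["cmd"]))
        elif e.section == "O20" and f.get("missing"):
            flag(e, f"orphaned Winlogon Notify '{f['name']}' ({f['dll']} missing)")

    # Second pass: anything else auto-started from a folder already flagged.
    for e in entries:
        f = e.fields
        if e.section == "O4" and "cmd" in f and e.raw not in flagged and _folder(f["cmd"]) in bad_dirs:
            flag(e, f"Run entry '{f['name']}' starts from already-flagged folder {_folder(f['cmd'])}")
    return findings


if __name__ == "__main__":
    for section, reason in review(parse_log(SAMPLE_LOG)):
        print(f"{section:4} {reason}")
```

    Run it as-is and the seven lines from the post are reported while the SoundMan entry is not; the CU2 entry is caught only by the second pass, which is the same pivot a human helper makes when two autostarts point into one unfamiliar folder. Feeding it a real log means pasting the log text in place of SAMPLE_LOG; the heuristics are deliberately narrow and are meant to direct a reader's attention, not to replace reading the whole log.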
     
  9. emzyme

    emzyme Private E-2

    Hi,

    Thanks for the update. I successfully ran and fixed the problems you highlighted in the hijack this scan. I checked that I was viewing all the hidden files and I was. I then booted into safe mode but when I checked, the folder VCClient in the C:\program files\common files, did not exist.

    I continued, running ccleaner, and then I reset my web settings and deleted all temporary files and offline content. (I don't use IE so there probably wasn't much there - firefox is my main browser and I couldn't see an option to clear that content out.)

    Here's the latest hijack this log, my bed is calling me now so I'll check back here tomorrow.

    Thanks again,

    Emma
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean! If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore, which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
