Internet Explorer popups (www.888.com, winfixer etc) & LOW virtual memory

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by MZPRESTO, Dec 14, 2007.

  1. MZPRESTO

    MZPRESTO Private First Class

    Hi Geeks

    I know the first thing you will say is "Use Firefox," but hear me out.

    I use Internet Explorer and the wife uses Firefox; it keeps all our bookmarks and history separate. I know you can create multiple profiles with Firefox, but I don't mind IE.

    I have recently been having problems with popups even after running:

    AVG, Ad-Aware, Spybot Search & Destroy and HijackThis. I also use the Sygate firewall and have the popup blocker enabled in IE.

    The sites pop up even when I just load the Google homepage, and it's usually www.888.com, WinFixer, Sky etc.

    I searched all over the internet for a solution and none of the methods worked until I stumbled upon aproposfix.exe:

    http://swandog46.geekstogo.com/

    AproposFix – this tool removes all known variants of the Apropos rootkit infection which is not otherwise identifiable or removable by normal means. It MUST be run in Safe Mode or it will not work!

    I ran it in Safe Mode and it worked, and the popups have never been back since!

    I don't know how I got infected in the first place with all the security software I have.

    I now have another problem; this has been happening since way before the popups. I keep getting a message saying "Windows Virtual Memory Low" even though I have at least 10 GB of hard drive space free on my Windows partition at all times and have increased my virtual memory size to the maximum.

    Sometimes when I close this box an AVG detection pops up saying it's found an infection in windows/temp, and I always heal it. If I google the name of the trojan it never brings back any results. Here is a screenshot of my virus vault:

    http://www.heypresto.pwp.blueyonder.co.uk/Virus.jpg

    It is very irritating. Any suggestions on how I can prevent these attacks and stop the system telling me I have low virtual memory when I clearly don't? As an example, I have 1 GB of RAM and barely any programs running in the background, and I can get the message when I open Outlook or Internet Explorer, yet when I am running Photoshop and Microsoft Word at the same time, NO problem!

    Thanks in advance
     
  2. abri

    abri MajorGeek

    Hi MZPRESTO!

    Welcome to Major Geeks!

    If you're still having issues that could be related to malware, we will be best able to help you by looking at the logs produced from the READ & RUN ME FIRST.

    Thanks.
    abri
     
  3. MZPRESTO

    MZPRESTO Private First Class

    Thanks...

    ...but not off to a good start. ComboFix wouldn't run at all until the 3rd attempt, and when it did run it crashed at the deleting folders/files stage.

    Any suggestions?
     
  4. abri

    abri MajorGeek

    Try running this and then see if you are able to download and run the MGTools.exe afterwards so we can check your logs.

    Download and Install RogueRemover Free

    Run RogueRemover and select Scan and the program will walk you through the remaining steps.

    abri
     
  5. MZPRESTO

    MZPRESTO Private First Class

    OK, thanks. I've attached the log files.

    Let me know what you think

    Thanks
     


  6. abri

    abri MajorGeek

    Hi MZPRESTO

    1) You need to uninstall the below:

    - J2SE Runtime Environment 5.0 Update 7
    - J2SE Runtime Environment 5.0 Update 9
    - Java(TM) 6 Update 2
    - Java(TM) SE Runtime Environment 6 Update 1

    2) Reboot

    3) Run HijackThis (now called analyse.exe and located in the MGTools folder under C:\ ) and select Do a system scan only. Select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    After clicking Fix, exit HJT.

    4) Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    5) Your newfiles text did not appear to have run correctly and I'm not sure about the runkeys, so I would like to find out more about why and come back to you about this.

    6) I would like to ask you if the memory problems you've been having might have started when you installed Autodesk and MagicDisc? (Dec.1)

    7) What is in the following two folders?
    C:\Program Files\Common Files\DAZ
    C:\AF

    8) Please scan the following file(s) at either jotti or VirusTotal and let me know the results.

    C:\WINDOWS\system32\3tX5mc2S.exe
    C:\Documents and Settings\Presto\Local Settings\Temp\lsj2E.tmp
    C:\Documents and Settings\Presto\Local Settings\Temp\888AFB86.TMP


    9) After having the above three files scanned, please delete the contents of the below folder. You will not be able to delete anything with the current date.

    C:\Documents and Settings\Presto\Local Settings\TEMP

    abri
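The "O2" line abri flags above is a Browser Helper Object whose CLSID is still registered under HKLM but whose InprocServer32 DLL is gone from disk (hence "(no file)"), and the files in step 8 are identified only by path, which a cleaner can remove before anyone records what was there. The PowerShell script below is an added example, not part of this thread or of the MajorGeeks tools: it reproduces the BHO check by hand, records SHA-256 hashes of the suspect files so they can be looked up on VirusTotal without uploading anything, and performs the step 9 temp clean-up while skipping files written today. It assumes Windows PowerShell 5.1 or later on an elevated prompt (so it will not run as written on the XP machine in the thread); the function names are this example's own, the three suspect paths are abri's, and the two temp-file paths are rebased onto $env:TEMP because the "Local Settings\Temp" layout no longer exists on current Windows.

```powershell
# Added example: manual versions of the checks abri asked for in steps 3, 8 and 9.
# Assumes Windows PowerShell 5.1 or PowerShell 7, run from an elevated prompt.
# Function names and the $SuspectFiles list are this example's own choices;
# the first path and the two temp file names come from abri's post above.

$BhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    # 32-bit IE on 64-bit Windows reads the WOW64 view of the key as well.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

# 1) Enumerate registered BHOs (the HijackThis "O2" lines) and resolve each CLSID
#    to its InprocServer32 DLL. "(no file)" means the DLL is missing from disk;
#    a DLL that is present but unsigned is worth a VirusTotal lookup.
function Get-BhoAudit {
    foreach ($key in $BhoKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $clsid  = $sub.PSChildName   # e.g. {7E853D72-626A-48EC-A868-BA8D5E23E045}
            $clsKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
            $name = $null
            $path = $null
            if (Test-Path -Path $clsKey) {
                $name = (Get-ItemProperty -Path $clsKey).'(default)'
                $srv  = Join-Path -Path $clsKey -ChildPath 'InprocServer32'
                if (Test-Path -Path $srv) {
                    $path = (Get-ItemProperty -Path $srv).'(default)'
                    if ($path) { $path = [Environment]::ExpandEnvironmentVariables($path) }
                }
            }
            $onDisk = [bool]($path -and (Test-Path -LiteralPath $path))
            $sig = if ($onDisk) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
            [pscustomobject]@{
                CLSID     = $clsid
                Name      = if ($name) { $name } else { '(no name)' }
                File      = if ($path) { $path } else { '(no file)' }
                OnDisk    = $onDisk
                Signature = $sig
            }
        }
    }
}

# 2) Hash the files abri wanted scanned. A SHA-256 can be pasted into the VirusTotal
#    search box without uploading the file, and it preserves a record of what was on
#    disk even if a cleaner later removes the file (as happened to lsj2E.tmp).
$SuspectFiles = @(
    'C:\WINDOWS\system32\3tX5mc2S.exe',
    (Join-Path -Path $env:TEMP -ChildPath 'lsj2E.tmp'),
    (Join-Path -Path $env:TEMP -ChildPath '888AFB86.TMP')
)

function Get-SuspectHashes {
    param([string[]]$Paths = $SuspectFiles)
    foreach ($p in $Paths) {
        if (Test-Path -LiteralPath $p) {
            $item = Get-Item -LiteralPath $p
            [pscustomobject]@{
                Path      = $p
                SHA256    = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
                Bytes     = $item.Length
                LastWrite = $item.LastWriteTime
                Signature = (Get-AuthenticodeSignature -FilePath $p).Status
            }
        } else {
            [pscustomobject]@{ Path = $p; SHA256 = '(file no longer exists)'; Bytes = $null; LastWrite = $null; Signature = 'n/a' }
        }
    }
}

# 3) Empty the user's TEMP folder (abri's step 9), skipping anything written today,
#    which is usually still in use, and reporting files Windows refuses to delete
#    instead of aborting the whole run.
function Clear-UserTemp {
    param([string]$TempDir = $env:TEMP)
    $today = (Get-Date).Date
    Get-ChildItem -LiteralPath $TempDir -Recurse -Force -File |
        Where-Object { $_.LastWriteTime -lt $today } |
        ForEach-Object {
            $f = $_   # keep the file object; $_ becomes the error record inside catch
            try   { Remove-Item -LiteralPath $f.FullName -Force -ErrorAction Stop }
            catch { Write-Warning "Could not delete $($f.FullName): $($_.Exception.Message)" }
        }
}

Get-BhoAudit      | Format-Table -AutoSize
Get-SuspectHashes | Format-List
# Clear-UserTemp   # run only after the hashes above have been recorded
```

Run the first two functions before any cleaner and keep their output with the thread logs; a BHO row showing OnDisk = False is exactly the orphaned "(no file)" entry HijackThis would fix, and a row with Signature = NotSigned pointing into system32 or a temp folder is the one to hash and look up.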
     
  7. MZPRESTO

    MZPRESTO Private First Class

    Hi

    Thanks for your response:

    1-4) Completed.

    5) These log files are quite in-depth and give people a lot of information about your system. I wasn't comfortable with a few lines in the new files log being available for all to see on the net, so I deleted a few entries. I only edited the following section:

    Locating all files created in C:\Documents and Settings\Presto\Desktop within the last 90 days.

    I had some confidential Word documents on the desktop with clients' names on that I didn't want publicising.

    With regards to the runkeys log, I didn't touch it.

    6) The problem was happening before the 1st of December. I have removed these 2 pieces of software now anyway, as I have no use for them.

    7) C:\Program Files\Common Files\DAZ - This was installed with a trial version of Bryce 3D, which I have since uninstalled, so it should not still be on my system (I have now removed it).

    C:\AF is a folder I created to extract AproposFix as mentioned in my first post

    8) Scanned with Jotti:

    C:\WINDOWS\system32\3tX5mc2S.exe

    AntiVir Found TR/Crypt.ULPM.Gen
    Panda Antivirus Found Trj/Agent.HAY
    Sophos Antivirus Found Mal/HckPk-A

    C:\Documents and Settings\Presto\Local Settings\Temp\lsj2E.tmp

    File no longer exists (ran CCleaner yesterday).

    C:\Documents and Settings\Presto\Local Settings\Temp\888AFB86.TMP

    File returned but scanned clean.

    Should I delete C:\WINDOWS\system32\3tX5mc2S.exe ?
     
  8. abri

    abri MajorGeek

    1) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Make sure you tell me how things are working now!


    2) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    3) Please post a fresh MGlogs.zip. Let me know if this changes any of your symptoms. I would like to see the logs to make sure nothing has mutated. The files you took out were fine. Simply keep your eyes open for anything on your desktop that you don't remember putting there yourself.

    abri
     
  9. MZPRESTO

    MZPRESTO Private First Class

    Ok thanks :)

    I have completed both these steps and attached a fresh set of logs.

    So far I haven't seen a single popup or the low virtual memory window, but it's very early days yet, so I'll let you know how I get on.

    Thanks for all the time you have put into helping me thus far.

    :D
     


  10. abri

    abri MajorGeek

    Hi MZPRESTO!
    It all looks good. I recommend that you use CCleaner at the default setting to keep your logs, temp files, temporary internet files, etc. cleaned out. I'll post a set of instructions now for you to clear our tools back out of your system.

    abri
     
