MajorGeeks Support Forums

  #1  
Old 09-19-06, 07:44
Juan_M Juan_M is offline
Private E-2
 
Join Date: Sep 2006
Posts: 8
Thanks: 0
Thanked 0 Times in 0 Posts
Default Getting lots of pop-ups

Hello all!

I'm a bit desperate trying to figure out what's wrong with my PC. All of a sudden, I get a lot of pop-ups and no matter how many times I run adaware or ewido, it always finds something. I'm attaching the hijackthis log, would anyone please take a look at it and let me know what you see?

Thanks!
Attached Files
File Type: log hijackthis.log (8.0 KB, 3 views)
  #2  
Old 09-19-06, 09:41
DavidGP DavidGP is offline
MajorGeeks Forum Administrator - Grand Pooh-Bah
 
Join Date: Jan 2002
Location: UK
Posts: 38,654
Thanks: 2,862
Thanked 3,042 Times in 2,769 Posts
Default Re: Getting lots of pop-ups

Hi and Welcome

Do the popups have any names?

While HijackThis is a good tool for locating browser hijacks and the like, it will not find all malware or popups on your PC. Also, as some sneaky malware hides itself from HijackThis scans, the main executable of HijackThis needs to be renamed, so the best option is to follow the guide below.

Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
  • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
  • Make sure you check version numbers and get all updates.
  • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
  • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
Downloading, Installing, and Running HijackThis

Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.


  • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
    • CounterSpy - ONLY IF you were not able to run Windows Defender
    • Bitdefender - from step 6
    • Panda Scan - from step 6
    • runkeys.txt - the log from GetRunKey.bat
    • newfiles.txt - the log from ShowNew.bat
    • HijackThis
NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
  #3  
Old 09-19-06, 10:04
Juan_M Juan_M is offline
Private E-2
 
Join Date: Sep 2006
Posts: 8
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: Getting lots of pop-ups

Thanks a lot! That's a lot of stuff I have to do!!! I'll get to it when I get home tonight and will be back with the results.

Thanks!
  #4  
Old 09-21-06, 21:26
Juan_M Juan_M is offline
Private E-2
 
Join Date: Sep 2006
Posts: 8
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: Getting lots of pop-ups

Hello again!

Well, I followed all the directions and got all the reports. The post said I should report any exceptions to the whole process, so here I go:

When I ran Spy & Bot, it reported it couldn't delete some of what it found because it was "in memory" so I had to reboot in normal mode and let Spy Bot scan during startup. I did so.

Counter Spy, Windows Defender, Bit defender and Panda couldn't be run in Safe Mode; I didn't have an internet connection even though I restarted in safe mode with network.

At this point, I still get pop-ups; the most common is Disk Cleaner. Also Party Poker and stuff like that. And I notice they show up when I click to move from one website to another.

The last thing I see is that right after my desktop shows up after I turn on the PC, Internet Explorer opens with this on the address field:

http://iesettingupdate/

It also shows it can't find that website.

Well, I'm going to attach the logs, please let me know what to do next.

Thank you,
Attached Files
File Type: txt CounterSpy.txt (8.4 KB, 1 views)
File Type: txt bdscan.txt (65.1 KB, 1 views)
File Type: txt Activescan.txt (3.2 KB, 1 views)
  #5  
Old 09-21-06, 21:26
Juan_M Juan_M is offline
Private E-2
 
Join Date: Sep 2006
Posts: 8
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: Getting lots of pop-ups

the last two logs
Attached Files
File Type: txt runkeys.txt (14.2 KB, 1 views)
File Type: txt newfiles.txt (27.6 KB, 1 views)
  #6  
Old 09-22-06, 01:40
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 80,223
Thanks: 61
Thanked 7,607 Times in 4,093 Posts
Default Re: Getting lots of pop-ups

You forgot to attach a new HJT log from after running the procedure. However before doing that, let's complete the below steps first.

Copy the bold text below to notepad. Save it as fixWLK.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
Quote:
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"0mcamcap"=-
"Ropi"=-
"Bnlql"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"0mcamcap"=-
"fpvgjetA"=-
"adstart"=-
"MSConfig"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\RunServices]
"0mcamcap"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
"system.ini"=dword:00000000
"win.ini"=dword:00000000
"bootini"=dword:00000000
"services"=dword:00000000
"startup"=dword:00000000
Now reboot your PC into Safe Mode and run Windows Explorer to locate and delete the below:
C:\Documents and Settings\Juan\Application Data\asembl~1\winword.exe
C:\Documents and Settings\Juan\Application Data\a?sembly\winword.exe
C:\WINDOWS\fpvgjetA.exe
C:\WINDOWS\system32\0mcamcap.exe
C:\Program Files\Common Files\Yazzle1264OinAdmin(2).exe
C:\Program Files\Common Files\Yazzle1264OinAdmin.exe

Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
Now run Ccleaner (installed while running the READ ME FIRST).

Now reboot into normal mode

Now attach a new HJT log and tell me how the steps went.

Also attach a new log from ShowNew and a new log from GetRunKey.

Make sure you tell me how things are working now!
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."

Reply With Quote
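Added example, not part of the original thread: a small reader for the REGEDIT4 text in the post above that lists what the file will do before it is merged, separating autostart value deletions from other writes. `FIX_REG` is a trimmed copy of the posted file; the function names `audit_reg` and `touches_autostart` are hypothetical, and multi-line `hex:` values are not handled.

```python
import re

# Trimmed copy of the .reg text from the post above, embedded to run offline.
FIX_REG = r'''REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"0mcamcap"=-
"Ropi"=-
"Bnlql"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\RunServices]
"0mcamcap"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
"system.ini"=dword:00000000
"startup"=dword:00000000
'''

VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def audit_reg(text):
    """Return (operation, key, value_name, data) tuples for a REGEDIT4 file."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if not lines or lines[0] != "REGEDIT4":
        raise ValueError("not a REGEDIT4 file")
    ops, key = [], None
    for line in lines[1:]:
        if line.startswith(";"):              # comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):           # [-key] removes the whole key
                ops.append(("delete-key", key[1:], None, None))
                key = None
            continue
        m = VALUE.match(line)
        if not m or key is None:
            raise ValueError(f"unparsed line: {line!r}")
        name, data = m.groups()
        if data == "-":                       # "name"=- removes one value
            ops.append(("delete-value", key, name, None))
        elif data.startswith("dword:"):
            ops.append(("set-dword", key, name, int(data[6:], 16)))
        else:
            ops.append(("set-other", key, name, data))
    return ops

def touches_autostart(op):
    """True when the operation targets a Run, RunOnce or RunServices key."""
    return re.search(r"\\CurrentVersion\\Run(Services|Once)?$", op[1], re.I) is not None
```
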
  #7  
Old 09-22-06, 06:03
Juan_M Juan_M is offline
Private E-2
 
Join Date: Sep 2006
Posts: 8
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: Getting lots of pop-ups

Thanks so much for your help, it's much appreciated. And I'm sorry for forgetting to attach the log the first time.

Ok, I followed the steps you gave me but I couldn't find two of the files you asked me to delete:

C:\Documents and Settings\Juan\Application Data\asembl~1\winword.exe
C:\WINDOWS\system32\0mcamcap.exe

I did delete the others.

When I rebooted on normal again, the pop-up that always shows up after start up wasn't there and I've been surfing for a few minutes with both Explorer and SBC Yahoo browser and I haven't got pop-ups so far.

I'm attaching now the fresh logs you requested. Thanks again
Attached Files
File Type: log hijackthis.log (8.1 KB, 2 views)
File Type: txt newfiles.txt (27.1 KB, 2 views)
File Type: txt runkeys.txt (13.2 KB, 1 views)
  #8  
Old 09-22-06, 17:01
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 80,223
Thanks: 61
Thanked 7,607 Times in 4,093 Posts
Default Re: Getting lots of pop-ups

Quote:
Originally Posted by Juan_M
Ok, I followed the steps you gave me but I couldn't find two of the files you asked me to delete:
Okay but see if you can locate the ones below from your newfiles.txt log. The ones we are concerned with show ?? in the folder names and were created on Sept 19th. Ignore the other folder names. I'm just showing them so you can get a feel for what you are looking at. The ones you care about are "??stem" and the ?? characters could be anything but it may translate into "system". Let me know what you find. DON'T DO ANYTHING. There is supposed to be a System folder in the C:\Program Files\Common Files\ folder but it probably has an older date. So you may see two folders that look like they have the same name but they really do not.
Code:
"C:\Program Files\"
2WIRE         Sep 17 2006              "2Wire"
AUDACITY      Jul 17 2006              "Audacity"
BROADJ~1      Sep 17 2006              "BroadJump"
CCLEANER      Sep 19 2006              "CCleaner"
EWIDOA~1.0    Sep 16 2006              "ewido anti-spyware 4.0"
FELLOWES      Aug 14 2006              "Fellowes"
FXPANS~1      Jun 29 2006              "FXpansion"
HIJACK~1      Sep 17 2006              "Hijackthis"
ILLUST~1      Jul 16 2006              "Illustrate"
LAVASOFT      Sep 21 2006              "Lavasoft"
SBC           Sep 17 2006              "SBC"
SPYBOT~1      Sep 19 2006              "Spybot - Search & Destroy"
SUNBEL~1      Sep 20 2006              "Sunbelt Software"
UNINST~1      Sep 18 2006              "Uninstall Information"
VOXENGO       Jul 17 2006              "Voxengo"
WINDOW~3      Aug 13 2006              "Windows Defender"
STEM~1        Sep 19 2006              "??stem"
 
"C:\Program Files\Common Files\"
YSTEM~1       Sep 19 2006              "?ystem"
Reply With Quote
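Added example, not part of the original thread: a parser for the listing format quoted in the post above that flags folders whose long name contains `?`. Windows does not allow `?` in a file name, so a `?` in a listing stands for a character the console could not display, and the entry is then compared with well-known folder names it may be imitating. The format is inferred from the quoted excerpt only; `SAMPLE` is a trimmed copy of it, and the function names and the `known_names` list are assumptions.

```python
import re
from datetime import datetime

# Trimmed copy of the excerpt quoted in the post above (runs offline).
SAMPLE = r'''
"C:\Program Files\"
CCLEANER      Sep 19 2006              "CCleaner"
HIJACK~1      Sep 17 2006              "Hijackthis"
WINDOW~3      Aug 13 2006              "Windows Defender"
STEM~1        Sep 19 2006              "??stem"
"C:\Program Files\Common Files\"
YSTEM~1       Sep 19 2006              "?ystem"
'''

HEADER = re.compile(r'^"(.+\\)"$')   # quoted parent directory line
ENTRY = re.compile(r'^(\S+)\s+([A-Z][a-z]{2} \d{1,2} \d{4})\s+"(.*)"$')

def parse_listing(text):
    """Yield (parent, short_name, created, long_name) for each folder line."""
    parent = None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            parent = m.group(1)
            continue
        m = ENTRY.match(line)
        if m and parent:
            created = datetime.strptime(m.group(2), "%b %d %Y").date()
            yield parent, m.group(1), created, m.group(3)

def suspicious(entries, known_names=("system",)):
    """Flag entries whose long name holds '?' and name what they resemble."""
    findings = []
    for parent, short, created, long_name in entries:
        if "?" not in long_name:
            continue
        # Assumption: each '?' replaced exactly one undisplayable character.
        pattern = re.compile(re.escape(long_name).replace(r"\?", "."), re.I)
        findings.append({
            "path": parent + long_name,
            "short_name": short,
            "created": created,
            "imitates": [n for n in known_names if pattern.fullmatch(n)],
        })
    return findings
```

Running `suspicious(parse_listing(SAMPLE))` returns the two entries dated Sep 19 2006, each reported as resembling `system`.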
  #9  
Old 09-22-06, 20:09
Juan_M Juan_M is offline
Private E-2
 
Join Date: Sep 2006
Posts: 8
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: Getting lots of pop-ups

Thank you again for your help.

Well, there are two folders that look similar inside of the C:\Program Files\Common Files\ folder. One is called system, created on 9/19, but it's empty.
There's a second folder called System (with capital S), created on March/05 and has these files:

directdb.dll
wab32.dll
wab32res.dll

and these folders:

3YGLKwhbXag5
ado
AlWelVXM
gnADK0guCy
H2HiEMG2S2Km
Mapi
msadc
Ole DB
wVIG9kH3g3xcH


Let me know if I need to do anything else.

Thank you,
  #10  
Old 09-23-06, 03:24
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 80,223
Thanks: 61
Thanked 7,607 Times in 4,093 Posts
Default Re: Getting lots of pop-ups

Quote:
Originally Posted by Juan_M
Thank you again for your help.

Well, there are two folders that look similar inside of the C:\Program Files\Common Files\ folder. One is called system, created on 9/19, but it's empty.
There's a second folder called System (with capital S), created on March/05 and has these files:
Delete the one dated 9/19.

But what about the ??stem folder in C:\Program Files
  #11  
Old 09-23-06, 06:46
Juan_M Juan_M is offline
Private E-2
 
Join Date: Sep 2006
Posts: 8
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: Getting lots of pop-ups

It looks like it's gone too! It's weird that all of a sudden all those files and folders are gone. I guess those scans deleted them?!
  #12  
Old 09-24-06, 00:10
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 80,223
Thanks: 61
Thanked 7,607 Times in 4,093 Posts
Default Re: Getting lots of pop-ups

Quote:
Originally Posted by Juan_M
It looks like it's gone too! It's weird that all of a sudden all those files and folders are gone. I guess those scans deleted them?!
Not according to your last ShowNew log. Attach a new log and also look at it yourself to see if the lines still show up.
  #13  
Old 09-24-06, 07:56
Juan_M Juan_M is offline
Private E-2
 
Join Date: Sep 2006
Posts: 8
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: Getting lots of pop-ups

Well, here I am posting a new log, and I don't see that file... of course, I'd never really looked at this kind of files before so I might have missed it.

Thanks!
Attached Files
File Type: txt newfiles.txt (29.1 KB, 3 views)
  #14  
Old 09-24-06, 21:06
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 80,223
Thanks: 61
Thanked 7,607 Times in 4,093 Posts
Default Re: Getting lots of pop-ups

Yes they are gone now!

If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

After that, you should work thru the below link:

How to Protect yourself from malware!

All times are GMT -5. The time now is 01:17.