Bit of help possibly needed...

Discussion in 'Malware Help (A Specialist Will Reply)' started by jd222, Jul 2, 2008.

  1. jd222

    jd222 Private E-2

    Hey
    I had a problem with my computer: pop-ups opening in new tabs with the web address beginning with em.pc-on-internet, something like that anyway. I googled it and came across this site amongst many others. I followed the "read this first" thing and used all the tools and saved all the logs, but at the moment these pop-ups have stopped. Does this mean the virus/trojan/malware/whatever was causing it has been fixed, or is it still hiding in my system? Just wanted to ask if someone could look through the logs for me and check whether it has actually been removed?
    Thanks
     
  2. abri

    abri MajorGeek

    Hi jd222,
    Welcome to Major Geeks!


    It means the procedures you followed helped. Many forms of malware leave files on your computer which enable them to start up again, so if you'd like us to check your logs to make sure they're clear, please attach them with your next two posts. There should be four of them: ComboFix, MalwareBytes, SuperAntiSpyware and MGlogs.zip.

    abri
     
  3. jd222

    jd222 Private E-2

    Thanks
    3 items should hopefully be attached.
     

  4. jd222

    jd222 Private E-2

    Last item...
     

  5. abri

    abri MajorGeek

    Hi jd222,

    In fact, your logs look quite good. I recommend the following after which I'll post the final cleanup instructions:


    1) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click; use right click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:


    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

    Do you need the following programs to load at startup? If not, please fix them as well.

    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

    After you click Fix, just close HijackThis.


    2) Next I would like to have you use ComboFix to remove some files.


    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected):


    Code:
    KILLALL::
    
    FILE::
    C:\Users\Charlotte Holdsworth\AppData\Local\Temp\tmp00005643
    C:\Users\Charlotte Holdsworth\AppData\Local\Temp\CabBFE5.tmp
    C:\Users\Charlotte Holdsworth\AppData\Local\Temp\TarBFE6.tmp
    
    FOLDER::
    C:\Users\Charlotte Holdsworth\AppData\Local\Temp\tmp00005643
    
    REGISTRY::
    [-HKEY_CURRENT_USER\Software\Kazaa]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\knight]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    • Save the above as CFScript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe).
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFScript.txt on top of ComboFix.exe.
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt.
    • I will ask for this log below.

    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



    After you finish the above, if everything seems to be working fine, please continue with the final cleanup instructions in the box. If you want to keep HijackThis (analyse.exe), then please skip the step which asks you to remove HijackThis via Add/Remove Programs and see the extra instructions in gray at the bottom of the box. This will enable you to put any of the above startup items back into your computer if you decide you want those things to load at startup after all.
    abri
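The two steps in abri's post above, reviewing HijackThis O4 startup entries and feeding ComboFix a CFScript, are both easier to sanity-check when the text is turned into structured data first. The following Python is an added example written for this thread; it is not code from the thread, from HijackThis or from ComboFix. It parses the O4 line format shown above into the full Run-key path, entry name and executable path, and it parses a CFScript into a dry-run list of actions using the .reg-file conventions the posted script follows ([-KEY] deletes a key, "name"=- deletes a value). The O4 regular expression and the list of "suspect" directories (Temp and AppData locations from which a legitimate startup program rarely runs) are my own assumptions, and the third O4 line and the placeholder user path are constructed, not taken from jd222's logs. It goes slightly beyond the post by flagging entries that point into those directories, which is the check a helper does by eye when deciding what to fix.

```python
import re
from collections import Counter

# Constructed sample lines in the HijackThis O4 format shown in the post.
# The first two are copied from abri's list; the third is a made-up entry
# that points into a user's Temp folder (assumption for illustration only,
# not from jd222's logs).
O4_LINES = [
    r'O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe',
    r'O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot',
    r'O4 - HKCU\..\Run: [updater] "C:\Users\someone\AppData\Local\Temp\upd.exe" /silent',
]

# Constructed CFScript in the same layout as the one abri posted; the user
# profile path has been replaced with a <user> placeholder.
CFSCRIPT = r"""KILLALL::

FILE::
C:\Users\<user>\AppData\Local\Temp\tmp00005643
C:\Users\<user>\AppData\Local\Temp\CabBFE5.tmp

FOLDER::
C:\Users\<user>\AppData\Local\Temp\tmp00005643

REGISTRY::
[-HKEY_CURRENT_USER\Software\Kazaa]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"HideLegacyLogonScripts"=-
"HideLogoffScripts"=-
"""

# Assumed shape of an O4 line: 'O4 - <hive>\..\<key>: [<name>] <command>'
O4_RE = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
HIVES = {'HKLM': 'HKEY_LOCAL_MACHINE', 'HKCU': 'HKEY_CURRENT_USER'}
# Directories a legitimate startup program should not normally run from (assumed heuristic).
SUSPECT_DIRS = ('\\appdata\\local\\temp\\', '\\windows\\temp\\', '\\appdata\\roaming\\')


def parse_o4(line):
    """Turn one O4 line into a dict with the full Run key, entry name and executable, or None."""
    m = O4_RE.match(line)
    if not m:
        return None
    cmd = m.group('cmd').strip()
    if cmd.startswith('"'):                      # quoted executable path, arguments follow it
        exe = cmd[1:cmd.index('"', 1)]
    else:                                        # unquoted: cut at the first ' -' or ' /' switch
        exe = re.split(r'\s+[-/]', cmd, maxsplit=1)[0]
    hive = HIVES.get(m.group('hive'), m.group('hive'))
    full_key = '{}\\Software\\Microsoft\\Windows\\CurrentVersion\\{}'.format(hive, m.group('key'))
    return {
        'key': full_key,
        'name': m.group('name'),
        'exe': exe,
        'suspicious': any(d in exe.lower() for d in SUSPECT_DIRS),
    }


def parse_cfscript(text):
    """Translate a CFScript into (action, target) tuples without touching the machine."""
    actions, section, current_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith('::'):                  # section header such as FILE:: or REGISTRY::
            section, current_key = line[:-2].upper(), None
            if section == 'KILLALL':
                actions.append(('kill_all_processes', None))
            continue
        if section in ('FILE', 'FOLDER'):
            actions.append(('delete_' + section.lower(), line))
        elif section == 'REGISTRY':
            if line.startswith('[-') and line.endswith(']'):      # [-KEY] removes the whole key
                actions.append(('delete_key', line[2:-1]))
                current_key = None
            elif line.startswith('[') and line.endswith(']'):     # [KEY] selects a key for value edits
                current_key = line[1:-1]
            else:
                m = re.fullmatch(r'"([^"]+)"=-', line)            # "name"=- removes one value
                if m and current_key:
                    actions.append(('delete_value', current_key + '\\' + m.group(1)))
                else:
                    actions.append(('unrecognised', line))
        else:
            actions.append(('unrecognised', line))
    return actions


def summarise(actions):
    """Count actions by type so the script can be reviewed before it is dropped onto ComboFix."""
    return dict(Counter(action for action, _ in actions))


if __name__ == '__main__':
    for line in O4_LINES:
        entry = parse_o4(line)
        print(('SUSPECT ' if entry['suspicious'] else 'ok      ') + entry['name'] + ' -> ' + entry['exe'])
    for action, target in parse_cfscript(CFSCRIPT):
        print(action, target)
    print(summarise(parse_cfscript(CFSCRIPT)))
```

The script only reads text and reports; it performs no deletions, so it can be run on a CFScript before the drag-and-drop step to confirm that every line was understood (anything listed as unrecognised would be silently ignored or misread by a hand-typed script) and that the only things being removed are the ones the helper intended.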
     
