Getting lots of IE and chrome pop-ups

Discussion in 'Malware Help (A Specialist Will Reply)' started by sherp, May 1, 2009.

  1. sherp

    sherp Private E-2

    Hello Helpers,

    I have recently encountered a very annoying problem in my PC. The story started when I first got notices that a rootkit was found on my laptop. I searched for ways to fix the problem and that is where I encountered your READ AND RUN ME FIRST malware removal guide. I started running the scans but encountered some difficulty with combofix because I did not have admin rights to turn off norton antivirus. Anyway, I decided to worry about that later and start working with my seldom used desktop instead. Because I never really ran any scans on the desktop, I decided to also go through the READ AND RUN ME FIRST on that, just to clean up anything that might be there. When I started that process, I was not aware of any malware problems that my desktop had.

    I went through the steps and the scans proved to find what seemed to be a lot of bad stuff. One strange thing was that during one of the scans (I think it was SUPERAntiSpyware, but could have been Malwarebytes, I don't remember exactly), I left the room to let it run. When I came back about 30 minutes later, I had found a ton of new Internet Explorer and Google Chrome windows had opened, all various ads. That is the first time I'd seen that happen. I closed all the windows and let the scan finish. When it did, I continued with the rest of the procedures in the guide and thought that my computer was clean.

    Now (2 days after finishing the procedure in the guide), the same pop-up problem began happening. I had been working on my computer for a couple of hours without incident, when all of a sudden IE and Chrome windows started appearing with similar ads as before. I opened up the task manager and found a couple of suspicious processes, which I terminated after searching and finding out that they were malicious: twain.exe and XPRE.TMP. Once I killed those two, the pop-ups stopped appearing in such numbers, but now I still get one every few minutes. My system also seems to be running a lot slower than it has been in the last couple of hours. I attached all the desired logs. Any chance of rescue?
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's start with this:

    Run this: Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Please use add/remove programs to uninstall:
    Ad-Aware SE Personal --> This is a useless program.
    J2SE Runtime Environment 5.0 Update 6

    Now let's use ComboFix to remove a bunch of malware files.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected):
    Code:
    KILLALL::
    
    
    File::
    c:\windows\system32\goyotobu
    c:\windows\system32\kuyubuza.dll
    c:\WINDOWS\system32\yhs783ijfo3fe.dll
    
    RegLockDel::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B2BA40A2-74F0-42BD-F434-12345A2C8953}\InProcServer32]
    @Class="REG_SZ"
    @DACL=(02 0000)
    @="c:\\WINDOWS\\system32\\yhs783ijfo3fe.dll"
    "ThreadingModel"="Apartment"
    
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32]
    @DACL=(02 0000)
    @="c:\\windows\\system32\\kuyubuza.dll"
    "ThreadingModel"="Both"
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  3. sherp

    sherp Private E-2

    Thanks a lot for helping. So I did everything you said but encountered a couple of problems:

    1. When I ran ComboFix, it insisted that my AVG scan was still enabled even though I'm sure I disabled it (following the directions from the ComboFix manual). I continued anyway since I followed the directions to turn it off and it seemed like it was off.

    2. The error message "Registry editing has been disabled by your administrator" came up twice during the process. Once towards the end of the ComboFix step, and once in the middle of the MGtools step.

    3. The error message "The application failed to initialize properly (0xc0000135). Click OK to terminate the application" came up towards the end of the MGtools scan, but after clicking OK it still finished the process.

    After doing that, I left the computer on for a while and came back to find 5-10 new IE pop-ups. The computer still seems to be moving very slowly.
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please disconnect your computer from the internet ( pull the plug ) until we are finished.
    You have managed to become more infected.


    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected):
    Code:
    KILLALL::
    
    Driver::
    b4144c3b
    d1e1713d
    74ef9a37
    139f0494
    97550553
    b05ed9a2
    f3a8ce8a
    ovfsthdvblrnmxjyixvqvogyurhrmuyyxtapjp
    
    File::
    C:\Documents and Settings\Ophir\Application Data\pidle\pidle.exe
    c:\windows\system32\drivers\d1e1713d.sys
    c:\windows\system32\reader_s.exe
    c:\documents and settings\Ophir\reader_s.exe
    C:\meplgps.exe
    c:\windows\system32\bujusufe.exe
    c:\windows\system32\sekapehu.exe
    c:\windows\system32\tebudati.exe
    c:\windows\system32\toyinoki.exe
    c:\windows\system32\gijareyi.dll.tmp
    c:\windows\system32\jesuvaya.dll.tmp
    c:\windows\system32\juzuzoji.dll.vir
    c:\windows\system32\sawekoba.dll.tmp
    C:\WINDOWS\system32\prnet.tmp
    C:\Documents and Settings\Ophir\LOCALS SETTINGS\Temp\_A00F22224.exe
    C:\Documents and Settings\Ophir\LOCALS SETTINGS\Temp\_A00F4DC62.exe
    C:\Documents and Settings\Ophir\LOCALS SETTINGS\Temp\owmcfsdyq.exe
    C:\Documents and Settings\Ophir\LOCALS SETTINGS\Temp\838744028.exe
    C:\Documents and Settings\Ophir\LOCALS SETTINGS\Temp\_A00FEBA8DB.exe
    C:\WINDOWS\System32\reader_s.exe
    c:\windows\ld08.exe
    C:\WINDOWS\TEMP\653616814.exe
    C:\WINDOWS\system32\jkshfuiehi.dll
    c:\windows\System32\drivers\97550553.sys
    c:\windows\System32\drivers\b05ed9a2.sys
    c:\windows\System32\drivers\f3a8ce8a.sys
    c:\windows\system32\drivers\ovfsthdvblrnmxjyixvqvogyurhrmuyyxtapjp.sys 
    c:\Documents and Settings\Ophir\LOCALS SETTINGS\Temp\ovfsthdcdwbkpuym.tmp 
    c:\Documents and Settings\Ophir\LOCALS SETTINGS\Temp\ovfsthdgqximqyip.tmp 
    c:\Documents and Settings\Ophir\LOCALS SETTINGS\Temp\ovfsthexegbwofra.tmp 
    c:\Documents and Settings\Ophir\LOCALS SETTINGS\Temp\ovfsthx000 
    c:\windows\system32\reader_s.exe 
    c:\windows\system32\__c00A28D1.dat 
    c:\windows\system32\ovfsthcofyretubabrsaoyhyoxjdqdptndfsdi.dat 
    c:\windows\system32\ovfsthjdqvyppvkxtdqddoqfsfexivfqbpskpr.dll 
    c:\windows\system32\ovfsthkalgrnwstqxdxgkjlkmeaahixlooaygh.dat
    c:\windows\system32\ovfsthketksnppurijugkttyuxdloqtrhwlilp.dll 
    c:\windows\system32\ovfsthvytvembhqaehbwkewmidvthmeblmjsye.dll
    c:\windows\system32\reader_s.exe
    c:\windows\ld08.exe
    c:\Documents and Settings\Ophir\LOCALS~1\temp\413838472.exe
    C:\poedmta.exe
    C:\dopdnk.exe
    c:\Documents and Settings\Ophir\LOCALS SETTINGS\temp\owmcfsdyq.exe
    c:\Documents and Settings\Ophir\LOCALS SETTINGS\temp\owmcfsdyq.exe
    c:\Documents and Settings\Ophir\LOCALS SETTINGS\temp\owmcfsdyq.exe
    c:\windows\system32\__c00A28D1.dat
    c:\windows\system32\drivers\139f0494.sys
    c:\windows\system32\drivers\74ef9a37.sys
    C:\tqrsiug.exe
    C:\poedmta.exe
    C:\nmutwl.exe
    c:\windows\t55ft2692f44.dat
    C:\ohkbrkoo.exe
    C:\xmrgycj.exe
    C:\okex.exe
    C:\xipr.exe
    c:\windows\system32\drivers\b4144c3b.sys
    C:\wwmeoblk.exe
    C:\pdtivk.exe
    C:\celkadaa.exe
    C:\kggi.exe
    
    Folder::
    c:\documents and settings\Ophir\Application Data\pidle
    c:\windows\system32\796525
    
    
    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "prnet"=-
    "pidle"=-61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139"
    "12ZFG94-F641-2SF-K31P-5N1ER6H6L2"=-
    "12CFG515-K641-55SF-N66P"=-
    "DL32"=-
    "SYS32DLL"=-
    "A00F22224.exe"=-
    "A00F4DC62.exe"=-
    "uidenhiufgsduiazghs"=-
    "reader_s"=-
    "Diagnostic Manager"=-
    "A00FEBA8DB.exe"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "reader_s"=-
    "sysLDtray"=-
    
    
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Diagnostic Manager"=-
    
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=-
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00a28d1]
    
    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ovfsthaijbivwyxdlmrnmqgutupxmkabqrtgqj]
    
    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\139f0494]
    
    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\74ef9a37]
    
    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\97550553]
    
    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\b05ed9a2]
    
    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\b4144c3b]
    
    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\d1e1713d]
    
    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\f3a8ce8a]
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c2ba40a1-74f3-42bd-f434-12345a2c8953}]
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e7f15ac4-e0a9-43f0-921b-70dfea621220}]
    
    [HKEY_LOCAL_MACHINE\software\Microsoft\windows\currentversion\Explorer\sharedtaskscheduler]
    "{C2BA40A1-74F3-42BD-F434-12345A2C8953}"=-
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now please run both SAS and MBAM.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip
    SAS
    MBAM
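Added example, not from this thread or from ComboFix: a small Python linter for CFScript text like the two scripts posted above, meant to catch copy-and-paste slips (doubled backslashes, duplicate paths, a stray value line) before the file is dragged onto ComboFix. The section headers are the ones used above; the checks, the SAMPLE input and the .reg-style reading of a bare [KEY] header are my assumptions.

```python
import re
from collections import Counter
HEADERS = ("KILLALL::", "File::", "Driver::", "Folder::", "Registry::", "RegLockDel::")  # as used above
REG_KEY = re.compile(r"^\[-?HK[A-Z_]+\\.+\]$")   # [HKEY_...\key] selects a key, [-HKEY_...\key] deletes it
REG_VALUE = re.compile(r'^"[^"]+"=(-|".*")$')    # "name"=- deletes a value, "name"="x" sets it

def parse_cfscript(text):
    # Group non-empty lines under the section header they follow ('_preamble' before any header).
    sections, current = {}, "_preamble"
    for line in (raw.strip() for raw in text.splitlines()):
        if line in HEADERS:
            current = line
            sections.setdefault(current, [])
        elif line:
            sections.setdefault(current, []).append(line)
    return sections

def lint_cfscript(text):
    """Return (section, entry, problem) triples for entries worth a second look before running."""
    findings, sections = [], parse_cfscript(text)
    norm = lambda e: e.replace("\\\\", "\\").lower()   # C:\\A\\b.exe and c:\a\b.exe name the same file
    for sec in ("File::", "Folder::"):
        entries = sections.get(sec, [])
        counts = Counter(norm(e) for e in entries)
        for e in entries:
            if "\\\\" in e:
                findings.append((sec, e, "doubled backslashes (registry-style escaping in a path)"))
            if counts[norm(e)] > 1:
                findings.append((sec, e, "duplicate entry"))
    reg = sections.get("Registry::", [])
    for i, e in enumerate(reg):
        if e.startswith("["):
            if not REG_KEY.match(e):
                findings.append(("Registry::", e, "malformed key header"))
            elif not e.startswith("[-") and (i + 1 == len(reg) or reg[i + 1].startswith("[")):
                findings.append(("Registry::", e, "bare key with no values: in .reg syntax only [-KEY] deletes"))
        elif not REG_VALUE.match(e):
            findings.append(("Registry::", e, 'malformed value line (expected "name"=-)'))
    return findings
SAMPLE = r"""KILLALL::
File::
c:\windows\system32\reader_s.exe
C:\\WINDOWS\\System32\\reader_s.exe
Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"reader_s"=-
"pidle"=-61A847B5BBF7281735"
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00a28d1]
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\139f0494]
"""  # constructed sample modelled on the scripts above, with the kinds of slips that crept in
```

Running `lint_cfscript(SAMPLE)` reports the duplicated reader_s.exe entry twice, the doubled backslashes once, the broken "pidle" line and the bare Services key; a clean script returns an empty list.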
     
