IE Forced Pop-Ups/Rebooting Malware

Hi, I have followed the steps in the Read & Run Me First
and currently have reached a problem at Step 5, preventing me from proceeding.

Microsoft Windows Defender - After installing it it said my definitions haven't been updated in 254 days and need to be updated.

The problem here is that whatever malware I currently have is
rebooting my computer after about 10 minutes online.
I am on dialup, so when I try to update my defender definitions through the programs interface, it appears to be downloading the definitions (although there is no download status bar etc.) but after about ten minutes online my computer reboots and I am unable to complete the definitions update download.

I therefore did a Scan using defender in Safe Mode yet it apparently did not detect anything. However when I looked under Tools -> I saw the following startup obvious malware which I have disabled but not yet deleted:

See Attached Text File-



My problem history is as followed: I initially had the Red Pop-Up 'Phony' Virus task Bar warning Malware which stated how 'my computer is infected and I need to download Antimalware' etc. I ran SmitfraudFix and it seemed have to removed that.

Yet I still keep getting pop-ups and my computer keeps rebooting and constantly trys to connect to the internet.
I cannot update my definitions for defender or anything and will be unable to scan online because of this rebooting/popup/forced-connection malware issue.

Is there possibly a way to manually download and install the latest Defender definitions?
However since it didnt detect anything yet without them anyways I doubt it would find something new with them updated anyways.


I am just trying to look for help or advice as to which direction to possibly procede on with.

I currently have no anti-virus software - I used to have AVG free
but since recently upgrading to WIn XP I cannot run it. Therefore I am now going to re-download it again using another computer and save it to my external drive (hopefully along with any manually downloaded AVG Free updates) THEN install it on my infected computer.

At this point basically my issue is the popups and forced connections and the forced rebooting issue.
I am unable to stay online long enough to download any updates for virtually any scan software or also even attempt to scan online due to this.

Any advice is GREATLY appreciated.

Thank you very much everyone.

 

Hi again, I just wanted to update my issues:

I managed to remove several trojans and viruses using the AVG Malware scan software. These were not detected by anything until this software did so. It seems as though my system is stable now as the recurrent popups and forced connecting as well as forced rebooting, has appeared to stop for the time being. Therefore as per the instructions here I toggled Restore points and rebooted . I am now going to download the additional AVG FREE Anti-Virus software as well.

However, in searching the web for one of named trojans/viruses which the AVg Malware scanner found, I came across what sounds like a rather serious one found on my system among sevral other (no quarintined) : Hijacker.small

From reading the Mcaphee forum it appears as though this is whats known as a rootkit type of virus which apparently puts a driver in the device manager which allows the virus to return.

Perhaps if anyone may be familair with this one they may offer some information. On the Mcaphee forum they are suggesting that one needs to go into the device manager and remove or disable this driver which allows the virus to return on a timed basis each week.

So for me now my system appears to be stablizing, but I would like to keep this thread open just in case someone may reply or offer any further advice.


Thank you.

 

Hello again.

Although since my last post I removed several Trojans and Viruses using AVG Malware Remover and although upon startup the forced connection prompts to the Internet have seemed to have stopped, upon attemtping to go online I soon got a taskbar icon and popup leading me to some phony anti-spyware site.

Upon immediatley disconnecting from the internet I have discovered more malware. I have now also used SYSINTERNALS autoruns and process explorer and have found and currently disabled items such as ishost.exe which apparently is termed 'SpywareQuake'. However the previously used tool AVG Malware scanner: is not finding this. I also ran SmitFraud Fix and although it said it detected and removed ishost.exe and another similairly named imon.exe or something, ishost.exe appears still present as located by SYSINTERNALS autoruns and process explorer so I dont know if SmitFraud Fix actually has removed this aspect.

As I have mentioned in my last post I beleive that according to some of the initial items AVG Malware Scanner found such as 'Hijacker.small' that I most likely suspect I have some type of 'rootkit' virus here which is re-downloading more malware as soon as I go online.

Therefore I am now currently trying to use the instructions located here: http://forums.majorgeeks.com/showthread.php?t=88420 to hopefully remove this SpywareQuake aspect (ishost.exe) as i understand it.

Again if anyone may ever find a moment here to offer any advice I would greatly appreciate it.

Thank you.

 

HI, thank you for your help. l will follow the R&R steps and post the logs as asked. However I am concerned that when I go online to to do any definition updates of the various programs as well as the two online scans that whatever Malware possibly still on my system at that point will breed and download even more. This due to the fact that i am on dialup and everything takes a long time. A long time to download the ACtive x required for online scanning as well as any time it takes to do any aforementioned definition updates for the various programs. Initially my computer was rebooting after ten minutes online due to the Malware. However although I 'think' that symptom seems to have been removed from some of the previous scans.

But I appreciate the help sincerely and will follow the steps completely and post my logs hopefully soon or report of any problems I may have reached in attempting to complete them all.

Again, thank you.

 

Hi, I have followed the steps. Attached is:

1.) SAFE MODE SmitFraudFix Search
2.) Normal Mode SmitFraudFix Clean
3.) Bitdefender Online Scan

Notes: None of these really found anything. Bitdefender- Only found quarintined stuff from both my AVG FREE Antivirus & AVG Anti-Spyware.

However - Spysweeper reports:
Adware found: enbrowser
Adware found: ezula ilookup
Adware found: trafficsolution
Adware found: rx toolbar
Adware found: cydoor peer-to-peer dependency

Yet I have to purchase Spysweeper to have it remove these. Also AVG Anti-Spyware claimed to have already removed 'rx toolbar'.

Also- In my System32 folder I notice the following bad things:
awvtq.dll,awtss.dll,cd_clint.dll,ddccb.dll,jrs531b0.sys,mlnmp.ini
mllmj.dll,mllmm.dll,rqtss.ini,sttss.ini,sstts.dll,sstwa.ini,wrlzma.dll

I have tried two different versions of 'Vundo Fix' I believe, running these from C:WIndows/ -One simply has a button Stating 'Search for Vundo' - It removed a dlll named winn32.dll etc? The other Vundo Fix asks for you to enter the absoulute path to the bad System32 .dll then enter its file name again backwards then opens Hijack this- where you are to then see the dll entry mark it for fix -reboot then open Hijack This again and remove it?
I used this second Vundo tool to succesfully remove two dlls from the system32 folder named 'jkkjj.dll and jkkgg.dll' etc. Upon reboot they WERE removed yet i never saw any corresponding entry in Hijack this for them.

I also now have several programs loading for startup space: AVG antivirus, Avg Anti Spyware, Spyseeper, Windows Defender, Zonealarm.

My system appears extremly slow upon startup, with often times the flashlight icon searching as i even attempt to open START/Control Panel etc.

Each of these programs have a 'Resident shield' and I am wondering if they are collectively slowing startup down? Also When I click on the desktop icon for IE6 it takes nearly 30 seconds before loading very very slowly.

Also Defender had no new updates yet claiming they were 245 days old.
I scanned, it removed a 'Twain' Trojan.

In Defender under Startup Tools- It lists among other things -
Startup Value: RUNDLL32.EXE w007415c.dll,n 005531ab00000002007415c
Startup Value: C:\WINDOWS\win3206513940513.exe
Startup Value: "iexplore.exe" "http://iesettingsupdate"
Startup Value: C:\WINDOWS\elitepop06.exe
Startup Value: "C:\Program Files\Common Files\{380F18E9-063F-1033-0217-060314050001}\Update.exe" mc-110-12-0000272


Which I have disabled yet not delted in Defender/Startup. I think previous scans/fixs that i have already removed most of these- elitepop.exe,win32065 etc.

I also have sysinternals.com Autoruns-
It lists these startup items which i have also disabled-
ishost.exe File not found: ishost.exe
Power Policy Settings File not found: setupx.dll
Display Panning CPL Extension File not found: deskpan.dll
Tune-up Application Start.job File not found: walign
gel90xne File not found: C:\DOCUME~1\mutant\LOCALS~1\Temp\gel90xne.sys
viagfx File not found: system32\DRIVERS\vtmini.sys
rqrrqop File not found: rqrrqop.dll


Again, thank you very much for any help.


View attachment SAFEMODESCAN2CLEANMODErapport.txt

View attachment NORMALMODESCAN1rapport.txt

View attachment BITDEFENDER.txt

 

Here are the rest of my reports, I was unable to correctly load PandaScan as it came back with a browser error with ; Page cannot be loaded- interface/component-something' etc I enabled Active X and have Installed Java 5.0

Thank you