iframe, object windows.. spyware?

Discussion in 'Malware Help (A Specialist Will Reply)' started by onlyfoaday, Mar 14, 2005.

  1. onlyfoaday

    onlyfoaday Private E-2

    just need some quick help with this. it started about 1 hour ago. some windows of "iframe" or "object" (both with ok buttons) pop-up on the screen, sometimes ads are loaded and the internet browser closes with no reason. i don't know if it belongs in the right forum, but i need some help. how to stop/remove this?
    thanks
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    To help us to best help you, please follow the steps below closely and in the order given and do not skip anything. If you have any difficulty, please post back letting us know what steps you have completed, what you found while doing the scans if anything along with details about any problems you may have encountered in completing the steps. The more details you can provide the better. Don't be afraid to ask for additional help if you don't understand something!

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal. Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If after doing ALL of the above you still have a problem:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. onlyfoaday

    onlyfoaday Private E-2

    right.. tried some thing from the previous post. still don't know what to do. used hijack this (along with 3 other ad removal programs). here's the log file:
     
    Last edited by a moderator: Mar 14, 2005
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please pay close attention to forum guidelines!

    First:

    Please update to Hijack This 1.99.1 and attach a new log using the new version.

    Second:

    Please EXTRACT HijackThis from the ZIP File to a Safer location. Here's how:

    To create a new folder:
    Click START > My Computer > Local Disk C: > Program Files
    Now, Right Click on an Empty Area and select New > Folder & name it HijackThis and ENTER

    To Extract HijackThis:
    Now, Right Click your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder
    (C:\Program Files\HJT) and click Next.

    Now run HJT from there. Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    The reason HJT needs its own safe folder is so that backups will be safely preserved. That way, if a mistake is made in the removal process, the mistakenly deleted entry can be restored.

    Third:

    Please close ALL browsers when running HJT.

    Fourth:

    Please attach the new log to your post as an attachment. Use the Manage Attachments feature to do this.

    Chaslang will be back when time permits to check the new log, Hang in there:)
     
  5. onlyfoaday

    onlyfoaday Private E-2

    *sigh* i just wanted an answer, not tutorials of how the forums work.
    hjt complete file, uploaded the right way.
    c'mon guys, make my day
     

    Attached Files:

  6. seaside

    seaside Corporal

    some sort of a nice guy you are my son. take it to a repair shop, with your all knowing attitude you should get well conned. cash, thug and the rest of this motley crew fix problems for free
    just be nice dude
     
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    No one gave you anything about how the forum works, you received basic cleanup procedures that must be followed before we provide assistance. We have guidelines that MUST be followed in order to best assist you.

    You must update your version of Hijack This. Please download Hijack This 1.99.1 and attach a new log using this new version.

    It's very important that you follow our forum guidelines, they are here for your benefit.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member


    What is it that you want an answer to?

    You have a bunch of problems that are apparent from the old version of HJT and even more would show in a new version.

    Do you want us to help you fix the problems?

    If so, run the clean up tutorial and then, if you still have a problem, follow the steps on getting the correct version of HJT installed correctly and post a log.
     
  9. onlyfoaday

    onlyfoaday Private E-2

    sorry about my attitude, just kinda stressed on this, so i'm not in my normal mood right now.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But have you run all steps of the READ ME FIRST? It does not look like it.

    Also browsers must be closed before running when using HJT.

    What is this?
    C:\DOCUME~1\Daniel\CONFIG~1\Temp\iexplore.exe

    No valid iexplore.exe should be there.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\System32\mkovzf.exe
    C:\DOCUME~1\Daniel\CONFIG~1\Temp\iexplore.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://aflashcounter.com/?a=2&b=xyz
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://aflashcounter.com/?a=2&b=xyz
    O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
    O2 - BHO: (no name) - {254B35AB-8CCF-C7CD-9940-11E9AF16193E} - C:\WINDOWS\System32\woqovau.dll
    O2 - BHO: (no name) - {BC295A8D-1054-ADD2-7921-4933BA265D3F} - C:\WINDOWS\System32\feuimu.dll
    O2 - BHO: (no name) - {E28F3C4D-D1F3-7C75-7D67-5249323C3D8E} - (no file)
    O4 - HKLM\..\Run: [wpncfjgu] C:\WINDOWS\System32\mkovzf.exe
    O4 - HKLM\..\Run: [ThreadMode] C:\DOCUME~1\Daniel\CONFIG~1\Temp\iexplore.exe
    O4 - HKLM\..\RunOnce: [C:\DOCUME~1\Daniel\CONFIG~1\Temp\br.exe] C:\WINDOWS\system32\cmd.exe /c del "C:\DOCUME~1\Daniel\CONFIG~1\Temp\br.exe" >nul
    O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINDOWS\System32\dhdhm.exe
    O9 - Extra button: ru-br - {AF0828BC-CB46-4C8D-95B6-8A7C4988F9FF} - c:\ru-br\0.html (file missing)
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN_XP.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - file://c:\x.cab
    O16 - DPF: {5F426A93-0821-47D2-A126-5A48A874B289} (DialerWeb Class) - http://212.145.159.194/251065/dialercab/WebRecomendada.cab
    O16 - DPF: {FE4BBEA8-1EFD-4B8A-BD1B-341CCDBEEAA6} (Dhsigned Control) - http://ads.dealhelper.com/updates/DealHelperNew.cab


    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:

    C:\WINDOWS\System32\mkovzf.exe
    C:\DOCUME~1\Daniel\CONFIG~1\Temp\iexplore.exe
    C:\DOCUME~1\Daniel\CONFIG~1\Temp\br.exe
    C:\WINDOWS\dlmax.dll
    C:\WINDOWS\System32\woqovau.dll
    C:\WINDOWS\System32\feuimu.dll
    c:\ru-br\0.html

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.


    Now run Ccleaner, downloaded while running the READ ME FIRST.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
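
The location check applied in posts 10 and 11 (an `iexplore.exe` autostarting from a Temp folder is not a valid copy), written as a small triage script over HijackThis O4 and O2 lines. This is an added example, not part of the thread and not HijackThis code; `triage`, the regexes, `EXPECTED_DIRS` and the `ExampleTray` line are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Entries quoted from the HijackThis lines in the post above, plus one
# constructed benign line (ExampleTray) for contrast.
SAMPLE_LOG = r"""
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
O2 - BHO: (no name) - {E28F3C4D-D1F3-7C75-7D67-5249323C3D8E} - (no file)
O4 - HKLM\..\Run: [wpncfjgu] C:\WINDOWS\System32\mkovzf.exe
O4 - HKLM\..\Run: [ThreadMode] C:\DOCUME~1\Daniel\CONFIG~1\Temp\iexplore.exe
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>.*?)\] (?P<cmd>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")

# Assumption: a default install on C:, where iexplore.exe lives only here.
EXPECTED_DIRS = {"iexplore.exe": r"c:\program files\internet explorer"}

def triage(log):
    """Return (entry, reason) pairs for autoruns and BHOs worth a closer look."""
    findings = []
    for line in log.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            exe = re.match(r'"?(.+?\.exe)', m["cmd"], re.I)  # drop any arguments
            if not exe:
                continue
            path = PureWindowsPath(exe.group(1))
            if "temp" in (part.lower() for part in path.parts):
                findings.append((m["name"], "autorun from a Temp directory"))
            home = EXPECTED_DIRS.get(path.name.lower())
            if home and str(path.parent).lower() != home:
                findings.append((m["name"], f"{path.name} outside {home}"))
        elif m := O2_RE.match(line):
            if m["path"] == "(no file)":
                findings.append((m["clsid"], "orphaned BHO registration (no file)"))
    return findings

if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{entry}: {reason}")
```

The randomly named `mkovzf.exe` in System32 passes these location rules, so a check like this supplements a manual review of the log rather than replacing it.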
     
  12. onlyfoaday

    onlyfoaday Private E-2

    problem solved. after deleting files pop-up windows stopped.
    thanks a lot for your support, patience and sorry about any inconvenience.
    bye
     
  13. seaside

    seaside Corporal

    ah gratitude !!!!!!!!!!!!!! he will be back lol
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! You really should post the follow up HJT log so we can make sure everything is gone.
     
