PeopleOnPage

Discussion in 'Malware Help (A Specialist Will Reply)' started by Deathtopopups, May 18, 2005.

  1. Deathtopopups

    Deathtopopups Private E-2

    Hi, D2P here again... This time with something a little more stealthy and harder to pinpoint with my cleaners... I've been getting several notifications about my trojanhunter finding PeopleOnPage, and any time I open up IE there are countless popups, spybot does find it, removes it, but it always finds its way back, I've looked through my add/remove programs list and haven't found anything strange there. I was just seeing if I could get any help from you guys, I've gone through the normal process of removing trojans and running scans, so, ready whenever you guys are!
     
    Deathtopopups, May 18, 2005
    #1
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure what you mean by
    so please follow the steps below.

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus RemovalMake sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    After doing ALL of the above you still have a problem:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
    chaslang, May 18, 2005
    #2
  3. Deathtopopups

    Deathtopopups Private E-2

    Alright, sorry, I wasn't able to make it on yesterday, but what I meant by the normal running of scans, etc, was that I went through your instructions and it didn't come off, I'll have the hjt file attached. Thanks.
     

    Attached Files:

    Deathtopopups, May 21, 2005
    #3
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not run the TrendMicro and Symantec online scanners. See step 1 of the Scanning And Cleaning Steps in the READ ME FIRST.

    Please follow my directions for HijackThis
    - you have the wrong version
    - you did not exit ALL browser sessions ( C:\Program Files\Internet Explorer\iexplore.exe )

    Try again!

    Note: Ares is know to contain adware!

    To avoid any further delays and because I may not be around much tomorrow, after addressing the above, follow the steps below:

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.

    C:\WINDOWS\system32\glmmp32.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - (no file)
    O3 - Toolbar: (no name) - {ED46E61C-C391-49ED-82F8-A3DCAA44671F} - (no file)
    O4 - HKCU\..\Run: [I02FRSM3R] glmmp32.exe
    O9 - Extra button: mSpace Toolbar - {ED46E61C-C391-49ED-82F8-A3DCAA44671F} - (no file)
    O9 - Extra 'Tools' menuitem: mSpace Toolbar - {ED46E61C-C391-49ED-82F8-A3DCAA44671F} - (no file)
    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/DownloadAccess/ie/bridge-c10.cab

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:

    C:\WINDOWS\system32\glmmp32.exe

    If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
    Last edited: May 21, 2005
    chaslang, May 21, 2005
    #4
  5. Deathtopopups

    Deathtopopups Private E-2

    Mk, I ran the online scans, I got 5 unfixable problems from Trend Micro's..
    I followed the rest of the instructions, but after the reboot, to run a new HJT scan I ran spybot and it found PeopleOnPage again, and here is the new logfile again. Hopefully it will work out this time if it didn't already.
     

    Attached Files:

    Deathtopopups, May 22, 2005
    #5
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please list any filenames and paths that Trend Mrco gave you for the items it could not fix.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.

    C:\WINDOWS\system32\mseul1591.exe

    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll (file missing)
    O4 - HKLM\..\Run: [33tP32g] mseul1591.exe
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\mseul1591.exe

    If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.


    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
    chaslang, May 22, 2005
    #6
  7. Deathtopopups

    Deathtopopups Private E-2

    I'm not finding a way to transfer the files found from Trend Micro to here so you can see them, no copy/paste, nor can I see the 5 files, except for the beginning of the file name. And I followed your instructions again. Here is the new hijack this file. Thanks tons!
     

    Attached Files:

    Deathtopopups, May 26, 2005
    #7
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must remember to exit browsers ( C:\Program Files\Internet Explorer\iexplore.exe ) before running HijackThis.

    You have one item remaining to fix!


    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\AutoUpdate <--- the whole folder
    If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
    chaslang, May 27, 2005
    #8
  9. Deathtopopups

    Deathtopopups Private E-2

    Heh, I can't believe me.. I always forget to close IE for some reason.. Anyway, I got everything done, haven't had a pop up as of yet. But here is the, hopefully, last HJT log I'll have to post, thanks tons Chaslang!
     

    Attached Files:

    Deathtopopups, May 28, 2005
    #9
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    chaslang, May 29, 2005
    #10

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds