Pesky Pop-Ups such as 888.com, PartyPoker.com and AdultFriendFinder to name but a few

Discussion in 'Malware Help (A Specialist Will Reply)' started by adam_mcguigan, May 18, 2006.

  1. adam_mcguigan

    adam_mcguigan Private E-2

    Hi there, I'm currently having trouble with random pop-ups, which keep appearing every 15 mins or so. I looked at other people's threads with similar problems, but in the end I figured that I need your help.

    So I looked at the READ AND RUN ME FIRST post, and followed the instructions there. I uninstalled programs that seemed to be unusual, and then continued to use the downloaded tools. These were useful, and did find a few threats, but even after deleting these threats, the pop-ups are still there, and repeating scans usually finds a new threat. So, continuing on to use the online scanners, I found that when I used Bitdefender, my Internet Explorer would have to shut down, making it impossible to get a full scan.
    So now I'm not really sure what I should do.

    If it's any help, I noticed that when my internet connection was unplugged, every 15 mins or so it would try to connect.

    I used Hijack this, wondering if that is what you would want to look at, and this is what it came up with:


    Edit by chaslang: Inline log attached!


    Please help if you can, because 888.com pop-up is driving me crazy!!!
    Cheers
     

    Last edited by a moderator: May 19, 2006
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    You must follow ALL the steps in the READ & RUN ME and you must follow the directions in it. No logs should be posted inline. They must be attachments to your message.

    You need to complete ALL of step 6 of the READ ME and you must attach the two logs from the online scanners. Then attach a new HJT log.

    Let's get an installed programs list from HijackThis too!
    • Run HijackThis, click Open the Misc Tools section
    • Click Open Uninstall Manager
    • Click Save List (generates uninstall_list.txt)
    • Click Save, to save it to a file where you can find it.
    • Attach the uninstall_list.txt file to your next message.
    Is the below your expected start page?
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lessthanjake.com/

    Did you install some kind of screen saver that the below is used for? It is not a required application and should be removed unless you really need it.
    C:\WINDOWS\NCLAUNCH.EXe
     
    Last edited: May 19, 2006
  3. adam_mcguigan

    adam_mcguigan Private E-2

    Hi,

    Sorry about the way I posted the log, I didn't really understand what I was doing.

    So I followed step 7 again, and once again, BitDefender caused my Internet Explorer to shut down, so that didn't work. However, Panda ActiveScan gave the following results.

    As far as the homepage is concerned, that is my homepage but I have no idea what C:\WINDOWS\NCLAUNCH.EXe is, but when I try to delete it, it won't let me and says the file is in use or write protected.

    Also attached is a new Hijackthis log.

    Thanks.
     

  4. adam_mcguigan

    adam_mcguigan Private E-2

    Oh yeah, by the way here's the list of installed programs:

    Cheers
     

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First, go to Add/Remove programs and uninstall this: ltj_screensaver

    Now make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\WINDOWS\NCLAUNCH.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {2FFD4FB5-F404-0AF6-822D-BB105FBCD829} - C:\DOCUME~1\ADAMMC~1\APPLIC~1\WINDOW~1\FILE SOAP.exe (file missing)
    O4 - HKLM\..\Run: [SignFlawRefLog] C:\Documents and Settings\All Users\Application Data\Two Wma Sign Flaw\aboutwait.exe
    O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
    O4 - HKCU\..\Run: [RoadBurn] C:\DOCUME~1\ADAMMC~1\APPLIC~1\CAMPSE~1\Hide Meal Ace.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Documents and Settings\Adam McGuigan\Application Data\campsendball <--- delete this campsendball folder
    C:\Documents and Settings\Adam McGuigan\Application Data\WINDOW~1 <--- delete this whole folder. You will have to determine the real full name, BUT DO NOT delete a folder named Windows that is under Application Data. If not sure, just tell me what folders you find that begin with the letters Window
    c:\program files\MySearch <--- delete this MySearch folder
    C:\Documents and Settings\All Users\Application Data\Two Wma Sign Flaw <--- delete the whole folder
    c:\windows\NDNuninstall6_90.exe
    C:\WINDOWS\NCLAUNCH.EXe

    Additional step to delete files in the Downloaded Program Files folder :
    - Click Start, Run, and enter cmd in the box and click OK. This opens a command prompt window.
    - Enter the following command lines each followed by the enter key
    cd C:\WINDOWS\Downloaded Program Files\
    attrib -r -h -s activex.*
    del activex.inf
    del activex.ocx
    exit

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.
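
As an added example (not part of the thread, and not a MajorGeeks or HijackThis tool), the O2 and O4 lines listed in the reply above can be parsed and triaged with a short script. The flag names and path heuristics are assumptions of this example.

```python
import re

# Entries quoted in the reply above (O2 = browser helper object, O4 = Run-key autostart).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {2FFD4FB5-F404-0AF6-822D-BB105FBCD829} - C:\DOCUME~1\ADAMMC~1\APPLIC~1\WINDOW~1\FILE SOAP.exe (file missing)
O4 - HKLM\..\Run: [SignFlawRefLog] C:\Documents and Settings\All Users\Application Data\Two Wma Sign Flaw\aboutwait.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [RoadBurn] C:\DOCUME~1\ADAMMC~1\APPLIC~1\CAMPSE~1\Hide Meal Ace.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<path>.+)$")
MISSING = "(file missing)"


def triage_flags(path, missing):
    """Illustrative path heuristics (an assumption of this example, not HijackThis logic)."""
    p = path.lower()
    flags = []
    # Autostart target living under a profile's Application Data folder.
    if "\\application data\\" in p or "\\applic~1\\" in p:
        flags.append("appdata")
    # 8.3 short names hide the real folder name, so resolve them before deleting.
    if re.search(r"~\d", p):
        flags.append("short-name")
    # Registry entry whose target file is already gone.
    if missing:
        flags.append("file-missing")
    return flags


def parse_entries(log_text):
    """Parse O2/O4 lines into dicts; other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line) or O4_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["section"] = line[:2]
        entry["missing"] = entry["path"].endswith(MISSING)
        if entry["missing"]:
            entry["path"] = entry["path"][: -len(MISSING)].rstrip()
        entry["flags"] = triage_flags(entry["path"], entry["missing"])
        entries.append(entry)
    return entries


if __name__ == "__main__":
    for e in parse_entries(SAMPLE_LOG):
        # An empty flag list is not a verdict: NCLAUNCH.EXe matches none of these heuristics.
        print(e["section"], e["name"], e["flags"] or "-", e["path"], sep=" | ")
```

The short-name flag corresponds to the WINDOW~1 caution in the reply: the 8.3 alias has to be resolved to the real folder name before anything is deleted.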
     
  6. adam_mcguigan

    adam_mcguigan Private E-2

    Hi again,

    Ok so I think I've done everything on the list, things are going OK so far.

    Here is the latest Hijackthis log:
     

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  8. adam_mcguigan

    adam_mcguigan Private E-2

    THANK YOU!!!

    Everything seems to be in working order - and I haven't had any pop-ups for over an hour so I'm guessing it's done the trick!!!

    I really can't thank you enough, I can finally surf the net without the constant annoyance of those pop-ups!

    Thanks again,

    Adam.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
