Pop-ups and Mozilla not working

Discussion in 'Malware Help (A Specialist Will Reply)' started by JohnnyVan, Apr 24, 2005.

  1. JohnnyVan

    JohnnyVan Private E-2

    First off, I did read the DO NOT POST UNTIL YOU HAVE READ THIS: How to: Spyware, Trojan And Virus Removal thread and did everything there.

    Briefly, last week I got a popup message asking if I wanted to upgrade to the most current version of Ad-Aware. I have Ad-Aware and knowing that it was a very good program I clicked yes I wanted to get the most current. It's possible I misread the message but I know what I got was not a new version of Ad-Aware and among other things I got Ad-Destroyer (which doesn't destroy ads btw, it invites them in.) I've spent the last week fighting spyware and at least one keylogger.

    But it's not fixed and my current problems are:

    1) I'm still getting popups. Much less than a few days ago but they are still there.

    2) I still can't get Mozilla Firefox to work. (I've removed, scanned and reinstalled and still no luck.)

    3) Anything I've messed up while trying to fix the rest.

    I've run through everything on the link above except for some reason I couldn't run RavAntivirus (I can't remember why at the moment).

    Notable things:
    Norton's anti-virus found:
    pho_prob.exe
    dlmax.dll

    Delete failed

    Trend Micro's Free Online Virus Scan:

    EXPL IFRAMEDBO.A - Non Cleanable
    C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\STQFSDEE3\Counter[1].js

    TSPY DLOADER.D - Non Cleanable
    C:\WINDOWS\SYSTEM32\lypjcyf.exe

    CC Cleaner:
    Analyze found:
    C:\WINDOWS\TEMP\THI6311.tmp\dlmax.inf 407 bytes
    C:\WINDOWS\TEMP\THI6311.tmp\dlmax.dll 0.16 MB
    C:\WINDOWS\TEMP\DrTemp\bho_prob.exe 69.00 KB

    But when I choose "Run Cleaner" I get the message it was complete but 0 bytes removed.

    BitDefender Online:
    C:\WINDOWS\TEMP\DrTemp\bho_prob.exe Infected with: Trojan.Downloader.Agent.AF
    C:\WINDOWS\TEMP\DrTemp\bho_prob.exe Disinfection failed
    C:\WINDOWS\TEMP\DrTemp\bho_prob.exe Delete failed

    And I keep running into recurring files in my attempts
    IE Plugin: C:\Windows\lu.dat
    pho_prob.exe
    dlmax.dll

    Hopefully someone sees this and thinks "obviously <fill in the blank> is the problem, just do this".
     
  2. JohnnyVan

    JohnnyVan Private E-2

    Update

    I was able to manually remove:
    C:\WINDOWS\TEMP\THI6311.tmp\dlmax.inf 407 bytes
    C:\WINDOWS\TEMP\THI6311.tmp\dlmax.dll 0.16 MB
    C:\WINDOWS\TEMP\DrTemp\bho_prob.exe 69.00 KB

    So far (knock on wood) I haven't gotten any more pop-ups. But Mozilla Firefox still isn't working so I don't think I am clean yet.

    Is there any registry work that goes along with removing those files?
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you want us to double check to see if you are clean, follow the steps below:


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  4. JohnnyVan

    JohnnyVan Private E-2

    I definitely would like to make sure I'm clean. I'm pretty sure there were a couple of others before ABetterInternet. I'm also wondering if there is something left that is interfering with Mozilla Firefox working.

    I've attached the log here.
     

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is rather strange to have two of these Quicktime tasks loaded and running at startup. Note neither of them is really needed. At a minimum, you should at least add one of them to the list of things below for HijackThis to fix.
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [QD FastAndSafe] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    You should install HijackThis in a folder similar to what we requested. Installing to the Desktop is not a good idea because HJT needs to create backups and the Desktop is not a safe place to store them. Also other user accounts will not be able to find the program and run it since it is not on their Desktop.
    C:\Documents and Settings\Johnny.JOHNNYSLAPTOP.000\Desktop\Major Geek software\HijackThis.exe

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O4 - HKLM\..\Run: [NQBYENC] C:\WINDOWS\NQBYENC.EXE
    O4 - HKLM\..\Run: [KNHTDLL] C:\WINDOWS\KNHTDLL.EXE
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O15 - Trusted Zone: *.musicmatch.com <-- nothing belongs in the Trusted Zone
    O15 - Trusted Zone: *.musicmatch.com (HKLM) <-- nothing belongs in the Trusted Zone
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/02e9bff5e1ff8db49900/netzip/RdxIE601.cab

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\NQBYENC.EXE
    C:\WINDOWS\KNHTDLL.EXE

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if it is running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST). Now if running Win XP go to C:\WINDOWS\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
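    The registry locations behind the HijackThis line types used above (O2, O4, O9, O15, O16), as an added example that is not part of the original thread: this PowerShell script reports entries in those locations that match the same symptoms chaslang is fixing (a BHO with no file, a Run entry whose image is missing or sits in the Windows folder, an IE extension whose target is missing, domains in the Trusted Zone, ActiveX downloads), and with -Remove deletes the value or key and then clears the read-only attribute, kills the process and deletes the file, mirroring the manual steps above. The Run-entry heuristic and the decision to leave O16 entries untouched are this example's own assumptions, not HijackThis rules; run it from an elevated prompt, and use -WhatIf first.

```powershell
# Added example, not from the original thread: a PowerShell audit of the registry
# locations HijackThis summarises as O2/O4/O9/O15/O16, so items like the ones
# listed above can be checked without HJT and, with -Remove, taken out the same
# way (value or key deleted, then the Run-entry image cleared of ReadOnly, its
# process killed and the file deleted, mirroring the manual steps in the thread).
# Run elevated. Reports only unless -Remove is given; -WhatIf shows what -Remove
# would do. The O4 heuristic (image missing, or sitting directly in %windir% like
# NQBYENC.EXE did) is an assumption for this demo, not a signature for any malware.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remove)

function Expand-ImagePath {
    # '"C:\x\y.exe" -flag' -> C:\x\y.exe ; an unquoted command keeps its first token.
    param([string]$Command)
    if (-not $Command) { return $null }
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    $end = $c.IndexOf('"', 1)
    if ($c.StartsWith('"') -and $end -gt 1) { return $c.Substring(1, $end - 1) }
    return ($c -split '\s+')[0]
}

function Remove-ImageFile {
    # The manual recipe from the thread: clear ReadOnly, stop any process running
    # from the file, then delete it.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    (Get-Item -LiteralPath $Path -Force).IsReadOnly = $false
    Get-Process | Where-Object { $_.Path -and ($_.Path -ieq $Path) } | Stop-Process -Force
    Remove-Item -LiteralPath $Path -Force
}

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Kind, $Path, $Name, $Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Path = $Path; Name = $Name; Detail = $Detail })
}

# O4: HKLM Run values whose image is missing or lives directly in %windir%.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-Item $runKey
foreach ($name in $run.GetValueNames()) {
    $img = Expand-ImagePath $run.GetValue($name)
    if (-not $img) { continue }
    if (-not (Test-Path -LiteralPath $img) -or ((Split-Path $img -Parent) -ieq $env:windir)) {
        Add-Finding 'O4' $runKey $name $img
    }
}

# O2: Browser Helper Objects whose CLSID has no InprocServer32 DLL on disk ("(no file)").
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
foreach ($k in Get-ChildItem $bhoKey -ErrorAction SilentlyContinue) {
    $server = "HKLM:\SOFTWARE\Classes\CLSID\$($k.PSChildName)\InprocServer32"
    $dll = if (Test-Path $server) { Expand-ImagePath (Get-ItemProperty $server).'(default)' }
    if (-not $dll -or -not (Test-Path -LiteralPath $dll)) { Add-Finding 'O2' $k.PSPath $k.PSChildName '(no file)' }
}

# O9: IE toolbar buttons / Tools-menu items whose Exec target is missing.
$extKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Extensions'
foreach ($k in Get-ChildItem $extKey -ErrorAction SilentlyContinue) {
    $exec = Expand-ImagePath (Get-ItemProperty $k.PSPath).Exec
    if ($exec -and -not (Test-Path -LiteralPath $exec)) { Add-Finding 'O9' $k.PSPath $k.PSChildName "$exec (file missing)" }
}

# O15: domains mapped into the Trusted sites zone (zone id 2), per user and per machine.
foreach ($hive in 'HKCU', 'HKLM') {
    $domKey = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
    foreach ($k in Get-ChildItem $domKey -Recurse -ErrorAction SilentlyContinue) {
        $item = Get-Item $k.PSPath
        $domain = $k.Name -replace '^.*\\Domains\\', ''
        foreach ($scheme in $item.GetValueNames()) {
            if ($item.GetValue($scheme) -eq 2) { Add-Finding 'O15' $k.PSPath $domain "$scheme -> Trusted ($hive)" }
        }
    }
}

# O16: ActiveX controls recorded in Downloaded Program Files, with their CODEBASE URL.
# Listed for review only; -Remove leaves them alone because many are legitimate.
$dpfKey = 'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units'
foreach ($k in Get-ChildItem $dpfKey -ErrorAction SilentlyContinue) {
    $cb = (Get-ItemProperty "$($k.PSPath)\DownloadInformation" -ErrorAction SilentlyContinue).CODEBASE
    Add-Finding 'O16' $k.PSPath $k.PSChildName $cb
}

$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $findings | Where-Object { $_.Kind -ne 'O16' }) {
        if ($f.Kind -eq 'O4') {
            # A Run entry is a value under the Run key; delete it, then its image file.
            if ($PSCmdlet.ShouldProcess("$($f.Path)\$($f.Name)", 'remove value and image')) {
                Remove-ItemProperty -Path $f.Path -Name $f.Name
                Remove-ImageFile $f.Detail
            }
        } elseif ($PSCmdlet.ShouldProcess($f.Path, 'remove key')) {
            # O2/O9/O15 entries are whole subkeys.
            Remove-Item -Path $f.Path -Recurse
        }
    }
}
```

    Run it once without switches and compare the table against the HJT log; an entry that HJT shows but the script does not is usually in HKCU rather than HKLM, which the script only checks for O15. As in the thread, close every browser window before -Remove, since a running browser keeps BHO DLLs loaded and the process kill only covers the Run-entry image.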
     
  6. JohnnyVan

    JohnnyVan Private E-2

    I did as you suggested. I chose to remove:
    O4 - HKLM\..\Run: [QD FastAndSafe] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    And checked and removed all the items in the list.

    I had managed to remove these last night finally:
    C:\WINDOWS\NQBYENC.EXE
    C:\WINDOWS\KNHTDLL.EXE

    After I removed those files last night things seem to be working. At least no pop-ups at all. Mozilla Firefox still does not work. Where should I post about it, or do you think it is still related?
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Explain what you mean by FireFox does not work.

    Exactly what happens when you run it?

    Do you have a firewall installed? If so, did you allow firefox to access the internet thru the firewall?
     
  8. JohnnyVan

    JohnnyVan Private E-2

    First off it launches abnormally slowly. Easily 5 or 6 times as long to open as it used to. Once it is open, absolutely nothing works. You can't open any of the menus or type in the URL field.

    I have given it access through the firewall. I have tried temporarily disabling Norton Internet Security's firewall and it makes no difference. I've removed Firefox, rebooted, re-downloaded the installer and then reinstalled it. Still no difference.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you try the uninstall, reboot, reinstall after the fixes we just made?

    Also post a new HJT log! Let's make sure everything was fixed.

    Also try running these online scans to see if they detect anything:

    Bitdefender
    RavAntivirus <-- select Auto Clean then click Scan My PC
    TrojanScan
     
  10. JohnnyVan

    JohnnyVan Private E-2

    Oh how exciting! :D

    I ran those three checks. The first found something in Norton's quarantine, the second found something in Microsoft AntiSpyware's quarantine and the third found nothing.

    I thought I had tried what you suggested for Firefox but did it again just in case. This time when I rebooted I went into safe mode and did searches and deleted anything related to "Firefox" or "Mozilla". Now this message is brought to you through Firefox!

    So now I'm busy with the registry. I'm cleaning Registry Medic.

    I assume you meant upload and not post my HJT file so I attached it here

    BTW - my score on 3DMark2001se didn't change noticeably. Should it have?
     

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your HJT log is clean.

    Sorry but this is the Spyware Forum, not the benchmarking forum. If you have questions about system benchmarking you would be better off asking them in the Software or possibly the Hardware Forums.
     
