popups,adfarm,gad,casinos and other such horrors

Discussion in 'Malware Help (A Specialist Will Reply)' started by bonjour1, Aug 10, 2006.

  1. bonjour1

    bonjour1 Private E-2

    Hello, I hope I get this post right, I've read the read thisses but am a self-confessed novice who needs some serious help. My computer gets used by several family members and inevitably picks up spyware from time to time. Usually I'm able to get rid of the nasties using spybot or adaware but not this time. I have been experiencing popups, mostly for casino sites, porn sites and various others. I've followed your "read and run me first" and both bitdefender and panda showed up some nasties, not all of which were resolved. I attach the logs for these and my hijack this log. Hope you can help me. Thanks in advance.
     

    Attached Files:

  2. bonjour1

    bonjour1 Private E-2

    Oops, I forgot to post these.
     

    Attached Files:

  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    • Save it to your desktop or a place easy to find.
    • Do not run it yet
    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R3 - Default URLSearchHook is missing

    O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

    O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} - http://www.miniclip.com/inflaterball/miniclipGameLoader.dll
    O16 - DPF: {38D63471-E630-4492-A986-B8C48B79F2F8} (CVideoEgg_ActiveXCtl Object) - http://update.videoegg.com/wintel/VideoEggPublisher.exe
    O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/ricochet/ReflexiveWebGameLoader.cab

    Again, make sure ALL browser windows are closed when you click FIX.

    Next, run CCleaner to clean up cookies and temp files.

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:/WINDOWS/Downloaded Program Files/bdupd.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.


    Now, Copy and Paste C:/WINDOWS/Downloaded Program Files/bdcore.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    Once you have completed this post and have rebooted back into normal mode, let me know how things are running and what problems, if any, remain.
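The HijackThis entries above are just text lines with a stable shape (section code, a dash, then a body that may carry a CLSID, a path or a download URL), and a helper reads them the same way every time: dead references marked "(file missing)" are safe to remove, the R3 line says the default search hook is gone, O4 lines are autostarts to verify, and O16 lines are ActiveX controls the browser pulled down from a third-party host. The script below is an added example, not part of the original thread or of HijackThis itself: it parses the seven entries quoted in this post (copied here as constructed sample input) and applies that triage. The `TRUSTED_DPF_HOSTS` allowlist is an assumption made for the example; an O16 entry outside it is flagged for review, not declared malicious.

```python
import re
from urllib.parse import urlparse

# Constructed sample input: the HijackThis entries the helper asked to be fixed,
# copied from the post above. A real log has many more sections (O2, O20, O23 ...).
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} - http://www.miniclip.com/inflaterball/miniclipGameLoader.dll
O16 - DPF: {38D63471-E630-4492-A986-B8C48B79F2F8} (CVideoEgg_ActiveXCtl Object) - http://update.videoegg.com/wintel/VideoEggPublisher.exe
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/ricochet/ReflexiveWebGameLoader.cab
"""

# Assumption for this example: hosts from which ActiveX downloads are expected.
# Anything else is flagged for review, not declared malicious.
TRUSTED_DPF_HOSTS = {"update.microsoft.com", "www.update.microsoft.com", "download.microsoft.com"}

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"https?://\S+")


def parse_entry(line):
    """Split one HJT line into section, body, CLSID, URL/host and the (file missing) flag."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    clsid = CLSID_RE.search(body)
    url = URL_RE.search(body)
    host = urlparse(url.group(0)).hostname if url else None
    return {
        "section": m.group("section"),
        "body": body,
        "clsid": clsid.group(0) if clsid else None,
        "url": url.group(0) if url else None,
        "host": host.lower() if host else None,
        "file_missing": "(file missing)" in body,
    }


def triage(log_text, trusted_hosts=TRUSTED_DPF_HOSTS):
    """Return the entries worth acting on, each with the reason it was selected."""
    findings = []
    for line in log_text.strip().splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        if e["file_missing"]:
            reason = "references a file that no longer exists; dead entry, safe to fix"
        elif e["section"] == "R3" and "is missing" in e["body"]:
            reason = "default URLSearchHook missing; fixing restores the default"
        elif e["section"] == "O16" and e["host"] and e["host"] not in trusted_hosts:
            reason = f"ActiveX control downloaded from untrusted host {e['host']}"
        elif e["section"] == "O4":
            reason = "autostart entry; confirm the executable is something you installed"
        else:
            continue
        findings.append({**e, "reason": reason})
    return findings


def dpf_hosts(findings):
    """Distinct download hosts among the flagged O16 entries."""
    return sorted({f["host"] for f in findings if f["section"] == "O16"})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:4} {f['reason']}")
        print(f"     {f['body']}")
```

Running it against the sample flags all seven lines and reduces the three O16 entries to two download hosts, which is the question a helper actually asks of an O16 block: where did the browser fetch code from, and was that expected.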
     
  4. bonjour1

    bonjour1 Private E-2

    Hello, thanks for your help. I followed your instructions but I still seem to have a problem. After I rebooted, a Windows Installer box came up with "preparing to install" in it. This was followed by another box which said something like "Norton Antivirus does not support the repair feature, please uninstall and re-install". Not wanting to trust this, I closed the boxes and continued. The PC was very slow and within minutes of being online a full-page popup from musicjustfree.com reared its ugly head. Looking at the blue bar at the bottom of my screen now I can see that ~http : // adfarm.mediaplex. com - HTTP 404 - not found - Microsoft Internet Explorer has just appeared again. As I typed this another box titled "Automatic Updates" popped up, saying "Updating your computer is almost complete. You must restart your computer for the updates to take effect. Do you want to restart your computer now?" I'm going to choose the restart later option, just in case. I'll do a HijackThis scan and post the log in a minute.
     
    Last edited by a moderator: Aug 11, 2006
  5. bonjour1

    bonjour1 Private E-2

    Here's the hijackthis log. While I'm typing this a Winfixer popup has appeared. The Automatic Install box keeps appearing every few minutes too.
     

    Attached Files:

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log looks good, let's run Spy Sweeper and see if it comes up with anything.

    Running Spy Sweeper...
     
  7. bonjour1

    bonjour1 Private E-2

    Hello again,

    I tried what you suggested but had problems. Spy Sweeper installed but there was a message that it was damaged - please re-install. I did that but on rebooting the Windows Installer box came up again (I think it is something to do with Norton virus scan) and once again Spy Sweeper was damaged. When Spy Sweeper was opened anyway there was an error "Hosts file too large". I decided to take a break from wrestling with the problem and check my e-mails. Outlook would not do a send/receive at all. I exited Spy Sweeper completely and that allowed Outlook to function properly.

    Attached is the latest HJT log.
     

    Attached Files:

  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You can uninstall Spy Sweeper, your HJT log looks good. Follow the below to clean up the HOSTS file.

    Please download HOSTER and then follow the below steps.
    • Unzip HOSTER to a convenient folder such as C:\Hoster

    • Run Hoster.exe, click Restore Original Hosts and then click OK.

    • Click the X to exit the program.

    Once you complete this, reboot and let me know if any problems remain.
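The "Hosts file too large" error and the restore step above point at the same file, so it is worth being clear about what a HOSTS audit should actually look for. Size alone proves little: anti-spyware and ad-blocking tools legitimately add thousands of loopback entries, and a full restore such as Hoster's wipes those along with anything hostile. The dangerous lines are the ones that redirect update servers, security vendors or help sites, either to a foreign address (traffic goes to the attacker) or to loopback (updates and downloads silently fail). The script below is an added example, not part of the original thread or of the Hoster tool: it parses a constructed HOSTS file and separates plain blocklist entries from redirected and blackholed protected hosts. The `PROTECTED_SUFFIXES` list is an assumption chosen for the example from the vendors this thread mentions, the hijack address 203.0.113.5 is a documentation (TEST-NET-3) address, and `minimal_hosts()` is assumed to be equivalent to a restored default, which the thread does not show.

```python
import ipaddress

# Assumption for this example: hosts that must never be redirected or blackholed
# if the machine is to update itself and reach help sites. Matched by suffix.
PROTECTED_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "symantec.com",
    "symantecliveupdate.com", "majorgeeks.com",
)

# Constructed sample HOSTS file: a normal header, several thousand loopback
# entries of the kind ad-blocking tools add, and a few hijack lines that
# point vendor hosts at a TEST-NET-3 address (never a real destination).
SAMPLE_HOSTS = "\n".join(
    [
        "# Copyright (c) 1993-1999 Microsoft Corp.",
        "#",
        "127.0.0.1       localhost",
        "# --- blocklist entries (constructed) ---",
    ]
    + [f"127.0.0.1  ad{i}.adserver.test" for i in range(3000)]
    + [
        "# --- hijack entries (constructed) ---",
        "203.0.113.5  liveupdate.symantecliveupdate.com   # trailing comment",
        "203.0.113.5  www.symantec.com",
        "127.0.0.1    windowsupdate.microsoft.com update.microsoft.com",
        "127.0.0.1    www.majorgeeks.com",
        "not-an-ip    broken.line.test",
    ]
)


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            yield ip, host.lower()


def is_protected(host):
    """True when the name is a protected domain or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text):
    """Classify entries: redirected vendor hosts are the dangerous ones, not the file size."""
    report = {"total_entries": 0, "hijacked": [], "blackholed": [], "blocklist_entries": 0}
    for ip, host in parse_hosts(text):
        report["total_entries"] += 1
        if host == "localhost":
            continue
        sinkhole = ip.is_loopback or ip.is_unspecified
        if is_protected(host):
            key = "blackholed" if sinkhole else "hijacked"
            report[key].append((str(ip), host))
        elif sinkhole:
            report["blocklist_entries"] += 1
    return report


def minimal_hosts():
    """The smallest valid HOSTS file: only the loopback name. Restoring it also
    drops every blocklist entry a tool added, which is the trade-off of a full restore."""
    return "127.0.0.1       localhost\n"


if __name__ == "__main__":
    r = audit_hosts(SAMPLE_HOSTS)
    print(f"{r['total_entries']} entries, {r['blocklist_entries']} plain blocklist lines")
    for ip, host in r["hijacked"]:
        print(f"HIJACKED   {host} -> {ip}")
    for ip, host in r["blackholed"]:
        print(f"BLACKHOLED {host} -> {ip}")
```

On the sample this reports 3006 entries of which 3000 are harmless blocklist lines, two vendor hosts sent to a foreign address and three update or help hosts blackholed; those five lines are what a full restore is really there to remove. On Windows XP the file lives at %SystemRoot%\system32\drivers\etc\hosts, and a first check before any tool is run is simply whether any non-loopback address appears in it at all.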
     
  9. bonjour1

    bonjour1 Private E-2

    All appears OK now. PC seems a bit quicker than it has been for a long time too. Many thanks BJ, you're a star.
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  11. bonjour1

    bonjour1 Private E-2

    Aaargh!! Less than a day later they're back twice as bad. Same rubbish: casinos, winantivirus, sex-explorer, etc., etc. No one in the house claims to have visited any suspect sites but I did notice my daughter on miniclip games, which I suspect as a possible source. As usual Adaware and Spybot don't detect it. I've now installed ZoneAlarm as suggested. It is detecting and blocking intrusion attempts about every 30 seconds to a minute, but obviously this scum is already inside. Sorry to bother you busy guys again, but can you help?

    I've posted an updated HJT log.
     

    Attached Files:

  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log looks ok, what problems are you having?
     
  13. bonjour1

    bonjour1 Private E-2

    Hi BJ

    I'm still getting popups, mostly the fake spyware warnings that point to winantivirus. Other ads are for systemdoctor, sarah-freder.com (which is a psychic reading site), two different casino ads, Strike it up and another "dating" site.

    Also ZoneAlarm seems to be blocking access to things trying to get in every few minutes. It also keeps telling me that Live Update is trying to access the internet. I know that my Norton Antivirus has a feature called Live Update, but I'm worried in case this is an impostor that allows whatever makes the ads pop up to update itself, so I've denied it access.
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Let's start with a Panda Scan Log, GetRunKey and ShowNew log.
     
  15. bonjour1

    bonjour1 Private E-2

    Here are those logs. Panda found 3 items of spyware but did not disinfect them.
     

    Attached Files:

  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I need the log so I can see what's being detected, that's why I requested it.
     
  17. bonjour1

    bonjour1 Private E-2

    Sorry, I tried to post it but "manage attachments" won't let me. I get an error message saying I already posted this file in this thread. I tried renaming it but it still won't attach. Should I post it in a new thread?
     
  18. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Just add a blank line to the end of the file and attach it.
     
  19. bonjour1

    bonjour1 Private E-2

    OK Here goes........try try again!
     

    Attached Files:

  20. bonjour1

    bonjour1 Private E-2

    Yippeeeeeeeeee! It's gone!

    Thanks for the help so far. While I was waiting for a reply I noticed that the "Recommended download" box at the top of the MajorGeeks pages was being changed to flashing ads (including the infamous "Winantivirus 2006"). At the bottom of my screen I saw it was being done by em.gad-network. I did a Google search and found a lot of French sites mentioning this problem. Fortunately I'm not too bad at French, so I was able to understand the advice to try F-Secure's beta BlackLight. I did a BlackLight scan which turned up the following hidden files:

    jimkzubrg.exe

    jimkzubrg.dat

    JIMKZUBRG.EXE-2C75F09B.pf

    jimkzubrg_nav.dat

    jimkzubrg_navps.dat

    I used the rename function, rebooted and then deleted the files. Touch wood, there has been no recurrence so far, but only time will tell. I hope this information might be of use to someone.

    I've now bought my daughter her own computer and installed a D-Link wireless router which has its own firewall, so I have now turned off ZoneAlarm. I downloaded AVG Free for her, so I'm hoping I get no more crud on the "family" machine or hers.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you notice that they all showed in the newfiles.txt log? SPD would have told you to delete them when he came back.
     
  22. bonjour1

    bonjour1 Private E-2

    Hi Chaslang,

    No, I didn't notice that. Thanks for pointing it out. I'm certain you're right that SPD would have told me to delete them. I hope I've not offended anyone by trying a little self-help in the meantime. The help I've received here has been greatly appreciated and if, God forbid, I have these kinds of problems again, MajorGeeks will be my first stop. Keep up the good work, you guys!
     
