Popups in IE

Discussion in 'Malware Help (A Specialist Will Reply)' started by steplee, May 1, 2006.

  1. steplee

    steplee Private E-2

    I have ad popups for WinAntiSpyWare, WinAntiVirus, FavouriteSearch or sometimes, the ad was related somehow to the web page I happened to be browsing at the time.

    Some of the popups had these URLs:

    http://www.amaena.com/securityworm5/?aid=vm_pk_scwaskw_7&lid=sym

    http://url.cpvfeed.com/cpv.jsp?p=11...ine bingo,&default=http://www.alljackpots.com

    http://www.passion.com/search/p205229.subdate_search_&show=f&age=18-30&override=1&ip=auto__

    http://scanner.sysprotect.com/pages/scanner/?ed=2&ex=1&ax=2&aid=vm_pk_spt6h_3&lid=keyin

    http://www.amaena.com/securityworm5/?aid=vm_pk_scwaskw_7&lid=secure

    http://www.amaena.com/securityworm5/?aid=amr2&lid=alllids&h=4

    ~ ~ ~ ~ ~ ~

    No WinAntiSpyWare or WinAntiVirus in Add/Remove Programs, nor any of the other items listed on your Malware list, except "My Way Search Assistant" (with a space between "my" and "way"), but when I highlight it, there are no options for me to remove it.

    ~ ~ ~ ~ ~ ~

    I can boot in Safe Mode, but once I log into my User Profile, I cannot access my desktop or files or Start Menu. I am running all the tools in normal mode with my wireless adapter disabled.

    ~ ~ ~ ~ ~ ~

    SpyBot – Search & Destroy found 2 items:
    Windows Security Center.AntivirusDisableNotify
    Windows Security Center.FirewallDisableNotify

    I’ve never used either of these. Should I enable them when I’m using Norton Internet Security?

    ~ ~ ~ ~ ~ ~

    BitDefender detected no problems. I assume that’s why I did not see the Detected Problems tab.

    This is the report it wanted to send to the BitDefender Labs. I didn’t send it.


    BitDefender Online Scanner - Real Time Virus Report
    Generated at: Sat, Apr 29, 2006 - 09:49:49

    Scan Info
    Scanned Files 407754
    Infected Files 0

    Virus Detected
    No virus found.

    This summary of the scan process will be used by the BitDefender Antivirus Lab to create agregate statistics about virus activity around the world.

    ~ ~ ~ ~ ~ ~

    After doing all the scans and fixes, I turned off System Restore, restarted the computer, then turned on System Restore again. Then I browsed around a bit and not long after, this popped up again:

    http://myfavouritesearch.com/search...0014&rand=626468260&friendid=171425830&acnt=1

    This one popped up a couple times while I was browsing MajorGeeks.com:

    http://www.amaena.com/securityworm5/?aid=am2&lid=google-com

    ~ ~ ~ ~ ~ ~

    I still cannot do anything in Safe Mode.

    ~ ~ ~ ~ ~ ~

    I sure hope I did everything right and that you can help me!

    Thanks,

    Stephanie


    2 Attachments:

    ActiveScan.txt
    highjackthis.log

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Is the below a game demo?
    C:\Downloads\'GAMES\MysteryCaseFiles\MysteryCaseFilesSetup-dm.exe

    You may want to delete it if not needed.

    You have a Virtumonde infection which is mentioned in our READ ME along with WinFixer.

    Run this Virtumonde aka Trojan Vundo Removal and attach the VundoFix log and a new HJT log.

    Also tell me how things are working now.
     
  3. steplee

    steplee Private E-2

    Wow, how do you know what it is?!?!?

    I deleted the following:
    C:\Downloads\'GAMES\MysteryCaseFiles\MysteryCaseFilesSetup-dm.exe

    I ran VundoFix-- its log and a new HJT log attached.

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Experience!
    The below were signs of Virtumonde:
    O2 - BHO: InfoDocReader Object - {295BA105-3506-4D25-B0DD-54346320BDC5} - C:\WINDOWS\system32\efcyy.dll
    O20 - Winlogon Notify: efcyy - C:\WINDOWS\system32\efcyy.dll


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    After clicking Fix, exit HJT.

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode.

    Make sure you tell me how things are working now.
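A defender-side triage helper, added here as an example and not part of this thread or of HijackThis itself: it parses O2 (BHO) and O20 (Winlogon Notify) lines and flags the pattern chaslang pointed to, one DLL registered both as a BHO and as a Winlogon Notify handler, plus the weaker sign of a BHO loaded straight out of system32. The sample log is constructed from the two quoted lines plus two benign-looking entries; the CLSID and paths on those benign lines are made up.

```python
import re
from collections import defaultdict

# Constructed sample log: the two Virtumonde lines quoted in the thread plus
# two benign-looking entries invented for contrast (not a real log).
SAMPLE_HJT = """\
O2 - BHO: InfoDocReader Object - {295BA105-3506-4D25-B0DD-54346320BDC5} - C:\\WINDOWS\\system32\\efcyy.dll
O2 - BHO: Example Toolbar Helper - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Example\\helper.dll
O20 - Winlogon Notify: efcyy - C:\\WINDOWS\\system32\\efcyy.dll
O20 - Winlogon Notify: crypt32chk - crypt32.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")

def parse_hjt(text):
    """Return (bhos, notifies): lists of dicts parsed from O2 and O20 lines."""
    bhos, notifies = [], []
    for line in text.splitlines():
        if m := O2_RE.match(line.strip()):
            bhos.append(m.groupdict())
        elif m := O20_RE.match(line.strip()):
            notifies.append(m.groupdict())
    return bhos, notifies

def dll_key(path):
    # Lowercase basename, so "C:\WINDOWS\system32\efcyy.dll" and "efcyy.dll" compare equal.
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]

def triage(text):
    """Heuristics, not a definition of Vundo: flag a DLL that is both a BHO
    and a Winlogon Notify handler, and any BHO loaded directly from system32."""
    bhos, notifies = parse_hjt(text)
    by_dll = defaultdict(set)
    for b in bhos:
        by_dll[dll_key(b["path"])].add("O2")
    for n in notifies:
        by_dll[dll_key(n["path"])].add("O20")
    findings = []
    for dll, kinds in sorted(by_dll.items()):
        if kinds == {"O2", "O20"}:
            findings.append((dll, "BHO + Winlogon Notify on the same DLL (Vundo pattern)"))
    for b in bhos:
        if "\\system32\\" in b["path"].lower():
            findings.append((dll_key(b["path"]), "BHO loaded directly from system32"))
    return findings
```

Running `triage(SAMPLE_HJT)` reports efcyy.dll twice (once per heuristic) and nothing for the two benign entries; on a real log, treat each hit as something to look at, not as proof of infection.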
     
  5. steplee

    steplee Private E-2

    Everything's been good-- no popups at all!!! You're the best!
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work through the below link:

    How to Protect yourself from malware!