Popups

Discussion in 'Malware Help (A Specialist Will Reply)' started by KenAA, Jun 10, 2006.

  1. KenAA

    KenAA Private E-2

    Hi

    I'm new to this site. I've been having problems with Trojans and popups but have been unable to get rid of them. They seem to keep coming back.
    I read and followed the instructions on READ AND RUN ME FIRST before asking for support and have included the bdscan, panda and hijack scan.

    Ken
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Microsoft Performance WMI Adapter AddOn ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    WMIPervAddOn

    If you receive any error messages just ignore them and continue.

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    O4 - HKLM\..\Run: [defender] C:\\defender25.exe
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CKVV2TSR\comhost[1].zip
    c:\windows\keyboard1.dat
    C:\Downloads\UnInstaller.exe
    C:\WINDOWS\msnupdate.exe
    C:\WINDOWS\S2VuIEFhbGFuZA\mZpRKHI1v3IRtE.vbs
    C:\WINDOWS\SYSTEM32\removefunc.ram
    C:\WINDOWS\wmiapsv.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
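The HJT lines chaslang quotes above are a fixed, parseable format. As an added example, not taken from this thread or from HijackThis itself, this Python block parses R0 and O4 lines of that shape and records, from a defender's point of view, why each entry deserves a closer look; the regexes, the FIX_LIST (the two O4 names chaslang told Ken to fix), and the "ExampleUpdater" line in the sample log are my own assumptions and constructed data.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
# Added example, not from the thread: parse the HijackThis (HJT) log line formats
# quoted above (R0 start page, O4 registry autostarts) and triage what they show.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)
R_RE = re.compile(r"^(?P<code>R[0-3]) - (?P<path>[^,]+),(?P<value>[^=]+) =(?P<url>.*)$")
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\[^\\\s]+$")  # e.g. C:\defender25.exe
FIX_LIST = {"defender", "UserFaultCheck"}  # O4 names the helper in this thread told Ken to fix

@dataclass
class Entry:
    code: str    # HJT section: R0, R1, O4, ...
    hive: str    # registry hive (O4) or IE settings path (R*)
    name: str    # autostart value name, or IE setting name
    target: str  # command line (O4) or URL (R*)
    reasons: List[str] = field(default_factory=list)

def parse_line(line: str) -> Optional[Entry]:
    """Parse one HJT log line; None for section types this example does not handle."""
    line = line.strip()
    if m := O4_RE.match(line):
        return Entry("O4", m["hive"], m["name"], m["cmd"].strip())
    if m := R_RE.match(line):
        return Entry(m["code"], m["path"], m["value"].strip(), m["url"].strip())
    return None

def triage(entry: Entry) -> Entry:
    """Attach plain-language reasons an entry deserves a closer look."""
    if entry.code == "O4":
        t = entry.target.replace("\\\\", "\\")  # HJT logs may double backslashes
        exe = t[1:].split('"', 1)[0] if t.startswith('"') else t.split(" ", 1)[0]
        if DRIVE_ROOT_RE.match(exe):
            entry.reasons.append("executable sits directly in the drive root")
        if entry.name in FIX_LIST:
            entry.reasons.append("named in the fix list for this thread")
    elif entry.code.startswith("R") and entry.target == "":
        entry.reasons.append("IE Start Page is empty; reset it to a known page")
    return entry

def triage_log(log: str) -> Dict[str, List[str]]:
    """Map each recognised entry's name to its triage reasons (empty = no finding)."""
    return {e.name: triage(e).reasons for e in map(parse_line, log.splitlines()) if e}

# Constructed sample log: the three lines quoted in this thread plus a benign placeholder.
SAMPLE_LOG = r"""R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [defender] C:\\defender25.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe" /quiet"""
```

Running `triage_log(SAMPLE_LOG)` flags the defender25.exe entry on two grounds, the UserFaultCheck entry only because it is on the thread's fix list, and the empty Start Page, while the quoted Program Files path produces no finding.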
  3. KenAA

    KenAA Private E-2

    When I went to run Hijack and was supposed to exit all browser sessions, one was minimized accidentally. I didn't find anything in the S2VulEFhbGFuZA folder. Also I didn't find the c:\windows\wmiapsv.exe file.
    I still get popups but it's not as bad as before. Also while running Adaware Java Bytever.AC , .A , .AB , .AB popped up and were quarantined by Trend Micro.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Delete that whole folder! It is malware.


    Is your copy of Ewido a paid version or a free trial version?

    Run this Running Ewido Anti-Malware (obviously you can skip the parts on installing but make sure you check for updates) and attach the requested log from Ewido. Then if Ewido is a free trial version, uninstall it.

    Also since you are using TrendMicro's Antispyware application, you should not uninstall Windows Defender.

    Delete all files in the below folder after boot in safe mode:
    C:\Documents and Settings\Ken Aaland\Local Settings\Temp

    Windows may be using about 2 or 3 files and will block you from deleting them.
     
  5. KenAA

    KenAA Private E-2

    Ewido is a trial version - I uninstalled it.

    Also since you are using TrendMicro's Antispyware application, you should not uninstall Windows Defender.
    Is this referring to O4 - HKLM\..\Run: [defender] C:\\defender25.exe that I fixed with HJT, and if so, should I reinstall it? It's only a trial version.

    I deleted all the files in C:\Documents and Settings\Ken Aaland\Local Settings\Temp in safe mode.

    I still keep getting the popups. I noticed in the past that I can try to delete the files in C:\Documents and Settings\Ken Aaland\Local Settings\Temporary Internet Files and they always return instantly.
     
  6. KenAA

    KenAA Private E-2

    C:\Documents and Settings\Ken Aaland\Local Settings\Temporary Internet Files\Content.IE5\WHAV89MR\xpl[1].wmf
    Detection name: TROJ_NASCENE.Y

    This was quarantined by Trend Micro.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That was a typo! Leave out the "not". It should have said:

    you should uninstall Windows Defender.

    The defender25.exe process was malware. It was not Windows Defender.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sounds like this is due to the places that you are surfing.

    Did you do the below earlier as requested? Based on your HJT log you did not follow those directions exactly as written. If you did, your home page would be showing as www.majorgeeks.com. Please do this again and do exactly what the directions say and use majorgeeks for your home page.

    Now run the below to disable or remove Windows Messenger which can be a cause of popups:

    Disable/Remove Windows Messenger


    Now run PandaActiveScan and attach a new Panda log and then a new HJT log.
     
    Last edited: Jun 13, 2006
  9. KenAA

    KenAA Private E-2

    Uninstalled Windows Defender.
    I had reset web settings but I couldn't type in safe mode so I left the home page the same. I changed it now.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You just need to locate and delete the below files that Panda found:

    C:\Documents and Settings\Ken Aaland\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-74b2599d-7237c776.zip
    C:\Documents and Settings\Ken Aaland\Local Settings\Temporary Internet Files\Content.IE5\M7WV1Q7Q\sploit[1].anr
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OP234T67\comhost[1].zip
    C:\WINDOWS\manager.exe

    Other than that you are clean. Let me know if you are having any other problems. Miscellaneous warnings from Trend Micro are going to happen based upon where you surf and what you click on. As long as you have proper protection in place you should be okay. Also even with protection in place, you need to be careful. As the how to protect thread indicates, YOU are the first line of defense and can also be the weakest link in your security.
     
  11. KenAA

    KenAA Private E-2

    C:\Documents and Settings\Ken Aaland\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-74b2599d-7237c776.zip
    Deleted, but there is a file in this folder, C:\Documents and Settings\Ken Aaland\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-74b2599d-7237c776.idx. Should this be deleted?

    C:\Documents and Settings\Ken Aaland\Local Settings\Temporary Internet Files\Content.IE5\M7WV1Q7Q\sploit[1].anr
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OP234T67\comhost[1].zip
    C:\WINDOWS\manager.exe
    I could not find these three files.

    I'm still getting popups but the trojan warnings when I run Adaware seem to be gone.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, let's try a couple other things. I have seen a few cases recently where certain infections were present but not showing. Try the below two tools and attach the two logs from them:

    Look2Me VX2 Removal

    Virtumonde aka Trojan Vundo Removal


    If the popups are still occurring, tell me what is in the popups (URL to) and exactly when they occur.
    Do you mean popup warnings from TrendMicro, or do you mean advertisements?
    Do they only occur when a browser is open?
    Do they occur only when connected to the internet?
    Do you ever get popups in safe mode?
     