Problems with Pop-Ups in Internet Explorer

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by MrTim, Oct 10, 2004.

  1. MrTim

    MrTim Private E-2

    Hey everyone,
I recently installed Windows XP and since then I've been having kind of big problems with pop-ups, especially when I'm actually using Internet Explorer. Even when I don't open up Explorer, I get pop-ups coming up every once in a while. Sometimes I get so many that it slows down my computer or freezes it, etc. A lot of the pop-ups refer to Spyware and how to delete it, etc. I've also gotten easytickets.com (I think that's what it was?) and other various types. I've read and done everything in the Sticky threads you posted at the top (microtrend, search and destroy, ad-aware, and all the rest) and that didn't stop this. Then I ran Hijack This and had it fix some of the things that I could tell should be fixed, some of the more obvious things. But this still hasn't fixed my problem. I see you don't want us to post Hijack This logs without being asked, so I haven't, but I'd be happy to post it however you'd like if that could help someone figure this out for me, since I'm not able to. Thanks in advance for any help!

    --Tim
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Post your log as a .txt file attachment.
     
  3. MrTim

    MrTim Private E-2

    Hey! Here's my HijackThis log, attached as a text file. Thanks in advance!

    --Tim
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure system restore is disabled and viewing of hidden files is enabled.

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below processes and End them if found:
    MFCN3057.exe
    AutoUpdate.exe
    tcmcconf.exe
    tpprmap.exe
    mcao.exe
    CxtPls.exe
    ?ttrib.exe
    PalrgYwG.exe
    Tbx3gPf.exe


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\SearchBar.htm
    O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\CxtPls\CxtPls.dll
    O2 - BHO: (no name) - {34A74D2C-9A15-56E7-8754-61557CF0291B} - C:\WINDOWS\System32\kja.dll
    O2 - BHO: (no name) - {6CFE152C-C044-06E0-8754-61557CF02A1F} - C:\WINDOWS\System32\pfb.dll
    O2 - BHO: (no name) - {91692D04-0779-8A9B-B239-8F471ABECC6D} - C:\WINDOWS\Jnunqsgu.dll
    O3 - Toolbar: Search - {FB5F664A-EC04-B0CD-FCD9-5B05D8B13AD2} - C:\WINDOWS\Jnunqsgu.dll
    O4 - HKLM\..\Run: [Faoeu.exe] C:\documents and settings\tim\local settings\temp\Faoeu.exe
    O4 - HKLM\..\Run: [vb.exe] C:\documents and settings\tim\local settings\temp\vb.exe
    O4 - HKLM\..\Run: [c70e91fe5dc0] C:\WINDOWS\System32\DBMSSPXN.exe
    O4 - HKLM\..\Run: [a9a389282ff5] C:\WINDOWS\system32\MFCN3057.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [rs3W36g] tcmcconf.exe
    O4 - HKLM\..\Run: [47LJYSL3P9@4L3] C:\WINDOWS\System32\Gwf524W7.exe
    O4 - HKCU\..\Run: [aBs6RWMne] tpprmap.exe
    O4 - HKCU\..\Run: [Sacr] C:\Documents and Settings\Tim\Application Data\rmsa.exe
    O4 - HKCU\..\Run: [Stmu] C:\Documents and Settings\Tim\Application Data\mcao.exe
    O16 - DPF: ChatSpace Full Java Client 3.1.0.235 - http://205.177.13.60/Java/cfs31235.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=ec608128e2ad8f54737eb7b602fec8de8a8bd4a94fdc797de43ead5088c0a7684bdbcf75a4aa956db74a9ba101cfe00ab573b3a7:207ac61af97ce07411e61a49d18a3129
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/220b5e354957ad2f3e15/netzip/RdxIE601.cab
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab


    Boot in safe mode and use Windows Explorer to delete:
    C:\Program Files\CxtPls\CxtPls.dll
    C:\WINDOWS\System32\kja.dll
    C:\WINDOWS\System32\pfb.dll
    C:\WINDOWS\Jnunqsgu.dll
    C:\WINDOWS\System32\DBMSSPXN.exe
    C:\WINDOWS\system32\MFCN3057.exe
    C:\Program Files\AutoUpdate <--- the whole directory
    C:\WINDOWS\system32\tcmcconf.exe
    C:\WINDOWS\system32\tpprmap.exe
    C:\Documents and Settings\Tim\Application Data\mcao.exe
    C:\Documents and Settings\Tim\Application Data\rmsa.exe
    C:\documents and settings\tim\local settings\temp\Faoeu.exe
    C:\documents and settings\tim\local settings\temp\vb.exe
    C:\Program Files\CxtPls\CxtPls.exe
    C:\WINDOWS\SYSTEM32\?ttrib.exe <--- do not delete attrib.exe
    C:\WINDOWS\System32\PalrgYwG.exe
    C:\WINDOWS\System32\Tbx3gPf.exe


    Now boot in normal mode and post a new HJT log and tell me how things are working.
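    As an added example (not code from the thread or from HijackThis), the triage the reply above does by hand can be scripted: the parser below reads the O4 and O16 lines of a HijackThis log and flags the entries that stand out, resolving bare Run-key file names to System32 the way the reply does for tcmcconf.exe and tpprmap.exe. The sample log lines, the KNOWN_SYSTEM list and the heuristics are constructed for illustration.

```python
import re
# Constructed sample: a handful of the HijackThis lines quoted in the reply above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [rs3W36g] tcmcconf.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKCU\..\Run: [Stmu] C:\Documents and Settings\Tim\Application Data\mcao.exe
O4 - HKLM\..\Run: [Faoeu.exe] C:\documents and settings\tim\local settings\temp\Faoeu.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/220b5e354957ad2f3e15/netzip/RdxIE601.cab
"""
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
O16_RE = re.compile(r"^O16 - DPF: .* - (\S+)$")
BARE_IP_URL = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}/")
SYSTEM32 = r"C:\WINDOWS\system32"       # assumed home of a bare Run-key file name
USER_WRITABLE = ("\\local settings\\temp\\", "\\application data\\")
KNOWN_SYSTEM = ("attrib.exe", "explorer.exe", "svchost.exe")   # extend from a clean machine

def lookalike(filename):
    """Known system binary this file name differs from by exactly one character, or None."""
    f = filename.lower()
    for k in KNOWN_SYSTEM:
        if len(k) == len(f) and sum(a != b for a, b in zip(k, f)) == 1:
            return k
    return None

def parse_hjt(text):
    """Reduce O4 and O16 lines to (section, name, target) records; other sections are skipped."""
    out = []
    for line in text.splitlines():
        if m := O4_RE.match(line):
            cmd = m[3].strip().strip('"')
            # A bare file name is found on the Windows search path; resolve it to System32 as the reply does.
            target = cmd if "\\" in cmd else SYSTEM32 + "\\" + cmd
            out.append({"section": "O4", "name": m[2], "target": target})
        elif m := O16_RE.match(line):
            out.append({"section": "O16", "name": "", "target": m[1]})
    return out

def triage(entries):
    """(target, reason) pairs worth a closer look; heuristics only, nothing is deleted."""
    findings = []
    for e in entries:
        t, low = e["target"], e["target"].lower()
        if e["section"] == "O4" and any(d in low for d in USER_WRITABLE):
            findings.append((t, "autostart from a user-writable temp/profile directory"))
        if e["section"] == "O4" and (k := lookalike(low.rsplit("\\", 1)[-1])):
            findings.append((t, "file name is one character off from " + k))
        if e["section"] == "O16" and BARE_IP_URL.match(low):
            findings.append((t, "ActiveX package served from a bare IP address"))
    return findings
```

    The lookalike check is what catches a name such as the ?ttrib.exe in the list above without touching the real attrib.exe.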
     
  5. MrTim

    MrTim Private E-2

    Hey there,
    So far things are working well, but it's only been 5 minutes. But then again, I'd get pop-ups as soon as I started Internet Explorer before, and nothing so far. So it looks good so far!
    As for your instructions, I followed them all, except for these things:
    After fixing the things with HijackThis and rebooting in safe mode, I went to look for the things you told me to delete. I was unable to find the following things to delete:

    C:\Documents and Settings\Tim\Application Data\mcao.exe
    C:\Documents and Settings\Tim\Application Data\rmsa.exe
    C:\documents and settings\tim\local settings\temp\Faoeu.exe
    C:\documents and settings\tim\local settings\temp\vb.exe
    C:\WINDOWS\SYSTEM32\?ttrib.exe
    C:\WINDOWS\System32\PalrgYwG.exe
    C:\WINDOWS\System32\Tbx3gPf.exe

    However, I did delete files called Faoeu.dll and vb.dll instead of the corresponding exe's. And I did manage to find these 2 items, which I deleted:
    C:\WINDOWS\Prefetch\PALRGYWG.EXE-161DFC58.pf
    C:\WINDOWS\Prefetch\TBX3GPF.EXE-1ADE68A2.pf

    But I couldn't find anything like mcao.exe, rmsa.exe, or ?ttrib.exe after the reboot in safe mode.

    But anyhow, I'll post the new HJT log, and I'll let you know if anything does go wrong in the next few days, or I'll at least post again tomorrow sometime if NOTHING goes wrong (hopefully!). So let me know what else I should do at this point, if you could. Thanks very much so far!

    --Tim
     


  6. PhilliePhan

    PhilliePhan Guest

    Hi Tim,

    This looks like a Peper trojan:
    O4 - HKLM\..\Run: [47LJYSL3P9@4L3] C:\WINDOWS\System32\WuaT.exe

    C:\WINDOWS\System32\KexvAC.exe
    C:\WINDOWS\System32\SxbV5wGL.exe


    Try running this tool: http://downloads.subratam.org/PeperFix.exe

    Also try the Trojan Scan online scan and a-squared in the Additional Steps portion of the tutorial if the PeperFix doesn't work.

    - - - Other than that, your log looks OK (Of course, it's late and I'm sleepwalking ;) )

    Best luck,

    PP the Insomniac
     
  7. MrTim

    MrTim Private E-2

    OK, I did end up having a few troubles after my last post, but I just tried your advice about the Peper Trojan, etc., and again, so far so good. I fixed WuaT.exe, then I rebooted in safe but I couldn't find KexvAC.exe or SxbVSwGL.exe anywhere on my drive. I also ran the Peper Fix application, and it found and fixed some files, I ran it again after reboot and it didn't find anything....soooo....I'll just wait and see again, and for now, I'll post my latest HJT log so you can see if there's anything else wrong with it now. Thanks for your help so far, both of you!

    --Tim
     


  8. PhilliePhan

    PhilliePhan Guest

    Hi Tim,

    Sorry to say, it's still there:
    O4 - HKLM\..\Run: [47LJYSL3P9@4L3] C:\WINDOWS\System32\Gwf524W7.exe

    I suggest you try the online trojan scan and a-squared as I previously suggested. You could also try PeperFix again.

    You could try this as well: http://www.memorywatcher.com/uninst.exe

    I'm going to crash. Good luck :)

    PP
     
  9. MrTim

    MrTim Private E-2

    Hey there,
    Okay, I fixed that last thing you told me to fix, I ran the PeperFix again, I did a-squared (which found a few things) and the online trojan scan (which didn't find anything) and I ran that last program you told me to try. Sooooo....it really does look like it might be fixed now, I left the computer on with Internet Explorer open all last night, and I didn't see a single pop-up when I woke up this morning. I'll post my latest HJT log now, in case you guys might see anything left over. But it's looking pretty good!

    --Tim
     


  10. PhilliePhan

    PhilliePhan Guest

    Hey Tim,

    Your HJT log looks good. As long as those O16 entries (other than the online scans) are ones you want.

    I imagine Chas will follow me on your log to doublecheck, but it looks like you guys got everything. Chas has pinned some excellent recommendations that you should look at:
    http://forums.majorgeeks.com/showthread.php?t=44525

    Best,

    PP
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Tim and PP,

    Looks nice and clean to me too.

    Good job!
     
  12. MrTim

    MrTim Private E-2

    Okay guys, it's been working perfectly for me today! Thanks so much for all your help! And I did go ahead and follow a couple of those other suggestions that I hadn't done yet, like installing the ZoneAlarm firewall. And I guess I have one final question, about that. Since I installed it earlier this afternoon (say, 7 hours ago or so?) it says that it's blocked 2066 intrusions since install, and 62 of those have been high-rated. Is that a normal number, or is it high enough that I might still have something on here that's just being blocked a lot? I use DSL, and my roommate and I are both connected to a router, if that info helps at all.

    But again, thanks a bunch! You guys have been great!! :)
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. That's a lot of intrusions. Were they outgoing or incoming? Is there a name or IP address associated with them?
     
  14. PhilliePhan

    PhilliePhan Guest

    Hey Tim,

    You should be OK behind a router and ZA. Now, if ZoneAlarm starts to notify you that it is blocking STRANGE things trying to CALL OUT from your computer - then you might have a problem! ;)

    ***Didn't see Chaslang (as usual)

    PP
     
    Last edited by a moderator: Oct 12, 2004
  15. MrTim

    MrTim Private E-2

    Hey,

    Out of the high-rated intrusions, at least some of them had an IP address associated with them, but all those other ones, it never told me where they were from or if they were associated with anything. And all of these intrusions are listed under the "Inbound Protection" category....does that mean they were all incoming, then? Let me know what you think. So other than that, everything's still working perfectly! Thanks again!

    --Tim
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, Inbound means something is trying to come in. So your firewall is doing its job.
     
