Ughh Pops...can't get rid of them...

Discussion in 'Malware Help (A Specialist Will Reply)' started by mbl12pk, Apr 14, 2008.

  1. mbl12pk

    mbl12pk Private E-2

    Hello all

    I have been getting hit with a lot of pop ups lately and have tried many scanners - adaware, spybot, avg and still keep getting pop ups. Any help would be appreciated.

    Running Windows XP

    Thanks
    Jim
     
  2. abri

    abri MajorGeek

    Hi mbl12pk,
    Welcome to Major Geeks!


    Please go through the instructions in the READ & RUN ME FIRST and attach the requested logs with your next post. You will probably find some relief as you work and we can then check your logs to see what still remains to be fixed. Be sure to put your computer in normal startup mode as per the instructions.

    Thanks.
    abri
     
  3. mbl12pk

    mbl12pk Private E-2

    Hello abri

    First off thanks for your reply.

    I have taken the steps or have tried to take the steps given in the "read & run" link given. (Very easy to read and follow, by the way)
    I appear to be running a lot smoother but not sure if all is clean.

    I did have a problem with the combofix program. When I tried to copy and paste (and even manually typed in) "%userprofile%\desktop\cf.exe" /killall, I would get an error stating that the path for cf.exe could not be found, and I was wondering if it was due to changing the program name from combofix to cf.exe.

    Attached are the results of the MGlogs.

    Thanks,
    Jim
     

    Attached Files:

  4. abri

    abri MajorGeek

    Hi mbl12pk,

    I appreciate your praise of Chaslang's procedures and will pass it on to him.

    First a question. Can you tell me what the following two files are that were put in the Windows folder on April 15th? If you don't know, could you zip them and upload them here as an attachment with your next post?

    C:\WINDOWS\BM5761772f.txt
    C:\WINDOWS\BM5761772f.xml


    And now, please do the following:

    1) To begin with, please disable Spybot's TeaTimer. This can be done two ways.
    First:
    • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
    • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless.
    • If you have Version 1.4, Click on Exit Spybot S&D Resident
    or Second, For Either Version :
    • Open Spybot S&D
    • Click Mode, choose Advanced Mode
    • Go To the bottom of the Vertical Panel on the Left, Click Tools
    • then, also in the left panel, click Resident (shows a red/white shield).
    • If your firewall raises a question, say OK
    • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
    • OK any prompts.
    • Use File, Exit to terminate Spybot
    2) Go to add/remove programs and uninstall the below:

    - Java 2 Runtime Environment, SE v1.4.2_15

    3) Reboot after uninstalling the above.

    4) Install the current version of Sun Java from: Sun Java Runtime Environment

    5) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - (no file)
    O2 - BHO: (no name) - {5E92CF68-28A4-4881-A20B-D8F19D77D876} - (no file)
    O2 - BHO: (no name) - {731922B0-E2C6-4BD3-A48B-27AE034214F4} - (no file)
    O2 - BHO: (no name) - {87D9A159-C2F7-4E59-AEDD-667BC85DF9F5} - (no file)
    O2 - BHO: (no name) - {97352CFD-2D41-4E02-9457-272465792BFC} - (no file)
    O2 - BHO: (no name) - {A806A78C-5EEC-4187-938B-E263A04DCD8D} - (no file)
    O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
    O2 - BHO: (no name) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - (no file)
    O2 - BHO: (no name) - {EA6FB231-3E1F-464B-82D0-2B4DDA3C4322} - (no file)
    O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)
    O3 - Toolbar: (no name) - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - (no file)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_15\bin\jusched.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    After you click fix, just close hijackthis.


    6) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    7) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    8) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
     
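The HijackThis "O2 - BHO ... (no file)" lines in step 5 above are Browser Helper Object registrations whose COM server DLL no longer exists on disk. The script below is an added example (written for this page, not part of the original thread or of HijackThis) that reproduces that check from the registry so you can see which BHO CLSIDs are orphaned before you fix them. It assumes a Windows host with PowerShell 2.0 or later and only reads the registry; it changes nothing.

```powershell
# Added example (not from the MajorGeeks thread): list Internet Explorer Browser
# Helper Objects and flag those whose InprocServer32 DLL is missing, which is the
# condition HijackThis reports as "O2 - BHO: (no name) - {CLSID} - (no file)".
# Assumptions: Windows with PowerShell 2.0+, read access to HKLM. Read-only.

$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
)

function Get-BhoStatus {
    $results = @()
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in (Get-ChildItem $key -ErrorAction SilentlyContinue)) {
            $clsid  = $sub.PSChildName      # e.g. {1827766B-9F49-4854-8034-F6EE26FCB1EC}
            $name   = $null
            $server = $null

            # Resolve the CLSID to its friendly name and InprocServer32 path.
            foreach ($root in $clsidRoots) {
                $clsKey = Join-Path $root $clsid
                if (-not (Test-Path $clsKey)) { continue }
                $name = (Get-ItemProperty $clsKey -ErrorAction SilentlyContinue).'(default)'
                $inproc = Join-Path $clsKey 'InprocServer32'
                if (Test-Path $inproc) {
                    $server = (Get-ItemProperty $inproc -ErrorAction SilentlyContinue).'(default)'
                }
                break
            }

            # Expand %SystemRoot%-style variables and strip quotes before testing the path.
            $exists = $false
            if ($server) {
                $expanded = [Environment]::ExpandEnvironmentVariables($server.Trim('"'))
                $exists = Test-Path $expanded
            }
            $displayName = if ($name) { $name } else { '(no name)' }

            $results += New-Object PSObject -Property @{
                CLSID      = $clsid
                Name       = $displayName
                Server     = $server
                FileExists = [bool]$exists
            }
        }
    }
    return $results
}

# Orphaned entries (FileExists = False) are the ones HijackThis shows as "(no file)".
Get-BhoStatus | Sort-Object FileExists | Format-Table CLSID, Name, Server, FileExists -AutoSize
```

An orphaned entry with no file is harmless by itself (nothing loads), but it is evidence that something was installed and later removed, so it is worth comparing the CLSIDs against the scanner logs before fixing them. The registration under Wow6432Node only exists on 64-bit Windows; on the 32-bit XP system in this thread only the first key applies.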
  5. mbl12pk

    mbl12pk Private E-2

    Hi Abri

    Sorry for the delay. For starters here are the 2 files you have requested. Interesting that you would like to look at these. If they put up a red flag to you, I am concerned as well.


    Thanks,
    Jim
     

    Attached Files:

  6. abri

    abri MajorGeek

    Hi mbl12pk,

    I don't think you want those. To see if there's any more information on them, you can upload C:\WINDOWS\BM5761772f.xml and if you can find it C:\WINDOWS\system32\bhldtgqn.dll to jotti or VirusTotal and attach or post the results.

    If you have a particular reason for wanting to keep them, zip them first and then do the below.

    If you already ran Avenger, please run it again (as in post 4, step 6) but use the contents of this box:
    If you have not yet run Avenger, you can just add those two file names in the box above to the list of files under "Files to delete" when you copy them over to the Avenger box and remove them with the rest of the Avenger fix.

    I'll wait to see your logs from post 4 and hear how things are going.
    abri
     
  7. mbl12pk

    mbl12pk Private E-2

    Here are the results from the procedures you have listed to do.

    Thanks
    Jim
     

    Attached Files:

  8. abri

    abri MajorGeek

    Hi mbl12pk,

    Did you get a log for Avenger? If so, could you attach it?

    In the original instructions I gave you to follow in post 2, there are several scans which you never ran: Spybot S&D, SuperAntiSpyware, and MalwareBytes. Did you have trouble with these or decide not to run them? Are you able to run cf.exe directly simply by double-clicking on it? Please try that and see if it works.

    Thanks.
    abri
     
  9. mbl12pk

    mbl12pk Private E-2

    Oooops sorry abri

    Here is the avenger log. I did run antispyware and the others but did not post a log.

    I will re-run spybot and the others to get a new log for you.
     

    Attached Files:

  10. mbl12pk

    mbl12pk Private E-2

    I have run the programs you have asked for and here are the logs from each.

    Thanks again,
    Jim
     

    Attached Files:

  11. mbl12pk

    mbl12pk Private E-2

    Forgot one. ;)
     

    Attached Files:

    • log.txt
  12. abri

    abri MajorGeek

    Hi mbl12pk,

    1) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    2) Please go back to Post 4, Step 6 and run Avenger again, only this time use the contents of this box:
    3) Now run CCleaner at the default setting with the Windows tab as the top one.

    4) I would like for you to do a rootkit scan. Please go to the Alternate Scans and scroll about halfway down the page to the list of rootkit scans. Follow the instructions for GMER. Attach the results with the other logs when you post again.


    5) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log and the GMER log.


    Let me know how things are running now.

    abri
     
  13. mbl12pk

    mbl12pk Private E-2

    Hi abri

    I ran the messenger disable program that you requested but did have problems with the avenger. I had an error running it. I have attached a picture of the error that I keep getting.

    Thanks
    Jim
     

    Attached Files:

  14. abri

    abri MajorGeek

    Hi mbl12pk,

    The first time you tried to run Avenger it worked. Please go back to the Avenger instructions in Post 4, Step 6 and download it again. When it asks you if you want to install it over the already existing copy, say yes. Then try to run it again using the contents of the box in Post 12. If you're able to do this, then run either CCleaner or ATF Cleaner after it finishes. Let me know how this goes.

    Also, can you run combofix without renaming it?

    abri
     
  15. mbl12pk

    mbl12pk Private E-2

    Hi abri

    Figured out why Avenger would not run properly. Forgot to add the words "Files to delete" when I pasted the contents from the box you posted.

    Attached is the log from avenger.

    I have run ATF and CCleaner as well.


    Thanks
    Jim
     

    Attached Files:

  16. abri

    abri MajorGeek

    Hi mbl12pk,

    I'm glad you figured that out. Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip.

    Thanks.
    abri
     
  17. mbl12pk

    mbl12pk Private E-2

    Hello again abri

    Attached is the MGlogs.

    Thanks
    Jim
     

    Attached Files:

  18. abri

    abri MajorGeek

    Hi mbl12pk,

    In step 4 of post 12, I asked you to run the rootkit scan called GMER. Did you by any chance run that? The reason I ask is because the files which Avenger was not able to delete are gone anyway. For the tmp files this makes sense, but the .exe files are also gone. I'm just curious where they went. In any case they're gone.

    Please do the following which will make a back up of your registry and then change some policy settings back to what they were before you used Combofix.

    1) Download and install Erunt. Use it to create a backup of your registry.

    2) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.


    Let me know if you get a success message with this!


    How is your computer working now?
    I don't see further evidence of malware. If the problems you originally came in with are resolved and you aren't getting any new symptoms, please go ahead with the instructions in the box:
    abri
     
  19. mbl12pk

    mbl12pk Private E-2

    Hi abri

    I did the following as you requested, including the successful registry merge. Things seem to be running very well now. Thanks a million for your help. I will be sure to refer your site to all who may encounter problems in the future.


    Thanks again
    Jim

    :)
     
  20. abri

    abri MajorGeek

    Thank you so much mbl12pk!

    We appreciate your recommendations to others and when you have time, you may enjoy a look in some of the other technical forums.

    Best of luck to you!
    abri
     
