Window Pop up remains...

Discussion in 'Malware Help (A Specialist Will Reply)' started by sssteve72, Jan 9, 2008.

  1. sssteve72

    sssteve72 Private E-2

    I wish I could give you a good description of what I was doing, but it was late last night and to be honest I don't remember. I remember it kept popping up message after message that it was trying to change my registry (this was a message from Spybot). All I remember for sure is I was on the internet.

    Anyway I followed the Windows XP Cleaning Procedure under the malware removal read my first guide(hopefully I got it all correct).

    I ran Combo, Spybot, AVG, and MGtools and the logs are attached. All it is doing at this point is an IE window pops up (shortly after I open IE and then again about every 5 minutes or more) and says connecting.... and it just sits there. Maybe because I uninstalled Java it can't connect?? I have no idea. I was on Java 1.4.2 I think it was.. not for sure.. but it didn't look like the most recent version.

    If anyone could look at these logs and let me know if there is a problem that would be great.

    Well it is late for me and I better go to bed. (there is that window popping up again.) This is my home computer. Unfortunately I work all day :(

    Ok, update: it just popped up again but this time it was an ad for McAfee and I closed it and it immediately popped up or opened again but just said connecting this time.
    Also I am running Win XP PRO with SP2.

    Any help would be appreciated. Thank you.

    Steve
     

    Attached Files:

  2. sssteve72

    sssteve72 Private E-2

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please download and install:
    Java Runtime 6

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.
     
  4. sssteve72

    sssteve72 Private E-2

    The following items were not in the HJT list so I couldn't remove them.

    O15 - Trusted Zone: *.amaena.com
    O15 - Trusted Zone: *.avsystemcare.com
    O15 - Trusted Zone: *.gomyhit.com
    O15 - Trusted Zone: *.imageservr.com
    O15 - Trusted Zone: *.imagesrvr.com
    O15 - Trusted Zone: *.onerateld.com
    O15 - Trusted Zone: *.safetydownload.com
    O15 - Trusted Zone: *.storageguardsoft.com
    O15 - Trusted Zone: *.trustedantivirus.com
    O15 - Trusted Zone: *.virusschlacht.com
    O15 - Trusted Zone: *.amaena.com (HKLM)
    O15 - Trusted Zone: *.avsystemcare.com (HKLM)
    O15 - Trusted Zone: *.gomyhit.com (HKLM)
    O15 - Trusted Zone: *.imageservr.com (HKLM)
    O15 - Trusted Zone: *.imagesrvr.com (HKLM)
    O15 - Trusted Zone: *.onerateld.com (HKLM)
    O15 - Trusted Zone: *.safetydownload.com (HKLM)
    O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
    O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
    O15 - Trusted Zone: *.virusschlacht.com (HKLM)

    I completed everything else as you noted. but I have noticed that the popup window still remains. It has only popped up once in the past 5 minutes...make that twice.

    I got the setthetrend. com popup again just now.

    Maybe the attached logs will show something else..
     

    Attached Files:

  5. sssteve72

    sssteve72 Private E-2

    One other thing I noticed is that the windows only seem to pop up when I already have IE open.
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Clear out everything that may be listed in your "trusted zones" ....

    What is this:
    C:\Documents and Settings\Steve Weichel\Desktop\zork1.zip?

    Find and delete:
    C:\WINDOWS\system32\drivers\core.cache.dsk

    Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now re-run ComboFix and attach the log.
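    The O15 entries listed in post 4 and the "clear out your trusted zones" instruction in post 6 both concern the Internet Explorer ZoneMap: a HijackThis "O15 - Trusted Zone: *.domain" line corresponds to a `Domains\domain` key under `...\Internet Settings\ZoneMap\Domains` (zone value 2 = Trusted Sites), in HKCU for the per-user entry and HKLM for the "(HKLM)" variant. The script below is an added example, not code from the thread or from the MajorGeeks helpers: it parses HJT-style log lines, flags every trusted-zone domain that is not on an explicit allowlist, and writes a `.reg` file that deletes those keys (the `[-KEY]` form removes a key). The sample log lines are constructed from the domains listed in post 4; the mapping of `*.domain` to the `Domains\domain` key is an assumption about HJT's output format.

```python
import re

# Where IE keeps per-domain zone assignments (assumed layout; zone 2 = Trusted Sites).
ZONEMAP = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}

# HJT prints "(HKLM)" after machine-wide entries; per-user entries carry no suffix.
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<pattern>\S+)(?: \((?P<hive>HKLM)\))?$")

# Constructed sample: a subset of the O15 lines from post 4 plus one unrelated line.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [example] C:\\Program Files\\example\\example.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
"""


def parse_o15(lines):
    """Return (hive, domain) pairs for every O15 Trusted Zone line, in log order."""
    found = []
    for line in lines:
        m = O15_RE.match(line.strip())
        if not m:
            continue  # not an O15 entry (O4, O2, R1, ...)
        hive = m.group("hive") or "HKCU"
        domain = m.group("pattern")
        if domain.startswith("*."):
            # HJT shows the wildcard form for the whole Domains\<domain> key (assumption).
            domain = domain[2:]
        found.append((hive, domain.lower()))
    return found


def suspicious_entries(entries, allowlist=frozenset()):
    """Everything in the trusted zone that the user did not knowingly put there."""
    return [(hive, dom) for hive, dom in entries if dom not in allowlist]


def build_reg(entries):
    """Emit a .reg file that deletes the ZoneMap key for each (hive, domain)."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for hive, domain in entries:
        out.append(f"[-{HIVES[hive]}\\{ZONEMAP}\\{domain}]")
        out.append("")
    return "\n".join(out)


def reg_from_log(log_text, allowlist=frozenset()):
    """Parse an HJT log and return the text of a cleanup .reg file."""
    return build_reg(suspicious_entries(parse_o15(log_text.splitlines()), allowlist))


if __name__ == "__main__":
    # Save as fixME.reg and merge, exactly as the helper instructs for the bold text.
    print(reg_from_log(SAMPLE_LOG, allowlist={"example.com"}))
```

    The allowlist exists because a corporate intranet or a banking site may legitimately sit in Trusted Sites; everything else that appears there without the user having added it, especially "antivirus"-themed domains as in post 4, is exactly the residue a rogue-security-software infection leaves behind, and the HKLM duplicates show the infection ran with administrative rights.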
     
  7. sssteve72

    sssteve72 Private E-2

    zork1.zip is an old game from the days of the Commodore 64. It is a text game that runs in a DOS window. I don't think there is anything wrong with it but should I delete it and the other 2 as well?

    I tried to delete the C:\WINDOWS\system32\drivers\core.cache.dsk
    But it won't let me; it said the file was in use and I couldn't delete it. What is that file for? Can I boot to safe mode or a DOS prompt and delete it?

    I ran the fixme.reg and it worked fine. However the popup remains. I left my computer on all day today and there were no pop ups so the only time I am getting this is when I already have a session of IE open.

    The combo log is attached.

    Any chance uninstalling IE7 and then reinstalling would solve the problem?
     

    Attached Files:

  8. sssteve72

    sssteve72 Private E-2

    Ok I think I got the core.cache.dsk deleted.. finally... I rebooted so many times I can't count. I deleted it from safe mode once but when I rebooted it was there again. So then I downloaded and used Spyware Doctor to find things and went through the registry and manually deleted items it listed (I didn't buy Spyware Doctor so I couldn't use it to delete). I noticed Spyware Doctor was finding things that the other programs were not. Anyway, I disabled System Restore, then booted into safe mode, then I did a search and deleted the core.cache.dsk. I emptied my recycle bin and then booted back to normal. It seems to be gone now. I think the first couple of times it was in the recycle bin but I am not sure. I'm not sure if it can reinstall from there or not.
    What a nasty rootkit.
    I will let you know if I keep having problems.


     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Do let me know before we do the final clean up ...we may need to run smitfraud as a check.
    It would also behoove you to run an online scan with Bitdefender:
    Bitdefender agree to the license and then select Scan. DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED. That will make your logs huge and we don't need to see clean files. Once Bitdefender completes the scan:

    Click-on the Detected Problems tab. Then select Click here to export the scan report

    When the window comes up to save the report, change the Save as type: box to Text (Tab Delimited) (*.txt) and then in the File name box change the name to bdscan, then click Save. This will save a file named bdscan.txt in whatever folder you are currently in when you save the file (take notice of where you are so you can find it later). This bdscan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.
     
  10. sssteve72

    sssteve72 Private E-2

    I ran the Bitdefender scan as you suggested and the log is attached. I ran Spyware Doctor again just to see if it found anything. It did find a couple of cookies and a few registry entries. I deleted the cookies using Delete Cookies in IE7 and I edited the registry to remove the registry entries.

    I went ahead and attached the log from Spyware Doctor if it's of any use. It is a .txt but you can change it to .htm to view it.

    Please let me know if you think I need to run another scan or do anything. I left my IE browser open for the past few hours but I haven't seen a pop up yet.

    If you think we are done, many thanks to you.
     
  11. sssteve72

    sssteve72 Private E-2

    Oops, I forgot the files.. here they are.
     

    Attached Files:

  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs look clean.

    If you are not having any other malware problems, it is time to do our final steps:

    1. If we used Pocket Killbox during your cleanup, do the below
    * Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that were created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    10. If you are running Windows XP or Windows ME, do the below:
    * Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work through the below link:
    * How to Protect yourself from malware!
     
