Ad Pop-Ups on FireFox and Explorer

March 22, 2009 at 14:30:48
Specs: Microsoft Windows XP Home Edition, 2.797 GHz / 510 MB
I tried downloading music yesterday, which I think is when it all started. Now when I open any website via Firefox or Internet Explorer, unnecessary pop-ups show up even though I have a pop-up blocker and it is enabled. Eventually a number of Explorer windows open up if you try to close the first one, the computer shows "low on virtual memory", and everything hangs or slows down. Please help to fix this... I will really appreciate it!!!



#1
March 22, 2009 at 14:54:23
Try to scan with Malwarebytes' Anti-Malware
http://www.malwaresupport.com/mbam/...

or scan with ESET Online Scanner
http://download.eset.com/special/eo...



#2
March 22, 2009 at 19:25:01
Log after running Malwarebytes and removing affected files:

Malwarebytes' Anti-Malware 1.34
Database version: 1887
Windows 5.1.2600 Service Pack 3

3/22/2009 9:09:32 PM
mbam-log-2009-03-22 (21-09-32).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 169536
Time elapsed: 1 hour(s), 25 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 9
Registry Keys Infected: 12
Registry Values Infected: 6
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 16

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\givubowa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\revudahe.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\hozutoza.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\nitukito.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\bemubuse.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\heyovoki.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\lbryvo.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\subalavi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\nukavuso.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{dd6d02be-697c-4cbd-b4e8-0eeb2d19c21c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{dd6d02be-697c-4cbd-b4e8-0eeb2d19c21c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2524bf80-2df2-4ee7-9110-4045a31a3550} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{2524bf80-2df2-4ee7-9110-4045a31a3550} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2524bf80-2df2-4ee7-9110-4045a31a3550} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{dd6d02be-697c-4cbd-b4e8-0eeb2d19c21c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6c2584ac (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm6f16b730 (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gatulesafe (Trojan.Vundo.H) -> Delete on reboot.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gatulesafe (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\heyovoki.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\revudahe.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\revudahe.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\heyovoki.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\revudahe.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\lbryvo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\givubowa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\nukavuso.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\subalavi.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\heyovoki.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\bemubuse.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\revudahe.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\nitukito.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Owner\Local Settings\temp\UACc601.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{84F2CF0F-B74A-4119-8E77-185CADB63906}\RP63\A0008241.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{84F2CF0F-B74A-4119-8E77-185CADB63906}\RP64\A0008321.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{84F2CF0F-B74A-4119-8E77-185CADB63906}\RP64\A0008323.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hozutoza.dll (Trojan.Vundo) -> Delete on reboot.
C:\System Volume Information\_restore{84F2CF0F-B74A-4119-8E77-185CADB63906}\RP64\A0008320.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{84F2CF0F-B74A-4119-8E77-185CADB63906}\RP64\A0008322.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACbufcnqva.dat (Trojan.Agent) -> Quarantined and deleted successfully.

--------------------------------------------------------------------------------------
Do I need to run anything else ... or am I safe now?


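The Malwarebytes log above is the only record in the thread of where the infection anchored itself (Run keys, a Browser Helper Object, AppInit_DLLs, an LSA notification package, SharedTaskScheduler) and of which items were still present when the scan ran. The Python script below is an added example, not code from the thread or from Malwarebytes: it parses the MBAM 1.x log format shown above, groups registry findings by the autostart mechanism they abuse, and lists everything marked "Delete on reboot", which MBAM could not remove while Windows was running and which only goes away after a restart followed by a second scan. The sample input is a constructed subset of the entries from the log above; the mechanism labels and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the MBAM 1.x log format (a subset of the entries posted in the thread)
SAMPLE_LOG = r"""
Memory Modules Infected:
C:\WINDOWS\system32\givubowa.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{dd6d02be-697c-4cbd-b4e8-0eeb2d19c21c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm6f16b730 (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\heyovoki.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\revudahe.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\heyovoki.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\Owner\Local Settings\temp\UACc601.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
"""

# "Memory Modules Infected:" style section headers (the summary lines carry a count and do not match)
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):\s*$")
# "<item> (<detection>) -> [Data: ... ->] <action>"
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")

# Autostart locations to look for in registry items; labels are this example's own wording
PERSISTENCE = {
    "AppInit_DLLs": "AppInit_DLLs (DLL injected into every process that loads user32.dll)",
    "LSA\\Notification Packages": "LSA notification package (DLL loaded by lsass.exe)",
    "\\Run\\": "Run key autostart",
    "Browser Helper Objects": "Internet Explorer Browser Helper Object",
    "SharedTaskScheduler": "SharedTaskScheduler (COM object loaded by Explorer)",
    "ShellServiceObjectDelayLoad": "ShellServiceObjectDelayLoad (COM object loaded by Explorer)",
    "Security Center": "Security Center notification tampering",
}


def parse_mbam_log(text):
    """Return one dict per detection line: section, item, detection, data, action."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = ENTRY_RE.match(line)
        if not m or section is None:
            continue  # blank lines, headers, "(No malicious items detected)"
        parts = [p.strip() for p in m.group("rest").split(" -> ")]
        action = parts[-1]  # the last arrow segment is what MBAM did with the item
        data = next((p[len("Data: "):] for p in parts[:-1] if p.startswith("Data: ")), None)
        entries.append({"section": section, "item": m.group("item"),
                        "detection": m.group("detection"), "data": data, "action": action})
    return entries


def pending_reboot(entries):
    """Items MBAM could not remove while running; they only go away after a restart."""
    return [e["item"] for e in entries if e["action"].lower().startswith("delete on reboot")]


def persistence_summary(entries):
    """Group registry findings by the autostart mechanism they abuse (DLL path when logged)."""
    summary = defaultdict(list)
    for e in entries:
        for needle, mechanism in PERSISTENCE.items():
            if needle.lower() in e["item"].lower():
                summary[mechanism].append(e["data"] or e["item"])
                break
    return dict(summary)


def report(entries):
    """Human-readable triage: what persists where, and what still needs a reboot."""
    lines = []
    for mechanism, items in persistence_summary(entries).items():
        lines.append(f"[persistence] {mechanism}:")
        lines.extend(f"    {i}" for i in items)
    pending = pending_reboot(entries)
    lines.append(f"[pending] {len(pending)} item(s) marked 'Delete on reboot'; restart, then rescan:")
    lines.extend(f"    {i}" for i in pending)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_mbam_log(SAMPLE_LOG)))
```

Run it against a saved `mbam-log-*.txt` by reading the file into `parse_mbam_log` instead of `SAMPLE_LOG`. The `[pending]` section answers the "am I safe now?" question directly: as long as it is non-empty, the removal is not finished, and the AppInit_DLLs and LSA entries explain why the same DLLs reappeared in every process and why Explorer kept respawning windows.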

#3
March 23, 2009 at 00:06:38
As the Malwarebytes log shows, your PC has got the VUNDO trojan. There are two ways to get rid of the VUNDO trojan.
1: go to http://darfuns.com/remove-vundo-tro... and follow the manual removal instructions to remove the Vundo trojan
2: go to http://darfuns.com/download-super-a... and download the SUPERAntiSpyware program (FREE) to remove the Vundo trojan automatically from your PC by using this tool


#4
March 23, 2009 at 10:13:44
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/23/2009 at 11:17 AM

Application Version : 4.25.1014

Core Rules Database Version : 3809
Trace Rules Database Version: 1763

Scan type : Complete Scan
Total Scan Time : 02:11:21

Memory items scanned : 539
Memory threats detected : 1
Registry items scanned : 6604
Registry threats detected : 6
File items scanned : 85112
File threats detected : 61

Adware.Vundo/Variant-PEC2
C:\WINDOWS\SYSTEM32\GZROWR.DLL
C:\WINDOWS\SYSTEM32\GZROWR.DLL

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@content.yieldmanager[1].txt
C:\Documents and Settings\Owner\Cookies\owner@traffic-go[1].txt
C:\Documents and Settings\Owner\Cookies\owner@advertising[3].txt
C:\Documents and Settings\Owner\Cookies\owner@media.adrevolver[1].txt
C:\Documents and Settings\Owner\Cookies\owner@bs.serving-sys[2].txt
C:\Documents and Settings\Owner\Cookies\owner@questionmarket[3].txt
C:\Documents and Settings\Owner\Cookies\owner@dynamic.media.adrevolver[1].txt
C:\Documents and Settings\Owner\Cookies\owner@tacoda[1].txt
C:\Documents and Settings\Owner\Cookies\owner@stopzilla[2].txt
C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[3].txt
C:\Documents and Settings\Owner\Cookies\owner@evenmorestats[1].txt
C:\Documents and Settings\Owner\Cookies\owner@specificclick[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.stopzilla[1].txt
C:\Documents and Settings\Owner\Cookies\owner@apmebf[2].txt
C:\Documents and Settings\Owner\Cookies\owner@fastclick[2].txt
C:\Documents and Settings\Owner\Cookies\owner@richmedia.yahoo[1].txt
C:\Documents and Settings\Owner\Cookies\owner@at.atwola[1].txt
C:\Documents and Settings\Owner\Cookies\owner@atdmt[3].txt
C:\Documents and Settings\Owner\Cookies\owner@msnportal.112.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@hypertracker[1].txt
C:\Documents and Settings\Owner\Cookies\owner@specificmedia[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adrevolver[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[2].txt
C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[3].txt
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[3].txt
C:\Documents and Settings\Owner\Cookies\owner@serving-sys[3].txt
eas.apm.emediate.eu [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\hu0cp5ph.default\cookies.txt ]
www.accountonline.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\hu0cp5ph.default\cookies.txt ]
.adopt.specificclick.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\hu0cp5ph.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\hu0cp5ph.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\hu0cp5ph.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\hu0cp5ph.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\hu0cp5ph.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\hu0cp5ph.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\hu0cp5ph.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\hu0cp5ph.default\cookies.txt ]
.atwola.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\hu0cp5ph.default\cookies.txt ]
media.hotels.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\hu0cp5ph.default\cookies.txt ]
.indiads.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\hu0cp5ph.default\cookies.txt ]
.media6degrees.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\hu0cp5ph.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\hu0cp5ph.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\hu0cp5ph.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\hu0cp5ph.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\hu0cp5ph.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\hu0cp5ph.default\cookies.txt ]
.apmebf.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\hu0cp5ph.default\cookies.txt ]
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[1].txt
C:\Documents and Settings\Owner\Cookies\owner@advertising[1].txt
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
C:\Documents and Settings\Owner\Cookies\owner@bs.serving-sys[1].txt
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[2].txt
C:\Documents and Settings\Owner\Cookies\owner@questionmarket[1].txt
C:\Documents and Settings\Owner\Cookies\owner@serving-sys[2].txt
C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[2].txt
C:\Documents and Settings\Owner\Cookies\owner@xiti[1].txt
C:\QooBox\Quarantine\C\Documents and Settings\Owner\Cookies\owner@insightexpressai[2].txt.vir
C:\WINDOWS\system32\config\systemprofile\Cookies\system@crackle[2].txt

Adware.180solutions/ZangoSearch
HKCR\CLSID\{D676F999-4608-4dc5-A135-4F51F4212739}
HKCR\CLSID\{D676F999-4608-4dc5-A135-4F51F4212739}#rsp

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\MS Track System
HKLM\SOFTWARE\Microsoft\MS Track System#Uid
HKLM\SOFTWARE\Microsoft\MS Track System#Shows

Rogue.Component/Trace
HKU\S-1-5-21-1547161642-1078145449-1343024091-1003\Software\Microsoft\FIAS4051

Trace.Known Threat Sources
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WJ1V1YQC\favicon[1].ico
--------------------------------------------------------------------------------------

Completed running SUPERAntiSpyware; can you guide me to the next step?

