Computer pop-ups infection - help!

September 15, 2008 at 13:25:14
Specs: Windows XP SP2, ?
Hi everyone:


Well, I thought I was extra careful but eventually it happened to me too. Yesterday, out of the blue, a pop-up of the IE browser showed on the screen all by itself (no copies of IE were running at the time).

Here are the symptoms:

- When I'm online and open Internet Explorer, or even Firefox, some pop-up windows show up. They are set up to have "topmost" style, so that they cover the rest of the windows and are impossible to manipulate. Once you close them, they reopen again after some time;

- When I run msconfig to check the startup programs, I get this strange dll added there. It has a name something like cb2761821.dll. When I uncheck it and reboot, it reappears again under some different random name after a while.

- I get a notification from the Windows Security Alerts that Automatic Updates are turned off. If I try to turn them on, nothing happens. If I go to Start -> Windows Update, IE displays this message:
"The site cannot continue because one or more of these Windows services is not running".

- All my previous Restore Points were erased, thus I cannot revert back to the previous working state.


The interesting thing is that I had this annoying COMODO firewall program, which was constantly blocking my "good" programs, but now when I got a real virus, it sat quietly as if nothing had happened. I ripped it out right after that and downloaded the free AVG edition. I ran the scan a couple of times and every time it keeps finding a bunch of "something" - their description is quite misleading (it is mostly cookies, but cookies would not show pop-ups, right?). After each scan, I click a button to remove infected files, but it doesn't help much with the pop-up issue.

Once AVG reported that svchost.exe, or one of its processes, was infected. If it was, then that explains why none of those would-be anti-virus programs could remove it.


What I also did, hoping to recover the state of the OS system files, was uninstall Windows XP SP2 and later on install it again. Unfortunately, it didn't totally solve the problem - there were fewer pop-ups after that, but they still show up once in a while.


Now I don't trust any of those so-called anti-virus programs, and I want to rip this virus out myself. I know quite a bit about Windows programming, so all the technical stuff should not be an issue.

Can someone suggest to me the right direction to go next?


Thank you!




#1
September 15, 2008 at 13:57:16
Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

1. Double Click mbam-setup.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy & paste the entire report in your next reply.


Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This


1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.



#2
September 15, 2008 at 18:12:33
Here is what I would do (in addition to jabuck's response): first boot into safe mode w/networking. Then open Firefox and download these programs:

- Adaware se (*not Adaware 2008)
http://www.oldapps.com/adaware.htm

as well download the manual updates here -
http://www.lavasoft.com/suppor/secu...

- spybot S&D
http://www.safernetworking.org/en/i...

- A-squared (free):
http://www.emsisoft.com/en/software...

- CCleaner:
http://www.ccleaner.com/
- also, just as jabuck suggested, download HijackThis:
http://majorgeeks.com/download3155....

For the HijackThis program, run it but DO NOT delete anything until pasting the log file here >>
http://www.hijackthis.de/en

Also note that if at the start of this procedure safe mode w/networking does not stop the "topmost" style, then you need to use another computer to download the recommended software to a usb stick or burn to a cd.

Keep us updated please!

Do you know how helpless you feel if you have a full cup of coffee in your hand and you start to sneeze?

~Jean Kerr~



#3
September 15, 2008 at 21:23:45
Thank you very much guys!

MalwareBytes actually seemed to have solved the issue, or at least got rid of that worm. By the way, it was Vundo.H according to MalwareBytes (whatever that thing is). It definitely messed up my PC big time, though. When I was trying to update Windows, it didn't work and would simply quit saying something stupid, like "Cannot install updates". Eventually I opted for installing the unwanted SP3, which fixed the problem.

I'm attaching my current snapshot from HJT. Could you please check it to make sure the virus is gone?

Thanks again.


[quote]
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:17:11 PM, on 9/15/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?Lin...
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g...
O20 - AppInit_DLLs: uqolfx.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 4717 bytes

[/quote]


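As an added illustration that is not part of this thread or of either tool mentioned in it, here is a small Python triage script for HijackThis-format log lines. It flags the two things that stand out in the original symptoms and in the log posted above: a non-empty O20 AppInit_DLLs entry (a DLL listed there is loaded into every process that loads user32.dll, and legitimate entries are rare on a home XP machine), and O4 autostart entries whose module name looks machine-generated, like the cb2761821.dll the original poster saw reappearing in msconfig. The sample log lines are constructed, modelled on the posted log; the random-name heuristic (`looks_random`) and the helper names are assumptions of this example, not a HijackThis feature.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample, modelled on the HijackThis v2 log in the post above.
# The cb2761821 Run entry is made up to mirror the name the poster described.
SAMPLE_LOG = r"""
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [cb2761821] RUNDLL32.EXE C:\WINDOWS\system32\cb2761821.dll,a
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: uqolfx.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# "O4 - <body>", "R1 - <body>", "F2 - <body>" ... : section code, then the entry.
HJT_LINE = re.compile(r"^(O\d+|R[01]|F\d) - (.*)$")
# O4 body: "<hive>\..\Run: [<entry name>] <command line>"
RUN_ENTRY = re.compile(r"^(HK\w+\\[^:]*Run[^:]*): \[([^\]]*)\] (.*)$")
# Any token ending in .dll/.exe; commas separate rundll32's module from its export.
MODULE_TOKEN = re.compile(r"[^\s,]+\.(?:dll|exe)", re.IGNORECASE)
VOWELS = set("aeiouy")


def looks_random(stem):
    """Heuristic (this example's assumption): names like cb2761821 that carry no
    recognisable word. Short letters + a long digit run, or a long consonant-only
    string, are treated as machine-generated."""
    s = stem.lower()
    if re.fullmatch(r"[a-z]{1,4}\d{5,}", s):
        return True
    letters = [c for c in s if c.isalpha()]
    if len(letters) >= 6:
        return sum(c in VOWELS for c in letters) / len(letters) < 0.15
    return False


def target_module(command):
    """Return the program or DLL an O4 entry really loads, skipping rundll32 itself.
    Paths containing spaces are split by the token regex, but the file name survives."""
    for token in MODULE_TOKEN.findall(command):
        if PureWindowsPath(token).name.lower() != "rundll32.exe":
            return token
    return None


def triage(log_text):
    """Walk HijackThis lines and return (section, reason, original line) findings."""
    findings = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue  # headers, process list, blank lines
        section, body = m.groups()
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.split(":", 1)[1].strip()
            if value:
                findings.append((section,
                                 f"AppInit_DLLs loads {value} into every process using user32.dll",
                                 raw))
        elif section == "O4":
            r = RUN_ENTRY.match(body)
            if not r:
                continue
            _hive, name, command = r.groups()
            module = target_module(command)
            if module and looks_random(PureWindowsPath(module).stem):
                findings.append((section,
                                 f"autostart [{name}] loads random-looking module {module}",
                                 raw))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {line}")
```

Run against the sample it reports the O20 uqolfx.dll line and the cb2761821 Run entry, and stays quiet on the NVIDIA, ctfmon and BHO lines. The point of the AppInit_DLLs check is that it is independent of the name heuristic: a DLL in that value is suspicious on its own, which is why the O20 line in the posted log deserves a second look even though MBAM reported a clean removal.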