
Pop up virus when I turn computer on


22 replies to this topic

#1 Pmcm

Pmcm

  • Members
  • 5 posts

Posted 17 January 2013 - 01:05 PM

Hi,
I have been having malware trouble with my computer from the beginning of December. I turned my computer on one day to find a lot of pop up messages telling me suspicious files had been detected and I needed to scan now. I also received a bubble message in the taskbar saying that my C: drive had rejected and it was recommended I do a scan. I immediately realised this was suspicious and so went on Google to see if anyone had similar problems. I couldn't find anything helpful so I tried a few scans myself.
I ran McAfee, MBAM, TDSSKiller, Spybot and ESET, all of which came up clear. At a loss of what to do next I just stayed away from the computer for a while.

Recently I decided to give it another shot. The pop ups have got worse except now they are saying "pleaes remove all ity.im ads from your website". My computer is very slow and the pop ups are even coming through when the computer is activated in safe mode.

Is there anything I can do to remove the virus/malware without having to wipe my computer?

It is a Dell Vostro 200 running Windows XP.

Many thanks for your help,
Paula


#2 narenxp

narenxp

  • BC Advisor
  • 16,371 posts

Posted 17 January 2013 - 03:28 PM

Download

TDSSKiller

Launch it. Click on "Change parameters" and select "TDLFS file system".

Click on "Scan". Please post the log report (the log file should be in your C drive).

Do not change the default options on scan results.

Download

aswMBR

Launch it and allow it to download the latest Avast! virus definitions.
Click the "Scan" button to start the scan. After the scan finishes, click on "Save log".

Post the log results here. If you get crashes in normal mode, run it in safe mode with networking.

Download

ESET online scanner

Install it.

Click on START; it should download the virus definitions.
When the scan is completed, click on "List of found threats".

Export the list to the desktop and copy the contents of the text file into your reply.

#3 Marcel Brown

Marcel Brown

  • Members
  • 7 posts

Posted 17 January 2013 - 11:22 PM

I've started a blog post to gather information on this particular malware. There does not appear to be much information about it at this time.

http://solotechpros.com/2013/01/17/pleaes-remove-all-ity-im-ads-from-your-website/

Anyone that finds anything out, please let me know.

Thanks!

#4 Tshirt_n_heans

Tshirt_n_heans

  • Members
  • 4 posts

Posted 17 January 2013 - 11:59 PM

> Download
>
> TDSSKiller
>
> Launch it. Click on "Change parameters" and select "TDLFS file system".
>
> Click on "Scan". Please post the log report (the log file should be in your C drive).
>
> Do not change the default options on scan results.
>
> Download
>
> aswMBR
>
> Launch it and allow it to download the latest Avast! virus definitions.
> Click the "Scan" button to start the scan. After the scan finishes, click on "Save log".
>
> Post the log results here. If you get crashes in normal mode, run it in safe mode with networking.
>
> Download
>
> ESET online scanner
>
> Install it.
>
> Click on START; it should download the virus definitions.
> When the scan is completed, click on "List of found threats".
>
> Export the list to the desktop and copy the contents of the text file into your reply.


This doesn't seem to work. So far, the only thing I have tried that even recognizes there is a problem is Norton AV... but it does not fix it. Definitely associated with explorer.exe. Usually it is about 35K, but if you close the popups associated with this malware, it will grow. Explorer.exe grew to 3.5GB.

Spent about an hour on Chat with Norton. They do not have any knowledge of this issue yet.

Do any of you who are experiencing this use Skype? Google Chrome?

Rob

#5 Woodsywine

Woodsywine

  • Members
  • 3 posts

Posted 18 January 2013 - 02:49 AM

Hi Rob - I too have this blasted thing on my computer and noticed it around 4 days ago - I am not using Skype or Google Chrome, as I notice with Chrome every time I click on a website it is hijacked and seems to slow my computer down.

I have been using explorer and Mozilla.

Hope this helps in your quest to rid us of this pesky virus.

Cheers Amber

#6 narenxp

narenxp

  • BC Advisor
  • 16,371 posts

Posted 18 January 2013 - 09:46 AM

Marcel Brown, Tshirt_n_heans, Woodsywine

Do not hijack threads started by others. If you have any issues, start your own thread.

#7 Tshirt_n_heans

Tshirt_n_heans

  • Members
  • 4 posts

Posted 18 January 2013 - 10:19 AM

> Marcel Brown, Tshirt_n_heans, Woodsywine
>
> Do not hijack threads started by others. If you have any issues, start your own thread.


Sorry, but it is the same issue. There are very few people experiencing this so far. We all need to work together.

#8 narenxp

narenxp

  • BC Advisor
  • 16,371 posts

Posted 18 January 2013 - 10:28 AM

Logs and removal procedures will differ for each one of them depending on the nature of the infections. There is nothing called WORKING TOGETHER in malware removal forums. Each one of them has to create their own topic. Do not hijack this topic again.

#9 Tshirt_n_heans

Tshirt_n_heans

  • Members
  • 4 posts

Posted 18 January 2013 - 10:50 AM

> Logs and removal procedures will differ for each one of them depending on the nature of the infections. There is nothing called WORKING TOGETHER in malware removal forums. Each one of them has to create their own topic. Do not hijack this topic again.



Fine. Deal with it on your own.

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 61,975 posts

Posted 18 January 2013 - 11:21 AM

We will, we have and will continue to... Each individual needs their own topic. It's better for them and us.
How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook Have you seen..Select Real Security

#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 53,021 posts

Posted 18 January 2013 - 11:56 AM

Just to avoid any confusion, it's fine to discuss the cause of an infection with each other. However, when it comes down to actual removal help we work one-to-one. The reason for this is simple: malware rarely comes alone, so all fixes or steps taken with a specific user are aimed at the situation of their machine only. Furthermore, if 5 people all post their logs in one topic it will become very confusing, both for the ones helping and for the users with the problem.

For that reason, let's keep this organized. This is Pmcm's topic, so she will get help here. For everyone else with the same problem, follow the steps in this guide.

Because this ity.im problem appears to be something new, feel free to send me a PM with your topic link if you have this particular infection, I'd like the chance to look at this more in-depth. Be sure you post the requested logs in the requested forum beforehand though.
regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."




#12 Marcel Brown

Marcel Brown

  • Members
  • 7 posts

Posted 18 January 2013 - 03:43 PM

FYI, it appears this infection is an MBR rootkit, Rootkit.Boot.SST.b, also possibly known as Trojan.MBR.Alureon!IK. The apparent cure requires booting the machine from an external boot CD or USB drive (or pulling the drive out of the machine and connecting it to another machine) and running TDSSKiller or Hitman Pro (or perhaps another utility that can be run from an external drive). I will detail this on the earlier referenced blog link.

Note, I was not trying to hijack the thread, merely trying to gather information in a centralized place. This particular infection was extremely tricky and very little information about it was available, as the symptoms apparently only started appearing a few days ago. No attempt was made by myself to post any logs, solicit any help, nor post any removal instructions to the OP.

Edited by Marcel Brown, 18 January 2013 - 03:44 PM.


#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 53,021 posts

Posted 18 January 2013 - 04:17 PM

If this proves to be TDSS/SST/Alureon then I much prefer an actual dump of the MBR instead of slaving/running TDSSKiller or similar; it's a lot simpler and having the actual MBR gives us some additional information as well.
regards, Elise
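
To illustrate the kind of information a raw MBR dump gives a helper, here is an added example (not from any poster in this thread or from BleepingComputer) that parses a 512-byte dump and flags what stands out. It assumes the classic MBR layout; the sample sectors and the known-good hash are constructed for the example, and `parse_mbr`, `review` and `build_sample` are hypothetical names.

```python
import hashlib
import struct

CODE_LEN = 440   # bytes 0-439: bootstrap code (440-445 hold the disk signature)
TABLE_OFF = 446  # four 16-byte partition entries, then 0x55 0xAA at 510-511
ENTRY = struct.Struct("<B3sB3sII")  # status, CHS, type, CHS, LBA start, sector count

def parse_mbr(dump: bytes) -> dict:
    """Split a 512-byte MBR dump into the fields a helper would review."""
    if len(dump) != 512:
        raise ValueError(f"MBR dump must be 512 bytes, got {len(dump)}")
    parts = []
    for slot in range(4):
        status, _, ptype, _, lba, count = ENTRY.unpack_from(dump, TABLE_OFF + 16 * slot)
        if ptype:  # type 0x00 marks an unused slot
            parts.append({"slot": slot, "status": status, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {"signature_ok": dump[510:512] == b"\x55\xaa",
            "code_sha256": hashlib.sha256(dump[:CODE_LEN]).hexdigest(),
            "partitions": parts}

def review(info: dict, known_good: set) -> list:
    """Return human-readable findings; an empty list means nothing stood out."""
    notes = []
    if not info["signature_ok"]:
        notes.append("boot signature 0x55AA missing")
    if info["code_sha256"] not in known_good:
        notes.append("bootstrap code differs from every known-good loader")
    if any(p["status"] not in (0x00, 0x80) for p in info["partitions"]):
        notes.append("partition entry with invalid status byte")
    if sum(p["status"] == 0x80 for p in info["partitions"]) != 1:
        notes.append("expected exactly one active partition")
    return notes

def build_sample(code: bytes) -> bytes:
    """Constructed test sector: placeholder code plus one active NTFS entry."""
    entry = ENTRY.pack(0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 1_000_000)
    return code.ljust(TABLE_OFF, b"\x00") + entry + bytes(48) + b"\x55\xaa"

# Constructed placeholder bytes, not a real boot loader.
CLEAN = build_sample(b"\xfa\x33\xc0" + b"constructed-clean-loader")
MODIFIED = build_sample(b"\xfa\x33\xc0" + b"constructed-other-loader")
KNOWN_GOOD = {parse_mbr(CLEAN)["code_sha256"]}  # stands in for a reference hash list

if __name__ == "__main__":
    for name, dump in (("clean", CLEAN), ("modified", MODIFIED)):
        print(name, review(parse_mbr(dump), KNOWN_GOOD) or "no findings")
```

Hashing only the first 440 bytes keeps the per-disk signature at offset 440 out of the comparison, so the same stock loader hashes identically on different machines.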



#14 Woodsywine

Woodsywine

  • Members
  • 3 posts

Posted 18 January 2013 - 08:16 PM

I too am new to this website and do not like being called a hijacker - narenxp - you are rude - no need to be so damn rude when everyone is freaking out with a new virus. I was only trying to find information myself on this topic.

Hijack is a strong word! - BTW - Ran HitmanPro and it's gone - thanks - won't post here again - was only trying to help and find info.

Good luck to anyone else who has this pesky virus on their computer - have a great weekend!!

#15 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 61,975 posts

Posted 18 January 2013 - 09:19 PM

Hello Woodsywine, Hijack is a strong word, but in the world of forums the term means to jump a topic. It is a standard term in forums. So as you are new to these things I just wanted you to know it was not meant in a mean way. The first mention was polite: "Do not hijack threads started by others. If you have any issues, start your own thread."

You would have been assisted in your thread. As Elise stated... The reason for this is simple: malware rarely comes alone, so all fixes or steps taken with a specific user are aimed at the situation of their machine only. Furthermore, if 5 people all post their logs in one topic it will become very confusing, both for the ones helping and for the users with the problem. Fortunately yours was fixed easily. There are many posts here where the machine shut down as there were other variables.

Thanks for posting.



