Pop-ups, No Connection To Internet



#1 lacurt1


Posted 18 December 2007 - 11:53 PM

My cousin's computer is definitely infected. It keeps getting pop-ups saying "Warning Potential Spyware Operation" and another saying "Warning: Free Viagra".... Not only that but it keeps on getting a pop-up closing the Internet Explorer not allowing the computer to bring up IE or even connect to the Internet...

Please help!

Thanks in advance for any assistance...



#2 katty


Posted 19 December 2007 - 04:53 AM

Try to install antivirus software.

#3 quietman7


Posted 19 December 2007 - 09:36 AM

Since your cousin cannot use your Internet, he is going to need access to another computer (family member, friend, etc) with an Internet connection. If you're going to help, then do this:

Please download the following programs and save to a USB stick or CD:
  • ATF Cleaner
  • SmitfraudFix
  • RogueRemover
  • SUPERAntiSpyware Free
  • SUPERAntiSpyware Free Definition files - (Be sure to download both the Core and Trace Definitions)
  • WinSockFix. Be sure to print out and save the instructions provided in the Winsock Repair Tutorial in case we need to use this tool.
  • HijackThis Installer. This is HijackThis 2.0.2 but it is an automatic setup version which will install HJT in the proper location if we need to use it. DO NOT fix anything with HijackThis unless advised.

Print out the Smitfraudfix Instructions so you can follow along when we get to that part of the fix.

Transfer all these programs directly to the Desktop of the infected computer <- (Important!)

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Double-click smitfraudfix.exe to start the tool.
  • Select option #2 - Clean by typing 2 and press Enter to delete infected files.
  • Wait for the tool to complete and disk cleanup to finish.
  • You will be prompted: "Registry cleaning - Do you want to clean the registry?" Answer Yes by typing Y and press Enter.
  • The tool will now check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll.
  • Answer Yes to the question "Replace infected file?" by typing Y and press Enter.
  • A reboot may be needed to finish the cleaning process.
  • If your computer does not restart automatically, please do it yourself manually (restart normally).
  • A text file will appear onscreen with results from the cleaning process. It can also be found at the root of the system drive, C:\rapport.txt.
IMPORTANT: Do NOT run any other options until you are asked to do so!

**If the tool fails to launch from the Desktop, please move smitfraudFix.exe to the root of the system drive and run it from there.

Double-click on rr-free-setup.exe to install in C:\Program Files\RogueRemover and follow the prompts.
  • During installation an icon will automatically be created on your Desktop.
  • If the program does not open after installation, double-click on the RogueRemover icon to launch.
  • Select "Scan" and follow the onscreen directions to remove anything found.
  • If nothing is found, exit RogueRemover.
  • If RogueRemover finds something, it will present a list of detected items.
  • Click "Remove selected", then Yes at the prompt.
  • Wait for the removal to complete and then close RogueRemover.
If using Windows Vista, be sure to Run As Administrator.

Now double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • Navigate to the SUPERAntiSpyware folder in C:\Program Files and unzip both the Core and Trace definition files.
  • An icon will have been created on your desktop. Double-click that icon to launch the program.
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method.

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Click Close to exit the program.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 clarky


Posted 19 December 2007 - 10:00 AM

If it is any consolation I had this problem on Friday but with perseverance I managed to get into the internet by right clicking on internet explorer & opening home page.

The "home page" however, whilst apparently looking OK has been hijacked. Internet use is though possible to download solutions as advised.

Using true sword I have at least been able to identify the problem although not solve it & my hijack this log is currently being perused by more knowledgeable folk.

#5 lacurt1


Posted 20 December 2007 - 01:51 AM

Thank you for your assistance quietman... I downloaded the recommended programs, although while running smitfraud in safe mode it would not allow me to clean the registry stating that it has been disabled by my administrator.

So, how should I proceed?

Thanks

#6 quietman7


Posted 20 December 2007 - 10:06 AM

This occurs if the DisableRegistryTools Policy is enabled by IT Administrators who place restrictions on using regedit to keep employees from making changes to their work computers. However, viruses and other malware may also try to disable it.

Download the Remove Restrictions Tool (RRT). Log on as administrator or an account with administrative privileges and double-click on RRT.exe to run the tool.
This utility is used to fix/re-enable Task Manager, Regedit and Folder Options often disabled by malware.

#7 lacurt1


Posted 21 December 2007 - 12:47 AM

Okay, so I downloaded RRT and it allowed me to complete the SmitFraud check but it didn't find anything... So I tried to install SuperAntiSpyware but it tells me once again that the administrator has prevented me from installing it. I'm absolutely certain that the account has administrative privileges.

Also a side note: I can run regedit and task manager, but the control panel has been removed from the start menu and it won't allow me to launch it from the windows folder. Furthermore, I can't right click on the desktop and choose properties due to the same restrictions.

What can I do, if anything, to restore the administrative privileges?

Thanks...
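
The restrictions discussed in posts #6 and #7 (registry tools disabled, Control Panel and desktop Properties blocked) are stored as policy values in the registry. The following read-only audit is an added example, not part of the original thread and not the RRT tool's code; it assumes PowerShell 3.0 or later, the function name `Get-RestrictionPolicy` is hypothetical, and `DisableMSI` is included only as an assumption about the blocked install, since the thread does not identify its cause.

```powershell
# Added example: lists restriction policies that are present and non-zero.
# Nothing is modified. On a domain-joined work PC these values may be set
# legitimately by IT; on a home PC they usually are not.
$sys = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
$exp = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$msi = 'Software\Policies\Microsoft\Windows\Installer'   # assumption, see lead-in

$checks = @(
    @{ Key = $sys; Name = 'DisableRegistryTools'; Blocks = 'Registry editing tools (regedit)' }
    @{ Key = $sys; Name = 'DisableTaskMgr';       Blocks = 'Task Manager' }
    @{ Key = $sys; Name = 'NoDispCPL';            Blocks = 'Display Properties (desktop right-click)' }
    @{ Key = $exp; Name = 'NoControlPanel';       Blocks = 'Control Panel' }
    @{ Key = $exp; Name = 'NoFolderOptions';      Blocks = 'Folder Options' }
    @{ Key = $msi; Name = 'DisableMSI';           Blocks = 'Windows Installer packages' }
)

function Get-RestrictionPolicy {
    # Check both the per-user and the machine-wide hive for every value.
    foreach ($hive in 'HKCU:', 'HKLM:') {
        foreach ($c in $checks) {
            $path = "$hive\$($c.Key)"
            $item = Get-ItemProperty -Path $path -Name $c.Name -ErrorAction SilentlyContinue
            if ($null -eq $item) { continue }        # key or value absent: no restriction
            $value = $item.($c.Name)
            [pscustomobject]@{
                Hive   = $hive
                Name   = $c.Name
                Value  = $value
                Active = ($value -ne 0)              # 0 means the policy is switched off
                Blocks = $c.Blocks
            }
        }
    }
}

$found = @(Get-RestrictionPolicy)
if ($found.Count -eq 0) {
    'No restriction policy values found in HKCU or HKLM.'
} else {
    $found | Sort-Object Hive, Name | Format-Table -AutoSize
}
```

Rows with `Active` set to `True` show which restriction is in force and in which hive, which is worth recording before and after running a removal tool.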

#8 quietman7


Posted 21 December 2007 - 09:11 AM

Please download MsnCleaner.zip and save to your Desktop.
  • Extract (unzip) the file to your desktop. (click here if you're not sure how to do this) but DO NOT use it yet.
  • Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A boot menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
  • Double-click MsnCleaner.exe to run the tool.
  • Click the "Analyze" button.
  • A report will be created after the scan and will be saved to C:\MsnCleaner.txt.
  • If it finds an infection, click the "Deleted" button.
  • Reboot normally when done and see if that helps.


#9 lacurt1


Posted 21 December 2007 - 11:28 AM

It didn't find anything and no changes...

#10 quietman7


Posted 21 December 2007 - 01:18 PM

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". In step #9 there are instructions for downloading HijackThis and creating a log. (This is a self-extracting version which will automatically install HJT in the proper location.) If using Windows Vista, be sure to Run As Administrator.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.