
I'm Infected With Adware, Pop Ups And Fake Security Messages Etc.


11 replies to this topic

#1 Guest_mattbronson_*


Posted 26 March 2008 - 11:28 PM

Hi everyone, I've had a similar infection not that very long ago and I tried to dig out the solution but couldn't find it in my old posts, so sorry for going over this tedious nonsense again... :flowers:

I received an MSN instant message from a friend of mine while I was half asleep, and dumbo here clicked on the link thinking it was legitimate. I even made the cardinal sin of clicking on the run button when a program of all things appeared on the screen! It didn't seem to do anything at first but now (occasionally) I'm getting IE popups even while I'm working in Firefox.

Basically the messages are saying my machine is infected and click here to buy a fantastic product to fix it blah, blah, blah... x'ing out usually produces a new IE window with different crap each time.

It has been identified by AVG and Ad-Aware but doesn't seem to have gone (although it is less frequent than now).

Can anyone help again please?

So sorry for being such a numpty!!! :thumbsup:

Thanks in advance

Matt

PS. How do I attach a couple of screen dumps... I've saved them but can't find an attach link... do I have to upload them somewhere online? If so, where?
Thanks

Edited by mattbronson, 26 March 2008 - 11:39 PM.



#2 boopme


Posted 27 March 2008 - 12:48 PM

Hello, do these popups give you a product name to buy and is this an XP machine?
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 Guest_mattbronson_*


Posted 28 March 2008 - 04:38 PM

Hi boopme, thanks for your response.

The product name changes but the one I have made a note of so far is AntiSpywareSuite. The other one it comes up with is something Malware remover??? I should say that this shows as a Windows popup message as opposed to an IE looking popup.

I have about 4 screens but don't know how to upload them (sorry for being a dunce but if someone can explain how that would be great!). I've tried uploading to a few free image hosters and they all time out on me (not sure if this is anything to do with the virus/malware?)

Today, I have again run Adaware 2007 free edition which picked up the malware called Virtumonde. I clicked on remove, rebooted my machine and have set Adaware going again (I will post the results when it finishes in about 2 hours time!)

AVG started running after the reboot and it has picked up 4 critical threats as follows:

Trojan Horse Generic 10.DSI (x1)
Trojan Horse Generic 10.DMY (x13)
Trojan Horse Generic 10.FPW (x1)
Virus Found Lop (x2)

I have now wiped them from the Virus Vault and will be running Ad Aware 2007 again as mentioned previously.

Thanks again in advance! :thumbsup:

Matt

#4 Guest_mattbronson_*


Posted 28 March 2008 - 06:21 PM

OK.. Nothing appearing in Ad-Aware now

I've set Spybot going and it's found 21 "red" entries. It's found a load of red entries in RegistryFix, 1 item in Windows security and 2 instances of Virtumonde. When I tried removing them with Spybot, I had loads of pop up error messages, one of which was saying my PC was out of memory (only Firefox bleepingcomputer.com page and Spybot open).

Now I am at a loss what else to try? :thumbsup:

#5 boopme


Posted 29 March 2008 - 09:52 AM

Hi, please use this scan and post back the log. I want you to temporarily turn off Spybot before the download and scan. Is this an XP machine?

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Edited by boopme, 29 March 2008 - 09:53 AM.


#6 Guest_mattbronson_*


Posted 29 March 2008 - 11:39 AM

Hi, this is an XP (Home Edition) laptop yes. I will post the results of the log asap... things are taking a little while longer to run since all this happened.

Thanks

Matt

Edited by mattbronson, 29 March 2008 - 11:46 AM.


#7 Guest_mattbronson_*


Posted 29 March 2008 - 12:09 PM

Hi, here are results of the scan from the mbam log:

Malwarebytes' Anti-Malware 1.09
Database version: 564

Scan type: Quick Scan
Objects scanned: 28171
Time elapsed: 19 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 8
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 15

[/URL][/img].Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jkkijkl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\opnolll.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\opnoppo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pmnoonn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\awtqnkh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mljkhgg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

Thanks

Matt

PS. After rebooting I received a RUNDLL error message saying "C:\WINDOWS\system32\rfdyuify.dll (The specified module could not be found)"

Edited by mattbronson, 29 March 2008 - 12:45 PM.


#8 quietman7


Posted 29 March 2008 - 12:41 PM

Please print out and follow the instructions for using "Vundofix". -- If using Windows Vista be sure to Run As Administrator.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the 'Fix Vundo' button.
  • After running VundoFix, a text file named vundofix.txt will automatically be saved to the root of the system drive, usually at C:\vundofix.txt.
  • Please copy & paste the contents of that text file into your next reply.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#9 Guest_mattbronson_*


Posted 29 March 2008 - 01:25 PM

Hi, I've downloaded and run the VundoFix, thank you, and the contents of the vundofix.txt file are below:

VundoFix V7.0.3

Scan started at 13:48:58 29/03/2008

Listing files found while scanning....

C:\Program Files\PowerISO\PWRISOSH.DLL

Beginning removal...

Attempting to delete C:\Program Files\PowerISO\PWRISOSH.DLL
C:\Program Files\PowerISO\PWRISOSH.DLL Has been deleted!

Performing Repairs to the registry.
Done!

Many thanks

Matt

PS. Still received a RUNDLL error message saying "C:\WINDOWS\system32\rfdyuify.dll (The specified module could not be found)"

Edited by mattbronson, 29 March 2008 - 01:26 PM.


#10 quietman7


Posted 29 March 2008 - 01:31 PM

It's not unusual to receive such an error after using specialized fix tools.

A "Cannot find...", "Could not run...", "Error loading..." or "specific module could not be found" message is usually related to malware that was set to run at startup but has been deleted. Windows is trying to load this file but cannot locate it since the file was most likely removed during an anti-virus or anti-malware scan. However, an associated orphaned registry entry remains and is telling Windows to load the file when you boot up. Since the file no longer exists, Windows will display an error message. You need to remove this registry entry so Windows stops searching for the file when it loads.

To resolve this, download Autoruns, search for the related entry and then delete it.
  • Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this.)
  • Open the folder and double-click on autoruns.exe to launch it.
  • Please be patient as it scans and populates the entries.
  • When done scanning, it will say Ready at the bottom.
  • Scroll through the list and look for a startup entry related to the file(s) in the error message.
  • Right-click on the entry and choose delete.
  • Reboot your computer and see if the startup error returns.

Edited by boopme, 28 May 2008 - 03:54 PM.


#11 Guest_mattbronson_*


Posted 01 April 2008 - 05:21 PM

First of all, thanks to both of you for your help... it seems like the popups have stopped and I'm back to an almost decent processing speed again! :thumbsup:

Is there anything else I need to do to complete the job of getting rid of the malware etc?

Secondly, I can't find anything in the autoruns program that refers to rfdyuify.dll and I've Googled the filename without much luck. Is there any other way of getting rid of annoying errors when Windows starts up?

Thanks

Matt

#12 quietman7


Posted 02 April 2008 - 08:00 AM

Do you see any entries with RunDLL32.exe? This is a legit Windows file that loads .dll files which too can be legit or malware related. Sometimes the bad .dll may show after it.

Did you look in MSConfig? Although, what's listed there should show in Autoruns.
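An added example, not part of the original thread and not code from Autoruns or any other tool named in it: the orphaned-startup-entry check described in posts #10 and #12, written in Python against text in the layout `reg query` prints for the two standard Run keys. The value names and the ExampleAV path are constructed; only rfdyuify.dll comes from the thread.

```python
import os
import re

# Constructed sample in the layout printed by `reg query` for the Run keys.
# Value names and the ExampleAV path are made up; rfdyuify.dll is from the thread.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ExampleAV    REG_SZ    C:\Program Files\ExampleAV\tray.exe /startup
    example_value    REG_SZ    Rundll32.exe "C:\WINDOWS\system32\rfdyuify.dll",s

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
"""

ENTRY = re.compile(r"^\s+(?P<name>.+?)\s+REG_(?:EXPAND_)?SZ\s+(?P<cmd>.+)$")
# A referenced file ends at the first binary extension, so unquoted paths
# with spaces and the DLL argument handed to rundll32 are both captured.
TARGET = re.compile(r'"?([^"]*?\.(?:exe|dll|cpl|ocx|scr))\b"?', re.I)

def parse_run_export(text):
    """Yield (key, value_name, command) for each string value in the export."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = ENTRY.match(line)
        if key and m:
            yield key, m["name"], m["cmd"].strip()

def find_orphans(text, exists=os.path.exists):
    """Return startup entries that reference a file which is no longer on disk."""
    findings = []
    for key, name, cmd in parse_run_export(text):
        for path in (p.strip() for p in TARGET.findall(cmd)):
            # Bare names (Rundll32.exe) resolve via the search path and
            # %VAR% paths need expansion on the live system: skip both.
            if "\\" not in path or "%" in path:
                continue
            if not exists(path):
                findings.append({"key": key, "value": name,
                                 "missing": path, "command": cmd})
    return findings

if __name__ == "__main__":
    # Constructed stand-in for the disk so the demo gives the same result anywhere.
    on_disk = {r"c:\program files\exampleav\tray.exe", r"c:\windows\system32\ctfmon.exe"}
    for f in find_orphans(SAMPLE, lambda p: p.lower() in on_disk):
        print(f'{f["key"]}\\{f["value"]} -> missing {f["missing"]}')
```

On the affected machine, pass the saved `reg query` output and leave `exists` at its default so the real disk is checked. Run keys are only one of the startup locations Autoruns lists, so an empty result here does not rule out an orphaned entry elsewhere.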



