IE opens extra windows- how do I make it stop?

Hello everyone.

I am having problems with my sister's computer (it runs XP).
About a week ago, it got infected with Antivirus System Pro. While the instructions on this site failed to remove it (the "kill" program didn't work, and a lot of the files were named differently) I was able to remove it manually. (I can give some of the names of the files if it would help, but I didn't write them all down...)

However, I have either missed something or I did something wrong, because now it is giving me a new problem. When I am using IE and tell it to go to a new page, IE will automatically open 3 or 4 new windows. They are usually going to my homepage rather than being "hijacked" to some other website, but it is REALLY annoying. The window I am trying to use works correctly... it is just the extra ones that keep popping up that are problematic.

Does anyone know what I did wrong and how to fix it?

Thanks!
Mclinda

Welcome to BC


We Need to check for Rootkits with RootRepeal

• Download RootRepeal from the following location and save it to your desktop.
  • Direct Download (Recommended)
    • Primary Mirror
    • Secondary Mirror
    • Secondary Mirror
    • Secondary Mirror
  • Zip Mirrors (Recommended if you have a slower connection or if the Direct Download mirror is down)
    
    • Primary Mirror
    • Secondary Mirror
    • Secondary Mirror
  • Rar Mirrors - Only if you know what a RAR is and can extract it.
    
    • Primary Mirror
    • Secondary Mirror
    • Secondary Mirror
• Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
• Open on your desktop.
• Click the tab.
• Click the button.
• Check all seven boxes:
• Push Ok
• Check the box for your main system drive (Usually C:), and press Ok.
• Allow RootRepeal to run a scan of your system. This may take some time.
• Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

===========================


Please download Win32kDiag.exe by AD and save it to your desktop.
alternate download 1
alternate download 2

• This tool will create a diagnostic report
• Double-click on Win32kDiag.exe to run and let it finish.
• When it states Finished! Press any key to exit..., press any key on your keyboard to close the program.
• A file called Win32kDiag.txt should be created on your Desktop.
• Open that file in Notepad and copy/paste the entire contents (from Starting up... to Finished! Press any key to exit...) in your next reply.

--------------------------------------


Go to > Run..., then copy and paste this command into the open box: cmd
Click OK.
At the command prompt C:\>, copy and paste the following command and press Enter:

DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt

A file called log.txt should be created on your Desktop.
Open that file and copy/paste the contents in your next reply.

Sorry that took a while... I was not at my sister's computer until this weekend.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/13 11:43
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9C16A000 Size: 49152 File Visible: No Signed: -
Status: -

Name: uphcleanhlp.sys
Image Path: C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
Address: 0x9CF5E000 Size: 8960 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\RootRepeal report 12-13-09 (11-43-03).txt
Status: Visible to the Windows API, but not on disk.

Path: C:\Program Files\games\Cubis Gold\CUBISG~1.EXE:{E946BA92-FC81-0103-F8AB-DC56DE9D7B30}
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{9BF7186B-B058-4A97-A90E-9052C52AB95E}\RP4\A0000606.exe:{E46DA982-DB3E-E860-A957-CA816569B878}
Status: Visible to the Windows API, but not on disk.

Path: c:\documents and settings\rebecca rogers\local settings\temp\me_imptnhmdkkluyey
Status: Allocation size mismatch (API: 4096, Raw: 0)

SSDT
-------------------
#: 263 Function Name: NtUnloadKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\uphcleanhlp.sys" at address 0x9cf5e6d0

==EOF==

Running from: C:\Documents and Settings\Rebecca Rogers\My Documents\Downloads\Win32kDiag.exe

Log file at : C:\Documents and Settings\Rebecca Rogers\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!

Volume in drive C has no label.
Volume Serial Number is 4414-7101

Directory of C:\WINDOWS\system32

04/14/2008 04:42 AM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

04/14/2008 04:42 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

04/14/2008 04:41 AM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32\dllcache

04/14/2008 04:42 AM 181,248 scecli.dll

Directory of C:\WINDOWS\system32\dllcache

04/14/2008 04:42 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32\dllcache

04/14/2008 04:41 AM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Total Files Listed:
6 File(s) 1,289,216 bytes
0 Dir(s) 292,153,810,944 bytes free

This is going to take some time to fix


Now that you were successful in creating those logs you need to post them in our HJT forum There they will help you with the removal through some custom scripts and programs that we cannot run here in this forum

First, try to run a DDS / HJT log as outlined in our preparation guide:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

If it won't run, don't worry, just give a brief description and tell them that these logs were all you could get to run successfully

Post them here:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

The HJT team is extremely busy, so be patient and good luck

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/278696/previously-infected-with-antivirus-system-pro-probably-others/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, up to two weeks perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom