
Pop Up Ads, Please Help


9 replies to this topic

#1 Johnhazen

Johnhazen

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:09:04 AM

Posted 24 May 2007 - 09:58 PM

Cannot determine how to rid system of this recurring popup ad problem.

Attached Files





#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:03:04 PM

Posted 25 May 2007 - 04:08 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum Johnhazen :thumbsup:

You've posted this log using Trend Micro HijackThis v2.0.0 (BETA).
As with any BETA software, it's not to be relied on.

Please delete:
C:\My Downloads\HijackThis

Download and install Hijackthis.
This is a self-extracting version which will automatically install HJT to C:\Program Files\Hijackthis by default.
A desktop shortcut can be created during install under 'Select Additional Tasks'.

*************************

Click on Start>Control Panel>Add/Remove Programs.
Uninstall/remove any of the following programs if listed:
Netpumper
Bitroll
Bitgrabber
CiD Help / CiD Manager
Download Plugin for Internet Explorer
Zone Media

This is because they are often bundled with the malware you are dealing with.
Don't worry if none of them are present.
If you removed any of them please restart your pc.

******************************

Download NoLop.exe to your desktop.

* First close any other programs you have running as this will require a reboot.
* Double click NoLop.exe to run it.
* Then click the button labelled "Search and Destroy".
* When scanning is finished you will be prompted to reboot only if infected, click 'OK'.
* Now click the "REBOOT" Button.
* A message should pop up from NoLop; if not, double click the program again and it will finish.
Post the contents of C:\NoLop.log and a new Hijack This log into your next reply.

If you receive the error that mscomctl.ocx or one of its dependencies are not correctly registered, please download this file to your 'System32' folder then rerun the program: http://www.boletrice.com/downloads/mscomctl.ocx

Also post a new Hijackthis log please.

*NOTE*
Please post all your replies directly into this topic, not as attachments, cheers.

#3 Johnhazen


Posted 25 May 2007 - 03:14 PM

Here are the results. Thanks for your help.

Attached Files



#4 RichieUK


Posted 25 May 2007 - 04:25 PM

Please make sure all hidden files are showing:
* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [Five Meet] C:\DOCUME~1\JOHNHA~1\APPLIC~1\UPLOAD~1\obj sixth mode.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Exit Hijackthis.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Find and delete:
C:\DOCUMENTS AND SETTINGS\JOHNHA~1\APPLICATION DATA\UPLOAD <- Folder with name beginning with UPLOAD.....
Restart normally.

Post a new Hijackthis log in your next reply.
Let me know how your pc is running now.
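The HijackThis entries selected for fixing in the post above share two traits: registrations whose file no longer exists, and a Run entry launching from a profile's Application Data folder. The following sketch is an added example, not part of the original post or of HijackThis; the function name `triage` and the Application Data heuristic are assumptions made for illustration.

```python
import re

# Entries copied from the post above.
SAMPLE_LOG = r"""O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [Five Meet] C:\DOCUME~1\JOHNHA~1\APPLIC~1\UPLOAD~1\obj sixth mode.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Assumed heuristic: an autorun whose target sits under a profile's
# Application Data folder (long or 8.3 short name) deserves a closer look.
APPDATA_RE = re.compile(
    r"\\(?:DOCUME~\d|Documents and Settings)\\[^\\]+\\(?:APPLIC~\d|Application Data)\\",
    re.IGNORECASE,
)
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def triage(log_text):
    """Return one dict per HijackThis entry with the reasons it stands out."""
    findings = []
    for raw in log_text.splitlines():
        match = SECTION_RE.match(raw.strip())
        if not match:
            continue  # log header, blank lines, running-process list
        section, body = match["section"], match["body"]
        reasons = []
        if body.endswith(ORPHAN_MARKERS):
            reasons.append("orphaned")  # registration points at a missing file
        if section == "O4" and APPDATA_RE.search(body):
            reasons.append("autorun-from-appdata")
        clsid = CLSID_RE.search(body)
        findings.append({
            "section": section,
            "clsid": clsid.group(0) if clsid else None,
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["section"], f["clsid"], ", ".join(f["reasons"]) or "no flag")
```

A flag here is a prompt to look at the entry, not a verdict; an orphaned entry can also be left behind by a cleanly uninstalled program.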

#5 Johnhazen


Posted 29 May 2007 - 07:15 PM

Pop up ads seem to be gone. Thank you very much. Attached is new hijack log requested. I am not sure how I am getting this infection, but seems to be the same one I had a while back. Any ideas on how to avoid this?

Attached Files



#6 RichieUK


Posted 30 May 2007 - 03:47 AM

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop.

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


Also post a new Hijackthis log please.

Post all your replies directly into this topic, not as attachments, thank you.

#7 Johnhazen


Posted 30 May 2007 - 09:23 PM

combofix log

Attached Files



#8 RichieUK


Posted 31 May 2007 - 06:18 AM

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL the following bold blue text in the Quote box below:

Folders to delete:
C:\DOCUME~1\ALLUSE~1\APPLIC~1\coalamenjumpbody

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.

******************************

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.reg to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge it into the registry, then reboot.

REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Five Meet"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Five Meet]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jump body this pop]

Restart your pc.
Post the Avenger output.txt, and a new Hijackthis log into your next reply.
Let me know how your pc is running now.
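The fix.reg in the post above uses the two deletion forms of the .reg format: `"Name"=-` removes a single value under the preceding key, while `[-KEY]` removes the whole key with everything beneath it. The following dry-run parser is an added example, not part of the original post; the function name `plan_reg_changes` is hypothetical, and it handles single-line entries only.

```python
import re

# The fix.reg body copied from the post above.
FIX_REG = r'''REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Five Meet"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Five Meet]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jump body this pop]
'''

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def plan_reg_changes(text):
    """List (action, key, value_name) tuples a .reg file would apply.

    Nothing is written to the registry; this only reports the plan so a
    script can be reviewed before it is merged.
    """
    lines = [ln.strip() for ln in text.splitlines()
             if ln.strip() and not ln.lstrip().startswith(";")]
    if not lines or lines[0] not in HEADERS:
        raise ValueError("missing .reg header line")
    ops, current_key = [], None
    for ln in lines[1:]:
        key = KEY_RE.match(ln)
        if key:
            if key["delete"]:
                # [-KEY]: the key and all of its subkeys and values go.
                ops.append(("delete_key", key["key"], None))
                current_key = None
            else:
                current_key = key["key"]
            continue
        value = VALUE_RE.match(ln)
        if not value or current_key is None:
            raise ValueError(f"unsupported line: {ln!r}")
        name = "(Default)" if value["default"] else value["name"]
        # "Name"=- deletes just that value; anything else sets it.
        action = "delete_value" if value["data"] == "-" else "set_value"
        ops.append((action, current_key, name))
    return ops


if __name__ == "__main__":
    for action, key, name in plan_reg_changes(FIX_REG):
        print(action, key, name or "")
```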


#9 Johnhazen


Posted 31 May 2007 - 07:49 PM

Could not find avenger log file but hijackthis log file is attached. Avenger seemed to run to completion, but did not create log file in location specified. I have uploaded the avenger.txt file for documentation.

Attached Files



#10 RichieUK


Posted 31 May 2007 - 08:07 PM

Your log is clean :thumbsup:
If all's ok, please do the following:

Find and delete:
NoLop.exe
Combofix
Avenger
fix.reg

C:\NoLop.log
C:\QooBox
C:\Avenger

* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading unselect 'Show hidden files and folders'.
* Re-check the 'Hide file extensions for known types' option.
* Re-check the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description\name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html