My computer got nuked.

UffDa

I posted this on W&C and got some good answers, but so far none of them has fixed the problem. It was suggested that I post my problem here.

So I don't have to retype everything, here's the link.
http://www.bladeforums.com/forums/showthread.php?t=549742

I was hit with multiple malware. Downloaders, trojans, the works. I ran various virus scans and malware removers and right now the computer seems to be clean, but I still have a problem. Maybe the symptoms will tell someone what's going on.

If I run IE, it gets redirected to other websites. They are not malicious sites, stuff like sports and products for sale. If I run Firefox, IE will load by itself and popup over Firefox. I can usually just close IE and it goes away. I was going to try to delete IE, but Firefox told me not to. It's very annoying. Any ideas would be appreciated.
 
It sounds like you do still have some kind of a dialer or other trojanie thing.

This may have been covered, but do you have the option to simply wipe the computer and reload windows?

If you have things backed up, I'd say this would be the absolute easiest thing to do; many computers have a complete "system restore" that wipes the entire hard drive and moves Windows to a new location, thus making it very, very difficult for badware to reappear.

Post a thread on Castlecops.com and the guys there will help you very thoroughly.
 
Uffda, did you try that link I posted in the Cove for the other guy who had unsafe internet encounters? It worked for him and me.
 
Why don't you back up your important data, format the Windows partition, and make a clean install?
Sometimes Windows gets so f&*(d up that it's not worth trying to repair it.

If you don't want to do that, well, uninstall all the programs that give you problems, run an adware scanner like Ad-Aware and some registry clean-up tools, and install your IE or Mozilla again, whatever you choose.
Also delete everything in all your temporary dirs, like windows/temp and documents and settings/user/local settings.
Do all the deleting while in safe mode.
Anyway, I would do a clean install; it takes little time compared to trying to clean it yourself.
Good luck.
 
I would love to be able to just format my disk and be done with it, but I don't have the Windows XP CD. My laptop is running XP Professional. If I knew how, I would transfer the whole system to my desktop that's having the problem.

What I find interesting and frustrating is that running different scanners shows different results. I used AVG for about a year. It worked fine until a few days ago. I tried Kaspersky, but I couldn't get it to scan. I now have A-squared running and it shows my computer to be clean, but I'm still having the pop up problem. Just for the heck of it, I downloaded Stopzilla and did a complete scan. It shows 52 trojans, highjackers, downloaders and other nasty stuff. Of course, it won't delete them unless I buy the program.:(

At various times I tried Spybot. It sucked. So did PC Tools. I paid for PC Tools and started having problems. Their customer service is non-existent.

When I have a day to mess with it, I will go through all the procedures shown on the various geek sites.
 
A lot of times when malware / spyware / viruses etc. get past your antivirus, they disable anti-virus scanners (i.e. not allow accurate scanning), so while the anti-virus reports no virus / spyware / malware found, it is still present. The fact that IE is popping up when you launch Firefox is an indication that you are still bugged. The best way to get rid of it is to format and reinstall Windows. As for the CD, if you do not know someone with a CD you can borrow, Microsoft does offer replacement CDs for a price: http://support.microsoft.com/kb/326246

Good luck =)
 
I don't know if you've done this already:

1. Have you checked your list of installed programs? Control Panel>Add/Remove Programs. I'd go down the list and see if something is there that you didn't install or is not part of the operating system. Most of the time malicious programs can be uninstalled from here using safe mode.

2. May I suggest installing and running PrcView (Process Viewer). It will list everything that is running on your computer as well as its location.
http://www.download.com/PrcView/3000-2086_4-10025832.html?tag=lst-1
You will see the majority of the list are legitimate processes, but you may be able to pinpoint something malicious. If you don't know what the process/program is, typing the file name (i.e. wuauclt.exe) into Google usually brings up bits that let you know if the program is safe/ok.

As always, before you delete/modify anything I'd backup any important data. This is just what I would do. Hope this helped.
 
Here's the Hijackthis log. Does it tell anyone anything?:confused:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:02:15 AM, on 4/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\Webshots\Webshots.scr
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://multi-pops.com/adsDirect.php?cid=6819502&id=adoffer&sid=70303
O2 - BHO: SITEguard BHO - {1827766b-9f49-4854-8034-f6ee26fcb1ec} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: STOPzilla Browser Helper Object - {e3215f20-3212-11d6-9f8b-00d0b743919d} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Webshots Photo Search - res://C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O11 - Options group: [international] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://www.tenebril.com/assets/activeX/SpywareScannerV2.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5128/mcfscan.cab
O23 - Service: a-squared Anti-Malware Service (a2antimalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8083 bytes
 
merijn.org recommends that you fix those "O10" entries using http://www.cexx.org/lspfix.htm. STOPzilla is a legitimate anti-spyware program, but apparently this sort of software doesn't play nice sometimes.

The solution above should work but personally I think I'd remove stopzilla entirely (the program, not just those O10 entries) and then run hijackthis again. This in itself will not fix your problem, however. I forget, have you found any virus/trojan with any a/v program other than AVG?
Other than the O10 entries, the list looks pretty good, really. You can go to the HijackThis log tutorial to make sure, though. It is kind of a pita, but you could perhaps find something that I missed.
edit: I'd delete that "multi-pops.com" R1 entry as well. That just might be the cause of your IE redirect issues and, even if not, it will not hurt anything to delete it.
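The two entry types the replies single out (R0/R1 browser URLs pointing somewhere unexpected, and repeated O10 "Unknown file in Winsock LSP" lines) can be triaged mechanically. This is an added example, not code from the thread or from HijackThis; the sample lines are copied from the log above, and the set of "expected" hosts is an assumption you would adjust for your own machine.

```python
import re
from urllib.parse import urlparse

# Constructed sample: entry lines of the kinds shown in the thread's HijackThis log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://multi-pops.com/adsDirect.php?cid=6819502&id=adoffer&sid=70303
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
"""

# Assumption: hosts the OS and OEM image are expected to set as defaults.
EXPECTED_HOSTS = {"go.microsoft.com", "www.dell4me.com"}

# Every HijackThis entry starts with a section code such as R1, O4 or O23.
LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Return (code, body) tuples for every HijackThis entry line in text."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(text):
    """Flag R-entries whose URL host is not expected and summarise O10 LSP entries.

    Returns (reason, detail) pairs. Duplicate O10 lines for the same DLL are
    reported once with a count, which is what an LSPfix-style review looks for."""
    findings = []
    lsp_seen = {}
    for code, body in parse_hjt(text):
        if code in ("R0", "R1"):
            _, _, url = body.partition(" = ")
            host = urlparse(url.strip()).hostname  # None for empty values
            if host and host not in EXPECTED_HOSTS:
                findings.append(("browser URL points to unexpected host " + host, body))
        elif code == "O10":
            path = body.split(":", 1)[1].strip().lower()
            lsp_seen[path] = lsp_seen.get(path, 0) + 1
    for path, n in lsp_seen.items():
        findings.append((f"unknown Winsock LSP entry seen {n} time(s)", path))
    return findings
```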
 
I ran all manner of anti-malware stuff, but going through the ones on the site zen suggested is what fixed mine. Specifically, doing them exactly the way they tell you to. Each program found different parts of the bug and killed it. My problem was that the thing would go out on the internet and re-download itself. One step of the procedure involved killing the interwebz so that one particular cleaner could get rid of the auto-downloader thingy.
 
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://multi-pops.com/adsDirect.php?...ffer&sid=70303

Is this one line here really suspicious, or is it just me?
I'd go through roughedge's tutorial... I can't remember what I did to get rid of my malware, actually, but I remember it was through merijn's homepage.

Yeah, it is. That multi-pops.com link, in the internet start/search page URLs category, leads me to believe that it is quite likely the cause of the redirect issues Uffda is still experiencing. Delete it and the problem just might disappear.
 
In all seriousness though, I'm sorry to hear about your current dilemma. It's happened to me more times than I care to admit. :(

Good Luck:)
 
Reformat once a year. Save your information to an external HD and obliterate the internal drive to factory order.
 