Hello and welcome to TSF
I would recommend that you Subscribe to this thread so you are notified of any replies via email. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.
Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.
Viewing Hidden Files
Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.
Downloads (make sure to save these in a permanent location)
Findlop by Metallica. Unzip it to your desktop.
smitRem.exe - Run it and extract it to its own folder on the Desktop.
Ewido Security Suite - Install Ewido Security Suite
- When installing, under "Additional Options" uncheck:
- Install background guard
- Install scan via context menu
- Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
- On the left hand side of the main screen click update.
- Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
When you have finished updating, EXIT Ewido.
Ad-aware - Install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also download the VX2 plugin to download the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware -> Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware as described on this page for better scan results.
Do not run it yet.
Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).
Add/Remove
Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:
Messenger Plus - this program contains a 'sponsor' program. Please uninstall Messenger Plus and reinstall it back but without the sponsor.
HijackThis!
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any):
O2 - BHO: HomepageBHO - {3e9b951e-6f72-431b-82cf-4a9fbf2f53bc} - C:\WINDOWS\system32\hpADFA.tmp
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [DupeBaseFastMeow] C:\Documents and Settings\All Users.WINDOWS\Application Data\Bold keep dupe base\dale long.exe
O4 - HKCU\..\Run: [Soap byte] C:\DOCUME~1\Daryll\APPLIC~1\JUNKEG~1\dentaxis.exe
Please remember to close all other windows, including browsers then click Fix checked.
File and Folder Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Bold keep dupe base
C:\DOCUME~1\Daryll\APPLIC~1\JUNKEG~1 <<<~1 means that it is the first folder alphabetically beginning with that string.
Tools
Open Ad-aware, run a scan and clean everything it finds.
Run Ewido with its updated definitions: (...it's important that all windows must be closed)
- Click Scanner
- Click Complete System Scan to begin scanning.
- Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
- "Perform action on all infections"
- Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop.
** This scan may take over an hour, after choosing the action for the first item you do not need to stay at the PC.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.
Next go to Control Panel, click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.
Double click findlop.bat. It will open a notepad file.
Copy the content of that file and paste it here in your reply.
Reboot your system in Normal Mode.
Online Scans
Perform an online scan with Internet Explorer with Panda ActiveScan
- Click on "Free use ActiveScan" located on the top right hand corner
- Click Scan your PC & a 'pop up' window shall appear. *Ensure that your pop up blocker doesn't block it
- Click Scan Now
- Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls
Begin the scan by selecting My Computer
- If it finds any malware, it will offer you a report.
- Click on see report. Then click Save report
Post the contents of the report in your next reply
*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan
In your next post please include:
- Findlop Log
- Ewido Log
- Smitfiles.txt
- Panda Activescan Log
- A new Hijackthis! Log
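
Added example, not part of the original post and not HijackThis's own code: a small Python parser for the O2 (BHO) and O4 (Run key) lines quoted in the post, with three triage checks. The checks and all names (`Entry`, `parse`, `review_flags`) are assumptions of this example, meant to show why entries like these stand out when reading a log.

```python
import re
from typing import NamedTuple, Optional

# The four entries exactly as quoted in the post above.
SAMPLE_LOG = r"""
O2 - BHO: HomepageBHO - {3e9b951e-6f72-431b-82cf-4a9fbf2f53bc} - C:\WINDOWS\system32\hpADFA.tmp
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [DupeBaseFastMeow] C:\Documents and Settings\All Users.WINDOWS\Application Data\Bold keep dupe base\dale long.exe
O4 - HKCU\..\Run: [Soap byte] C:\DOCUME~1\Daryll\APPLIC~1\JUNKEG~1\dentaxis.exe
"""

class Entry(NamedTuple):
    section: str             # "O2" (browser helper object) or "O4" (autostart)
    name: str                # BHO name or Run value name
    clsid: Optional[str]     # only for O2
    hive: Optional[str]      # "HKLM" or "HKCU", only for O4
    target: str              # file the entry loads

BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.+)$")
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<target>.+)$")

def parse(log: str) -> list[Entry]:
    """Turn O2/O4 log lines into structured entries; other lines are skipped."""
    entries = []
    for line in map(str.strip, log.splitlines()):
        if m := BHO_RE.match(line):
            entries.append(Entry("O2", m["name"], m["clsid"], None, m["target"]))
        elif m := RUN_RE.match(line):
            entries.append(Entry("O4", m["name"], None, m["hive"], m["target"]))
    return entries

def review_flags(e: Entry) -> list[str]:
    """Triage hints (assumed heuristics): reasons to look closer, not verdicts."""
    t = e.target.lower()
    flags = []
    if "\\application data\\" in t or "\\applic~1\\" in t:
        flags.append("runs from a profile Application Data folder")
    if e.section == "O2" and not t.endswith(".dll"):
        flags.append("BHO module is not a .dll")
    if "\\" not in t:
        flags.append("no full path given")
    return flags

if __name__ == "__main__":
    for entry in parse(SAMPLE_LOG):
        print(entry.section, entry.name, "->", review_flags(entry))
```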