I still have Popup Problems

malwarebyte · October 26, 2009

I keep getting these pop ups, on internet explorer (but i use firefox). I thought i had a virus so i scanned my computer with MBAM but found nothing.

I took note of some of the pop ups:

hxxp://skill2thrill.com/pages/Default.aspx...filiateid=afunz

hxxp://www.skill2thrill.com/pages/Default....filiateid=afunz

hxxp://www.webperspectives.ca/index.php?id...mp;partner=8543

hxxp://www.cotedazurpalace.com/

MALWAREBYTES ANTI-MALWARE LOG

Malwarebytes' Anti-Malware 1.41

Database version: 3037

Windows 5.1.2600 Service Pack 3

10/26/2009 5:21:18 PM

mbam-log-2009-10-26 (17-21-18).txt

Scan type: Quick Scan

Objects scanned: 109731

Time elapsed: 5 minute(s), 19 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

TREND MICRO HIJACKTHIS LOG

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:27:29 PM, on 10/26/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\MessengerPlus! 3\MsgPlus.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Orbitdownloader\orbitdm.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Program Files\Orbitdownloader\orbitnet.exe

C:\WINDOWS\system32\devldr32.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\WINDOWS\system32\mfevtps.exe

C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll

O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL

O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\Program Files\FlashGet\jccatch.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL

O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll

O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"

O4 - HKLM\..\Run: [Amok Eggs Four Web] C:\Documents and Settings\All Users\Application Data\part dead amok eggs\PLATFORM POP.exe

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [clockjump] C:\DOCUME~1\LOCALS~1\APPLIC~1\stopfind\Ace Flap.exe

O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe (file missing)

O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe

O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--

End of file - 9822 bytes

miekiemoes · October 27, 2009

Hi,

It's your Messenger plus responsible here.... you have installed it with the sponsor, which is responsible for these popups.

Go to start > controlpanel > software > add/remove programs and look if you have one or more of next programs installed and uninstall them:

Messenger Plus! Live & Sponsor (CiD)

Messenger Plus or Messenger Plus and Client

This because they are bundled with the malware you are dealing with (swizzor aka lop).

This will uninstall the malware application.

In case, during uninstall, when asked for the uninstall Verification, please enter the numbers that will appear in the window.

In case it says that the file was not found, doublecheck again if you entered the exact command. If still the same, proceed with next steps.

In case you can't find them,

* Go to start > run and copy and paste next command below in the field:

(Please make sure you copy and paste it exactly as you'll find below)

"C:\DOCUME~1\LOCALS~1\APPLIC~1\stopfind\Ace Flap.exe" -uninstall

Hit enter.

Then reboot. Important!

After reboot,

* Download Deljob.exe and save it on your desktop.

Doubleclick Deljob.exe.

A log, (logit.txt) should open afterwards. This log will be present on your desktop

Post the contents of the logfile in your next reply together with a new Hijackthislog.

Extra note, please don't reinstall Messenger Plus in a meanwhile again. If you want to install it again, please make sure that, during install you UNCHECK to install the sponsor.

But please wait to install till we are done here.

malwarebyte · October 28, 2009

Thank You For Your Help

LOGIT.TXT

--------------------------------------------------------

Backups created in C:\deljob

AA8FA25A91205D5E.job

--------------------------------------------------------

Files in Windows Tasks folder

1-Click Maintenance.job

AppleSoftwareUpdate.job

Malwarebytes' Scheduled Update for User.job

--------------------------------------------------------

Export App Data folders

--------------------------------------------------------

Volume in drive C has no label.

Volume Serial Number is 2480-FAEC

Directory of C:\Documents and Settings\User\Application Data

10/23/2009 07:47 AM <DIR> .

10/23/2009 07:47 AM <DIR> ..

08/15/2009 06:39 PM <DIR> Adobe

09/26/2009 06:24 PM <DIR> APPLEC~1 Apple Computer

08/17/2009 07:47 AM <DIR> DivX

08/17/2009 06:59 AM <DIR> FROSTW~1 FrostWire

10/20/2009 07:09 PM <DIR> GrabPro

10/11/2009 11:18 PM <DIR> HP

08/12/2009 11:36 AM <DIR> IDENTI~1 Identities

10/20/2009 09:45 PM <DIR> LimeWire

08/14/2009 02:52 PM <DIR> MACROM~1 Macromedia

10/01/2009 09:43 PM <DIR> MALWAR~1 Malwarebytes

10/20/2009 06:49 PM <DIR> MICROS~1 Microsoft

09/03/2009 05:05 AM <DIR> Mozilla

08/17/2009 06:49 AM <DIR> Nero

10/26/2009 05:38 PM <DIR> Orbit

10/17/2009 09:47 PM <DIR> Real

10/20/2009 06:39 PM <DIR> stopfind

08/11/2009 11:30 PM <DIR> Sun

10/18/2009 12:11 PM <DIR> SYSTEM~1 SystemRequirementsLab

08/26/2009 01:50 PM <DIR> TUNEUP~1 TuneUp Software

10/24/2009 11:43 PM <DIR> uTorrent

08/27/2009 05:02 PM <DIR> Vso

0 File(s) 0 bytes

23 Dir(s) 47,766,388,736 bytes free

Volume in drive C has no label.

Volume Serial Number is 2480-FAEC

Directory of C:\Documents and Settings\All Users\Application Data

10/23/2009 07:43 AM <DIR> .

10/23/2009 07:43 AM <DIR> ..

08/17/2009 12:07 AM <DIR> Adobe

09/26/2009 06:19 PM <DIR> Apple

09/26/2009 06:21 PM <DIR> APPLEC~1 Apple Computer

10/24/2009 09:00 PM <DIR> Avira

10/01/2009 09:43 PM <DIR> MALWAR~1 Malwarebytes

10/23/2009 04:20 AM <DIR> McAfee

10/20/2009 06:47 PM <DIR> MICROS~1 Microsoft

10/22/2009 04:29 PM <DIR> MICROS~2 Microsoft Help

08/16/2009 10:00 PM <DIR> Nero

10/10/2009 12:53 AM <DIR> Norton

10/10/2009 12:44 AM <DIR> NORTON~1 NortonInstaller

10/18/2009 12:20 PM <DIR> NVIDIA~1 NVIDIA Corporation

10/20/2009 06:39 PM <DIR> PARTDE~1 part dead amok eggs

08/11/2009 11:31 PM <DIR> Real

09/10/2009 07:48 PM <DIR> Sonic

10/10/2009 12:44 AM <DIR> Symantec

08/16/2009 10:31 PM <DIR> TUNEUP~1 TuneUp Software

08/27/2009 04:54 PM <DIR> vsosdk

08/12/2009 08:12 PM <DIR> WINDOW~1 Windows Genuine Advantage

09/26/2009 06:22 PM <DIR> {755AC~1 {755AC846-7372-4AC8-8550-C52491DAA8BD}

0 File(s) 0 bytes

22 Dir(s) 47,766,388,736 bytes free

--------------------------------------------------------

All User Accounts

--------------------------------------------------------

Admin

All Users

Parent

User

--------------------------------------------------------

TREND MICRO HIJACKTHIS LOG

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:52:40 PM, on 10/27/2009