
Popup Pages a Plague!


A320


Hi there Malware experts!

In the last week, my laptop has been plagued with a Malware virus. The symptoms are continual opening of browser (IE) pages advertising all sorts of rubbish. I have downloaded your excellent product and have run a full scan twice. The first time the software showed a number (5) of infections that were cleaned. Unfortunately the problem continues.

I have today run another full scan, with a clean result. Again, the popups continue. I have run the latest anti-virus programme (CA), and also Ad-Aware and Spybot, all to no avail.

I'm now pleading for some assistance, so have run the software you request, and attached it for review.

I would be extremely pleased to be rid of this virus. Thanks for taking a look.

DDS (Ver_09-12-01.01) - NTFSx86

Run by Philip and Jacqui at 16:29:53.56 on Mon 25/01/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.293 [GMT 13:00]

AV: CA Anti-Virus *On-access scanning enabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

svchost.exe

svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\slserv.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\mHotkey.exe

C:\Program Files\Elantech\Ktp.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe

C:\Program Files\CA\CA Internet Security Suite\casc.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Documents and Settings\Philip and Jacqui\Application Data\Microsoft\Update.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe

C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Documents and Settings\Philip and Jacqui\Desktop\Defogger.exe

C:\Documents and Settings\Philip and Jacqui\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Philip and Jacqui\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Philip and Jacqui\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Philip and Jacqui\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Philip and Jacqui\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Philip and Jacqui\My Documents\Downloads\dds.scr

C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uStart Page = hxxp://nz.yahoo.com/

uInternet Connection Wizard,ShellNext = iexplore

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll

BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll

TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

TB: {C11483F7-D7D8-4804-98D8-6055470BB989} - No File

uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe

uRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\MMonitor.exe" -NoStart

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [Google Update] "c:\documents and settings\philip and jacqui\local settings\application data\google\update\GoogleUpdate.exe" /c

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe

mRun: [CHotkey] mHotkey.exe

mRun: [KTPWare] c:\program files\elantech\Ktp.exe

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [intelZeroConfig] c:\program files\intel\wireless\bin\ZCfgSvc.exe

mRun: [intelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless

mRun: [EOUApp] c:\program files\intel\wireless\bin\EOUWiz.exe

mRun: [cctray] c:\program files\ca\ca internet security suite\casc.exe

mRun: [CAVRID] "c:\program files\ca\ca internet security suite\ca anti-virus\CAVRID.exe"

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [starUpdater]

mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe

mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"

mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [update] c:\documents and settings\philip and jacqui\application data\microsoft\Update.exe

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony corporation\picture package\picture package menu\SonyTray.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

LSP: c:\windows\system32\VetRedir.dll

DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/hamsterball/raptisoftgameloader.cab

DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab

DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/authorware/awswaxd.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab

DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-NZ/a-UNO1/GAME_UNO1.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128378621561

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140649777734

DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://www3.ca.com/securityadvisor/virusinfo/webscan.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab

Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll

Notify: PFW - UmxWnp.Dll

Hosts: 127.0.0.1 www.spywareinfo.com

Hosts: 10.1.1.3 HP000D9D041787

============= SERVICES / DRIVERS ===============

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2009-1-5 107512]

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-16 64160]

R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2008-11-18 72696]

R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2009-4-23 26352]

R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2009-4-23 21104]

R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\vetefile.sys [2009-4-23 739696]

R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\vetfddnt.sys [2009-4-23 21488]

R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2009-4-23 161008]

R2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus\isafe.exe [2007-5-11 144696]

R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\ca\ca internet security suite\ccschedulersvc.exe [2009-4-23 128240]

R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2008-12-12 205304]

R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\veteboot.sys [2009-4-23 133520]

S3 Slazldrv;SmartLink AMR_PCI Driver;c:\windows\system32\drivers\sldrv\slazldrv.sys [2005-8-16 230448]

=============== Created Last 30 ================

2010-01-25 03:12:28 0 ----a-w- c:\documents and settings\philip and jacqui\defogger_reenable

2010-01-24 08:00:59 0 d-----w- c:\docume~1\philip~1\applic~1\Malwarebytes

2010-01-24 08:00:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-24 08:00:48 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-01-24 08:00:42 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-24 08:00:41 0 d-----w- C:\Malwarebytes' Anti-Malware

2010-01-24 04:24:39 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

2010-01-10 07:25:25 0 dc-h--w- c:\windows\ie8

2010-01-09 21:45:51 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}

==================== Find3M ====================

2009-12-28 02:27:01 39 ----a-w- c:\documents and settings\philip and jacqui\jagex_runescape_preferences.dat

2009-12-28 02:15:53 69 ----a-w- c:\documents and settings\philip and jacqui\jagex_runescape_preferences2.dat

2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll

2009-12-08 21:26:54 98304 ----a-w- c:\windows\system32\CmdLineExt.dll

2009-11-26 19:41:17 111856 ----a-w- c:\windows\system32\isafprod.dll

2009-11-04 07:10:55 36824 ---ha-w- c:\windows\system32\mlfcache.dat

2008-05-27 21:36:50 87400 ----a-w- c:\program files\UnHyCam2.exe

2008-05-27 21:36:48 882000 ----a-w- c:\program files\HyCam2.exe

2008-05-22 23:08:30 3271 ----a-w- c:\program files\agreement.txt

2007-12-19 01:46:57 114549 ----a-w- c:\program files\HyCam2.chm

2007-10-22 03:09:39 106496 ----a-w- c:\program files\CamRes2.dll

2007-09-27 02:31:44 5272 ----a-w- c:\program files\HyCam2.tlb

2007-08-11 06:15:12 57344 ----a-w- c:\program files\MClick2.dll

2004-05-05 00:57:28 2018 ----a-w- c:\program files\readme.txt

2004-04-16 02:07:26 675 ----a-w- c:\program files\HyCam2.cnt

1999-06-23 23:49:50 421 ----a-w- c:\program files\8-44100u.wav

1999-06-23 23:49:16 587 ----a-w- c:\program files\8-44100d.wav

1999-06-23 23:47:52 225 ----a-w- c:\program files\8-22050u.wav

1999-06-23 23:47:28 317 ----a-w- c:\program files\8-22050d.wav

1999-06-23 23:46:30 135 ----a-w- c:\program files\8-11025u.wav

1999-06-23 23:46:04 183 ----a-w- c:\program files\8-11025d.wav

1999-06-23 23:44:02 127 ----a-w- c:\program files\8-8000u.wav

1999-06-23 23:43:36 151 ----a-w- c:\program files\8-8000d.wav

1999-06-23 23:41:20 220 ----a-w- c:\program files\16-8000u.wav

1999-06-23 23:40:52 260 ----a-w- c:\program files\16-8000d.wav

1999-06-23 23:38:30 956 ----a-w- c:\program files\16-44100u.wav

1999-06-23 23:37:56 1186 ----a-w- c:\program files\16-44100d.wav

1999-06-23 23:34:48 442 ----a-w- c:\program files\16-22050u.wav

1999-06-23 23:34:12 652 ----a-w- c:\program files\16-22050d.wav

1999-06-23 22:54:34 340 ----a-w- c:\program files\16-11025d.wav

1999-06-23 22:50:14 326 ----a-w- c:\program files\16-11025u.wav

2008-10-29 19:35:30 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008103020081031\index.dat

============= FINISH: 16:33:50.67 ===============

Attach.zip


  • Staff

Hi,

* Please download the Suspicious File Packer from here:

http://www.safer-networking.org/files/sfp.zip

Unzip it to the desktop and run it.

Paste the following bold part into the Suspicious File Packer window:

c:\documents and settings\philip and jacqui\application data\microsoft\Update.exe

Allow SFP to pack the file. This will generate a CAB archive on your desktop.

Go to this page.

Enter the url of this thread in the first field.

Where it says "browse to the file that you want to submit", click the browse button next to the second field and browse to the CAB archive that was created on your desktop.

The cab file will be called requested-files[*].cab (the * stands for the date and hour).

Then click the Send File button below.

Let me know once you've sent the file.


  • Staff

Hi,

Thank you for the file. A quick look at it looks like this file is indeed the cause of your problems since it's malware. I'll add detection for it, so a next update should remove it.

Anyway, no need to wait for the update, we can deal with it already.

To do so...

Since you already have Malwarebytes installed, open Malwarebytes and select the tab "More tools".

Click the "Run Tool" button under Fileassassin.

A new window will open. In the filename path, copy and paste:

c:\documents and settings\philip and jacqui\application data\microsoft\Update.exe

Click open next to it.

You should get a message that the file will be deleted and if you want to continue.

Click OK.

If the file is in use, malwarebytes will delete it on reboot, so allow malwarebytes to reboot if it asks to.

Then, open Notepad and copy and paste the text present in the quotebox below into it:

(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Update"=-

Save this as fix.reg (choose to save as "all files") and place it on your desktop.

It should look like this: reg.gif

Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

I see you have both TeaTimer and Ad-Watch enabled. They may interfere with the above registry change, so if either alerts, please ALLOW the change and don't tell it to block, otherwise TeaTimer and/or Ad-Watch will restore what we just removed.

Let me know afterwards if popups have stopped.

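The triage the staff member did by eye above (an executable named like a Microsoft component, running from a user's Application Data folder and wired into the Run key), as an added example written for this thread and not DDS or Malwarebytes code: a Python script that parses a DDS-style report, flags [umd]Run entries whose executable lives under a user-profile data folder or whose command is empty, and reports whether a flagged file is also among the running processes. The sample report is constructed from a few lines of the log in this thread; the heuristics and the allowlist of known per-user installers are my own assumptions.

```python
"""Triage a DDS-style report for autorun entries worth a second look.

Added example, not DDS or Malwarebytes code. Heuristics (assumptions):
  * executable launched from a user-profile data folder (Application Data,
    Local Settings, Temp) rather than Program Files or the Windows tree;
  * Run entry with an empty command (stale autorun);
  * whether a flagged autorun is also present under Running Processes.
Findings are a triage list, not verdicts: per-user installers such as
Google Update legitimately live under Local Settings, hence the allowlist.
"""
import re

# Constructed sample, modelled on a few lines of the DDS log in this thread.
SAMPLE_DDS = """\
============== Running Processes ===============
C:\\WINDOWS\\system32\\svchost.exe -k netsvcs
C:\\Program Files\\Java\\jre6\\bin\\jusched.exe
C:\\Documents and Settings\\Philip and Jacqui\\Application Data\\Microsoft\\Update.exe
C:\\Program Files\\Internet Explorer\\iexplore.exe
============== Pseudo HJT Report ===============
uRun: [MsnMsgr] "c:\\program files\\windows live\\messenger\\msnmsgr.exe" /background
uRun: [Google Update] "c:\\documents and settings\\philip and jacqui\\local settings\\application data\\google\\update\\GoogleUpdate.exe" /c
mRun: [sunJavaUpdateSched] "c:\\program files\\java\\jre6\\bin\\jusched.exe"
mRun: [update] c:\\documents and settings\\philip and jacqui\\application data\\microsoft\\Update.exe
mRun: [starUpdater]
============= FINISH: 16:33:50.67 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
RUN_RE = re.compile(r"^([umd]Run):\s*\[([^\]]*)\]\s*(.*)$")
EXE_RE = re.compile(r'^\s*"?(.*?\.exe)', re.IGNORECASE)
PROFILE_DIR_RE = re.compile(r"\\(application data|local settings|temp)\\")
ALLOWLIST = ("\\google\\chrome\\", "\\google\\update\\")  # known per-user installs

def executable_of(command):
    """Return the lowercased .exe path from a process or Run command line."""
    m = EXE_RE.match(command)
    return m.group(1).lower() if m else ""

def parse_dds(text):
    """Split a DDS report into running-process paths and [umd]Run entries."""
    processes, autoruns, section = set(), [], None
    for line in text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).lower()
        elif not line.strip():
            continue
        elif section == "running processes":
            processes.add(executable_of(line))
        elif section == "pseudo hjt report":
            m = RUN_RE.match(line)
            if m:
                autoruns.append((m.group(1), m.group(2), m.group(3).strip()))
    return processes, autoruns

def triage(text):
    """Return (hive, name, exe, reason, running) for each suspicious autorun."""
    processes, autoruns = parse_dds(text)
    findings = []
    for hive, name, command in autoruns:
        exe = executable_of(command)
        if not command:
            findings.append((hive, name, "", "empty command (stale entry)", False))
        elif PROFILE_DIR_RE.search(exe) and not any(a in exe for a in ALLOWLIST):
            findings.append((hive, name, exe, "runs from user-profile data folder",
                             exe in processes))
    return findings
```

On the sample, `triage(SAMPLE_DDS)` flags the `update` entry (running, from Application Data) and the empty `starUpdater` entry, and leaves the allowlisted Google Update alone.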

Hi there Mieke

All done, and so far, no more popups. So good news. I'm pleased that you can add this virus to your base software, as it is a real headache. A quick question: do you have any idea how this virus found its way aboard the laptop? My kids are certainly all over it (this is a family laptop), and I'd love to be able to suggest to the family how we could stop this happening. I guess there is just so much of this stuff around, it's inevitable that all the virus protection in the world will occasionally not stop this occurring.

Thank goodness for companies and people like you!

I'm about to commission two new laptops here at home, so will ensure your software is aboard ASAP. How long before your next update occurs?

Thanks once again for your assistance Mieke!

Regards Philip


  • Staff

Hi Philip,

I was actually planning to ask you the same if you knew how this one got installed, because this was an uncommon one you were dealing with.

I'm about to commission two new laptops here at home, so will ensure your software is aboard ASAP. How long before your next update occurs?
That update is already in. Malwarebytes updates around 8 times a day, so when I added detection for it, the update was in not even one hour later :D

Glad I could help. :)

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!


Good Morning Mieke

I believe it may have been this website. We purchased a ticket via the website. It was around this time that the trouble began.

www.apieceofnz.co.nz/terms-and-conditions/

Take a look and let me know if you think this may have been the site!

Regards

Philip

