Thread: PCTurboPro hijack

  1. #1
    Junior Member
    Join Date
    Sep 2007
    Posts
    9

    PCTurboPro hijack

    My browser (Firefox) keeps getting unpredictably hijacked by a PCTurboPro popup ad and a redirect to their website.

    SpyScan has turned up nothing, nor AdAware nor TrendMicro antivirus.

    This form won't accept the Kaspersky and HijackThis logs because they're too long, so I'm going to add them as attachments.

  2. #2
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Hi and welcome to the Forums

    OK let's do some research...

    Please run a GMER Rootkit scan:

    Download GMER's application from here:
    http://www.gmer.net/gmer.zip

    Unzip it and start the GMER.exe
    Click the Rootkit tab and click the Scan button.

    Once done, click the Copy button.
    This will copy the results to your clipboard.
    Paste the results in your next reply or attach the file if it is too big.

    Warning! Please do not select the "Show all" checkbox during the scan.
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006

  3. #3
    Junior Member
    Join Date
    Sep 2007
    Posts
    9

    GMER log

    GMER log attached, in 2 parts

  4. #4
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Hi

    Ok nothing bad there...little more research..


    To generate a HijackThis Startup list:

    1. Open HijackThis by double-clicking the desktop shortcut or HijackThis.exe
    2. Click on "Open the Misc Tools Section"
    3. Make sure that both boxes to the right of "Generate StartupList Log" are checked:

    * List also minor sections (Full)
    * List empty sections (Complete)

    4. Click "Generate StartupListLog"
    5. Click "Yes" at the prompt.
    6. A Notepad window will open with the contents of the HijackThis Startup list displayed
    7. Copy & Paste that log to here

  5. #5
    Junior Member
    Join Date
    Sep 2007
    Posts
    9

    HijackThis Startup list log

    Once again, too large to post except as attachments.

    Think I should call an exorcist? :-^)

  6. #6
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Hello

    Are you still getting those popups?
    Do those always appear on some specific site?
    What version of Firefox are you using?


  7. #7
    Junior Member
    Join Date
    Sep 2007
    Posts
    9

    a case of the Popups

    Yes, they're still happening, intermittently. Your question made me wonder "gee did they stop?" since I haven't seen one in a while, but I just managed to elicit one again.

    There is only one site at which I recall having gotten them: Pogo.

    (Why do I hear a "Doctor, it hurts when I do this" joke coming?)

    I'm running Firefox 4.0.0.7.

  8. #8
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Hi again

    "There is only one site at which I recall having gotten them: Pogo."
    Hmm ok it is possible that the site has by mistake allowed a suspicious program to advertise itself. This has happened at some sites. Also as you don't get them at any other sites and your pc looks clean - I don't think that you're infected.

    We may run an additional scanner just to be sure.

    You should print these instructions or save these to a text file. Follow these instructions carefully.

    Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

    Restart your computer to the safe mode:
    • Restart your computer
    • Start tapping the F8 key when the computer restarts.
    • When the start menu opens, choose Safe mode
    • Press Enter. The computer then begins to start in Safe mode.

    Run a scan with Dr.Web CureIt
    • Double-click the drweb-cureit.exe file and allow it to run the express scan
    • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, you should now mark the drives that you want to scan.
    • Select all drives. A red dot shows which drives have been chosen.
    • Click the green arrow at the right, and the scan will start.
    • Click 'Yes to all' if it asks if you want to cure/move the file.
    • When the scan has finished, look if you can click next icon next to the files found
    • If so, click it and then click the next icon right below and select Move incurable
    • After the scan, in the menu, click file and choose save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.
    • Reboot the computer in Normal Mode.
    • Post the Cure-it report and a fresh HijackThis log

  9. #9
    Junior Member
    Join Date
    Sep 2007
    Posts
    9

    Dr. Web Cure-it partial results

    I did run the program on one of my two drives, the system drive. It took hours! And what it tagged included files that I'm pretty sure are not only harmless but necessary, like files for my printer.

    With some hesitation I told the program to move them. But it didn't tell me where it moved them to! I had to search my hard drive to find them.

    Here's the result of scanning the system drive. When I have a few more hours that I don't need my computer I can have it search my secondary drive and then do the Hijack scan as you requested.

    BRFSend2.dll;C:\Program Files\Brother\BRAdmin Professional;Trojan.Proxy.origin;Incurable.Moved.;
    _PREV_GoogleDesktopIndex.exe;C:\Program Files\Google\Google Desktop Search\temp;Probably DLOADER.Trojan;Moved.;
    _PREV_GoogleDesktopSearchSetup.exe\data002;C:\Program Files\Google\Google Desktop Search\temp\_PREV_GoogleDesktopSearchSetup.exe;Probably DLOADER.Trojan;;
    _PREV_GoogleDesktopSearchSetup.exe;C:\Program Files\Google\Google Desktop Search\temp;Archive contains infected objects;Moved.;
    nppopcaploader.dll;C:\Program Files\Mozilla Firefox\plugins;Program.PopcapLoader.origin;Moved.;
    nppopcaploader.dll;C:\Program Files\Netscape\Netscape\plugins;Program.PopcapLoader.origin;Moved.;
    Uninstall.exe;C:\Program Files\PopCap Games\PopCap Browser Plugin;Program.PopcapLoader.origin;Moved.;
    vncconfig.exe;C:\Program Files\RealVNC\VNC4;Program.RemoteAdmin;Moved.;
    vncviewer.exe;C:\Program Files\RealVNC\VNC4;Program.RemoteAdmin;Moved.;
    winvnc4.exe;C:\Program Files\RealVNC\VNC4;Program.RemoteAdmin;Moved.;
    wm_hooks.dll;C:\Program Files\RealVNC\VNC4;Program.RemoteAdmin;Moved.;
    uninstall.exe;C:\Program Files\TrustWatch;Adware.Xbarre;Moved.;
    popcaploader.dll;C:\WINNT\Downloaded Program Files;Program.PopcapLoader;Moved.;
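
A report in the semicolon-separated layout shown above can be grouped by detection type, so that signature hits, heuristic ("Probably ...") hits and dual-use tools are reviewed separately and every moved file is listed with its original location. This is an added example, not part of the original post; the bucket names and the prefix-based grouping are assumptions of the example, not Dr.Web's own classification.

```python
import csv
import io
import ntpath

# Four rows copied from the report posted above (name;folder;detection;action;).
SAMPLE = r"""BRFSend2.dll;C:\Program Files\Brother\BRAdmin Professional;Trojan.Proxy.origin;Incurable.Moved.;
_PREV_GoogleDesktopSearchSetup.exe\data002;C:\Program Files\Google\Google Desktop Search\temp\_PREV_GoogleDesktopSearchSetup.exe;Probably DLOADER.Trojan;;
winvnc4.exe;C:\Program Files\RealVNC\VNC4;Program.RemoteAdmin;Moved.;
uninstall.exe;C:\Program Files\TrustWatch;Adware.Xbarre;Moved.;
"""

def classify(detection):
    """Bucket a detection name (buckets are this example's own heuristic)."""
    if detection.startswith("Probably"):
        return "heuristic"      # not a signature match; confirm before acting
    if detection.startswith("Archive contains"):
        return "container"      # the archive itself, members listed separately
    family = detection.split(".", 1)[0]
    return {"Program": "riskware", "Adware": "adware"}.get(family, "malware")

def parse_report(text):
    """Yield one dict per finding in a semicolon-separated report."""
    rows = csv.reader(io.StringIO(text), delimiter=";", quoting=csv.QUOTE_NONE)
    for row in rows:
        if len(row) < 4 or not row[0]:
            continue  # skip blank or truncated lines
        name, folder, detection, action = (f.strip() for f in row[:4])
        if "\\" in name:
            # "archive.exe\member": the folder field already names the archive
            location = folder + "\\" + name.split("\\", 1)[1]
        else:
            location = ntpath.join(folder, name)
        yield {"location": location, "detection": detection,
               "bucket": classify(detection), "moved": "Moved" in action}

def triage(text):
    """Group findings by bucket so uncertain ones can be reviewed first."""
    groups = {}
    for finding in parse_report(text):
        groups.setdefault(finding["bucket"], []).append(finding)
    return groups

if __name__ == "__main__":
    for bucket, findings in triage(SAMPLE).items():
        for f in findings:
            state = "moved" if f["moved"] else "left in place"
            print(f"{bucket:9} {state:13} {f['detection']:24} {f['location']}")
```
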

  10. #10
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,961


    How is it going, Skipjack?
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
