pop ups - tried everything I know

R

Richardh

New member
I use Windows XP home running on Virtual PC on Mac OSX. Last couple of weeks started getting popups and browser IE windows opening from nothing with adverts.
I've run Spybot which spotted a couple of things, MS Anti Spyware, and have installed and run AntiVir XP, but the pesky pop ups and new browser windows just won't go away. I've set IE to have maximum security as well. I'd migrate to another browser but I need IE for my banking and even when IE is closed, something is opening it up for me.

I did inadvertantly click on a registry clean pop up the a couple of weeks ago (I was in the middle of installing SP2 and was clicking 'yes' all over the shop) - maybe that did it?

I've run HJI and get the following. I've read a tutorial on reaqding HJI logs and I can't see anything that looks that bad, I've not got that many processes running anyway as my main machine is the Mac. Any thoughts please:

Logfile of HijackThis v1.99.1
Scan saved at 15:44:56, on 17/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\VMADD\VMUSrvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\VMADD\VMSRVC.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\VPCMap.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWIN.EXE
C:\Program Files\AV utilities\hijackthis1991.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
O2 - BHO: (no name) - {023062E7-AD05-FB3C-39D7-E0ED28BE6894} - C:\DOCUME~1\RICHAR~1\APPLIC~1\INTERN~1\Mfcd Way.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {59F39741-30DB-FF64-6FEE-FB0BEC6BF058} - C:\DOCUME~1\RICHAR~1\APPLIC~1\INTERN~1\Mfcd Way.exe
O4 - HKLM\..\Run: [VPCUserServices] C:\WINDOWS\VMADD\VMUSrvc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [License Else] C:\DOCUME~1\RICHAR~1\APPLIC~1\ACIDNO~1\DEFYWMA.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.connectix.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE


Or maybe I ned to look elsewhere? I'm stumped.

Many thanks.
 
Hello Richard and welcome to the forum. Work with me a little here and let's see if we can clean this up. You are running some strange stuff that does not identify and it may well be the source of you problems. You should know if you installed the stuff, and if not follow the directions and remove it with HJT when you come to it. If you know it is not bad, then of course do not delete it and complete all other instructions. We will see what we have accomplished once you have finished. Let's proceed like this:

1) Microsoft AntiSpyware will block what we have to do. Look ahead and download the tools you will be using, then go offline and turn off MAS. Turn your protection back on before returning online.

2) Download, update, configure and run these two programs: http://tomcoyote.org/aawsb.php
The newest version of Ad-aware is 1.06 and Spybot 1.04. Even if you have these programs, use the link to get the newest version, update and configure them as in the link. Run Spybot first, reboot then run Ad-aware. Both programs back up what they remove so delete anything the programs say should be removed.

3) Ewido scan:
Please download Ewido Security Suite it is a trial version of the program.
  • Install ewido security suite
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.**
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(these are the items in question. Even the CLSID numbers do not indentify)

O2 - BHO: (no name) - {023062E7-AD05-FB3C-39D7-E0ED28BE6894} - C:\DOCUME~1\RICHAR~1\APPLIC~1\INTERN~1\Mfcd Way.exe
O2 - BHO: (no name) - {59F39741-30DB-FF64-6FEE-FB0BEC6BF058} - C:\DOCUME~1\RICHAR~1\APPLIC~1\INTERN~1\Mfcd Way.exe
O4 - HKCU\..\Run: [License Else] C:\DOCUME~1\RICHAR~1\APPLIC~1\ACIDNO~1\DEFYWMA.exe

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Enable hidden files&folders..reverse the process when finished.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\DOCUME~1\RICHAR~1\APPLIC~1\ACIDNO~1\DEFYWMA.exe <<< I believe the folder in red needs to go, take a look.

C:\Windows\Prefetch\ >>> delete everything in this folder (NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
Run CCleaner, Windows & Applications when you run the registry cleaner (Issues) you will be prompted to backup before you can remove stuff, make sure you do.

Restart the computer and post the ewido scan results and a new HJT log along with your comments. Has that fixed it?

Thanks...pskelley
Safer Networking Forums
 
thanks pskelly, what a fullsome reply to my post!

I'll do as you say and get back. But in fact meanwhile I think I may have solved it - if not completely cleaned my machine. I'd already run both Spybot and Adaware twice each, though probably not the latest versions. Both found a couple of files each that were suspicious but didn't solve the pop up problem. I'm a little nervous about using a new anti virus with the Virtual PC version of Win XP - both Norton and Panda failed to work - in fact Panda completely hosed my virtual drive - luckily I keep 2 system mirrors on Firewire external so could recover from that. I went for AntiVir XP as it I was assured it worked on VPC by an MS newsgroup forum. But I guess I'll try Ewido as you recommend it.

I was suspicious about those three lines:

O2 - BHO: (no name) - {023062E7-AD05-FB3C-39D7-E0ED28BE6894} - C:\DOCUME~1\RICHAR~1\APPLIC~1\INTERN~1\Mfcd Way.exe
O2 - BHO: (no name) - {59F39741-30DB-FF64-6FEE-FB0BEC6BF058} - C:\DOCUME~1\RICHAR~1\APPLIC~1\INTERN~1\Mfcd Way.exe
O4 - HKCU\..\Run: [License Else] C:\DOCUME~1\RICHAR~1\APPLIC~1\ACIDNO~1\DEFYWMA.exe

I disabled both Mfcd-Way.exe instances in IE tools.

I tried manually deleting the ACIDNO~1 folder but it wouldn't go in the trash - so copied the folder across to my Mac desktop as a back up and checked the line in HJI - this removed DEFYWMA.exe, though on reboot it returned - is it being generated from the system registry? I know nothing! However, since then, touch wood no pop ups and Win XP, always a bit slugguish undet VPC almost flies now.
I'm not 100% ssure it's sorted so will get back when I've followed your instructions.


Thanks again
 
OK Richard:bigthumb: I was about 99.9% sure those items were bad. Keep in mind that HJT is also a process manager. when you delete items like this, it kills the process so it can be deleted if you go right to it. Has to be done before a reboot. If you have issues, use safe mode: http://www.bleepingcomputer.com/forums/tutorial61.html
If it really makes you mad, look at this link: http://forum.malwareremoval.com/viewtopic.php?t=320

I will also say quickly that we use the ewido free trial a lot, it is a great tool. They stop the realtime protection after the trial unless you purchase, but allow you to keep, update and use the scanner for as long as you wish.

Thanks...Phil
 
Phil, you're a star.

Even though I thought I'd got rid of DEFYWMA.exe when I rebooted it reappeared and had another IE pop up. So I ran your routine. Logs to follow. HJI log looking a lot better to my untrained eye.

EWIDO is cool - apologies I misunderstood and thought it was an alternative anti-virus app which it's not - it found some remnants of NewDotNet files which I thought I'd got rid of earlier.

But I couldn't delete DEFYWMA even after HJI. Tried Killbox - wouldn't delete with this with. Finally Safe mode did the trick.
I've run CCleaner - it identified DEFYWMA as being a start up item which I guess was why it kept reappearing? - now removed!

Fingers crossed it's now running mean and clean (well as mean as VCP can ever be). No pop ups after IE being open for about half an hour now which is a hopeful sign. The only IE helpers are now for Acrobat, Messenger and Spybot.


Many thanks for you help. May all your fish be large ones.

LOGS:

ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 07:13:53, 18/01/2006
+ Report-Checksum: 8ACFEB50

+ Scan result:

C:\WINDOWS\NDNuninstall6_98.exe -> Adware.NewDotNet : Cleaned with backup
C:\WINDOWS\NDNuninstall7_14.exe -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{BE810CF3-9A6E-41CB-B9C2-5F0721EC3C11}\RP201\A0047295.exe -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{BE810CF3-9A6E-41CB-B9C2-5F0721EC3C11}\RP201\A0047299.dll -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{BE810CF3-9A6E-41CB-B9C2-5F0721EC3C11}\RP202\A0047322.exe -> Adware.NewDotNet : Cleaned with backup


::Report End



Logfile of HijackThis v1.99.1
Scan saved at 08:44:19, on 18/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\VMADD\VMUSrvc.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\VMADD\VMSRVC.EXE
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\VPCMap.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AV utilities\hijackthis1991.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [VPCUserServices] C:\WINDOWS\VMADD\VMUSrvc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.connectix.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
 
Hello Richard, Thanks again for the kind words, the New.Net junk was in System Restore, no problem unless you used it. We will clean those files.

Your HJT log is clean this morning:bigthumb: and you are good to go. Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html

This information will get you clean System Restore files:
http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam

ewido does offer realtime protection and you are getting it for the trial period. Once the trial is over, unless you purchase the program, turn it off but do update and run the scanner as part of routine maintenance. You should not see it in the HJT log unless you are running it manually when you create a logfile.

Since all is well, I will wish you safe surfing...Phil

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
 
As the problem appears to be resolved this topic will be archived.
If you need it re-opened please pm me.

Glad we could help. :)
 
You must log in or register to reply here.
Back
Top