Data Security Viruses, Firewalls and Safe computing
Have you looked through the folders on your disk? See if there are any programs there which you didn't install. Also, check what processes are running. Google the names to find out more about any suspicious-looking processes.

Run Hijackthis: http://files.aoaforums.com/I1842-hijackthis.zip.html

See what that throws up.
It sounds like you've got a browser hijacker that has installed a Browser Helper Object. Try running Spybot Search and Destroy. I've had good luck with it. You can download it here.

Last edited by Gizmo; 1st November, 2006 at 04:10 PM.
Also try these; more than one program should always be used. Each one detects different ones.

Online based one: X-Cleaner http://www.spywareguide.com/onlinescan.php

Ewido - 30 day trial but finds things others don't. http://www.ewido.net/en/

CounterSpy - 30 day trial also but meh free at first http://www.sunbelt-software.com/

And just in case, run this anti-virus online scan: http://www.bitdefender.com/scan8/ie.html

System performance scan if you want (we need to get something like this on AOA): http://www.pcpitstop.com/pcpitstop/default.asp

I have found that the online scans usually find things more often than software based ones (my opinion). Also, BEFORE you remove any spyware or virus, turn off your system restore. System restore can keep the spyware on your system. So system restore isn't always a good idea.

Here are a few good sites to read: http://www.spywarewarrior.com/ http://www.spywareguide.com

And just in case, test your firewall here: http://www.grc.com/intro.htm

Last edited by Necorum; 1st November, 2006 at 05:57 PM.
I tried Spybot S&D, it only found a few 'tracker cookies', removing them hasn't helped. I tried system restore three times, and each time it told me after rebooting it could not restore, didn't give a reason. Here's my hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 21:01:52, on 01/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\General Utilities\Daemon Tools\daemon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\General Utilities\Netmeter\NetMeter.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Downloads\hijackthis2\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [GBB36X Configure] C:\WINDOWS\System32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\General Utilities\Daemon Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [C:\General Utilities\Netmeter\NetMeter.exe] C:\General Utilities\Netmeter\NetMeter.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1162152894882
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)

Last edited by Chaz; 1st November, 2006 at 10:03 PM.
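
A small triage pass over a HijackThis log like the one posted above, as an added example that is not part of the original thread: it groups entries by section code and lists the ones worth checking by hand. The function names and review rules are assumptions chosen for illustration; the sample lines are excerpted from the log above.

```python
import re
from collections import Counter

# Meaning of the HijackThis section codes seen in this thread's log, plus O2,
# the Browser Helper Object section that one reply suspected.
SECTIONS = {
    "R0": "IE start/search page", "O2": "Browser Helper Object",
    "O4": "autostart entry", "O8": "IE context-menu item",
    "O9": "IE button / Tools menu item", "O16": "ActiveX control (DPF)",
    "O18": "protocol handler", "O21": "ShellServiceObjectDelayLoad",
    "O23": "Windows service",
}
ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")
RUN = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(.*?)\] (.*)$")
FULL_PATH = re.compile(r'^"?[A-Za-z]:\\')

# Six lines excerpted from the log posted above.
SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
"""

def parse(log_text):
    """Return (code, detail) for each entry line; header and process lines are skipped."""
    hits = (ENTRY.match(line.strip()) for line in log_text.splitlines())
    return [m.groups() for m in hits if m]

def review_notes(entries):
    """Entries worth a manual look. A note is a prompt to check, not a verdict."""
    notes = []
    for code, detail in entries:
        run = RUN.match(detail) if code == "O4" else None
        if code == "O2":
            notes.append((code, "Browser Helper Object present", detail))
        if run and not FULL_PATH.match(run.group(2)):
            notes.append((code, "autostart without full path", run.group(1)))
        if code == "O23" and "Unknown owner" in detail:
            notes.append((code, "service with unknown owner", detail))
        if "(file missing)" in detail:
            notes.append((code, "target file missing", detail))
    return notes

if __name__ == "__main__":
    entries = parse(SAMPLE)
    for code, n in Counter(c for c, _ in entries).items():
        print(f"{code:>3} x{n}  {SECTIONS.get(code, 'unknown section')}")
    for code, why, what in review_notes(entries):
        print(f"CHECK {code}: {why}: {what}")
```

Run over the full log above, the O2 rule produces nothing, because the log contains no O2 lines.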
I can't see anything bad in your hijackthis log. Sounds like the malware has screwed with your system restore. Unfortunately a lot of malware does this.

Tried repairing or uninstalling IE6? http://www.techspot.com/tweaks/ie6/index.shtml

You may need to disable the system restore to prevent the malware from reappearing when you reboot.

Last edited by danrok; 2nd November, 2006 at 01:04 AM.
Do the popups only happen when running messenger or other apps? I.e. if you boot and do nothing, do they appear? If you load only IE, do they appear?

Check what loads on startup; msconfig tells you only part of the story. Go to http://www.sysinternals.com/Utilities/Autoruns.html and download Autoruns (it's free). This will show you many more places where things autoload on startup. Go careful disabling stuff as you can bork Windows! If you see a blank entry, disable it. Same with an entry that has a funny name. Use common sense to disable anything you don't like the look of.