
Thread: pop-ups won't go away

  1. #1
    Join Date Jul 2007, Posts 9

    pop-ups won't go away

    Hello,
    I've got IE pop-ups that keep appearing. I've tried the suggestions in the sticky, but they are still appearing after that. I was also getting a func.js script error when IE was opened, similar to what jim532 described in a recent thread. Any help would be greatly appreciated.
    Attached Files

  2. #2
    Join Date Aug 2006, Location The Middle, Age 80, Posts 4,079
    Was the AVG Anti-spy run in SAFE MODE?
    You are still showing quite a bit of nasty items.
    When did you run VundoFix?

  3. #3
    Join Date Jul 2007, Posts 9
    I did run the AVG in safe mode and also ran Spybot Search & Destroy in safe mode. I was not able to install Windows Defender as I still have SP1 and it required SP2 to install. I ran the VundoFix in normal mode before I did the Kaspersky scan. Any suggestions on what to do? I'm currently trying to run Trend Micro's HouseCall to see if it helps.

    thanks,
    Brant

  4. #4
    Join Date Jul 2007, Posts 9
    FWIW, the HouseCall ran for about 3.5 hours and then at the very end (while it was checking for active viruses) IE just closed w/o any error messages.

  5. #5
    Join Date Aug 2006, Location The Middle, Age 80, Posts 4,079
    Enable Viewing of Hidden Files and Folders

    Then Update your AVG Anti-spy.

    I do NOT see an onboard anti-virus program on the machine. You must download, install and update one before proceeding.
    You can find links for free anti-virus programs here
    All noted there are good. Choose one and install it. You will need one in order to continue.

    You also are not running a Firewall. At least enable the built in Windows Firewall.

    Download the ATF-Cleaner from the link in the sticky if you have not already done so.

    Disconnect from the internet and boot to SAFE MODE.

    Items noted in the Kaspersky scan include at least 16 mails, maybe more, in the Thunderbird Inbox with the following:
    [From Tim Healy <healyt@email.unc.edu>][Date Tue, 20 Mar 2007 13:36:43 -0400]/text/[From Del Snow <djdsnow@msn.com>][Date Sun, 25 Mar 2007 15:31:42 -0400]/UNNAMED/[From =?iso-8859-1?B?TmV3c3dlZWsuY29t?= <webexclusives@letters.newsweek.com>][Date Sun, 25 Mar 2007 16:48:43 -0400 (EDT)]/UNNAMED
    All contain a Trojan. These mails are all dated March 20 to at least March 25, and all are infected with Trojan-Spy.HTML.Bankfraud.
    This Trojan program utilizes spoofing technology. It is made as a fake HTML page. It is made for stealing information about clients of Washington Mutual Bank. It is often sent as an important message by Washington Mutual Bank, though it is NOT truly from the bank.
    This message contains a link to the fake page; this link exploits the Frame Spoof vulnerability in Internet Explorer.
    Once a user visits the fake site and enters account details or personal information, these details are sent to a malicious remote user, who will then have access to the user's account.
    You may want to change all your passwords and also check all your online accounts for any problems.

    Delete these mails all the way out.

    It truly is not a good idea to keep emails this long, especially since there could be an infection. If there is info that is needed in an email, print out a hard copy and get rid of the mail. Storing email with important info is also risky in case of a power failure or computer crash. Needed important info could be lost forever.

    Next go to My computer. Double Click "C" drive.
    Go to the following;
    C:\Documents and Settings\Brant\Local Settings\Temporary Internet Files\Content.IE5\
    When you open Content.IE5, you should see several file folders in there with odd-looking names, something like GQG1XWNL. There are probably four of these folders. Open each folder and delete the contents...do not delete the entire folder, just the contents.

    Next go to;
    C:\Documents and Settings\Brant\Local Settings\Temp\
    Empty the CONTENTS of that Temp folder. Don't delete the folder itself, just the contents. Make sure the folder is empty. You may get a warning that you are deleting a file which will prevent you from installing or running something; ignore it, click Yes or OK, and delete them.
    Next, click Start » Control Panel » Add/Remove Programs and look for the following:
    PuritySCAN By OIN
    OIN
    OuterInfo
    poolsv
    svhost
    Yazzle or any listings with Yazzle in them.
    If you don't find any of these, don't worry about it; go on to the next step:
    Go to C:\Program Files\
    Look for the following;
    PuritySCAN By OIN
    OIN
    OuterInfo
    poolsv
    svhost
    Yazzle
    Delete any of these found.
    Next go to C:\WINDOWS\SYSTEM32\
    Look for and remove F2\mwspasrt83122.exe
    and F3\626wr.exe

    After that please run the ATF-Cleaner.
    -- Click on ATF-Cleaner to run it
    -- Where it says Select Files To Delete, Check the Select All Option
    -- Click Empty Selected > OK > EXIT
    If you also use Firefox then select the Firefox button. Check Select All option. If you wish to save your Firefox passwords you may check No when asked if you want to delete those also.
    Then click Empty Selected>Ok>Exit.

    Next run a FULL SYSTEM scan with that new anti-virus program you downloaded. Have it fix everything found.
    Please Launch AVG Anti-Spyware.
    -- Click on the Scanner button and choose the Settings Tab.
    ---> Under How to act?, click on Recommended action and choose Quarantine to set default action for detected malware.
    --->Under Reports make sure Automatically generate report after every scan is selected and UNCHECK the Only if threats were found box.
    -- Leave everything else at their default settings and Select the Scan tab and CLICK Complete System Scan to scan your machine.
    -- Upon completion of the scan, Click Apply all actions to place any detected baddies in Quarantine.
    -- AFTER clicking Apply all actions, Click on Save Report and select Save the report to your Desktop.

    Once you have completed ALL of the above steps then reboot the computer to normal mode. Reconnect to the internet and with all browsers and unnecessary programs closed run a new HJT scan and save the log.
    Post back here with the AVG log and the HJT log.
    Judy

  6. #6
    Join Date Jul 2007, Posts 9
    Judy,
    Thanks for your help and Happy 4th of July. I followed your instructions as best I could w/ the noted deviations below:

    I installed AVG free antivirus and for firewall downloaded and installed Comodo.

    In Safe mode:

    I deleted the offending e-mails, all e-mails older than a few weeks from my trash, and all e-mails I could find from that two week period in march. I do save some old e-mails as records, but have a backup (likely w/ the infected e-mails) on CD.

    On the Content.IE5 folder: I found it in Local Settings\Temp\Temporary Internet Files, NOT in Local Settings\Temporary Internet Files (which also existed). I ended up deleting all the files from Local Settings\Temporary Internet Files, and all the files and folders in Local Settings\Temp EXCEPT the Temporary Internet Files folder in that subdirectory.

    I tried to delete all the files in the four subfolders of Content.IE5. There were 2 files in 3 out of 4 folders (6 total files) that would not move to trash or delete. They had very, very long file names. You could not do anything by right-clicking either.

    I had to exit out of safe mode and download a program called "Delete Invalid File". I tried MoveOnBoot and KillBox first, but neither seemed to work, perhaps because of the length of the file name? Anyway, Delete Invalid File did delete the programs.

    I went back to safe mode, checked to make sure they were still deleted, and deleted poolsv and svhost from the Program Files folder

    deleted the F2 and F3 folders

    ran ATF cleaner

    ran the AVG anti-virus (3 items, which were all in System Restore)

    ran the AVG anti-spy (nothing found, report attached)

    back in normal mode ran Kaspersky (attached)

    please when you have a chance let me know if the logs look good or if there is more that I need to do.

    thank you very much,
    Brant
    Attached Files

  7. #7
    Join Date Aug 2006, Location The Middle, Age 80, Posts 4,079
    Hi Brant,
    Happy 4th to you also. Just a few more steps...
    First of all, reboot to SAFE MODE.

    Once in Safe Mode go to Start, Control Panel, Administrative Tools, Services.
    Scroll through and look for
    DomainService. If it is Running click Stop. Then Double Click on Domain Service and set Start Up Type to Disabled. Click OK.

    Then go to C:\WINDOWS\System32\
    Look for gtndpsyt.exe
    It says in the log that it is gone. But if you do find it, delete it.

    Next go to Control Panel, Add/Remove and look for ZenoBrowserEnhancer or any programs labeled Zeno.
    Uninstall all of them that you find.

    Next go to C:\WINDOWS\
    look for this file: itpb_11.exe SKY003
    If you find it, remove it.

    Reboot to normal mode.

    Run HJT again and place a checkmark next to the following if still present;

    O2 - BHO: (no name) - {48E5651B-2335-41FE-A71D-64332BB9ACDF} - C:\WINDOWS\System32\sstro.dll (file missing)
    O2 - BHO: (no name) - {8C5DD480-BEB0-436A-A18C-16458422CCF8} - C:\Program Files\Internet Explorer\holenu83122.dll

    O4 - HKLM\..\Run: [{ZN}] C:\WINDOWS\itpb_11.exe SKY003

    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

    O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\gtndpsyt.exe (file missing)

    Once you have placed the checkmarks click the FIX button.
    Exit HJT.

    Reboot again to Normal Mode.

    Run one more Kaspersky Scan and save the log.
    Run a new scan with HJT and save the log.
    Post back here with both new logs.
    Judy
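An added example, not part of the thread and not HijackThis's own code: a small Python parser for HJT log lines that applies the same removal criteria Judy used above. Lines are matched as orphans when they carry "(file missing)", as unnamed BHOs when an O2 entry has "(no name)", and as vendorless services when an O23 entry says "Unknown owner"; the fourth rule, an O4 autorun whose executable sits directly in C:\WINDOWS, is a heuristic of mine. The five flagged lines in the sample are the ones quoted in the post; the two benign lines (an Adobe Reader BHO and a Java updater autorun) are constructed in the same format for contrast.

```python
"""Flag HijackThis (HJT) log entries by the criteria applied in the thread:
"(file missing)" orphans, BHOs with no name, services with no vendor string,
and (a heuristic of mine) an autorun executable sitting directly in C:\\WINDOWS.
Added example; not HJT's own code."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the five lines quoted in the post plus two benign
# lines in the same format (a named Adobe BHO, a Java updater autorun).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {48E5651B-2335-41FE-A71D-64332BB9ACDF} - C:\WINDOWS\System32\sstro.dll (file missing)
O2 - BHO: (no name) - {8C5DD480-BEB0-436A-A18C-16458422CCF8} - C:\Program Files\Internet Explorer\holenu83122.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0\bin\jusched.exe
O4 - HKLM\..\Run: [{ZN}] C:\WINDOWS\itpb_11.exe SKY003
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\gtndpsyt.exe (file missing)
"""

# First drive-letter path ending in .exe/.dll/.sys.  HJT appends notes such as
# "(file missing)" in parentheses, so those characters cannot be part of a path.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\r\n()\[\]]*?\.(?:exe|dll|sys)\b", re.IGNORECASE)
SECTION_RE = re.compile(r"^(O\d+) - ")


@dataclass
class HjtEntry:
    section: str                 # "O2", "O4", "O9", "O23", ...
    raw: str
    path: Optional[str]          # executable the entry points at, if any
    reasons: List[str] = field(default_factory=list)


def parse_hjt(log: str) -> List[HjtEntry]:
    """Split an HJT log into entries; header lines and blanks are skipped."""
    entries = []
    for line in log.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue
        pm = PATH_RE.search(line)
        entries.append(HjtEntry(m.group(1), line, pm.group(0) if pm else None))
    return entries


def flag(e: HjtEntry) -> HjtEntry:
    """Attach one reason for each removal criterion the entry meets."""
    low = e.raw.lower()
    if "(file missing)" in low:
        e.reasons.append("orphan: registry entry points at a file that no longer exists")
    if e.section == "O2" and "(no name)" in low:
        e.reasons.append("browser helper object with no name")
    if e.section == "O23" and "unknown owner" in low:
        e.reasons.append("service with no vendor string")
    if e.section == "O4" and e.path and e.path.rsplit("\\", 1)[0].lower() == r"c:\windows":
        e.reasons.append("autorun executable placed directly in C:\\WINDOWS (heuristic)")
    return e


def suspicious(log: str) -> List[HjtEntry]:
    """Entries that meet at least one criterion, in log order."""
    return [e for e in map(flag, parse_hjt(log)) if e.reasons]


if __name__ == "__main__":
    for e in suspicious(SAMPLE_LOG):
        print(e.raw)
        for r in e.reasons:
            print("    ->", r)
```

The parser deliberately does not decide on its own what to fix: an entry marked "(file missing)" is only an orphaned registry value, and the "Unknown owner" service and the C:\WINDOWS autorun are leads to verify against the file on disk, which is why the thread pairs each HJT fix with a look at the actual path.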

  8. #8
    Join Date Jul 2007, Posts 9
    Judy,


    I went to safe mode and disabled the DomainService.

    I did not find gtndpsyt.exe in the System32 folder, or any Zeno programs in the Control Panel, or the itpb_11.exe program in the Windows folder.

    I rebooted to normal mode and did fix all those items listed in the HJT scan.

    I rebooted again to normal mode and ran Kaspersky and HJT, whose logs are attached below.

    I appreciate your help very much,


    Brant
    Attached Files

  9. #9
    Join Date Aug 2006, Location The Middle, Age 80, Posts 4,079
    Well Brant, I have good news and bad news....
    The good news is the HJT log looks much better, the items you removed don't show anymore...
    The bad news...
    Much of what you thought had been deleted, shown in the earlier Kaspersky scan, remains in this one too.
    Then download the Microsoft® Windows® Malicious Software Removal Tool

    Next go here;
    C:\Documents and Settings\Brant\.housecall6.6\Quarantine\
    Get rid of the items in that Quarantine folder. These are viruses which HAVE been removed but are in Quarantine. You don't need to keep it and it does contain some of what Kaspersky notes so get rid of it so that Kaspersky won't note it anymore.

    All those infected emails still show in the Kaspersky scan, which means they have not been deleted.

    Please print out this information.

    Shut down the computer. Physically UNPLUG the Internet Cable
    Then boot to SAFE MODE again and try the manual removal once more;
    Once you get to safe mode try this;
    Go to Start > Run and type cleanmgr in the box. Let it scan your system for files to remove. Make sure Temporary Internet Files and Temporary Files are checked, and click OK.

    The infected files show in these locations. Follow the instructions exactly;

    C:\Documents and Settings\Brant\Application Data\Thunderbird\Profiles\vnise0n7.default\Mail\Local Folders\Inbox/
    There are still 16 showing, same trojan, the Trojan-Spy.HTML.Bankfraud.ri

    You have to follow the trail EXACTLY as shown. So these are found here. Don't just open the Thunderbird program; do it this way:
    C:\Documents and Settings\
    Brant\
    Application Data\
    Thunderbird\
    Profiles\
    vnise0n7.default\
    Mail\
    Local Folders\
    Inbox/
    If you have more than one profile in the Thunderbird mail program, the profile you have to go to is vnise0n7.default
    That is where they are located, in that Inbox. Don't save them, don't put them on a disk, they are phishing mails which, if you follow the link given in them will take you to a site where the trojan will load to the computer. There are 16 of these, remove them ALL.

    Trojans are still present here, in this folder:
    C:\Documents and Settings\Brant\Local Settings\Temporary Internet Files\Content.IE5\UVQ9GHUD\

    Again, you have to go exactly to the folders noted;
    First go to C:\Documents and Settings\
    then to \Brant\
    then to \Local Settings\
    then to \Temporary Internet Files\
    then to \Content.IE5\
    then to \UVQ9GHUD\
    Empty that folder.

    Open and run Microsoft Malicious Software Removal Tool and fix what it finds.

    Reconnect your Internet Cable


    Now reboot to Safe Mode with Networking and continue -->
    (Use of Internet Explorer is required for this step)

    Try two more online scans, this time try both Panda and TrendMicro.
    If they allow you to fix items found, let them.
    If they don't then just save the logs.
    Run Kaspersky again AFTER running those two others. Save the log.
    Reboot to Normal mode and post back here with logs of all the programs you have run.
    We are going to get these!
    Judy
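An added example, not from the thread: the Inbox at the Thunderbird path Judy gives above is a single mbox file, so the 16 mails can be located and removed surgically instead of deleting the whole Inbox. The Python below scans an mbox for the "link to the fake page" pattern the post describes, an HTML link whose visible text names one host while its href points somewhere else, and removes only the messages that match. That heuristic is an assumption of mine, not the Kaspersky signature; the three sample mails (a plain-text note, a phishing mail, a newsletter) are constructed, and `scan_mbox()` would be pointed at the real Inbox path instead.

```python
"""Find phishing mails in a Thunderbird Inbox (a single mbox file) and remove
only those, rather than deleting the whole Inbox.  Added example, not from the
thread.  Detection is a heuristic of mine: an HTML link whose visible text
names one host while the href points at another.  Sample mails are constructed."""
import mailbox
import os
import re
import tempfile
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple

# Hostname or IPv4 in a URL or bare text, without scheme or path.
HOST_RE = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,}|\d{1,3}(?:\.\d{1,3}){3})")


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self) -> None:
        super().__init__()
        self.anchors: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s: str) -> Optional[str]:
    m = HOST_RE.search(s)
    return m.group(1).lower() if m else None


def mismatched_links(html: str) -> List[Tuple[str, str]]:
    """(text, href) pairs where the text names a host the href does not go to."""
    p = AnchorCollector()
    p.feed(html)
    bad = []
    for href, text in p.anchors:
        h, t = host_of(href), host_of(text)
        # Text with no hostname ("Read more") cannot be judged; a subdomain of
        # the displayed host (secure.bank.example for bank.example) is allowed.
        if h and t and h != t and not h.endswith("." + t):
            bad.append((text, href))
    return bad


def scan_mbox(path: str) -> Dict[int, List[Tuple[str, str]]]:
    """Map mbox key -> mismatched links found in the message's HTML parts."""
    hits: Dict[int, List[Tuple[str, str]]] = {}
    box = mailbox.mbox(path)
    try:
        for key, msg in box.iteritems():
            for part in msg.walk():
                if part.get_content_type() != "text/html":
                    continue
                body = part.get_payload(decode=True).decode(
                    part.get_content_charset() or "utf-8", "replace")
                bad = mismatched_links(body)
                if bad:
                    hits.setdefault(key, []).extend(bad)
    finally:
        box.close()
    return hits


def purge(path: str, keys: List[int]) -> int:
    """Delete the given messages in place (mail client closed); returns count."""
    box = mailbox.mbox(path)
    box.lock()
    try:
        for k in keys:
            box.remove(k)
        box.flush()
    finally:
        box.unlock()
        box.close()
    return len(keys)


# Constructed sample Inbox: a plain-text note, a phishing mail whose link
# displays the bank's host but points at a bare IP, and a benign newsletter.
SAMPLE_MAILS = [
    "From: Colleague <colleague@work.example>\nSubject: meeting notes\n"
    "Content-Type: text/plain\n\nNotes from today as discussed.\n",
    "From: Security <alerts@bank.example>\nSubject: Urgent account verification\n"
    "Content-Type: text/html\n\n<html><body>Please confirm your details at "
    '<a href="http://192.0.2.10/update.htm">https://www.bank.example/security</a>'
    "</body></html>\n",
    "From: Newsletter <news@news.example>\nSubject: This week\n"
    "Content-Type: text/html\n\n<html><body>"
    '<a href="https://news.example/story">https://news.example/story</a> and '
    '<a href="https://news.example/more">Read more</a></body></html>\n',
]


def build_sample_mbox(path: str) -> int:
    box = mailbox.mbox(path)
    for raw in SAMPLE_MAILS:
        box.add(raw)
    n = len(box)
    box.close()
    return n


def demo() -> Dict[str, object]:
    """Build the sample Inbox in a temp dir, scan it, purge the hits."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "Inbox")
        before = build_sample_mbox(path)
        hits = scan_mbox(path)
        removed = purge(path, list(hits))
        box = mailbox.mbox(path)
        after = len(box)
        box.close()
    return {"before": before, "hits": hits, "removed": removed, "after": after}
```

Run it only with Thunderbird closed, and after `purge()` delete the matching Inbox.msf so Thunderbird rebuilds its index from the edited mbox (the .msf is a cache of the file, which is why the thread has it deleted as well). The link check deliberately stays quiet on text without a hostname: it would rather miss a mail than flag a newsletter, and a real clean-up still needs the scanner's verdict on the mails it skips.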

  10. #10
    Join Date Jul 2007, Posts 9
    Just a partial update as scans are still running.

    I removed the housecall folder

    Went to Safe Mode with no Internet cable.

    Tried to run cleanmgr, but the program locked up and I had to use Task Manager to cancel it. It did the same when I tried again. I used the ATF-Cleaner program to empty those folders.

    I went via the folder system to vnise0n7.default\Mail\Local Folders\Inbox

    I deleted the Inbox and also the Inbox.msf file, as well as the Trash and Trash.msf files. I assume this will delete all the e-mails in those mailboxes (the Inbox is supposedly empty if I open Thunderbird, and the Trash I don't need).

    Both \Brant\Local Settings\Temporary Internet Files\
    and \Brant\Local Settings\Temp folders were empty.
    I could not find a Content.IE5 folder.

    I'm running the microsoft program currently. Will continue w/ your instructions.

    thanks,
    Brant
