
Thread: pop-ups won't go away

  1. #1 (Join Date: Jul 2007, Posts: 9)

    pop-ups won't go away

    Hello,
    I've got IE popups that keep appearing. I've tried the suggestions in the sticky, but they are still appearing after that. I was also getting a func.js script error when IE was opened, similar to what jim532 described in a recent thread. Any help would be greatly appreciated.
    Attached Files

  2. #2 (Join Date: Aug 2006, Location: The Middle, Age: 80, Posts: 4,079)
    Was the AVG Anti-spy run in SAFE MODE?
    You are still showing quite a bit of nasty items.
    When did you run VundoFix?

  3. #3 (Join Date: Jul 2007, Posts: 9)
    I did run the AVG in safe mode and also ran Spybot Search & Destroy in safe mode. I was not able to install Windows Defender as I still have SP1 and it required SP2 to install. I ran VundoFix in normal mode before I did the Kaspersky scan. Any suggestions on what to do? I'm currently trying to run Trend Micro's HouseCall to see if it helps.

    thanks,
    Brant

  4. #4 (Join Date: Aug 2006, Location: The Middle, Age: 80, Posts: 4,079)
    Enable Viewing of Hidden Files and Folders

    Then Update your AVG Anti-spy.

    I do NOT see an onboard anti-virus program on the machine. You must download, install and update one before proceeding.
    You can find links for free anti-virus programs here
    All noted there are good. Choose one and install it. You will need one in order to continue.

    You also are not running a Firewall. At least enable the built in Windows Firewall.

    Download the ATF-Cleaner from the link in the sticky if you have not all ready done so.

    Disconnect from the internet and boot to SAFE MODE.

    Items noted in the Kaspersky scan include at least 16 mails, maybe more, in the Thunderbird Inbox with the following:
    [From Tim Healy <healyt@email.unc.edu>][Date Tue, 20 Mar 2007 13:36:43 -0400]/text/[From Del Snow <djdsnow@msn.com>][Date Sun, 25 Mar 2007 15:31:42 -0400]/UNNAMED/[From =?iso-8859-1?B?TmV3c3dlZWsuY29t?= <webexclusives@letters.newsweek.com>][Date Sun, 25 Mar 2007 16:48:43 -0400 (EDT)]/UNNAMED
    All contain a Trojan. These mails are all dated March 20 to at least March 25, and all are infected with Trojan-Spy.HTML.Bankfraud.
    This Trojan program utilizes spoofing technology. It is made as a fake HTML page. It is made for stealing information about clients of Washington Mutual Bank. It is often sent as an important message from Washington Mutual Bank, though it is NOT truly from the bank.
    This message contains a link to the fake page; this link exploits the Frame Spoof vulnerability in Internet Explorer.
    Once a user visits the fake site and enters account details or personal information, these details are sent to a malicious remote user, who will then have access to the user's account.
    You may want to change all your passwords and also check all your online accounts for any problems.

    Delete these mails all the way out.

    It truly is not a good idea to keep emails this long, especially since there could be an infection. If there is info that is needed in an email, print out a hard copy and get rid of the mail. Storing email with important info is also risky in case of a power failure or computer crash. Needed important info could be lost forever.

    Next go to My Computer. Double-click the "C" drive.
    Go to the following:
    C:\Documents and Settings\Brant\Local Settings\Temporary Internet Files\Content.IE5\
    When you open Content.IE5, you should see several file folders in there with odd-looking names, something like GQG1XWNL. There are probably four of these folders. Open each folder and delete the contents... do not delete the entire folder, just the contents.

    Next go to:
    C:\Documents and Settings\Brant\Local Settings\Temp\
    Empty the CONTENTS of that Temp folder. Don't delete the folder itself, just the contents. Make sure the folder is empty. You may get a warning that you are deleting a file which will prevent you from installing or running something, ignore it or click yes, or ok and delete them.
    Next
    • Click Start » Control Panel » Add/Remove Programs
    PuritySCAN By OIN
    OIN
    OuterInfo
    poolsv
    svhost
    Yazzle or any listings with Yazzle in them.
    If you don't find any of these, don't worry about it; go on to the next step.
    Go to C:\Program Files\
    Look for the following:
    PuritySCAN By OIN
    OIN
    OuterInfo
    poolsv
    svhost
    Yazzle
    Delete any of these found.
    Next go to C:\WINDOWS\SYSTEM32\
    Look for and remove F2\mwspasrt83122.exe
    and F3\626wr.exe

    After that please run the ATF-Cleaner.
    -- Click on ATF-Cleaner to run it
    -- Where it says Select Files To Delete, Check the Select All Option
    -- Click Empty Selected > OK > EXIT
    If you also use Firefox then select the Firefox button. Check Select All option. If you wish to save your Firefox passwords you may check No when asked if you want to delete those also.
    Then click Empty Selected>Ok>Exit.

    Next run a FULL SYSTEM scan with that new anti-virus program you downloaded. Have it fix everything found.
    Please Launch AVG Anti-Spyware.
    -- Click on the Scanner button and choose the Settings Tab.
    ---> Under How to act?, click on Recommended action and choose Quarantine to set default action for detected malware.
    --->Under Reports make sure Automatically generate report after every scan is selected and UNCHECK the Only if threats were found box.
    -- Leave everything else at their default settings and Select the Scan tab and CLICK Complete System Scan to scan your machine.
    -- Upon completion of the scan, Click Apply all actions to place any detected baddies in Quarantine.
    -- AFTER clicking Apply all actions, Click on Save Report and select Save the report to your Desktop.

    Once you have completed ALL of the above steps then reboot the computer to normal mode. Reconnect to the internet and with all browsers and unnecessary programs closed run a new HJT scan and save the log.
    Post back here with the AVG log and the HJT log.
    Judy

  5. #5 (Join Date: Jul 2007, Posts: 9)
    Judy,
    Thanks for your help and Happy 4th of July. I followed your instructions as best I could w/ the noted deviations below:

    I installed AVG free antivirus and for firewall downloaded and installed Comodo.

    In Safe mode:

    I deleted the offending e-mails, all e-mails older than a few weeks from my trash, and all e-mails I could find from that two week period in march. I do save some old e-mails as records, but have a backup (likely w/ the infected e-mails) on CD.

    On the Content.IE5 folder: I found it in Local Settings\Temp\Temporary Internet Files, NOT in Local Settings\Temporary Internet Files (which also existed). I ended up deleting all the files from Local Settings\Temporary Internet Files, and all the files and folders in Local Settings\Temp EXCEPT the Temporary Internet Files folder in that subdirectory.

    I tried to delete all the files in the four subfolders of Content.IE5. There were 2 files in 3 out of 4 folders (6 total files) that would not move to trash or delete. They had very, very long file names. You could not do anything by right-clicking either.

    I had to exit out of safe mode and download a program called "Delete Invalid File". I tried MoveOnBoot and KillBox first, but neither seemed to work, perhaps because of the length of the file name? Anyway, Delete Invalid File did delete the programs.

    I went back to safe mode, checked to make sure they were still deleted, and deleted poolsv and svhost from the Program Files folder.

    deleted the F2 and F3 folders

    ran ATF cleaner

    ran the AVG anti-virus (3 items which were all system restore)

    ran the AVG anti-spy (nothing found, report attached)

    back in normal mode, ran Kaspersky (attached)

    please when you have a chance let me know if the logs look good or if there is more that I need to do.

    thank you very much,
    Brant
    Attached Files
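One way to script the temp-folder part of Judy's instructions in post #4 (empty the odd-named folders under Content.IE5 without removing them; empty Temp without removing it) that also copes with the over-long file names Brant hit in post #5. This is an added example, not code from the thread or from any of the tools named in it. It assumes the XP profile layout the post describes and builds a constructed stand-in of it in a scratch directory; the subfolder and file names in the demo tree are made up. The `\\?\` prefix is the Windows long-path convention; on other platforms the paths are used unchanged.

```python
import os
import shutil
import sys
import tempfile
from pathlib import Path
from typing import Iterable, List, Tuple


def long_path(path) -> str:
    """Return an absolute path Windows accepts even past the 260-character MAX_PATH
    limit by adding the \\\\?\\ prefix. The prefix is a Windows feature; on other
    platforms the absolute path is returned unchanged."""
    p = os.path.abspath(path)
    if sys.platform == "win32" and not p.startswith("\\\\?\\"):
        return "\\\\?\\" + p
    return p


def empty_folder(folder, keep_subfolders: bool = False,
                 keep_names: Iterable[str] = ()) -> List[str]:
    """Delete the contents of `folder` but never the folder itself.

    keep_subfolders=True empties each immediate subfolder in place and leaves it
    standing (the Content.IE5 instruction); False removes subfolders outright
    (the Temp instruction). Names in `keep_names` are skipped entirely (Brant kept
    the "Temporary Internet Files" subfolder inside Temp). Returns the paths that
    could not be removed, e.g. locked files, so nothing fails silently.
    """
    failed: List[str] = []
    keep = set(keep_names)
    with os.scandir(long_path(folder)) as entries:
        for entry in entries:
            if entry.name in keep:
                continue
            try:
                if entry.is_dir(follow_symlinks=False):
                    if keep_subfolders:
                        failed.extend(empty_folder(entry.path, keep_subfolders=False))
                    else:
                        shutil.rmtree(entry.path)
                else:
                    os.unlink(entry.path)
            except OSError:
                failed.append(entry.path)
    return failed


def build_demo_tree(base) -> Tuple[Path, Path]:
    """Constructed stand-in for the profile layout named in the thread; the folder
    names under Content.IE5 and the file names are made up for this demo."""
    base = Path(base)
    content = base / "Local Settings" / "Temporary Internet Files" / "Content.IE5"
    for sub in ("GQG1XWNL", "K1A2B3C4", "ZZ9PLURA"):
        d = content / sub
        d.mkdir(parents=True)
        (d / "page[1].htm").write_text("<html></html>")
        # a 200+ character name, the kind that defeated the usual delete tools in post #5
        (d / ("cached[1]." + "x" * 200)).write_bytes(b"stale cache")
    temp = base / "Local Settings" / "Temp"
    (temp / "installer_leftover").mkdir(parents=True)
    (temp / "installer_leftover" / "setup.tmp").write_bytes(b"\x00")
    (temp / "~df1234.tmp").write_bytes(b"\x00")
    (temp / "Temporary Internet Files").mkdir()   # the subfolder Brant chose to keep
    return content, temp


def run_demo() -> dict:
    """Build the constructed tree in a scratch directory, clean it the way the post
    describes, and report what is left so the outcome can be checked."""
    with tempfile.TemporaryDirectory() as scratch:
        content, temp = build_demo_tree(scratch)
        cache_failures = empty_folder(content, keep_subfolders=True)
        temp_failures = empty_folder(temp, keep_names=("Temporary Internet Files",))
        return {
            "cache_failures": cache_failures,
            "temp_failures": temp_failures,
            "cache_subfolders": sorted(p.name for p in content.iterdir()),
            "cache_files_left": sum(1 for sub in content.iterdir() for _ in sub.iterdir()),
            "temp_left": sorted(p.name for p in temp.iterdir()),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running this from Safe Mode with browsers closed still matters: anything that is locked or undeletable comes back in the returned list instead of being silently skipped, which is the signal that a file needs closer attention.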

  6. #6 (Join Date: Aug 2006, Location: The Middle, Age: 80, Posts: 4,079)
    Hi Brant,
    Happy 4th to you also. Just a few more steps...
    First of all, reboot to SAFE MODE.

    Once in Safe Mode go to Start, Control Panel, Administrative Tools, Services.
    Scroll through and look for
    DomainService. If it is Running, click Stop. Then double-click on DomainService and set Startup Type to Disabled. Click OK.

    Then go to C:\WINDOWS\System32\
    Look for gtndpsyt.exe
    It says in the log that it is gone. But if you do find it, delete it.

    Next go to Control Panel, Add/Remove and look for ZenoBrowserEnhancer or any programs labelled Zeno.
    Uninstall all of them that you find.

    Next go to C:\WINDOWS\
    Look for this file: itpb_11.exe SKY003
    If you find it, remove it.

    Reboot to normal mode.

    Run HJT again and place a checkmark next to the following if still present:

    O2 - BHO: (no name) - {48E5651B-2335-41FE-A71D-64332BB9ACDF} - C:\WINDOWS\System32\sstro.dll (file missing)
    O2 - BHO: (no name) - {8C5DD480-BEB0-436A-A18C-16458422CCF8} - C:\Program Files\Internet Explorer\holenu83122.dll

    O4 - HKLM\..\Run: [{ZN}] C:\WINDOWS\itpb_11.exe SKY003

    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

    O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\gtndpsyt.exe (file missing)

    Once you have placed the checkmarks click the FIX button.
    Exit HJT.

    Reboot again to Normal Mode.

    Run one more Kaspersky Scan and save the log.
    Run a new scan with HJT and save the log.
    Post back here with both new logs.
    Judy
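The HijackThis entries Judy lists above follow a fixed `Oxx - kind: name - {CLSID} - path (flags)` layout, so they can be parsed and triaged mechanically. The following is an added example, not HijackThis code and not from this thread, that parses the five quoted lines into records and then applies a few defender heuristics of its own: a referenced file that no longer exists, an unnamed BHO, a service with no registered owner, and an autorun executable sitting directly in the Windows directory. Those heuristics are this example's own assumptions, not rules from HijackThis or from the poster.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The five HijackThis lines quoted in the post, used here as constructed sample input.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {48E5651B-2335-41FE-A71D-64332BB9ACDF} - C:\WINDOWS\System32\sstro.dll (file missing)
O2 - BHO: (no name) - {8C5DD480-BEB0-436A-A18C-16458422CCF8} - C:\Program Files\Internet Explorer\holenu83122.dll
O4 - HKLM\..\Run: [{ZN}] C:\WINDOWS\itpb_11.exe SKY003
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\gtndpsyt.exe (file missing)
"""

LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")          # section, kind, remainder
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
HIVE_RE = re.compile(r"\((HKCU|HKLM)\)\s*$")               # trailing per-user marker
DRIVE_RE = re.compile(r"[A-Za-z]:\\")                      # where the file path starts
EXE_RE = re.compile(r"(.*?\.(?:exe|dll|sys|ocx|cpl|scr|com|bat))(?:\s+(.*))?$", re.IGNORECASE)


@dataclass
class HjtEntry:
    section: str            # O2, O4, O9, O23 ...
    kind: str               # BHO, HKLM\..\Run, Extra button, Service
    name: str
    clsid: Optional[str]
    path: Optional[str]
    args: str               # command-line arguments after the executable (O4 lines)
    file_missing: bool
    hive: Optional[str]
    raw: str


def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    """Turn one HJT log line into a record; returns None for lines that are not entries."""
    raw = line.strip()
    m = LINE_RE.match(raw)
    if not m:
        return None
    section, kind, rest = m.groups()
    file_missing = "(file missing)" in rest
    rest = rest.replace("(file missing)", "")
    hive = None
    hm = HIVE_RE.search(rest)
    if hm:
        hive = hm.group(1)
        rest = rest[:hm.start()]
    rest = rest.strip()
    cm = CLSID_RE.search(rest)
    clsid = cm.group(0) if cm else None
    if rest.startswith("["):                      # O4 style: [EntryName] command line
        name = rest[1:rest.index("]")]
    else:                                         # "Name - {CLSID} - path" style
        name = rest.split(" - ", 1)[0]
    path, args = None, ""
    dm = DRIVE_RE.search(rest)
    if dm:
        tail = rest[dm.start():]
        em = EXE_RE.match(tail)
        if em:
            path, args = em.group(1), (em.group(2) or "").strip()
        else:
            path = tail
    return HjtEntry(section, kind, name, clsid, path, args, file_missing, hive, raw)


def parse_hjt_log(text: str) -> List[HjtEntry]:
    return [e for e in (parse_hjt_line(ln) for ln in text.splitlines()) if e]


def triage(entries: List[HjtEntry]) -> List[str]:
    """Apply this example's own heuristics and return one line per flagged entry."""
    reasons = []
    for e in entries:
        why = []
        if e.file_missing:
            why.append("points at a file that no longer exists (orphaned after cleanup)")
        if e.kind == "BHO" and e.name == "(no name)":
            why.append("unnamed browser helper object")
        if e.kind == "Service" and "Unknown owner" in e.raw:
            why.append("service with no registered owner")
        if e.section == "O4" and e.path and \
                e.path.lower().rsplit("\\", 1)[0] in ("c:\\windows", "c:\\winnt"):
            why.append("autorun executable placed directly in the Windows directory")
        if why:
            reasons.append(f"{e.section} {e.name}: " + "; ".join(why))
    return reasons


if __name__ == "__main__":
    for line in triage(parse_hjt_log(SAMPLE_LOG)):
        print(line)
```

Orphaned entries ("file missing") are exactly the ones HJT's Fix button is for: the file is already gone, so what remains to remove is the registry reference that would otherwise keep trying to load it.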

  7. #7 (Join Date: Jul 2007, Posts: 9)
    FWIW, the Housecall ran for about 3.5 hours and then at the very end (during when it was checking for active viruses) IE just closed w/o any error messages.

  8. #8 (Join Date: Aug 2006, Location: The Middle, Age: 80, Posts: 4,079)
    Hi Brant,
    Have returned tanned and rested. Thanks to SPD for reading the logs.
    Please follow ALL of his instructions to avoid further problems.
