Thread: pop-ups won't go away

  1. #1
    Join Date: Jul 2007, Posts: 9
    Judy,
    Thanks for your help and Happy 4th of July. I followed your instructions as best I could w/ the noted deviations below:

    I installed AVG free antivirus and for firewall downloaded and installed Comodo.

    In Safe mode:

    I deleted the offending e-mails, all e-mails older than a few weeks from my trash, and all e-mails I could find from that two-week period in March. I do save some old e-mails as records, but have a backup (likely w/ the infected e-mails) on CD.

    On the contents.ie5 folder: I found it in local settings/temp/temporary internet files, NOT in local settings/temporary internet files (which also existed). I ended up deleting all the files from local settings/temporary internet files, all the files and folders in local settings/temp -EXCEPT the temporary internet files folder in that subdirectory.

    I tried to delete all the files in the four subfolders of contents.ie5. There were 2 files in 3 out of 4 folders (6 total files) that would not move to trash or delete. They had very very long file names. You could not do anything by right clicking either.

    I had to exit out of safe mode and download a program called "delete invalid file". I tried MoveOnBoot and KillBox first, but neither seemed to work, perhaps because of the length of the file name? Anyway, delete invalid file did delete the programs.

    I went back to safe mode, checked to make sure they were still deleted, then deleted poolsv and svhost from the program files folder,

    deleted the F2 and F3 folders

    ran ATF cleaner

    ran the AVG anti-virus (3 items, which were all System Restore),

    ran the AVG anti-spy (nothing found, report attached)

    back in normal mode ran kaspersky (attached)

    please when you have a chance let me know if the logs look good or if there is more that I need to do.

    thank you very much,
    Brant

  2. #2
    Join Date: Aug 2006, Location: The Middle, Age: 80, Posts: 4,079
    Hi Brant,
    Happy 4th to you also. Just a few more steps...
    First of all, reboot to SAFE MODE.

    Once in Safe Mode go to Start, Control Panel, Administrative Tools, Services.
    Scroll through and look for
    DomainService. If it is Running, click Stop. Then double-click on DomainService and set Startup Type to Disabled. Click OK.

    Then go to C:\WINDOWS\System32\
    Look for gtndpsyt.exe
    It says in the log that it is gone. But if you do find it, delete it.

    Next go to Control Panel, Add/Remove and look for ZenoBrowserEnhancer or any programs labeled Zeno.
    Uninstall all of them that you find.

    Next go to C:\WINDOWS\
    look for this file itpb_11.exe SKY003
    If you find it, remove it.

    Reboot to normal mode.

    Run HJT again and place a checkmark next to the following if still present:

    O2 - BHO: (no name) - {48E5651B-2335-41FE-A71D-64332BB9ACDF} - C:\WINDOWS\System32\sstro.dll (file missing)
    O2 - BHO: (no name) - {8C5DD480-BEB0-436A-A18C-16458422CCF8} - C:\Program Files\Internet Explorer\holenu83122.dll

    O4 - HKLM\..\Run: [{ZN}] C:\WINDOWS\itpb_11.exe SKY003

    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

    O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\gtndpsyt.exe (file missing)

    Once you have placed the checkmarks click the FIX button.
    Exit HJT.

    Reboot again to Normal Mode.

    Run one more Kaspersky Scan and save the log.
    Run a new scan with HJT and save the log.
    Post back here with both new logs.
    Judy
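The HJT lines Judy lists above follow a fixed layout (section code, entry name, CLSID, path, and HJT's own "(file missing)" / "Unknown owner" markers). As an added example that is not part of the thread and not HijackThis code, here is a small Python parser for those lines plus a flagging rule that reproduces the selection above: anything whose file is missing, whose service owner is unknown, whose BHO has no name, or whose file name is on an indicator list. The sample log is a constructed excerpt: the five lines quoted in the post plus one made-up benign AVG autorun entry (AVG7_CC, an assumption) so the rule has something to leave alone.

```python
"""Parse HijackThis (HJT) log lines and flag the entries worth fixing."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt: the five lines quoted in the thread plus one
# made-up benign autorun line (AVG7_CC) that should NOT be flagged.
SAMPLE_LOG = r"""
Logfile of HijackThis (constructed excerpt)
O2 - BHO: (no name) - {48E5651B-2335-41FE-A71D-64332BB9ACDF} - C:\WINDOWS\System32\sstro.dll (file missing)
O2 - BHO: (no name) - {8C5DD480-BEB0-436A-A18C-16458422CCF8} - C:\Program Files\Internet Explorer\holenu83122.dll
O4 - HKLM\..\Run: [{ZN}] C:\WINDOWS\itpb_11.exe SKY003
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\gtndpsyt.exe (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
"""

# File names named in the thread as belonging to the infection.
THREAD_INDICATORS = ["gtndpsyt.exe", "itpb_11.exe", "sstro.dll", "holenu83122.dll"]

LINE_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# First drive-letter path up to a binary extension; stops before trailing args like "SKY003".
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll|sys|ocx|cpl))", re.IGNORECASE)


@dataclass
class HjtEntry:
    section: str            # O2 (BHO), O4 (autorun), O9 (IE button), O23 (service), ...
    name: str               # BHO display name, Run value name, button or service name
    clsid: Optional[str]
    path: Optional[str]
    file_missing: bool      # HJT's "(file missing)" marker
    unknown_owner: bool     # HJT could not attribute the service to a vendor
    raw: str


def _entry_name(rest: str) -> str:
    # O4 lines carry the Run value name in square brackets: [{ZN}] C:\...
    m = re.search(r"\[([^\]]*)\]", rest)
    if m:
        return m.group(1)
    # Other sections read "<kind>: <name> - <clsid or owner> - <path> ..."
    _, _, after_kind = rest.partition(": ")
    return after_kind.split(" - ", 1)[0].strip()


def parse_hjt_log(text: str) -> List[HjtEntry]:
    """Turn every 'Onn - ...' line of an HJT log into an HjtEntry; skip everything else."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        section, rest = m.groups()
        clsid = CLSID_RE.search(rest)
        path = PATH_RE.search(rest)
        entries.append(HjtEntry(
            section=section,
            name=_entry_name(rest),
            clsid=clsid.group(0) if clsid else None,
            path=path.group(1) if path else None,
            file_missing="(file missing)" in rest,
            unknown_owner="Unknown owner" in rest,
            raw=line.strip(),
        ))
    return entries


def flag_entries(entries: List[HjtEntry], bad_files: List[str]) -> List[HjtEntry]:
    """Entries to tick in HJT: dangling, unattributed, nameless, or on the indicator list."""
    bad = {f.lower() for f in bad_files}
    flagged = []
    for e in entries:
        fname = e.path.rsplit("\\", 1)[-1].lower() if e.path else ""
        if e.file_missing or e.unknown_owner or e.name == "(no name)" or fname in bad:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in flag_entries(parse_hjt_log(SAMPLE_LOG), THREAD_INDICATORS):
        print(f"{e.section:<4} {e.name:<15} {e.path}")
```

Run it over a saved HJT log to get the subset of lines to check before pressing Fix; the "(no name)" and "Unknown owner" rules are heuristics and will occasionally catch a legitimate entry, so read the path before ticking it.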

  3. #3
    Join Date: Jul 2007, Posts: 9
    Judy,


    I went to safe mode, and disabled the domain service.

    I did not find gtndpsyt.exe in the system32 folder or any zeno programs in the control panel or the itpb_11.exe program in the windows folder.

    I rebooted to normal mode and did fix all those items listed in hjt scan.

    I rebooted again to normal mode and ran kaspersky and hjt whose logs are attached below.

    I appreciate your help very much,


    Brant

  4. #4
    Join Date: Aug 2006, Location: The Middle, Age: 80, Posts: 4,079
    Well Brant, I have good news and bad news....
    The good news is the HJT log looks much better, the items you removed don't show anymore...
    The bad news...
    Much of what you thought had been deleted, shown in the earlier Kaspersky scan, remains in this one too.
    Then download the Microsoft Windows Malicious Software Removal Tool.

    Next go here;
    C:\Documents and Settings\Brant\.housecall6.6\Quarantine\
    Get rid of the items in that Quarantine folder. These are viruses which HAVE been removed but are in Quarantine. You don't need to keep it, and it does contain some of what Kaspersky notes, so get rid of it so that Kaspersky won't note it anymore.

    All those infected emails still show in the Kaspersky scan, which means they have not been deleted.

    Please print out this information.

    Shut down the computer. Physically UNPLUG the Internet Cable
    Then boot to SAFE MODE again and try the manual removal once more;
    Once you get to safe mode try this;
    Go to Start > Run and type cleanmgr in the box. Let it scan your system for files to remove. Make sure Temporary Internet Files and Temporary Files are checked, and click OK.

    The infected files show in these locations. Follow the instructions exactly;

    C:\Documents and Settings\Brant\Application Data\Thunderbird\Profiles\vnise0n7.default\Mail\Local Folders\Inbox/
    There are still 16 showing, same trojan, the Trojan-Spy.HTML.Bankfraud.ri

    You have to follow the trail EXACTLY as shown. So these are found here. Don't just open the Thunderbird program; do it this way:
    C:\Documents and Settings\
    Brant\
    Application Data\
    Thunderbird\
    Profiles\
    vnise0n7.default\
    Mail\
    Local Folders\
    Inbox/
    If you have more than one profile in the Thunderbird mail program, the profile you have to go to is vnise0n7.default.
    That is where they are located, in that Inbox. Don't save them, don't put them on a disk, they are phishing mails which, if you follow the link given in them will take you to a site where the trojan will load to the computer. There are 16 of these, remove them ALL.

    Trojans are still present here, in this folder:
    C:\Documents and Settings\Brant\Local Settings\Temporary Internet Files\Content.IE5\UVQ9GHUD\

    Again, you have to go exactly to the folders noted;
    First go to C:\Documents and Settings\
    then to \Brant\
    then to \Local Settings\
    then to \Temporary Internet Files\
    then to \Content.IE5\
    then to \UVQ9GHUD\
    Empty that folder.

    Open and run Microsoft Malicious Software Removal Tool and fix what it finds.

    Reconnect your Internet Cable


    Now reboot to Safe Mode with Networking and continue -->
    (Use of Internet Explorer is required for this step)

    Try two more online scans, this time try both Panda and TrendMicro.
    If they allow you to fix items found, let them.
    If they don't then just save the logs.
    Run Kaspersky again AFTER running those two others. Save the log.
    Reboot to Normal mode and post back here with logs of all the programs you have run.
    We are going to get these!
    Judy
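Judy's point above is that the 16 phishing mails live inside the Thunderbird Inbox file, which is a plain mbox; the Inbox.msf next to it is only an index that Thunderbird rebuilds on its next start. As an added example that is not from the thread and not a Thunderbird or Kaspersky tool, the Python below copies an mbox while dropping messages that link to a blocked host or whose link text shows one site while the href points at another (the usual bank-phish trick that Kaspersky reports as HTML.Bankfraud-style detections). The host blocklist, the mailbox path names and the three sample messages (two phishing, one harmless) are constructed for the demo; real messages would be matched against the hosts from your own scan log.

```python
"""Remove phishing messages from a Thunderbird mbox folder instead of deleting the folder.

Added example. BLOCKED_HOSTS and the sample mails are constructed; the Inbox/Inbox.clean
file names are assumptions. Thunderbird rebuilds the .msf index on its next start."""
import mailbox
import os
import re
import tempfile
from email.message import EmailMessage
from urllib.parse import urlparse

# Constructed indicator list (assumption): hosts the phishing mails link to.
BLOCKED_HOSTS = {"phish-host.invalid", "203.0.113.5"}

ANCHOR_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>',
                       re.IGNORECASE | re.DOTALL)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def looks_like_phish(body: str) -> bool:
    """True if the body links to a blocked host, or an anchor's visible text names one
    site while its href goes to another."""
    for href, label in ANCHOR_RE.findall(body):
        if _host(href) in BLOCKED_HOSTS:
            return True
        shown = URL_RE.search(label)
        if shown and _host(shown.group(0)) != _host(href):
            return True
    return any(_host(u) in BLOCKED_HOSTS for u in URL_RE.findall(body))


def _body_text(msg) -> str:
    """Concatenate the decoded text/* parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def clean_mbox(src_path: str, dst_path: str):
    """Copy src mbox to dst without the phishing messages. Returns (kept, removed) subjects."""
    src, dst = mailbox.mbox(src_path), mailbox.mbox(dst_path)
    kept, removed = [], []
    try:
        for msg in src:
            if looks_like_phish(_body_text(msg)):
                removed.append(msg["Subject"])
            else:
                dst.add(msg)
                kept.append(msg["Subject"])
        dst.flush()
    finally:
        src.close()
        dst.close()
    return kept, removed


def build_sample_mbox(path: str) -> None:
    """Write three constructed messages: two phishing, one legitimate (not real mail)."""
    box = mailbox.mbox(path)

    def add(subject, sender, body, subtype="plain"):
        m = EmailMessage()
        m["From"], m["To"], m["Subject"] = sender, "brant@example.invalid", subject
        m.set_content(body, subtype=subtype)
        box.add(m)

    add("Urgent: verify your account", "alerts@examplebank.invalid",
        '<p>Sign in at <a href="http://203.0.113.5/login.php">'
        'https://www.examplebank.invalid</a></p>', "html")
    add("Lunch on Friday?", "friend@example.invalid", "Still on for noon?")
    add("Security notice", "security@examplebank.invalid",
        "Confirm your details: http://phish-host.invalid/verify?id=42")
    box.flush()
    box.close()


def run_demo():
    """Build the constructed Inbox in a temp dir, clean it; return (kept, removed, remaining)."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "Inbox")
    dst = os.path.join(workdir, "Inbox.clean")
    build_sample_mbox(src)
    kept, removed = clean_mbox(src, dst)
    return kept, removed, len(mailbox.mbox(dst))


if __name__ == "__main__":
    print(run_demo())
```

To apply it to a real profile: close Thunderbird, run clean_mbox on Mail\Local Folders\Inbox, replace Inbox with the cleaned copy, delete Inbox.msf so the index is regenerated, and keep the removed copy off the machine rather than on a CD, as Judy says.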

  5. #5
    Join Date: Jul 2007, Posts: 9
    Just a partial update as scans are still running.

    I removed the housecall folder

    Went to safemode w/ no internet cable.

    Tried to run cleanmgr, but the program locked up and I had to use task manager to cancel it. It did the same when I tried again. I used the ATF cleaner program to empty those folders.

    I went via the folder system to vnise0n7.default\
    Mail\
    Local Folders\
    Inbox

    I deleted the inbox and also the inbox.msf file, as well as the trash and trash.msf files. I assume this will delete all the e-mails in those mailboxes (the inbox is supposedly empty if I open Thunderbird, and the trash I don't need).

    Both \Brant\Local Settings\Temporary Internet Files\
    and \Brant\Local Settings\Temp folders were empty.
    I could not find a contents.ie5 folder.

    I'm running the microsoft program currently. Will continue w/ your instructions.

    thanks,
    Brant

  6. #6
    Join Date: Aug 2006, Location: The Middle, Age: 80, Posts: 4,079
    Try looking HERE, Brant, for those Content.IE5 folders:
    C:\Documents and Settings\Local Service\Local Settings\Temporary Internet Files\Content.IE5
    AND here
    C:\Documents and Settings\Network Service\Local Settings\Temporary Internet Files\Content.IE5

    I think it is odd that the Kaspersky scan says they are located here;
    C:\Documents and Settings\Brant\Local Settings\Temporary Internet Files\Content.IE5\
    and you did find them there before, but now they are not there?
    I checked on mine, and mine are not located under my default name either, but under the two I just gave you.
    Anyway... if you find those files (look in both places), open all four oddly named folders, select all, and delete all you find in the FOLDERS. Don't delete the folders themselves.

  7. #7
    Join Date: Jul 2007, Posts: 9
    I'll check again. But here are the log files. I also ran housecall, but did not see an option for a log file.

    thank you,
    Brant