
Thread: Advertising pop ups / temp internet files


  1. #1
    Join Date
    Jan 2008
    Posts
    11

    Advertising pop ups / temp internet files

    For the last week I have been having problems with advertising pop ups appearing all the time and my temporary internet file clogged with items and cookies when I am online. These pop ups appear even when the computer is lying dormant - the titles on these pages usually start CiD???????????.
    I have completed all necessary cleaning, spyware programs, etc as per your instructions in the "Read Me" section. Although they have found several different viruses, trojans,(inc. downloader.swizzor, trojan.generic.25658) the problem persists. I have attached Kaspersky report, BitDefender report and Hijackthis report.

    Any help gratefully received, many thanks

  2. #2
    Join Date
    Aug 2006
    Posts
    578

    Hello Footloose,

    Please do the following:
    • Download combofix.exe by sUBs to the infested computer's Desktop.
    • Alternate Download
    • (If you already have a previous version, delete it and download a new version).
    • Double click combofix.exe & follow the prompts.
      Note: Combofix will automatically disconnect your Internet connection when it runs, do not reconnect it.


    When it finishes, it ought to
    • Produce a log for you. ( C:\ComboFix\ComboFix.txt)
    • Restore your Internet connection.


    IMPORTANT:
    • Do not use your computer while Combofix is running.
    • Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
      If you've lost your Internet connection when Combofix has completely finished, re-start your computer to restore it.


    Please post the log for us and we'll go from there.

    Please hang in there until Judy can have a look at the logs - I don't work with malware too often these days due to other commitments.

    Best Luck
    PP

  3. #3
    Join Date
    Jan 2008
    Posts
    11
    Thanks for your prompt reply.

    I have done the combofix and have attached the log.

    Regards
    Footloose

  4. #4
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    One thing I notice right away in your HJT log and in Combofix logs is this program...MessengerPlus3;
    third party MSN Messenger extension that adds a number of useful features. Bundles the hard to remove C2Media LOP adware....detected as Swizzor Trojan
    With time frame you note I think this is at least one of your problems as MessengerPlus3 was downloaded and installed on 1/25/2008.

    First thing you need to do is this; Enable Viewing of Hidden Files and Folders

    Next update Spybot S & D, Avg Anti-spyware. Then close them, you will use them later.

    Next step will be to try to uninstall Messenger Plus! via ADD/Remove.

    However a key thing here BEFORE uninstalling is it is essential that all other programs be shut down during uninstall, especially Internet Explorer along with all your anti-spy programs, anti-virus and firewall.
    You show multiple anti-spy programs running on the computer...too many for my tastes really. Too many can actually interfere with each other and therefore lessen the protection you are trying to achieve.

    Because you want none of those programs running in the background you should do removal by disconnecting from the internet, actually remove the cable from the computer and then boot to SAFE MODE and then to be safe check the Task Manager to be absolutely certain that NONE of the following programs are running in the background;

    Windows Defender
    Sygate Firewall
    Ad-Aware 2007
    AVG Anti-Spyware 7.5
    AVGFREE Anti-virus
    ewido anti-spyware 4.0 (this is way, way out of date by the way. AVG Anti-spyware 7.5 is the current version and therefore you have TWO copies of essentially the same program running on this machine.) UNINSTALL EWIDO Completely
    Spyware Doctor
    Spyware Terminator
    Spybot Search & Destroy
    ccleaner (you don't need this running in the background anyway)
    SUPERAntiSpyware
    8 Anti-spyware programs running all the time are entirely too many anyway. I really would like to see you uninstall all programs noted above in bold letters and all the other anti-spy programs should remain TURNED OFF until you are either told to run the program OR until the computer is clean. They CAN interfere with removal of some infections.

    Once you have booted to SAFE MODE then do a default scan with CCleaner to remove all temp files.

    Next go to the Control Panel, Add/Remove
    Look for the following and uninstall if found;
    Messenger Plus!
    CiD Help / CiD Manager
    Download Plugin for Internet Explorer
    Zone Media

    Win32.Swizzor

    Once you have done the above steps then, still in Safe Mode please do a file search by going to Start, Search, Files and Folders and search for the following and if found delete the FILE noted in RED; Do NOT delete the folder it is in, just the file.

    C:\WINDOWS\pack.epk
    C:\Program Files\Messenger Plus! Live

    If you don't find them, don't worry about it.

    After your search then, STILL in SAFE MODE...run a full scan with Spybot Search & Destroy. Fix everything found.
    Then run a Full Scan with AVG Anti-spy and fix everything found. Please save the AVG Anti-spy log for posting here later.

    Now shut down the computer. Reconnect the Internet Cable.
    Reboot the computer to normal mode.
    Go to the Task Manager and make sure NONE of those Anti-spy programs are running if you find them then end the process.

    When you have done that then do the following;

    Please download NoLop to your desktop

    Close any other programs you have running as this will require a reboot.
    • Double click NoLop.exe to run it
    • Now click the button labelled "Search and Destroy"

      <<your computer will now be scanned for infected files>>
    • When scanning is finished you will be prompted to reboot only if infected. Click OK.
    • Now click the "REBOOT" Button.
    • A Message should popup from NoLop. If not, double click the program again and it will finish.
    • Please Post the contents of C:\NoLop.log along with a fresh HijackThis log and the AVG anti-spy log in your next post.
    Judy

  5. #5
    Join Date
    Jan 2008
    Posts
    11
    Have done everything requested and now attach NoLop / Hijackthis / AVG reports

    Thanks

  6. #6
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Sorry it took me awhile to get back to you. Things look better. I need you to Enable Viewing of Hidden Files and Folders.

    Once you have done this please reboot to Safe Mode.

    Then go to Start, Search, Files and Folders.
    Search for this on "C" drive
    Test Army Book.exe

    If you find it, Delete it.

    If not, don't worry about it. Stay in Safe Mode. Uninstall ComboFix: go to Start > Run & type in ComboFix /u

    Reboot the computer to Normal Mode.

    • Double click combofix.exe & follow the prompts.
      Note: Combofix will automatically disconnect your Internet connection when it runs, do not reconnect it.

    When it finishes, it ought to
    • Produce a log for you. ( C:\ComboFix\ComboFix.txt)
    • Restore your Internet connection.

    IMPORTANT:
    • Do not use your computer while Combofix is running.
    • Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
      If you've lost your Internet connection when Combofix has completely finished, re-start your computer to restore it.

    Please post the log for us and we'll go from there.

  7. #7
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    I have asked PP to take a look at the newest ComboFix log to see if we have the same opinion.

  8. #8
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    It looks to us like things have been cleaned up.

    Uninstall ComboFix: go to Start > Run & type in ComboFix /u

    Next there are a few entries in the HJT log that you need to clean up and a few auto-start items which are completely unnecessary and can easily be run manually if needed, which will save on the possible excessive use of system resources.
    The first of these is ctfmon.exe. CTFMon is involved with the language/alternative input services in Office XP. CTFMON.exe will continue to put itself back into MSConfig when you run the Office XP apps as long as the Text Services and Speech applets in the Control Panel are enabled. Not required if you don't need these features.
    If you DO NOT use alternate languages with the Office Programs then do the following;
    Go to Start. Control Panel. Regional and Language Options. Languages TAB. Details BUTTON. Advanced TAB. "Turn off advanced text services" CHECK BOX.
    Next I recommend that you download and install Mike Lin's StartUp Control Panel
    to disable unnecessary start ups. Many folks use msconfig but this really is not the recommended way to do this since it is really suggested for use only for trouble shooting purposes.
    Download and install this little StartUp Control Panel. Once installed you will then find it in Start, Control Panel. It will show as a little computer icon and named Start Up. Just double click to open it. Then go through each TAB and remove the checkmark from the items I will list here. None of these are required for the running of the computer or for that specific program. All can be run manually when you need them;

    ISUSPM Startup>>>InstallShield Update Service Scheduler. Automatically searches for and performs any updates to the software so you’re always working with the most current version. Totally unnecessary.
    ISUSScheduler>>>InstallShield Update Service Scheduler. Automatically searches for and performs any updates to the software so you’re always working with the most current version
    REGSHAVE>>>Part of the USB driver for your Fuji digital cameras - used when uninstalling the USB drivers, erasing all entries from the registry. Only required BEFORE attempting to uninstall the Fuji software or the uninstall may not work correctly
    SunJavaUpdateSched>>>Checks with Sun's Java updates site to see if newer Java versions are available. Visit Sun's Java page or just run the Java Plug-In Control Panel. Doesn't work half the time anyway.
    Sony Ericsson PC Suite>>> for the Sony Ericsson P910 phone. This program can be used to synchronize your data between your PC and phone. You can start this program as necessary.
    QuickTime Task >>>System Tray access to Apple's "Quick Time" viewer from version 5 onwards. Not required.
    STManager>>>Dr. SpeedTouch is some sort of diagnostics software which sends out information to a server which then relays the information back to the program to test the network to see if the SpeedTouch ADSL modem connection is working properly. Not required if connected via Ethernet (and probably USB).
    ctfmon.exe>>>This will still show with a checkmark in it right now, even if you have followed my other step above so you will need to take the checkmark out of it in the StartUp Control Panel too.
    ccleaner>>>Definitely NOT required to run at start up. Can easily be run manually when you feel you need to do so.
    Adobe Reader Speed Launch>>>Supposedly speeds up the time it takes to load the Adobe Reader application, though only by a short and pretty much unnoticeable time. Your choice, but not required for Adobe Reader to function properly.
    Exif Launcher>>>USB mass storage driver used by some digital cameras such as the Fuji Finepix. Only required if you use it regularly
    Google Updater>>> Installed with various Google applications to download and alert you when there is a new update available.
    Microsoft Office>>>Application which launches common MS Office components to help speed up the launch of Office programs. It's somewhat of a resource hog, and some users claim there's no difference with or without it but it usually isn't required. Note - if you make use of the Microsoft Office Shortcut Bar outside an office program this application will need to be enabled for it to show

    Once you have removed the checkmarks in those noted above...remember these are all your choices, if you wish to leave any running at Start that is ok too, this will just reduce start times and keep these things from running all the time in the background...
    then run HJT again and place checkmarks next to the following entries;
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - blank (file missing)

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)

    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    Once you have placed the checkmarks next to those entries then click the Fix Checked button.
    Exit HJT.
    Reboot the computer and run one more HJT scan and place the log here.
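
An added example, not part of the original post and not code from HijackThis: a small Python parser that picks out the orphaned O2 (Browser Helper Object) entries the post above asks to fix, i.e. those whose target is reported as "(no file)" or "(file missing)". The first five sample lines are the ones quoted in the post; the last line and the function names are constructed for illustration.

```python
import re

# Five lines quoted in the post above, plus one constructed healthy entry.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - blank (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O2 - BHO: Constructed Example - {00000000-0000-0000-0000-000000000000} - C:\Example\helper.dll
"""

# "<section> - <body>", e.g. "O2 - BHO: ..." or "O23 - Service: ..."
ENTRY = re.compile(r"^(?P<section>[OFRN]\d{1,2}) - (?P<body>.+)$")
# Body of an O2 line: "BHO: <name> - {CLSID} - <target>"
BHO = re.compile(
    r"^BHO: (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - "
    r"(?P<target>.*)$"
)
# Trailing marker meaning the registry entry points at nothing on disk.
ORPHAN = re.compile(r"\((?:no file|file missing)\)\s*$", re.IGNORECASE)


def parse_entries(log_text):
    """Return one dict per recognisable log line; other lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        entry = {"section": m["section"], "body": m["body"], "name": None,
                 "clsid": None, "orphaned": bool(ORPHAN.search(m["body"]))}
        if m["section"] == "O2":
            b = BHO.match(m["body"])
            if b:
                # CLSIDs are case-insensitive; normalise for comparison.
                entry.update(name=b["name"], clsid=b["clsid"].upper())
        entries.append(entry)
    return entries


def orphaned_bhos(log_text):
    """O2 entries whose DLL is missing: registry leftovers safe to review."""
    return [e for e in parse_entries(log_text)
            if e["section"] == "O2" and e["orphaned"]]


if __name__ == "__main__":
    for e in orphaned_bhos(SAMPLE_LOG):
        print(e["clsid"], "-", e["name"])
```

The O23 service line is parsed but not reported, because its file exists; the post lists it for removal for a different reason (the outdated ewido install).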

  9. #9
    Join Date
    Jan 2008
    Posts
    11

    Have attached the new hijackthis log as requested.

    Can't thank you enough for all of your help

    Kind regards
    Footloose

  10. #10
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Looks pretty good, just a few suggestions; you are running four anti-spy applications in the background all the time. I would suggest cutting it down to just two. Turn off the AdAware 2007 and the AVG Anti-spyware guard. Just use those two for weekly scans and let the other two...Windows Defender and Superantispyware be the residents. Get too many running and it really defeats the purpose of these programs because they oftentimes fight against each other and allow something to come in by accident.

    I would also recommend that you download, install and update and then enable (including the Restricted Sites Section) Spyware Blaster
    It is highly recommended at nearly every malware fighting forum. It is free and it doesn't run in the background. Just manually update each week. As PP notes in his Protect Yourself Sticky
    A Must Have Tool! Blocks malicious ActiveX installs by implementing a “kill bit” to prevent those ActiveX programs with known CLSIDs from being executed.
    And unlike many other anti-spy apps, SpywareBlaster does not have to remain running in the background. Very highly recommended! From Javacool Software.
    I also note that you now have MSN Messenger set to run at Start Up and it was running in the background in this latest scan. It was listed in auto start in the first HJT scan but not the second. The choice is yours of course but if you don't use MSN Messenger often, this can be annoying. Available via Start -> Programs. Go to MS Messenger > Tools > Options > Preferences and uncheck "Run this program when Windows starts."

    Finally, now that the computer is clean you need to set a new, clean System Restore point. To do this, Right Click My Computer. Choose Properties. When System Properties opens click the System Restore Tab. When that opens put a dot or checkmark in Turn Off System Restore and click OK. You may get a warning that System Restore is turning off, just click ok. Let it turn off. Wait a moment and then do the reverse and turn it back on. You will be left with a new, clean System Restore point.

    I hope you are no longer getting the pop-ups or excessive temp files...be sure that your Internet Explorer is set to receive cookies only when you visit the website. You can do this by going up to Tools, Internet Options, Browsing History Settings. Also while there reduce the disk space to use to no larger than 50MB...I actually have mine set at 10MB and it works fine. Also be sure that you have the Privacy Section set to Medium.
    Hope all the problems are corrected and you are surfing happy
    Judy
