Author Topic: [Resolved] Ads popping up in new tabs in my browser  (Read 9971 times)


Offline zachL

  • Bronze Member
  • Posts: 34
[Resolved] Ads popping up in new tabs in my browser
« on: October 26, 2010, 10:51:01 am »
Hello,

I have some kind of spyware / malware infection and could use the group's help.  At random times, I've been getting ad windows popping up in new browser tabs.  They often are for the same couple of places-- fb-survey, redeemyourprize.com, and something that looks like a news site, complete with video that plays automatically.  Whatever I have also seems to affect the audio playback on my computer too--- most of these pop-up sites make noise of some kind (people saying something, telling me to buy something, etc...) which I hear fine, but when I go to Youtube e.g. I can't get any audio to play.  If I shut down and restart, I can get audio to play.

I've tried Malware Bytes, Windows Defender, and a couple of other scans, but they all say there are no infected files and everything is fine.  It is not....

Hijack This Log is below.

Any help would be great!  Thanks!

Zach

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:18:18 PM, on 10/25/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Ask and Record Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [MSConfig] "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" /auto
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinner.com/games/v44/scrabblecubes/scrabblecubes.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 5826 bytes
« Last Edit: November 02, 2010, 11:53:03 am by kevinf80 »



Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7349
Re: [Resolved] Ads popping up in new tabs in my browser
« Reply #1 on: October 26, 2010, 11:20:28 am »
Hello ZachL and welcome to SpywareHammer,

I'm kevinf80 and I will be helping with any malware issues you may have with your system.
  • Please be aware that some of the logs I may ask for can be very complex and can take a long time to decipher. I am a volunteer here with a job and family so I ask that you be patient when waiting for replies.
  • Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.
  • Either print or Save to Notepad all instructions and please follow them carefully, if there's something you don't understand or that will not work please let me know and we will go through it together.
  • Malware is often buggy and can be very unstable, with that in mind it is advisable to backup any important data before we begin.
  • If you do not reply within 72 hours the thread will be closed, if you need more time let me know. Likewise if I do not respond within 48 hours feel free to PM me.
  • If you have any P2P applications installed such as BitTorrent, uTorrent, Limewire etc etc, please uninstall them before we begin.
  • If you are using Cracked or Illegal software your thread will be locked and all help will cease.

Please proceed as follows :-

Step 1

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

Combofix

Don't forget Combofix must be saved to your desktop. <--Very important

Ensure you have disabled your Firewall and all anti virus and anti malware programs so they do not interfere with the running of ComboFix. <---Very important

Please include the C:\ComboFix.txt in your next reply for further review.

Examples of how to disable realtime protection available at the following link :-

Disable realtime protection


Note:  Do not click combofix's window with your mouse while it's running. That action may cause it to stall.

*EXTRA NOTES*
  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

Step 2

Download Security Check by screen317 from HERE or HERE.
Save it to your Desktop.
Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Post the logs from Combofix and Security Checks in your reply, also any specific reason why you have not updated to SP3?

Kevin

Offline zachL

  • Bronze Member
  • Posts: 34
Re: [Resolved] Ads popping up in new tabs in my browser
« Reply #2 on: October 26, 2010, 12:16:29 pm »
Hi Kevin,

Thanks for your help!  I will start working on these things this afternoon and post again here when I have completed them.

As far as SP2 vs SP 3 goes, I don't really remember.  I think there might have been something I was doing at some point that needed SP2, but I honestly don't remember what or why.

Thanks and talk soon,

Zach

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7349
Re: [Resolved] Ads popping up in new tabs in my browser
« Reply #3 on: October 26, 2010, 12:27:37 pm »
OK Zach, thanks for letting me know. Post the logs when you're ready, I'll be around...

Kevin

Offline zachL

  • Bronze Member
  • Posts: 34
Re: [Resolved] Ads popping up in new tabs in my browser
« Reply #4 on: October 26, 2010, 01:40:14 pm »
Hi Kevin,

I installed Combofix and started to run it.  However, it seems stopped on the screen that says "Scanning for infected files.... this typically doesn't take more than 10 minutes, etc...."

I have been on that screen for over an hour now, without anything else coming up.

Should I close the Autoscan window and re-launch?

Thanks,

Zach

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7349
Re: [Resolved] Ads popping up in new tabs in my browser
« Reply #5 on: October 26, 2010, 02:16:22 pm »
Hiya Zach,

Yep abort that run. Make sure all security is turned off, that includes Windows Defender. Next,

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

"%userprofile%\desktop\combofix.exe" /killall

Let me know if you still have trouble running CF.

Kevin

Offline zachL

  • Bronze Member
  • Posts: 34
Re: [Resolved] Ads popping up in new tabs in my browser
« Reply #6 on: October 26, 2010, 02:54:35 pm »
Hi Kevin,

I just tried typing the line you have there into the run box and it says Windows can't find the file.  I did a search for the combofix.exe file and it does seem like the path is correct.

What should I do?

Sorry this is so complicated...

Thanks,

Zach

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7349
Re: [Resolved] Ads popping up in new tabs in my browser
« Reply #7 on: October 26, 2010, 03:06:01 pm »
Hiya Zach,

OK let's try a different way, delete Combofix from your desktop and d/l again from either of the following links:

Link 1
Link 2

Before you save it to the Desktop re-name to Gotcha.exe as below:



Then run as previously instructed, if Combofix asks to install the Recovery Console please allow it.

Kevin

Offline zachL

  • Bronze Member
  • Posts: 34
Re: [Resolved] Ads popping up in new tabs in my browser
« Reply #8 on: October 26, 2010, 04:12:17 pm »
Hi Kevin,

Re-downloaded and re-launched ComboFix.exe (labeled Gotcha.exe) but it's hanging up in the same place ---  the "Scanning for infected files..." screen. 

The first go around it asked to install the recovery console, so I did that then.

Thanks,

Zach

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7349
Re: [Resolved] Ads popping up in new tabs in my browser
« Reply #9 on: October 26, 2010, 04:23:01 pm »
Reboot into Safe mode and try again

Offline zachL

  • Bronze Member
  • Posts: 34
Re: [Resolved] Ads popping up in new tabs in my browser
« Reply #10 on: October 26, 2010, 05:30:01 pm »
Hi Kevin,

Just tried rebooting in Safe mode and re-launching Combofix and Combofix hangs in exactly the same place unfortunately...

Any ideas of what to do next?

Best,

Zach

Offline zachL

  • Bronze Member
  • Posts: 34
Re: [Resolved] Ads popping up in new tabs in my browser
« Reply #11 on: October 26, 2010, 05:31:57 pm »
Also... Can I use my computer for other things while I am trying to get rid of the malware?  For instance, my email client is on the infected computer and would like to use email from that computer if possible.

Thanks!

Zach

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7349
Re: [Resolved] Ads popping up in new tabs in my browser
« Reply #12 on: October 26, 2010, 05:44:46 pm »
Hiya Zach,

I would not recommend using an infected system for other than replying here, proceed as follows please :-

Please download Rkill by Grinler and save it to your desktop.

Link 2
Link 3
Link 4
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log. Please post this in your next reply.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.

If you get a successful run try CF again please,

Kevin

Offline zachL

  • Bronze Member
  • Posts: 34
Re: [Resolved] Ads popping up in new tabs in my browser
« Reply #13 on: October 26, 2010, 06:52:24 pm »
Hi Kevin,

Ok, so I downloaded and ran rkill.  Here is the log for that:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Owner on 10/26/2010 at 20:47:09.


Services Stopped:


Processes terminated by Rkill or while it was running:


C:\Documents and Settings\Owner\My Documents\Downloads\rkill.scr


Rkill completed on 10/26/2010  at 20:47:12.


I will now try combofix again and let you know what happens with that.

Thanks,

Zach

Offline zachL

  • Bronze Member
  • Posts: 34
Re: [Resolved] Ads popping up in new tabs in my browser
« Reply #14 on: October 26, 2010, 07:11:28 pm »
Hi Kevin,

Tried ComboFix again after rkill and it still hangs in the same place and nothing seems to happen after the screen that says "Scanning for infected files...this doesn't typically take more than 10 minutes, etc...."

I have to go out now for a couple of hours, but will try again when I get back home.

Thanks, best,

Zach