IExplore auto popup ads

[rockdale]

Hi, all:

I believe my computer affect with some virus, everytime I use IE to
surf internet, a new IE window is popup with some ads webpages. I
tried run Sophos and Norton Anti-virus, but both did not find any
virus. I also ran HIJackThis.exe, and with nothing been found. Anybody
can help. If you want the log file of HIJACKTHIS, I can post it here.

Thanks a lot
-rockdale

 

[Maybe Not]

Hi, all:

I believe my computer affect with some virus, everytime I use IE to
surf internet, a new IE window is popup with some ads webpages. I
tried run Sophos and Norton Anti-virus, but both did not find any
virus. I also ran HIJackThis.exe, and with nothing been found. Anybody
can help. If you want the log file of HIJACKTHIS, I can post it here.

Thanks a lot
-rockdale

You are far too stupid to own a computer. Throw it away.

 

[tneustaedter]

Hi, all:

I believe my computer affect with some virus, everytime I use IE to
surf internet, a new IE window is popup with some ads webpages. I
tried run Sophos and Norton Anti-virus, but both did not find any
virus. I also ran HIJackThis.exe, and with nothing been found. Anybody
can help. If you want the log file of HIJACKTHIS, I can post it here.

Thanks a lot
-rockdale

I've got two suggestions for you:

1. Go to the support sites for a couple different antivirus companies
and post them a message. You can usually upload the offending file
with your post. They'll let you know if it's infected with
anything.
2. While you're waiting for a response, you might want to try a few
other antivirus tools. Here's a list of a few different ones to try.
Some have trial software you can download, some don't.

<UL>
<LI><A onmouseover="window.status='http://
www.pandasecurity.com/';return true;" onmouseout="window.status='
';return true;" href="http://www.kqzyfj.com/
pc98xdmjdl03573849021498811" target=_blank>Panda Antivirus</A></LI>
<LI><A onmouseover="window.status='http://eset.com';return true;"
onmouseout="window.status=' ';return true;" href="http://
www.jdoqocy.com/51106efolfn25795A6B2437B6C43" target=_blank>NOD32
Antivirus System</A></LI>
<LI><A onmouseover="window.status='http://www.zonelabs.com';return
true;" onmouseout="window.status=' ';return true;" href="http://
www.jdoqocy.com/co115cy63y5LOQSOTPULNMQNNRSP" target=_blank>ZoneAlarm
Antivirus</A></LI>
<LI><A onmouseover="window.status='http://www.trendmicro.com';return
true;" onmouseout="window.status=' ';return true;" href="http://
www.kqzyfj.com/hj115lnwtnvADFHDIEJACBFDEDHH" target=_blank>PC-cillin
AntiVirus</A></LI>
<LI><A onmouseover="window.status='http://www.kaspersky.com';return
true;" onmouseout="window.status=' ';return true;" href="http://
www.jdoqocy.com/en98ft1zt0GJLNJOKPGIHLHHIHH" target=_blank>Kaspersky
Anti-Virus</A></LI>
<LI><A onmouseover="window.status='http://www.cogenmedia.com/ca/
products/security';return true;" onmouseout="window.status=' ';return
true;" href="http://www.kqzyfj.com/8p105r09608ORTVRWSXOQPTWSRYP"
target=_blank>CoGen AntiVirus</A></LI>
<LI><A onmouseover="window.status='http://www.ca.com';return true;"
onmouseout="window.status=' ';return true;" href="http://
www.jdoqocy.com/rl82dlurlt8BDFBGCH8A9D9BIEH" target=_blank>Computer
Associates Anti-Virus</A></LI>
<LI><A onmouseover="window.status='http://www.defender-pro.com';return
true;" onmouseout="window.status=' ';return true;" href="http://
www.jdoqocy.com/ng122y1A719PSUWSXTYPRQUTWYTQ"
target=_blank>DefenderPro Anti-Virus Software</A></LI>
</UL>

The above links are straight off of my <a href="http://
www.sookesoft.com/ProductReview.aspx?ID=5">anti virus</a> help page.

Hopefully one of these companies can lend some assistance.

In either case, let me know what you find out.

Good luck,

Ted Neustaedter
Sooke Software Source
http://www.sookesoft.com

 

[tneustaedter]

Whoops, sorry about that... didn't mean to get the HTML in there...
here's a cleaned up version:

I've got two suggestions for you:

1. Go to the support sites for a couple different antivirus companies
and post them a message. You can usually upload the offending file
with your post. They'll let you know if it's infected with
anything.
2. While you're waiting for a response, you might want to try a few
other antivirus tools. Here's a list of a few different ones to try.
Some have trial software you can download, some don't.


www.pandasecurity.com - Panda Antivirus
http://www.zonelabs.com - ZoneAlarm
http://www.trendmicro.com - PC-cillin
http://www.kaspersky.com - Kaspersky Anti-Virus
http://www.cogenmedia.com/ca/products/security - CoGen AntiVirus
http://www.ca.com - Computer Associates Anti-Virus
http://www.defender-pro.com - DefenderPro Anti-Virus Software

The above links are straight off of my anti virus help page:
http://www.sookesoft.com/ProductReview.aspx?ID=5

Hopefully one of these companies can lend some assistance.

In either case, let me know what you find out.


Good luck,


Ted Neustaedter
Sooke Software Source
http://www.sookesoft.com

 

[tneustaedter]

Hi, all:

I believe my computer affect with some virus, everytime I use IE to
surf internet, a new IE window is popup with some ads webpages. I
tried run Sophos and Norton Anti-virus, but both did not find any
virus. I also ran HIJackThis.exe, and with nothing been found. Anybody
can help. If you want the log file of HIJACKTHIS, I can post it here.

Thanks a lot
-rockdale

I've got two suggestions for you:

1. Go to the support sites for a couple different antivirus companies
and post them a message. You can usually upload the offending file
with your post. They'll let you know if it's infected with
anything.

2. While you're waiting for a response, you might want to try a few
other antivirus tools. Here's a list of a few different ones to try.
Some have trial software you can download, some don't.

http://free.grisoft.com - AVG Antivirus (Free version)
http://www.grisoft.com - AVG Antivirus
http://www.pandasecurity.com - Panda Antivirus
http://eset.com - NOD32 Antivirus System
http://www.zonelabs.com - ZoneAlarm Antivirus
http://www.trendmicro.com - PC-cillin AntiVirus
http://www.kaspersky.com - Kaspersky Anti-Virus
http://www.cogenmedia.com/ca/products/security - CoGen AntiVirus
http://www.ca.com - Computer Associates Anti-Virus
http://www.defender-pro.com - DefenderPro Anti-Virus Software

The above links are straight off of my anti virus help page -
http://www.sookesoft.com/ProductReview.aspx?ID=5.

Hopefully one of these companies can lend some assistance.

In either case, let me know what you find out.

Good luck,

Ted Neustaedter
Sooke Software Source
http://www.sookesoft.com

 

[tneustaedter]

Hi, all:

I believe my computer affect with some virus, everytime I use IE to
surf internet, a new IE window is popup with some ads webpages. I
tried run Sophos and Norton Anti-virus, but both did not find any
virus. I also ran HIJackThis.exe, and with nothing been found. Anybody
can help. If you want the log file of HIJACKTHIS, I can post it here.

Thanks a lot
-rockdale

I've got two suggestions for you:

1. Go to the support sites for a couple different antivirus companies
and post them a message. You can usually upload the offending file
with your post. They'll let you know if it's infected with
anything.

2. While you're waiting for a response, you might want to try a few
other antivirus tools. Here's a list of a few different ones to try.
Some have trial software you can download, some don't.

http://free.grisoft.com - AVG Antivirus (Free version)
http://www.grisoft.com - AVG Antivirus
http://www.pandasecurity.com - Panda Antivirus
http://www.zonelabs.com - ZoneAlarm
http://www.trendmicro.com - PC-cillin
http://www.kaspersky.com - Kaspersky Anti-Virus
http://www.cogenmedia.com/ca/products/security - CoGen AntiVirus
http://www.ca.com - Computer Associates Anti-Virus
http://www.defender-pro.com - DefenderPro Anti-Virus Software

If you have any other questions, you can follow this link to my anti
virus help page (that's where most of the above links come from):
http://www.sookesoft.com/ProductReview.aspx?ID=5

Hopefully one of these companies can lend some assistance.

In either case, let me know what you find out.

Good luck,


Ted Neustaedter
Sooke Software Source
http://www.sookesoft.com

 

[Maybe Not]

Piss off you spamming ****

 

[Beauregard T. Shagnasty]

I've got two suggestions for you:

That would be eight suggestions then?

 

[Duh_OZ]

Hi, all:

I believe my computer affect with some virus, everytime I use IE to
surf internet, a new IE window is popup with some ads webpages. I
tried run Sophos and Norton Anti-virus, but both did not find any
virus. I also ran HIJackThis.exe, and with nothing been found. Anybody
can help. If you want the log file of HIJACKTHIS, I can post it here.

Thanks a lot
-rockdale

========
Please DO NOT post the Hijackthis log here - this is not the forum for
it.

Please read this post on one of the many forums you can put the log:
http://tinyurl.com/yuv8tn

You can also try adaware and spybot (both free).

 

[Ant]

<LI><A onmouseover="window.status='http://
www.pandasecurity.com/';return true;" onmouseout="window.status='
';return true;" href="http://www.kqzyfj.com/
pc98xdmjdl03573849021498811" target=_blank>Panda Antivirus</A></LI>

The above links are straight off of my <a href="http://
www.sookesoft.com/ProductReview.aspx?ID=5">anti virus</a> help page.

And are deceptive, since what you see is not quite what you get. They
are not direct links to the AV companies listed but go to one of these
domains:

anrdoezrs.net
dpbolvw.net
jdoqocy.com
kqzyfj.com
tkqlhce.com

Which look like the kind of names that spammers, scammers and malware
distributors use. They are in fact used for Commission Junction
affiliate marketing purposes.

Best to not look suspicious when offering help with malware removal.

 

[David H. Lipman]

From: "rockdale" <[email protected]>

| Hi, all:
|
| I believe my computer affect with some virus, everytime I use IE to
| surf internet, a new IE window is popup with some ads webpages. I
| tried run Sophos and Norton Anti-virus, but both did not find any
| virus. I also ran HIJackThis.exe, and with nothing been found. Anybody
| can help. If you want the log file of HIJACKTHIS, I can post it here.
|
| Thanks a lot
| -rockdale

As noted, plaese do NOT poast a HJT log here. Duh_OZ posted a URL which provides oplaces
to properly do so.

Otherwise...


For non-viral malware...

Please download, install and update the following software...

* Ad-aware SE 2007
http://www.lavasoft.de/
http://www.lavasoftusa.com/
http://www.lavasoft.de/ms/index.htm

* SpyBot Search and Destroy v1.4
http://security.kolla.de/
http://www.safer-networking.org/microsoft.en.html

* SuperAntiSpyware
http://www.superantispyware.com/superantispywarefreevspro.html

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects
that may be on the PC.

* BHODemon

http://www.majorgeeks.com/downloadget.php?id=3550&file=11&evp=245a87539eea8ed6904332b4b8b8442d

For viral malware...

* Download MULTI_AV.EXE from the URL --
http://www.pctipp.ch/downloads/dl/35905.asp

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *

 

[Virus Guy]

For non-viral malware...
* Ad-aware SE 2007
* SpyBot Search and Destroy v1.4
* SuperAntiSpyware

Dave, do you not favor a comprehensive hosts file, such as:

http://www.mvps.org/winhelp2002/hosts.htm

?

 

[Leythos]

Dave, do you not favor a comprehensive hosts file, such as:

http://www.mvps.org/winhelp2002/hosts.htm

I'm not David, but:

A long time ago I used one, but we don't use them in corporate
environments and I don't personally use them. I'm very strict as to what
we allow access too, even in my home, so they don't do us much good.

--
Leythos - (e-mail address removed) (remove 999 to email me)

Learn more about PCBUTTS1 and his antics and ethic and his perversion
with Porn and Filth. Just take a look at some of the FILTH he's created
and put on his website: http://www.futurehardware.in/595578-2.htm all
exposed to children (the link I've include does not directly display his
filth). You can find the same information by googling for 'PCBUTTS1' and
'exposed to kids'.

 

[Virus Guy]

I'm not David, but:

A long time ago I used one, but we don't use them in corporate
environments and I don't personally use them.

Why not?

They are very efficient at blocking a lot of nuisance web-junk like
calls to tracking and advertizing domains as well as known
mal-domains. They can do that while not interferring with any
corporate stuff you have on your local, internal lan.

I'm very strict as to what we allow access too,
even in my home, so they don't do us much good.

If you're creating a "black-list" of domains yourself, there's no way
you're going to have as many entries as the hosts file I reference
above.

And just how do you go about allowing access? Messing with IE's
restricted zone? (that is so lame).

 

[Kayman]

Why not?

Because plethora of w/sites which, for some users, may interfere with
browsing. And, there are suitable alternatives available.

 

[Ant]

:

[host files]

They are very efficient at blocking a lot of nuisance web-junk

The host file was never intended for that purpose.

If you're creating a "black-list" of domains yourself, there's no way
you're going to have as many entries as the hosts file I reference
above.

A 500 kb host file with over 15000 entries is hardly likely to be
efficient, since it isn't optimised for such use. The entries apply
only to individual hosts, so you would need to discover all of them
in order to block an entire domain.

For example, if you wanted to block all access to 'badsite.tld' you
might need separate entries for:

a.b.badsite.tld
ad.badsite.tld
ads.badsite.tld
adv.badsite.tld
www.badsite.tld

and so on.

Software designed for the purpose of blocking access to sites and
domains would allow a wildcard entry like '*.badsite.tld', which is
not possible to do in the host file.

 

[Virus Guy]

:

[host files]

They are very efficient at blocking a lot of nuisance web-junk

The host file was never intended for that purpose.

Doesn't matter. It works very well at that purpose.

A 500 kb host file with over 15000 entries is hardly likely to be
efficient, since it isn't optimised for such use.

While it is claimed that a hosts file larger than approx. 135 kb can
slow down a machine (and specifically machines running windows
2K/XP/Vista and NOT windows-98), you can eliminate any slowdown by
setting the "DNS Client" service Startup-Type to Manual or Disabled
(which is typically recommended when optimizing the settings for the
irritatingly large and vulnerability-inducing inventory of services on
a typical 2K or XP system).

The entries apply only to individual hosts, so you would need
to discover all of them in order to block an entire domain.

For example, if you wanted to block all access to 'badsite.tld'
you might need separate entries for:

I'm pretty sure that a hosts entry like:

127.0.0.1 badsite.tld

would work for all hosts that are part of that domain. I've looked
for an authoritative source for information about host file entries
that would cover this particular issue but haven't found one yet.

 

[Ant]

I'm pretty sure that a hosts entry like:

127.0.0.1 badsite.tld

would work for all hosts that are part of that domain.

If you look at the mvps.org hosts file you will see this is not so.
For example, see the coolwebsearch entries where there is an entry for
the main domain (because it maps to a host) and some sub-domains.

I've looked
for an authoritative source for information about host file entries
that would cover this particular issue but haven't found one yet.

It'll probably be in some Unix or BSD documentation.

 

[David H. Lipman]

From: "Virus Guy" <[email protected]>


|
| Dave, do you not favor a comprehensive hosts file, such as:
|
| http://www.mvps.org/winhelp2002/hosts.htm
|

I don't advocate their use nor do I dissuade their use.

 

[rockdale]

Guys:

Thanks for all the replies.

I downloaded Download MULTI_AV.EXE and tried mcAfee found couple
virus:

C:\WINDOWS\system32\b02FdUe\b02FdUe1065.exe ... Found the Generic
Downloader.s trojan !!!
The file or process has been deleted.
C:\WINDOWS\system32\B1\wr730.exe\GenUnp\GenUnp ... Found the
Downloader-BCF trojan !!!
The file or process has been deleted.
C:\WINDOWS\system32\B2\sten2.exe ... Found the CoreNet trojan !!!
The file or process has been deleted.
C:\WINDOWS\system32\WinNB58.dll ... Found potentially unwanted program
Adware-Mirar.
The file or process has been deleted.

Trend found 2 virus totally
Success Clean [ TROJ_TINY.EN] (1) from C:\windows
\system32\ogpmkgyp.exe
Success Clean [ TROJ_TINY.EN] (1) from C:\windows
\system32\tmaxcebb.exe

But still get the same problem.

Then, downloaded SpyBot Search and Destroy v1.4m, found bounch other
errors. killed them, but could not kill core.sys
and core.cache.dsk. Run SpyBot on safe mode again, killed core.sys and
core.cache.dsk. and now seems the computer is working properly.

Again, thanks for those useful link, although some links do not work
anymore.....

-rockdale