Iontach
Trooper

 Joined: May 05, 2005 Posts: 22
Posted: Thu May 05, 2005 4:37 am Post subject: Aer Lingus and winantivirus pop-ups [EDIT: VUNDO.H Trojan]
Hi,
Sorry in advance if this is the wrong place to post. Over the past few days I have started getting new windows opening up with the same 2-3 ads, taking me here:
http://www.winantivirus.com/index-pro.php?aid=mdwavtop&lid=virus
and to an Aer Lingus "flights" page.
I don't usually get pop-ups, and I was wondering how I can stop these particular new windows from opening up (and why it is happening).
Oddly, they seem to pop up mostly when I am using the mouse to scroll, and sometimes just when I click on a webpage.
If anyone has any idea how to stop them, I would be very grateful. I feel a bit silly, but they are very annoying.
Cheers.
_________________
www.iontach.org
Last edited by Iontach on Wed Aug 17, 2005 10:19 am, edited 2 times in total
Mister2
SRT Team Lead
 Premium Member
 Joined: Oct 28, 2004 Posts: 7264
Posted: Thu May 05, 2005 5:20 am Post subject:
Hi Iontach,
Welcome to CastleCops
What Operating System are you running?
The WinAntivirus website is suspicious - my security settings block access to this one. Try the following (free) scans to remove the adware causing the popups, and to make sure there is nothing else lurking on your system:
Download Adaware SE from /downloads-file-451.html . Run it, click Check for Updates Now. When you have updated click Scan Now and run a Full System Scan.
Run the free online scan at Trend - http://housecall.trendmicro.com/housecall/start_corp.asp
Run one of the online trojan scans here -
http://scan.sygatetech.com/pretrojanscan.html
http://windowsecurity.com/trojanscan
Download Spybot S&D from /downloads-file-108.html . Unzip it and run it, click Search for Updates, then click Search and Destroy.
Download a² Free from http://www.majorgeeks.com/download4281.html . Run it, click Search for Updates, then click Scan.
Download Ccleaner from http://www.ccleaner.com/ccdownload.php . Run it and click Search for Updates. Go to Options and click the Settings tab. Uncheck the box against Only Delete Files in Windows Temp Folders Older than 48 Hours, then click OK. Click Run Cleaner. Please note that running CCleaner will force you to enter passwords for any sites which require them - make sure you know them.
If any of these scans find files which can't be deleted then try running the scan in Safe Mode. Details of how to access Safe Mode can be found here - http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam
Are you running a firewall and an antivirus package? If not, I suggest trying this:
Firewall - Download and install either ZoneAlarm Free from www.zonelabs.com (I use the Pro version, but the free version is an excellent program too) or Sygate from here /downloads-file-380.html . Both are easy to use and run 'straight out of the box'. Only run one firewall on your system - if you are using Windows XP then turn off the Windows firewall.
Antivirus - Try AVG Free - http://free.grisoft.com/freeweb.php (I use this one) or AVPE - /downloads-file-347.html . Again, only run one antivirus program on your system.
Post back with results - there may be further steps we need to take to cure the problem. We could also replace one of your system files which blocks access to suspicious sites with a more comprehensive version, but I would like to know your Operating System before doing that.
Mister2
_________________
Never stop learning
Iontach
Trooper

 Joined: May 05, 2005 Posts: 22
Posted: Thu May 05, 2005 2:25 pm Post subject:
Hiya,
Thanks so much for your response!! I use Windows XP Home (plus SP2). I just noticed that before a "pop-up" happens I can hear the IE "click-click" noise that indicates a pop-up is trying to start up (but the sound is really quiet), and the top of my window moves down a bit. But there is no yellow bar, and then the pop-up happens without asking me.
I just switched to broadband. When I did, I started to have problems with banner ads. They wouldn't load, and instead the page "hung" for ages. My ISP said to delete cookies etc. I did all that; it still happened. I said I had Spybot, and they told me to rename my "hosts" file "hosts.old". Anyway, a new hosts file "appeared", the problem eventually stopped, and although some banner ads don't show, the very long delays don't happen, but I do get these pop-ups now. I am "immunised" with Spybot.
So here goes:
I had an old version of ad-aware on my system. The new version from your link found and removed: 21 objects ("data miners") (I just pressed "scan now").
(nasty pop-up happened in between)
Trend Micro: found one infected file: TROJ VUNDO.H in C:\WINDOWS\system\crsvc.dll. It says it cannot do anything with this.
In safe mode I cannot connect to the internet, so what should I do to remove this?
I downloaded this:
http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.removal.tool.html
It found nothing. Perhaps the wrong tool
So, I continued.
Sygatetech > said "blocked all scans". I tried switching Zone Alarm off so Windows Firewall is enabled. Still didn't work.
Windows security scan > said "error downloading engine". I had clicked to allow the ActiveX control. All my security levels are at default. Could not get this to scan either.
Already have Spybot. Scan found nothing new. I am immunised (but without the bad download button checked).
a² Free found nothing.
CCleaner ran (I didn't let it remove things from these applications: Photoshop, ImageReady, Office, Messenger, ZoneAlarm logs, Ad-Aware, Spybot, WinRAR, Windows Media Player; if you think I should, I will). Everything else was removed.
I have Zonealarm (free), and AVG. AVG (I update before I scan) did not pick up anything.
I am sorry that this post is so long, and any further help you can give would be much appreciated.
Thanks again.
Last edited by Iontach on Wed Aug 17, 2005 10:20 am, edited 1 time in total
Iontach
Trooper

 Joined: May 05, 2005 Posts: 22
Posted: Thu May 05, 2005 2:42 pm Post subject:
PS. The pop-ups are also becoming more frequent, and a new one has started.
Should I try safe mode with networking and run the scan again?
...................................................................
OK, I just did a Panda scan. It tells me that I was infected with the trojan:
QHost.gen - which was (unsurprisingly) in the "hosts.old" file, and it disinfected it. I am hoping that this means the new "hosts" file is fine.
http://www.pandasoftware.com/virus_info/encyclopedia/ficha.aspx?iddeteccion=133137
[it also says I have "FunWebProducts" adware, and that it cannot disinfect, I suppose spybot etc will do that when I run it again]
.....................................
This still leaves me the other, more worrying, trojan to deal with. Perhaps I should try running the 2 Vundo scans in safe mode (although it suggests backing up my registry before I do that).
As I type now - I can hear the sound and see the browser moving. Horrible.
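The QHost finding above (a trojan whose whole payload is a rewritten hosts file) and the later question in this thread about the hosts file doubling in size come down to one check: which entries point a name at loopback, which is what a blocking list such as the mvps.org file does and is harmless, and which send a name to some other address, which is what a hijacker does. The script below is an added example, not part of the original thread, that parses a hosts file and separates the two, flagging redirects of security-vendor and update hosts as hijacks. The sample file, the addresses in it and the vendor suffix list are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample hosts file (not the poster's real one). It mixes blocking
# entries in the style of the mvps.org list with the kind of redirect a hosts
# hijacker plants. Addresses are from the RFC 5737 documentation ranges.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ad.doubleclick.net            # blocking entry: harmless
0.0.0.0         ads.example-adnetwork.com     # blocking entry: harmless
203.0.113.7     www.example.org               # redirect of a non-security host
203.0.113.45    www.google.com                # redirect: suspicious
203.0.113.45    housecall.trendmicro.com      # online scanner pointed elsewhere
198.51.100.9    liveupdate.symantec.com
"""

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Assumed watch list for this example: the security and update hosts named in
# the thread. Extend it with whatever vendors the machine actually relies on.
PROTECTED_SUFFIXES = ("trendmicro.com", "symantec.com", "grisoft.com",
                      "mvps.org", "microsoft.com", "google.com")

# address, then one or more names, then an optional "# comment"
HOSTS_LINE = re.compile(r"^\s*([0-9A-Fa-f.:]+)\s+([^#]+?)\s*(?:#.*)?$")

def parse_hosts(text):
    """Yield (address, hostname) for every hostname on every data line."""
    for line in text.splitlines():
        m = HOSTS_LINE.match(line)
        if not m:
            continue
        addr, names = m.group(1), m.group(2).split()
        for name in names:
            yield addr, name.lower()

def is_protected(name):
    """True if name is, or is a subdomain of, a watch-listed suffix."""
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)

def audit_hosts(text):
    """Sort entries into 'block' (sent to loopback), 'hijack' (protected name
    sent to a real address) and 'redirect' (any other name sent elsewhere)."""
    report = defaultdict(list)
    for addr, name in parse_hosts(text):
        if addr in LOOPBACK:
            report["block"].append(name)
        elif is_protected(name):
            report["hijack"].append((name, addr))
        else:
            report["redirect"].append((name, addr))
    return dict(report)

if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    for name, addr in result.get("hijack", []):
        print(f"HIJACK   {name:<28} -> {addr}")
    for name, addr in result.get("redirect", []):
        print(f"REDIRECT {name:<28} -> {addr}")
    print(f"{len(result.get('block', []))} loopback blocking entries")
```

On Windows XP the file to feed it is C:\WINDOWS\system32\drivers\etc\hosts (plus the renamed hosts.old, which is where the QHost detection was). A hijack entry is a marker that something on the machine wrote it, so it is worth more as evidence than as a thing to delete by hand; whatever wrote it is usually still running, which is why the file grows again after being replaced.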
Mister2
SRT Team Lead
 Premium Member
 Joined: Oct 28, 2004 Posts: 7264
Posted: Thu May 05, 2005 6:00 pm Post subject:
Hi Iontach,
I use a hosts file from mvps.org, which seems pretty thorough. A download link is here - http://www.mvps.org/winhelp2002/hosts.zip
Try downloading the free FireFox browser from here - www.mozilla.org. Open it, go to Tools, Options, Web Features and check Block Popup Windows. This should give you some peace while you fix the problem. I use FireFox as my default browser but IE is still required to access Windows updates.
Vundo seems to have been getting more common recently. I would suggest you download the free trial of TrojanHunter from here - /downloads-file-83.html . Update it (Update button is at the top of the screen) but don't run it yet. Close the window, reboot into Safe Mode and run TrojanHunter. Hopefully this will find and clean the infection. If not then there is a manual fix detailed here - http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453079972
This fix involves editing the registry so please back it up first. Go to Start, Run, type regedit and click OK. In the regedit window go to File, Export and enter a name and a location to save the registry. Check the box next to Export Range - All at the bottom left and click Save. Close Regedit.
Follow the instructions under the heading Detection and Removal, halfway down the page. There are links in the instructions which tell you how to implement each stage of the instructions, but please post back if you're unsure and we'll help you through it.
I suggest you copy the info detailing the registry keys (the ones that start HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE) to notepad and print them out before proceeding - it will be handy if you need to delete and reboot.
Please let us know how it goes. There's a lot of information on that page but it's pretty straightforward if you take your time. After this I suggest running Spybot in Safe Mode as a precaution.
Good Luck!
Mister2
Mister2
SRT Team Lead
 Premium Member
 Joined: Oct 28, 2004 Posts: 7264
Posted: Fri May 06, 2005 6:07 am Post subject:
Hi again,
That's a good link you found there. Looks like it's getting better - slowly
Replace your hosts file and lock it down - at least until we've cleaned up.
Regarding the commands, the first one takes you to the correct folder, the second works on the actual file. So the commands to type are:
cd c:\windows\system
(Press Enter)
regsvr32 c:\windows\system\crsvc.dll /u
(Press Enter)
exit
(Press Enter)
Then do the registry editing (after backing up!)
If you need to follow the next instruction the System Restore needs to be off. To do this go to Start, All Programs, Accessories, System Tools, System Restore. Click System Restore Settings. On the System Restore tab check Turn Off System Restore on All Drives. It would do no harm to do this and run the Trend online scan anyway.
Remember to turn it back on when you're clean, and set a new Restore Point.
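The procedure in this post (unregister the DLL with regsvr32 /u, then delete the registry keys the CA page lists) can leave the registry half cleaned, which is what the next reply runs into: a Browser Helper Objects entry whose CLSID no longer has a server, or a CLSID that still names the DLL. Since the post already has the reader export the registry from regedit's File > Export, an audit can be run on that export offline. The script below is an added example, not from the thread or from the CA removal page: it parses a .reg export, lists every BHO with the DLL its InprocServer32 points at, and flags those that match the scanner's verdict or that have no server registered at all. The export text, the CLSIDs and the "Example" helper are constructed; crsvc.dll is the file named by the Trend scan earlier in the thread.

```python
import re

# Constructed registry export in the format regedit writes from File > Export.
# The CLSIDs and the "Example" helper are placeholders made up for this example;
# crsvc.dll is the file the Trend scan reported in the thread. The third BHO
# entry has no CLSID registration, the half-removed state described later on.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-0000-0000-0000-000000000001}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBBBBBBB-0000-0000-0000-000000000002}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CCCCCCCC-0000-0000-0000-000000000003}]

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}]
@="Example PDF Link Helper"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Program Files\\Example\\ActiveX\\ExampleHelper.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{BBBBBBBB-0000-0000-0000-000000000002}]
@="crsvc"

[HKEY_CLASSES_ROOT\CLSID\{BBBBBBBB-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\WINDOWS\\system\\crsvc.dll"
"ThreadingModel"="Apartment"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def _unescape(s):
    """Undo .reg escaping: a backslash-escaped character stands for itself."""
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text):
    """Return {key_path: {value_name: data}}; "" is the key's default value (@)."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            tree.setdefault(current, {})   # keys with no values still count
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])   # REG_SZ; dword:/hex: kept raw
            tree[current][name] = data
    return tree

BHO_PATH = "\\explorer\\browser helper objects\\"
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
CLSID_HIVES = ("HKEY_CLASSES_ROOT\\CLSID\\",
               "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\")

def list_bhos(tree):
    """Map each registered BHO CLSID to the DLL its InprocServer32 names, or None."""
    lower = {k.lower(): v for k, v in tree.items()}   # registry paths are case-insensitive
    bhos = {}
    for key in tree:
        m = CLSID_RE.search(key)
        if BHO_PATH not in key.lower() or not m:
            continue
        clsid = m.group(0).upper()
        dll = None
        for hive in CLSID_HIVES:
            server = lower.get((hive + clsid + "\\InprocServer32").lower(), {})
            if "" in server:
                dll = server[""]
                break
        bhos[clsid] = dll
    return bhos

def flag_bhos(bhos, suspect_dlls):
    """Flag BHOs whose DLL is on the scanner's list, or that have no server at all."""
    wanted = {d.lower() for d in suspect_dlls}
    flagged = {}
    for clsid, dll in bhos.items():
        if dll is None:
            flagged[clsid] = "no InprocServer32 registered (orphaned or half-removed)"
        elif dll.rsplit("\\", 1)[-1].lower() in wanted:
            flagged[clsid] = "loads " + dll
    return flagged

if __name__ == "__main__":
    bhos = list_bhos(parse_reg_export(SAMPLE_REG))
    for clsid, dll in sorted(bhos.items()):
        print(f"{clsid}  {dll or '<no server>'}")
    for clsid, why in flag_bhos(bhos, {"crsvc.dll"}).items():
        print(f"FLAG {clsid}: {why}")
```

A real export from regedit is UTF-16 with a byte-order mark, so read it with open(path, encoding="utf-16") before passing the text in. The orphan case is the one to look at after a cleanup: a BHO entry with no server is harmless on its own, but it is the trace of a registration that was only partly removed, and the DLL it used to load may still be on disk.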
Iontach
Trooper

 Joined: May 05, 2005 Posts: 22
Posted: Fri May 06, 2005 5:32 pm Post subject:
Heya,
Well, things got an awful lot worse before they got better. The removal steps did not remove all instances of that key code. IE kept on crashing on the first opening and refused to be shut down.
I googled the remaining key code positions, and they corresponded to "vundo.b". So I ran the vundo.b specific removal tool in safe mode; it altered/removed the remaining keys. Now my comp is running smoothly [and I re-ran everything in safe mode]. System Restore is back on now.
But why have I been infected with at least 3 trojans since I switched to broadband? And... I also noticed that my system tray kept being shuffled, all the security stuff being taken off. Can a virus/trojan do this? Also, safe mode was really odd: the screen kept freezing (this was before I tried to remove the trojan). Seems fine now.
................................................
Thank you so much for your help.
Is there any way to check Zone alarm to make sure it is configured OK for my broadband connection? [sorry if this sounds silly, I just don't know what went on].
there is one key code left - but perhaps that is in an OK position: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\Ext\stats\{that key code}
There is one folder under that called "iexplore" with count/time/type entries. Is this just a harmless log?
Is there anything I can do to stop this kind of thing from returning? I only download from "safe" sites, and have a firewall and run malware scans.
Before I added a "fresh" version of the hosts file and locked it, the hosts file had grown to almost double the size. Should I unlock it now? Could good things be adding sites?
Thanks again.
Iontach.
Mister2
SRT Team Lead
 Premium Member
 Joined: Oct 28, 2004 Posts: 7264
Posted: Fri May 06, 2005 7:11 pm Post subject:
Hi Iontach,
Sorry it wasn't an easy journey, but I'm pleased you got there
Quote:
But, why have I been infected with at least 3 trojans since I switched to broadband?

I really can't answer that one. When I first set up ZA I had alerts popping up all over the place warning of incoming connections, many of which were sniffing for web servers. On dialup I tended to do things while I was online - my system wasn't idle for long. With broadband there is a connection whenever your computer is running. As I said in an earlier post, Vundo seems to be getting more common lately. It's possible that systems to infect are being aggressively searched for.
Regarding the registry key, I checked and had 14 similar entries. After deleting Temporary History Files (including offline content) and Browser History they had all gone. Go to Control Panel, Internet options to clear these and see if your entry has gone.
To check your security go to www.grc.com and run the ShieldsUp port test. This will perform a thorough scan on all your ports and suggest areas which need tightening up. A good site for setting up ZoneAlarm is www.donhoover.net. If you have any questions about your firewall then Hoov frequents the forums here and is very good on ZA. Try posting here - /f2-Firewalls.html - if you need further help.
I would keep the hosts file locked - you will soon know if something is trying to alter it and make a decision then. Mostly it will be something trying to add a suspect entry.
There is an excellent series of articles here - http://prince_serendip.castlecops.com/ - which will help increase your security.
As a precaution I would also suggest you post a HiJackThis log to allow our experts to confirm there are no hidden nasties lurking in there. Please be patient as the guys reading the logs get snowed under with work. You won't be overlooked, though.
Download HiJackThis from : /downloads-file-328.html
Create a folder and unzip the HiJackThis download to the folder. Do not unzip the HiJackThis download to a temp folder - it won't work.
Double-click "HijackThis.exe". First, update HiJackThis by pressing the "Config" button, then press "Misc Tools", followed by "Check for update online". If you downloaded an updated HJT, click "Yes" at the "Open the file?" prompt. If you did not update, press the "Back" button.
Press "Scan". When the scan is finished, use the "Save Log" button and save the log as a text file. It's best to save your text file in the same folder as where you put HiJackThis. Don't try to fix anything yourself - most of the entries are required and removing them will cause problems.
Post your log in the HiJackThis forum : /f67-Hijackthis_Spyware_Viruses_Worms_Trojans_Oh_My.html. Click "NewTopic" and simply copy/paste the HJT log into the textbox, and mention you've just removed several infections. Include the information requested in the HJT forum posting rules: /t102301-Hijackthis_Guidelines_Read_Before_Posting.html
Make sure your HJT log is posted only in the HiJackThis forum: /f67-Hijackthis_Spyware_Viruses_Worms_Trojans_Oh_My.html , or else it will get moved.
After you have posted your HJT log in the HiJackThis forum, please post, in this thread, a link back to your HJT log. (Copy the address in the address bar of your browser when you post your log, and paste it as a reply in this thread).
Please post back if you have any further queries.
Good luck with the log.
Mister2
Dragan_Glas
Team CC Chief Host
 Chess Board Host

 Joined: May 27, 2004 Posts: 2899
Posted: Fri May 06, 2005 10:20 pm Post subject:
Iontach
Failte!
Mister2 has pretty much covered everything!
If I might add one other suggested resource...
Have a look at Eric Howes' excellent site:
https://netfiles.uiuc.edu/ehowes/www/main-nf.htm
There is a wealth of information on securing your privacy whilst browsing the internet with links to various resources to do so.
Kindest regards,
Dragan Glas
_________________
Quote: The only secure computer is one that's unplugged, locked in a safe, and buried 20 feet under the ground in a secret location... and I'm not even too sure about that one.
Dennis Hughes, FBI
Dragan_Glas
Team CC Chief Host
 Chess Board Host

 Joined: May 27, 2004 Posts: 2899
Posted: Sat May 07, 2005 1:02 pm Post subject:
Mister2
You're welcome!
Kindest regards,
Dragan Glas