This forum thread needs a solution.
Kudos0

trojan, malware issue caused by banner popup ad

"Hi Everyone / Quads,

I have read many many threads here and on other sites.  I have tried to fix my own problem but I'm really stuck and I'm asking if you can help me.  It would be greatly appreciated.

I got some banner ad issue today; it tried to launch the adobe pdf reader but I cancelled it before it could launch.  This happened twice. 

Afterwards, my pc is running slow.  I've rebooted many times, tried safe mode, ran scans, downloaded spyware removal software, updated windows defender but nothing works.

I keep getting these problems: 

- windows live messenger stopped working pops up after window starts.
- trojan:Win32/FakeIA.C  keeps popping up from windows defender.
- windows sidebar has stopped working after startup.
- launch windows internet explorer, get a page with insecure internet activitiy.  threat of virus attack. we recommend you to protect.  click here to get full advanced real time protection continue to this website unprotected. (this keeps showing everytime i open windows internet explorer).  when i click on the first link, it goes to "defender review" site. 

inet explorer only works for about a minute and then, it freezes. 

windows defender keeps popping:  Trojan.Zlob.G

i ran hijack this (new version) and ran sdfix in safemode but nothing works.

here is the hijack this log.  can you please take a look and give me some ideas as to what to do?  i am at a point where i am going to wipe out the hard drive and install vista again.  thanks for your time."

Replies

Kudos1

Re: trojan, malware issue caused by banner popup ad

Hi there 

Now, "trojan:Win32/FakeIA.C" is also known as "Trojan.fakeavalert", and you also have "Trojan.Zlob G" so they are working hand in hand.

 That is also why you are getting this, "launch windows internet explorer, get a page with insecure internet activitiy.  threat of virus attack. we recommend you to protect.  click here to get full advanced real time protection continue to this website unprotected. (this keeps showing everytime i open windows internet explorer).  when i click on the first link, it goes to "defender review" site. "  

It's a fake trying to get you to download a Rogue security program. It also tries to stop Legit security programs from running properly.

You are running Vista, so SDfix won't work.

Start Hijackthis and tick these entries.  

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe

O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter

O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

O13 - Gopher Prefix:

O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe

Then click "Fix checked". Looks as though Sidebar has been corrupted.

Now Download SuperAntispyware Free  http://www.superantispyware.com/download.html

Also Malwarebytes AntiMalware http://www.malwarebytes.org/mbam.php

Install and update both programs' definitions, then run a full scan of both programs in Safe Mode.

See how we go, at least hopefully get most of it then maybe just have to look for manual left over bits after.

Quads 

 

Kudos0

Re: trojan, malware issue caused by banner popup ad

Aragingbull,

 

Kindly check this Symantec Support Article which has the instructions for the removal of Trojan.Zlob.G. Hope this may help you.

 

Yogesh

Message Edited by yogesh_mohan on 12-13-2008 01:41 AM
Kudos0

Re: trojan, malware issue caused by banner popup ad

thanks quads and yogesh_mohan.  i will try this once i get home.  had to use a friend's computer for the past day.  i will post an update.

Message Edited by aragingbull on 12-12-2008 01:01 PM
Kudos0

Re: trojan, malware issue caused by banner popup ad

thanks quads.  greatly appreciated the effort.

i did as you listed.  the popups are gone.  sidebar is still not working but that's minor.  i haven't tried launching sidebar yet.  i did not run malwarebytes in normal mode... should i?  it ran in safe mode and found 10 items.

also, i reran hijack this again and here's the results.

i could not remove these 3 though (tried in normal and safe mode):

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
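
Added example, not written by anyone in this thread: a small Python parser for the HijackThis entry lines quoted above, used to check which ticked entries are still listed after "Fix checked" and a rescan. The function names are hypothetical, and the sample input is a subset of the ticked list plus only the three lines quoted in the follow-up post, since the full rerun log is not on the page.

```python
import re

# HijackThis section codes that appear in this thread (usual meanings).
SECTIONS = {"R0": "IE start/search value", "R1": "IE start/search value", "O1": "hosts file entry",
            "O4": "autostart entry", "O13": "IE default URL prefix", "O23": "Windows service"}
LINE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")

def parse(line):
    """Split one log line into its section code and fields; None if not an entry."""
    m = LINE.match(line)
    if not m:
        return None
    code, body = m.groups()
    entry = {"code": code, "body": body, "section": SECTIONS.get(code, "unknown")}
    if code in ("R0", "R1"):            # <registry key>,<value name> = <data, may be empty>
        left, _, data = body.partition(" =")
        key, _, name = left.partition(",")
        entry.update(key=key, name=name, data=data.strip())
    elif code == "O23":                 # Service: <display> (<name>) - <vendor> - <path>
        s = re.match(r"Service: (.+) \((.+?)\) - (.+) - (.+)$", body)
        if s:
            entry.update(zip(("display", "service", "vendor", "path"), s.groups()))
    return entry

def identity(e):
    # Match R entries on key + value name (the data may change), others on the whole body.
    tail = (e["key"], e["name"]) if "key" in e else (" ".join(e["body"].split()),)
    return (e["code"],) + tuple(t.casefold() for t in tail)

def compare(ticked_log, rerun_log):
    """Return (persisting, removed): ticked entries still listed / no longer listed."""
    ticked = [e for e in map(parse, ticked_log.splitlines()) if e]
    seen = {identity(e) for e in map(parse, rerun_log.splitlines()) if e}
    return ([e for e in ticked if identity(e) in seen],
            [e for e in ticked if identity(e) not in seen])

# Sample input: lines quoted in the thread (subset of the ticked list; quoted rerun lines).
TICKED = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe"""
RERUN = r"""R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe"""
for e in compare(TICKED, RERUN)[0]:
    print("still present:", e["code"], e["section"], "|", e["body"])
```

Matching R entries on key and value name rather than on the whole line means a value that was reset but not deleted still shows up as persisting, which is what a rescan needs to surface.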

Kudos1

Re: trojan, malware issue caused by banner popup ad

If your sidebar cannot launch, download and run ComboFix. It automatically restores many of the settings modified and locked by malware.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

=\

Replies are locked for this thread.