Spyware : Chinese pop up keeps appearing - to www.u8u.com

Discussion in 'Windows - Virus and spyware problems' started by marcuk03, Jul 5, 2007.

  1. marcuk03

    marcuk03 Member

    Joined:
    Jul 5, 2007
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    11
I keep getting a Chinese pop-up in Internet Explorer.
I use Win XP Pro SP2 with IE6 SP2.
I can close the page and carry on using my machine, but I cannot find this bug anywhere to remove it. I have used Spybot, Ad-Aware and Trend AV OfficeScan.
I have looked in Windows startup and the registry startup.

Can someone please help?
     
  2. Fredil

    Fredil Regular member

    Joined:
    Jul 19, 2006
    Messages:
    390
    Likes Received:
    0
    Trophy Points:
    26
    Usually that's called adware - a program which generates ads.

Download HijackThis using the link provided - but do not download v2.0, please click to download the last stable version, which is 1.99.1. Once you have downloaded it, save it and run it. Click on "Do a system scan and save a logfile". Post ALL of that logfile in a reply for me to look at.
     
  3. marcuk03

    marcuk03 Member

Here's the logfile,
     
    Last edited: Jun 25, 2008
  4. Fredil

    Fredil Regular member

    Hello,

    Glad you told me about that - I might have identified it as malware!

    Do you know what the following are:

    * ManageSoft
    * OfficeScan NT
    * Ecutel
    * ProfileFix
    * CFGDownload

    There are quite a few things in your log that I need your input on. First of all - do you know these websites?

    Next, please pay a visit to http://www.virustotal.com to upload a file. In the textbox at the top, next to the "Browse" button, copy and paste the following text:

    C:\WINNT\wuauclt.exe

    Hit "Send". You may have to wait for quite a while due to the queue. When scanning of the file begins, don't interrupt it! It may take up to ten minutes to scan a large file. When the scan is done, the "status box" at the top should say "STATUS: FINISHED". Your file will be scanned with more than 30 antivirus engines for a comprehensive result. When the scan is done, there will be two tables - one with your results and one with information like the MD5 Checksum. Ignore the smaller table - just copy all the text in the larger one and paste it into your reply.
     
    Last edited: Jul 3, 2008
  5. marcuk03

    marcuk03 Member

Hi,
     
    Last edited: Jun 25, 2008
  6. marcuk03

    marcuk03 Member

Oh yeah, one more thing.
     
    Last edited: Jun 25, 2008
  7. Fredil

    Fredil Regular member

    Since it's been a couple of days (sorry), could you post a fresh HijackThis log to refresh my memory? Thanks :)
     
  8. marcuk03

    marcuk03 Member

Hello again,
     
    Last edited: Jun 25, 2008
  9. Fredil

    Fredil Regular member

    Let's get a close look at your system. Please download Deckard's System Scanner (formerly ComboScan) from the link provided. Save it to your Desktop.

    Note: This program will clear your temporary files.

    Please do a scan with dss.exe. It will only take about five minutes. If it cannot find HijackThis on your computer, it will prompt you to look for it. Please press "yes" and tell the scanner where it is located. If the scanner asks you to download HijackThis, please answer "yes" to that as well. During the scan, your firewall may warn you about a .exe file attempting to connect to the Internet; please allow it. Your antivirus may also detect Deckard's System Scanner as a Possible Threat or RiskTool; it may be better for you to temporarily disable your antivirus.

    Once the scan is done, it will produce two logfiles for you: a "main.txt" (which you see) and an "extra.txt" (which is minimized). Please copy the contents of both these logfiles into your next reply.
     
  10. marcuk03

    marcuk03 Member

Here are the log files you asked for:
    main.txt

     
    Last edited: Jun 25, 2008
  11. marcuk03

    marcuk03 Member

    Deckard's
     
    Last edited: Jun 25, 2008
  12. Fredil

    Fredil Regular member

    Whew! That was a lot of information, but hopefully now we have the information we need to kill these pop-ups.

    There is no user on this computer by the name of "david.bowen old", correct?

    I will get back to you in a few moments - need to run a couple of errands first :)
     
  13. marcuk03

    marcuk03 Member

Hi again,
     
    Last edited: Jun 25, 2008
  14. Fredil

    Fredil Regular member

    No, I didn't think it would. The nasty bugger is in most of your user profiles x_x

    Give me a second to look over your log again and I will be back with a fix.
     
  15. marcuk03

    marcuk03 Member

bbyb.exe, bbybs.exe and sxs.exe are looking suspicious, aren't they...
     
  16. Fredil

    Fredil Regular member

    Hey, you replied before I replied :D The lines I've "redded" are bad. There is a chunk of bolded stuff near the end, too, which I will explain. Since this is a corporate computer, I'm going to ask if you know of a program called "DameWare Utilities". This program is for the remote access of your computer, but is usually installed in C:\Program Files\DameWare Development\DameWare NT Utilities\. Since it is a remote access tool, and is not installed where it is supposed to be, there is likely something suspicious going on. The entries in bold are the DameWare files.

    sxs.exe and friends are the files that are causing your troubles.

    Please copy the contents of this portion of the fix into a word processing document as we will be in Safe Mode and therefore unable to access the Internet.

    Reboot your computer into Safe Mode:

    1. Reboot your computer.
    2. As soon as it starts booting, press the F8 key. You may get an error if this is done too soon, just reboot and try again.
    3. You may get a message about boot drivers, just press ESC and keep tapping F8.
    4. At the Advanced Options menu, use the arrow keys and navigate to Safe Mode. Press Enter and log in as you usually would.

Right-click on your Start Menu and select "Explore". Then, explore to these files and delete them (press Shift-Delete, which will cause the files to skip the Recycle Bin and be deleted permanently):

    C:\Documents and Settings\david.bowen old\sxs.exe
    C:\Documents and Settings\instxp_sbs\sxs.exe
    C:\WINNT\bbybs.exe
    C:\WINNT\bbyb.exe
    C:\Documents and Settings\david.bowen\sxs.exe

    Also delete C:\Documents and Settings\david.bowen old using the Control Panel > User Accounts if it is not needed anymore.

    Reboot back to normal.

    Do another Deckard's System Scanner scan and post back (there will only be three sections to it this time).
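As an added illustration (not Fredil's or marcuk03's code, and not part of any tool named in the thread): a read-only inventory script that does what the two manual steps above amount to, finding executables sitting directly in a user profile root (where sxs.exe was) and the named files in the Windows directory, and hashing each so the MD5 can be checked against VirusTotal as in post 4, without deleting anything. It assumes it is pointed at the volume root (or a copied profile tree) and that Python is available on the box or on the machine the drive is mounted on.

```python
import hashlib
from pathlib import Path

# Names called out in the thread: sxs.exe sat in the root of each user profile,
# bbyb.exe / bbybs.exe in the Windows directory (C:\WINNT on this machine).
SUSPECT_NAMES = {"sxs.exe", "bbyb.exe", "bbybs.exe"}
EXE_SUFFIXES = {".exe", ".dll", ".scr", ".pif", ".com"}


def hash_file(path):
    """Return (md5, sha256) hex digests, reading in chunks so large files are fine."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def _record(path, reason):
    md5, sha256 = hash_file(path)
    return {"path": str(path), "reason": reason, "md5": md5, "sha256": sha256}


def scan(root):
    """Inventory suspicious executables under a Windows volume root (or a copy of one).

    Flags (a) any executable placed directly in a user profile root, which is not
    where legitimate software installs, and (b) the thread's named files in the
    Windows directory. Returns a list of dicts; nothing is modified or deleted.
    """
    root = Path(root)
    findings = []
    profiles = root / "Documents and Settings"
    if profiles.is_dir():
        for profile in (p for p in profiles.iterdir() if p.is_dir()):
            for item in profile.iterdir():
                if item.is_file() and item.suffix.lower() in EXE_SUFFIXES:
                    findings.append(_record(item, "executable in profile root"))
    for windir in ("WINNT", "WINDOWS"):
        wd = root / windir
        if wd.is_dir():
            for item in wd.iterdir():
                if item.is_file() and item.name.lower() in SUSPECT_NAMES:
                    findings.append(_record(item, "named suspect in Windows dir"))
    return findings


if __name__ == "__main__":
    import sys
    for f in scan(sys.argv[1] if len(sys.argv) > 1 else "C:\\"):
        print(f"{f['reason']}: {f['path']}  md5={f['md5']}")
```

Run it before the Safe Mode deletions to record paths and hashes, and again afterwards to confirm the list is empty.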
     
  17. marcuk03

    marcuk03 Member

    Deckard's
     
    Last edited: Jun 25, 2008
  18. marcuk03

    marcuk03 Member

And one more thing: we use DameWare remote control as our corp support tool. I also noticed an sxs.dll in the c:\winnt\system32 directory, which I renamed as well, and also an sxs****.pf file in the same dir.
     
  19. tucker001

    tucker001 Regular member

    Joined:
    Jun 6, 2006
    Messages:
    414
    Likes Received:
    0
    Trophy Points:
    26
I would format your HDD and reinstall Windows to make sure you get rid of all the spy/adware; you may have more spyware than what the antispyware programs are telling you. Also, spyware has gotten so bad lately that it can attach itself to system files, and if they are deleted it can sometimes cause your computer to not function right. So the best thing to do is format your HDD, reinstall Windows, apply all the latest updates, download IE7/Firefox, and download some antispyware software. I recommend Windows Defender, which you can get at microsoft.com/spyware, Ad-Aware Free Edition, which you can get at lavasoft.com, and Spybot Search and Destroy; I would also recommend getting the free AVG antivirus, which you can get at free.grisoft.com. Some other things I should point out: the best defense to keep these nasty things off your system is not all this software but your behavior, like not opening attachments in emails, not downloading music/etc. from P2P sites, using Firefox with the NoScript add-on instead of IE, and applying all the Windows updates. Oh, and if you want a recommendation for a good firewall: if you have a router you already have a great firewall; if you don't, I would suggest going out to Circuit City/Best Buy and buying one. Also, if you do download music from P2P sites, I would suggest downloading the files to a second HDD so that if there is spyware/viruses it will be trapped on that other drive and will not affect your computer.
     
  20. Fredil

    Fredil Regular member

    Don't listen to him... formatting is not the best way to go, and your files are not safe if you keep the infected ones on another drive.

    Hehehe... C:\New Folder\dss.exe

Nasty little devils, those viruses are :) Since one of your worms (sxs.exe) spreads through removable devices and networks, please disconnect this computer from the others whenever possible, and please check all removable storage devices (USBs, floppies, etc.). I also take it that, since this is a company laptop, you have many restrictions present, such as Control Panel and Active Desktop?

    Please select (highlight) everything in the box below. Right-click it and select "Copy".

    Then, download The Killbox.

    In the event that you already have the Killbox, this is a new version that I need you to download.

Once you have saved it to your desktop, double-click the Killbox to open it. Go to the "File" menu and click "Paste from Clipboard". Note: Do not paste manually, because that way only one file will be registered. At the bottom, select "Delete on Reboot", and select the button on the right saying "All files" (it will flash green to let you know you've done it right). If you can, place a check beside the "Unregister .dll" box. Press the button that looks like the Killbox logo - a red circle with a white cross. When asked if you would like to reboot now, please select "No".

    Next, copy and paste all the text in the box below into a blank Notepad document:

    Go to File > Save As. In the menu that says "Save as type" select "All files". Save it to your Desktop as "FixReg.reg". Double-click on "FixReg.reg" and when asked whether you want to merge the information into the registry press Yes.

    Now, reboot your computer. Killbox will have made a log after you log in successfully - copy and paste that log into your reply, as well as a new HijackThis log.
     
