another kind of adware

Hey,

I'm having what appears to be the same kind of problem that erik13 did in his "some kind of adware" post
(http://forums.majorgeeks.com/showthread.php?t=79476&highlight=adware).
I accepted a link to an image from someone on AIM. At first, the virus that I had disabled my internet. After I fixed that, I got a steady stream of popups for a few days. For a day or two, my computer seemed fine, there were no popups or other unwanted ads. But, yesterday they started up again, and haven't stopped since. I followed the instructions from a few different places for getting rid of it, including the "READ & RUN ME FIRST" post, and nothing worked completely (they apparently got rid of a lot of junk, but haven't fixed my pop up problem). I even tried to follow the same instructions given to erik13, but I didn't find
O4 - HKLM\..\Run: [04cg0ryk.dll] RUNDLL32.EXE 04cg0ryk.dll,b 1380680563
in my Hijack This log.

I have attached my Hijack This and WinPFind log files. Any help is very much appreciated.

Thanks in advance,
~Micah

 

Please see the below thread on how to install and run Spy Sweeper.

Running Spy Sweeper...

 

Hey,

Well, for the moment it seems to have worked (there haven't been any pop ups for the last ten minutes or so). I've attached the Spy Sweeper log, as instructed. Is there anything else I need to do to make sure my computer is clean?

Thanks again,
~Micah

 

Download L2MeFix Tool and save it where you will be able to find it.

Please print out these instructions now or save locally so that you can operate with All Browser Windows CLOSED.

Exit Browsers now before continuing

Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and Type 1 and ENTER to select Option #1 for Run Find Log . Allow it as much time as it needs to run until NotePad opens with a log. Save this log. You will need to post this log back here later when you come back.

Next DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.

Your computer will go crazy for a bit, but just let it run. It should eventually spit out a log in Notepad. Please also attach this log to your next message.

Now open your browser and come back here and post the above two logs as attachments to your message. Also indicate your current status.


NOTE: Please do not run any other options or files in the l2mfix Folder!

 

Hey,

I have attached the report and the log that resulted from the L2MeFix Tool. I still haven't gotten any unwanted pop ups, but on the restart an error message popped up saying:

Error loading 0wao0o9s.dll
The specified module could not be found.

~Micah

 

Please see the below thread on how to install and run Ewido Security Suite.

Running Ewido Security Suite ...

 

Hey,

I did that and attached the report. I still haven't gotten any pop ups, but I did receive the

Error loading 0wao0o9s.dll
The specified module could not be found.

error on the restart again.

~Micah

 

Hey,

So, now that I don't have any apparent adware or viruses, etc., what's the best way to make sure that my computer is clean?

Thanks again,
~Micah

 

Please look in Add or Remove Programs for the following and Uninstall them if found:

Spy Sweeper

Ewido

Now scan with HijackThis and Check the Boxes for the following:

Make sure All Browser Windows are Closed when you Click FIX.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz

O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

O23 - Service: Service 8 (Service Filter) - Unknown owner - C:\WINDOWS\smncs.exe (file missing)

Again, make sure All Browser Windows are Closed when you Click FIX.

NOW:
Click Start > Run > type services.msc and Click OK

Locate Service 8 (Service Filter) and RightClick on it to bring up the Service Properties Window.
First: Stop the service by clicking the Stop Button.
Next: Disable it by changing the Startup Type to Disabled and click Apply

NEXT:
Run CCleaner to clean up cookies and temp files.

Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
Note: Remember to get all updates before doing the scans.

Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.


After you complete the above, reboot and let me know how things are running!

 

Hey,

At this point, everything seems to be running very well! I still haven't gotten a single unwanted pop up, and the spy bot program didn't find a single thing wrong in the system check (the ad-aware found 1 file that needed to be fixed). May I assume that I can turn System Restore back on?

Thank you immensely for your help! It's truly appreciated.

~Micah

 

Was you able to disable the service?

Have HJT fix this entry below...

O23 - Service: Service 8 (Service Filter) - Unknown owner - C:\WINDOWS\smncs.exe (file missing)

 

My apologies. I was able to disable it before, but I attached the HJT file from before I made that change. Now I attached the most up-to-date HJT file.

~Micah

 

Your log is clean, are you having any further problems?

 

Nope. All seems to be running well.
Thanks again!

~Micah

 

Your Welcome!

You should see this article on How to Protect yourself from malware!

Surf Safely!