Can't get rid of Popup Trojan

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by gtackett, Jan 1, 2005.

  1. gtackett

    gtackett Private E-2

    System Info:
    OS - MS Win XP Home Edition
    OS Service Pack - Service Pack 2
    IE - 6.0.2900.2180
    CPU Type - Intel Pentium 4A, 2666 MHz (5 x 533)
    Motherboard Name - Dell Computer Corp Dimension 4600
    Chipset - Intel Springdale i865PE
    Bios - Phoenix (2/20/04)
    Network Adapter - Wireless-G PCI Adapter

    I am having trouble with removing a popup Trojan. Here's what I have done so far:

    I read the post Howto: Spyware, Trojan and Virus Removal and took these steps
    1.) Disabled System Restore - No problem
    2.) Skipped step 2 because I didn't have these services.
    3.) Enabled viewing hidden files - no problem
    4.) Downloaded all Tools as listed - no problem

    Scanning and Cleaning (all in Safe Mode with Networking)
    1.) I did an online scan at Trend Micro. These trojans were listed:

    TROJ NARRATOR.A C:\WINDOWS\SYSTEM32\pupuau.exe
    TROJ NARRATOR.A C:\WINDOWS\SYSTEM32\guguqu.dll
    TROJ NARRATOR.CAC C:\WINDOWS\SYSTEM32\calsp.dll

    Trend Micro said they were uncleanable. I clicked the 'delete' button to remove.

    Ran Symantec and McAfee scans with no problems.

    2.) Cleaned hard drive - no problem
    3.) Did Spyware Scan and Removal - there were items removed but I didn't write down (sorry). BTW, I checked the "TeaTime" option for Spybot just to monitor changes in the registry.
    4.) None of the other Secondary Spyware Scan applied to me. I did not run.
    5.) Did not take this option
    6.) I downloaded HiJack This but did not run since this forum instructed not to post log until requested.

    Other actions: I ran the TrojanScan online but it came up with nothing.

    Finally, I took these actions:

    1.) I checked Windows Update and I have all the updates.
    2.) I removed Microsoft Java as instructed, but when I tried to install the Sun Java it kept giving me an error during installation saying that the file was corrupt. I didn't write down the exact message.

    Some final steps I took:

    1.) I enabled System Restore (reversed the first step I took).
    2.) I installed Norton System Works 2002 AV software. It seemed to be giving me problems previously so I had uninstalled Norton AV some months ago. I have seen the free AV software you have listed. If you think it is a good idea, I will uninstall Norton AV and install one of those.

    I did all these things and I seem to still have the popups for diet patches and cigars and other useless items.

    Thanks in advance for your assistance.
     
  2. Novice

    Novice MajorGeek

    Here goes the "echo station"! Please read the stickies at the top of the forum page concerning spyware removal, procedures to be followed, and applications to be downloaded. Follow all of these, and post back if the problem is still there. :)
     
  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you have run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal please read below:

    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as a .txt file attachment to your message. All running programs should be closed, including your web browser and e-mail. Close them before running Hijack This!

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  4. gtackett

    gtackett Private E-2

    I'm a little confused by your reply. I specifically said that I had read the intro material (those items that applied to me). I even outlined my post using the items number from the "Howto: Spyware, Trojan and Virus Removal". I will follow the instructions of the other reply.
     
  5. Novice

    Novice MajorGeek

    Please do! My suggestion was to follow the advice in all the stickies, not just one of them.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Post your HJT version 1.99 log as an attachment, but make sure you have followed the guidelines in the sticky (NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting) on what to shut down before running and where and where not to install HJT. (This is what BJ was indicating in his message.)

    In step 4 of the cleaning stage, you should have run CWShredder and Kill2me. Many times the effects of these infections are not apparent. You were correct in not running about:Buster and HSremove. You would know if you had the related problems.
     
  7. gtackett

    gtackett Private E-2

    I wasn't clear in my post. I did run CWShredder and Kill2me without any problems. The about:Buster and HSremove were the two I didn't run. Sorry.

    Will be posting log file soon.

    Thanks again.
     
  8. gtackett

    gtackett Private E-2

    I shut down all programs that I could. I disconnected from my wireless network. There were two programs that I could not remove from the tray but I was able to disable.

    Norton AV Autoprotect was running but disabled.
    Cybersitter (Internet filter program) was running but disabled.

    I didn't know how to remove them from the tray without completely un-installing.

    Attached is my HiJackThis 1.99 log file. I installed and ran HiJackThis from the C:\Program Files\HiJack This folder that I created.
     


  9. gtackett

    gtackett Private E-2

    Before anyone replies, let me go through and let HiJack This fix my problems. I will post a list of all the fixes that I choose.
     
  10. gtackett

    gtackett Private E-2

    Here are the items that I checked for HiJack This to fix based on the instructions given by MajorGeeks.com.

    R1 - www.dellnet.com (there were three of these)
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
    O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

    I didn't fix these because I was unsure of what they were:

    O4 - HKLM\..\Run: [Admilli Service] C:\Program Files\Admilli Service\AdmilliServ.exe
    O4 - HKLM\..\Run: [ICQ Messenger] ICQLite.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O23 - I didn't do anything with these since the MajorGeeks.com website did not address.
     
  11. gtackett

    gtackett Private E-2

    One more question on this: I have downloaded one of the free firewalls suggested in one of the stickies. Should I go ahead and install it or wait until this issue is resolved?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should not have just fixed the below (unless you really don't want those features). While they can all be removed without causing any problems and doing so frees up resources, you should be sure of what things are before you remove them.

    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    See this for nwiz.exe. It's for your Nvidia graphics card.
    http://www.liutilities.com/products/wintaskspro/processlibrary/nwiz/

    Do you use QuickTime or Real Player?

    You should consider uninstalling (using Add/Remove programs) Viewpoint Manager unless you use it.

    Also look for Admilli Service in Add/Remove programs.

    Have HijackThis fix the below items:
    O4 - HKLM\..\Run: [Admilli Service] C:\Program Files\Admilli Service\AdmilliServ.exe
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab

    Then delete (you may need to boot to safe mode to delete):
    C:\Program Files\Admilli Service <--- the whole folder
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Windows XP SP2 has a built-in firewall which is enabled by default. If you want to use a different firewall, you must disable the Win XP firewall. You should make sure of what state yours is in.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  15. gtackett

    gtackett Private E-2

    I went ahead and un-installed both QuickTime and RealPlayer. I use them rarely.

    I went to the website you listed and read more about what nwiz.exe does. Right now I only have one monitor and I don't have any use to put 32 monitors on a host. Any suggestions on how to enable this .exe? I went to the Desktop Properties and hunted around for a radio button or check box and found nothing.

    I removed Viewpoint Manager from the Control Panel
    Admilli was not listed as an installed program (see below)

    Done

    Done
     
  16. gtackett

    gtackett Private E-2

  17. gtackett

    gtackett Private E-2

    Can't thank you enough for all your help. You have provided a great service to me and my family. Thanks again.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    Just run HJT and restore it from the backups it makes. On the first screen you see from HJT, click Open the Misc Tools section, then choose Backups, then find the O4 - HKLM\..\Run: [nwiz] nwiz.exe /install entry and restore it.
     
  19. gtackett

    gtackett Private E-2


    Easy enough. One more piece of info...

    I uninstalled Norton AV and installed Avast! AV (Home Edition). It did a boot scan right after the re-boot and found this:

    C:\Documents and Setting\...\local settings\temp\tracker7.exe is infected by WIN32:TROJAN_gen {other}

    and

    c:\install_george.exe.tcf is infected by WIN32:TROJAN_gen {UPX!}

    I deleted them both.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It would probably be a good idea to delete everything in
    C:\Documents and Setting\...\local settings\temp

    and then empty your Recycle Bin and c:\windows\Prefetch folder too.
     
  21. gtackett

    gtackett Private E-2

    I went in to each of the users in our family (there are four) and deleted the contents of each of the temp folders.

    I also emptied the Recycle Bin on my user and the c:\windows\Prefetch folder.

    As I mentioned earlier, I had installed Avast! AV and it had found a couple of trojans (see previous post). I then updated the Avast! database and reran a scan from the desktop.

    I got the WIN32:Trojan_gen {other} virus two more times. I moved them to the Chest as recommended by Avast!.

    This trojan has now come up four times (twice on the boot scan and twice on the normal scan) and I still seem to be getting the popups. I have deleted and cleaned up all the folders you suggested. I'm going to research this trojan a little more and reboot.
     
