Constant Nonsense Popup Box in IE...

Please follow the steps below:

Download HOSTER and then follow the below steps.

• Unzip Hoster to a convenient folder such as C:\Hoster

• Run Hoster.exe, click Restore Original Hosts and then click OK.
• Click the X to exit the program

Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

 

Please attach your log here to your message.

Is the below your expected Startpage:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:\WINDOWS\blank.mht


Also the below does not seem valid, do you know what it is:
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)

 

Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to svchost.exe or moto Then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

Next, open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

svchost.exe

If that does not work, try the short name: moto

Now exit HijackThis and we will restart it in a few lines with different options.


If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\WINDOWS\svchost.exe <--- just incase it is still running. The other step should have kill it.

After killing all the above processes, click "Back".
Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O2 - BHO: (no name) - {78364D99-A640-4ddf-B91A-67EFF8373045} - C:\WINDOWS\system32\appwiz.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\zolker005.dll
O2 - BHO: ZToolbar Activator Class - {FFF5092F-7172-4018-827B-FA5868FB0478} - C:\WINDOWS\System32\ztoolb005.dll
O3 - Toolbar: ZToolbar - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - C:\WINDOWS\System32\ztoolb005.dll
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\symcsvc.exe
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe <--- this may be gone if the previous steps worked

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\system32\appwiz.dll
C:\WINDOWS\System32\zolker005.dll
C:\WINDOWS\System32\ztoolb005.dll
C:\WINDOWS\System32\symcsvc.exe
C:\WINDOWS\svchost.exe

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

The first step was not to kill the svhost.exe process. The first step was to run services.msc.

Also the only svchost.exe process that needed to be killed was this one: C:\WINDOWS\svchost.exe
Not the ones in system32.

You did not answer my questions from message # 5.

Also the below does not seem valid for Ccleaner and we will need to run some other tools to look for some potential hidden problems.

O21 - SSODL: CCleaner - {8AF0A992-DD76-300B-4C0D-D6D6CBD9A971} - c:\program files\applications\ccleaner\winejiej32.dll

Other than that, your log is clean.

Please downloaded and extract the files from the attachment to its own folder - C:\Program Files\Find Qoologic2.
Then, DoubleClick Find-Qoologic.bat to run the tool. It will produce a log of what it finds. Please attach it to your next message.