Having Problems with popups and errors.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by devilishinncnt, Jul 27, 2005.

  1. devilishinncnt

    devilishinncnt Private E-2

    I am working with a friend's computer. It had the Spy Sheriff infection, and I believe that it has more problems that I cannot figure out how to fix. I followed all of the directions on the sticky for basic spyware removal as well as the one for the Spy Sheriff problem.

    I was not able to run Ad-Aware, as the computer kept freezing during the deletion process after the scan, and the two virus scans that were recommended were done in normal mode, because I could not access the internet in safe mode.

    The Spy Sheriff problem seems to be gone (with the exception of the lingering "Active Desktop Recovery" message), but I cannot get rid of these pop-ups.

    Also, the computer will not shut down from the Start menu. It gives me an error message and then freezes.

    I keep receiving the message "Error loading C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL. The system cannot find the path specified." when I start the computer.

    And I get this message randomly, and sometimes with other programs listed that I cannot remember: "Motmon has caused an error in KRNL386.EXE. Motmon will now close. If you continue to experience problems, try restarting your computer."

    If you can help with any or all of this, I would be greatly appreciative. Thank you!
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download HijackThis 1.99.1

    Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file, as your backups will not be safely stored.

    Before running HijackThis, you must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    Run HijackThis and save your log file.

    Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post, as it will be removed.)

    Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. devilishinncnt

    devilishinncnt Private E-2

    Here is the requested log. I'd appreciate any help you could offer. Thanks again!
     


  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, please disable Spybot's TeaTimer because it will block parts of this fix.

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    bhat

    WeatherBug

    Internet Optimizer

    Rzklul

    Virtual Bouncer or VBouncer

    WildTangent



    Download this trial version of Ewido Security Suite

    • Install ewido security suite
    • Launch ewido, there should be an icon on your desktop double-click it.
    • The program will have a window come up. One of the buttons on the left is to Update. Click the Update button and then Start the Update. The update will start and a progress bar will show the updates being installed.
    • After it completes the update, click the Scanner button

    Now exit Ewido. Now print the below instructions or save them locally, because I want you to have no browsers open and also no connection to the internet (unplug your cable) while doing the below.

    Okay, reboot into safe mode and follow the steps below. (If you have any problems at all trying to get into safe mode to complete these steps, just run them in normal boot mode and make sure you tell me when you come back.)

    Open up Ewido and do the following:


    • Click on Scanner
    • Then click Settings
    • Under What to Scan? Select Scan every file
    • Then click OK
    • Click on Complete System Scan and the scan will start.
    • Let the program scan the machine
    While the scan is in progress you will be prompted to clean files that are infected. Leave the default selections (to Remove and backup) and click OK. To save yourself some time, you can select Perform action with all infections and then click OK. With the option to scan every file, a lot of cookies will be removed.

    Once the scan has completed, there will be a button located on the bottom of the screen named Save report


    • Click Save report
    • Save the report to your desktop or anyplace you will be able to find it to upload here.
    Reboot into normal mode and reconnect to the internet.

    Come back here and post the Ewido Scan Report along with a fresh HJT log.
     
  5. devilishinncnt

    devilishinncnt Private E-2

    I got as far as installing Ewido, but when I tried to install it, it said "Sorry, ewido requires Windows 2000 and above." The computer I am working on is running Windows ME. Is there any way around this, or a similar program that will work with ME?
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Crap, I forgot you were running Windows ME. Proceed with the following:

    Download the following two files, create a folder on your desktop, call it TSC. Save these 2 files there!

    Sysclean Package

    Pattern.zip

    Once you have these downloaded into the folder you just created, double click the file sysclean.com

    When the system cleaner loads, click SCAN to start the scanner. After you have completed the scan reboot and attach a fresh HJT log.
     
  7. devilishinncnt

    devilishinncnt Private E-2

    I ran that program, and here is my new HJT log
     


  8. devilishinncnt

    devilishinncnt Private E-2

    oops. That was before I rebooted. I'm not sure if this one is the same or not, but this is from after I rebooted.

    Also, the computer still will not shut down from the Start menu. I have to push the button on the tower to shut it down (which I know is not good, but it is the only way to turn the computer off; the Delete key is broken on their keyboard so I cannot even Ctrl-Alt-Del). Is this possibly related to the mess that is going on with the pop-ups, or is this an entirely different problem?
     


  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, please run Panda Online Scan. After the scan attach the log to your next post. Also please follow the below:

    1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

    2 - Please EXTRACT all the files from RKFiles Tool to its own folder named C:\Program Files\RKTOOL. Then, please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.


    Now come back here and post all three logs as attachments.
     
  10. devilishinncnt

    devilishinncnt Private E-2

    I ran the Panda online scan, and during the scan my bar at the bottom with my Start button and everything disappeared. When the scan finished and I tried to reboot the computer, I got a message saying that explorer.exe could not be found and Windows needed to be reinstalled. I found the factory settings restore disk and restored the computer. It seems to be fixed. Should I post anything?
     
  11. devilishinncnt

    devilishinncnt Private E-2

    Also, I have downloaded Sygate Personal Firewall, and it keeps saying "Win32 kernel core component (kernel32.dll) has received a broadcast packet from the remote machine [10.65.160.1]. Do you want to allow this program to access the network?" I keep clicking No because I don't know what it is. Is it something that I should allow?
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Did you wipe out everything to factory default? Yes, go ahead and attach a current HJT log to confirm you're clean.

    Are you on a network?
     
  13. devilishinncnt

    devilishinncnt Private E-2

    Yes, everything was wiped back to factory default. However, someone needed to use the computer before I could get a firewall and anti-spyware software put on it, and I think there may be some minor stuff that reinfected. Over the past few days there have been a few popups (1-2 per day), but nothing anywhere close to what used to be on this computer. The computer is not on a network, it is a single computer hooked to a cable modem. Here is a current HJT log.
     


  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HijackThis and Check the Boxes for the following:

    O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409 (file missing)
    O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409 (file missing)
    O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409 (file missing)
    O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409 (file missing)
    O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409 (file missing)
    O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409 (file missing)
    O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409 (file missing)
    O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409 (file missing)

    Make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner to clean up cookies and temp files.


    After you complete the above your log will be clean. Reboot a few times and let me know if you have any problems.
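The O9 lines quoted in the post above follow a fixed HijackThis layout: `O9 - Extra <button | 'Tools' menuitem>: <name> - {<CLSID>} - <target>`, with a trailing `(file missing)` when the DLL or URL the registry entry points to is no longer there. The following is an added example, not code from this thread or from the HijackThis project, that parses such lines and pulls out exactly the entries a helper would tell you to fix: the ones whose backing file is gone. The first and last sample lines (an O4 Run entry and an O9 entry with a present DLL) are constructed to show that non-O9 lines are skipped and present files are not flagged; the eight O9 lines in between are copied from the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Regex for a HijackThis "O9" (Internet Explorer extra button / Tools-menu item) line.
# Format: O9 - Extra <kind>: <name> - {<CLSID>} - <target> [ (file missing)]
O9_RE = re.compile(
    r"^O9 - Extra (?P<kind>button|'Tools' menuitem): (?P<name>.*?) - "
    r"\{(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\} - "
    r"(?P<target>.*?)(?P<missing> \(file missing\))?$"
)

# Constructed sample log. First line (O4) and last line (O9 with a present DLL,
# all-zero CLSID) are made up for this example; the eight O9 lines between them
# are the entries quoted in the post.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Example] C:\WINDOWS\example.exe
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409 (file missing)
O9 - Extra button: Example - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\EXAMPLE\EXAMPLE.DLL
"""


@dataclass(frozen=True)
class O9Entry:
    kind: str        # "button" or "'Tools' menuitem"
    name: str        # display text; '&' marks the keyboard accelerator letter
    clsid: str       # CLSID shared by a button and its matching Tools-menu item
    target: str      # local DLL path or URL the entry points to
    file_missing: bool


def parse_o9(line: str) -> Optional[O9Entry]:
    """Parse one O9 line; return None for anything that is not an O9 entry."""
    m = O9_RE.match(line.strip())
    if not m:
        return None
    return O9Entry(
        kind=m.group("kind"),
        name=m.group("name"),
        clsid=m.group("clsid"),
        target=m.group("target"),
        file_missing=m.group("missing") is not None,
    )


def parse_log(text: str) -> List[O9Entry]:
    """Collect every O9 entry from a HijackThis log, skipping all other sections."""
    return [e for e in map(parse_o9, text.splitlines()) if e is not None]


def orphaned_entries(entries: List[O9Entry]) -> List[O9Entry]:
    """Entries whose backing file HijackThis could not find: dead registry
    pointers that only clutter IE, which is why they are safe to tick and fix."""
    return [e for e in entries if e.file_missing]


def orphaned_clsids(entries: List[O9Entry]) -> List[str]:
    """Unique CLSIDs behind the orphaned entries. A button and its Tools-menu
    item share one CLSID, so the eight log lines collapse to four registry keys."""
    return sorted({e.clsid for e in orphaned_entries(entries)})


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for e in orphaned_entries(found):
        print(f"FIX  {e.kind:18} {e.name!r:40} {e.clsid}  -> {e.target}")
    print("orphaned CLSIDs:", orphaned_clsids(found))
```

Two things the parsed output makes visible that the raw log does not: all eight flagged entries point at `http://` targets rather than local DLLs, so they were redirector buttons preinstalled by the OEM rather than anything loading code on the machine, and they reduce to four CLSIDs, each owning one button and one Tools-menu item. That is why the helper can call the log clean once they are fixed: nothing executable is behind them.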
     
