1. alicia2010

    alicia2010 Private E-2

Hi, I have been trying to run the programs asked in Read and Run me... but my comp only runs for short periods of time before freezing. It would not let me open programs and would not close the popups (the windows would freeze) and needed to be restarted every few minutes until today, when I was finally able to run some anti-virus and spyware/adware programs. It is now freezing often and having a lot of popups, but is considerably better. I was unable to run the programs in safe mode because my comp wouldn't allow me to go to the website to find out the run code. I ran Yahoo's antispy and anti virus, ccleaner, adaware and spybot. I am trying to attach my hijackthis log and it just says "error on page". I will post this, then try to attach the log again...
     
  2. alicia2010

    alicia2010 Private E-2

    here's the hijackthis log
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

You need to do a better job of following the instructions in the READ ME. You did not even install and rename HijackThis as required, and this is very important. And why can't you run GetRunKey and ShowNew? They are just as easy and as fast as running HJT and give us a lot of information that is needed.

    You have a load of malware problems! And your OS is way out of date with updates!!! No wonder you are so badly infected. Your Yahoo tools are obviously totally ineffective too!

    Start by running the below:

    WareOut Removal and attach the requested log
     
  4. alicia2010

    alicia2010 Private E-2

    here:
     

    Attached Files:

  5. alicia2010

    alicia2010 Private E-2

ok, I ran the two things you said instead of hjt. I did it to the best of my ability since I have no idea what windows explorer is. I right clicked on the start button, clicked "explore" and found the files from there. I hope I didn't irritate you again. I posted one above, along with the program you suggested, and one here. Thanks.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you know what the below installed program is for? If not then uninstall it.
    Media Bar 3.2.02

    Also uninstall the below which was requested in step 0 of the READ ME.
    Viewpoint Media Player

    Okay now let's get started on the rest of your malware problems. As you will see from the length of the below procedure, you have an extremely bad infection.

    You must make sure that you have installed HijackThis and renamed it as requested in the READ & RUN ME before continuing with the below.

    Now click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Microsoft ASPI Manager ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    aspi113210

    If you receive any error messages just ignore them and continue.

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.


    Now download two tools we will need

    - Process Explorer

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of winsys2freg.dll once and then click the kill button. After you have killed all of the winsys2freg.dll under winlogon click ok. (If you do not find the dll, just continue on.)

Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    artm_newreg.dll

    Next double click on explorer.exe and again click once on each instance of winsys2freg.dll and kill it. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    artm_newreg.dll

    Now just exit Process Explorer.

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\program files\popupwithcast\septpop06apsept.exe
    C:\WINDOWS\sys02320781287.exe
    C:\WINDOWS\sys09873207812.exe
    C:\WINDOWS\win3207128732078.exe
    C:\WINDOWS\win3208287320781.exe
    C:\WINDOWS\sys01732078128.exe
    C:\WINDOWS\System32\kwinrpes.exe
    C:\PROGRA~1\PRINTV~1\pvmodule.exe
    C:\WINDOWS\System32\crunner\cproc.exe
    C:\WINDOWS\Duce6.exe
    C:\WINDOWS\Duce6.exe
    C:\WINDOWS\Duce6.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
    F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\System32\ntos.exe,
    O2 - BHO: (no name) - {4F2E6525-FDC3-E312-290D-03F2C234C3BD} - C:\WINDOWS\System32\icxohqi.dll
    O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\System32\nsh22.dll
    O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - C:\Program Files\BHO Plugin\plugin1.dll
    O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL
    O4 - HKLM\..\Run: [trycrt] cmon14.exe
    O4 - HKLM\..\Run: [ExchangeMaster] vxdman.exe
    O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_18.exe
    O4 - HKLM\..\Run: [defender] C:\\dfndrff_e1.exe
    O4 - HKLM\..\Run: [septpop06apsept] C:\program files\popupwithcast\septpop06apsept.exe
    O4 - HKLM\..\Run: [sys02320781287] C:\WINDOWS\sys02320781287.exe
    O4 - HKLM\..\Run: [loaddr] C:\DOCUME~1\default\LOCALS~1\Temp\silver.exe
    O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
    O4 - HKLM\..\Run: [sys09873207812] C:\WINDOWS\sys09873207812.exe
    O4 - HKLM\..\Run: [ms04078128732] C:\WINDOWS\ms04078128732.exe
    O4 - HKLM\..\Run: [ms03207812873] C:\WINDOWS\ms03207812873.exe
    O4 - HKLM\..\Run: [win3207128732078] C:\WINDOWS\win3207128732078.exe
    O4 - HKLM\..\Run: [win3208287320781] C:\WINDOWS\win3208287320781.exe
    O4 - HKLM\..\Run: [sys01732078128] C:\WINDOWS\sys01732078128.exe
    O4 - HKLM\..\Run: [idzd2d34] RUNDLL32.EXE w00c7925.dll,n 004d2d300000000200c7925
    O4 - HKLM\..\Run: [yqzmkek.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\yqzmkek.dll,qdrfei
    O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\kwinrpes.exe ELT001
    O4 - HKLM\..\Run: [Upnp] c:\docume~1\default\locals~1\temp\7f.tmp
    O4 - HKLM\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
    O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
    O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
    O4 - HKLM\..\Run: [{C1-18-80-04-ZN}] c:\windows\system32\dwdsregt.exe ELT001
    O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system32\stonedrv.exe
    O4 - HKCU\..\Run: [media64] WinInitDll.exe
    O4 - HKCU\..\Run: [systemdll] TRPT.exe
    O4 - HKCU\..\Run: [___] atl_helper.exe
    O4 - HKCU\..\Run: [66b5082d.exe] C:\Documents and Settings\default\Application Data\66b5082d.exe
    O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\System32\crunner\cproc.exe
    O4 - HKCU\..\Run: [Winsvr] C:\WINDOWS\System32\qvxgamet35632.exe
    O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
    O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe
    O4 - HKCU\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
    O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\oqdsregk.exe
    O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\kwinrpes.exe
    O9 - Extra button: Help - {7D3EA1BD-F162-44F9-8450-F02E6D863E0F} - http://online.comcast.net/help/ (file missing) (HKCU)
    O9 - Extra button: Support - {9196A7B5-AD9A-4A1D-A4A5-511CC8D6C38D} - http://www.comcastsupport.com/ (file missing) (HKCU)
    O9 - Extra button: ComcastHSI - {F7E45793-6D43-422D-ABD2-E6A5EB80AD28} - http://www.comcast.net/ (file missing) (HKCU)
    O15 - Trusted Zone: *.elitemediagroup.net
    O15 - Trusted Zone: *.mmohsix.com
    O15 - Trusted Zone: http://www.wellsfargo.com
    O16 - DPF: {4DF6EE77-15EE-3DB4-3E29-61B8181E7264} - http://85.255.113.214/1/gdnUS2339.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0830D3C3-CF23-48B7-BA10-79F52448B5C0}: NameServer = 85.255.115.20,85.255.112.81
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2D267F7C-08BC-4FBF-9958-30E810CE4896}: NameServer = 85.255.115.20,85.255.112.81
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7B35C8D7-A1ED-46B8-B7C9-70FF16F32059}: NameServer = 85.255.115.20,85.255.112.81
    O17 - HKLM\System\CCS\Services\Tcpip\..\{904558D3-31CD-4B22-ADBE-DBFFC329B456}: NameServer = 85.255.115.20,85.255.112.81
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F34C7E91-7A4C-4D2A-8D6F-EC9109C2EE19}: NameServer = 85.255.115.20,85.255.112.81
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0830D3C3-CF23-48B7-BA10-79F52448B5C0}: NameServer = 85.255.115.20,85.255.112.81
    O17 - HKLM\System\CS2\Services\Tcpip\..\{0830D3C3-CF23-48B7-BA10-79F52448B5C0}: NameServer = 85.255.115.20,85.255.112.81
    O20 - AppInit_DLLs: dxclib303562752.dll
    O20 - Winlogon Notify: artm_newreg - C:\WINDOWS\All Users\Documents\Settings\artm_new.dll
    O20 - Winlogon Notify: winsys2freg - C:\WINDOWS\All Users\Documents\Settings\winsys2f.dll
    O21 - SSODL: jKDEoQv - {340C1805-9EA6-B2AF-4A09-BE1A639C0ED4} - C:\WINDOWS\System32\qke.dll (file missing)

    NOTE: HJT will popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Now click Start, Run, and enter cmd and click OK! This will open a command prompt window. In the command prompt window enter the below commands each followed by the Enter key.
    del %windir%\temp\win*.*
    exit

    If you get an error message while doing the above command prompt step, just ignore it and continue!

    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\default\Start Menu\Programs\Startup\TA_Start.lnk
    C:\Documents and Settings\default\Start Menu\Programs\Startup\Think-Adz.lnk
    C:\Documents and Settings\default\Local Settings\Temp\silver.exe
    C:\Documents and Settings\default\Local Settings\temp\7f.tmp
    C:\Documents and Settings\default\Application Data\66b5082d.exe
    C:\Program Files\Common Files\{340C1804-0320-1033-0319-010102260001}\Update.exe
    C:\Program Files\DeluxeCommunications\Dxc.exe
    C:\803_104.exe
    C:\814.exe
    C:\asdf.txt
    C:\avuqk.exe
    C:\clxruurt.exe
    C:\ctixqc.exe
    C:\dbg.txt
    C:\deskbar3.exe
    C:\dfndrff_e1.exe
    C:\ertixydh.exe
    C:\gawpnlj.exe
    C:\gcverv.exe
    C:\gyhorqt.exe
    C:\kuul.exe
    C:\kuspj.exe
    C:\jfkxjiar.exe
    C:\kccwl.exe
    C:\kybrdff_18.exe
    C:\mobg.exe
    C:\nqgkknr.exe
    C:\pmrv.exe
    C:\qwrvf.exe
    C:\taxgxf.exe
    C:\tjrufgmv.exe
    C:\WINDOWS\All Users\Documents\Settings\artm_new.dll
    C:\WINDOWS\All Users\Documents\Settings\winsys2f.dll
    C:\WINDOWS\109uninst.exe
    C:\WINDOWS\1205.exe
    C:\WINDOWS\ac3_0002.exe
    C:\WINDOWS\Duce6.exe
    C:\WINDOWS\DXCecho.exe
    C:\WINDOWS\Eim03.exe
    C:\WINDOWS\MirarSetup_876057.exe
    C:\WINDOWS\ms03207812873.exe
    C:\WINDOWS\ms04078128732.exe
    C:\WINDOWS\popupwithcast.exe
    C:\WINDOWS\srvipeefwc.exe
    C:\WINDOWS\srvnskncbc.exe
    C:\WINDOWS\srvpapogoc.exe
    C:\WINDOWS\srvtsidqom.exe
    C:\WINDOWS\srvzxgmcjx.exe
    C:\WINDOWS\sys01732078128.exe
    C:\WINDOWS\sys02320781287.exe
    C:\WINDOWS\sys032078128732006.exe
    C:\WINDOWS\sys09873207812.exe
    C:\WINDOWS\t1.exe
    C:\WINDOWS\TIELT001.exe
    C:\WINDOWS\uni_7eh.exe
    C:\WINDOWS\uni_ehhhh.exe
    C:\WINDOWS\uninst104.exe
    C:\WINDOWS\unstall.exe
    C:\WINDOWS\win3206812873207.exe
    C:\WINDOWS\win3207128732078.exe
    C:\WINDOWS\win32082873207812006.exe
    C:\WINDOWS\win3208287320781.exe
    C:\WINDOWS\YazzleBundle-1264.exe
    C:\WINDOWS\SYSTEM32\adir.dll
    C:\WINDOWS\SYSTEM32\adrotate.dll
    C:\WINDOWS\SYSTEM32\adrot-uninst.exe
    C:\WINDOWS\System32\aspi243769.exe
    C:\WINDOWS\System32\atl_helper.exe
    C:\WINDOWS\System32\cmon14.exe
    C:\WINDOWS\SYSTEM32\bkd.exe
    C:\WINDOWS\SYSTEM32\dlh9jkdq8.exe
    C:\WINDOWS\SYSTEM32\dwdsregt.exe
    C:\WINDOWS\SYSTEM32\dxclib303562752.dll
    C:\WINDOWS\System32\icxohqi.dll
    C:\WINDOWS\SYSTEM32\kwinrpes.exe
    C:\WINDOWS\SYSTEM32\nsv54.dll
    C:\WINDOWS\SYSTEM32\nsa21.dll
    C:\WINDOWS\SYSTEM32\nsh22.dll
    C:\WINDOWS\System32\ntos.exe
    C:\WINDOWS\SYSTEM32\oqdsregk.exe
    C:\WINDOWS\System32\qke.dll
    C:\WINDOWS\System32\qvxgamet35632.exe
    C:\WINDOWS\SYSTEM32\rzvu32.dll
    C:\WINDOWS\SYSTEM32\scmt16.exe
    c:\windows\system32\stonedrv.exe
    C:\WINDOWS\System32\taskdir.exe
    C:\WINDOWS\System32\taskdir.dll
    C:\WINDOWS\System32\TRPT.exe
    C:\WINDOWS\System32\vxdman.exe
    C:\WINDOWS\System32\WinInitDll.exe
    C:\WINDOWS\SYSTEM32\WinNB58.dll
    c:\windows\system32\w00c7925.dll
    C:\WINDOWS\System32\yhbdupd.dll
    C:\WINDOWS\SYSTEM32\yqzmkek.dll
    C:\WINDOWS\System32\crunner\cproc.exe
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folders and delete them if found:
    C:\uniq
    C:\Program Files\popupwithcast
    C:\Program Files\PrintView
    C:\Program Files\Deskbar
    C:\Program Files\DeluxeCommunications
    C:\Program Files\BHO Plugin
    C:\Program Files\Common Files\{340C1804-0320-1033-0319-010102260001}
    C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
    C:\Program Files\Common Files\misc002
    C:\Program Files\Common Files\{340C1804-0320-1033-0319-010102260001}
    C:\Program Files\Common Files\cloader
    C:\WINDOWS\System32\crunner

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\TEMP
    C:\Documents and Settings\default\Local Settings\Temp

    Now attach new logs from the below:
    • HJT
    • GetRunKey
    • ShowNew
    And tell me how the steps went.

    Make sure you tell me how things are working now!
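The HJT lines chaslang selects for fixing above fall into a handful of classic hijack patterns: a second executable chained onto UserInit (F2), autoruns launched from Temp or the drive root (O4), wildcard Trusted Zone entries (O15), an ActiveX download from a bare IP (O16), TCP/IP NameServer values pointing at resolvers the owner never configured (O17), and AppInit_DLLs / Winlogon Notify load hooks (O20). The script below is an added example, not code from the thread or from MajorGeeks or HijackThis: it parses HijackThis-style log lines and flags those patterns so a defender can triage a log before touching anything. The sample lines are copied from the fix list in the post above; the resolver allowlist (`KNOWN_DNS`), the heuristics and all function names are assumptions made for the example, and the rules generalize to any log of the same `Oxx - detail` shape.

```python
"""Triage HijackThis-style log lines for well-known hijack patterns.

Added example (not part of the original thread). The rules and the
resolver allowlist below are assumptions chosen for illustration.
"""
import re

# Constructed sample: lines copied from the HJT fix list in the post above,
# plus two benign-looking lines (R0, O9) that should NOT be flagged.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\System32\ntos.exe,
O4 - HKLM\..\Run: [loaddr] C:\DOCUME~1\default\LOCALS~1\Temp\silver.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_18.exe
O9 - Extra button: Help - {7D3EA1BD-F162-44F9-8450-F02E6D863E0F} - http://online.comcast.net/help/ (file missing) (HKCU)
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {4DF6EE77-15EE-3DB4-3E29-61B8181E7264} - http://85.255.113.214/1/gdnUS2339.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0830D3C3-CF23-48B7-BA10-79F52448B5C0}: NameServer = 85.255.115.20,85.255.112.81
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: winsys2freg - C:\WINDOWS\All Users\Documents\Settings\winsys2f.dll
"""

# Assumed allowlist: resolvers the machine's owner actually configured (constructed).
KNOWN_DNS = {"192.168.1.1", "8.8.8.8"}

# Every HJT line is "<type code> - <detail>", e.g. "O17 - HKLM\...: NameServer = ...".
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<detail>.*)$")


def parse_line(line):
    """Return (code, detail) for an HJT line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return (m.group("code"), m.group("detail")) if m else None


def check_f2(detail):
    """UserInit must be userinit.exe alone; anything chained after it runs at logon."""
    m = re.search(r"UserInit=(.*)$", detail, re.I)
    if m:
        parts = [p for p in m.group(1).split(",") if p.strip()]
        if len(parts) > 1 or not parts[0].lower().endswith("userinit.exe"):
            return "UserInit chain altered: " + m.group(1)
    return None


def check_o4(detail):
    """Autoruns that start from a Temp folder or the drive root are rarely legitimate."""
    path = detail.split("] ", 1)[-1]
    low = path.lower()
    if "\\temp\\" in low or "locals~1" in low or re.match(r"^c:\\+[^\\]+\.exe", low):
        return "autorun from temp or drive root: " + path
    return None


def check_o15(detail):
    """Every Trusted Zone entry lowers IE's security for that site; list them all."""
    return "trusted zone entry: " + detail.split(": ", 1)[-1]


def check_o16(detail):
    """ActiveX (DPF) objects fetched from a bare IP address instead of a hostname."""
    m = re.search(r"https?://(\d{1,3}(?:\.\d{1,3}){3})/", detail)
    return ("ActiveX download from raw IP " + m.group(1)) if m else None


def check_o17(detail):
    """NameServer values outside the allowlist indicate DNS hijacking."""
    m = re.search(r"NameServer = (.*)$", detail)
    if m:
        bad = [ip.strip() for ip in m.group(1).split(",") if ip.strip() not in KNOWN_DNS]
        if bad:
            return "unknown DNS servers: " + ",".join(bad)
    return None


def check_o20(detail):
    """AppInit_DLLs and Winlogon Notify inject a DLL into every process / winlogon."""
    return "Winlogon/AppInit load hook: " + detail


CHECKS = {"F2": check_f2, "O4": check_o4, "O15": check_o15,
          "O16": check_o16, "O17": check_o17, "O20": check_o20}


def scan(log_text):
    """Return a list of (code, message) findings for the flagged lines."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if not parsed:
            continue
        code, detail = parsed
        check = CHECKS.get(code)
        if check:
            msg = check(detail)
            if msg:
                findings.append((code, msg))
    return findings


if __name__ == "__main__":
    for code, msg in scan(SAMPLE_LOG):
        print(f"{code}: {msg}")
```

On the sample above the scanner reports eight findings and leaves the R0 and O9 lines alone; the O17 rule is the one worth tuning per machine, since a resolver that is not in `KNOWN_DNS` is only suspicious when the owner did not put it there.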
     
  7. alicia2010

    alicia2010 Private E-2

hello, I am at the point where you asked me to "type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Microsoft ASPI Manager". When I typed services.msc into the run box I got an "error" message. I did a print screen and made a word doc so you could see what it said; I have attached it below.
     

    Attached Files:

  8. alicia2010

    alicia2010 Private E-2

    By the way, you said to ignore any error messages, but with the error message I am referring to, it is showing me nothing to scroll through, the program you asked me to find is not there. Please look at the attached .doc and tell me what to do....
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just skip the part with services.msc for now and complete ALL other steps.
     
