HELP! - pop-ups

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by SofiaAgapao, Sep 29, 2005.

  1. SofiaAgapao

    SofiaAgapao Private E-2

    Hello,

    I have about a million pop-ups, well, popping up. I don't know what to do; they're driving me nuts! This wasn't happening before, until I stupidly downloaded a game. I uninstalled the game immediately because it wasn't working properly, but I seem to be left with some kind of residue. The longer this happens, the more pop-ups there are, it seems. I've run Ad-aware, Spybot, and a few other programs, but they don't seem to be doing the trick.

    Help?
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow ALL the steps below:

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps below:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. SofiaAgapao

    SofiaAgapao Private E-2

    Thanks!! I've run all of the above scans. There were a few tracking programs that were caught, and I think I saw something about a Trojan when I ran the first scan (BitDefender). Here is the logfile for Hijack This:
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you run Spybot and use the Ignore Products bug fix as indicated in the READ ME FIRST?
    It does not look like it, since I see an O10 line for newdotnet!

    Double check and run it again. I will include a manual fix in my next message just in case it does not work.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to CWShredder Service ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Now repeat the above for tkszowbuloao (if this is not found, look for: gklfxrjm5).

    Next, run HJT, but instead of scanning, click on the 'None of the above, just start the program' button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    CWShredder Service

    Now repeat the above HijackThis step for tkszowbuloao (if this is not found, use the short name: gklfxrjm5).

    Now exit HJT and do not reboot if it asks you to do so. We will reboot later.

    Download LSP - Fix

    Run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the newdotnet6_38.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move newdotnet6_38.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.
    If it is already in the Remove section, just click Finish.
    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\Program Files\rded\eeee.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {0E75C1DC-4573-2B14-DC9E-CD43F608DCDB} - (no file)
    O4 - HKCU\..\Run: [Coae] C:\Program Files\rded\eeee.exe
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
    O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\Little Girl Lost\Desktop\CWShredder.exe (file missing)
    O23 - Service: tkszowbuloao (gklfxrjm5) - Unknown owner - C:\WINDOWS\system32\teuksqpm5.exe (file missing)



    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete (if found):
    C:\Program Files\rded <--- the whole folder
    c:\program files\newdotnet <--- the whole folder
    C:\WINDOWS\system32\teuksqpm5.exe


    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.


    Now run CCleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
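Added example, not code from this thread, from MajorGeeks or from HijackThis itself: a small Python triage script for HJT-style log lines like the ones quoted in this message. It splits each line into its section code and body, pulls out the CLSID and the file path where present, and flags the properties a helper checks first: a referenced file that no longer exists (the "(no file)" / "(file missing)" entries), an O23 service with an unknown owner, an O10 broken-LSP line, and an O4 Run-key autostart. The sample input is the set of lines from this message; the HjtEntry type and the finding labels (MISSING_TARGET, UNKNOWN_OWNER, LSP_CHAIN, AUTORUN) are my own naming.

```python
"""Triage helper for HijackThis-style log lines.

Added example: not code from the thread, from MajorGeeks, or from HijackThis.
The finding labels are my own; HijackThis itself only lists the entries.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: the log lines quoted in message 5 of this thread.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0E75C1DC-4573-2B14-DC9E-CD43F608DCDB} - (no file)
O4 - HKCU\..\Run: [Coae] C:\Program Files\rded\eeee.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\Little Girl Lost\Desktop\CWShredder.exe (file missing)
O23 - Service: tkszowbuloao (gklfxrjm5) - Unknown owner - C:\WINDOWS\system32\teuksqpm5.exe (file missing)
"""

LINE_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}")
# A drive letter or %VAR% root, then the shortest run of text ending in .exe/.dll/.cab
PATH_RE = re.compile(r"""((?:[A-Za-z]:|%[A-Za-z]+%)\\[^'"]*?\.(?:exe|dll|cab))""", re.IGNORECASE)
MISSING_RE = re.compile(r"\((?:no file|file missing)\)|\bmissing\b", re.IGNORECASE)


@dataclass
class HjtEntry:
    code: str                      # section code, e.g. "O2" or "O23"
    body: str                      # text after "<code> - "
    clsid: Optional[str] = None    # GUID found in the line, if any
    path: Optional[str] = None     # file path found in the line, if any
    findings: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[HjtEntry]:
    """Parse one log line; return None for lines that are not entries (headers, blanks)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group(1), m.group(2)
    entry = HjtEntry(code=code, body=body)
    clsid = CLSID_RE.search(body)
    if clsid:
        entry.clsid = clsid.group(1)
    path = PATH_RE.search(body)
    if path:
        entry.path = path.group(1)
    # The referenced object no longer exists on disk: an orphaned hook, BHO, button or service.
    if MISSING_RE.search(body):
        entry.findings.append("MISSING_TARGET")
    # Services HJT cannot attribute to a known vendor deserve a second look.
    if code == "O23" and "Unknown owner" in body:
        entry.findings.append("UNKNOWN_OWNER")
    # O10 lines mean the Winsock LSP chain references a provider that is gone (LSP-Fix territory).
    if code == "O10":
        entry.findings.append("LSP_CHAIN")
    # O4 lines are Run-key autostarts, the persistence point for a process like eeee.exe.
    if code == "O4":
        entry.findings.append("AUTORUN")
    return entry


def parse_log(text: str) -> List[HjtEntry]:
    """Parse a whole log, skipping anything that is not an entry line."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e is not None]


def summarize(entries: List[HjtEntry]) -> dict:
    """Count how many entries carry each finding label."""
    counts: dict = {}
    for e in entries:
        for f in e.findings:
            counts[f] = counts.get(f, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for e in parsed:
        flags = ",".join(e.findings) or "-"
        print(f"{e.code:<4} {flags:<28} clsid={e.clsid} path={e.path}")
    print(summarize(parsed))
```

The path regex stops at the first .exe/.dll/.cab it reaches, which is what you want for lines such as the O9 entries where "(file missing)" follows the path; the flags are a reading aid for the helper, and deciding what to fix still needs a person looking at the whole log.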
     
  6. SofiaAgapao

    SofiaAgapao Private E-2

    I don't have the Read Me, I only have the program. :( I already had it installed; I didn't just download it recently.
     
  7. SofiaAgapao

    SofiaAgapao Private E-2

    I'll try this and let you know the results. Thanks a bunch!
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member



    The READ ME FIRST sticky has to be checked every time you come here. It changes. In fact it was totally re-written and posted last night. It is much different now.

    Make sure you have Spybot configured as specified in the READ ME FIRST sticky. Now called: READ & RUN ME FIRST Before Asking for Support
     
  9. SofiaAgapao

    SofiaAgapao Private E-2

    I just checked; it seems that it was configured correctly because everything was deselected already. I'll follow the directions you posted earlier and let you know how it goes.
     
  10. SofiaAgapao

    SofiaAgapao Private E-2

    I got as far as killing the process "C:\Program Files\rded\eeee.exe," but when I clicked "back," the scan button was un-clickable. What next??
     
  11. SofiaAgapao

    SofiaAgapao Private E-2

    Oh. Derr. I had to click "Back" again. Sorry...
     
  12. SofiaAgapao

    SofiaAgapao Private E-2

    Okay... I've done everything you've said, except that the "O10" and the two "O23" files weren't there to be deleted, as well as the "newdotnet" folder and the "teuksqpm5.exe" file.

    Here's the logfile:
     


  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, have HJT fix the below line (make sure no browsers are open when you click Fix):

    O2 - BHO: (no name) - {0E75C1DC-4573-2B14-DC9E-CD43F608DCDB} - (no file)

    After that you should be clean. Now work your way through the below! You need a real firewall, which is part of those steps.

    How to Protect yourself from malware!
     
  14. SofiaAgapao

    SofiaAgapao Private E-2

    Thank you SO much! I now have a firewall, which was a problem that I don't know how I ended up with, but it's fixed now. :D I think this is the last question that I have for you... I have a ton of spyware programs (all pretty legit I think, since they're all from this site!), and I'm wondering which ones are the absolute must-haves... like the top 10 or so. I don't run every single one every single day of course. Ad-Aware and Spybot get run most often. I just don't want to have "extra" programs on here that I don't really need - I don't want to run programs that aren't going to help me much, and I don't want to NOT have something that I should.

    Thanks!
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Tell me exactly what you have and I'll give you some suggestions. One thing you should realize too is that some tools (like Ad-Aware SE - unless you have the paid version and also SpywareBlaster) do not use any system resources until you run them. Spybot also uses very little unless you use Teatimer which I don't recommend. These tools really do not take up very much disk space either.
     
  16. SofiaAgapao

    SofiaAgapao Private E-2

    Currently, I have About:Buster, Ad-Aware, CCleaner, CWShredder, HJT, HSRemove, Kill2Me, LSPFix, Microsoft AntiSpyware, PestPatrol, Spybot, SpywareBlaster, SpywareGuard, and Stinger.

    Also, it seems that when using Mozilla instead of IE, the rich text editor doesn't show up in my Yahoo mail. Any idea why?
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you buy Ad-Aware and Pest Patrol?

    Do you have disk space problems? Like, are you low on free space?


    No! Try the Software Forum.
     
  18. SofiaAgapao

    SofiaAgapao Private E-2

    I don't think so, since I use my Flash drive to save almost everything... but I don't remember how to check that. But if these are all necessary to keep me clean and virus-free, I'll keep them all.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    So you did not buy any software?

    But what space is available on your hard disk? It has to be way larger than a flash drive.
     
  20. SofiaAgapao

    SofiaAgapao Private E-2

    No, I didn't buy anything. And I'm not sure how to check the disk space... and... *groan* CCleaner is giving me an error message, and my site builder program won't load. *rips out hair*
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    To get disk space just bring up Windows Explorer and locate the drive you want info on (like the C drive) and then right click on it at the highest folder level (C:\ ) and select Properties. Another method is to just bring up My Computer and it should show Total Size and Free Space too.

    Right now I would say uninstall PestPatrol. It does you no good to have it since it will not fix anything anyway.

    With MS Antispyware installed, you really will not need SpywareGuard so you can uninstall it. I would keep the other stuff. Some are small enough to not be a big deal to keep.

    about:Buster - small and only uses resources when run. Only needed infrequently.
    Ad-Aware - only uses resources when run
    CCleaner - only uses resources when run
    CWShredder - small and only uses resources when run
    HJT- small and only uses resources when run
    HSRemove - small and only uses resources when run
    Kill2Me - small and only uses resources when run.
    LSPFix - small and only uses resources when run. Very useful to have around if any malware corrupts the LSP chain which does happen.
    Microsoft AntiSpyware - big, always uses resources, but need it to block malware
    Spybot - SDhelper uses very little resource. Scanner only uses resources when run.
    SpywareBlaster - does not use any resources except when upgrading or configuring. It does not need to be running.
    Stinger - small useful scanner that only uses resources when scanning



    I don't know what you are referring to with site builder and it is probably not a topic for this forum.
     
  22. SofiaAgapao

    SofiaAgapao Private E-2

    I have 7.35 GB of free space.

    Any idea why CCleaner would suddenly start giving error messages?
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have plenty of space free! There is no need to uninstall any of the items except Spyware Doctor.

    What is the exact error message? You may want to uninstall it and then make sure you reboot. After reboot delete the C:\Program Files\Ccleaner folder if it still exists. Now reinstall the program. Let me know if that helps.
     
  24. SofiaAgapao

    SofiaAgapao Private E-2

    Excellent - worked like a charm. ;D

    You're a lifesaver!!
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  26. SofiaAgapao

    SofiaAgapao Private E-2

    I did that step before. ;D
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    OK! Sorry about that. I forgot that and I had not seen another log to verify that you added the firewall.

    Surf Safely!
     
  28. SofiaAgapao

    SofiaAgapao Private E-2

    OH! I forgot, sorry - here it is.

    BTW, can you recommend the correct forum for me to ask about my sitebuilder program not loading properly?... I tried Software, but there hasn't been any response. Thanks!
     


  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In message #13 I indicated you should fix:

    O2 - BHO: (no name) - {0E75C1DC-4573-2B14-DC9E-CD43F608DCDB} - (no file)

    Did you do that? It is still there! Note that there have been times that O2 BHO will just not go away. If you did try to fix it and it is still there, try again. If it still remains, try the below exactly as written:
    - boot into safe mode without any internet connection possible (unplug your cable)
    - DO NOT run anything (especially browsers) but what I give you.
    - run HJT and select the O2 BHO line
    - click Fix with HJT.
    - Now scan again (in safe mode) and see if the O2 line is gone (make note and report back later)
    - Now reboot into normal (still no connection and no browsers)
    - scan with HJT! Is O2 BHO line still gone?
    - Reconnect cable and open your browser. Then close the browser.
    - scan with HJT! Is O2 BHO line still gone?

    Now come back and tell me the results.

    Is Site Builder the program from Yahoo? Perhaps you need to reinstall it.
     
  30. SofiaAgapao

    SofiaAgapao Private E-2

    I did delete it way back then, and I tried it again just now. It didn't work - so I booted into safe mode, removed my Internet plug, and tried to remove it several times, without success. I'm now back in normal mode. Now what?...

    And no, my sitebuilder is a program unto itself, not an online program. The Yahoo thing is something different and unimportant (though I do miss it). The Sitebuilder is from Homestead.com.
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Never heard of it and I'm not sure what you mean by it does not load properly. Perhaps you need to reinstall it.
     
  32. SofiaAgapao

    SofiaAgapao Private E-2

    Hmmm... I'll try that. But what do I do about that "unremovable" file?

    O2 - BHO: (no name) - {0E75C1DC-4573-2B14-DC9E-CD43F608DCDB} - (no file)
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is not a file; it is a registry key. We probably do not need to worry about it. We have come across items like this before and they have not caused any residual problems. We could try one more step using a manual approach to editing the registry.

    Download the Registry Search Tool from here:

    http://www.billsway.com/vbspage/vbsfiles/RegSrch.zip

    Unzip to your Desktop and double click on regsrch.vbs
    (if you have script protection, please allow this to run)

    In the dialog that opens enter the following:

    0E75C1DC-4573-2B14-DC9E-CD43F608DCDB

    Press 'OK'

    The search will run for a while then alert you when it is finished. Press 'OK' and copy the contents of the WordPad window and post in this thread.
     
  34. SofiaAgapao

    SofiaAgapao Private E-2

    Okay, here's what I got:

    REGEDIT4
    ; RegSrch.vbs © Bill James

    ; Registry search results for string "0E75C1DC-4573-2B14-DC9E-CD43F608DCDB" 10/13/2005 9:06:54 PM

    ; NOTE: This file will be deleted when you close WordPad.
    ; You must manually save this file to a new location if you want to refer to it again later.
    ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


    [HKEY_USERS\S-1-5-21-1715567821-1383384898-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0E75C1DC-4573-2B14-DC9E-CD43F608DCDB}]

    [HKEY_USERS\S-1-5-21-1715567821-1383384898-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0E75C1DC-4573-2B14-DC9E-CD43F608DCDB}\iexplore]
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixBHO.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)
    Now make sure you close all browser sessions including this one before continuing (so write the below down, copy locally, or print).

    Then double-click on the fixBHO.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes

    Now run HJT and have it Fix (if still found):
    O2 - BHO: (no name) - {0E75C1DC-4573-2B14-DC9E-CD43F608DCDB} - (no file)

    Exit HJT and reboot your PC.

    After reboot, check your HJT log again and see if the BHO entry is gone.
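Added example covering messages 34 and 35; it is my code, not RegSrch.vbs and not the fixBHO.reg file the moderator supplied (whose contents are not shown in the thread). It parses the REGEDIT4-format output that RegSrch produces into key paths, splits each path into hive, user SID and subpath so you can see which account the hit belongs to, and builds a REGEDIT4 file that removes those keys using regedit's documented `[-KEY]` deletion syntax (a parent key deletion also removes its subkeys, so nested hits are collapsed). The sample text is constructed from the output pasted in message 34. Worth noting when reading such a result: both hits sit under the user's `Ext\Stats` branch, which is Internet Explorer's per-user add-on bookkeeping rather than the machine-wide Browser Helper Objects registration key, which fits HJT reporting an entry with no file behind it.

```python
"""Parse RegSrch.vbs (REGEDIT4) search output and build a REGEDIT4 key-deletion file.

Added example: my code, not RegSrch.vbs and not the fixBHO.reg from message 35
(whose contents are not shown in the thread).
"""
import re
from typing import List, Optional, Tuple

# Sample input constructed from the RegSrch output pasted in message 34.
REGSRCH_OUTPUT = r"""REGEDIT4
; RegSrch.vbs (c) Bill James

; Registry search results for string "0E75C1DC-4573-2B14-DC9E-CD43F608DCDB" 10/13/2005 9:06:54 PM

; NOTE: This file will be deleted when you close WordPad.

[HKEY_USERS\S-1-5-21-1715567821-1383384898-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0E75C1DC-4573-2B14-DC9E-CD43F608DCDB}]

[HKEY_USERS\S-1-5-21-1715567821-1383384898-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0E75C1DC-4573-2B14-DC9E-CD43F608DCDB}\iexplore]
"""

# A key header line; the lookahead skips headers that are already deletions ([-...]).
KEY_RE = re.compile(r"^\[(?!-)(HKEY_[A-Z_]+\\.+)\]$")
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_keys(text: str) -> List[str]:
    """Return the registry key paths listed in a REGEDIT4-format search result."""
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line == "REGEDIT4":
            continue  # header, comment or blank line
        m = KEY_RE.match(line)
        if m:
            keys.append(m.group(1))
    return keys


def split_key(key: str) -> Tuple[str, Optional[str], str]:
    """Split a key path into (hive, user SID if under HKEY_USERS, remaining subpath)."""
    parts = key.split("\\")
    hive = parts[0]
    if hive == "HKEY_USERS" and len(parts) > 1 and SID_RE.match(parts[1]):
        return hive, parts[1], "\\".join(parts[2:])
    return hive, None, "\\".join(parts[1:])


def keys_mentioning(keys: List[str], needle: str) -> List[str]:
    """Keep only keys whose path contains the searched string (case-insensitive)."""
    return [k for k in keys if needle.lower() in k.lower()]


def deletion_reg(keys: List[str]) -> str:
    """Build REGEDIT4 text that removes the given keys.

    Regedit's import format deletes a key, and everything beneath it, when the key
    header is prefixed with '-'. Keys that are subkeys of another listed key are
    therefore dropped. Lines use CRLF and the file ends with a blank line, as
    regedit expects.
    """
    roots = [k for k in keys
             if not any(o != k and k.lower().startswith(o.lower() + "\\") for o in keys)]
    lines = ["REGEDIT4", ""]
    for k in roots:
        lines.append(f"[-{k}]")
        lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    found = parse_keys(REGSRCH_OUTPUT)
    for k in found:
        hive, sid, sub = split_key(k)
        print(f"{hive}  user={sid}  {sub}")
    print(deletion_reg(keys_mentioning(found, "0E75C1DC-4573-2B14-DC9E-CD43F608DCDB")))
```

Filtering on the searched string before generating the deletion file matters: RegSrch reports every key that matched, and a `.reg` built from an unfiltered list would delete whatever else happened to be in that window.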
     
  36. SofiaAgapao

    SofiaAgapao Private E-2

    All righty, I tried that... and it's still there. This thing is stubborn!
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As I said in message # 33, we have had BHO's like this before. For some reason we just cannot get them completely removed. However they do not represent or cause any problems because there is no file associated with them.

    We could try one more thing and then I would suggest ignoring it if it still exists.

    Download RegSupreme Pro 1.1

    Install this program. After you install, you will be prompted to "defrag" your registry for best performance. Go ahead and click YES; it should take but a minute or so.

    After this completes, at the top click the REGISTRY CLEANER tab. Then click on "Aggressive" and let it scan. Afterwards you will see the total of invalid entries found. Once it's complete, select ALL entries and select FIX. The program will then fix the ones that are fixable; the ones that are not will be removed. Type in a backup filename and save to a location where you know you can find it, just in case we run into any problems.

    Now see if the O2 BHO line still appears!
     
  38. SofiaAgapao

    SofiaAgapao Private E-2

    Good grief, there were 624 items and no "select all" button - my clicker finger is sore! LOL Anyway, the program said that it fixed 26 items and removed 598 out of the 624.

    The file is still there, which I guess is okay as long as it's not doing any harm...
     
  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's try two more scans and then I would just ignore this BHO. We have had problems removing this before and while they just would not go away, there were no malware problems being experienced with the registry keys still showing.

    Run these.

    Panda ActiveScan - save the log and attach it later.

    Running Ewido Security Suite - attach this log too.
     
  40. SofiaAgapao

    SofiaAgapao Private E-2

    Hello again,

    I had some problems with the first scan. I had to exit Mozilla and use IE, or else it wouldn't work. While running, avast! found a virus, which I think interrupted the scan. I tried twice, with the same result.

    Here's the message I received from avast!:

    A virus was found! There is no reason to worry, though. avast! has stopped the malware before it could enter your computer. When you click on the "Abort connection" button, the download of the dangerous file will be canceled.
    File name: http://acs.pandasoftware.com/activescan/as5free/motor.cab\pska
    Malware name: Win32:CTX
    Malware type: Virus/Worm
    VPA version: 0542-0, 10/17/2005


    Here's the error message that I received from Panda ActiveScan:

    Error on downloading ActiveScan
    An error has occurred downloading Panda ActiveScan. Please repeat the process. If the error occurs again, restart your system and try again
    Possible causes of this error are:

    Not allowing the application's ActiveX control to be downloaded.

    Problems with the Internet connection.

    The error could be due to a download error or an installation error due to lack of hard disk space, privileges etc.,...


    The second scan seemed to work just fine; attached is the log.
     


  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Those are probably false positives from Avast. There have been many cases where an antivirus application will detect virus definitions for other scanners to be malware. That is likely the case here too. You could just disable Avast and try Panda again. Otherwise I would just drop this. I don't think there is any real point of going further. As long as your system is running OK, ignore that O2 BHO line.
     
  42. SofiaAgapao

    SofiaAgapao Private E-2

    All right. Thanks for all your help!!
     
  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf Safely!
     
