Malware Removal: Malware removal forum. Please see the READ ME FIRST thread before you post. Forum is staffed by a small number of volunteers, please be patient.
#1
Hey Guys. I'm new here and was directed by a friend who spoke very highly of the expertise here. I'm hoping you can help me out.
My computer has been odd lately. I play a lot of Counter Strike: Source. My friend has a laptop that is basically a lot lower quality than mine, yet he manages to get higher pings, better FPS, etc. I have random pop-ups constantly on my computer, sometimes just a blank "This Page Cannot Be Displayed," other times with random advertisements for everything from horoscopes to groceries. My computer is laggy and slow at times, and even though it's a laptop, it should be much faster with an AMD64 Athlon, ATI Mobility Radeon 9600, Windows XP and 512 RAM. So I went through and did all the CCleaner, Adaware, Spybot, BDScan stuff. Attached are my BDScan log and my HijackThis log file. Please let me know any suggestions or answers you have. When I ran HJ, I didn't have it fix anything... figured I would wait to see what you all thought. Thanks again. Let me know if you need any other info!
#2
Let's start by following the below threads...
Uninstall Malware via Add/Remove Programs
SurfSideKick Removal
After you have completed the above threads please reboot and proceed with the below...
Please see the below thread on how to install and run Ewido Anti-Malware.
Once you have completed the above, post the Ewido log with a fresh HJT log.
#3
Alright. Well I did everything, but I'm still getting popups. For the record, they say stuff like "Search Inquire" and other crap. Anyway, attached are the Ewido and HJT logs.
Please let me know what else you want me to do!
#4
You skipped the "Uninstall Malware via Add/Remove Programs" thread so this fix is going to be long.

Please look in Add/Remove Programs for the following and uninstall them if found:
Ewido
ICOO Loader
Wild Tangent
Viewpoint
SurfAccuracy
ISTsvc
Internet Optimizer
WinFixer2005
WeatherBug
eZula
GAIN

Now scan with HijackThis and check the boxes for the following entries: (Make sure ALL browser windows are closed when you click FIX)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R3 - Default URLSearchHook is missing
O2 - BHO: ICOOExternal Class - {0519A9C9-064A-4cbc-BC47-D0EACD581477} - C:\Program Files\ICOO Loader\addons\icooue.dll
O2 - BHO: ICOODManager Class - {465A59EC-20E5-4fca-A38A-E5EC3C480218} - C:\Program Files\ICOO Loader\addons\icoou.dll
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [Search Bar] C:\WINDOWS\searchbar.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [IqFn8O] C:\WINDOWS\frsns.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [Client Update] C:\WINDOWS\wup.exe
O4 - HKCU\..\Run: [WinFixer2005] C:\Program Files\WinFixer2005\uwfx5.exe /scan
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edg...activex/dlm-activex-2.0.3.1.cab
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} (Installer Class) - http://downloads.shopathomeselect.co...sm1009_sp2.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c9.cab

Again, make sure ALL browser windows are closed when you click FIX.

Now, please boot into Safe Mode, be sure you have the Viewing of Hidden Files & Folders Enabled per the tutorial.

Now, navigate to and DELETE the following if they should remain:
Manually locate and delete each of the folders below!
C:\WINDOWS\wt
C:\Program Files\ISTsvc
C:\Program Files\AWS
C:\Program Files\eZula
C:\Program Files\Viewpoint
C:\Program Files\ICOO Loader
C:\Program Files\SurfAccuracy
C:\WINDOWS\system32\nsvsvc
C:\Program Files\WinFixer2005
C:\Program Files\Internet Optimizer
C:\Program Files\Common Files\GMT
C:\Program Files\Common Files\CMEII
C:\WINDOWS\wup.exe
C:\WINDOWS\frsns.exe
C:\WINDOWS\searchbar.exe

Next, run CCleaner to clean up cookies and temp files.

Finally, I would like you to flush your System Restore points. Please follow the instructions in the below:

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
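The fix above is built by hand from a HijackThis log: each R/O line names a registry hijack, a BHO, a Run-key autostart or an ActiveX download, and the helper turns those into an uninstall list, a FIX list and a Safe Mode delete list. The following is an added example, not code from the thread or from HijackThis, that does the same triage mechanically. It parses a constructed sample made of lines quoted in the post above, extracts the CLSID, on-disk path and URL from each entry type, and applies one rule the delete list above implies: a binary dropped straight into WINDOWS or system32 (wup.exe, frsns.exe) is deleted on its own, while anything installed in its own folder (ISTsvc, ICOO Loader) is removed as a whole folder. The SYSTEM_DIRS set, the entry-type handling and the sample line selection are my assumptions; 8.3 short names such as PROGRA~1 are not expanded.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample input: HijackThis lines quoted in the post above,
# one per line as HJT itself writes them.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R3 - Default URLSearchHook is missing
O2 - BHO: ICOOExternal Class - {0519A9C9-064A-4cbc-BC47-D0EACD581477} - C:\Program Files\ICOO Loader\addons\icooue.dll
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [IqFn8O] C:\WINDOWS\frsns.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c9.cab
"""

LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# quoted or unquoted drive path ending in a binary extension, followed by args or end
EXE_RE = re.compile(r'^"?([A-Za-z]:\\.+?\.(?:exe|dll|com|bat|scr|pif|cpl|sys))"?(?=\s|$)', re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")
# Assumed roots: a file directly under one of these is deleted alone,
# a file deeper down takes its top-level folder (as the post's delete list does).
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32", "c:\\program files",
               "c:\\program files\\common files", "c:\\progra~1"}


@dataclass
class Entry:
    kind: str             # HJT section code: R0, R1, R3, O2, O4, O9, O16, ...
    detail: str           # everything after the "Oxx - " prefix
    clsid: Optional[str]  # {GUID} for O2 BHOs, O9 buttons and O16 ActiveX downloads
    path: Optional[str]   # on-disk binary the entry points at, if any
    url: Optional[str]    # hijacked search URL (R0/R1) or ActiveX .cab URL (O16)
    file_missing: bool    # HJT tags entries whose target no longer exists


def _exe_from_command(cmd: str) -> Optional[str]:
    """Pull the executable out of a Run-key command line, whether quoted,
    unquoted with spaces, or followed by arguments such as -launch or /scan."""
    m = EXE_RE.match(cmd.strip())
    return m.group(1) if m else None


def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, detail = m.group(1), m.group(2)
    clsid = CLSID_RE.search(detail)
    url = URL_RE.search(detail)
    path = None
    if kind == "O4":
        # "HKLM\..\Run: [name] command"  or  "Global Startup: x.lnk = target"
        if "] " in detail:
            path = _exe_from_command(detail.split("] ", 1)[1])
        elif " = " in detail:
            path = _exe_from_command(detail.split(" = ", 1)[1])
    elif kind in ("O2", "O9"):
        # "... - {CLSID} - C:\path\file.dll (file missing) (HKCU)"
        path = _exe_from_command(detail.rsplit(" - ", 1)[-1])
    return Entry(kind, detail, clsid.group(0) if clsid else None, path,
                 url.group(0) if url else None, "(file missing)" in detail)


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def delete_targets(entries: List[Entry]) -> Tuple[Set[str], Set[str]]:
    """Safe Mode cleanup list: (files to delete, folders to delete)."""
    files: Set[str] = set()
    folders: Set[str] = set()
    for e in entries:
        if not e.path or e.file_missing:
            continue  # nothing on disk; the registry entry alone is fixed in HJT
        parts = e.path.split("\\")
        for i in range(len(parts) - 1, 0, -1):
            if "\\".join(parts[:i]).lower() in SYSTEM_DIRS:
                if i == len(parts) - 1:
                    files.add(e.path)                       # loose file in a system dir
                else:
                    folders.add("\\".join(parts[:i + 1]))   # its own top-level folder
                break
        else:
            files.add(e.path)  # unknown root: remove only the file, never guess a folder
    return files, folders


def triage(text: str) -> dict:
    entries = parse_log(text)
    files, folders = delete_targets(entries)
    return {
        "autostart": [e.path for e in entries if e.kind == "O4" and e.path],
        "bho_dlls": [e.path for e in entries if e.kind == "O2" and e.path],
        "activex_urls": [e.url for e in entries if e.kind == "O16" and e.url],
        "search_urls": [e.url for e in entries if e.kind in ("R0", "R1") and e.url],
        "dead_entries": [e.detail for e in entries if e.file_missing],
        "delete_files": sorted(files),
        "delete_folders": sorted(folders),
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section)
        for item in items:
            print("   ", item)
```

On the sample, the only file deleted on its own is C:\WINDOWS\frsns.exe; the WeatherBug O9 entry is reported under dead_entries but produces no delete target, since HJT already says the file is missing and only the registry entry needs fixing.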
#5
Alright.. Well I'm going through and doing this now. I just wanted to post that the only programs on my program list were
Ewido
ICOO Loader
And anytime I've EVER tried to uninstall Weatherbug, I get an error that says "Could not load INSTALL.LOG." Anyway, I'm gonna do everything else now.
#6
I just went through in safe mode to manually delete the files and folders as directed, and the only ones there were the following:
AWS
VIEWPOINT
ICOO LOADER
So I deleted those. Ok, going onto the next step...
#7
Alright. Well it seems like it's alright now, but I just now got this popup... maybe you know what it is? Something about "You may have been infected by the Blackworm Virus. Click OK to prevent any further MalWare infection."
I don't know... anyway, here is the HJT log. Thanks!
#8
For what it's worth, I'm still getting popups, although they are not as frequent. They really only occur when I have a browser open, although I use Firefox as my browser and the popups are always IE.
Any other ideas?
#9
Your HJT log looks good, let's get a little deeper to see if anything is hiding.
Please see the below thread on how to run WinPfind and attach the log.
#10
Attached is the WinPFind log.
*crosses fingers*
#11
Download AproposFix© by Swandog46
Save it to your desktop or to another folder of its own, but do NOT run it yet!
Now reboot your computer in Safe Mode! (You must be in safe mode or this fix will not work.)
Once in Safe Mode, double-click aproposfix.exe, which will give you a choice of where to unzip/install the program to (this is called the Destination folder in the window that pops up). So either install it to the Desktop or the folder where you downloaded the aproposfix.exe file to. It will create a new folder named aproposfix.
Open the aproposfix folder and double click on RunThis.bat to run the fix. Follow the prompts.
When the tool is finished, reboot back into normal mode, and post the entire contents of the log.txt file that has been created in the aproposfix folder.
#12
Here is the Apropos log... I wasn't sure how long it was supposed to run, it seemed rather quick... anyway, here ya go.

Log of AproposFix v1.1
************
Running from directory:
C:\Documents and Settings\Brock Aun\Desktop\aproposfix
************
Registry entries found:
[HKEY_LOCAL_MACHINE\Software\CpXe6AE9hX95]
@="hs58v 2EFFEFFGFmvx:7w5EFFEUHFoafVgokF6C67w0LKFv5 9w56F010 36wuG6C6"
"Device"="\\\\.\\Udflter"
"DriverPath"="C:\\WINDOWS\\system32\\drivers\\mnmipsec.sys"
"DriverName"="Parudio"
"HideUninstallerName"="C:\\Program Files\\Mire k++\\cfgils.exe"
"UninstallerPath"="C:\\WINDOWS\\system32\\ctlship6.exe"
"UninstallerRegKey"="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{872DB474-11B1-431F-A173-10F02591C61D}"
"UninstallerParams"="/CTUN"
"HDll"="C:\\WINDOWS\\system32\\ifmicdll.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
"PartnerId"="CP.IST2"
"InstallationId"="{Xbfe402a-a8a2-6084-b30f-c2cd6dbd357d}"
"PageFiltering"=dword:00000001
"CrMnTmt"=dword:0036ee80
************
Removing hidden service:
Service Parudio removed.
Removing hidden folder:

That's all. Did I close it too early or was that all it runs?
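The key dump in the log above is in .reg export syntax (value names quoted, backslashes doubled, DWORDs as dword:hex), and it is where the real indicators live: the driver the hidden service loaded, the DLL it injected, the device object, the uninstaller it hid, and the host it talked to. The following is an added example, not code from the thread or from AproposFix, that parses that syntax correctly (unescaping the doubled backslashes, decoding the DWORDs) and sorts the string values into indicator categories a responder would pivot on. The sample input is the dump above reflowed one value per line; the category names and the classification rules are my assumptions, and nothing is inferred about what any value name means.

```python
import re
from typing import Dict, List, Tuple, Union
from urllib.parse import urlparse

# Constructed sample input: the registry key AproposFix reported in the log
# above, reflowed to one value per line in .reg export syntax.
SAMPLE_DUMP = r'''
[HKEY_LOCAL_MACHINE\Software\CpXe6AE9hX95]
@="hs58v 2EFFEFFGFmvx:7w5EFFEUHFoafVgokF6C67w0LKFv5 9w56F010 36wuG6C6"
"Device"="\\\\.\\Udflter"
"DriverPath"="C:\\WINDOWS\\system32\\drivers\\mnmipsec.sys"
"DriverName"="Parudio"
"HideUninstallerName"="C:\\Program Files\\Mire k++\\cfgils.exe"
"UninstallerPath"="C:\\WINDOWS\\system32\\ctlship6.exe"
"UninstallerRegKey"="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{872DB474-11B1-431F-A173-10F02591C61D}"
"UninstallerParams"="/CTUN"
"HDll"="C:\\WINDOWS\\system32\\ifmicdll.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
"PartnerId"="CP.IST2"
"InstallationId"="{Xbfe402a-a8a2-6084-b30f-c2cd6dbd357d}"
"PageFiltering"=dword:00000001
"CrMnTmt"=dword:0036ee80
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
# '@=...' is the key's default value; otherwise the name is a quoted string
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')
Value = Union[str, int]


def _unescape(s: str) -> str:
    # .reg syntax doubles backslashes and backslash-escapes embedded quotes
    return re.sub(r"\\(.)", r"\1", s)


def parse_value(line: str) -> Tuple[str, Value]:
    m = VALUE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a registry value line: {line!r}")
    name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
    raw = m.group(2)
    if raw.startswith("dword:"):
        return name, int(raw[len("dword:"):], 16)
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return name, _unescape(raw[1:-1])
    return name, raw  # hex:, expand-string etc. are left exactly as written


def parse_key(text: str) -> Tuple[str, Dict[str, Value]]:
    key, values = "", {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        k = KEY_RE.match(line)
        if k:
            key = k.group(1)
        else:
            name, val = parse_value(line)
            values[name] = val
    return key, values


def classify(value: str) -> str:
    """Assumed indicator categories for a string value."""
    if re.match(r"^[A-Za-z]:\\", value):
        return "file"
    if value.startswith("\\\\.\\"):
        return "device"          # Win32 device object name, e.g. \\.\Udflter
    if re.match(r"^https?://", value):
        return "url"
    if re.match(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$", value):
        return "host"            # bare hostname with an alphabetic TLD
    if value.startswith("HKEY_"):
        return "regkey"
    return "other"


def indicators(values: Dict[str, Value]) -> Dict[str, List[str]]:
    """Group string values by category; hosts inside URLs are added to 'host'
    so a contact domain seen twice (bare and in a URL) is reported once."""
    out: Dict[str, set] = {}
    for val in values.values():
        if not isinstance(val, str):
            continue
        cat = classify(val)
        out.setdefault(cat, set()).add(val)
        if cat == "url":
            host = urlparse(val).hostname
            if host:
                out.setdefault("host", set()).add(host)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    key, values = parse_key(SAMPLE_DUMP)
    print(key)
    for cat, items in indicators(values).items():
        print(cat, items)
```

Two things the parser makes visible that the raw dump hides: the doubled backslashes in "Device" collapse to the device object name \\.\Udflter, and the two dword values decode to 1 and 3600000. The host adchannel.contextplus.net turns up both as a bare value and inside the LegalNote URL and is reported once.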
#13
Ok, ignore that previous post. I went ahead and did it again and got the full log of the full scan, as well as a new HijackThis log.
Attached are both. Let me know what else I need to do next!
#14
Anyone? Haha.
#15
BJ may not be around for a couple days!
Are you still having problems? It looks like AproposFix worked. This time.
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."
#16
I think things are better... I haven't had any popups since the fix. Although I'm wondering if there is anything else I can do to check, since throughout this whole process I was made aware of several things on my computer that I didn't even know were hiding back there.
#17
It is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point. After that, you should work thru the below link: How to Protect yourself from malware!