ad.firstadsolution pop ups....need help

Discussion in 'Malware Help (A Specialist Will Reply)' started by phatcat, Dec 19, 2006.

  1. phatcat

    phatcat Private E-2

    Hello, I am new here and can't figure out how to get rid of these pop-ups. They are from ad.firstadsolutions and are very frequent. I have tried a lot of different spyware removal tools and have not had any luck......also, whatever it is also made my System Restore unusable. I get a message stating that I should reboot and try again...a "System Restore cannot protect your computer" message.

    I am posting a copy of a hijack this log if someone can help me out.


    please.........:confused: :confused: :confused: :mad:
    thanks much in advance


    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.


    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy
      • AVG Antispyware log - ONLY IF NEEDED (you were not able to run CounterSpy)
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. phatcat

    phatcat Private E-2

    Did all the scans and tests....still need help

    I went through your guide to removing spyware and followed the directions to the best of my abilities.
    I could not start in safe mode....blue screen freeze
    I could not do the Bitdefender for some reason....below are my problems and scans.

    I get pop-ups for ad.firstadsolution, winclean up 2006 (or something close to that). Now after all the scans I am getting new pop-ups about my registry needing cleaning, whenever I search for something or randomly just pop-ups.

    My System Restore is not working. It says System Restore is not able to protect your computer, please reboot....

    I could not get the get run key or the show new to do anything except open a blank black box.
    Here are the first of my scans:

    Please help...this is my second post and I have spent about 4 hours going through the way to do things.
     

    Attached Files:

  4. phatcat

    phatcat Private E-2

    Need help....ad.firstadsolution and more

    I have had a post on here on page 2, and no replies yet. Could someone please help me out????????:eek: :eek: :eek:
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Did all the scans and tests....still need help

    You need to attach the other two logs requested. (GetRunKey and ShowNew) Did you look at the error messages being received (if any)? Are they the same as ones described on the download pages?
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Need help....ad.firstadsolution and more

    Also please run the below procedure.

    Please download VundoFix.exe to your desktop.
    1. Double-click VundoFix.exe to run it.
    2. Click the Scan for Vundo button.
    3. Once it's done scanning, click the Remove Vundo button.
    4. You will receive a prompt asking if you want to remove the files, click YES
    5. Once you click yes, your desktop will go blank as it starts removing Vundo.
    6. When completed, it will prompt that it will reboot your computer, click OK.
    • If the above steps said no problems were found, skip down to the section below to attach a log. If the above steps did find Vundo, please just repeat steps 1 thru 6 again.
    • Now repeat the above bullet again (this would make 3 times if Vundo is still being found).

    Attaching a VundoFix Log

    Now please post the contents of C:\vundofix.txt and a new HiJackThis log.


    Note: It is possible that VundoFix may encounter a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
     
  7. phatcat

    phatcat Private E-2

    I ran Virtumonde..nothing found

    As for the get key and get new, all I got was a black box with this line:
    c:\progam~1\getrun~1>
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Click Start, Run and enter cmd and click OK. This will open up the command prompt window. Now type the below into the command prompt. Note that I don't know the folder name you used for GetRunKey or ShowNew so I will assume the below. Change the text to match where you installed them. Make sure to include the quotes as shown.

    cd "C:\Program Files\GetRunKey"
    getrunkey.bat

    now tell me exactly what you see in the window

    cd "C:\Program Files\ShowNew"
    shownew.bat

    now again tell me exactly what you see in the window
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now please download Blacklight Beta
    • Download blbeta.exe and save it to the Desktop.
    • Once saved... double click blbeta.exe to install the program.
    • Click accept agreement and Click scan
      This app too may fire off a warning from antivirus. Let the driver load.
      Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please post contents of the BlackLight log.

    Continue by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - C:\WINDOWS\system32\qxfkvmtd.dll
    O2 - BHO: (no name) - {8bbc9663-8949-48a1-9431-93602e5d8aea} - (no file)
    O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - (no file)
    O2 - BHO: (no name) - {E73F42E0-D307-4049-8451-34BDCEC814AB} - (no file)
    O4 - HKCU\..\Run: [buildshim] C:\DOCUME~1\KRISTI~1\APPLIC~1\CHINBE~1\City remote.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O20 - Winlogon Notify: mgmspi - C:\WINDOWS\

    After clicking Fix, exit HJT.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\KRISTI~1\Application Data\CHINBE~1\City remote.exe
    C:\WINDOWS\system32\fhcxufct.dll
    C:\WINDOWS\system32\gtdppcvc.dll
    C:\WINDOWS\system32\lvmcdgof.dll
    C:\WINDOWS\system32\nmuwkwbq.dll
    C:\WINDOWS\system32\qmaoyrww.dll
    C:\WINDOWS\system32\qpwfbwmd.dll
    C:\WINDOWS\system32\vhbcjvxe.dll
    C:\WINDOWS\system32\vphwdtfy.dll
    C:\WINDOWS\system32\vtgsggdt.exe
    C:\WINDOWS\system32\vubyqrac.dll
    C:\WINDOWS\system32\vufxvyep.dll
    C:\WINDOWS\system32\qxfkvmtd.dll
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    Now attach the below new logs (if possible) and tell me how the above steps went.
    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
    Last edited: Dec 22, 2006
  10. phatcat

    phatcat Private E-2

    Here is what I have:
    For the show new and get file logs, it stated:
    " " is not recognized as an internal or external command, operable program or batch file....for both.

    I enclosed the new HijackThis log below,
    and followed the rest of the directions.

    After reboot I have been on for 10 min. and all seems to be working good, no pop-ups.:) :) :)

    I will try it for awhile and let you know in a few hours of the progress.
     

    Attached Files:

  11. phatcat

    phatcat Private E-2

    Thank you greatly. Is there a place I can donate to the site?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I still see the same items in your HJT log. Did you follow the directions exactly? Did you click Fix checked?

    If you are getting that error message from GetRunKey and ShowNew it means you did not extract all the files from the ZIP file. Tell me exactly where you extracted the files to (like is it C:\Program Files\GetRunKey ) and give me a list of what files you see in the folders.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We are working on a way to make it possible to do that and all money we collect will go towards charities.
     
  14. phatcat

    phatcat Private E-2

    Here is my latest hijack log, maybe I ran it too early before...

    As for the other keys, I will try to re-extract them and get you a scan soon.
    Thanks.
     

    Attached Files:

  15. phatcat

    phatcat Private E-2

    I created a folder in the Program Files called get run and extracted them from the desktop to the folder.

    I have 3 files for the get run
    autoexec.nt, config.nt,command.com
    and i can no longer find the other.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are not following the directions that said to download the ATTACHED file. The files you mentioned above are not GetRunKey nor is it ShowNew. Those are the files from the XPfix stuff that you only need to download when the defined error occurs and if you did get that error, this is not the correct place to put those files.

    You need to download GetRunKey.zip and ShowNew.zip. You are not doing that! See the attachments not the inline links that are for error problems.
     
  17. phatcat

    phatcat Private E-2

    Here they are. I am sorry that I did it wrong. I am getting a few pop-ups now, but a lot less.
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still have a few infections:
    1. Smitfraud
    2. NSIS Media
    3. Virtumonde
    4. LOP
    Let's continue!

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 3
    J2SE Runtime Environment 5.0 Update 6
    Java 2 Runtime Environment, SE v1.4.2_03
    Mozilla Firefox (1.5.0.9)

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Then install the current version of FireFox from: Mozilla Firefox


    Now run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} - http://activex.microgaming.com/DLhelper/version7/dlhelper.cab

    After clicking Fix, exit HJT.


    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\Kristi Reams\Application Data\chin beep hole\City remote.exe
    C:\WINDOWS\Downloaded Program Files\popcaploader.dll
    C:\WINDOWS\Downloaded Program Files\CONFLICT.1\dlhelper.dll
    C:\WINDOWS\system32\gjkkj.ini
    C:\WINDOWS\system32\gjkkj.ini2
    C:\WINDOWS\system32\hkdclvvh.ini
    C:\WINDOWS\system32\pluggi1.dat
    C:\ajspu.sys
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folder and delete if found:
    C:\Documents and Settings\Kristi Reams\Application Data\chin beep hole
    C:\Documents and Settings\Kristi Reams\Application Data\obj mess kind
    C:\Program Files\chin beep hole
    C:\Program Files\Uniblue\SpyEraser


    Also delete all files and subfolders in the below folder except ones from the current date (Windows will not let you delete the files from the current day).
    C:\Documents and Settings\Kristi Reams\Local Settings\Temp\

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
    Last edited: Dec 25, 2006
  19. phatcat

    phatcat Private E-2

    Everything went smoothly. I will attach the new scans and check to see if I get any pop-ups.

    As for the System Restore, I cannot access it. It gives me a message: "System restore can not protect your system, Please reboot"

    Thanks for the help and merry X-mas
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome & Merry Christmas to you too.

    Okay I had a typo in that last registry patch and I also think CounterSpy may be blocking the fixes. So please uninstall CounterSpy now. Do this before continuing!!!!


    Then re-download the fixME.reg patch from my last message because I changed it. Then add it into the registry just like last time. Make sure you tell me if you get a success message or a failure or error message when doing this.


    You did not run ShowNew & GetRunKey properly last time. You ran it from inside the ZIP file. Delete the ShowNew.zip GetRunKey.zip files so that you cannot do this by mistake anymore. You must only run the ShowNew.bat file and GetRunKey.bat files from outside of the ZIP file and from Windows Explorer prompt. When you got your logs in message # 17, you ran them properly.

    After doing all of the above, attach new logs from GetRunKey & ShowNew and also indicate how things are working.
     
  21. phatcat

    phatcat Private E-2

    I tried doing this, but ran into a problem. It says that command prompt has been disabled by your administrator.....press any key to continue.

    I checked with my friend who was over today while I was gone to see if he did anything strange. He said he downloaded some stuff, so I checked into what he downloaded and one of the files, someone stated, has a ciadoor virus in it. I think this is stopping me....I found the file downloaded, but it will not let me delete it. It says it's being used by another application....so I guess I need more help now, and a suggestion for a good antivirus program as well.
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This was a bad idea! Especially while your PC is still having problems with infections!

    Now you need to begin the READ & RUN ME over again from the beginning, since we have no idea what may have happened now! However before starting the READ & RUN ME, install both of the below:

    AVG Free Edition - install get updates and run a full system scan. If anything is found in normal boot mode that cannot be removed, boot in safe mode and run again.

    ZoneAlarmFree

    Now run the READ & RUN ME and attach all logs.
     
  23. phatcat

    phatcat Private E-2

    I ran through all the scans and tests again and have 4 of them here. The get run and show new will not allow me to do them. I get a message saying that
    "the command prompt has been disabled by your administrator, press any key to continue"

    I don't seem to be getting any pop-ups, but I am wondering about the above message and the inability to use my System Restore. I get a message saying that System Restore is unable to protect your computer, please reboot.

    below are the logs i could run.
    thanks
     

    Attached Files:

  24. phatcat

    phatcat Private E-2

    cont.
     

    Attached Files:

  25. phatcat

    phatcat Private E-2

    The new message for System Restore is "system restore has been turned off by group policy, to turn on system restore, contact your domain administrator"
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Based on what I'm seeing, you need to keep your "friend" off your PC! Especially on your user account! ZoneAlarm does not seem to be installed properly. Did you reboot after installing it as it suggests?

    First uninstall CounterSpy because it may get in the way of these fixes.

    Now Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\
    F3 - REG:win.ini: load=C:\WINDOWS\system32\scvhost.exe
    F3 - REG:win.ini: run=C:\WINDOWS\system32\scvhost.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

    After clicking Fix, exit HJT.


    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


    C:\Documents and Settings\All Users\Application Data\BlehExtraCurbVga\beepball.exe
    C:\WINDOWS\system32\scvhost.exe
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.


    After reboot, retry the fixME.reg patch from message number 18.

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey - download the new version first and use it
    2. ShowNew - download the new version first and use it
    3. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
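
Added example (not part of the original thread, and not code from HijackThis or MajorGeeks): a small triage pass over HijackThis lines quoted in posts 9 and 26, showing why entries of this kind get selected for fixing. The flag names, the `SYSTEM_NAMES` comparison list and all function names are assumptions made for illustration.

```python
import re
from typing import List, NamedTuple

# Sample input: HijackThis lines copied from posts 9 and 26 of this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - C:\WINDOWS\system32\qxfkvmtd.dll
O2 - BHO: (no name) - {8bbc9663-8949-48a1-9431-93602e5d8aea} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
F3 - REG:win.ini: load=C:\WINDOWS\system32\scvhost.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

# Assumption: a short list of genuine Windows process names to compare against.
SYSTEM_NAMES = ("svchost.exe", "explorer.exe", "winlogon.exe", "lsass.exe")

# "<section code> - <rest of line>", e.g. "O2 - BHO: ..."
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# File name following the last backslash of a path, .exe or .dll only.
BASENAME = re.compile(r'\\([^\\"]+?\.(?:exe|dll))', re.IGNORECASE)


class Finding(NamedTuple):
    code: str
    body: str
    flags: List[str]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_line(line: str):
    """Return a Finding for one HijackThis line, or None if it is not an entry."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    flags = []
    if "(no file)" in body or "(file missing)" in body:
        flags.append("orphaned")            # registry entry points at nothing
    if code in ("F2", "F3"):
        flags.append("ini-autostart")       # Shell= / load= / run= autoload
    if code == "O7":
        flags.append("policy-restriction")  # user locked out of a system tool
    if code == "O2" and "(no name)" in body:
        flags.append("unnamed-bho")         # browser helper with no description
    for name in BASENAME.findall(body):
        for real in SYSTEM_NAMES:
            # Close to, but not equal to, a genuine system file name.
            if 0 < edit_distance(name.lower(), real) <= 2:
                flags.append("lookalike:" + real)
    return Finding(code, body, flags)


def triage_log(text: str) -> List[Finding]:
    """Triage every parseable line of a HijackThis log."""
    return [f for f in map(triage_line, text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f.code.ljust(4), ",".join(f.flags) or "-", "|", f.body)
```

An empty flag list does not mean an entry is clean; the QuickTime line carries no flag here yet was still selected for fixing in post 26.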
     
  27. phatcat

    phatcat Private E-2

    I did get the pending files message...had to reboot myself..

    Tried running the getrun and show new, but still got the message "the command prompt has been disabled by the administrator"
    Here is the HJT log.
     

    Attached Files:

  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try this!

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Can you run GetRunKey and ShowNew now?
     
  29. phatcat

    phatcat Private E-2

    I tried that, no luck......when I double click on the desktop, what is supposed to happen? All that it does is open up?

    same message for get run and show new as before.
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should not be getting a message that is the same as for trying to run GetRunKey and ShowNew. We are not trying to open a command prompt. We are just trying to add a fix into the registry. Are you double clicking on the fixMe.reg file saved to your Desktop or are you double clicking on your Desktop? Please explain problems more clearly with more details. Earlier in message # 18 you added in the registry patch given, so why can't you do the same now? If you still cannot get the fixMe.reg patch to add into your registry, try the below.

    1. Download the file UnHookExec.inf and save it to your Windows desktop.
    2. Locate the UnHookExec.inf file on the Windows desktop.
    3. Right-click the UnHookExec.inf file and click install. (This is a small file. It does not display any notice or boxes when you run it.)
    Questions:
    1. What version of Windows XP do you have (home, Pro, Media)?
    2. If you click Start, Run and enter gpedit.msc and click OK, does the Group Policy window come up.
     
  31. phatcat

    phatcat Private E-2

    I am double clicking the fixme icon on my desktop as I was told to save to there.
    After I double click it, it opens up the file I saved to notepad. Is this what it's supposed to do? I did not see anything about merging to my registry appear.

    If I did it in step 18, I did the exact same thing, so if it worked it should have again.
    I also did the unhook thing and saved it to my desktop. I double clicked it and it thought for a minute and then opened.

    I still have the same problem though. When I try to open the get new or run key files, it says command prompt has been disabled by the administrator.

    I also get the message for the gpedit that Windows cannot find gpedit.msc, please check your spelling and try again.
    ?????
     
  32. phatcat

    phatcat Private E-2

    i got this one to work, But not the other
     

    Attached Files:

  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It does not look like you ran ShowNew.bat from outside of the ZIP file. Are you sure you extracted it from the ZIP file, and did you open a Windows Explorer session and navigate to ShowNew.bat and double click on it? I think you ran from the ZIP file because I see the below in your log:
    Code:
    "C:\Documents and Settings\Kristi Reams\Local Settings\Temp\"
    TEMPOR~1.ZIP  Dec 29 2006              "Temporary Directory 1 for ShowNew.zip"
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's fix a couple more problems!

    Start by downloading another tool we will need

    - Process Explorer

    Extract it to its own folder somewhere that you will be able to locate it later.

    Make sure you have rebooted in Normal Mode (do not open any other processes)
    Also make sure that one and only one Internet Explorer browser is opened up

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of hvvlcdkh.dll once and then click the kill button. After you have killed all of the hvvlcdkh.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    xvidvfw.dll

    Next double click on explorer.exe and again click once on each instance of hvvlcdkh.dll and kill it. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    xvidvfw.dll

    Next double click on iexplore.exe and again click once on each instance of hvvlcdkh.dll and kill it. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    xvidvfw.dll

    Now just exit Process Explorer.


    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\hvvlcdkh.dll
    C:\WINDOWS\system32\xvidvfw.dll
    C:\WINDOWS\system32\ckl009.dat
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    Now attach the below new logs and tell me how the above steps went.
    1. GetRunKey - if possible
    2. ShowNew - if possible
    3. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  35. phatcat

    phatcat Private E-2

    I was running the files wrong. Here are new correct logs, sorry.

    I went through the new download and did not find any of the things listed in the area you had me look.
     

    Attached Files:

  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What do you mean? What were you running?

    Did you do what was requested in message number 34? I need the new HJT log.

    Also note you need to get the new version of ShowNew. It was updated!
     
  37. phatcat

    phatcat Private E-2

    I ran the old scan from the zip, figured it out and reran it for you in the last post.

    Here is the new show new and HJT log.

    I was wondering about my System Restore. Is what we're working on responsible for it not working?
     

    Attached Files:

  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not get the NEW version of ShowNew. Don't post a new one yet! Just get the new version and complete the below instructions first.

    It could be due to something malware did or it could just be another non-malware problem with your system. I will make some suggestions later, but if they do not help, you will have to work on fixing System Restore in the Software Forum.


    Delete the below folder:
    C:\Documents and Settings\Kristi Reams\Application Data\obj mess kind

    For System Restore try the below.


    Copy the bold text below to notepad. Save it as fixSR.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Did that fix System Restore? If not, do the below:
    • use Windows Explorer to get into the C:\windows\inf folder.
    • Locate the file named sr.inf
    • Right click on sr.inf and select Install
    Does System Restore work now? If not, click Start, Run, and enter services.msc and click OK. In the next window that comes up, scroll down to System Restore Service and double click on it. Make sure the Startup type is set to Automatic and that the Service status is Started.


    Now run Pocket Killbox and select File, Cleanup, Delete All Backups

    Now attach a new log from ShowNew (make sure you have the current version).
     
  39. phatcat

    phatcat Private E-2

    For the first fix, it didn't work. I got the message that System Restore has been turned off by the system administrator, to turn back on, contact your domain administrator????

    The second, sr.inf, asked me for a disc, and I did not get one. I bought the computer new from Dell, but had no backups or Windows disk.

    For the services.msc, there is not a System Restore in the list. I looked 3 times.

    Where do I get the new shownew?
     
  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay at this point you will have to continue with this problem in the Software Forum as this is not a malware problem.

    The same place you downloaded it the first time, which is the link in the READ & RUN ME. I'll repeat it here for your convenience, but this is where it should always be downloaded from:

    Using ShowNew
     
