888.com popups

Discussion in 'Malware Help (A Specialist Will Reply)' started by alocin, Dec 3, 2005.

  1. alocin

    alocin Private E-2

    Hiya, I've read through all the pinned "read this first!" stuff but I'm still stuck. I've run AdAware SE, Spybot, ZeroSpyware, CCleaner, the works, but I'm still getting annoying 888.com, casino ads and other popups. I don't want to fiddle with registry stuff without instructions because I'd probably wipe my computer, so anyone got any suggestions on what to do? Log is attached.

    Any help greatly appreciated! :)
     


  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You have HijackThis installed incorrectly; install HijackThis to C:\HJT.

    After you have installed HijackThis as requested, do the following:

    Uninstall the following using Add or Remove Programs in the Control Panel:
    Scan with HijackThis and fix the following:
    Follow the instructions in Running Spy Sweeper.

    After you have completed all the above; come back here and post the Spy Sweeper log and a fresh HijackThis log as ATTACHMENTS.
     
  3. alocin

    alocin Private E-2

    Thanks for replying, I did all that and it took forever, my computer sort of froze while spysweeper was removing over 1000 files of rootkit or something? I had to leave it on overnight to finish. One thing I couldn't do was remove Messenger because I can't find it on my computer anywhere.

    Now my PC is pretty sluggish - it took over a minute to open IE. I can't manage attachments - I click the button and it freezes for a few minutes then just doesn't do anything. So I know you're not supposed to but I'll post the logs in here, because something is definitely still messed up.

    Inline logs attached!

    Sorry for having to post all that...
     


    Last edited by a moderator: Dec 4, 2005
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please EXTRACT HijackThis from the ZIP File to a Safer location. Here's how:

    To create a new folder:
    • Click START > My Computer > Local Disc C: > Program Files
    • Now, Right Click on an Empty Area and select New > Folder & name it HijackThis and ENTER
    To Extract HijackThis:
    • Now, Right Click your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder (C:\Program Files\HJT) and click Next.

    After you have completed the above steps to relocate HJT, run it from the new location. Please save your HJT log as a .txt file and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    The reason HJT needs its own safe folder is so that backups will be safely preserved. That way, if a mistake is made in the removal process, the mistakenly deleted entry can be restored.


    After you complete the above, please download AproposFix by Swandog46

    Save it to your desktop or to another folder of its own, but do NOT run it yet!

    Now reboot your computer in Safe Mode! (You must be in safe mode or this fix will not work.)

    Once in Safe Mode, double-click aproposfix.exe (which will give you a choice of where to unzip/install the program to). This is called the Destination folder in the window that pops up. So either install it to the Desktop or the folder where you downloaded the aproposfix.exe file to. It will create a new folder named aproposfix. Open the aproposfix folder and double click on RunThis.bat to run the fix. Follow the prompts.

    When the tool is finished, reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file that has been created in the aproposfix folder.
     
  5. alocin

    alocin Private E-2

    Thanks for that! I followed the instructions. This site still won't let me post attachments though - I click on "manage attachments" and it just freezes. So here are the logs:

    (The HJ log is from after running the apropos thingy, I hope that's right)

    Inline logs attached!
     


    Last edited by a moderator: Dec 4, 2005
  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download and install Firefox. Are you having the same problems attaching logs?
     
  7. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Please run Panda Online Scan. After the scan attach the log to your next post. Also please follow the below:

    1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

    2 - Please EXTRACT all the files from RKFiles Tool to its own folder named C:\Program Files\RKTOOL. Then, Please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.

    Now come back here and post all three logs as attachments
     
  8. alocin

    alocin Private E-2

    Okay, Firefox seems to work fine. It opens immediately and I can use attachments. However Panda Scan needs IE, and using that pressing the "scan now" button freezes everything just like managing attachments. So I can't give you a log of that. However the other two logs are attached.

    Just in case it's any help - in safe mode there isn't any delay on opening things like My Computer.
     

    Attached Files:

    • log.txt (718 bytes)
    • file.txt (2.2 KB)
  9. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Pocket Killbox

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available). Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the files listed below may not exist but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Follow the instructions for Running Ewido Security Suite

    Post the Ewido log and a fresh HijackThis log when finished with the above.
     
  10. alocin

    alocin Private E-2

    Okay, I couldn't find either C:\WINDOWS\RMAgentOutput.dll or C:\WINDOWS\UnGins.exe, but I did the rest. Logs are attached. My Computer is still taking ages to open.
     


  11. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Uninstall Messenger Plus! 2 using Add or Remove Programs in the Control Panel.

    Uninstall ZeroSpyware, you have plenty of Spyware Protection and this particular package isn't very effective.

    Run Spy Sweeper again and post the log.
     
  12. alocin

    alocin Private E-2

    I can't find Messenger Plus anywhere on my system! It's not under add/remove, in program files, anywhere - I did a search of the whole thing!

    But I uninstalled Zero and did a sweep again. I don't think it actually removed any of the files when it rebooted though.
     


  13. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Apropos is still present

    Download FixAprop to your Desktop.

    Reboot to Safe Mode.

    Run FixAprop.

    Reboot to Safe Mode.

    Run Microsoft AntiSpyware and let it fix what it finds. (Update MSAS before running)

    Reboot to Normal Mode.

    This should remove Apropos

    Next run Spy Sweeper in Safe Mode.

    Download and run F-Secure Blacklight from: http://www.f-secure.com/blacklight/try.shtml
     
  14. alocin

    alocin Private E-2

    The FixAprop thing said it couldn't find any trace of Apropos, and Blacklight couldn't find anything either. Should I still run the anti-spyware stuff in safe mode or do something else?

    Thanks for bearing with me!
     
  15. alocin

    alocin Private E-2

    Just a thought - I didn't have any of these problems before I ran Spy Sweeper and it deleted all that stuff, it was just a few pop-ups. In fact I don't think I've had any pop-ups recently, it's just folders and programs taking ages to open and some stuff freezing. Could that be something to do with the deleted files rather than spyware/virus things?
     
  16. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Spy Sweeper was reporting a rootkit, might be the Sony Rootkit. It came back on reboot. Run Spy Sweeper and Microsoft Anti-Spyware in safe mode. If it is the Sony Rootkit MSAS with updated definitions is supposed to remove it.

    While in Safe Mode open Windows Explorer and look for C:\Program Files\Messenger Plus! 2, if it exists look for an uninstaller otherwise delete the entire directory.
     
  17. alocin

    alocin Private E-2

    Honestly I swear I cannot find Messenger Plus anywhere on my system - I did check and do a complete search, it's just not there!

    As for the other scans, I did them both in safe mode as you said. Microsoft came up with absolutely nothing and I think Sweeper just did the same as last time. Log and HJ attached.

    Theoretically if I restored the stuff Sweeper removed in the first place, would I go back to where I started with popups but everything working as normal? Because the popups weren't too bad, and were much easier to live with than having to wait over a minute just to open each folder/program.
     


  18. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Scan with HijackThis and fix the following:
    Run CCleaner before doing the below.

    Download WinPFind

    Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.

    When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.
     
  19. alocin

    alocin Private E-2

    Okely dokely - scan attached.
     


  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    After you complete the above, with the viewing of hidden files and folders enabled per the READ ME, navigate to and delete the following file:

    C:\WINDOWS\SYSTEM32\P2P Networking v124.cpl


    Just as a precaution please download Rootkit Revealer 1.56

    Once download is complete, run the utility and click SCAN to begin scanning your system.

    If you need any help with this utility please see the site below...
    http://www.sysinternals.com/Utilities/RootkitRevealer.html

    After you complete a scan, attach the log to your next post.
     
  21. alocin

    alocin Private E-2

    Okay, did all that. Log attached.
     


  22. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Run RootKit Revealer again and post the log along with a fresh HijackThis log.
     
  23. alocin

    alocin Private E-2

    Rootkit finder didn't get anything. Hijack log attached.
     


  24. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your log is clean. How is your system running?
     
  25. alocin

    alocin Private E-2

    Still the same as since the first sweep - no popups but it takes a good minute to open things like IE and My Computer. I tried opening the manage attachments bit with IE, it just froze again. Programs like iTunes and Paintshop Pro don't have the lag in opening. It's weird. Are you sure it doesn't have anything to do with all the files Spy Sweeper deleted on the first run? Because it only started after I did that.
     
  26. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Spy Sweeper didn't remove any system files.

    You could run sfc /scannow from the command prompt; you will need your XP CD.

    SFC will replace any missing or damaged Windows system files. You may need to run Windows Update after it is finished.
     
  27. alocin

    alocin Private E-2

    I ran the sfc scan, it didn't ask me for my CD and didn't come up with any messages. Just opened, ran and closed, so I don't know if it changed anything. According to the website all the Windows Updates are already there. I rebooted, just because that seems like the general thing to do. Still got the lag on opening some programs and files.

    Well I'm stuck on any other ideas now!
     
  28. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Try resetting all your settings in IE to the Default settings.
     
  29. alocin

    alocin Private E-2

    Under Internet Tools, Advanced?

    Didn't make any difference. Still took a minute to open.
     
  30. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Uninstall the Google Toolbar. What does that do?
     
  31. alocin

    alocin Private E-2

    No difference again. I discovered that Control Panel is another thing with a lag to open though...
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I would suggest that you uninstall (now that malware is fixed) all but one of the below:

    Spy Sweeper
    Ewido
    Microsoft AntiSpyware
    Spyware Doctor

    If you are going to buy Spy Sweeper then it is the one I would keep. Ewido is very good too but if you are not going to buy it, uninstall it. If you did not buy Spyware Doctor, uninstall it. I would keep MS Antispyware over Spyware Doctor.
     
  33. alocin

    alocin Private E-2

    Oh I could kiss you - it worked! And it was as simple as that. Everything works fine again now!

    Thank you all so much for your help, and for reading all those endless logs! You are all stars. :D
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As long as you are an Alocin and not an Al, that will be okay! :D Happy we could help! I'm sure SPD will be back in soon to see this.
     
  35. alocin

    alocin Private E-2

    Sorry - you don't have little male/female symbols on here do you. Alocin is just Nicola backwards, hope that didn't freak you out too much... ;)
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! With all the malware we see....nothing can freak us out anymore. :)
     
  37. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Thanks chas, I was going to suggest uninstalling some apps next.
     
