Absurdly irritating spyware

Discussion in 'Malware Help (A Specialist Will Reply)' started by Thanatosimii, Aug 4, 2006.

  1. Thanatosimii

    Thanatosimii Private E-2

    I've got some absurdly irritating spyware on my computer. I'll say this up front, I don't get fancy computer stuff. I did all the reading that the "read this first" post contained, and did as much as I understood to do, and have some log files as it requested, however I'm certain I'm missing some because I couldn't get at least one program (panda active scan) to finish downloading.

    My computer gets frequent popups from ad sites, and has been doing so since early July. I've been trying to get rid of it for almost a month now. It seems to go away when I run virus scans and stays dormant for a few hours or even days, but then it comes back with a vengeance. I've had to close almost fifty popups within one minute once. I don't have a clue how to stop this. Help!
     

    Attached Files:

  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Welcome to MajorGeeks.com!

    Please follow our standard cleaning procedures, which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.

    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis:

    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.

    When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
    • runkeys.txt - the log from GetRunKey.bat
    • newfiles.txt - the log from ShowNew.bat
    • CounterSpy - ONLY IF you were not able to run Windows Defender
    • Bitdefender - from step 6
    • Panda Scan - from step 6
    • HijackThis
     
  3. Thanatosimii

    Thanatosimii Private E-2

    Please, I'm not trying to be one of those belligerent persons who doesn't do what he's told because he's lazy, I just am a totally ignorant person when it comes to running computer stuff. If there's anything I didn't do, lack of reading the instructions is not the reason, and, please don't interpret this disrespectfully, but giving them to me again isn't the solution.
    I think I got two more of the programs to work, but I cannot get pandascan to work. I already submitted the hijackthis log and the bitdefender log, and I got windows defender to work so I am not supposed to use counterspy, I believe.
    Was there some problem with the HijackThis log? I assume there was, since the instructions were repeated, but what exactly do you need done that I didn't do? Here, I'll run it again, following your instructions in case I did something wrong, but I believe I did it the same way before.
    So here are the two other programs, and the second log. Please, I'm not doing this wrong on purpose. I am totally ignorant as to computer things, I'll admit this, but I know how to (try to) follow instructions. (I make no guarantees as to success, however).
    Panda Active Scan will not load, so besides that, is anything else still screwy?
    Apologies in advance for anything I do wrong.
     

    Attached Files:

  4. Thanatosimii

    Thanatosimii Private E-2

    Oh yes, this I should probably include too. When I run ShowNew, it only goes so far and then gets stuck, saying "'dlh9jkdq.exe' is not recognized as an internal or external command, operable program, or batch file."

    Is that important?
     
  5. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    HijackThis is not installed as requested in the Read Me. Move HijackThis to C:\Program Files\HJT. This is critical, otherwise the backup folder for HJT will not be created properly.

    You were missing 3 logs, with no explanation as to why. When I first view a thread I scan it quickly, and check for signs that our instructions were/were not followed. What I do next depends on what I see when I scanned the post and HJT.

    Yes the error message from ShowNew is important, I'll contact the developer about it, as he is a member here, and the admin for this forum.

    After you have moved HJT, post a fresh HijackThis log. There are several issues I saw as I scanned the log that we will need to deal with.
     
  6. Thanatosimii

    Thanatosimii Private E-2

    Thank you, thank you.

    I put the file in c:\program files\HJT\, but if there's supposed to be another file being created... it's not being created.
    Here's the new file, but I suspect I did something wrong again.
     

    Attached Files:

  7. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Pocket Killbox
    - ExplorerXP

    << The installed version of Java on this computer is out-dated. Install Java Runtime Environment (JRE) 5.0 Update 7 available from http://java.sun.com/javase/downloads/index.jsp. Uninstall all older versions of Java on your computer, before installing the latest version of Java. >>

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop. DO NOT run it at this time; we will do that later in Safe Mode.
    Close Notepad.

    Confirm HijackThis default configuration settings.
    1. Run Hijack This
    2. Click on the "None of the above, just start the program" button
    3. Under "Other stuff", click on the "Config..." button
    4. Make sure the following have check marks next to them:
    • Make backups before fixing
    • Confirm fixing & ignoring of items (safe mode)
    • Ignore non-standard but safe domains in IE (e.g. msn.com, microsoft.com)
    • Include list of running processes in logfiles
    • Show intro frame at startup
    5. Click on the "Back" Button

    Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files

    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Open ExplorerXP, navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post a fresh HijackThis log.
     
  8. Thanatosimii

    Thanatosimii Private E-2

    I'm currently downloading Java updates. But I'd like to ask a question first. Is there any potential that doing this could screw up my computer in any way? I just don't want to do anything if it deletes vital system files by accident or something, at least not unless I backup some things first.
     
  9. Thanatosimii

    Thanatosimii Private E-2

    Actually, with the java updated, panda active scan is running at the moment (I'm in safe mode).
    I'll get that log too, but it's running slow.
     
  10. Thanatosimii

    Thanatosimii Private E-2

    Ok, Panda Active Scan worked. I've got the file as requested.
     

    Attached Files:

  11. Thanatosimii

    Thanatosimii Private E-2

    Sorry for the quadruple post (Is there an edit function?)
    Hijack this is configured, and I did as instructed, and checked the two acttil.dll things for deletion. The O20 deletes easily, but the O2 one will not go away. I've tried normal mode, I've done it in safemode, it isn't deleting.
     
  12. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Post the HijackThis log.
     
  13. Thanatosimii

    Thanatosimii Private E-2

    Got it.
     

    Attached Files:

  14. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Using Add or Remove Programs in the Control Panel; uninstall the following:
    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop. DO NOT run it at this time; we will do that later in Safe Mode.
    Close Notepad.

    Download
    - Process Explorer

    Extract it to its own folder somewhere that you will be able to locate it later.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    - Run Process Explorer

    Note: Some of the below processes may not be running on your system. In that case just skip the process and continue to the next process.

    In the top section of the Process Explorer screen double click on smss.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of acttil.dll once and then click the kill button. After you have killed all of the acttil.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on winlogon.exe and again click once on each instance of acttil.dll and kill it. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of acttil.dll and kill it. (If you do not find the dll, just continue on.)

    Next double click on iexplore.exe and again click once on each instance of acttil.dll and kill it. (If you do not find the dll, just continue on.)

    Next double click on rundll32.exe and again click once on each instance of acttil.dll and kill it. (If you do not find the dll, just continue on.)

    Next double click on wrssdk.exe and again click once on each instance of acttil.dll and kill it. (If you do not find the dll, just continue on.)

    Now just exit Process Explorer.

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files

    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Open ExplorerXP, navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post a fresh Hijackthis log.
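    A defender-side check that complements the Process Explorer steps in post #14 above, as an added example that is not from this thread or from any of the tools it names: a PowerShell function that lists every running process with a DLL of a given name loaded, so you know which hosts (winlogon.exe, explorer.exe, ...) actually need inspecting. The function name and its parameter are my own; acttil.dll is the DLL name taken from this thread.

```powershell
# Added example, not code from this thread or from the tools it names.
# Lists every running process that has a module of the given name loaded.
# Run from an elevated PowerShell prompt: without admin rights the module
# list of system processes such as winlogon.exe cannot be read.
function Find-LoadedDll {
    param([Parameter(Mandatory=$true)][string]$DllName)   # e.g. acttil.dll (named in this thread)

    foreach ($proc in Get-Process) {
        try {
            # Reading .Modules throws for protected processes and for 32/64-bit mismatches
            $mods = $proc.Modules
        } catch {
            # Report the process we could not inspect instead of silently skipping it
            Write-Warning ("Cannot read modules of {0} (PID {1}): {2}" -f `
                $proc.ProcessName, $proc.Id, $_.Exception.Message)
            continue
        }
        foreach ($m in $mods) {
            # Case-insensitive match on the file name only, not the full path
            if ($m.ModuleName -ieq $DllName) {
                New-Object PSObject -Property @{
                    ProcessName = $proc.ProcessName
                    PID         = $proc.Id
                    ModulePath  = $m.FileName
                }
            }
        }
    }
}

# Usage: report every host of the DLL named in this thread
Find-LoadedDll -DllName 'acttil.dll' | Format-Table ProcessName, PID, ModulePath -AutoSize
```

    An empty result after cleanup is the quick confirmation that the DLL is no longer injected anywhere; ModulePath also tells you which file on disk still needs deleting.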
     
  15. Thanatosimii

    Thanatosimii Private E-2

    Ok. Some of that worked really well, and some didn't. I'll go through what I was able to do step by step.

    1: Remove Winfixer2005 and Winantivirus2006
    Total failure. The add/remove programs in the control panel does not acknowledge that they exist.

    2: Process Explorer
    Moderate Success.
    The download worked. It ran great. However, Acttil.dll
    -did not exist in smss.exe.
    -did exist in winlogon.exe and I killed it.
    -did exist in explorer.exe and I killed it
    Furthermore,
    -iexplore.exe could not be found
    -rundll32.exe could not be found
    -wrssdk.exe could not be found

    3: Hijack this
    Success
    These files no longer exist in the log. I saved an extra log from this point, before resuming with the cleaning, just in case you want to see it.

    4: Pocket Killbox
    Success
    Temp files deleted, those six files deleted on reboot, reboot worked fine without incident.

    5: Reboot in Safe Mode
    Success

    6: FixReg.reg
    Success

    7: Explorer XP
    Possible Success?
    Well, the files in question didn't exist, so I think that makes it a success. Nonetheless, there were other xxxx_0001_xxxxxxxxNetInstaller.exe type named files in the location in question, it's just that the xxxx's were different. I don't know if that's ok or if it's the same problem, so it's a possible success, I think.

    8: CCleaner and Delete Prefetch
    Success
    Deleted and wiped a small amount of temporary files and cookies, no issues.

    9: cleanmgr
    Success
    Ran just fine. Files deleted.

    10: Reboot to normal mode and get a fresh HJT log.
    Success

    I am posting the fresh log, but like I said, I do have an older log from right after the wiping out of acttil.dll if you want it.

    I haven't seen any symptoms yet, but given the way this spyware behaved in the past, that means absolutely nothing. I'll leave it to you to know if it's gone, and what to do next. Thanks.
     

    Attached Files:

  16. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    OK, your HijackThis log is clean.

    As the instructions stated, you may not have some of the processes running, and of the processes running not all of them are going to have the dll. This is a blanket procedure for this type of infection. There are many variants and they use different processes. Instead of trying to figure out what processes have been hooked into on your system, I just put all the processes known to have been hooked into in the procedure.

    Post an entire list of, xxxx_0001_xxxxxxxxNetInstaller.exe, type files. Don't edit anything in the name.

    Just to clean up any loose files from the infection, follow the directions for Virtumonde aka Trojan Vundo Removal.

    Post the VundoFix log.
     
  17. Thanatosimii

    Thanatosimii Private E-2

    USDR6_0001_D09M0706NetInstaller.exe
    USDR6_0001_D09M0706NetInstaller.inf
    UWA6P_0001_N822M1605NetInstaller.exe
    CONFLICT.1\UWA6P_0001_N822M1605NetInstaller.exe
    CONFLICT.2\UWA6P_0001_N822M1605NetInstaller.exe
    CONFLICT.3\UWA6P_0001_N822M1605NetInstaller.exe
    CONFLICT.5\UDC6_0001_D10M2905NetInstaller.inf

    These are the files that are along the same format, in Downloaded Internet Files.
    I haven't run 'Virtumonde aka Trojan Vundo Removal' yet, but I'm doing this now. Results forthcoming.
     
  18. Thanatosimii

    Thanatosimii Private E-2

    And here the log is.
     

    Attached Files:

  19. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You can delete all those files.

    EDIT: Your Vundo log showed 1 item found and deleted.

    How is your computer running?
     
  20. Thanatosimii

    Thanatosimii Private E-2

    Nothing strange yet. In the past, I would get popups with near maniac frequency at least twice a day when I flipped quickly between sites on the internet. I haven't had even one since the removal. However, it also stopped for about a day when I installed my firewall, so only time will tell.

    Which program would you like me to use to wipe the remaining files? I've downloaded about a dozen different files and programs, etc, over the course of this problem, so I can't remember which one is the one to use.
     
  21. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  22. Thanatosimii

    Thanatosimii Private E-2

    Killbox can't find them. Windows explorer says they're there, but the browse function in killbox doesn't see them.
     
  23. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Copy and paste the filename and full path into Killbox. The instructions on how to do that are in Post #14
     
  24. Thanatosimii

    Thanatosimii Private E-2

    Ok, they're gone, and I disabled and reenabled my System Restore. Everything looks like it's running correctly.
     
  25. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Good to hear.

    Safe Surfing!
     
