Adware/Malware problem with pop ups

Discussion in 'Malware Help (A Specialist Will Reply)' started by Wags83, Jun 11, 2006.

  1. Wags83

    Wags83 Private E-2

    Hi,
This is my first post on Major Geeks, I found you guys as I was trying to remove surfsidekick 3 (I thought that might be the source of my problems, the advice was very helpful and worked, but the problems remain). I read the read me first post and searched around but I haven't been able to fix this. The problem is that I'm getting pop ups in IE all the time, even when I'm not surfing so it's obviously some sort of adware. I don't often have problems with this sort of thing, but I let my cousin use the comp the other day and I've been deluged with crap ever since. I've tried running Adaware, CCleaner and SpyBot but to no avail. They have found and removed stuff, but the pop ups continue. I have attached my HijackThis log file. I looked through it myself and cannot seem to figure out what the problem is. I've even looked up the processes I wasn't sure about at processlibrary.com, but I just can't figure it out. Any help would be greatly appreciated.

    Also, it will open up IE by itself, but it will only change the page in Firefox; if I don't have Firefox open, it won't open it. I don't know if that helps, but I figure the more information the better.
     

    Attached Files:

  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Hello and welcome to Major Geeks.

    Platform: Windows XP (WinNT 5.01.2600) <<=== You appear to be running a completely unpatched copy of Windows XP, as this is the original version of XP, as indicated by the version number.

    It is extremely important that you install SP2 and run Windows Update to bring your OS fully Up2Date. Failing to do so will leave your computer vulnerable and it will become infected again.

    DO NOT update your computer until after it has been verified to be infection free.

    Download
    - Pocket Killbox

    Follow the directions for Look2Me VX2 Removal.

    Now Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion; say YES, and when the next box opens prompting you to reboot now... click NO... and proceed with the next file. Once you get to the last one click YES and it will reboot. Note: many of the files listed below may not exist, but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post a fresh HijackThis log.
     
  3. Wags83

    Wags83 Private E-2

    I followed your instructions, and the two offending lines appear to be gone from my HJT log, however when I restarted I still got a pop up opening up. I am waiting to see if anything else shows up, will post again if so.

    Here's a new log.
     

    Attached Files:

  4. Wags83

    Wags83 Private E-2

    Yup, as I feared, the problem is not resolved; I'm still getting pop ups.

    Once again, I really appreciate all the help!
     
  5. Wags83

    Wags83 Private E-2

    Now neither Adaware nor CCleaner find anything, they say my system is clean, and there doesn't appear to be anything wrong when I look at the HJT log which I've posted above. Also, Symantec Antivirus doesn't find anything and I've updated the definitions for all of these programs.

    However, the pop ups will not go away... This is some tenacious adware! If anyone has any thoughts, please let me know.

    Thanks Again!
     
  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Follow the directions for the following:
    - Running WinPfind by OldTimer
    - Using GetRunKey

    Exactly what pop ups are you getting? From whom? What do they look like?

    Post the WinPFind.txt and runkey.txt files when finished.
     
  7. Wags83

    Wags83 Private E-2

    Ok, here are the logs.

    It looks like WinPfind found some bad stuff, and I have no idea what's going on with GetRunKey...

    I'll post more about the pop ups I actually get in an hour or so, there should be 15-20 by then. Also, it will no longer take over Firefox so that's definitely a step in the right direction. The pop ups are all in IE and it will open IE even if I have it closed.
     

    Attached Files:

  8. Wags83

    Wags83 Private E-2

    Here are some of the websites that pop up

    Online Reward Center
    Scottsdale Luxury Sweets
    creative.adsrevenue.net
    888.com
    American Eagle Realty
    Hannahs Internet Pharmacy
     
  9. Wags83

    Wags83 Private E-2

    Again, I don't know if this is useful but it's stuff I hadn't noticed before.

    First, I'm getting popups from 66.48.78.222 that are divided up into 4 panes each with different crap in them.

    Also, it's been somehow playing audio ads without any IE windows open.
     
  10. Wags83

    Wags83 Private E-2

    Hmmm... Symantec just picked up something

    Here's the blurb

    Scan type: Auto-Protect Scan
    Event: Threat Found!
    Threat: Downloader
    File: C:\Documents and Settings\Greg\Local Settings\Temporary Internet Files\Content.IE5\8HAN4PA7\sploit[1].anr
    Location: C:\Documents and Settings\Greg\Local Settings\Temporary Internet Files\Content.IE5\8HAN4PA7
    Computer: GREG-9OS3ELOOB6
    User: Greg
    Action taken: Clean failed : Quarantine failed : Access denied
    Date found: Tuesday, June 13, 2006 9:26:00 PM
     
  11. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Follow the directions for Running Hoster.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion; say YES, and when the next box opens prompting you to reboot now... click NO... and proceed with the next file. Once you get to the last one click YES and it will reboot. Note: many of the files listed below may not exist, but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Follow the directions for Running Ewido Anti-Malware.

    Post the Ewido log and a fresh HijackThis log.
     
  12. Wags83

    Wags83 Private E-2

    Ok, I followed the instructions exactly as you said. When I went back to delete the files after killboxing them, they were all gone. Unfortunately when I just restarted I got a pop up.

    Here are the logs you asked for, and I just want to say again how much I appreciate the help!
     

    Attached Files:

  13. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your HijackThis log is clean. The Ewido log shows a few things of concern.

    Follow the directions for the following:
    - Look2Me VX2 Removal
    - SurfSideKick Removal

    Using Add or Remove Programs in the Control Panel; uninstall the following:
    - New.Net
    - Limeshop
    - Ewido Anti-Malware

    Follow the directions for Running Spy Sweeper

    Post the SpySweeper log.
     
  14. Wags83

    Wags83 Private E-2

    Ok, here are the results...

    You already told me to do the look2me thing, ran it before, it found something and removed it. I ran it again today and again it found and removed something. Because of this, I ran it a second time today. The second time it didn't find anything. However something very interesting happened. When I restarted I got the background that says you need to restore your active desktop, but no pop ups. As soon as I hit restore, I got pop ups.

    Trying to remove surfsidekick is what got me here in the first place (I found that while I was trying to fix this myself and figured it might be the problem). I followed those instructions the other day, but I tried to go through the steps described again and none of the files were there. I even did searches for all the names.

    As far as uninstalling, new.net and limeshop did not show up and I uninstalled Ewido.

    Spy Sweeper: your link on the instructions page is dead. I looked up the software on the company's website and downloaded it. Now they require you to subscribe in order to get any logs or to have it actually clean the problems it finds.

    I can tell you what it found if necessary, but I'll have to actually type it out which will be a bitch. Let me know.
     
    Last edited: Jun 15, 2006
  15. Wags83

    Wags83 Private E-2

    So I checked out my active desktop settings and there were two programs I didn't recognize there, so I deleted both of them. However, pop ups continue...
     
  16. Wags83

    Wags83 Private E-2

    Ok, the programs that are running via the active desktop are
    c:\program files\messanger\kyze.exe
    c:\program files\windows NT\howyny.html

    I removed both of them once manually, and the pop ups went away. However after restart, they're back. How should I clean them?
     
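The two entries above are being re-launched through Active Desktop, which is why deleting the files alone did not stop them. The following script is an added example, not something posted in this thread: it enumerates the Active Desktop components registered for the current user and flags any whose Source is a local file rather than a web URL. It assumes the classic Active Desktop registry layout under HKCU (the Components subkeys with a Source value, and the General\Wallpaper value); on a system without Active Desktop those keys are simply absent and nothing is reported.

```powershell
# Added example (not from the thread): inventory Active Desktop components and
# flag those that point at local content (file://, drive path or UNC path),
# since a local .html or .exe registered here is re-launched on every logon.
function Get-ActiveDesktopFindings {
    $base = 'HKCU:\Software\Microsoft\Internet Explorer\Desktop\Components'
    $findings = @()
    if (Test-Path -Path $base) {
        foreach ($key in Get-ChildItem -Path $base) {
            $props = Get-ItemProperty -Path $key.PSPath
            $src = [string]$props.Source
            if ([string]::IsNullOrWhiteSpace($src)) { continue }
            # Anything that is not an http(s) URL is local content.
            $isLocal = $src -notmatch '^(?i)https?://'
            # Strip a file:// prefix so Test-Path can check the file on disk.
            $path = $src -replace '^(?i)file:///?', ''
            $findings += [pscustomobject]@{
                Component    = $key.PSChildName
                FriendlyName = [string]$props.FriendlyName
                Source       = $src
                LocalFile    = $isLocal
                Exists       = ($isLocal -and (Test-Path -LiteralPath $path))
            }
        }
    }
    # Under Active Desktop the wallpaper itself may be an HTML file that runs script.
    $general = 'HKCU:\Software\Microsoft\Internet Explorer\Desktop\General'
    if (Test-Path -Path $general) {
        $wp = [string](Get-ItemProperty -Path $general).Wallpaper
        if ($wp -match '(?i)\.html?$') {
            $findings += [pscustomobject]@{
                Component    = 'Wallpaper'
                FriendlyName = ''
                Source       = $wp
                LocalFile    = $true
                Exists       = (Test-Path -LiteralPath $wp)
            }
        }
    }
    return $findings
}

# Show only the suspicious (local) entries; web-hosted components are normal.
Get-ActiveDesktopFindings | Where-Object { $_.LocalFile } | Format-Table -AutoSize
```

Each flagged component is one registry subkey; once you have confirmed the file it points at is not something you installed, removing that subkey (and the file) is what stops it coming back after a restart.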
  17. Wags83

    Wags83 Private E-2

    Last Update!

    I just went into the folders and deleted these files and finally, no more pop ups!

    I can't thank you guys enough for all the help. I'm sincerely glad that there are people like you fighting against all the assholes making malware!
     
  18. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Glad to hear you got the last of the infection. I've been away the last couple of days.

    Post a fresh HijackThis log, just to make sure.
     
