Can't kill the pop ups by myself, need help please!

Discussion in 'Malware Help (A Specialist Will Reply)' started by Plane Nuts, Apr 13, 2005.

  1. Plane Nuts

    Plane Nuts Private E-2

    I've tried everything at this point to eradicate pop-ups which just started the other night. I am getting the 'Aurora' pop-up, as well as other advertising pops. I've run Spybot, Ad-aware, CounterSpy and Microsoft's AntiSpyware beta, all with current definitions and can't seem to get to the root of the problem.

    I see that the help folks have received here seems to help almost every single time, if not every time, and I'm really looking forward to getting this problem killed with the assistance of the great people on this site! :D
     
    Last edited by a moderator: Apr 13, 2005
  2. Adair

    Adair Private E-2

    Looking at some of the processes you have running you could have CoolWebSearch.
    Download CWShredder and run that to try and remove, CoolWebSearch is very difficult to remove some times.
     
  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please follow forum guidelines!

    You have NOT run every step in the READ ME nor have you done the online scans. You have a mess in that log and need to do this.

    Also, from now on never post your log inline as it will be removed. Always attach logs as an attachment to your post.


    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    After doing ALL of the above if you still have a problem:


    • Download HijackThis 1.99.1

    • Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    • Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

    • Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    • Run HijackThis and save your log file.

    • Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    • Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  4. Plane Nuts

    Plane Nuts Private E-2

    Gotcha. I did run through one of these "Do all this stuff first" threads, but thinking back, it was a different site. Of course, I haven't slept in two nights trying to fix this, so I'm a space cadet right now. Sorry about that. I will follow all steps in the referenced thread and then "attach" my log file if I'm still having problems.

    Thanks for your help so far.
     
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're welcome, I will be awaiting your results.
     
  6. Plane Nuts

    Plane Nuts Private E-2

    Ok, I'm done with all the actions described in the readme.

    Most tests/scans did find items, but typically removed them.

    Here are a few things that weren't straightforward:

    1. The Symantec Security Check found a file which apparently is tied to the ABetterInternet adware. I ran a program which said it removed it. When I later ran Spybot, it found the ABetterInternet adware, and says it removed it.

    2. I wasn't entirely sure if I should run HSRemove, so I just did. It removed 8 objects.

    3. The Symantec Security Check showed that I had files infected with ADWARE.Browseraid and ADWARE.EZULA, but I could find none of the known registry entries for these.

    I am immediately getting adware pop-ups after rebooting from safe mode to normal mode. :mad:

    Attached is the new HJT log file I just ran after completing all other steps. To me, it still looks like a huge mess, but I really don't know what I'm looking at. ;)
     


  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program.

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.


    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:

    qigc.exe

    yywbbh.exe

    dfpxmje.exe

    lcoffc.exe

    jgowswm.exe

    oegk.exe

    ctse.exe

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    F2 - REG:system.ini: Shell=

    O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\system32\pacis.exe
    O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
    O4 - HKLM\..\Run: [aqvuvu] C:\WINDOWS\system32\lwnwc\aqvuvu.exe
    O4 - HKLM\..\Run: [yywbbh] C:\WINDOWS\system32\rbvngwc\yywbbh.exe
    O4 - HKLM\..\Run: [qigc] C:\WINDOWS\system32\alyjwph\qigc.exe
    O4 - HKLM\..\Run: [faxyqo] C:\WINDOWS\system32\frcflwx\faxyqo.exe
    O4 - HKLM\..\Run: [aaas] C:\WINDOWS\system32\qpnlxb\aaas.exe
    O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteczn32.exe
    O4 - HKLM\..\Run: [abvi] C:\WINDOWS\system32\nmgpk\abvi.exe
    O4 - HKLM\..\Run: [buejex] C:\WINDOWS\system32\qdthxy\buejex.exe
    O4 - HKLM\..\Run: [hlnf] C:\WINDOWS\system32\pgus\hlnf.exe
    O4 - HKLM\..\Run: [tmlfj] C:\WINDOWS\system32\pttyhw\tmlfj.exe
    O4 - HKLM\..\Run: [ydym] C:\WINDOWS\system32\rrxtwn\ydym.exe
    O4 - HKLM\..\Run: [ahnqfag] C:\WINDOWS\system32\iocqf\ahnqfag.exe
    O4 - HKLM\..\Run: [hgat] C:\WINDOWS\system32\ellrl\hgat.exe
    O4 - HKLM\..\Run: [0s9W3qj] wsnipr07.exe
    O4 - HKLM\..\Run: [dfpxmje] C:\WINDOWS\system32\bnti\dfpxmje.exe
    O4 - HKLM\..\Run: [skyhn] C:\DOCUME~1\Mom\LOCALS~1\Temp\lcoffc.exe
    O4 - HKLM\..\Run: [mwqpma] C:\WINDOWS\system32\whirdeu\mwqpma.exe
    O4 - HKLM\..\Run: [nhfcrb] C:\WINDOWS\system32\ugat\nhfcrb.exe
    O4 - HKLM\..\Run: [jgowswm] C:\WINDOWS\system32\ftltr\jgowswm.exe
    O4 - HKLM\..\Run: [uttte] C:\WINDOWS\system32\khtfnbv\uttte.exe
    O4 - HKLM\..\Run: [jopkkgpi] C:\WINDOWS\system32\ejcj\jopkkgpi.exe
    O4 - HKLM\..\Run: [oegk] C:\WINDOWS\system32\jqbwhg\oegk.exe
    O4 - HKLM\..\Run: [ctse] C:\WINDOWS\system32\kcabs\ctse.exe
    O4 - HKLM\..\Run: [yrqvvbf] c:\windows\system32\hycbxcq.exe
    O4 - HKLM\..\Run: [rdmq] C:\WINDOWS\system32\supokwv\rdmq.exe
    O4 - HKCU\..\Run: [HBq6RkHER] s3itab.exe

    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://www.wildtangent.com/install/wdriver/arcadegames/meteormadness/eacom/wtins t.cab
    O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia.com/install/pcs_0007.exe
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

    O23 - Service: hgatellrl - Unknown owner - C:\WINDOWS\system32\ellrl\hgat.exe (file missing)
    O23 - Service: qigcalyjwph - Unknown owner - C:\WINDOWS\system32\alyjwph\qigc.exe
    O23 - Service: rdmqsupokwv - Unknown owner - C:\WINDOWS\system32\supokwv\rdmq.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
    O23 - Service: tmlfjpttyhw - Unknown owner - C:\WINDOWS\system32\pttyhw\tmlfj.exe
    O23 - Service: ydymrrxtwn - Unknown owner - C:\WINDOWS\system32\rrxtwn\ydym.exe
    O23 - Service: yywbbhrbvngwc - Unknown owner - C:\WINDOWS\system32\rbvngwc\yywbbh.exe

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\system32\alyjwph ←–– Delete this whole folder!

    C:\WINDOWS\system32\rbvngwc ←–– Delete this whole folder!

    C:\WINDOWS\system32\bnti ←–– Delete this whole folder!

    C:\WINDOWS\system32\ftltr ←–– Delete this whole folder!

    C:\WINDOWS\system32\jqbwhg ←–– Delete this whole folder!

    C:\WINDOWS\system32\kcabs ←–– Delete this whole folder!

    C:\WINDOWS\system32\lwnwc ←–– Delete this whole folder!

    C:\WINDOWS\system32\rbvngwc ←–– Delete this whole folder!

    C:\WINDOWS\system32\alyjwph ←–– Delete this whole folder!

    C:\WINDOWS\system32\frcflwx ←–– Delete this whole folder!

    C:\WINDOWS\system32\qpnlxb ←–– Delete this whole folder!

    C:\WINDOWS\system32\nmgpk ←–– Delete this whole folder!

    C:\WINDOWS\system32\qdthxy ←–– Delete this whole folder!

    C:\WINDOWS\system32\pgus ←–– Delete this whole folder!

    C:\WINDOWS\system32\pttyhw ←–– Delete this whole folder!

    C:\WINDOWS\system32\rrxtwn ←–– Delete this whole folder!

    C:\WINDOWS\system32\iocqf ←–– Delete this whole folder!

    C:\WINDOWS\system32\ellrl ←–– Delete this whole folder!

    C:\WINDOWS\system32\bnti ←–– Delete this whole folder!

    C:\WINDOWS\system32\whirdeu ←–– Delete this whole folder!

    C:\WINDOWS\system32\ugat ←–– Delete this whole folder!

    C:\WINDOWS\system32\ftltr ←–– Delete this whole folder!

    C:\WINDOWS\system32\khtfnbv ←–– Delete this whole folder!

    C:\WINDOWS\system32\ejcj ←–– Delete this whole folder!

    C:\WINDOWS\system32\jqbwhg ←–– Delete this whole folder!

    C:\WINDOWS\system32\kcabs ←–– Delete this whole folder!

    C:\WINDOWS\system32\supokwv ←–– Delete this whole folder!


    C:\WINDOWS\system32\hycbxcq.exe

    C:\WINDOWS\system32\pacis.exe

    C:\WINDOWS\system32\exp.exe

    C:\windows\system32\eliteczn32.exe <--- also look for and delete other files beginning with elite and ending with exe. There could be as many as ten more.

    lcoffc.exe ←–– Search for this file and delete when found!

    wsnipr07.exe ←–– Search for this file and delete when found!

    s3itab.exe ←–– Search for this file and delete when found!

    NEXT:
    Stay in safe mode and run HijackThis, then click on the "Open the Misc Tools Section" button on the open page. Then select "Delete an NT service" on the left-hand side. A "Delete a Windows NT Service" window will pop up. Try entering the following into the box and then click OK:

    hgatellrl

    qigcalyjwph

    rdmqsupokwv

    tmlfjpttyhw

    ydymrrxtwn

    yywbbhrbvngwc



    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows

    FINAL STEP

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.


    After doing ALL of the above, run these online virus scans.

    TrendMicro Online Scan
    Bitdefender online scan
    RavAntivirus online scan <-- select Auto Clean then click Scan My PC
    TrojanScan online scan


    After doing EVERY STEP ABOVE,
    Scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
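The HijackThis lines above show the same few tells over and over: an executable in a short, random-looking subfolder directly under system32, a start-up entry running from a Temp folder, a bare file name with no directory, an "Unknown owner" service, a service binary marked "(file missing)", and service names that are simply the exe stem glued to its folder name (qigc + alyjwph = qigcalyjwph). The triage script below is an added example, not part of the thread or of HijackThis; the log lines in it are constructed to mirror the ones quoted above, and the heuristics are the editor's assumptions drawn from those patterns, meant to pre-sort a log for a human reviewer rather than to replace one.

```python
import re
from typing import List, NamedTuple, Tuple


class Finding(NamedTuple):
    section: str
    name: str
    path: str
    reasons: Tuple[str, ...]


# Constructed sample in HijackThis log format, modelled on entries quoted in
# this thread, plus two legitimate-looking lines (ZoneAlarm) as controls.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [qigc] C:\WINDOWS\system32\alyjwph\qigc.exe
O4 - HKLM\..\Run: [skyhn] C:\DOCUME~1\Mom\LOCALS~1\Temp\lcoffc.exe
O4 - HKLM\..\Run: [0s9W3qj] wsnipr07.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O23 - Service: qigcalyjwph - Unknown owner - C:\WINDOWS\system32\alyjwph\qigc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<path>.+)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
# An exe exactly one folder below system32: system32\<folder>\<exe>
SYS32_SUB_RE = re.compile(
    r"^[a-z]:\\windows\\system32\\(?P<folder>[^\\]+)\\(?P<exe>[^\\]+)$", re.I
)
# Heuristic: 3-8 lowercase letters with no digits or capitals looks generated.
RANDOM_NAME_RE = re.compile(r"^[a-z]{3,8}$")
KNOWN_SYS32_SUBFOLDERS = {"drivers", "wbem", "spool", "config", "oobe"}


def service_short_name(display: str) -> str:
    """'System Startup Service (SvcProc)' -> 'SvcProc'; otherwise unchanged."""
    m = re.search(r"\(([^()]+)\)\s*$", display)
    return m.group(1) if m else display


def path_reasons(raw_path: str) -> Tuple[List[str], str]:
    """Return (reasons, cleaned path) for one executable path."""
    path = raw_path.strip().strip('"')
    reasons: List[str] = []
    if "\\" not in path:
        reasons.append("bare file name, no directory")
        return reasons, path
    if re.search(r"\\temp\\", path, re.I):
        reasons.append("runs from a Temp directory")
    m = SYS32_SUB_RE.match(path)
    if m:
        folder = m.group("folder")
        stem = m.group("exe").rsplit(".", 1)[0]
        if (folder.lower() not in KNOWN_SYS32_SUBFOLDERS
                and RANDOM_NAME_RE.match(folder) and RANDOM_NAME_RE.match(stem)):
            reasons.append("short lowercase random-looking folder under system32")
    return reasons, path


def triage(log_text: str) -> List[Finding]:
    """Parse O4 (Run keys) and O23 (services) lines; return only flagged ones."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            reasons, path = path_reasons(m.group("path"))
            if reasons:
                findings.append(Finding("O4", m.group("name"), path, tuple(reasons)))
            continue
        m = O23_RE.match(line)
        if not m:
            continue
        reasons, path = path_reasons(m.group("path"))
        if m.group("owner").lower() == "unknown owner":
            reasons.append("no publisher (Unknown owner)")
        if m.group("missing"):
            reasons.append("service binary missing")
        short = service_short_name(m.group("name"))
        sm = SYS32_SUB_RE.match(path)
        if sm and short.lower() == (sm.group("exe").rsplit(".", 1)[0] + sm.group("folder")).lower():
            reasons.append("service name is exe stem + folder name")
        if reasons:
            findings.append(Finding("O23", short, path, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} {f.name}: {f.path}\n    " + "; ".join(f.reasons))
```

Entries that trip none of the heuristics (the two ZoneAlarm lines) are left out of the report, so a reviewer sees only what still needs a human decision.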
     
  8. Plane Nuts

    Plane Nuts Private E-2

    I can't download Holster from the provided link. IE says that the site is unavailable or does not exist.

    If I use Firefox, it downloads a file called Holster.zip, but says that this file is corrupt.

    Can I get it somewhere else?

    :confused:
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I apologize, I forgot to change the link.

    Download HOSTER
     
  10. Plane Nuts

    Plane Nuts Private E-2

    I've completed all the steps provided. Here are a few items of note:

    1. I have a file on my Desktop called Thumbs.db that was there before I got started doing all steps. It's a grayed out Windows icon with the two gears on it.

    2. These files did not exist to delete:
    a. C:\WINDOWS\SYSTEM32\hycbxcq.EXE
    b. C:\WINDOWS\SYSTEM32\pacis.EXE
    c. C:\WINDOWS\SYSTEM32\exp.EXE
    d. C:\WINDOWS\SYSTEM32\eliteczn32.EXE (or any other files containing elite and .exe).

    3. When searching for file lcoffc.exe, search found it and I deleted it, but there was also a file called LCOFFC.EXE-2CBC6B94.pf located in the C:\WINDOWS\Prefetch folder. I did not delete this file.

    4. Search did not find files:
    a. WSNipr07.exe
    b. S3itab.exe

    5. Spybot S&D found no threats.

    6. When doing the 'Delete a Windows NT Service', it asked me if I wanted to reboot each time I deleted a file. I did not reboot after each file deletion, should I have?

    7. TrendMicro Online Scan found the file TrojBuddy.f labeled as an uncleanable file, but it did delete it.

    8. I've attached the log file from the BITDEFENDER scan below.

    9. RAVANTIVIRUS found no virus and no suspicious files.

    10. I then went to run TROJANSCAN, but the IE window it opened in kept closing after hitting the Start Scan button. So I rebooted my PC. While closing Windows, a message box popped up that said that SunasServAlert.exe failed to start because Windows was shutting down. I let Windows continue to shut down and did not click OK on the box.

    11. When Windows was starting up again, Microsoft AntiSpyware popped up a message saying that qigc.exe was trying to be added. I clicked the "BLOCK" button.

    12. TROJANSCAN did run after the reboot, and found no infections.

    13. During the 5-6 hours that Windows was booted in Normal Mode doing all of the online scans, I saw no automatic pop ups. The second I open a new IE window, a full size pop up appears as well with ads in it. If I use FireFox instead, the pop up does not open.

    Attached is the new HiJack This log (and I see that qigc.exe is running again even though I blocked it :( and there are several other weird named items still).
     


  11. Gangrel in London

    Gangrel in London Private E-2

    :rolleyes:

    This is more probably bad advice, but I find that ZoneAlarm Pro4 keeps the pop-ups from actually popping up...however it does not rid you of the initial program. It's probably better if you listen to the experts.

    2p,
    ~Gangrel
     
  12. Plane Nuts

    Plane Nuts Private E-2

    Thanks for the tip Gangrel. I will be adding something like ZoneAlarm or Norton Internet Security once I'm cleaned up again.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Since BJ is not around right now, I'll try to keep you moving on this.

    First look in Add/Remove programs for the below and uninstall if found:
    11 News ALERT or TrueWeather

    Boot into safe mode and run the below steps.

    First run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.

    C:\WINDOWS\system32\alyjwph\qigc.exe

    After killing all the above processes, click "Back". And just leave HijackThis running at this point!

    Now click START>>>RUN>>>type in services.msc and hit Enter
    In the next window, look on the right hand side for the below service name

    System Startup Service or SvcProc
    Double click on it and then STOP the service! In the drop down menu, change the startup type to Disabled

    Repeat the above for the below two services:
    qigcalyjwph
    wjibsxyuh

    Use Windows Explorer to find and delete the below:
    C:\WINDOWS\svcproc.exe
    C:\WINDOWS\system32\alyjwph <--- the whole folder
    C:\WINDOWS\system32\xyuh <--- the whole folder
    If you cannot delete these right now make note of what you cannot delete and tell me when you return.

    Now while still in safe mode, leave Windows Explorer running and return to the HijackThis window.
    Click on the "Open the Misc Tools Section" button on the open page. Then select "Delete an NT service" on the left-hand side. A "Delete a Windows NT Service" window will pop up. Try entering the following into the box and then click OK:

    System Startup Service

    If that does not work try entering the short name: SvcProc

    Now repeat the Delete an NT Service process for the below two:
    qigcalyjwph
    wjibsxyuh

    Now click "Back" on the bottom right of the window. Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [wjibs] C:\WINDOWS\system32\xyuh\wjibs.exe
    O4 - HKLM\..\Run: [qigc] C:\WINDOWS\system32\alyjwph\qigc.exe
    O4 - HKLM\..\Run: [rdmq] C:\WINDOWS\system32\supokwv\rdmq.exe
    O4 - Global Startup: 11 News ALERT.lnk = C:\Program Files\Common Files\11 News ALERT\TrueWeather.exe
    O23 - Service: qigcalyjwph - Unknown owner - C:\WINDOWS\system32\alyjwph\qigc.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
    O23 - Service: wjibsxyuh - Unknown owner - C:\WINDOWS\system32\xyuh\wjibs.exe

    After clicking Fix, exit HJT.

    Now run CCleaner (installed while running the READ ME FIRST). Now go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  14. Plane Nuts

    Plane Nuts Private E-2

    No need to fight over helping me! I'm sure I need enough that it will take two people! ;)
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I restored the fix I had posted. Look back to msg # 13
     
  16. Plane Nuts

    Plane Nuts Private E-2

    Thanks!

    Quick question. Your first instruction is to delete this program. Do you have information identifying this as a threat? This is a weather program which we downloaded from our local news TV station.

    First look in Add/Remove programs for the below and uninstall if found:
    11 News ALERT or TrueWeather
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well you can decide for yourself if you trust it. I saw multiple items indicating it may not be a valid program. Check the below out but they could just be conveying the message that TrueWeather downloads other stuff to your PC (which many people consider a form of malware).

    http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453076083
    http://www.scanspyware.net/info/TrueWeatherDownloadManager.htm
     
  18. Plane Nuts

    Plane Nuts Private E-2

    I went ahead and deleted it already anyway after posting. I figured the gain of having it wasn't worth the potential problems it could cause.

    Okay, followed all the new steps. Here are the only issues I had:

    The following process wasn't showing up as an option to be killed in HJT.
    C:\WINDOWS\system32\alyjwph\qigc.exe

    The following executable file was not present to delete
    C:\WINDOWS\svcproc.exe

    The following were not available to be FIXED when I ran HJT while still in SAFE MODE:
    O4 - Global Startup: 11 News ALERT.lnk = C:\Program Files\Common Files\11 News ALERT\TrueWeather.exe

    O23 - Service: qigcalyjwph - Unknown owner - C:\WINDOWS\system32\alyjwph\qigc.exe

    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

    O23 - Service: wjibsxyuh - Unknown owner - C:\WINDOWS\system32\xyuh\wjibs.exe


    Attached is the new HJT log file. :)
     


  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download Pocket KillBox and extract it to its own folder somewhere that you can locate it. Do not run yet.

    Now click START>>>RUN>>>type in services.msc and hit Enter
    In the next window, look on the right hand side for the below service name

    xhmjifdusrukq or xhmjif

    Double click on it and then STOP the service! In the drop down menu, change the startup type to Disabled

    Exit the services window.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions:

    O4 - HKLM\..\Run: [xhmjif] C:\WINDOWS\system32\dusrukq\xhmjif.exe
    O23 - Service: xhmjifdusrukq - Unknown owner - C:\WINDOWS\system32\dusrukq\xhmjif.exe

    After clicking Fix, exit HJT.

    Please run Pocket Killbox. Select the option to Replace on Reboot.

    Now, Copy and Paste C:\WINDOWS\system32\dusrukq\xhmjif.exe into the box and check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click Yes.

    And allow your system to reboot but boot into safe mode.

    I want to double check that the bad files are really gone so let's also do the below.

    While still in safe mode run Windows Explorer to delete
    C:\WINDOWS\system32\dusrukq\xhmjif.exe

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    Do not reboot or power down your PC after the above. It seems your processes may be renaming themselves and recreating on boots, so we need to make sure what I see in the HJT log will be on your PC at the time I post a fix.
     
  20. Plane Nuts

    Plane Nuts Private E-2

    Done.

    The only thing that varied was that I could not find this:

    O23 - Service: xhmjifdusrukq - Unknown owner - C:\WINDOWS\system32\dusrukq\xhmjif.exe

    to have HJT fix.

    This was there when I booted to SAFE MODE, so I deleted the dusrukq folder.

    C:\WINDOWS\system32\dusrukq\xhmjif.exe

    New log file is attached.
     


  21. Plane Nuts

    Plane Nuts Private E-2

    Well, I switched User accounts so my wife could check her e-mail. Since your post said no rebooting or powering down, I figured just switching users was okay. When her account was pulling up, Antispyware beta stopped something called Huntbar from initializing. When she was done with her mail, I tried logging her off, and the screen just went black forever. The drive light would come on every once in a while, but otherwise everything was frozen. So I ended up having to push the power button to shut the computer off. :mad: When I started the PC up again, I logged back in to my user account and Antispyware stopped CoolWebSearch from initializing.

    I've run and posted a different HJT log file since I had to reboot.

    I have a question. Once things are fixed under my XP User Account, will I have to repeat a similar process under all other user accounts?
     


  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well it looks like we got the problems resolved on your account.

    And the answer to your question is yes! All user accounts must be run through the full process of cleaning. Do them one at a time to avoid confusion.
     
  23. Plane Nuts

    Plane Nuts Private E-2

    Ok, thank you very much for the help! I'll start a new thread for my wife's account next I guess.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! You should start by running the same steps given in message # 3 of this thread. That is, run ALL of the READ ME FIRST and then post the follow up HJT log. Make sure you state that you have run the READ ME FIRST and that I asked you to post the HJT log. Reference this thread too: http://forums.majorgeeks.com/showthread.php?t=60362
     
  25. Plane Nuts

    Plane Nuts Private E-2

    You know, I went through all the steps in the Readme and found absolutely nothing on my wife's account and it seems to be running great! So I think I'm good.

    One thing of interest. I had installed Microsoft's Antispyware beta back when all this started. Things were okay with it until today. All of a sudden, both of our user accounts became unusable because Antispyware was trying to load, but couldn't finish loading for whatever reason. I removed it and the system runs great again. I have added ZoneAlarm's firewall (I'm currently in the free trial) and am hoping that will keep more of these kinds of intrusions out in the future.

    Thank you very, very much for the help!
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But you already had the CA version of Zone Alarm installed as shown in your previous log:

    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    Did you uninstall it first?
     
  27. Plane Nuts

    Plane Nuts Private E-2

    I added it the other day, to try to keep more crap from getting in while I was fixing everything.
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not need to "add it"! You already had it. And you cannot have two versions of a firewall running. So if you installed the one truly from ZoneLabs you should have uninstalled the one from CA first. It probably should have asked you about this. Having two software firewalls is not a good thing to do.
     
  29. Plane Nuts

    Plane Nuts Private E-2

    If you look back at the very first log file I submitted, it was not installed. I decided to add it while in the process of working out the problems already on my machine to avoid new problems. Per that log on 4/14, I did not have it installed and running. I have only installed ZoneAlarm one time, and that was just about 3 days ago.

    By the way, my PC is running GREAT!! Even my wife's account is working as it should again.
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Now I understand what you meant. Happy to hear things are working better. You should check out the steps (the ones you have not done yet) in the below link to help keep you clean:

    How to Protect yourself from malware!
     
  31. Plane Nuts

    Plane Nuts Private E-2

    I'm all over it! :)

    Thanks again!
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Surf safely!
     
