China pop-ups

Discussion in 'Malware Help (A Specialist Will Reply)' started by ja5on, Oct 7, 2006.

  1. ja5on

    ja5on Private E-2

    I have tried several methods to remove the malware, but I'm still having the pop-ups. I have done the 6-step removal too. I used CounterSpy instead of Windows Defender, but there are still pop-ups. Can someone help me out, please?
     

    Attached Files:

  2. ja5on

    ja5on Private E-2

    Hi, can someone kindly assist me?
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to complete the instructions in the READ ME.
    • CounterSpy log should be attached
    • Bitdefender online scan must be run and the log must be attached
    • Panda ActiveScan online scan must be run and the log must be attached
    • Your HijackThis log must be obtained from normal boot mode as requested in step 7 of the READ ME. BUT DO NOT ATTACH a new one yet. Wait until after doing the below.
    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to ClipBook ... then right-click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Now repeat the above stop and disable for the following services:
    Network Logons

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc Tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press "OK":

    ClipSrv

    Now repeat the Delete NT Service steps for:
    NetWorkLogons
    If you receive any error messages, just ignore them and continue.

    Now exit HJT and reboot when it tells you it needs to.


    Please attach a new HJT log now.
     
    Last edited: Oct 9, 2006
  4. ja5on

    ja5on Private E-2

    Hi, my computer just would not allow me to run Panda ActiveScan. When I click on Scan, it will just stay there for 10 minutes and say my computer is not infected. But I have the CounterSpy and Bitdefender logs.
     

    Attached Files:

  5. ja5on

    ja5on Private E-2

    This is the Bitdefender log.
     

    Attached Files:

    Last edited: Oct 13, 2006
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not allow CounterSpy to fix the problems it found. You had it ignore everything, according to the log. Run it again and let it fix the problems.

    Also, you did not attach the requested HijackThis log after completing message number 3.
     
  7. ja5on

    ja5on Private E-2

    I have to attach the HijackThis log only after I finish running CounterSpy, right? Thanks.
     
  8. ja5on

    ja5on Private E-2

    Here are my new log files. Thanks for looking.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please install HijackThis into the folder that was requested in the READ ME. You have it installed exactly where we specify not to install it. Also, you are running Spybot's TeaTimer, which we also specifically requested that you not use. Disable Spybot's TeaTimer now and install HJT properly. Then continue.

    You appear to have a lot of stuff on your PC that indicates you are accessing lots of Chinese-based websites. Are you in China, or are you Chinese and accessing these sites? I see a load of questionable files, some of which are definitely indicated as malware. Let's look at the list below. Do you recognize any of these as being something that you installed and that are valid?

    Code:
     
    C:\Documents and Settings\Jason Heng\Local Settings\Temp\rg_lyric_039.exe
    C:\WINDOWS\101371.exe
    C:\WINDOWS\199019003.exe
    C:\WINDOWS\5001.exe
    C:\WINDOWS\5002vost.exe
    C:\WINDOWS\bind_40094.exe
    C:\WINDOWS\kw_rg_lyric_039.exe
    C:\WINDOWS\kw_rg_lyric_057.exe
    C:\WINDOWS\lmdm_setup_2.1_101.exe
    C:\WINDOWS\realupdate.exe
    C:\WINDOWS\setup173.exe
    C:\WINDOWS\ss10202.EXE
    C:\WINDOWS\winampc.exe
    C:\WINDOWS\system32\17.exe
    C:\WINDOWS\system32\checknetwork.exe
    C:\WINDOWS\system32\ctfmoon.exe
    C:\WINDOWS\system32\lrcsys.exe
    C:\WINDOWS\system32\reggoo.exe
    C:\WINDOWS\ef26ev.dll
    C:\WINDOWS\system32\Inte32.dll
    C:\WINDOWS\system32\YHBO.dll
    
    C:\WINDOWS\system32\
    lylk.dat      Sep 13 2006          27  "lylk.dat"
    sys32.dat     Oct  7 2006         226  "Sys32.dat"
    sysdb.dat     Sep 26 2006          66  "SysDb.dat"
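The file list above is the kind of listing a helper eyeballs for names that do not belong: numeric-only names, executables dropped straight into the Windows folder or a Temp folder, and near-misses of real system binaries (ctfmoon.exe against ctfmon.exe). The following script is an added example, not part of the original thread or of any MajorGeeks tool; it encodes those eyeball rules as a first-pass triage over the paths quoted above plus two legitimate control files. The allowlists, the look-alike list and the control paths are assumptions made for this example.

```python
"""Added example: first-pass triage of a file listing such as the one in the
post above. Not from the original thread; the heuristics, allowlists and the
two 'control' paths are assumptions made for this example."""
import re

# Constructed input: the paths named in the post above, plus two legitimate
# control files so the output shows what does NOT get flagged.
SAMPLE_PATHS = [
    r"C:\Documents and Settings\Jason Heng\Local Settings\Temp\rg_lyric_039.exe",
    r"C:\WINDOWS\101371.exe",
    r"C:\WINDOWS\199019003.exe",
    r"C:\WINDOWS\5001.exe",
    r"C:\WINDOWS\5002vost.exe",
    r"C:\WINDOWS\bind_40094.exe",
    r"C:\WINDOWS\kw_rg_lyric_039.exe",
    r"C:\WINDOWS\kw_rg_lyric_057.exe",
    r"C:\WINDOWS\lmdm_setup_2.1_101.exe",
    r"C:\WINDOWS\realupdate.exe",
    r"C:\WINDOWS\setup173.exe",
    r"C:\WINDOWS\ss10202.EXE",
    r"C:\WINDOWS\winampc.exe",
    r"C:\WINDOWS\system32\17.exe",
    r"C:\WINDOWS\system32\checknetwork.exe",
    r"C:\WINDOWS\system32\ctfmoon.exe",
    r"C:\WINDOWS\system32\lrcsys.exe",
    r"C:\WINDOWS\system32\reggoo.exe",
    r"C:\WINDOWS\ef26ev.dll",
    r"C:\WINDOWS\system32\Inte32.dll",
    r"C:\WINDOWS\system32\YHBO.dll",
    r"C:\WINDOWS\notepad.exe",            # control (legitimate), constructed
    r"C:\WINDOWS\system32\kernel32.dll",  # control (legitimate), constructed
]

# Executables that legitimately live directly in %WINDIR% on XP. Partial list,
# assumed for this example; extend it from a known-clean machine.
WINDIR_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe",
                "winhlp32.exe", "twunk_16.exe", "twunk_32.exe", "taskman.exe"}
# System binaries that malware commonly impersonates with a one-letter change.
KNOWN_SYSTEM = ["ctfmon.exe", "csrss.exe", "lsass.exe", "services.exe",
                "spoolsv.exe", "svchost.exe", "winlogon.exe"]
EXEC_EXTS = {"exe", "dll", "scr", "com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch look-alike names such as ctfmoon.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(path: str) -> list:
    """Return the list of heuristics that fire for one path (empty = nothing)."""
    folder, _, name = path.lower().rpartition("\\")
    stem, dot, ext = name.rpartition(".")
    if not dot:
        stem, ext = name, ""
    reasons = []
    if ext not in EXEC_EXTS:
        return reasons
    if stem.isdigit():
        reasons.append("numeric-only filename")
    elif re.search(r"\d{3,}", stem):
        reasons.append("serial-number style digits in filename")
    if folder == r"c:\windows" and name not in WINDIR_ALLOW:
        reasons.append("executable dropped directly in %WINDIR%")
    if folder.endswith(r"\local settings\temp"):
        reasons.append("executable in user Temp folder")
    for known in KNOWN_SYSTEM:
        if name != known and levenshtein(name, known) == 1:
            reasons.append(f"look-alike of {known}")
    return reasons


def run_triage(paths) -> dict:
    """Map each flagged path to its reasons; unflagged paths are omitted."""
    return {p: r for p in paths if (r := triage(p))}


if __name__ == "__main__":
    for path, reasons in run_triage(SAMPLE_PATHS).items():
        print(f"{path}\n    " + "; ".join(reasons))
```

Name heuristics only narrow the list: plain-looking droppers such as checknetwork.exe, lrcsys.exe and reggoo.exe pass every rule here and still need a hash lookup or a signature check before they are cleared, which is why the helper asks the user what each file is rather than trusting a pattern.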
    
     
  10. ja5on

    ja5on Private E-2

    Nope, I do not surf any China sites, man. I also don't know why I keep on having these sites popping up. I will reinstall and have a new log. Thanks.
     
  11. ja5on

    ja5on Private E-2

    Here is my new HJT log. Thanks a lot, man.
     

    Attached Files:

  12. ja5on

    ja5on Private E-2

    Hi, I deleted the files you listed, but some could not be found, like

    c:\windows\101371
    c:\windows\kw_rg_lyrics_039.exe etc...

    This is the new HJT log after deleting. Thanks.
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 6

    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {16B770A0-0E87-4278-B748-2460D64A8386} - (no file)
    O8 - Extra context menu item: Access Internet Keyword - C:\Program Files\CNNIC\Cdn\cnnic.htm

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\CNNIC <--- the whole folder

    Now reboot in normal mode.
    Now run CCleaner.

    Now attach the below new logs and tell me how the above steps went.
    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
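The two HijackThis lines selected for fixing above are typical of what a helper hunts for in a log: an O2 BHO registration whose DLL is gone ("(no file)", an orphaned CLSID key under Explorer\Browser Helper Objects) and an O8 context-menu handler pointing into a third-party folder. The script below is an added example, not part of the thread and not HijackThis code; it parses HJT-style lines and flags the entry types this thread acts on (R1, O2, O4, O8, O23). The sample log mixes the lines quoted in the thread with made-up contrast lines; the trusted-directory list, the autorun allowlist, the fake CLSID and the "Example Service" entry are all assumptions made for this example.

```python
"""Added example: parse HijackThis log lines and flag the entry types this
thread acted on. Not from the original thread or from HijackThis itself; the
sample log, trusted-directory list and autorun allowlist are assumptions."""
import re

# Constructed sample log. The R1, O2 "(no file)" and O8 lines repeat entries
# quoted in the thread; the other lines (and their CLSID/service names) are
# made up for contrast and match nothing real.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {16B770A0-0E87-4278-B748-2460D64A8386} - (no file)
O2 - BHO: Example PDF Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\ExampleHelper.dll
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
O4 - HKLM\..\Run: [ctfmoon] C:\WINDOWS\system32\ctfmoon.exe
O8 - Extra context menu item: Access Internet Keyword - C:\Program Files\CNNIC\Cdn\cnnic.htm
O23 - Service: Example Service (ExampleSvc) - Unknown owner - C:\WINDOWS\svc12345.exe
"""

_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
_O4 = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_O8 = re.compile(r"^O8 - Extra context menu item: (?P<text>.*?) - (?P<path>.*)$")
_O23 = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
_R1 = re.compile(r"^R1 - (?P<key>.*?),(?P<value>\w+) = (?P<data>.*)$")

# Where a BHO DLL is expected to live (assumption for this example).
TRUSTED_BHO_DIRS = ("c:\\program files\\", "c:\\windows\\system32\\")
# Autoruns launched from these folders deserve a second look unless allowlisted.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\windows\\system32\\")
KNOWN_AUTORUNS = {"ctfmon.exe"}  # legitimate system32 autorun on XP


def _exe_of(cmd: str) -> str:
    """Extract the executable path from a Run-key command line."""
    m = re.match(r'^"?(?P<exe>[^"]+?\.exe)', cmd, re.I)
    return m["exe"].lower() if m else cmd.lower()


def analyze(log_text: str) -> list:
    """Return (section, reason, line) for every suspicious entry, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := _O2.match(line)):
            path = m["path"]
            if path == "(no file)":
                findings.append(("O2", "orphaned BHO registration (CLSID key present, DLL missing)", line))
            elif not path.lower().startswith(TRUSTED_BHO_DIRS):
                findings.append(("O2", "BHO loaded from unusual location", line))
        elif (m := _O4.match(line)):
            folder, _, name = _exe_of(m["cmd"]).rpartition("\\")
            if folder + "\\" in SYSTEM_DIRS and name not in KNOWN_AUTORUNS:
                findings.append(("O4", "autorun launched from a Windows system directory", line))
        elif (m := _O8.match(line)):
            findings.append(("O8", "third-party context-menu handler; confirm you installed it", line))
        elif (m := _O23.match(line)):
            if m["owner"].lower() == "unknown owner" or "(file missing)" in m["path"]:
                findings.append(("O23", "service with unknown owner or missing binary", line))
        elif (m := _R1.match(line)):
            if m["value"].lower() in ("proxyserver", "proxyoverride"):
                findings.append(("R1", "proxy setting present; confirm it is intentional", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in analyze(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

A "(no file)" O2 entry that survives repeated HJT fixes, even from safe mode, is the sign that the registry key itself cannot be deleted by the current user (the thread reaches that point later and resolves it by taking ownership of the key); the parser can only point at the entry, the ACL has to be inspected in the registry.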
     
  14. ja5on

    ja5on Private E-2

    Hi, these are my new log files. Thanks.
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please delete the below files:
    C:\WINDOWS\system32\downews.ini
    C:\WINDOWS\system32\jmx.ini
    C:\WINDOWS\system32\popnews.ini
    C:\WINDOWS\system32\lylk.dat


    You forgot to tell me how things are working!
     
  16. ja5on

    ja5on Private E-2

    I'm still having lots of China pop-ups, man.
     
  17. ja5on

    ja5on Private E-2

    Here is my new HJT.
     

    Attached Files:

  18. ja5on

    ja5on Private E-2

    And my other 2 logs. I'm still having lots of China pop-ups.
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First disable/shutdown CounterSpy and run HJT again and fix the below lines:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - {16B770A0-0E87-4278-B748-2460D64A8386} - (no file)

    Now exit HJT!



    Boot into safe mode and find and delete the below files:
    C:\WINDOWS\system32\ACSs.dll
    C:\WINDOWS\system32\sdmAgent20.dll
    C:\WINDOWS\system32\sdmAgent22.dll

    Let me know the results of locating and deleting the above files.

    Attach new logs from HJT and ShowNew.

    Are you still getting popups? If so, exactly when do they occur?
    Is it only when online? What if your cable to the internet is disconnected?
    What if no browsers are opened?
    Do they only occur while using IE?
    Do they occur while using FireFox?
    When they occur, which browser opens?
    What is in the popup window address bar and title bar?
    Are you sure the popups are not related to any sites that you are accessing?
     
  20. ja5on

    ja5on Private E-2

    I'm quite sure it's not pop-ups from the sites I visit, as I do not visit any China sites. Another thing is that even if my browsers are closed, it still will pop up a new window, and the number keeps increasing. I'm using Firefox, but only my IE will have new window pop-ups. I could not delete the O2 - BHO: (no name) - {16B770A0-0E87-4278-B748-2460D64A8386} - (no file)

    no matter how many times I try, even in safe mode. When I reboot it will still be there. Here are my new logs. Thanks, man.
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not answer all of my questions! I'll repeat and number the ones you did not answer:

    1. Exactly when do they occur?
    2. Is it only when online? What if your cable to the internet is disconnected?
    3. What is in the popup window address bar and title bar?
    Here are some new questions:
    1. Do the popups occur in safe mode?
    2. What is this folder for: C:\PSFONTS? If you don't know what it is for, what is in the folder?
    3. What is this file for: C:\WINDOWS\lmdm_setup_2.1_101.exe? It was created on Oct 1st.
    Let's take a few more steps!

    Now download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program
    Now Click Start > Run and type in cmd
    • Click OK.
    • This will open a command prompt.
    • Type or copy and paste the following line in the command window:
      ipconfig /flushdns
    • Hit Enter
    • Exit the command window


    Now run the below to make sure Windows Messenger is removed

    Disable/Remove Windows Messenger


    Any change to your PopUps? If not, continue with the below:

    Download Blacklight Beta
    • Download blbeta.exe and save it to the Desktop.
    • Once saved... double click blbeta.exe to install the program.
    • Click accept agreement and Click scan
      This app too may fire off a warning from antivirus. Let the driver load.
      Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please post contents of the BlackLight log.
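The hosts-file step above ("Restore Original Hosts") undoes a common trick: malware rewrites C:\WINDOWS\system32\drivers\etc\hosts so that update and help sites resolve to 127.0.0.1 or 0.0.0.0 (silently unreachable) or to a server of the attacker's choosing. The script below is an added example, not part of the thread and not Hoster's code; it audits a hosts file for those two patterns and rebuilds a default one. The sample file contents, the verdict labels and the placeholder address 1.2.3.4 are constructed for this example.

```python
"""Added example: audit a Windows hosts file for the kind of tampering that a
'Restore Original Hosts' step undoes. Not from the original thread or from the
Hoster tool; the sample contents and verdict labels are assumptions."""
import ipaddress

# Constructed sample: one legitimate line plus three tampered entries.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
0.0.0.0         www.majorgeeks.com        # blocks a help site
127.0.0.1       update.microsoft.com      # blocks Windows Update
1.2.3.4         www.google.com            # redirects to a placeholder host
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain"}
DEFAULT_HOSTS = "127.0.0.1\tlocalhost\n"


def parse_hosts(text: str):
    """Yield (ip_string, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def classify(ip_str: str, name: str) -> str:
    """Verdict for one mapping: ok, blocked, redirected-private, redirected, malformed."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return "malformed"
    if name in LOCAL_NAMES and ip.is_loopback:
        return "ok"
    if ip.is_loopback or ip.is_unspecified:
        return "blocked"            # name silently becomes unreachable
    if ip.is_private:
        return "redirected-private"  # LAN address; unusual but sometimes legitimate
    return "redirected"             # classic hijack: name sent to a foreign host


def audit_hosts(text: str) -> list:
    """Return (ip, name, verdict) for every mapping in the file, in file order."""
    return [(ip, name, classify(ip, name)) for ip, name in parse_hosts(text)]


def restore_default(text: str) -> str:
    """Rebuild the file keeping only 'ok' mappings; if none survive, write the
    single default localhost line (what a restore-to-original step produces)."""
    kept = [f"{ip}\t{name}" for ip, name, verdict in audit_hosts(text) if verdict == "ok"]
    if not kept:
        kept = [DEFAULT_HOSTS.strip()]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for ip, name, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"{verdict:20} {ip:16} {name}")
    print("--- restored ---")
    print(restore_default(SAMPLE_HOSTS), end="")
```

Rewriting the file does not touch the Windows resolver cache, which still holds the old answers until it expires; that is what the ipconfig /flushdns step that follows in the post is for. A blocked entry for an anti-malware vendor or update site is a stronger infection indicator than a redirect, because blocking is what keeps the victim from fetching a fix.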
     
  22. ja5on

    ja5on Private E-2

    I'm sorry that I didn't answer all your questions. It only occurs when I'm online, and it only happens in IE. Another thing is that I do not use IE; I only use Firefox. The pop-up address has a lot of numbers, like 5115.com or .cn. I do not visit any China sites at all. The PSFONTS folder on my C drive is used to store my fonts for graphic design use. A few hours ago I just installed the Sygate firewall recommended by this forum, and I have yet to have any pop-ups, so I cannot give you the exact site address. By the way, is my log clean? Thank you for your time.



     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes your logs are clean! Did you do all the other steps in my last message?

    Installing the firewall (which is a necessary piece of software) may just block the popups if they were incoming from the internet!
     
  24. ja5on

    ja5on Private E-2

    Yes, I did all the other steps you told me to.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then where is the log I asked for from BlackLight?

    Have you installed a Software Firewall? If not, install ZoneAlarmFree
     
  26. ja5on

    ja5on Private E-2

    Yeah, I had the Sygate firewall installed.
     
  27. ja5on

    ja5on Private E-2

    My BlackLight log.
     

    Attached Files:

  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you still getting popups? If so, please attach a current HJT log and download the new version of ShowNew and attach a log from it.
     
  29. ja5on

    ja5on Private E-2

    3yyy.cn is trying to pop up. My firewall prompted. Here are my new logs.
     

    Attached Files:

    Last edited by a moderator: Nov 5, 2006
  30. ja5on

    ja5on Private E-2

    v4.3yyy.cn is also trying to launch my IE.
     
  31. matt.chugg

    matt.chugg MajorGeek

    Sorry for the delay, Chas is taking a much-deserved vacation right now.

    Chas already checked for rootkits, but I can see nothing in your logs that could be causing this, so let's check again with a different tool.

    Please follow the instructions here Using Sophos and upload the log when complete.
     
    Last edited: Nov 8, 2006
  32. ja5on

    ja5on Private E-2

    Hi, can you relink the Sophos instruction post, please? Because I could not get in. The site kept prompting me to flush my DNS, which did not work at all. Thanks.

     
  33. ja5on

    ja5on Private E-2

  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download and use the current version of ShowNew as requested in message number. Then attach a new log! Also retry the Sophos link Matt gave you. There were problems due to a new server being used for MajorGeeks at the time. It should work okay now.

    Did you use the tool to remove Windows Messenger?
     
  35. ja5on

    ja5on Private E-2

    Yup, I had Windows Messenger removed. Here are my new log files.
     

    Attached Files:

  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download and install Registrar Lite. Make sure you select a MajorGeeks download link and not the author's!

    Run Registrar Lite, navigate to the following key and take ownership of it (I explain how to do that further down).

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{16B770A0-0E87-4278-B748-2460D64A8386}


    To take ownership of the key do the following:
    • Copy & Paste the registry key from above into the Address bar of Registrar Lite and hit the enter key. This will bring you to the registry key.
    • Click-on Security in the top Menu
    • Select Take Ownership
    • Now leave RegistrarLite running and continue
    • Now run the fixME.reg REGISTRY PATCH below in this message.
    • Tell me the results. Any error messages?
    • Now in RegistrarLite click View and then Refresh
    • Now navigate to the above keys we took ownership of to make sure it was deleted.
    • If the key still exists, right click on it and select Delete. Let me know if you have to do this and if you get any error messages at this point.
    Here is the Registry Patch

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Then reboot your PC!

    Now attach new logs from HJT, ShowNew, and GetRunKey

    Are you still getting popups?
     
  37. ja5on

    ja5on Private E-2

    Cannot import the registry. They said: "The specified file is not a registry script. You can only import binary registry files from within the same registry editor."
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sounds like you did not save the fixME.reg file properly. You must make sure that it is named fixME.reg and not fixME.reg.txt. It is important to follow the directions exactly as written or you will not create the file properly. Also, you should make sure you have followed the directions in step 2 of the READ ME exactly or you will not see file extensions. Thus a file like fixME.reg would look like just fixME, and fixME.reg.txt would look like fixME.reg, and if you double-clicked on this last one (which is really fixME.reg.txt), you would get an error message like that.

    By the way you could still just continue with the instructions and delete the key manually in Registrar Lite.
     
  39. ja5on

    ja5on Private E-2

    "Be sure the 'Save as' type is set to 'all files'. Once you have saved it, double-click it and allow it to merge with the registry." I did follow this step. I did change it to all files and not txt. Or is it the encoding part? I chose the default ANSI, not Unicode, for that part. It still doesn't work.
     
  40. ja5on

    ja5on Private E-2

    I deleted the thing you asked me to from Registrar Lite. But my IE still tried to launch.
     
  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why did you start another thread?

    And why is it that the HJT log posted has stuff in it that we already fixed?

    Why does the log look different than your last log in this thread?

    And if it is another PC, why didn't you say so and why didn't you follow the READ & RUN ME steps?

    ==============
    Back to this thread and in answer to message # 40. I need the follow up logs I requested in message number 36.
     
  42. ja5on

    ja5on Private E-2

    Hi, I did not start a new thread. All the while I have been using the same computer. The scans are from the same computer. By the way, these are my new logs. Thanks.
     

    Attached Files:

  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry for the confusion. See: China pop-ups

    BJ closed the thread as a duplicate and it was an old thread. Closing it with a message brought it to the top of the queue as a new message. BJ should have deleted the thread instead of closing it with a message.

    Your logs do not show any signs of problems! If you are still getting popups then it must be due to some software that you are running, or you have allowed something to pass thru your Sygate firewall that you should not be allowing. Try uninstalling Sygate and using ZoneAlarmFree instead. Make sure you do not allow anything to pass thru it to start (except IE). And then slowly allow certain things you use to get access thru the firewall and see if you can determine where the popups begin (I'm assuming that after uninstalling Sygate and installing ZoneAlarm there will be no popups. This may be a bad assumption.)
     
    Last edited: Nov 17, 2006
  44. ja5on

    ja5on Private E-2

    It is not my Sygate firewall. I've blocked this v4.3yyy.cn address. But every time my firewall blocks it, it will have a window telling me it's blocked. But I wonder why that v4.3yyy.cn tries to pop up, as I did not install any China program nor visit any China sites. Thanks.
     
  45. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you saying that what you are calling popups are just notifications from the firewall that the site is being blocked? That is not a popup! That is an information message from your firewall! You don't need to see these messages. Just turn them off. That site has your IP address due to a previous infection or from previously running without proper protection. Since they know about you, they are just trying to get to you again. Your firewall is doing what it is supposed to do.
     
  46. ja5on

    ja5on Private E-2

    Oh, I'm so sorry for wasting your time, man. I thought they were trying to attack me again, and that my system has their file, that's why I'm having pop-ups. I did not know about the IP thing. So sorry, man.
     
  47. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No problem as long as my last statements were correct and that what you were calling popups are just messages from your firewall! Was my assumption correct?


    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    4. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    7. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
    Last edited: Nov 17, 2006
