Computer sending e-mails involuntarily, pop-ups

Discussion in 'Malware Help (A Specialist Will Reply)' started by mallorn, Jul 30, 2006.

  1. mallorn

    mallorn Private E-2

    Hi, a few days ago, I noticed that my computer was trying to send what looked to be spam virus e-mails, as Symantec e-mail scan boxes would suddenly pop up out of nowhere. My computer has also been plagued by pesky pop-ups, which load every 5 minutes or so. The Ad-Aware scan turned up about 150+ critical objects. Attached are the bitdefender, active scan, and HJT logs.

    I think I've had this problem before on another computer (was much worse, the whole screen was filled with the Symantec boxes), and Major Geeks advised me to have it reformatted, which I did. Thanks in advance for any help!
     


  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com!

    Please see the below thread on how to install and run Ewido Anti-Malware.


    Once you run Ewido, please see the below thread on running the L2MeFix Tool.


    Once you have run both steps, reboot and attach a fresh HJT log, Ewido scan/removal log and the log from the Look2Me utility.
     
  3. mallorn

    mallorn Private E-2

    Here you go! :)
     


  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    • Save it to your desktop or a place easy to find.
    • Do not run it yet
    Please look in Add/Remove Programs for the following and uninstall them if found:

    ipwins

    zango

    Ewido

    Please make sure the Viewing of Hidden Files & Folders is enabled per the READ ME.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:


    zango.exe

    ipwins.exe

    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/ search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,

    O2 - BHO: Zango Search Assistant Helper /fleok=1D8A83A5C5E315789FA575760EA83FA5EF80752B94E3D67D547B412C3DC7 - {56F1D444-11BF-4879-A12B-79CF0177F038} - c:\program files\zango\zangohook.dll

    O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
    O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"
    O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe

    Again, make sure ALL browser windows are closed when you click FIX.

    Now, Please boot into Safe Mode, be sure you have the Viewing of Hidden Files & Folders Enabled per the tutorial. Now, navigate to and DELETE the following if they should remain:

    C:\Program Files\ipwins Delete this whole folder if it exists!

    C:\Program Files\zango Delete this whole folder if it exists!

    NOW:
    Click Start > Run > type services.msc and Click OK

    Locate npkcsvc and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    Next, Click Start > Run > type in:

    sc delete npkcsvc

    Next, run CCleaner to clean up cookies and temp files.

    Locate PocketKillbox
    (Proceed with this step even if it does not show in blue)

    Now, Copy and Paste C:\WINDOWS\system32\npkcsvc.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    Once you have rebooted follow the below steps...
    Once you have followed each thread you should attach these three logs to your next post.
    • WinPFind.txt
    • runkey.txt
    • newfiles.txt
    • HJT Log.txt
     
  5. mallorn

    mallorn Private E-2

    Thank you so much for all the help! :)

    Here are the logs you asked for.
     


  6. mallorn

    mallorn Private E-2

    Yay! All the pop-ups are gone and my computer doesn't seem to be sending out e-mails anymore! Once again, many many thanks. :) Here's the HJT log:
     


  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add/Remove Programs for the following and uninstall them if found:

    MyGlobalSearch

    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL

    O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"

    Again, make sure ALL browser windows are closed when you click FIX.

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    Now, Please boot into Safe Mode, be sure you have the Viewing of Hidden Files & Folders Enabled per the tutorial. Now, navigate to and DELETE the following if they should remain:

    C:\Program Files\MyGlobalSearch Delete this whole folder if it exists!

    C:\Program Files\zango Delete this whole folder if it exists!

    Next, run CCleaner to clean up cookies and temp files.

    Once you complete this post, reboot to normal mode and attach a fresh HJT log. Also let me know how things are running and if you're having any problems.
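The following is an added example, not part of the thread or of any MajorGeeks tool: a read-only PowerShell audit that checks for the indicators bjgarrick lists in posts 4 and 7 (the O4 Run values, the Zango and My Global Search CLSIDs, the hijacked R1 search URLs, the npkcsvc service and the folders to delete). It reports what is still present after the fix and changes nothing; the key paths and value names are the standard Windows locations those HJT sections correspond to.

```powershell
# Added example: read-only audit of the indicators named in this thread.
# Run in an elevated PowerShell prompt; nothing here modifies the system.

$runKeys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')
$suspectRunValues = @('IpWins', 'zango', 'TClock.exe')            # O4 entries from the posts
$suspectClsids    = @('{56F1D444-11BF-4879-A12B-79CF0177F038}',   # O2 Zango BHO
                      '{37B85A21-692B-4205-9CAD-2626E4993404}',   # O2 My Global Search BHO
                      '{37B85A29-692B-4205-9CAD-2626E4993404}')   # O3 My Global Search toolbar
$suspectPaths     = @('C:\Program Files\ipwins', 'C:\Program Files\zango',
                      'C:\Program Files\MyGlobalSearch',
                      "$env:SystemRoot\system32\npkcsvc.exe")
$suspectService   = 'npkcsvc'
$searchUrlMarker  = 'findthewebsiteyouneed.com'                   # R1 hijacked search URLs

$findings = @()

# O4: autostart values under the HKLM/HKCU Run keys
foreach ($key in $runKeys) {
  if (-not (Test-Path $key)) { continue }
  $props = Get-ItemProperty -Path $key
  foreach ($name in $suspectRunValues) {
    if ($props.PSObject.Properties[$name]) { $findings += "Run value '$name' in $key -> $($props.$name)" }
  }
}

# O2/O3: BHOs are subkeys under Browser Helper Objects; toolbars are values under IE\Toolbar
$bhoKey  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$toolbar = Get-ItemProperty 'HKLM:\Software\Microsoft\Internet Explorer\Toolbar' -ErrorAction SilentlyContinue
foreach ($clsid in $suspectClsids) {
  if (Test-Path (Join-Path $bhoKey $clsid))                     { $findings += "BHO registered: $clsid" }
  if ($toolbar -and $toolbar.PSObject.Properties[$clsid])      { $findings += "Toolbar registered: $clsid" }
}

# R1: per-user IE search settings pointing at the hijacker's domain
$ieMain = Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
foreach ($v in 'Default_Search_URL', 'Search Bar', 'Search Page') {
  if ($ieMain -and "$($ieMain.$v)" -like "*$searchUrlMarker*") { $findings += "IE '$v' hijacked: $($ieMain.$v)" }
}

# Service and on-disk remnants that the posts say to stop, delete and remove
if (Get-Service -Name $suspectService -ErrorAction SilentlyContinue) { $findings += "Service present: $suspectService" }
foreach ($p in $suspectPaths) { if (Test-Path -LiteralPath $p) { $findings += "On disk: $p" } }

if ($findings.Count -eq 0) { 'No listed indicators found.' } else { $findings }
```

An empty result matches the clean HJT log the user posts later; any line reported here is an item from the posts that the fix has not yet cleared.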
     
  8. mallorn

    mallorn Private E-2

    Sorry for the delay, I wasn't able to go online for a week or so because of midterms and such. Here's my HJT log, the pop-ups are completely gone, the clock is back to normal, and there are no other problems, as far as I can see. Thanks for taking the time out to help me and countless others with our malware problems! :)
     


  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log looks good; are you having any further problems?
     
