Constant Popups

Please read the announcement and sticky threads. HJT logs should only be posted when requested and then they must be attachments to your message.

Please run the steps below.

- Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

Make sure you check version numbers and get all updates.

- Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

After doing the above continue with the below:



- Download this trial version of Ewido Security Suite

• Install ewido security suite
• Launch ewido, there should be an icon on your desktop double-click it.
• The program will have a window come up. One of the buttons on the left is to Update. Click the Update button.and then Start the Update. The update will start and a progress bar will show the updates being installed.
• After it completes the update, click the Scanner button

Now exit Ewido. Now print the below instructions or save them locally because I want you do have no browsers opened and also have no connection to the internet (unplug your cable) while doing the below.

Okay, reboot into safe mode and follow the steps below. (If you have any problems at all trying to get into safe mode to complete these steps, just run them in normal boot mode and make sure you tell me when you come back.)

Open up Ewido and do the following:

• Click on Scanner
• Then click Settings
• Under What to Scan? Select Scan every file
• Then click OK
• Click on Complete System Scan and the scan will start.
• Let the program scan the machine

While the scan is in progress you will be prompted to clean files that are infected. Leave the defaults selections (to Remove and backup) and click OK. To save yourself some time, you can select Perform action with all infections and then click OK. With the option to scan every file, a lot of cookies will be removed.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report

• Click Save report
• Save the report to your desktop or anyplace you will be able to find it to upload here.

Reboot into normal mode and reconnect to the internet.

Come back here and post the Ewido Scan Report. And tell me if you are still having any problems. This log could get quite large and you may need to compress it into a ZIP file to upload it.

Post this Ewido log.

After posting the Ewido log continue on to my next message!

 

- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

 

You did not post the Ewido log. You posted my directions. Please post the correct Ewido log and also post a log from HijackThis that is run in normal boot mode instead of safe mode.

 

Look in Add/Remove programs and tell me if you see any of the below and if so, uninstall them:

SurfSideKick 3
E2G or E2Give
Media Access

 

Also as double check using Windows Explorer for the below files and folders and delete them if found (some of them may already be delete from the tools we ran). Let me know the results. If you have trouble deleting them in normal boot mode, try booting in safe mode to delete them. Make sure your browsers are all closed too!!!!!

C:\Documents and Settings\Owner\My Documents\download\Morph2022e.exe
C:\WINNT\system32\nsvsvc <--- the whole folder
C:\WINNT\system32\vidctrl <--- the whole folder
C:\WINNT\system32\AUNPS2.dll
C:\WINNT\system32\wintask.exe
C:\WINNT\system32\InstallAPS.exe
C:\WINNT\Temp\ei.exe
C:\WINNT\Temp\install.exe
C:\WINNT\Temp\Temporary Internet Files\Content.IE5\4PMPA745\install[2].exe
C:\WINNT\Temp\Temporary Internet Files\Content.IE5\81Q74TE7\download[1].htm
C:\WINNT\Temp\Temporary Internet Files\Content.IE5\WPUFSH2J\deliver46860[2].htm


Now continue with the below:
Download the following tool and save it where you will be able to find it.

L2MeFix Tool

Please print out these instructions now or save locally so that you can operate with All Browser Windows CLOSED.

Exit Browsers now before continuing

Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and Type 1 and ENTER to select Option #1 for Run Find Log . Allow it as much time as it needs to run until NotePad opens with a log. You will need to post this log back here later when you come back.

NOTE: Please do not run any other options or files in the l2mfix Folder!

Now reconnect and continue with the below.

1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

2 - Please EXTRACT all the files form RKFiles Tool to its own folder named C:\Program Files\RKTOOL. Then, Please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.

Now come back here and post all three logs as attachments. This will require two messages.

 

Where you able to find and delete that list of files I gave?

Okay we have some more to do.

DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.

Your computer will go crazy for a bit, but just let it run. It should eventually spit out a log in Notepad. Please also attach this log to your next message.

Please don't run any other files in the L2MFix folder.


Now continue with the below:

- Download Pocket KillBox

Extract Killbox to its own folder - somewhere that you will be able to locate it later. Do not run it yet.

Reboot in Safe Mode (do not open any other processes)

Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.

C:\WINNT\System32\DATADX.DLL
C:\WINNT\System32\CONRES.CPL
C:\WINNT\BROWSER.EXE
C:\WINNT\icont.exe
C:\WINNT\RMAgentOutput.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nppc.exe

When it reboots, please boot back to safe mode again.

Once in safe mode run KILLBOX again and Run those files through Killbox once more to be sure nothing survived. But this time place a tick by any of these selections if available

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"

Sometimes these files can be stubborn to remove so I just want to run thru this twice.

After reboot this time, boot to normal mode and let me know how things are working.

Also attach a new HJT log and new logs from Find-Qoologic.bat and rkfiles.bat. Don't forget the L2MeFix log from above too. This will take two messages to post 4 logs.

 

That is not a complete log from L2MeFix option 2. Are you sure you let it run all the way!

You may need to run it again and make sure after reboot that you let it run to completion.

 

click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.

On the page that opens, scroll down to CWShredder Service ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

CWShredder Service

Now exit HJT and do not reboot if it asks you to do so.

For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Now restart HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R3 - Default URLSearchHook is missing
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - Global Startup: nppc.exe
O23 - Service: CWShredder Service - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\C0KQAI36\cwshredder[1].exe (file missing)

After clicking Fix, exit HJT.

Now run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.

C:\WINNT\System32\JOOKE.DLL
C:\WINNT\System32\__DELE~1.DLL
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nppc.exe

If it does not reboot or you get a Pending file operations error, just reboot the system yourself.

After reboot do not run anything else until you do the below.

Run Windows Explorer and look for the below and delete if found (some are double checks):
C:\Program Files\E2G <--- the whole folder
C:\Program Files\Media Access <--- the whole folder
C:\WINNT\System32\JOOKE.DLL
C:\WINNT\System32\__DELE~1.DLL
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nppc.exe

Now get a new HJT log. Then come back here and post the new HJT log and tell me how these steps went and how things are working.

 

Looks clean now! Now to help keep it that way, check out the below:

How to Protect yourself from malware!

 

That's good. But what did MS AS find?