help! pop-ups are not going away.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Deeman, Nov 24, 2004.

  1. Deeman

    Deeman Private E-2

    Hi,

    I have followed all the "How to: Spyware, Trojan And Virus Removal" instructions to a tee, even running all the optional scans but I continue to have these extremely annoying pop-ups. They seem to be from advnt05, and about: blank.

    Would anyone be willing to look at my hijackthis log?

    Any help would be much appreciated.

    Thanks,

    Deeman
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Deeman,

    Welcome to MG's. Next time do not post a log unless we request one. Before continuing you must install HJT into its own directory as indicated in the HJT tutorial. You are running it from the ZIP file:
    C:\Documents and Settings\Catherine Mitchell\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Be sure you have put HJT in a proper directory before continuing or you will not get backups.

    Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below processes and End them:
    C:\Documents and Settings\Catherine Mitchell\Application Data\eeto.exe
    C:\WINDOWS\System32\w?nspool.exe


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {1EA03101-B137-7DC0-D100-65550EF42910} - C:\WINDOWS\System32\ppillsxl.dll
    O4 - HKLM\..\Run: [fLYOh] C:\documents and settings\catherine mitchell\local settings\temp\fLYOh.exe
    O4 - HKLM\..\Run: [ga] C:\documents and settings\catherine mitchell\local settings\temp\ga.exe
    O4 - HKLM\..\Run: [f4bcd2cf7bba] C:\WINDOWS\System32\capicom4.exe
    O4 - HKCU\..\Run: [Urat] C:\Documents and Settings\Catherine Mitchell\Application Data\eeto.exe
    O4 - HKCU\..\Run: [Xvefgqw] C:\WINDOWS\System32\w?nspool.exe

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\ppillsxl.dll
    C:\documents and settings\catherine mitchell\local settings\temp\fLYOh.exe
    C:\documents and settings\catherine mitchell\local settings\temp\ga.exe
    C:\WINDOWS\System32\capicom4.exe
    C:\Documents and Settings\Catherine Mitchell\Application Data\eeto.exe

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
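
Added example, not part of chaslang's post or any MajorGeeks tool: a small Python triage pass over HijackThis O2/O4 lines like the ones listed in the post above, flagging autorun entries by where they load from. The location heuristics, the reading of '?' as a character the log could not render, and the ExampleApp line are assumptions made for illustration.

```python
import re

# Constructed sample: four lines quoted from the thread above, plus one
# invented benign entry (ExampleApp) for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {1EA03101-B137-7DC0-D100-65550EF42910} - C:\WINDOWS\System32\ppillsxl.dll
O4 - HKLM\..\Run: [ga] C:\documents and settings\catherine mitchell\local settings\temp\ga.exe
O4 - HKCU\..\Run: [Urat] C:\Documents and Settings\Catherine Mitchell\Application Data\eeto.exe
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\ExampleApp\app.exe
O4 - HKCU\..\Run: [Xvefgqw] C:\WINDOWS\System32\w?nspool.exe
"""

# Line shapes as they appear in the thread: O4 = Run-key autostart, O2 = BHO.
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")
O2_RE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")

def path_reasons(path):
    """Return location-based reasons to review a path (assumed heuristics)."""
    p = path.lower()
    reasons = []
    if "\\temp\\" in p:
        reasons.append("runs from a Temp directory")
    if re.search(r"\\application data\\[^\\]+\.exe$", p):
        reasons.append("executable directly under Application Data")
    if "?" in path:
        # Assumption: '?' stands for a character the log could not render.
        reasons.append("'?' in file name")
    return reasons

def triage(log_text):
    """Return (label, path, reasons) for each O2/O4 line worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            label, path, reasons = m.group(3), m.group(4), path_reasons(m.group(4))
        elif m := O2_RE.match(line):
            label, path, reasons = m.group(2), m.group(3), path_reasons(m.group(3))
            if m.group(1) == "(no name)":
                reasons.append("BHO without a name")
        else:
            continue
        if reasons:
            findings.append((label, path, reasons))
    return findings

if __name__ == "__main__":
    for label, path, reasons in triage(SAMPLE_LOG):
        print(f"{label}: {path} -> {', '.join(reasons)}")
```

An entry like the thread's capicom4.exe line, which sits in System32 under an ordinary-looking name, passes these path checks, so the output is a shortlist for review and not a verdict.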
     
  4. Deeman

    Deeman Private E-2

    Chaslang,

    thank you so much for the quick reply! You're right, I had completely forgotten about saving HijackThis in the right directory. Sorry about that (and for posting the log without prior request).

    I just followed your instructions and fixed the lines you mentioned below on HijackThis. The strange thing was (or maybe not so strange) that when I rebooted in safe mode, those files were all already gone except for one I found called capicom.dll (the original one was capicom4.dll). Should I have erased this too?

    Anyway, the end result: I booted back in normal mode and scanned with Hijackthis again (attached the log) but the most important thing is, I am 10 minutes into browsing the internet and there's still no pop-ups!!!

    That was exactly the help I needed because I originally wasn't sure if I should have fixed those lines when I first saw them as I was afraid to erase necessary applications.

    I can't tell you how much I appreciate your help!!!

    Cheers!!!

    Deeman
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Your log is clean now. You can also remove that capicom.dll file. Are you sure you had viewing of hidden files enabled?
     
  6. Deeman

    Deeman Private E-2

    Cool. Thanks. I will remove it. Yep, I am absolutely sure the viewing of hidden files was enabled.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    OK! Let us know if you have any more problems.
     
