Help! @#$% popups!!

Discussion in 'Malware Help (A Specialist Will Reply)' started by kjmarks2, Aug 3, 2006.

  1. kjmarks2

    kjmarks2 Private E-2

    My desktop somehow got a serious case of the popups. I think the main culprit is Command Service b/c I can't seem to bump it off.

    I followed the instructions in the "READ & RUN ME FIRST Before Asking for Support" thread to the best of my ability and have attached the six requested logs in a .zip file (reports.zip). I had to use CounterSpy b/c for some reason I can't get Windows Defender Beta to update (after attempting many suggested solutions).

    Spybot keeps finding Command Service and I will try some of the solutions mentioned elsewhere, but I have found that trying solutions that worked for others rarely work for me. So, I figured I'd get this onto you guys in case they don't work this time either.

    Thanks for any assistance
    kjmarks
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    It looks like CounterSpy fixed a bunch of things that I see in your current newfiles.txt log (from ShowNew.bat). Please attach a new log from ShowNew so we can work on any remaining problems.
     
  3. kjmarks2

    kjmarks2 Private E-2

    Glad to hear that CounterSpy fixed a lot. I haven't noticed the popups yet, but I think that's b/c I'm paranoid and have my network unplugged until I'm sure I'm clean.

    Here is that ShowNew report you requested.

    Thanks for your help!!
    kjmarks
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay you have a load of Look2 Me infections!

    Run this Look2Me VX2 Removal and attach the requested log.

    Also download the newest version of ShowNew (changed last night). And get a new log from it to attach.
     
  5. kjmarks2

    kjmarks2 Private E-2

    Look2Me_VX2 Removal procedure followed. Report is attached.

    Also, the new ShowNew log is attached.

    Additional question: Do you know anything about a false positive with SpyBot and Command Service? I get a message with TrendMicro HouseCall as well.

    Thanks again for your service!!!
    kjmarks
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is not a false positive. The malware has changed who owns the registry keys and thus Spybot cannot fix it for you. We will get to this later.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Now download - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later.

    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\bez6n4r21.exe
    C:\WINDOWS\system32\n9nyb.exe
    C:\WINDOWS\SYSTEM32\bez6n4r21.exe
    C:\WINDOWS\SYSTEM32\mwinqpez.exe
    C:\WINDOWS\SYSTEM32\TNPI32.DLL
    C:\WINDOWS\SYSTEM32\xez6fd5b.dll
    C:\WINDOWS\Sy5KLiBhbmQgRXJpbiBNYXJrcw\mVc4M211vAk0lrLDv21hsrLOwT.vbs
    C:\WINDOWS\SYSTEM32\guard.rar
    C:\WINDOWS\SYSTEM32\guard.tmp
    C:\WINDOWS\SYSTEM32\mwinqpez.exe
    C:\WINDOWS\SYSTEM32\opdsregp.exe
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folder and delete it if found:
    C:\Program Files\outlook

    Now attach a new HJT log and tell me how the steps went.

    Also download the current version of ShowNew (from the same link) and attach a new ShowNew log.

    Attach a log from Spybot that shows the detections of CmdService!

    Make sure you tell me how things are working now!
     
  7. kjmarks2

    kjmarks2 Private E-2

    Instructions followed. Attached are HJT log, ShowNew log and SpyBot log.

    Killbox did not give me the PendingFileRenameOperations prompt and I did delete the C:\Program Files\outlook file.

    Things seem to be working fine. I'm going to leave my computer on all night and the network connection in. Previously, this was a sure-fire way of having many, many pop-ups by morning. We'll see...

    Thanks again!
    kjmarks
     


  8. kjmarks2

    kjmarks2 Private E-2

    8+ hours later and no pop-ups. I'll take that as a positive sign! Thanks!
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean other than cmdService. Let's fix it.

    Please download and install Registrar Lite

    Run Registrar Lite, navigate to the following keys and take ownership of them (explained further down):

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService


    To take ownership of the key do the following:
    • Copy & Paste one registry key from above into the address bar of Registrar Lite and hit the enter key. This will bring you to the registry key.
    • Click-on Security in the Menu
    • Select Take Ownership
    • After taking ownership, right click on the registry key and select delete. MAKE sure you are right clicking on only the above keys (the three cmdService entries).
    • Now exit Registrar Lite.
    • Tell me the results. Any errors?
    Now see if Spybot runs clean!
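    A read-only check for the condition chaslang describes (the malware changed the owner of the cmdService keys, so Spybot could not remove them), written as an added example that is not part of the thread and is not Registrar Lite's code: it looks at the cmdService key under each of the three control sets named above, reports the owner and whether BUILTIN\Administrators still hold Full Control, and distinguishes a key that does not exist from one whose ACL cannot even be read. It assumes an elevated PowerShell session; the exception type used to detect a missing key is an assumption.

```powershell
# Added example (not from the thread). Read-only: it changes nothing in the registry.
# 'cmdService' and the three control sets are the ones named in chaslang's reply.
$serviceName = 'cmdService'
$controlSets = 'ControlSet001', 'ControlSet002', 'CurrentControlSet'

function Get-ServiceKeyOwnership {
    param([string]$Name, [string[]]$Sets)
    foreach ($set in $Sets) {
        $path = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\$set\Services\$Name"
        try {
            # Get-Acl needs READ_CONTROL on the key; a key whose DACL/owner the
            # malware rewrote typically refuses even that and lands in the catch below.
            $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
            $adminFull = $acl.Access | Where-Object {
                $_.IdentityReference -eq 'BUILTIN\Administrators' -and
                $_.AccessControlType -eq 'Allow' -and
                $_.RegistryRights -eq 'FullControl'
            }
            [pscustomobject]@{
                Key               = $path
                Status            = if ($adminFull) { 'ok' } else { 'owner/ACL changed' }
                Owner             = $acl.Owner
                AdminsFullControl = [bool]$adminFull
            }
        } catch [System.Management.Automation.ItemNotFoundException] {
            # Assumption: Get-Acl raises ItemNotFoundException for a missing key,
            # the case kjmarks2 hit with the CurrentControlSet entry.
            [pscustomobject]@{ Key = $path; Status = 'not found'; Owner = $null; AdminsFullControl = $null }
        } catch {
            # Access denied reading the security descriptor: this is what Take Ownership repairs.
            [pscustomobject]@{ Key = $path; Status = "cannot read ACL: $($_.Exception.Message)"; Owner = $null; AdminsFullControl = $false }
        }
    }
}

Get-ServiceKeyOwnership -Name $serviceName -Sets $controlSets | Format-Table -AutoSize
```

Any row reporting 'owner/ACL changed' or 'cannot read ACL' is a key that a normal scanner cannot delete and that still needs the Take Ownership step.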
     
  10. kjmarks2

    kjmarks2 Private E-2

    Hooray!!

    Well, I was a bit nervous that we had another issue b/c the one registry key couldn't be found (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService).

    However, I cleared the other two, ran SpyBot and Voila! No issues found.

    Thanks oodles for your help!!
    kjmarks
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
