Help with Spyware Pop-ups PLEASE

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by KC_Duncan, Dec 20, 2004.

  1. KC_Duncan

    KC_Duncan Private E-2

    I have so many problems I don't know where to start.

    I did all that was asked to do before posting and still have problems.

    *I get AD-W-A-R-E.com pop-up
    *I get Search pop-ups
    *I get Inquire pop-ups
    *I lose my internet connection from time to time
    *My PC reboots itself for no reason
    *When it reboots I get an error every time, same message but the name of the file changes every time


    Logfile of HijackThis v1.99.0
    Scan saved at 7:19:52 PM, on 12/20/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
     
    Last edited by a moderator: Dec 21, 2004
  2. PhilliePhan

    PhilliePhan Guest

    Hi KC,

    You have a great deal of Malware issues including a really Nasty piece of work that requires a bit of time to remove (A number of separate steps). Let me know if you want to proceed with removal - It takes some commitment.

    Before we can start on the really bad one, we need to remove a lot of the other crap clogging your machine.

    Please look in Add or Remove Programs and Uninstall the following, if found:

    Virtual Bouncer
    WinTools
    Ebates_MoeMoneyMaker
    Web Rebates


    NOW, Please download the following tool: LSP - Fix

    Please run LSP-Fix. This should address your Internet Connectivity issue.

    Check the Box labeled "I know what I'm doing" and then click on the calsp.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move calsp.dll into the Remove section.

    Now do the same for aklsp.dll

    Now, click the Finish Button. When the Repair Summary box appears, click OK.


    NOW, please run through the Cleanup Tutorial HERE:
    READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan and Virus Removal

    This will address some of the other crap in your HJT log.

    Please let me know the steps that you are able to complete and the ones that give you problems. Note that you need to be in Safe Mode with System Restore OFF and have the Viewing of Hidden Files ENABLED as per the instructions in the link. Make sure to do the Online Scans.

    Post back and let us know how you fared. Also, send me a fresh HijackThis Log. Please be sure to follow the instructions below:

    Before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I’ve been pretty busy with work lately, but will try to take a look when I get a chance. Again, let me know if you want to pursue the removal of the VX2 variant (the 01 Hosts Redirect).

    Best
    PP :)
     
  3. KC_Duncan

    KC_Duncan Private E-2

    I have done all that was asked and here is the new hijack report.

    When I ran ad-aware these could be taken care of:
    windows/system32/kt8nl7l11.dll
    windows/system32/guard.tmp

    When I ran spybot this couldn't be deleted:
    Coolwwwsearch.xmlmimefilter


    EDIT PP - Please attach future logs as per my previous instructions. I will try to post some more removal steps tonight.
     

    Attached Files:

    Last edited by a moderator: Dec 21, 2004
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Was that log from safe mode or normal mode? Your virus applications and other items do not appear to be running. Did you shut them down?

    You have two popup stoppers running. This is probably not very useful. One should be sufficient.
    O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\Enigma Software Group\Enigma Popup Stop\EnigmaPopupStop.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

    I would uninstall one of them.

    Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
    SED.exe
    crol\ivuw.exe
    VirtualBouncer.exe
    penwsx.exe
    WToolsA.exe
    wtta.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
    O4 - HKLM\..\Run: [ivuw] C:\WINDOWS\system32\crol\ivuw.exe
    O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
    O4 - HKCU\..\Run: [JBqqRkc4R] penwsx.exe
    O4 - HKCU\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\wtta.exe


    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\SED <--- the whole directory
    C:\WINDOWS\system32\crol\ivuw.exe
    C:\Program Files\VBouncer <--- the whole directory
    C:\WINDOWS\system32\crol\ivuw.exe
    C:\WINDOWS\system32\penwsx.exe
    C:\Program Files\Common Files\WinTools <--- the whole directory
    C:\WINDOWS\system32\crol\ivuw.exe
    C:\Documents and Settings\Owner\Application Data\wtta.exe

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    After getting the above fixed you will be ready to start working on the below problem:
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
     
  5. KC_Duncan

    KC_Duncan Private E-2

    First off I really appreciate all the help.

    OK, here we go.

    I did run hijackthis in safe mode, sorry bout that.

    I uninstalled one of the pop-up blockers.

    In the Task Manager these processes did not exist:
    SED.exe
    VirtualBouncer.exe
    penwsx.exe
    WToolsA.exe


    In safe mode I deleted the files you said, but these did not exist:
    C:\Program Files\SED <--- the whole directory
    C:\Program Files\VBouncer <--- the whole directory
    C:\WINDOWS\system32\penwsx.exe
    C:\Program Files\Common Files\WinTools <--- the whole directory
    C:\Documents and Settings\Owner\Application Data\wtta.exe

    You also listed this one twice: C:\WINDOWS\system32\crol\ivuw.exe. It was there and I got rid of it.

    I was typing all this info and, during that, the PC rebooted itself (sigh).
    But the second time it obviously didn't, lol.

    Here is the new HJT scan:

    Edit by chaslang: Inline log deleted
     
    Last edited by a moderator: Dec 22, 2004
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow directions and only post HJT logs as attachments!
     
  7. KC_Duncan

    KC_Duncan Private E-2

    Sorry, here you go.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hmmm! That trojan (iruw.exe) came back. Are you sure you found it and it actually deleted?
    O4 - HKLM\..\Run: [ivuw] C:\WINDOWS\system32\crol\ivuw.exe

    If you uninstalled one of the popup blockers, why do they both still show in your log?
    You should uninstall this one:
    O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\Enigma Software Group\Enigma Popup Stop\EnigmaPopupStop.exe




    You have too many Active X items listed here and a bunch are not good. Let's just dump all the ones below. Any that you really need will get redownloaded when you access the site again (assuming you do).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
    O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
    O16 - DPF: {241E286B-57CD-47F2-B33F-B473B6E7969E} (CFM2005TurboDMC.UserControl1) - http://www.racelm.com/rlm/cfmturbo/cfm2005turboDMC.CAB
    O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/p...s/GSManager.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/c...DC_1_0_0_44.cab
    O16 - DPF: {4FCFF034-6F56-4D65-8C31-70D98C475428} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/ddm_control.CAB
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2282183f40f2ed...ip/RdxIE601.cab
    O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
    O16 - DPF: {73989DDC-D9DE-47F7-B262-6FE39DC70BC2} (CFM2004Turbo.UserControl1) - http://www.racelm.com/rlm/cfmturbo/cfm2004turbo.CAB
    O16 - DPF: {797FA1DD-30E7-4093-A892-E8C2A556A583} (CFM2005TurboDMCrs.UserControl1) - http://www.racelm.com/rlm/cfmturbo/...5turboDMCrs.CAB
    O16 - DPF: {854816C0-3F15-4B8A-8EB0-7CC9E46CD5F3} (CFM2004Turbo.UserControl1) - http://www.racelm.com/rlm/cfmturbo/...4turbonorun.CAB
    O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
    O16 - DPF: {A49DFBB5-A3BB-45FE-BA2F-34890123C47F} (CFM2005TurboDMC.UserControl1) - http://www.racelm.com/rlm/cfmturbo/cfm2005turboDMC.CAB
    O16 - DPF: {D94AAA2A-C415-42E3-82B6-49FAB4EBFFE9} (SearchHook Class) - http://www.halflemon.com/Halflemon.cab
    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://download.rfwnad.com/cab/crack.CAB
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do the steps to fix the iruw.exe problem again (kill the process, fix in HJT, boot in safe mode, delete the file) but this time delete the whole C:\WINDOWS\system32\crol directory rather than the file.
    O4 - HKLM\..\Run: [ivuw] C:\WINDOWS\system32\crol\ivuw.exe
     
  10. PhilliePhan

    PhilliePhan Guest

  11. KC_Duncan

    KC_Duncan Private E-2

    Chas,

    I have a question, might sound pretty dumb but here goes. When booting in safe mode, should I sign in as owner or admin? I've been going thru both just to make sure.

    I attached the HJT log, O4 - HKLM\..\Run: [ivuw] C:\WINDOWS\system32\crol\ivuw.exe does not appear this time. I deleted the directory this time.

    I have selected and fixed all the stuff you told me to in HJT.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay KC! That looks better. Each user account will have to be fixed separately if they have problems.

    It is now time to fix the other problems with the O1 - Hosts lines. Get the stuff Phillie has indicated and say when you are ready to begin.

    To get a feeling for what procedure will be required to fix this problem, see this thread: http://forums.majorgeeks.com/showthread.php?t=49886
     
    Last edited: Dec 22, 2004
  13. KC_Duncan

    KC_Duncan Private E-2

    OK Phillie I am ready (I think, gulp).
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Since PP is not around, I'll get you started.

    Then, unzip the Generic Detection Tool to a safe folder of your choice and run "findit.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    The tool should generate a long text file. Please attach that to your next post.

    Do not reboot after that because that can cause the files to mutate.
     
  15. KC_Duncan

    KC_Duncan Private E-2

    OK, here you go.
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! To continue, we must delete a bunch of files using PocketKillbox. We are going to do this like Phillie did in the thread I gave you as a reference, however, since you have about 22 files to delete, I'm not going to give individual instructions for each one. I'll take a slightly different approach.

    Here is a list of files we must delete using PocketKillbox:
    C:\WINDOWS\System32\swxcoins.dll
    C:\WINDOWS\System32\lv0m09d1e.dll
    C:\WINDOWS\System32\fp0s03d7e.dll
    C:\WINDOWS\System32\k2800clmefqa0.dll
    C:\WINDOWS\System32\imakui.dll
    C:\WINDOWS\System32\k8js0i17e8.dll
    C:\WINDOWS\System32\h82o0if3e82.dll
    C:\WINDOWS\System32\lvno0953e.dll
    C:\WINDOWS\System32\gp48l3hu1.dll
    C:\WINDOWS\System32\g2jolc131f.dll
    C:\WINDOWS\System32\l64q0gh5e64.dll
    C:\WINDOWS\System32\l60u0gd9e60.dll
    C:\WINDOWS\System32\fp4o03h3e.dll
    C:\WINDOWS\System32\t48ulel91hq.dll
    C:\WINDOWS\System32\n26qlcj51fo.dll
    C:\WINDOWS\System32\lq32.dll
    C:\WINDOWS\System32\mvr6l99s1.dll
    C:\WINDOWS\System32\o866lijs18o6.dll
    C:\WINDOWS\System32\m8rmli9118.dll
    C:\WINDOWS\System32\lv2209foe.dll
    C:\WINDOWS\System32\mv00l9dm1.dll

    Here is the procedure to use to delete them. Run Pocket Killbox. Select the option to Replace on Reboot.

    Now you are going to repeat the below steps for every file except C:\WINDOWS\System32\mv00l9dm1.dll (we will add it separately at the end). Replace the word fullpathfile with the actual full file name path from above (one file at a time). For example, the first time you paste in C:\WINDOWS\System32\swxcoins.dll


    1) Now, Copy and Paste fullpathfile into the box
    2) Check the option to Use Dummy.
    3) Now, Click the Red X and Yes to the confirmation message.
    4) A message will ask if you want to reboot now – Click NO.
    5) Repeat for all files except the last one

    For the last file, we will be rebooting when prompted. Here is the final step of the file deletions:

    Now, Copy and Paste C:\WINDOWS\System32\mv00l9dm1.dll into the box. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your machine to reboot Normally.

    After your machine reboots, run DLL Compare – Click Run Locate.com then click the Compare button. Follow the prompts and allow time for it to complete and make a log. Please attach that Log.
     
    Last edited: Dec 22, 2004
  17. KC_Duncan

    KC_Duncan Private E-2

    OK got em.

    Next.
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, use Windows Explorer to navigate to C:\Windows\SYSTEM32 and look for a file named guard.tmp. If it exists, feed it to KillBox and Delete using Standard File Kill.

    Let me know if you find it or not. Also post a current HJT log.
     
  19. KC_Duncan

    KC_Duncan Private E-2

    I found it and deleted it.

    By the way, the UMonitor problems have gone away.

    Attached is a new HJT log.
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! So you found that guard.tmp file even though it was not in the original log. Right?
    And you have double checked to make sure it is actually gone now. Right?


    Run Pocket KillBox and Copy and Paste the Following into the box: C:\RECYCLER\Desktop.ini - Click Red X to delete it using Standard File Kill.

    NOW:

    Open VX2Finder and Click the Restore Policy Button.

    Then, use the UserAgent$ Button to remove the UserAgent from the registry.

    NEXT: Run findit.bat (Generic Detection Tool) and attach that Log and a fresh HJT Log
     
  21. KC_Duncan

    KC_Duncan Private E-2

    Yes I found the guard.tmp file and deleted it, and double checked it, it is gone.

    In the VX2Finder, I clicked on the restore policy button, it prompted a restart, so I let it. But the UserAgent$ button was not an enabled button.
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot to:

    Run findit.bat (Generic Detection Tool) and attach that Log
     
  23. KC_Duncan

    KC_Duncan Private E-2

    Sorry about that. Here it is.
     

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still have not located HijackThis in a safe place for backups. You still have it running from
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe
    It would be better if you ran it from: c:\Program Files\HJT\HijackThis.exe

    Using START > RUN > regedit, please open the registry editor and navigate to the following:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Unimodem

    Backup this key by clicking File, Export and then enter a File name and save it somewhere you can find it (if needed). Do the Export before doing the following:
    Right-click on the above registry key (the Unimodem one - make sure the bottom of the regedit window shows the full reg key as shown above in bold) and select DELETE.


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch

    If there are any more lines like that with 69.20.16.183, fix them too.
    Now after clicking Fix exit HJT and reboot in normal mode.

    Now after reboot get another HJT log and attach it to your next message.
     
    Last edited: Dec 23, 2004
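    The O1 lines in this post and in post 4 are a hosts-file hijack: search hostnames are mapped to 69.20.16.183 so lookups land on an attacker-chosen server instead of the real site. As an added example (not code from this thread, from HijackThis or from the tools used here), this Python triages such "O1 - Hosts:" lines and scrubs the matching hosts-file entries; the sample log and hosts file are constructed from this thread's entries, and the "publicly routable address means redirect" rule is this example's own heuristic.

```python
"""Triage HijackThis "O1 - Hosts:" lines and scrub the matching hosts-file entries."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log: the O1 lines from this thread plus two benign sinkhole entries.
SAMPLE_HJT_LOG = """\
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://hsremove.com/done.htm
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 127.0.0.1 ad.doubleclick.net
O1 - Hosts: 0.0.0.0 ads.example.invalid
"""
# Constructed hosts file in the Windows drivers\etc\hosts layout, matching the log above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
69.20.16.183 ieautosearch
69.20.16.183 auto.search.msn.com
127.0.0.1 ad.doubleclick.net   # ad sinkhole, benign
"""
O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")

def parse_o1_lines(log_text):
    """Return (ip, hostname) pairs for each O1 line, in log order, duplicates kept."""
    matches = (O1_RE.match(ln.strip()) for ln in log_text.splitlines())
    return [m.groups() for m in matches if m]

def is_redirect_target(ip_text):
    """Heuristic assumed by this example: a name mapped to a publicly routable
    address is a redirect; loopback, 0.0.0.0 and LAN addresses are the benign uses
    (localhost, ad sinkholing, local overrides). Unparseable addresses are flagged."""
    try:
        return bool(ipaddress.ip_address(ip_text).is_global)
    except ValueError:
        return True

def find_redirects(entries):
    """Group flagged entries by target: {ip: sorted unique hostnames}."""
    by_ip = defaultdict(set)
    for ip_text, host in entries:
        if is_redirect_target(ip_text):
            by_ip[ip_text].add(host.lower())
    return {ip: sorted(hosts) for ip, hosts in by_ip.items()}

def scrub_hosts(hosts_text):
    """Drop hosts-file lines whose address is a redirect target; keep comments and
    blanks. Returns (cleaned_text, removed_lines). This is what fixing O1 lines does."""
    kept, removed = [], []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()      # strip trailing comment, tokenize
        (removed if fields and is_redirect_target(fields[0]) else kept).append(line)
    return "\n".join(kept) + "\n", removed

if __name__ == "__main__":
    for ip, hosts in find_redirects(parse_o1_lines(SAMPLE_HJT_LOG)).items():
        print(f"{ip} redirects: {', '.join(hosts)}")
```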
  25. KC_Duncan

    KC_Duncan Private E-2

    Chas,

    HijackThis is now in program files\hjt.

    Attached is the new HJT log.
     

    Attached Files:

  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay KC! Your log looks good! How is everything working now?
     
  27. KC_Duncan

    KC_Duncan Private E-2

    Everything is working great. No pop ups, no changing homepage, no disruption in the internet, no more reboots on its own.

    Excellent job Chas. I really appreciate all the time and effort you put into helping my computer.
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome KC. I'm happy we got this all fixed up! Happy Holidays!
     
