I need your help please

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by seanb, Nov 22, 2004.

  1. seanb

    seanb Private E-2

    I posted the other day but I did not get any replies? Not sure if I did something wrong in the post or I just got unlucky. I am having major problems with spyware and pop up ads.

    I have run Norton Antivirus and it finds 2 or 3 files each time. They are hidden files, and I go into the directory and try to erase them. They are system32 files. It will not allow me to erase them though. Comes up with an error message and says I cannot delete it?

    I also keep getting the desktop hijack where it changes the desktop to "you are in danger" and then, if you click it, it redirects you to their website. I am also getting the same constant pop-up ads which start with my browser id as the name of the pop-up window.

    I have followed the instructions here for running the Ad-Aware program, Spybot, CWShredder and the rest mentioned in the FAQ. It helped get rid of many of my problems, however I am still having problems. If anyone can help, please offer a hand.

    I appreciate any and all help that can be offered. I do have my HijackThis log, but will wait to post it until someone asks for it.
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Sean,

    Please send us an Up-to-date HJT log. Scan and attach your log as per the instructions here:

    Note that your HijackThis should be up-to-date (v1.98.2) and MUST be extracted to its own safe folder - C:\Program Files\HijackThis!

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I will try to take a look when I can. I am a bit overextended these days and I have little free time for this forum. Hang in there & be patient :)

    PP
     
  3. seanb

    seanb Private E-2

    Thanks for replying PP

    Attached you will see my HJT log. Let me know if you need anything else from me. Thanks again for any help you can provide.
     

    Attached Files:

  4. PhilliePhan

    PhilliePhan Guest

    Hi Sean,

    You have a mess of stuff to deal with. However, before we do that, please download this tool: http://www.cexx.org/lspfix.zip

    Now, run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the calsp.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move calsp.dll into the Remove section.

    Please do the same for aklsp.dll

    Then, click the Finish Button. When the Repair Summary box appears, click OK.

    Now, Reboot and then scan with HijackThis and attach that log and we’ll attack the other problems. I'll check back when I get a chance.


    Best :)
    PP
     
  5. seanb

    seanb Private E-2

    First impression after doing that, WOW! I was waiting at the Windows screen for 2 to 3 minutes many times recently. Now the computer booted up in like 15 seconds like old times!

    Internet seems a lot slower though? Not sure if that is just coincidence or something is wrong? It was fine before I erased those files, now seems slower?

    Also, I keep getting this pop-up. http://adserver.sharewareonline.com/AdServer/MemTurbo/Adm/ad080504.htm
    Not sure if it is a no-no to post such a thing. But I thought it might help in solving the problem.

    Here is the HJT log you asked for after running the lsp fix. Thanks again for all your help, you are a huge asset to this online forum.
     

    Attached Files:

  6. PhilliePhan

    PhilliePhan Guest

    Hi Sean,

    I'm generally happy to help - If I've got the free time ;) You're off to a good start!

    BEFORE doing the following, you MUST extract HijackThis from the ZIP File to its own safe folder - C:\Program Files\HijackThis -->This is very important!

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running process and END it (if found):

    taskmgn.exe

    Next, scan with HijackThis and Check the Boxes for the following:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    O4 - HKLM\..\Run: [Windows Task Manager] C:\windows\system32\taskmgn.exe

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15007/CTSUEng.cab

    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab

    O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/mmed.cab

    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15008/CTPID.cab


    Again, make sure All Browser Windows are Closed when you Click FIX.

    Now boot into Safe Mode and DELETE the following if it remains:

    C:\windows\system32\taskmgn.exe

    Reboot to Normal Windows and Scan with HijackThis and attach that log. Let me know of any problems you may have encountered with the above instructions and how your computer is running now. I will try to check back tonight.

    Best luck :)
    PP
     
  7. seanb

    seanb Private E-2

    OK, I followed your instructions and did everything. The computer seems to be running fine. It is much quicker now in booting up than it was before. The internet slow down is not happening so maybe it was coincidence?

    Here is the log. However after doing all this, when I opened my browser, I got that spyware I told you about earlier.
    http://adserver.sharewareonline.com...dm/ad080504.htm
    It opens in a separate window and I erase it, but it still bothers me that it pops up immediately when I go to Explorer.
     

    Attached Files:

  8. PhilliePhan

    PhilliePhan Guest

    Hi Sean,

    Use HijackThis to fix this line:
    O4 - HKLM\..\Run: [Windows Task Manager] C:\windows\system32\taskmgn.exe

    Then, delete this in safe mode: C:\windows\system32\taskmgn.exe - - - > Note that taskmgr.exe is the legitimate process.

    Then reboot normal and tell me if you are still having problems. If you still are, you might look at this: O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm

    PP :)
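The taskmgn.exe / taskmgr.exe distinction PP points out above is the kind of thing a triage script can flag mechanically. The following is an added example, not code from anyone in this thread: it parses HijackThis-style O4 (Run key) lines, pulls out the executable name, and reports whether it matches a well-known Windows binary exactly, is within one edit of one (a lookalike), or is simply unknown. The sample lines, the short KNOWN_BINARIES list and the helper names are all constructed for this example.

```python
import re

# Constructed sample of HijackThis O4 lines. The taskmgn.exe line is the one quoted in
# this thread; the other two are made up for contrast.
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [Windows Task Manager] C:\windows\system32\taskmgn.exe",
    r"O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
]

# Assumption: a hand-picked list of well-known Windows binary names. A real triage
# list would be much longer; this one is just enough to show the comparison.
KNOWN_BINARIES = {
    "taskmgr.exe", "explorer.exe", "svchost.exe", "lsass.exe",
    "csrss.exe", "winlogon.exe", "ctfmon.exe", "rundll32.exe",
}

# Registry-style O4 entries look like: O4 - HKxx\..\Run: [Name] command line
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# First executable-looking file name in the command line (ignores directory components).
EXE_RE = re.compile(r'([^\\/"]+\.(?:exe|com|scr|pif|bat|cmd))', re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance: number of single-character edits that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_exe(cmd: str):
    """Return the first executable file name in a Run-key command line, or None."""
    m = EXE_RE.search(cmd)
    return m.group(1) if m else None


def triage_o4(lines, known=KNOWN_BINARIES, max_distance=1):
    """Classify each O4 entry by how its file name relates to well-known binaries."""
    findings = []
    for line in lines:
        m = O4_RE.match(line)
        if not m:
            continue  # "O4 - Startup:" style entries are not handled by this example
        exe = extract_exe(m.group("cmd"))
        if exe is None:
            continue
        exe_l = exe.lower()
        if exe_l in known:
            closest, verdict = exe_l, "known-name"
        else:
            closest, dist = min(((k, levenshtein(exe_l, k)) for k in known), key=lambda t: t[1])
            verdict = "lookalike" if dist <= max_distance else "unknown"
        findings.append({"name": m.group("name"), "exe": exe, "closest": closest, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in triage_o4(SAMPLE_O4_LINES):
        print(f"{f['verdict']:<11} {f['exe']:<18} nearest known name: {f['closest']}")
```

A "known-name" verdict only says the file name is right; the same script should also compare the directory, since a real name in an unexpected folder deserves the same scrutiny as a misspelled one in system32.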
     
  9. seanb

    seanb Private E-2

    I followed the instructions and I am still getting those same pop up ads? It is weird, because they are the same ones over and over again.

    The two that I get are:
    http://isg01.casalemedia.com/V2/40250/41950/
    &
    http://adserver.sharewareonline.com...dm/ad080504.htm

    Other than that it seems to be doing much better. I have attached another HJT log. I ran it while I was still in safe mode. Don't know if that is ok. If not I will reboot and send you another. Also, I went into the directory looking to erase taskmgn.exe, but it wasn't there?
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must post your HJT log from normal boot mode. Did you have viewing of hidden files enabled?
     
  11. seanb

    seanb Private E-2

    Yes, hidden files are set to where I can see them per the tutorial here. I have attached another HJT log.

    I notice Virtual Bouncer on there now, did not notice that before?
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First check Add/Remove programs for an uninstall of VBouncer or Vbundle. If found, uninstall it.

    Now follow the below steps.

    Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O1 - Hosts: 69.20.16.183 ieautosearch
    O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE

    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\VBouncer <--- the whole directory

    Then reset web settings as follows:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you are still getting popups, make sure you run CCleaner again.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  13. seanb

    seanb Private E-2

    Followed that and it got rid of those two things. I will attach the new HJT log.

    However I still get this pop up each time I open my browser.
    http://adserver.sharewareonline.com/AdServer/MemTurbo/Adm/ad080504.htm

    Also, when I went through the system32 folder to see if there was anything abnormal, I keep finding icons for both Expedia, eBay and something else, I can't remember. Anyhow they stick out because back when the computer was really bad, all of the sudden I would get those three icons on my desktop as shortcuts. But I didn't put them there. I have erased them from system32 several times now but they keep popping back up?
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please do what I asked in my previous message. It does not look to me like you did what I asked. I repeat:

    Then reset web settings as follows:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you are still getting popups, make sure you run CCleaner again.
     
  15. seanb

    seanb Private E-2

    My apologies, you are correct, I forgot a whole step there. So used to doing it the other way and in a time rush, sorry.

    I did as you asked and now I get a pop up called red zip?

    Attached is the hjt log.
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your HJT log is clean. Exactly when does this popup occur? And what does it say exactly? Is there a URL?

    Have you looked at your hosts file to see if there are any strange lines in it?
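Checking the hosts file, as chaslang suggests here, and reading the "O1 - Hosts:" entry HijackThis reported earlier in this thread (69.20.16.183 ieautosearch) are the same inspection. The following is an added example, not code from anyone in this thread: it parses hosts-file text, labels each mapping as the stock default, a sinkhole (a name pointed at loopback or 0.0.0.0, which silently blocks it), a private-network override, or a redirect to a public address, and includes a small helper that converts an O1 line into a hosts line so both forms go through the same check. The sample hosts content and all function names are constructed for this example.

```python
import ipaddress

# Constructed sample hosts file. The "ieautosearch" line reproduces the O1 entry that
# HijackThis reported earlier in this thread; the other lines are made up.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
69.20.16.183    ieautosearch
127.0.0.1       updates.example-av.test   # a security site silently blocked
0.0.0.0         ads.example.test          # a sinkholed ad host
"""


def from_hjt_o1(line: str) -> str:
    """Turn a HijackThis 'O1 - Hosts: <ip> <name>' line into a plain hosts-file line."""
    prefix = "O1 - Hosts:"
    if not line.startswith(prefix):
        raise ValueError("not an O1 entry: %r" % line)
    return line[len(prefix):].strip()


def parse_hosts(text: str):
    """Yield (line number, ip, [names]) for every non-comment, non-blank hosts line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        yield lineno, parts[0], parts[1:]


def classify_hosts(text: str):
    """Label each hosts entry so that anything beyond the stock default stands out."""
    findings = []
    for lineno, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append({"line": lineno, "ip": ip, "names": names, "verdict": "malformed"})
            continue
        if addr.is_loopback and names == ["localhost"]:
            verdict = "default"        # the one line a stock Windows hosts file carries
        elif addr.is_loopback or addr.is_unspecified:
            verdict = "sinkhole"       # the name is blocked; check whether it is one you need
        elif addr.is_private:
            verdict = "local-override"  # points at a LAN address, often legitimate
        else:
            verdict = "redirect"       # the name is sent to a public address somebody chose
        findings.append({"line": lineno, "ip": ip, "names": names, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in classify_hosts(SAMPLE_HOSTS):
        if f["verdict"] != "default":
            print(f"line {f['line']}: {f['verdict']:<14} {f['ip']} -> {' '.join(f['names'])}")
```

On a Windows machine the file to read and pass to classify_hosts is %SystemRoot%\system32\drivers\etc\hosts. Lines labelled "redirect" are the ones to question first: a hostname that resolves to a public address chosen by whoever edited the file is exactly what the ieautosearch entry was, and a long list of "sinkhole" lines naming update or security sites is a common way for unwanted software to keep itself from being removed.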
     
  17. seanb

    seanb Private E-2

    chaslang, I ran Ad-Aware just now and it gave me 6 different "malware" problems. They were all vx2 files. I tried to find them in system32 as they were named but I did not see them anywhere? This is the first time it has noticed malware? Any ideas on how to tackle that problem?

    Thanks for all your help. I really appreciate it. I have already recommended this site to several people. You guys know your stuff.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

