I Want to destroy the programmers of popups.

hello all, Im infected...and dying a slow death.

your assistance would be very much appreciated. here is my hijack this

Unrequested inline log removed

 

Those who enjoying helping others request you go through the following tutorial entitled

This provides a baseline for us to help you. Please, inform us of your results.

Go forth and conquer your demons.

 

thank you very much for the quick reply, I have however spent time going through the steps and I am still infected. I have all the software on there.

should one of them fixed my problem? It always says it has found the problem... deletes it. Then on a reboot its back. Im have a few issues with some annoying dll popups saying it cant find the nail.exe on startup etc, its a window message.

any other ideas?

 

1. Power down your system and turn it back on.
2. Run HijackThis as described in the tutorial and save the log file created.
3. Attach the file to your next post. Do not copy/paste into the post.

You may need to make some registry modifications after analysis. Are you confortable with running regedit?

 

hello again, I have completed wht you said and here it is.

thank you for looking, I am going nuts.

 

Oh, sorry and just quickly,

Every time i log onto a profile in normal mode i am give 2 windows prompts..

" An exception occurred while trying to run "c:\WINDOWS\system32\txpmonui.dll",DLLGetVersion "

and...

"windows cannot locate the file nail.exe etc..."

 

::dracula::

Internet Explorer Settings
================================
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://yoursearch.ws/browser/ << suspected to be evil.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yoursearch.ws/ << suspected to be evil.
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/

Use SpySweeper for the following.
1. Left panel - select Shields
2. Right panel - select Internet Explorer tab.
3. Make sure you have the IE Hijack Shield selected and select Edit IE Hijack Shield Settings
4. Verify the following data:
SearchURL = http://yoursearch.ws/browser/ /* Change if not correct */
Start Page = http://www.google.co.nz/
5. If the data is correct, select Automatically Restore Default Without Notification.
***NOTE*** You can use the Advanced Settings to check other items.

Before proceeding reboot your system into Safe Mode and disconnect your modem cable.

system.ini
============================
1. Select Start > Run
2. Type sysedit and enter
3. Look for the line "Shell=Explorer.exe C:\WINDOWS\Nail.exe"
4. Delete this line and save the file.

Registry Items
============================
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
O4 - HKLM\..\Run: [MGKGENC] C:\WINDOWS\MGKGENC.EXE
O4 - HKLM\..\Run: [ILETDLL] C:\WINDOWS\ILETDLL.EXE
O4 - HKLM\..\Run: [ybyrlf] c:\windows\system32\mdvccwa.exe

Use your registry editor.
1. Select Start > Run
2. Type regedit and enter

Skip at your own risk.
a. Select File > Export Registry File ...
b. Select a location to export the registry to and provide a name.
c. At the bottom where you see Select Range, select the All radio button.
This creates a backup of your registry in it's current state. You may safely delete this later
after all of your problems are fixed.

3. Navigate the left pane to the full key displayed above.
4. In the right pane, select the three items and delete them.
5. Save the registry and exit.

Questionable Processes
================================
C:\WINDOWS\MGKGENC.EXE
C:\WINDOWS\ILETDLL.EXE

1. Locate the files above using windows explorer or by searching for file.
2. Delete them.
3. Empty recycle bin.

Please post your results with a new HJT log created during normal mode.

 

hello again,

I followed the process to destroy this annoying bug and I reached the stage for the sysedit but was unable to do it.. Windows message gave me this response
"c:\windows\system32\autoexec.NT. the system file is not suitable for running MS-DOS and Microsoft Windows applications. chose "close" to terminate"

so I skiped this and finished the process.
is there another way to get in there?

here is my new hjt log file.

BY the way, thank you and I am comfortable editing the registry, no problemo

 

Ok, thanks for pointing it out. Why didn't you take the next step and correctly identify the removal process. I will not apologize for helping people learn how to use tools already on their systems. I agree with you about editing the registry. But, how did you learn? What the user went through has helped. You could have simply made suggestions on items I missed.

 

yes, thank you thus far for your help, but Im still having pop up problems and was unable to remove the system.ini thing.

Is there anything else you could suggest that will help, I very much appreciate what you have done so far,

fagan

 

enough gentlemen,

Please help me with the issue at hand, either of you please please please.

Im checking for updates on here every 10mins

 

no can do,

says...

"nail.exe" is not recognized as an internal or external command,
operable program or batch file"

 

not there,

prob why i get the windows pop up message on start up

"windows cannot find nail.exe etc...

 

Ok,

still getting popups, but have done the procedure you requested. however i was unable to find the hpsebc087.exe file and enpsl1771.dll file. I checked everywhere and did a search for them... no luck.

Here is the 2 files you asked me to upload.

 

ok,

I have attached the 2 new files, But i was unable to find that file in the system32 folder. it seems as if the winlogon thing is gone now though...

well your the expert..

 

Im getting the vibe from my computer that there are no pop ups, LIfe is good.

I want to head to one of those sites and brag about how major geeks squashed their little bug.


Thanx heaps for you assistance, if you ever need singing lessons, come to new zealand and i will give you some for free

 

This sux, they are still hanging around, its just not as bad.

What else can i do??? are you sure my hJT is clean?

 

I got some nasty piece of adware that installed a bunch of crap on my system and the only thing remaining now are two pop-ups that seem to come up randomly every 10 mins or so.. from 9ringtone.com and various ads from bundleware.com.

I'm pretty sure it's using RunDLL32.exe

So far I've run Ad-Aware, Spybot, trendmicro virus scan, pandascan, registry cleaner... I've also gone into my windows folder and deleted bad files, cleaned out registry keys manually, cleared my history/cookies/temp internet files - windows temp files... So I have no idea where this last piece of junk is that is making these ads pop-up. Nothing else is trying to be downloaded, so I'm pretty sure I got everything except one or two files.

Anyways... if Anyone has some info on similar problems and can help me solve this, please let me know.

 

there has to be something else i can do,

when i do a search for 9ringtone i see a bunch of people with the same problem but no solution.

sigh

 

::dracula::

I have been watching on the sidelines. Have you stopped the messenger service as suggested by Chaslang?

I haven't found anything useful for the ringtones popup.

 

yeah, but no luck

the firewall works - zone alert but i really want to kill the pop ups, its working through the rundll file thing suggested earlier.

I have read alot of search info on the 9ringtone etc and nothing seems clear... have you any ideas?

I still want messenger to run on my PC

 

My suggestion: Don't run the messenger service unless required by network administrators at your office. The messenger services opens you to unwanted solicatations. You can always turn it on when you need it. The main idea behind the service is to allow administrators to request users to disconnect from network resources as needed for repairs, updates, etc.

On the open internet, it is better to use other communication tools.

 

is there a way to clean the dll file? I suppose i cant delete it

 

Please do not delete the file. It is a required system file.

For inofmation on the RunDLL32.exe file follow the link below.
http://www.processlibrary.com/directory/files/RunDLL32/index.php

 

ok ok i read it, but it didnt help me to destroy this annoying bug.

here is the usuall link
http://www.loadingwebsite.com/normal/yyy47.html

either that or the 9ringtone, Im sick of it and every time it comes up I feel like smashing the PC. I just dont want them (bastards) to win.

We must be victorious, the demons are winning here.
we won the battle but they are about to win the war.....PLEASE ANYTHING ELSE.

 

Let's agree you were clean at the point you made the comment, Im getting the vibe from my computer that there are no pop ups, LIfe is good.

Please post a new HJT log per Chaslangs instructions to see If something new is there.

 

I spoke too soon, sorry. We did however fix lots of problems, but these other ones seem like they are on a timed basis.

however I notice some things are popping back up like the yoursearch thing, It wont die

here is the new log

 

Because of what we did with SpySweeper, this item is possible being reset.
Main,Default_Page_URL = http://yoursearch.ws/

You need to go back to SpySweeper and modify the items there.

 

Wait for Chaslang to take a look at your new log. It still looks clean minus the settings in SpySweeper that need to be changed.

 

thx, post one here you go

 

I remember at some stage seeing those in my programs folder, They are gone now however. Its weird cos no spyware is picking up problems on my PC and I have the zone alert thing on and everything. There is drips and drabs of info on the net but nothing is clear. I have even downloaded the wintask pro thing... no luck. This sucker is getting through somehow.

 

remove?

 

I put the wrong ones up sorry, here ya go

 

Rip Thort of Pig,

Kinda like that. I never suggested downloading Wintask. I only pointed you to information regarding RunDLL32.exe.