I Want to destroy the programmers of popups.

Please double check that you have the below options set:

Right Click Start.
Select Explorer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide extensions for known file types option.
Uncheck the Hide protected operating system files (recommended) option.
Click Apply.
Click OK.

Then look for the file again. Also look for the below files and answer the question in red:
C:\Windows\system32\locate.com
C:\Windows\icont.exe
C:\Windows\tsc.exe Did you ever download Trend Micro's System Cleaner?
C:\Windows\ukogaaqdf.exe

 

Ooops! One more that I wanted you to look for:
C:\DOCUME~1\RIPTHO~1\LOCALS~1\Temp\_iu14D2N.tmp

 

That was not my question. My question is not about the online scanner. It is about Trend Micro's System Cleaner . That's a different tool.

I'm going to assume you did not download it.

 

Rename the following (use safe mode if necessary)
C:\Windows\system32\locate.com to locate.ccc
C:\Windows\icont.exe to icont.xxx
C:\Windows\tsc.exe to tsc.xxx
C:\Windows\ukogaaqdf.exe <--- delete this one if it lets you otherwise rename to ukogaaqdf.xxx
C:\DOCUME~1\RIPTHO~1\LOCALS~1\Temp\_iu14D2N.tmp <--- delete this one if it lets you!

The reboot into normal mode and tell me the results of the above. Double check to make sure they are still renamed (or deleted). Any improvement in popups?

 

So you were able to rename or delete all the others except the _iu14D2N.tmp file?
Did you reboot?

 

Are all the popups from one address?

Please do the below:
1) go here and download Registrar lite and install it: http://www.majorgeeks.com/download469.html
2) Run it, copy and paste this line to reglite's address bar:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
3) Click the "go" tab
4) Find: "AppInit_Dlls" value on the right side panel.
5) DoubleClick on AppInit_Dlls and tell me exactly what you see in the Value field:

 

IEhook is a keylogger. Delete that folder and any files in it.

How did you install wintask? If installed, it should have an uninstall in Add/Remove programs. But since it does not we may have to use HJT to fix the registry entry and then delete the file.

 

You should dump SpyHunter too.

Have you run Microsoft® Windows AntiSpyware yet! If not download it, install it, and update it. Then run a full system scan. Let me know if it finds anything. If that does not help, try the following:

Download this virus checker and tool from eScan Mwav.exe (Use Download Link 3)

1. Save it to a folder.
2. Reboot into safe mode
3. Double click the Mwav.exe file.(This is a stand alone tool and NOT just a virus checker......so it won't install anything)
4.Select all local drives, scan all files, press SCAN and when it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane......
Left click and Highlight all the info in the Lower pane--- Use "CTRL C" on your Keyboard to copy all found in the lower pane and save it to a notepad file

*Note* If prompted that a Virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning.

We just want to use it to try to identify anything that is bad.

Once you copy that to a notepad file, highlight the text and copy as an attachment.

 

Just to keep you going (I have to disconnect - need sleep). After doing what was in my previous message. Do the below:

Please download HOSTER and then follow the below steps.

• Unzip Hoster to a convenient folder such as C:\Hoster
• Exit all browser sessions and then run the below steps

• Run Hoster.exe, click Restore Original Hosts and then click OK.
• Click the X to exit the program.

Now let me know if there is any change.

 

Did you read message number 52?

That was the reasoning behind renaming it rather than deleting it. There are also malware files named tsc.exe. We can check the properties on the file later and rename it back to tsc.exe if it belongs to Trend Micro (which it this case it probably does).

 

You did not post any logs! Did you run Hoster?

 

You still did not post the log from Mwav.exe .
What address are appearing in your hosts file?

What did Microsoft Antispyware find? Did it fix what it found?

You have a firewall from Zonelabs and you have Symantecs AV.
But exactly what do you use C:\Program Files\ewido\security suite\ewidoctrl.exe for.

 

Can you post that log with carriage returns so it is readable.

What is in the rest of the log that makes it too big?

 

Also please download the following tool: L2MeFix Tool

Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and Type 1 and ENTER to select Option #1 for Run Find Log . Allow it as much time as it needs to run until NotePad opens with a log.

NOTE: Please do not run any other options or files in the l2mfix Folder!

Now come back here and post the l2mfix log as an attachment.

Please DO NOT REBOOT after after posting this log!! Otherwise problems may mutate and spread. Wait for me to get back to you with the next steps.

I know we did this back in message #16 but you appear to have some of those problems back again.

 

What do you mean? Why are you using dial-up and DSL at the same time?


Please make sure ALL Browser Windows are Closed and also you should physically disconnect from the Internet by unplugging your cable.

Go to the L2MFix Folder on your Desktop and DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.
Your computer will go bazonkers (now there's a great technical term!) for a bit, but just let it run. It should eventually spit out another log in Notepad. Please attach that log to your next message and also post another HJT log.

Again, don't run any other files in the L2MFix folder.

 

Okay! L2MeFix delete a load of bad stuff.

Now run Hoster again and make sure that this time the bad lines do not come back.

Now boot into safe mode and make sure viewing of hidden & system files is enabled.
Now run Windows Explorer and delete the below files:
C:\WINDOWS\icont.exe
C:\WINDOWS\icont.xxx
C:\WINDOWS\iconu.exe
C:\WINDOWS\wnunan.exe
C:\WINDOWS\system32\advapi32.exe
C:\WINDOWS\system32\hletcfg.dll
C:\WINDOWS\system32\Process.exe
C:\Windows\system32\Cache\mgsSetp.exe
C:\Windows\system32\Cache\mswinstall.exe
c:\windows\iletdll.exe
c:\windows\mgkgenc.exe
C:\Windows\system32\Cache\tool5-fran-one.exe
c:\windows\system32\nsx591.dll

Then reboot an post a new HJT log and tell me how things are working.

 

You must have something setup in your connections to dial a connection.

 

You log is good. I would just fix this line:

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/04c5c40fc3285e46c906/netzip/RdxIE601.cab


Were you able to find and delet all those files I listed?

 

HijackThis logs do not show everything that could be on your PC. They only show certain registry locations that it was designed to look at. It would be much more useful to us if you told us exactly what NoAdware is finding (the filenames and paths or registry keys). It has been known to give false detections. Do any other scanners detect it? Did you buy NoAdware? If so, does it fix the problems it reports? If it does not fix them and you bought it, ask them why not.

You should check out the below two programs. They are much better and will fix problems. Sometimes a safemode scan is better.

Microsoft® Windows AntiSpyware
Spy Sweeper