Need help to get rid of pop-ups

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Brumby, Dec 30, 2004.

  1. Brumby

    Brumby Private E-2

    Hi, can someone assist me to get rid of that shitty 69sexsearch pop-up please.

    I have been through the process as outlined in the sticky 'getting rid of spyware, trojans & viruses' but no success.

    Thanks...Brumby
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you have followed ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal please see the below information.

    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as a .txt file attachment to your message. All running programs should be closed, including your web browser and e-mail. Close them before running Hijack This!

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. Brumby

    Brumby Private E-2

    Thanks, have done all steps as outlined, downloading all latest versions, with the exception of 'about:blank'. Each time I tried to run it I had an error saying it had a corrupted database, download and try again. Tried several times but same result.

    All of the other programmes ran as designed, it seemed. Spybot & Ad-aware both found a few things but nothing substantial (can't remember what, unfortunately), Stinger found nothing, HSR Remove found a few things but it didn't say what.

    I'll download Hijackthis 1.99 and run as instructed and post log.

    Thanks...Brumby
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as a .txt file attachment to your message. All running programs should be closed, including your web browser and e-mail. Close them before running Hijack This!

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  5. Brumby

    Brumby Private E-2

    I have run HijackThis 1.99 and the log file is attached.

    Let me know the next step. Thanks...B
     

    Attached Files:

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Run HJT and have it fix these entries. Before removing anything with HJT, please close all browsers.

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://aflashcounter.com/?a=2
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://aflashcounter.com/?a=2
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://aflashcounter.com/?a=2
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://aflashcounter.com/?a=2
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://aflashcounter.com/?a=2
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://aflashcounter.com/?a=2
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://aflashcounter.com/?a=2
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://aflashcounter.com/?a=2
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://SERVER:8080
    O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe
    O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
    O4 - HKLM\..\Run: [E0DCFBE6] C:\WINDOWS\system32\ppmsfesnp.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] winsys32.exe
    O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe
    O4 - HKCU\..\Run: [Microsoft Update] winsys32.exe
    O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
    O4 - HKCU\..\Run: [E0DCFBE6] C:\WINDOWS\system32\ppmsfesnp.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O15 - Trusted Zone: www.master69.biz
    O15 - Trusted Zone: www.sgrunt.biz
    O15 - Trusted Zone: www.yeak.net
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = adrenalin.com.au
    O17 - HKLM\Software\..\Telephony: DomainName = adrenalin.com.au
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = adrenalin.com.au
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = adrenalin.com.au
    O23 - Service: VNC Server - Unknown - C:\Program Files\UltraVNC\WinVNC.exe (file missing)

    After you remove this from HJT, please follow the steps below. You have a few trojan infections and the W32.SpyBot.Worm.

    1) Search for the following files and delete them:

    winsys32.exe
    scrgrd.exe
    winsys32.exe
    wuclient.exe
    ppmsfesnp.exe


    2) Reboot and post new HJT log. Thanks!
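    As an added example (not part of this thread and not a MajorGeeks or HijackThis tool): a small Python triage script that applies the same reading bjgarrick gives the log above to raw HJT lines and reports what an analyst should look at first. The sample lines are copied from the log excerpt quoted in this post; the heuristics (bare filenames in Run/RunServices keys, labels that mimic Windows components, hex-looking labels, home/search/proxy settings pointing at a URL, Trusted Zone additions, "(file missing)" leftovers) are this script's own assumptions about what tends to matter in such logs, not HJT's logic, and every hit is flagged for review rather than acted on.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a subset of the HJT entries quoted in the thread above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://aflashcounter.com/?a=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://SERVER:8080
O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [E0DCFBE6] C:\WINDOWS\system32\ppmsfesnp.exe
O4 - HKLM\..\RunServices: [Microsoft Update] winsys32.exe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O15 - Trusted Zone: www.master69.biz
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = adrenalin.com.au
O23 - Service: VNC Server - Unknown - C:\Program Files\UltraVNC\WinVNC.exe (file missing)
"""

# "R1 - <body>", "O4 - <body>", ... : section code, then the entry text.
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
# O4 body: "<hive>\..\Run: [<label>] <command>"
O4_RE = re.compile(r"^(?P<hive>\S+): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
# Words that legitimate-looking autostart labels borrow (assumed heuristic).
MIMIC_WORDS = ("microsoft", "windows", "update", "firewall")


@dataclass
class Finding:
    section: str
    detail: str
    reason: str


def parse_entries(log_text):
    """Yield (section, body) pairs for every well-formed HJT line."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("sec"), m.group("body")


def check_run_entry(body):
    """O4 autostart entry: return the list of reasons it deserves a look (may be empty)."""
    m = O4_RE.match(body)
    if not m:
        return []
    label, cmd = m.group("label").strip(), m.group("cmd").strip()
    reasons = []
    if "\\" not in cmd and "/" not in cmd:
        # No directory at all: Windows resolves it through the PATH search order,
        # so the log alone does not tell you which file actually runs.
        reasons.append("bare filename, resolved through the PATH search order")
    if any(w in label.lower() for w in MIMIC_WORDS):
        reasons.append("label mimics a Windows/Microsoft component")
    if re.fullmatch(r"[0-9A-F]{6,}", label):
        reasons.append("label looks machine-generated")
    return reasons


def triage(log_text):
    """Walk the log once and collect everything worth reviewing."""
    findings = []
    for sec, body in parse_entries(log_text):
        if sec in ("R0", "R1"):
            setting, _, value = body.partition(" = ")
            if value.startswith(("http://", "https://")):
                host = urlparse(value).netloc
                what = "proxy" if "ProxyServer" in setting else "browser setting"
                findings.append(Finding(sec, setting, f"{what} points at {host}"))
        elif sec == "O4":
            for reason in check_run_entry(body):
                findings.append(Finding(sec, body, reason))
        elif sec == "O15":
            findings.append(Finding(sec, body, "domain added to IE Trusted Zone (relaxed security settings)"))
        elif sec == "O17":
            findings.append(Finding(sec, body, "DNS domain setting, confirm it is the expected network/ISP domain"))
        elif "(file missing)" in body:
            findings.append(Finding(sec, body, "entry refers to a file that no longer exists (orphaned)"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.detail}")
```

    The output is a review list, not a fix list: an O4 entry with a bare filename still has to be located on disk (with hidden files shown, as the tutorial says) before deciding what it is, and a proxy or search URL hit only tells you where the browser has been pointed, not who put it there.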
     
  7. Brumby

    Brumby Private E-2

    Have done, log attached.

    I don't think I missed any?
     

    Attached Files:

  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Ok, just to let you know, you have what's called the "W32.HLLW.Reckus Worm"; it's spread via peer-to-peer. Now let's start by removing that infection.

    1) Boot into Safe Mode

    2) Go into the directory C:\WINDOWS\system32 and look for the file winsys32.exe. Delete this file.
    NOTE: Make sure you have "view hidden files and folders" enabled per the tutorial.

    3) Click Start > Run >> type in regedit
    NOTE: Make a backup of the registry before modifying it.

    4) Navigate to the following registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    In the right pane, delete the value (if it exists):
    "WinSys"="C:\Windows\system32\Winsys32.exe""

    5) Exit the Registry Editor

    6) Reboot and run HJT, fix the below entry if it exists:
    Be sure to close all browsers before fixing anything with HJT

    O4 - HKLM\..\Run: [Microsoft Update] winsys32.exe


    7) After removing this entry, reboot and post new HJT log. Thanks!
     
  9. Brumby

    Brumby Private E-2

    OK, done. However, winsys32.exe was not in the C:\WINDOWS\System folder.

    Nor was there a reg key named "WinSys"="C:\Windows\system32\Winsys32.exe""

    There was a file named 'Microsoft update' with the 'Data' name winsys.exe. As it did not match the string you gave I left it as is - was not sure how literal your naming was.

    HJT log attached, cheers and thanks for the help so far....B
     

    Attached Files:
