need help with pop up

Discussion in 'Malware Help (A Specialist Will Reply)' started by vvn, Mar 30, 2005.

  1. vvn

    vvn Private E-2

    Hi, I have run everything that is listed in the sticky. I keep getting pop-ups and shortcuts added to my desktop. I have Win XP with Service Pack 1. Need help.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, and do not run it directly from the downloaded ZIP file.

    - Before running HijackThis, you must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. vvn

    vvn Private E-2

    Hi, the O1 lines just keep coming back after I fix them with HijackThis. Any help would be nice.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download the following tools and save them where you will be able to find them. I save stuff like this to a C:\downloads\Spyware-Stuff folder and I put each in its own subfolder. It makes it easy to find. Make sure you download them from the links below:

    L2MeFix Tool

    Generic Detection Tool - NT/2000/XP

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Please print out these instructions now or save locally so that you can operate with All Browser Windows CLOSED.

    Exit Browsers now before continuing


    First Step:

    Extract all the files from the Generic Detection Tool into its own folder.
    Then run find.bat. Post the log it creates back here as an attachment (do this later, when you reconnect).

    Second Step:
    Please move the L2MeFix Tool to your Desktop and double-click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your Desktop. Double-click l2mfix.bat and type 1 and ENTER to select Option #1 for Run Find Log. Allow it as much time as it needs to run until Notepad opens with a log.

    NOTE: Please do not run any other options or files in the l2mfix Folder!

    Third Step:
    Get a new HJT log.

    Now reconnect, come back here and post as attachments the l2mfix log, the find.bat log (normally already named output.txt) and the new HJT log (this will require two posts, as only two attachments can be made in a message). Based on those logs, we will determine the next steps.

    Please DO NOT REBOOT after scanning for these logs!! Otherwise problems may mutate and spread. Wait for me to get back to you with the next steps.
     
  5. vvn

    vvn Private E-2

    Here they go: Generic Detection readout first and then HijackThis.
     

    Attached Files:

  6. vvn

    vvn Private E-2

    Here is the L2MeFix log. I ran Generic, L2MFix and then HijackThis.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Here are the next steps! I know this is tedious but we are making progress and this next step is going to clean up a load of bad stuff.

    Step 1:

    Print or save these instructions locally now because you will have to be disconnected with no browsers open in the next step.

    Please make sure ALL Browser Windows are Closed and also you should physically disconnect from the Internet by unplugging your cable.

    Go to the L2MFix folder on your Desktop, double-click l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then press any key to reboot your machine.
    Your computer will go bazonkers (now there's a great technical term!) for a bit, but just let it run. It should eventually spit out another log in Notepad. Please attach that log later when the remaining steps are completed.

    Again, don't run any other files in the L2MFix folder.

    Step 2:

    Run "find.bat" from the Generic Detection Tool again!

    Okay, after doing the above, DO NOT REBOOT. Now reconnect to the internet, come back here and post and attach the find.bat log along with the L2MeFix log.
     
  8. vvn

    vvn Private E-2

    Here it goes.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines (if they still exist) but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O4 - HKLM\..\Run: [orsmff] c:\windows\system32\orsmff.exe
    O4 - HKLM\..\Run: [xwdvusawqe] C:\WINDOWS\System32\orsmff.exe
    O4 - HKLM\..\Run: [rvwecnu] C:\WINDOWS\System32\orsmff.exe
    O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
    O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
    O4 - HKLM\..\Run: [ms] C:\WINDOWS\System32\ms.exe
    O4 - HKLM\..\Run: [jbbfcot] C:\WINDOWS\System32\orsmff.exe
    O4 - HKLM\..\Run: [AutoLoader30351ZPRdZPd] "C:\WINDOWS\System32\condspif.exe" /PC="CP.CDT3" /ShowLegalNote="nonbranded" /UninstallName="CtxPls"
    O4 - HKCU\..\Run: [Iw3pRje9i] cnmogsvc.exe
    O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\o8lu0i39e8.dll

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\picsvr <--- the whole folder
    C:\WINDOWS\System32\nsvsvc <--- the whole folder
    c:\windows\system32\orsmff.exe
    C:\WINDOWS\System32\ms.exe
    C:\WINDOWS\System32\orsmff.exe
    C:\WINDOWS\System32\condspif.exe
    C:\WINDOWS\System32\cnmogsvc.exe
    C:\WINDOWS\system32\o8lu0i39e8.dll

    If you get an error when deleting a file, right-click on the file and check whether the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager, kill the process if it is running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
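    As an added example (not part of the thread or of the tools it uses), a small Python parser that reads HijackThis O1/O4/O20 lines like the ones above and flags the patterns chaslang is acting on: hosts entries that send search sites to a remote IP, one executable registered under several Run values, and Winlogon Notify DLLs. The sample log is constructed from the entries quoted in this post.

```python
import re
from collections import defaultdict

# Constructed sample: HijackThis entries quoted from the thread above.
HJT_LOG = r"""
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O4 - HKLM\..\Run: [orsmff] c:\windows\system32\orsmff.exe
O4 - HKLM\..\Run: [xwdvusawqe] C:\WINDOWS\System32\orsmff.exe
O4 - HKLM\..\Run: [rvwecnu] C:\WINDOWS\System32\orsmff.exe
O4 - HKLM\..\Run: [ms] C:\WINDOWS\System32\ms.exe
O4 - HKLM\..\Run: [jbbfcot] C:\WINDOWS\System32\orsmff.exe
O4 - HKLM\..\Run: [AutoLoader30351ZPRdZPd] "C:\WINDOWS\System32\condspif.exe" /PC="CP.CDT3" /ShowLegalNote="nonbranded" /UninstallName="CtxPls"
O4 - HKCU\..\Run: [Iw3pRje9i] cnmogsvc.exe
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\o8lu0i39e8.dll
"""

O1_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")
LOCAL_IPS = {"127.0.0.1", "0.0.0.0", "::1"}  # legitimate hosts-file targets

def image_path(command):
    # Executable portion of a Run-key command (quoted or first token), lowercased
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)].lower()
    return command.split()[0].lower()

def analyze(log_text):
    """Parse HJT O1/O4/O20 lines and return suspicious findings by category."""
    findings = {"hosts_redirects": [], "shared_run_targets": {}, "winlogon_notify_dlls": []}
    targets = defaultdict(list)  # image path -> Run value names that launch it
    for line in log_text.strip().splitlines():
        if m := O1_RE.match(line):
            ip, host = m.groups()
            if ip not in LOCAL_IPS:  # search site pointed at a remote IP = hijack
                findings["hosts_redirects"].append((host, ip))
        elif m := O4_RE.match(line):
            hive, name, command = m.groups()
            path = image_path(command)
            targets[path].append(f"{hive}:{name}")
        elif m := O20_RE.match(line):
            findings["winlogon_notify_dlls"].append(m.group(2).lower())
    # One binary under several randomly named Run values is a classic persistence pattern
    for path, names in targets.items():
        if len(names) > 1:
            findings["shared_run_targets"][path] = names
    return findings
```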
     
  10. vvn

    vvn Private E-2

    Hi, thanks for all the help. It looks like everything you showed me worked,

    but I wasn't able to locate these files to delete:
    c:\windows\system32\orsmff.exe
    C:\WINDOWS\System32\ms.exe
    C:\WINDOWS\System32\orsmff.exe
    C:\WINDOWS\System32\condspif.exe
    C:\WINDOWS\System32\cnmogsvc.exe
    C:\WINDOWS\system32\o8lu0i39e8.dll

    but NO pop-ups yet. :)
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's okay! But you need to post the follow up HJT log I asked for.
     
  12. vvn

    vvn Private E-2

    Here is my new HJT log.
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

