Please help army of pop-ups

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Baselerd, Sep 14, 2004.

  1. Baselerd

    Baselerd Private First Class

    I have just completed the "READ ME FIRST BEFORE POSTING" process, and I hoped this would work. But it didn't. My internet is much faster now, but I still have problems with pop-ups. Whatever I have (don't know), it isn't detected by any of the recommended programs. Here are some of the URLs in the pop-ups to help you identify (hopefully) what it is that's bugging me (pun intended):
    http://www.inklineglobal.com/adsales/ads/sbdetect.gif
    http://wildwabbit.com/3MegaPix_02.gif
    http://66.230.172.14/click.php?c=bgK3DYs4O878CnaGkj8xmD9J00hCa8xwdCui%

    Please help me. Thanks.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should read the tutorial in this Sticky thread < Hijack This Tutorial And How To Post Your Log File >

    And then post your HijackThis log as a .txt file attachment. To do this save the log file and select manage attachments in a new thread to upload it. All running programs should be closed, including your web browser, e-mail, items in the tray, anything you can close... Close before running Hijack This!

    Do NOT run Hijack This from the Desktop, a temp folder or choose run from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  4. Baselerd

    Baselerd Private First Class

    Here it is:
     

    Attached Files: log.txt (7.2 KB)
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are these lines something you put in:
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = /4.3.8 FrontPage/5.0.2.2634a mod_ssl/2.8.19 OpenSSL/0.9.7a

    What is your expected home page? http://www.dell.com ??
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hit CTRL-ALT-DEL to bring up Task Manager and select Processes. Look for the below processes and if found end them:
    jmzmbst.exe
    ojkp.exe
    Jx.exe
    KHost.exe
    winyri32.exe
    sjter40m.exe


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R3 - URLSearchHook: (no name) - {05CACBB9-A276-12EB-A863-CDCE65DA245E} - C:\WINDOWS\Mcvvmqyv.dll
    O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81C3A} - C:\WINDOWS\EliteBar\EliteBar version 50.dll
    O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA880F} - C:\WINDOWS\EliteBar\EliteBar version 50.dll
    O4 - HKLM\..\Run: [jmzmbst] C:\WINDOWS\jmzmbst.exe
    O4 - HKLM\..\Run: [ojkp] C:\WINDOWS\ojkp.exe
    O4 - HKLM\..\Run: [Jx.exe] C:\documents and settings\sunfish\local settings\temp\Jx.exe
    O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
    O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winyri32.exe
    O4 - HKLM\..\Run: [sjter40m] C:\WINDOWS\System32\sjter40m.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
    O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.wow-europe.com/en/wowbeta/Si.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
    O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.redswoosh.net/Installer/104/rsinstaller.cab


    Make sure you have enabled viewing of hidden files and folders per the READ ME FIRST tutorial.
    Boot in safe mode and delete:
    C:\WINDOWS\EliteBar <---- the whole directory
    C:\WINDOWS\Mcvvmqyv.dll
    C:\WINDOWS\jmzmbst.exe
    C:\WINDOWS\ojkp.exe
    C:\documents and settings\sunfish\local settings\temp\Jx.exe
    C:\WINDOWS\kdx\KHost.exe
    C:\windows\system32\winyri32.exe
    C:\WINDOWS\System32\sjter40m.exe

    If you have problems deleting any of these, hit CTRL-ALT-DEL to bring up Task Manager and select Processes. Look for the process in the list and end it. Then try deleting the file. Let me know if any of these could not be found or were found but could not be deleted.

    Reboot in normal mode and tell me how things are working and post a new HJT log attachment.
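    The procedure above (end the listed processes, fix the listed HijackThis lines, delete the files in safe mode, post a new log) comes down to reading HJT log lines and checking which of them come back. The following is an added example written for this page; it is not a HijackThis or MajorGeeks tool. It parses the log lines quoted in this thread, applies three constructed heuristics (a denylist built from the two hijack domains named in the thread, autorun entries that launch from a temp directory, and entries whose file is reported missing), and reports which lines from an expert's fix list are still present in a follow-up log. The sample log text is a subset of the lines quoted above with a made-up header line; the heuristics and the domain list are assumptions, not HijackThis's own logic.

```python
"""Parse HijackThis (HJT) log lines, flag suspect entries, and check a follow-up log.

Added example for this thread, not a HijackThis or MajorGeeks tool. The flagging
rules are constructed heuristics, not HijackThis's own logic.
"""
import re
from typing import NamedTuple, Optional
from urllib.parse import urlsplit

# Domains named as hijack targets in this thread (assumption: treat them as a denylist).
HIJACK_DOMAINS = ("drsnsrch.com", "searchmiracle.com")


class HjtEntry(NamedTuple):
    section: str  # "R0", "R1", "R3", "O2", "O4", "O9", "O16", ...
    body: str     # everything after the "Rn - " / "On - " prefix
    raw: str      # the original line, used for exact matching against a fix list


ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")


def parse_log(text: str) -> list[HjtEntry]:
    """Keep only lines that look like HJT entries; header and blank lines are dropped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append(HjtEntry(m.group(1), m.group(2), line))
    return entries


def target_host(entry: HjtEntry) -> Optional[str]:
    """Host named by an R-section value (scheme optional) or by an http(s) URL in the body."""
    if entry.section.startswith("R") and " = " in entry.body:
        value = entry.body.split(" = ", 1)[1].strip()
    else:
        m = re.search(r"https?://\S+", entry.body)
        if not m:
            return None
        value = m.group(0)
    if "://" not in value:  # e.g. "websearch.drsnsrch.com/q.cgi?q=" has no scheme
        value = "http://" + value
    return (urlsplit(value).hostname or "").lower() or None


def on_denylist(host: str, domains) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)


def flag(entry: HjtEntry, domains=HIJACK_DOMAINS) -> Optional[str]:
    """Return a reason string if the entry trips one of the heuristics, else None."""
    host = target_host(entry)
    if host and on_denylist(host, domains):
        return f"points at hijack domain {host}"
    if entry.section == "O4" and "\\temp\\" in entry.body.lower():
        return "autorun entry launches a file from a temp directory"
    if "(file missing)" in entry.body or "(no file)" in entry.body:
        return "references a file that no longer exists"
    return None


def flagged(text: str, domains=HIJACK_DOMAINS) -> list[tuple[str, str]]:
    return [(e.raw, why) for e in parse_log(text) if (why := flag(e, domains))]


def still_present(fix_lines, after_text: str) -> list[str]:
    """Lines from an expert's fix list that still appear in the follow-up log."""
    present = {e.raw for e in parse_log(after_text)}
    return [line.strip() for line in fix_lines if line.strip() in present]


# Constructed sample: a subset of the log lines quoted in this thread plus a made-up header.
BEFORE_LOG = r"""
Logfile of HijackThis (constructed header line)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = /4.3.8 FrontPage/5.0.2.2634a mod_ssl/2.8.19 OpenSSL/0.9.7a
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - {05CACBB9-A276-12EB-A863-CDCE65DA245E} - C:\WINDOWS\Mcvvmqyv.dll
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81C3A} - C:\WINDOWS\EliteBar\EliteBar version 50.dll
O4 - HKLM\..\Run: [Jx.exe] C:\documents and settings\sunfish\local settings\temp\Jx.exe
O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winyri32.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
"""

# Three of the lines the expert told the poster to fix.
FIX_LIST = [
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=",
    r"O4 - HKLM\..\Run: [Jx.exe] C:\documents and settings\sunfish\local settings\temp\Jx.exe",
    r"O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winyri32.exe",
]

# Constructed follow-up log: the winyri32.exe autorun survived, as it did in this thread.
AFTER_LOG = r"""
O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winyri32.exe
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
"""

if __name__ == "__main__":
    for raw, why in flagged(BEFORE_LOG):
        print(f"{why}: {raw}")
    print("still present after fix:", still_present(FIX_LIST, AFTER_LOG))
```

    Matching on the exact raw line is deliberate: an O4 entry that comes back under a different value name or path is a different finding and should be re-triaged, not silently counted as "fixed".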
     
  7. Baselerd

    Baselerd Private First Class

    Those processes are not on my task list. I have observed that there are several processes that are always new and some old ones that disappear. To put it bluntly, I am suspicious that the spyware changes the process names; of course, you are the expert. And my home page is Google, but it often redirects me to searchmiracle.com when I open <a target="_blank" href="http://searchmiracle.com/text/search.php?qq=Internet">internet</a> explorer even though my homepage is still Google. Here's my log file (again), see if anything changed. Should I go ahead and delete those items anyway?
     

    Attached Files: log.txt (7.2 KB)
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't understand why you posted another log. You did not run the steps I requested. If you do not see the processes running just continue to do everything else.
     
  9. Baselerd

    Baselerd Private First Class

    Okay I did all of that, and the following files were not there:
    C:\WINDOWS\jmzmbst.exe
    C:\WINDOWS\ojkp.exe
    C:\documents and settings\sunfish\local settings\temp\Jx.exe
    C:\WINDOWS\System32\sjter40m.exe

    Other than that I did everything you requested. Here's my log, but I still see the links: not active, but the script to link is still there, such as "<a target="_blank" href="http://searchmiracle.com/text/search.php?qq=Internet">internet</a>" for internet in the post below.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you know what these lines are:
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = /4.3.8 FrontPage/5.0.2.2634a mod_ssl/2.8.19 OpenSSL/0.9.7a
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = /4.3.8 FrontPage/5.0.2.2634a mod_ssl/2.8.19 OpenSSL/0.9.7a
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = /4.3.8 FrontPage/5.0.2.2634a mod_ssl/2.8.19 OpenSSL/0.9.7a

    You did not fix:
    C:\windows\system32\winyri32.exe
    O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winyri32.exe

    I'm not sure what you mean by,

    "but the script to link is still there, such as: "<a target="_blank" href="http://searchmiracle.com/text/search.php?qq=Internet">internet</a>" for internet on the post below."
     
  11. Baselerd

    Baselerd Private First Class

    Okay, I fixed those. As for you not knowing what that meant: the spyware will find commonly searched words in the text of HTML pages and edit the code so that the word becomes a link. I copied the source of a page and it had inserted the link into words like "internet".
     

    Attached Files: log.txt (4.6 KB)
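    The symptom described in the post above (ordinary words in page HTML rewritten into anchors that point at the hijacker's search site) can be checked for directly in the page source. The following is an added example written for this page, not code from the thread or from any MajorGeeks tool: it walks an HTML fragment with the standard-library parser and reports every anchor whose href points at one of the domains named in this thread. The anchor in the sample is the one quoted in the thread; the surrounding text and the second link are constructed, and the domain list is an assumption.

```python
"""Find anchors that a hijacker injected around ordinary words in page HTML.

Added example for this thread; the hijack domain list is an assumption taken
from the domains named in the discussion.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

HIJACK_DOMAINS = ("searchmiracle.com", "drsnsrch.com")


class InjectedLinkFinder(HTMLParser):
    """Collect (anchor text, href) for every <a> whose href points at a hijack domain."""

    def __init__(self, domains):
        super().__init__()
        self.domains = domains
        self.found = []
        self._current = None  # [href, text so far] while inside a suspect <a>, else None

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href") or ""
        host = (urlsplit(href).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in self.domains):
            self._current = [href, ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            href, text = self._current
            self.found.append((text.strip(), href))
            self._current = None


def injected_links(html: str, domains=HIJACK_DOMAINS) -> list[tuple[str, str]]:
    parser = InjectedLinkFinder(domains)
    parser.feed(html)
    parser.close()
    return parser.found


# Constructed page fragment: the first anchor is the one quoted in the thread, the rest is made up.
SAMPLE_HTML = (
    '<p>I still have problems with the <a target="_blank" '
    'href="http://searchmiracle.com/text/search.php?qq=Internet">internet</a> '
    'and pop-ups. See <a href="http://www.majorgeeks.com/">MajorGeeks</a> for help.</p>'
)

if __name__ == "__main__":
    for word, href in injected_links(SAMPLE_HTML):
        print(f"{word!r} -> {href}")
```

    Running this against the saved source of a page (or the raw text of a post you wrote) shows the injected links even when the browser renders them as plain text, which is what the poster was seeing.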
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This line is still in your HJT log:
    O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winyri32.exe

    You need to find this file and delete it. Go thru the below again:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab.
    Under the Hidden files and folders heading select Show hidden files and folders.
    Make sure you uncheck Hide extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    Tell me if you are able to do this correctly or not.

    Then boot into safe mode and USE Windows Explorer to locate (this is not Windows search) the below file and delete it:
    C:\windows\system32\winyri32.exe

    Tell me if you find this and are able to delete it. If you find it and cannot delete it, look for it using Task Manager. If found end the process and then delete the file.

    While in safe mode, run HijackThis and fix:
    O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winyri32.exe

    Now reboot normal and let me know how all that works.
     
  13. Baselerd

    Baselerd Private First Class

    I already had those settings on. I went back to double check and those files aren't there. It is not on my task manager either.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    How did you look for the file? What procedure?

    Did you try looking in safe mode?

    Did you delete the line in HijackThis in safe mode?

    Is it still in your log? Just run a new scan for yourself and look. And just tell me.
     
  15. Baselerd

    Baselerd Private First Class

    Okay, I'll walk through what I did:
    -Deleted the stuff via HijackThis (closed all other windows)
    -booted in safe mode
    -opened My Computer; the view options had already been set to what you specified
    -looked for files, they weren't there

    It is still in my log =(
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Read what I posted again! I wanted you in safe mode already when you used HijackThis.

    And what did you use to look for the file? (Just double checking.)
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If doing what I asked in the previous post from safe mode does not get rid of that line from HJT, try this:

    Download killbox here:

    KillBox

    Unzip the file to your desktop (or someplace else you can find it):

    Start Killbox.exe

    When it is open, enter C:\windows\system32\winyri32.exe into the field labeled "Full path of file to delete".

    Select the Delete on reboot option.

    Then press the button that looks like a red circle with a white X in it.

    Your computer will reboot; then check to see if the file is gone.

    Then fix this with HijackThis, reboot, then fix the line below again:

    O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winyri32.exe

    Now run another scan with HJT and tell me if it is really gone.
     
  18. Baselerd

    Baselerd Private First Class

    Well, I did that and it's gone for now =). I could not manually find the file, though, but I ran the program you specified.
    I still didn't find these:
    C:\WINDOWS\jmzmbst.exe
    C:\WINDOWS\ojkp.exe
    C:\documents and settings\sunfish\local settings\temp\Jx.exe
    C:\WINDOWS\System32\sjter40m.exe

    Does that matter?
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Post a new HijackThis log attachment.
     
  20. Baselerd

    Baselerd Private First Class

    Okay, here
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log looks clean. Any more hijacks to SearchMiracle?
    What about words being changed to links?
     
  22. Baselerd

    Baselerd Private First Class

    I haven't run into any problems so far. No redirections to search miracle, and now words are being linked. =)

    Thanks a lot
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I hope you meant 'no' words are being linked?
     
