pop up help

Use Add/Remove programs to uninstall SurfSideKick 3

If that does not work, make sure you have run all of the READ ME FIRST and then follow the steps below.


- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

 

Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file move.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

Double-click on the move.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes.


You must remember to exit browsers ( C:\Program Files\Internet Explorer\IEXPLORE.EXE ) before using HijackThis.

Make sure viewing of hidden files is enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ctrnzuv] C:\WINNT\system32\ctrnzuv.exe
O15 - Trusted Zone: *.frame.crazywinnings.com <--- probably already gone due to above step
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM) <--- probably already gone due to above step


After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\WINNT\system32\ctrnzuv.exe
If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now run Ccleaner.
Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

Did you find the C:\WINNT\system32\ctrnzuv.exe file previously and were you able to delete it?

 

Look in c:\windows\system32 for other files with similar names to ctrnzuv.exe

There may even be ones ending with .dll

Tell me what you find. Also sort the system32 folder by date. What other filenames do you see with the dates around the same time as ctrnzuv.exe.

 

Do you really need Party Poker?

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
ctrnzuv.exe

After killing that process exit out of HJT.

Now with Windows Explorer navigate to the c:\windows\system32 folder and locate the below files and one at a time right click on them and select Rename. Change the names as given below (Note: You will get a message like "If you change a file name extension, the file may become unusable. Are you sure you want to change it?" Just say yes.)
ctrnzuv.exe to ctrnzuv.xxx
ctrnzuvndw30104lib.dll to ctrnzuvndw30104lib.ddd
WinStat11.dll to WinStat11.ddd
WinStat11.dat to WinStat11.ttt
WinStat10.dll to WinStat10.ddd
WinStat10.dat to WinStat10.ttt

Then run HijackThis and have it fix the below line:
O4 - HKLM\..\Run: [ctrnzuv] C:\WINNT\system32\ctrnzuv.exe

Exit HJT.

Reboot your PC. After reboot get a new HJT log and post it here. Let me know how the steps went and what your current status is.

 

Looks good now. I would would now delete all those files that we renamed.

Now that you are clean, we want to keep it that way. To help do this, you should follow the steps in the below thread:

How to Protect yourself from malware!

 

You're welcome Julie! Surf safely.