Pop up problems

Discussion in 'Malware Help (A Specialist Will Reply)' started by bam0904, Mar 24, 2005.

  1. bam0904

    bam0904 Private E-2

    Hi there,

    I am hoping someone can help me. I am having an issue with uncontrollable pop-ups on a Windows 2000 computer. I have run all the scans that are listed in the thread regarding posting and have run HijackThis. I am attaching my log.

    Any help would be greatly appreciated.

    Thanks in advance,

    Barb
     

    Attached Files:

  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Allow me a moment to check your log.
     
  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.



    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:

    JG2EB4.EXE

    khwqk.exe


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O4 - HKLM\..\Run: [khwqk] C:\WINNT\system32\hcpnck\khwqk.exe
    O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\elitemze32.exe

    O16 - DPF: AFS Evision Check Research - https://netimage.northeast.intercept.net/evision/Check/EvCheck_ms.cab
    O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://172.22.4.160/officescan/console/ClientInstall/WinNTChk.cab
    O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - http://172.22.4.160/officescan/console/ClientInstall/setupini.cab
    O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://172.22.4.160/officescan/console/ClientInstall/setup.cab
    O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - http://172.22.4.160/officescan/console/html/AtxEnc.cab
    O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://172.22.4.160/officescan/console/ClientInstall/RemoveCtrl.cab

    O23 - Service: vbvreakk - Unknown owner - C:\WINNT\system32\eakk\vbvr.exe

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\WINNT\system32\hcpnck ←–– Delete this whole folder if it exists!

    C:\WINNT\system32\eakk ←–– Delete this whole folder if it exists!

    C:\winnt\system32\elitemze32.exe

    C:\WINNT\TEMP\JG2EB4.EXE


    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
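
Added example, not part of the original thread: a small Python triage helper for the O4, O16 and O23 lines in the fix list above. It derives the parent folders that the Safe Mode clean-up should account for and marks O16 downloads served from private addresses, which only the network owner can vouch for; the note wording and the system32 folder heuristic are assumptions of this example, not HijackThis behaviour.

```python
import ipaddress
import ntpath
import re
from urllib.parse import urlparse

# Five of the lines from the fix list in the post above, copied verbatim.
SAMPLE = r"""
O4 - HKLM\..\Run: [khwqk] C:\WINNT\system32\hcpnck\khwqk.exe
O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\elitemze32.exe
O16 - DPF: AFS Evision Check Research - https://netimage.northeast.intercept.net/evision/Check/EvCheck_ms.cab
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://172.22.4.160/officescan/console/ClientInstall/WinNTChk.cab
O23 - Service: vbvreakk - Unknown owner - C:\WINNT\system32\eakk\vbvr.exe
"""

# One pattern per section: O4 = Run-key autostart, O16 = downloaded
# ActiveX control (DPF), O23 = Windows service.
PATTERNS = {
    "O4": re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<target>.+)$"),
    "O16": re.compile(r"^O16 - DPF: (?P<name>.+) - (?P<target>https?://\S+)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<target>.+)$"),
}

def triage(line):
    """Parse one O4/O16/O23 line into a dict with review notes, else None."""
    line = line.strip()
    section = line.split(" - ", 1)[0]
    pattern = PATTERNS.get(section)
    match = pattern.match(line) if pattern else None
    if match is None:
        return None
    entry = {"section": section, **match.groupdict(), "notes": []}
    if section == "O16":
        host = urlparse(entry["target"]).hostname
        try:
            if ipaddress.ip_address(host).is_private:
                entry["notes"].append("private-address source: ask the network owner")
        except ValueError:
            pass  # a DNS name, not an IP literal
    else:
        # Assumed heuristic: a binary in its own folder below system32 means
        # the whole folder belongs on the clean-up list, not just the file.
        folder = ntpath.dirname(entry["target"])
        if ntpath.basename(folder).lower() != "system32":
            entry["notes"].append("check folder " + folder)
        if entry.get("owner", "").lower() == "unknown owner":
            entry["notes"].append("service owner unknown")
    return entry

def triage_log(text):
    """Triage every recognised line of a pasted log excerpt."""
    return [e for e in map(triage, text.splitlines()) if e]
```
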
     
  4. bam0904

    bam0904 Private E-2

    Thank you for replying. I appreciate your help. I was enable to end the JG2EB4.ex and khwqk.exe tasks. I followed the rest of your instructions and upon rebooting HijackThis still reports the two O4 lines. Spybot did come up with an Elite bar item; I selected fix.

    I have attached the new log. I am still having an issue with pop-ups, not nearly as many but still occurring often.

    Thanks again for your help.

    Barb
     

    Attached Files:

  5. bam0904

    bam0904 Private E-2

    I re-tried your original instructions. This time the two items did not show up under the process tab. I was able to check off the two items that were not removed from the previous HijackThis. I didn't have any of the mentioned files to delete this time. I did re-run Spybot while in safe mode and it came back clean and I did the CCleaner again. I rebooted into normal mode, re-ran Spybot and it came back clean again. So far no pop-ups!!! I have attached the new log for your reference.

    Thank you for your time and help. You guys are awesome.

    Barba
     

    Attached Files:

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Are you familiar with this entry?


    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\WINNT\TEMP ←–– Delete everything in this folder, not the folder!

    NEXT:
    Run CCleaner


    Reboot to Normal Windows

    FINAL STEP

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.


    After doing the above, Scan with HijackThis and attach the new log.
     
  7. bam0904

    bam0904 Private E-2

    Hi there,

    Thanks for the update. I did as instructed. I posted the log. I am familiar with the entry you mentioned. It is one of my servers here at work. I made sure I changed the home page to majorgeeks.com, after all it is the best.

    Thanks for all your time and help.
     

    Attached Files:

  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Is this log from Safe Mode? If so, attach a fresh one from Normal Mode.
     
  9. bam0904

    bam0904 Private E-2

    Sorry, I thought it was from normal mode, but here it is again. The user changed the start page to msn.com. I yelled at her!!!

    Anyway I have my page set to you guys. Here is the log.

    Barbara
     

    Attached Files:

  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If the last log is from normal mode, then it looks clean!

    Are you having any further problems?
     
  11. bam0904

    bam0904 Private E-2

    So far I am not having any more problems. Thanks for the help and if something occurs I will post again. I really do appreciate all your time and help. Have a great day!!

    Barb
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Good Deal! :)

    You should see this article on How to Protect yourself from malware!

    Browse Safely!
     
